From a0392693e37048e916db2170a471d19ef6bf16d8 Mon Sep 17 00:00:00 2001 From: puneet kandhari Date: Mon, 27 Jul 2015 12:45:56 -0500 Subject: [PATCH] @XenophonF made me do it --- users/absentusers.sls | 45 +++++ users/adduser.sls | 177 ++++++++++++++++++++ users/bashrc.sls | 55 ++++--- users/googleauth.sls | 44 ++--- users/init.sls | 371 +----------------------------------------- users/map.jinja | 20 ++- users/sudo.sls | 100 +++++++++--- users/vimrc.sls | 53 +++--- 8 files changed, 409 insertions(+), 456 deletions(-) create mode 100644 users/absentusers.sls create mode 100644 users/adduser.sls diff --git a/users/absentusers.sls b/users/absentusers.sls new file mode 100644 index 0000000..887e735 --- /dev/null +++ b/users/absentusers.sls @@ -0,0 +1,45 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls +{## + Name: users/absentusers.sls + Description: + This file removes users +#} + +{% from "users/map.jinja" import users_settings with context %} + +{% for name, user in users_settings.items() %} + {% if user.absent is defined and user.absent %} +users-absent_user-{{ name }}: + {% if 'purge' in user or 'force' in user %} + user.absent: + - name: {{ name }} + {% if 'purge' in user %} + - purge: {{ user['purge'] }} + {% endif %} + {% if 'force' in user %} + - force: {{ user['force'] }} + {% endif %} + {% else %} + user.absent: + - name: {{ name }} + {% endif -%} +users_{{ users_settings.sudoers_dir }}/{{ name }}: + file.absent: + - name: {{ users_settings.sudoers_dir }}/{{ name }} + {% endif %} +{% endfor %} + +{% for user in pillar.get('absent_users', []) %} +users_absent_user_2_{{ user }}: + user.absent +users_2_{{ users.sudoers_dir }}/{{ user }}: + file.absent: + - name: {{ users.sudoers_dir }}/{{ user }} +{% endfor %} + +{% for group in pillar.get('absent_groups', []) %} +users_absent_group_{{ group }}: + group.absent: + - name: {{ group }} +{% endfor %} diff --git a/users/adduser.sls b/users/adduser.sls new file mode 100644 index 0000000..d42b903 --- /dev/null 
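Review bot: The `absent_users` loop still references `users.sudoers_dir`, but this file only imports `users_settings`, so the state fails to render as soon as that pillar key is set and no account or sudoers fragment is removed at all; both occurrences should read `{{ users_settings.sudoers_dir }}`. In the same loop `user.absent` is given without a `- name:` argument, so Salt takes the state ID `users_absent_user_2_{{ user }}` as the account to remove and the intended account is left untouched; add `- name: {{ user }}` under it. Since this is the path that revokes accounts and their sudo fragments, a render error here quietly leaves departed users with their privileges.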
+++ b/users/adduser.sls 
@@ -0,0 +1,177 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls +{## + Name: users/addusers.sls + Description: + This file removes users +#} + +{% from "users/map.jinja" import users_settings with context %} + +{% for name, user in users_settings.items() %} + {% if user.absent is not defined or not user.absent or user != None %} + {% set home = user.get('home', "/home/%s" % name) %} + {%- if 'prime_group' in user and 'name' in user['prime_group'] %} + {%- set user_group = user.prime_group.name -%} + {%- else -%} + {%- set user_group = name -%} + {%- endif %} + {% for group in user.get('groups', []) %} +users-{{ name }}-{{ group }}-group: + group: + - name: {{ group }} + - present + {% endfor %} +users-{{ name }}-user: + {% if user.get('createhome', True) %} + file.directory: + - name: {{ home }} + - user: {{ name }} + - group: {{ user_group }} + - mode: {{ user.get('user_dir_mode', '0750') }} + {%- endif %} + group.present: + - name: {{ user_group }} + {%- if 'prime_group' in user and 'gid' in user['prime_group'] %} + - gid: {{ user['prime_group']['gid'] }} + {%- elif 'uid' in user %} + - gid: {{ user['uid'] }} + {%- endif %} + user.present: + - name: {{ name }} + - home: {{ home }} + - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }} + {% if 'uid' in user -%} + - uid: {{ user['uid'] }} + {% endif -%} + {% if 'password' in user -%} + - password: '{{ user['password'] }}' + {% endif -%} + {% if 'enforce_password' in user -%} + - enforce_password: {{ user['enforce_password'] }} + {% endif -%} + {% if user.get('system', False) -%} + - system: True + {% endif -%} + {% if 'prime_group' in user and 'gid' in user['prime_group'] -%} + - gid: {{ user['prime_group']['gid'] }} + {% else -%} + - gid_from_name: True + {% endif -%} + {% if 'fullname' in user %} + - fullname: {{ user['fullname'] }} + {% endif -%} + {% if not user.get('createhome', True) %} + - createhome: False + {% endif %} + {% if 'expire' in user -%} + - expire: {{ user['expire'] }} + {% endif -%} + - 
remove_groups: {{ user.get('remove_groups', 'False') }} + - groups: + - {{ user_group }} + {% for group in user.get('groups', []) -%} + - {{ group }} + {% endfor %} + {% if 'ssh_keys' in user %} + {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %} +users_user_{{ name }}_private_key: + file.managed: + - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }} + - user: {{ name }} + - group: {{ user_group }} + - mode: 600 + - show_diff: False + - contents_pillar: users:{{ name }}:ssh_keys:privkey +users_user_{{ name }}_public_key: + file.managed: + - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub + - user: {{ name }} + - group: {{ user_group }} + - mode: 644 + - show_diff: False + - contents_pillar: users:{{ name }}:ssh_keys:pubkey + + {% endif %} + + {% if 'ssh_auth_file' in user %} +users_authorized_keys_{{ name }}: + file.managed: + - name: {{ home }}/.ssh/authorized_keys + - user: {{ name }} + - group: {{ name }} + - mode: 600 + - contents: | + {% for auth in user.ssh_auth_file -%} + {{ auth }} + {% endfor -%} + {% endif %} + + {% if 'ssh_auth' in user %} + {% for auth in user['ssh_auth'] %} +users_ssh_auth_{{ name }}_{{ loop.index0 }}: + ssh_auth.present: + - user: {{ name }} + - name: {{ auth }} + {% endfor %} + {% endif %} + + {% if 'ssh_keys_pillar' in user %} + {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %} +user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key: + file.managed: + - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }} + - user: {{ name }} + - group: {{ user_group }} + - mode: 600 + - show_diff: False + - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey +user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key: + file.managed: + - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub + - user: {{ name }} + - group: {{ user_group }} + - mode: 644 + - show_diff: False + - contents_pillar: {{ pillar_name 
}}:{{ key_name }}:pubkey + {% endfor %} + {% endif %} + + {% if 'ssh_auth_sources' in user %} + {% for pubkey_file in user['ssh_auth_sources'] %} +users_ssh_auth_source_{{ name }}_{{ loop.index0 }}: + ssh_auth.present: + - user: {{ name }} + - source: {{ pubkey_file }} + {% endfor %} + {% endif %} + + {% if 'ssh_auth.absent' in user %} + {% for auth in user['ssh_auth.absent'] %} +users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}: + ssh_auth.absent: + - user: {{ name }} + - name: {{ auth }} + {% endfor %} + {% endif %} + + {% if 'ssh_config' in user %} +users_ssh_config_{{ name }}: + file.managed: + - name: {{ home }}/.ssh/config + - user: {{ name }} + - group: {{ user_group }} + - mode: 640 + - contents: | + # Managed by Saltstack + # Do Not Edit + {% for label, setting in user.ssh_config.items() %} + # {{ label }} + Host {{ setting.get('hostname') }} + {%- for opts in setting.get('options') %} + {{ opts }} + {%- endfor %} + {% endfor -%} + {% endif %} + {%- endif %} +{% endfor %} diff --git a/users/bashrc.sls b/users/bashrc.sls index fc268f4..2cf29bd 100644 --- a/users/bashrc.sls +++ b/users/bashrc.sls 
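Review bot: The `.ssh` directory is no longer created or permission-enforced before `id_*`, `authorized_keys` and `config` are written into it; the old init.sls had a `user_keydir_{{ name }}` `file.directory` state at mode 700 and nothing in this file recreates it, so `file.managed` into a missing `~/.ssh` fails and an existing directory keeps whatever mode it already has. Also the header says "This file removes users", `users.get('shell', '/bin/bash')` references `users` while only `users_settings` is imported, and the guard `... or user != None` is true for every non-None entry, so users marked `absent: True` are still created here (and removed again in absentusers.sls); `{% if user is not none and not user.get('absent', False) %}` expresses the intent. The directory state I would restore, keyed to the new state ID, is below.

```yaml
  {# … unchanged: group / home / user.present states above … #}
  {% if 'ssh_keys' in user or 'ssh_auth' in user or 'ssh_auth_file' in user or 'ssh_keys_pillar' in user or 'ssh_config' in user or 'ssh_auth.absent' in user %}
users-{{ name }}-keydir:
  file.directory:
    - name: {{ home }}/.ssh
    - user: {{ name }}
    - group: {{ user_group }}
    - makedirs: True
    - mode: 700
    - require:
      - user: users-{{ name }}-user
  {% endif %}
  {# … unchanged: ssh_keys / authorized_keys / ssh_config states … #}
```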
@@ -1,27 +1,32 @@ -{% from "users/map.jinja" import users with context %} -include: - - users +# -*- coding: utf-8 -*- +# vim: ft=sls +{## + Name: users/bashrc.sls + Description: + This file sets up bashrcs +#} -{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} -{%- if user == None -%} -{%- set user = {} -%} -{%- endif -%} -{%- set home = user.get('home', "/home/%s" % name) -%} -{%- set manage = user.get('manage_bashrc', False) -%} -{%- if 'prime_group' in user and 'name' in user['prime_group'] %} -{%- set user_group = user.prime_group.name -%} -{%- else -%} -{%- set user_group = name -%} -{%- endif %} -{%- if manage -%} -users_{{ name }}_user_bashrc: - file.managed: - - name: {{ home }}/.bashrc - - user: {{ name }} - - group: {{ user_group }} - - mode: 644 - - source: - - salt://users/files/bashrc/{{ name }}/bashrc - - salt://users/files/bashrc/bashrc -{% endif %} +{% from "users/map.jinja" import users_settings with context %} + +{% for name, user in users_settings.items() %} + {% if user.absent is not defined or not user.absent or user != None %} + {% set home = user.get('home', "/home/%s" % name) %} + {% set manage = user.get('manage_bashrc', False) %} + {% if 'prime_group' in user and 'name' in user.get('prime_group', []) %} + {% set user_group = user.prime_group.name %} + {% else %} + {% set user_group = name %} + {% endif %} + {% if manage %} + users-{{ name }}-user-bashrc: + file.managed: + - name: {{ home }}/.bashrc + - user: {{ name }} + - group: {{ user_group }} + - mode: 644 + - source: + - salt://users/files/bashrc/{{ name }}/bashrc + - salt://users/files/bashrc/bashrc + {% endif %} + {% endif %} {% endfor %} diff --git a/users/googleauth.sls b/users/googleauth.sls index 9e6a9ff..166f7a4 100644 --- a/users/googleauth.sls +++ b/users/googleauth.sls 
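Review bot: The guard `{% if user.absent is not defined or not user.absent or user != None %}` is true for any non-None entry, so `absent: True` users still get a `.bashrc` managed, and a pillar entry set to `None` (which the removed code normalised to `{}`) now errors on `user.get`; `{% if user is not none and not user.get('absent', False) %}` is what the original filter expressed. The `include: - users` line was dropped and nothing replaces it, so when `users.bashrc` is applied on its own, `- user: {{ name }}` names an account nothing in this file guarantees exists.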
@@ -1,31 +1,35 @@ -# vim: sts=2 ts=2 sw=2 et ai -{% from "users/map.jinja" import users with context %} +# -*- coding: utf-8 -*- +# vim: ft=sls +{## + Name: users/bashrc.sls + Description: + This file sets up bashrcs +#} -users_googleauth-package: - pkg.installed: - - name: {{ users.googleauth_package }} - - require: - - file: {{ users.googleauth_dir }} +{% from "users/map.jinja" import users_settings with context %} -users_{{ users.googleauth_dir }}: +users-googleauth-package: file.directory: - - name: {{ users.googleauth_dir }} + - name: {{ users_settings.googleauth_dir }} - user: root - - group: {{ users.root_group }} + - group: {{ users_settings.root_group }} - mode: 600 - -{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} -{%- if 'google_auth' in user %} -{%- for svc in user['google_auth'] %} -{%- if user.get('google_2fa', True) %} + pkg.installed: + - name: {{ users_settings.googleauth_package }} +{% for name, user in users_settings.items() %} + {% if user.absent is not defined or not user.absent or user != None %} + {% if 'google_auth' in user %} + {% for svc in user.get('google_auth') %} + {% if user.get('google_2fa', True) %} users_googleauth-pam-{{ svc }}-{{ name }}: file.replace: - name: /etc/pam.d/{{ svc }} - pattern: "^@include common-auth" - - repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth" + - repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users_settings.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth" - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }} - backup: .bak -{%- endif %} -{%- endfor %} -{%- endif %} -{%- endfor %} + {% endif %} + {% endfor %} + {% endif %} + {% endif %} +{% endfor %} 
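Review bot: The per-user secret file state (`{{ googleauth_dir }}/{{ name }}_{{ svc }}` written from `users:{{ name }}:google_auth:{{ svc }}`, mode 400) that the old init.sls provided is not present in this file or, as far as this patch shows, anywhere else, yet the PAM line still points `pam_google_authenticator.so` at that path with `default=die` and no `nullok`, so affected users are likely to fail authentication for `{{ svc }}` once the PAM edit lands, as the module treats a missing secret as a failure unless `nullok` is given. Restore that `file.managed` state here, ordered after the package install; the version I would add is below. The header comment is also copied from bashrc.sls (`Name: users/bashrc.sls`, `This file sets up bashrcs`) and should name this file and its purpose.

```yaml
{# … unchanged: package/directory state and per-user loop header … #}
users-googleauth-{{ svc }}-{{ name }}:
  file.managed:
    - replace: False
    - name: {{ users_settings.googleauth_dir }}/{{ name }}_{{ svc }}
    - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
    - user: root
    - group: {{ users_settings.root_group }}
    - mode: 400
    - require:
      - pkg: users-googleauth-package
{# … unchanged: PAM file.replace state … #}
```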
diff --git a/users/init.sls b/users/init.sls index 8262cbd..02134d9 100644 --- a/users/init.sls +++ b/users/init.sls 
@@ -1,365 +1,12 @@ -# vim: sts=2 ts=2 sw=2 et ai -{% from "users/map.jinja" import users with context %} -{% set used_sudo = [] %} -{% set used_googleauth = [] %} - -{%- for name, user in pillar.get('users', {}).iteritems() if user.absent is not defined or not user.absent %} -{%- if user == None -%} -{%- set user = {} -%} -{%- endif -%} -{%- if 'sudouser' in user and user['sudouser'] %} -{%- do used_sudo.append(1) %} -{%- endif %} -{%- if 'google_auth' in user %} -{%- do used_googleauth.append(1) %} -{%- endif %} -{%- endfor %} - -{%- if used_sudo or used_googleauth %} +# -*- coding: utf-8 -*- +# vim: ft=sls +{## + Name: users/init.sls + Description: + This file sets up users, sudo, google auth, flight control, bashrc, vimrc +#} include: -{%- if used_sudo %} + - users.adduser - users.sudo -{%- endif %} -{%- if used_googleauth %} - users.googleauth -{%- endif %} -{%- endif %} - -{% for name, user in pillar.get('users', {}).iteritems() if user.absent is not defined or not user.absent %} -{%- if user == None -%} -{%- set user = {} -%} -{%- endif -%} -{%- set home = user.get('home', "/home/%s" % name) -%} - -{%- if 'prime_group' in user and 'name' in user['prime_group'] %} -{%- set user_group = user.prime_group.name -%} -{%- else -%} -{%- set user_group = name -%} -{%- endif %} - -{% for group in user.get('groups', []) %} -users_{{ name }}_{{ group }}_group: - group: - - name: {{ group }} - - present -{% endfor %} - -users_{{ name }}_user: - {% if user.get('createhome', True) %} - file.directory: - - name: {{ home }} - - user: {{ name }} - - group: {{ user_group }} - - mode: {{ user.get('user_dir_mode', '0750') }} - - require: - - user: users_{{ name }}_user - - group: {{ user_group }} - {%- endif %} - group.present: - - name: {{ user_group }} - {%- if 'prime_group' in user and 'gid' in user['prime_group'] %} - - gid: {{ user['prime_group']['gid'] }} - {%- elif 'uid' in user %} - - gid: {{ user['uid'] }} - {%- endif %} - user.present: - - name: {{ name }} - - home: {{ 
home }} - - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }} - {% if 'uid' in user -%} - - uid: {{ user['uid'] }} - {% endif -%} - {% if 'password' in user -%} - - password: '{{ user['password'] }}' - {% endif -%} - {% if 'enforce_password' in user -%} - - enforce_password: {{ user['enforce_password'] }} - {% endif -%} - {% if user.get('system', False) -%} - - system: True - {% endif -%} - {% if 'prime_group' in user and 'gid' in user['prime_group'] -%} - - gid: {{ user['prime_group']['gid'] }} - {% else -%} - - gid_from_name: True - {% endif -%} - {% if 'fullname' in user %} - - fullname: {{ user['fullname'] }} - {% endif -%} - {% if not user.get('createhome', True) %} - - createhome: False - {% endif %} - {% if 'expire' in user -%} - - expire: {{ user['expire'] }} - {% endif -%} - - remove_groups: {{ user.get('remove_groups', 'False') }} - - groups: - - {{ user_group }} - {% for group in user.get('groups', []) -%} - - {{ group }} - {% endfor %} - - require: - - group: {{ user_group }} - {% for group in user.get('groups', []) -%} - - group: {{ group }} - {% endfor %} - - - {% if 'ssh_keys' in user or 'ssh_auth' in user or 'ssh_auth_file' in user or 'ssh_auth.absent' in user %} -user_keydir_{{ name }}: - file.directory: - - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh - - user: {{ name }} - - group: {{ user_group }} - - makedirs: True - - mode: 700 - - require: - - user: {{ name }} - - group: {{ user_group }} - {%- for group in user.get('groups', []) %} - - group: {{ group }} - {%- endfor %} - {% endif %} - - {% if 'ssh_keys' in user %} - {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %} -users_user_{{ name }}_private_key: - file.managed: - - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }} - - user: {{ name }} - - group: {{ user_group }} - - mode: 600 - - show_diff: False - - contents_pillar: users:{{ name }}:ssh_keys:privkey - - require: - - user: users_{{ name }}_user - {% for group in 
user.get('groups', []) %} - - group: users_{{ name }}_{{ group }}_group - {% endfor %} -users_user_{{ name }}_public_key: - file.managed: - - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub - - user: {{ name }} - - group: {{ user_group }} - - mode: 644 - - show_diff: False - - contents_pillar: users:{{ name }}:ssh_keys:pubkey - - require: - - user: users_{{ name }}_user - {% for group in user.get('groups', []) %} - - group: users_{{ name }}_{{ group }}_group - {% endfor %} - {% endif %} - -{% if 'ssh_auth_file' in user %} -users_authorized_keys_{{ name }}: - file.managed: - - name: {{ home }}/.ssh/authorized_keys - - user: {{ name }} - - group: {{ name }} - - mode: 600 - - contents: | - {% for auth in user.ssh_auth_file -%} - {{ auth }} - {% endfor -%} -{% endif %} - -{% if 'ssh_auth' in user %} -{% for auth in user['ssh_auth'] %} -users_ssh_auth_{{ name }}_{{ loop.index0 }}: - ssh_auth.present: - - user: {{ name }} - - name: {{ auth }} - - require: - - file: users_{{ name }}_user - - user: users_{{ name }}_user -{% endfor %} -{% endif %} - -{% if 'ssh_keys_pillar' in user %} -{% for key_name, pillar_name in user['ssh_keys_pillar'].items() %} -user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key: - file.managed: - - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }} - - user: {{ name }} - - group: {{ user_group }} - - mode: 600 - - show_diff: False - - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey - - require: - - user: users_{{ name }}_user - {% for group in user.get('groups', []) %} - - group: users_{{ name }}_{{ group }}_group - {% endfor %} -user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key: - file.managed: - - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub - - user: {{ name }} - - group: {{ user_group }} - - mode: 644 - - show_diff: False - - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey - - require: - - user: users_{{ name }}_user - {% for 
group in user.get('groups', []) %} - - group: users_{{ name }}_{{ group }}_group - {% endfor %} -{% endfor %} -{% endif %} - -{% if 'ssh_auth_sources' in user %} -{% for pubkey_file in user['ssh_auth_sources'] %} -users_ssh_auth_source_{{ name }}_{{ loop.index0 }}: - ssh_auth.present: - - user: {{ name }} - - source: {{ pubkey_file }} - - require: - - file: users_{{ name }}_user - - user: users_{{ name }}_user -{% endfor %} -{% endif %} - -{% if 'ssh_auth.absent' in user %} -{% for auth in user['ssh_auth.absent'] %} -users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}: - ssh_auth.absent: - - user: {{ name }} - - name: {{ auth }} - - require: - - file: users_{{ name }}_user - - user: users_{{ name }}_user -{% endfor %} -{% endif %} - -{% if 'ssh_config' in user %} -users_ssh_config_{{ name }}: - file.managed: - - name: {{ home }}/.ssh/config - - user: {{ name }} - - group: {{ user_group }} - - mode: 640 - - contents: | - # Managed by Saltstack - # Do Not Edit - {% for label, setting in user.ssh_config.items() %} - # {{ label }} - Host {{ setting.get('hostname') }} - {%- for opts in setting.get('options') %} - {{ opts }} - {%- endfor %} - {% endfor -%} -{% endif %} - -{% if 'sudouser' in user and user['sudouser'] %} - -users_sudoer-{{ name }}: - file.managed: - - name: {{ users.sudoers_dir }}/{{ name }} - - user: root - - group: {{ users.root_group }} - - mode: '0440' -{% if 'sudo_rules' in user or 'sudo_defaults' in user %} -{% if 'sudo_rules' in user %} -{% for rule in user['sudo_rules'] %} -"validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}": - cmd.run: - - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }' - - stateful: True - - shell: {{ users.visudo_shell }} - - env: - # Specify the rule via an env var to avoid shell quoting issues. 
- - rule: "{{ name }} {{ rule }}" - - require_in: - - file: users_{{ users.sudoers_dir }}/{{ name }} -{% endfor %} -{% endif %} -{% if 'sudo_defaults' in user %} -{% for entry in user['sudo_defaults'] %} -"validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}": - cmd.run: - - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }' - - stateful: True - - shell: {{ users.visudo_shell }} - - env: - # Specify the rule via an env var to avoid shell quoting issues. - - rule: "Defaults:{{ name }} {{ entry }}" - - require_in: - - file: users_{{ users.sudoers_dir }}/{{ name }} -{% endfor %} -{% endif %} - -users_{{ users.sudoers_dir }}/{{ name }}: - file.managed: - - name: {{ users.sudoers_dir }}/{{ name }} - - contents: | - {%- if 'sudo_defaults' in user %} - {%- for entry in user['sudo_defaults'] %} - Defaults:{{ name }} {{ entry }} - {%- endfor %} - {%- endif %} - {%- if 'sudo_rules' in user %} - {%- for rule in user['sudo_rules'] %} - {{ name }} {{ rule }} - {%- endfor %} - {%- endif %} - - require: - - file: users_sudoer-defaults - - file: users_sudoer-{{ name }} -{% endif %} -{% else %} -users_{{ users.sudoers_dir }}/{{ name }}: - file.absent: - - name: {{ users.sudoers_dir }}/{{ name }} -{% endif %} - -{%- if 'google_auth' in user %} -{%- for svc in user['google_auth'] %} -users_googleauth-{{ svc }}-{{ name }}: - file.managed: - - replace: false - - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }} - - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}' - - user: root - - group: {{ users.root_group }} - - mode: 400 - - require: - - pkg: users_googleauth-package -{%- endfor %} -{%- endif %} - -{% endfor %} - - -{% for name, user in pillar.get('users', {}).iteritems() if user.absent is defined and user.absent %} -users_absent_user_{{ name }}: -{% if 'purge' in user or 'force' in user %} - user.absent: - - name: {{ name }} - {% if 'purge' in user %} - - purge: {{ user['purge'] }} - 
{% endif %} - {% if 'force' in user %} - - force: {{ user['force'] }} - {% endif %} -{% else %} - user.absent: - - name: {{ name }} -{% endif -%} -users_{{ users.sudoers_dir }}/{{ name }}: - file.absent: - - name: {{ users.sudoers_dir }}/{{ name }} -{% endfor %} - -{% for user in pillar.get('absent_users', []) %} -users_absent_user_2_{{ user }}: - user.absent -users_2_{{ users.sudoers_dir }}/{{ user }}: - file.absent: - - name: {{ users.sudoers_dir }}/{{ user }} -{% endfor %} - -{% for group in pillar.get('absent_groups', []) %} -users_absent_group_{{ group }}: - group.absent: - - name: {{ group }} -{% endfor %} + - users.absentusers diff --git a/users/map.jinja b/users/map.jinja index f81acc4..803e322 100644 --- a/users/map.jinja +++ b/users/map.jinja @@ -1,5 +1,11 @@ -# vim: sts=2 ts=2 sw=2 et ai -{% set users = salt['grains.filter_by']({ +# -*- coding: utf-8 -*- +# vim: ft=jinja +{## + This map.jinja pulls in + - os flavor related decisions + - merges in users pillar +##} +{% set os_settingss = salt['grains.filter_by']({ 'Debian': { 'sudoers_dir': '/etc/sudoers.d', 'sudoers_file': '/etc/sudoers', @@ -44,4 +50,12 @@ 'sudo_package': 'sudo', 'googleauth_package': 'libpam-google-authenticator', }, -}, merge=salt['pillar.get']('users:lookup')) %} +}, merge=salt['pillar.get']('users:lookup')) +%} +{% +set users_settings = salt['pillar.get']( + 'users', + default=os_settings, + merge=True) +%} + diff --git a/users/sudo.sls b/users/sudo.sls index 2953ad2..dab2e71 100644 --- a/users/sudo.sls +++ b/users/sudo.sls 
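Review bot: The new include list does not match the description two lines above it: only `users.adduser`, `users.sudo` and `users.absentusers` are included, so `users.googleauth` (and bashrc/vimrc, which the comment also names) is no longer reachable from `users`, whereas the old file pulled googleauth in whenever a user had `google_auth`. Either add `  - users.googleauth` or trim the description to what is actually included. Note also that the removed per-user `users_googleauth-{{ svc }}-{{ name }}` secret-file state and the `user_keydir_{{ name }}` `.ssh` directory state do not reappear in any of the new files in this patch; that looks like a lost state rather than a deliberate drop and is worth confirming.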
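Review bot: The variable is set as `os_settingss` but read at the end of the file as `os_settings`, so the lookup dict is never used and `default=` receives an undefined value; the line should read `{% set os_settings = salt['grains.filter_by']({`. The `filter_by` body this hunk opens continues outside the hunk.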
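Review bot: `users_settings` merges the `users` pillar on top of the per-OS lookup dict, so every `users_settings.items()` loop in the new state files iterates `sudoers_dir`, `bash_package`, `googleauth_dir` and the other lookup keys as if they were account names (and `user.get(...)` on their string values fails at render time), while a `users:lookup` pillar also shows up as a pseudo-user named `lookup`. Keep the two namespaces apart: leave the lookup result as `os_settings` and expose the account map separately with `{% set users = salt['pillar.get']('users', {}) %}`, then have the consumers loop over `users.items()` and read paths such as `sudoers_dir` from `os_settings`.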
@@ -1,33 +1,89 @@ -# vim: sts=2 ts=2 sw=2 et ai -{% from "users/map.jinja" import users with context %} +# -*- coding: utf-8 -*- +# vim: ft=sls +{## + Name: users/sudo.sls + Description: + This file sets up sudoers +#} + +{% from "users/map.jinja" import users_settings with context %} # Ensure availability of bash -users_bash-package: +users-bashpackage-group-dir: pkg.installed: - - name: {{ users.bash_package }} - -users_sudo-group: + - name: {{ users_settings.bash_package }} group.present: - name: sudo - system: True + file.directory: + - name: {{ users_settings.sudoers_dir }} -users_sudo-package: +users-sudo-package: pkg.installed: - - name: {{ users.sudo_package }} + - name: {{ users_settings.sudo_package }} - require: - group: users_sudo-group - - file: {{ users.sudoers_dir }} + - file: {{ users_settings.sudoers_dir }} + file.append: + - name: {{ users_settings.sudoers_file }} + - text: + - Defaults env_reset + - Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + - '#includedir {{ users_settings.sudoers_dir }}' +{% for name, user in users_settings.items() %} + {% if user.absent is not defined or not user.absent or user != None %} + {% if 'sudouser' in user and user['sudouser'] %} +users-sudoer-{{ name }}: + file.managed: + - name: {{ users.sudoers_dir }}/{{ name }} + - user: root + - group: {{ users.root_group }} + - mode: '0440' + {% if 'sudo_rules' in user or 'sudo_defaults' in user %} + {% if 'sudo_rules' in user %} + {% for rule in user['sudo_rules'] %} +"validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}": + cmd.run: + - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }' + - stateful: True + - shell: {{ users.visudo_shell }} + - env: + # Specify the rule via an env var to avoid shell quoting issues. 
+ - rule: "{{ name }} {{ rule }}" + {% endfor %} + {% endif %} + {% if 'sudo_defaults' in user %} + {% for entry in user['sudo_defaults'] %} +"validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}": + cmd.run: + - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }' + - stateful: True + - shell: {{ users.visudo_shell }} + - env: + # Specify the rule via an env var to avoid shell quoting issues. + - rule: "Defaults:{{ name }} {{ entry }}" + {% endfor %} + {% endif %} -users_{{ users.sudoers_dir }}: - file.directory: - - name: {{ users.sudoers_dir }} - -users_sudoer-defaults: - file.append: - - name: {{ users.sudoers_file }} - - require: - - pkg: users_sudo-package - - text: - - Defaults env_reset - - Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - - '#includedir {{ users.sudoers_dir }}' +users_{{ users.sudoers_dir }}/{{ name }}: + file.managed: + - name: {{ users.sudoers_dir }}/{{ name }} + - contents: | + {%- if 'sudo_defaults' in user %} + {%- for entry in user['sudo_defaults'] %} + Defaults:{{ name }} {{ entry }} + {%- endfor %} + {%- endif %} + {%- if 'sudo_rules' in user %} + {%- for rule in user['sudo_rules'] %} + {{ name }} {{ rule }} + {%- endfor %} + {%- endif %} + {% endif %} + {% else %} +users_{{ users.sudoers_dir }}/{{ name }}: + file.absent: + - name: {{ users.sudoers_dir }}/{{ name }} + {% endif %} + {% endif %} +{% endfor %} diff --git a/users/vimrc.sls b/users/vimrc.sls index e678bb6..1ffedba 100644 --- a/users/vimrc.sls +++ b/users/vimrc.sls 
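Review bot: The validation `cmd.run` states lost their `require_in: - file: users_{{ sudoers_dir }}/{{ name }}`, so a sudo rule that fails `visudo -c` no longer stops the fragment from being written, and because sudo refuses to run when a file under `#includedir` has a syntax error, one bad pillar rule can lock every administrator out of sudo on the host. Restore `- require_in:` / `- file: users_{{ users_settings.sudoers_dir }}/{{ name }}` under each validation state. Separately, this file references `users.sudoers_dir`, `users.root_group` and `users.visudo_shell` while only `users_settings` is imported, and `users-sudo-package` requires `group: users_sudo-group`, an ID that no longer exists (the group state now lives under `users-bashpackage-group-dir`), so the file currently fails to render or apply before the ordering issue even matters.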
@@ -1,28 +1,33 @@ -{% from "users/map.jinja" import users with context %} +# -*- coding: utf-8 -*- +# vim: ft=sls +{## + Name: users/vimrc.sls + Description: + This file sets up vimrc for users +#} +{% from "users/map.jinja" import users_settings with context %} include: - - users - vim -{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} -{%- if user == None -%} -{%- set user = {} -%} -{%- endif -%} -{%- set home = user.get('home', "/home/%s" % name) -%} -{%- set manage = user.get('manage_vimrc', False) -%} -{%- if 'prime_group' in user and 'name' in user['prime_group'] %} -{%- set user_group = user.prime_group.name -%} -{%- else -%} -{%- set user_group = name -%} -{%- endif %} -{%- if manage -%} -users_{{ name }}_user_vimrc: - file.managed: - - name: {{ home }}/.vimrc - - user: {{ name }} - - group: {{ user_group }} - - mode: 644 - - source: - - salt://users/files/vimrc/{{ name }}/vimrc - - salt://users/files/vimrc/vimrc -{% endif %} +{% for name, user in users_settings.items() %} + {% if user.absent is not defined or not user.absent or user != None %} + {% set home = user.get('home', "/home/%s" % name) %} + {% set manage = user.get('manage_vimrc', False) %} + {% if 'prime_group' in user and 'name' in user['prime_group'] %} + {% set user_group = user.prime_group.name %} + {% else %} + {% set user_group = name %} + {% endif %} + {% if manage %} + users_{{ name }}_user_vimrc: + file.managed: + - name: {{ home }}/.vimrc + - user: {{ name }} + - group: {{ user_group }} + - mode: 644 + - source: + - salt://users/files/vimrc/{{ name }}/vimrc + - salt://users/files/vimrc/vimrc + {% endif %} + {% endif %} {% endfor %}
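Review bot: The guard `{% if user.absent is not defined or not user.absent or user != None %}` is always true for a non-None entry because of the trailing `or user != None`, so users marked `absent: True` still have a `.vimrc` managed; `{% if user is not none and not user.get('absent', False) %}` is what the original filter expressed. The `include: - users` line was removed, so applying `users.vimrc` alone no longer guarantees `{{ name }}` exists when `file.managed` sets `- user: {{ name }}`.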