@XenophonF made me do it

This commit is contained in:
puneet kandhari 2015-07-27 12:45:56 -05:00
parent 03f2158f23
commit a0392693e3
8 changed files with 409 additions and 456 deletions

45
users/absentusers.sls Normal file
View File

@ -0,0 +1,45 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{##
Name: users/absentusers.sls
Description:
This file removes users
#}
{% from "users/map.jinja" import users_settings with context %}
{% for name, user in users_settings.items() %}
{% if user.absent is defined and user.absent %}
users-absent_user-{{ name }}:
{% if 'purge' in user or 'force' in user %}
user.absent:
- name: {{ name }}
{% if 'purge' in user %}
- purge: {{ user['purge'] }}
{% endif %}
{% if 'force' in user %}
- force: {{ user['force'] }}
{% endif %}
{% else %}
user.absent:
- name: {{ name }}
{% endif -%}
users_{{ users_settings.sudoers_dir }}/{{ name }}:
file.absent:
- name: {{ users_settings.sudoers_dir }}/{{ name }}
{% endif %}
{% endfor %}
{% for user in pillar.get('absent_users', []) %}
users_absent_user_2_{{ user }}:
user.absent
users_2_{{ users.sudoers_dir }}/{{ user }}:
file.absent:
- name: {{ users.sudoers_dir }}/{{ user }}
{% endfor %}
{% for group in pillar.get('absent_groups', []) %}
users_absent_group_{{ group }}:
group.absent:
- name: {{ group }}
{% endfor %}

177
users/adduser.sls Normal file
View File

@ -0,0 +1,177 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{##
Name: users/addusers.sls
Description:
This file removes users
#}
{% from "users/map.jinja" import users_settings with context %}
{% for name, user in users_settings.items() %}
{% if user.absent is not defined or not user.absent or user != None %}
{% set home = user.get('home', "/home/%s" % name) %}
{%- if 'prime_group' in user and 'name' in user['prime_group'] %}
{%- set user_group = user.prime_group.name -%}
{%- else -%}
{%- set user_group = name -%}
{%- endif %}
{% for group in user.get('groups', []) %}
users-{{ name }}-{{ group }}-group:
group:
- name: {{ group }}
- present
{% endfor %}
users-{{ name }}-user:
{% if user.get('createhome', True) %}
file.directory:
- name: {{ home }}
- user: {{ name }}
- group: {{ user_group }}
- mode: {{ user.get('user_dir_mode', '0750') }}
{%- endif %}
group.present:
- name: {{ user_group }}
{%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
- gid: {{ user['prime_group']['gid'] }}
{%- elif 'uid' in user %}
- gid: {{ user['uid'] }}
{%- endif %}
user.present:
- name: {{ name }}
- home: {{ home }}
- shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
{% if 'uid' in user -%}
- uid: {{ user['uid'] }}
{% endif -%}
{% if 'password' in user -%}
- password: '{{ user['password'] }}'
{% endif -%}
{% if 'enforce_password' in user -%}
- enforce_password: {{ user['enforce_password'] }}
{% endif -%}
{% if user.get('system', False) -%}
- system: True
{% endif -%}
{% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
- gid: {{ user['prime_group']['gid'] }}
{% else -%}
- gid_from_name: True
{% endif -%}
{% if 'fullname' in user %}
- fullname: {{ user['fullname'] }}
{% endif -%}
{% if not user.get('createhome', True) %}
- createhome: False
{% endif %}
{% if 'expire' in user -%}
- expire: {{ user['expire'] }}
{% endif -%}
- remove_groups: {{ user.get('remove_groups', 'False') }}
- groups:
- {{ user_group }}
{% for group in user.get('groups', []) -%}
- {{ group }}
{% endfor %}
{% if 'ssh_keys' in user %}
{% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
users_user_{{ name }}_private_key:
file.managed:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
- user: {{ name }}
- group: {{ user_group }}
- mode: 600
- show_diff: False
- contents_pillar: users:{{ name }}:ssh_keys:privkey
users_user_{{ name }}_public_key:
file.managed:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
- user: {{ name }}
- group: {{ user_group }}
- mode: 644
- show_diff: False
- contents_pillar: users:{{ name }}:ssh_keys:pubkey
{% endif %}
{% if 'ssh_auth_file' in user %}
users_authorized_keys_{{ name }}:
file.managed:
- name: {{ home }}/.ssh/authorized_keys
- user: {{ name }}
- group: {{ name }}
- mode: 600
- contents: |
{% for auth in user.ssh_auth_file -%}
{{ auth }}
{% endfor -%}
{% endif %}
{% if 'ssh_auth' in user %}
{% for auth in user['ssh_auth'] %}
users_ssh_auth_{{ name }}_{{ loop.index0 }}:
ssh_auth.present:
- user: {{ name }}
- name: {{ auth }}
{% endfor %}
{% endif %}
{% if 'ssh_keys_pillar' in user %}
{% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
file.managed:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}
- user: {{ name }}
- group: {{ user_group }}
- mode: 600
- show_diff: False
- contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
file.managed:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub
- user: {{ name }}
- group: {{ user_group }}
- mode: 644
- show_diff: False
- contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
{% endfor %}
{% endif %}
{% if 'ssh_auth_sources' in user %}
{% for pubkey_file in user['ssh_auth_sources'] %}
users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
ssh_auth.present:
- user: {{ name }}
- source: {{ pubkey_file }}
{% endfor %}
{% endif %}
{% if 'ssh_auth.absent' in user %}
{% for auth in user['ssh_auth.absent'] %}
users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
ssh_auth.absent:
- user: {{ name }}
- name: {{ auth }}
{% endfor %}
{% endif %}
{% if 'ssh_config' in user %}
users_ssh_config_{{ name }}:
file.managed:
- name: {{ home }}/.ssh/config
- user: {{ name }}
- group: {{ user_group }}
- mode: 640
- contents: |
# Managed by Saltstack
# Do Not Edit
{% for label, setting in user.ssh_config.items() %}
# {{ label }}
Host {{ setting.get('hostname') }}
{%- for opts in setting.get('options') %}
{{ opts }}
{%- endfor %}
{% endfor -%}
{% endif %}
{%- endif %}
{% endfor %}

View File

@ -1,20 +1,24 @@
{% from "users/map.jinja" import users with context %} # -*- coding: utf-8 -*-
include: # vim: ft=sls
- users {##
Name: users/bashrc.sls
Description:
This file sets up bashrcs
#}
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} {% from "users/map.jinja" import users_settings with context %}
{%- if user == None -%}
{%- set user = {} -%} {% for name, user in users_settings.items() %}
{%- endif -%} {% if user.absent is not defined or not user.absent or user != None %}
{%- set home = user.get('home', "/home/%s" % name) -%} {% set home = user.get('home', "/home/%s" % name) %}
{%- set manage = user.get('manage_bashrc', False) -%} {% set manage = user.get('manage_bashrc', False) %}
{%- if 'prime_group' in user and 'name' in user['prime_group'] %} {% if 'prime_group' in user and 'name' in user.get('prime_group', []) %}
{%- set user_group = user.prime_group.name -%} {% set user_group = user.prime_group.name %}
{%- else -%} {% else %}
{%- set user_group = name -%} {% set user_group = name %}
{%- endif %} {% endif %}
{%- if manage -%} {% if manage %}
users_{{ name }}_user_bashrc: users-{{ name }}-user-bashrc:
file.managed: file.managed:
- name: {{ home }}/.bashrc - name: {{ home }}/.bashrc
- user: {{ name }} - user: {{ name }}
@ -23,5 +27,6 @@ users_{{ name }}_user_bashrc:
- source: - source:
- salt://users/files/bashrc/{{ name }}/bashrc - salt://users/files/bashrc/{{ name }}/bashrc
- salt://users/files/bashrc/bashrc - salt://users/files/bashrc/bashrc
{% endif %} {% endif %}
{% endif %}
{% endfor %} {% endfor %}

View File

@ -1,31 +1,35 @@
# vim: sts=2 ts=2 sw=2 et ai # -*- coding: utf-8 -*-
{% from "users/map.jinja" import users with context %} # vim: ft=sls
{##
Name: users/bashrc.sls
Description:
This file sets up bashrcs
#}
users_googleauth-package: {% from "users/map.jinja" import users_settings with context %}
pkg.installed:
- name: {{ users.googleauth_package }}
- require:
- file: {{ users.googleauth_dir }}
users_{{ users.googleauth_dir }}: users-googleauth-package:
file.directory: file.directory:
- name: {{ users.googleauth_dir }} - name: {{ users_settings.googleauth_dir }}
- user: root - user: root
- group: {{ users.root_group }} - group: {{ users_settings.root_group }}
- mode: 600 - mode: 600
pkg.installed:
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} - name: {{ users_settings.googleauth_package }}
{%- if 'google_auth' in user %} {% for name, user in users_settings.items() %}
{%- for svc in user['google_auth'] %} {% if user.absent is not defined or not user.absent or user != None %}
{%- if user.get('google_2fa', True) %} {% if 'google_auth' in user %}
{% for svc in user.get('google_auth') %}
{% if user.get('google_2fa', True) %}
users_googleauth-pam-{{ svc }}-{{ name }}: users_googleauth-pam-{{ svc }}-{{ name }}:
file.replace: file.replace:
- name: /etc/pam.d/{{ svc }} - name: /etc/pam.d/{{ svc }}
- pattern: "^@include common-auth" - pattern: "^@include common-auth"
- repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth" - repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users_settings.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
- unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }} - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
- backup: .bak - backup: .bak
{%- endif %} {% endif %}
{%- endfor %} {% endfor %}
{%- endif %} {% endif %}
{%- endfor %} {% endif %}
{% endfor %}

View File

@ -1,365 +1,12 @@
# vim: sts=2 ts=2 sw=2 et ai # -*- coding: utf-8 -*-
{% from "users/map.jinja" import users with context %} # vim: ft=sls
{% set used_sudo = [] %} {##
{% set used_googleauth = [] %} Name: users/init.sls
Description:
{%- for name, user in pillar.get('users', {}).iteritems() if user.absent is not defined or not user.absent %} This file sets up users, sudo, google auth, flight control, bashrc, vimrc
{%- if user == None -%} #}
{%- set user = {} -%}
{%- endif -%}
{%- if 'sudouser' in user and user['sudouser'] %}
{%- do used_sudo.append(1) %}
{%- endif %}
{%- if 'google_auth' in user %}
{%- do used_googleauth.append(1) %}
{%- endif %}
{%- endfor %}
{%- if used_sudo or used_googleauth %}
include: include:
{%- if used_sudo %} - users.adduser
- users.sudo - users.sudo
{%- endif %}
{%- if used_googleauth %}
- users.googleauth - users.googleauth
{%- endif %} - users.absentusers
{%- endif %}
{% for name, user in pillar.get('users', {}).iteritems() if user.absent is not defined or not user.absent %}
{%- if user == None -%}
{%- set user = {} -%}
{%- endif -%}
{%- set home = user.get('home', "/home/%s" % name) -%}
{%- if 'prime_group' in user and 'name' in user['prime_group'] %}
{%- set user_group = user.prime_group.name -%}
{%- else -%}
{%- set user_group = name -%}
{%- endif %}
{% for group in user.get('groups', []) %}
users_{{ name }}_{{ group }}_group:
group:
- name: {{ group }}
- present
{% endfor %}
users_{{ name }}_user:
{% if user.get('createhome', True) %}
file.directory:
- name: {{ home }}
- user: {{ name }}
- group: {{ user_group }}
- mode: {{ user.get('user_dir_mode', '0750') }}
- require:
- user: users_{{ name }}_user
- group: {{ user_group }}
{%- endif %}
group.present:
- name: {{ user_group }}
{%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
- gid: {{ user['prime_group']['gid'] }}
{%- elif 'uid' in user %}
- gid: {{ user['uid'] }}
{%- endif %}
user.present:
- name: {{ name }}
- home: {{ home }}
- shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
{% if 'uid' in user -%}
- uid: {{ user['uid'] }}
{% endif -%}
{% if 'password' in user -%}
- password: '{{ user['password'] }}'
{% endif -%}
{% if 'enforce_password' in user -%}
- enforce_password: {{ user['enforce_password'] }}
{% endif -%}
{% if user.get('system', False) -%}
- system: True
{% endif -%}
{% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
- gid: {{ user['prime_group']['gid'] }}
{% else -%}
- gid_from_name: True
{% endif -%}
{% if 'fullname' in user %}
- fullname: {{ user['fullname'] }}
{% endif -%}
{% if not user.get('createhome', True) %}
- createhome: False
{% endif %}
{% if 'expire' in user -%}
- expire: {{ user['expire'] }}
{% endif -%}
- remove_groups: {{ user.get('remove_groups', 'False') }}
- groups:
- {{ user_group }}
{% for group in user.get('groups', []) -%}
- {{ group }}
{% endfor %}
- require:
- group: {{ user_group }}
{% for group in user.get('groups', []) -%}
- group: {{ group }}
{% endfor %}
{% if 'ssh_keys' in user or 'ssh_auth' in user or 'ssh_auth_file' in user or 'ssh_auth.absent' in user %}
user_keydir_{{ name }}:
file.directory:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
- user: {{ name }}
- group: {{ user_group }}
- makedirs: True
- mode: 700
- require:
- user: {{ name }}
- group: {{ user_group }}
{%- for group in user.get('groups', []) %}
- group: {{ group }}
{%- endfor %}
{% endif %}
{% if 'ssh_keys' in user %}
{% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
users_user_{{ name }}_private_key:
file.managed:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
- user: {{ name }}
- group: {{ user_group }}
- mode: 600
- show_diff: False
- contents_pillar: users:{{ name }}:ssh_keys:privkey
- require:
- user: users_{{ name }}_user
{% for group in user.get('groups', []) %}
- group: users_{{ name }}_{{ group }}_group
{% endfor %}
users_user_{{ name }}_public_key:
file.managed:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
- user: {{ name }}
- group: {{ user_group }}
- mode: 644
- show_diff: False
- contents_pillar: users:{{ name }}:ssh_keys:pubkey
- require:
- user: users_{{ name }}_user
{% for group in user.get('groups', []) %}
- group: users_{{ name }}_{{ group }}_group
{% endfor %}
{% endif %}
{% if 'ssh_auth_file' in user %}
users_authorized_keys_{{ name }}:
file.managed:
- name: {{ home }}/.ssh/authorized_keys
- user: {{ name }}
- group: {{ name }}
- mode: 600
- contents: |
{% for auth in user.ssh_auth_file -%}
{{ auth }}
{% endfor -%}
{% endif %}
{% if 'ssh_auth' in user %}
{% for auth in user['ssh_auth'] %}
users_ssh_auth_{{ name }}_{{ loop.index0 }}:
ssh_auth.present:
- user: {{ name }}
- name: {{ auth }}
- require:
- file: users_{{ name }}_user
- user: users_{{ name }}_user
{% endfor %}
{% endif %}
{% if 'ssh_keys_pillar' in user %}
{% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
file.managed:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}
- user: {{ name }}
- group: {{ user_group }}
- mode: 600
- show_diff: False
- contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
- require:
- user: users_{{ name }}_user
{% for group in user.get('groups', []) %}
- group: users_{{ name }}_{{ group }}_group
{% endfor %}
user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
file.managed:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub
- user: {{ name }}
- group: {{ user_group }}
- mode: 644
- show_diff: False
- contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
- require:
- user: users_{{ name }}_user
{% for group in user.get('groups', []) %}
- group: users_{{ name }}_{{ group }}_group
{% endfor %}
{% endfor %}
{% endif %}
{% if 'ssh_auth_sources' in user %}
{% for pubkey_file in user['ssh_auth_sources'] %}
users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
ssh_auth.present:
- user: {{ name }}
- source: {{ pubkey_file }}
- require:
- file: users_{{ name }}_user
- user: users_{{ name }}_user
{% endfor %}
{% endif %}
{% if 'ssh_auth.absent' in user %}
{% for auth in user['ssh_auth.absent'] %}
users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
ssh_auth.absent:
- user: {{ name }}
- name: {{ auth }}
- require:
- file: users_{{ name }}_user
- user: users_{{ name }}_user
{% endfor %}
{% endif %}
{% if 'ssh_config' in user %}
users_ssh_config_{{ name }}:
file.managed:
- name: {{ home }}/.ssh/config
- user: {{ name }}
- group: {{ user_group }}
- mode: 640
- contents: |
# Managed by Saltstack
# Do Not Edit
{% for label, setting in user.ssh_config.items() %}
# {{ label }}
Host {{ setting.get('hostname') }}
{%- for opts in setting.get('options') %}
{{ opts }}
{%- endfor %}
{% endfor -%}
{% endif %}
{% if 'sudouser' in user and user['sudouser'] %}
users_sudoer-{{ name }}:
file.managed:
- name: {{ users.sudoers_dir }}/{{ name }}
- user: root
- group: {{ users.root_group }}
- mode: '0440'
{% if 'sudo_rules' in user or 'sudo_defaults' in user %}
{% if 'sudo_rules' in user %}
{% for rule in user['sudo_rules'] %}
"validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
cmd.run:
- name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
- stateful: True
- shell: {{ users.visudo_shell }}
- env:
# Specify the rule via an env var to avoid shell quoting issues.
- rule: "{{ name }} {{ rule }}"
- require_in:
- file: users_{{ users.sudoers_dir }}/{{ name }}
{% endfor %}
{% endif %}
{% if 'sudo_defaults' in user %}
{% for entry in user['sudo_defaults'] %}
"validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
cmd.run:
- name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
- stateful: True
- shell: {{ users.visudo_shell }}
- env:
# Specify the rule via an env var to avoid shell quoting issues.
- rule: "Defaults:{{ name }} {{ entry }}"
- require_in:
- file: users_{{ users.sudoers_dir }}/{{ name }}
{% endfor %}
{% endif %}
users_{{ users.sudoers_dir }}/{{ name }}:
file.managed:
- name: {{ users.sudoers_dir }}/{{ name }}
- contents: |
{%- if 'sudo_defaults' in user %}
{%- for entry in user['sudo_defaults'] %}
Defaults:{{ name }} {{ entry }}
{%- endfor %}
{%- endif %}
{%- if 'sudo_rules' in user %}
{%- for rule in user['sudo_rules'] %}
{{ name }} {{ rule }}
{%- endfor %}
{%- endif %}
- require:
- file: users_sudoer-defaults
- file: users_sudoer-{{ name }}
{% endif %}
{% else %}
users_{{ users.sudoers_dir }}/{{ name }}:
file.absent:
- name: {{ users.sudoers_dir }}/{{ name }}
{% endif %}
{%- if 'google_auth' in user %}
{%- for svc in user['google_auth'] %}
users_googleauth-{{ svc }}-{{ name }}:
file.managed:
- replace: false
- name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
- contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
- user: root
- group: {{ users.root_group }}
- mode: 400
- require:
- pkg: users_googleauth-package
{%- endfor %}
{%- endif %}
{% endfor %}
{% for name, user in pillar.get('users', {}).iteritems() if user.absent is defined and user.absent %}
users_absent_user_{{ name }}:
{% if 'purge' in user or 'force' in user %}
user.absent:
- name: {{ name }}
{% if 'purge' in user %}
- purge: {{ user['purge'] }}
{% endif %}
{% if 'force' in user %}
- force: {{ user['force'] }}
{% endif %}
{% else %}
user.absent:
- name: {{ name }}
{% endif -%}
users_{{ users.sudoers_dir }}/{{ name }}:
file.absent:
- name: {{ users.sudoers_dir }}/{{ name }}
{% endfor %}
{% for user in pillar.get('absent_users', []) %}
users_absent_user_2_{{ user }}:
user.absent
users_2_{{ users.sudoers_dir }}/{{ user }}:
file.absent:
- name: {{ users.sudoers_dir }}/{{ user }}
{% endfor %}
{% for group in pillar.get('absent_groups', []) %}
users_absent_group_{{ group }}:
group.absent:
- name: {{ group }}
{% endfor %}

View File

@ -1,5 +1,11 @@
# vim: sts=2 ts=2 sw=2 et ai # -*- coding: utf-8 -*-
{% set users = salt['grains.filter_by']({ # vim: ft=jinja
{##
This map.jinja pulls in
- os flavor related decisions
- merges in users pillar
##}
{% set os_settingss = salt['grains.filter_by']({
'Debian': { 'Debian': {
'sudoers_dir': '/etc/sudoers.d', 'sudoers_dir': '/etc/sudoers.d',
'sudoers_file': '/etc/sudoers', 'sudoers_file': '/etc/sudoers',
@ -44,4 +50,12 @@
'sudo_package': 'sudo', 'sudo_package': 'sudo',
'googleauth_package': 'libpam-google-authenticator', 'googleauth_package': 'libpam-google-authenticator',
}, },
}, merge=salt['pillar.get']('users:lookup')) %} }, merge=salt['pillar.get']('users:lookup'))
%}
{%
set users_settings = salt['pillar.get'](
'users',
default=os_settings,
merge=True)
%}

View File

@ -1,33 +1,89 @@
# vim: sts=2 ts=2 sw=2 et ai # -*- coding: utf-8 -*-
{% from "users/map.jinja" import users with context %} # vim: ft=sls
{##
Name: users/sudo.sls
Description:
This file sets up sudoers
#}
{% from "users/map.jinja" import users_settings with context %}
# Ensure availability of bash # Ensure availability of bash
users_bash-package: users-bashpackage-group-dir:
pkg.installed: pkg.installed:
- name: {{ users.bash_package }} - name: {{ users_settings.bash_package }}
users_sudo-group:
group.present: group.present:
- name: sudo - name: sudo
- system: True - system: True
file.directory:
- name: {{ users_settings.sudoers_dir }}
users_sudo-package: users-sudo-package:
pkg.installed: pkg.installed:
- name: {{ users.sudo_package }} - name: {{ users_settings.sudo_package }}
- require: - require:
- group: users_sudo-group - group: users_sudo-group
- file: {{ users.sudoers_dir }} - file: {{ users_settings.sudoers_dir }}
users_{{ users.sudoers_dir }}:
file.directory:
- name: {{ users.sudoers_dir }}
users_sudoer-defaults:
file.append: file.append:
- name: {{ users.sudoers_file }} - name: {{ users_settings.sudoers_file }}
- require:
- pkg: users_sudo-package
- text: - text:
- Defaults env_reset - Defaults env_reset
- Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
- '#includedir {{ users.sudoers_dir }}' - '#includedir {{ users_settings.sudoers_dir }}'
{% for name, user in users_settings.items() %}
{% if user.absent is not defined or not user.absent or user != None %}
{% if 'sudouser' in user and user['sudouser'] %}
users-sudoer-{{ name }}:
file.managed:
- name: {{ users.sudoers_dir }}/{{ name }}
- user: root
- group: {{ users.root_group }}
- mode: '0440'
{% if 'sudo_rules' in user or 'sudo_defaults' in user %}
{% if 'sudo_rules' in user %}
{% for rule in user['sudo_rules'] %}
"validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
cmd.run:
- name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
- stateful: True
- shell: {{ users.visudo_shell }}
- env:
# Specify the rule via an env var to avoid shell quoting issues.
- rule: "{{ name }} {{ rule }}"
{% endfor %}
{% endif %}
{% if 'sudo_defaults' in user %}
{% for entry in user['sudo_defaults'] %}
"validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
cmd.run:
- name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
- stateful: True
- shell: {{ users.visudo_shell }}
- env:
# Specify the rule via an env var to avoid shell quoting issues.
- rule: "Defaults:{{ name }} {{ entry }}"
{% endfor %}
{% endif %}
users_{{ users.sudoers_dir }}/{{ name }}:
file.managed:
- name: {{ users.sudoers_dir }}/{{ name }}
- contents: |
{%- if 'sudo_defaults' in user %}
{%- for entry in user['sudo_defaults'] %}
Defaults:{{ name }} {{ entry }}
{%- endfor %}
{%- endif %}
{%- if 'sudo_rules' in user %}
{%- for rule in user['sudo_rules'] %}
{{ name }} {{ rule }}
{%- endfor %}
{%- endif %}
{% endif %}
{% else %}
users_{{ users.sudoers_dir }}/{{ name }}:
file.absent:
- name: {{ users.sudoers_dir }}/{{ name }}
{% endif %}
{% endif %}
{% endfor %}

View File

@ -1,21 +1,25 @@
{% from "users/map.jinja" import users with context %} # -*- coding: utf-8 -*-
# vim: ft=sls
{##
Name: users/vimrc.sls
Description:
This file sets up vimrc for users
#}
{% from "users/map.jinja" import users_settings with context %}
include: include:
- users
- vim - vim
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} {% for name, user in users_settings.items() %}
{%- if user == None -%} {% if user.absent is not defined or not user.absent or user != None %}
{%- set user = {} -%} {% set home = user.get('home', "/home/%s" % name) %}
{%- endif -%} {% set manage = user.get('manage_vimrc', False) %}
{%- set home = user.get('home', "/home/%s" % name) -%} {% if 'prime_group' in user and 'name' in user['prime_group'] %}
{%- set manage = user.get('manage_vimrc', False) -%} {% set user_group = user.prime_group.name %}
{%- if 'prime_group' in user and 'name' in user['prime_group'] %} {% else %}
{%- set user_group = user.prime_group.name -%} {% set user_group = name %}
{%- else -%} {% endif %}
{%- set user_group = name -%} {% if manage %}
{%- endif %} users_{{ name }}_user_vimrc:
{%- if manage -%}
users_{{ name }}_user_vimrc:
file.managed: file.managed:
- name: {{ home }}/.vimrc - name: {{ home }}/.vimrc
- user: {{ name }} - user: {{ name }}
@ -24,5 +28,6 @@ users_{{ name }}_user_vimrc:
- source: - source:
- salt://users/files/vimrc/{{ name }}/vimrc - salt://users/files/vimrc/{{ name }}/vimrc
- salt://users/files/vimrc/vimrc - salt://users/files/vimrc/vimrc
{% endif %} {% endif %}
{% endif %}
{% endfor %} {% endfor %}