puneet kandhari
parent
a0392693e3
commit
ba11c68c24
@ -1,45 +0,0 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
# vim: ft=sls
|
||||
{##
|
||||
Name: users/absentusers.sls
|
||||
Description:
|
||||
This file removes users
|
||||
#}
|
||||
|
||||
{% from "users/map.jinja" import users_settings with context %}
|
||||
|
||||
{% for name, user in users_settings.items() %}
|
||||
{% if user.absent is defined and user.absent %}
|
||||
users-absent_user-{{ name }}:
|
||||
{% if 'purge' in user or 'force' in user %}
|
||||
user.absent:
|
||||
- name: {{ name }}
|
||||
{% if 'purge' in user %}
|
||||
- purge: {{ user['purge'] }}
|
||||
{% endif %}
|
||||
{% if 'force' in user %}
|
||||
- force: {{ user['force'] }}
|
||||
{% endif %}
|
||||
{% else %}
|
||||
user.absent:
|
||||
- name: {{ name }}
|
||||
{% endif -%}
|
||||
users_{{ users_settings.sudoers_dir }}/{{ name }}:
|
||||
file.absent:
|
||||
- name: {{ users_settings.sudoers_dir }}/{{ name }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
{% for user in pillar.get('absent_users', []) %}
|
||||
users_absent_user_2_{{ user }}:
|
||||
user.absent
|
||||
users_2_{{ users.sudoers_dir }}/{{ user }}:
|
||||
file.absent:
|
||||
- name: {{ users.sudoers_dir }}/{{ user }}
|
||||
{% endfor %}
|
||||
|
||||
{% for group in pillar.get('absent_groups', []) %}
|
||||
users_absent_group_{{ group }}:
|
||||
group.absent:
|
||||
- name: {{ group }}
|
||||
{% endfor %}
|
||||
@ -1,177 +0,0 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
# vim: ft=sls
|
||||
{##
|
||||
Name: users/addusers.sls
|
||||
Description:
|
||||
This file removes users
|
||||
#}
|
||||
|
||||
{% from "users/map.jinja" import users_settings with context %}
|
||||
|
||||
{% for name, user in users_settings.items() %}
|
||||
{% if user.absent is not defined or not user.absent or user != None %}
|
||||
{% set home = user.get('home', "/home/%s" % name) %}
|
||||
{%- if 'prime_group' in user and 'name' in user['prime_group'] %}
|
||||
{%- set user_group = user.prime_group.name -%}
|
||||
{%- else -%}
|
||||
{%- set user_group = name -%}
|
||||
{%- endif %}
|
||||
{% for group in user.get('groups', []) %}
|
||||
users-{{ name }}-{{ group }}-group:
|
||||
group:
|
||||
- name: {{ group }}
|
||||
- present
|
||||
{% endfor %}
|
||||
users-{{ name }}-user:
|
||||
{% if user.get('createhome', True) %}
|
||||
file.directory:
|
||||
- name: {{ home }}
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: {{ user.get('user_dir_mode', '0750') }}
|
||||
{%- endif %}
|
||||
group.present:
|
||||
- name: {{ user_group }}
|
||||
{%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
|
||||
- gid: {{ user['prime_group']['gid'] }}
|
||||
{%- elif 'uid' in user %}
|
||||
- gid: {{ user['uid'] }}
|
||||
{%- endif %}
|
||||
user.present:
|
||||
- name: {{ name }}
|
||||
- home: {{ home }}
|
||||
- shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
|
||||
{% if 'uid' in user -%}
|
||||
- uid: {{ user['uid'] }}
|
||||
{% endif -%}
|
||||
{% if 'password' in user -%}
|
||||
- password: '{{ user['password'] }}'
|
||||
{% endif -%}
|
||||
{% if 'enforce_password' in user -%}
|
||||
- enforce_password: {{ user['enforce_password'] }}
|
||||
{% endif -%}
|
||||
{% if user.get('system', False) -%}
|
||||
- system: True
|
||||
{% endif -%}
|
||||
{% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
|
||||
- gid: {{ user['prime_group']['gid'] }}
|
||||
{% else -%}
|
||||
- gid_from_name: True
|
||||
{% endif -%}
|
||||
{% if 'fullname' in user %}
|
||||
- fullname: {{ user['fullname'] }}
|
||||
{% endif -%}
|
||||
{% if not user.get('createhome', True) %}
|
||||
- createhome: False
|
||||
{% endif %}
|
||||
{% if 'expire' in user -%}
|
||||
- expire: {{ user['expire'] }}
|
||||
{% endif -%}
|
||||
- remove_groups: {{ user.get('remove_groups', 'False') }}
|
||||
- groups:
|
||||
- {{ user_group }}
|
||||
{% for group in user.get('groups', []) -%}
|
||||
- {{ group }}
|
||||
{% endfor %}
|
||||
{% if 'ssh_keys' in user %}
|
||||
{% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
|
||||
users_user_{{ name }}_private_key:
|
||||
file.managed:
|
||||
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: 600
|
||||
- show_diff: False
|
||||
- contents_pillar: users:{{ name }}:ssh_keys:privkey
|
||||
users_user_{{ name }}_public_key:
|
||||
file.managed:
|
||||
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: 644
|
||||
- show_diff: False
|
||||
- contents_pillar: users:{{ name }}:ssh_keys:pubkey
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% if 'ssh_auth_file' in user %}
|
||||
users_authorized_keys_{{ name }}:
|
||||
file.managed:
|
||||
- name: {{ home }}/.ssh/authorized_keys
|
||||
- user: {{ name }}
|
||||
- group: {{ name }}
|
||||
- mode: 600
|
||||
- contents: |
|
||||
{% for auth in user.ssh_auth_file -%}
|
||||
{{ auth }}
|
||||
{% endfor -%}
|
||||
{% endif %}
|
||||
|
||||
{% if 'ssh_auth' in user %}
|
||||
{% for auth in user['ssh_auth'] %}
|
||||
users_ssh_auth_{{ name }}_{{ loop.index0 }}:
|
||||
ssh_auth.present:
|
||||
- user: {{ name }}
|
||||
- name: {{ auth }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if 'ssh_keys_pillar' in user %}
|
||||
{% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
|
||||
user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
|
||||
file.managed:
|
||||
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: 600
|
||||
- show_diff: False
|
||||
- contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
|
||||
user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
|
||||
file.managed:
|
||||
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: 644
|
||||
- show_diff: False
|
||||
- contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if 'ssh_auth_sources' in user %}
|
||||
{% for pubkey_file in user['ssh_auth_sources'] %}
|
||||
users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
|
||||
ssh_auth.present:
|
||||
- user: {{ name }}
|
||||
- source: {{ pubkey_file }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if 'ssh_auth.absent' in user %}
|
||||
{% for auth in user['ssh_auth.absent'] %}
|
||||
users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
|
||||
ssh_auth.absent:
|
||||
- user: {{ name }}
|
||||
- name: {{ auth }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if 'ssh_config' in user %}
|
||||
users_ssh_config_{{ name }}:
|
||||
file.managed:
|
||||
- name: {{ home }}/.ssh/config
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: 640
|
||||
- contents: |
|
||||
# Managed by Saltstack
|
||||
# Do Not Edit
|
||||
{% for label, setting in user.ssh_config.items() %}
|
||||
# {{ label }}
|
||||
Host {{ setting.get('hostname') }}
|
||||
{%- for opts in setting.get('options') %}
|
||||
{{ opts }}
|
||||
{%- endfor %}
|
||||
{% endfor -%}
|
||||
{% endif %}
|
||||
{%- endif %}
|
||||
{% endfor %}
|
||||
@ -1,32 +1,27 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
# vim: ft=sls
|
||||
{##
|
||||
Name: users/bashrc.sls
|
||||
Description:
|
||||
This file sets up bashrcs
|
||||
#}
|
||||
{% from "users/map.jinja" import users with context %}
|
||||
include:
|
||||
- users
|
||||
|
||||
{% from "users/map.jinja" import users_settings with context %}
|
||||
|
||||
{% for name, user in users_settings.items() %}
|
||||
{% if user.absent is not defined or not user.absent or user != None %}
|
||||
{% set home = user.get('home', "/home/%s" % name) %}
|
||||
{% set manage = user.get('manage_bashrc', False) %}
|
||||
{% if 'prime_group' in user and 'name' in user.get('prime_group', []) %}
|
||||
{% set user_group = user.prime_group.name %}
|
||||
{% else %}
|
||||
{% set user_group = name %}
|
||||
{% endif %}
|
||||
{% if manage %}
|
||||
users-{{ name }}-user-bashrc:
|
||||
file.managed:
|
||||
- name: {{ home }}/.bashrc
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: 644
|
||||
- source:
|
||||
- salt://users/files/bashrc/{{ name }}/bashrc
|
||||
- salt://users/files/bashrc/bashrc
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
|
||||
{%- if user == None -%}
|
||||
{%- set user = {} -%}
|
||||
{%- endif -%}
|
||||
{%- set home = user.get('home', "/home/%s" % name) -%}
|
||||
{%- set manage = user.get('manage_bashrc', False) -%}
|
||||
{%- if 'prime_group' in user and 'name' in user['prime_group'] %}
|
||||
{%- set user_group = user.prime_group.name -%}
|
||||
{%- else -%}
|
||||
{%- set user_group = name -%}
|
||||
{%- endif %}
|
||||
{%- if manage -%}
|
||||
users_{{ name }}_user_bashrc:
|
||||
file.managed:
|
||||
- name: {{ home }}/.bashrc
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: 644
|
||||
- source:
|
||||
- salt://users/files/bashrc/{{ name }}/bashrc
|
||||
- salt://users/files/bashrc/bashrc
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
@ -1,35 +1,31 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
# vim: ft=sls
|
||||
{##
|
||||
Name: users/bashrc.sls
|
||||
Description:
|
||||
This file sets up bashrcs
|
||||
#}
|
||||
# vim: sts=2 ts=2 sw=2 et ai
|
||||
{% from "users/map.jinja" import users with context %}
|
||||
|
||||
{% from "users/map.jinja" import users_settings with context %}
|
||||
|
||||
users-googleauth-package:
|
||||
file.directory:
|
||||
- name: {{ users_settings.googleauth_dir }}
|
||||
- user: root
|
||||
- group: {{ users_settings.root_group }}
|
||||
- mode: 600
|
||||
users_googleauth-package:
|
||||
pkg.installed:
|
||||
- name: {{ users_settings.googleauth_package }}
|
||||
{% for name, user in users_settings.items() %}
|
||||
{% if user.absent is not defined or not user.absent or user != None %}
|
||||
{% if 'google_auth' in user %}
|
||||
{% for svc in user.get('google_auth') %}
|
||||
{% if user.get('google_2fa', True) %}
|
||||
- name: {{ users.googleauth_package }}
|
||||
- require:
|
||||
- file: {{ users.googleauth_dir }}
|
||||
|
||||
users_{{ users.googleauth_dir }}:
|
||||
file.directory:
|
||||
- name: {{ users.googleauth_dir }}
|
||||
- user: root
|
||||
- group: {{ users.root_group }}
|
||||
- mode: 600
|
||||
|
||||
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
|
||||
{%- if 'google_auth' in user %}
|
||||
{%- for svc in user['google_auth'] %}
|
||||
{%- if user.get('google_2fa', True) %}
|
||||
users_googleauth-pam-{{ svc }}-{{ name }}:
|
||||
file.replace:
|
||||
- name: /etc/pam.d/{{ svc }}
|
||||
- pattern: "^@include common-auth"
|
||||
- repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users_settings.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
|
||||
- repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
|
||||
- unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
|
||||
- backup: .bak
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
|
||||
371
users/init.sls
371
users/init.sls
@ -1,12 +1,365 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
# vim: ft=sls
|
||||
{##
|
||||
Name: users/init.sls
|
||||
Description:
|
||||
This file sets up users, sudo, google auth, flight control, bashrc, vimrc
|
||||
#}
|
||||
# vim: sts=2 ts=2 sw=2 et ai
|
||||
{% from "users/map.jinja" import users with context %}
|
||||
{% set used_sudo = [] %}
|
||||
{% set used_googleauth = [] %}
|
||||
|
||||
{%- for name, user in pillar.get('users', {}).iteritems() if user.absent is not defined or not user.absent %}
|
||||
{%- if user == None -%}
|
||||
{%- set user = {} -%}
|
||||
{%- endif -%}
|
||||
{%- if 'sudouser' in user and user['sudouser'] %}
|
||||
{%- do used_sudo.append(1) %}
|
||||
{%- endif %}
|
||||
{%- if 'google_auth' in user %}
|
||||
{%- do used_googleauth.append(1) %}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
|
||||
{%- if used_sudo or used_googleauth %}
|
||||
include:
|
||||
- users.adduser
|
||||
{%- if used_sudo %}
|
||||
- users.sudo
|
||||
{%- endif %}
|
||||
{%- if used_googleauth %}
|
||||
- users.googleauth
|
||||
- users.absentusers
|
||||
{%- endif %}
|
||||
{%- endif %}
|
||||
|
||||
{% for name, user in pillar.get('users', {}).iteritems() if user.absent is not defined or not user.absent %}
|
||||
{%- if user == None -%}
|
||||
{%- set user = {} -%}
|
||||
{%- endif -%}
|
||||
{%- set home = user.get('home', "/home/%s" % name) -%}
|
||||
|
||||
{%- if 'prime_group' in user and 'name' in user['prime_group'] %}
|
||||
{%- set user_group = user.prime_group.name -%}
|
||||
{%- else -%}
|
||||
{%- set user_group = name -%}
|
||||
{%- endif %}
|
||||
|
||||
{% for group in user.get('groups', []) %}
|
||||
users_{{ name }}_{{ group }}_group:
|
||||
group:
|
||||
- name: {{ group }}
|
||||
- present
|
||||
{% endfor %}
|
||||
|
||||
users_{{ name }}_user:
|
||||
{% if user.get('createhome', True) %}
|
||||
file.directory:
|
||||
- name: {{ home }}
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: {{ user.get('user_dir_mode', '0750') }}
|
||||
- require:
|
||||
- user: users_{{ name }}_user
|
||||
- group: {{ user_group }}
|
||||
{%- endif %}
|
||||
group.present:
|
||||
- name: {{ user_group }}
|
||||
{%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
|
||||
- gid: {{ user['prime_group']['gid'] }}
|
||||
{%- elif 'uid' in user %}
|
||||
- gid: {{ user['uid'] }}
|
||||
{%- endif %}
|
||||
user.present:
|
||||
- name: {{ name }}
|
||||
- home: {{ home }}
|
||||
- shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
|
||||
{% if 'uid' in user -%}
|
||||
- uid: {{ user['uid'] }}
|
||||
{% endif -%}
|
||||
{% if 'password' in user -%}
|
||||
- password: '{{ user['password'] }}'
|
||||
{% endif -%}
|
||||
{% if 'enforce_password' in user -%}
|
||||
- enforce_password: {{ user['enforce_password'] }}
|
||||
{% endif -%}
|
||||
{% if user.get('system', False) -%}
|
||||
- system: True
|
||||
{% endif -%}
|
||||
{% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
|
||||
- gid: {{ user['prime_group']['gid'] }}
|
||||
{% else -%}
|
||||
- gid_from_name: True
|
||||
{% endif -%}
|
||||
{% if 'fullname' in user %}
|
||||
- fullname: {{ user['fullname'] }}
|
||||
{% endif -%}
|
||||
{% if not user.get('createhome', True) %}
|
||||
- createhome: False
|
||||
{% endif %}
|
||||
{% if 'expire' in user -%}
|
||||
- expire: {{ user['expire'] }}
|
||||
{% endif -%}
|
||||
- remove_groups: {{ user.get('remove_groups', 'False') }}
|
||||
- groups:
|
||||
- {{ user_group }}
|
||||
{% for group in user.get('groups', []) -%}
|
||||
- {{ group }}
|
||||
{% endfor %}
|
||||
- require:
|
||||
- group: {{ user_group }}
|
||||
{% for group in user.get('groups', []) -%}
|
||||
- group: {{ group }}
|
||||
{% endfor %}
|
||||
|
||||
|
||||
{% if 'ssh_keys' in user or 'ssh_auth' in user or 'ssh_auth_file' in user or 'ssh_auth.absent' in user %}
|
||||
user_keydir_{{ name }}:
|
||||
file.directory:
|
||||
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- makedirs: True
|
||||
- mode: 700
|
||||
- require:
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
{%- for group in user.get('groups', []) %}
|
||||
- group: {{ group }}
|
||||
{%- endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if 'ssh_keys' in user %}
|
||||
{% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
|
||||
users_user_{{ name }}_private_key:
|
||||
file.managed:
|
||||
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: 600
|
||||
- show_diff: False
|
||||
- contents_pillar: users:{{ name }}:ssh_keys:privkey
|
||||
- require:
|
||||
- user: users_{{ name }}_user
|
||||
{% for group in user.get('groups', []) %}
|
||||
- group: users_{{ name }}_{{ group }}_group
|
||||
{% endfor %}
|
||||
users_user_{{ name }}_public_key:
|
||||
file.managed:
|
||||
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: 644
|
||||
- show_diff: False
|
||||
- contents_pillar: users:{{ name }}:ssh_keys:pubkey
|
||||
- require:
|
||||
- user: users_{{ name }}_user
|
||||
{% for group in user.get('groups', []) %}
|
||||
- group: users_{{ name }}_{{ group }}_group
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if 'ssh_auth_file' in user %}
|
||||
users_authorized_keys_{{ name }}:
|
||||
file.managed:
|
||||
- name: {{ home }}/.ssh/authorized_keys
|
||||
- user: {{ name }}
|
||||
- group: {{ name }}
|
||||
- mode: 600
|
||||
- contents: |
|
||||
{% for auth in user.ssh_auth_file -%}
|
||||
{{ auth }}
|
||||
{% endfor -%}
|
||||
{% endif %}
|
||||
|
||||
{% if 'ssh_auth' in user %}
|
||||
{% for auth in user['ssh_auth'] %}
|
||||
users_ssh_auth_{{ name }}_{{ loop.index0 }}:
|
||||
ssh_auth.present:
|
||||
- user: {{ name }}
|
||||
- name: {{ auth }}
|
||||
- require:
|
||||
- file: users_{{ name }}_user
|
||||
- user: users_{{ name }}_user
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if 'ssh_keys_pillar' in user %}
|
||||
{% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
|
||||
user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
|
||||
file.managed:
|
||||
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: 600
|
||||
- show_diff: False
|
||||
- contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
|
||||
- require:
|
||||
- user: users_{{ name }}_user
|
||||
{% for group in user.get('groups', []) %}
|
||||
- group: users_{{ name }}_{{ group }}_group
|
||||
{% endfor %}
|
||||
user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
|
||||
file.managed:
|
||||
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: 644
|
||||
- show_diff: False
|
||||
- contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
|
||||
- require:
|
||||
- user: users_{{ name }}_user
|
||||
{% for group in user.get('groups', []) %}
|
||||
- group: users_{{ name }}_{{ group }}_group
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if 'ssh_auth_sources' in user %}
|
||||
{% for pubkey_file in user['ssh_auth_sources'] %}
|
||||
users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
|
||||
ssh_auth.present:
|
||||
- user: {{ name }}
|
||||
- source: {{ pubkey_file }}
|
||||
- require:
|
||||
- file: users_{{ name }}_user
|
||||
- user: users_{{ name }}_user
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if 'ssh_auth.absent' in user %}
|
||||
{% for auth in user['ssh_auth.absent'] %}
|
||||
users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
|
||||
ssh_auth.absent:
|
||||
- user: {{ name }}
|
||||
- name: {{ auth }}
|
||||
- require:
|
||||
- file: users_{{ name }}_user
|
||||
- user: users_{{ name }}_user
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if 'ssh_config' in user %}
|
||||
users_ssh_config_{{ name }}:
|
||||
file.managed:
|
||||
- name: {{ home }}/.ssh/config
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: 640
|
||||
- contents: |
|
||||
# Managed by Saltstack
|
||||
# Do Not Edit
|
||||
{% for label, setting in user.ssh_config.items() %}
|
||||
# {{ label }}
|
||||
Host {{ setting.get('hostname') }}
|
||||
{%- for opts in setting.get('options') %}
|
||||
{{ opts }}
|
||||
{%- endfor %}
|
||||
{% endfor -%}
|
||||
{% endif %}
|
||||
|
||||
{% if 'sudouser' in user and user['sudouser'] %}
|
||||
|
||||
users_sudoer-{{ name }}:
|
||||
file.managed:
|
||||
- name: {{ users.sudoers_dir }}/{{ name }}
|
||||
- user: root
|
||||
- group: {{ users.root_group }}
|
||||
- mode: '0440'
|
||||
{% if 'sudo_rules' in user or 'sudo_defaults' in user %}
|
||||
{% if 'sudo_rules' in user %}
|
||||
{% for rule in user['sudo_rules'] %}
|
||||
"validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
|
||||
cmd.run:
|
||||
- name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
|
||||
- stateful: True
|
||||
- shell: {{ users.visudo_shell }}
|
||||
- env:
|
||||
# Specify the rule via an env var to avoid shell quoting issues.
|
||||
- rule: "{{ name }} {{ rule }}"
|
||||
- require_in:
|
||||
- file: users_{{ users.sudoers_dir }}/{{ name }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if 'sudo_defaults' in user %}
|
||||
{% for entry in user['sudo_defaults'] %}
|
||||
"validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
|
||||
cmd.run:
|
||||
- name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
|
||||
- stateful: True
|
||||
- shell: {{ users.visudo_shell }}
|
||||
- env:
|
||||
# Specify the rule via an env var to avoid shell quoting issues.
|
||||
- rule: "Defaults:{{ name }} {{ entry }}"
|
||||
- require_in:
|
||||
- file: users_{{ users.sudoers_dir }}/{{ name }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
users_{{ users.sudoers_dir }}/{{ name }}:
|
||||
file.managed:
|
||||
- name: {{ users.sudoers_dir }}/{{ name }}
|
||||
- contents: |
|
||||
{%- if 'sudo_defaults' in user %}
|
||||
{%- for entry in user['sudo_defaults'] %}
|
||||
Defaults:{{ name }} {{ entry }}
|
||||
{%- endfor %}
|
||||
{%- endif %}
|
||||
{%- if 'sudo_rules' in user %}
|
||||
{%- for rule in user['sudo_rules'] %}
|
||||
{{ name }} {{ rule }}
|
||||
{%- endfor %}
|
||||
{%- endif %}
|
||||
- require:
|
||||
- file: users_sudoer-defaults
|
||||
- file: users_sudoer-{{ name }}
|
||||
{% endif %}
|
||||
{% else %}
|
||||
users_{{ users.sudoers_dir }}/{{ name }}:
|
||||
file.absent:
|
||||
- name: {{ users.sudoers_dir }}/{{ name }}
|
||||
{% endif %}
|
||||
|
||||
{%- if 'google_auth' in user %}
|
||||
{%- for svc in user['google_auth'] %}
|
||||
users_googleauth-{{ svc }}-{{ name }}:
|
||||
file.managed:
|
||||
- replace: false
|
||||
- name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
|
||||
- contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
|
||||
- user: root
|
||||
- group: {{ users.root_group }}
|
||||
- mode: 400
|
||||
- require:
|
||||
- pkg: users_googleauth-package
|
||||
{%- endfor %}
|
||||
{%- endif %}
|
||||
|
||||
{% endfor %}
|
||||
|
||||
|
||||
{% for name, user in pillar.get('users', {}).iteritems() if user.absent is defined and user.absent %}
|
||||
users_absent_user_{{ name }}:
|
||||
{% if 'purge' in user or 'force' in user %}
|
||||
user.absent:
|
||||
- name: {{ name }}
|
||||
{% if 'purge' in user %}
|
||||
- purge: {{ user['purge'] }}
|
||||
{% endif %}
|
||||
{% if 'force' in user %}
|
||||
- force: {{ user['force'] }}
|
||||
{% endif %}
|
||||
{% else %}
|
||||
user.absent:
|
||||
- name: {{ name }}
|
||||
{% endif -%}
|
||||
users_{{ users.sudoers_dir }}/{{ name }}:
|
||||
file.absent:
|
||||
- name: {{ users.sudoers_dir }}/{{ name }}
|
||||
{% endfor %}
|
||||
|
||||
{% for user in pillar.get('absent_users', []) %}
|
||||
users_absent_user_2_{{ user }}:
|
||||
user.absent
|
||||
users_2_{{ users.sudoers_dir }}/{{ user }}:
|
||||
file.absent:
|
||||
- name: {{ users.sudoers_dir }}/{{ user }}
|
||||
{% endfor %}
|
||||
|
||||
{% for group in pillar.get('absent_groups', []) %}
|
||||
users_absent_group_{{ group }}:
|
||||
group.absent:
|
||||
- name: {{ group }}
|
||||
{% endfor %}
|
||||
|
||||
@ -1,11 +1,5 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
# vim: ft=jinja
|
||||
{##
|
||||
This map.jinja pulls in
|
||||
- os flavor related decisions
|
||||
- merges in users pillar
|
||||
##}
|
||||
{% set os_settingss = salt['grains.filter_by']({
|
||||
# vim: sts=2 ts=2 sw=2 et ai
|
||||
{% set users = salt['grains.filter_by']({
|
||||
'Debian': {
|
||||
'sudoers_dir': '/etc/sudoers.d',
|
||||
'sudoers_file': '/etc/sudoers',
|
||||
@ -50,12 +44,4 @@
|
||||
'sudo_package': 'sudo',
|
||||
'googleauth_package': 'libpam-google-authenticator',
|
||||
},
|
||||
}, merge=salt['pillar.get']('users:lookup'))
|
||||
%}
|
||||
{%
|
||||
set users_settings = salt['pillar.get'](
|
||||
'users',
|
||||
default=os_settings,
|
||||
merge=True)
|
||||
%}
|
||||
|
||||
}, merge=salt['pillar.get']('users:lookup')) %}
|
||||
|
||||
100
users/sudo.sls
100
users/sudo.sls
@ -1,89 +1,33 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
# vim: ft=sls
|
||||
{##
|
||||
Name: users/sudo.sls
|
||||
Description:
|
||||
This file sets up sudoers
|
||||
#}
|
||||
|
||||
{% from "users/map.jinja" import users_settings with context %}
|
||||
# vim: sts=2 ts=2 sw=2 et ai
|
||||
{% from "users/map.jinja" import users with context %}
|
||||
|
||||
# Ensure availability of bash
|
||||
users-bashpackage-group-dir:
|
||||
users_bash-package:
|
||||
pkg.installed:
|
||||
- name: {{ users_settings.bash_package }}
|
||||
- name: {{ users.bash_package }}
|
||||
|
||||
users_sudo-group:
|
||||
group.present:
|
||||
- name: sudo
|
||||
- system: True
|
||||
file.directory:
|
||||
- name: {{ users_settings.sudoers_dir }}
|
||||
|
||||
users-sudo-package:
|
||||
users_sudo-package:
|
||||
pkg.installed:
|
||||
- name: {{ users_settings.sudo_package }}
|
||||
- name: {{ users.sudo_package }}
|
||||
- require:
|
||||
- group: users_sudo-group
|
||||
- file: {{ users_settings.sudoers_dir }}
|
||||
file.append:
|
||||
- name: {{ users_settings.sudoers_file }}
|
||||
- text:
|
||||
- Defaults env_reset
|
||||
- Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
- '#includedir {{ users_settings.sudoers_dir }}'
|
||||
{% for name, user in users_settings.items() %}
|
||||
{% if user.absent is not defined or not user.absent or user != None %}
|
||||
{% if 'sudouser' in user and user['sudouser'] %}
|
||||
users-sudoer-{{ name }}:
|
||||
file.managed:
|
||||
- name: {{ users.sudoers_dir }}/{{ name }}
|
||||
- user: root
|
||||
- group: {{ users.root_group }}
|
||||
- mode: '0440'
|
||||
{% if 'sudo_rules' in user or 'sudo_defaults' in user %}
|
||||
{% if 'sudo_rules' in user %}
|
||||
{% for rule in user['sudo_rules'] %}
|
||||
"validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
|
||||
cmd.run:
|
||||
- name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
|
||||
- stateful: True
|
||||
- shell: {{ users.visudo_shell }}
|
||||
- env:
|
||||
# Specify the rule via an env var to avoid shell quoting issues.
|
||||
- rule: "{{ name }} {{ rule }}"
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if 'sudo_defaults' in user %}
|
||||
{% for entry in user['sudo_defaults'] %}
|
||||
"validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
|
||||
cmd.run:
|
||||
- name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
|
||||
- stateful: True
|
||||
- shell: {{ users.visudo_shell }}
|
||||
- env:
|
||||
# Specify the rule via an env var to avoid shell quoting issues.
|
||||
- rule: "Defaults:{{ name }} {{ entry }}"
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- file: {{ users.sudoers_dir }}
|
||||
|
||||
users_{{ users.sudoers_dir }}/{{ name }}:
|
||||
file.managed:
|
||||
- name: {{ users.sudoers_dir }}/{{ name }}
|
||||
- contents: |
|
||||
{%- if 'sudo_defaults' in user %}
|
||||
{%- for entry in user['sudo_defaults'] %}
|
||||
Defaults:{{ name }} {{ entry }}
|
||||
{%- endfor %}
|
||||
{%- endif %}
|
||||
{%- if 'sudo_rules' in user %}
|
||||
{%- for rule in user['sudo_rules'] %}
|
||||
{{ name }} {{ rule }}
|
||||
{%- endfor %}
|
||||
{%- endif %}
|
||||
{% endif %}
|
||||
{% else %}
|
||||
users_{{ users.sudoers_dir }}/{{ name }}:
|
||||
file.absent:
|
||||
- name: {{ users.sudoers_dir }}/{{ name }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
users_{{ users.sudoers_dir }}:
|
||||
file.directory:
|
||||
- name: {{ users.sudoers_dir }}
|
||||
|
||||
users_sudoer-defaults:
|
||||
file.append:
|
||||
- name: {{ users.sudoers_file }}
|
||||
- require:
|
||||
- pkg: users_sudo-package
|
||||
- text:
|
||||
- Defaults env_reset
|
||||
- Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
- '#includedir {{ users.sudoers_dir }}'
|
||||
|
||||
@ -1,33 +1,28 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
# vim: ft=sls
|
||||
{##
|
||||
Name: users/vimrc.sls
|
||||
Description:
|
||||
This file sets up vimrc for users
|
||||
#}
|
||||
{% from "users/map.jinja" import users_settings with context %}
|
||||
{% from "users/map.jinja" import users with context %}
|
||||
include:
|
||||
- users
|
||||
- vim
|
||||
|
||||
{% for name, user in users_settings.items() %}
|
||||
{% if user.absent is not defined or not user.absent or user != None %}
|
||||
{% set home = user.get('home', "/home/%s" % name) %}
|
||||
{% set manage = user.get('manage_vimrc', False) %}
|
||||
{% if 'prime_group' in user and 'name' in user['prime_group'] %}
|
||||
{% set user_group = user.prime_group.name %}
|
||||
{% else %}
|
||||
{% set user_group = name %}
|
||||
{% endif %}
|
||||
{% if manage %}
|
||||
users_{{ name }}_user_vimrc:
|
||||
file.managed:
|
||||
- name: {{ home }}/.vimrc
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: 644
|
||||
- source:
|
||||
- salt://users/files/vimrc/{{ name }}/vimrc
|
||||
- salt://users/files/vimrc/vimrc
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
|
||||
{%- if user == None -%}
|
||||
{%- set user = {} -%}
|
||||
{%- endif -%}
|
||||
{%- set home = user.get('home', "/home/%s" % name) -%}
|
||||
{%- set manage = user.get('manage_vimrc', False) -%}
|
||||
{%- if 'prime_group' in user and 'name' in user['prime_group'] %}
|
||||
{%- set user_group = user.prime_group.name -%}
|
||||
{%- else -%}
|
||||
{%- set user_group = name -%}
|
||||
{%- endif %}
|
||||
{%- if manage -%}
|
||||
users_{{ name }}_user_vimrc:
|
||||
file.managed:
|
||||
- name: {{ home }}/.vimrc
|
||||
- user: {{ name }}
|
||||
- group: {{ user_group }}
|
||||
- mode: 644
|
||||
- source:
|
||||
- salt://users/files/vimrc/{{ name }}/vimrc
|
||||
- salt://users/files/vimrc/vimrc
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user