From ba11c68c246e080b550f317f81f4b860d5caa94c Mon Sep 17 00:00:00 2001
From: puneet kandhari
Date: Mon, 27 Jul 2015 12:50:49 -0500
Subject: [PATCH] Revert "@XenophonF made me do it"
This reverts commit a0392693e37048e916db2170a471d19ef6bf16d8.
---
users/absentusers.sls | 45 -----
users/adduser.sls | 177 --------------------
users/bashrc.sls | 55 +++----
users/googleauth.sls | 50 +++---
users/init.sls | 371 +++++++++++++++++++++++++++++++++++++++++-
users/map.jinja | 20 +-
users/sudo.sls | 100 +++--------
users/vimrc.sls | 53 +++---
8 files changed, 459 insertions(+), 412 deletions(-)
delete mode 100644 users/absentusers.sls
delete mode 100644 users/adduser.sls
diff --git a/users/absentusers.sls b/users/absentusers.sls
deleted file mode 100644
index 887e735..0000000
--- a/users/absentusers.sls
+++ /dev/null
@@ -1,45 +0,0 @@
-# -*- coding: utf-8 -*-
-# vim: ft=sls
-{##
- Name: users/absentusers.sls
- Description:
- This file removes users
-#}
-
-{% from "users/map.jinja" import users_settings with context %}
-
-{% for name, user in users_settings.items() %}
- {% if user.absent is defined and user.absent %}
-users-absent_user-{{ name }}:
- {% if 'purge' in user or 'force' in user %}
- user.absent:
- - name: {{ name }}
- {% if 'purge' in user %}
- - purge: {{ user['purge'] }}
- {% endif %}
- {% if 'force' in user %}
- - force: {{ user['force'] }}
- {% endif %}
- {% else %}
- user.absent:
- - name: {{ name }}
- {% endif -%}
-users_{{ users_settings.sudoers_dir }}/{{ name }}:
- file.absent:
- - name: {{ users_settings.sudoers_dir }}/{{ name }}
- {% endif %}
-{% endfor %}
-
-{% for user in pillar.get('absent_users', []) %}
-users_absent_user_2_{{ user }}:
- user.absent
-users_2_{{ users.sudoers_dir }}/{{ user }}:
- file.absent:
- - name: {{ users.sudoers_dir }}/{{ user }}
-{% endfor %}
-
-{% for group in pillar.get('absent_groups', []) %}
-users_absent_group_{{ group }}:
- group.absent:
- - name: {{ group }}
-{% endfor %}
diff --git a/users/adduser.sls b/users/adduser.sls
deleted file mode 100644
index d42b903..0000000
--- a/users/adduser.sls
+++ /dev/null
@@ -1,177 +0,0 @@
-# -*- coding: utf-8 -*-
-# vim: ft=sls
-{##
- Name: users/addusers.sls
- Description:
- This file removes users
-#}
-
-{% from "users/map.jinja" import users_settings with context %}
-
-{% for name, user in users_settings.items() %}
- {% if user.absent is not defined or not user.absent or user != None %}
- {% set home = user.get('home', "/home/%s" % name) %}
- {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
- {%- set user_group = user.prime_group.name -%}
- {%- else -%}
- {%- set user_group = name -%}
- {%- endif %}
- {% for group in user.get('groups', []) %}
-users-{{ name }}-{{ group }}-group:
- group:
- - name: {{ group }}
- - present
- {% endfor %}
-users-{{ name }}-user:
- {% if user.get('createhome', True) %}
- file.directory:
- - name: {{ home }}
- - user: {{ name }}
- - group: {{ user_group }}
- - mode: {{ user.get('user_dir_mode', '0750') }}
- {%- endif %}
- group.present:
- - name: {{ user_group }}
- {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
- - gid: {{ user['prime_group']['gid'] }}
- {%- elif 'uid' in user %}
- - gid: {{ user['uid'] }}
- {%- endif %}
- user.present:
- - name: {{ name }}
- - home: {{ home }}
- - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
- {% if 'uid' in user -%}
- - uid: {{ user['uid'] }}
- {% endif -%}
- {% if 'password' in user -%}
- - password: '{{ user['password'] }}'
- {% endif -%}
- {% if 'enforce_password' in user -%}
- - enforce_password: {{ user['enforce_password'] }}
- {% endif -%}
- {% if user.get('system', False) -%}
- - system: True
- {% endif -%}
- {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
- - gid: {{ user['prime_group']['gid'] }}
- {% else -%}
- - gid_from_name: True
- {% endif -%}
- {% if 'fullname' in user %}
- - fullname: {{ user['fullname'] }}
- {% endif -%}
- {% if not user.get('createhome', True) %}
- - createhome: False
- {% endif %}
- {% if 'expire' in user -%}
- - expire: {{ user['expire'] }}
- {% endif -%}
- - remove_groups: {{ user.get('remove_groups', 'False') }}
- - groups:
- - {{ user_group }}
- {% for group in user.get('groups', []) -%}
- - {{ group }}
- {% endfor %}
- {% if 'ssh_keys' in user %}
- {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
-users_user_{{ name }}_private_key:
- file.managed:
- - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
- - user: {{ name }}
- - group: {{ user_group }}
- - mode: 600
- - show_diff: False
- - contents_pillar: users:{{ name }}:ssh_keys:privkey
-users_user_{{ name }}_public_key:
- file.managed:
- - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
- - user: {{ name }}
- - group: {{ user_group }}
- - mode: 644
- - show_diff: False
- - contents_pillar: users:{{ name }}:ssh_keys:pubkey
-
- {% endif %}
-
- {% if 'ssh_auth_file' in user %}
-users_authorized_keys_{{ name }}:
- file.managed:
- - name: {{ home }}/.ssh/authorized_keys
- - user: {{ name }}
- - group: {{ name }}
- - mode: 600
- - contents: |
- {% for auth in user.ssh_auth_file -%}
- {{ auth }}
- {% endfor -%}
- {% endif %}
-
- {% if 'ssh_auth' in user %}
- {% for auth in user['ssh_auth'] %}
-users_ssh_auth_{{ name }}_{{ loop.index0 }}:
- ssh_auth.present:
- - user: {{ name }}
- - name: {{ auth }}
- {% endfor %}
- {% endif %}
-
- {% if 'ssh_keys_pillar' in user %}
- {% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
-user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
- file.managed:
- - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}
- - user: {{ name }}
- - group: {{ user_group }}
- - mode: 600
- - show_diff: False
- - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
-user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
- file.managed:
- - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub
- - user: {{ name }}
- - group: {{ user_group }}
- - mode: 644
- - show_diff: False
- - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
- {% endfor %}
- {% endif %}
-
- {% if 'ssh_auth_sources' in user %}
- {% for pubkey_file in user['ssh_auth_sources'] %}
-users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
- ssh_auth.present:
- - user: {{ name }}
- - source: {{ pubkey_file }}
- {% endfor %}
- {% endif %}
-
- {% if 'ssh_auth.absent' in user %}
- {% for auth in user['ssh_auth.absent'] %}
-users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
- ssh_auth.absent:
- - user: {{ name }}
- - name: {{ auth }}
- {% endfor %}
- {% endif %}
-
- {% if 'ssh_config' in user %}
-users_ssh_config_{{ name }}:
- file.managed:
- - name: {{ home }}/.ssh/config
- - user: {{ name }}
- - group: {{ user_group }}
- - mode: 640
- - contents: |
- # Managed by Saltstack
- # Do Not Edit
- {% for label, setting in user.ssh_config.items() %}
- # {{ label }}
- Host {{ setting.get('hostname') }}
- {%- for opts in setting.get('options') %}
- {{ opts }}
- {%- endfor %}
- {% endfor -%}
- {% endif %}
- {%- endif %}
-{% endfor %}
diff --git a/users/bashrc.sls b/users/bashrc.sls
index 2cf29bd..fc268f4 100644
--- a/users/bashrc.sls
+++ b/users/bashrc.sls
@@ -1,32 +1,27 @@
-# -*- coding: utf-8 -*-
-# vim: ft=sls
-{##
- Name: users/bashrc.sls
- Description:
- This file sets up bashrcs
-#}
+{% from "users/map.jinja" import users with context %}
+include:
+ - users
-{% from "users/map.jinja" import users_settings with context %}
-
-{% for name, user in users_settings.items() %}
- {% if user.absent is not defined or not user.absent or user != None %}
- {% set home = user.get('home', "/home/%s" % name) %}
- {% set manage = user.get('manage_bashrc', False) %}
- {% if 'prime_group' in user and 'name' in user.get('prime_group', []) %}
- {% set user_group = user.prime_group.name %}
- {% else %}
- {% set user_group = name %}
- {% endif %}
- {% if manage %}
- users-{{ name }}-user-bashrc:
- file.managed:
- - name: {{ home }}/.bashrc
- - user: {{ name }}
- - group: {{ user_group }}
- - mode: 644
- - source:
- - salt://users/files/bashrc/{{ name }}/bashrc
- - salt://users/files/bashrc/bashrc
- {% endif %}
- {% endif %}
+{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
+{%- if user == None -%}
+{%- set user = {} -%}
+{%- endif -%}
+{%- set home = user.get('home', "/home/%s" % name) -%}
+{%- set manage = user.get('manage_bashrc', False) -%}
+{%- if 'prime_group' in user and 'name' in user['prime_group'] %}
+{%- set user_group = user.prime_group.name -%}
+{%- else -%}
+{%- set user_group = name -%}
+{%- endif %}
+{%- if manage -%}
+users_{{ name }}_user_bashrc:
+ file.managed:
+ - name: {{ home }}/.bashrc
+ - user: {{ name }}
+ - group: {{ user_group }}
+ - mode: 644
+ - source:
+ - salt://users/files/bashrc/{{ name }}/bashrc
+ - salt://users/files/bashrc/bashrc
+{% endif %}
 {% endfor %}
diff --git a/users/googleauth.sls b/users/googleauth.sls
index 166f7a4..9e6a9ff 100644
--- a/users/googleauth.sls
+++ b/users/googleauth.sls
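Review bot: The prologue of the new bashrc.sls loop (the `user == None` guard, `home`, `manage` and the `prime_group`/`user_group` resolution, about ten lines) is repeated verbatim in the vimrc.sls hunk at the end of this patch and again in init.sls, so a later fix to how the primary group is derived has to be applied three times. A single macro in map.jinja returning `home` and `user_group` for a `name, user` pair, imported alongside `users`, would give all three files one definition. Separately, `users_{{ name }}_user_bashrc` carries no `require` on the user state; it presumably relies on `include: - users` ordering the user creation first, which is worth stating in a comment or making explicit with `- require: - user: users_{{ name }}_user`.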
@@ -1,35 +1,31 @@
-# -*- coding: utf-8 -*-
-# vim: ft=sls
-{##
- Name: users/bashrc.sls
- Description:
- This file sets up bashrcs
-#}
+# vim: sts=2 ts=2 sw=2 et ai
+{% from "users/map.jinja" import users with context %}
-{% from "users/map.jinja" import users_settings with context %}
-
-users-googleauth-package:
- file.directory:
- - name: {{ users_settings.googleauth_dir }}
- - user: root
- - group: {{ users_settings.root_group }}
- - mode: 600
+users_googleauth-package:
 pkg.installed:
- - name: {{ users_settings.googleauth_package }}
-{% for name, user in users_settings.items() %}
- {% if user.absent is not defined or not user.absent or user != None %}
- {% if 'google_auth' in user %}
- {% for svc in user.get('google_auth') %}
- {% if user.get('google_2fa', True) %}
+ - name: {{ users.googleauth_package }}
+ - require:
+ - file: {{ users.googleauth_dir }}
+
+users_{{ users.googleauth_dir }}:
+ file.directory:
+ - name: {{ users.googleauth_dir }}
+ - user: root
+ - group: {{ users.root_group }}
+ - mode: 600
+
+{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
+{%- if 'google_auth' in user %}
+{%- for svc in user['google_auth'] %}
+{%- if user.get('google_2fa', True) %}
 users_googleauth-pam-{{ svc }}-{{ name }}:
 file.replace:
 - name: /etc/pam.d/{{ svc }}
 - pattern: "^@include common-auth"
- - repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users_settings.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
+ - repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
 - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
 - backup: .bak
- {% endif %}
- {% endfor %}
- {% endif %}
- {% endif %}
-{% endfor %}
+{%- endif %}
+{%- endfor %}
+{%- endif %}
+{%- endfor %}
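Review bot: The new `{% for name, user in pillar.get('users', {}).items() ... %}` loop in googleauth.sls has no guard for a `None` pillar entry, unlike the same loops in bashrc.sls, vimrc.sls and init.sls in this commit, so a user listed as a bare key with no mapping makes `'google_auth' in user` raise a TypeError while rendering and the whole state file fails to compile. Adding the same three lines right after the `for`, `{%- if user == None -%}` / `{%- set user = {} -%}` / `{%- endif -%}`, keeps the four files consistent. Separately, the `[success=done ...]` control in the repl line ends the auth stack as soon as the verification code is accepted, so the `@include common-auth` placed after it is not consulted on success; if `google_2fa` is meant to require the code in addition to the password, `success=ok` would let the stack fall through to common-auth, which is worth confirming against the intended policy.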
diff --git a/users/init.sls b/users/init.sls
index 02134d9..8262cbd 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -1,12 +1,365 @@
-# -*- coding: utf-8 -*-
-# vim: ft=sls
-{##
- Name: users/init.sls
- Description:
- This file sets up users, sudo, google auth, flight control, bashrc, vimrc
-#}
+# vim: sts=2 ts=2 sw=2 et ai
+{% from "users/map.jinja" import users with context %}
+{% set used_sudo = [] %}
+{% set used_googleauth = [] %}
+
+{%- for name, user in pillar.get('users', {}).iteritems() if user.absent is not defined or not user.absent %}
+{%- if user == None -%}
+{%- set user = {} -%}
+{%- endif -%}
+{%- if 'sudouser' in user and user['sudouser'] %}
+{%- do used_sudo.append(1) %}
+{%- endif %}
+{%- if 'google_auth' in user %}
+{%- do used_googleauth.append(1) %}
+{%- endif %}
+{%- endfor %}
+
+{%- if used_sudo or used_googleauth %}
 include:
- - users.adduser
+{%- if used_sudo %}
 - users.sudo
+{%- endif %}
+{%- if used_googleauth %}
 - users.googleauth
- - users.absentusers
+{%- endif %}
+{%- endif %}
+
+{% for name, user in pillar.get('users', {}).iteritems() if user.absent is not defined or not user.absent %}
+{%- if user == None -%}
+{%- set user = {} -%}
+{%- endif -%}
+{%- set home = user.get('home', "/home/%s" % name) -%}
+
+{%- if 'prime_group' in user and 'name' in user['prime_group'] %}
+{%- set user_group = user.prime_group.name -%}
+{%- else -%}
+{%- set user_group = name -%}
+{%- endif %}
+
+{% for group in user.get('groups', []) %}
+users_{{ name }}_{{ group }}_group:
+ group:
+ - name: {{ group }}
+ - present
+{% endfor %}
+
+users_{{ name }}_user:
+ {% if user.get('createhome', True) %}
+ file.directory:
+ - name: {{ home }}
+ - user: {{ name }}
+ - group: {{ user_group }}
+ - mode: {{ user.get('user_dir_mode', '0750') }}
+ - require:
+ - user: users_{{ name }}_user
+ - group: {{ user_group }}
+ {%- endif %}
+ group.present:
+ - name: {{ user_group }}
+ {%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
+ - gid: {{ user['prime_group']['gid'] }}
+ {%- elif 'uid' in user %}
+ - gid: {{ user['uid'] }}
+ {%- endif %}
+ user.present:
+ - name: {{ name }}
+ - home: {{ home }}
+ - shell: {{ user.get('shell', users.get('shell', '/bin/bash')) }}
+ {% if 'uid' in user -%}
+ - uid: {{ user['uid'] }}
+ {% endif -%}
+ {% if 'password' in user -%}
+ - password: '{{ user['password'] }}'
+ {% endif -%}
+ {% if 'enforce_password' in user -%}
+ - enforce_password: {{ user['enforce_password'] }}
+ {% endif -%}
+ {% if user.get('system', False) -%}
+ - system: True
+ {% endif -%}
+ {% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
+ - gid: {{ user['prime_group']['gid'] }}
+ {% else -%}
+ - gid_from_name: True
+ {% endif -%}
+ {% if 'fullname' in user %}
+ - fullname: {{ user['fullname'] }}
+ {% endif -%}
+ {% if not user.get('createhome', True) %}
+ - createhome: False
+ {% endif %}
+ {% if 'expire' in user -%}
+ - expire: {{ user['expire'] }}
+ {% endif -%}
+ - remove_groups: {{ user.get('remove_groups', 'False') }}
+ - groups:
+ - {{ user_group }}
+ {% for group in user.get('groups', []) -%}
+ - {{ group }}
+ {% endfor %}
+ - require:
+ - group: {{ user_group }}
+ {% for group in user.get('groups', []) -%}
+ - group: {{ group }}
+ {% endfor %}
+
+
+ {% if 'ssh_keys' in user or 'ssh_auth' in user or 'ssh_auth_file' in user or 'ssh_auth.absent' in user %}
+user_keydir_{{ name }}:
+ file.directory:
+ - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
+ - user: {{ name }}
+ - group: {{ user_group }}
+ - makedirs: True
+ - mode: 700
+ - require:
+ - user: {{ name }}
+ - group: {{ user_group }}
+ {%- for group in user.get('groups', []) %}
+ - group: {{ group }}
+ {%- endfor %}
+ {% endif %}
+
+ {% if 'ssh_keys' in user %}
+ {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
+users_user_{{ name }}_private_key:
+ file.managed:
+ - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
+ - user: {{ name }}
+ - group: {{ user_group }}
+ - mode: 600
+ - show_diff: False
+ - contents_pillar: users:{{ name }}:ssh_keys:privkey
+ - require:
+ - user: users_{{ name }}_user
+ {% for group in user.get('groups', []) %}
+ - group: users_{{ name }}_{{ group }}_group
+ {% endfor %}
+users_user_{{ name }}_public_key:
+ file.managed:
+ - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
+ - user: {{ name }}
+ - group: {{ user_group }}
+ - mode: 644
+ - show_diff: False
+ - contents_pillar: users:{{ name }}:ssh_keys:pubkey
+ - require:
+ - user: users_{{ name }}_user
+ {% for group in user.get('groups', []) %}
+ - group: users_{{ name }}_{{ group }}_group
+ {% endfor %}
+ {% endif %}
+
+{% if 'ssh_auth_file' in user %}
+users_authorized_keys_{{ name }}:
+ file.managed:
+ - name: {{ home }}/.ssh/authorized_keys
+ - user: {{ name }}
+ - group: {{ name }}
+ - mode: 600
+ - contents: |
+ {% for auth in user.ssh_auth_file -%}
+ {{ auth }}
+ {% endfor -%}
+{% endif %}
+
+{% if 'ssh_auth' in user %}
+{% for auth in user['ssh_auth'] %}
+users_ssh_auth_{{ name }}_{{ loop.index0 }}:
+ ssh_auth.present:
+ - user: {{ name }}
+ - name: {{ auth }}
+ - require:
+ - file: users_{{ name }}_user
+ - user: users_{{ name }}_user
+{% endfor %}
+{% endif %}
+
+{% if 'ssh_keys_pillar' in user %}
+{% for key_name, pillar_name in user['ssh_keys_pillar'].items() %}
+user_ssh_keys_files_{{ name }}_{{ key_name }}_private_key:
+ file.managed:
+ - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}
+ - user: {{ name }}
+ - group: {{ user_group }}
+ - mode: 600
+ - show_diff: False
+ - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
+ - require:
+ - user: users_{{ name }}_user
+ {% for group in user.get('groups', []) %}
+ - group: users_{{ name }}_{{ group }}_group
+ {% endfor %}
+user_ssh_keys_files_{{ name }}_{{ key_name }}_public_key:
+ file.managed:
+ - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub
+ - user: {{ name }}
+ - group: {{ user_group }}
+ - mode: 644
+ - show_diff: False
+ - contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey
+ - require:
+ - user: users_{{ name }}_user
+ {% for group in user.get('groups', []) %}
+ - group: users_{{ name }}_{{ group }}_group
+ {% endfor %}
+{% endfor %}
+{% endif %}
+
+{% if 'ssh_auth_sources' in user %}
+{% for pubkey_file in user['ssh_auth_sources'] %}
+users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
+ ssh_auth.present:
+ - user: {{ name }}
+ - source: {{ pubkey_file }}
+ - require:
+ - file: users_{{ name }}_user
+ - user: users_{{ name }}_user
+{% endfor %}
+{% endif %}
+
+{% if 'ssh_auth.absent' in user %}
+{% for auth in user['ssh_auth.absent'] %}
+users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
+ ssh_auth.absent:
+ - user: {{ name }}
+ - name: {{ auth }}
+ - require:
+ - file: users_{{ name }}_user
+ - user: users_{{ name }}_user
+{% endfor %}
+{% endif %}
+
+{% if 'ssh_config' in user %}
+users_ssh_config_{{ name }}:
+ file.managed:
+ - name: {{ home }}/.ssh/config
+ - user: {{ name }}
+ - group: {{ user_group }}
+ - mode: 640
+ - contents: |
+ # Managed by Saltstack
+ # Do Not Edit
+ {% for label, setting in user.ssh_config.items() %}
+ # {{ label }}
+ Host {{ setting.get('hostname') }}
+ {%- for opts in setting.get('options') %}
+ {{ opts }}
+ {%- endfor %}
+ {% endfor -%}
+{% endif %}
+
+{% if 'sudouser' in user and user['sudouser'] %}
+
+users_sudoer-{{ name }}:
+ file.managed:
+ - name: {{ users.sudoers_dir }}/{{ name }}
+ - user: root
+ - group: {{ users.root_group }}
+ - mode: '0440'
+{% if 'sudo_rules' in user or 'sudo_defaults' in user %}
+{% if 'sudo_rules' in user %}
+{% for rule in user['sudo_rules'] %}
+"validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
+ cmd.run:
+ - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
+ - stateful: True
+ - shell: {{ users.visudo_shell }}
+ - env:
+ # Specify the rule via an env var to avoid shell quoting issues.
+ - rule: "{{ name }} {{ rule }}"
+ - require_in:
+ - file: users_{{ users.sudoers_dir }}/{{ name }}
+{% endfor %}
+{% endif %}
+{% if 'sudo_defaults' in user %}
+{% for entry in user['sudo_defaults'] %}
+"validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
+ cmd.run:
+ - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
+ - stateful: True
+ - shell: {{ users.visudo_shell }}
+ - env:
+ # Specify the rule via an env var to avoid shell quoting issues.
+ - rule: "Defaults:{{ name }} {{ entry }}"
+ - require_in:
+ - file: users_{{ users.sudoers_dir }}/{{ name }}
+{% endfor %}
+{% endif %}
+
+users_{{ users.sudoers_dir }}/{{ name }}:
+ file.managed:
+ - name: {{ users.sudoers_dir }}/{{ name }}
+ - contents: |
+ {%- if 'sudo_defaults' in user %}
+ {%- for entry in user['sudo_defaults'] %}
+ Defaults:{{ name }} {{ entry }}
+ {%- endfor %}
+ {%- endif %}
+ {%- if 'sudo_rules' in user %}
+ {%- for rule in user['sudo_rules'] %}
+ {{ name }} {{ rule }}
+ {%- endfor %}
+ {%- endif %}
+ - require:
+ - file: users_sudoer-defaults
+ - file: users_sudoer-{{ name }}
+{% endif %}
+{% else %}
+users_{{ users.sudoers_dir }}/{{ name }}:
+ file.absent:
+ - name: {{ users.sudoers_dir }}/{{ name }}
+{% endif %}
+
+{%- if 'google_auth' in user %}
+{%- for svc in user['google_auth'] %}
+users_googleauth-{{ svc }}-{{ name }}:
+ file.managed:
+ - replace: false
+ - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
+ - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
+ - user: root
+ - group: {{ users.root_group }}
+ - mode: 400
+ - require:
+ - pkg: users_googleauth-package
+{%- endfor %}
+{%- endif %}
+
+{% endfor %}
+
+
+{% for name, user in pillar.get('users', {}).iteritems() if user.absent is defined and user.absent %}
+users_absent_user_{{ name }}:
+{% if 'purge' in user or 'force' in user %}
+ user.absent:
+ - name: {{ name }}
+ {% if 'purge' in user %}
+ - purge: {{ user['purge'] }}
+ {% endif %}
+ {% if 'force' in user %}
+ - force: {{ user['force'] }}
+ {% endif %}
+{% else %}
+ user.absent:
+ - name: {{ name }}
+{% endif -%}
+users_{{ users.sudoers_dir }}/{{ name }}:
+ file.absent:
+ - name: {{ users.sudoers_dir }}/{{ name }}
+{% endfor %}
+
+{% for user in pillar.get('absent_users', []) %}
+users_absent_user_2_{{ user }}:
+ user.absent
+users_2_{{ users.sudoers_dir }}/{{ user }}:
+ file.absent:
+ - name: {{ users.sudoers_dir }}/{{ user }}
+{% endfor %}
+
+{% for group in pillar.get('absent_groups', []) %}
+users_absent_group_{{ group }}:
+ group.absent:
+ - name: {{ group }}
+{% endfor %}
diff --git a/users/map.jinja b/users/map.jinja
index 803e322..f81acc4 100644
--- a/users/map.jinja
+++ b/users/map.jinja
@@ -1,11 +1,5 @@
-# -*- coding: utf-8 -*-
-# vim: ft=jinja
-{##
- This map.jinja pulls in
- - os flavor related decisions
- - merges in users pillar
-##}
-{% set os_settingss = salt['grains.filter_by']({
+# vim: sts=2 ts=2 sw=2 et ai
+{% set users = salt['grains.filter_by']({
 'Debian': {
 'sudoers_dir': '/etc/sudoers.d',
 'sudoers_file': '/etc/sudoers',
@@ -50,12 +44,4 @@
 'sudo_package': 'sudo',
 'googleauth_package': 'libpam-google-authenticator',
 },
-}, merge=salt['pillar.get']('users:lookup')) -%}
-{%
-set users_settings = salt['pillar.get'](
- 'users',
- default=os_settings,
- merge=True) -%}
-
+}, merge=salt['pillar.get']('users:lookup')) %}
diff --git a/users/sudo.sls b/users/sudo.sls
index dab2e71..2953ad2 100644
--- a/users/sudo.sls
+++ b/users/sudo.sls
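Review bot: The `visudo` validation states added under `sudo_rules` and `sudo_defaults` in init.sls cannot fail by exit status: the pipeline's status is that of the trailing `{ read output; if ...; fi }` group, which is always 0, so a rule that visudo rejects is only caught if the echoed text trips the `stateful: True` output parsing, and visudo appears to write its diagnostics to stderr rather than stdout (to be confirmed on the target sudo version), in which case nothing is echoed and the state passes. Since the `require_in` on these states is what gates the write of `{{ users.sudoers_dir }}/{{ name }}`, an invalid rule could then reach the sudoers fragment. Prefixing the command with `set -o pipefail;` makes a visudo failure surface as a non-zero pipeline status, which cmd.run should report as a failed state; `<<<` and `[[` already require bash, so pipefail is available, and the same pattern appears twice (rules and Defaults). Also, the `require: - file: users_{{ name }}_user` on the `ssh_auth.present`, `ssh_auth_source` and `ssh_auth.absent` states only resolves when `createhome` is true, because the `file.directory` under that ID sits inside `{% if user.get('createhome', True) %}`; with `createhome: False` the requisite is unsatisfiable and those states error out.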
@@ -1,89 +1,33 @@
-# -*- coding: utf-8 -*-
-# vim: ft=sls
-{##
- Name: users/sudo.sls
- Description:
- This file sets up sudoers
-#}
-
-{% from "users/map.jinja" import users_settings with context %}
+# vim: sts=2 ts=2 sw=2 et ai
+{% from "users/map.jinja" import users with context %}
 # Ensure availability of bash
-users-bashpackage-group-dir:
+users_bash-package:
 pkg.installed:
- - name: {{ users_settings.bash_package }}
+ - name: {{ users.bash_package }}
+
+users_sudo-group:
 group.present:
 - name: sudo
 - system: True
- file.directory:
- - name: {{ users_settings.sudoers_dir }}
-users-sudo-package:
+users_sudo-package:
 pkg.installed:
- - name: {{ users_settings.sudo_package }}
+ - name: {{ users.sudo_package }}
 - require:
 - group: users_sudo-group
- - file: {{ users_settings.sudoers_dir }}
- file.append:
- - name: {{ users_settings.sudoers_file }}
- - text:
- - Defaults env_reset
- - Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
- - '#includedir {{ users_settings.sudoers_dir }}'
-{% for name, user in users_settings.items() %}
- {% if user.absent is not defined or not user.absent or user != None %}
- {% if 'sudouser' in user and user['sudouser'] %}
-users-sudoer-{{ name }}:
- file.managed:
- - name: {{ users.sudoers_dir }}/{{ name }}
- - user: root
- - group: {{ users.root_group }}
- - mode: '0440'
- {% if 'sudo_rules' in user or 'sudo_defaults' in user %}
- {% if 'sudo_rules' in user %}
- {% for rule in user['sudo_rules'] %}
-"validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
- cmd.run:
- - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
- - stateful: True
- - shell: {{ users.visudo_shell }}
- - env:
- # Specify the rule via an env var to avoid shell quoting issues.
- - rule: "{{ name }} {{ rule }}"
- {% endfor %}
- {% endif %}
- {% if 'sudo_defaults' in user %}
- {% for entry in user['sudo_defaults'] %}
-"validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}":
- cmd.run:
- - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }'
- - stateful: True
- - shell: {{ users.visudo_shell }}
- - env:
- # Specify the rule via an env var to avoid shell quoting issues.
- - rule: "Defaults:{{ name }} {{ entry }}"
- {% endfor %}
- {% endif %}
+ - file: {{ users.sudoers_dir }}
-users_{{ users.sudoers_dir }}/{{ name }}:
- file.managed:
- - name: {{ users.sudoers_dir }}/{{ name }}
- - contents: |
- {%- if 'sudo_defaults' in user %}
- {%- for entry in user['sudo_defaults'] %}
- Defaults:{{ name }} {{ entry }}
- {%- endfor %}
- {%- endif %}
- {%- if 'sudo_rules' in user %}
- {%- for rule in user['sudo_rules'] %}
- {{ name }} {{ rule }}
- {%- endfor %}
- {%- endif %}
- {% endif %}
- {% else %}
-users_{{ users.sudoers_dir }}/{{ name }}:
- file.absent:
- - name: {{ users.sudoers_dir }}/{{ name }}
- {% endif %}
- {% endif %}
-{% endfor %}
+users_{{ users.sudoers_dir }}:
+ file.directory:
+ - name: {{ users.sudoers_dir }}
+
+users_sudoer-defaults:
+ file.append:
+ - name: {{ users.sudoers_file }}
+ - require:
+ - pkg: users_sudo-package
+ - text:
+ - Defaults env_reset
+ - Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ - '#includedir {{ users.sudoers_dir }}'
diff --git a/users/vimrc.sls b/users/vimrc.sls
index 1ffedba..e678bb6 100644
--- a/users/vimrc.sls
+++ b/users/vimrc.sls
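Review bot: The new `users_{{ users.sudoers_dir }}` `file.directory` state in sudo.sls sets no owner, group or mode, so the directory that the appended `#includedir` line points sudo at is created with whatever umask the minion runs under and is never corrected if it already exists with loose permissions; a directory other local accounts can write to lets them add, rename or remove policy fragments even though sudo itself rejects fragments not owned by root. Pinning it with `- user: root`, `- group: {{ users.root_group }}` and `- mode: '0755'` matches what init.sls already does for the per-user fragments (`mode: '0440'`, `users.root_group`). The `require` on `users_sudo-package` resolves by name, but referencing the state id (`file: users_{{ users.sudoers_dir }}`) would be consistent with the id-based requisites used elsewhere in the file.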
@@ -1,33 +1,28 @@
-# -*- coding: utf-8 -*-
-# vim: ft=sls
-{##
- Name: users/vimrc.sls
- Description:
- This file sets up vimrc for users
-#}
-{% from "users/map.jinja" import users_settings with context %}
+{% from "users/map.jinja" import users with context %}
 include:
+ - users
 - vim
-{% for name, user in users_settings.items() %}
- {% if user.absent is not defined or not user.absent or user != None %}
- {% set home = user.get('home', "/home/%s" % name) %}
- {% set manage = user.get('manage_vimrc', False) %}
- {% if 'prime_group' in user and 'name' in user['prime_group'] %}
- {% set user_group = user.prime_group.name %}
- {% else %}
- {% set user_group = name %}
- {% endif %}
- {% if manage %}
- users_{{ name }}_user_vimrc:
- file.managed:
- - name: {{ home }}/.vimrc
- - user: {{ name }}
- - group: {{ user_group }}
- - mode: 644
- - source:
- - salt://users/files/vimrc/{{ name }}/vimrc
- - salt://users/files/vimrc/vimrc
- {% endif %}
- {% endif %}
+{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
+{%- if user == None -%}
+{%- set user = {} -%}
+{%- endif -%}
+{%- set home = user.get('home', "/home/%s" % name) -%}
+{%- set manage = user.get('manage_vimrc', False) -%}
+{%- if 'prime_group' in user and 'name' in user['prime_group'] %}
+{%- set user_group = user.prime_group.name -%}
+{%- else -%}
+{%- set user_group = name -%}
+{%- endif %}
+{%- if manage -%}
+users_{{ name }}_user_vimrc:
+ file.managed:
+ - name: {{ home }}/.vimrc
+ - user: {{ name }}
+ - group: {{ user_group }}
+ - mode: 644
+ - source:
+ - salt://users/files/vimrc/{{ name }}/vimrc
+ - salt://users/files/vimrc/vimrc
+{% endif %}
 {% endfor %}