diff --git a/README.md b/README.md
index 50ae8ce..61255d3 100644
--- a/README.md
+++ b/README.md
@@ -2,3 +2,14 @@ users
 =====
 Configure users via pillar
+
+Using this state, you can configure users entirely via pillar:
+
+ users:
+ auser:
+ sudouser: True
+ shell: /bin/zsh
+ groups:
+ - admin
+ ssh_auth:
+ - ssh-rsa PUBLICKEYKEYKEY
\ No newline at end of file
diff --git a/users/init.sls b/users/init.sls
new file mode 100644
index 0000000..1349161
--- /dev/null
+++ b/users/init.sls
@@ -0,0 +1,120 @@
+include:
+ - users.sudo
+
+{% for name, user in pillar.get('users', {}).items() %}
+{% if user == None %}
+{% set user = {} %}
+{% endif %}
+{% set home = user.get('home', "/home/%s" % name) %}
+
+{% for group in user.get('groups', []) %}
+{{ group }}_group:
+ group:
+ - name: {{ group }}
+ - present
+{% endfor %}
+
+{{ name }}_user:
+ file.directory:
+ - name: {{ home }}
+ - user: {{ name }}
+ - group: {{ name }}
+ - mode: 0755
+ - require:
+ - user: {{ name }}
+ - group: {{ name }}
+ group.present:
+ - name: {{ name }}
+ user.present:
+ - name: {{ name }}
+ - home: {{ home }}
+ - shell: {{ pillar.get('shell', '/bin/bash') }}
+ {% if 'uid' in user -%}
+ - uid: {{ user['uid'] }}
+ {% endif %}
+ - gid_from_name: True
+ {% if 'fullname' in user %}
+ - fullname: {{ user['fullname'] }}
+ {% endif %}
+ - groups:
+ - {{ name }}
+ {% for group in user.get('groups', []) %}
+ - {{ group }}_group
+ {% endfor %}
+ - require:
+ - group: {{ name }}_user
+ {% for group in user.get('groups', []) %}
+ - group: {{ group }}_group
+ {% endfor %}
+
+user_keydir_{{ name }}:
+ file.directory:
+ - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
+ - user: {{ name }}
+ - group: {{ name }}
+ - makedirs: True
+ - mode: 744
+ - require:
+ - user: {{ name }}
+ - group: {{ name }}
+ {% for group in user.get('groups', []) %}
+ - group: {{ group }}
+ {% endfor %}
+
+ {% if 'privkey' in user %}
+user_{{ name }}_private_key:
+ file.managed:
+ - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/id_rsa
+ - user: {{ name }}
+ - group: {{ name }}
+ - mode: 600
+ - source: salt://keys/{{ user['privkey'] }}
+ - require:
+ - user: {{ name }}_user
+ {% for group in user.get('groups', []) %}
+ - group: {{ group }}_group
+ {% endfor %}
+user_{{ name }}_public_key:
+ file.managed:
+ - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/id_rsa.pub
+ - user: {{ name }}
+ - group: {{ name }}
+ - mode: 644
+ - source: salt://keys/{{ user['privkey'] }}.pub
+ - require:
+ - user: {{ name }}_user
+ {% for group in user.get('groups', []) %}
+ - group: {{ group }}_group
+ {% endfor %}
+ {% endif %}
+
+
+ {% if 'ssh_auth' in user %}
+ {% for auth in user['ssh_auth'] %}
+ssh_auth_{{ name }}_{{ loop.index0 }}:
+ ssh_auth.present:
+ - user: {{ name }}
+ - name: {{ auth }}
+ - require:
+ - file: {{ name }}_user
+ - user: {{ name }}_user
+{% endfor %}
+{% endif %}
+
+{% if 'sudouser' in user %}
+sudoer-{{ name }}:
+ file.append:
+ - name: /etc/sudoers
+ - text:
+ - "{{ name }} ALL=(ALL) NOPASSWD: ALL"
+ - require:
+ - file: sudoer-defaults
+
+{% endif %}
+
+{% endfor %}
+
+{% for user in pillar.get('absent_users', []) %}
+{{ user }}:
+ user.absent
+{% endfor %}
diff --git a/users/sudo.sls b/users/sudo.sls
new file mode 100644
index 0000000..bdcc7e6
--- /dev/null
+++ b/users/sudo.sls
@@ -0,0 +1,22 @@
+sudo:
+ group:
+ - present
+ - system: True
+ pkg:
+ - installed
+ - require:
+ - group: sudo
+ - file: /etc/sudoers.d
+
+/etc/sudoers.d:
+ file:
+ - directory
+
+sudoer-defaults:
+ file.append:
+ - name: /etc/sudoers
+ - require:
+ - pkg: sudo
+ - text:
+ - Defaults env_reset
+ - Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
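Review bot: `{% if 'sudouser' in user %}` grants passwordless sudo on key presence alone, so a pillar entry `sudouser: False` still appends `{{ name }} ALL=(ALL) NOPASSWD: ALL` to `/etc/sudoers`; test the value instead, `{% if user.get('sudouser', False) %}`. Under `user.present` the `groups` list contains `- {{ group }}_group`, which is the state ID, while the group actually created has `name: {{ group }}`, so the user is added to a group that does not exist — it should be `- {{ group }}`. `user_keydir_{{ name }}` creates `.ssh` with `mode: 744`; `mode: 700` is the conventional permission for a directory holding key material and would match the `mode: 600` used for `id_rsa` below it. The `shell` value is read from top-level pillar (`pillar.get('shell', '/bin/bash')`) although the README example in this commit sets `shell` per user, so `user.get('shell', pillar.get('shell', '/bin/bash'))` would honour the documented form. Note also that `source: salt://keys/{{ user['privkey'] }}` distributes a private key from the master fileserver, which any minion can fetch, so this option is only appropriate where that exposure is acceptable.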
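Review bot: `/etc/sudoers.d` is declared as `file: - directory` with no `user`, `group` or `mode`, so its ownership and permissions are whatever the minion's defaults produce; the usual permissions for this directory are `root:root` `0750`, e.g. `- user: root`, `- group: root`, `- mode: 750`. Nothing in this hunk adds `#includedir /etc/sudoers.d` to `/etc/sudoers`, and `users/init.sls` appends its per-user rules to `/etc/sudoers` directly, so the directory is created but unused unless the distribution's stock sudoers already includes it. `sudoer-defaults` appends to `/etc/sudoers` without a syntax check; a malformed line there disables sudo for every user, so managing a drop-in file under `/etc/sudoers.d` with `check_cmd: visudo -cf` would be the safer pattern.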