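# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# Example pillar for users-formula. Each key under `users:` is an account name:
# `auser` shows the minimum, `buser` every supported option, `cuser` removal.
users-formula:
  use_vim_formula: true

lookup:
  # override the defaults in map.jinja
  root_group: root

# group initialization
groups:
  foo:
    state: present
    gid: 1500
    system: false
  badguys:
    absent: true
  niceguys:
    gid: 4242
    system: false
    addusers: root
    delusers: toor
  ssl-cert:
    system: true
    members:
      # *TODO*: run groups after all users created and then use `auser` and
      # `buser` instead
      - root
      - sshd
      # - bin
      # - daemon

users:
  ## Minimal required pillar values
  auser:
    fullname: A User

  ## Full list of pillar values
  buser:
    fullname: B User
    # With hash_password false the value is used as-is, so it must already be
    # a crypt(3) hash like this sample ($6$ = SHA-512), never plaintext.
    # Pillar data is delivered to the minion; keep real hashes in an encrypted
    # pillar source rather than in a file committed as-is.
    password: $6$w.............
    enforce_password: true
    # WARNING: If 'empty_password' is set to true, the 'password' statement
    # will be ignored by enabling password-less login for the user.
    empty_password: false
    hash_password: false
    system: false
    home: /custom/buser
    homedir_owner: buser
    homedir_group: primarygroup
    # Octal modes: write them without a leading zero (as here) or quoted
    # ("0750"); an unquoted 0750 is parsed as a different number by YAML 1.1.
    user_dir_mode: 750
    createhome: true
    roomnumber: "A-1"
    workphone: "(555) 555-5555"
    homephone: "(555) 555-5551"
    manage_vimrc: false
    allow_gid_change: false
    manage_bashrc: false
    manage_profile: false
    expire: 16426
    # Disables user management except sudo rules.
    # Useful for setting sudo rules for system accounts created by package installation
    sudoonly: false
    sudouser: true
    # sudo_rules doesn't need the username as a prefix for the rule
    # this is added automatically by the formula.
    # ----------------------------------------------------------------------
    # In case your sudo_rules have a colon please have in mind to not leave
    # spaces around it (YAML reads ': ' inside an unquoted value as a new
    # mapping). For example:
    # ALL=(ALL) NOPASSWD: ALL  <--- THIS WILL NOT WORK (Besides syntax is ok)
    # ALL=(ALL) NOPASSWD:ALL   <--- THIS WILL WORK
    # Review each rule for what the command can do: a command that can start
    # other programs (find's -exec, for instance) effectively grants full root,
    # so such a rule is a convenience, not a restriction.
    sudo_rules:
      - ALL=(root) /usr/bin/find
      - ALL=(otheruser) /usr/bin/script.sh
    sudo_defaults:
      - '!requiretty'
    # enable polkitadmin to make user an AdminIdentity for polkit
    polkitadmin: true
    shell: /bin/bash
    remove_groups: false
    prime_group:
      name: primarygroup
      gid: 1501
    groups:
      - users
    optional_groups:
      - some_groups_that_might
      - not_exist_on_all_minions
    ssh_key_type: rsa
    #
    # You can inline the private keys ...
    # (a private key placed here travels as pillar data; use an encrypted
    # pillar source for real keys)
    # ssh_keys:
    #   privkey: PRIVATEKEY
    #   pubkey: PUBLICKEY
    # # or you can provide path to key on Salt fileserver
    #   privkey: salt://path_to_PRIVATEKEY
    #   pubkey: salt://path_to_PUBLICKEY
    # # you can provide multiple keys, the keyname is taken as filename
    # # make sure your public keys suffix is .pub
    #   foobar: PRIVATEKEY
    #   foobar.pub: PUBLICKEY
    # # ... or you can pull them from a different pillar,
    # # for example one called "ssh_keys":
    # ssh_keys_pillar:
    #   id_rsa: "ssh_keys"
    #   another_key_pair: "ssh_keys"
    # ssh_auth:
    #   - PUBLICKEY
    # ssh_auth.absent:
    #   - PUBLICKEY_TO_BE_REMOVED
    # # Generates an authorized_keys file for the user
    # # with the given keys
    # ssh_auth_file:
    #   - PUBLICKEY
    # # ... or you can pull them from a different pillar similar to ssh_keys_pillar
    # ssh_auth_pillar:
    #   id_rsa: "ssh_keys"
    # # If you prefer to keep public keys as files rather
    # # than inline in pillar, this works.
    # ssh_auth_sources:
    #   - salt://keys/buser.id_rsa.pub
    # ssh_auth_sources.absent:
    #   - salt://keys/deleteduser.id_rsa.pub  # PUBLICKEY_FILE_TO_BE_REMOVED
    # Manage the user's ~/.ssh/known_hosts file
    ssh_known_hosts:
      importanthost:
        port: 22
        # The fingerprint must be the digest named by fingerprint_hash_type;
        # the 16-pair value shown has md5 length, while a sha256 digest is
        # 32 pairs in Salt's colon-separated form. Keep the two consistent.
        fingerprint: "16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48"
        key: PUBLICKEY
        enc: ssh-rsa
        hash_known_hosts: true
        timeout: 5
        fingerprint_hash_type: sha256
    ssh_known_hosts.absent:
      - notimportanthost
    # Manage the ~/.ssh/config file
    ssh_config:
      all:
        hostname: "*"
        # Host '*' with these two options turns off host key verification for
        # every connection this user makes and discards any learned keys, so a
        # spoofed server is not detected. Keep such settings scoped to specific
        # hosts (as 'importanthost' below does) outside of a lab.
        options:
          - "StrictHostKeyChecking no"
          - "UserKnownHostsFile=/dev/null"
      importanthost:
        hostname: "needcheck.example.com"
        options:
          - "StrictHostKeyChecking yes"
    # Using gitconfig without Git installed will result in an error
    # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.git.html:
    # This state module now requires git 1.6.5 (released 10 October 2009) or newer.
    gitconfig:
      user.name: B User
      user.email: buser@example.com
      "url.https://.insteadOf": "git://"
    gitconfig.absent:
      - push.default
      - 'color\..+'
    google_2fa: true
    # Contents of the user's google-authenticator file for the named PAM
    # service (first line is the shared secret, trailing lines are scratch
    # codes). This is a credential: keep it in an encrypted pillar source.
    google_auth:
      sshd: |
        SOMEGAUTHHASHVAL
        " RESETTING_TIME_SKEW 46956472+2 46991595-2
        " RATE_LIMIT 3 30 1415800560
        " DISALLOW_REUSE 47193352
        " TOTP_AUTH
        11111111
        22222222
        33333333
        44444444
        55555555
    # unique: false lets this account share its uid with another account
    # (Salt's user state requires a unique uid by default)
    unique: false
    uid: 1001
    user_files:
      enabled: true
      # 'source' allows you to define an arbitrary directory to sync,
      # useful to use for default files.
      # should be a salt fileserver path either with or without 'salt://'
      # if not present, it defaults to 'salt://users/files/user/'
      source: users/files
      # template: jinja
      # You can specify octal mode for files and symlinks that will be copied.
      # Since version 2016.11.0 it's possible to use 'keep' for file_mode,
      # to preserve file original mode, thus you can save execution bit for example.
      file_mode: keep
      # You can specify octal mode for directories as well.
      # This won't work on Windows minions
      # dir_mode: 775
      sym_mode: 640
      exclude_pat: "*.gitignore"

  ## Absent user
  cuser:
    absent: true
    purge: true
    force: true

## Old syntax of absent_users still supported
absent_users:
  - donald
  - bad_guy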