users-formula/users/init.sls
madflojo ebe5198f9d Modified Private Keys and Sudoers
Changed Private keys to have content within pillar rather than the salt
file repository.

Changes sudoers entry to get values from pillar rather than assuming
all sudo users want root.
2014-01-29 19:53:09 -07:00

151 lines
3.7 KiB
Plaintext

include:
- users.sudo
{% for name, user in pillar.get('users', {}).items() %}
{%- if user == None -%}
{%- set user = {} -%}
{%- endif -%}
{%- set home = user.get('home', "/home/%s" % name) -%}
{%- if 'prime_group' in user and 'name' in user['prime_group'] %}
{%- set user_group = user.prime_group.name -%}
{%- else -%}
{%- set user_group = name -%}
{%- endif %}
{% for group in user.get('groups', []) %}
{{ name }}_{{ group }}_group:
group:
- name: {{ group }}
- present
{% endfor %}
{{ name }}_user:
file.directory:
- name: {{ home }}
- user: {{ name }}
- group: {{ user_group }}
- mode: 0755
- require:
- user: {{ name }}
- group: {{ user_group }}
group.present:
- name: {{ user_group }}
{%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
- gid: {{ user['prime_group']['gid'] }}
{%- elif 'uid' in user %}
- gid: {{ user['uid'] }}
{%- endif %}
user.present:
- name: {{ name }}
- home: {{ home }}
- shell: {{ user.get('shell', '/bin/bash') }}
{% if 'uid' in user -%}
- uid: {{ user['uid'] }}
{% endif -%}
{% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
- gid: {{ user['prime_group']['gid'] }}
{% else -%}
- gid_from_name: True
{% endif -%}
{% if 'fullname' in user %}
- fullname: {{ user['fullname'] }}
{% endif -%}
- groups:
- {{ user_group }}
{% for group in user.get('groups', []) -%}
- {{ group }}
{% endfor %}
- require:
- group: {{ user_group }}
{% for group in user.get('groups', []) -%}
- group: {{ group }}
{% endfor %}
user_keydir_{{ name }}:
file.directory:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
- user: {{ name }}
- group: {{ user_group }}
- makedirs: True
- mode: 744
- require:
- user: {{ name }}
- group: {{ user_group }}
{%- for group in user.get('groups', []) %}
- group: {{ group }}
{%- endfor %}
{% if 'ssh_keys' in user %}
user_{{ name }}_private_key:
file.managed:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/id_rsa
- user: {{ name }}
- group: {{ user_group }}
- mode: 600
- contents: {{ user['ssh_keys']['privkey'] }}
- require:
- user: {{ name }}_user
{% for group in user.get('groups', []) %}
- group: {{ name }}_{{ group }}_group
{% endfor %}
user_{{ name }}_public_key:
file.managed:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/id_rsa.pub
- user: {{ name }}
- group: {{ name }}
- mode: 644
- contents: {{ user['ssh_keys']['pubkey'] }}
- require:
- user: {{ name }}_user
{% for group in user.get('groups', []) %}
- group: {{ name }}_{{ group }}_group
{% endfor %}
{% endif %}
{% if 'ssh_auth' in user %}
{% for auth in user['ssh_auth'] %}
ssh_auth_{{ name }}_{{ loop.index0 }}:
ssh_auth.present:
- user: {{ name }}
- name: {{ auth }}
- require:
- file: {{ name }}_user
- user: {{ name }}_user
{% endfor %}
{% endif %}
{% if 'sudouser' in user and user['sudouser'] %}
sudoer-{{ name }}:
file.managed:
- name: /etc/sudoers.d/{{ name }}
- user: root
- group: root
- mode: '0440'
/etc/sudoers.d/{{ name }}:
file.append:
- text:
{% for rule in user.get('sudo_rules', []) %}
- {{ rule }}
{% endfor %}
- require:
- file: sudoer-defaults
- file: sudoer-{{ name }}
{% else %}
/etc/sudoers.d/{{ name }}:
file.absent:
- name: /etc/sudoers.d/{{ name }}
{% endif %}
{% endfor %}
{% for user in pillar.get('absent_users', []) %}
{{ user }}:
user.absent
/etc/sudoers.d/{{ user }}:
file.absent:
- name: /etc/sudoers.d/{{ user }}
{% endfor %}