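users-formula:
  # NOTE(review): presumably expects the vim-formula to be deployed alongside
  # this formula — confirm against the formula README before enabling.
  use_vim_formula: true
  lookup:  # override the defaults in map.jinja
    root_group: root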
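users:
  ## Minimal required pillar values
  auser:
    fullname: A User
    allow_gid_change: false

  ## Full list of pillar values
  buser:
    fullname: B User
    # Pre-hashed crypt(3) string (here a SHA-512 '$6$' hash). Keep real hashes
    # out of plain-text pillar committed to VCS (e.g. use an encrypted pillar).
    password: $6$w.............
    # false keeps an already-set password from being reset to 'password'.
    enforce_password: true
    # WARNING: If 'empty_password' is set to true, the 'password' statement
    # will be ignored by enabling password-less login for the user.
    empty_password: false
    # true hashes a clear-text 'password' on the minion; false (the default)
    # expects 'password' to already be a hash.
    hash_password: false
    system: false
    home: /custom/buser
    homedir_owner: buser
    homedir_group: primarygroup
    user_dir_mode: 750
    createhome: true
    roomnumber: "A-1"
    workphone: "(555) 555-5555"
    homephone: "(555) 555-5551"
    manage_vimrc: false
    allow_gid_change: true
    manage_bashrc: false
    manage_profile: false
    # Account expiry date, expressed as days since the epoch (1970-01-01).
    expire: 16426
    # Disables user management except sudo rules.
    # Useful for setting sudo rules for system accounts created by package installation
    sudoonly: false
    sudouser: true
    # sudo_rules doesn't need the username as a prefix for the rule
    # this is added automatically by the formula.
    # ----------------------------------------------------------------------
    # In case your sudo_rules have a colon please have in mind to not leave
    # spaces around it. YAML reads an unquoted ': ' as a key/value separator,
    # so the rule would be parsed as a mapping instead of a string. For example:
    # ALL=(ALL) NOPASSWD: ALL <--- THIS WILL NOT WORK (the sudoers syntax itself is fine)
    # ALL=(ALL) NOPASSWD:ALL <--- THIS WILL WORK
    # "ALL=(ALL) NOPASSWD: ALL" <--- quoting the whole rule also works
    # Each entry is installed verbatim into sudoers, so keep rules as narrow as
    # possible and review what the listed commands can do when run as root.
    sudo_rules:
      - ALL=(root) /usr/bin/find
      - ALL=(otheruser) /usr/bin/script.sh
    sudo_defaults:
      - '!requiretty'
    shell: /bin/bash
    remove_groups: false
    prime_group:
      name: primarygroup
      gid: 500
    groups:
      - users
    optional_groups:
      - some_groups_that_might
      - not_exist_on_all_minions
    ssh_key_type: rsa
    # You can inline the private keys ...
    # Note: private keys in pillar are delivered to every minion matching the
    # pillar target; prefer an encrypted pillar or the fileserver path form.
    ssh_keys:
      # Only one of the inline and the salt:// form may be active for the same
      # key name: a mapping with duplicate keys is silently last-wins in PyYAML.
      # privkey: PRIVATEKEY
      # pubkey: PUBLICKEY
      # ... or you can provide path to key on Salt fileserver
      privkey: salt://path_to_PRIVATEKEY
      pubkey: salt://path_to_PUBLICKEY
      # you can provide multiple keys, the key name is taken as the filename;
      # make sure your public key's suffix is .pub
      foobar: PRIVATEKEY
      foobar.pub: PUBLICKEY
    # ... or you can pull them from a different pillar,
    # for example one called "ssh_keys":
    ssh_keys_pillar:
      id_rsa: "ssh_keys"
      another_key_pair: "ssh_keys"
    ssh_auth:
      - PUBLICKEY
    ssh_auth.absent:
      - PUBLICKEY_TO_BE_REMOVED
    # Generates an authorized_keys file for the user
    # with the given keys
    ssh_auth_file:
      - PUBLICKEY
    # ... or you can pull them from a different pillar similar to ssh_keys_pillar
    ssh_auth_pillar:
      id_rsa: "ssh_keys"
    # If you prefer to keep public keys as files rather
    # than inline in pillar, this works.
    ssh_auth_sources:
      - salt://keys/buser.id_rsa.pub
    ssh_auth_sources.absent:
      - salt://keys/deleteduser.id_rsa.pub  # PUBLICKEY_FILE_TO_BE_REMOVED
    # Manage entries in the user's ~/.ssh/known_hosts
    ssh_known_hosts:
      importanthost:
        port: 22
        # quoted so the colon-separated value can only ever be read as a string
        fingerprint: "16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48"
        key: PUBLICKEY
        enc: ssh-rsa
        hash_known_hosts: true
        timeout: 5
        fingerprint_hash_type: sha256
    ssh_known_hosts.absent:
      - notimportanthost
    # Manage the ~/.ssh/config file
    ssh_config:
      # NOTE: this 'all' stanza turns host-key verification off for every host
      # that has no more specific entry below. It documents the syntax; do not
      # copy it as a default, since it defeats the ssh_known_hosts entries above.
      all:
        hostname: "*"
        options:
          - "StrictHostKeyChecking no"
          - "UserKnownHostsFile=/dev/null"
      importanthost:
        hostname: "needcheck.example.com"
        options:
          - "StrictHostKeyChecking yes"

    # Using gitconfig without Git installed will result in an error
    # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.git.html:
    # This state module now requires git 1.6.5 (released 10 October 2009) or newer.
    gitconfig:
      user.name: B User
      user.email: buser@example.com
      "url.https://.insteadOf": "git://"

    gitconfig.absent:
      - push.default
      # presumably matched as a regular expression; the backslash is literal in a plain scalar
      - color\..+

    google_2fa: true
    google_auth:
      # Contents of the google-authenticator secret file; every value here is a placeholder.
      # NOTE(review): the 'ssh' key presumably names the PAM service — confirm against the formula.
      ssh: |
        SOMEGAUTHHASHVAL
        " RESETTING_TIME_SKEW 46956472+2 46991595-2
        " RATE_LIMIT 3 30 1415800560
        " DISALLOW_REUSE 47193352
        " TOTP_AUTH
        11111111
        22222222
        33333333
        44444444
        55555555
    # unique: false allows the user to have a non-unique uid
    # (Salt's user.present requires a unique UID by default)
    unique: false
    uid: 1001

    user_files:
      enabled: true
      # 'source' allows you to define an arbitrary directory to sync, useful to use for default files.
      # should be a salt fileserver path either with or without 'salt://'
      # if not present, it defaults to 'salt://users/files/user/<username>'
      source: users/files/default
      template: jinja
      # You can specify octal mode for files and symlinks that will be copied. Since version 2016.11.0
      # it's possible to use 'keep' for file_mode, to preserve file original mode, thus you can save
      # execution bit for example.
      file_mode: keep
      sym_mode: 640
      exclude_pat: "*.gitignore"

  ## Absent user
  cuser:
    absent: true
    purge: true  # also delete the user's files, not just the account
    force: true  # remove the account even if the user is currently logged in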
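## Old syntax of absent_users still supported
absent_users:
  - donald
  - bad_guy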
|
2019-03-07 11:55:56 +01:00
|
|
|
|
|
|
|
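groups:
  badguys:
    absent: true
  niceguys:
    gid: 4242
    system: false
    # NOTE(review): Salt's group.present documents addusers/delusers as lists;
    # confirm the formula accepts a bare scalar before copying this form.
    addusers: root
    delusers: toor
  ssl-cert:
    system: true
    # 'members' replaces the group's existing membership with exactly this list.
    members:
      - www-data
      - openldap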