Salt
/
users-formula
mirror of https://github.com/saltstack-formulas/users-formula.git
0
0
Fork 0
Code Issues Activity

Merge branch 'master' into policykit-settings

This commit is contained in:
N 2019-06-18 15:53:07 +01:00 committed by GitHub
parent b84e79bd31 d4f8cf955d
commit 18c5d9e205
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 294 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
README.rst
View File

@ -45,9 +45,25 @@ True' in pillar per user. Defaults to False.
Ensures the vimrc file exists in the users home directory. Sets 'manage_vimrc: Ensures the vimrc file exists in the users home directory. Sets 'manage_vimrc:
True' in pillar per user. Defaults to False. True' in pillar per user. Defaults to False.
This depends on the vim-formula to be installed. This depends on the vim-formula being available and pillar `users:use_vim_formula: True`.
``users.user_files`` ``users.user_files``
--------------- ---------------
Permits the abitrary management of files. See pillar.example for configuration details. Permits the abitrary management of files. See pillar.example for configuration details.
Overriding default values
=========================
In order to separate actual user account definitions from configuration the pillar ``users-formula`` was introduced:
.. code-block:: yaml
users:
myuser:
# stuff
users-formula:
lookup:
root_group: toor
shell: '/bin/zsh'

61
pillar.example
View File

@ -1,9 +1,22 @@
users-formula:
use_vim_formula: True
lookup: # override the defauls in map.jinja
root_group: root
# group initialization
groups:
foo:
state: present
gid: 500
system: False
users: users:
## Minimal required pillar values ## Minimal required pillar values
auser: auser:
fullname: A User fullname: A User
## Full list of pillar values ## Full list of pillar values
allow_gid_change: False
buser: buser:
fullname: B User fullname: B User
password: $6$w............. password: $6$w.............
@ -22,9 +35,13 @@ users:
workphone: "(555) 555-5555" workphone: "(555) 555-5555"
homephone: "(555) 555-5551" homephone: "(555) 555-5551"
manage_vimrc: False manage_vimrc: False
allow_gid_change: True
manage_bashrc: False manage_bashrc: False
manage_profile: False manage_profile: False
expire: 16426 expire: 16426
# Disables user management except sudo rules.
# Useful for setting sudo rules for system accounts created by package instalation
sudoonly: False
sudouser: True sudouser: True
# sudo_rules doesn't need the username as a prefix for the rule # sudo_rules doesn't need the username as a prefix for the rule
# this is added automatically by the formula. # this is added automatically by the formula.
@ -55,6 +72,13 @@ users:
ssh_keys: ssh_keys:
privkey: PRIVATEKEY privkey: PRIVATEKEY
pubkey: PUBLICKEY pubkey: PUBLICKEY
# or you can provide path to key on Salt fileserver
privkey: salt://path_to_PRIVATEKEY
pubkey: salt://path_to_PUBLICKEY
# you can provide multiple keys, the keyname is taken as filename
# make sure your public keys suffix is .pub
foobar: PRIVATEKEY
foobar.pub: PUBLICKEY
# ... or you can pull them from a different pillar, # ... or you can pull them from a different pillar,
# for example one called "ssh_keys": # for example one called "ssh_keys":
ssh_keys_pillar: ssh_keys_pillar:
@ -75,10 +99,18 @@ users:
# than inline in pillar, this works. # than inline in pillar, this works.
ssh_auth_sources: ssh_auth_sources:
- salt://keys/buser.id_rsa.pub - salt://keys/buser.id_rsa.pub
ssh_auth_sources.absent:
- salt://keys/deleteduser.id_rsa.pub # PUBLICKEY_FILE_TO_BE_REMOVED
# Manage the ~/.ssh/config file # Manage the ~/.ssh/config file
ssh_known_hosts: ssh_known_hosts:
importanthost: importanthost:
port: 22
fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
key: PUBLICKEY
enc: ssh-rsa
hash_known_hosts: True
timeout: 5
fingerprint_hash_type: sha256
ssh_known_hosts.absent: ssh_known_hosts.absent:
- notimportanthost - notimportanthost
ssh_config: ssh_config:
@ -98,7 +130,11 @@ users:
gitconfig: gitconfig:
user.name: B User user.name: B User
user.email: buser@example.com user.email: buser@example.com
url."https://".insteadOf: "git://" "url.https://.insteadOf": "git://"
gitconfig.absent:
- push.default
- color\..+
google_2fa: True google_2fa: True
google_auth: google_auth:
@ -113,6 +149,8 @@ users:
33333333 33333333
44444444 44444444
55555555 55555555
# unique: True allows user to have non unique uid
unique: False
uid: 1001 uid: 1001
user_files: user_files:
@ -121,6 +159,13 @@ users:
# should be a salt fileserver path either with or without 'salt://' # should be a salt fileserver path either with or without 'salt://'
# if not present, it defaults to 'salt://users/files/user/<username> # if not present, it defaults to 'salt://users/files/user/<username>
source: users/files/default source: users/files/default
template: jinja
# You can specify octal mode for files and symlinks that will be copied. Since version 2016.11.0
# it's possible to use 'keep' for file_mode, to preserve file original mode, thus you can save
# execution bit for example.
file_mode: keep
sym_mode: 640
exclude_pat: "*.gitignore"
## Absent user ## Absent user
cuser: cuser:
@ -133,3 +178,17 @@ users:
absent_users: absent_users:
- donald - donald
- bad_guy - bad_guy
groups:
badguys:
absent: True
niceguys:
gid: 4242
system: False
addusers: root
delusers: toor
ssl-cert:
system: True
members:
- www-data
- openldap

3
users/bashrc.sls
View File

@ -21,7 +21,8 @@ users_{{ name }}_user_bashrc:
- user: {{ name }} - user: {{ name }}
- group: {{ user_group }} - group: {{ user_group }}
- mode: 644 - mode: 644
- source: - template: jinja
- source:
- salt://users/files/bashrc/{{ name }}/bashrc - salt://users/files/bashrc/{{ name }}/bashrc
- salt://users/files/bashrc/bashrc - salt://users/files/bashrc/bashrc
{% endif %} {% endif %}

10
users/defaults.yaml Normal file
View File

@ -0,0 +1,10 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
users-formula:
use_vim_formula: False
users:
allow_gid_change: True
createhome: True

165
users/init.sls
View File

@ -5,11 +5,31 @@
{% set used_user_files = [] %} {% set used_user_files = [] %}
{% set used_polkit = [] %} {% set used_polkit = [] %}
{% for group, setting in salt['pillar.get']('groups', {}).items() %}
{% if setting.absent is defined and setting.absent or setting.get('state', "present") == 'absent' %}
users_group_absent_{{ group }}:
group.absent:
- name: {{ group }}
{% else %}
users_group_present_{{ group }}:
group.present:
- name: {{ group }}
- gid: {{ setting.get('gid', "null") }}
- system: {{ setting.get('system',"False") }}
- members: {{ setting.get('members')|json }}
- addusers: {{ setting.get('addusers')|json }}
- delusers: {{ setting.get('delusers')|json }}
{% endif %}
{% endfor %}
{%- for name, user in pillar.get('users', {}).items() {%- for name, user in pillar.get('users', {}).items()
if user.absent is not defined or not user.absent %} if user.absent is not defined or not user.absent %}
{%- if user == None -%} {%- if user == None -%}
{%- set user = {} -%} {%- set user = {} -%}
{%- endif -%} {%- endif -%}
{%- if 'sudoonly' in user and user['sudoonly'] %}
{%- set _dummy=user.update({'sudouser': True}) %}
{%- endif %}
{%- if 'sudouser' in user and user['sudouser'] %} {%- if 'sudouser' in user and user['sudouser'] %}
{%- do used_sudo.append(1) %} {%- do used_sudo.append(1) %}
{%- endif %} {%- endif %}
@ -47,6 +67,7 @@ include:
{%- endif -%} {%- endif -%}
{%- set current = salt.user.info(name) -%} {%- set current = salt.user.info(name) -%}
{%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%} {%- set home = user.get('home', current.get('home', "/home/%s" % name)) -%}
{%- set createhome = user.get('createhome') -%}
{%- if 'prime_group' in user and 'name' in user['prime_group'] %} {%- if 'prime_group' in user and 'name' in user['prime_group'] %}
{%- set user_group = user.prime_group.name -%} {%- set user_group = user.prime_group.name -%}
@ -54,6 +75,7 @@ include:
{%- set user_group = name -%} {%- set user_group = name -%}
{%- endif %} {%- endif %}
{%- if not ( 'sudoonly' in user and user['sudoonly'] ) %}
{% for group in user.get('groups', []) %} {% for group in user.get('groups', []) %}
users_{{ name }}_{{ group }}_group: users_{{ name }}_{{ group }}_group:
group.present: group.present:
@ -63,13 +85,24 @@ users_{{ name }}_{{ group }}_group:
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{# in case home subfolder doesn't exist, create it before the user exists #}
{% if createhome -%}
users_{{ name }}_user_prereq:
file.directory:
- name: {{ salt['file.dirname'](home) }}
- makedirs: True
- prereq:
- user: users_{{ name }}_user
{%- endif %}
users_{{ name }}_user: users_{{ name }}_user:
{% if user.get('createhome', True) %} {% if createhome -%}
file.directory: file.directory:
- name: {{ home }} - name: {{ home }}
- user: {{ user.get('homedir_owner', name) }} - user: {{ user.get('homedir_owner', name) }}
- group: {{ user.get('homedir_group', user_group) }} - group: {{ user.get('homedir_group', user_group) }}
- mode: {{ user.get('user_dir_mode', '0750') }} - mode: {{ user.get('user_dir_mode', '0750') }}
- makedirs: True
- require: - require:
- user: users_{{ name }}_user - user: users_{{ name }}_user
- group: {{ user_group }} - group: {{ user_group }}
@ -123,11 +156,15 @@ users_{{ name }}_user:
- workphone: {{ user['workphone'] }} - workphone: {{ user['workphone'] }}
{% endif %} {% endif %}
{% if 'homephone' in user %} {% if 'homephone' in user %}
- homephone: {{ user['workphone'] }} - homephone: {{ user['homephone'] }}
{% endif %} {% endif %}
{% if not user.get('createhome', True) %} - createhome: {{ createhome }}
- createhome: False {% if not user.get('unique', True) %}
- unique: False
{% endif %} {% endif %}
{%- if grains['saltversioninfo'] >= [2018, 3, 1] %}
- allow_gid_change: {{ users.allow_gid_change if 'allow_gid_change' not in user else user['allow_gid_change'] }}
{%- endif %}
{% if 'expire' in user -%} {% if 'expire' in user -%}
{% if grains['kernel'].endswith('BSD') and {% if grains['kernel'].endswith('BSD') and
user['expire'] < 157766400 %} user['expire'] < 157766400 %}
@ -141,6 +178,18 @@ users_{{ name }}_user:
- expire: {{ user['expire'] }} - expire: {{ user['expire'] }}
{% endif %} {% endif %}
{% endif -%} {% endif -%}
{% if 'mindays' in user %}
- mindays: {{ user.get('mindays', None) }}
{% endif %}
{% if 'maxdays' in user %}
- maxdays: {{ user.get('maxdays', None) }}
{% endif %}
{% if 'inactdays' in user %}
- inactdays: {{ user.get('inactdays', None) }}
{% endif %}
{% if 'warndays' in user %}
- warndays: {{ user.get('warndays', None) }}
{% endif %}
- remove_groups: {{ user.get('remove_groups', 'False') }} - remove_groups: {{ user.get('remove_groups', 'False') }}
- groups: - groups:
- {{ user_group }} - {{ user_group }}
@ -173,6 +222,7 @@ user_keydir_{{ name }}:
- group: {{ user_group }} - group: {{ user_group }}
- makedirs: True - makedirs: True
- mode: 700 - mode: 700
- dir_mode: 700
- require: - require:
- user: {{ name }} - user: {{ name }}
- group: {{ user_group }} - group: {{ user_group }}
@ -182,35 +232,40 @@ user_keydir_{{ name }}:
{% endif %} {% endif %}
{% if 'ssh_keys' in user %} {% if 'ssh_keys' in user %}
{% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %} {% for _key in user.ssh_keys.keys() %}
users_user_{{ name }}_private_key: {% if _key == 'privkey' %}
{% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') %}
{% elif _key == 'pubkey' %}
{% set key_name = 'id_' + user.get('ssh_key_type', 'rsa') + '.pub' %}
{% else %}
{% set key_name = _key %}
{% endif %}
users_{{ name }}_{{ key_name }}_key:
file.managed: file.managed:
- name: {{ home }}/.ssh/{{ key_type }} - name: {{ home }}/.ssh/{{ key_name }}
- user: {{ name }}
- group: {{ user_group }}
- mode: 600
- show_diff: False
- contents_pillar: users:{{ name }}:ssh_keys:privkey
- require:
- user: users_{{ name }}_user
{% for group in user.get('groups', []) %}
- group: users_{{ name }}_{{ group }}_group
{% endfor %}
users_user_{{ name }}_public_key:
file.managed:
- name: {{ home }}/.ssh/{{ key_type }}.pub
- user: {{ name }} - user: {{ name }}
- group: {{ user_group }} - group: {{ user_group }}
{% if key_name.endswith(".pub") %}
- mode: 644 - mode: 644
{% else %}
- mode: 600
{% endif %}
- show_diff: False - show_diff: False
- contents_pillar: users:{{ name }}:ssh_keys:pubkey {%- set key_value = salt['pillar.get']('users:'+name+':ssh_keys:'+_key) %}
{%- if 'salt://' in key_value[:7] %}
- source: {{ key_value }}
{%- else %}
- contents_pillar: users:{{ name }}:ssh_keys:{{ _key }}
{%- endif %}
- require: - require:
- user: users_{{ name }}_user - user: users_{{ name }}_user
{% for group in user.get('groups', []) %} {% for group in user.get('groups', []) %}
- group: users_{{ name }}_{{ group }}_group - group: users_{{ name }}_{{ group }}_group
{% endfor %} {% endfor %}
{% endfor %}
{% endif %} {% endif %}
{% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %} {% if 'ssh_auth_file' in user or 'ssh_auth_pillar' in user %}
users_authorized_keys_{{ name }}: users_authorized_keys_{{ name }}:
file.managed: file.managed:
@ -224,8 +279,9 @@ users_authorized_keys_{{ name }}:
{{ auth }} {{ auth }}
{% endfor -%} {% endfor -%}
{% else %} {% else %}
- contents: |
{%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %} {%- for key_name, pillar_name in user['ssh_auth_pillar'].items() %}
- contents_pillar: {{ pillar_name }}:{{ key_name }}:pubkey {{ salt['pillar.get'](pillar_name + ':' + key_name + ':pubkey', '') }}
{%- endfor %} {%- endfor %}
{% endif %} {% endif %}
{% endif %} {% endif %}
@ -280,7 +336,23 @@ users_ssh_auth_source_{{ name }}_{{ loop.index0 }}:
- user: {{ name }} - user: {{ name }}
- source: {{ pubkey_file }} - source: {{ pubkey_file }}
- require: - require:
{% if createhome -%}
- file: users_{{ name }}_user - file: users_{{ name }}_user
{% endif -%}
- user: users_{{ name }}_user
{% endfor %}
{% endif %}
{% if 'ssh_auth_sources.absent' in user %}
{% for pubkey_file in user['ssh_auth_sources.absent'] %}
users_ssh_auth_source_delete_{{ name }}_{{ loop.index0 }}:
ssh_auth.absent:
- user: {{ name }}
- source: {{ pubkey_file }}
- require:
{% if createhome -%}
- file: users_{{ name }}_user
{% endif -%}
- user: users_{{ name }}_user - user: users_{{ name }}_user
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@ -292,7 +364,9 @@ users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
- user: {{ name }} - user: {{ name }}
- name: {{ auth }} - name: {{ auth }}
- require: - require:
{% if createhome -%}
- file: users_{{ name }}_user - file: users_{{ name }}_user
{% endif -%}
- user: users_{{ name }}_user - user: users_{{ name }}_user
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@ -334,8 +408,14 @@ users_ssh_known_hosts_{{ name }}_{{ loop.index0 }}:
{% if 'enc' in host %} {% if 'enc' in host %}
- enc: {{ host['enc'] }} - enc: {{ host['enc'] }}
{% endif -%} {% endif -%}
{% if 'hash_hostname' in host %} {% if 'hash_known_hosts' in host %}
- hash_hostname: {{ host['hash_hostname'] }} - hash_known_hosts: {{ host['hash_known_hosts'] }}
{% endif -%}
{% if 'timeout' in host %}
- timeout: {{ host['timeout'] }}
{% endif -%}
{% if 'fingerprint_hash_type' in host %}
- fingerprint_hash_type: {{ host['fingerprint_hash_type'] }}
{% endif -%} {% endif -%}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@ -348,13 +428,15 @@ users_ssh_known_hosts_delete_{{ name }}_{{ loop.index0 }}:
- name: {{ host }} - name: {{ host }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% endif %}
{% set sudoers_d_filename = name|replace('.','_') %}
{% if 'sudouser' in user and user['sudouser'] %} {% if 'sudouser' in user and user['sudouser'] %}
users_sudoer-{{ name }}: users_sudoer-{{ name }}:
file.managed: file.managed:
- replace: False - replace: False
- name: {{ users.sudoers_dir }}/{{ name }} - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
- user: root - user: root
- group: {{ users.root_group }} - group: {{ users.root_group }}
- mode: '0440' - mode: '0440'
@ -393,7 +475,7 @@ users_sudoer-{{ name }}:
users_{{ users.sudoers_dir }}/{{ name }}: users_{{ users.sudoers_dir }}/{{ name }}:
file.managed: file.managed:
- replace: True - replace: True
- name: {{ users.sudoers_dir }}/{{ name }} - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
- contents: | - contents: |
{%- if 'sudo_defaults' in user %} {%- if 'sudo_defaults' in user %}
{%- for entry in user['sudo_defaults'] %} {%- for entry in user['sudo_defaults'] %}
@ -414,14 +496,14 @@ users_{{ users.sudoers_dir }}/{{ name }}:
- file: users_sudoer-defaults - file: users_sudoer-defaults
- file: users_sudoer-{{ name }} - file: users_sudoer-{{ name }}
cmd.wait: cmd.wait:
- name: visudo -cf {{ users.sudoers_dir }}/{{ name }} || ( rm -rvf {{ users.sudoers_dir }}/{{ name }}; exit 1 ) - name: visudo -cf {{ users.sudoers_dir }}/{{ sudoers_d_filename }} || ( rm -rvf {{ users.sudoers_dir }}/{{ sudoers_d_filename }}; exit 1 )
- watch: - watch:
- file: {{ users.sudoers_dir }}/{{ name }} - file: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
{% endif %} {% endif %}
{% else %} {% else %}
users_{{ users.sudoers_dir }}/{{ name }}: users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:
file.absent: file.absent:
- name: {{ users.sudoers_dir }}/{{ name }} - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
{% endif %} {% endif %}
{%- if 'google_auth' in user %} {%- if 'google_auth' in user %}
@ -439,10 +521,6 @@ users_googleauth-{{ svc }}-{{ name }}:
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
#
# if not salt['cmd.has_exec']('git')
# fails even if git is installed
#
# this doesn't work (Salt bug), therefore need to run state.apply twice # this doesn't work (Salt bug), therefore need to run state.apply twice
#include: #include:
# - users # - users
@ -452,10 +530,12 @@ users_googleauth-{{ svc }}-{{ name }}:
# - require_in: # - require_in:
# - sls: users # - sls: users
# #
{% if salt['cmd.has_exec']('git') %}
{% if 'gitconfig' in user %} {% if 'gitconfig' in user %}
{% for key, value in user['gitconfig'].items() %} {% for key, value in user['gitconfig'].items() %}
users_{{ name }}_user_gitconfig_{{ loop.index0 }}: users_{{ name }}_user_gitconfig_{{ loop.index0 }}:
{% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %} {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}
git.config_set: git.config_set:
{% else %} {% else %}
git.config: git.config:
@ -463,7 +543,7 @@ users_{{ name }}_user_gitconfig_{{ loop.index0 }}:
- name: {{ key }} - name: {{ key }}
- value: "{{ value }}" - value: "{{ value }}"
- user: {{ name }} - user: {{ name }}
{% if grains['saltversioninfo'] >= (2015, 8, 0, 0) %} {% if grains['saltversioninfo'] >= [2015, 8, 0, 0] %}
- global: True - global: True
{% else %} {% else %}
- is_global: True - is_global: True
@ -471,6 +551,19 @@ users_{{ name }}_user_gitconfig_{{ loop.index0 }}:
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if 'gitconfig.absent' in user and grains['saltversioninfo'] >= [2015, 8, 0, 0] %}
{% for key in user.get('gitconfig.absent') %}
users_{{ name }}_user_gitconfig_absent_{{ key }}:
git.config_unset:
- name: '{{ key }}'
- user: {{ name }}
- global: True
- all: True
{% endfor %}
{% endif %}
{% endif %}
{% endfor %} {% endfor %}

56
users/map.jinja
View File

@ -1,5 +1,22 @@
# vim: sts=2 ts=2 sw=2 et ai # vim: sts=2 ts=2 sw=2 et ai
{% set users = salt['grains.filter_by']({
{# import defaults.yaml as defaults #}
{% import_yaml 'users/defaults.yaml' as defaults %}
{# set Os-family specific settings #}
{% set users = salt['grains.filter_by'](
defaults,
merge=salt['grains.filter_by']({
'MacOS': {
'sudoers_dir': '/etc/sudoers.d',
'sudoers_file': '/etc/sudoers',
'googleauth_dir': '/etc/google_authenticator.d',
'shell': '/bin/bash',
'visudo_shell': '/bin/bash',
'bash_package': 'bash',
'sudo_package': 'sudo',
'googleauth_package': 'google-authenticator-libpam',
},
'Debian': { 'Debian': {
'sudoers_dir': '/etc/sudoers.d', 'sudoers_dir': '/etc/sudoers.d',
'sudoers_file': '/etc/sudoers', 'sudoers_file': '/etc/sudoers',
@ -23,7 +40,7 @@
'bash_package': 'app-shells/bash', 'bash_package': 'app-shells/bash',
'sudo_package': 'app-admin/sudo', 'sudo_package': 'app-admin/sudo',
'googleauth_package': 'libpam-google-authenticator', 'googleauth_package': 'libpam-google-authenticator',
}, },
'FreeBSD': { 'FreeBSD': {
'sudoers_dir': '/usr/local/etc/sudoers.d', 'sudoers_dir': '/usr/local/etc/sudoers.d',
'sudoers_file': '/usr/local/etc/sudoers', 'sudoers_file': '/usr/local/etc/sudoers',
@ -34,7 +51,29 @@
'bash_package': 'bash', 'bash_package': 'bash',
'sudo_package': 'sudo', 'sudo_package': 'sudo',
'googleauth_package': 'pam_google_authenticator', 'googleauth_package': 'pam_google_authenticator',
}, },
'OpenBSD': {
'sudoers_dir': '/etc/sudoers.d',
'sudoers_file': '/etc/sudoers',
'googleauth_dir': '/etc/google_authenticator.d',
'root_group': 'wheel',
'shell': '/bin/csh',
'visudo_shell': '/usr/local/bin/bash',
'bash_package': 'bash',
'sudo_package': 'sudo',
'googleauth_package': 'pam_google_authenticator',
},
'Solaris': {
'sudoers_dir': '/opt/local/etc/sudoers.d',
'sudoers_file': '/opt/local/etc/sudoers',
'googleauth_dir': '/opt/local/etc/google_authenticator.d',
'root_group': 'root',
'shell': '/bin/bash',
'visudo_shell': '/bin/bash',
'bash_package': 'bash',
'sudo_package': 'sudo',
'googleauth_package': 'libpam-google-authenticator',
},
'default': { 'default': {
'sudoers_dir': '/etc/sudoers.d', 'sudoers_dir': '/etc/sudoers.d',
'sudoers_file': '/etc/sudoers', 'sudoers_file': '/etc/sudoers',
@ -47,5 +86,12 @@
'googleauth_package': 'libpam-google-authenticator', 'googleauth_package': 'libpam-google-authenticator',
'polkit_dir': '/etc/polkit-1/localauthority.conf.d', 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
'polkit_defaults': 'unix-group:sudo;' 'polkit_defaults': 'unix-group:sudo;'
}, },
}, merge=salt['pillar.get']('users:lookup')) %} }, merge=salt['pillar.get']('users-formula:lookup')),
base='users',
) %}
{% if grains.os == 'MacOS' %}
{% set group = salt['cmd.run']("stat -f '%Sg' /dev/console") %}
{% do users.update({'root_group': group,}) %}
{% endif %}

1
users/profile.sls
View File

@ -21,6 +21,7 @@ users_{{ name }}_user_profile:
- user: {{ name }} - user: {{ name }}
- group: {{ user_group }} - group: {{ user_group }}
- mode: 644 - mode: 644
- template: jinja
- source: - source:
- salt://users/files/profile/{{ name }}/profile - salt://users/files/profile/{{ name }}/profile
- salt://users/files/profile/profile - salt://users/files/profile/profile

1
users/sudo.sls
View File

@ -11,6 +11,7 @@ users_sudo-package:
- name: {{ users.sudo_package }} - name: {{ users.sudo_package }}
- require: - require:
- file: {{ users.sudoers_dir }} - file: {{ users.sudoers_dir }}
- unless: test "`uname`" = "Darwin"
users_{{ users.sudoers_dir }}: users_{{ users.sudoers_dir }}:
file.directory: file.directory:

16
users/user_files.sls
View File

@ -9,6 +9,10 @@ include:
{%- set user_files = salt['pillar.get'](('users:' ~ username ~ ':user_files'), {'enabled': False}) -%} {%- set user_files = salt['pillar.get'](('users:' ~ username ~ ':user_files'), {'enabled': False}) -%}
{%- set user_group = salt['pillar.get'](('users:' ~ username ~ ':prime_group:name'), username) -%} {%- set user_group = salt['pillar.get'](('users:' ~ username ~ ':prime_group:name'), username) -%}
{%- set user_home = salt['pillar.get'](('users:' ~ username ~ ':home'), current.get('home', '/home/' ~ username )) -%} {%- set user_home = salt['pillar.get'](('users:' ~ username ~ ':home'), current.get('home', '/home/' ~ username )) -%}
{%- set user_files_template = salt['pillar.get'](('users:' ~ username ~ ':user_files:template'), None) -%}
{%- set user_files_file_mode = salt['pillar.get'](('users:' ~ username ~ ':user_files:file_mode'), False) -%}
{%- set user_files_sym_mode = salt['pillar.get'](('users:' ~ username ~ ':user_files:sym_mode'), False) -%}
{%- set user_files_exclude_pat = salt['pillar.get'](('users:' ~ username ~ ':user_files:exclude_pat'), False) -%}
{%- if user_files.enabled -%} {%- if user_files.enabled -%}
{%- if user_files.source is defined -%} {%- if user_files.source is defined -%}
@ -34,7 +38,19 @@ users_userfiles_{{ username }}_recursive:
- source: {{ file_source }} - source: {{ file_source }}
- user: {{ username }} - user: {{ username }}
- group: {{ user_group }} - group: {{ user_group }}
{% if user_files_template -%}
- template: {{ user_files_template }}
{% endif -%}
- clean: False - clean: False
{% if user_files_file_mode -%}
- file_mode: {{ user_files_file_mode }}
{% endif -%}
{% if user_files_sym_mode -%}
- sym_mode: {{ user_files_sym_mode }}
{% endif -%}
{% if user_files_exclude_pat -%}
- exclude_pat: "{{ user_files_exclude_pat }}"
{% endif -%}
- include_empty: True - include_empty: True
- keep_symlinks: True - keep_symlinks: True
- require: - require:

8
users/vimrc.sls
View File

@ -1,4 +1,7 @@
{% from "users/map.jinja" import users with context %} {% from "users/map.jinja" import users with context %}
{% if users.use_vim_formula %}
include: include:
- users - users
- vim - vim
@ -22,8 +25,11 @@ users_{{ name }}_user_vimrc:
- user: {{ name }} - user: {{ name }}
- group: {{ user_group }} - group: {{ user_group }}
- mode: 644 - mode: 644
- source: - template: jinja
- source:
- salt://users/files/vimrc/{{ name }}/vimrc - salt://users/files/vimrc/{{ name }}/vimrc
- salt://users/files/vimrc/vimrc - salt://users/files/vimrc/vimrc
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endif %}