diff --git a/users/init.sls b/users/init.sls
index 6c7388b..a3440ff 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -1,3 +1,6 @@ +# vim: sts=2 ts=2 sw=2 et ai +{% from "users/map.jinja" import users with context %} + include: - users.sudo
@@ -126,24 +129,24 @@ ssh_auth_{{ name }}_{{ loop.index0 }}: {% if 'sudouser' in user and user['sudouser'] %} sudoer-{{ name }}: file.managed: - - name: /etc/sudoers.d/{{ name }} + - name: {{ users.sudoers_dir }}{{ name }} - user: root - - group: root + - group: {{ users.root_group }} - mode: '0440' {% if 'sudo_rules' in user %} {% for rule in user['sudo_rules'] %} "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}": cmd.run: - name: 'visudo -cf - <<<"$rule"' - - shell: /bin/bash + - shell: {{ users.visudo_shell }} - env: # Specify the rule via an env var to avoid shell quoting issues. - rule: "{{ name }} {{ rule }}" - require_in: - - file: /etc/sudoers.d/{{ name }} + - file: {{ users.sudoers_dir }}{{ name }} {% endfor %} -/etc/sudoers.d/{{ name }}: +{{ users.sudoers_dir }}{{ name }}: file.managed: - contents: | {%- for rule in user['sudo_rules'] %}
@@ -154,9 +157,9 @@ sudoer-{{ name }}: - file: sudoer-{{ name }} {% endif %} {% else %} -/etc/sudoers.d/{{ name }}: +{{ users.sudoers_dir }}{{ name }}: file.absent: - - name: /etc/sudoers.d/{{ name }} + - name: {{ users.sudoers_dir }}{{ name }} {% endif %} {% endfor %}
@@ -174,17 +177,17 @@ sudoer-{{ name }}: {% else %} user.absent {% endif -%} -/etc/sudoers.d/{{ name }}: +{{ users.sudoers_dir }}{{ name }}: file.absent: - - name: /etc/sudoers.d/{{ name }} + - name: {{ users.sudoers_dir }}{{ name }} {% endfor %} {% for user in pillar.get('absent_users', []) %} {{ user }}: user.absent -/etc/sudoers.d/{{ user }}: +{{ users.sudoers_dir }}{{ user }}: file.absent: - - name: /etc/sudoers.d/{{ user }} + - name: {{ users.sudoers_dir }}{{ user }} {% endfor %} {% for group in pillar.get('absent_groups', []) %} 
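Review bot: The drop-in path in the `@@ -126,24 +129,24 @@` hunk is built by bare concatenation, `{{ users.sudoers_dir }}{{ name }}`, so it is only correct while `sudoers_dir` keeps its trailing slash; a `users:lookup` pillar override written as `/etc/sudoers.d` would silently render the state ID, `- name:` and `- file:` as `/etc/sudoers.d<name>`, the rule file would land beside the directory instead of inside it, sudo would never read it, and no state would fail. Joining explicitly, e.g. `{{ users.sudoers_dir.rstrip('/') }}/{{ name }}` at each of the four references here, removes the dependency on how the map spells the directory; the same pattern recurs in the hunks at `@@ -154,9 +157,9 @@` and `@@ -174,17 +177,17 @@`. The validate `cmd.run` also now runs under `{{ users.visudo_shell }}`, which on FreeBSD is a package this state does not require, so `- require: - pkg: bash` on the cmd.run (the package state lives in the included users.sudo) would make the here-string check depend on a requisite rather than on include order. The enclosing `{% for %}` over users starts before this hunk.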
diff --git a/users/map.jinja b/users/map.jinja
new file mode 100644
index 0000000..1faa751
--- /dev/null
+++ b/users/map.jinja
@@ -0,0 +1,21 @@
+# vim: sts=2 ts=2 sw=2 et ai
+{% set users = salt['grains.filter_by']({
+ 'Debian': {
+ 'sudoers_dir': '/etc/sudoers.d/',
+ 'sudoers_file': '/etc/sudoers',
+ 'root_group': 'root',
+ 'visudo_shell': '/bin/bash',
+ },
+ 'FreeBSD': {
+ 'sudoers_dir': '/usr/local/etc/sudoers.d/',
+ 'sudoers_file': '/usr/local/etc/sudoers',
+ 'root_group': 'wheel',
+ 'visudo_shell': '/usr/local/bin/bash',
+ },
+ 'default': {
+ 'sudoers_dir': '/etc/sudoers.d/',
+ 'sudoers_file': '/etc/sudoers',
+ 'root_group': 'root',
+ 'visudo_shell': '/bin/bash',
+ },
+}, merge=salt['pillar.get']('users:lookup')) %}
diff --git a/users/sudo.sls b/users/sudo.sls
index 1426aef..459b247 100644
--- a/users/sudo.sls
+++ b/users/sudo.sls
@@ -1,3 +1,11 @@
+# vim: sts=2 ts=2 sw=2 et ai
+{% from "users/map.jinja" import users with context %}
+
+#Support bash in FreeBSD
+bash:
+ pkg:
+ - installed
+
 sudo:
 group:
 - present
@@ -6,18 +14,18 @@ sudo: - installed - require: - group: sudo - - file: /etc/sudoers.d + - file: {{ users.sudoers_dir }} -/etc/sudoers.d: +{{ users.sudoers_dir }}: file: - directory sudoer-defaults: file.append: - - name: /etc/sudoers + - name: {{ users.sudoers_file }} - require: - pkg: sudo - text: - Defaults env_reset - Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - - '#includedir /etc/sudoers.d' + - '#includedir {{ users.sudoers_dir }}'
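Review bot: map.jinja carries no comment describing the contract its consumers rely on: `sudoers_dir` is concatenated directly with a user name in init.sls and embedded in the `#includedir` line in sudo.sls, so the trailing slash on every `sudoers_dir` value is load-bearing, and `merge=salt['pillar.get']('users:lookup')` lets pillar override any of these keys per minion. A header comment making that explicit, e.g. `# Per-os_family defaults, overridable key by key via pillar users:lookup.` followed by `# sudoers_dir must end in '/': callers append file names to it verbatim.`, would stop the next override from silently changing where sudo rules are written. The `default` block repeats `Debian` verbatim; since `grains.filter_by` keys on `os_family`, a one-line note on which families are expected to fall through to `default` would also help a reader judge whether a new platform needs its own entry.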
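Review bot: The new `bash` pkg state in the `@@ -1,3 +1,11 @@` hunk of sudo.sls is unconditional even though its comment scopes it to FreeBSD, so every Debian-family minion now also gets a managed bash package; harmless where bash is essential, but it widens the change past its stated intent. Wrapping the state in `{% if grains['os_family'] == 'FreeBSD' %}` and `{% endif %}` keeps it to the platform that needs it. The comment `#Support bash in FreeBSD` would also be more useful if it said why bash is needed at all, e.g. `# The sudo-rule check in init.sls runs visudo with a bash here-string (<<<), so bash must be present.`, since nothing in this file otherwise references it.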
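Review bot: In the `@@ -6,18 +14,18 @@` hunk of sudo.sls the appended line `'#includedir {{ users.sudoers_dir }}'` now renders with a trailing slash (`#includedir /etc/sudoers.d/`), which no longer equals the `#includedir /etc/sudoers.d` line a stock Debian sudoers usually already has, so `file.append` will add a second directive for the same directory; sudo would then parse every drop-in twice, and if any drop-in defines an alias the duplicate definition can make `visudo -c` reject the whole policy. Render it without the slash, `- '#includedir {{ users.sudoers_dir.rstrip('/') }}'`, or store `sudoers_dir` without a trailing slash in map.jinja and join with `/` wherever a file name is appended. The `{{ users.sudoers_dir }}:` directory state ID and the `- file: {{ users.sudoers_dir }}` requisite still agree with each other, so that part is unaffected. The `sudo:` state whose `pkg` list this hunk edits begins before the hunk.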