From 89d66728871e2defde8f3b95223169aef214120c Mon Sep 17 00:00:00 2001 From: Bohdan Kmit Date: Wed, 14 Jan 2015 17:25:17 +0000 Subject: [PATCH 1/2] google auth package and config installation --- users/init.sls | 45 +++++++++++++++++++++++++++++++++++++++------ users/map.jinja | 8 ++++++++ 2 files changed, 47 insertions(+), 6 deletions(-) diff --git a/users/init.sls b/users/init.sls index e325686..41877c7 100644 --- a/users/init.sls +++ b/users/init.sls @@ -1,6 +1,29 @@ # vim: sts=2 ts=2 sw=2 et ai {% from "users/map.jinja" import users with context %} -{% set used_sudo = False %} +{% set used_sudo = [] %} +{% set used_googleauth = [] %} + +{%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} +{%- if user == None -%} +{%- set user = {} -%} +{%- endif -%} +{%- if 'sudouser' in user and user['sudouser'] %} +{%- do used_sudo.append(1) %} +{%- endif %} +{%- if 'google_auth' in user %} +{%- do used_googleauth.append(1) %} +{%- endif %} +{%- endfor %} + +{%- if used_sudo or used_googleauth %} +include: +{%- if used_sudo %} + - users.sudo +{%- endif %} +{%- if used_googleauth %} + - users.googleauth +{%- endif %} +{%- endif %} {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} {%- if user == None -%} @@ -145,11 +168,6 @@ ssh_auth_delete_{{ name }}_{{ loop.index0 }}: {% endif %} {% if 'sudouser' in user and user['sudouser'] %} -{% if not used_sudo %} -{% set used_sudo = True %} -include: - - users.sudo -{% endif %} sudoer-{{ name }}: file.managed: 
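Review bot: The pre-scan loop added at the top of users/init.sls enables the googleauth include on a bare membership test, `{%- if 'google_auth' in user %}`, so a pillar entry such as `google_auth:` with an empty or null value still pulls in users.googleauth and installs the PAM package, and the per-user loop later in the file would then iterate over nothing or over None; the sudo branch three lines earlier checks `'sudouser' in user and user['sudouser']`, and the same truthiness test here keeps the two consistent: `{%- if 'google_auth' in user and user['google_auth'] %}`. The list-append idiom (`used_sudo = []` plus `do used_sudo.append(1)`) is presumably a workaround for Jinja's block scoping, which is why the removed `set used_sudo = True` inside the loop never took effect, but it reads as odd without a comment; I would add `{#- lists rather than booleans: a set inside a for-block cannot rebind these, but can mutate them #}` above the two `set` lines. The second hunk in this file only removes the old per-user include block and raises nothing on its own.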
@@ -187,6 +205,21 @@ sudoer-{{ name }}: - name: {{ users.sudoers_dir }}/{{ name }} {% endif %} +{%- if 'google_auth' in user %} +{%- for svc in user['google_auth'] %} +googleauth-{{ svc }}-{{ name }}: + file.managed: + - replace: false + - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }} + - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}' + - user: root + - group: {{ users.root_group }} + - mode: 600 + - require: + - pkg: googleauth-package +{%- endfor %} +{%- endif %} + {% endfor %} {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %} diff --git a/users/map.jinja b/users/map.jinja index 0779fd4..f81acc4 100644 --- a/users/map.jinja +++ b/users/map.jinja 
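Review bot: `- replace: false` on the new `googleauth-{{ svc }}-{{ name }}` state means the pillar value only seeds the secret file: once it exists on the minion, a changed pillar (a rotated secret or fresh scratch codes) is never applied, and the state reports no change. That is presumably deliberate, since the pillar example in this series shows the module's own bookkeeping lines (`" RESETTING_TIME_SKEW`, `" RATE_LIMIT`, `" DISALLOW_REUSE`) that a rewrite would clobber, but it deserves a comment, e.g. `{#- replace: false — the PAM module updates this file itself (time skew, rate limit, used codes); pillar only seeds it, so rotate a secret by removing the file first #}`. The target path is built from the pillar key as `{{ name }}_{{ svc }}` with no sanitisation; pillar is master-controlled, so that is acceptable, but the same comment should state that `svc` must be a plain identifier. The enclosing per-user loop starts before this hunk.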
@@ -3,37 +3,45 @@ 'Debian': { 'sudoers_dir': '/etc/sudoers.d', 'sudoers_file': '/etc/sudoers', + 'googleauth_dir': '/etc/google_authenticator.d', 'root_group': 'root', 'shell': '/bin/bash', 'visudo_shell': '/bin/bash', 'bash_package': 'bash', 'sudo_package': 'sudo', + 'googleauth_package': 'libpam-google-authenticator', }, 'Gentoo': { 'sudoers_dir': '/etc/sudoers.d', 'sudoers_file': '/etc/sudoers', + 'googleauth_dir': '/etc/google_authenticator.d', 'root_group': 'root', 'shell': '/bin/bash', 'visudo_shell': '/bin/bash', 'bash_package': 'app-shells/bash', 'sudo_package': 'app-admin/sudo', + 'googleauth_package': 'libpam-google-authenticator', }, 'FreeBSD': { 'sudoers_dir': '/usr/local/etc/sudoers.d', 'sudoers_file': '/usr/local/etc/sudoers', + 'googleauth_dir': '/usr/local/etc/google_authenticator.d', 'root_group': 'wheel', 'shell': '/bin/csh', 'visudo_shell': '/usr/local/bin/bash', 'bash_package': 'bash', 'sudo_package': 'sudo', + 'googleauth_package': 'pam_google_authenticator', }, 'default': { 'sudoers_dir': '/etc/sudoers.d', 'sudoers_file': '/etc/sudoers', + 'googleauth_dir': '/etc/google_authenticator.d', 'root_group': 'root', 'shell': '/bin/bash', 'visudo_shell': '/bin/bash', 'bash_package': 'bash', 'sudo_package': 'sudo', + 'googleauth_package': 'libpam-google-authenticator', }, }, merge=salt['pillar.get']('users:lookup')) %} From c3b5b87fb2f3c19731a9aaac8623015d67afce21 Mon Sep 17 00:00:00 2001 From: Bohdan Kmit Date: Thu, 15 Jan 2015 13:28:51 +0000 Subject: [PATCH 2/2] google auth example pillar config add; forgotten gauth state file add --- pillar.example | 12 ++++++++++++ users/googleauth.sls | 15 +++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 users/googleauth.sls diff --git a/pillar.example b/pillar.example index 8920020..9085ac2 100644 --- a/pillar.example +++ b/pillar.example 
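Review bot: The Gentoo entry sets `'googleauth_package': 'libpam-google-authenticator'`, which is the Debian package name copied verbatim; the other Gentoo values in the same block use portage atoms (`app-shells/bash`, `app-admin/sudo`), so this should be the Gentoo atom for the PAM module (`sys-auth/google-authenticator` as far as I know — verify against the tree), otherwise `pkg.installed` fails on that platform. The FreeBSD entry `pam_google_authenticator` and its `/usr/local/etc` prefix look consistent with the existing FreeBSD paths. It would also help to note next to `googleauth_dir` that this location is non-default and that the PAM configuration must point the module at it (its `secret=` option), since that configuration is not part of this series.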
@@ -28,6 +28,18 @@ users: - PUBLICKEY ssh_auth.absent: - PUBLICKEY_TO_BE_REMOVED + google_auth: + ssh: | + SOMEGAUTHHASHVAL + " RESETTING_TIME_SKEW 46956472+2 46991595-2 + " RATE_LIMIT 3 30 1415800560 + " DISALLOW_REUSE 47193352 + " TOTP_AUTH + 11111111 + 22222222 + 33333333 + 44444444 + 55555555 ## Absent user cuser: diff --git a/users/googleauth.sls b/users/googleauth.sls new file mode 100644 index 0000000..55260f6 --- /dev/null +++ b/users/googleauth.sls @@ -0,0 +1,15 @@ +# vim: sts=2 ts=2 sw=2 et ai +{% from "users/map.jinja" import users with context %} + +googleauth-package: + pkg.installed: + - name: {{ users.googleauth_package }} + - require: + - file: {{ users.googleauth_dir }} + +{{ users.googleauth_dir }}: + file: + - directory + - user: root + - group: {{ users.root_group }} + - mode: 600
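Review bot: The new `google_auth:` block is the only place the schema is shown, yet nothing says what the `ssh:` key means or what the value must contain. From the state in users/init.sls, the key becomes the file-name suffix (`{{ name }}_{{ svc }}` under `googleauth_dir`) and the block scalar is written verbatim via `contents_pillar`, so it must be the complete secret-file content, including the `" ...` option lines, which are module directives rather than YAML comments. A two-line comment above the block stating both points would save the next user a trip into the state file, and a reminder that the value is a live TOTP secret distributed through pillar, so it belongs in an encrypted or access-restricted pillar, fits there too.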
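Review bot: The directory state at the end of the new users/googleauth.sls sets `- mode: 600` on `{{ users.googleauth_dir }}`, which omits the execute bit a directory needs for traversal; root still gets through via its DAC override, but any lookup performed as the user (for example if the module is later configured with its `user=` option, or an admin inspects the directory unprivileged) fails, and `- mode: 700` is the conventional choice for a secrets directory. The state also uses the legacy list form `file: - directory`, while users/init.sls in this series writes `file.managed:`; `file.directory:` with `- mode: 700` keeps the two files in one style. The `require: - file: {{ users.googleauth_dir }}` on `googleauth-package` orders the directory before the package install, which is harmless but the reverse of what the `require: - pkg: googleauth-package` on the per-user file states suggests; if there is no real dependency, dropping it is clearer.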