# -*- coding: utf-8 -*- # vim: ft=yaml --- users-formula: use_vim_formula: True lookup: # override the defauls in map.jinja root_group: root # group initialization groups: foo: state: present gid: 1500 system: False badguys: absent: True niceguys: gid: 4242 system: False addusers: root delusers: toor ssl-cert: system: True members: - www-data - openldap users: ## Minimal required pillar values auser: fullname: A User ## Full list of pillar values buser: fullname: B User password: $6$w............. enforce_password: True # WARNING: If 'empty_password' is set to True, the 'password' statement # will be ignored by enabling password-less login for the user. empty_password: False hash_password: False system: False home: /custom/buser homedir_owner: buser homedir_group: primarygroup user_dir_mode: 750 createhome: True roomnumber: "A-1" workphone: "(555) 555-5555" homephone: "(555) 555-5551" manage_vimrc: False allow_gid_change: False manage_bashrc: False manage_profile: False expire: 16426 # Disables user management except sudo rules. # Useful for setting sudo rules for system accounts created by package instalation sudoonly: False sudouser: True # sudo_rules doesn't need the username as a prefix for the rule # this is added automatically by the formula. # ---------------------------------------------------------------------- # In case your sudo_rules have a colon please have in mind to not leave # spaces around it. For example: # ALL=(ALL) NOPASSWD: ALL <--- THIS WILL NOT WORK (Besides syntax is ok) # ALL=(ALL) NOPASSWD:ALL <--- THIS WILL WORK sudo_rules: - ALL=(root) /usr/bin/find - ALL=(otheruser) /usr/bin/script.sh sudo_defaults: - '!requiretty' # enable polkitadmin to make user an AdminIdentity for polkit polkitadmin: True shell: /bin/bash remove_groups: False prime_group: name: primarygroup gid: 1501 groups: - users optional_groups: - some_groups_that_might - not_exist_on_all_minions ssh_key_type: rsa # You can inline the private keys ... ssh_keys: privkey: PRIVATEKEY pubkey: PUBLICKEY # or you can provide path to key on Salt fileserver privkey: salt://path_to_PRIVATEKEY pubkey: salt://path_to_PUBLICKEY # you can provide multiple keys, the keyname is taken as filename # make sure your public keys suffix is .pub foobar: PRIVATEKEY foobar.pub: PUBLICKEY # ... or you can pull them from a different pillar, # for example one called "ssh_keys": ssh_keys_pillar: id_rsa: "ssh_keys" another_key_pair: "ssh_keys" ssh_auth: - PUBLICKEY ssh_auth.absent: - PUBLICKEY_TO_BE_REMOVED # Generates an authorized_keys file for the user # with the given keys ssh_auth_file: - PUBLICKEY # ... or you can pull them from a different pillar similar to ssh_keys_pillar ssh_auth_pillar: id_rsa: "ssh_keys" # If you prefer to keep public keys as files rather # than inline in pillar, this works. ssh_auth_sources: - salt://keys/buser.id_rsa.pub ssh_auth_sources.absent: - salt://keys/deleteduser.id_rsa.pub # PUBLICKEY_FILE_TO_BE_REMOVED # Manage the ~/.ssh/config file ssh_known_hosts: importanthost: port: 22 fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48 key: PUBLICKEY enc: ssh-rsa hash_known_hosts: True timeout: 5 fingerprint_hash_type: sha256 ssh_known_hosts.absent: - notimportanthost ssh_config: all: hostname: "*" options: - "StrictHostKeyChecking no" - "UserKnownHostsFile=/dev/null" importanthost: hostname: "needcheck.example.com" options: - "StrictHostKeyChecking yes" # Using gitconfig without Git installed will result in an error # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.git.html: # This state module now requires git 1.6.5 (released 10 October 2009) or newer. gitconfig: user.name: B User user.email: buser@example.com "url.https://.insteadOf": "git://" gitconfig.absent: - push.default - color\..+ google_2fa: True google_auth: sshd: | SOMEGAUTHHASHVAL " RESETTING_TIME_SKEW 46956472+2 46991595-2 " RATE_LIMIT 3 30 1415800560 " DISALLOW_REUSE 47193352 " TOTP_AUTH 11111111 22222222 33333333 44444444 55555555 # unique: True allows user to have non unique uid unique: False uid: 1001 user_files: enabled: True # 'source' allows you to define an arbitrary directory to sync, useful to use for default files. # should be a salt fileserver path either with or without 'salt://' # if not present, it defaults to 'salt://users/files/user/ source: users/files # template: jinja # You can specify octal mode for files and symlinks that will be copied. Since version 2016.11.0 # it's possible to use 'keep' for file_mode, to preserve file original mode, thus you can save # execution bit for example. file_mode: keep # You can specify octal mode for directories as well. This won't work on Windows minions # dir_mode: 775 sym_mode: 640 exclude_pat: "*.gitignore" ## Absent user cuser: absent: True purge: True force: True ## Old syntax of absent_users still supported absent_users: - donald - bad_guy