Skip to content

Instantly share code, notes, and snippets.

@viq

viq/authorized_keys.jinja

Forked from gravyboat/authorized_keys.jinja
Created July 1, 2014 12:26
Show Gist options
  • Save viq/ec276c183bd84e90606d to your computer and use it in GitHub Desktop.
Save viq/ec276c183bd84e90606d to your computer and use it in GitHub Desktop.
Download ZIP
Raw
authorized_keys.jinja
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent -%}
{% for auth in user['ssh_auth'] -%}
{{ auth }}
{% endfor -%}
{% endfor -%}
Raw
init.sls
{% from "users/map.jinja" import users with context %}
include:
- users.sudo
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
{%- if user == None -%}
{%- set user = {} -%}
{%- endif -%}
{%- set home = user.get('home', "/home/%s" % name) -%}
{%- if 'prime_group' in user and 'name' in user['prime_group'] %}
{%- set user_group = user.prime_group.name -%}
{%- else -%}
{%- set user_group = name -%}
{%- endif %}
{% for group in user.get('groups', []) %}
{{ name }}_{{ group }}_group:
group:
- name: {{ group }}
- present
{% endfor %}
{{ name }}_user:
file.directory:
- name: {{ home }}
- user: {{ name }}
- group: {{ user_group }}
- mode: 0755
- require:
- user: {{ name }}
- group: {{ user_group }}
group.present:
- name: {{ user_group }}
{%- if 'prime_group' in user and 'gid' in user['prime_group'] %}
- gid: {{ user['prime_group']['gid'] }}
{%- elif 'uid' in user %}
- gid: {{ user['uid'] }}
{%- endif %}
user.present:
- name: {{ name }}
- home: {{ home }}
- shell: {{ user.get('shell', '/bin/bash') }}
{% if 'uid' in user -%}
- uid: {{ user['uid'] }}
{% endif -%}
{% if 'password' in user -%}
- password: {{ user['password'] }}
{% endif -%}
{% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
- gid: {{ user['prime_group']['gid'] }}
{% else -%}
- gid_from_name: True
{% endif -%}
{% if 'fullname' in user %}
- fullname: {{ user['fullname'] }}
{% endif -%}
- groups:
- {{ user_group }}
{% for group in user.get('groups', []) -%}
- {{ group }}
{% endfor %}
- require:
- group: {{ user_group }}
{% for group in user.get('groups', []) -%}
- group: {{ group }}
{% endfor %}
user_keydir_{{ name }}:
file.directory:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh
- user: {{ name }}
- group: {{ user_group }}
- makedirs: True
- mode: 700
- require:
- user: {{ name }}
- group: {{ user_group }}
{%- for group in user.get('groups', []) %}
- group: {{ group }}
{%- endfor %}
{% if 'ssh_keys' in user %}
{% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %}
user_{{ name }}_private_key:
file.managed:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}
- user: {{ name }}
- group: {{ user_group }}
- mode: 600
- show_diff: False
- contents_pillar: users:{{ name }}:ssh_keys:privkey
- require:
- user: {{ name }}_user
{% for group in user.get('groups', []) %}
- group: {{ name }}_{{ group }}_group
{% endfor %}
user_{{ name }}_public_key:
file.managed:
- name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub
- user: {{ name }}
- group: {{ user_group }}
- mode: 644
- show_diff: False
- contents_pillar: users:{{ name }}:ssh_keys:pubkey
- require:
- user: {{ name }}_user
{% for group in user.get('groups', []) %}
- group: {{ name }}_{{ group }}_group
{% endfor %}
{% endif %}
{% if 'ssh_auth' in user %}
user_{{ name }}_authorized_keys:
file.managed:
- name: /home/{{ name }}/.ssh/authorized_keys
- source: salt://users/files/authorized_keys.jinja
- user: {{ name }}
- group: {{ name }}
- mode: 644
- template: jinja
{% endif %}
{% if 'sudouser' in user and user['sudouser'] %}
sudoer-{{ name }}:
file.managed:
- name: {{ users.sudoers_dir }}{{ name }}
- user: root
- group: {{ users.root_group }}
- mode: '0440'
{% if 'sudo_rules' in user %}
{% for rule in user['sudo_rules'] %}
"validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}":
cmd.run:
- name: 'visudo -cf - <<<"$rule"'
- shell: {{ users.visudo_shell }}
- env:
# Specify the rule via an env var to avoid shell quoting issues.
- rule: "{{ name }} {{ rule }}"
- require_in:
- file: {{ users.sudoers_dir }}{{ name }}
{% endfor %}
{{ users.sudoers_dir }}{{ name }}:
file.managed:
- contents: |
{%- for rule in user['sudo_rules'] %}
{{ name }} {{ rule }}
{%- endfor %}
- require:
- file: sudoer-defaults
- file: sudoer-{{ name }}
{% endif %}
{% else %}
{{ users.sudoers_dir }}{{ name }}:
file.absent:
- name: {{ users.sudoers_dir }}{{ name }}
{% endif %}
{% endfor %}
{% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %}
{{ name }}:
{% if 'purge' in user or 'force' in user %}
user.absent:
{% if 'purge' in user %}
- purge: {{ user['purge'] }}
{% endif %}
{% if 'force' in user %}
- force: {{ user['force'] }}
{% endif %}
{% else %}
user.absent
{% endif -%}
{{ users.sudoers_dir }}{{ name }}:
file.absent:
- name: {{ users.sudoers_dir }}{{ name }}
{% endfor %}
{% for user in pillar.get('absent_users', []) %}
{{ user }}:
user.absent
{{ users.sudoers_dir }}{{ user }}:
file.absent:
- name: {{ users.sudoers_dir }}{{ user }}
{% endfor %}
{% for group in pillar.get('absent_groups', []) %}
{{ group }}:
group.absent
{% endfor %}
Raw
map.jinja
{% set users = salt['grains.filter_by']({
'Debian': {
'sudoers_dir': '/etc/sudoers.d',
'sudoers_file': '/etc/sudoers',
'root_group': 'root',
'visudo_shell': '/bin/bash',
'bash_package': 'bash',
'sudo_package': 'sudo',
},
'Gentoo': {
'sudoers_dir': '/etc/sudoers.d/',
'sudoers_file': '/etc/sudoers',
'root_group': 'root',
'visudo_shell': '/bin/bash',
'bash_package': 'app-shells/bash',
'sudo_package': 'app-admin/sudo',
},
'FreeBSD': {
'sudoers_dir': '/usr/local/etc/sudoers.d/',
'sudoers_file': '/usr/local/etc/sudoers',
'root_group': 'wheel',
'visudo_shell': '/usr/local/bin/bash',
'bash_package': 'bash',
'sudo_package': 'sudo',
},
'default': {
'sudoers_dir': '/etc/sudoers.d/',
'sudoers_file': '/etc/sudoers',
'root_group': 'root',
'visudo_shell': '/bin/bash',
'bash_package': 'bash',
'sudo_package': 'sudo',
},
}, merge=salt['pillar.get']('users:lookup')) %}
Raw
pillar.example
users:
## Minimal required pillar values
auser:
fullname: A User
## Full list of pillar values
buser:
fullname: B User
password: $6$w.............
home: /custom/buser
sudouser: True
sudo_rules:
- ALL=(root) /usr/bin/find
- ALL=(otheruser) /usr/bin/script.sh
shell: /bin/bash
prime_group:
name: primarygroup
gid: 500
groups:
- users
ssh_key_type: rsa
ssh_keys:
privkey: PRIVATEKEY
pubkey: PUBLICKEY
ssh_auth:
- PUBLICKEY
## Absent user
cuser:
absent: True
purge: True
force: True
## Old syntax of absent_users still supported
absent_users:
- donald
- bad_guy
Raw
sudo.sls
{% from "users/map.jinja" import users with context %}
# Ensure availability of bash
bash-package:
pkg.installed:
- name: {{ users.bash_package }}
sudo-group:
group.present:
- name: sudo
- system: True
sudo-package:
pkg.installed:
- name: {{ users.sudo_package }}
- require:
- group: sudo-group
- file: {{ users.sudoers_dir }}
{{ users.sudoers_dir }}:
file:
- directory
sudoer-defaults:
file.append:
- name: {{ users.sudoers_file }}
- require:
- pkg: sudo-package
- text:
- Defaults env_reset
- Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
- '#includedir {{ users.sudoers_dir }}'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment