forked from saltstack-formulas/users-formula
-
Notifications
You must be signed in to change notification settings - Fork 0
/
pillar.example
149 lines (141 loc) · 4.49 KB
/
pillar.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
users-formula:
lookup: # override the defauls in map.jinja
root_group: root
users:
## Minimal required pillar values
auser:
fullname: A User
## Full list of pillar values
buser:
fullname: B User
password: $6$w.............
enforce_password: True
# WARNING: If 'empty_password' is set to True, the 'password' statement
# will be ignored by enabling password-less login for the user.
empty_password: False
hash_password: False
system: False
home: /custom/buser
homedir_owner: buser
homedir_group: primarygroup
user_dir_mode: 750
createhome: True
roomnumber: "A-1"
workphone: "(555) 555-5555"
homephone: "(555) 555-5551"
manage_vimrc: False
manage_bashrc: False
manage_profile: False
expire: 16426
sudouser: True
# sudo_rules doesn't need the username as a prefix for the rule
# this is added automatically by the formula.
# ----------------------------------------------------------------------
# In case your sudo_rules have a colon please have in mind to not leave
# spaces around it. For example:
# ALL=(ALL) NOPASSWD: ALL <--- THIS WILL NOT WORK (Besides syntax is ok)
# ALL=(ALL) NOPASSWD:ALL <--- THIS WILL WORK
sudo_rules:
- ALL=(root) /usr/bin/find
- ALL=(otheruser) /usr/bin/script.sh
sudo_defaults:
- '!requiretty'
shell: /bin/bash
remove_groups: False
prime_group:
name: primarygroup
gid: 500
groups:
- users
optional_groups:
- some_groups_that_might
- not_exist_on_all_minions
ssh_key_type: rsa
# You can inline the private keys ...
ssh_keys:
privkey: PRIVATEKEY
pubkey: PUBLICKEY
# you can provide multiple keys, the keyname is taken as filename
# make sure your public keys suffix is .pub
foobar: PRIVATEKEY
foobar.pub: PUBLICKEY
# ... or you can pull them from a different pillar,
# for example one called "ssh_keys":
ssh_keys_pillar:
id_rsa: "ssh_keys"
another_key_pair: "ssh_keys"
ssh_auth:
- PUBLICKEY
ssh_auth.absent:
- PUBLICKEY_TO_BE_REMOVED
# Generates an authorized_keys file for the user
# with the given keys
ssh_auth_file:
- PUBLICKEY
# ... or you can pull them from a different pillar similar to ssh_keys_pillar
ssh_auth_pillar:
id_rsa: "ssh_keys"
# If you prefer to keep public keys as files rather
# than inline in pillar, this works.
ssh_auth_sources:
- salt://keys/buser.id_rsa.pub
ssh_auth_sources.absent:
- salt://keys/deleteduser.id_rsa.pub # PUBLICKEY_FILE_TO_BE_REMOVED
# Manage the ~/.ssh/config file
ssh_known_hosts:
importanthost:
fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
ssh_known_hosts.absent:
- notimportanthost
ssh_config:
all:
hostname: "*"
options:
- "StrictHostKeyChecking no"
- "UserKnownHostsFile=/dev/null"
importanthost:
hostname: "needcheck.example.com"
options:
- "StrictHostKeyChecking yes"
# Using gitconfig without Git installed will result in an error
# https://docs.saltstack.com/en/latest/ref/states/all/salt.states.git.html:
# This state module now requires git 1.6.5 (released 10 October 2009) or newer.
gitconfig:
user.name: B User
user.email: [email protected]
"url.https://.insteadOf": "git://"
google_2fa: True
google_auth:
ssh: |
SOMEGAUTHHASHVAL
" RESETTING_TIME_SKEW 46956472+2 46991595-2
" RATE_LIMIT 3 30 1415800560
" DISALLOW_REUSE 47193352
" TOTP_AUTH
11111111
22222222
33333333
44444444
55555555
uid: 1001
user_files:
enabled: True
# 'source' allows you to define an arbitrary directory to sync, useful to use for default files.
# should be a salt fileserver path either with or without 'salt://'
# if not present, it defaults to 'salt://users/files/user/<username>
source: users/files/default
template: jinja
# You can specify octal mode for files and symlinks that will be copied. Since version 2016.11.0
# it's possible to use 'keep' for file_mode, to preserve file original mode, thus you can save
# execution bit for example.
file_mode: keep
sym_mode: 640
## Absent user
cuser:
absent: True
purge: True
force: True
## Old syntax of absent_users still supported
absent_users:
- donald
- bad_guy