users

2025-12-06 17:22:49 +01:00 · 2024-01-17 12:51:15 -05:00
7 changed files with 210 additions and 0 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -16,6 +16,7 @@ base:
    - sensoroni.adv_sensoroni
    - telegraf.soc_telegraf
    - telegraf.adv_telegraf
    - users
  '* and not *_desktop':
    - firewall.soc_firewall
--- a/pillar/users/init.sls
+++ b/pillar/users/init.sls
@@ -0,0 +1,2 @@
 # users pillar goes in /opt/so/saltstack/local/pillar/users/init.sls
 # the users directory may need to be created under /opt/so/saltstack/local/pillar
--- a/pillar/users/pillar.example
+++ b/pillar/users/pillar.example
@@ -0,0 +1,18 @@
 users:
  sclapton:
    # required fields
    status: present
    # node_access determines which node types the user can access.
    # this can either be by grains.role or by final part of the minion id after the _
    node_access:
      - standalone
      - searchnode
    # optional fields
    fullname: Stevie Claptoon
    uid: 1001
    gid: 1001
    homephone: does not have a phone
    groups:
      - mygroup1
      - mygroup2
      - wheel # give sudo access
--- a/pillar/users/pillar.usage
+++ b/pillar/users/pillar.usage
@@ -0,0 +1,20 @@
 users:
  sclapton:
    # required fields
    status: <present | absent>
    # node_access determines which node types the user can access.
    # this can either be by grains.role or by final part of the minion id after the _
    node_access:
      - standalone
      - searchnode
    # optional fields
    fullname: <string>
    uid: <integer>
    gid: <integer>
    roomnumber: <string>
    workphone: <string>
    homephone: <string>
    groups:
      - <string>
      - <string>
      - wheel # give sudo access
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -29,6 +29,7 @@ base:
    - salt.minion-check
    - salt.lasthighstate
    - common
    - users
    - docker
    - docker_clean
--- a/salt/users/init.sls
+++ b/salt/users/init.sls
@@ -0,0 +1,110 @@
 # The creation of a user will require a pub key placed in /opt/so/saltstack/local/salt/users/authorized_keys/<username>
 # If a user is changed from present to absent, their usergroup will be removed, but any additional usergroups that were created
 # for that user will remain.
 {% from 'users/map.jinja' import reserved_usernames %}
 {% for username, userdeets in pillar.get('users', {}).items() if username not in reserved_usernames %}
  {% if 'status' in userdeets %}
    {% if userdeets.status == 'absent' %}
 remove_user_{{username}}:
  user.absent:
    - name: {{ username }}
    {% if 'purge' in userdeets %}
    - purge: {{ userdeets.purge }}
    {% endif %}
    - force: True
  {% elif userdeets.status == 'present' %}
    {% if 'node_access' in userdeets %}
      {% if grains.role in userdeets.node_access or grains.id.split('_')|last in userdeets.node_access %}
 add_user_group_{{username}}:
  group.present:
    - name: {{ username }}
        {% if 'uid' in userdeets %}
    - gid: {{ userdeets.uid }}
        {% endif %}
 add_user_{{username}}:
  user.present:
    - name: {{ username }}
    - home: {{ userdeets.get('home', "/home/%s" % username) }}
    - shell: {{ userdeets.get('shell', '/bin/bash') }}
    - usergroup: True
        {% if 'fullname' in userdeets %}
    - fullname: {{ userdeets.fullname }}
        {% endif %}
        {% if 'uid' in userdeets %}
    - uid: {{ userdeets.uid }}
        {% endif %}
        {% if 'gid' in userdeets %}
    - gid: {{ userdeets.gid }}
        {% endif %}
        {% if 'roomnumber' in userdeets %}
    - roomnumber: {{ userdeets.roomnumber }}
        {% endif %}
        {% if 'workphone' in userdeets %}
    - workphone: {{ userdeets.workphone }}
        {% endif %}
        {% if 'homephone' in userdeets %}
    - homephone: {{ userdeets.homephone }}
        {% endif %}
        {% if 'groups' in userdeets %}
    - groups:
          {% for group in userdeets.groups %}
      - {{ group }}
          {% endfor %}
        {% endif %}
 {{username}}_authorized_keys:
  file.managed:
    - name: /home/{{username}}/.ssh/authorized_keys
    - source: salt://users/authorized_keys/{{username}}
    - user: {{username}}
    - group: {{username}}
    - mode: 644
    - show_diff: False
    - makedirs: True
    - require:
      - user: add_user_{{username}}
      {% endif %}
    {% endif %}
  {% else %}
 unknown_status_or_password_not_provided_for_user_{{username}}:
  test.fail_without_changes:
    - comment: "Verify status is 'present' or 'absent' and a password is provided for {{username}} in the users pillar."
    {% endif %}
  {% else %}
 status_not_provided_for_user_{{username}}:
  test.fail_without_changes:
    - comment: "Status should be 'present' or 'absent'."
  {% endif %}
 {% endfor %}
 disable_wheel_pwd_required:
  file.comment:
    - name: /etc/sudoers
    - regex: "%wheel\\s+ALL=\\(ALL\\)\\s+ALL"
 allow_wheel_no_pwd:
  file.uncomment:
    - name: /etc/sudoers
    - regex: "%wheel\\s+ALL=\\(ALL\\)\\s+NOPASSWD: ALL"
--- a/salt/users/map.jinja
+++ b/salt/users/map.jinja
@@ -0,0 +1,58 @@
 {% set reserved_usernames = [
    'root',
    'bin',
    'daemon',
    'adm',
    'lp',
    'sync',
    'shutdown',
    'halt',
    'mail',
    'operator',
    'games',
    'ftp',
    'nobody',
    'systemd-network',
    'dbus',
    'polkitd',
    'tss',
    'sshd',
    'ossec',
    'postfix',
    'chrony',
    'ntp',
    'tcpdump',
    'socore',
    'soremote',
    'elasticsearch',
    'stenographer',
    'suricata',
    'zeek',
    'curator',
    'kratos',
    'kibana',
    'elastalert',
    'ossecm',
    'ossecr',
    'logstash',
    'sys',
    'man',
    'news',
    'uucp',
    'proxy',
    'www-data',
    'backup',
    'list',
    'irc',
    'gnats',
    'systemd-resolve',
    'syslog',
    'messagebus',
    '_apt',
    'lxd',
    'uuidd',
    'dnsmasq',
    'landscape',
    'pollinate',
    'ossec'
 ] %}
		`@@ -0,0 +1,2 @@`
							`# users pillar goes in /opt/so/saltstack/local/pillar/users/init.sls`
							`# the users directory may need to be created under /opt/so/saltstack/local/pillar`