-
Notifications
You must be signed in to change notification settings - Fork 357
/
Copy pathpillar.example
200 lines (190 loc) · 5.68 KB
/
pillar.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
users-formula:
use_vim_formula: true
lookup: # override the defauls in map.jinja
root_group: root
# group initialization
groups:
foo:
state: present
gid: 1500
system: false
badguys:
absent: true
niceguys:
gid: 4242
system: false
addusers:
- root
delusers:
- toor
ssl-cert:
system: true
members:
- www-data
- openldap
users:
## Minimal required pillar values
auser:
fullname: A User
## Full list of pillar values
buser:
fullname: B User
password: $6$w.............
enforce_password: true
# WARNING: If 'empty_password' is set to true, the 'password' statement
# will be ignored by enabling password-less login for the user.
empty_password: false
hash_password: false
system: false
home: /custom/buser
homedir_owner: buser
homedir_group: primarygroup
user_dir_mode: 750
createhome: true
roomnumber: "A-1"
workphone: "(555) 555-5555"
homephone: "(555) 555-5551"
manage_vimrc: false
allow_gid_change: false
manage_bashrc: false
manage_profile: false
expire: 16426
# Disables user management except sudo rules.
# Useful for setting sudo rules for system accounts created by package instalation
sudoonly: false
sudouser: true
# sudo_rules doesn't need the username as a prefix for the rule
# this is added automatically by the formula.
# ----------------------------------------------------------------------
# In case your sudo_rules have a colon please have in mind to not leave
# spaces around it. For example:
# ALL=(ALL) NOPASSWD: ALL <--- THIS WILL NOT WORK (Besides syntax is ok)
# ALL=(ALL) NOPASSWD:ALL <--- THIS WILL WORK
sudo_rules:
- ALL=(root) /usr/bin/find
- ALL=(otheruser) /usr/bin/script.sh
sudo_defaults:
- '!requiretty'
# enable polkitadmin to make user an AdminIdentity for polkit
polkitadmin: true
shell: /bin/bash
remove_groups: false
prime_group:
name: primarygroup
gid: 1501
groups:
- users
optional_groups:
- some_groups_that_might
- not_exist_on_all_minions
ssh_key_type: rsa
ssh_keys:
# You can inline the private keys ...
# privkey: PRIVATEKEY
# pubkey: PUBLICKEY
# or you can provide path to key on Salt fileserver
privkey: salt://path_to_PRIVATEKEY
pubkey: salt://path_to_PUBLICKEY
# you can provide multiple keys, the keyname is taken as filename
# make sure your public keys suffix is .pub
foobar: PRIVATEKEY
foobar.pub: PUBLICKEY
# ... or you can pull them from a different pillar,
# for example one called "ssh_keys":
ssh_keys_pillar:
id_rsa: "ssh_keys"
another_key_pair: "ssh_keys"
ssh_auth:
- PUBLICKEY
ssh_auth.absent:
- PUBLICKEY_TO_BE_REMOVED
# Generates an authorized_keys file for the user
# with the given keys
ssh_auth_file:
- PUBLICKEY
# ... or you can pull them from a different pillar similar to ssh_keys_pillar
ssh_auth_pillar:
id_rsa: "ssh_keys"
# If you prefer to keep public keys as files rather
# than inline in pillar, this works.
ssh_auth_sources:
- salt://keys/buser.id_rsa.pub
ssh_auth_sources.absent:
- salt://keys/deleteduser.id_rsa.pub # PUBLICKEY_FILE_TO_BE_REMOVED
# Manage the ~/.ssh/config file
ssh_known_hosts:
importanthost:
port: 22
fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
key: PUBLICKEY
enc: ssh-rsa
hash_known_hosts: true
timeout: 5
fingerprint_hash_type: sha256
ssh_known_hosts.absent:
- notimportanthost
ssh_config:
all:
hostname: "*"
options:
- "StrictHostKeyChecking no"
- "UserKnownHostsFile=/dev/null"
importanthost:
hostname: "needcheck.example.com"
options:
- "StrictHostKeyChecking yes"
# Using gitconfig without Git installed will result in an error
# https://docs.saltstack.com/en/latest/ref/states/all/salt.states.git.html:
# This state module now requires git 1.6.5 (released 10 October 2009) or newer.
gitconfig:
user.name: B User
user.email: [email protected]
"url.https://.insteadOf": "git://"
gitconfig.absent:
- push.default
- color\..+
google_2fa: true
google_auth:
sshd: |
SOMEGAUTHHASHVAL
" RESETTING_TIME_SKEW 46956472+2 46991595-2
" RATE_LIMIT 3 30 1415800560
" DISALLOW_REUSE 47193352
" TOTP_AUTH
11111111
22222222
33333333
44444444
55555555
# unique: true allows user to have non unique uid
unique: false
uid: 1001
user_files:
enabled: true
# 'source' allows you to define an arbitrary directory to sync,
# useful to use for default files.
# should be a salt fileserver path either with or without 'salt://'
# if not present, it defaults to 'salt://users/files/user/<username>
source: users/files
# template: jinja
# You can specify octal mode for files and symlinks that will be copied.
# Since version 2016.11.0 it's possible to use 'keep' for file_mode,
# to preserve file original mode, thus you can save execution bit for example.
file_mode: keep
# You can specify octal mode for directories as well.
# This won't work on Windows minions
# dir_mode: 775
sym_mode: 640
exclude_pat: "*.gitignore"
## Absent user
cuser:
absent: true
purge: true
force: true
## Old syntax of absent_users still supported
absent_users:
- donald
- bad_guy