102 lines
3.4 KiB
Django/Jinja
102 lines
3.4 KiB
Django/Jinja
[global]
|
|
; url - Location to fas server
|
|
url = https://admin.fedoraproject.org/accounts/
|
|
|
|
; temp - Location to generate files while user creation process is happening
|
|
temp = /var/db
|
|
|
|
{% if ansible_domain == 'qa.fedoraproject.org' %}
|
|
; Eventually, no box should use systems user to fasClient. systems has access
|
|
; to password hashes. But password hashes are needed for sudo unless the box
|
|
; uses pam_url
|
|
; login - username to contact fas
|
|
login = systems
|
|
|
|
; password - password for login name
|
|
password = {{ systemsUserPassword }}
|
|
{% else %}
|
|
; login - username to contact fas
|
|
login = {{ fedorathirdpartyUser }}
|
|
|
|
; password - password for login name
|
|
password = {{ fedorathirdpartyPassword }}
|
|
{% endif %}
|
|
; prefix - install to a location other than /
|
|
prefix = /
|
|
|
|
; modefile - Location of a file containing saved home directory modes
|
|
modefile = /var/lib/fas/client_dir_perms
|
|
|
|
; cla_group - Group for CLA requirements
|
|
cla_group = cla_done
|
|
|
|
[host]
|
|
; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups
|
|
; so if someone is in all 3, the client behaves the same as if they were just
|
|
; in 'groups'
|
|
|
|
; groups that should have a shell account on this system.
|
|
{% if fas_client_groups %}
|
|
groups = {{ fas_client_groups }}
|
|
{% else %}
|
|
groups = "sysadmin-main"
|
|
{% endif %}
|
|
|
|
; groups that should have a restricted account on this system.
|
|
; restricted accounts use the restricted_shell value in [users]
|
|
restricted_groups =
|
|
|
|
; ssh_restricted_groups: groups that should be restricted by ssh key. You will
|
|
; need to disable password based logins in order for this value to have any
|
|
; security meaning. Group types can be placed here as well, for example
|
|
; @hg,@git,@svn
|
|
{% if fas_client_ssh_groups %}
|
|
ssh_restricted_groups = {{ fas_client_ssh_groups }}
|
|
{% else %}
|
|
ssh_restricted_groups =
|
|
{% endif %}
|
|
|
|
; aliases_template: Gets prepended to the aliases file when it is generated by
|
|
; fasClient
|
|
aliases_template = /etc/aliases.template
|
|
|
|
[users]
|
|
; default shell given to people in [host] groups
|
|
shell = /bin/bash
|
|
|
|
; home - the location for fas user home dirs
|
|
home = /home/fedora
|
|
|
|
; home_backup_dir - Location home dirs should get moved to when a user is
|
|
; deleted this location should be tmpwatched
|
|
home_backup_dir = /home/fedora.bak
|
|
|
|
; ssh_restricted_app - This is the path to the restricted shell script. It
|
|
; will not work automatically for most people though through alterations it
|
|
; is a powerfull way to restrict access to a machine. An alternative example
|
|
; could be given to people who should only have cvs access on the machine.
|
|
; setting this value to "/usr/bin/cvs server" would do this.
|
|
{% if fas_client_restricted_app %}
|
|
ssh_restricted_app = {{ fas_client_restricted_app }}
|
|
{% else %}
|
|
ssh_restricted_app =
|
|
{% endif %}
|
|
|
|
; ssh_admin_app - This is the path to an app that an admin is allowed to use.
|
|
{% if fas_client_admin_app %}
|
|
ssh_admin_app = {{ fas_client_admin_app }}
|
|
{% else %}
|
|
ssh_admin_app =
|
|
{% endif %}
|
|
|
|
; restricted_shell - The shell given to users in the ssh_restricted_groups
|
|
restricted_shell = /sbin/nologin
|
|
|
|
; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
|
|
ssh_restricted_shell = /bin/bash
|
|
|
|
; ssh_key_options - Options to be appended to people ssh keys. Users in the
|
|
; ssh_restricted_groups will have the keys they uploaded altered when they are
|
|
; installed on this machine, appended with the options below.
|
|
ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
|
|
|