Ansible role to manage user's account, groups and sudoers files, including:
-
create/remove group
-
create/remove user locally or in LDAP
-
create/remove user's home directory
-
create/copy user's ssh keys
-
add an user's existing ssh public key from
authorized_keys[]:- direct value, optionally with !unsafe prefix
- relative or absolute path to a key file
-
set user's password
-
assign already encrypted password
Anything matching below is considered to be already set or encrypted password:
!password for locked accountregex('^\$[0-9]\$.{60}'starting with$anydigit$followed by at least 60 charactersregex('^\{[A-Z0-9]+\}.+')starting with{SHA}followed by length in bytes
-
encrypt given password with
user_password_hashPlease use ansible-vault to encrypt variable with password.
echo -n "secret" | ansible-vault encrypt_string --vault-id @prompt --stdin-name password
-
generate, and store locally on ansible controller, password with given:
- encryption algorithm
- length
- allowed characters
Generated passwords are stored as plaintext in a file on ansible controller. File location is set by
user_password_filebut it always ends with user's name.
-
-
manage sudoers entries
- in
/etc/sudoersifuser_sudoers: [{file: "sudoers", ...}] - in
/etc/sudoers.d/nameifuser_sudoers: [{file: "name", ...}]
- in
-
defaults-
passworduser_password_generate: # generate password if set to this user_password_file: "" # generated password file location user_password_seed: "" # static seed to stay idempotent user_password_hash: "" # password encryption algorithm user_password_length: # generated password length user_password_chars: [] # list of allowed characters
-
groupsuser_groups: [] # list of OS groups to add/remove
-
accountsuser_accounts: [] # list of users to manage - name: username dn: "" # DN of account entry in LDAP objectClass: [] # objectClasses of account entry in LDAP attributes: {} # attributes of account entry in LDAP uid: "" # i.e. cn: "" homeDirectory: "" loginShell: "" userPassword: "" # follows the same rules as local account authorized_keys: [] # list of keys to add/remove - key: "{{ playbook_dir }}/files/id_rsa.pub" state: absent # remove key matching the one in file - key: "~/.ssh/id_rsa.pub"
-
sudoersuser_sudoers: # list of sudoers entries - file: "ansible" # store entries in /etc/sudoers.d/ansible user: "ansible" # user allowed to sudo host: "ALL" # on hosts runas: - user: "ALL" # as this user group: "ALL" # as this grup cmd: "ALL" # run this command
-
-
varsuser_sudoers_config: {} # sudoers file attributes user_homedir: {} # home directory attributes user_skel_path: /etc/skel # location of skel for home dir user_query_homedir: "" # JMESPath query to filter user that should have home dir created
- user.group - Manage groups
- user.account - Manage user's account
- user.ldap - Manage user's in LDAP
- user.homedir - Manage user's home directory
- user.sshkeys - Manage user's sshkeys
- user.sshkeys.directory - Create authorized keys directory
- user.sshkeys.authorized - Manage ssh public key in authorized keys
- user.sshkeys.copy - Copy ssh keys
- user.sudoers - Manage sudoers
-
requirements.yml- name: user src: https://github.com/mario-slowinski/user
-
playbook.yaml- hosts: servers gather_facts: no roles: - role: user