ansibleguy.linux_users

Panoramica Versioni Approfondimenti

Ansible Role - System Users & Groups

Ansible Role for setting up users and groups on Linux servers.

Buy me a coffee

Molecule Test Status YamlLint Test Status PyLint Test Status Ansible-Lint Test Status Ansible Galaxy

Tested On:

  • Debian 11

Installation

# latest version
ansible-galaxy role install git+https://github.com/ansibleguy/linux_users

# from the galaxy
ansible-galaxy install ansibleguy.linux_users

# or to a custom role path
ansible-galaxy install ansibleguy.linux_users --roles-path ./roles

# install dependencies
ansible-galaxy install -r requirements.yml
python3 -m pip install -r requirements.txt

Usage

Looking for a simple Ansible GUI? Check out my Ansible WebUI.

Configuration

Set up the system_auth configuration as required:

system_auth:
  users:
    guy:
      comment: 'AnsibleGuy'
      password: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        (Encrypted password here)
      ssh_pub:
        - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKkIlii1iJM240...'
      privileges:
        - '/usr/bin/rsync'
        - '/bin/systemctl restart apache2.service'
      bash_aliases:
        ll: 'ls -l'
  
    other_guy:
      comment: 'Unusual user'
      shell: '/bin/fancyshell'
      always_update_password: true
      password: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        (Encrypted password here)
      ssh_pub:
        - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBxS1MoeqDyN6+ZK...'
      scope: 'dc_europe_west'  
      privileges:
        - '/bin/systemctl restart some_service.service'
      sudoers_prompt: true  
  
    root:
      dont_touch: true  
      bash_aliases:
        ll: 'ls -l'
        la: 'ls -la'
        tc: 'tar -cJvf'
        tx: 'tar -xJvf'
  
  groups:
    ag_guest:
      members: ['joe', 'who?']
    ag_tester:
      members: ['hans']
    ag_users:
      members: ['lisa']
      nested_groups: ['ag_tester']
    ag_superguys:
      members: ['seppal']
      parents: ['ag_users']
    ag_devops:
      members: ['luis']
    ag_admins:
      members: ['reymond']
      member_of: ['ag_superguys']

To keep your passwords secure, consider using 'ansible-vault' to encrypt them:

ansible-vault encrypt_string

Running the Playbook

Execute the playbook with:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml --ask-vault-pass

Nested Groups

You can connect two groups so they share members.

To let one group inherit members from another:

  • Use member_of
  • Use parents

To let the current group inherit members from another:

  • Use nested_groups
  • Use children

Features

  • Users

    • Limit where users can be created
    • Sudo privileges for specific commands
    • SSH Authorized-keys
    • Set Bash aliases

  • Groups

    • Nested groups for member inheritance

Information

  • Note: This role currently only supports Debian-based systems.

  • Note: You can choose to enable or disable most of the role's features.

    To see all available options, refer to the main defaults file.

  • Warning: Not all settings you provide will be checked for validity. Incorrect configurations may cause issues!

Example

Configuration

system_auth:
  users:
    guy:
      comment: 'AnsibleGuy'
      password: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        (Encrypted password here)
      ssh_pub:
        - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKkIlii1iJM240...'
      privileges:
        - '/usr/bin/rsync'
        - '/bin/systemctl restart apache2.service'
  
    other_guy:
      comment: 'Unusual user'
      scope: 'dc_europe_west'
      remove: true  
      force_remove: true  
  
    another_guy:
      comment: 'Nice guy'
      password: !vault |
            $ANSIBLE_VAULT;1.1;AES256
            (Encrypted password here)
      ssh_pub:
        - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBcfYHDR8O4A9uIHnw...'
      force_password_change: true
  
  groups:
    ag_guest:
      members: []
    ag_tester:
      members: ['other_guy', 'another_guy']
      state: 'absent'
    ag_users:
      members: []
      nested_group: ['ag_tester']
    ag_superguys:
      members: []
      parents: ['ag_users']
    ag_devops:
      members: []
    ag_admins:
      members: ['guy']
      member_of: ['ag_superguys']

Result:

# Check group file
guy@ansible:~# cat /etc/group
> ...
> ag_guest:x:1000:
> ag_users:x:1002:guy,another_guy
> ag_superguys:x:1003:guy
> ag_devops:x:1004:
> ag_admins:x:1005:guy
> guy:x:1006:
> another_guy:x:1007:

# Check password file
guy@ansible:~# cat /etc/passwd
> ...
> guy:x:1000:1006:Ansible managed - AnsibleGuy:/home/guy:/bin/bash
> another_guy:x:1001:1007:Ansible managed - Nice guy:/home/another_guy:/bin/bash

# Check sudo privileges
guy@ansible:~# cat /etc/sudoers.d/user_priv_guy 
> # Ansible managed
> 
> Cmnd_Alias USER_PRIV_GUY = \
>   /usr/bin/rsync, \
>   /bin/systemctl restart apache2.service
> 
> guy ALL=(ALL) NOPASSWD: USER_PRIV_GUY

guy@ansible:~# cat /etc/sudoers.d/user_priv_another_guy 
> # Ansible managed
> 
> Cmnd_Alias USER_PRIV_ANOTHERGUY = \
>   /bin/systemctl restart myNiceStuff.service
> 
> another_guy ALL=(ALL) USER_PRIV_ANOTHERGUY
Informazioni sul progetto

Role to configure users and groups on a linux machine

role users usermanagement groups sudoers privileges
Installa
ansible-galaxy install ansibleguy.linux_users
GitHub repository
2 stelle
1 fork
0 problemi aperti
Licenza
other
Download
2.6k
Proprietario
AnsibleGuy
[email protected] | GPG: https://badges.ansibleguy.net/public.gpg