bodsch.users
Ansible Role: users
This role helps you manage multiple user accounts on Linux systems.
Features
- Add users, change their passwords, lock or unlock accounts, manage sudo access, and set authorized SSH keys for authentication.
Supported Operating Systems
Tested on:
- Arch Linux
- Debian-based systems:
  - Debian 10 / 11 / 12
  - Ubuntu 20.04 / 22.04
Note: RedHat-based systems are no longer officially supported but may still work.
How to Generate Passwords
On Ubuntu: Install the whois package and use:
mkpasswd --method=SHA-512
On RedHat: Use Python:
python -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))'
Other password hashing methods:
# MD5 (OBSOLETE!)
openssl passwd -1 -salt 5RPVAd clear-text-passwd43
# SHA-256
openssl passwd -5 -salt 5RPVAd clear-text-passwd43
# SHA-512
openssl passwd -6 -salt 5RPVAd clear-text-passwd43
# Blowfish
python -c 'import bcrypt; print(bcrypt.hashpw(b"clear-text-passwd43", bcrypt.gensalt(rounds=15)).decode("ascii"))'
Default Settings
---
users_output: "compact" # Options: 'full' for more details
users: []
User Settings
Parameter | Default | Required | Description |
---|---|---|---|
username | | required | Desired username (no spaces) |
uid | | optional | User ID number |
state | | required | present, absent, or lock |
password | | optional | SHA-512 hashed password. Defaults to ! if not provided |
update_password | always | optional | Update passwords always or on_create |
comment | | optional | User's full name or description |
groups | | optional | Comma-separated list of user groups (will create if missing) |
shell | /bin/bash | optional | User's login shell path |
authorized_key_directory | - | optional | Path for SSH keys, e.g. /etc/ssh/authorized_keys |
authorized_keys | [] | optional | List of SSH keys stored in $HOME/.ssh/authorized_keys |
ssh_keys | | optional | Dictionary of SSH keys for deployment |
sudo | {} | optional | Dictionary of sudo settings (see below) |
remove | False | optional | Affects state=absent, removes user-associated directories |
ssh_keys
Define static SSH keys for deployment here, either in plain text or base64 encoded.
users:
  - username: foo-bar
    ssh_keys:
      ...
authorized_keys
SSH keys are stored in a .ssh directory in the user's home. If users do not maintain their keys, you can store them in a secured directory like /etc/ssh/authorized_keys.
Make sure to configure sshd properly before doing this:
AuthorizedKeysFile /etc/ssh/authorized_keys/%u .ssh/authorized_keys
sudo
You can set a simple sudo rule for each user. For example:
- username: foo-bar
  sudo:
    nopassword: true
    runas: "ALL"
    commands: ALL
This would create the following sudoers rule:
foo-bar ALL=(ALL) NOPASSWD: ALL
Available options:
Parameter | Default | Type | Description |
---|---|---|---|
nopassword | False | bool | Requires no password for sudo commands. |
runas | - | string | Specify user the commands will run as. |
commands | - | string or list | Allowed commands in the sudoers rule. |
group | - | string | Group name for the sudoers rule. |
Usage Example
Refer to molecule tests
- hosts: all
  any_errors_fatal: false
  vars:
    users:
      - username: foo-bar
        update_password: always
        comment: Foo Bar
        shell: /bin/bash
        ssh_keys:
          ...
        sudo:
          nopassword: true
          runas: "ALL"
          commands:
            - ALL
          group: wheel
        state: present
  roles:
    - role: ansible-users
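A pre-flight check for the users variable described above, added here as an example and not part of the role: it classifies each password value by its crypt(3) prefix and flags sudo entries that allow every command without a password. The function names and sample entries are assumptions constructed for illustration, and the hash strings are placeholders.

```python
import re

# crypt(3) prefixes for the hashing methods listed on this page
SCHEMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
HASH_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$.+")

def classify_password(value):
    """Scheme name, 'locked' for a missing or '!' value, else 'cleartext'."""
    if value is None or value.startswith(("!", "*")):
        return "locked"
    m = HASH_RE.match(value)
    return SCHEMES.get(m.group("id"), "unknown") if m else "cleartext"

def sudo_is_unrestricted(sudo):
    """True when the rule allows every command without a password."""
    commands = sudo.get("commands", [])
    commands = [commands] if isinstance(commands, str) else commands  # string or list
    return bool(sudo.get("nopassword", False)) and "ALL" in commands

def audit_users(users):
    """Return (username, finding) tuples for entries that need review."""
    findings = []
    for user in users:
        if user.get("state") == "absent":
            continue  # account is being removed, nothing to audit
        name = user.get("username", "<missing username>")
        scheme = classify_password(user.get("password"))
        if scheme == "cleartext":
            findings.append((name, "password is not a crypt(3) hash"))
        elif scheme == "MD5":
            findings.append((name, "password uses obsolete MD5 crypt"))
        elif scheme not in ("SHA-512", "locked"):
            findings.append((name, f"password is {scheme}, not SHA-512"))
        if sudo_is_unrestricted(user.get("sudo") or {}):
            findings.append((name, "sudo grants NOPASSWD: ALL"))
    return findings

# Constructed sample shaped like `users`; hash strings are placeholders.
SAMPLE_USERS = [
    {"username": "foo-bar", "state": "present", "password": "$6$SALT$HASH",
     "sudo": {"nopassword": True, "runas": "ALL", "commands": ["ALL"]}},
    {"username": "legacy", "state": "present", "password": "$1$SALT$HASH"},
    {"username": "typo", "state": "present", "password": "clear-text-passwd43"},
    {"username": "keyonly", "state": "present"},  # no password -> "!"
]

if __name__ == "__main__":
    print(*audit_users(SAMPLE_USERS), sep="\n")
```

Run it against the parsed inventory variables before applying the role, and treat any finding as a reason to review that entry.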
Author and License
- Bodo Schulz
License
FREE SOFTWARE, HELL YEAH!
Install
ansible-galaxy install bodsch.users
License
MIT