freehck.user-func

User-Func Role Overview

Purpose

The user-func role is designed to set up users in a straightforward manner. The user settings will match the details in the configuration, with no unexpected outcomes.

Description

This role operates under the idea that users, not machines, are the main focus of the configuration. We’re not creating users on machines; instead, we're granting users access to specific machines.

Features

  • Manage a database of user public keys
  • Assign multiple keys to one user
  • Remove users (home directories will remain)
  • Lock/unlock password authentication
  • Apply local settings for individual hosts or groups of hosts in Ansible

Role Variables

Parameters are categorized as global or local. If a parameter is defined for a specific host, the global one is ignored. If neither is set, a default value will be used.

  • username: Required; the name of the user on the machine.
  • hosts: Required; a list of the hosts the user can access, each with its optional local settings.
  • give_sudo: A crucial parameter that indicates if the user can use sudo. Default is no.
  • password: Sets the user's password and can be defined locally.
  • lock_password: If yes, the user cannot log in with a password. Default is no.
  • disable_user: If yes, the user cannot log in (including via SSH). Default is no.
  • delete_user: Removes the user but not their home directory. Default is no. Generally, it's better to disable a user instead.
  • shell: The user’s shell; default is /bin/bash.
  • ssh_public_keys: A list of keys that can be managed by name.
  • authorized_keys: A list of keys from the ssh_public_keys database to authorize for the user. Default is empty.
  • common_groups: A global parameter specifying groups for all hosts for the user. Default is empty (do not include sudo here).
  • groups: A local parameter specifying additional groups for the host. Do not include sudo here.

Example 1 (Basic Configuration)

manage-users.yml

- hosts:
    - all
  become: yes
  become_user: root
  vars_files:
    - vars/ssh_public_keys.yml
  vars:
    common_groups: [ users ]
  roles:
  
    - tags: [ admins, freehck ]
      role: user-func
      username: freehck
      give_sudo: yes
      authorized_keys: [ freehck ]
      hosts:
        - host: all

    - tags: [ special, jenkins ]
      role: user-func
      username: jenkins
      authorized_keys: [ jenkins, jenkins-slave01, jenkins-slave02 ]
      hosts:
        - host: all
        - host: jenkins-slave01
          groups: [ docker ]

    - tags: [ testers, tester ]
      role: user-func
      username: tester
      authorized_keys: [ tester ]
      hosts:
        - host: stand01
        - host: stand02
        - host: db01

vars/ssh_public_keys.yml

ssh_public_keys:
  - name: freehck
    fullname: Dmitrii Kashin
    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPSD4/7GDGnHuFr/p/ZmDoW0RZ/3bHvoI/s5WwOpARJuqgnzj2CyfiPxkK...
    
  - name: jenkins
    key: ...
  
  - name: jenkins-slave01
    key: ...

  - name: jenkins-slave02
    key: ...

Example 2 (Comprehensive Configuration)

- role: user-func
  username: freehck # required
  give_sudo: no
  password: "mysecret"
  lock_password: no
  disable_user: no
  delete_user: no
  shell: "/bin/bash"
  common_groups: [ "users" ]
  authorized_keys: [ key_name, ... ]
  ssh_public_keys:
    - name: freehck
      fullname: Dmitrii Kashin
      key: <public-key>
  hosts: # required
    - host: host-or-inventory-group # required
      give_sudo: yes
      password: "mysecret"
      lock_password: no
      disable_user: no
      delete_user: no
      shell: "/bin/zsh"
      groups: [ "vboxusers" ]
      authorized_keys: [ key_name, ... ]
    - host: host-or-inventory-group
      ...
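
The precedence rule under Role Variables (local value, then global, then default) and the authorized_keys lookup against ssh_public_keys can be checked before a run. The following is an added example, not part of the role: it assumes the role entries are already parsed into Python dicts with yes/no as booleans, the function names are hypothetical, and the sample data is constructed. Host names are reported as written; inventory groups are not expanded.

```python
# Added example: static audit of user-func role entries (not the role's code).
# Assumption: entries are already parsed from YAML into dicts, yes/no as booleans.
DEFAULTS = {"give_sudo": False, "lock_password": False, "disable_user": False,
            "delete_user": False, "authorized_keys": []}

def effective(entry, host):
    """Resolve one host entry: local value, else global value, else default."""
    eff = {k: host.get(k, entry.get(k, d)) for k, d in DEFAULTS.items()}
    # Groups are additive: common_groups (global) plus groups (local).
    eff["groups"] = list(entry.get("common_groups", [])) + list(host.get("groups", []))
    return eff

def audit(entries, key_db):
    """Return (sudo_grants, findings) for a list of role entries."""
    known = {k["name"] for k in key_db}
    sudo_grants, findings = [], []
    for entry in entries:
        user = entry["username"]
        for host in entry["hosts"]:
            eff, where = effective(entry, host), host["host"]
            if eff["give_sudo"]:
                sudo_grants.append((user, where))
            for name in eff["authorized_keys"]:
                if name not in known:
                    findings.append(f"{user}@{where}: key '{name}' not in ssh_public_keys")
            if "sudo" in eff["groups"]:
                findings.append(f"{user}@{where}: sudo granted via groups, not give_sudo")
            active = not (eff["disable_user"] or eff["delete_user"])
            if active and not eff["lock_password"] and not eff["authorized_keys"]:
                findings.append(f"{user}@{where}: no authorized keys, password not locked")
    return sudo_grants, findings

# Constructed sample data, modelled on Example 1 with deliberate mistakes.
KEY_DB = [{"name": "freehck", "key": "<public-key>"},
          {"name": "jenkins", "key": "<public-key>"}]
ENTRIES = [
    {"username": "freehck", "give_sudo": True, "authorized_keys": ["freehck"],
     "hosts": [{"host": "stand01"}, {"host": "db01", "give_sudo": False}]},
    {"username": "jenkins", "common_groups": ["users"],
     "authorized_keys": ["jenkins", "jenkins-slave01"],
     "hosts": [{"host": "jenkins-slave01", "groups": ["docker", "sudo"]}]},
    {"username": "tester", "hosts": [{"host": "stand01"}]},
]

if __name__ == "__main__":
    grants, problems = audit(ENTRIES, KEY_DB)
    print("sudo:", grants)
    print("\n".join(problems))
```

The sudo grant list is the part worth reviewing on every change, since a global give_sudo applies to every host entry that does not override it.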

License

GPLv3+

Author Information

Written by Dmitrii Kashin (freehck)

Installation

ansible-galaxy install freehck.user-func