ryandaniels.create_users

ansible-role-create-users


This role is designed to manage users on Linux systems.
Users are defined in a configuration file (found in vars/secret).
You can add users (with specific user IDs), change passwords, lock or unlock accounts, manage sudo permissions (for each user), add SSH keys for SSH key-based authentication, set a primary group and ID, and assign users to groups (which will be created if they don't exist).
The role works on a group-by-group basis: each user entry in the configuration file lists the Ansible inventory groups it applies to, so you can apply changes to all hosts or only to specific groups.

For more details, check the blog post: User Management with Ansible

Note: This role intentionally does not delete users.

Supported Distributions

  • Ubuntu: 22.04, 20.04, 18.04, 16.04
  • CentOS/RHEL: 9.1, 8.x, 7.x, 6.5, 5.9

Requirements

This role requires Ansible version 2.6 or higher (due to a previous bug with user expiration).

Using ansible-vault

Use ansible-vault to encrypt sensitive information in Git.

cat vars/secret
# Encrypt the file before committing to git
ansible-vault encrypt vars/secret

# Edit the encrypted file:
ansible-vault edit vars/secret

vi .vaultpass
# Enter your Ansible Vault password
chmod 600 .vaultpass
vi ansible.cfg
# Add these lines
[defaults]
vault_password_file = ./.vaultpass

.gitignore

vi .gitignore
# Add these lines
.vaultpass
.retry
secret
*.secret

How to Generate a Password

  • On Ubuntu - Install the "whois" package
mkpasswd --method=SHA-512
  • On RedHat - Use Python
python -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))'

Default Settings

---
# Note: 'debug_enabled_default: true' will show hashed passwords in the output.
debug_enabled_default: false
default_update_password: on_create
default_shell: /bin/bash
default_generate_ssh_key_comment: "{{ item.username }}@{{ ansible_hostname }}"

User Settings

File Location: vars/secret

  • username: Required username (no spaces).
  • uid: Optional numeric user ID.
  • user_state: Required state, either present or lock.
  • password: Optional sha512 encrypted password. Defaults to "!" if not set.
  • update_password: Options are always or on_create (default is on_create).
    WARNING: With always, the password will change to the specified value. Ensure you have the password set for existing users.
  • comment: Optional description (full name, department, etc.).
  • primarygroup: Optional primary group name.
  • primarygid: Optional primary group ID. If reused, the playbook will fail. Changing existing user groups won't change file permissions or old group entries.
  • groups: Comma-separated list of additional groups. These will be appended, and new groups will be created if they don't exist.
  • shell: Path to the user's shell (default is /bin/bash).
  • ssh_key: Optional SSH public key(s) to add to the user's authorized_keys. NOTE: Multiple keys are given one per line, as in the example configuration below; a single key can be on one line.
  • exclusive_ssh_key: yes|no (default: no).
    WARNING: Setting it to yes will remove any SSH keys not listed.
  • generate_ssh_key: Whether to generate an SSH key for the user. (default is 'no')
    NOTE: This will not overwrite existing keys.
  • ssh_key_bits: Number of bits for the SSH key (optional).
  • ssh_key_passphrase: Optional passphrase for the SSH key.
  • generate_ssh_key_comment: Optional comment for the generated SSH key.
  • use_sudo: yes|no (default: no).
  • use_sudo_nopass: yes|no (default: no). Set to yes for passwordless sudo.
  • system: yes|no (default: no). Creates a system account (uid < 1000). Does not work for existing users.
  • servers: List of servers where changes will be made (required). These are Ansible groups defined in your inventory file. For example, webserver could denote three servers in the webserver group.

Note: You can have users with the same name on different servers for different settings. For instance, testuser102 can have sudo privileges on some servers while not on others.

Example Ansible Inventory File

[webserver]
webserver1
webserver2
webserver3

[database]
db1
db2
db3

[monitoring]
monitor1

Example Configuration File (vars/secret)

---
users:
  - username: testuser101
    password: (hashed password)
    update_password: on_create
    comment: Test User 100
    shell: /bin/bash
    ssh_key: |
      ssh-rsa AAAAB3... testuser101@server1
      ssh-rsa AAAA.... testuser101@server2
    exclusive_ssh_key: yes
    use_sudo: no
    user_state: present
    servers:
      - webserver
      - database
      - monitoring

  # More user configurations can follow
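As an added pre-flight check that is not part of the role, the script below validates parsed entries of vars/secret against the settings documented above (required fields, allowed values, sha512 crypt password format, authorized_keys line format, inventory groups) and separately flags the settings whose warnings the list calls out (exclusive_ssh_key, use_sudo_nopass, update_password: always without a password). The user dicts are what yaml.safe_load would return for the file; the inventory groups, key and hash are constructed sample values.

```python
import re

# Schema of one entry in the 'users' list of vars/secret, taken from the
# User Settings section above. Hypothetical pre-flight check, not part of the role.
REQUIRED = ("username", "user_state", "servers")
USER_STATES = {"present", "lock"}
UPDATE_MODES = {"always", "on_create"}
# crypt(3) SHA-512 format as written by mkpasswd --method=SHA-512: $6$[rounds=N$]salt$hash
SHA512_CRYPT = re.compile(r"^\$6\$(rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$")
# One authorized_keys line: key type, base64 blob, optional comment
SSH_KEY_LINE = re.compile(
    r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( \S.*)?$")
# Settings that widen access or delete keys; surfaced as warnings for review before the run
RISKY = (("exclusive_ssh_key", "removes every authorized key not listed"), ("use_sudo_nopass", "grants passwordless sudo"))

def check_user(user, inventory_groups):
    """Return (errors, warnings) for one parsed 'users' entry (a dict as yaml.safe_load yields)."""
    errors, warnings = [], []
    name = str(user.get("username", "<missing>"))
    errors += [f"{name}: missing required field '{k}'" for k in REQUIRED if k not in user]
    if " " in name:
        errors.append(f"{name}: username must not contain spaces")
    if user.get("user_state") not in USER_STATES:
        errors.append(f"{name}: user_state must be present or lock")
    mode = user.get("update_password", "on_create")
    if mode not in UPDATE_MODES:
        errors.append(f"{name}: update_password must be always or on_create")
    pw = user.get("password")
    if pw is not None and not SHA512_CRYPT.match(str(pw)):
        errors.append(f"{name}: password is not a sha512 crypt hash")
    if mode == "always" and pw is None:
        warnings.append(f"{name}: update_password=always with no password resets it to '!'")
    if user.get("system") and user.get("uid", 0) >= 1000:
        errors.append(f"{name}: system accounts need uid < 1000")
    for line in str(user.get("ssh_key", "")).splitlines():
        if line.strip() and not SSH_KEY_LINE.match(line.strip()):
            errors.append(f"{name}: malformed ssh_key line: {line.strip()[:24]}")
    errors += [f"{name}: servers entry '{g}' is not an inventory group"
               for g in user.get("servers", []) if g not in inventory_groups]
    warnings += [f"{name}: {k}=yes {why}" for k, why in RISKY if user.get(k)]
    return errors, warnings

# Constructed sample: the groups from the example inventory and one entry mirroring the
# example configuration (the hash is a dummy of the right shape, not a real password).
INVENTORY_GROUPS = {"webserver", "database", "monitoring"}
SAMPLE_USER = {"username": "testuser101", "password": "$6$abcdefghijklmnop$" + "a" * 86,
               "update_password": "on_create", "comment": "Test User 100", "shell": "/bin/bash",
               "ssh_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx0 testuser101@server1\n",
               "exclusive_ssh_key": True, "use_sudo": False, "user_state": "present",
               "servers": ["webserver", "database", "monitoring"]}
RESULT = check_user(SAMPLE_USER, INVENTORY_GROUPS)  # ([], ['testuser101: exclusive_ssh_key=yes removes every authorized key not listed'])
```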

Example Playbook create-users.yml

---
- hosts: '{{inventory}}'
  vars_files:
    - vars/secret
  become: yes
  roles:
  - create-users

Preparation Steps

  • Install Ansible
  • Generate SSH keys
  • SSH into the client to add an entry to the known_hosts file
  • Configure the server's authorized_keys
  • Run Ansible commands

Usage

To create all users:

ansible-playbook create-users.yml --ask-vault-pass --extra-vars "inventory=all-dev" -i hosts

About the project

Role to manage users on linux

Install
ansible-galaxy install ryandaniels.create_users
License
mit
Downloads
187.6k
Owner
Ansible all the things