users

Ansible Role - Users

An ansible role to manage users on RHEL/Centos and Debian/Ubuntu servers

Requirements

Ansible version 2.6 or later

Role Variables

Available variables are listed below. See Example Playbooks and defaults/main.yml for more details and example

passwordless_sudo_all: false
create_users: []

passwordless_sudo_all: Add passwordless sudo for all sudo/wheel user
create_users: A list of users to manage(create/delete/modify)

create_users contains following options

Parameter Name	Parameter Type	Default Value	Description
`name`	string (Required)		Name of the user to create, remove or modify.
`append`	boolean `no` `yes`	`no`	If `yes`, add the user to the groups specified in groups. If `no`, user will only be added to the groups specified in groups, removing them from all other groups.
`comment`	string		Optionally sets the description (aka GECOS) of user account.
`create_home`	boolean `no` `yes`	`yes`	Unless set to no, a home directory will be made for the user when the account is created or if the home directory does not exist.
`force`	boolean `no` `yes`	`no`	This only affects `state=absent`, it forces removal of the user and associated directories on supported platforms. The behavior is the same as `userdel --force`, check the man page for userdel on your system for details and support. When used with `generate_ssh_key=yes` this forces an existing key to be overwritten.
`generate_ssh_key`	boolean `no` `yes`	`no`	Whether to generate a SSH key for the user in question. This will not overwrite an existing SSH key unless used with `force=yes`.
`group`	string		Optionally sets the user's primary group (takes a group name).
`groups`	list		List of groups user will be added to. When set to an empty string '', the user is removed from all groups except the primary group.
`home`	path		Optionally set the user's home directory.
`move_home`	boolean `no` `yes`	`no`	If set to `yes` when used with `home:` , attempt to move the user's old home directory to the specified directory if it isn't there already and the old home exists.
`non_unique`	boolean `no` `yes`	`no`	Optionally when used with the -u option, this option allows to change the user ID to a non-unique value.
`password`	string		Optionally set the user's password to this crypted value. To create a disabled account on Linux systems, set this to '!' or '*'. See https://docs.ansible.com/ansible/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module for details on various ways to generate these password values.
`password_lock`	boolean `no` `yes`		Lock the password (usermod -L, pw lock, usermod -C). BUT implementation differs on different platforms, this option does not always mean the user cannot login via other methods. This option does not disable the user, only lock the password. Do not change the password in the same task.
`passwordless_sudo`	boolean `no` `yes`	`no`	Enable passwordless sudo for this user only. `sudo_user` must be set to `yes`
`remove`	boolean `no` `yes`	`no`	This only affects `state=absent`, it attempts to remove directories associated with the user. The behavior is the same as `userdel --remove`, check the man page for details and support.
`seuser`	string		Optionally sets the seuser type (`user_u`) on selinux enabled systems.
`shell`	string		Optionally set the user's shell. The default shell is determined by the underlying tool being used.
`skeleton`	string		Optionally set a home skeleton directory. Requires `create_home` option!
`ssh_key_bits`	integer	"default set by ssh-keygen"	Optionally specify number of bits in SSH key to create.
`ssh_key_comment`	string	"ansible-generated on $HOSTNAME"	Optionally define the comment for the SSH key.
`ssh_key_file`	path	`.ssh/id_rsa`	Optionally specify the SSH key filename. If this is a relative filename then it will be relative to the user's home directory. If `generate_ssh_key` is set, This parameter defaults to `.ssh/id_rsa`.
`ssh_key_type`	string	"rsa"	Optionally specify the type of SSH key to generate. Available SSH key types will depend on implementation present on target host.
`state`	string `absent` `present`	`present`	Whether the account should exist or not, taking action if the state is different from what is stated.
`sudo_user`	boolean `no` `yes`	`no`	Add the user to `sudo`/`wheel` group
`system`	boolean `no` `yes`	`no`	When creating an account `state=present`, setting this to yes makes the user a system account. This setting cannot be changed on existing users. This does not work as intended. It creates user home directory which should not exists for system user and the uid is not set under 1000 if not explicitly set by `uid`
`uid`	integer		Optionally sets the UID of the user.
`update_password`	string `always` `on_create`	`always`	`always` will update passwords if they differ. `on_create` will only set the password for newly created users.
`authorized_key`	dictionary		Optionally adds or removes an SSH authorized key.
`authorized_key`.`key`	string Required		The SSH public key(s), as a string or url
`authorized_key`.`comment`	string		Change the comment on the public key. Rewriting the comment is useful in cases such as fetching it from GitHub or GitLab. If no comment is specified, the existing comment will be kept.
`authorized_key`.`exclusive`	boolean `no` `yes`	`no`	Whether to remove all other non-specified keys from the `authorized_keys` file. Multiple keys can be specified in a single key string value by separating them by newlines.
`authorized_key`.`exclusive`	boolean `no` `yes`	`no`	Follow path symlink instead of replacing it.
`authorized_key`.`key_options`	string		A string of ssh key options to be prepended to the key in the `authorized_keys` file.
`authorized_key`.`manage_dir`	boolean `no` `yes`	`yes`	Whether this module should manage the directory of the authorized key file. If set to `yes`, the module will create the directory, as well as set the owner and permissions of an existing directory. Be sure to set `manage_dir=no` if you are using an alternate directory for `authorized_keys`, as set with path, since you could lock yourself out of SSH access.
`authorized_key`.`path`	path		Alternate path to the authorized_keys file. When unset, this value defaults to `~/.ssh/authorized_keys`.
`authorized_key`.`state`	string `absent` `present`	`present`	Whether the given key (with the given key_options) should or should not be in the file.
`authorized_key`.`validate_certs`	boolean `no` `yes`	`yes`	This only applies if using a https url as the source of the keys. If set to `no`, the SSL certificates will not be validated. This should only set to no used on personally controlled sites using self-signed certificates as it avoids verifying the source site.

Dependencies

None

Example Playbooks

Use the following playbook to create a sudo/wheel user named deployer with passwordless sudo and authorization key located at /home/local/.ssh/id_rsa.pub

- hosts: servers
  become: true
  roles:
    - role: sakibmoon.users
  vars:
    users_list:
      - name: deployer
        state: present
        sudo_user: yes
        passwordless_sudo: yes
        authorized_key:
          key: /home/local/.ssh/id_rsa.pub

Use the following plabook to remove a user named alice

- hosts: servers
  become: true
  roles:
    - role: sakibmoon.users
  vars:
    users_list:
      - name: alice
        state: absent

Create user1 and add the user to only group1 and group2(append: false). Add user2 and set group2 as his primary group.

- hosts: servers
  become: true
  roles:
    - role: sakibmoon.users
  vars:
    users_list:
      - name: user1
        state: present
        groups:
          - group1
          - group2
        append: no
      - name: user2
        state: present
        group: group2

License

MIT

Author Information

This role was created by sakibmoon in 2020.

About

Ansible role to manage(create/delete/modify) users

role system user users

Install

ansible-galaxy install sakibmoon/ansible-role-users

GitHub repository

0 stars

0 forks

0 open issues

License

mit

Downloads

Owner

Sakib