ansibleguy.linux_users
Ansible Role - System Users and Groups
Ansible role to deploy users and groups on Linux servers.
Tested:
- Debian 11
Installation
# latest version
ansible-galaxy role install git+https://github.com/ansibleguy/linux_users
# from Galaxy
ansible-galaxy install ansibleguy.linux_users
# or install to a custom role path
ansible-galaxy install ansibleguy.linux_users --roles-path ./roles
# install dependencies
ansible-galaxy install -r requirements.yml
python3 -m pip install -r requirements.txt
Usage
Do you want a simple Ansible GUI? Check out my Ansible WebUI
Configuration
Define the system-auth configuration as needed:
system_auth:
  users:
    guy:
      comment: 'AnsibleGuy'
      password: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        64373031333937633163366236663237623464336461613334343739323763373330393930666331
        3333663262346337636536383539303834373733326631310a393865653831663238383937626238
        35396531316338373030353530663465343838373635363633613035356338353366373231343264
        3437356663383466630a666161363163346533333139656566386466383733646134616166376638
        35313765356134396130333439663461353336313230366338646165376666313232
      ssh_pub:
        - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKkIlii1iJM240yPSPS5WhrdQwGFa7BTJZ59ia40wgVWjjg1JlTtr9K2W66fNb2zNO7tLkaNzPddMEsov2bJAno= [email protected]'
      privileges:
        - '/usr/bin/rsync'
        - '/bin/systemctl restart apache2.service'
      bash_aliases:
        ll: 'ls -l'
    other_guy:
      comment: '不寻常的用户'
      shell: '/bin/fancyshell'
      always_update_password: true  # otherwise the password is only set when the user is created
      password: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        61303431646338396364383939626630336436316661623830643636376130636163356234333464
        3430643134366635356130373139636664363139313831630a376436396134646665306361366464
        66386166663739316162346638323537346630333761366161386364646532633434613964396264
        3063306334636331320a653837663432643164626665353638643032336534653239666534373562
        62323631363638633239383839666337356538366133326136363033373338643138
      ssh_pub:
        - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBxS1MoeqDyN6+ZKsnLJHIA0/5nVQ6+a1Bgwknx3U7lGlqFIki/HgUX089YUzhbEKcxzTlR3Ji+gLnxhBZhe700= [email protected]'
      scope: 'dc_europe_west'  # only create the user on servers in the 'dc_europe_west' inventory group
      privileges:
        - '/bin/systemctl restart some_service.service'
      sudoers_prompt: true  # the user must confirm their password when running the listed commands via 'sudo'
    root:
      dont_touch: true  # the user account will not be modified
      bash_aliases:
        ll: 'ls -l'
        la: 'ls -la'
        tc: 'tar -cJvf'
        tx: 'tar -xJvf'
  groups:
    ag_guest:
      members: ['joe', 'who?']
    ag_tester:
      members: ['hans']
    ag_users:
      members: ['lisa']
      nested_groups: ['ag_tester']
    ag_superguys:
      members: ['seppal']
      parents: ['ag_users']
    ag_devops:
      members: ['luis']
    ag_admins:
      members: ['reymond']
      member_of: ['ag_superguys']
You may want to encrypt your passwords using 'ansible-vault':
ansible-vault encrypt_string
Execution
Run the playbook:
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml --ask-vault-pass
Nested groups
You can link two groups together so that they inherit each other's members.
If another group should inherit all members of the current group:
- member_of
- parents
If the current group should inherit all members of another group:
- nested_groups
- children
Functionality
Users
- user scope => restrict the servers on which a user should be created
- sudo privileges for specific commands
- SSH authorized keys
- setting Bash aliases
Groups
- nested groups (member inheritance)
Info
Note: this role currently only supports Debian-based systems
Note: most of the role's functionality can be enabled or disabled.
For all available options, see the default configuration in the main defaults file.
Warning: not every setting/variable you provide is checked for validity. A wrong configuration might break the role!
Example
Configuration
system_auth:
  users:
    guy:
      comment: 'AnsibleGuy'
      password: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        64373031333937633163366236663237623464336461613334343739323763373330393930666331
        3333663262346337636536383539303834373733326631310a393865653831663238383937626238
        35396531316338373030353530663465343838373635363633613035356338353366373231343264
        3437356663383466630a666161363163346533333139656566386466383733646134616166376638
        35313765356134396130333439663461353336313230366338646165376666313232
      ssh_pub:
        - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKkIlii1iJM240yPSPS5WhrdQwGFa7BTJZ59ia40wgVWjjg1JlTtr9K2W66fNb2zNO7tLkaNzPddMEsov2bJAno= [email protected]'
      privileges:
        - '/usr/bin/rsync'
        - '/bin/systemctl restart apache2.service'
    other_guy:
      comment: '不寻常的用户'
      scope: 'dc_europe_west'
      remove: true  # whether the user's related files should be removed when the user is deleted
      force_remove: true  # force the removal of this user
    another_guy:
      comment: '好人'
      password: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        61303431646338396364383939626630336436316661623830643636376130636163356234333464
        3430643134366635356130373139636664363139313831630a376436396134646665306361366464
        66386166663739316162346638323537346630333761366161386364646532633434613964396264
        3063306334636331320a653837663432643164626665353638643032336534653239666534373562
        62323631363638633239383839666337356538366133326136363033373338643138
      ssh_pub:
        - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcfYHDR8O4A9uIHnw3v25rDPtqDlRmFIyJc1fxZx90K6BUNXV+TTkFH836EftHVAaMdlMZSfNm9O+o0UbrvbaI= [email protected]'
      force_password_change: true
  groups:
    ag_guest:
      members: []
    ag_tester:
      members: ['other_guy', 'another_guy']
      state: 'absent'
    ag_users:
      members: []
      nested_groups: ['ag_tester']  # key name as documented under 'Nested groups'
    ag_superguys:
      members: []
      parents: ['ag_users']
    ag_devops:
      members: []
    ag_admins:
      members: ['guy']
      member_of: ['ag_superguys']
Result:
guy@ansible:~# cat /etc/group
> ...
> ag_guest:x:1000:
> ag_users:x:1002:guy,another_guy
> ag_superguys:x:1003:guy
> ag_devops:x:1004:
> ag_admins:x:1005:guy
> guy:x:1006:
> another_guy:x:1007:
guy@ansible:~# cat /etc/passwd
> ...
> guy:x:1000:1006:Ansible 管理 - AnsibleGuy:/home/guy:/bin/bash
> another_guy:x:1001:1007:Ansible 管理 - 好人:/home/another_guy:/bin/bash
guy@ansible:~# cat /etc/sudoers.d/user_priv_guy
> # Ansible 管理
>
> Cmnd_Alias USER_PRIV_GUY = \
> /usr/bin/rsync, \
> /bin/systemctl restart apache2.service
>
> guy ALL=(ALL) NOPASSWD: USER_PRIV_GUY
guy@ansible:~# cat /etc/sudoers.d/user_priv_another_guy
> # Ansible 管理
>
> Cmnd_Alias USER_PRIV_ANOTHERGUY = \
> /bin/systemctl restart myNiceStuff.service
>
> another_guy ALL=(ALL) USER_PRIV_ANOTHERGUY
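To check what the nested-group keys resolve to before the role touches a host, here is an added example (not part of the role's code) that models the inheritance rules given under 'Nested groups' and reproduces the /etc/group result shown above; the input dict is constructed from the example config with passwords and keys left out, and the assumption that absent groups and removed users simply vanish from the result is mine, not the role's documented behaviour.

```python
# Added example, not part of the ansibleguy.linux_users role: resolve the
# effective members of each group from a dict shaped like the role's
# `system_auth` config, to sanity-check a config before deploying it.
# Assumed semantics (from the README): nested_groups/children make this group
# inherit another's members; member_of/parents do the reverse; transitive.
INHERIT_FROM = ("nested_groups", "children")
INHERIT_TO = ("member_of", "parents")


def resolve_groups(system_auth):
    """Return {group: sorted members}; absent groups and removed users are dropped."""
    groups = system_auth.get("groups", {})
    users = system_auth.get("users", {})
    removed = {u for u, cfg in users.items() if cfg.get("remove")}
    sources = {g: set() for g in groups}  # sources[g]: groups g inherits from
    for g, cfg in groups.items():
        sources[g].update(*(cfg.get(key, []) for key in INHERIT_FROM))
        for key in INHERIT_TO:
            for target in cfg.get(key, []):
                sources.setdefault(target, set()).add(g)
    effective = {g: set(cfg.get("members", [])) for g, cfg in groups.items()}
    changed = True  # fixpoint iteration copes with chains and cycles
    while changed:
        changed = False
        for g, srcs in sources.items():
            mine = effective.setdefault(g, set())
            for src in srcs:
                new = effective.get(src, set()) - mine
                if new:
                    mine |= new
                    changed = True
    return {g: sorted(m for m in members if m not in removed)
            for g, members in effective.items()
            if groups.get(g, {}).get("state", "present") != "absent"}


# Constructed input mirroring the README's example (passwords and keys omitted)
EXAMPLE = {
    "users": {"guy": {}, "other_guy": {"remove": True}, "another_guy": {}},
    "groups": {
        "ag_guest": {"members": []},
        "ag_tester": {"members": ["other_guy", "another_guy"], "state": "absent"},
        "ag_users": {"members": [], "nested_groups": ["ag_tester"]},
        "ag_superguys": {"members": [], "parents": ["ag_users"]},
        "ag_devops": {"members": []},
        "ag_admins": {"members": ["guy"], "member_of": ["ag_superguys"]},
    },
}
if __name__ == "__main__":
    for group, members in resolve_groups(EXAMPLE).items():
        print(f"{group}: {','.join(members)}")  # compare with cat /etc/group
```

Running it prints ag_users: another_guy,guy and ag_superguys: guy, matching the /etc/group lines above; a user who unexpectedly lands in a privileged group this way is worth catching here rather than on the host.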
About the project
Role to configure users and groups on a linux machine
License: other
Owner: [email protected] | GPG: https://badges.ansibleguy.net/public.gpg