Skip to content

Latest commit

 

History

History
188 lines (137 loc) · 3.97 KB

README.md

File metadata and controls

188 lines (137 loc) · 3.97 KB

Users and Roles

Master: Build Status Develop: Build Status

This roles manages OS users and groups.

Installation and Dependencies

This role has no dependencies.

To install run ansible-galaxy install sansible.users_and_groups or add this to your roles.yml

- name: sansible.users_and_groups
  version: v2.0

and run ansible-galaxy install -p ./roles -r roles.yml

Tags

This role uses two tags: build and maintain

  • build - Ensures that specified groups and users are present.
  • maintain - Ensures users on an already built and configured instance.

Examples

Simple example for creating two users and two groups.

- name: Configure User Access
  hosts: sandbox

  roles:
    - name: sansible.users_and_groups
      sansible_users_and_groups_groups:
        - name: lorem
          system: yes
        - name: ipsum
      sansible_users_and_groups_users:
        - name: lorem.ipsum
          groups:
            - ipsum
            - lorem
          ssh_key: ./lorem.ipsum.pub
        - name: dolor.ament
          groups:
            - ipsum

Creating a jailed SFTP user (cf here for a step-by-step guide):

- name: Configure User Access
  hosts: sandbox

  roles:
    - name: sansible.users_and_groups
      sansible_users_and_groups_authorized_keys_dir: /etc/ssh/authorized_keys
      sansible_users_and_groups_groups:
        - name: sftp_only
      sansible_users_and_groups_users:
        - name: sftp
          group: sftp_only
          home: /mnt/sftp_vol

In most cases you would keep the list of users in external vars file or group|host vars file.

- name: Configure User Access
  hosts: sandbox

  vars_files:
    - "vars/sandbox/users.yml"

  roles:
    - name: sansible.users_and_groups
      sansible_users_and_groups_groups: "{{ base_image.os_groups }}"
      sansible_users_and_groups_users: "{{ base_image.admins }}"

    - name: sansible.users_and_groups
      sansible_users_and_groups_users: "{{ developers }}"

Add selected group to sudoers

- name: Configure User Access
  hosts: sandbox

  vars_files:
    - "vars/sandbox/users.yml"

  roles:
    - name: sansible.users_and_groups
      sansible_users_and_groups_groups: "{{ base_image.os_groups }}"
      sansible_users_and_groups_users: "{{ base_image.admins }}"

    - name: sansible.users_and_groups
      sansible_users_and_groups_users: "{{ developers }}"

    - name: sansible.users_and_groups
      sansible_users_and_groups_sudoers:
        - name: wheel
          user: "%wheel"
          runas: "ALL=(ALL)"
          commands: "NOPASSWD: ALL"

Use whitelist groups option to allow users contextually.

Var file with users:

---

# vars/users.yml

sansible_users_and_groups_groups:
  - name: admins
  - name: developer_group_alpha
  - name: developer_group_beta
sansible_users_and_groups_users:
  - name: admin.user
    group: admins
  - name: alpha.user
    group: alpha_develops
  - name: beta.user
    group: developer_group_beta

In a base image:

---

# playbooks/base_image.yml

- name: Base Image
  hosts: "{{ hosts }}"

  vars_files:
    - vars/users.yml

  roles:
    - role: sansible.users_and_groups
      sansible_users_and_groups_whitelist_groups:
        - admins

    - role: base_image

In a service role:

---

# playbooks/alpha_service.yml

- name: Alpha Service
  hosts: "{{ hosts }}"

  vars_files:
    - vars/users.yml

  roles:
    - role: sansible.users_and_groups
      sansible_users_and_groups_whitelist_groups:
        - admins
        - developer_group_alpha

    - role: alpha_service