Configure system and normal groups and users. This role configures the following. Groups are created before users.

- Creates or removes groups.
- Creates a user and the user's group.
- Disables or removes a user.
- Sets the user's SSH `authorized_keys`.
- Which source addresses the user may log in from.
- What abilities can be performed.
- Optionally sets UID and GID.
| Version | Change |
|---------|--------|
| 3.1.0 | Added support for RHEL10. The role now supports `os_family = redhat`. |
| 3.0.2 | Move testing to Ansible Molecule. |
| 3.0.1 | Make `exclusive` an option, not hardcoded. |
| 3.0.0 | Add Ansible-core 2.16. Removed support for Ubuntu xenial and bionic. |
| 2.2.0 | Added support for Ubuntu 24.04. |
| 2.1.0 | Added `password_nolock`, for situations where we're not changing the password. |
| 2.0.1 | Bug fix, ansible-lint. |
| 2.0.0 | Updated to Ansible 2.12.9. |
| 1.7.0 | Added RHEL9 and CentOS Stream 8 support. |
| 1.6.2 | Removed extra slashes in `authorized_keys` when using `allow_ips`. |
| 1.6.1 | Bugfix. |
| 1.6.0 | Added Jammy. Removed CentOS 8. |
| 1.5.0 | Added RHEL8. Removed CentOS 6 and Ubuntu 14.04. |
| 1.4.0 | Added option for creating and removing arbitrary groups. |
| 1.3.0 | Remove Ubuntu precise from testing. |
| 1.2.0 | Updated with Ubuntu focal. |
| 1.1.6 | Tested with Ansible 2.9.11. |
| 1.1.5 | Prepare for GitHub. |
| 1.1.4 | Do not try to remove the sudoers file in `check_mode`. |
| 1.1.3 | Fixed unnecessary password updates. |
| 1.1.2 | Default to hard coded `/bin/bash` if `shell` is undefined. |
| 1.1.1 | Remove unused issue tracker from meta. |
| 1.1.0 | Set `user_default_restrict` to an empty string. |
| 1.0.0 | Initial version. |
| master | Latest development version. |
Requirements
------------

This role supports:

- RedHat based OS, versions 8, 9 and 10
- Ubuntu 20.04, 22.04 and 24.04
- CentOS 7
- CentOS Stream 8
Role Variables
--------------

- `user_default_allow_ips` --- list of source IP addresses, default `[]`
- `user_default_restrict` --- comma separated string with restrictions for login, default `""`. Available restrictions:
  - `agent-forwarding` --- allow SSH agent forwarding
  - `port-forwarding` --- allow port forwarding
  - `pty` --- allow tty
  - `restrict` --- limit all; always use it first
  - `X11-forwarding` --- allow X forwarding
  - See other options with `man sshd`
- `user_groups` --- list of dicts with all groups, default `[]`. Dict elements are defined as follows:
  - `enabled` --- is the group enabled or not, default `false`
  - `gid` --- GID value as integer, default auto generated
  - `group` --- Linux group name, required
  - `system` --- is the group a system group, default `false`
- `user_users` --- list of dicts with all users, default `[]`. Dict list elements are defined as follows:
  - `allow_ips` --- list of source IP addresses, default `user_default_allow_ips`
  - `comment` --- user GECOS, default `""`
  - `create_home` --- create home directory, default `true`
  - `enabled` --- is the user enabled or not, default `false`
  - `enable_sudo_password` --- enable password check on sudo; use together with `sudo`, default `false`
  - `gid` --- GID value as integer, default auto generated
  - `groups` --- list of extra groups for the user, default `[]`
  - `group` --- user's main group, default username
  - `key` --- file with one SSH key on each line, default `''`
  - `exclusive` --- remove SSH keys not listed here, default `true`
  - `password` --- set password hash for the user; create a new password hash with `mkpasswd -m sha512crypt`, default not set
  - `password_nolock` --- don't lock the password even if it is empty or not defined, default `false`
  - `remove` --- remove user files when `enabled == false`, default `false`
  - `restrict` --- subset of restrictions, default `user_default_restrict`
  - `shell` --- set user default shell, default `bash`
  - `sudo` --- enable passwordless sudo for the user, default `false`
  - `system` --- is the user a system user, default `false`
  - `uid` --- UID value as integer, default auto generated
  - `user` --- Linux user name, required
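As an added example (not the role's own code), the following Python script shows what the `allow_ips` and `restrict` settings above amount to on the managed host: sshd `authorized_keys` options placed in front of each public key. It assumes the role renders `allow_ips` as a single `from="..."` option followed by the `restrict` string, which release 1.6.2 in the changelog implies but the README does not spell out. The user entry and the key strings are constructed sample data; the option names it accepts are the ones documented above, and it enforces the rule that `restrict` must come first.

```python
"""Render the sshd authorized_keys lines implied by a user entry of the role.

Added example, not the role's own code. Assumption: the role turns
``allow_ips`` into an sshd ``from="..."`` option and puts the comma separated
``restrict`` string after it, in front of every public key line.
"""

# The restriction names the README documents for user_default_restrict / restrict.
KNOWN_RESTRICTIONS = {
    "restrict", "agent-forwarding", "port-forwarding", "pty", "X11-forwarding",
}

# Role defaults as documented: no source filter, no restrictions.
ROLE_DEFAULTS = {"user_default_allow_ips": [], "user_default_restrict": ""}


def parse_restrict(restrict):
    """Split a restrict string into options, rejecting names the README does
    not list and enforcing its rule that `restrict` comes first: sshd applies
    options left to right, so `restrict` must disable everything before a
    later `pty` or `X11-forwarding` re-enables one feature."""
    opts = [o.strip() for o in restrict.split(",") if o.strip()]
    unknown = [o for o in opts if o not in KNOWN_RESTRICTIONS]
    if unknown:
        raise ValueError(f"unknown restriction(s): {unknown}")
    if "restrict" in opts and opts[0] != "restrict":
        raise ValueError("'restrict' must be the first option")
    return opts


def effective_options(user, defaults=ROLE_DEFAULTS):
    """Build the option prefix for one user: per-user allow_ips/restrict win
    over the role-wide defaults, as the variable list states."""
    allow_ips = user.get("allow_ips", defaults["user_default_allow_ips"])
    restrict = user.get("restrict", defaults["user_default_restrict"])
    opts = []
    if allow_ips:
        # One from= option; the address patterns are comma separated inside the quotes.
        opts.append('from="' + ",".join(allow_ips) + '"')
    opts.extend(parse_restrict(restrict))
    return ",".join(opts)


def render_authorized_keys(user, defaults=ROLE_DEFAULTS):
    """Return one authorized_keys line per non-empty line of the user's `key`."""
    prefix = effective_options(user, defaults)
    lines = []
    for line in user.get("key", "").splitlines():
        line = line.strip()
        if line:
            lines.append(f"{prefix} {line}" if prefix else line)
    return lines


# Constructed sample entry modelled on user2 in the README; the key material
# is a placeholder, not a real public key.
SAMPLE_USER = {
    "user": "user2",
    "allow_ips": ["10.0.0.0/8", "192.168.1.0/24"],
    "restrict": "restrict,X11-forwarding,pty",
    "key": "ssh-ed25519 AAAAexampleKeyOne\nssh-ed25519 AAAAexampleKeyTwo\n",
}

if __name__ == "__main__":
    for line in render_authorized_keys(SAMPLE_USER):
        print(line)
```

Run it and compare the printed lines with the user's `~/.ssh/authorized_keys` on a converged host to confirm that the source filter and the restriction order came out as intended; a `pty` that precedes `restrict` is silently undone by sshd, which is why the script rejects that order.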
Dependencies
------------

None
Example Playbook
----------------

Variables are usually kept in the `host_vars` or `group_vars` folder. Defining everything in the playbook is not recommended; this is just an example.

```yaml
- hosts: servers
  roles:
    - user
  vars:
    user_default_allow_ips:
      - 0.0.0.0/0
    user_default_restrict: restrict,pty
    user_groups:
      - group: g1
        enabled: true
      - group: g2
        system: true
        enabled: true
      - group: g3
        gid: 4000
        enabled: true
    user_users:
      - user: sysuser1
        create_home: false
        enabled: true
        system: true
      - user: sysuser2
        create_home: true
        enabled: true
        system: true
      - user: user1
        comment: User Name,Building and room or contact person,Office Phone,Home Phone,Email
        enabled: true
      # Listing a user with enabled: false and remove: true disables the
      # account and removes its files.
      - user: user1
        enabled: false
        remove: true
      - user: user2
        comment: User Name,Building and room or contact person,Office Phone,Home Phone,Email
        enabled: true
        group: usergroup2
        groups:
          - adm
          - users
        gid: 2000
        uid: 2000
        allow_ips:
          - 10.0.0.0/8
          - 192.168.1.0/24
        key: |
          ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkCVF05JvfkrfOOESivOxV4N8+A/EMEkF7/nCQMRoQg
          ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINy/2ldIkVhcgUAF3XkMyjfhXxuMHn0yK/1vqJwXFiue
        exclusive: true
        shell: /bin/sh
        restrict: restrict,X11-forwarding,pty
        # password 'user2'
        password: $6$W7eiMn9W7lWln0ea$H7Ys/saS9vPt4ng.dKQeExzbR8tFTIOn/MZ.C7HmVCsL..5SDHgnX4lvAE6JjQjCou2fcUPgkwQ1qInySeoMp.
        sudo: true
        enable_sudo_password: true
      - user: user3
        enabled: true
        key: |
          ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMFqjOZQuNPahtMmEWocMpW1oN7sukT+PmcWSqFdmSaj
        sudo: true
```
Append to the default lists in `group_vars` or `host_vars`.

- In `group_vars` or `host_vars`:

  ```yaml
  user_users_custom:
    - user: user4
      key: |
        ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINWIFe749/NkJcpEW1H8DtUJrnbNdvexBPiEeXyp6/uY
      enabled: true
  ```

- In the playbook, merge the defaults with your custom values:

  ```yaml
  pre_tasks:
    - name: add custom user_users
      set_fact:
        user_users: '{{ user_users + user_users_custom|default([]) }}'
  ```
Testing
-------

Testing is done using Ansible Molecule. It uses Vagrant with libvirt as backend.

To run the full test run:

```shell
molecule test
```

To run the test step by step run:

```shell
molecule create
molecule converge
molecule verify
molecule destroy
```

To run toward a specific scenario use the `-s` option:

```shell
molecule test -s ubuntu
```
License
-------
GPLv2
Author Information
------------------
Created 2020 by IT Infrastructure at MET Norway
Contact point: [IT Infrastructure Basis Team](mailto:[email protected])