user

Ansible role to manage user accounts, groups and sudoers files, including:

  • create/remove group

  • create/remove user locally or in LDAP

  • create/remove user's home directory

  • create/copy user's ssh keys

  • add a user's existing SSH public key from authorized_keys[]:

    • direct value, optionally with !unsafe prefix
    • relative or absolute path to a key file
  • set user's password

    • assign already encrypted password

      Any value matching one of the following is treated as an already set or already encrypted password:

      • ! password for a locked account
      • regex('^\$[0-9]\$.{60}') starting with $anydigit$ followed by at least 60 characters
      • regex('^\{[A-Z0-9]+\}.+') starting with {SHA} followed by length in bytes
    • encrypt given password with user_password_hash

      Use ansible-vault to encrypt the variable that holds the password.

      echo -n "secret" | ansible-vault encrypt_string --vault-id @prompt --stdin-name password
    • generate, and store locally on ansible controller, password with given:

      Generated passwords are stored in plaintext in a file on the Ansible controller. The file location is set by user_password_file, but the path always ends with the user's name.

  • manage sudoers entries

    • in /etc/sudoers if user_sudoers: [{file: "sudoers", ...}]
    • in /etc/sudoers.d/name if user_sudoers: [{file: "name", ...}]
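
An added example, not part of the role's own code: a Python check of which values the rules above, taken as printed on this page, accept as an already set or encrypted password. The exact-match handling of ! and all sample values are assumptions constructed for illustration.

```python
import re

# Patterns as printed in the list above, evaluated with Python's re module.
CRYPT_RE = re.compile(r'^\$[0-9]\$.{60}')
SCHEME_RE = re.compile(r'^\{[A-Z0-9]+\}.+')


def classify(value):
    """Name the rule that treats value as already set, else 'plaintext'."""
    if value == "!":  # assumption: the locked-account marker is exactly "!"
        return "locked"
    if CRYPT_RE.search(value):
        return "crypt"
    if SCHEME_RE.search(value):
        return "scheme"
    return "plaintext"


# Constructed samples: prefixes and lengths follow each format, bodies are filler.
SAMPLES = {
    "sha512-crypt": "$6$" + "s" * 16 + "$" + "A" * 86,
    "sha256-crypt": "$5$" + "s" * 16 + "$" + "A" * 43,
    "md5-crypt": "$1$" + "s" * 8 + "$" + "A" * 22,
    "bcrypt": "$2b$12$" + "A" * 53,
    "ldap-ssha": "{SSHA}" + "A" * 40,
    "locked": "!",
    "cleartext": "correct horse battery staple",
}


def report():
    """Map each sample name to the rule that matched it."""
    return {name: classify(value) for name, value in SAMPLES.items()}


def hashes_seen_as_plaintext():
    """Hash formats the printed patterns miss (they fall through to 'plaintext')."""
    result = report()
    return sorted(n for n, rule in result.items()
                  if rule == "plaintext" and n != "cleartext")


if __name__ == "__main__":
    for name, rule in report().items():
        print(f"{name:14} -> {rule}")
    print("not recognised:", hashes_seen_as_plaintext())
```

With the patterns as printed, md5-crypt ($1$) and bcrypt ($2b$) strings are not recognised as encrypted, so confirm the format of any pre-hashed value before assigning it.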

Requirements

Role Variables

  • defaults

    • password

      user_password_generate:   # generate password if set to this
      user_password_file: ""    # generated password file location
      user_password_seed: ""    # static seed to stay idempotent
      user_password_hash: ""    # password encryption algorithm
      user_password_length:     # generated password length
      user_password_chars: []   # list of allowed characters
    • groups

      user_groups: []           # list of OS groups to add/remove
    • accounts

      user_accounts: []         # list of users to manage
      - name: username
        dn: ""                  # DN of account entry in LDAP
        objectClass: []         # objectClasses of account entry in LDAP
        attributes: {}          # attributes of account entry in LDAP
          uid: ""               # i.e.
          cn: ""
          homeDirectory: ""
          loginShell: ""
          userPassword: ""      # follows the same rules as local account
        authorized_keys: []     # list of keys to add/remove
          - key: "{{ playbook_dir }}/files/id_rsa.pub"
            state: absent       # remove key matching the one in file
          - key: "~/.ssh/id_rsa.pub"
    • sudoers

      user_sudoers:             # list of sudoers entries
        - file: "ansible"       # store entries in /etc/sudoers.d/ansible
          user: "ansible"       # user allowed to sudo
          host: "ALL"           # on hosts
          runas:               
            - user: "ALL"       # as this user
              group: "ALL"      # as this group
              cmd: "ALL"        # run this command
  • vars

    user_sudoers_config: {}     # sudoers file attributes
    user_homedir: {}            # home directory attributes
    user_skel_path: /etc/skel   # location of skel for home dir
    user_query_homedir: ""      # JMESPath query to filter user that should have home dir created

Dependencies

Tags

  • user.group - Manage groups
  • user.account - Manage user accounts
  • user.ldap - Manage users in LDAP
  • user.homedir - Manage users' home directories
  • user.sshkeys - Manage users' SSH keys
    • user.sshkeys.directory - Create authorized keys directory
    • user.sshkeys.authorized - Manage ssh public key in authorized keys
    • user.sshkeys.copy - Copy ssh keys
  • user.sudoers - Manage sudoers

Examples

  • requirements.yml

    - name: user
      src: https://github.com/mario-slowinski/user
  • playbook.yaml

    - hosts: servers
      gather_facts: no
      roles:
        - role: user

License

GPL-3.0

Author Information

[email protected]
