An ansible role for managing user and group accounts. The role includes the following tasks:

- Create groups specified by `users_groups`.
- Set sudo rights for groups where necessary.
- Create users from the `users_accounts` array with specified parameters.
- Add users to groups.
- Authorize users to login via SSH.
- Clone the `dotfiles` repository (if `dotfiles_repo` is defined) to `$HOME/.dotfiles` for each user and link dotfiles to the `$HOME` directory.
This role can be run under all versions of Ubuntu and Debian; there are no other requirements.
Available variables are listed below, along with default values (see `defaults/main.yml`):

```yaml
users_accounts: [] # An array of user accounts
users_groups: [] # An array of user groups
```
Each user account can include some of the following parameters. The only required parameter is `name`:

```yaml
users_accounts:
  - name: "" # A user name
```
To specify a primary group for an account, use the `group` parameter. To put a user into a list of groups, use the `groups` value as a string of group names separated with a comma. For Ansible 2.2 and below this is the only allowed format for several groups; newer versions also accept YAML lists. When the parameter is set to an empty string (`groups=`), the user is removed from all groups except the primary group.

```yaml
group: (omit) # A name of the primary group to which the user belongs
groups: (omit) # A string of the user group names separated with a comma
append: yes # If 'yes', will only add groups, not set them to just the list in 'groups'
```
You can control whether a home directory is created for the user when the account is created (or when the home directory does not exist) with the `createhome` parameter:

```yaml
createhome: yes # Set `no` if a home directory should not be created
home: (omit) # The user's home directory
```
To add an SSH authorized key and a password, set the corresponding parameters. The possible values of `update_password` are `always` and `on_create`: `always` will update passwords if they differ; `on_create` will only set the password for newly created users.

```yaml
key: (omit) # The SSH public key as a string or (since 1.9) url
generate_ssh_key: no # Whether to generate a SSH key for the user (will not overwrite an existing SSH key)
password: (omit) # The user's password
update_password: (omit)
```
The `state` parameter manages a user account depending on whether it exists or not. If it is `present`, a new user will be created; if the value is `absent`, the user will be removed. The action is taken only when the current account state differs from what is set:

```yaml
state: present # Create the account if it is absent
```
To clone a user's dotfiles repository at a specified version, use the following parameters:

```yaml
dotfiles_repo: # Path to a dotfiles repository
dotfiles_version: (omit) # Required version
```
Configure some other optional parameters if necessary:

```yaml
shell: /bin/bash # The user's shell
comment: "" # A description of the user account
expires: (omit) # An expiry time for the user
system: no # Create the user account as system (cannot be changed for existing users)
```
User groups are specified by these parameters:

```yaml
users_groups:
  - name: admin # A group name
    state: present # Create a group if it is absent
    sudo: "ALL=(ALL) NOPASSWD:ALL" # Set rights to the group
```

This role has no dependencies on other roles.
Example playbook:

```yaml
- hosts: all
  roles:
    - role: users
  vars_files:
    - vars/users.yml
```

Inside `vars/users.yml`:
```yaml
# Specify some groups:
users_groups:
  - name: admin
    sudo: "ALL=(ALL) NOPASSWD:ALL"
  - name: deploy
  - name: developer
    sudo: "ALL=(ALL) NOPASSWD:/bin/ls, /bin/cat, /bin/more, /bin/grep, /usr/bin/head, /usr/bin/tail, /usr/bin/less"

# Specify user accounts:
users_accounts:
  - name: deploy
    group: deploy
    comment: Deploy user
  - name: alex
    groups: 'deploy,admin'
    comment: [email protected]
    key: "{{ lookup('file', 'files/public_keys/alex.pub') }}"
  - name: jack
    groups: 'deploy,admin'
    comment: [email protected]
    key: "{{ lookup('file', 'files/public_keys/jack.pub') }}"
  - name: pavel
    groups: 'deploy,developer'
    comment: [email protected]
    key: "{{ lookup('file', 'files/public_keys/pavel.pub') }}"
```

where `files/public_keys/alex.pub` is the user's public key.
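As an added pre-flight check (not part of the role), the Python below lints a parsed `vars/users.yml` against the variable rules above: every group an account joins must be created by `users_groups`, `update_password` only takes the two documented values, and the accounts that end up with passwordless full root through a `NOPASSWD:ALL` group are listed so that a reviewer sees them before the play runs. It works on the already-parsed structure (feed it `yaml.safe_load()` output in practice); the `SAMPLE` dict is a constructed stand-in for the README's example, with e-mails and keys replaced.

```python
import re

VALID_UPDATE_PASSWORD = {"always", "on_create"}
NOPASSWD_ALL = re.compile(r"NOPASSWD:\s*ALL\b")

def group_list(value):
    """Normalise `groups`: comma-separated string (the only form on Ansible <= 2.2) or YAML list."""
    if isinstance(value, str):
        return [g.strip() for g in value.split(",") if g.strip()]
    return [str(g) for g in value or []]

def lint_users_vars(data):
    """Return human-readable findings; an empty list means the vars are consistent."""
    findings = []
    defined = {g["name"] for g in data.get("users_groups", [])
               if g.get("name") and g.get("state", "present") == "present"}
    for acct in data.get("users_accounts", []):
        name = acct.get("name")
        if not name:  # the one required parameter
            findings.append("account entry without the required 'name'")
            continue
        if "update_password" in acct and acct["update_password"] not in VALID_UPDATE_PASSWORD:
            findings.append(f"{name}: update_password must be 'always' or 'on_create'")
        if acct.get("state", "present") != "present":
            continue  # groups are irrelevant for an account being removed
        # The role creates groups before accounts, so any group an account joins must
        # be listed in users_groups; otherwise the user module fails on the host.
        for grp in group_list(acct.get("groups")) + ([acct["group"]] if acct.get("group") else []):
            if grp not in defined:
                findings.append(f"{name}: group '{grp}' is not created by users_groups")
    return findings

def passwordless_root_users(data):
    """Sorted names of present accounts that end up in a group granted NOPASSWD:ALL."""
    unrestricted = {g["name"] for g in data.get("users_groups", [])
                    if g.get("name") and NOPASSWD_ALL.search(str(g.get("sudo", "")))}
    return sorted(a["name"] for a in data.get("users_accounts", [])
                  if a.get("name") and a.get("state", "present") == "present"
                  and unrestricted & (set(group_list(a.get("groups"))) | {a.get("group")}))

SAMPLE = {  # constructed sample mirroring the README's vars/users.yml (e-mails and keys replaced)
    "users_groups": [{"name": "admin", "sudo": "ALL=(ALL) NOPASSWD:ALL"}, {"name": "deploy"},
                     {"name": "developer", "sudo": "ALL=(ALL) NOPASSWD:/bin/ls, /bin/cat"}],
    "users_accounts": [{"name": "deploy", "group": "deploy", "comment": "Deploy user"},
                       {"name": "alex", "groups": "deploy,admin", "key": "ssh-ed25519 AAAA alex"},
                       {"name": "pavel", "groups": ["deploy", "developer"], "update_password": "on_create"},
                       {"name": "jack", "groups": "deploy,ops"}],  # 'ops' is never created
}
```

Run `lint_users_vars(SAMPLE)` and `passwordless_root_users(SAMPLE)` in a CI step before `ansible-playbook`; a non-empty findings list should fail the job.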
Licensed under the MIT License.