From 1024921a740b24d86e1a9f6543a6402d493705b2 Mon Sep 17 00:00:00 2001
From: transcaffeine
Date: Sun, 12 Jan 2025 10:24:03 +0100
Subject: [PATCH] feat: add user role
---
playbooks/user.yml | 7 +++++
roles/user/README.md | 23 ++++++++++++++++
roles/user/defaults/main.yml | 2 ++
roles/user/tasks/configure-user.yml | 41 +++++++++++++++++++++++++++++
roles/user/tasks/main.yml | 8 ++++++
5 files changed, 81 insertions(+)
create mode 100644 playbooks/user.yml
create mode 100644 roles/user/README.md
create mode 100644 roles/user/defaults/main.yml
create mode 100644 roles/user/tasks/configure-user.yml
create mode 100644 roles/user/tasks/main.yml
diff --git a/playbooks/user.yml b/playbooks/user.yml
new file mode 100644
index 0000000..7eab33f
--- /dev/null
+++ b/playbooks/user.yml
@@ -0,0 +1,7 @@
+---
+- name: Configure user accounts
+ hosts: "{{ user_hosts | default('all', true) }}"
+ become: "{{ user_role_become | default(false, true) }}"
+ gather_facts: "{{ user_role_gather_facts | default(false, true) }}"
+ roles:
+ - role: finallycoffee.base.user
diff --git a/roles/user/README.md b/roles/user/README.md
new file mode 100644
index 0000000..ffcbb73
--- /dev/null
+++ b/roles/user/README.md
@@ -0,0 +1,23 @@
+# `finallycoffee.base.user` ansible role
+
+Provision and manage user accounts on the remote host. Supports setting user
+home, gecos (display name) and shell.
+
+Warning: if the users' home exists and is changed, the role will attempt to
+move the home directory. Set `move_home` to false on the user to disable this
+behaviour.
+
+## Examples
+```yaml
+- hosts: all
+ roles:
+ - role: finallycoffee.base.user
+ vars:
+ users:
+ - name: root
+ - name: alice
+ - name: bob
+ state: present
+ - name: eve
+ state: absent
+```
diff --git a/roles/user/defaults/main.yml b/roles/user/defaults/main.yml
new file mode 100644
index 0000000..a4ae6ba
--- /dev/null
+++ b/roles/user/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+users: []
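Review bot: In the new playbook `become` defaults to `false` (`user_role_become | default(false, true)`), yet the tasks the role runs (`ansible.builtin.user`, `ansible.builtin.file` with `owner`/`group`) need root to create, remove or re-own accounts other than the login user, so the default only works when the connecting account is already privileged. The three play-level knobs `user_hosts`, `user_role_become` and `user_role_gather_facts` appear nowhere in the role README added by this commit, so a caller has no hint that `-e user_role_become=true` (or an explicit `become` on their own play) is required. A short README section documenting them would close that gap, e.g. `user_role_become` — set to `true` to run the role with privilege escalation; required to manage any account other than the connecting user. Defaulting `hosts` to `all` for an account-management play is also broad; documenting `user_hosts` makes the intended scoping explicit.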
diff --git a/roles/user/tasks/configure-user.yml b/roles/user/tasks/configure-user.yml
new file mode 100644
index 0000000..3f0a342
--- /dev/null
+++ b/roles/user/tasks/configure-user.yml
@@ -0,0 +1,41 @@
+---
+- name: Ensure user '{{ user.name }}' is {{ user_state }}
+ ansible.builtin.user:
+ name: "{{ user.name }}"
+ state: "{{ user_state }}"
+ system: "{{ user.system | default(false, true) }}"
+ shell: "{{ user.shell | default(omit, true) }}"
+ home: "{{ user.home | default(omit, true) }}"
+ create_home: "{{ user.create_home | default(true, true) }}"
+ move_home: "{{ user.move_home | default(true, true) }}"
+ skeleton: >-2
+ {{ (user.create_home | default(true, true) and 'skeleton' in user)
+ | ternary(user.skeleton | default(''), omit) }}
+ comment: "{{ user.comment | default(user.gecos | default(omit, true), true) }}"
+ vars:
+ user_state: "{{ user.state | default('present', false) }}"
+
+- name: Ensure SSH authorized keys for '{{ user.name }}' are {{ user_state }}
+ vars:
+ user_state: "{{ user.state | default('present', false) }}"
+ when:
+ - user_state == 'present'
+ - user.authorized_keys | default([]) | length > 0
+ block:
+ - name: Ensure .ssh directory for user '{{ user.name }}' exists
+ ansible.builtin.file:
+ path: "{{ user.home | default('/home/' + user.name) + '/.ssh' }}"
+ state: "directory"
+ owner: "{{ user.name }}"
+ group: "{{ user.name }}"
+ mode: "0700"
+ - name: Ensure key is up to date
+ ansible.posix.authorized_key:
+ user: "{{ user.name }}"
+ state: "{{ key.state | default('present', true) }}"
+ key: "{{ key.type }} {{ key.key }}"
+ comment: "{{ user.name }}-{{ key.comment }}"
+ loop: "{{ user.authorized_keys }}"
+ loop_control:
+ loop_var: key
+ label: "{{ user.name }}-{{ key.comment }}"
diff --git a/roles/user/tasks/main.yml b/roles/user/tasks/main.yml
new file mode 100644
index 0000000..ee87120
--- /dev/null
+++ b/roles/user/tasks/main.yml
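Review bot: The `.ssh` directory task inside the SSH block derives the path as `user.home | default('/home/' + user.name) + '/.ssh'`, which is wrong whenever the account's real home is not `/home/<name>` — for `root`, which the README example lists, it creates a spurious `/home/root/.ssh`, while `ansible.posix.authorized_key` writes the key file under the home recorded in the account's passwd entry. Since `authorized_key` already creates `~/.ssh` with mode 0700 owned by the user (`manage_dir` defaults to true), the `ansible.builtin.file` task can simply be dropped; if it is kept, the home should come from `ansible.builtin.getent` (database `passwd`) rather than a string assumption, and `group: "{{ user.name }}"` presumes a user-private group of the same name, which may not exist on hosts with a shared primary group. Separately, `exclusive` is not set on `authorized_key`, so a key removed from a user's `authorized_keys` list stays authorized until it is re-listed with `state: absent`; that revocation model deserves a sentence in the README. `comment: "{{ user.name }}-{{ key.comment }}"` will also fail templating for a key entry without `comment`, so `key.comment | default('')` (also in `label`) would make the loop tolerant of minimal entries.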
@@ -0,0 +1,8 @@
+---
+- name: Ensure users are configured
+ ansible.builtin.include_tasks:
+ file: "configure-user.yml"
+ loop: "{{ users }}"
+ loop_control:
+ loop_var: user
+ label: "{{ user.name }}"