feat: add user role

2025-01-12 10:24:03 +01:00
parent 62263726fa
commit 1024921a74
5 changed files with 81 additions and 0 deletions
--- a/roles/user/README.md
+++ b/roles/user/README.md
@@ -0,0 +1,23 @@
+# `finallycoffee.base.user` ansible role
+
+Provision and manage user accounts on the remote host. Supports setting user
+home, gecos (display name) and shell.
+
+Warning: if the users' home exists and is changed, the role will attempt to
+move the home directory. Set `move_home` to false on the user to disable this
+behaviour.
+
+## Examples
+```yaml
+- hosts: all
+  roles:
+    - role: finallycoffee.base.user
+  vars:
+    users:
+      - name: root
+      - name: alice
+      - name: bob
+        state: present
+      - name: eve
+        state: absent
+```
--- a/roles/user/defaults/main.yml
+++ b/roles/user/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+users: []
--- a/roles/user/tasks/configure-user.yml
+++ b/roles/user/tasks/configure-user.yml
@@ -0,0 +1,41 @@
+---
+- name: Ensure user '{{ user.name }}' is {{ user_state }}
+  ansible.builtin.user:
+    name: "{{ user.name }}"
+    state: "{{ user_state }}"
+    system: "{{ user.system | default(false, true) }}"
+    shell: "{{ user.shell | default(omit, true) }}"
+    home: "{{ user.home | default(omit, true) }}"
+    create_home: "{{ user.create_home | default(true, true) }}"
+    move_home: "{{ user.move_home | default(true, true) }}"
+    skeleton: >-2
+      {{ (user.create_home | default(true, true) and 'skeleton' in user)
+      | ternary(user.skeleton | default(''), omit) }}
+    comment: "{{ user.comment | default(user.gecos | default(omit, true), true) }}"
+  vars:
+    user_state: "{{ user.state | default('present', false) }}"
+
+- name: Ensure SSH authorized keys for '{{ user.name }}' are {{ user_state }}
+  vars:
+    user_state: "{{ user.state | default('present', false) }}"
+  when:
+    - user_state == 'present'
+    - user.authorized_keys | default([]) | length > 0
+  block:
+    - name: Ensure .ssh directory for user '{{ user.name }}' exists
+      ansible.builtin.file:
+        path: "{{ user.home | default('/home/' + user.name) + '/.ssh' }}"
+        state: "directory"
+        owner: "{{ user.name }}"
+        group: "{{ user.name }}"
+        mode: "0700"
+    - name: Ensure key is up to date
+      ansible.posix.authorized_key:
+        user: "{{ user.name }}"
+        state: "{{ key.state | default('present', true) }}"
+        key: "{{ key.type }} {{ key.key }}"
+        comment: "{{ user.name }}-{{ key.comment }}"
+      loop: "{{ user.authorized_keys }}"
+      loop_control:
+        loop_var: key
+        label: "{{ user.name }}-{{ key.comment }}"
--- a/roles/user/tasks/main.yml
+++ b/roles/user/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Ensure users are configured
+  ansible.builtin.include_tasks:
+    file: "configure-user.yml"
+  loop: "{{ users }}"
+  loop_control:
+    loop_var: user
+    label: "{{ user.name }}"