Skip to content

Commit

Permalink
Initial commit of mirror for https://github.com/unxnn/ansible-role-users
Browse files Browse the repository at this point in the history


unxnn.users appears to have been unpublished. I have a local copy from
my galaxy-roles directory but don't have the git history, sigh. Pushing
this as a mirror so we can restore DeepOps functionality.
  • Loading branch information
ajdecon committed Apr 3, 2020
0 parents commit e67df1d
Show file tree
Hide file tree
Showing 9 changed files with 419 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
*.idea
*.DS_Store
47 changes: 47 additions & 0 deletions .travis.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
---
sudo: required
language: python
python: "2.7"

install:
- pip install ansible==2.7.8

# Add ansible.cfg to pick up roles path.
- "{ echo '[defaults]'; echo 'roles_path = ../'; } >> ansible.cfg"

script:
# Syntax Check
- ansible-playbook -i localhost, tests/test.yml --syntax-check

# Run tests.yml
- ansible-playbook -i localhost, --connection=local --sudo tests/test.yml

# Run the role/playbook again, checking to make sure it's idempotent.
- >
ansible-playbook -i localhost, --connection=local --sudo tests/test.yml
| grep -q 'changed=0.*failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && exit 1)
# Lets check on the state of the users. I would invoke severspec myself however
# its a big thing to bring in on a small pull.
- id ansibletestuser | grep --silent "uid=2222(ansibletestuser) gid=2222(ansibletestuser) groups=2222(ansibletestuser),2(bin),100(users)"
- id ansibletestuser2 | grep --silent "uid=2223(ansibletestuser2) gid=2223(ansibletestuser2) groups=2223(ansibletestuser2),2(bin),100(users)"
- id ansibletestuser3 | grep --silent "uid=2224(ansibletestuser3) gid=4001(ansibletestgroup1) groups=4001(ansibletestgroup1),2(bin),100(users)"
- id ansibletestuser4 | grep --silent "uid=2225(ansibletestuser4) gid=100(users) groups=100(users),2(bin)"
- id ansibletestuser5 | grep --silent "uid=2226(ansibletestuser5) gid=4000(ansibletestgroup) groups=4000(ansibletestgroup),2(bin),100(users)"
- grep --silent "^ansibletestgroup:" /etc/group
- grep --silent "^ansibletestgroup1:" /etc/group
- ls -lgd /home/ansibletestuser | awk '{exit $3!="ansibletestuser"}'
- ls -lgd /home/otherdirectory | awk '{exit $3!="ansibletestuser2"}'
- ls -lgd /home/ansibletestuser3 | awk '{exit $3!="ansibletestgroup1"}'
- ls -lgd /home/otherdirectory1 | awk '{exit $3!="users"}'
- ls -lgd /home/ansibletestuser5 | awk '{exit $3!="ansibletestgroup"}'
- ls -lg /home/ansibletestuser/.profile | awk '{exit $3!="ansibletestuser"}'
- ls -lg /home/otherdirectory/.profile | awk '{exit $3!="ansibletestuser2"}'
- ls -lg /home/ansibletestuser3/.profile | awk '{exit $3!="ansibletestgroup1"}'
- ls -lg /home/otherdirectory1/.profile | awk '{exit $3!="users"}'
- ls -lgd /home/ansibletestuser5/.profile | awk '{exit $3!="ansibletestgroup"}'

notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/
20 changes: 20 additions & 0 deletions LICENSE
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
MIT License

Copyright (c) unxnn

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
108 changes: 108 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
# Ansible Role: users

[![Build Status](https://travis-ci.org/unxnn/ansible-role-users.svg?branch=master)](https://travis-ci.org/unxnn/ansible-role-users)

Role to manage users on a system.

## Role configuration

* `users_create_per_user_group` (default: true) - when creating users, also
create a group with the same username and make that the user's primary
group.
* `users_group` (default: users) - if users_create_per_user_group is _not_ set,
then this is the primary group for all created users.
* `users_default_shell` (default: /bin/bash) - the default shell if none is
specified for the user.
* `users_create_homedirs` (default: true) - create home directories for new
users. Set this to false if you manage home directories separately.

## Creating users

Add a users variable containing the list of users to add. A good place to put
this is in `group_vars/all` or `group_vars/groupname` if you only want the
users to be on certain machines.

The following attributes are required for each user:

* `username` - The user's username.
* `name` - The full name of the user (gecos field).
* `home` - The home directory of the user to create (optional, defaults to /home/username).
* `uid` - The numeric user id for the user (optional). This is required for uid consistency
across systems.
* `gid` - The numeric group id for the group (optional). Otherwise, the
`uid` will be used.
* `password` - If a hash is provided then that will be used, but otherwise the
account will be locked.
* `update_password` - This can be either 'always' or 'on_create'
- `'always'` will update passwords if they differ. (default)
- `'on_create'` will only set the password for newly created users.
* `group` - Optional primary group override.
* `groups` - A list of supplementary groups for the user.
* `append` - If yes, will only add groups, not set them to just the list in groups (optional).
* `profile` - A string block for setting custom shell profiles.
* `ssh_key` - This should be a list of SSH keys for the user (optional). Each SSH key
should be included directly and should have no newlines.
* `generate_ssh_key` - Whether to generate a SSH key for the user (optional, defaults to no).

In addition, the following items are optional for each user:

* `shell` - The user's shell. This defaults to /bin/bash. The default is
configurable using the users_default_shell variable if you want to give all
users the same shell, but it is different than /bin/bash.

Example:

---
users:
- username: foo
name: Foo Bar
groups: ['admin','systemd-journal']
uid: 1005
home: /local/home/foo
profile: |
alias ll='ls -ahl'
ssh_key:
- "ssh-rsa AAAAA.... foo@server"
- "ssh-rsa AAAAB.... foo2@server"
groups_to_create:
- name: developers
gid: 20000

Generating a password hash:

# On Debian/Ubuntu (via the package "whois")
mkpasswd --method=SHA-512 --rounds=4096

# OpenSSL (note: this will only make md5crypt. While better than plantext it should not be considered fully secure)
openssl passwd -1

# Python (change password and salt values)
python -c "import crypt, getpass, pwd; print crypt.crypt('password', '\$6\$SALT\$')"

# Perl (change password and salt values)
perl -e 'print crypt("password","\$6\$SALT\$") . "\n"'

## Deleting users

The `users_deleted` variable contains a list of users who should no longer be
in the system, and these will be removed on the next ansible run. The format
is the same as for users to add, but the only required field is `username`.
However, it is recommended that you also keep the `uid` field for reference so
that numeric user ids are not accidentally reused.

You can optionally choose to remove the user's home directory and mail spool with
the `remove` parameter, and force removal of files with the `force` parameter.

users_deleted:
- username: bar
uid: 1003
remove: yes
force: yes

# Dependenices

None.

# License

MIT
22 changes: 22 additions & 0 deletions defaults/main.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
---
# Create a group for every user and make that their primary group
users_create_per_user_group: true
# If we're not creating a per-user group, then this is the group all users
# belong to
users_group: users
# The default shell for a user if none is specified
users_default_shell: /bin/bash
# Create home dirs for new users? Set this to false if you manage home
# directories in some other way.
users_create_homedirs: true

# Lists of users to create and delete
users: []
users_deleted: []

# List of groups to create
# Example:
# groups_to_create:
# - name: developers
# gid: 20000
groups_to_create: []
1 change: 1 addition & 0 deletions meta/.galaxy_install_info
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
{install_date: 'Thu Apr 2 19:21:46 2020', version: 78fd08ca86678d00da376eaac909d22e1022a020}
41 changes: 41 additions & 0 deletions meta/main.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
---
galaxy_info:
role_name: users
author: unxnn
description: User management role
company: none
license: MIT
min_ansible_version: 1.3
platforms:
- name: EL
versions:
- all
- name: GenericUNIX
versions:
- all
- any
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- any
- name: Debian
versions:
- all
galaxy_tags:
- system
- users
- management

dependencies: []
76 changes: 76 additions & 0 deletions tasks/main.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
---
- name: Allow admin group sudo without password
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%admin ALL='
line: '%admin ALL=(ALL) NOPASSWD: ALL'
validate: '/usr/sbin/visudo -cf %s'
tags: ["users", "groups", "configuration"]

- name: Creating groups
group: name="{{ item.name }}" gid="{{ item.gid | default(omit) }}"
with_items: "{{ groups_to_create }}"
tags: ["users", "groups", "configuration"]

- name: Per-user group creation
group: name="{{ item.username }}"
gid="{{ item.gid | default(item.uid) | default(omit) }}"
with_items: "{{ users }}"
when: "'group' not in item and users_create_per_user_group"
tags: ["users", "configuration"]

- name: User creation
user:
name: "{{ item.username }}"
group: "{{ item.group | default(item.username if users_create_per_user_group else users_group) }}"
# empty string removes user from all secondary groups
groups: "{{ item.groups | join(',') if 'groups' in item else '' }}"
append: "{{ item.append | default(omit) }}"
shell: "{{ item.shell if item.shell is defined else users_default_shell }}"
password: "{{ item.password if item.password is defined else '!' }}"
comment: "{{ item.name if item.name is defined else '' }}"
uid: "{{ item.uid | default(omit) }}"
home: "{{ item.home | default('/home/' + item.username) }}"
createhome: "{{ 'yes' if users_create_homedirs else 'no' }}"
generate_ssh_key: "{{ item.generate_ssh_key | default(omit) }}"
update_password: "{{ item.update_password | default(omit) }}"
with_items: "{{ users }}"
tags: ["users", "configuration"]

- name: SSH keys
authorized_key:
user: "{{ item.0.username }}"
key: "{{ item.1 }}"
path: "{{ item.0.home | default('/home/' + item.0.username) }}/.ssh/authorized_keys"
with_subelements:
- "{{ users }}"
- ssh_key
- skip_missing: yes
tags: ["users", "configuration"]

- name: Setup user profiles
blockinfile:
block: "{{ item.profile }}"
dest: "{{ item.home | default('/home/' + item.username) }}/.profile"
owner: "{{ item.username }}"
group: "{{ item.group | default(item.username if users_create_per_user_group else users_group) }}"
mode: 0644
create: true
when: users_create_homedirs and item.profile is defined
with_items: "{{ users }}"

- name: Deleted user removal
user:
name: "{{ item.username }}"
state: absent
remove: "{{ item.remove | default(omit) }}"
force: "{{ item.force | default(omit) }}"
with_items: "{{ users_deleted }}"
tags: ["users", "configuration"]

- name: Deleted per-user group removal
group: name="{{ item.username }}" state=absent
with_items: "{{ users_deleted }}"
when: users_create_per_user_group
tags: ["users", "configuration"]
Loading

0 comments on commit e67df1d

Please sign in to comment.