-rw-r--r--roles/unix_users/defaults/main.yml17
-rw-r--r--roles/unix_users/subplot.md31
-rw-r--r--roles/unix_users/tasks/main.yml11
3 files changed, 32 insertions, 27 deletions
diff --git a/roles/unix_users/defaults/main.yml b/roles/unix_users/defaults/main.yml
index 8982001..cfcf754 100644
--- a/roles/unix_users/defaults/main.yml
+++ b/roles/unix_users/defaults/main.yml
@@ -13,7 +13,6 @@ unix_users_version: null
# sudo -- yes/no, should user have sudo access? (without password)
# ssh_key -- install this as ~/.ssh/id_rsa
# ssh_key_pub -- install this as ~/.ssh/id_rsa.pub
-# ssh_key_pub -- install this as ~/.ssh/id_rsa.pub
# authorized_keys -- install this as ~/.ssh/authorized_keys
# password -- encrypted password
#
@@ -22,19 +21,3 @@ unix_users_version: null
#
unix_users: []
-
-
-# Specify directory where per-user authorized_keys files are stored.
-# Each user has their own file in the directory, named after their
-# username. You MUST specify this variable. You may put more than one
-# key in each user's file.
-#
-# You MUST create a file for each user in unix_users. An empty file
-# will do.
-#
-# THIS IS NOW DEPRECATED. DO NOT USE. If you leave this empty, the old,
-# deprecated way of installing authorized_keys files is skipped. If you
-# still use that, then set it in your own vars. But switch to the new
-# way asap: set authorized_keys field for the user, see above.
-
-authkeys_dir:
diff --git a/roles/unix_users/subplot.md b/roles/unix_users/subplot.md
index 78a7a48..2fde3e7 100644
--- a/roles/unix_users/subplot.md
+++ b/roles/unix_users/subplot.md
@@ -2,6 +2,35 @@
This role creates or updates Unix users.
+## Configuration
+
+This role makes use of the following variables:
+
+* `unix_users_version` – MANDATORY: The playbook should set this
+ to the version of the role it expects to use.
+
+* `unix_users` – OPTIONAL: A list of Unix accounts to create.
+ Defaults to the empty list. Each item in the list is a dict with the
+ following keys:
+
+ * `username` – MANDATORY: the username of the account
+ * `comment` – OPTIONAL: the real name (or GECOS field) of the
+ new account
+ * `shell` – OPTIONAL: the login shell
+ * `system` – OPTIONAL: boolean, is this a system user?
+ * `sudo` – OPTIONAL: boolean, should the account have password-less sudo?
+ * `ssh_key` – OPTIONAL: text of key to install as `~/.ssh/id_rsa`
+ * `ssh_key_pub` – OPTIONAL: text of key to install as `~/.ssh/id_rsa.pub`
+ * `authorized_keys` – OPTIONAL: text of contents of
+ `~/.ssh/authorized_keys`
+ * `password` – OPTIONAL: encrypted password
+
+Create the encrypted password with something like:
+
+~~~yaml
+password: "{{ lookup('pipe', 'pass show foo | mkpasswd --method=sha-512 --stdin') }}"
+~~~
+
## Create normal user with unix_users
~~~scenario
@@ -17,7 +46,7 @@ and the user foo on host has authorized_keys containing "ssh-rsa"
~~~
~~~{#foo.yml .file .yaml}
-unix_users_version: 0
+unix_users_version: 1
unix_users:
- username: foo
diff --git a/roles/unix_users/tasks/main.yml b/roles/unix_users/tasks/main.yml
index 097815f..cd6fb66 100644
--- a/roles/unix_users/tasks/main.yml
+++ b/roles/unix_users/tasks/main.yml
@@ -1,6 +1,6 @@
- name: "check unix_users_version"
shell: |
- [ "{{ unix_users_version }}" = "0" ] || \
+ [ "{{ unix_users_version }}" = "1" ] || \
(echo "Unexpected version {{ unix_users_version }}" 1>&2; exit 1)
- name: create system users
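Review bot: The bumped check on the added line still runs the comparison through `shell`, so the playbook-supplied `unix_users_version` is interpolated into a command string and the task is reported as "changed" on every run. The same contract is expressed as data with `ansible.builtin.assert`, which needs no shell, keeps the `| string` comparison so both `1` and `"1"` pass as the current `[ ... = "1" ]` test does, and preserves the error text. If the `shell` form is kept, at minimum add `changed_when: false` under the task so the check does not show up as a change. The replacement below covers only the first task; the `create system users` task that follows is unchanged.
```yaml
- name: "check unix_users_version"
  assert:
    that:
      - unix_users_version | string == "1"
    fail_msg: "Unexpected version {{ unix_users_version }}"
# … unchanged: create system users task …
```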
@@ -48,14 +48,7 @@
group: "{{ item.username }}"
mode: 0600
-- name: add keys to authorized_keys (deprecated way)
- with_items: "{{ unix_users }}"
- when: authkeys_dir != None
- authorized_key:
- user: "{{ item.username }}"
- key: "{{ lookup('file', authkeys_dir + '/' + item.username) }}"
-
-- name: add keys to authorized_keys (new way)
+- name: add keys to authorized_keys
with_items: "{{ unix_users }}"
when: item.authorized_keys is defined
authorized_key: