From 32ab130707616ed01aed81e8b10dc63f445d2278 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Wed, 21 Oct 2020 10:57:35 +0300
Subject: unix_users: drop obsolete authkeys_dir variable, bump version

Also, document the variables in the subplot.
---
 roles/unix_users/defaults/main.yml | 17 -----------------
 roles/unix_users/subplot.md | 31 ++++++++++++++++++++++++++++++-
 roles/unix_users/tasks/main.yml | 11 ++---------
 3 files changed, 32 insertions(+), 27 deletions(-)

(limited to 'roles')

diff --git a/roles/unix_users/defaults/main.yml b/roles/unix_users/defaults/main.yml
index 8982001..cfcf754 100644
--- a/roles/unix_users/defaults/main.yml
+++ b/roles/unix_users/defaults/main.yml
@@ -13,7 +13,6 @@ unix_users_version: null
 # sudo -- yes/no, should user have sudo access? (without password)
 # ssh_key -- install this as ~/.ssh/id_rsa
 # ssh_key_pub -- install this as ~/.ssh/id_rsa.pub
-# ssh_key_pub -- install this as ~/.ssh/id_rsa.pub
 # authorized_keys -- install this as ~/.ssh/authorized_keys
 # password -- encrypted password
 #
@@ -22,19 +21,3 @@ unix_users_version: null
 #
 
 unix_users: []
-
-
-# Specify directory where per-user authorized_keys files are stored.
-# Each user has their own file in the directory, named after their
-# username. You MUST specify this variable. You may put more than one
-# key in each user's file.
-#
-# You MUST create a file for each user in unix_users. An empty file
-# will do.
-#
-# THIS IS NOW DEPRECATED. DO NOT USE. If you leave this empty, the old,
-# deprecated way of installing authorized_keys files is skipped. If you
-# still use that, then set it in your own vars. But switch to the new
-# way asap: set authorized_keys field for the user, see above.
-
-authkeys_dir:
diff --git a/roles/unix_users/subplot.md b/roles/unix_users/subplot.md
index 78a7a48..2fde3e7 100644
--- a/roles/unix_users/subplot.md
+++ b/roles/unix_users/subplot.md
@@ -2,6 +2,35 @@
 
 This role creates or updates Unix users.
 
+## Configuration
+
+This role makes use of the following variables:
+
+* `unix_users_version` – MANDATORY: The playbook should set this
+  to the version of the role it expects to use.
+
+* `unix_users` – OPTIONAL: A list of Unix accounts to create.
+  Defaults to the empty list. Each item in the list is a dict with the
+  following keys:
+
+  * `username` – MANDATORY: the username of the account
+  * `comment` – OPTIONAL: the real name (or GECOS field) of the
+    new account
+  * `shell` – OPTIONAL: the login shell
+  * `system` – OPTIONAL: boolean, is this a system user?
+  * `sudo` – OPTIONAL: boolean, should the account have password-less sudo?
+  * `ssh_key` – OPTIONAL: text of key to install as `~/.ssh/id_rsa`
+  * `ssh_key_pub` – OPTIONAL: text of key to install as `~/.ssh/id_rsa.pub`
+  * `authorized_keys` – OPTIONAL: text of contents of
+    `~/.ssh/authorized_keys`
+  * `password` – OPTIONAL: encrypted password
+
+Create the encrypted password with something like:
+
+~~~yaml
+password: "{{ lookup('pipe', 'pass show foo | mkpasswd --method=sha-512 --stdin') }}"
+~~~
+
 ## Create normal user with unix_users
 
 ~~~scenario
@@ -17,7 +46,7 @@ and the user foo on host has authorized_keys containing "ssh-rsa"
 ~~~
 
 ~~~{#foo.yml .file .yaml}
-unix_users_version: 0
+unix_users_version: 1
 
 unix_users:
   - username: foo
diff --git a/roles/unix_users/tasks/main.yml b/roles/unix_users/tasks/main.yml
index 097815f..cd6fb66 100644
--- a/roles/unix_users/tasks/main.yml
+++ b/roles/unix_users/tasks/main.yml
@@ -1,6 +1,6 @@
 - name: "check unix_users_version"
   shell: |
-    [ "{{ unix_users_version }}" = "0" ] || \
+    [ "{{ unix_users_version }}" = "1" ] || \
     (echo "Unexpected version {{ unix_users_version }}" 1>&2; exit 1)
 
 - name: create system users
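Review bot: The version gate in the `check unix_users_version` task still expands `{{ unix_users_version }}` straight into a `shell:` command line, so every run spawns a shell, the task always reports `changed`, and any shell metacharacters that end up in the variable are executed rather than compared. The comparison belongs in the `assert` module, which is check-mode safe and never reports a change: replace the `shell:` block with `assert:` / `that: unix_users_version | string == "1"` / `fail_msg: "Unexpected version {{ unix_users_version }}"`. The `null` default from defaults/main.yml renders as `None` and still fails the assert, so the mandatory-variable behaviour is preserved.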
@@ -48,14 +48,7 @@
     group: "{{ item.username }}"
     mode: 0600
 
-- name: add keys to authorized_keys (deprecated way)
-  with_items: "{{ unix_users }}"
-  when: authkeys_dir != None
-  authorized_key:
-    user: "{{ item.username }}"
-    key: "{{ lookup('file', authkeys_dir + '/' + item.username) }}"
-
-- name: add keys to authorized_keys (new way)
+- name: add keys to authorized_keys
   with_items: "{{ unix_users }}"
   when: item.authorized_keys is defined
   authorized_key:
-- cgit v1.2.1
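Review bot: Removing the `authkeys_dir` task leaves nothing that revokes keys it previously installed, and the surviving `add keys to authorized_keys` task only adds the keys from `item.authorized_keys` to whatever is already in the file, unless `exclusive: true` is set in the part of the task that continues past the end of the hunk. The subplot text added in this commit describes the field as the contents of `~/.ssh/authorized_keys`, which readers will take as replace semantics; if that is the intent, add `exclusive: true` under `authorized_key:` (safe here because each loop item is a different user, so one iteration cannot wipe another's keys), and if not, state in the docs that stale keys are never removed. `with_items` is the legacy form; `loop: "{{ unix_users }}"` is the current idiom. The task body continues outside the hunk.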