Master: 
This roles manages OS users and groups.
This role is designed to work with merge "hash_behaviour". Make sure your ansible.cfg contains these settings
[defaults]
hash_behaviour = mergeThis role has no dependencies.
To install run ansible-galaxy install sansible.users_and_groups or add
this to your roles.yml
- name: sansible.users_and_groups
version: v1.0and run ansible-galaxy install -p ./roles -r roles.yml
This role uses two tags: build and maintain
build- Ensures that specified groups and users are present.maintain- Ensures users on an already built and configured instance
Simple example for creating two users and two groups.
- name: Configure User Access
hosts: sandbox
roles:
- name: sansible.users_and_groups
users_and_groups:
groups:
- name: lorem
system: yes
- name: ipsum
users:
- name: lorem.ipsum
groups:
- ipsum
- lorem
ssh_key: ./lorem.ipsum.pub
- name: dolor.ament
groups:
- ipsumCreating a jailed SFTP user (cf here for a step-by-step guide):
- name: Configure User Access
hosts: sandbox
roles:
- name: sansible.users_and_groups
users_and_groups:
authorized_keys_dir: /etc/ssh/authorized_keys
groups:
- name: sftp_only
users:
- name: sftp
group: sftp_only
home: /mnt/sftp_volIn most cases you would keep the list of users in external vars file or group|host vars file.
- name: Configure User Access
hosts: sandbox
vars_files:
- "vars/sandbox/users.yml"
roles:
- name: sansible.users_and_groups
users_and_groups:
groups: "{{ base_image.os_groups }}"
users: "{{ base_image.admins }}"
- name: sansible.users_and_groups
users_and_groups:
users: "{{ developers }}"Add selected group to sudoers
- name: Configure User Access
hosts: sandbox
vars_files:
- "vars/sandbox/users.yml"
roles:
- name: sansible.users_and_groups
users_and_groups:
groups: "{{ base_image.os_groups }}"
users: "{{ base_image.admins }}"
- name: sansible.users_and_groups
users_and_groups:
users: "{{ developers }}"
- name: sansible.users_and_groups
users_and_groups:
sudoers:
- name: wheel
user: "%wheel"
runas: "ALL=(ALL)"
commands: "NOPASSWD: ALL"Use whitelist groups option to allow users contextually.
Var file with users:
---
# vars/users.yml
users_and_groups:
groups:
- name: admins
- name: developer_group_alpha
- name: developer_group_beta
users:
- name: admin.user
group: admins
- name: alpha.user
group: alpha_develops
- name: beta.user
group: developer_group_betaIn a base image:
---
# playbooks/base_image.yml
- name: Base Image
hosts: "{{ hosts }}"
vars_files:
- vars/users.yml
roles:
- role: sansible.users_and_groups
users_and_groups:
whitelist_groups:
- admins
- role: base_imageIn a service role:
---
# playbooks/alpha_service.yml
- name: Alpha Service
hosts: "{{ hosts }}"
vars_files:
- vars/users.yml
roles:
- role: sansible.users_and_groups
users_and_groups:
whitelist_groups:
- admins
- developer_group_alpha
- role: alpha_service