This role offers basic functionality to create and manage user accounts on your machines. The accounts are managed via groups: the role does not grant privileges directly to an account, but to the groups it belongs to.

Usually, people want to set up their virtual machines with some user accounts. This role was created to facilitate that process. It performs the following tasks:
- Make sure that the 2 groups `sudo` and `ssh` exist with proper rights.
  - Accounts in the `sudo` group can use the `sudo` command.
  - Accounts in the `ssh` group can be accessed via `ssh`.
- Create all groups described in `primary_group` and `other_groups`.
- Create user accounts with the provided setup.
- Make sure that only accounts in the `ssh` group can be accessed via `ssh`.
- Disable root login via SSH.
The input must be put in an object called `user_accounts`. This is a list of dictionaries. Each of them contains the following key-value pairs:
| Key | Data type | Default value | Note |
|---|---|---|---|
| `username` | string | | |
| `password` | string | `!` | If the password is not provided, the password of this account will be locked, the same as running `passwd --lock`. |
| `comment` | string | | |
| `primary_group` | string | | The primary group of this account. |
| `other_groups` | list of string | | Other groups this account also belongs to. |
| `groups_append` | yes/no | no | Suppose an account already belongs to some groups. Setting this to `no` will remove all groups from the account and make sure that the account only belongs to `primary_group` and `other_groups`. Setting it to `yes` keeps the current groups of the account. |
| `authorized_key` | list of string | | A list of paths to public keys, which will be added under the created account. |
| `update_password` | always/on_create | on_create | `always` will update the password if the current password and the input one are different. `on_create` will set the password only for newly created accounts. |
In addition, there is a global variable to set:

| Key | Data type | Default value | Note |
|---|---|---|---|
| `sudo_without_password` | boolean | false | If this is set to `true`, all users in the `sudo` group can use the `sudo` command without having to enter their password. |
Suppose that we want to create a new account called `tdoan` and modify the existing account `cloud`. We first declare the `user_accounts` object as follows:
```yaml
sudo_without_password: true
user_accounts:
  - username: tdoan
    password: "my_secret"
    comment: "This is a comment"
    primary_group: tdoan
    other_groups:
      - sudo
      - ssh
      - docker
    groups_append: no
    authorized_key:
      - "{{ playbook_dir }}/keys/tdoan.pub"
      - "{{ playbook_dir }}/keys/another_key.pub"
  - username: cloud
    password: "cloud_password"
    comment: "This account already exists in the VM."
    primary_group: cloud
    other_groups:
      - sudo
      - ssh
    groups_append: yes
    authorized_key:
      - "{{ playbook_dir }}/keys/tdoan.pub"
```
Running the role with these variables gives the following result:

- For account `tdoan`:
  - It belongs only to 3 groups: `sudo`, `ssh`, and `docker`.
  - 2 public keys are added under this account.
- For account `cloud`:
  - It keeps whatever groups it has plus two more groups: `sudo` and `ssh`.
  - 1 public key is added under this account.
- For both accounts:
  - They can use `sudo` without a password.
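The following script is an added example, not part of the role: it applies the defaults from the tables above to the `vars.yml` example and reports the groups, sudo and ssh access each account would end up with, so the privileged set can be reviewed before the playbook runs. The `existing_groups` map and the shortened key paths are constructed for the example.

```python
"""Dry-run audit of this role's variables (added example, not the role's own code).
Applies the documented defaults and reports each account's resulting groups, sudo and
ssh access. `existing_groups` stands in for memberships `groups_append: yes` keeps."""

VALID_UPDATE = {"always", "on_create"}

# Constructed copy of the vars.yml example in this README (key paths shortened).
VARS = {
    "sudo_without_password": True,
    "user_accounts": [
        {"username": "tdoan", "password": "my_secret", "primary_group": "tdoan",
         "other_groups": ["sudo", "ssh", "docker"], "groups_append": False,
         "authorized_key": ["keys/tdoan.pub", "keys/another_key.pub"]},
        {"username": "cloud", "password": "cloud_password", "primary_group": "cloud",
         "other_groups": ["sudo", "ssh"], "groups_append": True,
         "authorized_key": ["keys/tdoan.pub"]},
    ],
}

def effective_account(acct, existing_groups=()):
    """State the role would leave for one user_accounts entry."""
    if "username" not in acct:
        raise ValueError("username is required")
    if acct.get("update_password", "on_create") not in VALID_UPDATE:
        raise ValueError(f"{acct['username']}: bad update_password")
    # groups_append: no (the default) drops every membership not declared here
    kept = list(existing_groups) if acct.get("groups_append", False) else []
    groups = [acct["primary_group"]] if acct.get("primary_group") else []
    for g in kept + list(acct.get("other_groups", [])):
        if g not in groups:
            groups.append(g)
    return {"username": acct["username"], "groups": groups,
            "password_locked": acct.get("password", "!") == "!",  # absent => locked
            "can_sudo": "sudo" in groups, "ssh_allowed": "ssh" in groups,
            "keys": list(acct.get("authorized_key", []))}

def audit(vars_data, existing=None):
    """Return (per-account states, findings a reviewer should look at)."""
    existing = existing or {}
    states = [effective_account(a, existing.get(a["username"], ()))
              for a in vars_data["user_accounts"]]
    findings = ["sudo group gets passwordless sudo"] if vars_data.get("sudo_without_password") else []
    key_owners = {}
    for s in states:
        if s["can_sudo"] and s["ssh_allowed"]:
            findings.append(f"{s['username']}: remote login with sudo")
        for k in s["keys"]:
            key_owners.setdefault(k, []).append(s["username"])
    findings += [f"{k} shared by {', '.join(o)}" for k, o in key_owners.items() if len(o) > 1]
    return states, findings
```

The shared-key finding is worth a look in the README's own example, where `tdoan.pub` is authorized for both accounts.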
Suppose that we put the above setup in a `vars.yml` file. It can be used in a playbook like this:

```yaml
- name: Setup my virtual machine
  hosts: my-host
  become: yes
  vars_files:
    - vars/vars.yml
  roles:
    - role: tdoan2010.manage_accounts
```
License: MIT
This role was created in 2021 by Triet Doan.