users: allow more fine-grained login permissions with users_group and users_root_group

README.md

@@ -75,9 +75,15 @@ user_database:
 
 #### Creating user accounts
 
-Note that this doesn't create the user anywhere. To do so, define a variable
-`users` e.g. in `host_vars`. For example adding this somewhere in
-`host_vars/example.com/`:
+Note that this doesn't create the user anywhere.
+
+You can use a host var or a group var to actually create users.
+
+##### Creating accounts on hosts
+
+To create a user on a specific host, define the variable `users` in `host_vars`
+
+For example adding this to `host_vars/example.com/users`:
 ```
 users:
   - johndoe
@@ -85,16 +91,45 @@ users:
 will deploy the johndoe user as defined in the `user_database` above on
 `example.com`.
 
+##### Creating accounts on groups
+
+This can be a bit annoying if you just want to grant a group of people
+access to a bunch of hosts in a group. To grant a user access to a group of
+hosts, define the variable `users_group` in `group_vars`.
+
+For example adding this to `group_vars/dc01`:
+```
+users_group:
+  - johndoe
+```
+will deploy the johndoe user as defined in the `user_database` above on
+all hosts in the group `dc01`.
+
 #### Deploying pubkeys for the root user
 
 Pubkeys defined in the `user_database` can also be deployed for the root user.
-This is achieved by adding a user's name to the `users_root` list. For example:
+
+##### Deploying pubkeys for the root user on hosts
+
+This is achieved by adding a user's name to the `users_root` list. For example
+adding this to `host_vars/example.com/users`:
 ```
 users_root:
   - johndoe
 ```
 will deploy all pubkeys defined in the `user_database` for johndoe in the root
-account.
+account on host `example.com.
+
+##### Deploying pubkeys for the root user on groups
+
+This is achieved by adding a user's name to the `users_root_group` list. For example
+adding this to `group_vars/dc01`:
+```
+users_root_group:
+  - johndoe
+```
+will deploy all pubkeys defined in the `user_database` for johndoe in the root
+account on all hosts in group `dc01`.
 
 ### DHCP Server
 

group_vars/all

@@ -106,3 +106,4 @@ user_database:
     fullname: Stefan Mehrens
     pubkeys:
       - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDV9XOmFQU2uZiaka5IMhaHf7I3Yo/NcBclxTYVLG5rofs3V7PAZ01m3wdMauqo7oO4o+aV4vF9yZOx+rc0rOP2yY11Ao2r4ospA2SZI0yaaDX1mZGErhId+RLmHVc4zcNWas8gucASP0A8rObc/ZEX8rCFITegv0OEiH0lS6NX0s+EchjxZRP8rqohWc4uLsaNhZkuheotVeFS2ecCnnvm3HngLPtUY1ZRD3jSmBmghoz6Utp4HTkk88b4PYv/Kc6Bt72IxxL2wZvqaF/bVrngYk6w7ewq3zXJMwDZscYOUSP7C3ZkGBoEvyGGtDYbDhyuptoGQNTcmmHAnbxzTdnv smehrens@oxygen.fritz.box
+  

group_vars/dhcpserver

 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
 
-users_root:
+users_root_group:
   - are
   - leonard
   - roland

group_vars/ffs04

----
-users:
-  - are
-  - leonard
-  - roland
-  - nrb
-
-users_root:
-  - are
-  - leonard
-  - roland
-  - nrb

group_vars/ffs05

 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
   - wilhelm
 
-users_root:
+users_root_group:
   - are
   - leonard
   - roland

group_vars/ffs06

----
-users:
-  - are
-  - leonard
-  - roland
-  - nrb
-
-users_root:
-  - are
-  - leonard
-  - roland
-  - nrb

group_vars/ffs07

 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
 
-users_root:
+users_root_group:
   - are
   - leonard
   - roland

group_vars/ffs08

 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
 
-users_root:
+users_root_group:
   - are
   - leonard
   - roland

group_vars/ffs09

 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
   - wilhelm
 
-users_root:
+users_root_group:
   - are
   - leonard
   - roland

group_vars/ffs10

 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
   - gratuxri
 
-users_root:
+users_root_group:
   - are
   - leonard
   - roland

group_vars/ffs11

 ---
-users:
+users_group:
   - are
   - leonard
   - roland
@@ -9,12 +9,8 @@ users:
   - thommie
   - docloy
   - wilhelm
-  - jochen
-  - gratuxri
-  - flip
-  - smehrens
 
-users_root:
+users_root_group:
   - are
   - leonard
   - roland

host_vars/ffs11.freifunk-stuttgart.de/users

+---
+users:
+  - jochen
+  - gratuxri
+  - flip
+  - smehrens

inventory/ffs11

@@ -77,3 +77,5 @@ ffs11:
       ansible_ssh_host: 3201.ffs11
     sso01.freifunk-stuttgart.net:
       ansible_ssh_host: 3203.ffs11
+    vpn-1nce.freifunk-stuttgart.net:
+      ansible_ssh_host: 3174.ffs11

roles/users/tasks/main.yml

 ---
 - name: Creating users
   include: user.yml 
-  loop: "{{ users }}" 
+  loop: "{{ users|default([]) + users_group|default([]) }}" 
   loop_control:
     loop_var: user
 
@@ -14,6 +14,6 @@
 - name: Deploying public key for users with root access
   include: root_pubkey.yml
   vars:
-  loop: '{{ users }}'
+  loop: '{{ user_database.keys() | list }}'
   loop_control:
     loop_var: user

roles/users/tasks/root_pubkey.yml

@@ -2,7 +2,7 @@
 - name: "Deploying {{ user }} public keys for root"
   authorized_key:
     user: "root"
-    state: '{{ (user in users_root) | ternary("present", "absent") }}'
+    state: '{{ (user in users_root|default([]) or user in users_root_group|default([]) ) | ternary("present", "absent") }}'
     key: '{{ item }}'
     comment: '{{ user }}'
     follow: yes

roles/users/tasks/user_remove.yml

@@ -4,7 +4,7 @@
     name: "{{ user.key }}"
     uid: "{{ user_database[user.key].uid }}"
     state: absent
-  when: 'user.key not in users'
+  when: 'user.key not in users|default([]) and user.key not in users_group|default([])'
 
 - name: "Remove root ssh keys for {{ user.key }}"
   authorized_key:
@@ -12,7 +12,7 @@
     state: absent
     key: '{{ pubkey }}'
     follow: yes
-  when: 'user.key not in users'
+  when: 'user.key not in users|default([]) and user.key not in users_group|default([])'
   loop: '{{ user.value.pubkeys }}'
   loop_control:
     loop_var: pubkey