diff --git a/README.md b/README.md
index 724f559a0404e336a2c1e6311d7f4cfd10a43a8b..07ced05e8dc2445bc78643a73d1f5fd1dabb6b19 100644
--- a/README.md
+++ b/README.md
@@ -75,9 +75,15 @@ user_database:
 #### Creating user accounts
-Note that this doesn't create the user anywhere. To do so, define a variable
-`users` e.g. in `host_vars`. For example adding this somewhere in
-`host_vars/example.com/`:
+Note that this doesn't create the user anywhere.
+
+You can use a host var or a group var to actually create users.
+
+##### Creating accounts on hosts
+
+To create a user on a specific host, define the variable `users` in `host_vars`
+
+For example adding this to `host_vars/example.com/users`:
 ```
 users:
   - johndoe
@@ -85,16 +91,45 @@ users:
 will deploy the johndoe user as defined in the `user_database` above on
 `example.com`.
+##### Creating accounts on groups
+
+This can be a bit annoying if you just want to grant a group of people
+access to a bunch of hosts in a group. To grant a user access to a group of
+hosts, define the variable `users_group` in `group_vars`.
+
+For example adding this to `group_vars/dc01`:
+```
+users_group:
+  - johndoe
+```
+will deploy the johndoe user as defined in the `user_database` above on
+all hosts in the group `dc01`.
+
 #### Deploying pubkeys for the root user
 Pubkeys defined in the `user_database` can also be deployed for the root user.
-This is achieved by adding a user's name to the `users_root` list. For example:
+
+##### Deploying pubkeys for the root user on hosts
+
+This is achieved by adding a user's name to the `users_root` list. For example
+adding this to `host_vars/example.com/users`:
 ```
 users_root:
   - johndoe
 ```
 will deploy all pubkeys defined in the `user_database` for johndoe in the root
-account.
+account on host `example.com.
+
+##### Deploying pubkeys for the root user on groups
+
+This is achieved by adding a user's name to the `users_root_group` list. For example
+adding this to `group_vars/dc01`:
+```
+users_root_group:
+  - johndoe
+```
+will deploy all pubkeys defined in the `user_database` for johndoe in the root
+account on all hosts in group `dc01`.
 ### DHCP Server
diff --git a/group_vars/all b/group_vars/all
index 86f71c64af8b74237246b10f63325c84c48e9bb9..2a51f1cf5c8b96ea9806e0358a223810b923c584 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -106,3 +106,4 @@ user_database:
     fullname: Stefan Mehrens
     pubkeys:
       - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDV9XOmFQU2uZiaka5IMhaHf7I3Yo/NcBclxTYVLG5rofs3V7PAZ01m3wdMauqo7oO4o+aV4vF9yZOx+rc0rOP2yY11Ao2r4ospA2SZI0yaaDX1mZGErhId+RLmHVc4zcNWas8gucASP0A8rObc/ZEX8rCFITegv0OEiH0lS6NX0s+EchjxZRP8rqohWc4uLsaNhZkuheotVeFS2ecCnnvm3HngLPtUY1ZRD3jSmBmghoz6Utp4HTkk88b4PYv/Kc6Bt72IxxL2wZvqaF/bVrngYk6w7ewq3zXJMwDZscYOUSP7C3ZkGBoEvyGGtDYbDhyuptoGQNTcmmHAnbxzTdnv smehrens@oxygen.fritz.box
+
diff --git a/group_vars/dhcpserver b/group_vars/dhcpserver
index c2df7fe2843f6dc80681ada4ff974e685d93933c..e6a8277ad258da453385fa62d82333b0f4d0caf0 100644
--- a/group_vars/dhcpserver
+++ b/group_vars/dhcpserver
@@ -1,11 +1,11 @@
 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
-users_root:
+users_root_group:
   - are
   - leonard
   - roland
diff --git a/group_vars/ffs04 b/group_vars/ffs04
deleted file mode 100644
index c2df7fe2843f6dc80681ada4ff974e685d93933c..0000000000000000000000000000000000000000
--- a/group_vars/ffs04
+++ /dev/null
@@ -1,12 +0,0 @@
----
-users:
-  - are
-  - leonard
-  - roland
-  - nrb
-
-users_root:
-  - are
-  - leonard
-  - roland
-  - nrb
diff --git a/group_vars/ffs05 b/group_vars/ffs05
index 8133b87d463712cf27c73c873a33ce6aa9e64ae4..b9a6f8afea3dc21c0e26eb31f3f1fbdee96a9aef 100644
--- a/group_vars/ffs05
+++ b/group_vars/ffs05
@@ -1,12 +1,12 @@
 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
   - wilhelm
-users_root:
+users_root_group:
   - are
   - leonard
   - roland
diff --git a/group_vars/ffs06 b/group_vars/ffs06
deleted file mode 100644
index c2df7fe2843f6dc80681ada4ff974e685d93933c..0000000000000000000000000000000000000000
--- a/group_vars/ffs06
+++ /dev/null
@@ -1,12 +0,0 @@
----
-users:
-  - are
-  - leonard
-  - roland
-  - nrb
-
-users_root:
-  - are
-  - leonard
-  - roland
-  - nrb
diff --git a/group_vars/ffs07 b/group_vars/ffs07
index c2df7fe2843f6dc80681ada4ff974e685d93933c..e6a8277ad258da453385fa62d82333b0f4d0caf0 100644
--- a/group_vars/ffs07
+++ b/group_vars/ffs07
@@ -1,11 +1,11 @@
 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
-users_root:
+users_root_group:
   - are
   - leonard
   - roland
diff --git a/group_vars/ffs08 b/group_vars/ffs08
index c2df7fe2843f6dc80681ada4ff974e685d93933c..e6a8277ad258da453385fa62d82333b0f4d0caf0 100644
--- a/group_vars/ffs08
+++ b/group_vars/ffs08
@@ -1,11 +1,11 @@
 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
-users_root:
+users_root_group:
   - are
   - leonard
   - roland
diff --git a/group_vars/ffs09 b/group_vars/ffs09
index 8133b87d463712cf27c73c873a33ce6aa9e64ae4..b9a6f8afea3dc21c0e26eb31f3f1fbdee96a9aef 100644
--- a/group_vars/ffs09
+++ b/group_vars/ffs09
@@ -1,12 +1,12 @@
 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
   - wilhelm
-users_root:
+users_root_group:
   - are
   - leonard
   - roland
diff --git a/group_vars/ffs10 b/group_vars/ffs10
index ced0a17be0e4b54e7d659c7e0247dac953eb120c..5ea265e183f7f2b33579a10222a6bf9830fa2788 100644
--- a/group_vars/ffs10
+++ b/group_vars/ffs10
@@ -1,12 +1,12 @@
 ---
-users:
+users_group:
   - are
   - leonard
   - roland
   - nrb
   - gratuxri
-users_root:
+users_root_group:
   - are
   - leonard
   - roland
diff --git a/group_vars/ffs11 b/group_vars/ffs11
index 96ce3d25b183ef2d28ac50e09147e4773ee13a3a..cb2df9c86c8b2e1febed35509a82552b9e5c5b5a 100644
--- a/group_vars/ffs11
+++ b/group_vars/ffs11
@@ -1,5 +1,5 @@
 ---
-users:
+users_group:
   - are
   - leonard
   - roland
@@ -9,12 +9,8 @@ users:
   - thommie
   - docloy
   - wilhelm
-  - jochen
-  - gratuxri
-  - flip
-  - smehrens
-users_root:
+users_root_group:
   - are
   - leonard
   - roland
diff --git a/host_vars/ffs11.freifunk-stuttgart.de/users b/host_vars/ffs11.freifunk-stuttgart.de/users
new file mode 100644
index 0000000000000000000000000000000000000000..ce5f638ef6b73be6ddec7c7582782b38977eb895
--- /dev/null
+++ b/host_vars/ffs11.freifunk-stuttgart.de/users
@@ -0,0 +1,6 @@
+---
+users:
+  - jochen
+  - gratuxri
+  - flip
+  - smehrens
diff --git a/inventory/ffs11 b/inventory/ffs11
index b2a6e296701b084f5bbba94b00d89c22e479963a..a3e1f35cbda931e4e03fb86e4001fed7647eecd0 100644
--- a/inventory/ffs11
+++ b/inventory/ffs11
@@ -77,3 +77,5 @@ ffs11:
       ansible_ssh_host: 3201.ffs11
     sso01.freifunk-stuttgart.net:
       ansible_ssh_host: 3203.ffs11
+    vpn-1nce.freifunk-stuttgart.net:
+      ansible_ssh_host: 3174.ffs11
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
index bf6b7e36af4dc2561b1081bdf60332eae30c8f65..fb23f8060bda2803c19937967a487c8f4731c81f 100644
--- a/roles/users/tasks/main.yml
+++ b/roles/users/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: Creating users
   include: user.yml
-  loop: "{{ users }}"
+  loop: "{{ users|default([]) + users_group|default([]) }}"
   loop_control:
     loop_var: user
@@ -14,6 +14,6 @@
 - name: Deploying public key for users with root access
   include: root_pubkey.yml
   vars:
-  loop: '{{ users }}'
+  loop: '{{ user_database.keys() | list }}'
   loop_control:
     loop_var: user
diff --git a/roles/users/tasks/root_pubkey.yml b/roles/users/tasks/root_pubkey.yml
index efc0164f706f57f208f2b760d503ea7d7d43bf5e..4c9b9ed476e2fc32a0bfee7c2cea96a2bb1bef10 100644
--- a/roles/users/tasks/root_pubkey.yml
+++ b/roles/users/tasks/root_pubkey.yml
@@ -2,7 +2,7 @@
 - name: "Deploying {{ user }} public keys for root"
   authorized_key:
     user: "root"
-    state: '{{ (user in users_root) | ternary("present", "absent") }}'
+    state: '{{ (user in users_root|default([]) or user in users_root_group|default([]) ) | ternary("present", "absent") }}'
     key: '{{ item }}'
     comment: '{{ user }}'
     follow: yes
diff --git a/roles/users/tasks/user_remove.yml b/roles/users/tasks/user_remove.yml
index f3a140ef7b44aa7d0122554f839251c3b94f1a4a..d5ef4bb56564fed8e7cfe6dcdc2e052d31b6dec4 100644
--- a/roles/users/tasks/user_remove.yml
+++ b/roles/users/tasks/user_remove.yml
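Review bot: The concatenated loop `users|default([]) + users_group|default([])` in the "Creating users" task runs the included user.yml twice for a name that appears in both the host's `users` and the group's `users_group`; the include is presumably idempotent, so this is redundant work rather than a functional bug, but `loop: "{{ (users|default([]) + users_group|default([])) | unique }}"` avoids it. The same combined expression is repeated in both `when:` conditions of roles/users/tasks/user_remove.yml; computing it once in main.yml (for example with `set_fact`) would keep the creation and removal paths from drifting apart when a third source of users is added.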
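Review bot: The new loop `loop: '{{ user_database.keys() | list }}'` on the "Deploying public key for users with root access" task needs a comment, because a reader expects root_pubkey.yml to iterate the root lists rather than the whole database: iterating every known user is what lets root_pubkey.yml's `absent` branch reach users who were dropped from `users_root` or `users_root_group`, i.e. this widened loop is the revocation path for root keys. Suggested comment above the task: `# Iterate every known user, not just users_root: root_pubkey.yml sets keys absent for anyone not (or no longer) granted root, so removals are enforced too.`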
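Review bot: The membership test on the `state:` line can be written as one check over the combined lists, `state: '{{ (user in (users_root|default([]) + users_root_group|default([]))) | ternary("present", "absent") }}'`, which mirrors the `users + users_group` expression used in main.yml and drops the stray space before the closing parenthesis. Neither root list is required to be a subset of `users`/`users_group`, so a name present only in `users_root_group` still gets its keys installed for root on every host of that group without a local account existing; if that is not intended, gate the `present` branch on the combined user list as well. The loop that supplies `item` is outside the hunk.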
@@ -4,7 +4,7 @@
     name: "{{ user.key }}"
     uid: "{{ user_database[user.key].uid }}"
     state: absent
-  when: 'user.key not in users'
+  when: 'user.key not in users|default([]) and user.key not in users_group|default([])'
 - name: "Remove root ssh keys for {{ user.key }}"
   authorized_key:
@@ -12,7 +12,7 @@
     state: absent
     key: '{{ pubkey }}'
     follow: yes
-  when: 'user.key not in users'
+  when: 'user.key not in users|default([]) and user.key not in users_group|default([])'
   loop: '{{ user.value.pubkeys }}'
   loop_control:
     loop_var: pubkey
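Review bot: Both `when:` lines now treat an undefined `users` or `users_group` as an empty list, so on a host where neither variable resolves every account in `user_database` is set absent and, together with the widened loop in roles/users/tasks/main.yml, every root key is removed as well; a misspelled variable name or a host whose group vars were dropped (this commit deletes group_vars/ffs04 and group_vars/ffs06) would silently strip all access instead of failing the play. If that is not the intended behaviour for such hosts, add a guard before the removal tasks, e.g. an `assert` task in main.yml with `that: users is defined or users_group is defined`. The condition is duplicated on both tasks in this file; `when: user.key not in (users|default([]) + users_group|default([]))` expresses it more compactly and matches the expression main.yml uses to build the creation loop.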