├── LICENSE
├── README.md
├── defaults
│   └── main.yml
├── meta
│   └── main.yml
├── tasks
│   ├── groups.yml
│   ├── main.yml
│   ├── sudo.yml
│   ├── users.yml
│   └── users_department_pattern.yml
└── templates
    └── autologic-sudo-group.j2

/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2015 AutoLogic Technology

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Autologic Users

Manage UNIX system users and groups from a single role.

Using a single hash, this role lets you define which users exist on your systems. The more advanced "Department Pattern" lets you introduce a simple list for each of your groups/hosts: `autologic_department_access`.

## Version

3.1.0

## Role Variables

Here is a summary of the available variables, as defined in `defaults/main.yml`:

```yaml
---
autologic_manage_groups: true
autologic_manage_users: true
autologic_manage_sshkeys: true
autologic_manage_sudo: true

autologic_system_users: []

autologic_department_pattern: false
autologic_department_access: []
autologic_user_access: []

autologic_super_departments_nopasswd: true
autologic_super_departments: []
autologic_super_users_nopasswd: true
autologic_super_users: []
```

Here is an example variable for defining users:

```yaml
---
autologic_system_users:
  'Michael Crilly':
    username: 'mcrilly'
    state: 'present'
    departments:
      - 'systems'
    # comment: ''
    # uid: ''
    # home: '/home/mcrilly'
    # group: 'mcrilly'
    # system: false
    # remove: false
    # force: false
```

You'll note that there is no 'groups' hash or list for defining groups. This is because the `departments:` list defines which groups the user belongs to, and it is also used to decide which groups need to be created on which hosts. You therefore don't need to worry about whether a group exists on a system: the role ensures it exists before adding the user.

If you decide to use the "Department Pattern", you can make use of two additional variables that open up a large amount of flexibility across your estate. As an example:

```yaml
---
# group_vars/webservers.yml
autologic_department_access:
  - systems
  - developers
```

Or, for specific user access, primarily used for individual host access control:

```yaml
---
# host_vars/web-01.yml
autologic_user_access:
  - mcrilly
  - johndoe
```

## Basic User Management (autologic_department_pattern: false)
If your needs are simple, the default operation of this role is to take all users from the `autologic_system_users` hash and add or remove them accordingly. This is powerful enough for most people with a simple, flat user structure.

The `departments:` list is used to create whatever groups are needed on each system for the user in question.

## Complex User Management (autologic_department_pattern: true)
The **departments:** value can be used to define which groups and/or hosts this user should belong to. The idea is to remove the need for hash merging, which gets very messy, very quickly. To avoid merges, we've created two lists you can use for access control: `autologic_department_access` and `autologic_user_access`. You also need to turn on this method using the `autologic_department_pattern` variable.

If you have a user who doesn't belong to a particular department, such as an external company or contractor, set `departments: []` (an empty list).

See the [Autologic Example Users](https://github.com/AutoLogicTechnology/example-users) repository for a working example of how to use this pattern to easily manage users.

## SSH Keys
Each user's SSH keys are managed from a dedicated file. This makes the `autologic_system_users:` hash much easier to manage and read.

When enabled, the role uses the SSH keys found in `files/sshkeys/{{autologic_system_users.username}}` to manage that user's `authorized_keys` file. That is, in your Ansible root create a folder called `files/sshkeys` and place a file in there with the same name as each username. That file is the user's dedicated SSH key file, letting you manage multiple keys and SSH options from a single point without creating overly complicated variable files.

See the [Autologic Example Users](https://github.com/AutoLogicTechnology/example-users) repository for a working example of how to manage user SSH keys.

## Sudo Access
If you want to use sudo to control privileged access, there are some additional variables you can use:

```yaml
autologic_super_departments: []
autologic_super_users: []
```

If you list departments under the 'super_departments' list, they will be added to a file which permits them passwordless root access (via `sudo -i`, not via the SSH login prompt).

The file departments and users are added to is `/etc/sudoers.d/autologic-sudoers`.

If you list individual users under the 'super_users' list, you get the same effect on a per-user basis.

**Please note** that by default these departments and users get passwordless root access. If you do not want this, forcing people to supply a password to the sudo command, set `autologic_super_departments_nopasswd: false` and/or `autologic_super_users_nopasswd: false`.

## Kanban

The project's Kanban board can be found [here on Trello](https://trello.com/b/VE5PMaUc). Consider reviewing this board before raising an issue or feature request, as your needs might already be in the works.
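To review the "Complex User Management" and "Sudo Access" rules above before running a play, here is an added, runnable model of the role's per-host decisions. It is example code written for this page, not part of the role: it mirrors the conditions in the role's task files and sudo template (users selected through `autologic_department_access` or `autologic_user_access`, supplementary groups limited to the departments granted on the host, since those are the only groups the role creates there, and root grants from the `autologic_super_*` variables). `SYSTEM_USERS`, `resolve_host` and `review` are names chosen for this example, and every account in it is constructed.

```python
"""Dry-run model of the autologic-users role's per-host access decisions.

Added example for review purposes; it is not part of the role. Given the
users hash and a host's access variables it answers "who lands on this host,
with which groups, and who gets root?" without touching any system.
All inventory data below is constructed."""

# Constructed stand-in for autologic_system_users (normally in group_vars).
SYSTEM_USERS = {
    'Michael Crilly': {'username': 'mcrilly', 'state': 'present',
                       'departments': ['systems']},
    'John Doe': {'username': 'johndoe', 'state': 'present',
                 'departments': ['developers']},
    'Jane Contractor': {'username': 'jcontractor', 'state': 'present',
                        'departments': []},
    'Former Admin': {'username': 'oldadmin', 'state': 'absent',
                     'departments': ['systems']},
}


def resolve_host(users, department_pattern=False, department_access=(),
                 user_access=(), super_departments=(), super_users=(),
                 super_departments_nopasswd=True, super_users_nopasswd=True,
                 manage_sshkeys=True):
    """Return the accounts, groups, keys and sudo grants a host would end up with."""
    present, removed, groups, sshkeys = set(), set(), set(), set()
    for user in users.values():
        departments = user.get('departments', [])
        if department_pattern:
            # users_department_pattern.yml: a user is handled when one of their
            # departments is granted on this host, or when they are named in
            # autologic_user_access; only granted departments exist as groups.
            granted = [d for d in departments if d in department_access]
            selected = bool(granted) or user['username'] in user_access
            host_groups = granted
        else:
            # users.yml: every user in the hash is managed on every host.
            selected, host_groups = True, departments
        if not selected:
            continue
        if user['state'] == 'absent':
            removed.add(user['username'])
            continue
        present.add(user['username'])
        groups.update(host_groups)
        if manage_sshkeys:
            sshkeys.add(user['username'])

    # autologic-sudo-group.j2: the departments alias is only rendered under
    # the department pattern; super users are rendered in both modes.
    sudo = {}
    if department_pattern:
        for department in super_departments:
            sudo['%' + department] = ('NOPASSWD' if super_departments_nopasswd
                                      else 'PASSWD')
    for username in super_users:
        sudo[username] = 'NOPASSWD' if super_users_nopasswd else 'PASSWD'

    return {'users': sorted(present), 'removed': sorted(removed),
            'groups': sorted(groups), 'sshkeys': sorted(sshkeys),
            'sudo': sudo}


def review(name, state):
    """Print a one-line summary of a host's resolved access."""
    print(f"{name}: users={state['users']} removed={state['removed']} "
          f"groups={state['groups']} sudo={state['sudo']}")


if __name__ == '__main__':
    # web-01: group_vars/webservers.yml grants 'systems', host_vars/web-01.yml
    # names johndoe, and the systems department gets passwordless root.
    review('web-01', resolve_host(SYSTEM_USERS, department_pattern=True,
                                  department_access=['systems'],
                                  user_access=['johndoe'],
                                  super_departments=['systems']))
    # A host managed in basic mode receives everyone in the hash.
    review('basic-host', resolve_host(SYSTEM_USERS, super_users=['mcrilly'],
                                      super_users_nopasswd=False))
```

Running it shows the contractor with an empty `departments` list never reaches a host unless named in `autologic_user_access`, that johndoe lands on web-01 with no supplementary groups because `developers` is not granted there, and that `%systems` is the only passwordless-root principal on that host.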
## License

MIT

## Author Information

- Michael Crilly
- Autologic Technology Ltd
- http://www.mcrilly.me/

--------------------------------------------------------------------------------
/defaults/main.yml:
--------------------------------------------------------------------------------
---
# These are essentially role parameters
autologic_manage_groups: true
autologic_manage_users: true
autologic_manage_sshkeys: true
autologic_manage_sudo: true

# autologic_system_groups: []
autologic_system_users: []

# See README for more details about the
# department pattern.
autologic_department_pattern: false
autologic_department_access: []
autologic_user_access: []

# Sudoers related params
autologic_super_departments_nopasswd: true
autologic_super_departments: []
autologic_super_users_nopasswd: true
autologic_super_users: []

--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
---
galaxy_info:
  author: Michael Crilly
  description: User and group management role
  company: Autologic Technology Ltd
  license: MIT
  min_ansible_version: 1.8.4
dependencies: []

--------------------------------------------------------------------------------
/tasks/groups.yml:
--------------------------------------------------------------------------------
---

# Groups are derived from each user's departments list, so a group's state
# follows the users that list it: a user with state 'absent' makes the group
# module remove every department they list on this host.
- name: Setup the system departments (department)
  become: yes
  group:
    name: "{{ item.1 }}"
    state: "{{ item.0.state }}"
    gid: "{{ item.0.gid | default(omit) }}"
    system: "{{ item.0.system | default(false) }}"
  with_subelements:
    - "{{ autologic_system_users }}"
    - departments
  when: autologic_department_pattern and item.1 in autologic_department_access

- name: Setup the system departments (basic)
  become: yes
  group:
    name: "{{ item.1 }}"
    state: "{{ item.0.state }}"
    gid: "{{ item.0.gid | default(omit) }}"
    system: "{{ item.0.system | default(false) }}"
  with_subelements:
    - "{{ autologic_system_users }}"
    - departments
  when: not autologic_department_pattern

--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---

# autologic_manage_groups is the switch defaults/main.yml documents for this
# step; it was previously never consulted.
- include: groups.yml
  when: autologic_manage_users and autologic_manage_groups
  tags: autologic_users_play_groups

- include: users.yml
  when: autologic_manage_users and not autologic_department_pattern
  tags: autologic_users_play_users

- include: users_department_pattern.yml
  when: autologic_manage_users and autologic_department_pattern
  tags: autologic_users_play_users

- include: sudo.yml
  when: autologic_manage_sudo
  tags: autologic_users_play_sudo

--------------------------------------------------------------------------------
/tasks/sudo.yml:
--------------------------------------------------------------------------------
---

- name: Create sudoers file
  become: yes
  template:
    src: autologic-sudo-group.j2
    dest: /etc/sudoers.d/autologic-sudoers
    # sudo expects sudoers fragments to be root-owned and mode 0440. The mode
    # is quoted so YAML does not read it as the decimal number 600, which
    # would set the permission bits to 01130.
    mode: '0440'
    owner: root
    group: root
    # Refuse to install a fragment visudo cannot parse, so a bad render never
    # locks administrators out of sudo.
    validate: 'visudo -cf %s'

--------------------------------------------------------------------------------
/tasks/users.yml:
--------------------------------------------------------------------------------
---

- name: Add the system users (basic)
  become: yes
  user:
    name: "{{ item.value.username }}"
    state: "{{ item.value.state }}"
    system: "{{ item.value.system | default(false) }}"
    comment: "{{ item.value.comment | default(omit) }}"
    uid: "{{ item.value.uid | default(omit) }}"
    home: "{{ item.value.home | default(omit) }}"
    group: "{{ item.value.group | default(omit) }}"
    groups: "{{ item.value.departments | default([]) | join(',') }}"
    remove: "{{ item.value.remove | default(false) }}"
    force: "{{ item.value.force | default(false) }}"
  with_dict: "{{ autologic_system_users }}"

# Writing another account's authorized_keys needs root, so this task must
# escalate like the one above.
- name: Add user's SSH keys (basic)
  become: yes
  authorized_key:
    user: "{{ item.value.username }}"
    key: "{{ lookup('file', 'files/sshkeys/' + item.value.username) }}"
    state: "{{ item.value.state }}"
  with_dict: "{{ autologic_system_users }}"
  when: autologic_manage_sshkeys and item.value.state != 'absent'

--------------------------------------------------------------------------------
/tasks/users_department_pattern.yml:
--------------------------------------------------------------------------------
---

# A user is created on this host when at least one of their departments is
# listed in autologic_department_access. Only the granted departments become
# supplementary groups, because groups.yml creates no other groups here and
# the user module fails on a group that does not exist.
- name: Add the system users (department)
  become: yes
  user:
    name: "{{ item.0.username }}"
    state: "{{ item.0.state }}"
    system: "{{ item.0.system | default(false) }}"
    comment: "{{ item.0.comment | default(omit) }}"
    uid: "{{ item.0.uid | default(omit) }}"
    home: "{{ item.0.home | default(omit) }}"
    group: "{{ item.0.group | default(omit) }}"
    groups: "{{ item.0.departments | default([]) | intersect(autologic_department_access) | join(',') }}"
    remove: "{{ item.0.remove | default(false) }}"
    force: "{{ item.0.force | default(false) }}"
  with_subelements:
    - "{{ autologic_system_users }}"
    - departments
  when: item.1 in autologic_department_access

# Keys are installed for the same user/department pairs the task above
# accepted, rather than from its registered results, so users skipped on
# this host (no granted department) never receive a key here.
- name: Add user's SSH keys (department)
  become: yes
  authorized_key:
    user: "{{ item.0.username }}"
    key: "{{ lookup('file', 'files/sshkeys/' + item.0.username) }}"
    state: "{{ item.0.state }}"
  with_subelements:
    - "{{ autologic_system_users }}"
    - departments
  when: autologic_manage_sshkeys and item.1 in autologic_department_access and item.0.state != 'absent'

- name: Add the system users (user)
  become: yes
  user:
    name: "{{ item.value.username }}"
    state: "{{ item.value.state }}"
    system: "{{ item.value.system | default(false) }}"
    comment: "{{ item.value.comment | default(omit) }}"
    uid: "{{ item.value.uid | default(omit) }}"
    home: "{{ item.value.home | default(omit) }}"
    group: "{{ item.value.group | default(omit) }}"
    groups: "{{ item.value.departments | default([]) | intersect(autologic_department_access) | join(',') }}"
    remove: "{{ item.value.remove | default(false) }}"
    force: "{{ item.value.force | default(false) }}"
  with_dict: "{{ autologic_system_users }}"
  when: item.value.username in autologic_user_access

- name: Add user's SSH keys (user)
  become: yes
  authorized_key:
    user: "{{ item.value.username }}"
    key: "{{ lookup('file', 'files/sshkeys/' + item.value.username) }}"
    state: "{{ item.value.state }}"
  with_dict: "{{ autologic_system_users }}"
  when: autologic_manage_sshkeys and item.value.username in autologic_user_access and item.value.state != 'absent'

--------------------------------------------------------------------------------
/templates/autologic-sudo-group.j2:
--------------------------------------------------------------------------------
# This file is managed by Ansible
# The file was generated by the autologic-users role
#
# Departments are Unix groups, so they are listed with the sudoers "%group"
# syntax; a bare name would grant the rule to a user of that name instead.
# Aliases are only emitted when they have members: sudoers rejects an empty
# User_Alias, and an unterminated block would glue lines together.

{% if autologic_department_pattern and autologic_super_departments | default([]) | length >= 1 %}
User_Alias AUTOLOGIC_DEPARTMENTS = {% for department in autologic_super_departments %}%{{ department }}{% if not loop.last %}, {% endif %}{% endfor %}

{% if autologic_super_departments_nopasswd %}
AUTOLOGIC_DEPARTMENTS ALL=(ALL) NOPASSWD:ALL
{% else %}
AUTOLOGIC_DEPARTMENTS ALL=(ALL) ALL
{% endif %}
{% endif %}

{% if autologic_super_users | default([]) | length >= 1 %}
User_Alias AUTOLOGIC_USERS = {{ autologic_super_users | join(', ') }}

{% if autologic_super_users_nopasswd %}
AUTOLOGIC_USERS ALL=(ALL) NOPASSWD:ALL
{% else %}
AUTOLOGIC_USERS ALL=(ALL) ALL
{% endif %}
{% endif %}
--------------------------------------------------------------------------------
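The template above is what decides who can reach root without a password. As an added audit script (example code written for this page, not part of the role), the following reads a rendered fragment of that shape, such as the `/etc/sudoers.d/autologic-sudoers` file the role writes, resolves its `User_Alias` definitions and lists every user or `%group` granted passwordless root. The fragment embedded in it is constructed, and `SAMPLE_FRAGMENT`, `parse_fragment`, `expand` and `passwordless_root` are names chosen for this example; it understands only the `User_Alias` and `<who> <hosts>=(<runas>) [NOPASSWD:]<commands>` lines the template emits, not the full sudoers grammar.

```python
"""Audit a sudoers fragment for passwordless root grants.

Added example, not part of the autologic-users role. It parses User_Alias
lines and simple "<who> ALL=(ALL) [NOPASSWD:]ALL" rules, expands aliases to
concrete users / %groups and reports who can run anything as root with no
password. The fragment below is a constructed rendering, not host data."""
import re

# Constructed example of what the role renders with
# autologic_super_departments: [systems, developers] (passwordless) and
# autologic_super_users: [mcrilly, johndoe] with nopasswd turned off.
SAMPLE_FRAGMENT = """\
# This file is managed by Ansible
User_Alias AUTOLOGIC_DEPARTMENTS = %systems, %developers
User_Alias AUTOLOGIC_USERS = mcrilly, johndoe
AUTOLOGIC_DEPARTMENTS ALL=(ALL) NOPASSWD:ALL
AUTOLOGIC_USERS ALL=(ALL) ALL
"""

ALIAS_RE = re.compile(r'^User_Alias\s+(\w+)\s*=\s*(.+)$')
# <who> <hosts> = (<runas>) [<tags>:]<commands>, the shape the template emits
RULE_RE = re.compile(r'^(\S+)\s+(\S+)\s*=\s*\((.*?)\)\s*(.+)$')


def parse_fragment(text):
    """Return (aliases, rules): alias name -> members, and a list of rule dicts."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        alias = ALIAS_RE.match(line)
        if alias:
            aliases[alias.group(1)] = [m.strip() for m in alias.group(2).split(',')]
            continue
        rule = RULE_RE.match(line)
        if rule:
            who, hosts, runas, spec = rule.groups()
            tags, _, commands = spec.rpartition(':')      # "NOPASSWD:ALL" -> tags, commands
            rules.append({'who': who, 'hosts': hosts,
                          'runas': runas.split(':')[0],     # "(ALL:ALL)" -> user part
                          'nopasswd': 'NOPASSWD' in tags.split(':'),
                          'commands': commands.strip()})
    return aliases, rules


def expand(principal, aliases, _seen=None):
    """Resolve a principal through User_Alias chains; cycles stop at the alias name."""
    if _seen is None:
        _seen = set()
    if principal in aliases and principal not in _seen:
        _seen.add(principal)
        members = []
        for member in aliases[principal]:
            members.extend(expand(member, aliases, _seen))
        return members
    return [principal]


def passwordless_root(text):
    """List principals able to run any command as root without a password."""
    aliases, rules = parse_fragment(text)
    found = []
    for rule in rules:
        if (rule['nopasswd'] and rule['commands'] == 'ALL'
                and rule['runas'] in ('ALL', 'root')):
            for principal in expand(rule['who'], aliases):
                if principal not in found:
                    found.append(principal)
    return found


if __name__ == '__main__':
    for principal in passwordless_root(SAMPLE_FRAGMENT):
        print(f"passwordless root: {principal}")
```

On a real host, read `/etc/sudoers.d/autologic-sudoers` and pass its contents to `passwordless_root`; the `%`-prefixed results are groups, so the account list behind each one comes from `getent group`. This is a content review, not a syntax check: keep `visudo -cf` (the `validate` step in `tasks/sudo.yml`) for that.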