Getting started
Access Control List
The debops.system_groups role maintains a simple Access Control List in the Ansible local facts, under the ansible_local.system_groups.access.* variable hierarchy. Other roles can inspect it to get a list of UNIX group names which they can use to configure access in their respective applications.
The ansible_local.system_groups.access variable is a YAML dictionary. Each key of this dictionary corresponds to a particular resource, and the value is a list of UNIX group names. The resources are user-defined; by default the role creates:
root
    Members of these UNIX groups have full, privileged access to the root account on a given host. This resource should be reserved to system administrators.

sshd
    Members of these UNIX groups can login to the host via the SSH service. See the debops.sshd role for more details.

webserver
    Members of these UNIX groups can manipulate various webserver-related services. See the debops.nginx and debops.php roles for more details.
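The following playbook is an added example, not part of the DebOps documentation or of the role itself. It shows how a consuming role would read one resource from the ACL described above: look up the list of UNIX groups under ansible_local.system_groups.access, default to an empty list when the resource is absent, and fail closed rather than render an empty access rule. The variable name consumer__resource and the AllowGroups rendering are assumptions made for the example; the sshd resource name is the role default listed above.

```yaml
---
# Added example (not DebOps code): consume the system_groups ACL fact.
# Assumes the fact was gathered from the host by a previous run of the
# debops.system_groups role.
- name: Inspect the system_groups Access Control List
  hosts: all
  become: True
  gather_facts: True

  vars:
    # Hypothetical: the ACL resource this consumer is interested in
    consumer__resource: 'sshd'

  tasks:

    - name: Read the list of UNIX groups granted for the resource
      ansible.builtin.set_fact:
        # Default to an empty list when the fact or the resource is missing,
        # so a missing ACL never silently turns into "allow everyone"
        consumer__allowed_groups: '{{ (ansible_local.system_groups.access | d({}))[consumer__resource] | d([]) }}'

    - name: Fail closed when no UNIX groups are granted for the resource
      ansible.builtin.assert:
        that:
          - consumer__allowed_groups | length > 0
        fail_msg: 'No UNIX groups granted for resource {{ consumer__resource }}; refusing to configure access'

    - name: Show the access rule that a consumer role could render
      ansible.builtin.debug:
        msg: 'AllowGroups {{ consumer__allowed_groups | join(" ") }}'
```

Because the ACL only carries group names, the consuming role still decides what a name means for its own service; the assert above is the check that keeps an empty or missing resource from being rendered as an unrestricted rule.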
Example inventory
The debops.system_groups role is included by default in the common.yml DebOps playbook; you don't need to add hosts to any Ansible groups to enable it.
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.system_groups role:
---
- name: Configure UNIX system groups
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_system_groups' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'

  roles:

    - role: python
      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
      python__dependent_packages3:
        - '{{ ldap__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ ldap__python__dependent_packages2 }}'

    - role: ldap
      tags: [ 'role::ldap', 'skip::ldap' ]
      ldap__dependent_tasks:
        - '{{ sudo__ldap__dependent_tasks }}'

    - role: sudo
      tags: [ 'role::sudo', 'skip::sudo' ]

    - role: system_groups
      tags: [ 'role::system_groups', 'skip::system_groups' ]
Other resources
List of other useful resources related to the debops.system_groups Ansible role:
Manual pages: group(5), sudoers(5), tmpfiles.d(5)
Debian System Groups documentation on Debian Wiki
UNIX permissions documentation on Debian Wiki
User Private Groups documentation on Debian Wiki
Security privileges documentation on Ubuntu Wiki
Multi User Management documentation on Ubuntu Wiki
UNIX group identifier page on Wikipedia