debops.system_users default variables

Global defaults

system_users__enabled

Should Ansible manage system user accounts? Set to False to disable.

system_users__enabled: True

system_users__acl_enabled

Enable or disable support for filesystem ACL management.

system_users__acl_enabled: '{{ True if ("acl" in system_users__base_packages) else False }}'

system_users__default_shell

Specify the absolute path of the shell which should be configured on all user accounts managed by this role, if not overridden by the user configuration. If not specified, the shell won't be changed, but new accounts will not have a defined shell either.

system_users__default_shell: ''

APT packages

system_users__shell_package_map

YAML dictionary that maps known shells used in the /etc/passwd database to the APT packages with these shells. The role will install missing shell packages if any users have them as their login shells.

system_users__shell_package_map:
  '/bin/bash':     'bash'
  '/bin/csh':      'csh'
  '/usr/bin/fish': 'fish'
  '/bin/ksh':      'ksh'
  '/bin/zsh':      'zsh'

system_users__base_packages

List of base APT packages to install.

system_users__base_packages: [ 'acl', 'libuser' ]

system_users__shell_packages

List of login shell APT packages expected on the host.

system_users__shell_packages: '{{ lookup("template", "lookup/system_users__shell_packages.j2") }}'
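An added example, not the role's lookup/system_users__shell_packages.j2 template (which is not shown on this page): a plain-Python version of the package derivation, run over constructed account items and the documented map. Taking shells only from items whose state is present, and reporting shells the map cannot translate into a package, are assumptions of this example.

```python
# The documented default system_users__shell_package_map.
SHELL_PACKAGE_MAP = {
    "/bin/bash": "bash",
    "/bin/csh": "csh",
    "/usr/bin/fish": "fish",
    "/bin/ksh": "ksh",
    "/bin/zsh": "zsh",
}

def shell_packages(accounts, package_map, default_shell=""):
    """Return (packages, unknown_shells): the sorted, unique APT packages for
    every login shell in use (plus system_users__default_shell), and the shells
    the map has no package for, which the role cannot install. Counting only
    items whose state is "present" is an assumption of this example."""
    wanted = {default_shell} if default_shell else set()
    for item in accounts:
        if item.get("state", "present") != "present":
            continue
        shell = item.get("shell")
        if shell:
            wanted.add(shell)
    # Same membership test the default self account uses before setting
    # its shell: only shells the map knows about are acted upon.
    packages = sorted({package_map[s] for s in wanted if s in package_map})
    unknown = sorted(s for s in wanted if s not in package_map)
    return packages, unknown

# Constructed sample items in the role's account format.
SAMPLE_ACCOUNTS = [
    {"name": "alice", "shell": "/bin/zsh", "admin": True},
    {"name": "bob", "shell": "/usr/bin/fish"},
    {"name": "carol", "shell": "/bin/csh", "state": "ignore"},
    {"name": "svc", "shell": "/usr/local/bin/oksh"},
    {"name": "dave"},
]

if __name__ == "__main__":
    pkgs, unknown = shell_packages(SAMPLE_ACCOUNTS, SHELL_PACKAGE_MAP, "/bin/bash")
    print("install:", pkgs)                   # ['bash', 'fish', 'zsh']
    print("no package known for:", unknown)   # ['/usr/local/bin/oksh']
```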

system_users__packages

List of custom APT packages to install.

system_users__packages: []

Home directories, LDAP integration

system_users__prefix

Add a prefix to the custom UNIX system account names created by DebOps. By default, no prefix is added.

If the role detects that LDAP support has been enabled on a host by the debops.ldap Ansible role, custom UNIX account names created locally on the host will get the _ prefix to indicate that they are local to the given host and to avoid conflicts with any UNIX accounts defined in LDAP.

If LDAP support was enabled after the system accounts had already been created, the role keeps the current prefix value so that the UNIX accounts are not duplicated.

system_users__prefix: '{{ ansible_local.system_users.prefix
                          if (ansible_local|d() and ansible_local.system_users|d() and
                              ansible_local.system_users.prefix is defined)
                          else ("_"
                                if (ansible_local|d() and ansible_local.ldap|d() and
                                    (ansible_local.ldap.enabled|d())|bool)
                                else "") }}'

system_users__home_root

The base path of the home directories for the UNIX accounts managed by DebOps. In an LDAP environment the /home directory might be shared between multiple hosts and mounted from a remote location (for example NFS), so /var/local is used instead to avoid issues with the remote filesystem. The item.home parameter can be used to specify the home directory path and override the autogenerated one.

system_users__home_root: '{{ "/var/local"
                             if (ansible_local|d() and ansible_local.ldap|d() and
                                 (ansible_local.ldap.enabled|d())|bool)
                             else "/home" }}'

system_users__default_home_mode
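The interplay of system_users__prefix and system_users__home_root, worked through as an added example in plain Python (not the role's own code): the documented Jinja conditions are evaluated against constructed ansible_local facts so that a fresh host without LDAP, a fresh host with LDAP, and a host where LDAP was enabled after accounts already existed can be compared. Joining home_root with the prefixed account name to form the autogenerated home path is an assumption of the example.

```python
import posixpath

def _get(facts, *path):
    """Walk nested local facts; None when any key is missing (like `|d()`)."""
    node = facts
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def ldap_enabled(ansible_local):
    """ansible_local.ldap.enabled coerced to a bool, like the `|bool` filter."""
    value = _get(ansible_local, "ldap", "enabled")
    return str(value).lower() in ("true", "yes", "on", "1")

def resolve_prefix(ansible_local):
    """system_users__prefix: a prefix already recorded in local facts wins, so
    enabling LDAP after accounts exist does not rename (and duplicate) them;
    otherwise "_" when LDAP is enabled, and no prefix at all without LDAP."""
    recorded = _get(ansible_local, "system_users", "prefix")
    if recorded is not None:
        return recorded
    return "_" if ldap_enabled(ansible_local) else ""

def resolve_home_root(ansible_local):
    """system_users__home_root: /var/local with LDAP (since /home may be a
    remote mount shared between hosts), /home otherwise."""
    return "/var/local" if ldap_enabled(ansible_local) else "/home"

def account_home(name, ansible_local, home=None):
    """item.home overrides the autogenerated path. Joining home_root with the
    prefixed account name is this example's assumption, not documented."""
    if home:
        return home
    return posixpath.join(resolve_home_root(ansible_local),
                          resolve_prefix(ansible_local) + name)

# Constructed sample facts for the cases the documentation describes.
SCENARIOS = {
    "fresh host, no LDAP": {},
    "fresh host, LDAP enabled": {"ldap": {"enabled": True}},
    "LDAP enabled after accounts existed": {"ldap": {"enabled": "True"},
                                            "system_users": {"prefix": ""}},
}

if __name__ == "__main__":
    for label, facts in SCENARIOS.items():
        print(f"{label:38} prefix={resolve_prefix(facts)!r:4} "
              f"home={account_home('deploy', facts)}")
```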

The default set of permissions for the home directories, specified in octal. It can be overridden on a per-account basis with the item.home_mode parameter.

system_users__default_home_mode: '0751'

Administrator account status

system_users__admin_groups

List of the UNIX groups to which the defined system administrator users (with the admin parameter) will be added by default. These groups grant privileged access to the root UNIX account, system logs and other important services.

system_users__admin_groups: '{{ ansible_local.system_groups.access.root
                                if (ansible_local|d() and ansible_local.system_groups|d() and
                                    ansible_local.system_groups.access|d() and
                                    ansible_local.system_groups.access.root|d())
                                else [ "admins" ] }}'

User configuration files (dotfiles)

These variables are used to manage the user configuration files (dotfiles).

system_users__dotfiles_enabled

Enable or disable management of user dotfiles via the yadm script. See the debops.yadm role for script installation and dotfile mirroring.

system_users__dotfiles_enabled: '{{ True
                                    if (ansible_local|d() and ansible_local.yadm|d() and
                                        ansible_local.yadm.dotfiles|d())
                                    else False }}'

system_users__dotfiles_repo

A URL or an absolute path on the remote host to the git dotfiles repository. This repository is used by default when dotfiles management is enabled and no custom repository is specified for the user.

system_users__dotfiles_repo: '{{ ansible_local.yadm.dotfiles
                                 if (ansible_local|d() and ansible_local.yadm|d() and
                                     ansible_local.yadm.dotfiles|d())
                                 else "" }}'

The "current Ansible user" configuration

system_users__self

Enable or disable management of the UNIX account for the "current Ansible user". Parameters such as the username, preferred shell and GECOS values are detected automatically on the Ansible Controller host.

system_users__self: '{{ False
                        if (system_users__self_name == "root" or
                            ansible_connection == "local")
                        else True }}'

system_users__self_name

The username of the "current Ansible user", used as the basis for creating the private UNIX group, the UNIX account and the home directory.

system_users__self_name: '{{ lookup("env", "USER") }}'

Lists of managed UNIX system groups and accounts

These lists can be used to manage UNIX system groups as well as UNIX system accounts through the Ansible inventory. See system_users__accounts for more details.

system_users__groups

List of UNIX system groups to manage on all hosts in Ansible inventory.

system_users__groups: []

system_users__group_groups

List of UNIX system groups to manage on hosts in a specific Ansible inventory group.

system_users__group_groups: []

system_users__host_groups

List of UNIX system groups to manage on specific hosts in Ansible inventory.

system_users__host_groups: []

system_users__default_accounts

List of default UNIX system user accounts managed by Ansible.

system_users__default_accounts:

  - name: '{{ system_users__self_name }}'
    group: '{{ system_users__self_name }}'
    comment: '{{ system_users__fact_self_comment | regex_replace(",,,$","") }}'
    # home path is generated automatically
    shell: '{{ system_users__fact_self_shell
               if (system_users__fact_self_shell in system_users__shell_package_map.keys())
               else omit }}'
    admin: True
    sshkeys: '{{ lookup("pipe","ssh-add -L | grep ^ssh || cat ~/.ssh/*.pub || true") }}'
    state: '{{ "present"
               if system_users__self|bool
               else "ignore" }}'

system_users__accounts

List of UNIX system user accounts to manage on all hosts in Ansible inventory.

system_users__accounts: []

system_users__group_accounts

List of UNIX system user accounts to manage on hosts in a specific Ansible inventory group.

system_users__group_accounts: []

system_users__host_accounts

List of UNIX system user accounts to manage on specific hosts in Ansible inventory.

system_users__host_accounts: []

system_users__combined_accounts

This variable combines other group and account variables together and is used in the role tasks and templates.

system_users__combined_accounts: '{{ system_users__groups
                                     + system_users__group_groups
                                     + system_users__host_groups
                                     + system_users__default_accounts
                                     + system_users__accounts
                                     + system_users__group_accounts
                                     + system_users__host_accounts }}'