debops.root_account default variables

General configuration


Whether to manage the root account.

root_account__enabled: True

YAML dictionary that maps known shells used in the /etc/passwd database to the APT packages with these shells. The role will install missing shell packages if the root account uses them as their login shell.

  '/bin/bash':     'bash'
  '/bin/csh':      'csh'
  '/usr/bin/fish': 'fish'
  '/bin/ksh':      'ksh'
  '/bin/zsh':      'zsh'

List of APT packages required by the role.

root_account__base_packages: [ 'openssh-client' ]

List of login shell APT packages expected on the host.

root_account__shell_packages: '{{ lookup("template", "lookup/root_account__shell_packages.j2") }}'

List of additional APT packages to install for root account support.

root_account__packages: []

Password set on root account, saved in secrets

root_account__password: '{{ lookup("password", secret
                            + "/credentials/" + inventory_hostname
                            + "/root_account/password encrypt=sha512_crypt length="
                            + root_account__password_length) }}'

Length of the root password.

root_account__password_length: '32'

This variable controls if the role should update the root account password on each run. By default it will be updated only the first time the role is executed. If you want to update the password on each run, set this variable to True.

root_account__password_update: '{{ False
                                   if (ansible_local.root_account.configured|d())
                                   else True }}'

Whether to generate a SSH key pair for root.

root_account__generate_ssh_key: True

Specify the SSH private key type to use. By default role will generate ED25519 keys if they are supported by the remote host, otherwise RSA keys will be generated.

root_account__ssh_key_type: '{{ "ed25519"
                                if ("ssh-ed25519" in root_account__register_key_types.stdout_lines)
                                else "rsa" }}'

Absolute path to the SSH private key to manage.

root_account__ssh_key_file: '/root/.ssh/id_{{ root_account__ssh_key_type }}'

Custom comment added to the generated SSH public key.

root_account__ssh_key_comment: 'root@{{ ansible_hostname }} generated by Ansible'

Specifies the number of bits in the key to create, only relevant for RSA keys.

root_account__ssh_key_bits: '4096'

Define the primary UNIX system group of the root UNIX account. The primary root group might be different on other operating systems, for example FreeBSD.

root_account__group: '{{ "wheel"
                         if (ansible_distribution in [ "FreeBSD" ])
                         else "root" }}'

Default root shell, set to empty string to not change the shell.

root_account__shell: ''

When enabled, the role will ensure that the mesg n command located in the /root/.profile file will be run only when TTY is present. This fixes the "mesg: ttyname failed: Inappropriate ioctl for device" error message. See also:,

root_account__fix_no_tty: True

The root dotfiles

The dotfiles of the root account are managed using the yadm script, installed by the debops.yadm role.


Enable or disable dotfiles management, depending on the availablility of the dotfiles repository installed by the debops.yadm role.

root_account__dotfiles_enabled: '{{ True
                                    if ansible_local.yadm.dotfiles|d()
                                    else False }}'

An URL or an absolute directory to the git repository that contains dotfiles for the root account.

root_account__dotfiles_repo: '{{ ansible_local.yadm.dotfiles|d("") }}'

Authorized SSH keys


List of public SSH keys which will be added to the /root/.ssh/authorized_keys file on all hosts in the Ansible inventory.

root_account__authorized_keys: []

List of public SSH keys which will be added to the /root/.ssh/authorized_keys file on hosts in a specific Ansible inventory group.

root_account__group_authorized_keys: []

List of public SSH keys which will be added to the /root/.ssh/authorized_keys file on specific hosts in the Ansible inventory.

root_account__host_authorized_keys: []

This variable combines all root_account__*authorized_keys variables together and is used in the role tasks and templates.

root_account__combined_authorized_keys: '{{ root_account__authorized_keys
                                            + root_account__group_authorized_keys
                                            + root_account__host_authorized_keys }}'

If True, only the public SSH keys defined in the above variable will be present on the root account, all other keys will be removed.

If False, the public SSH keys defined in the above variable will be added to the existing keys on the root account.

root_account__authorized_keys_exclusive: False

If present, the role will manage the /root/.ssh/authorized_keys file and add any public SSH keys to the root account. If absent, the /root/.ssh/authorized_keys file will be removed.

root_account__authorized_keys_state: 'present'

Subordinate UID/GID ranges


Enable or disable configuration of subordinate UIDs/GIDs for the root system account.

root_account__subuid_enabled: True

List of subordinate UID/GID numbers which can be remapped to be the root account in new user namespaces created by the system root account.

Multiple UID/GID ranges are possible, they shouldn't overlap with either normal system UID/GID ranges or other subordinate UID/GID ranges for security reasons. Check the contents of the /etc/subuid and /etc/subgid files to verify what UID/GID ranges are used on a given host.

If the debops.ldap role was applied on the host, the default UID/GID ranges will change to include the ranges used in the LDAP directory.

root_account__subuid_start: [ '{{ (ansible_local.ldap.uid_gid_max|int + 1)
                                  if (ansible_local|d() and ansible_local.ldap|d() and
                                      (ansible_local.ldap.uid_gid_max|int > 100000))
                                  else "100000" }}' ]

Specify the number of UIDs/GIDs to reserve for a given subordinate UID/GID range. Remember that using lower UID/GID number than 65535 may cause issues due to some system accounts like nobody and groups like nogroup having UID and GID numbers at the end of the normal 0-65535 range.

If the debops.ldap role was applied on the host, the default UID/GID ranges will change to include the ranges used in the LDAP directory.

root_account__subuid_count: '{{ ansible_local.ldap.uid_gid_max
                                if (ansible_local|d() and ansible_local.ldap|d() and
                                    (ansible_local.ldap.uid_gid_max|int > 65536))
                                else "65535" }}'