debops.system_users default variables
Global defaults
- system_users__enabled
Should Ansible manage system user accounts? Set to False to disable.
system_users__enabled: True
- system_users__acl_enabled
Enable or disable support for filesystem ACL management.
system_users__acl_enabled: '{{ True if ("acl" in system_users__base_packages) else False }}'
- system_users__default_shell
Specify the absolute path of the shell which should be configured on all user accounts managed by this role, unless overridden in the user configuration. If not specified, the shell of existing accounts won't be changed, but new accounts will not have a defined shell either.
system_users__default_shell: ''
APT packages
- system_users__shell_package_map
YAML dictionary that maps known shells used in the /etc/passwd database to the APT packages with these shells. The role will install missing shell packages if any users have them as their login shells.
system_users__shell_package_map:
  '/bin/bash': 'bash'
  '/bin/csh': 'csh'
  '/usr/bin/fish': 'fish'
  '/bin/ksh': 'ksh'
  '/bin/zsh': 'zsh'
- system_users__base_packages
List of base APT packages to install.
system_users__base_packages: [ 'acl' ]
- system_users__shell_packages
List of login shell APT packages expected on the host.
system_users__shell_packages: '{{ lookup("template", "lookup/system_users__shell_packages.j2") | from_yaml }}'
- system_users__packages
List of custom APT packages to install.
system_users__packages: []
Home directories, LDAP integration
- system_users__prefix
Add a prefix to the custom UNIX system account names created by DebOps. By default, no prefix is added.
If the role detects that LDAP support has been, or will be, enabled on a host by the debops.ldap Ansible role, custom UNIX account names created locally on the host will have the _ prefix to indicate that they are local to a given host and do not conflict with any UNIX accounts defined in LDAP.
If LDAP support was enabled after the system accounts had been created, the role will keep the current prefix value so as not to duplicate the UNIX accounts.
system_users__prefix: '{{ ansible_local.system_users.prefix | d("_"
                          if ("debops_service_ldap" in group_names or
                              (ansible_local.ldap.posix_enabled | d() | bool))
                          else "") }}'
- system_users__home_root
The base path of the home directories for the UNIX accounts managed by DebOps. In an LDAP environment the /home directory might be shared between multiple hosts and mounted from a remote location (for example NFS), therefore /var/local is used to avoid issues with the remote filesystem. The item.home parameter can be used to specify the home directory path and override the autogenerated one.
system_users__home_root: '{{ "/var/local"
                             if ("debops_service_ldap" in group_names or
                                 (ansible_local.ldap.posix_enabled | d() | bool))
                             else "/home" }}'
- system_users__default_home_mode
The default set of permissions for the home directories, specified in octal. It can be overridden on a per-account basis with the item.home_mode parameter.
system_users__default_home_mode: '0751'
Administrator account status
- system_users__admin_groups
List of the UNIX groups to which the defined system administrator users (those with the admin parameter) will be added by default. These groups grant privileged access to the root UNIX account, system logs and other important services.
system_users__admin_groups: '{{ ansible_local.system_groups.access.root | d(["admins"]) }}'
User configuration files (dotfiles)
These variables are used to manage the user configuration files (dotfiles).
- system_users__dotfiles_enabled
Enable or disable management of user dotfiles via yadm script. See the debops.yadm role for script installation and dotfile mirroring.
system_users__dotfiles_enabled: '{{ True
                                    if ansible_local.yadm.dotfiles | d()
                                    else False }}'
- system_users__dotfiles_repo
A URL or an absolute path on the remote host to the git dotfiles repository. This repository will be used by default if dotfiles management is enabled without specifying a custom repository for the user.
system_users__dotfiles_repo: '{{ ansible_local.yadm.dotfiles | d("") }}'
The "current Ansible user" configuration
- system_users__self
Enable or disable management of the UNIX account for the "current Ansible user". Specific parameters such as the username, preferred shell and GECOS values are detected automatically on the Ansible Controller host.
system_users__self: '{{ False
                        if (system_users__self_name == "root" or
                            ansible_connection | d("ssh") == "local")
                        else True }}'
- system_users__self_name
The username of the "current Ansible user", used as a basis to create the private UNIX group, UNIX account and home directory. The account name can contain the "prefix" specified in the system_users__prefix variable; it will be stripped automatically when necessary.
See the Centralized "control user" UNIX account documentation for more details about configuring a shared "control user" account.
system_users__self_name: '{{ lookup("env", "USER") }}'
- system_users__self_comment
The value of the GECOS field of the control user account, used when local UNIX account information is not available.
system_users__self_comment: 'Ansible Control User'
- system_users__self_shell
The default UNIX shell used by the control user account, used when local UNIX account information is not available.
system_users__self_shell: '/bin/bash'
Lists of managed UNIX system groups and accounts
These lists can be used to manage UNIX system groups as well as UNIX system accounts through the Ansible inventory. See system_users__accounts for more details.
- system_users__groups
List of UNIX system groups to manage on all hosts in Ansible inventory.
system_users__groups: []
- system_users__group_groups
List of UNIX system groups to manage on hosts in specific Ansible inventory group.
system_users__group_groups: []
- system_users__host_groups
List of UNIX system groups to manage on specific hosts in Ansible inventory.
system_users__host_groups: []
- system_users__dependent_groups
List of UNIX system groups to manage on the current playbook host. This variable is meant to be used from a role dependency in role/meta/main.yml or in a playbook.
system_users__dependent_groups: []
- system_users__default_accounts
List of default UNIX system user accounts managed by Ansible.
system_users__default_accounts:
  - name: '{{ system_users__self_name }}'
    group: '{{ system_users__self_name }}'
    prefix: '{{ "" if ansible_user | d() else system_users__prefix }}'
    comment: '{{ system_users__fact_self_comment
                 | d(system_users__self_comment)
                 | regex_replace(",,,$", "") }}'
    # home path is generated automatically
    shell: '{{ (system_users__fact_self_shell | d(system_users__self_shell))
               if ((system_users__fact_self_shell | d(system_users__self_shell))
                   in system_users__shell_package_map.keys())
               else omit }}'
    admin: True
    sshkeys: '{{ lookup("pipe", "ssh-add -L | grep ^\\\(sk-\\\)\\\?ssh || cat ~/.ssh/*.pub || cat ~/.ssh/authorized_keys || true") }}' # noqa jinja[spacing]
    state: '{{ "present"
               if system_users__self | bool
               else "ignore" }}'
- system_users__accounts
List of UNIX system user accounts to manage on all hosts in Ansible inventory.
system_users__accounts: []
- system_users__group_accounts
List of UNIX system user accounts to manage on hosts in specific Ansible inventory group.
system_users__group_accounts: []
- system_users__host_accounts
List of UNIX system user accounts to manage on specific hosts in Ansible inventory.
system_users__host_accounts: []
- system_users__dependent_accounts
List of UNIX system user accounts to manage on the current playbook host.
This variable is meant to be used from a role dependency in role/meta/main.yml or in a playbook.
system_users__dependent_accounts: []
- system_users__combined_accounts
This variable combines other group and account variables together and is used in the role tasks and templates.
system_users__combined_accounts: '{{ system_users__groups
                                     + system_users__group_groups
                                     + system_users__host_groups
                                     + (system_users__dependent_groups | flatten)
                                     + system_users__default_accounts
                                     + system_users__accounts
                                     + system_users__group_accounts
                                     + system_users__host_accounts
                                     + (system_users__dependent_accounts | flatten) }}'
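As an added example that is not part of the DebOps documentation, the inventory fragment below shows how the group and account lists above fit together before they are concatenated into system_users__combined_accounts. Group and account names, the SSH key, the home path and the file paths in the comments are constructed placeholders; only parameters that appear on this page (name, group, shell, home, home_mode, admin, sshkeys, state) are used.

```yaml
# Added example, not from the debops.system_users role. All names, keys and
# paths below are constructed placeholders for illustration.

# Variables that apply to every host, e.g. in a group_vars/all file (placeholder path):
system_users__default_shell: '/bin/bash'

# Limit the auto-installed login shells to the ones actually used;
# the role installs a shell package only when some account uses that shell.
system_users__shell_package_map:
  '/bin/bash': 'bash'
  '/bin/zsh': 'zsh'

# UNIX groups managed everywhere (system_users__groups)
system_users__groups:
  - name: 'deploy'          # constructed group name

# UNIX accounts managed everywhere (system_users__accounts)
system_users__accounts:
  - name: 'jdoe'            # constructed account name
    group: 'jdoe'
    shell: '/bin/zsh'       # present in the shell package map, so 'zsh' gets installed
    admin: True             # added to the groups listed in system_users__admin_groups
    sshkeys: 'ssh-ed25519 AAAA...PLACEHOLDER jdoe@workstation'   # placeholder key
    state: 'present'

  - name: 'svc-backup'      # constructed service account
    group: 'svc-backup'
    home: '/srv/backup'     # overrides the path generated under system_users__home_root
    home_mode: '0750'       # stricter than system_users__default_home_mode ('0751')
    admin: False
    state: 'present'

# Variables for one inventory group, e.g. in a group_vars/<group> file (placeholder path);
# 'ignore' keeps the entry in the list but skips it during processing.
system_users__group_accounts:
  - name: 'jdoe'
    group: 'jdoe'
    state: 'ignore'
```

Because the lists are simply concatenated in system_users__combined_accounts, an entry defined in system_users__group_accounts for a name that already exists in system_users__accounts is processed after the global one; keeping the account name identical in both places is what lets the narrower scope adjust a single account rather than create a second one.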