debops.root_account default variables

General configuration

root_account__enabled

Whether to manage the root account.

root_account__enabled: True
root_account__shell_package_map

YAML dictionary that maps known shells used in the /etc/passwd database to the APT packages that provide these shells. The role will install a missing shell package if the root account uses that shell as its login shell.

root_account__shell_package_map:
  '/bin/bash':     'bash'
  '/bin/csh':      'csh'
  '/usr/bin/fish': 'fish'
  '/bin/ksh':      'ksh'
  '/bin/zsh':      'zsh'
root_account__base_packages

List of APT packages required by the role.

root_account__base_packages: [ 'openssh-client' ]
root_account__shell_packages

List of login shell APT packages expected on the host.

root_account__shell_packages: '{{ lookup("template", "lookup/root_account__shell_packages.j2") }}'
root_account__packages

List of additional APT packages to install for root account support.

root_account__packages: []
root_account__password

Password set on the root account, saved in the DebOps secrets directory.

root_account__password: '{{ lookup("password", secret
                            + "/credentials/" + inventory_hostname
                            + "/root_account/password encrypt=sha512_crypt length="
                            + root_account__password_length) }}'
root_account__password_length

Length of the root password.

root_account__password_length: '32'
root_account__password_update

This variable controls if the role should update the root account password on each run. By default it will be updated only the first time the role is executed. If you want to update the password on each run, set this variable to True.

root_account__password_update: '{{ False
                                   if (ansible_local|d() and ansible_local.root_account|d() and
                                       ansible_local.root_account.configured|d())
                                   else True }}'
root_account__generate_ssh_key

Whether to generate an SSH key pair for root.

root_account__generate_ssh_key: True
root_account__ssh_key_type

Specify the SSH private key type to use. By default the role will generate ED25519 keys if they are supported by the remote host, otherwise RSA keys will be generated.

root_account__ssh_key_type: '{{ "ed25519"
                                if ("ssh-ed25519" in root_account__register_key_types.stdout_lines)
                                else "rsa" }}'
root_account__ssh_key_file

Absolute path to the SSH private key to manage.

root_account__ssh_key_file: '/root/.ssh/id_{{ root_account__ssh_key_type }}'
root_account__ssh_key_comment

Custom comment added to the generated SSH public key.

root_account__ssh_key_comment: 'root@{{ ansible_hostname }} generated by Ansible'
root_account__ssh_key_bits

Specifies the number of bits in the key to create; only relevant for RSA keys.

root_account__ssh_key_bits: '4096'
root_account__group

Define the primary UNIX system group of the root UNIX account. The primary root group might be different on other operating systems, for example FreeBSD.

root_account__group: '{{ "wheel"
                         if (ansible_distribution in [ "FreeBSD" ])
                         else "root" }}'
root_account__shell

Default root shell. Set to an empty string to leave the shell unchanged.

root_account__shell: ''
root_account__fix_no_tty

When enabled, the role will ensure that the mesg n command in the /root/.profile file is run only when a TTY is present. This fixes the "mesg: ttyname failed: Inappropriate ioctl for device" error message. See also: https://bugs.debian.org/794727, https://superuser.com/a/1253889

root_account__fix_no_tty: True

The root dotfiles

The dotfiles of the root account are managed using the yadm script, installed by the debops.yadm role.

root_account__dotfiles_enabled

Enable or disable dotfiles management, depending on the availability of the dotfiles repository installed by the debops.yadm role.

root_account__dotfiles_enabled: '{{ True
                                    if (ansible_local|d() and ansible_local.yadm|d() and
                                        ansible_local.yadm.dotfiles|d())
                                    else False }}'
root_account__dotfiles_repo

A URL or an absolute directory path of the git repository that contains dotfiles for the root account.

root_account__dotfiles_repo: '{{ ansible_local.yadm.dotfiles
                                 if (ansible_local|d() and ansible_local.yadm|d() and
                                     ansible_local.yadm.dotfiles|d())
                                 else "" }}'

Authorized SSH keys

root_account__authorized_keys

List of public SSH keys which will be added to the /root/.ssh/authorized_keys file on all hosts in the Ansible inventory.

root_account__authorized_keys: []
root_account__group_authorized_keys

List of public SSH keys which will be added to the /root/.ssh/authorized_keys file on hosts in a specific Ansible inventory group.

root_account__group_authorized_keys: []
root_account__host_authorized_keys

List of public SSH keys which will be added to the /root/.ssh/authorized_keys file on specific hosts in the Ansible inventory.

root_account__host_authorized_keys: []
root_account__combined_authorized_keys

This variable combines all root_account__*authorized_keys variables together and is used in the role tasks and templates.

root_account__combined_authorized_keys: '{{ root_account__authorized_keys
                                            + root_account__group_authorized_keys
                                            + root_account__host_authorized_keys }}'
root_account__authorized_keys_exclusive

If True, only the public SSH keys defined in the above variable will be present on the root account; all other keys will be removed.

If False, the public SSH keys defined in the above variable will be added to the existing keys on the root account.

root_account__authorized_keys_exclusive: False
root_account__authorized_keys_state

If present, the role will manage the /root/.ssh/authorized_keys file and add any public SSH keys to the root account. If absent, the /root/.ssh/authorized_keys file will be removed.

root_account__authorized_keys_state: 'present'

Subordinate UID/GID ranges

root_account__subuid_enabled

Enable or disable configuration of subordinate UIDs/GIDs for the root system account.

root_account__subuid_enabled: True
root_account__subuid_start

List of subordinate UID/GID numbers which can be remapped to be the root account in new user namespaces created by the system root account.

Multiple UID/GID ranges are possible. For security reasons they shouldn't overlap with either the normal system UID/GID ranges or other subordinate UID/GID ranges. Check the contents of the /etc/subuid and /etc/subgid files to verify which UID/GID ranges are used on a given host.

If the debops.ldap role was applied on the host, the default UID/GID ranges will change to include the ranges used in the LDAP directory.

root_account__subuid_start: [ '{{ (ansible_local.ldap.uid_gid_max|int + 1)
                                  if (ansible_local|d() and ansible_local.ldap|d() and
                                      (ansible_local.ldap.uid_gid_max|int > 100000))
                                  else "100000" }}' ]
root_account__subuid_count

Specify the number of UIDs/GIDs to reserve for a given subordinate UID/GID range. Remember that using a UID/GID number lower than 65535 may cause issues, because some system accounts like nobody and groups like nogroup have UID and GID numbers at the end of the normal 0-65535 range.

If the debops.ldap role was applied on the host, the default UID/GID ranges will change to include the ranges used in the LDAP directory.

root_account__subuid_count: '{{ ansible_local.ldap.uid_gid_max
                                if (ansible_local|d() and ansible_local.ldap|d() and
                                    (ansible_local.ldap.uid_gid_max|int > 65536))
                                else "65535" }}'