Getting started
Default configuration
By default, the role does not configure any access rules in the /etc/security/access.conf file. Control over this file is initialized using a configuration entry named global. See the examples in pam_access__rules for an explanation of how to use it in the Ansible inventory to set the access rules.
The role is designed to be used by other Ansible roles to manage their own access lists, with a custom file per service. However, the rules defined via dependent variables are not tracked outside of the context of a given role (i.e. in different playbooks), and roles cannot affect each other's access rules using this method. Similarly, in the Ansible inventory users should set the state of the defined rules as append, so that they don't clobber the existing rule files when the debops.pam_access role is executed on its own, or via a different playbook.
The activation of the pam_access.so PAM module for each service is not managed by the debops.pam_access role itself, and should be managed by the Ansible roles designed to configure the services.
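To make the effect of the rules concrete, here is an added Python example (not part of the DebOps documentation or the role's own code) that parses a constructed /etc/security/access.conf fragment of the kind the role writes, and evaluates it the way pam_access.so does: entries are checked in order, the first entry whose users and origins both match decides, and if nothing matches access is granted. This is why a file that is meant to deny by default ends with an explicit "- : ALL : ALL" entry, and why a role appending its own rules must take care not to append them after such a catch-all. The file contents, the group membership table and the origin matching (no netmask or tty handling, only ALL, LOCAL, NONE, exact names, ".domain" suffixes and "prefix." prefixes) are simplifications constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed sample of the kind of content the role writes into
# /etc/security/access.conf (hypothetical entries, not from the page).
SAMPLE_ACCESS_CONF = """\
# permission : users/groups : origins
+ : root : LOCAL
+ : (admins) : ALL
+ : ALL EXCEPT guest : .corp.example.com
- : ALL : ALL
"""

# Constructed group membership (hypothetical); a real check would resolve
# group members with grp.getgrnam() instead of a static table.
SAMPLE_GROUPS: Dict[str, Set[str]] = {"admins": {"alice"}}


@dataclass
class Rule:
    allow: bool          # '+' grants, '-' denies
    users: List[str]     # logins, '(group)' names, ALL, EXCEPT
    origins: List[str]   # hostnames, '.domain', 'prefix.', ALL, LOCAL, NONE, EXCEPT


def parse_access_conf(text: str) -> List[Rule]:
    """Parse 'permission : users : origins' entries, skipping comments and blanks."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed access.conf entry: {raw!r}")
        rules.append(Rule(fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules


def _match_list(items: List[str], value: str, match_one: Callable[[str, str], bool]) -> bool:
    """access.conf list semantics: 'a b c' or 'a b EXCEPT c d' (in list1, not in list2)."""
    if "EXCEPT" in items:
        idx = items.index("EXCEPT")
        included, excluded = items[:idx], items[idx + 1:]
    else:
        included, excluded = items, []
    return (any(match_one(i, value) for i in included)
            and not any(match_one(e, value) for e in excluded))


def _user_matches(item: str, user: str, groups: Dict[str, Set[str]]) -> bool:
    """A user field entry is ALL, a '(group)' reference, or a literal login name."""
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return user in groups.get(item[1:-1], set())
    return item == user


def _origin_matches(item: str, origin: str) -> bool:
    """Simplified origin matching (no netmask or tty special cases)."""
    if item == "ALL":
        return True
    if item == "NONE":
        return False
    if item == "LOCAL":          # LOCAL matches any origin without a dot
        return "." not in origin
    if item.startswith("."):     # '.corp.example.com' matches hosts in that domain
        return origin.endswith(item)
    if item.endswith("."):       # '192.168.' matches addresses with that prefix
        return origin.startswith(item)
    return item == origin


def access_decision(rules: List[Rule], user: str, origin: str,
                    groups: Dict[str, Set[str]]) -> bool:
    """First matching entry wins; with no matching entry pam_access grants access."""
    for rule in rules:
        users_ok = _match_list(rule.users, user, lambda i, v: _user_matches(i, v, groups))
        origins_ok = _match_list(rule.origins, origin, _origin_matches)
        if users_ok and origins_ok:
            return rule.allow
    return True


if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    for user, origin in [("root", "tty1"), ("bob", "tty1"), ("alice", "10.0.0.5"),
                         ("bob", "host.corp.example.com"), ("guest", "host.corp.example.com")]:
        verdict = "allow" if access_decision(rules, user, origin, SAMPLE_GROUPS) else "deny"
        print(f"{user:6s} from {origin:24s} -> {verdict}")
```

The last assertion worth keeping in mind is the empty-file case: with no entries at all, every login is permitted, so a service whose access.conf fragment has not been populated yet is not protected by pam_access.so even when the module is enabled for it.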
Example inventory
The debops.pam_access role is included in the DebOps common playbook, therefore you don't need to do anything special to enable it on a host.
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.pam_access role:
---
- name: Manage PAM Access Control Lists
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_pam_access' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'

  roles:

    - role: pam_access
      tags: [ 'role::pam_access', 'skip::pam_access' ]
Ansible tags
You can use the Ansible --tags or --skip-tags parameters to limit what tasks are performed during an Ansible run. This can be used after a host is first configured to speed up playbook execution, when you are sure that most of the configuration has not been changed.
Available role tags:
role::pam_access
- Main role tag, should be used in the playbook to execute all of the role tasks as well as role dependencies.
Other resources
List of other useful resources related to the debops.pam_access Ansible role:
- Manual pages: pam_access(8), access.conf(5)