debops.root_account default variables

General configuration

root_account__enabled

Whether to manage the root account.

    root_account__enabled: True
root_account__shell_package_map

YAML dictionary that maps known shells used in the /etc/passwd database to the APT packages which provide them. The role will install missing shell packages if the root account uses one of these shells as its login shell.

    root_account__shell_package_map:
      '/bin/bash': 'bash'
      '/bin/csh': 'csh'
      '/usr/bin/fish': 'fish'
      '/bin/ksh': 'ksh'
      '/bin/zsh': 'zsh'
root_account__base_packages

List of APT packages required by the role.

    root_account__base_packages: [ 'openssh-client' ]

root_account__shell_packages

List of login shell APT packages expected on the host.

    root_account__shell_packages: '{{ lookup("template", "lookup/root_account__shell_packages.j2") }}'

root_account__packages

List of additional APT packages to install for root account support.

    root_account__packages: []
root_account__password

Password set on the root account, generated by the password lookup and saved in the DebOps secrets directory.

    root_account__password: '{{ lookup("password", secret
                                + "/credentials/" + inventory_hostname
                                + "/root_account/password encrypt=sha512_crypt length="
                                + root_account__password_length) }}'

root_account__password_length

Length of the root password.

    root_account__password_length: '32'
root_account__password_update

This variable controls whether the role should update the root account password on each run. By default it is updated only the first time the role is executed. If you want to update the password on each run, set this variable to True.

    root_account__password_update: '{{ False
                                    if (ansible_local.root_account.configured|d())
                                    else True }}'
root_account__generate_ssh_key

Whether to generate an SSH key pair for root.

    root_account__generate_ssh_key: True

root_account__ssh_key_type

Specify the SSH private key type to use. By default the role will generate ED25519 keys if they are supported by the remote host, otherwise RSA keys will be generated.

    root_account__ssh_key_type: '{{ "ed25519"
                                 if ("ssh-ed25519" in root_account__register_key_types.stdout_lines)
                                 else "rsa" }}'
root_account__ssh_key_file

Absolute path to the SSH private key to manage.

    root_account__ssh_key_file: '/root/.ssh/id_{{ root_account__ssh_key_type }}'

root_account__ssh_key_comment

Custom comment added to the generated SSH public key.

    root_account__ssh_key_comment: 'root@{{ ansible_hostname }} generated by Ansible'

root_account__ssh_key_bits

Specifies the number of bits in the key to create; only relevant for RSA keys.

    root_account__ssh_key_bits: '4096'
root_account__group

Define the primary UNIX system group of the root UNIX account. The primary root group might be different on other operating systems, for example FreeBSD.

    root_account__group: '{{ "wheel"
                          if (ansible_distribution in [ "FreeBSD" ])
                          else "root" }}'

root_account__shell

Default root shell; set to an empty string to leave the shell unchanged.

    root_account__shell: ''
root_account__fix_no_tty

When enabled, the role will ensure that the mesg n command in the /root/.profile file is run only when a TTY is present. This fixes the "mesg: ttyname failed: Inappropriate ioctl for device" error message. See also: https://bugs.debian.org/794727, https://superuser.com/a/1253889

    root_account__fix_no_tty: True
The root dotfiles

The dotfiles of the root account are managed using the yadm script, installed by the debops.yadm role.

root_account__dotfiles_enabled

Enable or disable dotfiles management, depending on the availability of the dotfiles repository installed by the debops.yadm role.

    root_account__dotfiles_enabled: '{{ True
                                     if ansible_local.yadm.dotfiles|d()
                                     else False }}'

root_account__dotfiles_repo

A URL or an absolute directory path of the git repository that contains dotfiles for the root account.

    root_account__dotfiles_repo: '{{ ansible_local.yadm.dotfiles|d("") }}'
Authorized SSH keys

root_account__authorized_keys

List of public SSH keys which will be added to the /root/.ssh/authorized_keys file on all hosts in the Ansible inventory.

    root_account__authorized_keys: []

root_account__group_authorized_keys

List of public SSH keys which will be added to the /root/.ssh/authorized_keys file on hosts in a specific Ansible inventory group.

    root_account__group_authorized_keys: []

root_account__host_authorized_keys

List of public SSH keys which will be added to the /root/.ssh/authorized_keys file on specific hosts in the Ansible inventory.

    root_account__host_authorized_keys: []

root_account__combined_authorized_keys

This variable combines all root_account__*authorized_keys variables together and is used in the role tasks and templates.

    root_account__combined_authorized_keys: '{{ root_account__authorized_keys
                                             + root_account__group_authorized_keys
                                             + root_account__host_authorized_keys }}'

root_account__authorized_keys_exclusive

If True, only the public SSH keys defined in the above variable will be present on the root account; all other keys will be removed. If False, the public SSH keys defined in the above variable will be added to the existing keys on the root account.

    root_account__authorized_keys_exclusive: False

root_account__authorized_keys_state

If present, the role will manage the /root/.ssh/authorized_keys file and add any public SSH keys to the root account. If absent, the /root/.ssh/authorized_keys file will be removed.

    root_account__authorized_keys_state: 'present'
Subordinate UID/GID ranges

root_account__subuid_enabled

Enable or disable configuration of subordinate UIDs/GIDs for the root system account.

    root_account__subuid_enabled: True

root_account__subuid_start

List of starting UID/GID numbers of the subordinate ranges which can be remapped to the root account in new user namespaces created by the system root account. Multiple UID/GID ranges are possible; for security reasons they should not overlap with either the normal system UID/GID range or other subordinate UID/GID ranges. Check the contents of the /etc/subuid and /etc/subgid files to verify which UID/GID ranges are in use on a given host.

If the debops.ldap role was applied on the host, the default UID/GID ranges will change to account for the ranges used in the LDAP directory.

    root_account__subuid_start: [ '{{ (ansible_local.ldap.uid_gid_max|int + 1)
                                   if (ansible_local|d() and ansible_local.ldap|d() and
                                       (ansible_local.ldap.uid_gid_max|int > 100000))
                                   else "100000" }}' ]
root_account__subuid_count

Specify the number of UIDs/GIDs to reserve for a given subordinate UID/GID range. Remember that using a count lower than 65535 may cause issues, because some system accounts like nobody and groups like nogroup have UID and GID numbers at the end of the normal 0-65535 range.

If the debops.ldap role was applied on the host, the default UID/GID ranges will change to account for the ranges used in the LDAP directory.

    root_account__subuid_count: '{{ ansible_local.ldap.uid_gid_max
                                 if (ansible_local|d() and ansible_local.ldap|d() and
                                     (ansible_local.ldap.uid_gid_max|int > 65536))
                                 else "65535" }}'
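Added example, not part of the debops.root_account role: a small Python check that reproduces the default start/count selection of root_account__subuid_start and root_account__subuid_count above, then tests the resulting range against /etc/subuid-style entries for the overlaps the text warns about. The sample /etc/subuid content and the LDAP uid_gid_max values are constructed.

```python
from typing import List, Optional, Tuple

# Normal UID/GID range 0-65535 as (start, count); subordinate ranges must avoid it.
SYSTEM_RANGE = (0, 65536)


def default_subuid_range(ldap_uid_gid_max: Optional[int]) -> Tuple[int, int]:
    """Mirror the role's default start/count selection.

    Without debops.ldap facts the role uses 100000 / 65535; with facts it
    moves past the LDAP UID/GID range, using the same thresholds as the
    Jinja expressions above (start only if > 100000, count only if > 65536).
    """
    ldap_max = ldap_uid_gid_max or 0
    start = ldap_max + 1 if ldap_max > 100000 else 100000
    count = ldap_max if ldap_max > 65536 else 65535
    return start, count


def parse_subid(text: str) -> List[Tuple[str, int, int]]:
    """Parse /etc/subuid or /etc/subgid content ('name:start:count' per line)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        entries.append((name, int(start), int(count)))
    return entries


def overlaps(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    """True if two (start, count) ranges share at least one ID."""
    return a[0] <= b[0] + b[1] - 1 and b[0] <= a[0] + a[1] - 1


def conflicts(proposed: Tuple[int, int], entries, owner: str = "root") -> List[str]:
    """Names of existing ranges (or 'system-range') the proposed range collides with."""
    found = ["system-range"] if overlaps(proposed, SYSTEM_RANGE) else []
    found += [n for n, s, c in entries if n != owner and overlaps(proposed, (s, c))]
    return found


# Constructed /etc/subuid sample: two regular users already hold ranges from 100000 up.
SAMPLE_SUBUID = """\
# constructed sample, not copied from a real host
alice:100000:65536
bob:165536:65536
"""

if __name__ == "__main__":
    entries = parse_subid(SAMPLE_SUBUID)
    for ldap_max in (None, 200000):
        rng = default_subuid_range(ldap_max)
        print("ldap uid_gid_max", ldap_max, "->", rng, "conflicts:", conflicts(rng, entries))
```

With the sample file, the plain default 100000/65535 collides with the first regular user's range, which is exactly the situation the text tells you to check /etc/subuid for before relying on the defaults.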