Default variable details¶
Some of debops.system_groups
default variables have more extensive
configuration than simple strings or lists, here you can find documentation and
examples for them.
system_groups__list¶
The system_groups__*_list
variables define what UNIX system groups should
be present on a given host, and can optionally create or modify configuration
of selected services. The variables are list of YAML dictionaries, each
dictionary defining one UNIX group.
The lists are combined together in the order specified by the
system_groups__combined_list
variable and the entries with the same
name
parameters will be merged. This can be used to change the
configuration of existing entries via Ansible inventory.
Each entry can specify a set of parameters:
name
- Required. The name of the UNIX group to manage. This should be an alphanumeric string, you can check the groupadd(8) manpage for allowed characters. This parameter is used as a key for merging multiple configuration entries together in order of appearance.
gid
- Optional. Specify the group ID (GID) of a given UNIX group. If not specified, it will be selected automatically.
system
- Optional, boolean. If
True
(default), the created UNIX group will be a "system" group with GID < 1000. state
Optional. If
present
, the specified UNIX group will be created and its configuration in different services will be set. Ifabsent
, the UNIX group will not be created, but existing configuration will be left in place.If
init
, the configuration for a given UNIX group will be prepared but it will not be active - this can be done conditionally in a later configuration entry. Ifignore
, a given configuration entry will be ignored by the role and its parameters will not affect a given UNIX group.members
- Optional. List of UNIX accounts that should be the members of a given UNIX group. Only existing UNIX accounts will be added by the role.
sudoers
Optional. A string or YAML text block which specifies the sudo configuration for a given UNIX group. It will be saved as
/etc/sudoers.d/system_groups-<group>
configuration file.If the value is
False
, or the parameter is not specified, the sudo configuration file will be removed.See sudoers(5) manual page for information about the configuration syntax. The role does not ensure that the configuration is related to the specified UNIX group, you should ensure that independently using the sudo configuration options.
sudoers_filename
- Optional. Override the filename of the sudo configuration file in
the
/etc/sudoers.d/
directory. This might be useful if you need to change the order of the sudo configuration options. You shouldn't change the filename of existing configuration, because the role will lose track of it. tmpfiles
Optional. A string or YAML text block which specifies the configuration of temporary files and directories maintained by the system-tmpfiles command. It will be saved as
/etc/tmpfiles.d/system_groups-<group>.conf
configuration file.If the value is
False
, or the parameter is not specified, the systemd-tmpfiles configuration file will be removed.See tmpfiles.d(5) manual page for information about the configuration syntax. The role does not ensure that the configuration is related to the specified UNIX group, you should ensure that independently using the systemd-tmpfiles configuration options.
tmpfiles_filename
- Optional. Override the filename of the systemd-tmpfiles
configuration file in the
/etc/tmpfiles.d/
directory. This might be useful if you need to change the order of the systemd-tmpfiles configuration options. You shouldn't change the filename of existing configuration, because the role will lose track of it. The filename should contain the.conf
suffix, otherwise it will be ignored by systemd-tmpfiles command.
The role maintains a simple Access Control List using Ansible local facts which can be used by other Ansible roles to augment their configuration. The parameters below control the ACL configuration.
access
Optional. A string or a list of resources which correspond to Access Control List entries. A given UNIX group will be added to all of the ACL entries with corresponding resources.
The
access
parameter should be used in default or initial configuration, using it in the inventory will override the default list of resources of a given UNIX group.allow
Optional. A string or a list of resources which correspond to Access Control List entries. A given UNIX group will be added to all of the ACL entries with corresponding resources.
The
allow
parameter should be used in additional configuration entries to augment an existing ACL entries. Currently the configuration of ACL from multiple entries is not merged automatically, but existing ACL entries are preserved.deny
Optional. A string or a list of resources which corresdpond to Access Control List entries. A given UNIX group will be removed from all of the ACL entries specified here.
The
deny
parameter should be used in additional configuration entries to augment an existing ACL entries. Currently the configuration of ACL from multiple entries is not merged automatically, but existing ACL entries are preserved.
Examples¶
Create a system UNIX group for an application that is composed of multiple UNIX accounts for better access control. The group will use a temporary directory as a shared communication channel and will allow its members to reload system services via sudo commands. Members of the group will be allowed to connect to the host via SSH.
system_groups__list:
- name: 'application'
members: [ 'app-core', 'app-webui', 'app-admin1', 'app-admin2' ]
sudoers: |
User_Alias APP_ADMINS = app-admin1, app-admin2
Runas_Alias APP_SERVICES = app-core, app-webui
Cmnd_Alias APP_RELOAD = /bin/systemctl reload app-core.service,\
/bin/systemctl reload app-webui.service
Cmnd_Alias APP_RESTART = /bin/systemctl restart app-core.service,\
/bin/systemctl restart app-webui.service
Cmnd_Alias APP_STATUS = /bin/systemctl status app-core.service,\
/bin/systemctl status app-webui.service
# Allow service reloads for all members, even services
%application ALL = (root) NOPASSWD: APP_RELOAD
# Allow more control over services for application administrators
APP_ADMINS ALL = (root) NOPASSWD: APP_RESTART, APP_STATUS
# Allow administrators to switch to the service UNIX accounts and run
# commands on their behalf, after authentication
APP_ADMINS ALL = (APP_SERVICES) ALL
tmpfiles: |
# Temporary directory for UNIX sockets
d /run/application 2771 root application - -
access: [ 'sshd' ]
You might need to add the individual accounts to the UNIX group in your role if
they don't exist before the debops.system_groups
role is executed,
afterwards the role will ensure that the specified members are present in the
group.