Default variable details¶

Some of debops.system_groups default variables have more extensive configuration than simple strings or lists, here you can find documentation and examples for them.

system_groups__list

system_groups__list ¶

The system_groups__*_list variables define what UNIX system groups should be present on a given host, and can optionally create or modify configuration of selected services. The variables are list of YAML dictionaries, each dictionary defining one UNIX group.

The lists are combined together in the order specified by the system_groups__combined_list variable and the entries with the same name parameters will be merged. This can be used to change the configuration of existing entries via Ansible inventory.

Each entry can specify a set of parameters:

name

Required. The name of the UNIX group to manage. This should be an alphanumeric string, you can check the groupadd(8) manpage for allowed characters. This parameter is used as a key for merging multiple configuration entries together in order of appearance.

gid

Optional. Specify the group ID (GID) of a given UNIX group. If not specified, it will be selected automatically.

system

Optional, boolean. If True (default), the created UNIX group will be a "system" group with GID < 1000.

state

Optional. If present, the specified UNIX group will be created and its configuration in different services will be set. If absent, the UNIX group will not be created, but existing configuration will be left in place.

If init, the configuration for a given UNIX group will be prepared but it will not be active - this can be done conditionally in a later configuration entry. If ignore, a given configuration entry will be ignored by the role and its parameters will not affect a given UNIX group.

members

Optional. List of UNIX accounts that should be the members of a given UNIX group. Only existing UNIX accounts will be added by the role.

sudoers

Optional. A string or YAML text block which specifies the sudo configuration for a given UNIX group. It will be saved as /etc/sudoers.d/system_groups-<group> configuration file.

If the value is False, or the parameter is not specified, the sudo configuration file will be removed.

See sudoers(5) manual page for information about the configuration syntax. The role does not ensure that the configuration is related to the specified UNIX group, you should ensure that independently using the sudo configuration options.

sudoers_filename

Optional. Override the filename of the sudo configuration file in the /etc/sudoers.d/ directory. This might be useful if you need to change the order of the sudo configuration options. You shouldn't change the filename of existing configuration, because the role will lose track of it.

tmpfiles

Optional. A string or YAML text block which specifies the configuration of temporary files and directories maintained by the system-tmpfiles command. It will be saved as /etc/tmpfiles.d/system_groups-<group>.conf configuration file.

If the value is False, or the parameter is not specified, the systemd-tmpfiles configuration file will be removed.

See tmpfiles.d(5) manual page for information about the configuration syntax. The role does not ensure that the configuration is related to the specified UNIX group, you should ensure that independently using the systemd-tmpfiles configuration options.

tmpfiles_filename

Optional. Override the filename of the systemd-tmpfiles configuration file in the /etc/tmpfiles.d/ directory. This might be useful if you need to change the order of the systemd-tmpfiles configuration options. You shouldn't change the filename of existing configuration, because the role will lose track of it. The filename should contain the .conf suffix, otherwise it will be ignored by systemd-tmpfiles command.

The role maintains a simple Access Control List using Ansible local facts which can be used by other Ansible roles to augment their configuration. The parameters below control the ACL configuration.

access

Optional. A string or a list of resources which correspond to Access Control List entries. A given UNIX group will be added to all of the ACL entries with corresponding resources.

The access parameter should be used in default or initial configuration, using it in the inventory will override the default list of resources of a given UNIX group.

allow

Optional. A string or a list of resources which correspond to Access Control List entries. A given UNIX group will be added to all of the ACL entries with corresponding resources.

The allow parameter should be used in additional configuration entries to augment an existing ACL entries. Currently the configuration of ACL from multiple entries is not merged automatically, but existing ACL entries are preserved.

deny

Optional. A string or a list of resources which corresdpond to Access Control List entries. A given UNIX group will be removed from all of the ACL entries specified here.

The deny parameter should be used in additional configuration entries to augment an existing ACL entries. Currently the configuration of ACL from multiple entries is not merged automatically, but existing ACL entries are preserved.

Examples¶

Create a system UNIX group for an application that is composed of multiple UNIX accounts for better access control. The group will use a temporary directory as a shared communication channel and will allow its members to reload system services via sudo commands. Members of the group will be allowed to connect to the host via SSH.

system_groups__list:

  - name: 'application'
    members: [ 'app-core', 'app-webui', 'app-admin1', 'app-admin2' ]
    sudoers: |
      User_Alias  APP_ADMINS   = app-admin1, app-admin2
      Runas_Alias APP_SERVICES = app-core, app-webui

      Cmnd_Alias  APP_RELOAD   = /bin/systemctl reload app-core.service,\
                                 /bin/systemctl reload app-webui.service

      Cmnd_Alias  APP_RESTART  = /bin/systemctl restart app-core.service,\
                                 /bin/systemctl restart app-webui.service

      Cmnd_Alias  APP_STATUS   = /bin/systemctl status app-core.service,\
                                 /bin/systemctl status app-webui.service

      # Allow service reloads for all members, even services
      %application ALL = (root) NOPASSWD: APP_RELOAD

      # Allow more control over services for application administrators
      APP_ADMINS ALL = (root) NOPASSWD: APP_RESTART, APP_STATUS

      # Allow administrators to switch to the service UNIX accounts and run
      # commands on their behalf, after authentication
      APP_ADMINS ALL = (APP_SERVICES) ALL
    tmpfiles: |
      # Temporary directory for UNIX sockets
      d   /run/application   2771 root application  - -
    access: [ 'sshd' ]

You might need to add the individual accounts to the UNIX group in your role if they don't exist before the debops.system_groups role is executed, afterwards the role will ensure that the specified members are present in the group.

Default variable details¶

system_groups__list¶

Examples¶

system_groups__list ¶