Getting started

Access Control List

The debops.system_groups role maintains a simple Access Control List in the Ansible local facts, under the ansible_local.system_groups.access.* variable hierarchy. Other roles can inspect it to get a list of UNIX group names which they can then use to configure access in their respective applications.
The ansible_local.system_groups.access variable is a YAML dictionary. Each key of this dictionary corresponds to a particular resource, and the value is a list of UNIX group names. The resources are user-defined; by default the role creates:

root
    Members of these UNIX groups have full, privileged access to the root account on a given host. This resource should be reserved for system administrators.

sshd
    Members of these UNIX groups can log in to the host via the SSH service. See the debops.sshd role for more details.

webserver
    Members of these UNIX groups can manipulate various webserver-related services. See the debops.nginx and debops.php roles for more details.
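The following is an added example, not code from DebOps itself, that models in Python what a consuming role does with this fact: it reads the resource -> group list dictionary, renders the sshd AllowGroups line from the sshd resource, and audits the root resource against /etc/group. The fact contents, the group names and the /etc/group excerpt are constructed sample values, not DebOps defaults.

```python
import json

# Constructed sample of the ansible_local.system_groups.access fact, as JSON
# the way a facts.d script would print it; the group names are assumed.
SAMPLE_FACT_JSON = json.dumps({
    "access": {
        "root": ["admins"],
        "sshd": ["admins", "sshusers"],
        "webserver": ["admins", "webadmins"],
    }
})

# Constructed /etc/group excerpt used for the membership checks below.
SAMPLE_ETC_GROUP = """\
root:x:0:
admins:x:1000:alice
sshusers:x:1001:alice,bob
www-data:x:33:
"""


def parse_etc_group(text):
    """Map group name -> set of supplementary members from group(5) lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _passwd, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def access_list(fact_json):
    """Return the resource -> [group, ...] dictionary from the local fact."""
    return json.loads(fact_json)["access"]


def sshd_allow_groups(access):
    """Render the sshd_config line a consuming role would template from the 'sshd' resource."""
    return "AllowGroups " + " ".join(access["sshd"])


def audit(access, groups):
    """Flag ACL groups that do not exist on the host, and list who gets root access."""
    missing = sorted({g for names in access.values() for g in names if g not in groups})
    root_users = sorted({u for g in access["root"] for u in groups.get(g, ())})
    return {"missing_groups": missing, "root_users": root_users}


if __name__ == "__main__":
    acl = access_list(SAMPLE_FACT_JSON)
    print(sshd_allow_groups(acl))
    print(audit(acl, parse_etc_group(SAMPLE_ETC_GROUP)))
```

A group listed in the ACL but absent from /etc/group (webadmins in the sample) grants nobody access, which the audit surfaces as a configuration gap rather than silently ignoring it.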
Example inventory

The debops.system_groups role is included by default in the common.yml DebOps playbook; you don't need to add hosts to any Ansible groups to enable it.
Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.system_groups role:

```yaml
---
- name: Configure UNIX system groups
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_system_groups' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'

  roles:

    - role: python
      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
      python__dependent_packages3:
        - '{{ ldap__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ ldap__python__dependent_packages2 }}'

    - role: ldap
      tags: [ 'role::ldap', 'skip::ldap' ]
      ldap__dependent_tasks:
        - '{{ sudo__ldap__dependent_tasks }}'

    - role: sudo
      tags: [ 'role::sudo', 'skip::sudo' ]

    - role: system_groups
      tags: [ 'role::system_groups', 'skip::system_groups' ]
```
Ansible tags

You can use the Ansible --tags or --skip-tags parameters to limit which tasks are performed during an Ansible run. This can be used after a host was first configured to speed up playbook execution, when you are sure that most of the configuration is already in the desired state.

Available role tags:

role::system_groups
    Main role tag, should be used in the playbook to execute all of the role tasks as well as role dependencies.
Other resources

List of other useful resources related to the debops.system_groups Ansible role:
- Manual pages: group(5), sudoers(5), tmpfiles.d(5)
- Debian System Groups documentation on Debian Wiki
- UNIX permissions documentation on Debian Wiki
- User Private Groups documentation on Debian Wiki
- Security privileges documentation on Ubuntu Wiki
- Multi User Management documentation on Ubuntu Wiki
- UNIX group identifier page on Wikipedia