Getting started
Default configuration
By default, the role does not configure any access rules in the
/etc/security/access.conf file. Control over this file is initialized
using a configuration entry named global. See the examples in
pam_access__rules for an explanation of how to use it in the Ansible
inventory to set the access rules.
The role is designed to be used by other Ansible roles to manage their own
access lists, with a custom file per service. However, the rules defined via
dependent variables are not tracked outside of the context of a given role
(i.e. in different playbooks), and roles cannot affect each other's access
rules using this method. Similarly, in the Ansible inventory users should set
the state of the defined rules to append, so that they don't clobber the
existing rule files when the debops.pam_access role is executed on its own, or
via a different playbook.
The activation of the pam_access.so PAM module for each service is not
managed by the debops.pam_access role itself, and should be managed by
the Ansible roles designed to configure the services.
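Because the role writes access files but does not activate pam_access.so, a rule file that no PAM service loads is never evaluated. The following is an added example, not part of the debops.pam_access role, that audits PAM service definitions for this gap; the function names, the sample service contents and the access-sshd.conf / access-cron.conf paths are constructed for illustration.

```python
DEFAULT_ACCESSFILE = "/etc/security/access.conf"  # default per pam_access(8)

# Constructed sample PAM service files (service name -> file content).
SAMPLE_SERVICES = {
    "sshd": "auth required pam_env.so\n"
            "account required pam_access.so \\\n"
            "    accessfile=/etc/security/access-sshd.conf  # per-service file\n",
    "cron": "account [success=1 default=ignore] pam_succeed_if.so uid = 0\n"
            "-session optional pam_systemd.so\n"
            "#account required pam_access.so\n",
}


def pam_access_entries(pam_text):
    """Return (type, control, accessfile) for every active pam_access.so line."""
    entries = []
    # pam.d(5) allows a backslash-newline to continue a line.
    for raw in pam_text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] == "@include":
            continue
        mod_type, rest = fields[0].lstrip("-"), fields[1:]
        # Control is one word or a bracketed "[value=action ...]" list.
        end = 0
        if rest[0].startswith("["):
            end = next((i for i, f in enumerate(rest) if f.endswith("]")), None)
            if end is None:
                continue  # malformed control field
        control, module_and_args = " ".join(rest[:end + 1]), rest[end + 1:]
        if not module_and_args or module_and_args[0].rsplit("/", 1)[-1] != "pam_access.so":
            continue
        accessfile = DEFAULT_ACCESSFILE
        for arg in module_and_args[1:]:
            if arg.startswith("accessfile="):
                accessfile = arg.split("=", 1)[1]
        entries.append((mod_type, control, accessfile))
    return entries


def unreferenced_access_files(managed_files, services):
    """Access files that no PAM service loads, so their rules are never evaluated."""
    used = {e[2] for text in services.values() for e in pam_access_entries(text)}
    return [path for path in managed_files if path not in used]


if __name__ == "__main__":
    managed = ["/etc/security/access-sshd.conf", "/etc/security/access-cron.conf"]
    print(unreferenced_access_files(managed, SAMPLE_SERVICES))
```

The parser does not follow @include lines, so on a real host feed it the included files (for example the common-account stack) as additional services.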
Example inventory
The debops.pam_access role is included in the DebOps common playbook, therefore you don't need to do anything special to enable it on a host.
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.pam_access role:
    ---

    - name: Manage PAM Access Control Lists
      collections: [ 'debops.debops', 'debops.roles01',
                     'debops.roles02', 'debops.roles03' ]
      hosts: [ 'debops_all_hosts', 'debops_service_pam_access' ]
      become: True

      environment: '{{ inventory__environment | d({})
                       | combine(inventory__group_environment | d({}))
                       | combine(inventory__host_environment | d({})) }}'

      roles:

        - role: pam_access
          tags: [ 'role::pam_access', 'skip::pam_access' ]
Other resources
List of other useful resources related to the debops.pam_access Ansible role:
Manual pages: pam_access(8), access.conf(5)