debops.root_account default variables
General configuration
- root_account__enabled
Whether to manage the root account.
root_account__enabled: True
- root_account__shell_package_map
YAML dictionary that maps known shells used in the /etc/passwd
database to the APT packages with these shells. The role will install missing
shell packages if the root account uses one of them as its login shell.
root_account__shell_package_map:
  '/bin/bash': 'bash'
  '/bin/csh': 'csh'
  '/usr/bin/fish': 'fish'
  '/bin/ksh': 'ksh'
  '/bin/zsh': 'zsh'
- root_account__base_packages
List of APT packages required by the role.
root_account__base_packages: [ 'openssh-client' ]
- root_account__shell_packages
List of login shell APT packages expected on the host.
root_account__shell_packages: '{{ lookup("template", "lookup/root_account__shell_packages.j2") | from_yaml }}'
- root_account__packages
List of additional APT packages to install for root account support.
root_account__packages: []
- root_account__password
Password set on the root account, saved in secrets.
root_account__password: '{{ lookup("password", secret
                            + "/credentials/" + inventory_hostname
                            + "/root_account/password encrypt=sha512_crypt length="
                            + root_account__password_length | string) }}'
- root_account__password_length
Length of the root password.
root_account__password_length: '32'
- root_account__password_update
This variable controls if the role should update the root account
password on each run. By default it will be updated only the first time the
role is executed. If you want to update the password on each run, set this
variable to True.
root_account__password_update: '{{ False
                                   if (ansible_local.root_account.configured|d())
                                   else True }}'
- root_account__generate_ssh_key
Whether to generate an SSH key pair for root.
root_account__generate_ssh_key: True
- root_account__ssh_key_type
Specify the SSH private key type to use. By default the role will generate ED25519 keys if they are supported by the remote host, otherwise RSA keys will be generated.
root_account__ssh_key_type: '{{ "ed25519"
                                if ("ssh-ed25519" in root_account__register_key_types.stdout_lines)
                                else "rsa" }}'
- root_account__ssh_key_file
Absolute path to the SSH private key to manage.
root_account__ssh_key_file: '/root/.ssh/id_{{ root_account__ssh_key_type }}'
- root_account__ssh_key_comment
Custom comment added to the generated SSH public key.
root_account__ssh_key_comment: 'root@{{ ansible_hostname }} generated by Ansible'
- root_account__ssh_key_bits
Specifies the number of bits in the key to create, only relevant for RSA keys.
root_account__ssh_key_bits: '4096'
- root_account__group
Define the primary UNIX system group of the root UNIX account. The
primary root group might be different on other operating systems, for
example FreeBSD.
root_account__group: '{{ "wheel"
                         if (ansible_distribution in [ "FreeBSD" ])
                         else "root" }}'
- root_account__shell
Default root shell, set to empty string to not change the shell.
root_account__shell: ''
The root dotfiles
The dotfiles of the root account are managed using the yadm
script, installed by the debops.yadm role.
- root_account__dotfiles_enabled
Enable or disable dotfiles management, depending on the availability of the dotfiles repository installed by the debops.yadm role.
root_account__dotfiles_enabled: '{{ True
                                    if ansible_local.yadm.dotfiles|d()
                                    else False }}'
- root_account__dotfiles_repo
A URL or an absolute directory path of the git repository that
contains dotfiles for the root account.
root_account__dotfiles_repo: '{{ ansible_local.yadm.dotfiles|d("") }}'
Subordinate UID/GID ranges
- root_account__subuid_enabled
Enable or disable configuration of subordinate UIDs/GIDs for the root
system account.
root_account__subuid_enabled: True
- root_account__subuid_start
List of subordinate UID/GID numbers which can be remapped to be the root
account in new user namespaces created by the system root account.
Multiple UID/GID ranges are possible; for security reasons they shouldn't
overlap with either normal system UID/GID ranges or other subordinate UID/GID
ranges. Check the contents of the /etc/subuid and /etc/subgid files to verify
what UID/GID ranges are used on a given host.
If the debops.ldap role was applied on the host, the default UID/GID ranges will change to include the ranges used in the LDAP directory.
root_account__subuid_start: [ '{{ (ansible_local.ldap.uid_gid_max|int + 1)
                                  if (ansible_local|d() and ansible_local.ldap|d() and
                                      (ansible_local.ldap.uid_gid_max|int > 100000))
                                  else "100000" }}' ]
- root_account__subuid_count
Specify the number of UIDs/GIDs to reserve for a given subordinate UID/GID
range. Remember that using a lower UID/GID number than 65535 may cause issues
due to some system accounts like nobody and groups like nogroup
having UID and GID numbers at the end of the normal 0-65535 range.
If the debops.ldap role was applied on the host, the default UID/GID ranges will change to include the ranges used in the LDAP directory.
root_account__subuid_count: '{{ ansible_local.ldap.uid_gid_max
                                if (ansible_local|d() and ansible_local.ldap|d() and
                                    (ansible_local.ldap.uid_gid_max|int > 65536))
                                else "65535" }}'
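
The overlap check recommended above for /etc/subuid and /etc/subgid, as an added example that is not part of the DebOps role or its documentation: it parses the name:start:count format and reports ranges that reach into the normal 0-65535 range or collide with each other. The function names and the sample entries are constructed for illustration.

```python
# Added example: audit subordinate ID ranges in /etc/subuid or /etc/subgid format.
from itertools import combinations

NORMAL_MAX = 65535  # end of the normal 0-65535 UID/GID range named above


def parse_subid(text):
    """Parse 'name:start:count' lines into (name, first, last) tuples."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3 or not (fields[1].isdecimal() and fields[2].isdecimal()):
            raise ValueError(f"line {lineno}: expected name:start:count")
        start, count = int(fields[1]), int(fields[2])
        if count < 1:
            raise ValueError(f"line {lineno}: count must be at least 1")
        ranges.append((fields[0], start, start + count - 1))
    return ranges


def audit(ranges):
    """Return findings for ranges that collide with normal IDs or each other."""
    findings = []
    for name, first, last in ranges:
        if first <= NORMAL_MAX:
            findings.append(f"{name} {first}-{last} overlaps normal range 0-{NORMAL_MAX}")
    for (n1, f1, l1), (n2, f2, l2) in combinations(ranges, 2):
        if f1 <= l2 and f2 <= l1:  # closed intervals intersect
            findings.append(f"{n1} {f1}-{l1} overlaps {n2} {f2}-{l2}")
    return findings


# Constructed sample in /etc/subuid format (not taken from a real host).
SAMPLE = """\
root:100000:65535
alice:165535:65536
bob:231071:65536
backup:60000:10000
carol:200000:65536
"""

if __name__ == "__main__":
    for finding in audit(parse_subid(SAMPLE)):
        print(finding)
```

Pass the contents of /etc/subuid or /etc/subgid to parse_subid() in place of SAMPLE to check a given host.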