Getting started

Access Control List

The debops.system_groups role maintains a simple Access Control List in the Ansible local facts, under the ansible_local.system_groups.access.* variable hierarchy. Other roles can inspect it to get a list of UNIX group names which they can use to configure access in their respective applications.

The ansible_local.system_groups.access variable is a YAML dictionary. Each key of this dictionary corresponds to a particular resource, and the value is a list of UNIX group names. The resources are user-defined; by default the role creates:

root

Members of these UNIX groups have full, privileged access to the root account on a given host. This resource should be reserved for system administrators.

sshd

Members of these UNIX groups can log in to the host via the SSH service. See the debops.sshd role for more details.

webserver

Members of these UNIX groups can manage various webserver-related services. See the debops.nginx and debops.php roles for more details.
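
To show how a consumer reads the ACL, here is an added example task file (not code from the debops.system_groups or debops.sshd roles) that turns the sshd resource into an sshd_config AllowGroups directive. The sshd__allow_groups variable name and the 'Restart sshd' handler are assumptions made for the illustration. A missing or empty list would otherwise be written out as a bare AllowGroups line and deny every SSH login, so the tasks refuse to continue in that case instead of locking the host.

```yaml
---
# Added example, not part of the debops.system_groups or debops.sshd roles.
# Read the 'sshd' resource of the ACL kept in Ansible local facts and use it
# to restrict SSH logins. Local facts are gathered with the normal facts;
# if debops.system_groups has not run yet, the variable is undefined, so the
# lookup falls back to an empty list and the assert below stops the play.
- name: Read the list of UNIX groups allowed to log in over SSH
  ansible.builtin.set_fact:
    # Variable name is an assumption for this example
    sshd__allow_groups: '{{ ansible_local.system_groups.access.sshd | d([]) }}'

- name: Refuse to write an AllowGroups directive that would deny all logins
  ansible.builtin.assert:
    that: [ 'sshd__allow_groups | length > 0' ]
    fail_msg: 'ansible_local.system_groups.access.sshd is missing or empty; run the debops.system_groups role first'

- name: Restrict SSH logins to the groups listed in the ACL
  ansible.builtin.lineinfile:
    path: '/etc/ssh/sshd_config'
    regexp: '^#?AllowGroups\s'
    line: '{{ "AllowGroups " + (sshd__allow_groups | unique | join(" ")) }}'
    # Let sshd check the syntax of the new file before it replaces the old one
    validate: '/usr/sbin/sshd -t -f %s'
  notify: [ 'Restart sshd' ]  # handler name is an assumption for this example
```

The same pattern applies to the root and webserver resources: look the list up with a default, check that it is non-empty before it is turned into an allow-list, and validate the generated configuration before it is installed.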

Example inventory

The debops.system_groups role is included by default in the common.yml DebOps playbook; you don't need to add hosts to any Ansible groups to enable it.

Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.system_groups role:

---

- name: Configure UNIX system groups
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_system_groups' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  roles:

    - role: python
      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
      python__dependent_packages3:
        - '{{ ldap__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ ldap__python__dependent_packages2 }}'

    - role: ldap
      tags: [ 'role::ldap', 'skip::ldap' ]
      ldap__dependent_tasks:
        - '{{ sudo__ldap__dependent_tasks }}'

    - role: sudo
      tags: [ 'role::sudo', 'skip::sudo' ]

    - role: system_groups
      tags: [ 'role::system_groups', 'skip::system_groups' ]

Ansible tags

You can use the Ansible --tags or --skip-tags parameters to limit what tasks are performed during an Ansible run. This can be used after a host has been configured for the first time to speed up playbook execution, when you are sure that most of the configuration is already in the desired state.

Available role tags:

role::system_groups

Main role tag; it should be used in the playbook to execute all of the role tasks as well as the role dependencies.

Other resources

List of other useful resources related to the debops.system_groups Ansible role: