robertdebock / ansible-role-users Goto Github PK

View Code? Open in Web Editor NEW

38.0 5.0 27.0 334 KB

The purpose of this role is to add users and groups on your system.

Home Page: https://robertdebock.nl/

License: Apache License 2.0

Jinja 100.00%

users server sudo system ansible molecule tox playbook

ansible-role-users's Introduction

Ansible role users

The purpose of this role is to add users and groups on your system.

GitHub	GitLab	Downloads	Version

Example Playbook

This example is taken from molecule/default/converge.yml and is tested on each push, pull request and release.

---
- name: Converge
  hosts: all
  become: true
  gather_facts: true

  roles:
    - role: robertdebock.users
      # You can create groups:
      users_groups:
        - name: robertdb
          gid: 1024
        - name: users
        # You can also remove groups.
        - name: notgroup
          state: absent
          # A system group is also possible.
        - name: systemgroup
          system: true

      # You can create users.
      users:
        - name: root
          cron_allow: true
          # You can remove authorized keys.
          unauthorized_keys:
            - "ssh-rsa XYZYX54321"
        - name: robertdb
          comment: Robert de Bock
          uid: 1024
          # The `group` and `groups` listed here should exist.
          group: robertdb
          # groups: A list of groups
          # groups:
          #   - users
          #   - wheel
          groups:
            - users
          cron_allow: true
          sudo_options: "ALL=(ALL) NOPASSWD: ALL"
          # Adding an authorized key.
          authorized_keys:
            - "ssh-rsa ABC123"
          # EPOCH timestamp when an account should expire.
          # Typically a positive value like: `1641971487`.
          # The value `-1` removes the expiry time.
          expires: -1
          password_validity_days: 9
          # Test username with dots
        - name: robert.d.b
          comment: Robert de Bock with dots in username
          uid: 1025
          # The `group` and `groups` listed here should exist.
          group: robertdb
          # groups: A list of groups
          # groups:
          #   - users
          #   - wheel
          groups:
            - users
          cron_allow: true
          # Allow sudo, but require a password.
          sudo_options: "ALL=(ALL) ALL"
          # Adding an authorized key.
          authorized_keys:
            - "ssh-rsa ABC123"
          # EPOCH timestamp when an account should expire.
          # Typically a positive value like: `1641971487`.
          # The value `-1` removes the expiry time.
          expires: -1
          password_validity_days: 9
        # Here a user is removed.
        - name: notuser
          state: absent
        - name: keyuser
          manage_ssh_key: true
        - name: privkeyuser
          # This user will have ssh-keys generated.
          manage_ssh_key: true
          copy_private_key: true
        - name: multiplekeys
          authorized_keys:
            - "ssh-rsa ABC1234"
            - "ssh-rsa ABC12345"
        - name: passuser
          # You can set a password. (Hashed and salted.)
          password: "$6$mysecretsalt$qJbapG68nyRab3gxvKWPUcs2g3t0oMHSHMnSKecYNpSi3CuZm.GbBqXO8BE6EI6P1JUefhA0qvD7b5LSh./PU1"
          update_password: on_create
        - name: remotekey
          authorized_keys:
            # You can also download a public key from a URL.
            - "https://raw.githubusercontent.com/shaanr/smdb/master/file.pub"
        - name: systemuser
          system: true
        - name: multisudo
          # An account that can run just a few commands without a password.
          sudo_options:
            - "ALL= NOPASSWD: /usr/bin/systemctl restart httpd"
            - "ALL= NOPASSWD: /usr/bin/systemctl start httpd"
            - "ALL= NOPASSWD: /usr/bin/systemctl stop httpd"
        - name: myprivkeyuser
          private_keys:
            - name: id_rsa
              content: |
                -----BEGIN OPENSSH PRIVATE KEY-----
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
                NhAAAAAwEAAQAAAYEA4CaHuEpYaSJOwVBU2vW+KVebLv33hGcRqGJrzHCcwlLAf4u+Eigm
                mtqD5qosHONAs07G3QyrViR1jTWrJh/1ShTyZ/Fv7AUM/4fFyWYEmt2Rd+ZprojzZ1HUe4
                Hlp4GV9cC28Ic7g1pglt4a4xHjhlt+J63xz+hOHbPWNfeB0Fl6+s7LB/JHbsti0qullhaf
                L2PYyH21FrCLVouOyQpHpAAjCGC264Dvke/LSReE7z7CrFc7pBZAd9McFIEVXNJPVRWOjZ
                IePXnDLclIYceqDJV1elP6bCb8l9m3K4k/pbHjVgjIRCLXsD+yCgPvnfUBRaK7IWZWqSc0
                EDJAt7+THeksVf4kamxzZlnWfmsJ323gvktlMjBhSfKdB6YXmD8MQGOPqATAbwed/1ZDAX
                L90GyzYNBwx+jUxCOOItGEMwXQEImaVO6nfiG5Zgn6MwjP2gQ3lDVZgjhaXJM6B3PZQU4t
                MLDl8jZeCmjbltppKQ6OJx8QwImrSWcXr+lFKh7FAAAFoP+Ytw7/mLcOAAAAB3NzaC1yc2
                EAAAGBAOAmh7hKWGkiTsFQVNr1vilXmy7994RnEahia8xwnMJSwH+LvhIoJprag+aqLBzj
                QLNOxt0Mq1YkdY01qyYf9UoU8mfxb+wFDP+HxclmBJrdkXfmaa6I82dR1HuB5aeBlfXAtv
                CHO4NaYJbeGuMR44Zbfiet8c/oTh2z1jX3gdBZevrOywfyR27LYtKrpZYWny9j2Mh9tRaw
                i1aLjskKR6QAIwhgtuuA75Hvy0kXhO8+wqxXO6QWQHfTHBSBFVzST1UVjo2SHj15wy3JSG
                HHqgyVdXpT+mwm/JfZtyuJP6Wx41YIyEQi17A/sgoD7531AUWiuyFmVqknNBAyQLe/kx3p
                LFX+JGpsc2ZZ1n5rCd9t4L5LZTIwYUnynQemF5g/DEBjj6gEwG8Hnf9WQwFy/dBss2DQcM
                fo1MQjjiLRhDMF0BCJmlTup34huWYJ+jMIz9oEN5Q1WYI4WlyTOgdz2UFOLTCw5fI2Xgpo
                25baaSkOjicfEMCJq0lnF6/pRSoexQAAAAMBAAEAAAGAVBC/R/PCErQGO2QoXvJZPmIX1l
                jzcpnBOpim+0ak1BB7F5rOTzr1t5AKdgEOiEsGofkChjbRL35/A9XD+Yl00jLm8urO4gLG
                7DL8j9sOERLWEtS8f/Pm7bH38dY2zkrAdimvsqfVPx8vKIXmKZE09tfriXAoR6RFX8hpp1
                XLPtvATr4t0S4hckEfMAmmEZMsYnadABx9RSQzLeMrSuTrF2vht6umDs8NinsXj7MdbSjp
                k/8nZBPgW9A2MM50t5o76LNGa2UwIlAtEQRTGcSyEqMTZ9TOndiNUT9vtx1/ddq6YwH8S3
                mF5CqLW92nOr8dE6lUwSmGgHquMKGNjjIWtJO9vdV6/m4SOo6Sxiq14w+NSlJpkGAssJlb
                lyxbRiKK3tEpLOLQMS4i0SK++MsDgyxfBgDKCpBlfQRs3/RJzWO82abTMuyJj3XkN3DkiN
                fppX4S7nVjtYV1TD4e5kMHgfKHHckvMgwzxrtyLB1r7D+qDcH3D7wUWJS4cs3ECuCFAAAA
                wC+Hw6tg38zIFBF4h2nqbYRy7ifGUT3Wo0I5V6rJtEwSMXx71ZocLH/synywdITu8koZD7
                JIYze4Zey9kdsgc8ZKTwSAsZoYqx8YKaICM61yQ9JaoyA9oFIFtaJ/+XLjAgoYr4VN3/T3
                Jv57DjEzl5FAAuWGkmSWDEEJiE1BcBH+QuodWIhdZrUdbbb26XjVBea3N2THckkavjj4eD
                m0tzzDO0VeTxM0bB+gG/bi07I8vs1EcDCAism29PdSEL6D8AAAAMEA+7N2Q9DK9MihH0+J
                TYcaucrPN6U09FKjo/2wbitO2/IbTsmHcilJUcCdXDMFPg6bSPl1MRzxBKnkfZO8xW9NRq
                lg4NL6SwaBj3stV/WqQpdCzrvu9mMPbu6dY6O8qvbv6GKknBlYiLjbeW+Ov43GYWKC3QNU
                w7d7Yx2wEfMmVACp4vsjhxgI6KEKAG6dlf25CbTvxRWYcaprrmMn0h9m8UOCRNPdPyOQ/t
                aIjGBEPHzOf/dxGCZXGQEKk9ABMsDXAAAAwQDj+psz4GORg10kHVxRwdkKRIUBTZSk8nzo
                ml45KYDkTnLtRxJvh8jy0/NLGU0xFEew3+MfZIMGOcU7cezXtLhMkEVtKCgCXq2kqMHzta
                rLGVWU0xcXVygKQmUva3kdscEHO1voRIzn1dZPOZQMIZoQysdOF0mUflbVVSE1why8lMkM
                wwWPYUZK7yTOYnZ08HusE9M0A77Th2SzTCDz2Vlw4YwJU0+4PD7i2wEGNgbzt/WnAj6kOG
                ql74i8K7EiPcMAAAAlcm9iZXJ0ZGJATWFjQm9vay1Qcm8tdmFuLVJvYmVydC5sb2NhbAEC
                AwQFBg==
                -----END OPENSSH PRIVATE KEY-----

The machine needs to be prepared. In CI this is done using molecule/default/prepare.yml:

---
- name: Prepare
  hosts: all
  become: true
  gather_facts: false

  roles:
    - role: robertdebock.bootstrap
    - role: robertdebock.core_dependencies

  tasks:
    - name: Set authorized keys for root
      ansible.posix.authorized_key:
        user: root
        state: present
        key: "ssh-rsa XYZYX54321"

Also see a full explanation and example on how to use these roles.

Role Variables

The default values for the variables are set in defaults/main.yml:

---
# defaults file for users

# The location to store ssh keys for user
users_ssh_key_directory: ssh_keys

# The default shell if not overwritten.
users_shell: /bin/bash

# manage cron permissions via /etc/cron.allow
users_cron_allow: true

# should homedirectories be created?
users_create_home: true

Requirements

pip packages listed in requirements.txt.

State of used roles

The following roles are used to prepare a system. You can prepare your system in another way.

Requirement	GitHub	GitLab
robertdebock.bootstrap
robertdebock.core_dependencies

Context

This role is a part of many compatible roles. Have a look at the documentation of these roles for further information.

Here is an overview of related roles:

Compatibility

This role has been tested on these container images:

container	tags
Alpine	all
Amazon	Candidate
EL	8, 9
Debian	all
Fedora	all
opensuse	all
Ubuntu	all

The minimum version of Ansible required is 2.12, tests have been done to:

The previous version.
The current version.
The development version.

If you find issues, please register them in GitHub.

Author Information

robertdebock

Please consider sponsoring me.

ansible-role-users's People

Contributors

Stargazers

Watchers

ansible-role-users's Issues

Allow disabling deployment of /etc/cron.allow

Describe the bug
When deploying users with this role (without setting cron_allow: true), an empty file /etc/cron.allow is created (except the ansible_managed header).

Quoting crontab(8):

If the /etc/cron.allow file exists, then you must be listed (one user per line) therein in order to be allowed to use this command.

This means that after using this role, no (other) user is allowed to run cron.

Expected behavior
It should be possible to disable the deployment of /etc/cron.allow. Maybe setting a variable like users_cron_allow: false could do the trick. The default could be true, but I am also fine with false.

Environment

Control node OS: Debian 9 (Debian/stretch)
Control node Ansible version: 2.8.0
Managed node OS: Debian 9 (Debian/stretch)

Add update_password option

Is your feature request related to a problem? Please describe.
When setting a password for a user (on creation) we usually don't want to revert the password once it was changed.

Describe the solution you'd like
The Ansible user module has an update_password parameter which allows to only set the password on_create. It would be nice if we could add this option in user.yml.
I am not sure if we should default to always though, I would vote for on_create, but I would like to hear your opinon.

For root user wrong home directory is used

Describe the bug

When using this role to set root user configurations, the wrong home directory is used: Keys are placed in /home/root instead of /root

Playbook

---
users_user_list:
    - name: root
      authorized_keys: "{{ authorized_keys }}"
      private_keys:
        - name: id_ed25519
          content: "{{ lookup('hashi_vault', 'secret=credentials/keys/machine:private') }}"

---
- name: Bootstrap machines
  hosts: all
  roles:
    - name: robertdebock.core_dependencies
    - name: robertdebock.bootstrap
    - name: robertdebock.auto_update
    - name: robertdebock.locale
    - name: robertdebock.openssh
    - name: robertdebock.users

Output

$ find /root/.ssh/
/root/.ssh/
/root/.ssh/authorized_keys
/root/.ssh/known_hosts

$ find /home/root/.ssh/
/home/root/.ssh/
/home/root/.ssh/id_ed25519

Environment

Target: Fedora release 38 (Thirty Eight)
Role version: 5.5.0

Remove sudo options for user if user.sudo_options is not defined

Describe the bug
When user.sudo_options is removed, /etc/suders.d/{{ user.name }} is not removed.

Expected behavior
When user.sudo_options is removed, we should make sure that /etc/suders.d/{{ user.name }} is removed.

Environment

Control node: Debian 9 (Debian/stretch)
Control node Ansible version: 2.8.0
Managed node OS: Debian 9 (Debian/stretch)

Use task (filename) prefix for the task name

Proposed feature

Use task name prefix like - name: lsp | Install Cargo crates and enable_list: - name[prefix] in Ansible Lint.

Rationale

Because this role is organized into multiple files and can be imported in larger playbook it is important to provide observability for the users. It is common to rely on --list-tasks to quickly identify executable tasks and their locations in the roles.

$ molecule --base-config .config/molecule/config.yml converge -s dev -- --limit workstations --tags nvim --list-tasks
.......

 play #3 (workstations): PPE     TAGS: [ppe]
    tasks:
      namespace.generic.nodejs : prepare | Ensure Nodejs directory exists    TAGS: [deps, nodejs.prepare, nodejs.setup, nvim, ppe]
      namespace.generic.nodejs : prepare | Install unzip package    TAGS: [deps, nodejs.prepare, nodejs.setup, nvim, ppe]
      namespace.generic.nodejs : install | Download NodeJS release source   TAGS: [deps, nodejs.install, nodejs.setup, nvim, ppe]
      namespace.generic.nodejs : environment | Setup NodeJS environment     TAGS: [deps, nodejs.environment, nodejs.setup, nvim, ppe]
      namespace.generic.yarn : install | Install Yarn     TAGS: [deps, install, nvim, ppe, yarn, yarn.install]
      namespace.generic.yarn : config | Add environment     TAGS: [deps, nvim, ppe, yarn, yarn.config]
      namespace.generic.nvim : prepare | Install Neovim build prerequisites     TAGS: [deps, nvim, nvim.prepare, ppe]

As you can see, user is able easily identify the source of particular task.

Same goes to spot the source of failing tasks.

"msg": "groupdel: cannot remove the primary group of user

playbook:

---

- name: user mgr
  hosts: demo
  become: yes
  gather_facts: yes

  roles:
    - role: users
      users_user_list:
        - name: tim
          state: absent

      users_group_list:
        - name: tim
          state: absent

Error in "Ensure the sudoers.d directory is checked..." ?

Describe the bug

Hi,
Ty for you're hard work.

I'm read you're code and, perhaps they have an mistake in tasks/user.yml near line 55 :

- name: user | Ensure the sudoers.d directory is checked for user sudoers files (will be put after EOF if not exists)
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    state: present
    line: "#includedir /etc/sudoers.d"

is a comment, no ?

In my /etc/sudoers file on an debian 11, i have @includedir /etc/sudoers.d

is this an mistake or not ?

Refactor role for real idempotence and enhance users and ssh key features

Is your feature request related to a problem? Please describe.
Currently there is no real idempotence for adding cron.allow and bootstrapping in general.
Furthermore there is no support for managing users and multiple ssh keys over time.

Describe the solution you'd like

add support for bootstrap remote user
add support for more Ansible user attributes
add support for multiple authorized ssh keys per user
add management features for users and ssh keys (create & delete)
add support for openssh password authentication configuration (optional)
add real test case to playbooks

Describe alternatives you've considered
None.

Additional context

GitHub Fork

Let this role create a key pair

It would be great if this role could create a key pair and send the private key to the user.

Both .pub and .ppk

Describe the solution you'd like
Create a key pair on the controlenode, send the private key to the user.

The passphrase should either be generated, or it should be possible to set a passphase.

Option to copy public key or generate SSH keys only on instance

Proposed feature

Either add an option to copy the public key to the node or allow creation of SSH keys on the node itself.

Rationale

When provisioning a new development machine I want to generate an SSH key on the machine which can be uploaded to GitLab/GitHub.

Currently, it is only possible to copy the private key to the machine but not both.
And in the end, I don't need the generated keys on the controller but on the node itself.

Implementation option

The ansible.builtin.user module that is used has this option generate_ssh_key: true which would be enough for my needs.

My users are not created

Describe the bug

When I run my playbooks it does not create my users and also in the /etc/ssh/sshd_config file the ALLOW USERS section does it as follows, the name separated by spaces. Example:

AllowUsers f e r n a n d o

Requirements

run command:
ansible-galaxy install -r requirements.yml

---
roles:
- name: robertdebock.bootstrap
- name: robertdebock.core_dependencies
- name: robertdebock.epel
- name: robertdebock.fail2ban
- name: robertdebock.firewall
- name: robertdebock.openssh
- name: robertdebock.selinux
- name: robertdebock.software
- name: robertdebock.sysctl
- name: robertdebock.users
- name: robertdebock.ntp

collections:
- name: community.general
- name: ansible.posix

Playbook 1

run command:
ansible-playbook -K create_user.yml

---
- hosts: localhost
  become: yes
  become_user: root
  gather_facts: yes

  roles:
    - role: robertdebock.bootstrap
    - role: robertdebock.core_dependencies

    - role: robertdebock.users
      users_group_list:
        - name: root

      users_user_list:
        - name: user_name
          group: root
          password: "{{'123456x' |  password_hash('sha512')}}"
          update_password: on_create
          cron_allow: no
          sudo_options: "ALL=(ALL) ALL"
          authorized_keys:
            - "https://gitlab.com/path/path/-/raw/master/playbooks/keys.pub"

Playbook 2

run command:
ansible-playbook -K site.yml

---
---
- hosts: localhost
  become: yes
  become_user: root
  gather_facts: yes

  roles:
  - role: robertdebock.bootstrap
  - role: robertdebock.core_dependencies
  - role: robertdebock.epel

  - role: openpyme.ius

  - role: robertdebock.selinux
    selinux_reboot: false
    selinux_state: enforcing
    selinux_booleans:
    - name: httpd_can_network_connect
      state: true
      persistent: true
    - name: httpd_enable_homedirs
      state: true
      persistent: true
    - name: httpd_read_user_content
      state: true
      persistent: true

  - role: robertdebock.sysctl
    sysctl_items:
    - name: vm.swappiness
      value: 10
    - name: vm.vfs_cache_pressure
      value: 50

  - role: robertdebock.openssh
    openssh_allow_users: user_name
    openssh_permit_root_login: "no"
    openssh_password_authentication: "no"

  - role: robertdebock.firewall
    firewall_services:
    - name: ssh
    - name: http
    - name: https

  - role: robertdebock.fail2ban
  
  - role: robertdebock.ntp
    ntp_timezone: America/Mexico_City

  - role: robertdebock.software
    software_packages:
    - name: byobu

  - role: robertdebock.users
    users_group_list:
      - name: no_root

    users_user_list:
      - name: user_name2
        group: no_root
        password: "{{'123456x' | password_hash('sha512')}}"
        update_password: on_create
        cron_allow: yes

Output playbook requirements.yml

[root@localhost playbooks]# ansible-galaxy install -r requirements.yml
Starting galaxy role install process

changing role robertdebock.bootstrap from 6.2.4 to unspecified
downloading role 'bootstrap', owned by robertdebock
downloading role from https://github.com/robertdebock/ansible-role-bootstrap/archive/6.2.4.tar.gz
extracting robertdebock.bootstrap to /tmp/bench-master/playbooks/roles/robertdebock.bootstrap
robertdebock.bootstrap (6.2.4) was installed successfully
changing role robertdebock.core_dependencies from 2.2.10 to unspecified
downloading role 'core_dependencies', owned by robertdebock
downloading role from https://github.com/robertdebock/ansible-role-core_dependencies/archive/2.2.10.tar.gz
extracting robertdebock.core_dependencies to /tmp/bench-master/playbooks/roles/robertdebock.core_dependencies
robertdebock.core_dependencies (2.2.10) was installed successfully
changing role robertdebock.epel from 4.1.3 to unspecified
downloading role 'epel', owned by robertdebock
downloading role from https://github.com/robertdebock/ansible-role-epel/archive/4.1.3.tar.gz
extracting robertdebock.epel to /tmp/bench-master/playbooks/roles/robertdebock.epel
robertdebock.epel (4.1.3) was installed successfully
changing role robertdebock.fail2ban from 5.0.4 to unspecified
downloading role 'fail2ban', owned by robertdebock
downloading role from https://github.com/robertdebock/ansible-role-fail2ban/archive/5.0.4.tar.gz
extracting robertdebock.fail2ban to /tmp/bench-master/playbooks/roles/robertdebock.fail2ban
robertdebock.fail2ban (5.0.4) was installed successfully
changing role robertdebock.firewall from 5.1.9 to unspecified
downloading role 'firewall', owned by robertdebock
downloading role from https://github.com/robertdebock/ansible-role-firewall/archive/5.1.9.tar.gz
extracting robertdebock.firewall to /tmp/bench-master/playbooks/roles/robertdebock.firewall
robertdebock.firewall (5.1.9) was installed successfully
changing role robertdebock.openssh from 5.0.2 to unspecified
downloading role 'openssh', owned by robertdebock
downloading role from https://github.com/robertdebock/ansible-role-openssh/archive/5.0.2.tar.gz
extracting robertdebock.openssh to /tmp/bench-master/playbooks/roles/robertdebock.openssh
robertdebock.openssh (5.0.2) was installed successfully
changing role robertdebock.selinux from 3.1.10 to unspecified
downloading role 'selinux', owned by robertdebock
downloading role from https://github.com/robertdebock/ansible-role-selinux/archive/3.1.10.tar.gz
extracting robertdebock.selinux to /tmp/bench-master/playbooks/roles/robertdebock.selinux
robertdebock.selinux (3.1.10) was installed successfully
changing role robertdebock.software from 2.1.10 to unspecified
downloading role 'software', owned by robertdebock
downloading role from https://github.com/robertdebock/ansible-role-software/archive/2.1.10.tar.gz
extracting robertdebock.software to /tmp/bench-master/playbooks/roles/robertdebock.software
robertdebock.software (2.1.10) was installed successfully
changing role robertdebock.sysctl from 2.1.8 to unspecified
downloading role 'sysctl', owned by robertdebock
downloading role from https://github.com/robertdebock/ansible-role-sysctl/archive/2.1.8.tar.gz
extracting robertdebock.sysctl to /tmp/bench-master/playbooks/roles/robertdebock.sysctl
robertdebock.sysctl (2.1.8) was installed successfully
changing role robertdebock.users from 6.1.4 to unspecified
downloading role 'users', owned by robertdebock
downloading role from https://github.com/robertdebock/ansible-role-users/archive/6.1.4.tar.gz
extracting robertdebock.users to /tmp/bench-master/playbooks/roles/robertdebock.users
robertdebock.users (6.1.4) was installed successfully
changing role robertdebock.ntp from 3.1.6 to unspecified
downloading role 'ntp', owned by robertdebock
downloading role from https://github.com/robertdebock/ansible-role-ntp/archive/3.1.6.tar.gz
extracting robertdebock.ntp to /tmp/bench-master/playbooks/roles/robertdebock.ntp
robertdebock.ntp (3.1.6) was installed successfully
Starting galaxy collection install process
Process install dependency map
Starting collection install process
Downloading https://galaxy.ansible.com/api/v3/plugin/ansible/content/published/collections/artifacts/ansible-posix-1.5.4.tar.gz to /root/.ansible/tmp/ansible-local-56772muwcayx9/tmpyi31ma13/ansible-posix-1.5.4-8phymkzz
Installing 'ansible.posix:1.5.4' to '/root/.ansible/collections/ansible_collections/ansible/posix'
ansible.posix:1.5.4 was installed successfully
Downloading https://galaxy.ansible.com/api/v3/plugin/ansible/content/published/collections/artifacts/community-general-8.2.0.tar.gz to /root/.ansible/tmp/ansible-local-56772muwcayx9/tmpyi31ma13/community-general-8.2.0-sdfq2z2b
Installing 'community.general:8.2.0' to '/root/.ansible/collections/ansible_collections/community/general'
community.general:8.2.0 was installed successfully

Output playbook create_user.yml

[root@localhost playbooks]# ansible-playbook -K create_user.yml
BECOME password:
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] ***********************************************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.bootstrap : Validating arguments against arg spec 'main' - Prepare a system to be managed by Ansible.] **************************************************************
ok: [localhost]

TASK [robertdebock.bootstrap : assert | Test bootstrap_wait_for_host] ******************************************************************************************************************
ok: [localhost]

TASK [robertdebock.bootstrap : assert | Test bootstrap_timeout] ************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.bootstrap : assert | Test bootstrap_become] *************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.bootstrap : Wait for port to be available] **************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.bootstrap : Test connection] ****************************************************************************************************************************************
[WARNING]: Reset is not implemented for this connection
ok: [localhost]

TASK [robertdebock.bootstrap : Test sudo] **********************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.bootstrap : Gather ansible facts] ***********************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.bootstrap : Install bootstrap packages (package)] *******************************************************************************************************************
ok: [localhost] => (item=python3)
ok: [localhost] => (item=sudo)

TASK [robertdebock.core_dependencies : Remove conflicting packages] ********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.core_dependencies : Install packages] *******************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.core_dependencies : Flush handlers] *********************************************************************************************************************************

TASK [robertdebock.users : assert | Test users_ssh_key_directory] **********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.users : assert | Test users_shell] **********************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.users : assert | Test users_cron_allow] *****************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.users : assert | Test users_create_home] ****************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.users : assert | Test users_groups] *********************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : assert | Test item.name in users_groups] ********************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : assert | Test item.gid in users_groups] *********************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : assert | Test item.state in users_groups] *******************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : assert | Test item.system in users_groups] ******************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : assert | Test item.name in users] ***************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : assert | Test item.cron_allow in users] *********************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : assert | Test item.uid in users] ****************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : assert | Test item.authorized_keys in users] ****************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : assert | Test item.manage_ssh_key in users] *****************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : assert | Test item.update_password in users] ****************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : assert | Test item.exipres in users] ************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : assert | Test item.password_validity_days in users] *********************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : assert | Test item.system in users] *************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : Install required software] **********************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : Loop over users_groups] *************************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : Ensure the /etc/sudoers.d directory is included] ************************************************************************************************************
ok: [localhost]

TASK [robertdebock.users : Loop over users] ********************************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.users : Manage cron permission] *************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.users : Check existence of /etc/cron.allow] *************************************************************************************************************************
skipping: [localhost]

PLAY RECAP *****************************************************************************************************************************************************************************
localhost : ok=17 changed=0 unreachable=0 failed=0 skipped=19 rescued=0 ignored=0

Output playbook site.yml

[root@localhost playbooks]# ansible-playbook -K site.yml
BECOME password:
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] ***********************************************************************************************************************************************************************

TASK [robertdebock.core_dependencies : Flush handlers] *********************************************************************************************************************************

TASK [robertdebock.epel : Install epel gpg key] ****************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.epel : Install epel-release] ****************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.epel : Install epel-next-release] ***********************************************************************************************************************************
skipping: [localhost]

TASK [openpyme.ius : install ius] ******************************************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.selinux : assert | Test selinux_state] ******************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.selinux : assert | Test selinux_policy] *****************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.selinux : assert | Test selinux_reboot] *****************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.selinux : assert | Test selinux_booleans] ***************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.selinux : assert | Test item.name in selinux_booleans] **************************************************************************************************************
ok: [localhost] => (item=httpd_can_network_connect)
ok: [localhost] => (item=httpd_enable_homedirs)
ok: [localhost] => (item=httpd_read_user_content)

TASK [robertdebock.selinux : assert | Test item.state in selinux_booleans] *************************************************************************************************************
ok: [localhost] => (item=httpd_can_network_connect)
ok: [localhost] => (item=httpd_enable_homedirs)
ok: [localhost] => (item=httpd_read_user_content)

TASK [robertdebock.selinux : assert | Test item.persistent in selinux_booleans] ********************************************************************************************************
ok: [localhost] => (item=httpd_can_network_connect)
ok: [localhost] => (item=httpd_enable_homedirs)
ok: [localhost] => (item=httpd_read_user_content)

TASK [robertdebock.selinux : Install required packages] ********************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.selinux : Flush handlers] *******************************************************************************************************************************************

TASK [robertdebock.selinux : Manage selinux] *******************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.selinux : Manage selinux booleans] **********************************************************************************************************************************
ok: [localhost] => (item=httpd_can_network_connect)
ok: [localhost] => (item=httpd_enable_homedirs)
ok: [localhost] => (item=httpd_read_user_content)

TASK [robertdebock.sysctl : assert | Test sysctl_set] **********************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.sysctl : assert | Test sysctl_reload] *******************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.sysctl : Install requirements] **************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.sysctl : Set sysctl setting] ****************************************************************************************************************************************
ok: [localhost] => (item=vm.swappiness)
ok: [localhost] => (item=vm.vfs_cache_pressure)

TASK [robertdebock.openssh : assert | Test ssh_port] ***********************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_address_family] *********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_listen_addresses] *******************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_host_keys] **************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_rekey_limit] ************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_syslog_facility] ********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_loglevel] ***************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_login_grace_time] *******************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_permit_root_login] ******************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_strict_modes] ***********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_max_auth_tries] *********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_max_sessions] ***********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_pub_key_authentication] *************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_authorized_key_file] ****************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_authorized_prinicpals_file] *********************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_authorized_keys_command] ************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_authorized_keys_command_user] *******************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_host_based_authentication] **********************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_ignore_user_known_hosts] ************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_ignore_rhosts] **********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_permit_empty_passwords] *************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_password_authentication] ************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_challenge_response_authentication] **************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_gssapi_authentication] **************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_gssapi_cleanup_credentials] *********************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_gssapi_strict_acceptor_check] *******************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_gssapi_key_exchange] ****************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_gssaip_enable_k5_users] *************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_use_pam] ****************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_allow_agent_forwarding] *************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_allow_tcp_forwarding] ***************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_gateway_ports] **********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_x11_forwarding] *********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_x11_display_offset] *****************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_x11_use_localhost] ******************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_permit_tty] *************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_print_motd] *************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_print_last_log] *********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_tcp_keep_alive] *********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_permit_user_environment] ************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_compression] ************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_client_alive_interval] **************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_client_alive_count_max] *************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_show_patch_level] *******************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_use_dns] ****************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_pid_file] ***************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_max_startups] ***********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_permit_tunnel] **********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_chroot_directory] *******************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_version_addendum] *******************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_banner] *****************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_accept_envs] ************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_subsystem] **************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_trusted_user_ca_keys] ***************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_allow_users] ************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : assert | Test openssh_allow_groups] ***********************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.openssh : Install openssh] ******************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : Configure selinux to allow openssh_port] ******************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : Generate host key] ****************************************************************************************************************************************
ok: [localhost] => (item=rsa)
ok: [localhost] => (item=ecdsa)
ok: [localhost] => (item=ed25519)

TASK [robertdebock.openssh : Make run directory] ***************************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.openssh : Configure openssh] ****************************************************************************************************************************************
changed: [localhost]

TASK [robertdebock.openssh : Start and enable openssh] *********************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.openssh : Flush handlers] *******************************************************************************************************************************************

RUNNING HANDLER [robertdebock.openssh : Restart openssh] *******************************************************************************************************************************
changed: [localhost]

TASK [robertdebock.firewall : assert | Test firewall_default_protocol] *****************************************************************************************************************
ok: [localhost]

TASK [robertdebock.firewall : assert | Test firewall_default_rule] *********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.firewall : assert | Test firewall_services] *************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.firewall : assert | Test non-numeric item in firewall_services] *****************************************************************************************************
ok: [localhost] => (item=ssh)
ok: [localhost] => (item=http)
ok: [localhost] => (item=https)

TASK [robertdebock.firewall : assert | Test numeric item in firewall_services] *********************************************************************************************************
skipping: [localhost] => (item=ssh)
skipping: [localhost] => (item=http)
skipping: [localhost] => (item=https)
skipping: [localhost]

TASK [robertdebock.firewall : assert | Test item with state in firewall_services] ******************************************************************************************************
skipping: [localhost] => (item=unset)
skipping: [localhost] => (item=unset)
skipping: [localhost] => (item=unset)
skipping: [localhost]

TASK [robertdebock.firewall : Remove conflicting software] *****************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.firewall : Install required software] *******************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.firewall : Start and enable firewall service] ***********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.firewall : Open ports (ufw)] ****************************************************************************************************************************************
ok: [localhost] => (item=ssh)
ok: [localhost] => (item=http)
ok: [localhost] => (item=https)

TASK [robertdebock.firewall : Close ports (ufw)] ***************************************************************************************************************************************
skipping: [localhost] => (item=ssh)
skipping: [localhost] => (item=http)
skipping: [localhost] => (item=https)
skipping: [localhost]

TASK [robertdebock.firewall : Open ports (firewalld-port)] *****************************************************************************************************************************
skipping: [localhost] => (item=ssh)
skipping: [localhost] => (item=http)
skipping: [localhost] => (item=https)
skipping: [localhost]

TASK [robertdebock.firewall : Close ports (firewalld-port)] ****************************************************************************************************************************
skipping: [localhost] => (item=ssh)
skipping: [localhost] => (item=http)
skipping: [localhost] => (item=https)
skipping: [localhost]

TASK [robertdebock.firewall : Open ports (firewalld-service)] **************************************************************************************************************************
skipping: [localhost] => (item=ssh)
skipping: [localhost] => (item=http)
skipping: [localhost] => (item=https)
skipping: [localhost]

TASK [robertdebock.firewall : Close ports (firewalld-service)] *************************************************************************************************************************
skipping: [localhost] => (item=ssh)
skipping: [localhost] => (item=http)
skipping: [localhost] => (item=https)
skipping: [localhost]

TASK [robertdebock.firewall : Enable ufw] **********************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.firewall : Configure iptables] **************************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.fail2ban : assert | Test fail2ban_loglevel] *************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.fail2ban : assert | Test fail2ban_logtarget] ************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.fail2ban : assert | Test fail2ban_ignoreself] ***********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.fail2ban : assert | Test fail2ban_ignoreips] ************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.fail2ban : assert | Test fail2ban_bantime] **************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.fail2ban : assert | Test fail2ban_findtime] *************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.fail2ban : assert | Test fail2ban_maxretry] *************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.fail2ban : assert | Test fail2ban_destemail] ************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.fail2ban : assert | Test fail2ban_sender] ***************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.fail2ban : assert | Test fail2ban_configuration] ********************************************************************************************************************
ok: [localhost]

TASK [robertdebock.fail2ban : assert | Test item in fail2ban_configuration] ************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.fail2ban : assert | Test fail2ban_jail_configuration] ***************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.fail2ban : assert | Test item in fail2ban_filterd_path] *************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.fail2ban : Install fail2ban] ****************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.fail2ban : Copy filters in filter.d] ********************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.fail2ban : Configure fail2ban.local] ********************************************************************************************************************************
ok: [localhost] => (item=loglevel)
ok: [localhost] => (item=logtarget)
ok: [localhost] => (item=ignoreip)

TASK [robertdebock.fail2ban : Configure jail.local] ************************************************************************************************************************************
ok: [localhost] => (item=ignoreself)
ok: [localhost] => (item=bantime)
ok: [localhost] => (item=findtime)
ok: [localhost] => (item=maxretry)
ok: [localhost] => (item=destemail)
ok: [localhost] => (item=sender)

TASK [robertdebock.fail2ban : Stat auth log file] **************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.fail2ban : Touch auth log file] *************************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.fail2ban : Start and enable fail2ban] *******************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.ntp : Validating arguments against arg spec 'main' - Install and configure ntp on your system.] *********************************************************************
ok: [localhost]

TASK [robertdebock.ntp : assert | Test ntp_state] **************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.ntp : assert | Test ntp_enabled] ************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.ntp : assert | Test ntp_interfaces] *********************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.ntp : assert | Test item in ntp_interfaces] *************************************************************************************************************************
ok: [localhost] => (item=127.0.0.1)

TASK [robertdebock.ntp : assert | Test ntp_pool] ***************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.ntp : assert | Test item in ntp_pool] *******************************************************************************************************************************
ok: [localhost] => (item=0.pool.ntp.org iburst)
ok: [localhost] => (item=1.pool.ntp.org iburst)
ok: [localhost] => (item=2.pool.ntp.org iburst)
ok: [localhost] => (item=3.pool.ntp.org iburst)

TASK [robertdebock.ntp : assert | Test ntp_server] *************************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.ntp : assert | Test item in ntp_server] *****************************************************************************************************************************
skipping: [localhost]

TASK [robertdebock.ntp : assert | Test ntp_timezone] ***********************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.ntp : Install packages] *********************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.ntp : Configure /etc/chrony.conf] ***********************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.ntp : Install timezone information] *********************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.ntp : Configure timezone] *******************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.ntp : Manage chronyd] ***********************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.software : assert | Test software_packages] *************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.software : assert | Test item.name in software_packages] ************************************************************************************************************
ok: [localhost] => (item=byobu)

TASK [robertdebock.software : assert | Test item.state in software_packages] ***********************************************************************************************************
skipping: [localhost] => (item=byobu)
skipping: [localhost]

TASK [robertdebock.software : Install packages] ****************************************************************************************************************************************
ok: [localhost] => (item=byobu)

TASK [openpyme.nginx : create symbolic link for openssl] *******************************************************************************************************************************
skipping: [localhost]

TASK [openpyme.nginx : allow openperp reload nginx] ************************************************************************************************************************************
skipping: [localhost]

PLAY RECAP *****************************************************************************************************************************************************************************
localhost : ok=134 changed=2 unreachable=0 failed=0 skipped=41 rescued=0 ignored=0

Environment

Control node Ansible version: 2.15.8
OS: Rocky Linux 9.3 (Blue Onyx)

Please consider @robertdebock

'create local ssh_key_directory' should be optional?

As I understand ssh_key_directory is used to store the generated ssh keys. If I don't want to generate the keys (e.g. provide already existing keys) this directory should not be created.

local ssh_key_directory is created on every ansible (check) run

Describe the bug
Every (check) run of this role triggers a change at the task "create local ssh_key_directory".
The directory should either only be created when needed or should not trigger a change. (I prefer the former, but discussion welcome.. 😉)

To Reproduce

% ansible-playbook -D -C site.yml
[...]
TASK [robertdebock.users : create local ssh_key_directory] 
--- before
+++ after
@@ -1,4 +1,4 @@
 {
     "path": "ssh_keys",
-    "state": "absent"
+    "state": "directory"
 }

changed: [site.example.com]
[...]

Expected behavior
A change should not be triggered.

Environment

Control node OS: Debian 9 (Debian/stretch)
Control node Ansible version: 2.8.0
Managed node OS: Debian 9 (Debian/stretch)

syntax error near line 120

Looks like regression.
When I execute playbook with version 6.0.0, following error occurred:

[0;32m    packer.amazon-ebs.amazon_linux2: TASK [users : Ensure the /etc/sudoers.d directory is included] *****************[0m
[0;32m    packer.amazon-ebs.amazon_linux2: fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "failed to validate: rc:1 error:>>> /root/.ansible/tmp/ansible-tmp-1694096904.2884834-4728-121955127142261/tmplp8wizy1: syntax error near line 120 <<<\n"}[0m

In version 5.6.0 work as expected

Environment

Control node OS: Amazon Linux 2
Control node Ansible version: [core 2.13.11]
Managed node OS: Amazon Linux 2

Descriptions of more scary variable names

Proposed feature

Some of the variable names suggest (to me as N00B) that they might be risky.
Can I add some descriptions, or a link to a main doc?

Rationale

As a newcomer, I was about to install the minikube role and I noticed a reference to this role. It seems really cool and there is some ninja $#@! going on in the user settings which I would love to understand.

Perhaps there is a comprehensive doc somewhere. I could not immediately tell what module the groups variable related to.

Additional context

      users_user_list:
        - name: root                         # What if I already have a root account with a passwd ?
          cron_allow: yes
          unauthorized_keys:          # required? Is this a known-bad key?
            - "ssh-rsa ZYX54321"
        - name: blaise
          comment: Blaise Pabon
          uid: 1024
          group: blaise
          groups: users                  # how do I list more than one group? `users, wheel, libvirt` ? Also the word `groups` means something in Ansible...
          cron_allow: yes
          sudo_options: "ALL=(ALL) NOPASSWD: ALL"
          authorized_keys:
            - "ssh-rsa ABC123"
          expires: -1                                        # Does this mean the account never expires?
          password_validity_days: 9
        - name: notuser                               # Does this remove pre-existing users from the host?
          state: absent

and also:

        - name: remotekey                       # Who is Shaan and why do I add his key?
          authorized_keys:
            - "https://raw.githubusercontent.com/shaanr/smdb/master/file.pub"
        - name: systemuser
          system: yes
        - name: multisudo                       # This seems interesting, is this for a service account?
          sudo_options:
            - "ALL= NOPASSWD: /usr/bin/systemctl restart httpd"
            - "ALL= NOPASSWD: /usr/bin/systemctl start httpd"

Please consider sponsoring me.

Make role work well with usernames containing a '.' (dot) sign.

Proposed feature

Make role work well with usernames containing a '.' (dot) sign.
Currently it doesn't work for such users.

Rationale

This is from sudoers(5) manual:

 The #includedir directive can be used to create a sudoers.d directory that the system package manager can drop sudoers file rules into as part of package installation.  For example, given:

     #includedir /etc/sudoers.d

 sudo will suspend processing of the current file and read each file in /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’ character to avoid causing problems with package manager or editor temporary/backup
 files.  Files are parsed in sorted lexical order.  That is, /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second.  Be aware that because the sorting is lexical, not numeric, /etc/sudoers.d/1_whoops would be
 loaded after /etc/sudoers.d/10_second.  Using a consistent number of leading zeroes in the file names can be used to avoid such problems.  After parsing the files in the directory, control returns to the file that contained the
 #includedir directive.

Additional context

I'll do some code changes right away with a PR.

ERROR! this task 'ansible.builtin.import_tasks' has extra params... when running playbook with the role

Describe the bug

Error using the role in my playbook

Playbook

playbook:

---
- hosts: redacted

  tags:
    - user

  vars:
    ansible_user: "{{ base_user }}"
    ansible_password: "{{ base_user_password }}"
    ansible_sudo_pass: "{{ base_sudo_pass }}"

  become: true

  roles:
    - robertdebock.users

  tasks:
    - name: "Change password for {{ default_user }}"
      user:
        name: "{{ default_user }}"
        password: "{{ default_user_password | string | password_hash('sha512', 'A512') }}"

requirements.yml (excerpt)

- src: robertdebock.users
  version: 5.4.0

# ansible-galaxy list -p ./roles/ | grep 'robertdebock.users'
- robertdebock.users, 5.4.0

Output

# ansible-playbook playbook.yml -i inventories/redacted/ --vault-password-file ~/.vault_pass.txt
ERROR! this task 'ansible.builtin.import_tasks' has extra params, which is only allowed in the following modules: ansible.windows.win_command, shell, win_shell, include_vars, ansible.windows.win_shell, import_role, script, meta, include, include_tasks, group_by, raw, include_role, command, import_tasks, win_command, add_host, set_fact

The error appears to be in '/git/ansible/roles/robertdebock.users/tasks/main.yml': line 4, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


- name: import assert.yml
  ^ here

vscode linter of extension Ansible v0.7.1 JSON Schema Ansible Tasks File on the main.yml (lines):

4 - name: import assert.yml
5   ansible.builtin.import_tasks: assert.yml
6   run_once: yes
7   delegate_to: localhost

4: Missing property "action".yaml-schema: TaskModel | BeremothTaskModel
5: Property ansible.builtin.import_tasks is not allowed.yaml-schema: TaskModel
6: Incorrect type. Expected "boolean".yaml-schema: Run Once | BeremothTaskModel

Environment

Control node OS: 18.04.6 LTS (Bionic Beaver)
Control node Ansible version: 2.10.2
Managed node OS: 20.04.2 LTS (Focal Fossa)

authorized_key(s) issue

Describe the bug
Perhaps I don't understand the intent but,

Setting authorized_key without setting authorized_keys has no effect:
"skip_reason": "Conditional result was False"
Setting authorized_keys without setting authorized_key causes an error:
"'dict object' has no attribute 'authorized_key'"
Using both together work.

To Reproduce
Playbook fragment:

users_user_list:
  - name: fred
    uid: 1003
    group: fred
    groups: 'adm,sudo'
    authorized_key: "{{ lookup('file', '/home/fred/.ssh/id_rsa.pub') }}"
    authorized_keys:
      - "{{ lookup('file', '/home/fred/.ssh/id_rsa.pub') }}"
    shell: /bin/bash

Allow private key to be given and placed on a machine.

Proposed feature

It would be nice if this role can place a user-specified private key. Something like this:

users_user_list:
  - name: privkeyuser
    private_keys:
      - name: id_rsa
        content: >
        -----BEGIN RSA PRIVATE KEY-----
        MIIEowxyz
        -----END RSA PRIVATE KEY-----

Rationale

Provisioning a user with private key is user-friendly.

Please consider sponsoring me.

no test named 'boolean'

Describe the bug

Using AWX 19.3.0 with this EE https://github.com/tomoliveri/ansible_aio_ee, and running this role returns an error:

template error while templating string: no test named 'boolean'

The role works fine for me normally, this is the first time I've tried to use the role in AWX however.

Playbook

---
- hosts: all
  become: yes
  become_user: root
  vars:
    users_user_list:
        <snip>    
  roles:
    - robertdebock.users

Output

{
  "msg": "The conditional check 'users_cron_allow is boolean' failed. The error was: template error while templating string: no test named 'boolean'. String: {% if users_cron_allow is boolean %} True {% else %} False {% endif %}",
  "_ansible_no_log": false
}

Environment

Control node OS: AWX 19.3.0
Ansible version: 2.11.6rc1.post0
Managed node OS: Oracle Linux 8.4

Also, this looks to be a similar problem to here: robertdebock/ansible-role-tomcat#37

Option to copy SSH keys into authorized_keys from GitHub

Is your feature request related to a problem? Please describe.
Listing all of the keys for multiple users seems a bit tiresome. We could, instead, copy the keys from GitHub to a users authorized_keys file.

Describe the solution you'd like
GitHub exposes the users public key at https://github.com/username.keys. If we could pass GitHub username as a variable then we can copy the keys over to the users authorized_keys file. I believe the authorized_keys module has provision for this (https://docs.ansible.com/ansible/latest/modules/authorized_key_module.html#examples)

Describe alternatives you've considered
Alternative is to list all the keys for the users, as we do now.

Additional context
N/A

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.

robertdebock / ansible-role-users Goto Github PK

ansible-role-users's Introduction

ansible-role-users's People

Contributors

Stargazers

Watchers

Forkers

ansible-role-users's Issues

Describe the bug

Playbook

Output

Environment

Proposed feature

Rationale

Describe the bug

is a comment, no ?

Proposed feature

Rationale

Implementation option

Describe the bug

Requirements

Playbook 1

Playbook 2

Output playbook requirements.yml

Output playbook create_user.yml

Output playbook site.yml

Environment

Environment

Proposed feature

Rationale

Additional context

Proposed feature

Rationale

Additional context

Describe the bug

Playbook

Output

Environment

Proposed feature

Rationale

Describe the bug

Playbook

Output

Environment

Recommend Projects

Recommend Topics

Recommend Org