DeadSwitch 54c2c94f55
All checks were successful
Test the role / test-the-role (push) Successful in 8s
Added $HOME management to the role.
home and move_home can be set now.
2026-02-26 10:04:56 +01:00
2026-02-20 12:13:46 +01:00
2026-02-20 10:46:53 +01:00

User Management Role

ds_users

This role manages user and group creation, as well as public SSH key deployment, on Debian-based systems. It ensures that users exist, that their groups are created and assigned correctly, and that their SSH keys are installed.

Optionally sets the initial user password during creation.

Privilege configuration is delegated to the ds_sudo role.

Features

  • Creates users defined in user_data.
  • Ensures groups exist:

    • Groups explicitly listed in user_data.groups.
    • Groups defined in group_data.
  • Adds users to groups (using append: yes to preserve existing memberships).
  • Deploys SSH keys per user.
  • Sets the user's full name (GECOS field) if provided.
  • Fully compatible with ds_sudo for privilege management.

Variables

group_data

Dictionary of groups. Groups may be defined here, typically with sudo attributes for ds_sudo.

group_data:
  ansible:
    sudo:             # Used only by ds_sudo
      type: nopasswd
      commands: all

user_data

Dictionary of users and their attributes:

user_data:
  user1:
    ssh_key: "ssh-rsa ..."
    full_name: "User 1"
    password: "*"       # Default disabled password or define it in SOPS
    groups:
      - ansible
    sudo:               # Ignored by ds_users; consumed by ds_sudo
      type: nopasswd
      commands: all

Variable    Type     Default  Comment
ssh_key     string   -        SSH public key deployed to authorized_keys.
full_name   string   -        User's GECOS/comment field.
prompt      string   -        Sets the Bash prompt (PS1) in .bashrc.
home        string   omit     Sets the $HOME directory for the user.
move_home   boolean  false    Moves the user's existing $HOME to the new home location.
password    string   *        Password hash; applied only at user creation.
groups      list     -        List of groups to add the user to.
sudo        dict     -        Ignored by ds_users; consumed by ds_sudo.

For real password hashes, store them in an Ansible Vault or SOPS. (Hash the passwords with openssl passwd -6.)

Examples

Minimal user creation

user_data:
  alice:
    groups:
      - ansible

This will create the ansible group if missing, then create user alice and add them to that group.

Full example with SSH key and sudo (sudo handled by ds_sudo)

user_data:
  tom:
    ssh_key: "Tom's SSH public key"
    full_name: "The Ghost Operator"
    password: "{{ sops_users_tom_password }}"
    prompt: Tom's shell prompt (PS1=...)
    groups:
      - ansible
    sudo:
      type: nopasswd
      commands: all

In a SOPS encrypted file:

sops_users_tom_password: "$6$hashedpassword"

Safety

  • Existing users and group memberships are preserved; append: yes is used.
  • Groups are auto-created if referenced in either user_data or group_data.
  • SSH keys are only deployed if defined.
  • Password is set only at user creation. Default: "*" (password authentication disabled, so only SSH-key login works).
  • Sudo privileges are not modified by this role; use ds_sudo.
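
The following playbook is an added example, not the ds_users role's own task list. It implements the behaviour documented in the Variables and Safety sections above: groups are collected from both group_data and every user's groups list, memberships are appended rather than replaced, the password is applied only on creation (update_password: on_create), home/move_home fall back to omit/false, and SSH keys and prompts are only touched for users that define them. It assumes the ansible.posix collection is installed, that a missing home means /home/<user>, that the prompt value is a complete PS1=... line, and the user_data/group_data shown are constructed sample values.

```yaml
# Added example playbook (not the ds_users role's code). Sample data is constructed.
- name: ds_users-style user and group provisioning
  hosts: all
  become: true
  vars:
    group_data:
      ansible:
        sudo:              # consumed by ds_sudo; ignored here
          type: nopasswd
          commands: all
    user_data:
      alice:
        groups:
          - ansible
      tom:
        ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY tom@example"  # constructed placeholder
        full_name: "The Ghost Operator"
        password: "*"          # real deployments: a "$6$..." hash from an encrypted source
        prompt: 'PS1="\u@\h:\w\$ "'
        home: /srv/home/tom
        move_home: true
        groups:
          - ansible
          - ops
  tasks:
    - name: Ensure every group referenced in user_data or group_data exists
      ansible.builtin.group:
        name: "{{ item }}"
        state: present
      loop: >-
        {{ ((group_data | dict2items | map(attribute='key') | list)
            + (user_data | dict2items
               | selectattr('value.groups', 'defined')
               | map(attribute='value.groups') | flatten))
           | unique }}

    - name: Create users (password only on creation, memberships appended)
      ansible.builtin.user:
        name: "{{ item.key }}"
        comment: "{{ item.value.full_name | default(omit) }}"
        password: "{{ item.value.password | default('*') }}"
        update_password: on_create      # never rewrite an existing password
        groups: "{{ item.value.groups | default([]) }}"
        append: true                    # preserve memberships set outside this play
        home: "{{ item.value.home | default(omit) }}"
        move_home: "{{ item.value.move_home | default(false) }}"
        shell: /bin/bash
        state: present
      loop: "{{ user_data | dict2items }}"
      loop_control:
        label: "{{ item.key }}"         # keep password hashes out of task output

    - name: Deploy SSH public keys only for users that define one
      ansible.posix.authorized_key:
        user: "{{ item.key }}"
        key: "{{ item.value.ssh_key }}"
        state: present
      loop: "{{ user_data | dict2items | selectattr('value.ssh_key', 'defined') }}"
      loop_control:
        label: "{{ item.key }}"

    - name: Set the Bash prompt only for users that define one
      ansible.builtin.lineinfile:
        # assumption: home defaults to /home/<user> when not set in user_data
        path: "{{ item.value.home | default('/home/' ~ item.key) }}/.bashrc"
        regexp: '^PS1='
        line: "{{ item.value.prompt }}"   # assumed to be a full PS1=... line
        create: true
        owner: "{{ item.key }}"
        mode: "0644"
      loop: "{{ user_data | dict2items | selectattr('value.prompt', 'defined') }}"
      loop_control:
        label: "{{ item.key }}"
```

Running it twice should report no changes on the second pass: the group and user tasks are idempotent, and because update_password is on_create, rotating a hash in the encrypted source later does not silently reset an account that was already provisioned.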

Integration

This role is designed to integrate with ds_sudo and ds_ssh, forming the base layer of the Ghost Operator's system provisioning.

License

MIT.

[Fear the Silence. Fear the Switch.]

Description
Ansible role that manages users and groups.