{"id":15051140,"url":"https://github.com/ansibleguy/linux_users","last_synced_at":"2025-04-10T02:40:41.576Z","repository":{"id":53920650,"uuid":"412884764","full_name":"ansibleguy/linux_users","owner":"ansibleguy","description":"Ansible role to provision Linux users \u0026 groups","archived":false,"fork":false,"pushed_at":"2024-10-06T11:42:36.000Z","size":84,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"latest","last_synced_at":"2024-10-13T17:42:58.847Z","etag":null,"topics":["ansible","ansible-role","automation","debian-linux","iac","infrastructure-as-code","linux-server","user-management"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ansibleguy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"ko_fi":"ansible0guy","github":"ansibleguy"}},"created_at":"2021-10-02T18:49:38.000Z","updated_at":"2024-10-06T11:42:40.000Z","dependencies_parsed_at":"2024-06-02T11:42:23.350Z","dependency_job_id":"f941ce6f-efa8-4065-8881-b6a632679fcd","html_url":"https://github.com/ansibleguy/linux_users","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Flinux_users","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Flinux_users/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Flinux_users/releases","manifests_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Flinux_users/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ansibleguy","download_url":"https://codeload.github.com/ansibleguy/linux_users/tar.gz/refs/heads/latest","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248144858,"owners_count":21054999,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-role","automation","debian-linux","iac","infrastructure-as-code","linux-server","user-management"],"created_at":"2024-09-24T21:31:06.191Z","updated_at":"2025-04-10T02:40:41.539Z","avatar_url":"https://github.com/ansibleguy.png","language":"Python","readme":"# Ansible Role - System Users \u0026 Groups\n\nAnsible Role to deploy users and groups on linux servers.\n\n[![Lint](https://github.com/ansibleguy/linux_users/actions/workflows/lint.yml/badge.svg)](https://github.com/ansibleguy/linux_users/actions/workflows/lint.yml)\n[![Ansible Galaxy](https://badges.ansibleguy.net/galaxy.badge.svg)](https://galaxy.ansible.com/ui/standalone/roles/ansibleguy/linux_users)\n\n**Molecule Integration-Tests**:\n\n* Status: [![Molecule Test Status](https://badges.ansibleguy.net/linux_users.molecule.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/molecule.sh.j2) |\n[![Functional-Tests](https://github.com/ansibleguy/linux_users/actions/workflows/integration_test_result.yml/badge.svg)](https://github.com/ansibleguy/linux_users/actions/workflows/integration_test_result.yml)\n* Logs: 
[API](https://ci.ansibleguy.net/api/job/ansible-test-molecule-linux_users/logs?token=2b7bba30-9a37-4b57-be8a-99e23016ce70\u0026lines=1000) | [Short](https://badges.ansibleguy.net/log/molecule_linux_users_test_short.log) | [Full](https://badges.ansibleguy.net/log/molecule_linux_users_test.log)\n\nInternal CI: [Tester Role](https://github.com/ansibleguy/_meta_cicd) | [Jobs API](https://github.com/O-X-L/github-self-hosted-jobs-systemd)\n\n**Tested:**\n* Debian 11\n* Debian 12\n\n----\n\n## Install\n\n```bash\n# latest\nansible-galaxy role install git+https://github.com/ansibleguy/linux_users\n\n# from galaxy\nansible-galaxy install ansibleguy.linux_users\n\n# or to custom role-path\nansible-galaxy install ansibleguy.linux_users --roles-path ./roles\n\n# install dependencies\nansible-galaxy install -r requirements.yml\npython3 -m pip install -r requirements.txt\n```\n\n----\n\n## Advertisement\n\n* Need **professional support** using Ansible or Linux? Contact us:\n\n  E-Mail: [contact@oxl.at](mailto:contact@oxl.at)\n\n  Tel: [+43 3115 40 900 0](tel:+433115409000)\n\n  Web: [EN](https://www.o-x-l.com) | [DE](https://www.oxl.at)\n\n  Language: German or English\n\n* You want a simple **Ansible GUI**?\n\n  Check-out this [Ansible WebUI](https://github.com/ansibleguy/webui)\n\n----\n\n## Usage\n\n### Config\n\nDefine the system_auth config as needed:\n```yaml\nsystem_auth:\n  users:\n    guy:\n      comment: 'AnsibleGuy'\n      password: !vault |\n        $ANSIBLE_VAULT;1.1;AES256\n        64373031333937633163366236663237623464336461613334343739323763373330393930666331\n        3333663262346337636536383539303834373733326631310a393865653831663238383937626238\n        35396531316338373030353530663465343838373635363633613035356338353366373231343264\n        3437356663383466630a666161363163346533333139656566386466383733646134616166376638\n        35313765356134396130333439663461353336313230366338646165376666313232\n      ssh_pub:\n        - 'ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKkIlii1iJM240yPSPS5WhrdQwGFa7BTJZ59ia40wgVWjjg1JlTtr9K2W66fNb2zNO7tLkaNzPddMEsov2bJAno= guy@ansibleguy.net'\n      privileges:\n        - '/usr/bin/rsync'\n        - '/bin/systemctl restart apache2.service'\n      bash_aliases:\n        ll: 'ls -l'\n  \n    other_guy:\n      comment: 'Unusual user'\n      shell: '/bin/fancyshell'\n      always_update_password: true  # else it will only be set on creation\n      password: !vault |\n        $ANSIBLE_VAULT;1.1;AES256\n        61303431646338396364383939626630336436316661623830643636376130636163356234333464\n        3430643134366635356130373139636664363139313831630a376436396134646665306361366464\n        66386166663739316162346638323537346630333761366161386364646532633434613964396264\n        3063306334636331320a653837663432643164626665353638643032336534653239666534373562\n        62323631363638633239383839666337356538366133326136363033373338643138\n      ssh_pub:\n        - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBxS1MoeqDyN6+ZKsnLJHIA0/5nVQ6+a1Bgwknx3U7lGlqFIki/HgUX089YUzhbEKcxzTlR3Ji+gLnxhBZhe700= other@ansibleguy.net'\n      scope: 'dc_europe_west'  # only create user on servers that are a member of the inventory-group 'dc_europe_west'\n      privileges:\n        - '/bin/systemctl restart some_service.service'\n      sudoers_prompt: true  # user needs to confirm his/her/its password if running the listed commands via 'sudo'\n  \n    root:\n      dont_touch: true  # user account will not be modified\n      bash_aliases:\n        ll: 'ls -l'\n        la: 'ls -la'\n        tc: 'tar -cJvf'\n        tx: 'tar -xJvf'\n  \n  groups:\n    ag_guest:\n      members: ['joe', 'who?']\n    ag_tester:\n      members: ['hans']\n    ag_users:\n      members: ['lisa']\n      nested_groups: ['ag_tester']\n    ag_superguys:\n      members: ['seppal']\n      parents: ['ag_users']\n    ag_devops:\n      members: ['luis']\n    ag_admins:\n      members: 
['reymond']\n      member_of: ['ag_superguys']\n```\n\nYou might want to use 'ansible-vault' to encrypt your passwords:\n```bash\nansible-vault encrypt_string\n```\n\n### Execution\n\nRun the playbook:\n```bash\nansible-playbook -K -D -i inventory/hosts.yml playbook.yml --ask-vault-pass\n```\n\n#### Nested Groups\nYou can link two groups with each other and let one inherit the other's members.\n\nIf another group should inherit all members of the current one:\n* member_of\n* parents\n\nIf the current group should inherit all members of another one:\n* nested_groups\n* children\n\n----\n\n## Functionality\n\n* **Users**\n  * User-scope =\u003e limit the servers a user should be created on\n  * Sudoers-privileges for specific commands\n  * SSH Authorized-keys\n  * Set Bash aliases\n\n\n* **Groups**\n  * nested groups (_member inheritance_)\n\n## Info\n\n* **Note:** This role currently only supports Debian-based systems.\n\n\n* **Note:** Most of the role's functionality can be opted in or out.\n\n  For all available options, see the default-config located in [the main defaults-file](https://github.com/ansibleguy/linux_users/blob/latest/defaults/main.yml)!\n\n\n* **Warning:** Not every setting/variable you provide will be checked for validity. 
Bad config might break the role!\n\n----\n\n### Example\n\n\n**Config**\n```yaml\nsystem_auth:\n  users:\n    guy:\n      comment: 'AnsibleGuy'\n      password: !vault |\n        $ANSIBLE_VAULT;1.1;AES256\n        64373031333937633163366236663237623464336461613334343739323763373330393930666331\n        3333663262346337636536383539303834373733326631310a393865653831663238383937626238\n        35396531316338373030353530663465343838373635363633613035356338353366373231343264\n        3437356663383466630a666161363163346533333139656566386466383733646134616166376638\n        35313765356134396130333439663461353336313230366338646165376666313232\n      ssh_pub:\n        - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKkIlii1iJM240yPSPS5WhrdQwGFa7BTJZ59ia40wgVWjjg1JlTtr9K2W66fNb2zNO7tLkaNzPddMEsov2bJAno= guy@ansibleguy.net'\n      privileges:\n        - '/usr/bin/rsync'\n        - '/bin/systemctl restart apache2.service'\n  \n    other_guy:\n      comment: 'Unusual user'\n      scope: 'dc_europe_west'\n      remove: true  # if the files related to the user should be removed once he/she/it gets deleted\n      force_remove: true  # force delete the above\n  \n    another_guy:\n      comment: 'Nice guy'\n      password: !vault |\n            $ANSIBLE_VAULT;1.1;AES256\n            61303431646338396364383939626630336436316661623830643636376130636163356234333464\n            3430643134366635356130373139636664363139313831630a376436396134646665306361366464\n            66386166663739316162346638323537346630333761366161386364646532633434613964396264\n            3063306334636331320a653837663432643164626665353638643032336534653239666534373562\n            62323631363638633239383839666337356538366133326136363033373338643138\n      ssh_pub:\n        - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcfYHDR8O4A9uIHnw3v25rDPtqDlRmFIyJc1fxZx90K6BUNXV+TTkFH836EftHVAaMdlMZSfNm9O+o0UbrvbaI= another@ansibleguy.net'\n      
force_password_change: true\n  \n  groups:\n    ag_guest:\n      members: []\n    ag_tester:\n      members: ['other_guy', 'another_guy']\n      state: 'absent'\n    ag_users:\n      members: []\n      nested_group: ['ag_tester']\n    ag_superguys:\n      members: []\n      parents: ['ag_users']\n    ag_devops:\n      members: []\n    ag_admins:\n      members: ['guy']\n      member_of: ['ag_superguys']\n\n```\n\n**Result:**\n```bash\nguy@ansible:~# cat /etc/group\n\u003e ...\n\u003e ag_guest:x:1000:\n\u003e ag_users:x:1002:guy,another_guy\n\u003e ag_superguys:x:1003:guy\n\u003e ag_devops:x:1004:\n\u003e ag_admins:x:1005:guy\n\u003e guy:x:1006:\n\u003e another_guy:x:1007:\n\nguy@ansible:~# cat /etc/passwd\n\u003e ...\n\u003e guy:x:1000:1006:Ansible managed - AnsibleGuy:/home/guy:/bin/bash\n\u003e another_guy:x:1001:1007:Ansible managed - Nice guy:/home/another_guy:/bin/bash\n\nguy@ansible:~# cat /etc/sudoers.d/user_priv_guy \n\u003e # Ansible managed\n\u003e \n\u003e Cmnd_Alias USER_PRIV_GUY = \\\n\u003e   /usr/bin/rsync, \\\n\u003e   /bin/systemctl restart apache2.service\n\u003e \n\u003e guy ALL=(ALL) NOPASSWD: USER_PRIV_GUY\n\nguy@ansible:~# cat /etc/sudoers.d/user_priv_another_guy \n\u003e # Ansible managed\n\u003e \n\u003e Cmnd_Alias USER_PRIV_ANOTHERGUY = \\\n\u003e   /bin/systemctl restart myNiceStuff.service\n\u003e \n\u003e another_guy ALL=(ALL) USER_PRIV_ANOTHERGUY\n```","funding_links":["https://ko-fi.com/ansible0guy","https://github.com/sponsors/ansibleguy"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fansibleguy%2Flinux_users","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fansibleguy%2Flinux_users","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fansibleguy%2Flinux_users/lists"}