update docs and adding password option for user ansible

README.md

@@ -2,3 +2,5 @@
 Ansible Collection to mamage Users, Groups and SSH Keys
 
 Work in progress!
+
+Requirements: See requirements.yml

requirements.yml

@@ -0,0 +1,8 @@
+---
+collections:
+  - name: "community.general"
+    version: ">=8.3.0"
+  - name: "ansible.posix"
+    version: ">=1.5.4"
+  - name: "community.crypto"
+    version: ">=2.17.1"

roles/admin/README.md

@@ -16,19 +16,20 @@ There are two variables to define users. The ``l3d_users__default_users`` is men
 + The dictionary-variable for your host_vars to set your host-specific users and admins is: ``l3d_users__local_users``.
 The Option of these directory-variables are the following.
 
-| option | values | description |
+| option | values | required | description |
-| ------ | ------ | --- |
+| ------ | ------ | --- | --- |
-| name   | string | The user you want to create |
+| ``name``   | *string* | ``required`` | The user you want to create |
-| state  | ``present`` | Create or delete user |
+| ``state``  | ``present`` | - | Create or delete user |
-| shell | ``/bin/bash`` | The Shell of the User |
+| ``shell`` | ``/bin/bash`` | - | The Shell of the User |
-| create_home | ``true`` | create a user home *(needed to store ssh keys)* |
+| ``create_home`` | ``true`` | - | create a user home *(needed to store ssh keys)* |
-| admin | ``false`` | enable it to give the user superpowers |
+| ``admin | ``false`` | - | enable it to give the user superpowers |
-| admin_commands | string or list | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
+| ``admin_commands`` | *string or list* | - | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
-| admin_nopassword | false | Need no Password for sudo |
+| ``admin_nopassword`` | ``false`` | - | Need no Password for sudo |
-| pubkeys | string or lookup | see examples |
+| ``admin_ansible_login`` | ``true`` | - |if ``admin: true`` and ``l3d_users__create_ansible: true`` your ssh keys will be added to ansible user |
-| exklusive_pubkeys | ``true`` | delete all undefined ssh keys |
+| ``pubkeys`` | string or lookup | - | see examples |
-| password | password hash | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
+| ``exklusive_pubkeys`` | ``true`` | - | delete all undefined ssh keys |
-| remove | ``false`` | completly remove user if state is absent |
+| ``password`` | password hash | - | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
+| ``remove`` | ``false`` | - | completly remove user if ``state: absent`` |
 
 ### Other
 
@@ -36,35 +37,34 @@ The Option of these directory-variables are the following.
 | ---  | --- | --- |
 | ``l3d_users__create_ansible`` | ``true`` | Create an Ansible User |
 | ``l3d_users__ansible_user_state`` | ``present`` | Ansible user state |
+| ``l3d_users__ansible_user_command`` | ``ALL`` | Commans with superpower for ansible user |
+| ``l3d_users__ansible_user_nopassword`` | ``true`` | Allow superpowers without password for ansible user |
 | ``submodules_versioncheck`` | ``false`` | Optionaly enable simple versionscheck of this role |
 
  Example Playbook
 -----------------
 ```yaml
-- name: Create System with User and Passwords
+- name: Create superpowers for admins
   hosts: example.com
   roles:
-    - {role: l3d.users.user, tags: 'user'}
+    - {role: l3d.users.admin, tags: 'admin'}
   vars:
     l3d_users__local_users:
       - name: 'alice'
         state: 'present'
-        shell: '/bin/bash'
-        create_home: true
         admin: true
         admin_commands: 'ALL'
-        pubkeys: |
+        admin_nopassword: false
-          ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvvXN33GwkTF4ZOwPgF21Un4R2z9hWUuQt1qIfzQyhC
+        pubkeys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}"
-          ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAG65EdcM+JLv0gnzT9LcqVU47Pkw0SqiIg7XipXENi8
-          ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJz7zEvUVgJJJsIgfG3izsqYcM22IaKz4jGVUbNRL2PX
-        exklusive_pubkeys: true
       - name: 'bob'
         state: 'present'
         admin: false
-        pubkeys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}"
+      - name: 'backup'
-
+        state: 'present'
+        admin: true
+        admin_commands: '/opt/backupscript.sh'
+        admin_nopassword: true
+        admin_ansible_login: false
     l3d_users__create_ansible: true
-    l3d_users__set_ansible_ssh_keys: true
-    l3d_users__ansible_ssh_keys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}"
     submodules_versioncheck: true
 ```

roles/admin/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 # create users
-l3d_users__default_users: {}
+l3d_users__default_users: []
 #  - name: 'alice'
 #    state: 'present'
 #    shell: '/bin/bash'
@@ -14,6 +14,7 @@ l3d_users__default_users: {}
 #    admin: true
 #    admin_commands: 'ALL'
 #    admin_nopassword: false
+#    admin_ansible_login: true
 #  - name: 'bob'
 #    state: 'present'
 #    shell: '/bin/zsh'
@@ -21,7 +22,7 @@ l3d_users__default_users: {}
 #    pubkeys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}"
 #    exklusive_pubkeys: false
 
-l3d_users__local_users: {}
+l3d_users__local_users: []
 #  - name: 'charlie'
 #    state: 'present'
 #    admin: false
@@ -29,6 +30,8 @@ l3d_users__local_users: {}
 
 l3d_users__create_ansible: true
 l3d_users__ansible_user_state: 'present'
+l3d_users__ansible_user_command: 'ALL'
+l3d_users__ansible_user_nopassword: true
 
 # run simple versionscheck
 submodules_versioncheck: false

roles/admin/tasks/user_ansible.yml

@@ -3,8 +3,8 @@
   become: true
   community.general.sudoers:
     name: 'ansible_superpowers'
-    commands: 'ALL'
+    commands: "{{ l3d_users__ansible_user_command }}"
-    nopassword: true
+    nopassword: "{{ l3d_users__ansible_user_nopassword | bool }}"
     user: 'ansible'
     state: "{{ l3d_users__ansible_user_state | ternary('present', 'absent') }}"
     validation: 'required'

roles/admin/vars/main.yml

@@ -1,3 +1,3 @@
 ---
-playbook_version_number: 4
+playbook_version_number: 5
 playbook_version_path: 'l3d.users.admin.version'

roles/sshd/README.md

@@ -3,8 +3,6 @@
 
 Ansible role l3d.users.sshd to Manage SSHD Configuration of the system and which Accounts are allowed to login.
 
-# WORK IN PROGRESS
-
 There are two variables to define users. The ``l3d_users__default_users`` is ment to put to your group_vars to define a default for your system. The ``l3d_users__local_users`` could be put in your host_vars to define host-specific user and admin roles.
 
  Variables:
@@ -16,19 +14,20 @@ There are two variables to define users. The ``l3d_users__default_users`` is men
 + The dictionary-variable for your host_vars to set your host-specific users and admins is: ``l3d_users__local_users``.
 The Option of these directory-variables are the following.
 
-| option | values | description |
+| option | values | required | description |
-| ------ | ------ | --- |
+| ------ | ------ | --- | --- |
-| name   | string | The user you want to create |
+| ``name``   | *string* | ``required`` | The user you want to create |
-| state  | ``present`` | Create or delete user |
+| ``state``  | ``present`` | - | Create or delete user |
-| shell | ``/bin/bash`` | The Shell of the User |
+| ``shell`` | ``/bin/bash`` | - | The Shell of the User |
-| create_home | ``true`` | create a user home *(needed to store ssh keys)* |
+| ``create_home`` | ``true`` | - | create a user home *(needed to store ssh keys)* |
-| admin | ``false`` | enable it to give the user superpowers |
+| ``admin | ``false`` | - | enable it to give the user superpowers |
-| admin_commands | string or list | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
+| ``admin_commands`` | *string or list* | - | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
-| admin_nopassword | false | Need no Password for sudo |
+| ``admin_nopassword`` | ``false`` | - | Need no Password for sudo |
-| pubkeys | string or lookup | see examples |
+| ``admin_ansible_login`` | ``true`` | - |if ``admin: true`` and ``l3d_users__create_ansible: true`` your ssh keys will be added to ansible user |
-| exklusive_pubkeys | ``true`` | delete all undefined ssh keys |
+| ``pubkeys`` | string or lookup | - | see examples |
-| password | password hash | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
+| ``exklusive_pubkeys`` | ``true`` | - | delete all undefined ssh keys |
-| remove | ``false`` | completly remove user if state is absent |
+| ``password`` | password hash | - | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
+| ``remove`` | ``false`` | - | completly remove user if ``state: absent`` |
 
 There is a third directory-variable called ``l3d_users__ssh_login: []`` which only support ``name`` and ``state`` for users, that sould be able to login on that system.
 
@@ -36,7 +35,6 @@ There is a third directory-variable called ``l3d_users__ssh_login: []`` which on
 
 | name | default value | description |
 | ---  | --- | --- |
-| ``submodules_versioncheck`` | ``false`` | Optionaly enable simple versionscheck of this role |
 | ``l3d_users__limit_login`` | ``true`` | Only allow SSH login for specified users |
 | ``l3d_users__sshd_port`` | ``22`` | Port for SSH |
 | ``l3d_users__sshd_password_authentication`` | ``false`` | Allow login with Password |
@@ -54,10 +52,7 @@ There is a third directory-variable called ``l3d_users__ssh_login: []`` which on
 | ``l3d_users__sshd_manage_macs`` | ``true`` | Manage Used MACs |
 | ``l3d_users__sshd_macs`` | ``['hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512']`` | Used MACs |
 | ``l3d_users__sshd_xforwarding`` |``true`` | Enable X-Forwarding |
-
+| ``submodules_versioncheck`` | ``false`` | Optionaly enable simple versionscheck of this role |
-# run simple versionscheck
-submodules_versioncheck: false
-
 
  Example Playbook
 -----------------

roles/sshd/defaults/main.yml

@@ -14,6 +14,7 @@ l3d_users__default_users: []
 #    admin: true
 #    admin_commands: 'ALL'
 #    admin_nopassword: false
+#    admin_ansible_login: true
 #  - name: 'bob'
 #    state: 'present'
 #    shell: '/bin/zsh'

roles/sshd/vars/main.yml

@@ -1,5 +1,5 @@
 ---
-playbook_version_number: 2
+playbook_version_number: 3
 playbook_version_path: 'l3d.users.sshd.version'
 
 l3d_users_sshd__service_var_path:

roles/user/README.md

@@ -15,29 +15,31 @@ There are two variables to define users. The ``l3d_users__default_users`` is men
 + The dictionary-variable for your host_vars to set your host-specific users and admins is: ``l3d_users__local_users``.
 The Option of these directory-variables are the following.
 
-| option | values | description |
+| option | values | required | description |
-| ------ | ------ | --- |
+| ------ | ------ | --- | --- |
-| name   | string | The user you want to create |
+| ``name``   | *string* | ``required`` | The user you want to create |
-| state  | ``present`` | Create or delete user |
+| ``state``  | ``present`` | - | Create or delete user |
-| shell | ``/bin/bash`` | The Shell of the User |
+| ``shell`` | ``/bin/bash`` | - | The Shell of the User |
-| create_home | ``true`` | create a user home *(needed to store ssh keys)* |
+| ``create_home`` | ``true`` | - | create a user home *(needed to store ssh keys)* |
-| admin | ``false`` | enable it to give the user superpowers |
+| ``admin | ``false`` | - | enable it to give the user superpowers |
-| admin_commands | string or list | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
+| ``admin_commands`` | *string or list* | - | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
-| admin_nopassword | false | Need no Password for sudo |
+| ``admin_nopassword`` | ``false`` | - | Need no Password for sudo |
-| pubkeys | string or lookup | see examples |
+| ``admin_ansible_login`` | ``true`` | - | if ``admin: true`` and ``l3d_users__create_ansible: true`` your ssh keys will be added to ansible user |
-| exklusive_pubkeys | ``true`` | delete all undefined ssh keys |
+| ``pubkeys`` | string or lookup | - | see examples |
-| password | password hash | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
+| ``exklusive_pubkeys`` | ``true`` | - | delete all undefined ssh keys |
-| remove | ``false`` | completly remove user if state is absent |
+| ``password`` | password hash | - | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
+| ``remove`` | ``false`` | - | completly remove user if ``state: absent`` |
 
-### Other
+### Other Variables
 
 | name | default value | description |
 | ---  | --- | --- |
-| l3d_users__create_ansible | ``true`` | Create User ansible |
+| ``l3d_users__create_ansible`` | ``true`` | Create User ansible |
-| l3d_users__ansible_user_state | ``present`` | Create or delete user ansible |
+| ``l3d_users__ansible_user_state`` | ``present`` | Create or delete user ansible |
-| l3d_users__set_ansible_ssh_keys | ``false`` | Set SSH Keys for User ansible |
+| ``l3d_users__set_ansible_ssh_keys`` | ``false`` | Set SSH Keys for User ansible |
-| l3d_users__ansible_ssh_keys | | SSH public Keys. One per line or as lookup |
+| ``l3d_users__ansible_ssh_keys`` | | SSH public Keys. One per line or as lookup |
-| submodules_versioncheck | ``false`` | Optionaly enable simple versionscheck of this role |
+| ``l3d_users__ansible_user_password`` | | Set optional Password for Ansible User, see [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
+| ``submodules_versioncheck`` | ``false`` | Optionaly enable simple versionscheck of this role |
 
  Example Playbook
 -----------------

roles/user/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 # create users
-l3d_users__default_users: {}
+l3d_users__default_users: []
 #  - name: 'alice'
 #    state: 'present'
 #    shell: '/bin/bash'
@@ -14,6 +14,7 @@ l3d_users__default_users: {}
 #    admin: true
 #    admin_commands: 'ALL'
 #    admin_nopassword: false
+#    admin_ansible_login: true
 #  - name: 'bob'
 #    state: 'present'
 #    shell: '/bin/zsh'
@@ -21,7 +22,7 @@ l3d_users__default_users: {}
 #    pubkeys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}"
 #    exklusive_pubkeys: false
 
-l3d_users__local_users: {}
+l3d_users__local_users: []
 #  - name: 'charlie'
 #    state: 'present'
 #    admin: false
@@ -32,5 +33,7 @@ l3d_users__create_ansible: true
 l3d_users__ansible_user_state: 'present'
 l3d_users__set_ansible_ssh_keys: false
 l3d_users__ansible_ssh_keys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}"
+l3d_users__ansible_user_password: ''
+
 # run simple versionscheck
 submodules_versioncheck: false

roles/user/tasks/user_ansible.yml

@@ -13,6 +13,7 @@
     shell: '/bin/bash'
     group: 'ansible'
     state: "{{ l3d_users__ansible_user_state | ternary('present', 'absent') }}"
+    password: "{{ l3d_users__ansible_user_password }}"
     create_home: true
 
 - name: Set dedicated SSH keys for User ansible and drop all other keys
@@ -31,6 +32,6 @@
     state: "{{ l3d_users__ansible_user_state | ternary('present', 'absent') }}"
     key: "{{ item.pubkeys | default() }}"
   loop: "{{ _l3d_users__merged_users }}"
-  when: item.admin | default(false) | bool
+  when: item.admin | default(false) | bool and item.admin_ansible_login | default(true) | bool
   loop_control:
     label: "user: ['{{ item.name }}']"

roles/user/vars/main.yml

@@ -1,3 +1,3 @@
 ---
-playbook_version_number: 6
+playbook_version_number: 7
 playbook_version_path: 'l3d.users.user.version'