Various improvements to role #62
Open
Zugschlus wants to merge 13 commits into weareinteractive:master from
added 13 commits
April 13, 2026 08:37
This allows later tasks to determine whether the user was just created by ansible.builtin.user or just modified. This allows us to overwrite the password only for a brand new user.
We use a configurable command, defaulting to pwgen --secure 12 1, to generate a random password that can later be poked into the user.
This will always overwrite the password with the user_random_password_hash if user_random_password_hash is set. That will only happen for a newly created user if a random password is asked for. If those preconditions are not met, behavior remains unchanged.
The new user needs to know their password. We therefore put it in a file in the home directory, only readable for themselves. This is necessary to allow the user to change their password.
This implements an "update_user" parameter which works like "update_password": If set to "on_create", the user is only touched if it already exists. If set to "always", the existing user's data is always forced to match what is set for the user. This is an important distinction, for example between service accounts (which should always match what is in the playbook and local changes should be overwritten) and user accounts (which might allow the user to, for example, set their own shell of desire without ansible stomping over the user's decision).
This allows to see whether a newly created user has changed the password that was set by this role. With this, it becomes possible to first create a new account, then have the owner change the password, and then add them to the sudoers group only after the password was changed. The setting is only done if a password was actually generated and set. This is necessary because ansible.builtin.user does not expose this setting (see ansible/ansible#86828).
This gets rid of the multiline output for the user loop. If access to the full user dict is desired, a debug task should be added.
This allows one to use "when: users_debug | bool" in debugging tasks
... disabled by default
This allows one to disable creating users that have incomplete info
Hi,
This is my first attempt to improve a published ansible role. I apologize for mixing up so many different things in one PR. I tried to separate the things in different commits so you can cherry-pick at will. I would love to add unit tests, but the docs don't seem to match reality; the Makefile doesn't actually have a test target.
My changes (see detailed commit comments for more in-depth explanations and use cases):
Thanks for your consideration.
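The create-only random password flow and the "update_user" distinction described in the commit messages above, written out as a stand-alone playbook for a single account. This is an added example, not code from the role or from this PR: the variable names (demo_user, demo_update_user, demo_random_password, users_random_password_cmd, the .initial-password file name) are assumptions, and the getent pre-check is one way to tell a freshly created account from a modified one; the mechanism the PR itself uses for that is not shown on this page.

```yaml
# Added example, not the role's own code. Demonstrates the flow from the commit
# messages: generate a password only for a brand-new account that asked for one,
# set it, hand it to the user in a 0600 file, and leave existing accounts alone
# unless update_user is "always". Variable names are assumptions.
- name: Create-only random password for a new account
  hosts: all
  become: true
  vars:
    demo_user: alice                                   # constructed sample account
    demo_update_user: on_create                        # "always" for service accounts
    demo_random_password: true
    users_random_password_cmd: "pwgen --secure 12 1"   # default named in the commits
    users_debug: false                                 # "when: users_debug | bool" gate
  tasks:
    - name: Check which accounts already exist before touching anything
      ansible.builtin.getent:
        database: passwd

    - name: Decide whether this run creates the account or manages an existing one
      ansible.builtin.set_fact:
        demo_user_is_new: "{{ demo_user not in getent_passwd }}"
        # update_user semantics: "always" keeps the account in sync with the
        # playbook; "on_create" never overrides a user's own later changes.
        demo_user_manage: "{{ demo_update_user == 'always' or demo_user not in getent_passwd }}"

    - name: Generate an initial password only for a brand-new account that asked for one
      ansible.builtin.command:
        cmd: "{{ users_random_password_cmd }}"
      register: demo_pwgen
      changed_when: false
      no_log: true                                     # keep the secret out of logs
      when:
        - demo_user_is_new | bool
        - demo_random_password | bool

    - name: Ensure the account matches the playbook (new account, or update_user == always)
      ansible.builtin.user:
        name: "{{ demo_user }}"
        state: present
        shell: /bin/bash
        create_home: true
        # Only set a hash when one was actually generated; otherwise leave the
        # existing password untouched, so behaviour stays unchanged for old accounts.
        password: "{{ demo_pwgen.stdout | password_hash('sha512') if demo_pwgen is not skipped else omit }}"
        update_password: always
      register: demo_user_result
      no_log: true
      when: demo_user_manage | bool

    - name: Hand the initial password to the user, readable only by them
      ansible.builtin.copy:
        content: "{{ demo_pwgen.stdout }}\n"
        dest: "{{ demo_user_result.home }}/.initial-password"
        owner: "{{ demo_user }}"
        mode: "0600"
      no_log: true
      when: demo_pwgen is not skipped

    - name: Show the full user dict only when debugging is switched on
      ansible.builtin.debug:
        var: demo_user_result
      when: users_debug | bool
```

Run it with ansible-playbook against a disposable host. The password_hash filter needs passlib on the controller where the platform's crypt module is unavailable; no_log keeps both the generated string and its hash out of controller output and callback logs, and the .initial-password file protects the secret only as well as the home directory's own permissions do, which is why the copy task sets mode 0600 and a single owner.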