creating users - how to filter a vars dict from within a given playbook per inventory class


Dave Cottlehuber

Jun 12, 2016, 2:38:04 PM
to ansible...@googlegroups.com
Hi folks,

I have a presumably typical setup - see end for the yaml files.

- a generic role to create users
- a vars file with all the users across my environment

Which works fine if I want all users on every box.

However I need to apply only a subset of these users to various systems
- for example, all boxes should have the ansible user created, but only
webservers should have the additional ops user created.

I couldn't find a way from within the playbook only to require the
ansible user from `vars/users.yml`. So I tried instead splitting the
vars up into 2 separate files in the playbook:

```bootstrap.yml
---
- name: deploy and configure site
  hosts: all
  become: yes
  gather_facts: yes
  vars_files:
    - vars/ansible.yml
    - vars/ops.yml
  roles:
    - users
...
```

however as expected, only the 2nd user is created/defined, as the users
dict is replaced, and not merged.

What's the best way to selectively apply users to various servers,
without needing to duplicate the user details in different vars files? I
feel like I'm missing something *really* obvious here.

Thanks!

exact role & vars follow.

```roles/users/tasks/main.yml
---
- name: create user groups
  group:
    name: "{{ item.key }}"
    gid: "{{ item.value.gid | default(omit) }}"
  with_dict: "{{ users }}"
  tags:
    - users
    - groups

- name: create user accounts
  user:
    name: "{{ item.key }}"
    state: "{{ item.value.state | default(omit) }}"
    # uid is documented as optional in vars/users.yml, so omit it when unset
    uid: "{{ item.value.uid | default(omit) }}"
    group: "{{ item.key }}"
    groups: "{{ item.value.groups | default(omit) }}"
    shell: "{{ item.value.shell | default(omit) }}"
    comment: "{{ item.value.email | default('root@localhost') | regex_replace('@', '%') }}"
  with_dict: "{{ users }}"
  tags:
    - users
    - accounts

- name: manage ssh keys
  authorized_key:
    user: "{{ item.key }}"
    manage_dir: yes
    exclusive: yes
    key: "{{ item.value.ssh_options }} {{ item.value.ssh_key }}"
  with_dict: "{{ users }}"
  tags:
    - users
    - sshkeys
```


```
# vars/users.yml
---
users:
  # user defaults
  #   state: present (or absent to delete entirely)
  #   uid: optional, numeric
  #   gid: optional, numeric
  #   groups: optional
  #   shell: optional, string path to installed valid shell
  #   email: optional, applied to GECOS and similar fields
  #   ssh_options: optional, ssh-ed25519 | ssh-rsa ...
  #   ssh_key: required
  #   pgp_key: optional, for http://pgp.mit.edu/pks/lookup?op=get&search=
  ansible:
    uid: 333
    gid: 333
    groups: ansible,wheel
    shell: /bin/sh
    email: f...@bar.com
    ssh_key: AAAAC3N1234561273451276345216
    ssh_options: ssh-ed25519

  ops:
    groups: mail,www
    uid: 9000
    gid: 9000
    ssh_key: AAAAC3N1234561273451276345216
    ssh_options: ssh-ed25519
```

A+ Dave


Vincent Van der Kussen

Jun 12, 2016, 3:38:02 PM
to ansible...@googlegroups.com

Maybe something like

when: 'webservers' in group_names

Might help.


Dave Cottlehuber

Jun 12, 2016, 6:45:42 PM
to ansible...@googlegroups.com
On Sun, 12 Jun 2016, at 21:37, Vincent Van der Kussen wrote:
> Maybe something like
>
> when: 'webservers' in group_names
>
> Might help.

This is the crux of the issue - I can't put this in the vars file, so
how does one keep the roles and vars info reusable? I should be able to
constrain these only in the final playbook.

Here's the error I got trying to limit to a specific user, ignoring the
inventory class for the moment as it's a trivial when: clause.

{"failed": true, "msg": "The conditional check 'users.item.key ==
\"ansible\"' failed. The error was: error while evaluating conditional
(users.item.key == \"ansible\"): 'dict object' has no attribute 'item'"}

& the playbook:

```site.yml
- name: deploy and configure site
  hosts: all
  become: yes
  gather_facts: yes
  vars_files:
    - vars/users.yml
  roles:
    - { role: users, when: users.item.key == "ansible" }
```

Any other suggestions? Different approaches?

End goal is that on all hosts we have ansible user created, and on Y
hosts, a subset of all hosts, we have additional users set up

A+
Dave
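One way to do the selection in the final playbook, as an added example that is not part of the thread and not the poster's own code. It leaves the posted role and vars/users.yml untouched. The `users.item.key` conditional in the previous message fails because `users.item` is looked up as a key of the `users` dict, which has no such key; the loop variable is plain `item`. Instead of filtering inside the role, the play below builds a per-host dict in `pre_tasks` from a list of entitled usernames (the `ansible` account for everyone via `group_vars/all.yml`, plus `ops` for the `webservers` group via `group_vars/webservers.yml`, which is what Vincent's `group_names` suggestion boils down to) and hands it to the role as a role parameter. The variable names `base_users`, `extra_users`, `host_users` and `host_user_defs` are assumptions introduced here.

```yaml
# Added example, not from the original post. Variable names are assumed.
# --- group_vars/all.yml ---
---
# every host gets the ansible account; groups append to extra_users instead
# of redefining host_users, so a group file adds to the list rather than
# replacing it (the same replace-not-merge problem the vars_files hit)
base_users:
  - ansible
extra_users: []
# templated lazily, so each host sees its own group's extra_users
host_users: "{{ base_users + extra_users }}"

# --- group_vars/webservers.yml ---
---
extra_users:
  - ops

# --- site.yml ---
---
- name: deploy and configure site
  hosts: all
  become: yes
  gather_facts: yes
  vars_files:
    - vars/users.yml          # the single shared dict of all users, unchanged
  pre_tasks:
    # accumulate a new dict containing only the entries this host is entitled to;
    # set_fact in a loop re-reads the fact on every iteration, so combine() grows it
    - name: keep only the users this host should have
      set_fact:
        host_user_defs: "{{ host_user_defs | default({}) | combine({item.key: item.value}) }}"
      with_dict: "{{ users }}"
      when: item.key in host_users
      tags:
        - always            # must run even when the play is limited with --tags sshkeys etc.

    # a typo in host_users would otherwise silently manage nobody on this host
    - name: refuse to continue if no users were selected
      fail:
        msg: "no users selected for {{ inventory_hostname }}: host_users={{ host_users }}"
      when: host_user_defs is not defined
      tags:
        - always

  roles:
    # a role parameter outranks vars_files, so inside the role `users`
    # resolves to the filtered dict and the role itself needs no change
    - { role: users, users: "{{ host_user_defs }}" }
```

Two things to keep in mind. Keep the fact name different from `users`, otherwise the `set_fact` loop reads the dict it is overwriting. And filtering is not removal: a name dropped from `host_users` simply stops being managed, so the account and its authorized_keys stay on the host. `exclusive: yes` only replaces the key file of users the role still visits. To revoke access, leave the user in the selection and set `state: absent` in vars/users.yml (the role already passes `state` through), or add an explicit cleanup task.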