add possibility to restrict user creation to specific users on a host

areyer · areyer · commit 7496bab99ad3 · 2024-08-11T12:38:25.000+02:00
diff --git a/README.md b/README.md
@@ -122,6 +122,10 @@ selectivly run only parts:
     * sudo without password
 * X.config.users."username".sudo_selfservice: false
     * sudo without password to use passwd, smbpasswd on own user
+* lihas_users_filter: []
+    * only create these users
+* TODO: lihas_users_filter_exclusive: false
+    * remove existing users that would be created without a `lihas_users_filter`
 
 ## Variables example
 ```
diff --git a/tasks/10-users.yml b/tasks/10-users.yml
@@ -1,3 +1,15 @@
+- name: "Check if to create user"
+  ansible.builtin.debug:
+    msg: "Will create {{ user.key }}"
+  when: lihas_users_filter is not defined or ( lihas_users_filter is defined and user.key in lihas_users_filter )
+  tags:
+    - users
+- name: "Check if to create user"
+  ansible.builtin.debug:
+    msg: "Will not create {{ user.key }}"
+  when: lihas_users_filter is defined and user.key not in lihas_users_filter
+  tags:
+    - users
 - name: Create/modify user
   ansible.builtin.user:
     name: "{{ user.key }}"
@@ -9,6 +21,7 @@
     create_home: "{{ user.value.create_home | default(true) }}"
     groups: "{{ user.value.groups | default(omit) }}"
     state: "{{ user.value.state | default('present') }}"
+  when: lihas_users_filter is not defined or ( lihas_users_filter is defined and user.key in lihas_users_filter )
   tags:
     - users
   become: "{{ lihas_become }}"
@@ -18,6 +31,7 @@
     state: directory
     owner: "{{ user.key }}"
     recurse: true
+  when: ( lihas_users_filter is not defined or ( lihas_users_filter is defined and user.key in lihas_users_filter ) ) and user.value.force_home_user | default(false)
   when: user.value.force_home_user | default(false)
   tags:
     - users
@@ -31,6 +45,7 @@
   loop: "{{ user.value.ssh_authorized_keys | default([]) }}"
   loop_control:
     loop_var: sshkey
+  when: lihas_users_filter is not defined or ( lihas_users_filter is defined and user.key in lihas_users_filter )
   tags:
     - users
   become: "{{ lihas_become }}"
@@ -45,5 +60,5 @@
   tags:
     - users
   become: "{{ lihas_become }}"
-  when: user.value.sudo | default(false) or user.value.sudo_selfservice | default(false)
+  when: ( lihas_users_filter is not defined or ( lihas_users_filter is defined and user.key in lihas_users_filter ) ) and ( user.value.sudo | default(false) or user.value.sudo_selfservice | default(false) )
 ...
diff --git a/tasks/users.yml b/tasks/users.yml
@@ -11,8 +11,19 @@
     - users
 - name: "Users: show users"
   ansible.builtin.debug:
-    var: users
+    var: lihas_common_users
     verbosity: 1
+  tags:
+    - users
+- name: "Users: show users, flattened"
+  ansible.builtin.debug:
+    var: lihas_common_users | flatten(levels=1)
+    verbosity: 1
+  tags:
+    - users
+#- name: "Users: filter wanted only"
+#  ansible.builtin.set_fact:
+#
 - name: "Users: include tasks/10-users.yml"
   ansible.builtin.include_tasks: tasks/10-users.yml
   with_dict: "{{ lihas_common_users | default({}) }}"
