Example 1: Update or create passwords

Let’s start with no passwords stored in passwordstore for the users at host test_01. The command shows no results

shell> pass test_01

Create a playbook

shell> cat lp.yml
- hosts: test_01
  become: true
  roles:
    - vbotka.linux_postinstall

Create host_vars/test_01/lp-users.yml with two users user1 and user2

shell> cat host_vars/test_01/lp-users.yml
lp_users:
  - {name: user1, shell: /bin/sh}
  - {name: user2, shell: /bin/bash}
  - {name: user3, shell: /bin/bash, disabled_password: true}

Note

  • If disabled_password is set to true (default: false), no password is created for the account, but login is still possible (for example with SSH RSA keys).

Create users. This step creates the users and configures their login shell. Other parameters of the Ansible module user are omitted, because the only required parameter is name. It’s a good idea to create one account with the login shell /bin/sh and use it as the Ansible remote_user.

shell> ansible-playbook lp.yml -t lp_users
...
TASK [vbotka.linux_postinstall : users: Manage user accounts] *********
changed: [test_01] => (item=user1)
changed: [test_01] => (item=user2)

Create host_vars/test_01/lp-passwords.yml

shell> cat host_vars/test_01/lp-passwords.yml
lp_passwords: true
lp_passwordstore: true
lp_passwordstore_create: false
lp_passwordstore_overwrite: false

Create passwords. This step uses passwordstore to create the passwords and configure them on the host. New passwords are created only if lp_passwordstore_create allows it. We set this variable to True on the command line for this run but keep it False in the configuration, so that the passwords are kept once created. lp_passwordstore_overwrite stays False: new passwords are assigned only to users that had no password assigned before. To change the passwords in the future, set both variables to True on the command line.

shell> ansible-playbook lp.yml -t lp_passwords -e lp_passwordstore_create=True
...

TASK [vbotka.ansible_lib : al_pws_user_host: Retrieve, create or update ...]
ok: [test_01] => (item=user1)
ok: [test_01] => (item=user2)
...
TASK [vbotka.linux_postinstall : users: Manage user accounts] **********
changed: [test_01] => (item=user1)
changed: [test_01] => (item=user2)

The command is idempotent

shell> ansible-playbook lp.yml -t lp_passwords
...
PLAY RECAP *************************************************************
test_01: ok=18 changed=0 unreachable=0 failed=0 skipped=20 rescued=0 ...
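The two steps above (fetch or create the secret in passwordstore, then set the account password) and the idempotent re-run can be reproduced without the role, using only the stock passwordstore lookup and the user module. The playbook below is an added example written for this page; it is not the code of vbotka.linux_postinstall or vbotka.ansible_lib, and the variables users, pws_create and pws_overwrite are hypothetical stand-ins for lp_users, lp_passwordstore_create and lp_passwordstore_overwrite. That the role maps its variables onto the lookup's create= and overwrite= parameters is an assumption.

```yaml
# Added example, not the role's own code. Mirrors the flow documented above:
# the secret lives in ~/.password-store on the controller, the host only
# receives a crypt(3) hash.
- hosts: test_01
  become: true
  vars:
    pws_create: false      # hypothetical stand-in for lp_passwordstore_create
    pws_overwrite: false   # hypothetical stand-in for lp_passwordstore_overwrite
    users:                 # hypothetical stand-in for lp_users
      - {name: user1, shell: /bin/sh}
      - {name: user2, shell: /bin/bash}
      - {name: user3, shell: /bin/bash, disabled_password: true}
  tasks:
    # Lookups run on the controller, so `pass` is invoked there. With
    # create=false and no entry in the store the lookup fails, hence the
    # first run needs -e pws_create=true, exactly like the role above.
    - name: Retrieve, create or update passwords in passwordstore
      ansible.builtin.set_fact:
        user_passwords: >-
          {{ user_passwords | default({}) |
             combine({item.name: lookup('passwordstore',
               inventory_hostname ~ '/' ~ item.name ~
               ' create=' ~ ((pws_create | bool) | ternary('true', 'false')) ~
               ' overwrite=' ~ ((pws_overwrite | bool) | ternary('true', 'false')))}) }}
      loop: "{{ users }}"
      when: not (item.disabled_password | default(false))
      no_log: true   # keep the plaintext out of task output and logs

    # A salt derived from host and user name makes the SHA-512 hash stable
    # between runs, so this task reports changed=0 until the secret in the
    # store actually changes (overwrite=true), matching the PLAY RECAP above.
    # Accounts with disabled_password get no password parameter at all.
    - name: Manage user accounts
      ansible.builtin.user:
        name: "{{ item.name }}"
        shell: "{{ item.shell }}"
        password: >-
          {{ omit if (item.disabled_password | default(false)) else
             user_passwords[item.name] | password_hash('sha512',
               ((inventory_hostname ~ '/' ~ item.name) | hash('sha256'))[:16]) }}
      loop: "{{ users }}"
      no_log: true
```

Run it once with `-e pws_create=true` to populate the store, then without extra variables to confirm changed=0; rotating a password is `-e pws_create=true -e pws_overwrite=true`, which regenerates the entry in the store and, because the hash changes, updates the account on the next run. The deterministic salt is not a secret (crypt salts are stored in /etc/shadow in the clear anyway); its only job is to make the comparison the user module performs stable across runs.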

Show the passwords stored in passwordstore at the controller

shell> pass test_01
test_01
├── user1
└── user2

shell> pass test_01/user1
1rLy0eVpJiTpzj-4
lookup_pass: First generated by ansible on 01/07/2020 16:59:00

shell> pass test_01/user2
u4FLTCkKOHAyJxkg
lookup_pass: First generated by ansible on 01/07/2020 16:59:00

Show the passwordstore log at the controller

shell> cd ~/.password-store
shell> git log

commit 61bb8bcd7c2a359f53c8b3d4bacb8854b4dd9f89 (HEAD -> master)
Author: Vladimir Botka <vbotka@gmail.com>
Date:   Wed Jul 1 16:59:00 2020 +0200

    Add given password for test_01/user2 to store.

commit 97b23a5221e721fb892d739b2817923a6db8614b
Author: Vladimir Botka <vbotka@gmail.com>
Date:   Wed Jul 1 16:59:00 2020 +0200

    Add given password for test_01/user1 to store.

Show the created users at the remote host

test_01> grep user /etc/passwd
user1:x:1003:1003::/home/user1:/bin/sh
user2:x:1004:1004::/home/user2:/bin/bash