pve_auth: create role

2023-04-05 22:06:50 +02:00 · 2023-04-05 22:06:50 +02:00 · 8f51a2fb80
commit 8f51a2fb80
parent 32ed73735f
4 changed files with 46 additions and 0 deletions
--- a/roles/pve_auth/defaults/main.yml
+++ b/roles/pve_auth/defaults/main.yml
@ -0,0 +1,4 @@
+---
+pve_auth__groups: {}
+pve_auth__users: {}
+...
--- a/roles/pve_auth/tasks/main.yml
+++ b/roles/pve_auth/tasks/main.yml
@ -0,0 +1,17 @@
+---
+- name: Configure PVE users
+  template:
+    src: user.cfg.j2
+    dest: /etc/pve/user.cfg
+    owner: root
+    group: www-data
+    mode: u=rw,g=r,o=
+
+- name: Configure PVE passwords
+  template:
+    src: shadow.cfg.j2
+    dest: /etc/pve/priv/shadow.cfg
+    owner: root
+    group: www-data
+    mode: u=rw,g=,o=
+...
--- a/roles/pve_auth/templates/shadow.cfg.j2
+++ b/roles/pve_auth/templates/shadow.cfg.j2
@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+{% for name, user in pve_auth__users.items() %}
+{% if user.enabled | default(True) %}
+{{ name }}:{{ user.password }}:
+{% endif %}
+{% endfor %}
--- a/roles/pve_auth/templates/user.cfg.j2
+++ b/roles/pve_auth/templates/user.cfg.j2
@ -0,0 +1,18 @@
+{{ ansible_managed | comment }}
+
+{% for name, user in pve_auth__users.items() %}
+{% if user.enabled | default(True) %}
+user:{{ name }}@pve:1:0::::::
+{% endif %}
+{% endfor %}
+
+{% for group in pve_auth__groups.keys() %}
+{% set users = pve_auth__users
+               | selectattr("groups", "defined")
+	       | selectattr("groups", "contains", group) %}
+group:{{ group }}:{{ users | join(",") }}::
+{% endfor %}
+
+{% for group, roles in pve_auth__groups.items() %}
+acl:1:/:@{{ group }}:{{ roles | join(",") }}:
+{% endfor %}