pve_auth: disable root user

playbooks/pve.yml

@@ -6,6 +6,9 @@
     pve_auth__groups:
       admin:
         - Administrator
+    pve_auth__pam_users:
+      root:
+        enabled: false
     pve_auth__users:
       jeltz:
         password: "{{ vault_pve_passwords.jeltz }}"

roles/pve_auth/defaults/main.yml

@@ -1,4 +1,5 @@
 ---
 pve_auth__groups: {}
 pve_auth__users: {}
+pve_auth__pam_users: {}
 ...

roles/pve_auth/templates/user.cfg.j2

@@ -5,14 +5,25 @@
 user:{{ name }}@pve:{{ enabled | ternary(1, 0) }}:0::::::
 {% endfor %}
 
+{% for name, user in pve_auth__pam_users.items() %}
+{% set enabled = user.enabled | default(True) %}
+user:{{ name }}@pam:{{ enabled | ternary(1, 0) }}:0::::::
+{% endfor %}
+
 {% for group in pve_auth__groups.keys() %}
-{% set users = pve_auth__users
+{% set pve_users = pve_auth__users
                    | dict2items
                    | selectattr("value.groups", "defined")
 	           | selectattr("value.groups", "contains", group)
 	           | map(attribute="key")
 	           | map("suffix", "@pve") %}
-group:{{ group }}:{{ users | join(",") }}::
+{% set pam_users = pve_auth__pam_users
+                   | dict2items
+		   | selectattr("value.groups", "defined")
+	           | selectattr("value.groups", "contains", group)
+	           | map(attribute="key")
+	           | map("suffix", "@pam") %}
+group:{{ group }}:{{ (pve_users + pam_users) | join(",") }}::
 {% endfor %}
 
 {% for group, roles in pve_auth__groups.items() %}