pve_auth: disable root user

2023-04-06 18:22:37 +02:00 · 2023-04-06 18:22:37 +02:00 · bbaab0b767
commit bbaab0b767
parent 676dabd76b
3 changed files with 22 additions and 7 deletions
--- a/playbooks/pve.yml
+++ b/playbooks/pve.yml
@ -6,6 +6,9 @@
    pve_auth__groups:
      admin:
        - Administrator
+    pve_auth__pam_users:
+      root:
+        enabled: false
    pve_auth__users:
      jeltz:
        password: "{{ vault_pve_passwords.jeltz }}"
--- a/roles/pve_auth/defaults/main.yml
+++ b/roles/pve_auth/defaults/main.yml
@ -1,4 +1,5 @@
 ---
 pve_auth__groups: {}
 pve_auth__users: {}
+pve_auth__pam_users: {}
 ...
--- a/roles/pve_auth/templates/user.cfg.j2
+++ b/roles/pve_auth/templates/user.cfg.j2
@ -5,14 +5,25 @@
 user:{{ name }}@pve:{{ enabled | ternary(1, 0) }}:0::::::
 {% endfor %}

+{% for name, user in pve_auth__pam_users.items() %}
+{% set enabled = user.enabled | default(True) %}
+user:{{ name }}@pam:{{ enabled | ternary(1, 0) }}:0::::::
+{% endfor %}
+
 {% for group in pve_auth__groups.keys() %}
-{% set users = pve_auth__users
+{% set pve_users = pve_auth__users
                   | dict2items
                   | selectattr("value.groups", "defined")
 	           | selectattr("value.groups", "contains", group)
 	           | map(attribute="key")
 	           | map("suffix", "@pve") %}
-group:{{ group }}:{{ users | join(",") }}::
+{% set pam_users = pve_auth__pam_users
+                   | dict2items
+		   | selectattr("value.groups", "defined")
+	           | selectattr("value.groups", "contains", group)
+	           | map(attribute="key")
+	           | map("suffix", "@pam") %}
+group:{{ group }}:{{ (pve_users + pam_users) | join(",") }}::
 {% endfor %}

 {% for group, roles in pve_auth__groups.items() %}