ansible/roles/pve_auth/templates/user.cfg.j2


{{ ansible_managed | comment }}
{#
  User records: one line per key of pve_auth__users, written with the realm
  suffix "@pve". The field after the user id is the enable flag: 1 unless the
  entry sets `enabled` to a false value (a missing `enabled` defaults to
  True). The next field is a literal 0 (presumably the expiry field of the
  Proxmox VE user.cfg layout, 0 meaning no expiry; confirm). All remaining
  fields are left empty.

  NOTE(review): `name` is written verbatim into a colon- and line-delimited
  record. A key containing ":", "@" or a line break would change how the
  line is parsed, so names should be checked against a strict pattern before
  this template renders. No such check is visible here; confirm the role
  validates its variables elsewhere.

  NOTE(review): only users, groups and root-path ACLs are modelled by this
  template. If the rendered output replaces the live file, records of any
  other kind are not carried over; confirm how the role deploys it.
#}{% for name, user in pve_auth__users.items() %}
{% set enabled = user.enabled | default(True) %}
user:{{ name }}@pve:{{ enabled | ternary(1, 0) }}:0::::::
{% endfor %}
{#
  Same record shape for the keys of pve_auth__pam_users, written with the
  realm suffix "@pam". The same verbatim-name caveat applies to these keys.
#}{% for name, user in pve_auth__pam_users.items() %}
{% set enabled = user.enabled | default(True) %}
user:{{ name }}@pam:{{ enabled | ternary(1, 0) }}:0::::::
{% endfor %}
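{#
  Group records: for each key of pve_auth__groups, collect every user from
  both user dictionaries whose optional `groups` attribute contains that key,
  render each as name@realm and join them with commas. Users with no `groups`
  attribute are skipped by the "defined" test.

  Both filter chains end in `| list` so that the `+` below concatenates two
  real lists. Plain Jinja2 `map` yields a lazy iterator, and adding two of
  those only works where the templating layer unrolls them implicitly.

  `suffix` is not a filter defined on this page; it is assumed to be supplied
  by the project and to append its argument to each item (confirm).

  NOTE(review): membership is resolved from the group side. A name listed in
  a user's `groups` that is not a key of pve_auth__groups produces no
  membership and no error. Users with `enabled` set to false are still listed
  as members, so their loss of access rests on the enable flag alone.
  Group names and user names are written verbatim; a ":", "," or line break
  in either would change how the record is parsed.
#}{% for group in pve_auth__groups.keys() %}
{% set pve_users = pve_auth__users
| dict2items
| selectattr("value.groups", "defined")
| selectattr("value.groups", "contains", group)
| map(attribute="key")
| map("suffix", "@pve")
| list %}
{% set pam_users = pve_auth__pam_users
| dict2items
| selectattr("value.groups", "defined")
| selectattr("value.groups", "contains", group)
| map(attribute="key")
| map("suffix", "@pam")
| list %}
group:{{ group }}:{{ (pve_users + pam_users) | join(",") }}::
{% endfor %}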
{#
  ACL records: one line per key of pve_auth__groups, granting that group the
  comma-joined roles stored as its value. Every record is written with the
  literal path "/" and a leading flag of 1 (presumably the propagate flag of
  the Proxmox VE ACL record layout; confirm), so each group's roles apply
  from the root of the resource tree.

  NOTE(review): these variables offer no way to scope a group to a narrower
  path. Every role listed in pve_auth__groups should be reviewed as a grant
  on the whole tree, and groups kept to the minimum roles they need.

  NOTE(review): `roles` must be a list. `join` iterates its input, so a bare
  string value would be split into single characters. Group and role names
  are written verbatim; a ":", "," or line break in either would change how
  the record is parsed, so validate them before rendering.
#}{% for group, roles in pve_auth__groups.items() %}
acl:1:/:@{{ group }}:{{ roles | join(",") }}:
{% endfor %}