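# SPDX-FileCopyrightText: 2023 Max Mehl
#
# SPDX-License-Identifier: Apache-2.0

---
# Task list: decides the shadow password field for one account (a hash, "*"
# to disable password login, or "" for an explicitly password-less account),
# then ensures the user, its SSH key and its home directory mode.
# Variables read here (presumably role vars/defaults — confirm against the
# role): username, password, allow_no_password, shell, generate_ssh_key,
# ssh_key_type, user_groups, groups_append, homedir_permissions.

- name: Unset password_value fact
  ansible.builtin.set_fact:
    password_value: ""
    special_pass: false

# Handle cases in which password variable is undefined or empty
- name: Disable password login for user unless empty password allowed for user {{ username }}
  when:
    - password is not defined or password|length == 0
    - not allow_no_password
  ansible.builtin.set_fact:
    # "*" can never match a hash, so password authentication is effectively off
    password_value: "*"
    special_pass: true

- name: Disable password login because given password was * for user {{ username }}
  when:
    # Check definedness first: comparing an undefined variable makes the
    # conditional itself fail instead of evaluating to false
    - password is defined
    - password == "*"
  ansible.builtin.set_fact:
    password_value: "*"
    special_pass: true

- name: Allow login without password as it is explicitely allowed for user {{ username }}
  when:
    - password is not defined or password|length == 0
    - allow_no_password
  ansible.builtin.set_fact:
    password_value: ""
    special_pass: true

- name: Hash provided password for user {{ username }}
  # The clear-text password flows through every task in this block; keep it
  # out of Ansible's output and logs
  no_log: true
  when:
    # Non-empty password has been provided
    - password is defined
    # None of the special cases has been handled before
    - not special_pass
  block:
    - name: Create idempotent salt for password of {{ username }}
      # Deterministic salt so repeated runs yield the same hash and the user
      # task reports no change. Trade-off: the salt is derivable from username
      # and hostname, which is weaker than a random salt.
      ansible.builtin.set_fact:
        salt: "{{ ((username + inventory_hostname) | hash('sha512'))[:16] }}"

    - name: Encrypt password for user {{ username }}
      # The password is passed on stdin rather than as a command-line argument
      # so it is not visible in the process list of the managed host
      ansible.builtin.command:
        cmd: openssl passwd -6 -salt "{{ salt }}" -stdin
        stdin: "{{ password }}"
      register: username_shadowpw
      changed_when: false
      check_mode: false

    - name: Set password value fact for user {{ username }}
      ansible.builtin.set_fact:
        password_value: "{{ username_shadowpw.stdout }}"

- name: "Ensure user is configured correctly: {{ username }}"
  ansible.builtin.user:
    name: "{{ username }}"
    password: "{{ password_value }}"
    shell: "{{ shell }}"
    # SSH
    generate_ssh_key: "{{ generate_ssh_key }}"
    ssh_key_type: "{{ ssh_key_type }}"
    # Groups
    groups: "{{ user_groups }}"
    append: "{{ groups_append }}"

- name: Ensure correct directory settings for user {{ username }}
  ansible.builtin.file:
    path: "/home/{{ username }}"
    state: directory
    mode: "{{ homedir_permissions }}"
  # root's home is not under /home
  when: username != "root"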