feat: add users and groups support

docs/data-sources/group.md

@@ -0,0 +1,45 @@
+---
+page_title: "truenas_group Data Source - terraform-provider-truenas"
+subcategory: ""
+description: |-
+  Fetches information about a TrueNAS group.
+---
+
+# truenas_group (Data Source)
+
+Fetches information about a TrueNAS group.
+
+## Example Usage
+
+```terraform
+# Look up the wheel group
+data "truenas_group" "wheel" {
+  name = "wheel"
+}
+
+output "wheel_gid" {
+  value = data.truenas_group.wheel.gid
+}
+
+output "wheel_members" {
+  value = data.truenas_group.wheel.users
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name of the group to look up.
+
+### Read-Only
+
+- `builtin` (Boolean) Whether this is a built-in system group.
+- `gid` (Number) UNIX group ID.
+- `id` (String) Internal group ID.
+- `local` (Boolean) Whether this is a local group (vs. directory service).
+- `smb` (Boolean) Whether the group is eligible for SMB share ACLs.
+- `sudo_commands` (List of String) List of allowed sudo commands.
+- `sudo_commands_nopasswd` (List of String) List of allowed sudo commands without password.
+- `users` (List of Number) List of user IDs that are members of this group.

docs/data-sources/user.md

@@ -0,0 +1,58 @@
+---
+page_title: "truenas_user Data Source - terraform-provider-truenas"
+subcategory: ""
+description: |-
+  Fetches information about a TrueNAS user.
+---
+
+# truenas_user (Data Source)
+
+Fetches information about a TrueNAS user.
+
+## Example Usage
+
+```terraform
+# Look up the root user
+data "truenas_user" "root" {
+  username = "root"
+}
+
+output "root_uid" {
+  value = data.truenas_user.root.uid
+}
+
+output "root_home" {
+  value = data.truenas_user.root.home
+}
+
+output "root_group_id" {
+  value = data.truenas_user.root.group_id
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `username` (String) The username to look up.
+
+### Read-Only
+
+- `builtin` (Boolean) Whether this is a built-in system user.
+- `email` (String) Email address.
+- `full_name` (String) Full name of the user.
+- `group_id` (Number) Primary group internal ID.
+- `groups` (List of Number) List of secondary group IDs.
+- `home` (String) Home directory path.
+- `id` (String) Internal user ID.
+- `local` (Boolean) Whether this is a local user (vs. directory service).
+- `locked` (Boolean) Whether the account is locked.
+- `password_disabled` (Boolean) Whether password login is disabled.
+- `shell` (String) Login shell path.
+- `smb` (Boolean) Whether SMB authentication is enabled.
+- `ssh_password_enabled` (Boolean) Whether SSH password authentication is enabled.
+- `sshpubkey` (String) SSH public key.
+- `sudo_commands` (List of String) List of allowed sudo commands.
+- `sudo_commands_nopasswd` (List of String) List of allowed sudo commands without password.
+- `uid` (Number) UNIX user ID.

docs/resources/group.md

@@ -0,0 +1,58 @@
+---
+page_title: "truenas_group Resource - terraform-provider-truenas"
+subcategory: ""
+description: |-
+  Manages local groups on TrueNAS.
+---
+
+# truenas_group (Resource)
+
+Manages local groups on TrueNAS.
+
+## Example Usage
+
+### Basic Group
+
+```terraform
+# Create a group for developers
+resource "truenas_group" "developers" {
+  name = "developers"
+  smb  = false
+}
+
+# Create a group with a specific GID and sudo access
+resource "truenas_group" "admins" {
+  name = "admins"
+  gid  = 5000
+  smb  = false
+
+  sudo_commands_nopasswd = ["ALL"]
+}
+```
+
+## Import
+
+Groups can be imported using the UNIX GID:
+
+```shell
+terraform import truenas_group.wheel 0
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) Group name.
+
+### Optional
+
+- `gid` (Number) UNIX group ID. If not specified, TrueNAS assigns the next available GID.
+- `smb` (Boolean) Allow group to be used for SMB permissions.
+- `sudo_commands` (List of String) List of allowed sudo commands.
+- `sudo_commands_nopasswd` (List of String) List of allowed sudo commands without password.
+
+### Read-Only
+
+- `builtin` (Boolean) Whether this is a built-in system group.
+- `id` (String) Group ID.

docs/resources/user.md

@@ -0,0 +1,83 @@
+---
+page_title: "truenas_user Resource - terraform-provider-truenas"
+subcategory: ""
+description: |-
+  Manages local users on TrueNAS.
+---
+
+# truenas_user (Resource)
+
+Manages local users on TrueNAS.
+
+## Example Usage
+
+### Basic User
+
+```terraform
+# Create a basic user with an auto-created primary group
+resource "truenas_user" "jdoe" {
+  username     = "jdoe"
+  full_name    = "John Doe"
+  email        = "jdoe@example.com"
+  password     = var.user_password
+  group_create = true
+  shell        = "/usr/bin/bash"
+  smb          = false
+}
+
+# Create a user assigned to an existing group
+resource "truenas_user" "deploy" {
+  username          = "deploy"
+  full_name         = "Deploy User"
+  password_disabled = true
+  group_id          = truenas_group.developers.gid
+  sshpubkey         = file("~/.ssh/deploy.pub")
+  shell             = "/usr/bin/bash"
+  smb               = false
+}
+```
+
+> **Note:** Either `password` or `password_disabled = true` must be set. The `password` attribute is write-only and will not be read back from the API.
+
+> **Note:** `group_create` and `home_create` are only used during resource creation and are ignored on updates.
+
+## Import
+
+Users can be imported using the UNIX UID:
+
+```shell
+terraform import truenas_user.root 0
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `full_name` (String) Full name (GECOS field).
+- `username` (String) Login username.
+
+### Optional
+
+- `email` (String) Email address.
+- `group_create` (Boolean) Create a new primary group with the same name as the user. Only used during creation.
+- `group_id` (Number) Primary group ID.
+- `groups` (List of Number) List of secondary group IDs.
+- `home` (String) Home directory path.
+- `home_create` (Boolean) Create the home directory if it does not exist. Only used during creation.
+- `home_mode` (String) Home directory permissions (octal).
+- `locked` (Boolean) Lock user account.
+- `password` (String, Sensitive) User password.
+- `password_disabled` (Boolean) Disable password login.
+- `shell` (String) Login shell path.
+- `smb` (Boolean) Allow user for SMB authentication.
+- `ssh_password_enabled` (Boolean) Allow SSH password authentication.
+- `sshpubkey` (String) SSH public key.
+- `sudo_commands` (List of String) List of allowed sudo commands.
+- `sudo_commands_nopasswd` (List of String) List of allowed sudo commands without password.
+- `uid` (Number) UNIX user ID. If not specified, TrueNAS assigns the next available UID.
+
+### Read-Only
+
+- `builtin` (Boolean) Whether this is a built-in system user.
+- `id` (String) User ID.

examples/data-sources/group/main.tf

@@ -0,0 +1,12 @@
+# Look up the wheel group
+data "truenas_group" "wheel" {
+  name = "wheel"
+}
+
+output "wheel_gid" {
+  value = data.truenas_group.wheel.gid
+}
+
+output "wheel_members" {
+  value = data.truenas_group.wheel.users
+}

examples/data-sources/user/main.tf

@@ -0,0 +1,16 @@
+# Look up the root user
+data "truenas_user" "root" {
+  username = "root"
+}
+
+output "root_uid" {
+  value = data.truenas_user.root.uid
+}
+
+output "root_home" {
+  value = data.truenas_user.root.home
+}
+
+output "root_group_id" {
+  value = data.truenas_user.root.group_id
+}

examples/resources/group/main.tf

@@ -0,0 +1,14 @@
+# Create a group for developers
+resource "truenas_group" "developers" {
+  name = "developers"
+  smb  = false
+}
+
+# Create a group with a specific GID and sudo access
+resource "truenas_group" "admins" {
+  name = "admins"
+  gid  = 5000
+  smb  = false
+
+  sudo_commands_nopasswd = ["ALL"]
+}

examples/resources/user/main.tf

@@ -0,0 +1,21 @@
+# Create a basic user with an auto-created primary group
+resource "truenas_user" "jdoe" {
+  username     = "jdoe"
+  full_name    = "John Doe"
+  email        = "jdoe@example.com"
+  password     = var.user_password
+  group_create = true
+  shell        = "/usr/bin/bash"
+  smb          = false
+}
+
+# Create a user assigned to an existing group
+resource "truenas_user" "deploy" {
+  username          = "deploy"
+  full_name         = "Deploy User"
+  password_disabled = true
+  group_id          = truenas_group.developers.gid
+  sshpubkey         = file("~/.ssh/deploy.pub")
+  shell             = "/usr/bin/bash"
+  smb               = false
+}

internal/api/group.go

@@ -0,0 +1,15 @@
+package api
+
+// GroupResponse represents a group from the TrueNAS API.
+type GroupResponse struct {
+	ID                   int64    `json:"id"`
+	GID                  int64    `json:"gid"`
+	Name                 string   `json:"name"`
+	Builtin              bool     `json:"builtin"`
+	SMB                  bool     `json:"smb"`
+	SudoCommands         []string `json:"sudo_commands"`
+	SudoCommandsNopasswd []string `json:"sudo_commands_nopasswd"`
+	Users                []int64  `json:"users"`
+	Local                bool     `json:"local"`
+	Immutable            bool     `json:"immutable"`
+}

internal/api/user.go

@@ -0,0 +1,32 @@
+package api
+
+// UserGroupResponse represents the nested group object in a user response.
+type UserGroupResponse struct {
+	ID        int64  `json:"id"`
+	GID       int64  `json:"bsdgrp_gid"`
+	GroupName string `json:"bsdgrp_group"`
+}
+
+// UserResponse represents a user from the TrueNAS API.
+type UserResponse struct {
+	ID                   int64             `json:"id"`
+	UID                  int64             `json:"uid"`
+	Username             string            `json:"username"`
+	FullName             string            `json:"full_name"`
+	Email                *string           `json:"email"`
+	Home                 string            `json:"home"`
+	Shell                string            `json:"shell"`
+	HomeMode             string            `json:"home_mode"`
+	Group                UserGroupResponse `json:"group"`
+	Groups               []int64           `json:"groups"`
+	SMB                  bool              `json:"smb"`
+	PasswordDisabled     bool              `json:"password_disabled"`
+	SSHPasswordEnabled   bool              `json:"ssh_password_enabled"`
+	SSHPubKey            *string           `json:"sshpubkey"`
+	Locked               bool              `json:"locked"`
+	SudoCommands         []string          `json:"sudo_commands"`
+	SudoCommandsNopasswd []string          `json:"sudo_commands_nopasswd"`
+	Builtin              bool              `json:"builtin"`
+	Local                bool              `json:"local"`
+	Immutable            bool              `json:"immutable"`
+}