WIP: run ALL userdir tasks on basic_users_homedir_host

Author: sjpb

ansible/roles/basic_users/README.md

@@ -12,8 +12,8 @@ without requiring LDAP etc. Features:
 
 > [!IMPORTANT] This role assumes that `$HOME` for users managed by this role 
 (e.g. not `rocky` and other system users) is on a shared filesystem. The export
-of this sharef filesystem may be root squashed if the server is in the
-`basic_user` group - see configuration advice below.
+of this shared filesystem may be root squashed if its server is in the
+`basic_user` group - see configuration examples below.
 
 Role Variables
 --------------
@@ -35,8 +35,8 @@ Role Variables
   - Any other keys may present for other purposes (i.e. not used by this role).
 - `basic_users_groups`: Optional, default empty list. A list of mappings defining information for each group. Mapping keys/values are passed through as parameters to [ansible.builtin.group](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/group_module.html) and default values are as given there.
 - `basic_users_override_sssd`: Optional bool, default false. Whether to disable `sssd` when ensuring users/groups exist with this role. Permits creating local users/groups even if they clash with users provided via sssd (e.g. from LDAP). Ignored if host is not in group `sssd` as well. Note with this option active `sssd` will be stopped and restarted each time this role is run.
-- `basic_users_homedir_host`: Optional inventory hostname. Host to run actions
-  which manipulate the home directories. If home directories are exported with
+- `basic_users_homedir_host`: Optional inventory hostname specifying the host
+  on which to manipulate home directories (assuming `create_home` is true). If home directories are exported with
   root squash, this *must* specify that server. If root squash is not used it
   can be any node in the `basic_users` group. Default is the `control` node,
   which assumes the default appliance NFS-exported home directory configuration.

ansible/roles/basic_users/defaults/main.yml

@@ -1,11 +1,9 @@
 basic_users_homedir_host: "{{ groups['control'] | first }}" # no way, generally, to find the nfs_server
 basic_users_homedir_host_path: /exports/home
-_basic_users_manage_homedir: "{{ ansible_hostname == basic_users_homedir_host }}"
+# _basic_users_manage_homedir: "{{ ansible_hostname == basic_users_homedir_host }}"
 basic_users_userdefaults:
-  state: present
-  home: "{{ basic_users_homedir_host_path }}/{{ item.name }}"
-  create_home: "{{ _basic_users_manage_homedir }}"
-  generate_ssh_key:  "{{ _basic_users_manage_homedir }}"
+  state: present # need this here so don't have to add default() everywhere
+  generate_ssh_key:  true
   ssh_key_comment: "{{ item.name }}"
   ssh_key_type: ed25519
   shell: "{{'/sbin/nologin' if 'control' in group_names else omit }}"

ansible/roles/basic_users/tasks/main.yml

@@ -21,48 +21,110 @@
   ansible.builtin.group: "{{ item }}"
   loop:  "{{ basic_users_groups }}"
 
-- name: Create users and generate public keys
-  user: "{{ basic_users_userdefaults | combine(item) | filter_user_params() }}"
+- name: Create users
+  user: "{{ basic_users_userdefaults | combine(item) | filter_user_params() | combine(_disable_homedir) }}"
   loop: "{{ basic_users_users }}"
   loop_control:
-    label: "{{ item.name }} [{{ item.state | default('present') }}]"
-  register: basic_users_info
+    label: "{{ item.name }}"
+  vars:
+    _disable_homedir: # ensure this task doesn't touch $HOME
+      create_home: false
+      generate_ssh_key: false
 
 - name: Restart sssd if required
   systemd:
     name: sssd
     state: started
   when: _stop_sssd is changed
 
-- name: Write supplied public key as authorized for SSH access
-  authorized_key:
-    user: "{{ item.name }}"
-    state: present
-    key: "{{ item.public_key }}"
-  become_user: "{{ item.name }}"
-  loop: "{{ basic_users_users }}"
-  loop_control:
-    label: "{{ item.name }} [{{ item.state | default('present') }}]"
-  when:
-    - item.state | default('present') == 'present'
-    - item.public_key is defined
-    - _basic_users_manage_homedir
+- name: Modify home directories
+  delegate_to: "{{ basic_users_homedir_host }}"
+  run_once: true
+  block:
+    - name: Create home directories
+      # doesn't delete with state=absent, same as ansible.builtin.user
+      file:
+        state: directory
+        path: "{{ item.home | default( basic_users_homedir_host_path + '/' + item.name ) }}"
+        owner: "{{ item.name }}"
+        group: "{{ item.name }}"
+        mode: u=rwX,go=
+      loop: "{{ basic_users_users }}"
+      loop_control:
+        label: "{{ item.name }}"
+      when:
+        - item.state | default('present') == 'present'
+        - item.create_home | default(true) | bool
 
-- name: Write generated public key as authorized for SSH access
-  # this only runs on the _basic_users_manage_homedir so has registered var
-  # from that host too
-  authorized_key:
-    user: "{{ item.name }}"
-    state: present
-    manage_dir: no
-    key: "{{ item.ssh_public_key }}"
-  become_user: "{{ item.name }}"
-  loop: "{{ basic_users_info.results }}"
-  loop_control:
-    label: "{{ item.name }}"
-  when:
-  - item.ssh_public_key is defined
-  - _basic_users_manage_homedir
+    - name: Create ~/.ssh directories
+      file:
+        state: directory
+        path: "{{ _homedir }}/.ssh/"
+        owner: "{{ item.name }}"
+        group: "{{ item.name }}"
+        mode: u=rwX,go=
+      vars:
+        _homedir: "{{ item.home | default( basic_users_homedir_host_path + '/' + item.name ) }}"
+      become_user: "{{ item.name }}"
+      loop: "{{ basic_users_users }}"
+      loop_control:
+        label: "{{ item.name }}"
+      when:
+        - item.state | default('present') == 'present'
+  
+    - name: Generate cluster ssh key
+      community.crypto.openssh_keypair:
+        path: "{{ item.ssh_key_file | default(_homedir + '/.ssh/' + _ssh_key_type )}}"
+        type: "{{ _ssh_key_type }}"
+      vars:
+        _homedir: "{{ item.home | default( basic_users_homedir_host_path + '/' + item.name ) }}"
+        _ssh_key_type: "{{ item.ssh_key_type | default('ed25519') }}"
+      become_user: "{{ item.name }}"
+      loop: "{{ basic_users_users }}"
+      loop_control:
+        label: "{{ item.name }}"
+      when:
+        - item.state | default('present') == 'present'
+        - item.generate_ssh_key | default(true) | bool
+      register: _cluster_ssh_keypair
+
+      # - debug:
+      #     var: _cluster_ssh_keypair
+      # - meta: end_here
+
+    - name: Write supplied public key as authorized for SSH access
+      ansible.posix.authorized_key:
+        user: "{{ item.name }}"
+        state: present
+        manage_dir: false
+        key: "{{ item.public_key }}"
+        path: "{{ _homedir }}/.ssh/authorized_keys"
+      vars:
+        _homedir: "{{ item.home | default( basic_users_homedir_host_path + '/' + item.name ) }}"
+      become_user: "{{ item.name }}"
+      loop: "{{ basic_users_users }}"
+      loop_control:
+        label: "{{ item.name }}"
+      when:
+        - item.state | default('present') == 'present'
+        - item.public_key is defined
+
+    - name: Write generated public key as authorized for SSH access
+      ansible.posix.authorized_key:
+        user: "{{ item.item.name }}"
+        state: present
+        manage_dir: false
+        key: "{{ item.public_key }}"
+        path: "{{ _homedir }}/.ssh/authorized_keys"
+      vars:
+        _homedir: "{{ item.item.home | default( basic_users_homedir_host_path + '/' + item.item.name ) }}"
+      become_user: "{{ item.item.name }}"
+      loop: "{{ _cluster_ssh_keypair.results }}"
+      loop_control:
+        label: "{{ item.item.name }}"
+      when:
+        - item.item.state | default('present') == 'present'
+        - "'public_key' in item"
 
 - name: Write sudo rules
   blockinfile:
@@ -72,4 +134,6 @@
   loop: "{{ basic_users_users }}"
   loop_control:
     label: "{{ item.name }}"
-  when: "'sudo' in item"
+  when:
+    - item.state | default('present') == 'present'
+    - "'sudo' in item"