fix basic_users not modifying default nfs-shared home correctly

sjpb · sjpb · commit 339f19514714 · 2025-02-20T09:17:01.000Z
diff --git a/ansible/roles/basic_users/README.md b/ansible/roles/basic_users/README.md
@@ -2,16 +2,19 @@
 basic_users
 ===========
 
-Setup users on cluster nodes using `/etc/passwd` and manipulating `$HOME`, i.e. without requiring LDAP etc. Features:
+Setup users on cluster nodes using `/etc/passwd` and manipulating `$HOME`, i.e.
+without requiring LDAP etc. Features:
 - UID/GID is consistent across cluster (and explicitly defined).
 - SSH key generated and propagated to all nodes to allow login between cluster nodes.
 - An "external" SSH key can be added to allow login from elsewhere.
-- Login to the control node is prevented.
+- Login to the control node is prevented (by default)
 - When deleting users, systemd user sessions are terminated first.
 
 Requirements
 ------------
-- $HOME (for normal users, i.e. not `centos`) is assumed to be on a shared filesystem.
+- `$HOME` (for normal users, i.e. not `rocky`) is assumed to be on a shared
+  filesystem. Actions affecting that shared filesystem are run on a single host,
+  see `basic_users_manage_homedir` below.
 
 Role Variables
 --------------
@@ -25,6 +28,11 @@ Role Variables
   - Any other keys may present for other purposes (i.e. not used by this role).
 - `basic_users_groups`: Optional, default empty list. A list of mappings defining information for each group. Mapping keys/values are passed through as parameters to [ansible.builtin.group](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/group_module.html) and default values are as given there.
 - `basic_users_override_sssd`: Optional bool, default false. Whether to disable `sssd` when ensuring users/groups exist with this role. Permits creating local users/groups even if they clash with users provided via sssd (e.g. from LDAP). Ignored if host is not in group `sssd` as well. Note with this option active `sssd` will be stopped and restarted each time this role is run.
+- `basic_users_manage_homedir`: Optional bool, must be true on a single host to
+  determine which host runs tasks affecting the shared filesystem. The default
+  is to use the first play host which is not the control node, because the
+  default NFS configuration does not have the shared `/home` directory mounted
+  on the control node.
 
 Dependencies
 ------------
diff --git a/ansible/roles/basic_users/defaults/main.yml b/ansible/roles/basic_users/defaults/main.yml
@@ -1,4 +1,4 @@
-basic_users_manage_homedir: "{{ (ansible_hostname == (ansible_play_hosts | first)) }}"
+basic_users_manage_homedir: "{{ ansible_hostname == (ansible_play_hosts | difference(groups['control']) | first) }}"
 basic_users_userdefaults:
   state: present
   create_home: "{{ basic_users_manage_homedir }}"
diff --git a/ansible/roles/basic_users/tasks/main.yml b/ansible/roles/basic_users/tasks/main.yml
@@ -46,7 +46,6 @@
     - item.state | default('present') == 'present'
     - item.public_key is defined
     - basic_users_manage_homedir
-  run_once: true
 
 - name: Write generated public key as authorized for SSH access
   authorized_key:

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-basic_users_manage_homedir: "{{ (ansible_hostname == (ansible_play_hosts \| first)) }}"`
	`1`	`+basic_users_manage_homedir: "{{ ansible_hostname == (ansible_play_hosts \| difference(groups['control']) \| first) }}"`
`2`	`2`	`basic_users_userdefaults:`
`3`	`3`	`state: present`
`4`	`4`	`create_home: "{{ basic_users_manage_homedir }}"`