Ansible role to configure linux servers.

WARNING: Before the release of version 1.0.0, backwards compatibility is not guaranteed: the role's API may change between releases. If you want to use this role in a production environment, pin the role to a specific version or commit.

nixconfig

An Ansible role designed to cover the basic configuration tasks you would do on any freshly provisioned Linux server.

Currently implemented features:

  • Set the hostname.
  • Set the timezone.
  • Install packages from standard repositories.
  • Configure sshd.
  • Manage users and groups (including sudoers).
  • Install and trust private CA certificates.

Dependencies

None.

Requirements

None.

Variables

For a comprehensive overview of all available variables and their default values, see defaults/main.yml. The table below presents a brief overview of the most commonly used ones.

| Variable | Description | Type | Default |
|---|---|---|---|
| nixconfig_hostname | The hostname for the target host. | string | "" |
| nixconfig_timezone | The timezone for the target host. | string | "" |
| nixconfig_packages | A list of packages to install. | list[string] | [] |
| nixconfig_sshd_config | A list of sshd settings to apply to the entire server. User/group matches are part of the user/group settings. | list[string] | [] |
| nixconfig_sshd_trusted_user_ca_keys | SSH certificate authority public keys to trust for user certificates. | list[dict] | [] |
| nixconfig_groups | A list of groups to create/reconfigure on target hosts (supports `system: true` and `sudoers` fields). | list[dict] | [] |
| nixconfig_accounts | Unified list of accounts to manage (state/system/keys/principals/sudo/groups/etc.). | list[dict] | [] |
| nixconfig_ca_certs | A list of private CA certificates to install and trust. | list[dict] | [] |

Tags

The following tags are available to fine-tune the execution of this role:

| Tag | Description |
|---|---|
| nixconfig | Covers the entire role. |
| nixconfig:packages | Covers package installation tasks. |
| nixconfig:hostname | Covers hostname configuration tasks. |
| nixconfig:timezone | Covers timezone configuration tasks. |
| nixconfig:sshd | Covers sshd configuration tasks. |
| nixconfig:sshd:certs | Covers sshd signed certificate support tasks. |
| nixconfig:groups | Covers group management tasks. |
| nixconfig:accounts | Covers all user-related tasks. |
| nixconfig:accounts:present | Covers tasks related to user creation and modification. |
| nixconfig:accounts:absent | Covers tasks related to user removal. |
| nixconfig:ca | Covers tasks related to private CA certificates. |

Examples

Basic standalone Playbook:

```yaml
- name: Example Playbook.
  hosts: all
  become: true
  roles:
    - role: nixconfig
      nixconfig_hostname: myhost
      nixconfig_timezone: Europe/Amsterdam
      nixconfig_packages:
        - vim
        - git
      nixconfig_ca_certs:
        - name: MyCA.crt
          content: "{{ lookup('file', 'files/MyCA.crt') | b64encode }}"
```

Advanced

Packages

Consider the following playbook, which collects every host variable whose name matches `^nixconfig_.*_packages$` into a single package list:

```yaml
- name: Common configuration tasks.
  hosts: all
  gather_facts: true

  vars:
    nixconfig_packages_combined: >-
      {{
        hostvars[inventory_hostname]
        | dict2items
        | selectattr('key', 'match', '^nixconfig_.*_packages$')
        | map(attribute='value')
        | list
        | flatten
      }}

  pre_tasks:
    - name: Group hosts based on OS family.
      tags: "always"
      changed_when: false
      ansible.builtin.group_by:
        key: "{{ ansible_facts['os_family'] | lower }}"

  roles:
    - role: "nixconfig"
      become: true
      nixconfig_packages: "{{ nixconfig_packages_combined | unique }}"
```

This allows you to do something like this:

```yaml
# group_vars/all/nixconfig.yml
nixconfig_base_packages:
  - "vim"
  - "htop"
# group_vars/debian/nixconfig.yml
nixconfig_distro_packages:
  - "netcat-openbsd"
# group_vars/redhat/nixconfig.yml
nixconfig_distro_packages:
  - "epel-release"
  - "netcat"
```

Accounts

Similar to the above, but you need to be aware of sorting: the matching variables are sorted by name before they are flattened, and when several entries share the same `name`, the last one wins.

```yaml
- name: Common configuration tasks.
  hosts: all
  gather_facts: true

  vars:
    nixconfig_accounts_flat: >-
      {{
        hostvars[inventory_hostname]
        | dict2items
        | selectattr('key', 'match', '^nixconfig_.*_accounts$')
        | sort(attribute='key')
        | map(attribute='value')
        | list
        | flatten
      }}

    nixconfig_accounts_combined: >-
      {{
        dict(
          (nixconfig_accounts_flat | map(attribute='name') | zip(nixconfig_accounts_flat))
        ).values()
        | list
      }}

  roles:
    - role: "nixconfig"
      become: true
      nixconfig_accounts: "{{ nixconfig_accounts_combined }}"
```

This allows you to do something like this:

```yaml
# group_vars/all/nixconfig.yml
nixconfig_00-core_accounts:
  - name: "ansible"
    authorized_principals:
      - "ansible"
      - "automation"
# inv/dev/group_vars/all/nixconfig.yml
nixconfig_01-invcore_accounts:
  - name: "ansible"
    authorized_principals:
      - "ansible"
      - "foobar"
  - name: "alice"
    groups: ["devs"]
```

As a result, the `ansible` user has different `authorized_principals` in the `inv/dev` inventory than everywhere else, and the user `alice` exists only in the dev inventory.

Choose variable names whose sort order produces the final result you need. The `name` key is the unique factor and the last entry found is used, so the one in `nixconfig_01-invcore_accounts` overwrites the one in `nixconfig_00-core_accounts`.
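Because a later layer silently replaces the whole account entry (principals, keys, sudo and all), it is worth being able to predict the merge before running the play. The following is an added example, not code from the nixconfig role: it reproduces the two Jinja filter chains from the Packages and Accounts sections in plain Python (no Ansible required) over a constructed `hostvars` dictionary, and adds a hypothetical `overridden_accounts` pre-flight check that lists which account names were declared in more than one variable and which variable won.

```python
import re

# Constructed hostvars for one host, laid out like the group_vars in the README.
# Dict insertion order stands in for the order in which Ansible merged the variables.
SAMPLE_HOSTVARS = {
    "inventory_hostname": "dev-web-01",
    "nixconfig_base_packages": ["vim", "htop"],
    "nixconfig_distro_packages": ["netcat-openbsd", "vim"],
    # Inventory layer listed first on purpose: sorting, not definition order, decides.
    "nixconfig_01-invcore_accounts": [
        {"name": "ansible", "authorized_principals": ["ansible", "foobar"]},
        {"name": "alice", "groups": ["devs"]},
    ],
    "nixconfig_00-core_accounts": [
        {"name": "ansible", "authorized_principals": ["ansible", "automation"]},
    ],
}

# Same patterns the playbooks pass to selectattr('key', 'match', ...); Ansible's
# 'match' test is re.match, so anchoring with ^ and $ behaves identically here.
PACKAGE_KEY = re.compile(r"^nixconfig_.*_packages$")
ACCOUNT_KEY = re.compile(r"^nixconfig_.*_accounts$")


def combine_packages(hostvars):
    """Mirror of: dict2items | selectattr(match) | map(value) | flatten | unique.

    No sort step in this chain, so the order follows how the variables were merged;
    'unique' keeps the first occurrence of a package name."""
    flat = []
    for key, value in hostvars.items():
        if PACKAGE_KEY.match(key):
            flat.extend(value)
    return list(dict.fromkeys(flat))


def flatten_accounts(hostvars):
    """Mirror of nixconfig_accounts_flat: select matching keys, sort by key, flatten."""
    matching = [(k, v) for k, v in hostvars.items() if ACCOUNT_KEY.match(k)]
    matching.sort(key=lambda kv: kv[0])
    return [account for _, value in matching for account in value]


def combine_accounts(hostvars):
    """Mirror of dict(names | zip(accounts)).values(): last entry per name wins.

    A Python dict keeps the position of the first insertion but the value of the
    last assignment, which is exactly the behaviour the README describes."""
    by_name = {}
    for account in flatten_accounts(hostvars):
        by_name[account["name"]] = account
    return list(by_name.values())


def overridden_accounts(hostvars):
    """Hypothetical pre-flight check (not part of the role).

    Returns {name: [variable, variable, ...]} for every account declared in more
    than one variable, in the order the variables were applied; the last listed
    variable is the one whose entry survives the merge."""
    matching = [(k, v) for k, v in hostvars.items() if ACCOUNT_KEY.match(k)]
    matching.sort(key=lambda kv: kv[0])
    last_source = {}
    report = {}
    for key, accounts in matching:
        for account in accounts:
            name = account["name"]
            if name in last_source:
                report.setdefault(name, [last_source[name]]).append(key)
            last_source[name] = key
    return report


if __name__ == "__main__":
    print("packages:", combine_packages(SAMPLE_HOSTVARS))
    for account in combine_accounts(SAMPLE_HOSTVARS):
        print("account:", account)
    for name, sources in overridden_accounts(SAMPLE_HOSTVARS).items():
        print(f"{name}: declared in {sources}, effective entry from {sources[-1]}")
```

Running it shows `ansible` with principals `["ansible", "foobar"]` and `alice` present, matching the README's description, and the report names `nixconfig_01-invcore_accounts` as the winning source. Renaming the core variable so that it sorts after the inventory one (for example `nixconfig_99-core_accounts`) flips the result, which is the point of the naming convention.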