mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-12-02 23:49:14 +00:00
Implement reserved username handling for users, LDAP and Keycloak
Add end-to-end support for reserved usernames and tighten CAPTCHA / Keycloak logic.
Changes:
- Makefile: rename EXTRA_USERS → RESERVED_USERNAMES and pass it as --reserved-usernames to the users defaults generator.
- cli/build/defaults/users.py: propagate flag into generated users, add --reserved-usernames CLI option and mark listed accounts as reserved.
- Add reserved_users filter plugin and helpers for Ansible templates and tasks.
- Add unit tests for reserved_users filters and the new reserved-usernames behaviour in the users defaults generator.
- group_vars/all/00_general.yml: harden RECAPTCHA_ENABLED / HCAPTCHA_ENABLED checks with default('') and explicit > 0 length checks.
- svc-db-openldap: introduce OPENLDAP_PROVISION_* flags, add OPENLDAP_PROVISION_RESERVED and OPERNLDAP_USERS to optionally exclude reserved users from provisioning.
- svc-db-openldap templates/tasks: switch role/group LDIF and user import loops to use OPERNLDAP_USERS instead of the full users dict.
- networks: assign dedicated subnet for web-app-roulette-wheel.
- web-app-keycloak vars: compute KEYCLOAK_RESERVED_USERNAMES_LIST and KEYCLOAK_RESERVED_USERNAMES_REGEX from users | reserved_usernames.
- web-app-keycloak user profile template: inject reserved-username regex into username validation pattern and improve error message, fix SSH public key attribute usage and add component name field.
- web-app-keycloak update/_update.yml: strip subComponents from component payloads before update and disable async/poll for easier debugging.
- web-app-keycloak tasks/main.yml: guard cleanup include with MODE_CLEANUP and keep reCAPTCHA update behind KEYCLOAK_RECAPTCHA_ENABLED.
- user/users defaults: mark system/service accounts (root, daemon, mail, admin, webmaster, etc.) as reserved so they cannot be chosen as login names.
- svc-prx-openresty vars: simplify OPENRESTY_CONTAINER lookup by dropping unused default parameter.
- sys-ctl-rpr-btrfs-balancer: simplify main.yml by removing the extra block wrapper.
- sys-daemon handlers: quote handler name for consistency.
Context: change set discussed and refined in ChatGPT on 2025-11-29 (Infinito.Nexus reserved usernames & Keycloak user profile flow). See conversation: https://chatgpt.com/share/692b21f5-5d98-800f-8e15-1ded49deddc9
@@ -3,127 +3,169 @@ users:
sld:
description: "Auto Generated Account to reserve the SLD"
username: "{{ PRIMARY_DOMAIN.split('.')[0] }}"
reserved: true
tld:
description: "Auto Generated Account to reserve the TLD"
username: "{{ PRIMARY_DOMAIN.split('.')[1] if (PRIMARY_DOMAIN is defined and (PRIMARY_DOMAIN.split('.') | length) > 1) else (PRIMARY_DOMAIN ~ '_tld ') }}"
reserved: true
root:
username: root
uid: 0
gid: 0
description: "System superuser"
reserved: true
daemon:
username: daemon
description: "Daemon processes owner"
reserved: true
bin:
username: bin
description: "Owner of essential binaries"
reserved: true
sys:
username: sys
description: "System files owner"
reserved: true
sync:
username: sync
description: "Sync user for filesystem synchronization"
reserved: true
games:
username: games
description: "Games and educational software owner"
reserved: true
man:
username: man
description: "Manual pages viewer"
reserved: true
lp:
username: lp
description: "Printer spooler"
reserved: true
mail:
username: mail
description: "Mail system"
reserved: true
news:
username: news
description: "Network news system"
reserved: true
uucp:
username: uucp
description: "UUCP system"
reserved: true
proxy:
username: proxy
description: "Proxy user"
reserved: true
backup:
username: backup
description: "Backup operator"
reserved: true
list:
username: list
description: "Mailing list manager"
reserved: true
irc:
username: irc
description: "IRC services user"
reserved: true
gnats:
username: gnats
description: "GNATS bug-reporting system"
reserved: true
nobody:
username: nobody
description: "Unprivileged user"
reserved: true
messagebus:
username: messagebus
description: "D-Bus message bus system"
reserved: true
sshd:
username: sshd
description: "SSH daemon"
reserved: true
rpc:
username: rpc
description: "Rpcbind daemon"
reserved: true
ftp:
username: ftp
description: "FTP server"
reserved: true
postfix:
username: postfix
description: "Postfix mail transfer agent"
reserved: true
mysql:
username: mysql
description: "MySQL database server"
reserved: true
mongodb:
username: mongodb
description: "MongoDB database server"
reserved: true
admin:
username: admin
description: "Generic reserved username"
reserved: true
administrator:
username: administrator
reserved: true
user:
username: user
description: "Generic reserved username"
reserved: true
test:
username: test
description: "Generic reserved username"
reserved: true
guest:
username: guest
description: "Generic reserved username"
reserved: true
demo:
username: demo
description: "Generic reserved username"
reserved: true
info:
username: info
description: "Generic reserved username"
reserved: true
support:
username: support
description: "Generic reserved username"
reserved: true
helpdesk:
username: helpdesk
description: "Generic reserved username"
reserved: true
operator:
username: operator
description: "Generic reserved username"
reserved: true
staff:
username: staff
description: "Generic reserved username"
reserved: true
smtp:
username: smtp
description: "Generic reserved username"
reserved: true
imap:
username: imap
description: "Generic reserved username"
reserved: true
pop:
username: pop
description: "Generic reserved username"
reserved: true
webmaster:
username: webmaster
description: "Generic reserved username"
reserved: true
mailman:
username: mailman
description: "Generic reserved username"
reserved: true
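Review bot: the `tld` fallback username `PRIMARY_DOMAIN ~ '_tld '` has a trailing space inside the quotes, so for a primary domain without a dot the generated reserved username ends in a space and will never match the name a user actually types; change it to `'_tld'`. In the same expression the `PRIMARY_DOMAIN is defined` guard is ineffective, because the else branch dereferences `PRIMARY_DOMAIN` anyway, so an undefined variable still fails there. Minor: `administrator` is the only reserved entry without a `description`, while the neighbouring `admin` entry has one.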