Add end-to-end support for reserved usernames and tighten CAPTCHA / Keycloak logic.
Changes:
- Makefile: rename EXTRA_USERS → RESERVED_USERNAMES and pass it as --reserved-usernames to the users defaults generator.
- cli/build/defaults/users.py: propagate flag into generated users, add --reserved-usernames CLI option and mark listed accounts as reserved.
- Add reserved_users filter plugin and helpers for Ansible templates and tasks.
- Add unit tests for reserved_users filters and the new reserved-usernames behaviour in the users defaults generator.
- group_vars/all/00_general.yml: harden RECAPTCHA_ENABLED / HCAPTCHA_ENABLED checks with default('') and explicit > 0 length checks.
- svc-db-openldap: introduce OPENLDAP_PROVISION_* flags, add OPENLDAP_PROVISION_RESERVED and OPERNLDAP_USERS to optionally exclude reserved users from provisioning.
- svc-db-openldap templates/tasks: switch role/group LDIF and user import loops to use OPERNLDAP_USERS instead of the full users dict.
- networks: assign dedicated subnet for web-app-roulette-wheel.
- web-app-keycloak vars: compute KEYCLOAK_RESERVED_USERNAMES_LIST and KEYCLOAK_RESERVED_USERNAMES_REGEX from users | reserved_usernames.
- web-app-keycloak user profile template: inject reserved-username regex into username validation pattern and improve error message, fix SSH public key attribute usage and add component name field.
- web-app-keycloak update/_update.yml: strip subComponents from component payloads before update and disable async/poll for easier debugging.
- web-app-keycloak tasks/main.yml: guard cleanup include with MODE_CLEANUP and keep reCAPTCHA update behind KEYCLOAK_RECAPTCHA_ENABLED.
- user/users defaults: mark system/service accounts (root, daemon, mail, admin, webmaster, etc.) as reserved so they cannot be chosen as login names.
- svc-prx-openresty vars: simplify OPENRESTY_CONTAINER lookup by dropping unused default parameter.
- sys-ctl-rpr-btrfs-balancer: simplify main.yml by removing the extra block wrapper.
- sys-daemon handlers: quote handler name for consistency.
Context: change set discussed and refined in ChatGPT on 2025-11-29 (Infinito.Nexus reserved usernames & Keycloak user profile flow). See conversation: https://chatgpt.com/share/692b21f5-5d98-800f-8e15-1ded49deddc9
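---
# Reserved usernames
#
# Every account below carries `reserved: true`. Consumers of this flag (the
# users defaults generator, OpenLDAP provisioning and the Keycloak user-profile
# username validation) are intended to refuse these names as self-chosen login
# names, so that nobody can register an account that shadows a system user,
# a service account or a name users would trust (admin, support, ...).
users:
  # Reserve the labels of PRIMARY_DOMAIN itself, so that no account can
  # impersonate the domain name (e.g. "example" and "com" for "example.com").
  sld:
    description: "Auto Generated Account to reserve the SLD"
    # NOTE(review): split('.')[0] is the first label; for a multi-label
    # PRIMARY_DOMAIN (sub.example.com) that is the subdomain, not the SLD.
    username: "{{ PRIMARY_DOMAIN.split('.')[0] }}"
    reserved: true
  tld:
    description: "Auto Generated Account to reserve the TLD"
    # NOTE(review): split('.')[1] is the second label, which is the TLD only
    # for two-label domains. A single-label PRIMARY_DOMAIN falls back to
    # "<domain>_tld"; the suffix must not carry trailing whitespace, as a
    # username ending in a space is rejected or silently trimmed downstream.
    username: "{{ PRIMARY_DOMAIN.split('.')[1] if (PRIMARY_DOMAIN is defined and (PRIMARY_DOMAIN.split('.') | length) > 1) else (PRIMARY_DOMAIN ~ '_tld') }}"
    reserved: true

  # System and service accounts commonly present on a Linux host. root is the
  # only entry that pins uid/gid; the others are reserved by name only.
  root:
    username: root
    uid: 0
    gid: 0
    description: "System superuser"
    reserved: true
  daemon:
    username: daemon
    description: "Daemon processes owner"
    reserved: true
  bin:
    username: bin
    description: "Owner of essential binaries"
    reserved: true
  sys:
    username: sys
    description: "System files owner"
    reserved: true
  sync:
    username: sync
    description: "Sync user for filesystem synchronization"
    reserved: true
  games:
    username: games
    description: "Games and educational software owner"
    reserved: true
  man:
    username: man
    description: "Manual pages viewer"
    reserved: true
  lp:
    username: lp
    description: "Printer spooler"
    reserved: true
  mail:
    username: mail
    description: "Mail system"
    reserved: true
  news:
    username: news
    description: "Network news system"
    reserved: true
  uucp:
    username: uucp
    description: "UUCP system"
    reserved: true
  proxy:
    username: proxy
    description: "Proxy user"
    reserved: true
  backup:
    username: backup
    description: "Backup operator"
    reserved: true
  list:
    username: list
    description: "Mailing list manager"
    reserved: true
  irc:
    username: irc
    description: "IRC services user"
    reserved: true
  gnats:
    username: gnats
    description: "GNATS bug-reporting system"
    reserved: true
  nobody:
    username: nobody
    description: "Unprivileged user"
    reserved: true
  messagebus:
    username: messagebus
    description: "D-Bus message bus system"
    reserved: true
  sshd:
    username: sshd
    description: "SSH daemon"
    reserved: true
  rpc:
    username: rpc
    description: "Rpcbind daemon"
    reserved: true
  ftp:
    username: ftp
    description: "FTP server"
    reserved: true
  postfix:
    username: postfix
    description: "Postfix mail transfer agent"
    reserved: true
  mysql:
    username: mysql
    description: "MySQL database server"
    reserved: true
  mongodb:
    username: mongodb
    description: "MongoDB database server"
    reserved: true

  # Generic names that users are likely to trust or mistake for an official
  # account. Every entry carries the same description for consistency.
  admin:
    username: admin
    description: "Generic reserved username"
    reserved: true
  administrator:
    username: administrator
    description: "Generic reserved username"
    reserved: true
  user:
    username: user
    description: "Generic reserved username"
    reserved: true
  test:
    username: test
    description: "Generic reserved username"
    reserved: true
  guest:
    username: guest
    description: "Generic reserved username"
    reserved: true
  demo:
    username: demo
    description: "Generic reserved username"
    reserved: true
  info:
    username: info
    description: "Generic reserved username"
    reserved: true
  support:
    username: support
    description: "Generic reserved username"
    reserved: true
  helpdesk:
    username: helpdesk
    description: "Generic reserved username"
    reserved: true
  operator:
    username: operator
    description: "Generic reserved username"
    reserved: true
  staff:
    username: staff
    description: "Generic reserved username"
    reserved: true
  smtp:
    username: smtp
    description: "Generic reserved username"
    reserved: true
  imap:
    username: imap
    description: "Generic reserved username"
    reserved: true
  pop:
    username: pop
    description: "Generic reserved username"
    reserved: true
  webmaster:
    username: webmaster
    description: "Generic reserved username"
    reserved: true
  mailman:
    username: mailman
    description: "Generic reserved username"
    reserved: true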