Hi folks,

I have a presumably typical setup - see the end for the YAML files.

- a generic role to create users
- a vars file with all the users across my environment

Which works fine if I want all users on every box.

However, I need to apply only a subset of these users to various systems
- for example, all boxes should have the ansible user created, but only
webservers should have the additional ops user created.

I couldn't find a way from within the playbook to require only the
ansible user from `vars/users.yml`. So I tried instead splitting the
vars up into 2 separate files in the playbook:

```bootstrap.yml
---
- name: deploy and configure site
  hosts: all
  become: yes
  gather_facts: yes
  vars_files:
    - vars/ansible.yml
    - vars/ops.yml
  roles:
    - users
...
```

However, as expected, only the second user is created/defined, as the users
dict is replaced, not merged.

What's the best way to selectively apply users to various servers,
without needing to duplicate the user details in different vars files? I
feel like I'm missing something *really* obvious here.

Thanks!

Exact role & vars follow.

```roles/users/tasks/main.yml
---
# Every task iterates the same `users` dict: item.key is the user name,
# item.value its attributes. Optional attributes use default(omit) so the
# module argument is simply not passed when the attribute is unset.
- name: create user groups
  group:
    name: "{{ item.key }}"
    gid: "{{ item.value.gid | default(omit) }}"
  with_dict: "{{ users }}"
  tags:
  - users
  - groups

- name: create user accounts
  user:
    name: "{{ item.key }}"
    state: "{{ item.value.state | default(omit) }}"
    # uid is documented as optional in vars/users.yml, so omit it when unset
    uid: "{{ item.value.uid | default(omit) }}"
    group: "{{ item.key }}"
    groups: "{{ item.value.groups | default(omit) }}"
    shell: "{{ item.value.shell | default(omit) }}"
    # GECOS field, built from the email address with '@' swapped for '%'
    comment: "{{ item.value.email | default('root@localhost') | regex_replace('@', '%') }}"
  with_dict: "{{ users }}"
  tags:
  - users
  - accounts

- name: manage ssh keys
  authorized_key:
    user: "{{ item.key }}"
    manage_dir: yes
    # exclusive: yes removes every key not listed here, so a stale or
    # hand-added key does not survive the next run
    exclusive: yes
    key: "{{ item.value.ssh_options }} {{ item.value.ssh_key }}"
  with_dict: "{{ users }}"
  # skip accounts the previous task removed; authorized_key would fail on them
  when: item.value.state | default('present') == 'present'
  tags:
  - users
  - sshkeys
```


```
# vars/users.yml
---
users:
# users defaults
#   state: present (or absent to delete entirely)
#   uid: optional, numeric
#   gid: optional, numeric
#   groups: optional
#   shell: optional, string path to installed valid shell
#   email: optional, applied to GeCOS and similar fields
#   ssh_options:  optional, ssh-ed25519 | ssh-rsa ...
#   ssh_key: required
#   pgp_key: optional, for http://pgp.mit.edu/pks/lookup?op=get&search=
  ansible:
    uid:          333
    gid:          333
    groups:       ansible,wheel
    shell:        /bin/sh
    email:        [email protected]
    ssh_key:      AAAAC3N1234561273451276345216
    ssh_options:  ssh-ed25519
  ops:
    groups:       mail,www
    uid:          9000
    gid:          9000
    ssh_key:      AAAAC3N1234561273451276345216
    ssh_options:  ssh-ed25519
```

A+ Dave
—
  Dave Cottlehuber

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/1465756675.3164282.635390425.15DBA4F9%40webmail.messagingengine.com.
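One way to keep `vars/users.yml` as the single source of user details and still
pick which accounts each host gets, written as an added example rather than
anything from the original post: instead of splitting the dict, keep it whole
and put a per-group *list of names* in inventory group_vars, then gate each
task on that list. The group_vars file names and the `users_enabled` variable
are assumptions; `users` is the dict from the post. Users that are defined but
not enabled on a host are set to absent, so moving a host out of `webservers`
also removes `ops` instead of silently leaving the account behind.

```yaml
# Added example, not part of the original post or role.
# vars/users.yml is unchanged and still holds every user's details.

# --- group_vars/all.yml  (assumed file; every host) ---
users_enabled:
  - ansible

# --- group_vars/webservers.yml  (assumed file; webservers only) ---
# Group vars replace rather than merge, so list the common users again here.
users_enabled:
  - ansible
  - ops

# --- roles/users/defaults/main.yml  (assumed file) ---
# Safe default: a host that no group opts in gets no accounts at all.
users_enabled: []

# --- roles/users/tasks/main.yml  (replaces the loops in the original role) ---
---
- name: refuse to run if users_enabled names an undefined user
  assert:
    that: users_enabled | difference(users.keys() | list) | length == 0
    msg: "users_enabled lists a user that vars/users.yml does not define"

- name: create user groups for enabled users
  group:
    name: "{{ item.key }}"
    gid: "{{ item.value.gid | default(omit) }}"
  with_dict: "{{ users }}"
  when: item.key in users_enabled

- name: create enabled users, remove the rest
  user:
    name: "{{ item.key }}"
    # present only if enabled on this host; a per-user 'state: absent' in
    # vars/users.yml still wins for an enabled user
    state: "{{ item.value.state | default('present') if item.key in users_enabled else 'absent' }}"
    uid: "{{ item.value.uid | default(omit) }}"
    group: "{{ item.key }}"
    groups: "{{ item.value.groups | default(omit) }}"
    shell: "{{ item.value.shell | default(omit) }}"
  with_dict: "{{ users }}"

- name: manage ssh keys for users present on this host
  authorized_key:
    user: "{{ item.key }}"
    manage_dir: yes
    exclusive: yes
    key: "{{ item.value.ssh_options }} {{ item.value.ssh_key }}"
  with_dict: "{{ users }}"
  when:
    - item.key in users_enabled
    - item.value.state | default('present') == 'present'
```

The `when` clause on a looped task is evaluated per item, which is what makes
the gating work without touching the dict. Two caveats: `state: absent` on the
user module leaves the home directory in place unless you also pass
`remove: yes`, so decide deliberately whether offboarding should delete data;
and this approach avoids the global `hash_behaviour = merge` setting in
ansible.cfg, which would make *every* dict in the project merge rather than
replace and is easy to forget about later.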