From 86bfb48752ed295af9c178d79a1495ee7afed75b Mon Sep 17 00:00:00 2001
From: Ben Kristinsson
Date: Wed, 26 Oct 2022 01:32:14 +0200
Subject: [PATCH 1/2] openldap: fix user enabled/disabled handling with selectattr
---
 roles/openldap/defaults/main.yml | 14 ++++++++------
 roles/openldap/tasks/openldap.yml | 14 ++++++++------
 2 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/roles/openldap/defaults/main.yml b/roles/openldap/defaults/main.yml
index d987af5..15ac975 100644
--- a/roles/openldap/defaults/main.yml
+++ b/roles/openldap/defaults/main.yml
@@ -4,10 +4,12 @@ openldap_uid: "{{systemuserlist.openldap.uid}}"
 openldap_gid: "{{systemuserlist.openldap.gid}}"
 openldap_root: "{{ systemuserlist.openldap.home }}"
-ldap_users: "{{ userlist.values()|selectattr('ldap_enabled', 'true') }}"
-ldap_usernames: "{{ ldap_users | map(attribute='username') | list }}"
-ldap_users_in_groups: "{{ ldap_users | selectattr('ldap_groups') }}"
-ldap_usernames_disabled_ldap: "{{ userlist.values()|selectattr('ldap_enabled', 'false') | map(attribute='username') | unique }}"
-ldap_usernames_disabled_system: "{{ userlist.values()|selectattr('enabled', 'false') | map(attribute='username') | unique }}"
-ldap_usernames_disabled: "{{ ldap_usernames_disabled_ldap + ldap_usernames_disabled_system }}"
+ldap_human_users: "{{ userlist.values()|selectattr('ldap_enabled', 'true') }}"
+ldap_human_users_in_groups: "{{ ldap_human_users | selectattr('ldap_groups') }}"
+
+ldap_only_users_enabled: "{{ ldap_only_users.values() | selectattr('ldap_enabled', 'true') }}"
+
+ldap_linux_usernames_disabled: "{{ userlist.values()|selectattr('ldap_enabled', 'false') | map(attribute='username') }}"
+ldap_only_usernames_disabled: "{{ ldap_only_users.values()|selectattr('ldap_enabled', 'false') | map(attribute='username') }}"
+ldap_usernames_disabled: "{{ ldap_only_usernames_disabled + ldap_linux_usernames_disabled }}"
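Review bot: The removed `ldap_usernames_disabled_system` list (users with `enabled: false`) has no counterpart among the new variables, so a user disabled at the system level but still carrying `ldap_enabled: true` keeps an LDAP entry that the removal task never touches and can keep authenticating against the directory. If that is not intended, restore it alongside the new lists, e.g. `ldap_system_usernames_disabled: "{{ userlist.values() | selectattr('enabled', 'false') | map(attribute='username') }}"` and `ldap_usernames_disabled: "{{ (ldap_only_usernames_disabled + ldap_linux_usernames_disabled + ldap_system_usernames_disabled) | unique }}"`. Both new disabled lists also require the `ldap_enabled` key to be present: `selectattr('ldap_enabled', 'false')` skips an entry whose key is missing, and the enabled lists skip it too, so such a user is neither created nor removed. For an account-removal list, `rejectattr('ldap_enabled', 'true')` (treat "not explicitly enabled" as disabled) is the safer default. The `+` concatenation on the last added line also relies on the templating layer unrolling the two `map` generators into lists, which, as far as I recall, older ansible-core releases did not do — the removed `ldap_usernames` line appended `| list` for that reason, so a comment stating the minimum ansible-core version above these lines would help.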
diff --git a/roles/openldap/tasks/openldap.yml b/roles/openldap/tasks/openldap.yml
index e33b260..59adae4 100644
--- a/roles/openldap/tasks/openldap.yml
+++ b/roles/openldap/tasks/openldap.yml
@@ -196,7 +196,7 @@
 # this module doesnt change existing users if they exist, so it is setting anything that a user
 # should be able to change themselves
-- name: add inventory users
+- name: add inventory human users
 community.general.ldap_entry:
 dn: "uid={{ item.username }},ou=users,{{ openldap_dc }}"
 objectClass:
@@ -217,7 +217,7 @@
 bind_pw: "{{ openldap_admin_pass }}"
 loop_control:
 label: "{{ item.username }}"
- with_items: "{{ ldap_users }}" # see role/openldap/defaults/main.yml
+ with_items: "{{ ldap_human_users }}" # see role/openldap/defaults/main.yml
 tags:
 - ldap-users
@@ -237,9 +237,10 @@
 bind_pw: "{{ openldap_admin_pass }}"
 loop_control:
 label: "{{ item.username }}"
- with_items: "{{ ldap_only_users.values() }}"
+ with_items: "{{ ldap_only_users_enabled }}"
 tags:
 - ldap-users
+ - ldap-only-users
 - name: add inventory user groups
@@ -256,7 +257,7 @@
 bind_pw: "{{ openldap_admin_pass }}"
 loop_control:
 label: "{{ item.username }}"
- with_items: "{{ ldap_users }}"
+ with_items: "{{ ldap_human_users }}"
 tags:
 - ldap-users
@@ -292,7 +293,7 @@
 label: "{{ item[1].username }}, group={{ item[0] }}, present={{ item[0] in item[1].ldap_groups|default([]) }}"
 with_nested:
 - "{{ openldap_groups }}"
- - "{{ ldap_users }}"
+ - "{{ ldap_human_users }}"
 # when:
 # - item[1] in item[0].ldap_groups|default([])
 tags:
@@ -311,7 +312,7 @@
 label: "{{ item[1].username }}, group={{ item[0] }}, present={{ item[0] in item[1].ldap_groups|default([]) }}"
 with_nested:
 - "{{ openldap_groups }}"
- - "{{ ldap_only_users.values() }}"
+ - "{{ ldap_only_users_enabled }}"
 tags:
 - ldap-users
@@ -327,6 +328,7 @@
 with_items: "{{ ldap_usernames_disabled }}"
 tags:
 - ldap-users
+ - ldap-users-disabled
 #
 # this task will change attrs if they dont match
 # - name: adding attrs that are
--
2.40.1
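Review bot: The `ldap-only-users` tag added in the `@@ -237` hunk is only on the task that creates the ldap-only entries; the matching group-membership task in the `@@ -311` hunk still carries only `ldap-users`, so a run restricted with `--tags ldap-only-users` creates those accounts without their group memberships — add `- ldap-only-users` under that task's `tags:` as well (and, for symmetry, to the removal task in the `@@ -327` hunk next to the new `ldap-users-disabled`). Switching `with_items` from `ldap_only_users.values()` to `ldap_only_users_enabled` also changes what happens to an `ldap_only_users` entry that omits `ldap_enabled`: the `selectattr('ldap_enabled', 'true')` in defaults/main.yml skips it, and the disabled list there uses `selectattr('ldap_enabled', 'false')`, so such an entry is now neither created nor removed, where previously every entry was created. If absent is meant to mean enabled, `rejectattr('ldap_enabled', 'false')` in that default keeps the old behaviour; if absent is meant to mean disabled, the removal list needs the matching `rejectattr('ldap_enabled', 'true')`. Every task touched by these hunks begins before its hunk, so the module arguments are not visible here.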
From 23d8a9568ae27173e402b6ad7390203b2664de02 Mon Sep 17 00:00:00 2001
From: Ben Kristinsson
Date: Wed, 26 Oct 2022 01:36:05 +0200
Subject: [PATCH 2/2] system users with ssh keys
---
 roles/users/tasks/users.yml | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/roles/users/tasks/users.yml b/roles/users/tasks/users.yml
index 51aeeaa..98ddee2 100644
--- a/roles/users/tasks/users.yml
+++ b/roles/users/tasks/users.yml
@@ -135,19 +135,17 @@
 - name: set authorized_keys for system users with pubkeys
 template:
- src: "private/sshkeys/{{ item.key }}.authorized_keys"
+ src: "private/sshkeys/{{ item.username }}.authorized_keys"
 dest: "~/.ssh/authorized_keys"
- owner: "{{ item.key }}"
- group: "{{ item.key }}"
+ owner: "{{ item.username }}"
+ group: "{{ item.username }}"
 mode: 0600
 become: true
- become_user: "{{ item.key }}"
+ become_user: "{{ item.username }}"
 ignore_errors: "{{ ansible_check_mode }}"
 loop_control:
- label: "{{ item.key }}"
- with_dict: "{{ systemuserlist }}"
- when:
- - item.value.sshkey|default(false)
+ label: "{{ item.username }}"
+ with_items: "{{ systemuserlist.values() | selectattr('sshkey', 'true') }}"
 - name: remove disabled system users
 user:
--
2.40.1
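Review bot: `selectattr('sshkey', 'true')` on the new `with_items` line is stricter than the `when: item.value.sshkey|default(false)` it replaces: Jinja's `true` test matches only a boolean `true`, so an entry whose `sshkey` is a truthy string or number (or an unquoted YAML 1.1 `yes`) that previously received its authorized_keys file now silently gets none; if that is not intended, `selectattr('sshkey', 'defined') | selectattr('sshkey')` keeps the truthiness semantics without tripping on a missing key, otherwise a comment above `with_items` stating that only a literal `true` selects the user would make the contract explicit. The loop now depends on every value in `systemuserlist` carrying a `username` field equal to the former dict key, since `src`, `owner`, `group`, `become_user` and the label all read `item.username`: a missing field fails the task with an undefined-variable error, and a value that differs from the key installs the key file under a different account than before, so a one-line comment such as `# every systemuserlist value must carry a username matching its key` is worth adding. The unchanged `mode: 0600` beside the edited lines is an unquoted leading-zero literal that YAML 1.1 loaders read as the integer 384; Ansible's documentation recommends `mode: "0600"` so the module does its own octal conversion, and this task is a loop, where the docs say the bare form is least reliable. The `remove disabled system users` task begins in this hunk but its body lies outside it.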