system-config/playbooks/roles/users/tasks/main.yaml

- name: Add sudo group
  group:
    name: "sudo"
    state: present

# NOTE(mordred): We replace the main file rather than dropping a file in to
# /etc/sudoers.d to deal with divergent base sudoers files from our distros.
# We also want to change some default behavior (we want nopassword sudo, for
# instance).
- name: Setup sudoers file
  copy:
    dest: /etc/sudoers
    src: sudoers
    owner: root
    group: root
    mode: 0440

- name: Setup login.defs file
  copy:
    dest: /etc/login.defs
    src: '{{ ansible_facts.os_family }}/login.defs'
    owner: root
    group: root
    mode: 0644

- name: Delete old users
  loop: "{{ disabled_users }}"
  user:
    name: "{{ item }}"
    state: absent
    remove: yes

- name: Add groups
  loop: "{{ base_users + extra_users }}"
  group:
    name: "{{ item }}"
    state: present
    gid: "{{ all_users[item].gid|default(omit) }}"
  when:
    - item in all_users
    - "'gid' in all_users[item]"

- name: Add users
  loop: "{{ base_users + extra_users }}"
  user:
    name: "{{ item }}"
    state: present
    uid: "{{ all_users[item].uid }}"
    group: "{{ item }}"
    comment: "{{ all_users[item].comment }}"
    groups: sudo
    shell: /bin/bash
  when:
    - item in all_users
    - "'uid' in all_users[item]"

- name: Add ssh keys to users
  loop: "{{ base_users + extra_users }}"
  authorized_key:
    user: "{{ item }}"
    state: present
    key: "{{ all_users[item].key }}"
    exclusive: yes
  when:
    - item in all_users
    - "'key' in all_users[item]"