Linux-GitLab Group Sync Ansible Role
Authored by
Jonas Zohren
sync-gitlab-users-to-linux-users.ansible.yml 1.88 KiB
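---
# Syncs the members of one GitLab group onto this host: every member gets a
# local account in the "ansiblemanaged" group plus the SSH keys from their
# GitLab profile, and ansiblemanaged accounts that are no longer group
# members are removed. Expects gitlab_host, group_id and gitlab_token to be
# set by the caller.
# Many parts stolen from https://serverfault.com/a/913211
- name: Get list of users from GitLab group
  run_once: true
  local_action:
    module: ansible.builtin.uri
    # The members endpoint is paginated (20 entries per page by default).
    # Requesting the API maximum of 100 avoids silently truncating the list;
    # groups with more than 100 members still need page handling, otherwise
    # the removal step below deletes accounts of members it never saw.
    url: "https://{{ gitlab_host }}/api/v4/groups/{{ group_id }}/members?per_page=100"
    method: GET
    headers:
      Authorization: "Bearer {{ gitlab_token }}"
  register: gitlab_group_members

- name: Retrieve user keys
  loop: "{{ gitlab_group_members.json }}"
  loop_control:
    label: "{{ item.username }}"  # keeps key material out of the task log
  run_once: true
  local_action:
    module: ansible.builtin.uri
    url: "https://{{ gitlab_host }}/{{ item.username }}.keys"
    method: GET
    headers:
      Authorization: "Bearer {{ gitlab_token }}"
    return_content: true
  register: user_ssh_keys

- name: Create "ansiblemanaged" group
  ansible.builtin.group:
    name: ansiblemanaged
    state: present

- name: Create users in the managed group
  ansible.builtin.user:
    name: "{{ item.username }}"
    groups: ["ansiblemanaged"]
    shell: /bin/bash
    state: present
  loop: "{{ gitlab_group_members.json }}"
  loop_control:
    label: "{{ item.username }}"

- name: Determine existing, ansiblemanaged users
  # getent matches the group name exactly; a plain `grep ansiblemanaged
  # /etc/group` also matched any group whose name merely contains that
  # string and would then feed the removal step a wrong member list.
  ansible.builtin.shell: 'getent group ansiblemanaged | cut -d: -f4 | tr "," "\n"'
  changed_when: false
  register: existing_users

- name: Determine users on linux, but not in GitLab group
  ansible.builtin.set_fact:
    users_to_remove: "{{ existing_users.stdout_lines | difference(gitlab_group_members.json | map(attribute='username')) }}"

- name: Remove users, who are not in the GitLab group
  # Only the account is removed; the home directory is kept (module default).
  ansible.builtin.user:
    name: "{{ item }}"
    state: absent
  loop: "{{ users_to_remove }}"

- name: Add public ssh keys of users
  ansible.posix.authorized_key:
    user: "{{ item.0 }}"
    # exclusive: false keeps keys that were added outside GitLab; it also
    # means a key deleted in GitLab stays authorised here until removed by
    # hand.
    exclusive: false
    key: "{{ item.1 }}"
    state: present
  # A member with no keys uploaded yields an empty body; skip them rather
  # than handing the module an empty key.
  when: item.1 | trim | length > 0
  with_together:
    - "{{ gitlab_group_members.json | map(attribute='username') }}"
    - "{{ user_ssh_keys.results | map(attribute='content') }}"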