- hosts: all
  roles:
    - role: archf.accounts

- hosts: all
  roles:
  - role: accounts

usergroups:
  - name: vendorgroup
    # gid is optional
    gid: 1001
    # create vendorgroup sudoers file inside /etc/sudoers.d
    sudos:
      - ALL=(ALL) ALL

  - name: customergroup

# Debug output.
debug: false

# An external directory containing sensitive data (group profiles, public ssh
# keys, users's ssh_config, ...etc.
groups_dir: "{{inventory_dir}}/extra_vars/usergroups"

users_usergroups: []

# Avoid trying to install packages. Useful if you know you don't have access to
# repositories.
users_nopkgs: no

# Ignore erros when using users modules on LDAP controlled server.
users_usermod_ignore_errors: false

# Force expiration of new user's so they are prompted to change it on first
# login.
users_expire_passwords: no

# Don't generate private ssh key in user accounts on every machine, consider
# agent forwarding instead. Use this in group_vars to toggle ssh_key creation
# in a group of hosts.
users_generate_ssh_keys: no

# SSH key rotation is disabled by default. Enabling this implicitly enables
# users_generate_ssh_keys.
users_rotate_ssh_keys: no

# Exclusive ssh keys on remote accounts. This is fed to the authorized_key
# module.
users_exclusive_ssh_keys: no

# Max age of keys for ssh_rotation. This is a time specification that must be
# compatbile with the find module.
users_ssh_key_max_age: 60d

# Default ssh key domain. Default key name is the concatenation of the username
# and this value. For public key to be propagated to the right machines, it
# should match the 'ansible_domain' fact and thus hint wich realm the key gives
# access to.
users_default_domain: null

# Configure '/etc/skel' facility. Useful prior accounts creation. Doing it on
# lot of user home directory after they created is costly. This will add
# directories as defined in users_defaults['skel'].
users_gen_skel: no

# Enable this to ensure already created home matches de /etc/skel structure.
# This task can be somewhat slow when managing lots of users on a large
# inventory. This behavior is rather invasive and probably more suitable for
# personal usage and/or when you have no control over /etc/skel.
users_skel_homedir: no

# If yes, 'usergroups' are exclusive. That means that all unstated unix
# usergroups in play variable will be deleted along with all it's members at
# the exception of group `nogroup`.
users_exclusive_usergroups: no

# List of 'usergroups' that will never be removed.
users_exclusive_usergroups_exceptions:
  - vagrant
  - nogroup

# If yes, group members are exclusive. That means that all unstated group
# members in play variables will deleted at the exception of user `nobody`.
users_exclusive_groupmembers: no

# Default args for the user module and sensible defaults for other role
# features on a per user accounts basis. Override these on a per user basis
# inside the 'users.yml' file of the usergroup.
users_defaults:
  state: present
  # FIXME: task should generate something random per user, register it, and send to user by mail.
  shell: "/bin/bash"
  system: no

  groups: omit
  append: yes         # Append to group

  # Default to 'on_create' (will change passwd if they differ). Could also be
  # set to 'always'.
  update_password: 'on_create'

  # Path prefix to the directory that will contain a user account. If you work
  # on Solaris you could set this to '/export/home'. Not to be confused with
  # 'homedir'
  homedir_root: '/home'

  # Module defaults
  createhome: yes     # Defaults to yes
  move_home: no       # Defaults to no
  non_unique: no      # Defaults to no

  # Set the amount of days a password can remain inactive after expiration.
  # This is passed to the 'inactive' options of 'passwd' command.
  inactive: 365

  # SSH configuration defaults.
  # fixme: task should generate something random, register it, and send to user by mail.
  ssh_key_passphrase: q1w2e3
  ssh_key_type: rsa
  ssh_key_bits: 2048

  # Homedir skeleton.
  skel:
    - '.ssh/controlmasters'
    - 'bin'
    - 'tmp'

  # Values for ~/.ssh/config. Those are for a "Host *" clause at the top and
  # will be applied to every users. This doesn't prevent you from having
  # multiple "Host *" statements under it that will supersede this one. I think
  # those are acceptable sane defaults.

  ssh_config:
    ServerAliveInterval: 41
    ControlPersist: 120s
    ControlMaster: auto
    ControlPath: '~/.ssh/controlmasters/%r@%h:%p'

  # This is the list of files in your dotfiles_dir you do not want to rsync
  # to the remote host.
  dotfiles_rsync_exclude:
    - americano
    - i3
    - zsh-autosuggestion
    - debug-refs
    - gnupg
    - hexchat
    - win*
    - wireshark
    - _vimrc

    # directories for building tmux, vim, openssh from source
    - tmux/tmux-?.?
    - vim.d/vim
    - openssh

# Sometimes, remote user account doesn't match the local one. That happens for
# instance when host is 'mostly' controlled by your customer. Fill this dict
# with keys such as { '<remote_username>' : '<local userneame>'}.
users_usermap: {}

# Disabling this for now.
# # You can have shared by multiple users. Define this variable in `users.yml`
# # to have usergroup defaults different than `users_defaults`.
# usergroup_defaults:
#   passwd: ''

### omited parameters

# By default, the first make target is ran but you way want to override. Could
# be useful to if hosts have no www access. This is fed to the make module
# target argument.
# users_dotfiles_makefile_target:

# Include debugging tasks that prints variable information when adding and
# removing unix groups.
groupadd_debug: no
groupdel_debug: no