I am setting up user administration through Ansible for the first time. I handle large batches of users a few times a year, since I work for a college. Can I use Ansible’s user module to remove expired accounts? What conditional statement would I use?
Pardon my untested pseudocode, but I am looking for something like the following:
tasks:
  - name: remove expired users
    user: name={{ item.key }} state=absent force=yes
    when: expired  # <----- what condition do I put here?
    with_dict: "{{ students }}"
Thanks for your response. I am working on building my student dictionary entries from a csv file produced by the college admissions/administration, and one of the values I create will be a future-dated expiration in epoch. I understand the user module will set the expiration on the system for the user account based on the value of the epoch in “user: expires=epoch”.
I will write a playbook comparing the current date with the expiry date in my dictionary to decide whether to remove accounts (fast, limited processing for remote host). Or, I could use the shell command to look up each user individually on the remote host (slower, but verifying live data instead of dictionary data). Actually, I should combine the two: I’ll process the list to decide which accounts to target, and then look up the targeted user account(s) on the remote host to verify the expiration hasn’t been changed manually.
I was hoping that a boolean for expired might be built in to the user module, since the OS knows whether an account is expired. If it’s not built in before I get to it, I’ll contribute to it. It could take me a long time to get to it, though.
You can use the getent module to get the data on the existing users, iirc
the 5th column has expire data. It should be faster as it gets all the
user data in one shot.
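
The approach discussed in this thread, combining the dictionary check with a live `getent` lookup, written out as an added example that is not part of any poster's message. The `students` dictionary and its `expires` field (epoch seconds) are assumed names with constructed values; the live expiry is read from index 6 of the list `getent` returns for each user, which is the eighth colon-separated field of shadow(5) and is stored as days since the epoch.

```yaml
# Added example, not from the thread. "students" and "expires" are assumed names.
- hosts: all
  become: true                       # reading the shadow database needs root
  vars:
    students:                        # constructed sample data, epoch seconds
      jdoe:   { expires: 1400000000 }
      asmith: { expires: 4102444800 }
    # shadow(5) stores expiry as whole days since 1970-01-01
    today_days: "{{ (ansible_date_time.epoch | int) // 86400 }}"
  tasks:
    - name: Read every shadow entry in one call
      ansible.builtin.getent:
        database: shadow

    - name: Remove accounts that are expired in the dictionary and on the host
      ansible.builtin.user:
        name: "{{ item.key }}"
        state: absent
        force: true
      loop: "{{ students | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      when:
        # 1. the dictionary says the account should be gone
        - item.value.expires | int < ansible_date_time.epoch | int
        # 2. the account still exists on this host
        - item.key in ansible_facts.getent_shadow
        # 3. the host has an expiry set (an empty field means "never expires")
        - ansible_facts.getent_shadow[item.key][6] | int(0) > 0
        # 4. the live expiry has passed, so nobody extended it by hand
        - ansible_facts.getent_shadow[item.key][6] | int(0) <= today_days | int
```

Running the play with `ansible-playbook --check` first lists which accounts would be removed without deleting anything.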