From c95a96a33c50c9bec15f904dd2e9fd72d8690c66 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 23 Nov 2024 19:22:02 -0600
Subject: [PATCH] users: Manage static user accounts

The Samba AD domain performs two important functions: centralized user identity mapping via LDAP, and centralized authentication via Kerberos/GSSAPI. Unfortunately, Samba, on both domain controllers and members, is quite frustrating. The client, _winbind_, frequently just stops working and needs to have its cache flushed in order to resolve user IDs again. It also takes quite a lot of memory, something rather precious on Raspberry Pis. The DC is also somewhat flaky at times, and cumbersome to upgrade. In short, I really would like to get rid of as much of it as possible. For most use cases, OIDC can replace Kereros. For SSH specifically, we can use SSH certificates (which are issued to OIDC tokens). Unfortunately, user and group accounts still need ID numbers assigned, which is what _winbind_ does. In reality, there's only one user that's necessary: _dustin_. It doesn't make sense to bring along all the baggage of Samba just to map that one account. Instead, it's a lot simpler and more robust to create it statically.
---
 group_vars/all.yml | 7 +++++++
 users.yml | 15 +++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 users.yml

diff --git a/group_vars/all.yml b/group_vars/all.yml
index 3ceed45..29b87fe 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,3 +1,10 @@
+managed_users:
+- name: dustin
+ comment: Dustin C. Hatch
+ uid: 3000016
+ groups:
+ - wheel
+
 sshca_url: https://sshca.pyrocufflink.blue
 ssh_trusted_user_ca_keys: >-
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF sshca.pyrocufflink.blue
diff --git a/users.yml b/users.yml
new file mode 100644
index 0000000..61301c9
--- /dev/null
+++ b/users.yml
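Review bot: The `managed_users` entry in group_vars/all.yml pins `uid: 3000016` and grants `wheel` membership, but nothing records why that UID was chosen; it presumably matches the ID the former winbind mapping assigned so ownership of existing home directories and files survives the switch, and a maintainer who changes it would silently orphan those files. Add a comment above the entry such as `# uid pinned so ownership of existing files/home dirs stays stable (matches the former AD id mapping — confirm)`. Because this lives in all.yml, the wheel (admin) membership applies on every host the play reaches; if that blanket grant is intended, a one-line comment saying so would save the next reader from second-guessing it.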
@@ -0,0 +1,15 @@
+- hosts: all
+ tasks:
+ - name: ensure users exist
+ user:
+ name: '{{ item.name }}'
+ comment: '{{ item.comment | d(omit) }}'
+ uid: '{{ item.uid | d(omit) }}'
+ groups: '{{ item.groups | d(omit) }}'
+ create_home: true
+ local: true
+ password: '*'
+ state: present
+ loop: '{{ managed_users | d([]) }}'
+ tags:
+ - user
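Review bot: The `groups:` argument in the `ensure users exist` task is passed without `append`, and the user module's default `append: false` replaces the account's supplementary groups with exactly `item.groups` on every run, so any membership granted by another play or by hand is stripped the next time this runs. If that drift correction is intended, make it explicit with `append: false  # groups are authoritative; anything granted elsewhere is removed` so the effect is visible; otherwise add `append: true`. Separately, with `local: true` the listed groups must already exist in the local `/etc/group` or the task fails, which is worth a comment since the group names come from group_vars and are not created here. `password: '*'` correctly leaves no password hash, so interactive access depends entirely on the SSH CA trust configured alongside it.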