://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) for details on various ways to generate the hash of a password. - To create an account with a locked/disabled password on Linux systems, set this to C('!') or C('*'). - To create an account with a locked/disabled password on OpenBSD, set this to C('*************'). - B(OS X/macOS:) Enter the cleartext password as the value. Be sure to take relevant security precautions. type: str state: description: - Whether the account should exist or not, taking action if the state is different from what is stated. - See this L(FAQ entry,https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#running-on-macos-as-a-target) for additional requirements when removing users on macOS systems. type: str choices: [ absent, present ] default: present create_home: description: - Unless set to C(false), a home directory will be made for the user when the account is created or if the home directory does not exist. - Changed from C(createhome) to C(create_home) in Ansible 2.5. type: bool default: yes aliases: [ createhome ] move_home: description: - "If set to C(true) when used with C(home: ), attempt to move the user's old home directory to the specified directory if it isn't there already and the old home exists." type: bool default: no system: description: - When creating an account C(state=present), setting this to C(true) makes the user a system account. - This setting cannot be changed on existing users. type: bool default: no force: description: - This only affects C(state=absent), it forces removal of the user and associated directories on supported platforms. - The behavior is the same as C(userdel --force), check the man page for C(userdel) on your system for details and support. - When used with C(generate_ssh_key=yes) this forces an existing key to be overwritten. type: bool default: no remove: description: - This only affects C(state=absent), it attempts to remove directories associated with the user. - The behavior is the same as C(userdel --remove), check the man page for details and support. type: bool default: no login_class: description: - Optionally sets the user's login class, a feature of most BSD OSs. type: str generate_ssh_key: description: - Whether to generate a SSH key for the user in question. - This will B(not) overwrite an existing SSH key unless used with C(force=yes). type: bool default: no version_added: "0.9" ssh_key_bits: description: - Optionally specify number of bits in SSH key to create. - The default value depends on ssh-keygen. type: int version_added: "0.9" ssh_key_type: description: - Optionally specify the type of SSH key to generate. - Available SSH key types will depend on implementation present on target host. type: str default: rsa version_added: "0.9" ssh_key_file: description: - Optionally specify the SSH key filename. - If this is a relative filename then it will be relative to the user's home directory. - This parameter defaults to I(.ssh/id_rsa). type: path version_added: "0.9" ssh_key_comment: description: - Optionally define the comment for the SSH key. type: str default: ansible-generated on $HOSTNAME version_added: "0.9" ssh_key_passphrase: description: - Set a passphrase for the SSH key. - If no passphrase is provided, the SSH key will default to having no passphrase. type: str version_added: "0.9" update_password: description: - C(always) will update passwords if they differ. - C(on_create) will only set the password for newly created users. type: str choices: [ always, on_create ] default: always version_added: "1.3" expires: description: - An expiry time for the user in epoch, it will be ignored on platforms that do not support this. - Currently supported on GNU/Linux, FreeBSD, and DragonFlyBSD. - Since Ansible 2.6 you can remove the expiry time by specifying a negative value. Currently supported on GNU/Linux and FreeBSD. type: float version_added: "1.9" password_lock: description: - Lock the password (C(usermod -L), C(usermod -U), C(pw lock)). - Implementation differs by platform. This option does not always mean the user cannot login using other methods. - This option does not disable the user, only lock the password. - This must be set to C(False) in order to unlock a currently locked password. The absence of this parameter will not unlock a password. - Currently supported on Linux, FreeBSD, DragonFlyBSD, NetBSD, OpenBSD. type: bool version_added: "2.6" local: description: - Forces the use of "local" command alternatives on platforms that implement it. - This is useful in environments that use centralized authentication when you want to manipulate the local users (in other words, it uses C(luseradd) instead of C(useradd)). - This will check C(/etc/passwd) for an existing account before invoking commands. If the local account database exists somewhere other than C(/etc/passwd), this setting will not work properly. - This requires that the above commands as well as C(/etc/passwd) must exist on the target host, otherwise it will be a fatal error. type: bool default: no version_added: "2.4" profile: description: - Sets the profile of the user. - Does nothing when used with other platforms. - Can set multiple profiles using comma separation. - To delete all the profiles, use C(profile=''). - Currently supported on Illumos/Solaris. type: str version_added: "2.8" authorization: description: - Sets the authorization of the user. - Does nothing when used with other platforms. - Can set multiple authorizations using comma separation. - To delete all authorizations, use C(authorization=''). - Currently supported on Illumos/Solaris. type: str version_added: "2.8" role: description: - Sets the role of the user. - Does nothing when used with other platforms. - Can set multiple roles using comma separation. - To delete all roles, use C(role=''). - Currently supported on Illumos/Solaris. type: str version_added: "2.8" password_expire_max: description: - Maximum number of days between password change. - Supported on Linux only. type: int version_added: "2.11" password_expire_min: description: - Minimum number of days between password change. - Supported on Linux only. type: int version_added: "2.11" umask: description: - Sets the umask of the user. - Does nothing when used with other platforms. - Currently supported on Linux. - Requires C(local) is omitted or False. type: str version_added: "2.12" extends_documentation_fragment: action_common_attributes attributes: check_mode: support: full diff_mode: support: none platform: platforms: posix notes: - There are specific requirements per platform on user management utilities. However they generally come pre-installed with the system and Ansible will require they are present at runtime. If they are not, a descriptive error message will be shown. - On SunOS platforms, the shadow file is backed up automatically since this module edits it directly. On other platforms, the shadow file is backed up by the underlying tools used by this module. - On macOS, this module uses C(dscl) to create, modify, and delete accounts. C(dseditgroup) is used to modify group membership. Accounts are hidden from the login window by modifying C(/Library/Preferences/com.apple.loginwindow.plist). - On FreeBSD, this module uses C(pw useradd) and C(chpass) to create, C(pw usermod) and C(chpass) to modify, C(pw userdel) remove, C(pw lock) to lock, and C(pw unlock) to unlock accounts. - On all other platforms, this module uses C(useradd) to create, C(usermod) to modify, and C(userdel) to remove accounts. seealso: - module: ansible.posix.authorized_key - module: ansible.builtin.group - module: ansible.windows.win_user author: - Stephen Fromm (@sfromm) aĻ