Apply review feedback

canonical · Sep 25, 2024 · d4cbed8 · d4cbed8
1 parent da7af9e
commit d4cbed8
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 174 deletions.
diff --git a/doc/module-docs/cc_users_groups/example3.yaml b/doc/module-docs/cc_users_groups/example3.yaml
@@ -1,9 +1,4 @@
 #cloud-config
 users:
-- gecos: Big Stuff
-  groups: users, admin
-  lock_passwd: true
-  name: newsuper
+- name: newsuper
   shell: /bin/bash
-  ssh_import_id: ['lp:falcojr', 'gh:TheRealFalcon']
-  sudo: ALL=(ALL) NOPASSWD:ALL
diff --git a/doc/module-docs/cc_users_groups/example4.yaml b/doc/module-docs/cc_users_groups/example4.yaml
@@ -1,8 +1,5 @@
 #cloud-config
 users:
 - doas: [permit nopass newsuper, deny newsuper as root]
-  gecos: Big Stuff
-  groups: users, admin
-  lock_passwd: true
   name: newsuper
-  ssh_import_id: ['lp:falcojr', 'gh:TheRealFalcon']
+
diff --git a/doc/rtd/reference/yaml_examples/user_groups.rst b/doc/rtd/reference/yaml_examples/user_groups.rst
@@ -11,14 +11,10 @@ the :ref:`users and groups module <mod_cc_users_groups>` schema.
 Add default user
 ================
 
-
 .. literalinclude:: ../../../module-docs/cc_users_groups/example1.yaml
    :language: yaml
    :linenos:
 
-For Ubuntu systems, see also the Default Users on Ubuntu section at the end
-of this page.
-
 Don't create any default user
 =============================
 
@@ -36,68 +32,6 @@ and ``'sys'``, and the empty group ``cloud-users``.
    :language: yaml
    :linenos:
 
-More complex examples
-=====================
-
-The following two examples are largely similar. In both we:
-
-- Skip creation of the ``default`` user and only create ``newsuper``.
-- Reject password-based login.
-- Allow GitHub user ``TheRealFalcon`` and Launchpad user ``falcojr`` to SSH as
-  ``newsuper``.
-
-Set the default shell
----------------------
-
-The default shell for ``newsuper`` is bash instead of the system default.
-
-.. literalinclude:: ../../../module-docs/cc_users_groups/example3.yaml
-   :language: yaml
-   :linenos:
-
-Configure doas/opendoas
------------------------
-
-Here we configure ``doas``/``opendoas`` to permit this user to run commands as
-other users without being prompted for a password (except not as root).
-
-.. literalinclude:: ../../../module-docs/cc_users_groups/example4.yaml
-   :language: yaml
-   :linenos:
-
-On SELinux
-==========
-
-On a system with SELinux enabled, this example will add ``youruser`` and set
-the SELinux user to ``staff_u``. When omitted on SELinux, the system will
-select the configured default SELinux user.
-
-.. literalinclude:: ../../../module-docs/cc_users_groups/example5.yaml
-   :language: yaml
-   :linenos:
-
-Redirect legacy username
-========================
-
-To redirect a legacy username to the default user for a distribution,
-``ssh_redirect_user`` will accept an SSH connection and show a message telling
-the client to SSH as the default user. SSH clients will get the message:
-
-.. literalinclude:: ../../../module-docs/cc_users_groups/example6.yaml
-   :language: yaml
-   :linenos:
-
-Override default user config
-============================
-
-Override any ``default_user`` config in ``/etc/cloud/cloud.cfg`` with
-supplemental config options. This config will make the default user
-``mynewdefault`` and change the user to not have ``sudo`` rights.
-
-.. literalinclude:: ../../../module-docs/cc_users_groups/example7.yaml
-   :language: yaml
-   :linenos:
-
 Add users to the system
 =======================
 
@@ -151,105 +85,55 @@ exceptions and can be applied to already-existing users:
     - name: nosshlogins
       ssh_redirect_user: true
 
-Values explained
-----------------
-
-* ``name``: The user's login name.
-* ``expiredate``: Date on which the user's account will be disabled.
-* ``gecos``: The user name's real name, i.e. "Bob B. Smith".
-* ``homedir``: (optional) Set to the local path you want to use. Defaults to
-  ``/home/<username>``.
-* ``primary_group``: Define the primary group. Defaults to a new group named
-  after the user.
-* ``groups``: (optional) Additional groups to add the user to. Defaults to
-  ``None``.
-* ``selinux_user``: (optional) The SELinux user for the user's login, such as
-  ``"staff_u"``. When this is omitted, the system will select the default
-  SELinux user.
-* ``lock_passwd``: Defaults to ``true``. Lock the password to disable password
-  login.
-* ``inactive``: Number of days after the password expires until the account is
-  disabled.
-* ``passwd``: The hash -- not the password itself -- of the password you want
-  to use for this user. You can generate a hash via:
-  ``mkpasswd --method=SHA-512 --rounds=4096``
-  (this command creates an SHA-512 password hash from stdin with 4096 salt
-  rounds).
-
-  Note: while the use of a hashed password is better than plain text, the use
-  of this feature is not ideal. Also, using a high number of salting rounds
-  will help, but it should not be relied upon.
-
-  To highlight this risk, running John the Ripper against the example hash
-  above, with a readily available wordlist, revealed the true password in 12
-  seconds on an I7-2620QM.
-
-  In other words, this feature is a potential security risk and is provided for
-  convenience only. If you do not fully trust the medium over which your
-  cloud-config will be transmitted, then you should not use this feature.
-
-* ``no_create_home``: When set to ``true``, do not create home directory.
-* ``no_user_group``: When set to ``true``, do not create a group named after
-  the user.
-* ``no_log_init``: When set to ``true``, do not initialize ``lastlog`` and
-  ``faillog`` database.
-* ``ssh_import_id``: (optional) Import SSH IDs.
-* ``ssh_authorized_keys``: (optional) [list] Add keys to user's authorized keys
-  file. An error is raised if ``no_create_home`` or ``system`` is also set.
-* ``ssh_redirect_user``: (optional) [bool] Set ``true`` to block SSH logins for
-  cloud SSH public keys and emit a message redirecting logins to use
-  ``<default_username>`` instead. This option only disables cloud-provided
-  public keys. An error will be raised if ``ssh_authorized_keys`` or
-  ``ssh_import_id`` is provided for the same user.
-
-* ``sudo``: Defaults to ``none``. Accepts a ``sudo`` rule string, a list of
-  ``sudo`` rule strings or ``False`` to explicitly deny ``sudo`` use. Examples:
-
-  * Allow a user unrestricted sudo access: ::
-
-       sudo:  ALL=(ALL) NOPASSWD:ALL
-
-  * Adding multiple sudo rule strings: ::
-
-       sudo:
-         - ALL=(ALL) NOPASSWD:/bin/mysql``
-         - ALL=(ALL) ALL
-
-  * Prevent sudo access for a user: ::
-
-       sudo: False
-
-  Note: Double check your syntax and make sure it is valid. Cloud-init does not
-  parse/check the syntax of the ``sudo`` directive.
-
-* ``system``: Create the user as a system user. This means no home directory.
-* ``snapuser``: Create a Snappy (Ubuntu-Core) user via the ``snap create-user``
-  command available on Ubuntu systems. If the user has an account on the Ubuntu
-  SSO, specifying the email will allow snap to request a username and any
-  public SSH keys, and will import these into the system with the username
-  specified by their SSO account.
-
-  If the username is not set in SSO, then ``username`` will be the shortname
-  before the email domain.
-
-Default users on Ubuntu
------------------------
-
-Unless you define users, you will get an ``'ubuntu'`` user on Ubuntu systems
-with the legacy permission (no password ``sudo``, locked user, etc). If,
-however, you want to have the ``'ubuntu'`` user in addition to other users,
-you need to instruct cloud-init that you **also** want the default user. To do
-this, use the following syntax:
+Set the default shell
+=====================
 
-.. code-block:: yaml
+The default shell for ``newsuper`` is bash instead of the system default.
+
+.. literalinclude:: ../../../module-docs/cc_users_groups/example3.yaml
+   :language: yaml
+   :linenos:
+
+Configure doas/opendoas
+=======================
+
+Here we configure ``doas``/``opendoas`` to permit this user to run commands as
+other users without being prompted for a password (except not as root).
+
+.. literalinclude:: ../../../module-docs/cc_users_groups/example4.yaml
+   :language: yaml
+   :linenos:
+
+On SELinux
+==========
+
+On a system with SELinux enabled, this example will add ``youruser`` and set
+the SELinux user to ``staff_u``. When omitted on SELinux, the system will
+select the configured default SELinux user.
+
+.. literalinclude:: ../../../module-docs/cc_users_groups/example5.yaml
+   :language: yaml
+   :linenos:
+
+Redirect legacy username
+========================
+
+To redirect a legacy username to the default user for a distribution,
+``ssh_redirect_user`` will accept an SSH connection and show a message telling
+the client to SSH as the default user. SSH clients will get the message:
 
-   users:
-     - default
-     - bob
-     - ....
-   foobar: ...
+.. literalinclude:: ../../../module-docs/cc_users_groups/example6.yaml
+   :language: yaml
+   :linenos:
 
-* ``users[0]`` (the first user in users) overrides the ``user`` directive.
-* The ``'default'`` user above references the distro's config set in
-  ``/etc/cloud/cloud.cfg``.
+Override default user config
+============================
+
+Override any ``default_user`` config in ``/etc/cloud/cloud.cfg`` with
+supplemental config options. This config will make the default user
+``mynewdefault`` and change the user to not have ``sudo`` rights.
+
+.. literalinclude:: ../../../module-docs/cc_users_groups/example7.yaml
+   :language: yaml
+   :linenos: