Create Azimuth user outside of image build

ansible/roles/linux-data-volumes/files/data-volumes-configure-volume.yml

@@ -9,6 +9,15 @@
   set_fact:
     data_volume_id: "{{ openstack_metadata[data_volume.metadata_var] }}"
 
+- name: Get Azimuth user metadata
+  set_fact:
+    azimuth_username: "{{ openstack_metadata['azimuth_workstation_username'] }}"
+    azimuth_uid: "{{ openstack_metadata['azimuth_workstation_uid'] }}"
+    azimuth_gid: "{{ openstack_metadata['azimuth_workstation_gid'] }}"
+    azimuth_is_sudo: "{{ openstack_metadata['azimuth_workstation_is_sudo'] }}"
+    azimuth_user_data: "{{ openstack_userdata }}"
+  when: create_user | bool
+
 # Use the same discovery logic as CSI Cinder, so that we succeed and fail on the same clouds
 # https://github.com/kubernetes/cloud-provider-openstack/blob/34f5f980f523e191285c568a8a77a2ca683272be/pkg/util/mount/mount.go#L152
 
@@ -68,6 +77,39 @@
     fstype: "{{ data_volume.get('fs_type', 'ext4') }}"
     opts: "{{ data_volume.get('opts', omit) }}"
 
+- name: Ensure the Azimuth user is created
+  ansible.builtin.user:
+    name: "{{ azimuth_username }}"
+    uid: "{{ azimuth_uid }}"
+    gid: "{{ azimuth_gid }}"
+    home: "{{ data_volume.mountpoint }}/{{ azimuth_username }}-home"
+  when: create_user | bool
+
+- name: Setup public key for the Azimuth user
+  ansible.posix.authorized_key:
+    user: "{{ azimuth_username }}"
+    state: present
+    key: "{{ item.ssh_authorized_keys[0] }}"
+  with_items: "{{ azimuth_user_data }}"
+  when: create_user | bool
+
+- name: Add the Azimuth user to sudoers
+  ansible.builtin.user:
+    name: "{{ azimuth_username }}"
+    groups: sudo
+  when: 
+    - create_user | bool
+    - azimuth_is_sudo | bool
+
+- name: Make sudo without password for users
+  ansible.builtin.copy:
+    dest: /etc/sudoers.d/80-ansible-sudo-user
+    content: "{{ azimuth_username }} ALL=(ALL) NOPASSWD:ALL"
+    mode: 0440
+  when: 
+    - create_user | bool
+    - azimuth_is_sudo | bool
+
 - name: Ensure mountpoint permissions
   ansible.builtin.file:
     state: directory

ansible/roles/linux-data-volumes/files/data-volumes-playbook.yml

@@ -5,8 +5,10 @@
   become: true
   vars:
     openstack_metadata: "{{ (lookup('url', 'http://169.254.169.254/openstack/latest/meta_data.json') | from_json).get('meta', {}) }}"
+    openstack_userdata: "{{ (lookup('url', 'http://169.254.169.254/openstack/latest/user_data.json') | from_json).get('user', {}) }}"
   vars_files:
     - /etc/ansible-init/vars/data-volumes.yml
+    - /etc/ansible-init/vars/user.yml
   tasks:
     - include_tasks: /etc/ansible-init/includes/data-volumes-configure-volume.yml
       loop: "{{ data_volumes }}"

ansible/roles/linux-data-volumes/tasks/main.yml

@@ -16,11 +16,16 @@
   loop:
     - data-volumes-configure-volume.yml
 
-- name: Install ansible-init vars
+- name: Install ansible-init vars for volumes
   copy:
     content: "{{ { 'data_volumes': data_volumes } | to_nice_yaml }}"
     dest: /etc/ansible-init/vars/data-volumes.yml
 
+- name: Install ansible-init vars for users
+  copy:
+    content: "{{ { 'create_user': ( create_user | default('false') ) } | to_nice_yaml }}"
+    dest: /etc/ansible-init/vars/user.yml
+
 - name: Install ansible-init playbook
   copy:
     src: data-volumes-playbook.yml

ansible/roles/linux-webconsole/tasks/main.yml

@@ -39,6 +39,7 @@
 - include_role:
     name: linux-data-volumes
   vars:
+    create_user: true
     data_volumes:
       - metadata_var: zenith_volume_id
         mountpoint: /etc/zenith/ssh

packer/linux-desktop.pkr.hcl

@@ -72,20 +72,6 @@ source "openstack" "linux-desktop" {
   communicator = "ssh"
   ssh_username = var.ssh_username
   ssh_clear_authorized_keys = true
-
-  user_data = <<-EOF
-  #cloud-config
-  users:
-  - default
-  # create a new default-type user matching Slurm platform:
-  - name: azimuth
-    uid: 1005
-    lock_passwd: true
-    gecos: Azimuth User
-    groups: [adm, systemd-journal]
-    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
-    shell: /bin/bash
-  EOF
 }
 
 build {