--- - name: get UID_MIN from login.defs shell: awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs args: removes: /etc/login.defs register: uid_min check_mode: false changed_when: false - name: calculate UID_MAX from UID_MIN by substracting 1 set_fact: uid_max: '{{ uid_min.stdout | int - 1 }}' when: uid_min.stdout|int > 0 - name: set UID_MAX on Debian-systems if no login.defs exist set_fact: uid_max: '999' when: - ansible_facts.os_family == 'Debian' - uid_max is not defined - name: set UID_MAX on other systems if no login.defs exist set_fact: uid_max: '499' when: uid_max is not defined - name: get all system accounts command: awk -F'':'' '{ if ( $3 <= {{ uid_max|quote }} ) print $1}' /etc/passwd args: removes: /etc/passwd changed_when: false check_mode: false register: sys_accs - name: remove always ignored system accounts from list set_fact: sys_accs_cond: '{{ sys_accs.stdout_lines | difference(os_always_ignore_users) }}' check_mode: false - name: change system accounts not on the user provided ignore-list user: name: '{{ item }}' shell: '{{ os_nologin_shell_path }}' password: '*' createhome: false with_flattened: - '{{ sys_accs_cond | default([]) | difference(os_ignore_users) | list }}'