[fix] Fixed openwisp_user and openwisp_group variables

[pandafy]

⚠️ Warning

This PR requires careful review before merging. I made these changes hastily.

In current state, the PR should be considered unfinished.

Checklist

• I have read the OpenWISP Contributing Guidelines.
• I have manually tested the changes proposed in this pull request.
• I have written new test cases for new code and/or updated existing tests for changes to existing code.
• I have updated the documentation.

Problem

The role exposes the following variables:

openwisp_user
openwisp_group

However, several tasks still hardcoded the default openwisp
user/group, which caused partial or broken support for customized
deployments.

Examples included:

• become_user: openwisp
• static sudoers paths/files
• hardcoded group assignments
• variables defined in vars/ instead of defaults/

As a result, overriding openwisp_user and openwisp_group did not
work consistently across the role.

Goal

The main objective of this PR is to make the role fully support
customized Linux users/groups instead of implicitly depending on the
default openwisp account.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 76f819bc-3f79-4d5c-9fd2-47d9f2b89d24

📥 Commits

Reviewing files that changed from the base of the PR and between ef44366 and 88daa05.

📒 Files selected for processing (1)

• tasks/user_management.yml

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Analyze (actions)
• GitHub Check: Analyze (python)
• GitHub Check: Build debian13
• GitHub Check: Build debian11
• GitHub Check: Build ubuntu2404
• GitHub Check: Build debian12
• GitHub Check: Build ubuntu2204
• GitHub Check: Kilo Code Review

🔇 Additional comments (1)

tasks/user_management.yml (1)

12-12: LGTM!

Also applies to: 15-19

---

📝 Walkthrough

Walkthrough

This pull request refactors the Ansible role to support configurable OpenWISP user and group names instead of hardcoded "openwisp" values. New variables openwisp_user and openwisp_group are added to defaults, user creation is updated to use the configurable group, and sudoers provisioning migrates from a static file to a templated configuration with group-specific destination paths. Tasks and tests are updated to reference these variables, and documentation is clarified with examples showing the new configuration options.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• openwisp/ansible-wireguard-openwisp#97: Modifies tasks/user_management.yml with overlapping user/group and sudoers-related task changes, suggesting potential interaction with this PR's configurable user/group work.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description covers the problem statement and goal, but critical checklist items for manual testing and documentation updates are unchecked, and the author explicitly warns the PR is unfinished.	Complete manual testing, update documentation, and remove the unfinished/hastily-made warning before merging. Ensure all checklist items are properly addressed.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title uses the required [fix] prefix and clearly describes the main changes: fixing hardcoded references to openwisp_user and openwisp_group variables.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Bug Fixes	✅ Passed	Fixes root cause by templating hardcoded user/group values. Regression test with custom group/user overrides verifies sudoers path and file ownership changes correctly.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-openwisp-user

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

The PR properly addresses the issue of hardcoded openwisp user/group values by:

1. Moving variables to defaults - openwisp_user and openwisp_group moved from vars/main.yml (high precedence) to defaults/main.yml (overridable by users)

2. Replacing hardcoded references - All task files now use {{ openwisp_user }} and {{ openwisp_group }} variables instead of hardcoded values

3. Template-based sudoers with validation - Replaced static files/sudoers.d/openwisp with template templates/sudoers.d/openwisp_user, and added validate: /usr/sbin/visudo -cf %s for security

4. Proper test coverage - Molecule tests updated with non-default values (owvpnuser/owvpngroup) and new verification tasks confirm the custom user/group configuration works correctly

5. Documentation updated - README.md reflects the new configurable variables

Files Reviewed (10 files)

• defaults/main.yml - Added openwisp_group and openwisp_user defaults
• vars/main.yml - Removed hardcoded user/group values
• tasks/user_management.yml - Uses variables for user/group and sudoers file; includes visudo validation
• tasks/complete.yml - Uses {{ openwisp_user }} for become_user
• tasks/flask.yml - Uses variables (already correct, unchanged)
• tasks/uwsgi.yml - Uses variables (already correct, unchanged)
• templates/sudoers.d/openwisp_user - New template using {{ openwisp_group }}
• files/sudoers.d/openwisp - Deleted (replaced by template)
• molecule/resources/verify.yml - Added verification tests for custom user/group
• molecule/vars/main.yml - Uses non-default test values
• README.md - Documentation updated
• .github/workflows/backport.yml - YAML linting fix

---

_{Updated review: No new issues in incremental changes. The added validate parameter for sudoers file is a good security improvement.}

---

_{Reviewed by kimi-k2.5-0127 · 285,919 tokens}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/backport.yml:
- Line 1: This PR includes unrelated linting changes (the YAML document marker
`---` and the `# yamllint disable` directive) that should be split out; remove
or revert those lint-only edits from this PR and create a separate focused PR
containing the YAML document marker and yamllint suppression so this PR only
contains the fixes for openwisp_user/openwisp_group support, ensuring clearer
review history and backporting; mention the separate PR in the current PR
description if needed.

In `@tasks/user_management.yml`:
- Around line 15-18: The task using ansible.builtin.template to write
sudoers.d/{{ openwisp_group }} must validate the rendered file with visudo
before replacing the target; update the template task (ansible.builtin.template)
in tasks/user_management.yml to add a validate step such as validate: "visudo
-cf %s" so Ansible checks syntax on the temporary file and fails safely if
rendering/substitution is invalid, keeping the existing src, dest and mode
settings.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 35c050e2-a1f3-4564-b405-2185f3180389

📥 Commits

Reviewing files that changed from the base of the PR and between e2ba0ed and ef44366.

📒 Files selected for processing (10)

• .github/workflows/backport.yml
• README.md
• defaults/main.yml
• files/sudoers.d/openwisp
• molecule/resources/verify.yml
• molecule/vars/main.yml
• tasks/complete.yml
• tasks/user_management.yml
• templates/sudoers.d/openwisp_user
• vars/main.yml

💤 Files with no reviewable changes (2)

• vars/main.yml
• files/sudoers.d/openwisp

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)

• GitHub Check: Kilo Code Review
• GitHub Check: Build debian13
• GitHub Check: Analyze (python)
• GitHub Check: Build debian11
• GitHub Check: Build ubuntu2404
• GitHub Check: Build ubuntu2204
• GitHub Check: Build debian12

🧰 Additional context used

🪛 Checkov (3.2.528)

molecule/resources/verify.yml

[low] 28-44: Ensure block is handling task errors properly

(CKV2_ANSIBLE_3)

🔇 Additional comments (7)

defaults/main.yml (1)

51-52: LGTM!

molecule/vars/main.yml (1)

9-10: LGTM!

templates/sudoers.d/openwisp_user (1)

1-1: LGTM!

tasks/user_management.yml (1)

12-12: LGTM!

tasks/complete.yml (1)

4-4: LGTM!

molecule/resources/verify.yml (1)

28-64: LGTM!

README.md (1)

176-179: LGTM!

Also applies to: 250-250

[nemesifier]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.