users: Manage static user accounts

The Samba AD domain performs two important functions: centralized user
identity mapping via LDAP, and centralized authentication via
Kerberos/GSSAPI.  Unfortunately, Samba, on both domain controllers and
members, is quite frustrating.  The client, _winbind_, frequently just
stops working and needs to have its cache flushed in order to resolve
user IDs again.  It also takes quite a lot of memory, something rather
precious on Raspberry Pis.  The DC is also somewhat flaky at times, and
cumbersome to upgrade.  In short, I really would like to get rid of as
much of it as possible.

For most use cases, OIDC can replace Kereros.  For SSH specifically, we
can use SSH certificates (which are issued to OIDC tokens).
Unfortunately, user and group accounts still need ID numbers assigned,
which is what _winbind_ does.  In reality, there's only one user that's
necessary: _dustin_.  It doesn't make sense to bring along all the
baggage of Samba just to map that one account.  Instead, it's a lot
simpler and more robust to create it statically.

group_vars/all.yml

@@ -1,3 +1,10 @@
+managed_users:
+- name: dustin
+  comment: Dustin C. Hatch
+  uid: 3000016
+  groups:
+  - wheel
+
 sshca_url: https://sshca.pyrocufflink.blue
 ssh_trusted_user_ca_keys: >-
   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF sshca.pyrocufflink.blue

users.yml

@@ -0,0 +1,15 @@
+- hosts: all
+  tasks:
+  - name: ensure users exist
+    user:
+      name: '{{ item.name }}'
+      comment: '{{ item.comment | d(omit) }}'
+      uid: '{{ item.uid | d(omit) }}'
+      groups: '{{ item.groups | d(omit) }}'
+      create_home: true
+      local: true
+      password: '*'
+      state: present
+    loop: '{{ managed_users | d([]) }}'
+    tags:
+    - user