Added better use for admin user.

author: Luke Hoersten <[email protected]> 2020-02-15 16:15:13 -0600
committer: Luke Hoersten <[email protected]> 2020-02-15 16:15:13 -0600
commit: 41ab10ae4dc6e9346ba5ac274f9575c33b210a5d (patch)
tree: 2cb1bac13a16d7f9a6f7362d2e90bb76a00d256a /rpi-base
parent: 3f7393b3f5c68e96546b0ba35a9e1390e6d92f04 (diff)
2 files changed, 27 insertions, 0 deletions
diff --git a/rpi-base/tasks/main.yml b/rpi-base/tasks/main.yml
index 04df469..a6bc0ac 100644
--- a/rpi-base/tasks/main.yml
+++ b/rpi-base/tasks/main.yml
@@ -37,6 +37,32 @@
   become: yes
   copy: src="jail.local" dest="/etc/fail2ban/jail.local"
 
+- name: add users
+  become: yes
+  user:
+    name: "{{admin_user_name}}"
+    password: "{{admin_user_password}}"
+    groups: "sudo,users"
+    append: yes
+
 - name: authorize admin ssh keys
   become: yes
+  authorized_key: user="{{admin_user_name}}" key="https://github.com/{{github_user}}.keys"
+
+- name: authorize pi ssh keys
+  become: yes
   authorized_key: user="{{ansible_user}}" key="https://github.com/{{github_user}}.keys"
+
+- name: nopasswd sudo for admin user
+  become: yes
+  template:
+    src: "010_admin-nopasswd"
+    dest: "/etc/sudoers.d/010_admin-nopasswd"
+
+- name: disable ssh password login
+  become: yes
+  lineinfile:
+    path: "/etc/ssh/sshd_config"
+    regexp: "^PasswordAuthentication"
+    insertafter: "^#PasswordAuthentication"
+    line: "PasswordAuthentication no"
diff --git a/rpi-base/templates/010_admin-nopasswd b/rpi-base/templates/010_admin-nopasswd
new file mode 100644
index 0000000..5b76b5d
--- /dev/null
+++ b/rpi-base/templates/010_admin-nopasswd
@@ -0,0 +1 @@
+{{admin_user_name}} ALL=(ALL) NOPASSWD: ALL
author	Luke Hoersten <[email protected]>	2020-02-15 16:15:13 -0600
committer	Luke Hoersten <[email protected]>	2020-02-15 16:15:13 -0600
commit	41ab10ae4dc6e9346ba5ac274f9575c33b210a5d (patch)
tree	2cb1bac13a16d7f9a6f7362d2e90bb76a00d256a /rpi-base
parent	3f7393b3f5c68e96546b0ba35a9e1390e6d92f04 (diff)