From 41ab10ae4dc6e9346ba5ac274f9575c33b210a5d Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Sat, 15 Feb 2020 16:15:13 -0600
Subject: Added better use for admin user.
---
 rpi-base/tasks/main.yml | 26 ++++++++++++++++++++++++++
 rpi-base/templates/010_admin-nopasswd | 1 +
 2 files changed, 27 insertions(+)
 create mode 100644 rpi-base/templates/010_admin-nopasswd
diff --git a/rpi-base/tasks/main.yml b/rpi-base/tasks/main.yml
index 04df469..a6bc0ac 100644
--- a/rpi-base/tasks/main.yml
+++ b/rpi-base/tasks/main.yml
@@ -37,6 +37,32 @@
 become: yes
 copy: src="jail.local" dest="/etc/fail2ban/jail.local"
 
+- name: add users
+ become: yes
+ user:
+ name: "{{admin_user_name}}"
+ password: "{{admin_user_password}}"
+ groups: "sudo,users"
+ append: yes
+
 - name: authorize admin ssh keys
+ become: yes
+ authorized_key: user="{{admin_user_name}}" key="https://github.com/{{github_user}}.keys"
+
+- name: authorize pi ssh keys
 become: yes
 authorized_key: user="{{ansible_user}}" key="https://github.com/{{github_user}}.keys"
+
+- name: nopasswd sudo for admin user
+ become: yes
+ template:
+ src: "010_admin-nopasswd"
+ dest: "/etc/sudoers.d/010_admin-nopasswd"
+
+- name: disable ssh password login
+ become: yes
+ lineinfile:
+ path: "/etc/ssh/sshd_config"
+ regexp: "^PasswordAuthentication"
+ insertafter: "^#PasswordAuthentication"
+ line: "PasswordAuthentication no"
diff --git a/rpi-base/templates/010_admin-nopasswd b/rpi-base/templates/010_admin-nopasswd
new file mode 100644
index 0000000..5b76b5d
--- /dev/null
+++ b/rpi-base/templates/010_admin-nopasswd
@@ -0,0 +1 @@
+{{admin_user_name}} ALL=(ALL) NOPASSWD: ALL
--
cgit v1.2.3
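Review bot: The `nopasswd sudo for admin user` task installs a rendered template into `/etc/sudoers.d/` with no syntax check and no explicit mode, so an unexpected value of `admin_user_name` can leave a drop-in that sudo refuses to parse, on a host where the same hunk also turns off SSH password login. Adding `validate: "visudo -cf %s"` and `mode: "0440"` under that `template:` makes Ansible reject a file that does not parse before it replaces anything. The `disable ssh password login` task has no `notify:` in the hunk, so unless sshd is restarted somewhere outside it the running daemon keeps accepting passwords until its next restart; `validate: "sshd -t -f %s"` on the `lineinfile` would also stop a broken config from being written. The `password:` argument of the `user` module expects a crypted hash, so `admin_user_password` presumably has to hold one (for example through the `password_hash('sha512')` filter), which is worth a comment where the variable is defined.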
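Review bot: `{{admin_user_name}} ALL=(ALL) NOPASSWD: ALL` makes the admin account root-equivalent with no password, so root on these hosts is guarded only by the SSH keys the tasks fetch from `https://github.com/{{github_user}}.keys`, and the password set in the `add users` task no longer gates privilege escalation. If that is intended, record it in the file with a header comment such as `# Managed by Ansible (rpi-base): passwordless root for the admin user; access depends on the authorized SSH keys`. If a password prompt is acceptable, this drop-in may be unnecessary, since the account is already placed in the `sudo` group, which on Debian-based systems normally grants password-protected sudo (to be confirmed for the target image). The `authorized_key` tasks as written do not set `exclusive: yes`, so a key later removed from the GitHub account presumably stays in `authorized_keys` and keeps this level of access.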