| Field | Value | Date |
|---|---|---|
| author | Matthew Fennell <matthew@fennell.dev> | 2024-03-03 13:22:58 +0000 |
| committer | Matthew Fennell <matthew@fennell.dev> | 2024-03-03 13:22:58 +0000 |
| commit | b70fffe0fefe3b50161f95980b793b1bc8219727 (patch) | |
| tree | fb1c267baf3d455f48fbe228b38d60f9618fc24b | |
| parent | ac1aa23695b3654246035c496ba8057fe05b3745 (diff) | |
Ensure non-root admin account is created
Initially, I used AWS Lightsail for deployment. However, I am now using Vultr
via libcloud, which does not create a user named "admin" by default. Therefore,
this commit aims to ensure that such an account is created, even on providers
that don't create it by default.
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | playbook.yaml | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/playbook.yaml b/playbook.yaml index 25bf1fe..b972331 100644 --- a/playbook.yaml +++ b/playbook.yaml @@ -5,9 +5,58 @@ --- - name: Ensure XMPP server is set up + gather_facts: false hosts: xmpp_server tasks: + # Now, we create a non-root user with sudo privileges + - name: Ensure wheel group exists + remote_user: root + ansible.builtin.group: + name: wheel + state: present + + - name: Ensure wheel group allows passwordless sudo + remote_user: root + ansible.builtin.lineinfile: + dest: /etc/sudoers + state: present + regexp: "^%wheel" + line: "%wheel ALL=(ALL) NOPASSWD: ALL" + validate: visudo -cf %s + + - name: Ensure non-root admin account is created in wheel group + remote_user: root + ansible.builtin.user: + name: admin + groups: wheel + append: true + + - name: Ensure admin ssh directory exists + remote_user: root + ansible.builtin.file: + path: /home/admin/.ssh + state: directory + owner: admin + group: admin + mode: "0700" + + - name: Copy authorised keys to admin account + remote_user: root + ansible.builtin.copy: + src: /root/.ssh/authorized_keys + dest: /home/admin/.ssh/authorized_keys + remote_src: true + owner: admin + group: admin + mode: preserve + + - name: Remove authorised keys from root account + remote_user: root + ansible.builtin.file: + path: /root/.ssh/authorized_keys + state: absent + # We allow status code 400 here as this is returned by deSEC if the domain # already exists. Ideally, we should filter out genuinely good/bad requests # here using the response. |
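Review bot: the final task in this hunk, "Remove authorised keys from root account", deletes /root/.ssh/authorized_keys while every task in the hunk still connects with `remote_user: root`, so once a first run has reached that task a second run of the playbook can no longer authenticate to the host, and the newly created admin user has no password set to fall back on. Either run the later tasks as `remote_user: admin` with `become: true` once the key copy has succeeded, or guard the root-only tasks with a `stat` of /home/admin/.ssh/authorized_keys so they are skipped on hosts that have already been converted. Two smaller points on the same hunk: `line: "%wheel ALL=(ALL) NOPASSWD: ALL"` grants unattended root to every member of wheel, which is reasonable for an automation account but deserves a comment saying so, and removing root's authorized_keys does not by itself prevent root SSH login on hosts where password authentication is enabled, so an explicit `PermitRootLogin no` (or `prohibit-password`) in sshd_config would make the commit's intent hold regardless of the provider's default image.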