-rw-r--r-- | playbook.yaml | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/playbook.yaml b/playbook.yaml
index 25bf1fe..b972331 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -5,9 +5,58 @@
 ---
 - name: Ensure XMPP server is set up
+ gather_facts: false
 hosts: xmpp_server
 tasks:
+ # Now, we create a non-root user with sudo privileges
+ - name: Ensure wheel group exists
+ remote_user: root
+ ansible.builtin.group:
+ name: wheel
+ state: present
+
+ - name: Ensure wheel group allows passwordless sudo
+ remote_user: root
+ ansible.builtin.lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: "^%wheel"
+ line: "%wheel ALL=(ALL) NOPASSWD: ALL"
+ validate: visudo -cf %s
+
+ - name: Ensure non-root admin account is created in wheel group
+ remote_user: root
+ ansible.builtin.user:
+ name: admin
+ groups: wheel
+ append: true
+
+ - name: Ensure admin ssh directory exists
+ remote_user: root
+ ansible.builtin.file:
+ path: /home/admin/.ssh
+ state: directory
+ owner: admin
+ group: admin
+ mode: "0700"
+
+ - name: Copy authorised keys to admin account
+ remote_user: root
+ ansible.builtin.copy:
+ src: /root/.ssh/authorized_keys
+ dest: /home/admin/.ssh/authorized_keys
+ remote_src: true
+ owner: admin
+ group: admin
+ mode: preserve
+
+ - name: Remove authorised keys from root account
+ remote_user: root
+ ansible.builtin.file:
+ path: /root/.ssh/authorized_keys
+ state: absent
+
 # We allow status code 400 here as this is returned by deSEC if the domain
 # already exists. Ideally, we should filter out genuinely good/bad requests
 # here using the response. |
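Review bot: The final task deletes `/root/.ssh/authorized_keys` while every task in the hunk still connects with `remote_user: root`, and nothing between the copy and the removal checks that the copied key actually lets `admin` log in and escalate; if that login is broken for any reason the host is locked out, and a second run of the play fails at its first task because root can no longer authenticate, so the play is not re-runnable. The sshd settings that would matter here (`PermitRootLogin`, any `AllowUsers`) and the rest of the play are outside the hunk, so I cannot tell whether they are handled elsewhere. I would add a connectivity check that runs as `admin` with `become: true` immediately before the removal task (below), and give the copied key file a fixed quoted mode instead of `mode: preserve` (`mode: "0600"`) so it does not inherit whatever permissions root's file happened to have. The `NOPASSWD: ALL` entry is a deliberate choice, but worth a comment stating that the admin key is therefore equivalent to root.

```yaml
    # … unchanged: wheel group, sudoers, user, .ssh directory and copy tasks …
    - name: Verify admin can log in and escalate before root's key is removed
      remote_user: admin
      become: true
      ansible.builtin.ping:

    - name: Remove authorised keys from root account
      # … unchanged …
```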