From b70fffe0fefe3b50161f95980b793b1bc8219727 Mon Sep 17 00:00:00 2001
From: Matthew Fennell
Date: Sun, 3 Mar 2024 13:22:58 +0000
Subject: Ensure non-root admin account is created

Initially, I used AWS Lightsail for deployment. However, I am now using Vultr via libcloud, which does not create a user named "admin" by default. Therefore, this commit aims to ensure that such an account is created, even on providers that don't create it by default.
---
 playbook.yaml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/playbook.yaml b/playbook.yaml
index 25bf1fe..b972331 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -5,9 +5,58 @@
 ---
 - name: Ensure XMPP server is set up
+ gather_facts: false
 hosts: xmpp_server
 tasks:
+ # Now, we create a non-root user with sudo privileges
+ - name: Ensure wheel group exists
+ remote_user: root
+ ansible.builtin.group:
+ name: wheel
+ state: present
+
+ - name: Ensure wheel group allows passwordless sudo
+ remote_user: root
+ ansible.builtin.lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: "^%wheel"
+ line: "%wheel ALL=(ALL) NOPASSWD: ALL"
+ validate: visudo -cf %s
+
+ - name: Ensure non-root admin account is created in wheel group
+ remote_user: root
+ ansible.builtin.user:
+ name: admin
+ groups: wheel
+ append: true
+
+ - name: Ensure admin ssh directory exists
+ remote_user: root
+ ansible.builtin.file:
+ path: /home/admin/.ssh
+ state: directory
+ owner: admin
+ group: admin
+ mode: "0700"
+
+ - name: Copy authorised keys to admin account
+ remote_user: root
+ ansible.builtin.copy:
+ src: /root/.ssh/authorized_keys
+ dest: /home/admin/.ssh/authorized_keys
+ remote_src: true
+ owner: admin
+ group: admin
+ mode: preserve
+
+ - name: Remove authorised keys from root account
+ remote_user: root
+ ansible.builtin.file:
+ path: /root/.ssh/authorized_keys
+ state: absent
+
 # We allow status code 400 here as this is returned by deSEC if the domain
 # already exists. Ideally, we should filter out genuinely good/bad requests
 # here using the response.
-- cgit v1.2.3
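Review bot: The task `Copy authorised keys to admin account` is not idempotent once `Remove authorised keys from root account` has run: on a second run of the play its `src: /root/.ssh/authorized_keys` no longer exists, so `ansible.builtin.copy` with `remote_src: true` fails, and because every new task still sets `remote_user: root`, that second run may not even be able to connect with the key this commit deletes. Guard the copy with an `ansible.builtin.stat` of root's file and a `when:` on its result; since a failed task stops the play for that host by default, the removal task then only runs after the admin copy has actually succeeded, which also means a broken copy cannot lock you out. Deleting root's `authorized_keys` only removes key-based root login; whether root remains reachable by other means depends on the sshd configuration, which this hunk does not touch, so that is worth confirming separately. The enclosing play continues past the end of the hunk, so the `remote_user` of the remaining tasks is not visible here.

```yaml
    - name: Check whether root still holds the bootstrap authorised keys
      remote_user: root
      ansible.builtin.stat:
        path: /root/.ssh/authorized_keys
      register: root_authorized_keys

    - name: Copy authorised keys to admin account
      remote_user: root
      ansible.builtin.copy:
        src: /root/.ssh/authorized_keys
        dest: /home/admin/.ssh/authorized_keys
        remote_src: true
        owner: admin
        group: admin
        mode: preserve
      when: root_authorized_keys.stat.exists

    # … unchanged: Remove authorised keys from root account …
```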