Added ability to setup target main replacement user, and remove the d…

…efault one.
mikolak-net · Apr 7, 2015 · d11052e · d11052e
1 parent 6f3a9e9
commit d11052e
Show file tree

Hide file tree

Showing 8 changed files with 47 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -53,6 +53,11 @@ raspi_config_hostname: pi
 raspi_config_enable_camera: no
 # specify whether to fail deployment when user/password is default
 raspi_config_fail_on_auth_test: yes
+# user to replace the default "pi" user with
+# NOTE: if you use this for the first time as "pi", any post_tasks will fail!
+raspi_config_replace_user:
+ name:
+ path_to_ssh_key: #LOCAL path to your public key file
 # use this to add any additional options to the config in raw form
 raspi_config_other_options: {}
 ```
@@ -68,8 +73,13 @@ Example Playbook
 
 ```yaml
 - hosts: pi*
+ remote_user: pi
+ sudo: true
  roles:
- - { role: mikołak.raspi-config }
+ - role: mikołak.raspi-config
+ raspi_config_replace_user:
+ name: mainuser
+ path_to_ssh_key: "~/.ssh/my_pub_key_id_rsa.pub"
 ```
 
 License

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -17,5 +17,10 @@ raspi_config_hostname: pi
 raspi_config_enable_camera: no
 # specify whether to fail deployment when user/password is default
 raspi_config_fail_on_auth_test: yes
+# user to replace the default "pi" user with
+# NOTE: if you use this for the first time as "pi", any post_tasks will fail!
+raspi_config_replace_user:
+ name:
+ path_to_ssh_key: #LOCAL path to your public key file
 # use this to add any additional options to the config in raw form
 raspi_config_other_options: {}
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -13,5 +13,11 @@
 - name: wait for reboot
  local_action: wait_for host={{ inventory_hostname }}
  state=started
- timeout=15 # doesn't appear to work correctly now, instead a simple delay is imposed - that's fine for now
- sudo: false
+ timeout=30 # doesn't appear to work correctly now, instead a simple delay is imposed - that's fine for now
+ sudo: false
+- name: remove default user
+ when: "raspi_config_replace_user['name'] != raspi_config_auth_test_username"
+ user: name={{raspi_config_auth_test_username}} state=absent force=yes
+ async: 0
+ poll: 0
+ ignore_errors: True
diff --git a/meta/main.yml b/meta/main.yml
@@ -11,7 +11,6 @@ galaxy_info:
  - development
  - system
 dependencies:
- - { role: knopki.locale, version: "v1.0.3", locale_all: "{{raspi_config_locale}}" }
- - { role: Stouts.timezone, version: "2.0.1", timezone_timezone: "{{raspi_config_timezone}}" }
- - { role: Stouts.hostname, version: "1.0.3", hostname_hostname: "{{raspi_config_hostname}}" }
-
+ - { role: "knopki.locale", version: "v1.0.3", locale_all: "{{raspi_config_locale}}" }
+ - { role: "Stouts.timezone", version: "2.0.1", timezone_timezone: "{{raspi_config_timezone}}" }
+ - { role: "Stouts.hostname", version: "1.0.3", hostname_hostname: "{{raspi_config_hostname}}" }
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -2,6 +2,8 @@
 - name: update all packages
  apt: update_cache=yes upgrade=dist
  when: raspi_config_update_packages
+- include: setup_replace_user.yml
+ when: raspi_config_replace_user["name"] != ''
 - include: security_check.yml
 - name: ensure filesystem is resized
  expand_fs:

diff --git a/tasks/security_check.yml b/tasks/security_check.yml
@@ -10,4 +10,7 @@
  debug: msg="{{raspi_config_auth_test_fail_msg}}"
  when: "raspi_config_auth_test_string == auth_test.stdout"
  changed_when: "raspi_config_auth_test_string == auth_test.stdout" # for highlighting purposes
- failed_when: raspi_config_fail_on_auth_test
+ failed_when: "raspi_config_fail_on_auth_test and raspi_config_replace_user['name'] == ''"
+- name: additional info
+ debug: msg="{{raspi_config_auth_test_replace_info}}"
+ when: "raspi_config_auth_test_string == auth_test.stdout and raspi_config_replace_user['name'] != ''"
diff --git a/tasks/setup_replace_user.yml b/tasks/setup_replace_user.yml
@@ -0,0 +1,13 @@
+---
+- name: Create user {{raspi_config_replace_user['name']}}
+ user: name={{raspi_config_replace_user['name']}}
+ changed_when: True #to force handler call
+ notify:
+ - remove default user
+- name: Add your login key to {{raspi_config_replace_user['name']}}
+ authorized_key: user={{raspi_config_replace_user['name']}} key="{{ lookup('file', raspi_config_replace_user['path_to_ssh_key']) }}"
+- name: Add {{raspi_config_replace_user['name']}} to sudoers
+ lineinfile:
+ args:
+ dest: /etc/sudoers
+ line: "{{raspi_config_replace_user['name']}} ALL=(ALL) NOPASSWD: ALL"
diff --git a/vars/main.yml b/vars/main.yml
@@ -5,5 +5,6 @@ raspi_config_pi_cpu:
 raspi_config_min_camera_mem: 128
 raspi_config_auth_test_string: VULN
 raspi_config_auth_test_fail_msg: ABLE TO SSH IN WITH FACTORY CREDENTIALS - ASSUME PWNED IF SSH OPEN TO THE INTERNET
+raspi_config_auth_test_replace_info: User "pi" will be replaced by {{raspi_config_replace_user['name']}} at the end of role execution
 raspi_config_auth_test_username: pi
 raspi_config_auth_test_password: raspberry