From f911c78946f175b631b05e6584c40ede303d1c54 Mon Sep 17 00:00:00 2001
From: therojam <github@therojam.tech>
Date: Sat, 1 May 2021 19:57:06 +0200
Subject: [PATCH] added steps to secure Authentication w/o Password

---
 README.md             |  9 +++++++--
 default/main.yml      |  1 +
 tasks/admin_users.yml | 13 +++++++++++++
 tasks/main.yml        |  4 ++++
 4 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 tasks/admin_users.yml

diff --git a/README.md b/README.md
index 217647d..d73a8e7 100644
--- a/README.md
+++ b/README.md
@@ -39,11 +39,16 @@ yunohost:
       firstname: Jane
       lastname: Doe
       domain: {{ domain }} 
-    - name: user1 # user which uses the first extra_domain for its account
+    - name: user2 # user which uses the first extra_domain for its account
       pass: p@ssw0rd
-      firstname: Jane
+      firstname: John 
       lastname: Doe
       domain: {{ extra_domain.[1] }} 
+  admin_users: 
+    - name: admin # user generated by yunohost as its admin user  
+      key: ssh-rsa ... # key for admin user 
+    - name: user1 # user generated by yunohost and defined by you  
+      key: ssh-rsa ... # key for  
 ```
 
 Dependencies
diff --git a/default/main.yml b/default/main.yml
index 3f3a500..80bb4c5 100644
--- a/default/main.yml
+++ b/default/main.yml
@@ -6,3 +6,4 @@ yunohost:
   ignore_dyndns: False
   apps: ~
   users: ~
+  admin_users: 
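Review bot: The new default `admin_users:` is a bare value (null), yet the include added in the tasks/main.yml hunk is guarded with `when: yunohost.admin_users is defined`, which is true for null; the include therefore always runs and `loop: "{{ yunohost.admin_users }}"` in tasks/admin_users.yml then fails because null is not a list. Write the default like the neighbouring `apps: ~` and `users: ~`, `admin_users: ~`, and guard the include the way the sibling includes do, `when: yunohost.admin_users`, so the tasks are skipped when no admin users are configured. The added line also carries trailing whitespace after the colon.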
diff --git a/tasks/admin_users.yml b/tasks/admin_users.yml
new file mode 100644
index 0000000..b515866
--- /dev/null
+++ b/tasks/admin_users.yml
@@ -0,0 +1,13 @@
+---
+- name: add sshkey for admin user:
+  ansible.posix.authorized_key:
+    user: "{{ item.name }}"
+    state: present
+    key: "{{ item.key }}"
+  loop: "{{ yunohost.admin_users }}"
+
+- name: Disable Password Authentication for ssh.usage
+  ansible.builtin.replace:
+    path: /etc/ssh/sshd_config
+    regex: PasswordAuthentication
+    replace: 'PasswordAuthentication no\1' 
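Review bot: The `ansible.builtin.replace` task cannot disable password authentication as written: the module's parameter is `regexp`, not `regex`; the replacement `PasswordAuthentication no\1` back-references a group the pattern never captures, which the regex engine rejects; and even with both fixed the pattern matches only the keyword, so a stock `#PasswordAuthentication yes` would become `#PasswordAuthentication no\1 yes` — still commented out and still not `no`. Nothing validates the edited file or notifies sshd, so a broken config would go unnoticed and a correct edit would not take effect until the service is restarted. The first task's name `add sshkey for admin user:` ends in a colon, which YAML reads as a mapping indicator and most parsers reject; drop it: `- name: add sshkey for admin user`. Since the disable task runs whenever the include runs, even if the loop above placed no key, a guard on the loop's result would avoid locking the host out of SSH entirely. I would rewrite the second task with `ansible.builtin.lineinfile` as below, anchoring on the whole directive line and adding `validate` plus `notify` to an sshd restart handler (the handler is not on this page and would need to be added to the role).
```yaml
# … unchanged: authorized_key loop over yunohost.admin_users …

- name: Disable password authentication for sshd
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?\s*PasswordAuthentication\s'
    line: 'PasswordAuthentication no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd  # proposed handler name; define it in the role's handlers
```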
diff --git a/tasks/main.yml b/tasks/main.yml
index b01d51b..2dbc71a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -45,6 +45,10 @@
   ansible.builtin.include: users.yml
   when: yunohost.users
 
+- name: Add ssh for admin user
+  ansible.builtin.include: admin_users.yml
+  when: yunohost.admin_users is defined
+
 - name: Install apps
   ansible.builtin.include: apps.yml
   when: yunohost.apps
-- 
GitLab