Optimized security with administrator user

roles/native-sudo/templates/sudoers

@@ -85,7 +85,7 @@ root ALL=(ALL) ALL
 # %wheel ALL=(ALL) NOPASSWD: ALL
 
 ## Uncomment to allow members of group sudo to execute any command
-%sudo	ALL=(ALL) ALL
+# %sudo	ALL=(ALL) ALL
 
 ## Uncomment to allow any user to run sudo if they know the password
 ## of the user they are running the command as (root by default).

roles/native-user-administrator/Readme.md

@@ -1,4 +1,4 @@
 # Role Administrator
 This role creates an standard administrator user.
+This user needs to type in his password before executing sudo. 
 For security reasons it's recommended to use this user instead of the standard root user.
-Please consider the concerns in this article https://unix.stackexchange.com/questions/92123/rsync-all-files-of-remote-machine-over-ssh-without-root-user.  

roles/native-user-administrator/files/administrator.conf

@@ -0,0 +1,2 @@
+Defaults targetpw
+administrator ALL=(ALL) ALL

roles/native-user-administrator/tasks/main.yml

@@ -14,7 +14,7 @@
     group: administrator
     mode: '0644'
 
-- name: grant administrator sudo rights without password
+- name: grant administrator sudo rights with password
   copy:
-    content: '%administrator ALL=(ALL) NOPASSWD: ALL'
+    src: "administrator.conf"
-    dest: /etc/sudoers.d/administrator
+    dest: /etc/sudoers.d/administrator.conf

roles/system-security/meta/main.yml

@@ -1,3 +1,4 @@
 dependencies:
 - native-ssh
 - native-user-alarm
+- native-user-administrator