disable ssh login as pi for non-dev builds

build/initialization.sh

@@ -60,9 +60,12 @@ EOF
 
 cat /embassy-os/product_key.txt | tr -d '\n' | sha256sum | head -c 32 | sed 's/$/\n/' > /etc/machine-id
 
+passwd -l pi
+
 raspi-config nonint enable_overlayfs
 systemctl disable initialization.service
 sudo systemctl restart NetworkManager
+
 sync
 
 # TODO: clean out ssh host keys

build/write-image.sh

@@ -82,7 +82,12 @@ sudo mkdir -p /tmp/eos-mnt/root/.ssh
 #sudo chmod +x /tmp/eos-mnt/etc/update-motd.d/90-updates-available
 #sudo chmod +x /tmp/eos-mnt/etc/update-motd.d/95-hwe-eol
 
-sudo cp ./build/initialization.sh /tmp/eos-mnt/usr/local/bin
+if [[ "$ENVIRONMENT" =~ (^|-)dev($|-) ]]; then
+	cat ./build/initialization.sh | grep -v "passwd -l pi" | sudo tee /tmp/eos-mnt/usr/local/bin/initialization.sh > /dev/null
+	sudo chmod +x /tmp/eos-mnt/usr/local/bin/initialization.sh
+else
+	sudo cp ./build/initialization.sh /tmp/eos-mnt/usr/local/bin
+fi
 
 sudo cp ./build/initialization.service /tmp/eos-mnt/etc/systemd/system/initialization.service
 sudo ln -s /etc/systemd/system/initialization.service /tmp/eos-mnt/etc/systemd/system/multi-user.target.wants/initialization.service