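---
# Onboarding 2FA
#
# Create a secret and authenticator using the tool in git:
#   https://portal.dualinventive.com/git/devops/tools/src/branch/master/2fa
#
# In vars/users.yml, add the following fields for the user:
#   secret: << secret from the application above >>
#   authenticator: << authenticator from the application above >>
#
# The secret and the authenticator are the same value, encoded in two
# different ways:
#   - secret is used by PAM for 2FA
#   - authenticator is used for generating a QR code
#
# NOTE(review): both fields are the user's OTP seed. Anyone who can read
# vars/users.yml can generate valid codes for that user, so the file should
# be encrypted (e.g. with ansible-vault) rather than committed in plain
# text. Confirm how it is stored in this repository.
#
# You can generate the QR code using the following URL:
#   https://cdn.rawgit.com/Daplie/browser-authenticator/gh-pages/index.html
# or using the program:
#   https://portal.dualinventive.com/git/devops/tools/src/branch/master/2fa/browser-authenticator (fork)
#
# NOTE(review): the hosted page is third-party content served from a CDN;
# entering a seed there trusts whatever script that URL serves at the time.
# Prefer the locally run fork. RawGit has also been sunset upstream, so the
# hosted link may no longer resolve.

# Loads vars/users.yml, which per the notes above carries the per-user
# secret/authenticator fields.
- name: Load user definitions
  include_vars: users.yml

- name: Install libpam-oath
  apt:
    name: libpam-oath
    state: latest
  become: true

- name: Install oathtool
  apt:
    name: oathtool
    state: latest
  become: true

# Single definition of the users file path, reused by the template task
# below.
- name: Set path of the OATH users file
  set_fact:
    auth_file: /etc/security/users.oath

# Replaces the sshd PAM stack. A mistake in pamd-sshd.j2 can lock out SSH
# logins once sshd restarts, so keep an existing session open while rolling
# this out.
- name: Deploy PAM configuration for sshd
  template:
    src: pamd-sshd.j2
    dest: /etc/pam.d/sshd
    owner: root
    group: root
    # Quoted so YAML does not read the mode as an integer.
    mode: "0600"
  notify:
    - restart sshd
  become: true

# users.oath.j2 is not shown here; presumably it renders each user's secret
# into the file. no_log keeps the rendered content out of task output and
# --diff; drop it temporarily when debugging a failing render.
- name: Deploy OATH users file
  template:
    src: users.oath.j2
    dest: "{{ auth_file }}"
    owner: root
    group: root
    # Root-only: the file holds authentication secrets.
    mode: "0600"
  no_log: true
  notify:
    - restart sshd
  become: true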