Automatically generate the Google authenticator file for the default user

roles/common/tasks/google_auth.yml

@@ -9,17 +9,41 @@
     #- libpam-google-authenticator    wasn't available in wheezy
 
 - name: Download Google authenticator pam module
-  get_url: url=https://google-authenticator.googlecode.com/files/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2 dest=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
+  get_url: url=https://google-authenticator.googlecode.com/files/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
+           dest=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
 
 - name: Extract Google authenticator
-  command: tar xjf libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2 chdir=/root creates=/root/libpam-google-authenticator-{{ google_auth_version }}
+  command: tar xjf libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
+           chdir=/root creates=/root/libpam-google-authenticator-{{ google_auth_version }}
 
 - name: Install Google authenticator
-  command: make install chdir=/root/libpam-google-authenticator-{{ google_auth_version }} creates=/usr/local/bin/google-authenticator
+  command: make install
+           chdir=/root/libpam-google-authenticator-{{ google_auth_version }}
+           creates=/usr/local/bin/google-authenticator
 
 - name: Update sshd config to enable challenge responses
-  lineinfile: dest=/etc/ssh/sshd_config regexp=^ChallengeResponseAuthentication line="ChallengeResponseAuthentication yes" state=present
+  lineinfile: dest=/etc/ssh/sshd_config
+              regexp=^ChallengeResponseAuthentication
+              line="ChallengeResponseAuthentication yes"
+              state=present
   notify: restart ssh
 
 - name: Add Google authenticator to PAM
-  lineinfile: dest=/etc/pam.d/sshd line="auth required pam_google_authenticator.so" insertbefore=BOF state=present
+  lineinfile: dest=/etc/pam.d/sshd
+              line="auth required pam_google_authenticator.so"
+              insertbefore=BOF
+              state=present
+
+- name: Generate QNR code for default user
+  command: /usr/local/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -W --secret=/home/{{ main_user_name }}/.google_authenticator
+           creates=/home/{{ main_user_name }}/.google_authenticator
+
+- name: Fix permissions on generated file
+  file: state=file path=/home/{{ main_user_name }}/.google_authenticator owner={{ main_user_name }} group={{ main_user_name }}
+
+- name: Retrieve generated keys from server
+  fetch: src=/home/{{ main_user_name }}/.google_authenticator
+         dest=/tmp/sovereign-google-auth-files
+
+- pause: seconds=5
+         prompt="Your Google Authentication keys are in /tmp/sovereign-google-auth-files. Press any key to continue..."

roles/common/tasks/main.yml

@@ -48,9 +48,9 @@
   notify: restart apache
 
 - include: encfs.yml tags=encfs
-- include: google_auth.yml tags=google_auth
 - include: users.yml tags=users
 - include: ssl.yml tags=ssl
 - include: ufw.yml tags=ufw
 - include: security.yml tags=security
 - include: ntp.yml tags=ntp
+- include: google_auth.yml tags=google_auth