Same Google auth install should work for both Jessie and Trusty.

Move Apache task to their own file.

roles/common/tasks/apache.yml

@@ -0,0 +1,24 @@
+---
+# Configures the Apache HTTP server with sane defaults.
+
+- name: Disable default Apache site
+  command: a2dissite 000-default removes=/etc/apache2/sites-enabled/000-default
+  notify: restart apache
+
+- name: Enable Apache headers module
+  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
+  notify: restart apache
+
+- name: Set ServerName for Apache
+  template: src=fqdn.j2 dest=/etc/apache2/conf.d/fqdn
+  notify: restart apache
+  when: ansible_distribution_release != 'trusty'
+
+- name: Create ServerName configuration file for Apache for Ubuntu Trusty
+  template: src=fqdn.j2 dest=/etc/apache2/conf-available/fqdn.conf
+  when: ansible_distribution_release == 'trusty'
+
+- name: Set ServerName for Apache for Ubuntu Trusty
+  command: a2enconf fqdn creates=/etc/apache2/conf-enabled/fqdn.conf
+  notify: restart apache
+  when: ansible_distribution_release == 'trusty'

roles/common/tasks/google_auth.yml

@@ -1,29 +1,15 @@
 ---
-# Defines tasks applicable for Google Authenticator
+# Defines tasks applicable for Google Authenticator.
 
 - name: Ensure required packages are installed
   apt: pkg={{ item }} state=present
   with_items:
-    #- libpam-google-authenticator    wasn't available in wheezy
+    - libpam-google-authenticator
     - libpam0g-dev
     - libqrencode3
   tags:
     - dependencies
 
-- name: Download Google authenticator pam module
-  get_url: url=https://google-authenticator.googlecode.com/files/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
-           dest=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
-
-- name: Extract Google authenticator
-  unarchive: src=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
-             creates=/root/libpam-google-authenticator-{{ google_auth_version }}
-             dest=/root copy=no
-
-- name: Install Google authenticator
-  command: make install
-           chdir=/root/libpam-google-authenticator-{{ google_auth_version }}
-           creates=/usr/local/bin/google-authenticator
-
 - name: Update sshd config to enable challenge responses
   lineinfile: dest=/etc/ssh/sshd_config
               regexp=^ChallengeResponseAuthentication
@@ -38,7 +24,7 @@
               state=present
 
 - name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user
-  command: /usr/local/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
+  command: /usr/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
            creates=/home/{{ main_user_name }}/.google_authenticator
   sudo: yes
   sudo_user: "{{ main_user_name }}"

roles/common/tasks/google_auth_mod.yml

@@ -1,41 +0,0 @@
----
-# Defines tasks applicable for Google Authenticator
-# Ubuntu trusty version, uses standard libpam-google-authenticator package
-
-- name: Ensure required packages are installed
-  apt: pkg={{ item }} state=present
-  with_items:
-    - libpam-google-authenticator
-    - libpam0g-dev
-    - libqrencode3
-  tags:
-    - dependencies
-
-- name: Update sshd config to enable challenge responses
-  lineinfile: dest=/etc/ssh/sshd_config
-              regexp=^ChallengeResponseAuthentication
-              line="ChallengeResponseAuthentication yes"
-              state=present
-  notify: restart ssh
-
-- name: Add Google authenticator to PAM
-  lineinfile: dest=/etc/pam.d/sshd
-              line="auth required pam_google_authenticator.so"
-              insertbefore=BOF
-              state=present
-
-- name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user
-  command: /usr/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
-           creates=/home/{{ main_user_name }}/.google_authenticator
-  sudo: yes
-  sudo_user: "{{ main_user_name }}"
-  when: ansible_ssh_user != "vagrant"
-
-- name: Retrieve generated keys from server
-  fetch: src=/home/{{ main_user_name }}/.google_authenticator
-         dest=/tmp/sovereign-google-auth-files
-  when: ansible_ssh_user != "vagrant"
-
-- pause: seconds=5
-         prompt="Your Google Authentication keys are in /tmp/sovereign-google-auth-files. Press any key to continue..."
-  when: ansible_ssh_user != "vagrant"

roles/common/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 # Defines tasks applicable across all machines in the infrastructure.
-- name: Set up closest mirror autoselect (ubuntu-only)
+- name: Set up closest mirror autoselect (Ubuntu-only)
   template: src=apt_sources.list.j2 dest=/etc/apt/sources.list
   when: ansible_distribution == 'Ubuntu'
   tags:
@@ -28,14 +28,13 @@
     - htop
     - iftop
     - iotop
+    - molly-guard
     - mosh
     - python-software-properties
     - ruby
     - screen
     - sudo
-    - update-notifier-common
     - unattended-upgrades
-    - molly-guard
     - vim
     - zsh
   tags:
@@ -49,33 +48,10 @@
 
 - name: Reconfigure tzdata
   action: command dpkg-reconfigure -f noninteractive tzdata
-  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
 
 - name: Apticron email configuration
   template: src=apticron.conf.j2 dest=/etc/apticron/apticron.conf
 
-- name: Disable default Apache site
-  command: a2dissite 000-default removes=/etc/apache2/sites-enabled/000-default
-  notify: restart apache
-
-- name: Enable Apache headers module
-  command: a2enmod headers creates=/etc/apache2/mods-enabled/headers.load
-  notify: restart apache
-
-- name: Set ServerName for Apache
-  template: src=fqdn.j2 dest=/etc/apache2/conf.d/fqdn
-  notify: restart apache
-  when: ansible_distribution_release != 'trusty'
-
-- name: Create ServerName configuration file for Apache for Ubuntu Trusty
-  template: src=fqdn.j2 dest=/etc/apache2/conf-available/fqdn.conf
-  when: ansible_distribution_release == 'trusty'
-
-- name: Set ServerName for Apache for Ubuntu Trusty
-  command: a2enconf fqdn creates=/etc/apache2/conf-enabled/fqdn.conf
-  notify: restart apache
-  when: ansible_distribution_release == 'trusty'
-
 - name: Create decrypted directory (even if encfs isn't used)
   file: state=directory path=/decrypted
 
@@ -84,11 +60,9 @@
 
 - include: encfs.yml tags=encfs
 - include: users.yml tags=users
+- include: apache.yml tags=apache
 - include: ssl.yml tags=ssl
 - include: ufw.yml tags=ufw
 - include: security.yml tags=security
 - include: ntp.yml tags=ntp
 - include: google_auth.yml tags=google_auth
-  when: ansible_distribution_release != 'trusty'
-- include: google_auth_mod.yml tags=google_auth
-  when: ansible_distribution_release == 'trusty'