---
# Defines tasks applicable for Google Authenticator.

- name: Ensure required packages are installed
  apt: pkg={{ item }} state=present
  with_items:
    - libpam-google-authenticator
    - libpam0g-dev
    - libqrencode3
  tags:
    - dependencies

- name: Update sshd config to enable challenge responses
  lineinfile: dest=/etc/ssh/sshd_config
              regexp=^ChallengeResponseAuthentication
              line="ChallengeResponseAuthentication yes"
              state=present
  notify: restart ssh

- name: Add Google authenticator to PAM
  lineinfile: dest=/etc/pam.d/sshd
              line="auth required pam_google_authenticator.so"
              insertbefore=BOF
              state=present

- name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user
  command: /usr/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
           creates=/home/{{ main_user_name }}/.google_authenticator
  become: yes
  become_user: "{{ main_user_name }}"
  when: ansible_ssh_user != "vagrant"

- name: Retrieve generated keys from server
  fetch: src=/home/{{ main_user_name }}/.google_authenticator
         dest=/tmp/sovereign-google-auth-files
  when: ansible_ssh_user != "vagrant"

- pause: seconds=5
         prompt="Your Google Authentication keys are in /tmp/sovereign-google-auth-files. Press any key to continue..."
  when: ansible_ssh_user != "vagrant"