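---
# Sets up TOTP for SSH logins on this host: installs the Google Authenticator
# PAM module, enrols three accounts (maverik, charlie, goose), then rewires
# /etc/pam.d/sshd so the OTP module replaces the common-auth stack.
#
# NOTE(review): this file only touches PAM. sshd must also have PAM and
# keyboard-interactive authentication enabled for the prompt to appear;
# that configuration is not visible here - confirm it is managed elsewhere.
# NOTE(review): with common-auth commented out, the sshd auth stack asks for
# the OTP alone. Public-key logins do not run the PAM auth stack unless sshd
# is told to chain methods, so confirm sshd_config requires both factors.

- name: Install gauth OTP
  ansible.builtin.apt:
    name:
      - libpam-google-authenticator
      - libpam0g-dev
    state: present
    update_cache: true
    install_recommends: false

# Enrolment tasks.
# - `creates` makes each task run once. Without it, `-f` overwrote the secret
#   on every play run and invalidated the tokens users had already enrolled.
# - `no_log` keeps the secret, QR code and scratch codes that the tool prints
#   out of Ansible output and callback logs.
# - Errors are no longer ignored. A failure stops the play before PAM is
#   changed, so no account is left facing an OTP prompt without a secret
#   (the PAM line below does not use `nullok`).
- name: Generate a time-based code for maverik
  ansible.builtin.command:
    cmd: '/usr/bin/google-authenticator -t -f -d --label="maverik@INFRA01" --qr-mode=ANSI -r 3 -R 120 -w 1 --secret=/home/maverik/.google_authenticator'
    creates: /home/maverik/.google_authenticator
  no_log: true

- name: Generate a time-based code for charlie
  ansible.builtin.command:
    cmd: '/usr/bin/google-authenticator -t -f -d --label="charlie@INFRA01" --qr-mode=ANSI -r 3 -R 120 -w 1 --secret=/home/charlie/.google_authenticator'
    creates: /home/charlie/.google_authenticator
  no_log: true

- name: Generate a time-based code for goose
  ansible.builtin.command:
    cmd: '/usr/bin/google-authenticator -t -f -d --label="goose@INFRA01" --qr-mode=ANSI -r 3 -R 120 -w 1 --secret=/home/goose/.google_authenticator'
    creates: /home/goose/.google_authenticator
  no_log: true

# The other tasks here need root (apt, /etc/pam.d), so the commands above
# presumably run as root and leave root-owned secret files. By default
# pam_google_authenticator rejects a secret file that is not owned by the
# user logging in, so hand each file to its user and keep it owner-read-only.
# `state: file` fails if a secret is missing instead of creating an empty one.
- name: Restrict OTP secret files to their owners
  ansible.builtin.file:
    path: "/home/{{ item }}/.google_authenticator"
    owner: "{{ item }}"
    mode: '0400'
    state: file
  loop:
    - maverik
    - charlie
    - goose

# The original file carried this task twice ("Add Google auth PAM" and
# "Add Google PAM") with identical arguments; the second was always a no-op.
- name: Add Google auth PAM
  ansible.builtin.lineinfile:
    path: /etc/pam.d/sshd
    line: 'auth required pam_google_authenticator.so'
    insertbefore: BOF
    state: present

# Comments out the distribution's common-auth include for sshd. Once the line
# is already commented, the regexp no longer matches and lineinfile finds the
# replacement line present, so reruns report no change.
- name: Delete Old authentication
  ansible.builtin.lineinfile:
    path: /etc/pam.d/sshd
    regexp: '^@include common-auth'
    line: '#@include common-auth'
    owner: root
    group: root
    mode: '0644'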