authorLars Wirzenius <liw@liw.fi>2022-08-06 13:07:05 +0300
committerLars Wirzenius <liw@liw.fi>2022-08-06 13:07:05 +0300
commit662d078fba48c8c0723875f69d90339e4dc568e1 (patch)
treedd7dd96937a9f7089292c2062315f84613e2a297
parent68ad28b3d90399bbb1c63db9f09783b9b2519602 (diff)
downloadansibleness-662d078fba48c8c0723875f69d90339e4dc568e1.tar.gz
exolobe1: play with libpam-yubico
Sponsored-by: author
-rw-r--r--ansible/exolobe1.yml26
1 files changed, 17 insertions, 9 deletions
diff --git a/ansible/exolobe1.yml b/ansible/exolobe1.yml
index 2447a67..b5425d4 100644
--- a/ansible/exolobe1.yml
+++ b/ansible/exolobe1.yml
@@ -1,17 +1,26 @@
- hosts: exolobe1
remote_user: root
become: no
+ roles:
+ - sane_debian_system
+ - unix_users
tasks:
- apt:
name:
- - yubikey-luks
- - usbutils
- - crypttab:
- name: pv0
- opts: keyscript=/usr/share/yubikey-luks/ykluks-keyscript
- state: opts_present
- - shell: |
- update-initramfs -u
+ - libpam-yubico
+ - lineinfile:
+ path: /etc/pam.d/common-auth
+ regex: pam_yubico.so
+ line: "auth required pam_yubico.so mode=challenge-response chalresp_path=/etc/yubikey_chalresp"
+ - file:
+ state: directory
+ path: /etc/yubikey_chalresp
+ mode: 0700
+ - copy:
+ content: |
+ {{ lookup('pipe', 'pass libpam-yubico/liw/y5.chalresp') }}
+ dest: "/etc/yubikey_chalresp/liw-{{ lookup('pipe', 'pass libpam-yubico/liw/y5.serial') }}"
+ mode: 0600
vars:
ansible_python_interpreter: /usr/bin/python3
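Review bot: The `copy` task that seeds `/etc/yubikey_chalresp/liw-<serial>` renders a secret from `pass` into its arguments without `no_log: true`, so the challenge-response state can show up in `--diff` or verbose output and in callback logs; add `no_log: true` to that task. The same task rewrites the file on every run, while pam_yubico is expected to update this state file after each successful login, so a re-run would roll it back to the stored initial challenge; `force: no` would seed it only when the file is absent (worth confirming against the pam_yubico version in use). Separately, the `lineinfile` task sets no `insertbefore`/`insertafter`, so the `auth required pam_yubico.so` line lands wherever the end of `common-auth` happens to be, and pinning its position would make the resulting PAM stack predictable. The play's `vars:` block continues past the end of this hunk.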
@@ -33,7 +42,6 @@
unix_users:
- username: liw
comment: Lars Wirzenius
- sudo: yes
authorized_keys: |
{{ liw_personal_ssh_pub }}