From 662d078fba48c8c0723875f69d90339e4dc568e1 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sat, 6 Aug 2022 13:07:05 +0300
Subject: exolobe1: play with libpam-yubico
Sponsored-by: author
---
 ansible/exolobe1.yml | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/ansible/exolobe1.yml b/ansible/exolobe1.yml
index 2447a67..b5425d4 100644
--- a/ansible/exolobe1.yml
+++ b/ansible/exolobe1.yml
@@ -1,17 +1,26 @@
 - hosts: exolobe1
 remote_user: root
 become: no
+ roles:
+ - sane_debian_system
+ - unix_users
 tasks:
 - apt:
 name:
- - yubikey-luks
- - usbutils
- - crypttab:
- name: pv0
- opts: keyscript=/usr/share/yubikey-luks/ykluks-keyscript
- state: opts_present
- - shell: |
- update-initramfs -u
+ - libpam-yubico
+ - lineinfile:
+ path: /etc/pam.d/common-auth
+ regex: pam_yubico.so
+ line: "auth required pam_yubico.so mode=challenge-response chalresp_path=/etc/yubikey_chalresp"
+ - file:
+ state: directory
+ path: /etc/yubikey_chalresp
+ mode: 0700
+ - copy:
+ content: |
+ {{ lookup('pipe', 'pass libpam-yubico/liw/y5.chalresp') }}
+ dest: "/etc/yubikey_chalresp/liw-{{ lookup('pipe', 'pass libpam-yubico/liw/y5.serial') }}"
+ mode: 0600
 vars:
 ansible_python_interpreter: /usr/bin/python3
@@ -33,7 +42,6 @@
 unix_users:
 - username: liw
 comment: Lars Wirzenius
- sudo: yes
 authorized_keys: |
 {{ liw_personal_ssh_pub }}
-- 
cgit v1.2.1
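Review bot: Making pam_yubico `required` in /etc/pam.d/common-auth while the `copy` task enrols only `liw` risks locking out every other account, because without the `nouserok` option pam_yubico appears to fail users who have no file under `chalresp_path`, and common-auth is included by most PAM services on a Debian system. A comment above the `lineinfile` task should say whether that is intended and what the recovery path is; root over SSH keys is probably unaffected, but console login would be. With no `insertafter` or `insertbefore`, a first run appends the line at the end of the file, so its place in the auth stack is not chosen explicitly, and `pam-auth-update` may later decline to manage the hand-edited file. The `copy` task should carry `no_log: true`, since its content comes from `pass` and would otherwise show up in `--diff` or verbose output, and probably `force: no`, because pam_yubico rewrites the challenge file after a successful login and each playbook run would put the old, already-used challenge back. Quoting the modes as `mode: "0700"` and `mode: "0600"` would also avoid relying on YAML 1.1 octal parsing.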