- hosts: exolobe1
  remote_user: root
  become: no
  roles:
    - sane_debian_system
    - unix_users
  tasks:
    - apt:
        name:
          - libpam-yubico
    - lineinfile:
        path: /etc/pam.d/common-auth
        regex: pam_yubico.so
        line: "auth required pam_yubico.so mode=challenge-response chalresp_path=/etc/yubikey_chalresp"
    - file:
        state: directory
        path: /etc/yubikey_chalresp
        mode: 0700
    - copy:
        content: |
          {{ lookup('pipe', 'pass libpam-yubico/liw/y5.chalresp') }}
        dest: "/etc/yubikey_chalresp/liw-{{ lookup('pipe', 'pass libpam-yubico/liw/y5.serial') }}"
        mode: 0600
  vars:
    ansible_python_interpreter: /usr/bin/python3

    sane_debian_system_version: 2
    sane_debian_system_hostname: "{{ inventory_hostname }}"
    sane_debian_system_codename: bullseye
    sane_debian_system_timezone: Europe/Helsinki
    sane_debian_system_sources_lists:
      - repo: |
          deb http://deb.debian.org/debian bullseye contrib non-free

      - repo: |
          deb http://security.debian.org/debian-security bullseye-security main contrib non-free

      - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
        signing_key: "{{ ci_prod_signing_key }}"

    unix_users_version: 2
    unix_users:
      - username: liw
        comment: Lars Wirzenius
        authorized_keys: |
          {{ liw_personal_ssh_pub }}

    rustup_cargo_install: |
      starship