---
# Install the 2FA packages and setup the config in PAM and SSH
- name: Install google authenticator PAM module
  apt:
    name: 'libpam-google-authenticator'
    state: present
  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

- name: Install google authenticator PAM module
  yum:
    name: 'google-authenticator'
    state: present
  when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'

- name: Add google auth module to PAM
  pamd:
    name: 'sshd'
    type: 'auth'
    control: 'required'
    module_path: 'pam_google_authenticator.so'

- name: Remove password auth from PAM
  pamd:
    name: 'sshd'
    type: 'auth'
    control: 'substack'
    module_path: 'password-auth'
    state: absent
  when: ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' or ansible_distribution == 'Amazon'

- name: Remove password auth from PAM
  replace:
    dest: '/etc/pam.d/sshd'
    regexp: '^@include common-auth'
    replace: '#@include common-auth'
  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'