ansible-role-auth-duo/tasks/main.yml

---
# tasks file for auth_duo
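# Optionally set up the Duo package repository before the package install.
# The repository tasks live in duo-repo.yml, which is not visible here.
# NOTE(review): confirm that file keeps GPG signature checking enabled for
# the repository, since the package installed from it sits in the SSH login path.
- name: Include repository install
  include_tasks: duo-repo.yml
  # Coerce explicitly: a string such as "false" passed with -e would
  # otherwise be evaluated differently across Ansible versions.
  when: auth_duo_install_repo | bool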
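# Install the duo_unix package, enabling the repository named by
# auth_duo_reponame for this transaction only.
# NOTE(review): package authenticity relies on that repository's gpgcheck
# settings, which are defined outside this file - confirm they are enabled.
- name: Ensure duo is installed
  yum:
    name: duo_unix
    enablerepo: "{{ auth_duo_reponame }}"
    # "present" is the canonical state name; "installed" is an alias of it.
    state: present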
# - name: Ensure ikey is populated
# fail:
# msg: "ikey should not be 'someikey' see defaults/main.yml"
# when:
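# Write every entry of auth_duo_settings as "option = value" into the [duo]
# section of pam_duo.conf. The settings presumably include the Duo
# integration secret (verify against defaults/main.yml), so the per-item
# output is hidden with no_log and the file is restricted to root.
- name: Ensure Duo configuration in place
  ini_file:
    path: /etc/duo/pam_duo.conf
    section: duo
    option: "{{ item.key }}"
    value: "{{ item.value }}"
    # Keep the credentials file unreadable to non-root users even if it was
    # created or left with wider permissions.
    owner: root
    group: root
    mode: "0600"
  # assumes auth_duo_settings is a list of {key, value} mappings - TODO confirm
  with_items: "{{ auth_duo_settings }}"
  no_log: true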
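# Replace the whole PAM stack for sshd with the copy shipped in the role.
# An error in that file affects every SSH login, so roll it out with an
# already-open session (or console access) available for recovery.
- name: Ensure PAM for SSH is configured with duo MFA
  copy:
    src: etc.pam.d.sshd
    dest: /etc/pam.d/sshd
    # Pin ownership and mode so the authentication stack cannot end up
    # writable by anyone but root, whatever the file's previous state.
    owner: root
    group: root
    mode: "0644"
  notify: Restart sshd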
# Turn on PAM and challenge-response authentication in the main sshd
# configuration so the Duo PAM prompt can be presented during SSH login.
# Each item replaces the line matching its regex, or appends the line when
# nothing matches.
# NOTE(review): sshd keeps the first value it reads for a keyword, so an
# appended line does not override an earlier occurrence the regex missed
# (for example one separated by a tab, or one set in an included drop-in).
# NOTE(review): consider validate: '/usr/sbin/sshd -t -f %s' here so a broken
# file is never written; check first that it passes on hosts without
# generated host keys (for example container test targets).
- name: Ensure PAM is enabled for SSH
  notify: Restart sshd
  with_items:
    - line: 'UsePAM yes'
      regex: '^UsePAM '
    - line: 'ChallengeResponseAuthentication yes'
      regex: '^ChallengeResponseAuthentication '
  lineinfile:
    path: /etc/ssh/sshd_config
    line: "{{ item.line }}"
    regexp: "{{ item.regex }}"
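# On RedHat-family hosts with major version 9 or later, also set the option
# in the vendor drop-in 50-redhat.conf.
# NOTE(review): presumably the drop-in is read before the main file's own
# settings and would otherwise win with its shipped value - confirm on a
# target host. The task fails if the drop-in file does not exist.
- name: RHEL9 - Ensure ChallengeResponseAuthentication is enabled
  lineinfile:
    path: /etc/ssh/sshd_config.d/50-redhat.conf
    # "regexp" is the module's primary parameter name ("regex" is an alias);
    # use it for consistency with the sshd_config task in this file.
    regexp: '^ChallengeResponseAuthentication '
    line: 'ChallengeResponseAuthentication yes'
  notify: Restart sshd
  # A list of conditions is ANDed, same as the single "and" expression.
  when:
    - ansible_os_family == 'RedHat'
    - ansible_distribution_major_version | int >= 9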
# Run notified handlers now instead of at the end of the play, so a pending
# "Restart sshd" notification from the tasks above takes effect before the
# SELinux step. The handler itself is defined outside this file.
- name: Flush Handlers
  meta: flush_handlers
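# Load the role's SELinux policy module, skipping hosts whose virtualization
# type is reported as docker or container.
# The module is staged, installed with semodule, then the staged copy is
# removed; because the staged file never persists, the copy and the semodule
# call run (and report "changed") on every play.
# NOTE(review): duo.pp is a compiled module; keeping its .te source in the
# role would let the granted rules be audited.
# NOTE(review): nothing here checks whether SELinux is enabled on the host,
# and the staged file is left behind if semodule fails - consider an
# always: section for the cleanup.
- name: Duo SELinux Enablement
  when: >
    ansible_virtualization_type != 'docker' and
    ansible_virtualization_type != 'container'
  block:
    - name: Copy SELinux Module
      copy:
        src: selinux/duo.pp
        dest: /tmp/duo.pp
        # /tmp is world-writable and the name is fixed; make the staged
        # policy root-owned and unreadable to others before root loads it.
        owner: root
        group: root
        mode: "0600"
    - name: Install Policy (Ensure we can access DUO Api)
      command: /usr/sbin/semodule -i /tmp/duo.pp
    - name: Remove Policy file
      file:
        path: /tmp/duo.pp
        state: absent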