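---
# tasks file for auth_duo
#
# Installs the duo_unix package, writes the Duo settings into
# /etc/duo/pam_duo.conf, replaces the sshd PAM stack with the copy shipped
# in this role and turns on PAM / challenge-response authentication in
# sshd_config. sshd is restarted through the "restart sshd" handler, which
# is defined outside this file.

- name: Include repository install
  include_tasks: duo-repo.yml
  when: auth_duo_install_repo

- name: Ensure duo is installed
  yum:
    name: duo_unix
    enablerepo: "{{ auth_duo_reponame }}"
    # "present" is the canonical spelling of the "installed" alias.
    state: present

# - name: Ensure ikey is populated
#   fail:
#     msg: "ikey should not be 'someikey' see defaults/main.yml"
#   when:

# NOTE(review): auth_duo_settings presumably carries the Duo integration
# credentials (the disabled check above refers to ikey); confirm against
# defaults/main.yml. Two hardening measures follow from that:
#   * no_log keeps the looped item values out of task output and logs.
#   * owner/group/mode keep the file root-only even when ini_file has to
#     create it; without an explicit mode a new file gets the umask default.
- name: Ensure Duo configuration in place
  ini_file:
    path: /etc/duo/pam_duo.conf
    section: duo
    option: "{{ item.key }}"
    value: "{{ item.value }}"
    owner: root
    group: root
    mode: '0600'
  with_items: "{{ auth_duo_settings }}"
  no_log: true

# This overwrites the whole sshd PAM stack with the role's file, so any
# local customisation of /etc/pam.d/sshd is lost. A broken stack can lock
# out SSH logins; keep an existing session or console access open when
# rolling this out.
- name: Ensure PAM for SSH is configured with duo MFA
  copy:
    src: etc.pam.d.sshd
    dest: /etc/pam.d/sshd
    owner: root
    group: root
    mode: '0644'
  notify: restart sshd

# validate makes lineinfile run "sshd -t" against the candidate file and
# refuse to install it when sshd would reject it (for example when a line
# appended at the end lands inside a Match block).
# The regexes only match an uncommented keyword followed by a space; a
# line using a tab or a different case is not replaced and the new line is
# appended instead.
# NOTE(review): newer OpenSSH releases treat ChallengeResponseAuthentication
# as a deprecated alias of KbdInteractiveAuthentication; confirm which name
# the target hosts expect.
- name: Ensure PAM is enabled for SSH
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regex }}"
    line: "{{ item.line }}"
    validate: '/usr/sbin/sshd -t -f %s'
  with_items:
    - regex: '^UsePAM '
      line: 'UsePAM yes'
    - regex: '^ChallengeResponseAuthentication '
      line: 'ChallengeResponseAuthentication yes'
  notify: restart sshd

# Run the notified handlers here rather than at the end of the play, so
# the sshd restart happens as part of this role.
- name: Flush Handlers
  meta: flush_handlers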