From 28531a4f0749c61e5c0af85ef97bd6a9af07a46f Mon Sep 17 00:00:00 2001
From: Matej Focko <me@mfocko.xyz>
Date: Fri, 12 Jul 2024 15:02:18 +0200
Subject: [PATCH] feat(system/yubikey): implement PAM auth for Yubikey OTP

Signed-off-by: Matej Focko <me@mfocko.xyz>
---
 roles/system/yubikey/defaults/main.yml         |  9 +++++++++
 roles/system/yubikey/tasks/install.yml         | 18 ++++++++++++++++++
 roles/system/yubikey/tasks/main.yml            | 12 ++++++++++++
 .../yubikey/templates/yubikey-sufficient       |  2 ++
 4 files changed, 41 insertions(+)
 create mode 100644 roles/system/yubikey/defaults/main.yml
 create mode 100644 roles/system/yubikey/tasks/install.yml
 create mode 100644 roles/system/yubikey/tasks/main.yml
 create mode 100644 roles/system/yubikey/templates/yubikey-sufficient

diff --git a/roles/system/yubikey/defaults/main.yml b/roles/system/yubikey/defaults/main.yml
new file mode 100644
index 0000000..5148817
--- /dev/null
+++ b/roles/system/yubikey/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+# Pair of ID and token that are used for verifying the Yubikey OTP against the
+# Yubico servers
+
+# Yubikey App ID for the PAM module
+system_yubikey_id: None
+
+# Yubikey App Token for the PAM module
+system_yubikey_key: None
diff --git a/roles/system/yubikey/tasks/install.yml b/roles/system/yubikey/tasks/install.yml
new file mode 100644
index 0000000..fc7923b
--- /dev/null
+++ b/roles/system/yubikey/tasks/install.yml
@@ -0,0 +1,18 @@
+---
+- name: Install ‹pam_yubico› on Fedora/EPEL
+  ansible.builtin.package:
+    name: pam_yubico
+    state: present
+  when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ]
+
+- name: Enable PPA on Ubuntu
+  ansible.builtin.apt_repository:
+    repo: ppa:yubico/stable
+    state: present
+  when: ansible_distribution == "Ubuntu"
+
+- name: Install ‹libpam-yubico› on Ubuntu
+  ansible.builtin.package:
+    name: libpam-yubico
+    state: present
+  when: ansible_distribution == "Ubuntu"
diff --git a/roles/system/yubikey/tasks/main.yml b/roles/system/yubikey/tasks/main.yml
new file mode 100644
index 0000000..e5495e1
--- /dev/null
+++ b/roles/system/yubikey/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Install packages
+  ansible.builtin.include_tasks: install.yml
+  tags: install
+
+- name: Set up PAM
+  ansible.builtin.template:
+    src: templates/yubikey-sufficient
+    dest: /etc/pam.d/yubikey-sufficient
+    mode: 0644
+    owner: root
+    group: root
diff --git a/roles/system/yubikey/templates/yubikey-sufficient b/roles/system/yubikey/templates/yubikey-sufficient
new file mode 100644
index 0000000..d04fa9f
--- /dev/null
+++ b/roles/system/yubikey/templates/yubikey-sufficient
@@ -0,0 +1,2 @@
+#%PAM-1.0
+auth    sufficient      pam_yubico.so id={{ system_yubikey_id }} key={{ system_yubikey_key }}