feat(cockpit): allow 2FA auth

Fixes #60

Signed-off-by: Matej Focko <me@mfocko.xyz>

group_vars/servers/vars

@@ -1,5 +1,8 @@
 certbot_email: "{{ vault_certbot_email }}"
 
+cockpit_2fa: true
+cockpit_has_reverse_proxy: true
+
 host_fqdn: "{{ vault_host_fqdn }}"
 
 porkbun_apikey: "{{ vault_porkbun_apikey }}"

roles/cockpit/defaults/main.yml

@@ -3,3 +3,9 @@
 # reverse proxy (adjusts the origin, so that the Cockpit doesn't drop sessions,
 # and checks for SSL/TLS connections)
 cockpit_has_reverse_proxy: false
+
+# Boolean variable that denotes whether to install dependencies for 2FA auth
+# to Cockpit (Google Authenticator and QR encoding utilities for enrolling the
+# OTP), also installs the rule to the ‹pam.d› so that the 2FA is required for
+# logging in to the Cockpit.
+cockpit_2fa: false

roles/cockpit/tasks/install.yml

@@ -3,3 +3,11 @@
   ansible.builtin.package:
     name: cockpit
     state: present
+
+- name: Install deps for 2FA in Cockpit
+  ansible.builtin.package:
+    name:
+      - google-authenticator
+      - qrencode-libs
+    state: present
+  when: cockpit_2fa

roles/cockpit/tasks/main.yml

@@ -12,6 +12,16 @@
     group: root
   when: cockpit_has_reverse_proxy
 
+- name: Require 2FA for logging into the Cockpit
+  ansible.builtin.lineinfile:
+    line: auth required pam_google_authenticator.so nullok
+    path: /etc/pam.d/cockpit
+    create: true
+    mode: 0644
+    owner: root
+    group: root
+  when: cockpit_2fa
+
 - name: Enable cockpit
   ansible.builtin.service:
     name: "cockpit.socket"