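---
# PAM multi-factor setup: install the TOTP (google-authenticator) and U2F PAM
# modules, then deploy the PAM stack files and the pam_access-style allowlist
# from this role's files/ and templates/.
#
# Caveat: every task below that writes into /etc/pam.d/ replaces a live
# authentication stack; a malformed file there can lock out all logins. Roll
# out on a host where an out-of-band/root session is already open.

- name: 'Install TOTP authenticator and pam_u2f'
  ansible.builtin.apt:
    name:
      - libpam-google-authenticator
      - libpam-u2f
      - pamu2fcfg  # U2F key enrolment tool; a separate package on Debian-family
    state: present
  when: ansible_pkg_mgr == "apt"

# Same modules for Arch; pamu2fcfg is bundled in pam-u2f there (upstream ships
# both), so no extra package is needed.
- name: 'Install TOTP authenticator and pam_u2f'
  community.general.pacman:
    name:
      - libpam-google-authenticator
      - pam-u2f
    state: present
  when: ansible_pkg_mgr == "pacman"

# Allowlist of remote users; presumably consumed via pam_access (accessfile=)
# from the first-/second-factor stacks deployed below — confirm against those
# files.
- name: 'Deploy PAM remote-user allowlist'
  ansible.builtin.copy:
    src: remote-switch.access.conf
    dest: /etc/security/remote-switch.access.conf
    owner: root
    group: root
    mode: "0644"

# Only deploy when we're not using Kanidm for native or ldap: with a
# non-local user_source the first factor is handled elsewhere.
- name: 'Deploy local-users first auth factor'
  ansible.builtin.copy:
    src: first-factor
    dest: /etc/pam.d/first-factor
    owner: root
    group: root
    mode: "0644"
  when: user_source == "local"

# Rendered from a template, unlike the other files, and deployed without a
# user_source guard.
- name: 'Deploy local-access second auth factor'
  ansible.builtin.template:
    src: second-factor.j2
    dest: /etc/pam.d/second-factor
    owner: root
    group: root
    mode: "0644"

# Directory dest keeps the source basename (-> /etc/pam.d/common-auth).
- name: 'Deploy PAM common-auth file'
  ansible.builtin.copy:
    src: common-auth
    dest: /etc/pam.d/
    owner: root
    group: root
    mode: "0644"

# Arch's PAM layout uses system-auth where Debian-family uses common-*.
- name: 'Deploy PAM system-auth file'
  ansible.builtin.copy:
    src: system-auth
    dest: /etc/pam.d/
    owner: root
    group: root
    mode: "0644"
  when: ansible_os_family == "Archlinux"

# Remaining common-* stacks for locally managed users. `loop` replaces the
# legacy `with_items`; behaviour is identical for a flat list of strings.
- name: 'Deploy local-users common PAM files'
  ansible.builtin.copy:
    src: 'common-{{ item }}'
    dest: '/etc/pam.d/'
    owner: root
    group: root
    mode: "0644"
  when: user_source == "local"
  loop:
    - password
    - session
    - account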