---

- name: 'Install 2FA plugins for Arch'
  ansible.builtin.include_tasks:
    file: arch.yaml
  when: ansible_os_family | lower == "archlinux"

- name: 'Install 2FA plugins for Debian'
  ansible.builtin.include_tasks:
    file: debian.yml
  when: ansible_os_family | lower == "debian"

- name: 'Configure Kanidm Native'
  ansible.builtin.import_role:
    name: kanidm_native
  when: sso_type == "native"

- name: 'Configure Kanidm via SSSD'
  ansible.builtin.import_role:
    name: kanidm_sssd
  when: sso_type == "ldap"

- name: 'Compile passkey switch'
  ansible.builtin.template:
    src: passkey-users.access.conf.j2
    dest: /etc/security/passkey-users.access.conf
    owner: root
    group: root
    mode: "0644"

- name: 'Copy remote session switch'
  ansible.builtin.copy:
    src: remote-switch.access.conf
    dest: /etc/security/remote-sqitch.access.conf
    owner: root
    group: root
    mode: "0644"

- name: 'Compile common-auth'
  ansible.builtin.template:
    src: common-auth.j2
    dest: /etc/pam.d/common-auth
    owner: root
    group: root
    mode: "0644"

- name: 'Copy common PAM configs'
  ansible.builtin.copy:
    src: common-{{ item }}
    dest: /etc/pam.d/
    owner: root
    group: root
    mode: "0644"
  loop:
    - account
    - password
    - session