# {{ ansible_managed }}

{% if pve_auth_pam_enabled %}
pam: {{ pve_auth_pam_realm }}
    comment {{ pve_auth_pam_description }}
    default {{ 1 if pve_auth_pam_is_default else 0 }}
    {% if pve_auth_pam_tfa_oath_enabled and not pve_auth_pam_tfa_yubico_enabled -%}
    tfa type=oath,step={{ pve_auth_pam_tfa_oath_timestep }},digits={{ pve_auth_pam_tfa_oath_pwlength }}
    {% elif pve_auth_pam_tfa_yubico_enabled and not pve_auth_pam_tfa_oath_enabled -%}
    tfa type=yubico,id={{ pve_auth_pam_tfa_yubico_api_id }},key={{ pve_auth_pam_tfa_yubico_api_key }},url={{ pve_auth_pam_tfa_yubico_url }}
    {% endif -%}
{% endif %}

{% if pve_auth_pve_enabled %}
pve: {{ pve_auth_pve_realm }}
    comment {{ pve_auth_pve_description }}
    default {{ 1 if pve_auth_pve_is_default else 0 }}
    {% if pve_auth_pve_tfa_oath_enabled and not pve_auth_pve_tfa_yubico_enabled -%}
    tfa type=oath,step={{ pve_auth_pve_tfa_oath_timestep }},digits={{ pve_auth_pve_tfa_oath_pwlength }}
    {% elif pve_auth_pve_tfa_yubico_enabled and not pve_auth_pve_tfa_oath_enabled -%}
    tfa type=yubico,id={{ pve_auth_pve_tfa_yubico_api_id }},key={{ pve_auth_pve_tfa_yubico_api_key }},url={{ pve_auth_pve_tfa_yubico_url }}
    {% endif -%}
{% endif %}

{% if pve_auth_ldap_enabled %}
ldap: {{ pve_auth_ldap_realm }}
    comment {{ pve_auth_ldap_description }}
    base_dn {{ pve_auth_ldap_base_dn }}
    server1 {{ pve_auth_ldap_primary_server }}
    {% if pve_auth_ldap_secondary_server is defined -%}
    server2 {{ pve_auth_ldap_secondary_server }}
    {% endif -%}
    user_attr {{ pve_auth_ldap_user_attr }}
    {% if pve_auth_ldap_bind_dn is defined -%}
    bind_dn {{ pve_auth_ldap_bind_dn }}
    {% endif -%}
    default {{ 1 if pve_auth_ldap_is_default else 0 }}
    port {{ pve_auth_ldap_port }}
    secure {{ 1 if pve_auth_ldap_tls_enabled else 0 }}
    {% if pve_auth_ldap_tfa_oath_enabled and not pve_auth_ldap_tfa_yubico_enabled -%}
    tfa type=oath,step={{ pve_auth_ldap_tfa_oath_timestep }},digits={{ pve_auth_ldap_tfa_oath_pwlength }}
    {% elif pve_auth_ldap_tfa_yubico_enabled and not pve_auth_ldap_tfa_oath_enabled -%}
    tfa type=yubico,id={{ pve_auth_ldap_tfa_yubico_api_id }},key={{ pve_auth_ldap_tfa_yubico_api_key }},url={{ pve_auth_ldap_tfa_yubico_url }}
    {% endif -%}
{% endif %}