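---
# Enforce Google Authenticator (TOTP) on the sshd PAM service.
#
# Optional variable:
#   sshd_google_auth_exclude_group - members of this group skip the TOTP
#   prompt. When it is undefined, no exemption is installed and any
#   exemption left by an earlier run is removed.
#
# NOTE(review): sshd_config is not managed in this file. Once the
# password-auth substack is removed (last task), the TOTP module is the only
# authenticating rule this file leaves in place. Confirm that sshd also
# requires a public key (for example through AuthenticationMethods);
# otherwise the code is the only factor, and members of the exempt group
# pass the PAM auth step with no challenge at all.
- block:
    - name: Install google authenticator PAM module
      yum:
        name: google-authenticator
        state: present

    # Inserts "auth required pam_google_authenticator.so" immediately before
    # the "account required pam_nologin.so" rule of the sshd service.
    # No module arguments are passed, so accounts that have not enrolled a
    # secret are expected to fail this rule; enrol users before rollout.
    - name: Add google auth module to PAM
      pamd:
        name: sshd
        type: account
        control: required
        module_path: pam_nologin.so
        new_type: auth
        new_control: required
        new_module_path: pam_google_authenticator.so
        state: before

    # Places a pam_succeed_if rule directly before the TOTP rule so that
    # members of the exempt group finish the auth stack early.
    # Guarded with "when" rather than a templated state: with pamd,
    # state=absent removes the rule matched by type/control/module_path,
    # which here is the pam_google_authenticator.so rule itself, and the
    # undefined variable in module_arguments would fail the task anyway.
    - name: Skip google auth for specific group
      pamd:
        name: sshd
        type: auth
        control: required
        module_path: pam_google_authenticator.so
        new_type: auth
        new_control: "[success=done default=ignore]"
        new_module_path: pam_succeed_if.so
        module_arguments:
          - user
          - ingroup
          - "{{ sshd_google_auth_exclude_group }}"
        state: before
      when: sshd_google_auth_exclude_group is defined

    # Cleans up a stale exemption so that dropping the variable actually
    # re-enables TOTP for the previously exempt group.
    - name: Remove google auth group exemption when no group is set
      pamd:
        name: sshd
        type: auth
        control: "[success=done default=ignore]"
        module_path: pam_succeed_if.so
        state: absent
      when: sshd_google_auth_exclude_group is not defined

    # Drops "auth substack password-auth" so sshd no longer prompts for the
    # account password through PAM.
    - name: Remove password auth from PAM
      pamd:
        name: sshd
        type: auth
        control: substack
        module_path: password-auth
        state: absent
  become: true
  become_user: root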