r/doas: Configure sudo alternative

In the spirit of replacing bloated tools with unnecessary functionality with smaller, more focused alternatives, we can use `doas` instead of `sudo`. Originally, it was a BSD tool, but the Linux port supports PAM, so we can still use `pam_auth_ssh_agent` for ppasswordless authentication.
2024-11-23 20:01:37 -06:00
parent c95a96a33c
commit 7a5f01f8a3
4 changed files with 47 additions and 0 deletions
--- a/roles/doas/files/pam.conf
+++ b/roles/doas/files/pam.conf
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth       required     pam_ssh_agent_auth.so file=/etc/security/doas.authorized_keys
+account    include      system-auth
+password   include      system-auth
+session    optional     pam_keyinit.so revoke
+session    required     pam_limits.so
+session    include      system-auth
--- a/roles/doas/tasks/main.yml
+++ b/roles/doas/tasks/main.yml
@@ -0,0 +1,31 @@
+- name: ensure required packages are installed
+  package:
+    name:
+    - libuser
+    - opendoas
+    - pam_ssh_agent_auth
+    state: present
+  tags:
+  - install
+
+- name: ensure pam is configured for doas
+  copy:
+    src: pam.conf
+    dest: /etc/pam.d/doas
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - pam
+  - pam-ssh-agent
+
+- name: ensure doas authorized ssh_keys are configured
+  copy:
+    dest: /etc/security/doas.authorized_keys
+    content: '{{ doas_authorized_ssh_keys }}'
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  tags:
+  - pam-ssh-agent
+  - pam-ssh-agent-keys