configpolicy/roles/doas/tasks/main.yml
Dustin C. Hatch 7a5f01f8a3 r/doas: Configure sudo alternative
In the spirit of replacing bloated tools with unnecessary functionality
with smaller, more focused alternatives, we can use `doas` instead of
`sudo`.  Originally, it was a BSD tool, but the Linux port supports PAM,
so we can still use `pam_auth_ssh_agent` for passwordless
authentication.
2024-11-24 10:33:21 -06:00

32 lines
598 B
YAML

- name: ensure required packages are installed
  package:
    name:
      - libuser
      - opendoas
      - pam_ssh_agent_auth
    state: present
  tags:
    - install

- name: ensure pam is configured for doas
  copy:
    src: pam.conf
    dest: /etc/pam.d/doas
    owner: root
    group: root
    mode: u=rw,go=r
  tags:
    - pam
    - pam-ssh-agent

- name: ensure doas authorized ssh_keys are configured
  copy:
    dest: /etc/security/doas.authorized_keys
    content: '{{ doas_authorized_ssh_keys }}'
    mode: u=rw,go=r
    owner: root
    group: root
  tags:
    - pam-ssh-agent
    - pam-ssh-agent-keys
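
The two files this role writes decide who can authenticate to `doas`, so their ownership and mode are worth checking on a deployed host. The following is an added example, not part of this repository: a Python audit that checks both paths against the owner and mode the tasks set, and checks that each line of the key file is a well-formed public key. The function names are hypothetical, and it assumes key lines have the form `<type> <base64> [comment]` with no options prefix.

```python
import base64, os, stat, struct

# Paths and mode come from the role's tasks; owner/group root means uid/gid 0.
ROLE_FILES = ("/etc/pam.d/doas", "/etc/security/doas.authorized_keys")
EXPECTED_MODE = 0o644  # u=rw,go=r

def audit_file(path, uid=0, gid=0, mode=EXPECTED_MODE):
    """Return a list of findings for one deployed file (empty list means OK)."""
    try:
        st = os.lstat(path)  # lstat: a symlink in place of the file is a finding
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    if (st.st_uid, st.st_gid) != (uid, gid):
        findings.append(f"{path}: owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    actual = stat.S_IMODE(st.st_mode)
    if actual != mode:
        findings.append(f"{path}: mode {actual:04o}, expected {mode:04o}")
    return findings

def audit_keys(text):
    """Check each key line: the blob must decode and embed the declared key type."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            findings.append(f"line {n}: expected '<type> <base64> [comment]'")
            continue
        try:
            blob = base64.b64decode(fields[1], validate=True)
            (length,) = struct.unpack(">I", blob[:4])  # length-prefixed type string
            embedded = blob[4:4 + length].decode("ascii")
        except (ValueError, struct.error):
            findings.append(f"line {n}: key blob is not valid base64 wire format")
            continue
        if embedded != fields[0]:
            findings.append(f"line {n}: type {fields[0]!r} != embedded {embedded!r}")
    return findings

if __name__ == "__main__":
    for path in ROLE_FILES:
        print("\n".join(audit_file(path)) or f"{path}: ok")
```

To check the rendered `doas_authorized_ssh_keys` value before deployment, pass it as a string to `audit_keys`.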