keisrk
diff --git a/‎README.rst‎
Lines changed: 10 additions & 3 deletions b/‎README.rst‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎main.yml‎
Lines changed: 2 additions & 0 deletions b/‎main.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎roles/opkssh/tasks/main.yml‎
Lines changed: 15 additions & 0 deletions b/‎roles/opkssh/tasks/main.yml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎roles/opkssh_user/tasks/main.yml‎
Lines changed: 14 additions & 0 deletions b/‎roles/opkssh_user/tasks/main.yml‎
Lines changed: 14 additions & 0 deletions
@@ -9,13 +9,20 @@ Usage
 
 When you create an AWS Lightsail instance, cut & paste following lines to the
 "Launch script" field. It may take a while until Ansible completes its tasks. To
-monitor the progress, ``$ tail -f /var/log/cloud-init-output.log``. Ansible also
-creates a fresh disabled user with no login password. To enable it, ``$ sudo
-passwd <USER_NAME>`` and enter a new password for the user.
+monitor the progress, ``$ tail -f /var/log/cloud-init-output.log``.
+
+As part of the setup, Ansible creates a fresh unprivileged user with no login
+password. It also installs the `OPKSSH`_ extension to enable authentication via
+Google SSO. For detailed usage and configuration, refer to the `OPKSSH`_
+documentation.
+
 
 .. code:: bash
 
    export USER_NAME=guest
    export USER_GECOS="Guest Account"
    export USER_EMAIL=guest@morningrouti.ne
    curl -sL https://raw.githubusercontent.com/keisrk/morning_routine/main/bootstrap.sh | sh
+
+
+.. _OPKSSH: https://github.com/openpubkey/opkssh/
@@ -7,6 +7,7 @@
   roles:
     - utils
     - user
+    - opkssh
     - docker
     - terraform
     - golang
@@ -20,6 +21,7 @@
 
   roles:
     - git
+    - opkssh_user
     - rustup
     - jvm
     - gopath
 
@@ -0,0 +1,15 @@
+---
+
+# Install OPKSSH and configure sshd.
+
+- name: Fetch installer script and store it in this.content
+  uri:
+    url: https://raw.githubusercontent.com/openpubkey/opkssh/main/scripts/install-linux.sh
+    return_content: true
+  register: this
+
+- name: Execute installer script
+  command:
+    cmd: bash
+    stdin: "{{ this.content }}"
+    creates: /usr/local/bin/opkssh
@@ -0,0 +1,14 @@
+---
+
+- name: Create a directory if it does not exist
+  file:
+    path: "{{ ansible_env.HOME }}/.opk"
+    state: directory
+    mode: "0700"
+
+- name: Place a locally scoped auth_id file
+  lineinfile:
+    dest: "{{ ansible_env.HOME }}/.opk/auth_id"
+    line: "{{ user_name }} {{ user_email }} https://accounts.google.com"
+    create: true
+    mode: "0600"