readd 2fa pam enforcement

pillar.example

@@ -58,6 +58,7 @@ users:
         options:
           - "StrictHostKeyChecking yes"
 
+    google_2fa: True
     google_auth:
       ssh: |
         SOMEGAUTHHASHVAL

users/googleauth.sls

@@ -13,3 +13,19 @@ users_{{ users.googleauth_dir }}:
     - user: root
     - group: {{ users.root_group }}
     - mode: 600
+
+{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
+{%- if 'google_auth' in user %}
+{%- for svc in user['google_auth'] %}
+{%- if user.get('google_2fa', True) %}
+users_googleauth-pam-{{ svc }}-{{ name }}:
+  file.replace:
+    - name: /etc/pam.d/{{ svc }}
+    - pattern: "^@include common-auth"
+    - repl: "auth       [success=done new_authtok_reqd=done default=die]   pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
+    - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
+    - backup: .bak
+{%- endif %}
+{%- endfor %}
+{%- endif %}
+{%- endfor %}