don't require two-factor for sudo

- remove check for historical duo-unix package
- don't modify /etc/pam.d/sudo
- revert /etc/pam.d/sudo to default state on each supported disro
  - this should be removed after all hosts are reverted

manifests/profile/duo.pp

@@ -26,23 +26,11 @@
     'libpam-duo'
   ])
 
-  package { 'duo-unix':
-    ensure => absent
-  }
-
-  ['sudo'].each |$pamfile| {
-    file_line { "/etc/pam.d/${pamfile}: pam_duo":
-      path    => "/etc/pam.d/${pamfile}",
-      line    => 'auth required pam_duo.so',
-      after   => '^@include common-auth',
-      require => Package['sudo', 'libpam-duo'],
-    }
-
-    file_line { "/etc/pam.d/${pamfile}: remove /lib64/security/pam_duo":
-      ensure => absent,
-      path   => "/etc/pam.d/${pamfile}",
-      line   => 'auth required /lib64/security/pam_duo.so'
-    }
+  # Replace default /etc/pam.d/sudo
+  # This is only here to eliminate previous customizations
+  # Remove after January 2025
+  file { '/etc/pam.d/sudo':
+    source  => "puppet:///modules/nebula/default/${facts['os']['distro']['codename']}/etc/pam.d/sudo",
   }
 
   concat_fragment { '/etc/pam.d/sshd: pam_duo':

spec/classes/profile/duo_spec.rb

@@ -24,11 +24,8 @@ def contain_pam_duo
       end
 
       it do
-        expect(subject).to contain_file_line("/etc/pam.d/sudo: pam_duo")
-          .with_path("/etc/pam.d/sudo")
-          .with_line("auth required pam_duo.so")
-          .with_after("^@include common-auth")
-          .that_requires(["Package[sudo]", "Package[libpam-duo]"])
+        expect(subject).to contain_file("/etc/pam.d/sudo")
+          .with_source("puppet:///modules/nebula/default/#{facts[:os]["distro"]["codename"]}/etc/pam.d/sudo")
       end
 
       it do