diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a8b42eb
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.retry
diff --git a/dot_scripts/ansible/mac_playbook.yaml b/dot_scripts/ansible/mac_playbook.yaml
new file mode 100644
index 0000000..62f6e92
--- /dev/null
+++ b/dot_scripts/ansible/mac_playbook.yaml
@@ -0,0 +1,12 @@
+---
+- hosts: localhost
+  connection: local
+  become_method: sudo
+  become: yes
+  tasks:
+   - name: Ensure yubikey is needed for authentication
+     lineinfile:
+       path: /etc/pam.d/authorization
+       regexp: '^auth.*pam_yubico.so.*'
+       line: "auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response"
+       insertbefore: "^account    required       pam_opendirectory.so"