
encrypt_home_stacked_fs

master
Geoffrey Frogeye 1 year ago
parent
commit
ff4c77407b
Signed by: geoffrey GPG Key ID: C72403E7F82E6AD8
  1. 4
      config/automatrop/group_vars/all
  2. 1
      config/automatrop/host_vars/pindakaas.geoffrey.frogeye.fr
  3. 3
      config/automatrop/playbooks/default.yml
  4. 17
      config/automatrop/roles/ecryptfs_automount/README.md
  5. 2
      config/automatrop/roles/ecryptfs_automount/meta/main.yml
  6. 34
      config/automatrop/roles/ecryptfs_automount/tasks/main.yml
  7. 3
      config/automatrop/roles/software/templates/package_manager.j2
  8. 5
      config/automatrop/roles/software/templates/snippets/pm_system.j2

4
config/automatrop/group_vars/all

@ -23,3 +23,7 @@ auto_numlock: no
# Machine has SSH key to access git.frogeye.fr
has_forge_access: no
# Wether to permit /home/$USER to be encrypted
# with stacked filesystem encryption
encrypt_home_stacked_fs: no
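Review bot: `encrypt_home_stacked_fs: no` uses the YAML 1.1 truthy spelling that yamllint flags and that a YAML 1.2 loader reads as the string "no"; Ansible's loader accepts it today, but `false` is the portable form, so `encrypt_home_stacked_fs: false` here, `encrypt_home_stacked_fs: true` in the pindakaas host_vars hunk, and `become: true` in the three ecryptfs_automount tasks. The distinction matters for this key in particular because it gates the role in playbooks/default.yml via `when: encrypt_home_stacked_fs`, and a non-empty string "no" would be truthy there, i.e. the default would enable home encryption instead of disabling it. The comment on the preceding line also misspells "Whether": `# Whether to permit /home/$USER to be encrypted`.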

1
config/automatrop/host_vars/pindakaas.geoffrey.frogeye.fr

@ -5,3 +5,4 @@ dev_stuffs:
- network
- ansible
has_battery: yes
encrypt_home_stacked_fs: yes

3
config/automatrop/playbooks/default.yml

@ -11,6 +11,9 @@
- role: system
tags: system
when: root_access
- role: ecryptfs_automount
tags: ecryptfs_automount
when: encrypt_home_stacked_fs
- role: dotfiles
tags: dotfiles
- role: mnussbaum.base16-builder-ansible # Required for desktop_environment
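Review bot: `when: encrypt_home_stacked_fs` on the new ecryptfs_automount entry does not also require `root_access`, unlike the `system` role two lines above, yet the role's meta/main.yml in this commit declares `system` as a dependency and every task in its tasks/main.yml runs with `become: yes`. On a host that sets `encrypt_home_stacked_fs` without root access the play would therefore attempt privileged edits of /etc/pam.d/system-auth (and pull in `system`) rather than skipping; if that is not intended, gate it the same way: `when: encrypt_home_stacked_fs and root_access`. The enclosing `roles:` list starts before this hunk.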

17
config/automatrop/roles/ecryptfs_automount/README.md

@ -0,0 +1,17 @@
# ecryptfs_automount
Configure pam to allow auto-mounting of encrypted home directories with eCryptfs.
## Usage
You still need to run the following for an user directory to be encrypted:
```bash
modprobe ecryptfs
ecryptfs-migrate-home -u username
```
## Source
https://wiki.archlinux.org/title/ECryptfs#Auto-mounting

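--- a/config/automatrop/roles/ecryptfs_automount/meta/main.yml
+++ b/config/automatrop/roles/ecryptfs_automount/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- role: system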

34
config/automatrop/roles/ecryptfs_automount/tasks/main.yml

@ -0,0 +1,34 @@
- name: Setup pam_encryptfs auth
blockinfile:
path: /etc/pam.d/system-auth
block: |
auth [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
auth required pam_ecryptfs.so unwrap
insertafter: '^(auth\s+required\s+pam_unix.so|auth\s+\[default=die\]\s+pam_faillock.so\s+authfail)$'
marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT AUTH"
become: yes
notify:
- etc changed
- name: Setup pam_encryptfs password
blockinfile:
path: /etc/pam.d/system-auth
block: |
password optional pam_ecryptfs.so unwrap
insertbefore: '^(password\s+required\s+pam_unix.so|-password\s+\[success=1\s+default=ignore\]\s+pam_systemd_home.so)$'
marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT PASSWORD"
become: yes
notify:
- etc changed
- name: Setup pam_encryptfs session
blockinfile:
path: /etc/pam.d/system-auth
block: |
session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
session optional pam_ecryptfs.so unwrap
insertafter: '^session\s+required\s+pam_unix.so$'
marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT SESSION"
become: yes
notify:
- etc changed
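Review bot: None of the three blockinfile tasks guards against its anchor regex not matching: when `insertafter`/`insertbefore` finds no line, blockinfile appends the block at the end of /etc/pam.d/system-auth, so on a PAM stack that differs from the two patterns listed the pam_ecryptfs lines land after the rest of the stack instead of next to pam_unix, and the play still reports success. Since a misplaced or malformed entry in this file can lock every user out, add `backup: true` to each of the three tasks and precede them with an explicit check that the expected anchor line exists (one such check for the auth anchor is sketched below; the password and session anchors need the same). The task names also say `pam_encryptfs` while the module being configured is `pam_ecryptfs.so`; `- name: Setup pam_ecryptfs auth` (and likewise for the password and session tasks) avoids confusion when reading play output.

```yaml
- name: Check that the pam_unix auth anchor exists in system-auth
  command: grep -Eq '^(auth\s+required\s+pam_unix.so|auth\s+\[default=die\]\s+pam_faillock.so\s+authfail)$' /etc/pam.d/system-auth
  changed_when: false
# … unchanged: the three blockinfile tasks, each with `backup: true` added …
```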

3
config/automatrop/roles/software/templates/package_manager.j2

@ -18,6 +18,9 @@
{% include 'snippets/pm_multimedia_common.j2' %}
{% include 'snippets/pm_data_management.j2' %}
{# Include rules-determined snippets #}
{% if root_access %}
{% include 'snippets/pm_system.j2' %}
{% endif %}
{% if display_server %}
{% include 'snippets/pm_desktop_environment.j2' %}
{% endif %}

5
config/automatrop/roles/software/templates/snippets/pm_system.j2

@ -1,5 +1,10 @@
etckeeper
{% if has_batttery %}
tlp
{% endif %}
dhcpcd
wpa_supplicant
chrony
{% if encrypt_home_stacked_fs %}
ecryptfs-utils
{% endif %}
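Review bot: `{% if has_batttery %}` on the second line of this snippet tests a variable spelled with three t's, while the host_vars hunk in this commit sets `has_battery`; unless `has_batttery` is defined somewhere not shown here, this looks like a typo, and with Ansible's default strict handling of undefined variables the template would be expected to fail to render for every host that reaches pm_system.j2 rather than merely skipping tlp. Whether that line is new in this hunk or pre-existing context is not recoverable from the rendered page, but it is on the new side either way. Change it to `{% if has_battery %}`.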