encrypt_home_stacked_fs

This commit is contained in:
Geoffrey Frogeye 2021-06-21 23:19:46 +02:00
parent 34f8692dc2
commit ff4c77407b
Signed by: geoffrey
GPG key ID: C72403E7F82E6AD8
8 changed files with 69 additions and 0 deletions

View file

@ -23,3 +23,7 @@ auto_numlock: no
# Machine has SSH key to access git.frogeye.fr
has_forge_access: no
# Wether to permit /home/$USER to be encrypted
# with stacked filesystem encryption
encrypt_home_stacked_fs: no

View file

@ -5,3 +5,4 @@ dev_stuffs:
- network
- ansible
has_battery: yes
encrypt_home_stacked_fs: yes

View file

@ -11,6 +11,9 @@
- role: system
tags: system
when: root_access
- role: ecryptfs_automount
tags: ecryptfs_automount
when: encrypt_home_stacked_fs
- role: dotfiles
tags: dotfiles
- role: mnussbaum.base16-builder-ansible # Required for desktop_environment

View file

@ -0,0 +1,17 @@
# ecryptfs_automount
Configure pam to allow auto-mounting of encrypted home directories with eCryptfs.
## Usage
You still need to run the following for an user directory to be encrypted:
```bash
modprobe ecryptfs
ecryptfs-migrate-home -u username
```
## Source
https://wiki.archlinux.org/title/ECryptfs#Auto-mounting

View file

@ -0,0 +1,2 @@
dependencies:
- role: system

View file

@ -0,0 +1,34 @@
- name: Setup pam_encryptfs auth
blockinfile:
path: /etc/pam.d/system-auth
block: |
auth [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
auth required pam_ecryptfs.so unwrap
insertafter: '^(auth\s+required\s+pam_unix.so|auth\s+\[default=die\]\s+pam_faillock.so\s+authfail)$'
marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT AUTH"
become: yes
notify:
- etc changed
- name: Setup pam_encryptfs password
blockinfile:
path: /etc/pam.d/system-auth
block: |
password optional pam_ecryptfs.so unwrap
insertbefore: '^(password\s+required\s+pam_unix.so|-password\s+\[success=1\s+default=ignore\]\s+pam_systemd_home.so)$'
marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT PASSWORD"
become: yes
notify:
- etc changed
- name: Setup pam_encryptfs session
blockinfile:
path: /etc/pam.d/system-auth
block: |
session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
session optional pam_ecryptfs.so unwrap
insertafter: '^session\s+required\s+pam_unix.so$'
marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT SESSION"
become: yes
notify:
- etc changed

View file

@ -18,6 +18,9 @@
{% include 'snippets/pm_multimedia_common.j2' %}
{% include 'snippets/pm_data_management.j2' %}
{# Include rules-determined snippets #}
{% if root_access %}
{% include 'snippets/pm_system.j2' %}
{% endif %}
{% if display_server %}
{% include 'snippets/pm_desktop_environment.j2' %}
{% endif %}

View file

@ -1,5 +1,10 @@
etckeeper
{% if has_batttery %}
tlp
{% endif %}
dhcpcd
wpa_supplicant
chrony
{% if encrypt_home_stacked_fs %}
ecryptfs-utils
{% endif %}