From ff4c77407bb7a99173ef548a61e910ccd29ccda9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Geoffrey=20=E2=80=9CFrogeye=E2=80=9D=20Preud=27homme?=
Date: Mon, 21 Jun 2021 23:19:46 +0200
Subject: [PATCH] encrypt_home_stacked_fs
---
 config/automatrop/group_vars/all | 4 +++
 .../host_vars/pindakaas.geoffrey.frogeye.fr | 1 +
 config/automatrop/playbooks/default.yml | 3 ++
 .../roles/ecryptfs_automount/README.md | 17 ++++++++++
 .../roles/ecryptfs_automount/meta/main.yml | 2 ++
 .../roles/ecryptfs_automount/tasks/main.yml | 34 +++++++++++++++++++
 .../software/templates/package_manager.j2 | 3 ++
 .../software/templates/snippets/pm_system.j2 | 5 +++
 8 files changed, 69 insertions(+)
 create mode 100644 config/automatrop/roles/ecryptfs_automount/README.md
 create mode 100644 config/automatrop/roles/ecryptfs_automount/meta/main.yml
 create mode 100644 config/automatrop/roles/ecryptfs_automount/tasks/main.yml
diff --git a/config/automatrop/group_vars/all b/config/automatrop/group_vars/all
index 10aded9..7c00f32 100644
--- a/config/automatrop/group_vars/all
+++ b/config/automatrop/group_vars/all
@@ -23,3 +23,7 @@ auto_numlock: no
 
 # Machine has SSH key to access git.frogeye.fr
 has_forge_access: no
+
+# Wether to permit /home/$USER to be encrypted
+# with stacked filesystem encryption
+encrypt_home_stacked_fs: no
diff --git a/config/automatrop/host_vars/pindakaas.geoffrey.frogeye.fr b/config/automatrop/host_vars/pindakaas.geoffrey.frogeye.fr
index 9e3f6b9..e1e2100 100644
--- a/config/automatrop/host_vars/pindakaas.geoffrey.frogeye.fr
+++ b/config/automatrop/host_vars/pindakaas.geoffrey.frogeye.fr
@@ -5,3 +5,4 @@ dev_stuffs:
   - network
   - ansible
 has_battery: yes
+encrypt_home_stacked_fs: yes
diff --git a/config/automatrop/playbooks/default.yml b/config/automatrop/playbooks/default.yml
index b06dc3e..605ef93 100644
--- a/config/automatrop/playbooks/default.yml
+++ b/config/automatrop/playbooks/default.yml
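Review bot: The comment introduced above `encrypt_home_stacked_fs` in group_vars/all misspells "Whether" as `Wether`, and "permit" undersells what the flag does: in this commit it turns on the ecryptfs_automount role (PAM edits) and the ecryptfs-utils package, while the home directory itself still has to be migrated by hand as the role's README states. A comment such as `# Whether to set up PAM auto-mounting of an eCryptfs (stacked filesystem) encrypted /home/$USER; the home still has to be migrated manually, see roles/ecryptfs_automount/README.md` would tell a reader both what is automated and what is not.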
@@ -11,6 +11,9 @@
     - role: system
       tags: system
       when: root_access
+    - role: ecryptfs_automount
+      tags: ecryptfs_automount
+      when: encrypt_home_stacked_fs
     - role: dotfiles
       tags: dotfiles
     - role: mnussbaum.base16-builder-ansible # Required for desktop_environment
diff --git a/config/automatrop/roles/ecryptfs_automount/README.md b/config/automatrop/roles/ecryptfs_automount/README.md
new file mode 100644
index 0000000..de12a3b
--- /dev/null
+++ b/config/automatrop/roles/ecryptfs_automount/README.md
@@ -0,0 +1,17 @@
+# ecryptfs_automount
+
+Configure pam to allow auto-mounting of encrypted home directories with eCryptfs.
+
+## Usage
+
+You still need to run the following for an user directory to be encrypted:
+
+```bash
+modprobe ecryptfs
+ecryptfs-migrate-home -u username
+```
+
+## Source
+
+https://wiki.archlinux.org/title/ECryptfs#Auto-mounting
+
diff --git a/config/automatrop/roles/ecryptfs_automount/meta/main.yml b/config/automatrop/roles/ecryptfs_automount/meta/main.yml
new file mode 100644
index 0000000..a3df829
--- /dev/null
+++ b/config/automatrop/roles/ecryptfs_automount/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - role: system
diff --git a/config/automatrop/roles/ecryptfs_automount/tasks/main.yml b/config/automatrop/roles/ecryptfs_automount/tasks/main.yml
new file mode 100644
index 0000000..9cc3a2c
--- /dev/null
+++ b/config/automatrop/roles/ecryptfs_automount/tasks/main.yml
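Review bot: `when: encrypt_home_stacked_fs` is the only gate on the new role, yet everything it does needs root: its tasks edit /etc/pam.d/system-auth with `become: yes`, and the ecryptfs-utils package is only listed when `root_access` holds (package_manager.j2 includes pm_system.j2 under `{% if root_access %}` in this same commit). A host with `encrypt_home_stacked_fs: yes` but no root access would attempt the PAM edit and fail partway, so the condition should mirror the `system` role three lines above, `when: encrypt_home_stacked_fs and root_access`. The same gap shows in meta/main.yml of this commit: listing `system` as a dependency runs it under the new role's condition, not under the `root_access` condition the playbook puts on it, and as far as I can tell gating the role on both flags covers the dependency as well.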
@@ -0,0 +1,34 @@
+- name: Setup pam_encryptfs auth
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      auth [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
+      auth required pam_ecryptfs.so unwrap
+    insertafter: '^(auth\s+required\s+pam_unix.so|auth\s+\[default=die\]\s+pam_faillock.so\s+authfail)$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT AUTH"
+  become: yes
+  notify:
+    - etc changed
+
+- name: Setup pam_encryptfs password
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      password optional pam_ecryptfs.so unwrap
+    insertbefore: '^(password\s+required\s+pam_unix.so|-password\s+\[success=1\s+default=ignore\]\s+pam_systemd_home.so)$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT PASSWORD"
+  become: yes
+  notify:
+    - etc changed
+
+- name: Setup pam_encryptfs session
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
+      session optional pam_ecryptfs.so unwrap
+    insertafter: '^session\s+required\s+pam_unix.so$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT SESSION"
+  become: yes
+  notify:
+    - etc changed
diff --git a/config/automatrop/roles/software/templates/package_manager.j2 b/config/automatrop/roles/software/templates/package_manager.j2
index af43bc0..f8305b4 100644
--- a/config/automatrop/roles/software/templates/package_manager.j2
+++ b/config/automatrop/roles/software/templates/package_manager.j2
@@ -18,6 +18,9 @@
 {% include 'snippets/pm_multimedia_common.j2' %}
 {% include 'snippets/pm_data_management.j2' %}
 {# Include rules-determined snippets #}
+{% if root_access %}
+{% include 'snippets/pm_system.j2' %}
+{% endif %}
 {% if display_server %}
 {% include 'snippets/pm_desktop_environment.j2' %}
 {% endif %}
diff --git a/config/automatrop/roles/software/templates/snippets/pm_system.j2 b/config/automatrop/roles/software/templates/snippets/pm_system.j2
index a0e3177..9192a68 100644
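Review bot: Each `blockinfile` in tasks/main.yml falls back to appending at the end of the file when its `insertafter`/`insertbefore` regex matches nothing, so on a system-auth whose layout differs from the one these anchors expect (the pam_faillock and pam_systemd_home alternatives look tied to one distribution's stack) the pam_ecryptfs lines land after every existing entry; for the password stack that is the reverse of the ordering the `insertbefore` asks for, and nothing in the play reports it. A guard task that verifies the pam_unix anchor lines exist before any edit makes that precondition explicit, as sketched below. Because login and the other services that include system-auth depend on this file, `backup: yes` on the three blockinfile tasks would also keep a restorable copy alongside the etckeeper notify. Two smaller points: the `.` in `pam_unix.so` inside the patterns is unescaped, and the task names spell the module `pam_encryptfs` while the block text correctly says `pam_ecryptfs`.
```yaml
- name: Check that system-auth contains the pam_unix lines the blocks anchor on
  command: grep -Eq '^{{ item }}\s+required\s+pam_unix\.so' /etc/pam.d/system-auth
  loop: [auth, password, session]
  changed_when: false
  become: yes

# … unchanged: the three blockinfile tasks …
```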
--- a/config/automatrop/roles/software/templates/snippets/pm_system.j2
+++ b/config/automatrop/roles/software/templates/snippets/pm_system.j2
@@ -1,5 +1,10 @@
 etckeeper
+{% if has_batttery %}
 tlp
+{% endif %}
 dhcpcd
 wpa_supplicant
 chrony
+{% if encrypt_home_stacked_fs %}
+ecryptfs-utils
+{% endif %}
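Review bot: `{% if has_batttery %}` on the second line of the hunk spells the variable with three t's, while the host_vars line added in this same commit is `has_battery: yes`. With Ansible's default of erroring on undefined variables, rendering package_manager.j2 fails for every host that now includes pm_system.j2; if that check is relaxed, the condition is simply false and tlp silently drops out of every install. The line should read `{% if has_battery %}`. The tlp gating is also unrelated to the encrypt_home_stacked_fs subject of the commit and would be easier to bisect as its own change.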