encrypt_home_stacked_fs

config/automatrop/roles/ecryptfs_automount/README.md

@@ -0,0 +1,17 @@
+# ecryptfs_automount
+
+Configure pam to allow auto-mounting of encrypted home directories with eCryptfs.
+
+## Usage
+
+You still need to run the following for an user directory to be encrypted:
+
+```bash
+modprobe ecryptfs
+ecryptfs-migrate-home -u username
+```
+
+## Source
+
+https://wiki.archlinux.org/title/ECryptfs#Auto-mounting
+

config/automatrop/roles/ecryptfs_automount/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: system

config/automatrop/roles/ecryptfs_automount/tasks/main.yml

@@ -0,0 +1,34 @@
+- name: Setup pam_encryptfs auth
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      auth       [success=1 default=ignore]  pam_succeed_if.so    service = systemd-user quiet
+      auth       required                    pam_ecryptfs.so      unwrap
+    insertafter: '^(auth\s+required\s+pam_unix.so|auth\s+\[default=die\]\s+pam_faillock.so\s+authfail)$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT AUTH"
+  become: yes
+  notify:
+    - etc changed
+
+- name: Setup pam_encryptfs password
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      password   optional                    pam_ecryptfs.so      unwrap
+    insertbefore: '^(password\s+required\s+pam_unix.so|-password\s+\[success=1\s+default=ignore\]\s+pam_systemd_home.so)$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT PASSWORD"
+  become: yes
+  notify:
+    - etc changed
+
+- name: Setup pam_encryptfs session
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      session    [success=1 default=ignore]  pam_succeed_if.so    service = systemd-user quiet
+      session    optional                    pam_ecryptfs.so      unwrap
+    insertafter: '^session\s+required\s+pam_unix.so$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT SESSION"
+  become: yes
+  notify:
+    - etc changed