encrypt_home_stacked_fs

config/automatrop/roles/ecryptfs_automount/tasks/main.yml

@@ -0,0 +1,34 @@
+- name: Setup pam_encryptfs auth
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      auth       [success=1 default=ignore]  pam_succeed_if.so    service = systemd-user quiet
+      auth       required                    pam_ecryptfs.so      unwrap
+    insertafter: '^(auth\s+required\s+pam_unix.so|auth\s+\[default=die\]\s+pam_faillock.so\s+authfail)$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT AUTH"
+  become: yes
+  notify:
+    - etc changed
+
+- name: Setup pam_encryptfs password
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      password   optional                    pam_ecryptfs.so      unwrap
+    insertbefore: '^(password\s+required\s+pam_unix.so|-password\s+\[success=1\s+default=ignore\]\s+pam_systemd_home.so)$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT PASSWORD"
+  become: yes
+  notify:
+    - etc changed
+
+- name: Setup pam_encryptfs session
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      session    [success=1 default=ignore]  pam_succeed_if.so    service = systemd-user quiet
+      session    optional                    pam_ecryptfs.so      unwrap
+    insertafter: '^session\s+required\s+pam_unix.so$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT SESSION"
+  become: yes
+  notify:
+    - etc changed