encrypt_home_stacked_fs

config/automatrop/group_vars/all

@@ -23,3 +23,7 @@ auto_numlock: no
 
 # Machine has SSH key to access git.frogeye.fr
 has_forge_access: no
+
+# Wether to permit /home/$USER to be encrypted
+# with stacked filesystem encryption
+encrypt_home_stacked_fs: no

config/automatrop/host_vars/pindakaas.geoffrey.frogeye.fr

@@ -5,3 +5,4 @@ dev_stuffs:
   - network
   - ansible
 has_battery: yes
+encrypt_home_stacked_fs: yes

config/automatrop/playbooks/default.yml

@@ -11,6 +11,9 @@
     - role: system
       tags: system
       when: root_access
+    - role: ecryptfs_automount
+      tags: ecryptfs_automount
+      when: encrypt_home_stacked_fs
     - role: dotfiles
       tags: dotfiles
     - role: mnussbaum.base16-builder-ansible # Required for desktop_environment

config/automatrop/roles/ecryptfs_automount/README.md

@@ -0,0 +1,17 @@
+# ecryptfs_automount
+
+Configure pam to allow auto-mounting of encrypted home directories with eCryptfs.
+
+## Usage
+
+You still need to run the following for an user directory to be encrypted:
+
+```bash
+modprobe ecryptfs
+ecryptfs-migrate-home -u username
+```
+
+## Source
+
+https://wiki.archlinux.org/title/ECryptfs#Auto-mounting
+

config/automatrop/roles/ecryptfs_automount/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: system

config/automatrop/roles/ecryptfs_automount/tasks/main.yml

@@ -0,0 +1,34 @@
+- name: Setup pam_encryptfs auth
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      auth       [success=1 default=ignore]  pam_succeed_if.so    service = systemd-user quiet
+      auth       required                    pam_ecryptfs.so      unwrap
+    insertafter: '^(auth\s+required\s+pam_unix.so|auth\s+\[default=die\]\s+pam_faillock.so\s+authfail)$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT AUTH"
+  become: yes
+  notify:
+    - etc changed
+
+- name: Setup pam_encryptfs password
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      password   optional                    pam_ecryptfs.so      unwrap
+    insertbefore: '^(password\s+required\s+pam_unix.so|-password\s+\[success=1\s+default=ignore\]\s+pam_systemd_home.so)$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT PASSWORD"
+  become: yes
+  notify:
+    - etc changed
+
+- name: Setup pam_encryptfs session
+  blockinfile:
+    path: /etc/pam.d/system-auth
+    block: |
+      session    [success=1 default=ignore]  pam_succeed_if.so    service = systemd-user quiet
+      session    optional                    pam_ecryptfs.so      unwrap
+    insertafter: '^session\s+required\s+pam_unix.so$'
+    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT SESSION"
+  become: yes
+  notify:
+    - etc changed

config/automatrop/roles/software/templates/package_manager.j2

@@ -18,6 +18,9 @@
 {% include 'snippets/pm_multimedia_common.j2' %}
 {% include 'snippets/pm_data_management.j2' %}
 {# Include rules-determined snippets #}
+{% if root_access %}
+{% include 'snippets/pm_system.j2' %}
+{% endif %}
 {% if display_server %}
 {% include 'snippets/pm_desktop_environment.j2' %}
 {% endif %}

config/automatrop/roles/software/templates/snippets/pm_system.j2

@@ -1,5 +1,10 @@
 etckeeper
+{% if has_batttery %}
 tlp
+{% endif %}
 dhcpcd
 wpa_supplicant
 chrony
+{% if encrypt_home_stacked_fs %}
+ecryptfs-utils
+{% endif %}