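---
# Adds three marker-delimited blocks (auth, password, session) to
# /etc/pam.d/system-auth so that pam_ecryptfs.so runs as part of that stack.
# Task names spell the module "pam_encryptfs"; the module actually configured
# is pam_ecryptfs.so.
#
# Operational notes:
# - Every task edits the PAM auth configuration in place. Keep a root session
#   open while applying and confirm a fresh login works before closing it.
# - Placement depends on the insertafter / insertbefore pattern. When a
#   pattern matches no line, blockinfile appends the block at the end of the
#   file instead of failing, so a system-auth layout that differs from the
#   one these patterns expect is silently accepted. Check where the block
#   landed after the first run on a new distribution release.
# - The marker strings are how blockinfile finds its own block on later runs.
#   Changing one leaves the old block in the file and inserts a second copy.
# - Dots in the patterns are escaped so that "pam_unix.so" is matched
#   literally, and the patterns are single-quoted so YAML passes the
#   backslashes through untouched.

- name: Setup pam_encryptfs auth
  ansible.builtin.blockinfile:
    path: /etc/pam.d/system-auth
    # Line 1: [success=1 default=ignore] skips the following line when the PAM
    # service is systemd-user, so pam_ecryptfs.so is not run for that service.
    # Line 2: control "required" means a failure of pam_ecryptfs.so fails the
    # auth stack.
    # NOTE(review): confirm the package that ships pam_ecryptfs.so is installed
    # before this task runs; a required module that cannot be loaded would
    # presumably fail authentication for services using this stack.
    block: |
      auth [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
      auth required pam_ecryptfs.so unwrap
    # Anchor: after "auth required pam_unix.so", or after the
    # "pam_faillock.so authfail" line when that layout is present.
    insertafter: '^(auth\s+required\s+pam_unix\.so|auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail)$'
    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT AUTH"
  become: true
  notify:
    - etc changed

- name: Setup pam_encryptfs password
  ansible.builtin.blockinfile:
    path: /etc/pam.d/system-auth
    # Control "optional": the result of pam_ecryptfs.so does not by itself
    # decide the outcome of the password stack.
    block: |
      password optional pam_ecryptfs.so unwrap
    # Anchor: before "password required pam_unix.so", or before the
    # "-password ... pam_systemd_home.so" line when that layout is present.
    insertbefore: '^(password\s+required\s+pam_unix\.so|-password\s+\[success=1\s+default=ignore\]\s+pam_systemd_home\.so)$'
    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT PASSWORD"
  become: true
  notify:
    - etc changed

- name: Setup pam_encryptfs session
  ansible.builtin.blockinfile:
    path: /etc/pam.d/system-auth
    # Same systemd-user skip as in the auth block; the module itself is
    # "optional" here, so its failure does not by itself fail session setup.
    block: |
      session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
      session optional pam_ecryptfs.so unwrap
    # Anchor: after "session required pam_unix.so".
    insertafter: '^session\s+required\s+pam_unix\.so$'
    marker: "# {mark} AUTOMATROP ECRYPTFS_AUTOMOUNT SESSION"
  become: true
  notify:
    - etc changed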