trixie/roles/exam_homes/tasks/main.yml

- name: enable pam_mkhomedir.so and pam_exec.so
  lineinfile:
    dest: /etc/pam.d/common-session
    line: "{{ item }}"
    insertbefore: "# end of pam-auth-update config"
  loop:
    - "session	optional	pam_mkhomedir.so  umask=0022"
    - "session	optional	pam_exec.so /usr/local/sbin/mkDownloads"

- name: deploy mkDownloads script
  copy:
    src: mkDownloads
    dest: /usr/local/sbin/mkDownloads
    mode: 0755

# https://serverfault.com/questions/354615/allow-sftp-but-disallow-ssh
- name: only allow sftp for most users
  blockinfile:
    dest: /etc/ssh/sshd_config.d/local.conf
    create: true
    block: |
      Match User !L_*,!ansible,*
         PermitTTY no
         X11Forwarding no
         AllowTcpForwarding no
         AllowAgentForwarding no
         ForceCommand internal-sftp

- name: deploy archive home script
  copy:
    src: archive-homes
    dest: /usr/local/sbin/archive-homes
    mode: 0750

- name: deploy archive home script service and timer
  copy:
    src: "{{ item }}"
    dest: /etc/systemd/system/{{ item }}
    mode: 0655
  loop:
    - archive-homes.service
    - archive-homes.timer
  notify: enable archive-homes.timer

- name: deploy examode helper
  copy:
    src: examode.py
    dest: /usr/local/bin/examode.py
    mode: 0755
Implement home exam server. 2022-10-22 16:44:05 +02:00			`- name: enable pam_mkhomedir.so and pam_exec.so`
			`lineinfile:`
			`dest: /etc/pam.d/common-session`
			`line: "{{ item }}"`
			`insertbefore: "# end of pam-auth-update config"`
			`loop:`
			`- "session optional pam_mkhomedir.so umask=0022"`
			`- "session optional pam_exec.so /usr/local/sbin/mkDownloads"`

			`- name: deploy mkDownloads script`
			`copy:`
			`src: mkDownloads`
			`dest: /usr/local/sbin/mkDownloads`
			`mode: 0755`

			`# https://serverfault.com/questions/354615/allow-sftp-but-disallow-ssh`
			`- name: only allow sftp for most users`
			`blockinfile:`
			`dest: /etc/ssh/sshd_config.d/local.conf`
			`create: true`
			`block: \|`
			`Match User !L_,!ansible,`
			`PermitTTY no`
			`X11Forwarding no`
			`AllowTcpForwarding no`
			`AllowAgentForwarding no`
			`ForceCommand internal-sftp`

			`- name: deploy archive home script`
			`copy:`
			`src: archive-homes`
			`dest: /usr/local/sbin/archive-homes`
			`mode: 0750`

			`- name: deploy archive home script service and timer`
			`copy:`
			`src: "{{ item }}"`
			`dest: /etc/systemd/system/{{ item }}`
			`mode: 0655`
			`loop:`
			`- archive-homes.service`
			`- archive-homes.timer`
			`notify: enable archive-homes.timer`

			`- name: deploy examode helper`
			`copy:`
			`src: examode.py`
			`dest: /usr/local/bin/examode.py`
			`mode: 0755`