Separate exam-mode stuff in own role

roles/lmn_exam/files/pam-exec.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/bash
+
+# exit if not running as root. Because other user don't have privileges to start/stop firewalld.
+[[ "${UID}" -eq "0" ]] || exit 0
+
+if [[ "${PAM_USER}" =~ -exam$ ]]; then
+  systemctl start firewalld.service
+  if systemctl is-enabled --quiet libvirtd.service; then
+    systemctl restart libvirtd.service
+  fi
+elif ! (users | grep -q -- "-exam"); then
+  systemctl stop firewalld.service
+  if systemctl is-enabled --quiet libvirtd.service; then
+    systemctl restart libvirtd.service
+  fi
+fi

roles/lmn_exam/files/rmexam

@@ -0,0 +1,16 @@
+#!/usr/bin/bash
+#
+# rename -exam directories in /home and /lmn/media older than 12h
+# remove -exam.* directories in /home and /lmn/media older than 10d
+#
+
+set -eu
+
+for dir in /home/ /lmn/media ; do
+  if [[ -d "${dir}" ]]; then
+    find "${dir}" -maxdepth 1 -mindepth 1 -name '*-exam' -type d -cmin +720 \
+         -exec bash -c 'mv "$0" "$0".$( date +%Y%m%d-%H%M --reference="$0" )' {} \;
+    find "${dir}" -maxdepth 1 -mindepth 1 -name '*-exam.*' -type d -cmin +14400 \
+	 -exec rm -rf {} \;
+  fi
+done

roles/lmn_exam/files/rmexam.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Rename/Remove -exam directories older than 12h/10d
+
+[Service]
+Type=simple
+ExecStart=/usr/local/sbin/rmexam

roles/lmn_exam/files/rmexam.timer

@@ -0,0 +1,8 @@
+[Unit]
+Description=Run rmexam after boot
+
+[Timer]
+OnBootSec=0min
+
+[Install]
+WantedBy=timers.target