Use variable instead of group membership to install localhome

Use variable localhome to determines whether the localhome module is installed. Default: localhome=false Further changes: - Move pam-exec from common-auth to common-session - Move pam-mkhomedir before pam-mount to avoid double login on first use on localhome devices
2025-03-19 11:08:57 +01:00 · 2025-03-19 11:08:57 +01:00 · 9f1c60eefd
commit 9f1c60eefd
parent 3d01394820
8 changed files with 487 additions and 424 deletions
--- a/lmn-client.yml
+++ b/lmn-client.yml
@ -101,7 +101,7 @@
    - kerberize
    - lmn_security
    - role: lmn_localhome
-      when: "'localhome' in group_names"
+      when: localhome
    - role: lmn_teacherlaptop
      when: "'teacherlaptop' in group_names"
    - role: lmn_exam
@ -307,6 +307,20 @@
        state: absent
      when: "'laptop' not in group_names"

+    - name: Remove pam-exec from common-auth
+      ansible.builtin.lineinfile:
+        dest: /etc/pam.d/common-auth
+        line: "auth    optional        pam_exec.so /usr/local/sbin/pam-exec.sh"
+        state: absent
+      when: exam_mode
+
+    - name: Remove pam-mkhomedir from common-session
+      ansible.builtin.lineinfile:
+        dest: /etc/pam.d/common-session
+        line: "session  optional        pam_mkhomedir.so  umask=0077"
+        state: absent
+      when: localhome
+
 ## bookworm fixes/hacks:
    - name: Work around sddm hang on shutdown
      ansible.builtin.lineinfile: