Use variable instead of group membership to install localhome

Use variable localhome to determines whether the localhome module is installed. Default: localhome=false Further changes: - Move pam-exec from common-auth to common-session - Move pam-mkhomedir before pam-mount to avoid double login on first use on localhome devices
2025-03-19 11:08:57 +01:00 · 2025-03-19 11:08:57 +01:00 · 9f1c60eefd
commit 9f1c60eefd
parent 3d01394820
8 changed files with 487 additions and 424 deletions
--- a/roles/lmn_exam/tasks/main.yml
+++ b/roles/lmn_exam/tasks/main.yml
@ -45,21 +45,21 @@
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: /usr/local/sbin/
-    mode: 0755
+    mode: '0755'
  loop:
    - pam-exec.sh
    - rmexam

 - name: Enable login script via pam_exec.so
  ansible.builtin.lineinfile:
-    dest: /etc/pam.d/common-auth
-    line: "auth    optional        pam_exec.so /usr/local/sbin/pam-exec.sh"
+    dest: /etc/pam.d/common-session
+    line: 'session optional        pam_exec.so /usr/local/sbin/pam-exec.sh'

 - name: Provide rmexam services and timers for some scripts
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
-    mode: 0644
+    mode: '0644'
  loop:
    - rmexam.service
    - rmexam.timer
--- a/roles/lmn_localhome/defaults/main.yml
+++ b/roles/lmn_localhome/defaults/main.yml
@ -0,0 +1,2 @@
+---
+localhome: false
--- a/roles/lmn_localhome/tasks/main.yml
+++ b/roles/lmn_localhome/tasks/main.yml
@ -2,8 +2,8 @@
 - name: enable pam_mkhomedir.so
  lineinfile:
    dest: /etc/pam.d/common-session
-    line: "session  optional        pam_mkhomedir.so  umask=0077"
-    insertbefore: "session  optional        pam_mount.so"
+    line: "session optional        pam_mkhomedir.so  umask=0077"
+    insertbefore: '^session\s*optional\s*pam_mount.so'

 - name: Patch sddm login screen to inform about localhome
  blockinfile:
--- a/roles/lmn_sssd/templates/sssd.conf.j2
+++ b/roles/lmn_sssd/templates/sssd.conf.j2
@ -17,6 +17,6 @@ ad_gpo_access_control = disabled
 ad_gpo_ignore_unreadable = True
 ad_maximum_machine_account_password_age = 0
 ignore_group_members = True
-{% if 'localhome' in group_names %}
+{% if localhome is defined and localhome %}
 override_homedir = /home/%u
 {% endif %}
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@ -60,7 +60,7 @@
        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>{{ localuser }}</user></or></not>
      </volume>
    insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"
-  when: "'localhome' in group_names"
+  when: localhome is defined and localhome

 - name: Use umount script for proper cleanup
  blockinfile: