From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit
---
.../files/etc/profile.d/local-homedirs.sh | 16 +++++
.../files/etc/security/pam_env_xdg.conf | 4 ++
.../files/usr/local/sbin/create-local-homedir.sh | 13 ++++
roles/local_homedirs/tasks/main.yml | 76 ++++++++++++++++++++++
roles/local_homedirs/vars/main.yml | 3 +
5 files changed, 112 insertions(+)
create mode 100644 roles/local_homedirs/files/etc/profile.d/local-homedirs.sh
create mode 100644 roles/local_homedirs/files/etc/security/pam_env_xdg.conf
create mode 100644 roles/local_homedirs/files/usr/local/sbin/create-local-homedir.sh
create mode 100644 roles/local_homedirs/tasks/main.yml
create mode 100644 roles/local_homedirs/vars/main.yml
(limited to 'roles/local_homedirs')
diff --git a/roles/local_homedirs/files/etc/profile.d/local-homedirs.sh b/roles/local_homedirs/files/etc/profile.d/local-homedirs.sh
new file mode 100644
index 0000000..88d710c
--- /dev/null
+++ b/roles/local_homedirs/files/etc/profile.d/local-homedirs.sh
@@ -0,0 +1,16 @@
+# This file contains various environment variables and hacks to accomodate
+# applications that don't play well with NFS-mounted home directories.
+
+if (( UID >= 1000 )); then
+ export PYTHONUSERBASE="/usr/local/home/${USER}/.local"
+ export npm_config_cache="/usr/local/home/${USER}/.npm"
+ export CARGO_HOME="/usr/local/home/${USER}/.cargo"
+ export GOPATH="/usr/local/home/${USER}/go"
+
+ # firefox
+ mkdir -p "/usr/local/home/${USER}/.mozilla"
+ ln -sfn "/usr/local/home/${USER}/.mozilla" "${HOME}/.mozilla"
+
+ # flatpak
+ ln -sfn "/opt/flatpak/${USER}" "${HOME}/.var"
+fi
diff --git a/roles/local_homedirs/files/etc/security/pam_env_xdg.conf b/roles/local_homedirs/files/etc/security/pam_env_xdg.conf
new file mode 100644
index 0000000..40ee87c
--- /dev/null
+++ b/roles/local_homedirs/files/etc/security/pam_env_xdg.conf
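Review bot: The `mkdir -p "/usr/local/home/${USER}/.mozilla"` line creates the missing parent `/usr/local/home/${USER}` with the user's umask permissions whenever the PAM hook has not already made it (any login through a PAM service this role does not patch, e.g. `su` or a console getty), so the per-user directory can end up group/world-readable instead of the 0700 that create-local-homedir.sh intends. Gate the whole block on the directory the PAM hook is supposed to have created, e.g. `if (( UID >= 1000 )) && [[ -d "/usr/local/home/${USER}" ]]; then`, and let the hook remain the only thing that creates it. Separately, `ln -sfn` only replaces an existing symlink: if `${HOME}/.mozilla` or `${HOME}/.var` already exists as a real directory on the NFS home, the link is created inside it and Firefox/flatpak silently keep using the NFS copy on every login, so skip (and log) when `[[ -e "$dst" && ! -L "$dst" ]]`. Note also that `(( ))` and `UID` are bash-isms; fine where `/bin/sh` is bash, but this file is sourced by whatever shell reads /etc/profile.d, which deserves a comment.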
@@ -0,0 +1,4 @@
+XDG_DATA_HOME DEFAULT=/usr/local/home/@{PAM_USER}/.local/share
+XDG_STATE_HOME DEFAULT=/usr/local/home/@{PAM_USER}/.local/state
+XDG_CACHE_HOME DEFAULT=/usr/local/home/@{PAM_USER}/.cache
+XDG_CONFIG_HOME DEFAULT=/usr/local/home/@{PAM_USER}/.config
diff --git a/roles/local_homedirs/files/usr/local/sbin/create-local-homedir.sh b/roles/local_homedirs/files/usr/local/sbin/create-local-homedir.sh
new file mode 100644
index 0000000..ed42588
--- /dev/null
+++ b/roles/local_homedirs/files/usr/local/sbin/create-local-homedir.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+exec 1> >(logger -s -t $(basename "$0")) 2>&1
+
+PAM_UID=$(id -u "$PAM_USER")
+
+if (( PAM_UID >= 1000 )); then
+ install -o "$PAM_USER" -g "$PAM_USER" -m 0700 -d "/usr/local/home/$PAM_USER"
+
+ # Flatpak shadows /usr with its own runtime, so we need a path that flatpak
+ # doesn't touch. /opt seems appropriate.
+ install -o "$PAM_USER" -g "$PAM_USER" -m 0700 -d "/opt/flatpak/$PAM_USER"
+fi
diff --git a/roles/local_homedirs/tasks/main.yml b/roles/local_homedirs/tasks/main.yml
new file mode 100644
index 0000000..8823672
--- /dev/null
+++ b/roles/local_homedirs/tasks/main.yml
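Review bot: These four `DEFAULT=` entries are applied to every account the PAM service handles, including root and uid<1000 service accounts, while create-local-homedir.sh only creates `/usr/local/home/$PAM_USER` for uid >= 1000; for the other accounts XDG_CONFIG_HOME and friends point at a directory that does not exist, and any tool that `mkdir -p`s its config directory as root will create `/usr/local/home/root` with root's umask rather than 0700. pam_env cannot express a uid condition itself, so either guard the `pam_env.so conffile=` line in the PAM stack with something like `session [success=ignore default=1] pam_succeed_if.so quiet uid >= 1000` placed just before it, or export these variables from the profile.d script that already checks `UID`. A one-line header comment naming the PAM services that load this file would also help, since nothing here says it is wired in from `/etc/pam.d/sshd` and `gdm-password`.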
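Review bot: `install -g "$PAM_USER"` assumes a group named after the user exists; in environments with NFS homes and centralized accounts the primary group is often a shared one such as `users`, in which case both `install` calls fail with an invalid-group error and the user gets no local directory, with only a syslog line to show for it. Use the account's actual primary group instead, `-g "$(id -g "$PAM_USER")"`, on both lines. The `id -u` failure is also unchecked: when `$PAM_USER` is unknown or unset, `PAM_UID` is empty and the arithmetic test treats it as 0, which happens to skip the block, but an explicit `[[ -n "$PAM_UID" ]] || exit 0` after the lookup would make the intent clear rather than relying on that coercion. Quote `"$(basename "$0")"` in the `logger` call for consistency with the rest of the script.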
@@ -0,0 +1,76 @@
+- name: create /usr/local/home
+ file:
+ path: /usr/local/home
+ state: directory
+
+- name: copy homedir creation scripts
+ copy:
+ src: usr/local/sbin/create-local-homedir.sh
+ dest: '{{ item }}'
+ mode: 0555
+ setype: _default
+ loop:
+ - '{{ local_homedir_script_ssh }}'
+ - '{{ local_homedir_script_gdm }}'
+
+- name: set xdm_unconfined_exec_t sefcontext on homedir creation script
+ sefcontext:
+ target: '{{ local_homedir_script_gdm }}'
+ state: present
+ setype: xdm_unconfined_exec_t
+ tags: selinux
+ register: local_homedir_sefcontext
+
+- name: apply selinux context to homedir creation script
+ command: 'restorecon -R {{ local_homedir_script_gdm }}'
+ when: local_homedir_sefcontext.changed
+ tags: selinux
+
+- name: copy profile script
+ copy:
+ src: etc/profile.d/local-homedirs.sh
+ dest: /etc/profile.d/local-homedirs.sh
+
+- name: copy pam_env for XDG variables
+ copy:
+ src: '{{ local_homedir_pam_env_path[1:] }}'
+ dest: '{{ local_homedir_pam_env_path }}'
+
+- name: get fcontext equivalencies
+ command: semanage fcontext -l -C
+ changed_when: no
+ register: selinux_equivalencies
+
+- name: set selinux fcontext for /usr/local/home
+ command: semanage fcontext -a -e /home /usr/local/home
+ register: local_homedirs_fcontext
+ when: "'/usr/local/home = /home' not in selinux_equivalencies.stdout_lines"
+
+- name: apply selinux fcontext to /usr/local/home
+ command: restorecon -R /usr/local/home
+ when: local_homedirs_fcontext.changed
+
+- name: check if gdm is installed
+ package_facts:
+ manager: auto
+
+- name: modify GDM PAM configuration for local homedirs
+ lineinfile:
+ path: /etc/pam.d/gdm-password
+ line: '{{ item }}'
+ insertbefore: ^auth\s+optional\s+pam_gnome_keyring\.so$
+ state: present
+ loop:
+ - auth optional pam_exec.so {{ local_homedir_script_gdm }}
+ - auth optional pam_env.so conffile={{ local_homedir_pam_env_path }}
+ when: "'gdm' in ansible_facts.packages"
+
+- name: modify pam configs for sshd
+ lineinfile:
+ path: 
/etc/pam.d/sshd
+ line: '{{ item }}'
+ insertafter: EOF
+ state: present
+ loop:
+ - session optional pam_exec.so {{ local_homedir_script_ssh }}
+ - session optional pam_env.so conffile={{ local_homedir_pam_env_path }}
diff --git a/roles/local_homedirs/vars/main.yml b/roles/local_homedirs/vars/main.yml
new file mode 100644
index 0000000..a004c12
--- /dev/null
+++ b/roles/local_homedirs/vars/main.yml
@@ -0,0 +1,3 @@
+local_homedir_script_gdm: /usr/local/sbin/create-local-homedir-gdm.sh
+local_homedir_script_ssh: /usr/local/sbin/create-local-homedir-ssh.sh
+local_homedir_pam_env_path: /etc/security/pam_env_xdg.conf
-- cgit
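Review bot: The GDM entries go into the `auth` stack (`auth optional pam_exec.so ...`, anchored before the auth-phase `pam_gnome_keyring.so` line), so by my reading of PAM auth-phase semantics the root-run, `xdm_unconfined_exec_t`-labelled script executes for whatever username is typed at the greeter before the password is verified, with `$PAM_USER` chosen by whoever is at the console; the sshd task uses `session`, which only runs after authentication succeeds. Unless there is a GDM-specific reason for the auth phase that the commit does not state, move both lines to the session phase, `- session optional pam_exec.so {{ local_homedir_script_gdm }}` and `- session optional pam_env.so conffile={{ local_homedir_pam_env_path }}`, with `insertbefore` pointing at a `session` line (or `insertafter: EOF` as the sshd task does), and say in a comment why the script needs an unconfined SELinux type at all. Smaller points in the same hunk: `mode: 0555` is a YAML 1.1 octal literal and `changed_when: no` a 1.1 boolean, so write `mode: '0555'` and `changed_when: false`; and `src: '{{ local_homedir_pam_env_path[1:] }}'` silently depends on the variable being an absolute path, which deserves a one-line comment.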
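Review bot: These three paths live in `vars/main.yml`, which in Ansible has a precedence that inventory and play vars cannot override, so a consumer of the role cannot relocate the scripts or the pam_env file without editing it. If they are meant to be fixed internals that is fine, but say so, e.g. `# internal paths; not intended to be overridden by consumers`; otherwise `defaults/main.yml` is the conventional place. It is also worth noting here that `local_homedir_pam_env_path` must stay absolute because the tasks file derives the copy `src` by stripping its first character.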