From 63d6f82c5b3436a62b3bd035b70139cfcff683e0 Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Tue, 18 Apr 2023 23:49:21 -0400
Subject: local_homedirs: fixes for kwallet

---
 .../files/usr/local/sbin/sync-kwallet-salt.sh | 13 +++++++++++++
 roles/local_homedirs/tasks/main.yml | 22 ++++++++++++++++++++++
 roles/local_homedirs/vars/main.yml | 1 +
 3 files changed, 36 insertions(+)
 create mode 100644 roles/local_homedirs/files/usr/local/sbin/sync-kwallet-salt.sh
(limited to 'roles/local_homedirs')

diff --git a/roles/local_homedirs/files/usr/local/sbin/sync-kwallet-salt.sh b/roles/local_homedirs/files/usr/local/sbin/sync-kwallet-salt.sh
new file mode 100644
index 0000000..591e697
--- /dev/null
+++ b/roles/local_homedirs/files/usr/local/sbin/sync-kwallet-salt.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+PAM_UID=$(id -u "$PAM_USER")
+
+LOCAL_SALT="/usr/local/home/${PAM_USER}/.local/share/kwalletd/kdewallet.salt"
+NFS_SALT="/home/${PAM_USER}/.local/share/kwalletd/kdewallet.salt"
+
+if (( PAM_UID >= 1000 )) && [ -f "$NFS_SALT" ]; then
+    install -o "$PAM_USER" -g "$PAM_USER" -m 0755 -d "/usr/local/home/${PAM_USER}/.local"
+    install -o "$PAM_USER" -g "$PAM_USER" -m 0755 -d "/usr/local/home/${PAM_USER}/.local/share"
+    install -o "$PAM_USER" -g "$PAM_USER" -m 0755 -d "/usr/local/home/${PAM_USER}/.local/share/kwalletd"
+    install -o "$PAM_USER" -g "$PAM_USER" -m 0600 "$NFS_SALT" "$LOCAL_SALT"
+fi
diff --git a/roles/local_homedirs/tasks/main.yml b/roles/local_homedirs/tasks/main.yml
index 7e90959..2a5859f 100644
--- a/roles/local_homedirs/tasks/main.yml
+++ b/roles/local_homedirs/tasks/main.yml
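Review bot: The four `install` calls in the `if` body run as root (pam_exec) against a directory tree the user owns from `.local` downward, and `install` resolves symlinks in the destination path, so the salt copy is not confined to `/usr/local/home/${PAM_USER}`; the `-o`/`-g` flags set ownership of what is written but do not constrain where it lands. Both the source salt and the destination belong to the user, so the copy does not need root at all: run each `install` through `runuser -u "$PAM_USER" --` and drop `-o`/`-g`, which also stops root from reading the user's 0600 salt over NFS (that read may fail under root_squash — the export options are not visible here) and makes a missing or foreign-owned `/usr/local/home/${PAM_USER}` a hard failure instead of a root-created chain. The script also lacks `set -u`, so an unset `PAM_USER` silently expands to empty paths; `set -eu` at the top would turn that into a logged pam_exec failure. The unknown-user case is already handled implicitly, since an empty `PAM_UID` makes `(( PAM_UID >= 1000 ))` false.
```shell
# … unchanged: PAM_UID / LOCAL_SALT / NFS_SALT assignments …
if (( PAM_UID >= 1000 )) && [ -f "$NFS_SALT" ]; then
    # Copy as the user: salt and destination tree are theirs, so root is not needed
    # and a redirected destination cannot gain anything the user could not do alone.
    runuser -u "$PAM_USER" -- install -m 0755 -d "/usr/local/home/${PAM_USER}/.local"
    runuser -u "$PAM_USER" -- install -m 0755 -d "/usr/local/home/${PAM_USER}/.local/share"
    runuser -u "$PAM_USER" -- install -m 0755 -d "/usr/local/home/${PAM_USER}/.local/share/kwalletd"
    runuser -u "$PAM_USER" -- install -m 0600 "$NFS_SALT" "$LOCAL_SALT"
fi
```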
@@ -26,6 +26,20 @@
   when: local_homedir_sefcontext.changed
   tags: selinux
 
+- name: copy kwallet script
+  copy:
+    src: '{{ local_homedir_kwallet_script[1:] }}'
+    dest: '{{ local_homedir_kwallet_script }}'
+    mode: 0555
+    setype: xdm_unconfined_exec_t
+
+- name: set xdm_unconfined_exec_t sefcontext on kwallet script
+  sefcontext:
+    target: '{{ local_homedir_kwallet_script }}'
+    state: present
+    setype: xdm_unconfined_exec_t
+  tags: selinux
+
 - name: copy profile script
   copy:
     src: etc/profile.d/local-homedirs.sh
@@ -65,6 +79,14 @@
   - auth optional pam_env.so conffile={{ local_homedir_pam_env_path }}
   when: "'sddm' in ansible_facts.packages"
 
+- name: modify sddm PAM configuration for kwallet
+  lineinfile:
+    path: /etc/pam.d/sddm
+    line: auth optional pam_exec.so {{ local_homedir_kwallet_script }}
+    insertafter: auth\s+optional\s+pam_kwallet\.so$
+    state: present
+  when: "'sddm' in ansible_facts.packages"
+
 - name: modify pam configs for sshd
   lineinfile:
     path: /etc/pam.d/sshd
diff --git a/roles/local_homedirs/vars/main.yml b/roles/local_homedirs/vars/main.yml
index 46ee9b6..820c5b8 100644
--- a/roles/local_homedirs/vars/main.yml
+++ b/roles/local_homedirs/vars/main.yml
@@ -1,3 +1,4 @@
 local_homedir_script_sddm: /usr/local/sbin/create-local-homedir-gdm.sh
 local_homedir_script_ssh: /usr/local/sbin/create-local-homedir-ssh.sh
+local_homedir_kwallet_script: /usr/local/sbin/sync-kwallet-script.sh
 local_homedir_pam_env_path: /etc/security/pam_env_xdg.conf
-- cgit
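Review bot: The `copy kwallet script` task derives `src` from `local_homedir_kwallet_script`, which the vars/main.yml hunk sets to `/usr/local/sbin/sync-kwallet-script.sh`, but the file this commit adds is `files/usr/local/sbin/sync-kwallet-salt.sh`; `src: '{{ local_homedir_kwallet_script[1:] }}'` therefore resolves to a role file that does not exist, the copy task fails on the host, and the sefcontext and PAM tasks that depend on it never run. Either rename the added file or fix the variable, `local_homedir_kwallet_script: /usr/local/sbin/sync-kwallet-salt.sh` (the salt name also matches what the script does). Separately, `mode: 0555` is an unquoted leading-zero literal that YAML 1.1 parsers read as an octal integer; Ansible accepts that form, but `mode: '0555'` is the documented way to keep it a string and avoid the `555`-without-zero mistake later.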
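Review bot: `insertafter: auth\s+optional\s+pam_kwallet\.so$` only matches a line ending in `pam_kwallet.so`; on hosts whose sddm stack uses `pam_kwallet5.so` (the KF5 module name) the pattern does not match, and lineinfile's documented fallback is then to append the line at the end of `/etc/pam.d/sddm`, after the session and password entries, so the pam_exec line is still added but its position relative to pam_kwallet is silently wrong. A pattern that covers both, `insertafter: 'auth\s+optional\s+pam_kwallet5?\.so$'`, or a `regexp` matching the installed line, would make the placement explicit; the `'sddm' in ansible_facts.packages` guard says nothing about which pam_kwallet module is present. Note too that an `auth`-phase `pam_exec.so` runs the script on each authentication attempt that reaches it rather than only on successful login — presumably intended since pam_kwallet is also in `auth` here, but worth a comment on the task so the next maintainer does not move it.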