infra/ansible/roles/profile_desktop_gnome/tasks/main.yml

---
- name: Ensure GNOME desktop session is enabled for this profile
  tags: [gnome]
  ansible.builtin.assert:
    that:
      - "'gnome' in (desktop_sessions_enabled | default([]))"
    fail_msg: >-
      profile_desktop_gnome requires desktop_sessions_enabled to include gnome.

- name: Ensure systemd boots to the graphical target
  tags: [services, gnome]
  ansible.builtin.file:
    src: /usr/lib/systemd/system/graphical.target
    dest: /etc/systemd/system/default.target
    state: link
    force: true
    owner: root
    group: root

- name: Deploy gpg-agent.conf for GNOME (pinentry-gnome3, no ssh-support)
  tags: [dotfiles, dotfiles:desktop, gnome]
  ansible.builtin.copy:
    src: "{{ playbook_dir }}/../dotfiles/desktop/.gnupg/gpg-agent.arch.conf"
    dest: "{{ user_home }}/.gnupg/gpg-agent.conf"
    owner: "{{ username }}"
    group: "{{ user_group }}"
    mode: "0600"

- name: Enable gnome-keyring PAM auth hook for GDM
  tags: [gnome]
  ansible.builtin.lineinfile:
    path: /etc/pam.d/gdm-password
    insertafter: '^auth\s+include\s+system-local-login$'
    line: "auth       optional  pam_gnome_keyring.so"
    state: present

- name: Enable gnome-keyring PAM session hook for GDM
  tags: [gnome]
  ansible.builtin.lineinfile:
    path: /etc/pam.d/gdm-password
    insertafter: '^session\s+include\s+system-local-login$'
    line: "session    optional  pam_gnome_keyring.so auto_start"
    state: present

- name: Enable gnome-keyring PAM password hook for GDM
  tags: [gnome]
  ansible.builtin.lineinfile:
    path: /etc/pam.d/gdm-password
    insertafter: '^password\s+include\s+system-local-login$'
    line: "password   optional  pam_gnome_keyring.so use_authtok"
    state: present