[Unit]
Description=Enable pam_mkhomedir so any user gets a home seeded from /etc/skel
ConditionFirstBoot=yes
After=network.target

[Service]
Type=oneshot
# Prefer authselect (Fedora default). Fallback if it's missing.
ExecStart=/usr/bin/bash -ceu '
  if command -v authselect >/dev/null 2>&1; then
    authselect current >/dev/null 2>&1 || authselect select sssd --force
    authselect enable-feature with-mkhomedir
    authselect apply-changes -b
  else
    # Fallback: ensure mkhomedir in postlogin stack
    mkdir -p /etc/pam.d
    if ! grep -q "pam_mkhomedir.so" /etc/pam.d/postlogin 2>/dev/null; then
      printf "session required pam_mkhomedir.so skel=/etc/skel umask=0077\n" >> /etc/pam.d/postlogin
    fi
  fi
'

[Install]
WantedBy=multi-user.target