From 0532ed1e17078424dcfdb3911dd1d6d16f3f03fe Mon Sep 17 00:00:00 2001 From: "Andreas B. Mundt" Date: Fri, 20 Jan 2023 20:17:46 +0100 Subject: [PATCH] Switch to NFSv4 homes. --- lmn-desktop.yml | 3 +++ roles/lmn-mount/defaults/main.yml | 2 +- roles/lmn-mount/tasks/main.yml | 21 ++++++++++++++++++--- roles/lmn-sssd/templates/sssd.conf.j2 | 2 +- 4 files changed, 23 insertions(+), 5 deletions(-) diff --git a/lmn-desktop.yml b/lmn-desktop.yml index 93dc6a9..b986d06 100644 --- a/lmn-desktop.yml +++ b/lmn-desktop.yml @@ -16,6 +16,7 @@ vars: domain: "pn.steinbeis.schule" extra_pkgs: + - thunderbird-l10n-de - webext-privacy-badger - webext-ublock-origin - vim @@ -25,6 +26,7 @@ - vlc - gimp - inkscape + - flameshot - bluefish - git - gitk @@ -46,6 +48,7 @@ - virt-manager - libreoffice-l10n-de - krb5-user + - unattended-upgrades extra_pkgs_bpo: [ libreoffice ] # [ linux-image-amd64 ] # [ libreoffice ] ansible_python_interpreter: "/usr/bin/python3" diff --git a/roles/lmn-mount/defaults/main.yml b/roles/lmn-mount/defaults/main.yml index 488b052..86e9368 100644 --- a/roles/lmn-mount/defaults/main.yml +++ b/roles/lmn-mount/defaults/main.yml @@ -1,2 +1,2 @@ smb_server: "server" -smb_home: "default-school/teachers/%(DOMAIN_USER)" +smb_share: "default-school/share/" diff --git a/roles/lmn-mount/tasks/main.yml b/roles/lmn-mount/tasks/main.yml index 294e2f3..7f8d8ed 100644 --- a/roles/lmn-mount/tasks/main.yml +++ b/roles/lmn-mount/tasks/main.yml @@ -4,6 +4,7 @@ name: - libpam-mount - cifs-utils + - nfs-common state: latest - name: configure pam_mount 
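Review bot: In the third lmn-desktop.yml hunk, `unattended-upgrades` is only added to `extra_pkgs`; nothing in this patch sets or verifies its configuration, so whether security updates are actually applied depends on the package defaults on the target release. If automatic patching is the intent, a task that asserts `APT::Periodic::Unattended-Upgrade "1";` in `/etc/apt/apt.conf.d/20auto-upgrades` would make that explicit and auditable. The package additions in the three lmn-desktop.yml hunks are also unrelated to the commit subject and would be easier to review as a separate commit.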
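Review bot: `smb_share` is introduced in roles/lmn-mount/defaults/main.yml and `smb_home` is removed, but no added line anywhere in this patch references either name. The pam_mount block in roles/lmn-mount/tasks/main.yml appears only as unchanged context, so if it still uses `{{ smb_home }}` the play would presumably fail on an undefined variable; the consumer should be checked before merging. If the intent is that pam_mount now mounts only the share while homes come over NFS, a comment above the default such as `# CIFS share mounted by pam_mount; home directories are served via NFSv4` would record that.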
@@ -13,8 +14,22 @@ rootansibleDebian-gdmsddmvirti insertafter: "" + +- name: Mount NFSv4 home directory + ansible.posix.mount: + src: server:/default-school + path: /srv/samba/schools/default-school + opts: sec=krb5p,_netdev,x-systemd.automount,x-systemd.idle-timeout=60 + state: present + fstype: nfs4 + +- name: Kill all user processes on logout + ansible.builtin.lineinfile: + path: /etc/systemd/logind.conf + line: KillUserProcesses=yes + insertafter: '#KillUserProcesses=no' diff --git a/roles/lmn-sssd/templates/sssd.conf.j2 b/roles/lmn-sssd/templates/sssd.conf.j2 index dc15730..24ab69a 100644 --- a/roles/lmn-sssd/templates/sssd.conf.j2 +++ b/roles/lmn-sssd/templates/sssd.conf.j2 @@ -9,7 +9,7 @@ krb5_store_password_if_offline = True cache_credentials = True krb5_realm = {{ domain | upper }} id_provider = ad -override_homedir = /home/%u +#override_homedir = /home/%u ad_domain = {{ domain }} use_fully_qualified_names = False ldap_id_mapping = True
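Review bot: The `Kill all user processes on logout` task has no `regexp`, so `lineinfile` only ensures the literal line exists: an already active `KillUserProcesses=no` is left in place next to the new line, and if the `insertafter` pattern does not match, the line is appended at the end of the file. Adding `regexp: '^#?KillUserProcesses='` makes the task replace whatever setting is present. No handler restarts systemd-logind in this hunk, so the setting presumably takes effect only after the next reboot. In the mount task, `src: server:/default-school` hard-codes the host although the role default `smb_server` exists; `src: "{{ smb_server }}:/default-school"` keeps the two in step.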
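Review bot: Commenting out `override_homedir = /home/%u` in sssd.conf.j2 leaves dead configuration and no explanation of where the home path now comes from. With `id_provider = ad` it is presumably taken from the directory attribute or sssd's fallback, and it has to resolve below the NFS mount point `/srv/samba/schools/default-school` set in roles/lmn-mount. I would delete the line and add a comment such as `# home directory comes from AD and lives on the krb5p NFSv4 mount`. The context keeps `cache_credentials = True` and `krb5_store_password_if_offline = True`, so an offline login can still succeed from the cache but would have no Kerberos ticket for the `sec=krb5p` mount; it is worth deciding whether cached logins should stay enabled on these clients.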