Introduction of a new device class (teacherlaptop).

- Wifi-devices will be managed by NetworkManager
 - (USB-)Dockingstation with same MAC as internal device
   will be assigned to virbr1
 - users with role-teacher have privilege
   - to create new NetworkManager connections
   - install additional software
   - change luks-key
 - package plasma-discover will not be removed (for teacherlaptops)
 - HTTP proxy settings will be configured via auto-detect
 - providing sudo-script to mount default-school from server after
   wireguard-connection is established
This commit is contained in:
Raphael Dannecker 2024-04-28 18:38:11 +02:00
parent d46e1199ad
commit 06d7360677
9 changed files with 112 additions and 2 deletions


@ -87,6 +87,8 @@
- lmn_security - lmn_security
- role: lmn_localhome - role: lmn_localhome
when: when: groups.localhome is defined and inventory_hostname in groups.localhome when: when: groups.localhome is defined and inventory_hostname in groups.localhome
- role: lmn_teacherlaptop
when: groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop
- role: lmn_networkd - role: lmn_networkd
when: ansible_interfaces | select('search', 'enp2s.+') | first is defined when: ansible_interfaces | select('search', 'enp2s.+') | first is defined
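Review bot: The group test `groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop` added for the new role is repeated verbatim, positively and negated, in the apt, proxy, NetworkManager and networkd hunks of this commit, so renaming the group or adding a second laptop class means editing seven conditions in five files. Define it once, e.g. in group_vars/all as `lmn_teacherlaptop: "{{ groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop }}"`, and write `when: lmn_teacherlaptop | bool` or `when: not lmn_teacherlaptop | bool` at each site. The role list continues outside the hunk.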


@ -1,7 +1,7 @@
{ {
"policies": { "policies": {
"Proxy": { "Proxy": {
"Mode": "system" "Mode": "autoDetect"
}, },
"OverrideFirstRunPage": "https://www.steinbeisschule-reutlingen.de", "OverrideFirstRunPage": "https://www.steinbeisschule-reutlingen.de",
"Homepage": { "Homepage": {
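Review bot: Changing the Firefox proxy `"Mode"` from `"system"` to `"autoDetect"` applies to every host that receives this policies.json, not only to the new teacher laptop class, because a static JSON file carries no group condition; if the change is meant for teacher laptops only, the file needs a per-group variant or a template. `autoDetect` makes Firefox locate a PAC file via WPAD (DHCP option 252 or a `wpad` DNS lookup), which is fine on the school network but on home or public Wi-Fi lets whatever network the laptop joins decide the browser's proxy; `"Mode": "autoConfig"` with an explicit `"AutoConfigURL"` pointing at the school's PAC keeps that decision with the school. JSON cannot carry a comment, so record the rationale in the task that deploys this file.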


@ -90,6 +90,7 @@
- plasma-discover - plasma-discover
autoremove: true autoremove: true
state: absent state: absent
when: not (groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop)
- name: Make sure wireshark works for all users after installation and upgrades - name: Make sure wireshark works for all users after installation and upgrades
ansible.builtin.copy: ansible.builtin.copy:


@ -7,6 +7,15 @@
https_proxy="{{ proxy }}" https_proxy="{{ proxy }}"
ftp_proxy="{{ proxy }}" ftp_proxy="{{ proxy }}"
no_proxy="{{ no_proxy }}" no_proxy="{{ no_proxy }}"
when: not (groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop)
- name: Set chromium proxy-policy to auto_detect
copy:
dest: /etc/chromium/policies/managed/proxy.json
content: |
{
"ProxyMode": "auto_detect"
}
- name: Set aptcache - name: Set aptcache
ansible.builtin.copy: ansible.builtin.copy:
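Review bot: The new `Set chromium proxy-policy to auto_detect` task has no `when`, so unlike the proxy environment task directly above it (skipped only for teacher laptops) it writes `auto_detect` on every host, including those that just received an explicit `https_proxy`; if that is intended, say so in the task name, otherwise add `when: groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop`. The task also uses bare `copy:` and sets no `mode`, while its neighbours use `ansible.builtin.copy`; a managed-policy file should be root-owned and not writable by users, so add `mode: "0644"`. `copy` does not create missing parent directories, so the task fails on a host where `/etc/chromium/policies/managed` does not yet exist unless a directory task precedes it (not visible in this hunk). The enclosing task list continues outside the hunk.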


@ -1,6 +1,20 @@
--- ---
# temporary disable network manager # temporary disable network manager
- name: Use iwd but ignore interfaces managed by systemd-networkd (wlan0,en*) - name: Use iwd but ignore interfaces managed by systemd-networkd (en*)
blockinfile:
dest: /etc/NetworkManager/NetworkManager.conf
block: |
[device]
match-device=interface-name:wl*
wifi.backend=iwd
[connection]
match-device=interface-name:wl*
ipv4.route-metric=2048
[keyfile]
unmanaged-devices=interface-name:en*;interface-name:vm*
when: groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop
- name: Use iwd for USB-Wlan-Sticks but ignore interfaces managed by systemd-networkd (wlan0,en*)
blockinfile: blockinfile:
dest: /etc/NetworkManager/NetworkManager.conf dest: /etc/NetworkManager/NetworkManager.conf
block: | block: |
@ -12,6 +26,7 @@
ipv4.route-metric=2048 ipv4.route-metric=2048
[keyfile] [keyfile]
unmanaged-devices=interface-name:wlan0;interface-name:en*;interface-name:vm* unmanaged-devices=interface-name:wlan0;interface-name:en*;interface-name:vm*
when: not (groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop)
- name: Enable Networkmanager - name: Enable Networkmanager
ansible.builtin.systemd: ansible.builtin.systemd:
@ -36,6 +51,16 @@
line: "MACAddress={{ ansible_facts[ansible_interfaces | select('search', '^en.*') | first].macaddress }}" line: "MACAddress={{ ansible_facts[ansible_interfaces | select('search', '^en.*') | first].macaddress }}"
when: ansible_interfaces | select('search', '^en.*') when: ansible_interfaces | select('search', '^en.*')
- name: Configure systemd-networkd ethernet.network
ansible.builtin.copy:
dest: /etc/systemd/network/35-ethernet.network
content: |
[Match]
Name=enx{{ ansible_facts[ansible_interfaces | select('search', '^enp.*') | first].macaddress | replace(':','') }}
[Network]
Bridge=virbr1
when: groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop
- name: Configure systemd-networkd ethernet.network - name: Configure systemd-networkd ethernet.network
ansible.builtin.copy: ansible.builtin.copy:
dest: /etc/systemd/network/40-ethernet.network dest: /etc/systemd/network/40-ethernet.network
@ -88,3 +113,9 @@
DHCP=yes DHCP=yes
[DHCPv4] [DHCPv4]
UseDomains=true UseDomains=true
when: not (groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop)
- name: Enable systemd-networkd
ansible.builtin.systemd:
name: systemd-networkd.service
enabled: True
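Review bot: The new `35-ethernet.network` task builds the interface name with `ansible_interfaces | select('search', '^enp.*') | first`, which errors on a teacher laptop whose wired NIC is not named `enp*` (e.g. `eno1`), whereas the MACAddress task just above guards on the interface list; extend the condition, e.g. `when: groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop and (ansible_interfaces | select('search', '^enp.*') | list | length > 0)`. The task also reuses the name of the task that follows it, `Configure systemd-networkd ethernet.network`, which makes logs and `--start-at-task` ambiguous; a name such as `Bridge dock interface with internal MAC (enx...) to virbr1` would also document the same-MAC dock case from the commit message. In the new `Enable systemd-networkd` task, `enabled: True` should be lowercase `true` (yamllint truthy). The task list continues outside the hunk.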


@ -0,0 +1,6 @@
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
subject.isInGroup("role-teacher")) {
return polkit.Result.YES;
}
});
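Review bot: The rule file carries no comment saying what it grants and why, and `org.freedesktop.NetworkManager.settings.modify.system` is the action that lets a user create and edit connections visible to every account on the laptop, so the intent should be stated in the file itself; add a header such as `// Teacher laptops: members of role-teacher may create and modify system-wide NetworkManager connections (e.g. home Wi-Fi) without admin authentication.` It may also be worth noting in that comment that the rule deliberately leaves `modify.own` and the other NetworkManager actions at their packaged defaults (confirm against the installed policy).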


@ -0,0 +1,9 @@
polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.packagekit.package-install" ||
action.id == "org.freedesktop.packagekit.package-reinstall" ||
action.id == "org.freedesktop.packagekit.system-update" ||
action.id == "org.freedesktop.packagekit.upgrade-system") &&
subject.isInGroup("role-teacher")) {
return polkit.Result.YES;
}
});
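Review bot: The rule grants four PackageKit actions without a comment explaining the scope, and the selection matters: `package-install` and the two update actions are covered, while `org.freedesktop.packagekit.package-remove` and `org.freedesktop.packagekit.package-install-untrusted` are not, so under PackageKit's defaults teachers can install and update but removal and unsigned installs still require admin authentication. Add a header comment stating that this is deliberate, e.g. `// Teacher laptops: role-teacher may install and update packages from configured repositories via PackageKit (Discover); package removal and untrusted installs keep the default policy.` If removal through Discover is expected for teachers, the list needs `org.freedesktop.packagekit.package-remove` as well.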


@ -0,0 +1,26 @@
#!/usr/bin/bash
set -eu
exit_script() {
echo "unmounting media - terminated by trap!" >> "/tmp/${SUDO_UID}-exit-mount.log"
findmnt "/lmn/media/${SUDO_USER}/share" && umount "/lmn/media/${SUDO_USER}/share"
findmnt "/srv/samba/schools/default-school" && umount "/srv/samba/schools/default-school"
trap - SIGHUP SIGINT SIGTERM # clear the trap
kill -- -$$ # Sends SIGTERM to child/sub processes
}
findmnt /srv/samba/schools/default-school > /dev/null && exit 0
umask 0002
mkdir -p /srv/samba/schools/default-school
chmod 777 /srv/samba/schools/default-school
mkdir -p "/lmn/media/${SUDO_USER}/share"
mount -t cifs //server/default-school/ /srv/samba/schools/default-school \
-o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks,nobrl,actimeo=600,cache=loose,echo_interval=10"
mount --bind /srv/samba/schools/default-school/share "/lmn/media/${SUDO_USER}/share"
echo "Einbindung erfolgreich!"
echo "Dieses Fenster bitte nicht schließen!"
trap exit_script SIGHUP SIGINT SIGTERM
sleep infinity
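Review bot: `chmod 777 /srv/samba/schools/default-school` makes the mount point world-writable on the local disk, and because `set -e` aborts the script when the CIFS mount fails, that directory stays writable by every local user whenever the server is unreachable; the mount options already fix `gid=1010` and `dir_mode=0770`, so match them on the mount point with `chown root:1010 /srv/samba/schools/default-school` and `chmod 0770 /srv/samba/schools/default-school`. If the final `mount --bind` fails, the CIFS mount remains and every later run exits at the `findmnt ... && exit 0` guard without retrying the bind mount; either check the bind target in the guard as well or unmount the CIFS share when the bind fails. The trap log is appended as root to the predictable path `/tmp/${SUDO_UID}-exit-mount.log` in a world-writable directory; prefer `logger -t mountserver` or a file under /var/log. Since the script runs as root via sudo NOPASSWD, failing on an unset `SUDO_USER` (from `set -u`) when invoked directly as root is the desired fail-closed behaviour and deserves a comment at the top.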


@ -0,0 +1,26 @@
---
- name: Copy polkit rule to allow install packages by role-teacher
ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/polkit-1/rules.d/
mode: "0644"
loop:
- lmn-packagekit.rules
- lmn-networkmanager.rules
- name: Copy mountserver script to /usr/local/bin
ansible.builtin.copy:
src: mountserver
dest: /usr/local/bin/
mode: "0755"
- name: Deploy sudo configurations (apt for role-teacher)
copy:
dest: /etc/sudoers.d/90-lmn-teacherlaptop
owner: root
group: root
mode: '0700'
content: |
%role-teacher ALL=(root) NOPASSWD: /usr/bin/apt
%role-teacher ALL=(root) NOPASSWD: /usr/sbin/cryptsetup
%role-teacher ALL=(root) NOPASSWD: /usr/local/bin/mountserver
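Review bot: `mode: '0700'` on `/etc/sudoers.d/90-lmn-teacherlaptop` is likely to make sudo skip the file with a `should be 0440` warning, since sudoers fragments may not carry permission bits beyond 0440; use `mode: "0440"`, add `validate: /usr/sbin/visudo -cf %s` so a syntax error cannot break sudo, and use `ansible.builtin.copy:` to match the other tasks. The grants are broader than the commit message states: NOPASSWD `/usr/bin/apt` is effectively unrestricted root and already overlaps the PackageKit polkit rule deployed above, and unrestricted `/usr/sbin/cryptsetup` permits every luks subcommand on every device, not just changing a key; if the intent is only a key change, a small argument-free wrapper script in the style of `mountserver` would keep the grant narrow, and a comment in the sudoers content should record the accepted trust level. The first task's name says `allow install packages` but its loop also deploys `lmn-networkmanager.rules`; rename it to `Copy polkit rules for role-teacher (packagekit, networkmanager)`.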