Introduction of a new device class (localhome).

- user-home is on local disk - additional entry in dolphin: home@server - display info about localhome on login-screen - provide unison-config for sync home with home@server - force user to be logged out immediately after first login, because home-dir must exists for bind-mounts on /lmn/media
2024-04-28 17:48:08 +02:00 · 2024-04-28 17:48:08 +02:00 · 08f0f082fd
commit 08f0f082fd
parent 4aeee9442c
6 changed files with 111 additions and 3 deletions
--- a/lmn-client.yml
+++ b/lmn-client.yml
@ -85,6 +85,8 @@
    - lmn_printer
    - kerberize
    - lmn_security
+    - role: lmn_localhome
+      when: when: groups.localhome is defined and inventory_hostname in groups.localhome

  tasks:
    ## Temporary fixes and quirks:
--- a/roles/lmn_fvs/files/lmn-patch-dolphin.sh
+++ b/roles/lmn_fvs/files/lmn-patch-dolphin.sh
@ -16,19 +16,44 @@ fi
 id="$(grep ID "$file" | sed -E "s|^.+ID>([[:digit:]]+)/([[:digit:]]+)</ID.+$|\1:\2|" \
 	    | sort -n -t: -k2 | tail -1 )"

+if id | grep teachers; then
+  NETHOME=/srv/samba/schools/default-school/teachers/$USER
+else
+  NETHOME=/srv/samba/schools/default-school/students/*/$USER
+fi
+
 IDENTITY="${id%%:*}"
 NUM0="${id##*:}"
 NUM1=$(( NUM0 + 1 ))
 NUM2=$(( NUM0 + 2 ))
+NUM3=$(( NUM0 + 3 ))
+
+if [[ $HOME =~ ^/home/ ]]; then
+  HOMEONSERVER="+ <bookmark href=\"file://$NETHOME\">
+  <title>Home@Server</title>
+  <info>
+   <metadata owner=\"http://freedesktop.org\">
+    <bookmark:icon name=\"user-home-symbolic\"/>
+   </metadata>
+   <metadata owner=\"http://www.kde.org\">
+    <ID>$IDENTITY/${NUM1}</ID>
+    <isSystemItem>true</isSystemItem>
+   </metadata>
+  </info>
+ </bookmark>"
+else
+  HOMEONSERVER=$'\n\n\n\n\n\n\n\n\n\n\n\n'
+fi

 patch="
 --- a/$file
 +++ b/$file
-@@ -98,9 +98,33 @@
+@@ -98,9 +98,45 @@
     <isSystemItem>true</isSystemItem>
    </metadata>
   </info>
  </bookmark>
+$HOMEONSERVER
 + <bookmark href=\"file:///srv/samba/schools/default-school/share\">
 +  <title>Tausch</title>
 +  <info>
@ -36,7 +61,7 @@ patch="
 +    <bookmark:icon name=\"folder-publicshare\"/>
 +   </metadata>
 +   <metadata owner=\"http://www.kde.org\">
-+    <ID>$IDENTITY/${NUM1}</ID>
+    <ID>$IDENTITY/${NUM2}</ID>
 +    <isSystemItem>true</isSystemItem>
 +   </metadata>
 +  </info>
@ -48,7 +73,7 @@ patch="
 +    <bookmark:icon name=\"folder-cloud\"/>
 +   </metadata>
 +   <metadata owner=\"http://www.kde.org\">
-+    <ID>$IDENTITY/${NUM2}</ID>
+    <ID>$IDENTITY/${NUM3}</ID>
 +    <isSystemItem>true</isSystemItem>
 +   </metadata>
 +  </info>
--- a/roles/lmn_localhome/files/lmn-create-unisonconfig.sh
+++ b/roles/lmn_localhome/files/lmn-create-unisonconfig.sh
@ -0,0 +1,29 @@
+#!/usr/bin/bash
+#
+# create ~/.unison/SyncHome.prf if not exists
+#
+set -eu
+
+[[ -f ~/.unison/SyncHome.prf ]] && exit 0
+
+mkdir -p ~/.unison
+
+if id | grep teachers; then
+  NETHOME="$(find /srv/samba/schools/default-school/teachers/ -maxdepth 1 -type d -name "${USER}")"
+else
+  NETHOME="$(find /srv/samba/schools/default-school/students/ -maxdepth 2 -type d -name "${USER}")"
+fi
+
+if [[ ! -f ~/.unison/SyncHome.prf ]]; then
+  echo "# Unison preferences
+label = Sync Home on Server
+path = Bilder
+path = Dokumente
+path = Musik
+path = Videos
+root = $HOME
+root = $NETHOME
+dontchmod = true
+perms = 0" > ~/.unison/SyncHome.prf
+fi
+
--- a/roles/lmn_localhome/tasks/main.yml
+++ b/roles/lmn_localhome/tasks/main.yml
@ -0,0 +1,35 @@
+---
+- name: enable pam_mkhomedir.so
+  lineinfile:
+    dest: /etc/pam.d/common-session
+    line: "session  optional        pam_mkhomedir.so  umask=0077"
+    insertbefore: "session  optional        pam_mount.so"
+
+- name: Patch sddm login screen to inform about localhome
+  blockinfile:
+    path: /usr/share/sddm/themes/debian-breeze/Main.qml
+    marker: // {mark} ANSIBLE MANAGED BLOCK localhome
+    insertbefore: '\s+//Footer'
+    block: |
+      Text {
+         id: localhome
+         anchors.top: parent.top
+         anchors.left: parent.left
+         anchors.topMargin: 10
+         anchors.leftMargin: 15
+         color: "#ffffff"
+         text: "Lokale Anmeldung!\nHome-Verzeichnis liegt nicht im Netz!"
+         font.pointSize: config.fontSize
+      }
+
+- name: Copy unison-createconfig scripts
+  ansible.builtin.copy:
+    src: lmn-create-unisonconfig.sh
+    dest: /usr/local/bin/
+    mode: 0755
+
+- name: Install auto-logout-script for first login in /etc/profile.d/
+  copy:
+    dest: /etc/profile.d/lmn-logout.sh
+    content: |
+      [[ "${UID}" -gt 10000 ]] && ! findmnt "/lmn/media/${USER}/home" > /dev/null && exit 0
--- a/roles/lmn_sssd/templates/sssd.conf.j2
+++ b/roles/lmn_sssd/templates/sssd.conf.j2
@ -17,3 +17,6 @@ ad_gpo_access_control = disabled
 ad_gpo_ignore_unreadable = True
 ad_maximum_machine_account_password_age = 0
 ignore_group_members = True
+{% if groups.localhome is defined and inventory_hostname in groups.localhome %}
+override_homedir = /home/%u
+{% endif %}
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@ -48,6 +48,20 @@
      </volume>
    insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"

+- name: Configure pam_mount for VM bind mounts
+  blockinfile:
+    dest: /etc/security/pam_mount.conf.xml
+    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mount school for VMs) -->"
+    block: |
+      <volume
+        path="/srv/samba/schools/default-school"
+        mountpoint="/lmn/media/%(USER)/school"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>{{ localuser }}</user></or></not>
+      </volume>
+    insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"
+  when: groups.localhome is defined and inventory_hostname in groups.localhome
+
 - name: Use umount script for proper cleanup
  blockinfile:
    dest: /etc/security/pam_mount.conf.xml