From 08f0f082fdc4a700f07572941ab41247ce5b792c Mon Sep 17 00:00:00 2001 From: Raphael Dannecker Date: Sun, 28 Apr 2024 17:48:08 +0200 Subject: [PATCH] Introduction of a new device class (localhome). - user-home is on local disk - additional entry in dolphin: home@server - display info about localhome on login-screen - provide unison-config for sync home with home@server - force user to be logged out immediately after first login, because home-dir must exists for bind-mounts on /lmn/media --- lmn-client.yml | 2 ++ roles/lmn_fvs/files/lmn-patch-dolphin.sh | 31 ++++++++++++++-- .../files/lmn-create-unisonconfig.sh | 29 +++++++++++++++ roles/lmn_localhome/tasks/main.yml | 35 +++++++++++++++++++ roles/lmn_sssd/templates/sssd.conf.j2 | 3 ++ roles/lmn_vm/tasks/main.yml | 14 ++++++++ 6 files changed, 111 insertions(+), 3 deletions(-) create mode 100644 roles/lmn_localhome/files/lmn-create-unisonconfig.sh create mode 100644 roles/lmn_localhome/tasks/main.yml diff --git a/lmn-client.yml b/lmn-client.yml index 3c0a471..2733d0d 100644 --- a/lmn-client.yml +++ b/lmn-client.yml @@ -85,6 +85,8 @@ - lmn_printer - kerberize - lmn_security + - role: lmn_localhome + when: when: groups.localhome is defined and inventory_hostname in groups.localhome tasks: ## Temporary fixes and quirks: diff --git a/roles/lmn_fvs/files/lmn-patch-dolphin.sh b/roles/lmn_fvs/files/lmn-patch-dolphin.sh index 7e7c8e2..4c807d6 100755 --- a/roles/lmn_fvs/files/lmn-patch-dolphin.sh +++ b/roles/lmn_fvs/files/lmn-patch-dolphin.sh @@ -16,19 +16,44 @@ fi id="$(grep ID "$file" | sed -E "s|^.+ID>([[:digit:]]+)/([[:digit:]]+) ++ Home@Server ++ ++ ++ ++ ++ ++ $IDENTITY/${NUM1} ++ true ++ ++ ++ " +else + HOMEONSERVER=$'\n\n\n\n\n\n\n\n\n\n\n\n' +fi patch=" --- a/$file +++ b/$file -@@ -98,9 +98,33 @@ +@@ -98,9 +98,45 @@ true +$HOMEONSERVER + + Tausch + @@ -36,7 +61,7 @@ patch=" + + + -+ $IDENTITY/${NUM1} ++ $IDENTITY/${NUM2} + true + + @@ -48,7 +73,7 @@ patch=" + + + -+ $IDENTITY/${NUM2} ++ $IDENTITY/${NUM3} + true + + 
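Review bot: The new `- role: lmn_localhome` entry in lmn-client.yml carries `when: when: groups.localhome is defined and inventory_hostname in groups.localhome`, a duplicated key that YAML rejects ("mapping values are not allowed in this context"), so the whole playbook fails to load; it should read `when: groups.localhome is defined and inventory_hostname in groups.localhome`. The same group-membership test is repeated verbatim in roles/lmn_sssd/templates/sssd.conf.j2 and roles/lmn_vm/tasks/main.yml; a single boolean such as `lmn_localhome: true` set in the group_vars of the localhome group would keep the three places from drifting apart.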
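Review bot: The `else` branch in lmn-patch-dolphin.sh assigns `HOMEONSERVER=$'\n\n\n\n\n\n\n\n\n\n\n\n'`, twelve bare newlines, which appears to exist only so the embedded patch keeps the fixed length its header was bumped to (`@@ -98,9 +98,45 @@`, previously `+98,33`); that intent is not written down and will break silently the next time a line is added to the Home@Server block. A comment such as `# keep the embedded hunk 12 lines long in both branches so the +98,45 header stays valid` next to the assignment would make the coupling visible. The condition that selects between the two branches is not legible in this excerpt, so I cannot confirm what it keys on.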
diff --git a/roles/lmn_localhome/files/lmn-create-unisonconfig.sh b/roles/lmn_localhome/files/lmn-create-unisonconfig.sh
new file mode 100644
index 0000000..56f3b4e
--- /dev/null
+++ b/roles/lmn_localhome/files/lmn-create-unisonconfig.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/bash
+#
+# create ~/.unison/SyncHome.prf if not exists
+#
+set -eu
+
+[[ -f ~/.unison/SyncHome.prf ]] && exit 0
+
+mkdir -p ~/.unison
+
+if id | grep teachers; then
+ NETHOME="$(find /srv/samba/schools/default-school/teachers/ -maxdepth 1 -type d -name "${USER}")"
+else
+ NETHOME="$(find /srv/samba/schools/default-school/students/ -maxdepth 2 -type d -name "${USER}")"
+fi
+
+if [[ ! -f ~/.unison/SyncHome.prf ]]; then
+ echo "# Unison preferences
+label = Sync Home on Server
+path = Bilder
+path = Dokumente
+path = Musik
+path = Videos
+root = $HOME
+root = $NETHOME
+dontchmod = true
+perms = 0" > ~/.unison/SyncHome.prf
+fi
+
diff --git a/roles/lmn_localhome/tasks/main.yml b/roles/lmn_localhome/tasks/main.yml
new file mode 100644
index 0000000..1f8b499
--- /dev/null
+++ b/roles/lmn_localhome/tasks/main.yml
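Review bot: `if id | grep teachers; then` is a substring match over the whole `id` output (uid, username and every group name), so a user or group whose name merely contains "teachers" takes the teachers branch, and the matching line is also echoed to stdout; `if id -Gn | grep -qw teachers; then` limits the test to an exact group name and stays quiet. When neither `find` call matches, `NETHOME` is empty and the profile is still written with a bare `root = ` line that unison cannot use; a guard such as `[[ -n "$NETHOME" ]] || { echo "no server home found for ${USER}" >&2; exit 1; }` before the `echo` makes that failure visible instead of deferring it to the first sync. The inner `if [[ ! -f ~/.unison/SyncHome.prf ]]` repeats the early `exit 0` a few lines above and can be dropped.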
@@ -0,0 +1,35 @@
+---
+- name: enable pam_mkhomedir.so
+ lineinfile:
+ dest: /etc/pam.d/common-session
+ line: "session optional pam_mkhomedir.so umask=0077"
+ insertbefore: "session optional pam_mount.so"
+
+- name: Patch sddm login screen to inform about localhome
+ blockinfile:
+ path: /usr/share/sddm/themes/debian-breeze/Main.qml
+ marker: // {mark} ANSIBLE MANAGED BLOCK localhome
+ insertbefore: '\s+//Footer'
+ block: |
+ Text {
+ id: localhome
+ anchors.top: parent.top
+ anchors.left: parent.left
+ anchors.topMargin: 10
+ anchors.leftMargin: 15
+ color: "#ffffff"
+ text: "Lokale Anmeldung!\nHome-Verzeichnis liegt nicht im Netz!"
+ font.pointSize: config.fontSize
+ }
+
+- name: Copy unison-createconfig scripts
+ ansible.builtin.copy:
+ src: lmn-create-unisonconfig.sh
+ dest: /usr/local/bin/
+ mode: 0755
+
+- name: Install auto-logout-script for first login in /etc/profile.d/
+ copy:
+ dest: /etc/profile.d/lmn-logout.sh
+ content: |
+ [[ "${UID}" -gt 10000 ]] && ! findmnt "/lmn/media/${USER}/home" > /dev/null && exit 0
diff --git a/roles/lmn_sssd/templates/sssd.conf.j2 b/roles/lmn_sssd/templates/sssd.conf.j2
index 0c10c3c..f059f14 100644
--- a/roles/lmn_sssd/templates/sssd.conf.j2
+++ b/roles/lmn_sssd/templates/sssd.conf.j2
@@ -17,3 +17,6 @@ ad_gpo_access_control = disabled
 ad_gpo_ignore_unreadable = True
 ad_maximum_machine_account_password_age = 0
 ignore_group_members = True
+{% if groups.localhome is defined and inventory_hostname in groups.localhome %}
+override_homedir = /home/%u
+{% endif %}
diff --git a/roles/lmn_vm/tasks/main.yml b/roles/lmn_vm/tasks/main.yml
index 0d87a4e..d109fca 100644
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
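Review bot: The `/etc/profile.d/lmn-logout.sh` content in the last task relies on `[[ ... ]]` and `$UID`, which are bash/ksh features, but `/etc/profile.d/*.sh` is sourced by whatever POSIX shell reads `/etc/profile`; under dash `[[` is not a command and `UID` is unset, so the `&&` chain never reaches `exit 0` and the forced logout only happens for bash logins. A portable form is `[ "$(id -u)" -gt 10000 ] && ! findmnt "/lmn/media/${USER:-}/home" > /dev/null && exit 0`. The one-liner also carries no explanation of why a login is terminated, and it fires on every login where the bind mount is absent rather than only the first, so a pam_mount failure would lock affected users out of shell sessions until it is fixed; a header comment stating the rationale given in the commit message (home directory must exist before the /lmn/media bind mounts can be set up, so the first session is ended and the next login picks them up) and the lock-out consequence belongs in the file.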
@@ -48,6 +48,20 @@ insertafter: "" +- name: Configure pam_mount for VM bind mounts + blockinfile: + dest: /etc/security/pam_mount.conf.xml + marker: "" + block: | + rootansibleDebian-gdmsddm{{ localuser }} + + insertafter: "" + when: groups.localhome is defined and inventory_hostname in groups.localhome + - name: Use umount script for proper cleanup blockinfile: dest: /etc/security/pam_mount.conf.xml