From 23a9b6ff97351787f7448428d76e0bfad94ddf15 Mon Sep 17 00:00:00 2001
From: Raphael Dannecker
Date: Wed, 11 Dec 2024 13:09:30 +0100
Subject: [PATCH] Enable firewall activation for exam-mode

For working exam-mode we need to block direct internet access by firewall. Users have to use squid-proxy on firewall, which can be disabled for exam-users. To allow VM-traffic (anonymous user), we use a local squid server with users kerberos-ticket to authenticate on the parent squid. When using VMs on teacherdevices offsite, the local squid has to use direct internet access. So we need two squid configs. When switching between offsite and onsite, the squid has to be restartet with corresponding config.
---
 roles/lmn_vm/files/usersquid.service | 10 ++++++++++
 roles/lmn_vm/files/vm-run | 6 +-----
 roles/lmn_vm/handlers/main.yml | 5 +++++
 roles/lmn_vm/tasks/main.yml | 20 +++++++++++++++++--
 .../templates/squid-usermode-external.conf.j2 | 11 ++++++++++
 roles/lmn_vm/templates/squid-usermode.conf.j2 | 2 +-
 6 files changed, 46 insertions(+), 8 deletions(-)
 create mode 100644 roles/lmn_vm/files/usersquid.service
 create mode 100644 roles/lmn_vm/templates/squid-usermode-external.conf.j2

diff --git a/roles/lmn_vm/files/usersquid.service b/roles/lmn_vm/files/usersquid.service
new file mode 100644
index 0000000..bae6d11
--- /dev/null
+++ b/roles/lmn_vm/files/usersquid.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Run squid in usermode using user kerberos ticket
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/startusersquid.sh
+Restart=on-failure
+
+#[Install]
+#WantedBy=default.target
diff --git a/roles/lmn_vm/files/vm-run b/roles/lmn_vm/files/vm-run
index 8c4355d..1200b39 100755
--- a/roles/lmn_vm/files/vm-run
+++ b/roles/lmn_vm/files/vm-run
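Review bot: `Type=simple` together with `ExecStart=/usr/local/bin/startusersquid.sh` only works if the script keeps squid in the foreground; squid daemonizes by default, and if the script does not pass `-N` (or `exec` a foreground squid), systemd treats the script's exit as the service ending and kills the forked squid with the unit's cgroup, after which `Restart=on-failure` does nothing because the exit status was 0. The script is not part of this patch, so this cannot be verified here; a comment in the unit such as `# startusersquid.sh must run squid in the foreground (squid -N) for Type=simple` would record the contract. The commented-out `[Install]` section also means the unit can never be enabled and is only ever started from vm-run; if that is intended, saying so in a comment is cheaper than the next reader guessing.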
@@ -287,11 +287,7 @@ fi
 VM_NAME=$1
-# check, if we have to start squid
-if ! killall -s 0 squid; then
- echo "starting squid."
- /usr/sbin/squid -f /etc/squid/squid-usermode.conf
-fi
+systemctl --user restart usersquid.service &
 # check, if persistent VM is really wanted
 if [[ "${PERSISTENT}" == 1 ]] && [[ ! -f "${VM_DIR_PERSISTENT}/${VM_NAME}.qcow2" ]]; then
diff --git a/roles/lmn_vm/handlers/main.yml b/roles/lmn_vm/handlers/main.yml
index 6af3160..8f7c2e3 100644
--- a/roles/lmn_vm/handlers/main.yml
+++ b/roles/lmn_vm/handlers/main.yml
@@ -3,6 +3,11 @@
 name: libvirtd.service
 listen: reload libvirtd
+- name: Just force systemd to reread configs
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+ listen: daemon reload
+
 - name: Run update-desktop-database
 command: update-desktop-database "{{ item }}"
 loop:
diff --git a/roles/lmn_vm/tasks/main.yml b/roles/lmn_vm/tasks/main.yml
index 5a7e004..6145959 100644
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@@ -147,9 +147,25 @@
 - name: Deploy squid user mode configuration
 template:
- src: squid-usermode.conf.j2
- dest: /etc/squid/squid-usermode.conf
+ src: "{{ item }}.j2"
+ dest: "/etc/squid/{{ item }}"
 mode: '0644'
+ loop:
+ - squid-usermode.conf
+ - squid-usermode-external.conf
+
+- name: Deploy startusersquid script
+ template:
+ src: startusersquid.sh.j2
+ dest: /usr/local/bin/startusersquid.sh
+ mode: '0755'
+ notify: daemon reload
+
+- name: Provide usersquid service
+ copy:
+ src: usersquid.service
+ dest: /etc/systemd/user/usersquid.service
+ mode: 0644
 - name: Deploy sudo configurations
 copy:
diff --git a/roles/lmn_vm/templates/squid-usermode-external.conf.j2 b/roles/lmn_vm/templates/squid-usermode-external.conf.j2
new file mode 100644
index 0000000..ba1b2c7
--- /dev/null
+++ b/roles/lmn_vm/templates/squid-usermode-external.conf.j2
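Review bot: `systemctl --user restart usersquid.service &` backgrounds the restart and discards its exit status, so the VM is launched before the proxy is listening on 192.168.122.1:3128 and a failed start (no user manager available, port still bound, script error) is never reported, whereas the removed code started squid synchronously and only when it was not already running. Running it in the foreground and reporting failure keeps that guarantee: `if ! systemctl --user restart usersquid.service; then` / `  echo "could not (re)start usersquid.service" >&2` / `fi`. Note also that `restart` tears down a squid that other VMs of the same user may be using at that moment; if that is the intended way to pick up the onsite/offsite config switch, a comment saying so would help the next reader. The script continues outside the hunk.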
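Review bot: The `daemon reload` handler runs `daemon_reload: true` at system scope, but the unit this commit installs is /etc/systemd/user/usersquid.service, which is read by each user's own manager; a system-level daemon-reload does not make an already running user manager see the new or changed unit (that needs `systemctl --user daemon-reload` in the user's session, or a fresh login). The handler is also only notified from the startusersquid script task in tasks/main.yml, not from the task that copies the unit file, so the reload never fires for the file that actually changed. If the reload is meant only for the system manager, a comment in the handler stating that user managers pick the unit up at next login would document the assumption; otherwise the reload has to happen in user scope.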
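Review bot: `src: startusersquid.sh.j2` references a template that is not part of this patch (the diffstat lists six files and none of them is it), so unless it already exists in roles/lmn_vm/templates the play fails at this task. `notify: daemon reload` sits on the script task, while the file systemd actually needs to re-read is written by the following "Provide usersquid service" task, which has no notify; moving `notify: daemon reload` to that task would match the intent. The last task also writes `mode: 0644` unquoted while the two tasks above use `'0644'`/`'0755'`; quoting it, `mode: '0644'`, keeps the file consistent and avoids the YAML octal-literal ambiguity.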
@@ -0,0 +1,11 @@
+acl local-servers dstdomain .{{ domain }}
+cache_peer firewall.{{ domain }} parent 3128 0 no-query default login=NEGOTIATE auth-no-keytab
+never_direct deny local-servers
+always_direct allow all
+#access_log stdio:/tmp/access.log squid
+access_log none
+cache_log /dev/null
+logfile_rotate 0
+pid_filename none
+http_port 192.168.122.1:3128
+http_access allow all
diff --git a/roles/lmn_vm/templates/squid-usermode.conf.j2 b/roles/lmn_vm/templates/squid-usermode.conf.j2
index ba1b2c7..586dbb1 100644
--- a/roles/lmn_vm/templates/squid-usermode.conf.j2
+++ b/roles/lmn_vm/templates/squid-usermode.conf.j2
@@ -1,7 +1,7 @@
 acl local-servers dstdomain .{{ domain }}
 cache_peer firewall.{{ domain }} parent 3128 0 no-query default login=NEGOTIATE auth-no-keytab
 never_direct deny local-servers
-always_direct allow all
+never_direct allow all
 #access_log stdio:/tmp/access.log squid
 access_log none
 cache_log /dev/null
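Review bot: `http_access allow all` accepts every client that can reach 192.168.122.1:3128, and because the bridge address is a local address of the host that includes any other local account on the device, not only the VMs; in the onsite variant the parent is then used with the owning user's Kerberos identity via `login=NEGOTIATE`. Restricting clients to the VM network limits that, for example (constructed values, adjust to the libvirt network in use) `acl vmnet src 192.168.122.0/24`, `http_access allow vmnet`, `http_access deny all`. This file is byte-identical to the previous squid-usermode.conf.j2 (both are blob ba1b2c7) and differs from the new one only in the `always_direct`/`never_direct` line, so rendering one template with a per-item variable would keep the two from drifting apart. The same `http_access allow all` is present in squid-usermode.conf.j2 in the next hunk.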
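Review bot: After replacing `always_direct allow all` with `never_direct allow all`, requests to local-servers are only exempted from being forced through the parent by `never_direct deny local-servers`; nothing forces them direct, and with a `default` cache_peer and squid's default `prefer_direct off` a request to an internal host may still be routed to firewall.{{ domain }}. Adding `always_direct allow local-servers` immediately after the `never_direct deny local-servers` line pins internal traffic to the direct path as it was before this change. Whether this matters depends on whether the parent can reach those hosts; if it can and that is acceptable, a comment stating it would save the next reader the question.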