Make playbook more general: Split into general and specific roles, use variables.

This commit is contained in:
Andreas B. Mundt 2023-09-02 15:46:27 +02:00
parent c59fb67ed0
commit 431acebfa3
13 changed files with 247 additions and 144 deletions


@ -1,4 +1,4 @@
## This playbook deploys a FvS KDE desktop machine for LinuxMuster.
## This playbook deploys a KDE desktop machine for LinuxMuster.
---
- name: apply configuration to the machines
hosts: all
@ -24,6 +24,15 @@
vars:
domain: "{{ ansible_domain }}"
kerberize_uris: steinbeis.schule
apt_conf: Acquire::http::Proxy "http://aptcache.pn.steinbeis.schule:3142/";
ntp_serv: server.pn.steinbeis.schule
## PAM mount nextcloud, remove or leave empty to skip:
web_dav: https://nc.steinbeis.schule/remote.php/dav/files/%(USER)
## Local mirror for mscorefonts. Remove or leave empty to use no mirror:
mirror_msfonts: http://livebox.pn.steinbeis.schule/mscorefonts/
rsyncsecret: Muster!
## Use grub-mkpasswd-pbkdf2 to calculate the password hash:
grub_pwd: 'grub.pbkdf2.sha512.10000.FB60266F69FB181327AFB76193192454FC64151559EFF4D6B8FB7C7904A2A9C4778EDD515B46F770DB6A009F36903C193917BBBC571C5B6AAB2A69208BE01A6E.7B82114A0239C0EC55A50E95C48FA74A8910DEE4088447786DAB35770B9C2CF2D1550CF3B7452155EB55D5F84E5D357BF12B8D299CF9B01BF5D71D516CF826DB'
@ -38,7 +47,6 @@
- debconf-utils
- ctorrent
extra_pkgs_bpo: [] # [ linux-image-amd64 ]
ansible_python_interpreter: "/usr/bin/python3"
roles:
- lmn_network
@ -46,6 +54,7 @@
- lmn_sssd
- lmn_mount
- lmn_kde
- lmn_fvs ## school specific customization
- lmn_vm
- lmn_printer
- kerberize
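Review bot: `apt_conf: Acquire::http::Proxy "http://aptcache.pn.steinbeis.schule:3142/";` is a plain scalar carrying embedded double quotes and a trailing semicolon; it parses today, but any future edit that introduces a `: ` or ` #` inside the value turns it into a mapping or a comment, so quote it once: `apt_conf: 'Acquire::http::Proxy "http://aptcache.pn.steinbeis.schule:3142/";'`. The same `vars:` block keeps `rsyncsecret: Muster!` as a plaintext credential beside the hashed `grub_pwd`; I cannot tell from the rendered hunk whether that line predates this commit, but an ansible-vault value or an uncommitted vars file would keep it out of the repository. Since the commit's aim is to separate general from site-specific configuration, the site values (`kerberize_uris`, `ntp_serv`, `mirror_msfonts`, `web_dav`, `apt_conf`) are candidates for group_vars so the playbook itself stays generic. The play's `vars:` mapping begins before this hunk.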


@ -0,0 +1,61 @@
#!/bin/bash
#
# patch 'Tausch' and 'Nextcloud' into dolphin's bookmarks
#
set -eu
file="${1:-$HOME/.local/share/user-places.xbel}"
if grep -q "Tausch\|Nextcloud" "$file" ; then
echo "Your Dolphin seems to already contain 'Tausch' and/or 'Nextcloud'."
exit 0
fi
id="$(grep ID "$file" | sed -E "s|^.+ID>([[:digit:]]+)/([[:digit:]]+)</ID.+$|\1:\2|" \
| sort -n -t: -k2 | tail -1 )"
IDENTITY="${id%%:*}"
NUM0="${id##*:}"
NUM1=$(( NUM0 + 1 ))
NUM2=$(( NUM0 + 2 ))
patch="
--- a/$file
+++ b/$file
@@ -98,9 +98,33 @@
<isSystemItem>true</isSystemItem>
</metadata>
</info>
</bookmark>
+ <bookmark href=\"file:///srv/samba/schools/default-school/share\">
+ <title>Tausch</title>
+ <info>
+ <metadata owner=\"http://freedesktop.org\">
+ <bookmark:icon name=\"folder-publicshare\"/>
+ </metadata>
+ <metadata owner=\"http://www.kde.org\">
+ <ID>$IDENTITY/${NUM1}</ID>
+ <isSystemItem>true</isSystemItem>
+ </metadata>
+ </info>
+ </bookmark>
+ <bookmark href=\"file:///lmn/media/$USER/nextcloud\">
+ <title>Nextcloud</title>
+ <info>
+ <metadata owner=\"http://freedesktop.org\">
+ <bookmark:icon name=\"folder-cloud\"/>
+ </metadata>
+ <metadata owner=\"http://www.kde.org\">
+ <ID>$IDENTITY/${NUM2}</ID>
+ <isSystemItem>true</isSystemItem>
+ </metadata>
+ </info>
+ </bookmark>
<bookmark href=\"remote:/\">
<title>Network</title>
<info>
<metadata owner=\"http://freedesktop.org\">
<bookmark:icon name=\"folder-network\"/>
"
echo "$patch" | patch --fuzz=0 --backup "$file"
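Review bot: If `$file` contains no `<ID>` elements, the `id=` assignment yields an empty string, `IDENTITY` expands to nothing, `NUM0` is treated as 0 by the arithmetic and the generated bookmarks carry a malformed `<ID>/1</ID>`; guard before deriving the numbers: `[ -n "$id" ] || { echo "No <ID> entries found in $file" >&2; exit 1; }`. `grep ID "$file"` also selects any line containing those two letters, not only `<ID>` elements — the sed leaves non-matching lines untouched and they flow into `sort`, so `grep '<ID>' "$file"` narrows the input to what the pattern expects. With `set -eu`, a missing or unreadable `$file` aborts on grep's own error text; a `[ -r "$file" ] || { echo "Cannot read $file" >&2; exit 1; }` check up front names the expected path instead.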


@ -0,0 +1,126 @@
---
- name: Preseed wireshark to allow users sniffing packets
ansible.builtin.debconf:
name: wireshark-common
question: wireshark-common/install-setuid
value: 'true'
vtype: boolean
- name: Preseed ttf-mscorefonts-installer
ansible.builtin.debconf:
name: ttf-mscorefonts-installer
question: msttcorefonts/dlurl
value: "{{ mirror_msfonts }}"
vtype: string
when: mirror_msfonts is defined and mirror_msfonts | length > 0
- name: Install desktop EDU packages and some more
apt:
name:
- atftp
- curl
- elpa-color-theme-modern
- elpa-magit
- emacs
- git
- gitg
- gitk
- neovim
- net-tools
- netcat-openbsd
- nmap
- pulseview
- sigrok
- sigrok-cli
- tmux
- tree
- ttf-mscorefonts-installer
- wireshark
autoremove: true
state: latest
environment:
http_proxy: '' # this is needed to avoid ttf-mscorefonts-installer picking up aptcacher
- name: Allow users to dump packets for wireshark without group membership
ansible.builtin.file:
path: /usr/bin/dumpcap
mode: '0755'
- name: Create firefox policies directory
ansible.builtin.file:
path: /etc/firefox-esr/policies
state: directory
mode: '0755'
- name: Create a symbolic link firefox to firefox-esr
ansible.builtin.file:
src: /etc/firefox-esr
dest: /etc/firefox
state: link
- name: Copy firefox policy
ansible.builtin.copy:
src: policies.json
dest: /etc/firefox-esr/policies/
- name: Copy pwroff script
copy:
src: pwroff
dest: /usr/local/sbin/
mode: 0755
- name: Provide service and timer for pwroff script
copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
with_items:
- pwroff.service
- pwroff.timer
- name: Enable pwroff.timer
systemd:
name: pwroff.timer
enabled: true
- name: Copy dolphin config scripts
ansible.builtin.copy:
src: "{{ item }}"
dest: /usr/local/bin/
mode: 0755
loop:
- lmn-reset-dolphin.sh
- lmn-patch-dolphin.sh
- name: Copy fvs-config.js to configure plasma
ansible.builtin.copy:
src: fvs-config.js
dest: /usr/share/plasma/shells/org.kde.plasma.desktop/contents/updates/fvs-config.js
mode: 0644
- name: Restrict some user actions
blockinfile:
path: /etc/xdg/kdeglobals
create: true
block: |
[KDE Action Restrictions][$i]
action/start_new_session=false
#action/switch_user=false
#action/lock_screen=false
#- name: Disable automatic lock screen and user specific modifications
# ansible.builtin.copy:
# path: /etc/xdg/kscreenlockerrc
# create: true
# content: |
# [Daemon][$i]
# Autolock=false
# LockOnResume=false
#
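Review bot: The task `Allow users to dump packets for wireshark without group membership` sets `/usr/bin/dumpcap` to `mode: '0755'` directly after preseeding `wireshark-common/install-setuid` to `'true'`, so every local account, not only the wireshark group, can run the privileged capture helper; the task name states the intent, but a comment such as `# Deliberately world-executable: pupils capture without wireshark group membership` would make the widened access explicit to the next maintainer. On Debian the package postinst manages this mode itself (via dpkg-statoverride, as far as I recall), so a package upgrade may revert the change unless it is recorded the same way — worth confirming on a test host. Separately, `Enable pwroff.timer` replaces the removed handler, but neither the old nor the new form reloads systemd after the unit files are copied, so on a fresh host the timer may be unknown when it is enabled; add `daemon_reload: true` to that `systemd:` task. Octal modes appear both quoted (`'0755'`) and bare (`0755`, `0644`) in this file; quoting all of them keeps YAML 1.1 parsers from reading them as decimal integers and matches the earlier tasks.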


@ -1,14 +1,2 @@
- name: Run update-grub
command: update-grub
- name: Enable tmp.mount
systemd:
daemon_reload: yes
name: tmp.mount
enabled: yes
listen: enable tmp.mount
- name: enable pwroff.timer
systemd:
name: pwroff.timer
enabled: true


@ -1,74 +1,39 @@
---
- name: Preseed wireshark to allow users sniffing packets
ansible.builtin.debconf:
name: wireshark-common
question: wireshark-common/install-setuid
value: 'true'
vtype: boolean
- name: Preseed ttf-mscorefonts-installer
ansible.builtin.debconf:
name: ttf-mscorefonts-installer
question: msttcorefonts/dlurl
value: http://livebox.pn.steinbeis.schule/mscorefonts/
vtype: string
- name: Install desktop EDU packages and some more
- name: Install desktop and educational packages
apt:
name:
- task-kde-desktop
- task-german-kde-desktop
- task-german-desktop
- xdg-desktop-portal-kde
- xdg-desktop-portal-wlr # share screen in browser
- kde-full
- akonadi-backend-sqlite
- thunderbird-l10n-de
- webext-privacy-badger
- webext-ublock-origin-firefox
- webext-ublock-origin-chromium
- atftp
- emacs
- elpa-magit
- elpa-color-theme-modern
- vlc
- arduino
- bluefish
- codeblocks
- dia
- flameshot
- freecad
- ghex
- gimp
- inkscape
- flameshot
- bluefish
- git
- gitk
- gitg
- wireshark
- nmap
- netcat-openbsd
- net-tools
- ghex
- thonny
- spyder
- kde-full
- keepassxc
- librecad
- mu-editor
- dia
- vym
- tree
- qtcreator
- spyder
- sqlite3
- sqlitebrowser
- neovim
- qtcreator
- freecad
- librecad
- arduino
- keepassxc
- tmux
- curl
- pulseview
- sigrok
- sigrok-cli
- codeblocks
- ttf-mscorefonts-installer
- task-german-desktop
- task-german-kde-desktop
- task-kde-desktop
- thonny
- thunderbird-l10n-de
- vlc
- vym
- webext-privacy-badger
- webext-ublock-origin-chromium
- webext-ublock-origin-firefox
- xdg-desktop-portal-kde
- xdg-desktop-portal-wlr # share screen in browser
autoremove: true
state: latest
environment:
http_proxy: '' # this is needed to avoid ttf-mscorefonts-installer picking up aptcacher
- name: Add {{ ansible_distribution_release }}-backports
apt_repository:
@ -88,14 +53,6 @@
default_release: "{{ ansible_distribution_release }}-backports"
- name: Enable splash screen
replace:
dest: "/etc/default/grub"
regexp: '"quiet"$'
replace: '"quiet splash"'
notify: Run update-grub
- name: Create akonadi config dir
ansible.builtin.file:
path: /etc/xdg/akonadi/
@ -111,12 +68,6 @@
Driver=QSQLITE3
- name: Allow users to dump packets for wireshark without group membership
ansible.builtin.file:
path: /usr/bin/dumpcap
mode: '0755'
- name: Add home dirs to apparmor
lineinfile:
dest: /etc/apparmor.d/tunables/home.d/ubuntu
@ -125,24 +76,6 @@
/srv/samba/schools/default-school/students/*/
- name: Create firefox policies directory
ansible.builtin.file:
path: /etc/firefox-esr/policies
state: directory
mode: '0755'
- name: Create a symbolic link firefox to firefox-esr
ansible.builtin.file:
src: /etc/firefox-esr
dest: /etc/firefox
state: link
- name: copy policy
ansible.builtin.copy:
src: policies.json
dest: /etc/firefox-esr/policies/
- name: tune SDDM login
blockinfile:
path: /etc/sddm.conf
@ -172,35 +105,14 @@
AllowHybridSleep=no
- name: Copy pwroff script
copy:
src: pwroff
dest: /usr/local/sbin/
mode: 0755
- name: Provide service and timer for pwroff script
copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
with_items:
- pwroff.service
- pwroff.timer
notify: enable pwroff.timer
- name: copy lmn-reset-dolphin.sh
ansible.builtin.copy:
src: lmn-reset-dolphin.sh
dest: /usr/local/bin/
mode: 0755
- name: Copy fvs-config.js to configure plasma
ansible.builtin.copy:
src: fvs-config.js
dest: /usr/share/plasma/shells/org.kde.plasma.desktop/contents/updates/fvs-config.js
mode: 0644
################# general settings ##################
- name: Enable boot splash screen
replace:
dest: "/etc/default/grub"
regexp: '"quiet"$'
replace: '"quiet splash"'
notify: Run update-grub
- name: Protect grub menu entries
blockinfile:
path: /etc/grub.d/40_custom
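Review bot: The `environment:` stanza `http_proxy: ''` on `Install desktop and educational packages` and its comment `# this is needed to avoid ttf-mscorefonts-installer picking up aptcacher` are now stale in this role: `ttf-mscorefonts-installer` is removed from this package list in the same hunk, and the new site-specific task file earlier in this commit carries its own copy of the override. Unless another package in this list needs a proxy-free environment, the `environment:` block and its comment can be dropped here; if it stays for another reason, the comment should name that reason. The task list continues above and below the hunk.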


@ -9,12 +9,26 @@
- davfs2
state: latest
- name: Configure pam_mount for Webdav Nextcloud
blockinfile:
dest: /etc/security/pam_mount.conf.xml
marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount Nextcloud) -->"
block: |
<volume
fstype="davfs"
path="{{ web_dav }}"
mountpoint="/lmn/media/%(USER)/nextcloud"
options="username=%(USER),nosuid,nodev,uid=%(USER),gid=1010,grpid,file_mode=0770,dir_mode=0770,forceuid,forcegid"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
</volume>
insertafter: "<!-- Volume definitions -->"
when: web_dav is defined and web_dav | length > 0
- name: Configure pam_mount for LMN homes
blockinfile:
dest: /etc/security/pam_mount.conf.xml
marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN home) -->"
block: |
<!-- mounts for home and nextcloud -->
<volume
fstype="cifs"
server="{{ smb_server }}"
@ -23,13 +37,6 @@
options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks,nobrl"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
</volume>
<volume
fstype="davfs"
path="https://nc.steinbeis.schule/remote.php/dav/files/%(USER)"
mountpoint="/lmn/media/%(USER)/nextcloud"
options="username=%(USER),nosuid,nodev,uid=%(USER),gid=1010,grpid,file_mode=0770,dir_mode=0770,forceuid,forcegid"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
</volume>
insertafter: "<!-- Volume definitions -->"
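Review bot: `when: web_dav is defined and web_dav | length > 0` on `Configure pam_mount for Webdav Nextcloud` only skips the task, so a davfs volume already written to `/etc/security/pam_mount.conf.xml` remains in place once `web_dav` is cleared, although the playbook comment promises that emptying it skips the mount; drive the block's presence instead of skipping: `state: "{{ 'present' if (web_dav | default('')) | length > 0 else 'absent' }}"` and remove the `when`. The comment `<!-- mounts for home and nextcloud -->` kept inside the `mount LMN home` block describes the former combined block; with the davfs volume in its own managed block it should read `<!-- mount for LMN home -->`. `path="{{ web_dav }}"` is inserted into an XML attribute unescaped, so a value containing `&` or `"` would corrupt the file; `{{ web_dav | e }}` keeps it well-formed.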


@ -4,10 +4,10 @@
ansible.builtin.copy:
dest: /etc/apt/apt.conf
content: >
Acquire::http::Proxy "http://aptcache.pn.steinbeis.schule:3142/";
{{ apt_conf }}
- name: set ntp Server
ansible.builtin.lineinfile:
path: /etc/systemd/timesyncd.conf
insertafter: '^#NTP='
line: NTP=server.pn.steinbeis.schule
line: NTP={{ ntp_serv }}
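Review bot: `set ntp Server` uses `insertafter: '^#NTP='` without a `regexp`, so when `ntp_serv` changes `lineinfile` inserts a second `NTP=` line after the commented template instead of replacing the one written earlier; now that the value comes from a variable this is likely to happen, so add `regexp: '^NTP='` to replace the existing line in place (the first run still inserts after `#NTP=`). The `content: >` folded scalar for `/etc/apt/apt.conf` yields `{{ apt_conf }}` plus a newline, which suits the single directive the playbook supplies; if `apt_conf` is ever set empty the file becomes a blank line, which differs from the "remove or leave empty to skip" convention used for the other new variables and may deserve a `when: apt_conf | default('') | length > 0` or a comment stating the difference.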