From 431acebfa3289c07f8ef4dbe62242caf97fa3703 Mon Sep 17 00:00:00 2001
From: "Andreas B. Mundt"
Date: Sat, 2 Sep 2023 15:46:27 +0200
Subject: [PATCH] Make playbook more general: Split into general and specific roles, use variables.
---
 lmn-desktop.yml | 13 +-
 .../{lmn_kde => lmn_fvs}/files/fvs-config.js | 0
 roles/lmn_fvs/files/lmn-patch-dolphin.sh | 61 +++++++
 .../files/lmn-reset-dolphin.sh | 0
 .../{lmn_kde => lmn_fvs}/files/policies.json | 0
 roles/{lmn_kde => lmn_fvs}/files/pwroff | 0
 .../{lmn_kde => lmn_fvs}/files/pwroff.service | 0
 roles/{lmn_kde => lmn_fvs}/files/pwroff.timer | 0
 roles/lmn_fvs/tasks/main.yml | 126 +++++++++++++++
 roles/lmn_kde/handlers/main.yml | 12 --
 roles/lmn_kde/tasks/main.yml | 152 ++++-------------
 roles/lmn_mount/tasks/main.yml | 23 ++-
 roles/lmn_network/tasks/main.yml | 4 +-
 13 files changed, 247 insertions(+), 144 deletions(-)
 rename roles/{lmn_kde => lmn_fvs}/files/fvs-config.js (100%)
 create mode 100755 roles/lmn_fvs/files/lmn-patch-dolphin.sh
 rename roles/{lmn_kde => lmn_fvs}/files/lmn-reset-dolphin.sh (100%)
 rename roles/{lmn_kde => lmn_fvs}/files/policies.json (100%)
 rename roles/{lmn_kde => lmn_fvs}/files/pwroff (100%)
 rename roles/{lmn_kde => lmn_fvs}/files/pwroff.service (100%)
 rename roles/{lmn_kde => lmn_fvs}/files/pwroff.timer (100%)
 create mode 100644 roles/lmn_fvs/tasks/main.yml
diff --git a/lmn-desktop.yml b/lmn-desktop.yml
index 3c30831..d6e3c01 100644
--- a/lmn-desktop.yml
+++ b/lmn-desktop.yml
@@ -1,4 +1,4 @@
-## This playbook deploys a FvS KDE desktop machine for LinuxMuster.
+## This playbook deploys a KDE desktop machine for LinuxMuster.
 ---
 - name: apply configuration to the machines
   hosts: all
@@ -24,6 +24,15 @@
   vars:
     domain: "{{ ansible_domain }}"
     kerberize_uris: steinbeis.schule
+    apt_conf: Acquire::http::Proxy "http://aptcache.pn.steinbeis.schule:3142/";
+    ntp_serv: server.pn.steinbeis.schule
+
+    ## PAM mount nextcloud, remove or leave empty to skip:
+    web_dav: https://nc.steinbeis.schule/remote.php/dav/files/%(USER)
+
+    ## Local mirror for mscorefonts. Remove or leave empty to use no mirror:
+    mirror_msfonts: http://livebox.pn.steinbeis.schule/mscorefonts/
+
     rsyncsecret: Muster!
     ## Use grub-mkpasswd-pbkdf2 to calculate the password hash:
     grub_pwd: 'grub.pbkdf2.sha512.10000.FB60266F69FB181327AFB76193192454FC64151559EFF4D6B8FB7C7904A2A9C4778EDD515B46F770DB6A009F36903C193917BBBC571C5B6AAB2A69208BE01A6E.7B82114A0239C0EC55A50E95C48FA74A8910DEE4088447786DAB35770B9C2CF2D1550CF3B7452155EB55D5F84E5D357BF12B8D299CF9B01BF5D71D516CF826DB'
@@ -38,7 +47,6 @@
       - debconf-utils
       - ctorrent
     extra_pkgs_bpo: [] # [ linux-image-amd64 ]
-    ansible_python_interpreter: "/usr/bin/python3"
 
   roles:
     - lmn_network
@@ -46,6 +54,7 @@
     - lmn_sssd
     - lmn_mount
     - lmn_kde
+    - lmn_fvs ## school specific customization
     - lmn_vm
     - lmn_printer
     - kerberize
diff --git a/roles/lmn_kde/files/fvs-config.js b/roles/lmn_fvs/files/fvs-config.js
similarity index 100%
rename from roles/lmn_kde/files/fvs-config.js
rename to roles/lmn_fvs/files/fvs-config.js
diff --git a/roles/lmn_fvs/files/lmn-patch-dolphin.sh b/roles/lmn_fvs/files/lmn-patch-dolphin.sh
new file mode 100755
index 0000000..f5b060e
--- /dev/null
+++ b/roles/lmn_fvs/files/lmn-patch-dolphin.sh
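Review bot: The new `apt_conf` and `ntp_serv` variables lack the short comment that `web_dav` and `mirror_msfonts` get right below, and unlike those two they are not optional: lmn_network renders both unconditionally, so leaving `apt_conf` empty writes an empty /etc/apt/apt.conf and removing either variable presumably fails the play on an undefined name. Add `## apt.conf content and NTP server, both written verbatim by lmn_network (required):` above `apt_conf`. Not introduced here but sitting in the context: `rsyncsecret: Muster!` is a plaintext credential committed with the playbook; an ansible-vault encrypted variable would keep it out of the repository.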
@@ -0,0 +1,61 @@ +#!/bin/bash +# +# patch 'Tausch' and 'Nextcloud' into dolphin's bookmarks +# +set -eu + +file="${1:-$HOME/.local/share/user-places.xbel}" + +if grep -q "Tausch\|Nextcloud" "$file" ; then + echo "Your Dolphin seems to already contain 'Tausch' and/or 'Nextcloud'." + exit 0 +fi + +id="$(grep ID "$file" | sed -E "s|^.+ID>([[:digit:]]+)/([[:digit:]]+) ++ Tausch ++ ++ ++ ++ ++ ++ $IDENTITY/${NUM1} ++ true ++ ++ ++ ++ ++ Nextcloud ++ ++ ++ ++ ++ ++ $IDENTITY/${NUM2} ++ true ++ ++ ++ + + Network + + + +" + +echo "$patch" | patch --fuzz=0 --backup "$file" diff --git a/roles/lmn_kde/files/lmn-reset-dolphin.sh b/roles/lmn_fvs/files/lmn-reset-dolphin.sh similarity index 100% rename from roles/lmn_kde/files/lmn-reset-dolphin.sh rename to roles/lmn_fvs/files/lmn-reset-dolphin.sh diff --git a/roles/lmn_kde/files/policies.json b/roles/lmn_fvs/files/policies.json similarity index 100% rename from roles/lmn_kde/files/policies.json rename to roles/lmn_fvs/files/policies.json diff --git a/roles/lmn_kde/files/pwroff b/roles/lmn_fvs/files/pwroff similarity index 100% rename from roles/lmn_kde/files/pwroff rename to roles/lmn_fvs/files/pwroff diff --git a/roles/lmn_kde/files/pwroff.service b/roles/lmn_fvs/files/pwroff.service similarity index 100% rename from roles/lmn_kde/files/pwroff.service rename to roles/lmn_fvs/files/pwroff.service diff --git a/roles/lmn_kde/files/pwroff.timer b/roles/lmn_fvs/files/pwroff.timer similarity index 100% rename from roles/lmn_kde/files/pwroff.timer rename to roles/lmn_fvs/files/pwroff.timer diff --git a/roles/lmn_fvs/tasks/main.yml b/roles/lmn_fvs/tasks/main.yml new file mode 100644 index 0000000..c9b331a --- /dev/null +++ b/roles/lmn_fvs/tasks/main.yml 
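Review bot: With `set -eu`, a missing bookmarks file (a user whose Dolphin has never been started) makes the first `grep -q` fail and the script abort with grep's own error instead of a clear message; add `[ -r "$file" ] || { echo "No Dolphin bookmarks file at $file; start Dolphin once first." >&2; exit 1; }` before the grep. The XML body of `$patch` and the `sed` expression that extracts the ID have been mangled in this view, so the `$IDENTITY`/`NUM1`/`NUM2` handling could not be checked. `patch --backup` leaves a `user-places.xbel.orig` next to the user's file; if that is intended, say so in the header comment.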
@@ -0,0 +1,126 @@
+---
+- name: Preseed wireshark to allow users sniffing packets
+  ansible.builtin.debconf:
+    name: wireshark-common
+    question: wireshark-common/install-setuid
+    value: 'true'
+    vtype: boolean
+
+- name: Preseed ttf-mscorefonts-installer
+  ansible.builtin.debconf:
+    name: ttf-mscorefonts-installer
+    question: msttcorefonts/dlurl
+    value: "{{ mirror_msfonts }}"
+    vtype: string
+  when: mirror_msfonts is defined and mirror_msfonts | length > 0
+
+
+- name: Install desktop EDU packages and some more
+  apt:
+    name:
+      - atftp
+      - curl
+      - elpa-color-theme-modern
+      - elpa-magit
+      - emacs
+      - git
+      - gitg
+      - gitk
+      - neovim
+      - net-tools
+      - netcat-openbsd
+      - nmap
+      - pulseview
+      - sigrok
+      - sigrok-cli
+      - tmux
+      - tree
+      - ttf-mscorefonts-installer
+      - wireshark
+    autoremove: true
+    state: latest
+  environment:
+    http_proxy: '' # this is needed to avoid ttf-mscorefonts-installer picking up aptcacher
+
+
+- name: Allow users to dump packets for wireshark without group membership
+  ansible.builtin.file:
+    path: /usr/bin/dumpcap
+    mode: '0755'
+
+
+- name: Create firefox policies directory
+  ansible.builtin.file:
+    path: /etc/firefox-esr/policies
+    state: directory
+    mode: '0755'
+
+- name: Create a symbolic link firefox to firefox-esr
+  ansible.builtin.file:
+    src: /etc/firefox-esr
+    dest: /etc/firefox
+    state: link
+
+- name: Copy firefox policy
+  ansible.builtin.copy:
+    src: policies.json
+    dest: /etc/firefox-esr/policies/
+
+
+- name: Copy pwroff script
+  copy:
+    src: pwroff
+    dest: /usr/local/sbin/
+    mode: 0755
+
+- name: Provide service and timer for pwroff script
+  copy:
+    src: "{{ item }}"
+    dest: "/etc/systemd/system/{{ item }}"
+    mode: 0644
+  with_items:
+    - pwroff.service
+    - pwroff.timer
+
+- name: Enable pwroff.timer
+  systemd:
+    name: pwroff.timer
+    enabled: true
+
+
+- name: Copy dolphin config scripts
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /usr/local/bin/
+    mode: 0755
+  loop:
+    - lmn-reset-dolphin.sh
+    - lmn-patch-dolphin.sh
+
+
+- name: Copy fvs-config.js to configure plasma
+  ansible.builtin.copy:
+    src: fvs-config.js
+    dest: /usr/share/plasma/shells/org.kde.plasma.desktop/contents/updates/fvs-config.js
+    mode: 0644
+
+
+- name: Restrict some user actions
+  blockinfile:
+    path: /etc/xdg/kdeglobals
+    create: true
+    block: |
+      [KDE Action Restrictions][$i]
+      action/start_new_session=false
+      #action/switch_user=false
+      #action/lock_screen=false
+
+#- name: Disable automatic lock screen and user specific modifications
+#  ansible.builtin.copy:
+#    path: /etc/xdg/kscreenlockerrc
+#    create: true
+#    content: |
+#      [Daemon][$i]
+#      Autolock=false
+#      LockOnResume=false
+#
diff --git a/roles/lmn_kde/handlers/main.yml b/roles/lmn_kde/handlers/main.yml
index 1a21074..e2b8cdf 100644
--- a/roles/lmn_kde/handlers/main.yml
+++ b/roles/lmn_kde/handlers/main.yml
@@ -1,14 +1,2 @@
 - name: Run update-grub
   command: update-grub
-
-- name: Enable tmp.mount
-  systemd:
-    daemon_reload: yes
-    name: tmp.mount
-    enabled: yes
-  listen: enable tmp.mount
-
-- name: enable pwroff.timer
-  systemd:
-    name: pwroff.timer
-    enabled: true
diff --git a/roles/lmn_kde/tasks/main.yml b/roles/lmn_kde/tasks/main.yml
index afd969e..74bed30 100644
--- a/roles/lmn_kde/tasks/main.yml
+++ b/roles/lmn_kde/tasks/main.yml
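Review bot: The `Allow users to dump packets for wireshark without group membership` task makes /usr/bin/dumpcap executable by every local account, which together with the `install-setuid` preseed hands raw packet capture on all interfaces (and presumably CAP_NET_ADMIN, depending on whether wireshark-common set file capabilities or the setuid bit) to anyone who can log in, not just the `wireshark` group; on shared lab machines that lets one pupil read another's traffic, so the task deserves a comment stating it is deliberate, e.g. `# Deliberately world-executable: every local user may capture on all interfaces (lab machines only).` If dumpcap was installed setuid rather than with capabilities, the absolute `mode: '0755'` would also strip the setuid bit — verify on a target host. Separately, `Enable pwroff.timer` neither reloads the manager after the unit files were just copied nor starts the timer, so it only becomes active after a reboot; adding `daemon_reload: true` and `state: started` to that `systemd` task fixes both. The commented-out kscreenlockerrc task uses `path:`/`create:` with `ansible.builtin.copy`, which has no such options — it would not work as written if ever re-enabled.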
@@ -1,74 +1,39 @@
 ---
-- name: Preseed wireshark to allow users sniffing packets
-  ansible.builtin.debconf:
-    name: wireshark-common
-    question: wireshark-common/install-setuid
-    value: 'true'
-    vtype: boolean
-
-- name: Preseed ttf-mscorefonts-installer
-  ansible.builtin.debconf:
-    name: ttf-mscorefonts-installer
-    question: msttcorefonts/dlurl
-    value: http://livebox.pn.steinbeis.schule/mscorefonts/
-    vtype: string
-
-- name: Install desktop EDU packages and some more
+- name: Install desktop and educational packages
   apt:
     name:
-      - task-kde-desktop
-      - task-german-kde-desktop
-      - task-german-desktop
-      - xdg-desktop-portal-kde
-      - xdg-desktop-portal-wlr # share screen in browser
-      - kde-full
       - akonadi-backend-sqlite
-      - thunderbird-l10n-de
-      - webext-privacy-badger
-      - webext-ublock-origin-firefox
-      - webext-ublock-origin-chromium
-      - atftp
-      - emacs
-      - elpa-magit
-      - elpa-color-theme-modern
-      - vlc
+      - arduino
+      - bluefish
+      - codeblocks
+      - dia
+      - flameshot
+      - freecad
+      - ghex
       - gimp
       - inkscape
-      - flameshot
-      - bluefish
-      - git
-      - gitk
-      - gitg
-      - wireshark
-      - nmap
-      - netcat-openbsd
-      - net-tools
-      - ghex
-      - thonny
-      - spyder
+      - kde-full
+      - keepassxc
+      - librecad
       - mu-editor
-      - dia
-      - vym
-      - tree
+      - qtcreator
+      - spyder
       - sqlite3
       - sqlitebrowser
-      - neovim
-      - qtcreator
-      - freecad
-      - librecad
-      - arduino
-      - keepassxc
-      - tmux
-      - curl
-      - pulseview
-      - sigrok
-      - sigrok-cli
-      - codeblocks
-      - ttf-mscorefonts-installer
+      - task-german-desktop
+      - task-german-kde-desktop
+      - task-kde-desktop
+      - thonny
+      - thunderbird-l10n-de
+      - vlc
+      - vym
+      - webext-privacy-badger
+      - webext-ublock-origin-chromium
+      - webext-ublock-origin-firefox
+      - xdg-desktop-portal-kde
+      - xdg-desktop-portal-wlr # share screen in browser
     autoremove: true
     state: latest
-  environment:
-    http_proxy: '' # this is needed to avoid ttf-mscorefonts-installer picking up aptcacher
 
 - name: Add {{ ansible_distribution_release }}-backports
   apt_repository:
@@ -88,14 +53,6 @@
     default_release: "{{ ansible_distribution_release }}-backports"
 
 
-- name: Enable splash screen
-  replace:
-    dest: "/etc/default/grub"
-    regexp: '"quiet"$'
-    replace: '"quiet splash"'
-  notify: Run update-grub
-
-
 - name: Create akonadi config dir
   ansible.builtin.file:
     path: /etc/xdg/akonadi/
@@ -111,12 +68,6 @@
       Driver=QSQLITE3
 
 
-- name: Allow users to dump packets for wireshark without group membership
-  ansible.builtin.file:
-    path: /usr/bin/dumpcap
-    mode: '0755'
-
-
 - name: Add home dirs to apparmor
   lineinfile:
     dest: /etc/apparmor.d/tunables/home.d/ubuntu
@@ -125,24 +76,6 @@
       /srv/samba/schools/default-school/students/*/
 
 
-- name: Create firefox policies directory
-  ansible.builtin.file:
-    path: /etc/firefox-esr/policies
-    state: directory
-    mode: '0755'
-
-- name: Create a symbolic link firefox to firefox-esr
-  ansible.builtin.file:
-    src: /etc/firefox-esr
-    dest: /etc/firefox
-    state: link
-
-- name: copy policy
-  ansible.builtin.copy:
-    src: policies.json
-    dest: /etc/firefox-esr/policies/
-
-
 - name: tune SDDM login
   blockinfile:
     path: /etc/sddm.conf
@@ -172,35 +105,14 @@ AllowHybridSleep=no -- name: Copy pwroff script - copy: - src: pwroff - dest: /usr/local/sbin/ - mode: 0755 - -- name: Provide service and timer for pwroff script - copy: - src: "{{ item }}" - dest: "/etc/systemd/system/{{ item }}" - mode: 0644 - with_items: - - pwroff.service - - pwroff.timer - notify: enable pwroff.timer - -- name: copy lmn-reset-dolphin.sh - ansible.builtin.copy: - src: lmn-reset-dolphin.sh - dest: /usr/local/bin/ - mode: 0755 - -- name: Copy fvs-config.js to configure plasma - ansible.builtin.copy: - src: fvs-config.js - dest: /usr/share/plasma/shells/org.kde.plasma.desktop/contents/updates/fvs-config.js - mode: 0644 - ################# general settings ################## +- name: Enable boot splash screen + replace: + dest: "/etc/default/grub" + regexp: '"quiet"$' + replace: '"quiet splash"' + notify: Run update-grub + - name: Protect grub menu entries blockinfile: path: /etc/grub.d/40_custom diff --git a/roles/lmn_mount/tasks/main.yml b/roles/lmn_mount/tasks/main.yml index 195e85e..969f188 100644 --- a/roles/lmn_mount/tasks/main.yml +++ b/roles/lmn_mount/tasks/main.yml @@ -9,12 +9,26 @@ - davfs2 state: latest +- name: Configure pam_mount for Webdav Nextcloud + blockinfile: + dest: /etc/security/pam_mount.conf.xml + marker: "" + block: | + rootansibleDebian-gdmsddmvirti + + insertafter: "" + when: web_dav is defined and web_dav | length > 0 + - name: Configure pam_mount for LMN homes blockinfile: dest: /etc/security/pam_mount.conf.xml marker: "" block: | - rootansibleDebian-gdmsddmvirti - rootansibleDebian-gdmsddmvirti - insertafter: "" diff --git a/roles/lmn_network/tasks/main.yml b/roles/lmn_network/tasks/main.yml index 58b5c15..0cbd144 100644 --- a/roles/lmn_network/tasks/main.yml +++ b/roles/lmn_network/tasks/main.yml 
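Review bot: The markup of both pam_mount `block:` bodies and the `marker:` values has been stripped in this view, so only the structure can be checked: the two `blockinfile` tasks insert after the same anchor in /etc/security/pam_mount.conf.xml and must use distinct markers, otherwise the second task replaces the block the first one wrote — verify the markers differ. The `when: web_dav is defined and web_dav | length > 0` guard only skips adding the Nextcloud volume; clearing `web_dav` later leaves a previously written volume in place, so the playbook's "remove or leave empty to skip" promise needs a matching task with `state: absent` on the same marker, guarded by `when: web_dav is not defined or web_dav | length == 0`. Since `{{ web_dav }}` lands inside an XML attribute, a URL containing `&` would have to be written as `&amp;`; a comment on the task noting that the value is inserted unescaped would save the next maintainer a broken pam_mount config.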
@@ -4,10 +4,10 @@
   ansible.builtin.copy:
     dest: /etc/apt/apt.conf
     content: >
-      Acquire::http::Proxy "http://aptcache.pn.steinbeis.schule:3142/";
+      {{ apt_conf }}
 
 - name: set ntp Server
   ansible.builtin.lineinfile:
     path: /etc/systemd/timesyncd.conf
     insertafter: '^#NTP='
-    line: NTP=server.pn.steinbeis.schule
+    line: NTP={{ ntp_serv }}
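Review bot: `set ntp Server` still has no `regexp:`, so `lineinfile` only recognises a line exactly equal to `NTP={{ ntp_serv }}`; now that the server is a variable, changing `ntp_serv` on an already configured host appends a second `NTP=` line after `#NTP=` instead of replacing the old one, leaving two `NTP=` assignments in timesyncd.conf. Add `regexp: '^#?NTP='` to the task so the existing (or commented) line is replaced in place. For apt.conf the folded `content: >` is fine, but since `{{ apt_conf }}` is now an arbitrary apt statement written verbatim, a comment such as `# apt_conf must be a complete apt.conf statement, e.g. Acquire::http::Proxy "http://host:3142/";` on the task would document the expected shape.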