Further split roles. Mount user home on the clients (sshfs).

The following roles are available:
 fvs-sssd
   Configures LDAP as ID and AUTH provider using sssd.
 fvs-mount
   Provides all private user directories on login with pam_mount.

Machines provided so far are:
  The server providing the home directory: fvs-home.yml
  A standard client: fvs-client.yml

fvs-client.yml

@@ -33,8 +33,9 @@
 
   roles:
     - up2date-debian
+    - fvs-sssd
+    - fvs-mount
+    - fvs-client
     ## Choose either gnome or KDE:
     - gnome
     #- kde
-    - fvs-mkhome
-    - fvs-client

fvs-home.yml

@@ -0,0 +1,20 @@
+---
+- name: apply configuration to the home server
+  hosts: all
+  remote_user: ansible
+  become: yes
+  vars:
+    extra_pkgs:
+      - vim
+    extra_pkgs_bpo: [ ]  # [ libreoffice ]
+
+  roles:
+    - up2date-debian
+    - fvs-sssd
+
+  tasks:
+    - name: enable pam_mkhomedir.so
+      lineinfile:
+        dest: /etc/pam.d/common-session
+        line: "session	optional	pam_mkhomedir.so  umask=0027"
+        insertbefore: "session	optional	pam_mount.so"

roles/fvs-client/tasks/main.yml

@@ -4,11 +4,6 @@
     dest: /etc/firefox-esr/firefox-esr.js
     line: pref("browser.startup.homepage", "https://www.startpage.com");
 
-    #- name: enable pam_umask
-    #  lineinfile:
-    #    dest: /etc/pam.d/common-session
-    #    line: "session optional	pam_umask.so usergroups"
-
 - name: set capabilities (wireshark)
   capabilities:
     path: /usr/bin/dumpcap

roles/fvs-mkhome/tasks/main.yml

@@ -1,79 +0,0 @@
----
-- name: install needed packages
-  apt:
-    name:
-      - sssd-ldap
-      - libpam-mount
-      - cifs-utils
-    state: latest
-
-- name: add URI to ldap.conf
-  lineinfile:
-    dest: /etc/ldap/ldap.conf
-    line: "URI ldaps://{{ ldap_server }}/"
-    insertafter: "#URI.*"
-
-- name: add BASE to ldap.conf
-  lineinfile:
-    dest: /etc/ldap/ldap.conf
-    line: "BASE {{ basedn }}"
-    insertafter: "#BASE.*"
-
-- name: do not verify cert
-  lineinfile:
-    dest: /etc/ldap/ldap.conf
-    line: "LDAPTLS_REQCERT      never"
-
-    #- name: enable pam_umask
-    #  lineinfile:
-    #    dest: /etc/pam.d/common-session
-    #    line: "session optional	pam_umask.so usergroups"
-
-- name: enable pam_mkhomedir.so
-  lineinfile:
-    dest: /etc/pam.d/common-session
-    line: "session	optional	pam_mkhomedir.so  umask=0027"
-    insertbefore: "session	optional	pam_mount.so"
-
-- name: configure pam_mount
-  blockinfile:
-    dest: /etc/security/pam_mount.conf.xml
-    block: |
-      <volume
-        fstype="cifs"
-        server="{{ smb_server }}"
-        path="{{ smb_home }}"
-        mountpoint="/media/%(USER)/winhome"
-        options="dir_mode=0750,file_mode=0640"
-      ><not><user>ansible</user></not></volume>
-      <volume
-        fstype="cifs"
-        server="{{ smb_server }}"
-        path="{{ smb_share }}"
-        mountpoint="/media/%(USER)/winshare"
-        options="dir_mode=0750,file_mode=0640"
-      ><not><user>ansible</user></not></volume>
-      <!--volume
-        fstype="fuse"
-        path="sshfs#%(USER)@homes:"
-        mountpoint="/home/%(USER)"
-        options="StrictHostKeyChecking=no,allow_root"
-      ><not><user>ansible</user></not></volume>
-      <volume
-        path="/home/%(USER)"
-        mountpoint="~"
-        options="bind"
-      /-->
-    insertafter: "<!-- Volume definitions -->"
-
-- name: provide identities from directory
-  template:
-    src: sssd.conf.j2
-    dest: /etc/sssd/sssd.conf
-    mode: 0600
-  notify: restart sssd
-
-  ## FIXME: preseeding grub nvram does not work
-- name: reset boot order
-  command: efibootmgr --delete-bootorder
-  when: run_in_installer|default(false)|bool

roles/fvs-mount/defaults/main.yml

@@ -1,5 +1,4 @@
-basedn: "ou=Benutzer,ou=fvs,ou=SCHULEN,o=ml3"
-ldap_server: "ldap.steinbeisschule-reutlingen.de"
 smb_server: "smb.steinbeisschule-reutlingen.de"
+home_server: "home.steinbeisschule-reutlingen.de"
 smb_home: "DOCS/fvs/home/"
 smb_share: "DOCS/fvs/tausch/"

roles/fvs-mount/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+- name: install needed packages
+  apt:
+    name:
+      - libpam-mount
+      - cifs-utils
+      - sshfs
+    state: latest
+
+- name: configure pam_mount
+  blockinfile:
+    dest: /etc/security/pam_mount.conf.xml
+    block: |
+      <volume
+        fstype="cifs"
+        server="{{ smb_server }}"
+        path="{{ smb_home }}"
+        mountpoint="/media/%(USER)/winhome"
+        options="dir_mode=0750,file_mode=0640"
+      ><not><or><user>ansible</user><user>Debian-gdm</user></or></not></volume>
+      <volume
+        fstype="cifs"
+        server="{{ smb_server }}"
+        path="{{ smb_share }}"
+        mountpoint="/media/%(USER)/winshare"
+        options="dir_mode=0750,file_mode=0640"
+      ><not><or><user>ansible</user><user>Debian-gdm</user></or></not></volume>
+      <volume
+        fstype="fuse"
+        path="sshfs#%(USER)@{{ home_server }}:"
+        mountpoint="/home/%(USER)"
+        options="allow_other,default_permissions,reconnect,password_stdin"
+        ssh="0" noroot="0"
+      ><not><or><user>ansible</user><user>Debian-gdm</user></or></not></volume>
+    insertafter: "<!-- Volume definitions -->"

roles/fvs-sssd/defaults/main.yml

@@ -0,0 +1,2 @@
+basedn: "ou=Benutzer,ou=fvs,ou=SCHULEN,o=ml3"
+ldap_server: "ldap.steinbeisschule-reutlingen.de"

roles/fvs-sssd/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+- name: install needed packages
+  apt:
+    name:
+      - sssd-ldap
+    state: latest
+
+- name: add URI to ldap.conf
+  lineinfile:
+    dest: /etc/ldap/ldap.conf
+    line: "URI ldaps://{{ ldap_server }}/"
+    insertafter: "#URI.*"
+
+- name: add BASE to ldap.conf
+  lineinfile:
+    dest: /etc/ldap/ldap.conf
+    line: "BASE {{ basedn }}"
+    insertafter: "#BASE.*"
+
+- name: do not verify cert
+  lineinfile:
+    dest: /etc/ldap/ldap.conf
+    line: "LDAPTLS_REQCERT      never"
+
+- name: provide identities from directory
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: restart sssd