From 3c33cde8c621cd7b5fb272ebd045e37e6bbc893f Mon Sep 17 00:00:00 2001 From: "Andreas B. Mundt" Date: Wed, 24 Jan 2024 13:00:59 +0100 Subject: [PATCH 1/5] Webserver playbook for linuxmuster. --- lmn-www-server.yml | 43 ++++++++++++++++++++++++++++++++++ roles/kerberize/tasks/main.yml | 43 +++++++++++++++++----------------- 2 files changed, 64 insertions(+), 22 deletions(-) create mode 100644 lmn-www-server.yml diff --git a/lmn-www-server.yml b/lmn-www-server.yml new file mode 100644 index 0000000..fb751fc --- /dev/null +++ b/lmn-www-server.yml @@ -0,0 +1,43 @@ +## This playbook deploys a FvS web server machine. +--- +- name: apply configuration to the web server + hosts: all + remote_user: ansible + become: yes + pre_tasks: + - pause: + prompt: "Enter global-admin AD password. Leave empty to skip domain join" + echo: false + register: adpw + no_log: true + when: "ansible_cmdline.adpw is not defined" + vars: + domain: "pn.steinbeis.schule" + extra_pkgs: + - vim + - apache2 + - python3-flask + + extra_pkgs_bpo: [ ] # [ libreoffice ] + + roles: + - up2date_debian + - lmn_sssd + - kerberize + + tasks: + - name: Override home dir location + lineinfile: + dest: /etc/sssd/sssd.conf + line: override_homedir = /home/%u + + - name: enable pam_mkhomedir.so + lineinfile: + dest: /etc/pam.d/common-session + line: "session optional pam_mkhomedir.so umask=0026" + insertbefore: "session optional pam_mount.so" + + - name: enable apache mod userdir + apache2_module: + state: present + name: userdir diff --git a/roles/kerberize/tasks/main.yml b/roles/kerberize/tasks/main.yml index 25ec4db..ee17a3e 100644 --- a/roles/kerberize/tasks/main.yml +++ b/roles/kerberize/tasks/main.yml @@ -1,28 +1,27 @@ -- name: kerberize sshd server - lineinfile: - dest: /etc/ssh/sshd_config - line: "GSSAPIAuthentication yes" - insertafter: "#GSSAPIAuthentication no" +- name: Install kerberos packages + apt: + name: krb5-user + state: latest + +- name: Kerberize sshd server + ansible.builtin.copy: + dest: /etc/ssh/sshd_config.d/kerberize.conf + content: | + GSSAPIAuthentication yes notify: "reload sshd" -- name: kerberize ssh client, authenticate - lineinfile: - dest: /etc/ssh/ssh_config - line: "GSSAPIAuthentication yes" - insertafter: "# GSSAPIAuthentication no" +- name: Kerberize ssh client, authenticate and delegate credentials + ansible.builtin.copy: + dest: /etc/ssh/ssh_config.d/kerberize.conf + content: | + GSSAPIAuthentication yes + GSSAPIDelegateCredentials yes -- name: kerberize ssh client, delegate credentials - lineinfile: - dest: /etc/ssh/ssh_config - line: "GSSAPIDelegateCredentials yes" - insertafter: "# GSSAPIDelegateCredentials no" - - -- name: check if firefox is available +- name: Check if firefox is available stat: path=/etc/firefox-esr/firefox-esr.js register: firefox -- name: kerberize firefox for sites in the local domain +- name: Kerberize firefox for sites in the local domain lineinfile: dest: /etc/firefox-esr/firefox-esr.js line: "{{ item }}" @@ -32,12 +31,12 @@ - 'pref("network.negotiate-auth.trusted-uris", "{{ kerberize_uris | default(ansible_domain) }}");' when: firefox.stat.exists -- name: ensures /etc/chromium/policies/managed dir exists - file: +- name: Ensures /etc/chromium/policies/managed dir exists + file: path: "/etc/chromium/policies/managed" state: directory -- name: kerberize chromium for sites in the local domain +- name: Kerberize chromium for sites in the local domain copy: dest: /etc/chromium/policies/managed/idam.json content: | From 0a0e942fd09e04e9992a157da3f81febc85ebed9 Mon Sep 17 00:00:00 2001 From: "Andreas B. Mundt" Date: Thu, 25 Jan 2024 10:35:55 +0100 Subject: [PATCH 2/5] Remove update notification in task bar. Updates are managed centrally now and users cannot install them anyway. --- roles/lmn_fvs/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/lmn_fvs/tasks/main.yml b/roles/lmn_fvs/tasks/main.yml index adc3357..afffe10 100644 --- a/roles/lmn_fvs/tasks/main.yml +++ b/roles/lmn_fvs/tasks/main.yml @@ -50,6 +50,7 @@ - pulseview - python3-websockets - qpdfview + - shellcheck - sigrok - sigrok-cli - tmux @@ -64,6 +65,12 @@ environment: http_proxy: '' # this is needed to avoid ttf-mscorefonts-installer picking up aptcacher +- name: Remove update notifications from plasma-discover + apt: + name: + - plasma-discover + autoremove: true + state: absent - name: Make sure wireshark works for all users after installation and upgrades ansible.builtin.copy: From 138c4f7d7e28237c8b3209001f8da8ec128fd8b8 Mon Sep 17 00:00:00 2001 From: "Andreas B. Mundt" Date: Thu, 25 Jan 2024 10:47:49 +0100 Subject: [PATCH 3/5] Simplify netboot VM start by script. --- roles/lmn_vm/files/vm-netboot | 24 ++++++++++++++++++++++++ roles/lmn_vm/tasks/main.yml | 14 ++++++++++++++ 2 files changed, 38 insertions(+) create mode 100755 roles/lmn_vm/files/vm-netboot diff --git a/roles/lmn_vm/files/vm-netboot b/roles/lmn_vm/files/vm-netboot new file mode 100755 index 0000000..2b18831 --- /dev/null +++ b/roles/lmn_vm/files/vm-netboot @@ -0,0 +1,24 @@ +#!/usr/bin/bash +# +# Start a netboot VM +# +set -eu + +if [[ $# -eq 0 ]] ; then + arg="--memory 4096 --vcpu 4" +fi + +# find macvtap interface MAC address: +MAC="$(ip link | grep -A1 "vm-macvtap" | \ + sed -nE "s%\s+link/ether ([[:xdigit:]:]{17}) .+%\1%p")" + +XDG_CONFIG_HOME="/tmp/${UID}/.config" \ + exec virt-install \ + --name bookworm \ + --osinfo debiantesting \ + --nodisks --import \ + --pxe --boot loader=/usr/share/OVMF/OVMF_CODE_4M.fd,\ +loader.readonly=yes,loader.type=pflash,\ +nvram.template=/usr/share/OVMF/OVMF_VARS_4M.fd \ + --network type=ethernet,mac=${MAC},\ +target.dev=vm-macvtap,xpath1.set=./target/@managed=no $@ ${arg:-} diff --git a/roles/lmn_vm/tasks/main.yml b/roles/lmn_vm/tasks/main.yml index 46f0c20..8681ffe 100644 --- a/roles/lmn_vm/tasks/main.yml +++ b/roles/lmn_vm/tasks/main.yml @@ -247,3 +247,17 @@ command: sudo -u lmnsynci /usr/local/bin/sync-vm.sh -t register: result changed_when: result.stdout | length > 0 + +- name: Start virt-manager in session mode by default + ansible.builtin.copy: + dest: /usr/local/bin/virt-manager + content: | + #!/usr/bin/sh + exec /usr/bin/virt-manager --connect qemu:///session $@ + mode: '0755' + +- name: Copy vm-netboot script + ansible.builtin.copy: + src: vm-netboot + dest: /usr/local/bin/ + mode: '0755' From 1622106e3c9851c700f778a4045e47bc05bb3d02 Mon Sep 17 00:00:00 2001 From: "Andreas B. Mundt" Date: Thu, 25 Jan 2024 16:36:15 +0100 Subject: [PATCH 4/5] Calculate memory and number of CPUs for the VM. --- roles/lmn_vm/files/vm-netboot | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/roles/lmn_vm/files/vm-netboot b/roles/lmn_vm/files/vm-netboot index 2b18831..19036a9 100755 --- a/roles/lmn_vm/files/vm-netboot +++ b/roles/lmn_vm/files/vm-netboot @@ -1,24 +1,30 @@ #!/usr/bin/bash # -# Start a netboot VM +# Start a netboot VM connected to macvtap device and fraction of mem/cpus # set -eu -if [[ $# -eq 0 ]] ; then - arg="--memory 4096 --vcpu 4" -fi - -# find macvtap interface MAC address: -MAC="$(ip link | grep -A1 "vm-macvtap" | \ +mac="$(ip link | grep -A1 "vm-macvtap" | \ sed -nE "s%\s+link/ether ([[:xdigit:]:]{17}) .+%\1%p")" +if [[ $# -eq 0 ]] ; then + mem=$(sed -En "s/^MemTotal:\s+([0-9]+)\s+kB/\1/p" /proc/meminfo) + cpu=$(sed -En "0,/^cpu cores/s/^cpu cores\s+:\s+([0-9]+)/\1/p" /proc/cpuinfo) + arg="--memory $((mem/2048)) --vcpu $((cpu/2))" + echo "Set options: $arg" +fi + +loader='/usr/share/OVMF/OVMF_CODE_4M.fd,\ +loader.readonly=yes,loader.type=pflash,\ +nvram.template=/usr/share/OVMF/OVMF_VARS_4M.fd' + +type="ethernet,mac=${mac},target.dev=vm-macvtap,xpath1.set=./target/@managed=no" + XDG_CONFIG_HOME="/tmp/${UID}/.config" \ - exec virt-install \ + exec "virt-install \ --name bookworm \ --osinfo debiantesting \ --nodisks --import \ - --pxe --boot loader=/usr/share/OVMF/OVMF_CODE_4M.fd,\ -loader.readonly=yes,loader.type=pflash,\ -nvram.template=/usr/share/OVMF/OVMF_VARS_4M.fd \ - --network type=ethernet,mac=${MAC},\ -target.dev=vm-macvtap,xpath1.set=./target/@managed=no $@ ${arg:-} + --pxe --boot loader=$loader \ + --network type=$type \ + $* ${arg:-}" From cfae3f22edd89dcb004231bad60b5dae1c051395 Mon Sep 17 00:00:00 2001 From: "Andreas B. Mundt" Date: Sat, 27 Jan 2024 10:05:27 +0100 Subject: [PATCH 5/5] VM chooser menu and much faster direct kernel loading. --- roles/lmn_vm/files/vm-netboot | 59 ++++++++++++++++++++++++++--------- roles/lmn_vm/tasks/main.yml | 1 + 2 files changed, 46 insertions(+), 14 deletions(-) diff --git a/roles/lmn_vm/files/vm-netboot b/roles/lmn_vm/files/vm-netboot index 19036a9..dbb13bd 100755 --- a/roles/lmn_vm/files/vm-netboot +++ b/roles/lmn_vm/files/vm-netboot @@ -4,27 +4,58 @@ # set -eu +menu=(standard "CLI Standard Debian GNU/Linux" + kde-desktop "KDE Plasma Desktop Debian GNU/Linux" + gnome-desktop "Gnome Desktop Debian GNU/Linux") +img=$(dialog --clear --backtitle "Virtual Machine Chooser" \ + --title "Choose the Virtual Machine to Start" \ + --menu "Start VM:" 12 60 6 \ + "${menu[@]}" 2>&1 >/dev/tty) + +if [[ -z $img ]] ; then + echo "Starting VM canceled." + exit 1 +fi + mac="$(ip link | grep -A1 "vm-macvtap" | \ - sed -nE "s%\s+link/ether ([[:xdigit:]:]{17}) .+%\1%p")" + sed -nE "s%\s+link/ether ([[:xdigit:]:]{17}) .+%\1%p")" if [[ $# -eq 0 ]] ; then mem=$(sed -En "s/^MemTotal:\s+([0-9]+)\s+kB/\1/p" /proc/meminfo) cpu=$(sed -En "0,/^cpu cores/s/^cpu cores\s+:\s+([0-9]+)/\1/p" /proc/cpuinfo) - arg="--memory $((mem/2048)) --vcpu $((cpu/2))" - echo "Set options: $arg" + arg=("--memory=$((mem/2048))" "--vcpu=$((cpu/2))") + echo Set options: "${arg[@]}" +else + arg=("$@") fi -loader='/usr/share/OVMF/OVMF_CODE_4M.fd,\ -loader.readonly=yes,loader.type=pflash,\ -nvram.template=/usr/share/OVMF/OVMF_VARS_4M.fd' +kernel="http://livebox/d-i/n-live/$img/live/vmlinuz" +initrd="http://livebox/d-i/n-live/$img/live/initrd.img" +kargs=(boot=live components splash locales=de_DE.UTF-8 keyboard-layouts=de \ + swap=true live-config.timezone=Europe/Berlin netboot=nfs \ + "nfsroot=10.190.1.2:/srv/nfs/debian-live/$img/") type="ethernet,mac=${mac},target.dev=vm-macvtap,xpath1.set=./target/@managed=no" -XDG_CONFIG_HOME="/tmp/${UID}/.config" \ - exec "virt-install \ - --name bookworm \ - --osinfo debiantesting \ - --nodisks --import \ - --pxe --boot loader=$loader \ - --network type=$type \ - $* ${arg:-}" +## FIXME: use passt, needs more settings for correct DNS/gateway +# type=user,xpath1.create=./backend,xpath2.set=./backend/@type=passt,xpath3.create=./ip,xpath4.set=./ip/@family=ipv4,xpath5.set=./ip/@address=172.16.1.1,xpath6.set=./ip/@prefix=24,xpath7.create=./portForward,xpath8.set=./portForward/@proto=tcp,xpath9.set=./portForward/range/@start=2001,xpath10.set=./portForward/range/@end=2500,xpath11.set=./portForward/range/@to=1 + +case "$img" in + standard) + arg+=("--autoconsole=text") + kargs+=("console=ttyS0") + ;; + *) + ;; +esac + +http_proxy='' XDG_CONFIG_HOME="/tmp/${UID}/.config" \ + exec virt-install \ + --name "$img" \ + --osinfo debiantesting \ + --nodisks --import --noreboot --transient \ + --install kernel="$kernel",initrd="$initrd",kernel_args="${kargs[*]}" \ + --network "type=$type" "${arg[@]}" + +# --filesystem "$HOME",share +# mount -t 9p share /mnt diff --git a/roles/lmn_vm/tasks/main.yml b/roles/lmn_vm/tasks/main.yml index 8681ffe..7d7e1b6 100644 --- a/roles/lmn_vm/tasks/main.yml +++ b/roles/lmn_vm/tasks/main.yml @@ -16,6 +16,7 @@ - ctorrent - libvirt-daemon-system - virt-manager + - dialog # for vm-netboot menu state: latest autoremove: true