From d34bc5f15c5929de2bc2f799e79d301cf7278b6f Mon Sep 17 00:00:00 2001 From: "Andreas B. Mundt" Date: Wed, 27 Sep 2023 08:21:04 +0200 Subject: [PATCH] School's laptops like desktops. Add teachers (laptop) role. --- lmn-laptop.yml | 23 +++++++--- lmn-teachers.yml | 115 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 132 insertions(+), 6 deletions(-) create mode 100644 lmn-teachers.yml diff --git a/lmn-laptop.yml b/lmn-laptop.yml index 442ca51..6237d17 100644 --- a/lmn-laptop.yml +++ b/lmn-laptop.yml @@ -4,6 +4,22 @@ hosts: all remote_user: ansible become: yes + pre_tasks: + - pause: + prompt: "Enter global-admin AD password. Leave empty to skip domain join" + echo: false + register: adpw + no_log: true + when: "ansible_cmdline.adpw is not defined" + - name: preseed apparmor + debconf: + name: apparmor + question: apparmor/homedirs + value: >- + /srv/samba/schools/default-school/teachers/ + /srv/samba/schools/default-school/students/*/ + vtype: string + vars: domain: "{{ ansible_domain }}" kerberize_uris: steinbeis.schule @@ -44,6 +60,7 @@ - lmn_network - up2date_debian - lmn_sssd + - lmn_mount - lmn_kde - lmn_fvs ## school specific customization - lmn_vm @@ -62,12 +79,6 @@ append: yes when: false - - name: enable pam_mkhomedir.so - lineinfile: - dest: /etc/pam.d/common-session - line: "session optional pam_mkhomedir.so umask=0022" - insertbefore: "# end of pam-auth-update config" - - name: Fix 8086:4909 external graphics card replace: dest: "/etc/default/grub" diff --git a/lmn-teachers.yml b/lmn-teachers.yml new file mode 100644 index 0000000..b2b5587 --- /dev/null +++ b/lmn-teachers.yml 
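Review bot: The new `pause` pre-task in lmn-laptop.yml is skipped when `ansible_cmdline.adpw` is defined, so the global-admin AD password may be supplied on the kernel command line, where every local user can read it through /proc/cmdline and where it tends to linger in boot-loader or netboot configuration. The hunk does not show where `adpw` is consumed, so the tasks or roles that use it should be checked for `no_log: true` as well. Consider a join account that is delegated only the right to add machines, and record the risk above the task, e.g. `## adpw on the kernel cmdline is world-readable; use a one-time join password only`. The task also has no name; `- name: ask for the AD join password` would make the run output and any skip easier to audit.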
@@ -0,0 +1,115 @@
+## This playbook deploys a KDE desktop machine for LinuxMuster.
+---
+- name: apply configuration to the machines
+ hosts: all
+ remote_user: ansible
+ become: yes
+ vars:
+ domain: "{{ ansible_domain }}"
+ kerberize_uris: steinbeis.schule
+ apt_conf: Acquire::http::Proxy "http://aptcache.pn.steinbeis.schule:3142/";
+ ntp_serv: server.pn.steinbeis.schule
+ proxy: http://firewall.pn.steinbeis.schule:3128
+ no_proxy: firewall.pn.steinbeis.schule,server.pn.steinbeis.schule,idam.steinbeis.schule,dw.steinbeis.schule,.pn.steinbeis.schule,.steinbeis.schule
+
+ ## PAM mount nextcloud, remove or leave empty to skip:
+ web_dav: https://nc.steinbeis.schule/remote.php/dav/files/%(USER)
+
+ ## Local mirror for mscorefonts. Remove or leave empty to use no mirror:
+ mirror_msfonts: http://livebox.pn.steinbeis.schule/mscorefonts/
+
+ rsyncsecret: Muster!
+ keys2deploy:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOY0hChWaCDtuiuQcM0v4/u1499esjTtnMjl4uYlnS0 andi@netboot'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAN5ylqP936MPjGNxzrzV5jMwIfMhKJdOGuVh3xGQKTM andi@yogi'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxgeu7Rpb/1++531+MopqP9haUkyh1XXpv5kmbgSjx6'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbdOT+WSDmsBcaVFfzPRcmvOfd3CqO/FBOH44UVm7c7 raphael@uranus'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGICjy88HnMg5oaz4BJ20hgzqFWSem+HHD2PQ+As42pA raphael@pluto'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKm9lu9dDo5TG99QWTkl2G5G+ZbYikLlRNOXfs/bRTHy sascha@america'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMR4TP7jE+wS7zcH0iUBmlxCbvy9saYeEjonX/0yYfEJ daniel@NB-20-DW'
+
+ ## Use grub-mkpasswd-pbkdf2 to calculate the password hash:
+ grub_pwd: 'grub.pbkdf2.sha512.10000.FB60266F69FB181327AFB76193192454FC64151559EFF4D6B8FB7C7904A2A9C4778EDD515B46F770DB6A009F36903C193917BBBC571C5B6AAB2A69208BE01A6E.7B82114A0239C0EC55A50E95C48FA74A8910DEE4088447786DAB35770B9C2CF2D1550CF3B7452155EB55D5F84E5D357BF12B8D299CF9B01BF5D71D516CF826DB'
+ nfs4: false
+ extra_pkgs:
+ - vim
+ - mc
+ - tmux
+ - krb5-user
+ - unattended-upgrades
+ - debconf-utils
+ extra_pkgs_bpo: [] # [ linux-image-amd64 ]
+
+ roles:
+ - lmn_network
+ - up2date_debian
+ - lmn_sssd
+ - lmn_kde
+ - lmn_mount
+ - lmn_fvs ## school specific customization
+ - lmn_vm
+ - lmn_printer
+ - kerberize
+ - lmn_security
+
+ tasks:
+ - name: Add local user 'virti' in the 'libvirt' group
+ ansible.builtin.user:
+ name: virti
+ password: $y$j9T$DuSvAO63v5LvoJmJ1rB0B0$D4tovIz79AdLHs5I6tYa7rxr3SWknQeUFvGaaKvUpo3
+ comment: Libvirt VM User,,,
+ shell: /bin/bash
+ groups: libvirt
+ append: yes
+ when: false
+
+ - name: enable pam_mkhomedir.so
+ lineinfile:
+ dest: /etc/pam.d/common-session
+ line: "session optional pam_mkhomedir.so umask=0022"
+ insertbefore: "# end of pam-auth-update config"
+
+ - name: Fix 8086:4909 external graphics card
+ replace:
+ dest: "/etc/default/grub"
+ regexp: 'GRUB_CMDLINE_LINUX=""$'
+ replace: 'GRUB_CMDLINE_LINUX="i915.force_probe=4909"'
+ notify: Run update-grub
+ when: ansible_board_vendor == "LENOVO" and ansible_board_name == "32CB"
+
+ - name: Fix sound on 312A
+ replace:
+ dest: "/etc/default/grub"
+ regexp: 'GRUB_CMDLINE_LINUX="snd-intel-dspcfg.dsp_driver=1"$'
+ replace: 'GRUB_CMDLINE_LINUX=""'
+ notify: Run update-grub
+ when: ansible_board_vendor == "LENOVO" and ansible_board_name == "312A"
+
+ - name: Fix sound on 312A and 312D
+ apt:
+ name: firmware-sof-signed
+ state: latest
+ when: >
+ ansible_board_vendor == "LENOVO" and
+ (ansible_board_name == "312D" or ansible_board_name == "312A")
+
+## bullseye fixes:
+ - name: add bookworm firmware repository if needed
+ apt_repository:
+ repo: deb http://deb.debian.org/debian/ bookworm non-free-firmware
+ state: present
+ update_cache: true
+ when: >
+ ansible_board_vendor == "LENOVO" and
+ ansible_board_name == "32CB" and
+ ansible_distribution_release == "bullseye"
+
+ - name: upgrade non-free-firmware packages
+ apt:
+ upgrade: true
+ autoremove: true
+ autoclean: true
+ when: >
+ ansible_board_vendor == "LENOVO" and
+ ansible_board_name == "32CB" and
+ ansible_distribution_release == "bullseye"
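Review bot: The `vars:` block of the new lmn-teachers.yml commits credentials to the repository: `rsyncsecret: Muster!` is a plaintext shared secret, and both `grub_pwd` (PBKDF2 at 10000 iterations) and the `password:` hash on the disabled `virti` task are exposed to offline guessing by anyone who can read the repo. Move them into an Ansible Vault file or prompt for them at run time, e.g. `rsyncsecret: "{{ vault_rsyncsecret }}"` (the variable name is a placeholder), and rotate the values that are already published. Separately, the `enable pam_mkhomedir.so` task creates home directories with `umask=0022`, which leaves them readable by every other local account on a shared teacher laptop; `line: "session optional pam_mkhomedir.so umask=0077"` is the safer default. The header comment still says "KDE desktop machine" and should name the teachers' laptop role so the two playbooks are not confused.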