From e3396ef06cf8e4dde1bc68d391c613698da9a531 Mon Sep 17 00:00:00 2001
From: Raphael Dannecker
Date: Wed, 5 Feb 2025 13:15:42 +0100
Subject: [PATCH] Start firewalld when -exam user logs in

---
 roles/lmn_fvs/tasks/main.yml | 7 +++++++
 roles/lmn_printer/tasks/main.yml | 7 +++++++
 roles/lmn_vm/tasks/main.yml | 21 +++++++++++++++++++++
 3 files changed, 35 insertions(+)

diff --git a/roles/lmn_fvs/tasks/main.yml b/roles/lmn_fvs/tasks/main.yml
index de8c0b7..b71e5c9 100644
--- a/roles/lmn_fvs/tasks/main.yml
+++ b/roles/lmn_fvs/tasks/main.yml
@@ -150,6 +150,7 @@
 - pwroff
 - bootorder.sh
 - reporter
+ - pam-exec.sh

 - name: Provide services and timers for some scripts
 copy:
@@ -306,6 +307,12 @@
 font.pointSize: config.fontSize
 }

+- name: enable login script via pam_exec.so
+ lineinfile:
+ dest: /etc/pam.d/common-auth
+ line: "auth optional pam_exec.so /usr/local/sbin/pam-exec.sh"
+ when: "'teacherlaptop' not in group_names"
+
 - name: Set git default-branch to main
 ansible.builtin.copy:
 dest: /etc/gitconfig
diff --git a/roles/lmn_printer/tasks/main.yml b/roles/lmn_printer/tasks/main.yml
index 394c07c..0e86302 100644
--- a/roles/lmn_printer/tasks/main.yml
+++ b/roles/lmn_printer/tasks/main.yml
@@ -46,6 +46,13 @@
 state: stopped
 enabled: no

+- name: Permit access to cups from libvirt
+ ansible.posix.firewalld:
+ zone: libvirt
+ port: 631/tcp
+ permanent: true
+ state: enabled
+
 - name: Install install-printers.sh
 template:
 src: install-printers.sh.j2
diff --git a/roles/lmn_vm/tasks/main.yml b/roles/lmn_vm/tasks/main.yml
index e2d750f..16ff512 100644
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@@ -17,6 +17,7 @@
 - mktorrent
 - libvirt-daemon-system
 - virt-manager
+ - firewalld
 - dialog # for vm-netboot menu
 state: latest
 autoremove: true
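Review bot: `pam-exec.sh` is added to the list of scripts this task copies, but the script file itself is not part of the commit — the diffstat lists only the three `tasks/main.yml` files — so the copy task depends on `roles/lmn_fvs/files/pam-exec.sh` (or wherever this list is sourced from; the enclosing task starts outside the hunk) already existing, and a reviewer cannot see what the root-run PAM hook actually does. I would reference the script's location and a one-line summary of its behaviour in the commit message or in a comment next to the list entry, e.g. `- pam-exec.sh  # PAM hook: starts firewalld for -exam logins, see lmn_fvs/files`, so the PAM wiring two hunks further down can be reviewed against it.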
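Review bot: The hook is registered in the `auth` stack of `/etc/pam.d/common-auth`, so `/usr/local/sbin/pam-exec.sh` runs as root from the authentication phase of every PAM service that includes that file (on Debian-style systems typically sudo, su, login, sshd and the display manager), not only at interactive login, and whether it also fires on failed attempts depends on which `pam_deny`/`pam_permit` lines it lands after, because `lineinfile` without `insertafter` appends at end of file. For the stated intent ("when -exam user logs in") the session phase is the explicit fit: `line: "session optional pam_exec.so /usr/local/sbin/pam-exec.sh"` runs only after a successful authentication, when the session is opened. The task also has no `regexp`, so a later change of the command line appends a second entry instead of replacing the old one; `regexp: '^session\s+optional\s+pam_exec\.so'` (matching the chosen phase) keeps it idempotent. In the collapsed patch I cannot tell whether `when:` sits at task level or is indented under `lineinfile:`; the latter is rejected as an unsupported module parameter, so worth confirming. Since the script is not in the commit, a comment on the task such as `# runs as root for every PAM auth; PAM_USER is caller-supplied, script must validate it` would record the contract the script has to honour.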
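Review bot: The `ansible.posix.firewalld` task assumes both firewalld and a `libvirt` zone exist on hosts that run lmn_printer, but this role installs neither — the package is only added to `roles/lmn_vm/tasks/main.yml` in this same commit, and as far as I know the `libvirt` zone definition is shipped by libvirt, not by firewalld — so the task fails on any host that applies lmn_printer without lmn_vm. The rule is `permanent: true` with no `immediate`, which is consistent with firewalld being stopped at deploy time (lmn_vm stops and disables it) and only started later by the login hook, but that cross-role dependency is invisible here; a comment such as `# permanent only: firewalld is stopped until pam-exec.sh starts it at -exam login` above the task would save the next reader the lookup. The same two observations apply to the `Permit access to usersquid from libvirt` task (3128/tcp) in the lmn_vm role.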
@@ -28,6 +29,19 @@
 # insertafter: '#auth_unix_rw = "polkit"'
 # notify: reload libvirtd

+- name: disable firewalld-service
+ systemd:
+ name: firewalld
+ enabled: false
+ state: stopped
+
+- name: Add virbr0 to libvirt zone
+ ansible.posix.firewalld:
+ zone: libvirt
+ interface: virbr0
+ permanent: true
+ state: enabled
+
 - name: Configure pam_mount for VM bind mounts
 blockinfile:
 dest: /etc/security/pam_mount.conf.xml
@@ -172,6 +186,13 @@
 scope: global
 enabled: true

+- name: Permit access to usersquid from libvirt
+ ansible.posix.firewalld:
+ zone: libvirt
+ port: 3128/tcp
+ permanent: true
+ state: enabled
+
 - name: Deploy sudo configurations
 copy:
 src: "{{ item }}"
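Review bot: Nothing in the commit starts firewalld again after `disable firewalld-service` stops and disables the package the previous hunk installs — the subject says the login hook does it, but neither that start nor any stop at logout is visible here (pam-exec.sh is not included), so the host runs without firewalld until an `-exam` user authenticates and then keeps it running until something else stops it or the machine reboots. One practical consequence worth checking: in my experience, starting firewalld after libvirt has already brought up `virbr0` with its own iptables/nft rules replaces the ruleset, and libvirt's NAT/forwarding for the VM network is gone until libvirtd is reloaded, so a hook that only runs `systemctl start firewalld` may cut guest connectivity at the moment the exam firewall is supposed to come up; the `Add virbr0 to libvirt zone` task may be intended to cover this, but the page does not show that it does. I would document the intended lifecycle on the task, e.g. `# intentionally stopped: pam-exec.sh starts firewalld when an -exam user logs in; reverted on reboot`, and confirm in the script whether libvirtd is reloaded after the start.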