Make lmn-client a separate repository.

Remove all playbooks and roles not used for the lmn-client playbook. They are almost all maintained within the debian-lan-ansible project at: https://salsa.debian.org/andi/debian-lan-ansible/
2024-03-12 18:34:58 +01:00 · 2024-03-12 18:34:58 +01:00 · e7aa91e7f8
commit e7aa91e7f8
parent fe7ec2f2e9
209 changed files with 0 additions and 5758 deletions
--- a/123
+++ b/123
@ -1,123 +0,0 @@
        Run Debian in your Local Area Network
       =======================================
 The goal of the "Debian Local Area Network"-project is to make setting
 up Debian in a local area network as easy as possible.  This repository
 offers ansible playbooks and instructions for the following machines:
 • installbox:  orchestration of automatic installs in the LAN
     - set up as gateway to some external network (WAN)
     - provides TFTP installations on the LAN interface
     - automatic installs: preseeding and ansible playbooks
     - package cache
 • kerberox:  serving a minimalistic kerberized LAN
     - automatic TFTP installation of clients
     - centralized home directories on kerberized NFS
     - simple script to manage users and machines
 • kerberox-client:  the client for the kerberized LAN
 • sambox and -client:  comparable to the kerberox setup, but
   home directories are shared via sshfs or the smb protocol. 
 • cloudbox:  nextcloud server in the basement
     - setup of a home cloud server
     - dynamic DNS name
     - nextcloud
     - backup with borg
     - …
 • kiosk:  school's computer, hackerspace, …
     - auto login user
     - reasonable defaults
     - temporary home directory on tmpfs, reset at boot
 • edubox:  deploy a set of containers for training/teaching
 Contributions like patches, suggestions, pull requests and/or further
 profiles are highly appreciated!
 ----------------------------
 Instructions
 ==============
 Installbox
 ~~~~~~~~~~
 • standard Debian installation:
   - user 'ansible' in sudo group
   - WAN interface configured and connected
   - LAN interface not configured/managed
 • optional:  customize installbox.yml
 • run ansible:
     ssh-copy-id ansible@1.2.3.4
     ansible-playbook installbox.yml -v --become --ask-become-pass -u ansible -i 1.2.3.4,
 • the installbox can be used to install all other profiles
 Kerberox, Sambox
 ~~~~~~~~~~~~~~~~
 • standard Debian installation:
   - user 'ansible' in sudo group
   - WAN interface configured and connected
   - LAN interface not configured/managed
 • optional:  customize kerberox.yml
 • run ansible:
     ssh-copy-id ansible@1.2.3.4
     ansible-playbook kerberox.yml -v --become --ask-become-pass -u ansible -i 1.2.3.4,
 Kerberox and installbox provide a local ansible configuration space
 which can be used to install clients and/or to check/modify the local
 installation.  To do the latter, cd into 'debian-lan' and run:
   'ansible-playbook --ask-become-pass -v  -i localhost, -c local  kerberox.yml'
 The kerberox-clients are automatically installed using the included TFTP netboot
 installer within the LAN.
 Cloudbox
 ~~~~~~~~
 • Debian installation:
   - user 'ansible' in sudo group
 • check/customize cloudbox.yml
 • download latest nextcloud-*.*.*.tar.bz2 archive and place it as nextcloud.tar.bz2
   in your debian-lan-ansible directory
 • run ansible:
     ssh-copy-id ansible@1.2.3.4
     ansible-playbook cloudbox.yml -v --become --ask-become-pass -u ansible -i 1.2.3.4,
 • use 'nc-admin' with password in '/root/nc-admin.pwd' to log into nextcloud.
 Kiosk
 ~~~~~
 • Debian installation:
   - user 'ansible' in sudo group
 • customize kiosk.yml:
   - WiFi parameters
   - package selection: extra_pkgs and extra_pkgs_bpo for backports
   - desktop environment
 • run ansible:
     ssh-copy-id ansible@1.2.3.4
     ansible-playbook kiosk.yml -v --become --ask-become-pass -u ansible -i 1.2.3.4,
 Edubox
 ~~~~~~
 • Debian installation:
   - user 'ansible' in sudo group
 • customize edubox.yml
 • run ansible:
     ssh-copy-id ansible@1.2.3.4
     ansible-playbook edubox.yml -v --become --ask-become-pass -u ansible -i 1.2.3.4,
--- a/README.kerberox
+++ b/README.kerberox
@ -1,14 +0,0 @@
 ## After installation of the clients, prepare and copy all machine
 ## credentials to the machines in the following way:
 ## Log into the Kerberos KDC (kerberox).
 ## Find the kadmin password to be used soon:
     sudo cat /root/kadmin.pwd
 ## Then:
     cd /home/ansible/debian-lan/
     ansible-playbook --ask-become-pass kerberox-client.yml \
                      --ssh-common-args='-o StrictHostKeyChecking=no'
 ## Enter the 'BECOME' password and the kadmin password obtained above.
--- a/cloudbox.yml
+++ b/cloudbox.yml
@ -1,54 +0,0 @@
 ---
 # This playbook deploys the cloudbox on a minimal installation.
 - name: apply configuration to the cloudbox
  # hosts: cloudboxes ## 'all' is needed to make ansible-pull work
  hosts: all
  remote_user: ansible
  become: true
  vars:
    if_lan: "enp1s0"
    ipaddr: "192.168.2.50/24"
    gateway: "192.168.2.1"
    dns: "192.168.2.1"
    ddns_domain: "something.ddnss.de"
    ddns_updkey: "138638.some.key.here.635620"
    ## 'nc_download' and 'nc_checksum' are only
    ## used for ansible-pull during installation:
    nc_download: "https://download.nextcloud.com/server/releases/latest.tar.bz2"
    nc_checksum: "sha256:d32a8f6c4722a45cb67de7018163cfafcfa22a871fbac0f623c3875fa4304e5a"
    nc_apps:
      - calendar
      - notes
    backup_opts: "--exclude-caches -e '*/updater-*/' -e '*/preview/*' -e '*/files_trashbin/*'"
    backup_dirs:
      - "/etc"
      - "{{ nc_dir }}"
      - "{{ data_dir }}"
    ansible_python_interpreter: "/usr/bin/python3"
  roles:
    - up2date_debian
 #    - ddnsupdate
 #    - lowpower
    - nextcloud
    - nextcloudupgrade
    - kerberize
 #    - backup
 ## Hosts in the the 'only_nextcloud'-group are only upgraded:
 - name: upgrade nextcloud only
  hosts: only_nextcloud
  remote_user: ansible
  become: true
  vars:
    nc_dir: "/var/www/nextcloud"
    nc_apps:
      - calendar
      - notes
    ansible_python_interpreter: "/usr/bin/python3"
  roles:
    - up2date_debian
    - nextcloudupgrade
--- a/edubox.yml
+++ b/edubox.yml
@ -1,68 +0,0 @@
 ---
 ## This playbook deploys a series of minimal systemd-nspawn containers
 ## for educational use on a host, for example to learn ansible!
 ## All containers use an apt cache on the host system and forward port
 ## 22 (ssh), 80 (http) and 443 (https) to ports >= 10000, 10100 and 10200
 ## respectively.  A user 'ansi' in the 'sudo' group is prepared,
 ## either with empty password or an initial password to be set below.
 ##
 ## Modifications of the initial containers are kept in an overlay
 ## directory next to the container images in '/var/lib/machines/'.
 ## This allows to visit and compare the work of students on the host.
 ## To manage the containers after installation, run the playbook with
 ## one of the the following tags:
 ##
 ##    --tags=start    start all containers
 ##    --tags=stop     stop all containers
 ##    --tags=restart  stop, then start all containers
 ##    --tags=reset    reset all containers to the initial image
 ##    --tags=purge    purge all containers
 ##    --tags=setup    purge all containers and setup again
 ##
 - name: apply configuration to the edubox
  hosts: all # eduboxes
  remote_user: ansible
  become: true
  vars:
    contname: cont
    ## User name for the user in the container:
    contuser: ansi
    ## Password for the user 'ansible' in the container,
    ## leave empty to log in without password:
    contpwd: ""
    ## Adjust the number of containers here:
    containers: "{{ range(0, 49 + 1) | list }}"
    ## Additional packages to be installed in the container:
    cont_packages_extra:
      - bind9-dnsutils
      - file
      - locales
      - xz-utils
      - lsof
      - wget
      - bind9-host
      - libc-l10n
      - traceroute
      - bzip2
      - netcat-traditional
      - telnet
  pre_tasks:
    - name: install apt-cacher-ng
      apt:
        name:
          - apt-cacher-ng
          - auto-apt-proxy
        state: latest # noqa package-latest
    - name: enable and start systemd-networkd on the host
      systemd:
        name: systemd-networkd
        state: started
        enabled: true
  roles:
    - up2date_debian
    - educontainer
    - networkdresolved
--- a/fvs-desktop.yml
+++ b/fvs-desktop.yml
@ -1,58 +0,0 @@
 ## This playbook deploys a FvS desktop machine.
 ---
 - name: apply configuration to the machines
  hosts: all
  remote_user: ansible
  become: yes
  vars:
    extra_pkgs:
      - webext-privacy-badger
      - webext-ublock-origin
      - vim
      - emacs
      - elpa-magit
      - elpa-color-theme-modern
      - vlc
      - gimp
      - inkscape
      - bluefish
      - git
      - gitk
      - gitg
      - mc
      - tmux
      - wireshark
      - nmap
      - netcat-openbsd
      - net-tools
      - ghex
      - thonny
      - spyder
      - mu-editor
      - dia
      - vym
      - tree
      - console-setup
      - virt-manager
      - libreoffice-l10n-de
    extra_pkgs_bpo: [ libreoffice ] # [ linux-image-amd64 ]  # [ libreoffice ]
    ansible_python_interpreter: "/usr/bin/python3"
  roles:
    - up2date_debian
    - fvs-sssd
    - fvs-mount
    - fvs-client
    ## Choose either gnome or KDE:
    - gnome
    #- kde
  tasks:
    - name: Add local user 'virti' in the 'libvirt' group
      ansible.builtin.user:
        name: virti
        password: $y$j9T$DuSvAO63v5LvoJmJ1rB0B0$D4tovIz79AdLHs5I6tYa7rxr3SWknQeUFvGaaKvUpo3
        comment: Libvirt VM User,,,
        shell: /bin/bash
        groups: libvirt
        append: yes
--- a/fvs-home-server.yml
+++ b/fvs-home-server.yml
@ -1,21 +0,0 @@
 ## This playbook deploys a FvS home server machine.
 ---
 - name: apply configuration to the home server
  hosts: all
  remote_user: ansible
  become: yes
  vars:
    extra_pkgs:
      - vim
    extra_pkgs_bpo: [ ]  # [ libreoffice ]
  roles:
    - up2date_debian
    - fvs-sssd
  tasks:
    - name: enable pam_mkhomedir.so
      lineinfile:
        dest: /etc/pam.d/common-session
        line: "session	optional	pam_mkhomedir.so  umask=0027"
        insertbefore: "session	optional	pam_mount.so"
--- a/fvs-homex-server.yml
+++ b/fvs-homex-server.yml
@ -1,17 +0,0 @@
 ## This playbook deploys a FvS homex server machine.
 ---
 - name: apply configuration to the homex server
  hosts: all
  remote_user: ansible
  become: yes
  vars:
    extra_pkgs:
      - vim
      - systemd-journal-remote
      - python3-ldap
    extra_pkgs_bpo: [ ]
  roles:
    - up2date_debian
    - fvs-sssd
    - exam_homes
--- a/fvs-vm-server.yml
+++ b/fvs-vm-server.yml
@ -1,34 +0,0 @@
 ## This playbook deploys a FvS VM server machine.
 ---
 - name: apply configuration to the VM server
  hosts: all
  remote_user: ansible
  become: yes
  vars:
    extra_pkgs:
      - vim
      - libvirt-daemon-system
    extra_pkgs_bpo: [ ]  # [ libreoffice ]
  roles:
    - up2date_debian
    - fvs-sssd
  tasks:
    - name: enable pam_mkhomedir.so
      lineinfile:
        dest: /etc/pam.d/common-session
        line: "session	optional	pam_mkhomedir.so  umask=0027"
        insertbefore: "session	optional	pam_mount.so"
    - name: allow all users to use VMs
      lineinfile:
        dest: /etc/libvirt/libvirtd.conf
        line: 'auth_unix_rw = "none"'
        insertafter: '#auth_unix_rw = "polkit"'
    - name: shared directory for ISO installer images
      file:
        path: /home/ISOsVM
        state: directory
        mode: '1777'
--- a/fvs-www-server.yml
+++ b/fvs-www-server.yml
@ -1,29 +0,0 @@
 ## This playbook deploys a FvS web server machine.
 ---
 - name: apply configuration to the web server
  hosts: all
  remote_user: ansible
  become: yes
  vars:
    extra_pkgs:
      - vim
      - apache2
      - python3-flask
    extra_pkgs_bpo: [ ]  # [ libreoffice ]
  roles:
    - up2date_debian
    - fvs-sssd
  tasks:
    - name: enable pam_mkhomedir.so
      lineinfile:
        dest: /etc/pam.d/common-session
        line: "session	optional	pam_mkhomedir.so  umask=0026"
        insertbefore: "session	optional	pam_mount.so"
    - name: enable apache mod userdir
      apache2_module:
        state: present
        name: userdir
--- a/host_vars/blackbox.yml
+++ b/host_vars/blackbox.yml
@ -1,4 +0,0 @@
 allow_download: true
 backup_dirs_extra:
  - /home
 backup_opts_extra: ""
--- a/host_vars/bluebox.yml
+++ b/host_vars/bluebox.yml
@ -1 +0,0 @@
 allow_download: true
--- a/installbox.yml
+++ b/installbox.yml
@ -1,46 +0,0 @@
 ---
 ## This playbook deploys the installbox.  Add 'hostname=XXX' and
 ## 'domain=YYY' to the installer boot parameters to set hostname and
 ## domain.
 - name: apply configuration to the installbox
  hosts: all
  remote_user: ansible
  become: true
  vars:
    ## This interface provides the default route:
    if_wan: "{{ ansible_default_ipv4.interface }}"
    ## Use the first remaining interface for the LAN:
    if_lan: "{{ ansible_interfaces | difference([if_wan, 'lo']) | first }}"
    ## LAN IP address range:
    ipaddr_lan: 192.168.0.10/24
    dhcp_start: 192.168.0.50
    dhcp_stop: 192.168.0.150
    in_inventory: 192.168.0.[50:150]
    di_dist: "{{ ansible_distribution_release }}"
    di_version: "{{ ansible_distribution_major_version }}"
    di_pkg: "debian-installer-{{ di_version }}-netboot-amd64"
    ansible_user: ansible
    repo_dir: "/home/{{ ansible_user }}/debian-lan"
    ansible_python_interpreter: "/usr/bin/python3"  ## needed for firewalld module
  pre_tasks:
    - name: validate if interfaces are available
      fail:
        msg: "Interfaces {{ ansible_interfaces }} found. WAN: '{{ if_wan }}', LAN: '{{ if_lan }}'.  Two NICs needed."
      when: (if_lan not in ansible_interfaces) or (if_wan not in ansible_interfaces) or (if_lan == if_wan)
  roles:
    - up2date_debian
    - firewalld2if
    - dnsmasq
    - netbootinstaller
    - aptcacher
    - prepare4clients
--- a/installbox6.yml
+++ b/installbox6.yml
@ -1,36 +0,0 @@
 ---
 ## This playbook deploys the installbox6.  Add 'hostname=XXX' and
 ## 'domain=YYY' to the installer boot parameters to set hostname and
 ## domain.
 ## FIXME: works only on bookworm (kea-dhcp6, atftpd)
 - name: apply configuration to the installbox6
  hosts: all
  remote_user: ansible
  become: true
  vars:
    ## This interface provides the default route:
    if_lan: "{{ ansible_default_ipv4.interface }}"
    prefix: '2001:db8:b001::/64'
    ## Find the IPv6 address: FIXME: not needed anymore?
    ipv6_lan: "{{ prefix | ipaddr('address') | slaac(ansible_default_ipv4.macaddress) }}"
    di_dist: "{{ ansible_distribution_release }}"
    di_version: 11 # "{{ ansible_distribution_major_version }}"
    di_pkg: "debian-installer-{{ di_version }}-netboot-amd64"
    extra_pkgs: [binutils] # FIXME: missing dependency in di-netboot-assistant
    ansible_user: ansible
    repo_dir: "/home/{{ ansible_user }}/debian-lan"
    ansible_python_interpreter: "/usr/bin/python3"  ## needed for firewalld module
  roles:
    - up2date_debian
    - dhcp6radvdatftpd
    - netbootinstaller
    - aptcacher
    - prepare4clients
--- a/kerberox-client.yml
+++ b/kerberox-client.yml
@ -1,27 +0,0 @@
 ---
 # This playbook deploys a client for the kerberox LAN.
 - name: apply configuration to the machines
  hosts: all
  remote_user: ansible
  become: true
  vars:
    extra_pkgs:
      - webext-privacy-badger
      - webext-ublock-origin
      - krb5-auth-dialog
    extra_pkgs_bpo: []  # [ libreoffice ]
    ansible_python_interpreter: "/usr/bin/python3"
  vars_prompt:
    - name: "kadmin_pwd"
      prompt: "Provide kadmin password to fetch kerberos keytab.\nLeave empty if done already"
      private: true
  roles:
    - up2date_debian
    - lanclient
    - kerberize
    ## Choose either gnome or KDE:
    # - gnome
    # - kde
--- a/kerberox.yml
+++ b/kerberox.yml
@ -1,62 +0,0 @@
 ---
 ## This playbook deploys the kerberox server.   Add 'hostname=XXX' and
 ## 'domain=YYY' to the installer boot parameters to set hostname and domain.
 - name: apply configuration to the kerberox server
  hosts: all
  remote_user: ansible
  become: true
  vars:
    ## This interface provides the default route:
    if_wan: "{{ ansible_default_ipv4.interface }}"
    ## Use the first remaining interface for the LAN:
    if_lan: "{{ ansible_interfaces | difference([if_wan, 'lo']) | first }}"
    ## LAN IP address range:
    ipaddr_lan: 192.168.0.10/24
    ipaddr_lan_threeoct: "{{ ipaddr_lan.split('.')[0:3] | join('.') }}"
    ipaddr_lan_ptr: "{{ (ipaddr_lan | ipaddr('revdns')).split('.')[1:] | join('.') }}"
    ipaddr_lan_ptr_threeoct: "{{ ipaddr_lan_ptr.split('.')[0:3] | join('.') }}"
    dhcp_start: 192.168.0.50
    dhcp_stop: 192.168.0.150
    in_inventory: 192.168.0.[50:150]
    di_dist: "{{ ansible_distribution_release }}"
    di_version: "{{ ansible_distribution_major_version }}"
    di_pkg: "debian-installer-{{ di_version }}-netboot-amd64"
    ansible_user: ansible
    repo_dir: "/home/{{ ansible_user }}/debian-lan"
    ansible_python_interpreter: "/usr/bin/python3"  ## needed for firewalld module
  vars_prompt:
    - name: "foo_pwd"
      prompt:
        In case you would like to prepare a test user 'foo' and have
        not done so yet, provide foo's password here.  Leave empty to
        just continue
      private: true
  pre_tasks:
    - name: validate if interfaces are available
      fail:
        msg: "Interfaces {{ ansible_interfaces }} found. WAN: '{{ if_wan }}', LAN: '{{ if_lan }}'.  Two NICs needed."
      when: (if_lan not in ansible_interfaces) or (if_wan not in ansible_interfaces) or (if_lan == if_wan)
  roles:
    - up2date_debian
    - firewalld2if
    - dnsmasq
    - netbootinstaller
    - aptcacher
    - role: krb5kdcldap
      when: not run_in_installer|default(false)|bool
    - role: nfsserver
      when: not run_in_installer|default(false)|bool
    - prepare4clients
    - kerberize
--- a/kiosk.yml
+++ b/kiosk.yml
@ -1,22 +0,0 @@
 ---
 # This playbook deploys a kiosk-computer
 - name: apply configuration to the machines
  hosts: all
  remote_user: ansible
  become: true
  vars:
    auto_user: debi
    wifi_ssid: "YOUR SSID HERE"
    wifi_passwd: "YOUR WIFI-PW HERE"
    extra_pkgs:
      - webext-privacy-badger
      - webext-ublock-origin
    extra_pkgs_bpo: []  # [ libreoffice ]
  roles:
    - up2date_debian
    ## Choose either gnome or KDE:
    - gnome
    # - kde
    - kiosk
--- a/livebox.yml
+++ b/livebox.yml
@ -1,89 +0,0 @@
 ## This playbook deploys the LiveBox.
 ##
 ## The LiveBox provides Debian Live and Installer images on top
 ## of an already existing network with minimal modifications to
 ## existing infrastructure.  It does not provide DHCP; the idea
 ## is to chainload the LiveBox' menu (iPXE or Grub) from PXE
 ## infrastructure already in place.
 ##
 ## To chainload the LiveBox in iPXE use:
 ##  > item livebox Chainload Menu from LiveBox
 ##  > …
 ##  > :livebox chain tftp://livebox.lan/d-i/n-a/menu.ipxe
 ##
 ## To chainload the LiveBox in Grub use:
 ##  > menuentry 'Chainload Menu from LiveBox' {
 ##  >   configfile (tftp,livebox.lan)/d-i/n-a/grub/grub.cfg
 ##  > }
 ##
 ---
 - name: apply configuration to the livebox
  hosts: all
  remote_user: ansible
  become: true
  vars:
    extra_pkgs:
      - lighttpd
      - nfs-kernel-server
    extra_pkgs_bpo:
      - atftpd
      - di-netboot-assistant
      - apt-cacher-ng
    live_desktop:
      - gnome
      - kde
      - standard
    live_url: 'https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/current-live/amd64/iso-hybrid/'
    # The edulive role generates customized Debian-Live images.
    # Make sure you have sufficient disk space available (~30GiB?).
    build_images:
      - gnome-edu
    di_dist: "{{ ansible_distribution_release }}"
    di_version: "{{ ansible_distribution_major_version }}"
    di_pkg: "debian-installer-{{ di_version }}-netboot-amd64"
    boot_params:
      - boot=live
      - netboot=nfs
      - components
      - locales=de_DE.UTF-8
      - keyboard-layouts=de
      - quiet
      - splash
 #      - noroot
    ansible_python_interpreter: "/usr/bin/python3"
  pre_tasks:
    - name: preseed atftpd
      debconf:
        name: atftpd
        question: atftpd/basedir
        value: /var/lib/tftpboot
        vtype: string
    - name: find available iso images
      uri:
        url: "{{ live_url }}"
        return_content: true
      register: idx
    - name: find and set ISO image version
      set_fact:
        version: "{{ idx.content | regex_findall('debian-live-(\\d+\\.\\d+\\.\\d+)-amd64-', '\\1') | first }}"
    - name: define ISO image map
      set_fact:
        live_iso: "{{ live_iso | default({}) | combine({ item: 'debian-live-' + version + '-amd64-' + item + '+nonfree.iso' }) }}"
      loop: "{{ live_desktop }}"
  roles:
    - up2date_debian
    - netbootinstaller
    - aptcacher
    - debianlive
    - edulive
--- a/lmn-teacher.yml
+++ b/lmn-teacher.yml
@ -1,72 +0,0 @@
 ## This playbook deploys a KDE teacher's laptop machine for LinuxMuster.
 ---
 - name: apply configuration to the machines
  hosts: all
  remote_user: ansible
  become: yes
  pre_tasks:
    - name: Preseed unattended-upgrades
      debconf:
        name: unattended-upgrades
        question: unattended-upgrades/enable_auto_updates
        value: True
        vtype: boolean
  vars:
    domain: "{{ ansible_domain }}"
    kerberize_uris: steinbeis.schule
    apt_conf: Acquire::http::Proxy "http://aptcache.pn.steinbeis.schule:3142/";
    ntp_serv: server.pn.steinbeis.schule
    proxy: http://firewall.pn.steinbeis.schule:3128
    no_proxy: firewall.pn.steinbeis.schule,server.pn.steinbeis.schule,idam.steinbeis.schule,dw.steinbeis.schule,.pn.steinbeis.schule,.steinbeis.schule
    ## PAM mount nextcloud, remove or leave empty to skip:
    web_dav: https://nc.steinbeis.schule/remote.php/dav/files/%(USER)
    ## Local mirror for mscorefonts. Remove or leave empty to use no mirror:
    mirror_msfonts: http://livebox.pn.steinbeis.schule/mscorefonts/
    rsyncsecret: Muster!
    keys2deploy:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOY0hChWaCDtuiuQcM0v4/u1499esjTtnMjl4uYlnS0 andi@netboot'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAN5ylqP936MPjGNxzrzV5jMwIfMhKJdOGuVh3xGQKTM andi@yogi'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxgeu7Rpb/1++531+MopqP9haUkyh1XXpv5kmbgSjx6'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbdOT+WSDmsBcaVFfzPRcmvOfd3CqO/FBOH44UVm7c7 raphael@uranus'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGICjy88HnMg5oaz4BJ20hgzqFWSem+HHD2PQ+As42pA raphael@pluto'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKm9lu9dDo5TG99QWTkl2G5G+ZbYikLlRNOXfs/bRTHy sascha@america'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMR4TP7jE+wS7zcH0iUBmlxCbvy9saYeEjonX/0yYfEJ daniel@NB-20-DW'
    ## Use grub-mkpasswd-pbkdf2 to calculate the password hash:
    grub_pwd: 'grub.pbkdf2.sha512.10000.FB60266F69FB181327AFB76193192454FC64151559EFF4D6B8FB7C7904A2A9C4778EDD515B46F770DB6A009F36903C193917BBBC571C5B6AAB2A69208BE01A6E.7B82114A0239C0EC55A50E95C48FA74A8910DEE4088447786DAB35770B9C2CF2D1550CF3B7452155EB55D5F84E5D357BF12B8D299CF9B01BF5D71D516CF826DB'
    nfs4: false
    extra_pkgs:
      - vim
      - mc
      - tmux
      - krb5-user
      - unattended-upgrades
      - debconf-utils
    extra_pkgs_bpo: [] # [ linux-image-amd64 ]
  roles:
    - lmn_network
    - up2date_debian
    - lmn_sssd
    - lmn_kde
    - lmn_fvs ## school specific customization
 #    - lmn_vm
    - kerberize
 #    - lmn_security
  tasks:
    - name: enable pam_mkhomedir.so
      lineinfile:
        dest: /etc/pam.d/common-session
        line: "session  optional        pam_mkhomedir.so  umask=0022"
        insertbefore: "# end of pam-auth-update config"
    - name: Fix unattended-upgrades
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
--- a/minimal-krb5.yml
+++ b/minimal-krb5.yml
@ -1,10 +0,0 @@
 ---
 # This playbook does almost nothing.  Useful for testing only preseeding.
 - name: apply a minimal configuration with kerberos LAN integration
  hosts: all
  remote_user: ansible
  become: true
  roles:
    - up2date_debian
    - lan-client
--- a/minimal.yml
+++ b/minimal.yml
@ -1,9 +0,0 @@
 ---
 # This playbook does almost nothing.  Useful for testing only preseeding.
 - name: apply a minimal configuration to the machine
  hosts: all
  remote_user: ansible
  become: true
  roles:
    - up2date_debian
--- a/roles/aptcacher/handlers/main.yml
+++ b/roles/aptcacher/handlers/main.yml
@ -1,3 +0,0 @@
 - name: start apt-cacher-ng
  service: name=apt-cacher-ng state=started enabled=yes
  listen: "start apt-cacher-ng"
--- a/roles/aptcacher/tasks/main.yml
+++ b/roles/aptcacher/tasks/main.yml
@ -1,37 +0,0 @@
 - name: install apt-cacher-ng package
  apt:
    name:
      - apt-cacher-ng
      - auto-apt-proxy
    state: latest # noqa package-latest
 - name: check if preseeded installer is available
  stat: path={{ tftp_root }}/d-i/{{ di_dist }}/preseed.cfg
  register: preseedcfg
 - name: enable apt-cacher-ng for install-clients
  replace:
    dest: "{{ tftp_root }}/d-i/{{ di_dist }}/preseed.cfg"
    regexp: '^d-i mirror/http/proxy string$'
    replace: 'd-i mirror/http/proxy string http://{{ ansible_hostname }}:3142/'
  when: preseedcfg.stat.exists
 - name: test if firewalld is available
  stat: path=/usr/sbin/firewalld
  register: firewalld
 - name: allow apt-cacher-ng service in firewalld
  firewalld:
    zone: internal
    port: 3142/tcp
    permanent: true
    immediate: true
    state: enabled
  when: not run_in_installer|default(false)|bool and firewalld.stat.exists
 - name: allow apt-cacher-ng service in firewalld, offline
  command: "firewall-offline-cmd --zone=internal --add-port=3142/tcp"
  when: run_in_installer|default(false)|bool and firewalld.stat.exists
 - name: flush handler to make apt-cacher available
  meta: flush_handlers
--- a/roles/backup/defaults/main.yml
+++ b/roles/backup/defaults/main.yml
@ -1,15 +0,0 @@
 borg_pwd: "{{ lookup('password', '/tmp/borg.pwd chars=ascii_letters,digits length=32') }}"
 borg_pwd_file: "/root/borg.pwd"
 borg_key_backup: "/root/borg-key.backup"
 ## alternative: "ssh://user@host:port/path/to/repo"
 backup_repo: "/var/backups/mnt/backup/borg"
 backup_dirs_extra: ""
 backup_opts: "--exclude-caches"
 backup_opts_extra: ""
 www_root: "/var/www"
 nc_dir: "{{ www_root }}/nextcloud"
 data_dir: "/var/nc-data"
--- a/roles/backup/files/backup.service
+++ b/roles/backup/files/backup.service
@ -1,6 +0,0 @@
 [Unit]
 Description=Run backup script
 [Service]
 Type=simple
 ExecStart=/usr/local/bin/backup
--- a/roles/backup/files/backup.timer
+++ b/roles/backup/files/backup.timer
@ -1,10 +0,0 @@
 [Unit]
 Description=Run backup script daily
 [Timer]
 OnCalendar=*-*-* 4:00:00
 Persistent=true
 AccuracySec=15min
 [Install]
 WantedBy=timers.target
--- a/roles/backup/handlers/main.yml
+++ b/roles/backup/handlers/main.yml
@ -1,6 +0,0 @@
 - name: enable backup.service and .timer
  systemd:
    name: backup.timer
    state: started
    enabled: true
  listen: "enable backup.timer"
--- a/roles/backup/tasks/main.yml
+++ b/roles/backup/tasks/main.yml
@ -1,33 +0,0 @@
 - name: install borg
  apt:
    name: borgbackup
    state: latest # noqa package-latest
 - name: check if borg password is available
  stat: path="{{ borg_pwd_file }}"
  register: borg
 - name: dump borg password
  shell: echo -n "{{ borg_pwd }}" > "{{ borg_pwd_file }}" ; chmod 0600 "{{ borg_pwd_file }}"
  no_log: true
  when: not borg.stat.exists
 - name: provide backup script
  template:
    src: "backup"
    dest: "/usr/local/bin/backup"
    mode: "0750"
 - name: provide backup.service and .timer
  copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    mode: 0644
  with_items:
    - backup.service
    - backup.timer
  notify: "enable backup.timer"
 - name: run first backup
  command: /usr/local/bin/backup
  when: not borg.stat.exists
--- a/roles/backup/templates/backup
+++ b/roles/backup/templates/backup
@ -1,51 +0,0 @@
 #!/bin/bash
 set -eu
 BACKUP=({{ backup_dirs|join(' ') }} {{ backup_dirs_extra|join(' ') }})
 OPTIONS=({{ backup_opts }} {{ backup_opts_extra }})
 export BORG_REPO="{{ backup_repo }}"
 export BORG_PASSCOMMAND="cat {{ borg_pwd_file }}"
 KEY_BACKUP="{{ borg_key_backup }}"
 MOUNTED=""
 MNT="$(echo "$BORG_REPO" | sed "s|\(^.*/mnt\).*|\1|")"
 if grep -q "$MNT" /etc/fstab ; then
    [ -d "$BORG_REPO" ] || mount -v "$MNT" && MOUNTED="TRUE"
 fi
 if [ ! -e "$KEY_BACKUP" ] ; then
    [[ "$BORG_REPO" =~ @ ]] || mkdir -vp --mode=0750 "$BORG_REPO"
    borg init --encryption=repokey
    borg key export "$BORG_REPO" "$KEY_BACKUP"
 fi
 if [ -e "{{ nc_dir }}/config/config.php" ] ; then
    NCDB="{{ data_dir }}/nextcloud-database.dump"
    sudo -u www-data /usr/bin/php {{ nc_dir }}/occ maintenance:mode --on
    PW="$(grep dbpassword {{ nc_dir }}/config/config.php | \
                   sed -e "s/\W*'dbpassword' => '//" -e "s/',$//")"
    echo -n "Dumping data base into '$NCDB' … "
    mysqldump --single-transaction -h localhost -u nextcloud -p"$PW" nextcloud > "$NCDB"
    chmod 600 "$NCDB"
    echo  "done."
 fi
 echo "Backup ${BACKUP[@]} to $BORG_REPO."
 borg create -v --show-rc "${OPTIONS[@]}" ::'{hostname}-{now}' "${BACKUP[@]}"
 borg prune -v --list --prefix='{hostname}-' --show-rc \
     --keep-daily   14 \
     --keep-weekly   8 \
     --keep-monthly  6 \
     --keep-yearly  10
 if [ -e "{{ nc_dir }}/config/config.php" ] ; then
    sudo -u www-data /usr/bin/php {{ nc_dir }}/occ maintenance:mode --off
 fi
 if [ "$MOUNTED" = "TRUE" ] ; then
    umount -v "$MNT"
 fi
--- a/roles/ddnsupdate/files/ddns-update
+++ b/roles/ddnsupdate/files/ddns-update
@ -1,35 +0,0 @@
 #!/bin/bash
 set -eu
 . /etc/ddns-update/ddns-update.conf
 DDHOST="https://www.ddnss.de/upd.php"
 if ! DNSRESULT="$(host $DDNSNAME)" ; then
    echo "Could not resolve IP address for '$DDNSNAME', no update."
    exit 0
 fi
 DNSIP4="$(echo "$DNSRESULT" | grep -m 1 -oE '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$' || true )"
 DNSIP6="$(echo "$DNSRESULT" | grep -m 1 -oE '[0-9a-f]{1,4}:.+:[0-9a-f]{1,4}' || true )"
 REALIP4="$(wget -q -O - https://ip4.ddnss.de/meineip.php | \
               grep -m 1 -oE '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' || true )"
 REALIP6="$(wget -q -O - https://ip6.ddnss.de/meineip.php | \
                grep -m 1 -oE '[0-9a-f]{1,4}:.+:[0-9a-f]{1,4}' || true )"
 if [ -z "$REALIP4" -a -z "$REALIP6" ] ; then
    echo "Could not detect real IP addresses, exiting."
    exit 0
 fi
 echo "Current DNS: IPv4=$DNSIP4, IPv6=$DNSIP6."
 echo "Detected:    IPv4=$REALIP4, IPv6=$REALIP6."
 if [ "$REALIP4" == "$DNSIP4" -a "$REALIP6" == "$DNSIP6" ] ; then
    echo "IP address unchanged, no update."
 else
    echo "IP address changed: $DNSIP4 → ${REALIP4}, $DNSIP6 → ${REALIP6}, updating ddns."
    wget -q -O - $DDHOST'?key='$KEYAUTH'&host='$DDNSNAME'&ip='$REALIP4'&ip6='$REALIP6 \
        | grep -oE "Updated .+ hostname." || echo "Update not confirmed, it might have failed."
 fi
--- a/roles/ddnsupdate/files/ddns-update.service
+++ b/roles/ddnsupdate/files/ddns-update.service
@ -1,6 +0,0 @@
 [Unit]
 Description=Update ddns
 [Service]
 Type=oneshot
 ExecStart=/usr/local/bin/ddns-update
--- a/roles/ddnsupdate/files/ddns-update.timer
+++ b/roles/ddnsupdate/files/ddns-update.timer
@ -1,11 +0,0 @@
 [Unit]
 Description=Update ddns IP-address
 [Timer]
 OnBootSec=0
 OnUnitActiveSec=20min
 AccuracySec=3min
 [Install]
 WantedBy=timers.target
--- a/roles/ddnsupdate/handlers/main.yml
+++ b/roles/ddnsupdate/handlers/main.yml
@ -1,7 +0,0 @@
 - name: enable ddns-update timer
  systemd:
    name: ddns-update.timer
    state: restarted
    daemon_reload: true
    enabled: true
  listen: "enable ddns-update timer"
--- a/roles/ddnsupdate/tasks/main.yml
+++ b/roles/ddnsupdate/tasks/main.yml
@ -1,27 +0,0 @@
 - name: make sure /etc/ddns-update/ exists
  file: path=/etc/ddns-update/ state=directory recurse=yes
 - name: install ddns-update config
  template:
    src: ddns-update.conf.j2
    dest: /etc/ddns-update/ddns-update.conf
    mode: 0644
 - name: install ddns-update script
  copy:
    src: ddns-update
    dest: /usr/local/bin/ddns-update
    mode: 0755
 - name: install ddns-update.service
  copy:
    src: ddns-update.service
    dest: /etc/systemd/system/ddns-update.service
    mode: 0644
 - name: install ddns-update.timer
  copy:
    src: ddns-update.timer
    dest: /etc/systemd/system/ddns-update.timer
    mode: 0644
  notify: enable ddns-update timer
--- a/roles/ddnsupdate/templates/ddns-update.conf.j2
+++ b/roles/ddnsupdate/templates/ddns-update.conf.j2
@ -1,2 +0,0 @@
 DDNSNAME="{{ ddns_domain }}"
 KEYAUTH="{{ ddns_updkey }}"
--- a/roles/debianlive/handlers/main.yml
+++ b/roles/debianlive/handlers/main.yml
@ -1,10 +0,0 @@
 ---
 - name: rebuild di-netboot assistant menu
  command:
    cmd: di-netboot-assistant rebuild-menu
  listen: rebuild di-netboot menu
 - name: export nfs
  command:
    cmd: exportfs -ra
  listen: export nfs
--- a/roles/debianlive/tasks/main.yml
+++ b/roles/debianlive/tasks/main.yml
@ -1,128 +0,0 @@
 ---
 - name: download debian-live images
  get_url:
    url: "{{ live_url }}{{ item.value }}"
    dest: "/var/cache/di-netboot-assistant/{{ item.value }}"
    checksum: "sha256:{{ live_url }}/SHA256SUMS"
  register: new_iso
  loop:
    "{{ live_iso | dict2items }}"
 - name: umount old iso images
  mount:
    path: "/var/lib/tftpboot/d-i/n-live/{{ item.key }}"
    state: unmounted
  loop:
    "{{ live_iso | dict2items }}"
  when: new_iso.changed
 - name: prepare live image directory
  file:
    path: "/var/lib/tftpboot/d-i/n-live/{{ item.key }}"
    state: directory
    mode: 0755
  loop:
    "{{ live_iso | dict2items }}"
 - name: make sure loop module is loaded
  modprobe:
    name: loop
    state: present
 - name: loop mount iso images
  mount:
    path: "/var/lib/tftpboot/d-i/n-live/{{ item.key }}"
    src: "/var/cache/di-netboot-assistant/{{ item.value }}"
    fstype: iso9660
    opts: loop,ro,nofail
    state: mounted
  loop:
    "{{ live_iso | dict2items }}"
  notify: rebuild di-netboot menu
 - name: prepare http downloads
  file:
    src: "/var/lib/tftpboot/d-i/"
    dest: "/var/www/html/d-i"
    state: link
 - name: export live image squashfs
  lineinfile:
    path: /etc/exports
    line: "/var/lib/tftpboot/d-i/n-live/ *(ro,crossmnt,no_subtree_check)"
  notify: export nfs
 - name: configure ipxe boot menu address and headline
  replace:
    path: /etc/di-netboot-assistant/ipxemenu.HEAD
    regexp: "{{ item.reg }}"
    replace: "{{ item.rep }}"
  loop:
    - reg: '^set 210:string .+$'
      rep: 'set 210:string http://{{ ansible_default_ipv4.address }}/'
    - reg: '^#(item --gap -- -- Customized Boot Entries.*)$'
      rep: '\1'
  notify: rebuild di-netboot menu
 - name: configure grub boot menu addresses
  lineinfile:
    path: /etc/di-netboot-assistant/grub.cfg.HEAD
    line: "{{ item.line }}"
    regexp: "{{ item.reg }}"
  loop:
    - line: "set root=(http,{{ ansible_default_ipv4.address }})"
      reg: "^set root="
    - line: "set pxe_default_server={{ ansible_default_ipv4.address }}"
      reg: "^set pxe_default_server="
  notify: rebuild di-netboot menu
 - name: prepare debian live nfs boot entry title
  lineinfile:
    path: /etc/di-netboot-assistant/ipxemenu.HEAD
    insertafter: '-- Customized Boot Entries --'
    line: "item {{ item.key }} Debian GNU/Linux {{ item.key }} NFS"
  loop:
    "{{ live_iso | dict2items }}"
  notify: rebuild di-netboot menu
 - name: find kernel version
  shell:
    cmd: >-
      basename /var/lib/tftpboot/d-i/n-live/{{ item.key }}/live/vmlinuz*
      | sed "s/vmlinuz-//"
  register: images
  changed_when: false
  loop:
    "{{ live_iso | dict2items }}"
 - name: prepare debian live boot loader ipxe
  blockinfile:
    path: /etc/di-netboot-assistant/ipxemenu.HEAD
    marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.item.key }}"
    block: |
      :{{ item.item.key }}
          echo Booting Debian GNU/Linux {{ item.item.key }} NFS
          kernel ${210:string}d-i/n-live/{{ item.item.key }}/live/vmlinuz-{{ item.stdout }} \
          initrd=initrd.img-{{ item.stdout }} {{ boot_params|join(' ') }} \
          nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item.item.key }}/
          initrd ${210:string}d-i/n-live/{{ item.item.key }}/live/initrd.img-{{ item.stdout }}
          boot
  loop:
    "{{ images.results }}"
  notify: rebuild di-netboot menu
 - name: prepare debian live boot loader grub
  blockinfile:
    path: /etc/di-netboot-assistant/grub.cfg.HEAD
    insertbefore: "^menuentry 'Boot from local disk..'"
    marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.item.key }}"
    block: |
      menuentry 'Debian GNU/Linux Live {{ item.item.key }} NFS' {
          linux (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item.item.key }}/live/vmlinuz-{{ item.stdout }} \
          {{ boot_params|join(' ') }} \
          nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item.item.key }}/
          initrd (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item.item.key }}/live/initrd.img-{{ item.stdout }}
      }
  loop:
    "{{ images.results }}"
  notify: rebuild di-netboot menu
--- a/roles/dhcp6radvdatftp/handlers/main.yml
+++ b/roles/dhcp6radvdatftp/handlers/main.yml
@ -1,20 +0,0 @@
 ---
 - name: restart radvd
  systemd:
    name: radvd.service
    state: restarted
    enabled: true
  listen: restart radvd
 - name: restart kea-dhcp6-server
  systemd:
    name: kea-dhcp6-server.service
    state: restarted
    enabled: true
  listen: restart kea-dhcp6-server
 - name: restart network interfaces
  systemd:
    name: networking
    state: restarted
  listen: reconfigure network
--- a/roles/dhcp6radvdatftp/tasks/main.yml
+++ b/roles/dhcp6radvdatftp/tasks/main.yml
@ -1,39 +0,0 @@
 ## DHCPv6, RAs and TFTP
 ---
 - name: preseed aftpd
  debconf:
    name: atftpd
    question: atftpd/basedir
    value: /var/lib/tftpboot
    vtype: string
 - name: install di-netboot-assistant and installer package
  apt:
    name:
      - kea-dhcp6-server
      - radvd
      - atftpd
    state: latest # noqa package-latest
 - name: configure radvd
  template:
    src: radvd.conf.j2
    dest: /etc/radvd.conf
    mode: 0644
  notify: restart radvd
 - name: configure kea-dhcp-server
  template:
    src: kea-dhcp6.conf.j2
    dest: /etc/kea/kea-dhcp6.conf
    mode: 0644
  notify: restart kea-dhcp6-server
 - name: set IPv6 address on interface
  blockinfile:
    path: /etc/network/interfaces
    block: |
      allow-hotplug {{ if_lan }}
      iface {{ if_lan }} inet6 static
         address 2001:db8:b001::1/64
  notify: reconfigure network
--- a/roles/dhcp6radvdatftp/templates/kea-dhcp6.conf.j2
+++ b/roles/dhcp6radvdatftp/templates/kea-dhcp6.conf.j2
@ -1,20 +0,0 @@
 {
   "Dhcp6": {
      "interfaces-config": {
         "interfaces": [ "{{ if_lan }}" ]
      },
      "option-data": [
         {
            "name": "bootfile-url",
            "data": "tftp://[2001:db8:b001::1]/d-i/n-a/grubx64.efi"
         }
      ],
      "subnet6": [
         {
            "subnet": "2001:db8:b001::/64",
            "pools": [ { "pool": "2001:db8:b001::2 - 2001:db8:b001::ffff" } ],
            "interface": "enp1s0"
         }
      ]
   }
 }
--- a/roles/dhcp6radvdatftp/templates/radvd.conf.j2
+++ b/roles/dhcp6radvdatftp/templates/radvd.conf.j2
@ -1,10 +0,0 @@
 interface {{ if_lan }}
 {
   AdvSendAdvert on;
   AdvManagedFlag on;
   AdvOtherConfigFlag on;
   prefix {{ prefix }}
   {
   };
 };
--- a/roles/dnsdhcptftp/defaults/main.yml
+++ b/roles/dnsdhcptftp/defaults/main.yml
@ -1 +0,0 @@
 name_servers: ns1.{{ ansible_domain }}
--- a/roles/dnsdhcptftp/handlers/main.yml
+++ b/roles/dnsdhcptftp/handlers/main.yml
@ -1,15 +0,0 @@
 - name: restart isc-dhcp-server
  systemd: name=isc-dhcp-server state=restarted enabled=yes
  listen: restart isc-dhcp-server
 - name: restart bind
  systemd: name=bind9 state=restarted enabled=yes
  listen: restart bind
 - name: restart tftpd-hpa
  systemd: name=tftpd-hpa state=restarted enabled=yes
  listen: restart tftpd-hpa
 - name: restart dhcp-client
  systemd: name=ifup@{{ if_wan }} state=restarted enabled=yes
  listen: restart dhcp-client
--- a/roles/dnsdhcptftp/tasks/main.yml
+++ b/roles/dnsdhcptftp/tasks/main.yml
@ -1,100 +0,0 @@
 ---
 - name: preseed tftpd-hpa
  debconf:
    name: tftpd-hpa
    question: tftpd-hpa/directory
    value: /var/lib/tftpboot
    vtype: string
 - name: install tftpd, dhcpd and named packages
  apt:
    name:
      - isc-dhcp-server
      - tftpd-hpa
      - bind9
    state: latest # noqa package-latest
 ## FIXME: preseeding seems to be ignored
 - name: configure TFTP root directory
  replace:
    path: /etc/default/tftpd-hpa
    regexp: '^TFTP_DIRECTORY=".*"$'
    replace: 'TFTP_DIRECTORY="/var/lib/tftpboot"'
  notify: restart tftpd-hpa
 - name: serve dhcp on LAN interface
  replace:
    path: /etc/default/isc-dhcp-server
    regexp: '^INTERFACESv4=".*"$'
    replace: 'INTERFACESv4="{{ if_lan }}"'
  notify: restart isc-dhcp-server
 - name: deploy config files for isc-dhcp-server
  template:
    src: dhcpd.conf.j2
    dest: /etc/dhcp/dhcpd.conf
    mode: 0644
    backup: true
  notify: restart isc-dhcp-server
 - name: deploy config files for bind9
  template:
    src: "{{ item.src }}.j2"
    dest: "/etc/bind/{{ item.dest }}"
    mode: 0644
  loop:
    - src: db.RR
      dest: "db.{{ ansible_domain }}"
    - src: db.RRinv
      dest: "db.{{ ipaddr_lan_threeoct }}"
    - src: localzones
      dest: localzones
  notify: restart bind
 - name: link zone files to writeable directory for DDNS
  file:
    src: "/etc/bind/{{ item }}"
    dest: "/var/lib/bind/{{ item }}"
    state: link
  loop:
    - "db.{{ ansible_domain }}"
    - "db.{{ ipaddr_lan_threeoct }}"
  notify: restart bind
 - name: enable local bind config
  lineinfile:
    path: /etc/bind/named.conf.local
    line: 'include "/etc/bind/localzones";'
  notify: restart bind
 - name: adapt resolv.conf
  template:
    src: resolv.conf.j2
    dest: /etc/resolv.conf
    mode: 0644
  notify: restart isc-dhcp-server
 ## stop dhclient from overwriting /etc/resolv.conf:
 - name: supersede dhcp client data
  blockinfile:
    dest: /etc/dhcp/dhclient.conf
    block: |
      supersede domain-search "{{ ansible_domain }}";
      supersede domain-name-servers 127.0.0.1;
    insertbefore: "#send dhcp-client-identifier.*"
  notify: restart dhcp-client
 - name: generate rndc key
  command:
    cmd: rndc-confgen -a
    creates: /etc/bind/rndc.key
 - name: copy rndc key
  copy:
    src: /etc/bind/rndc.key
    dest: /etc/dhcp/
    owner: root
    group: root
    mode: 0640
    remote_src: true
  notify: restart isc-dhcp-server
--- a/roles/dnsdhcptftp/templates/db.RR.j2
+++ b/roles/dnsdhcptftp/templates/db.RR.j2
@ -1,17 +0,0 @@
 $TTL 500
@               IN      SOA     {{ ansible_fqdn }}. root.{{ ansible_domain }}. (
                                1          ; Serial
                                3600       ; Refresh
                                1800       ; Retry
                                720000     ; Expire
                                6400 )     ; Negative Cache TTL
 ;
@                       NS      {{ ansible_fqdn }}.
                        MX      10 {{ ansible_fqdn }}.
 {{ ansible_hostname }}                  A       {{ ipaddr_lan | ipaddr("address") }}
 _ldap._tcp              SRV     100 0 389 {{ ansible_fqdn }}.
 ns1                     CNAME   {{ ansible_fqdn }}.
 ns2                     CNAME   {{ ansible_fqdn }}.
 aptcache                CNAME   {{ ansible_fqdn }}.
 homes                   CNAME   {{ ansible_fqdn }}.
 ldap                    CNAME   {{ ansible_fqdn }}.
--- a/roles/dnsdhcptftp/templates/db.RRinv.j2
+++ b/roles/dnsdhcptftp/templates/db.RRinv.j2
@ -1,11 +0,0 @@
 $TTL 500
@               IN      SOA     {{ ansible_fqdn }}. root.{{ ansible_domain }}. (
                                1          ; Serial
                                3600       ; Refresh
                                1800       ; Retry
                                720000     ; Expire
                                6400 )     ; Negative Cache TTL
 ;
@                       NS      {{ ansible_fqdn }}.
                        MX      10 {{ ansible_fqdn }}.
 {{ ipaddr_lan | ipaddr("address") | regex_replace("^.*\.(.+$)", "\\1") }}                      PTR     {{ ansible_fqdn }}.
--- a/roles/dnsdhcptftp/templates/dhcpd.conf.j2
+++ b/roles/dnsdhcptftp/templates/dhcpd.conf.j2
@ -1,139 +0,0 @@
 # dhcpd.conf
 #
 # Sample configuration file for ISC dhcpd
 #
 # option definitions common to all supported networks...
 option domain-name "{{ ansible_domain }}";
 option domain-name-servers {{ name_servers }};
 default-lease-time 600;
 max-lease-time 7200;
 # The ddns-updates-style parameter controls whether or not the server will
 # attempt to do a DNS update when a lease is confirmed. We default to the
 # behavior of the version 2 packages ('none', since DHCP v2 didn't
 # have support for DDNS.)
 #ddns-update-style none;
 use-host-decl-names on;
 ddns-update-style standard;
 include "/etc/dhcp/rndc.key";
 zone {{ ansible_domain }}. {
  primary 127.0.0.1;
  key rndc-key;
 }
 zone {{ ipaddr_lan_ptr }} {
  primary 127.0.0.1;
  key rndc-key;
 }
 # If this DHCP server is the official DHCP server for the local
 # network, the authoritative directive should be uncommented.
 authoritative;
 # Use this to send dhcp log messages to a different log file (you also
 # have to hack syslog.conf to complete the redirection).
 #log-facility local7;
 ## The tftpd server IP address, for all clients.
 next-server {{ ipaddr_lan | ipaddr("address") }};
 option arch code 93 = unsigned integer 16;
 if option arch = 00:07 {
      filename "d-i/n-a/bootnetx64.efi";
 } else {
      filename "d-i/n-a/pxelinux.0";
 }
 subnet {{ ipaddr_lan | ipaddr("network") }} netmask {{ ipaddr_lan | ipaddr("netmask") }} {
      option routers {{ ipaddr_lan | ipaddr("address") }};
      range {{ dhcp_start }} {{ dhcp_stop }};
 }
 # No service will be given on this subnet, but declaring it helps the
 # DHCP server to understand the network topology.
 #subnet 10.152.187.0 netmask 255.255.255.0 {
 #}
 # This is a very basic subnet declaration.
 #subnet 10.254.239.0 netmask 255.255.255.224 {
 #  range 10.254.239.10 10.254.239.20;
 #  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
 #}
 # This declaration allows BOOTP clients to get dynamic addresses,
 # which we don't really recommend.
 #subnet 10.254.239.32 netmask 255.255.255.224 {
 #  range dynamic-bootp 10.254.239.40 10.254.239.60;
 #  option broadcast-address 10.254.239.31;
 #  option routers rtr-239-32-1.example.org;
 #}
 # A slightly different configuration for an internal subnet.
 #subnet 10.5.5.0 netmask 255.255.255.224 {
 #  range 10.5.5.26 10.5.5.30;
 #  option domain-name-servers ns1.internal.example.org;
 #  option domain-name "internal.example.org";
 #  option routers 10.5.5.1;
 #  option broadcast-address 10.5.5.31;
 #  default-lease-time 600;
 #  max-lease-time 7200;
 #}
 # Hosts which require special configuration options can be listed in
 # host statements.   If no address is specified, the address will be
 # allocated dynamically (if possible), but the host-specific information
 # will still come from the host declaration.
 #host passacaglia {
 #  hardware ethernet 0:0:c0:5d:bd:95;
 #  filename "vmunix.passacaglia";
 #  server-name "toccata.example.com";
 #}
 # Fixed IP addresses can also be specified for hosts.   These addresses
 # should not also be listed as being available for dynamic assignment.
 # Hosts for which fixed IP addresses have been specified can boot using
 # BOOTP or DHCP.   Hosts for which no fixed address is specified can only
 # be booted with DHCP, unless there is an address range on the subnet
 # to which a BOOTP client is connected which has the dynamic-bootp flag
 # set.
 #host fantasia {
 #  hardware ethernet 08:00:07:26:c0:a5;
 #  fixed-address fantasia.example.com;
 #}
 # You can declare a class of clients and then do address allocation
 # based on that.   The example below shows a case where all clients
 # in a certain class get addresses on the 10.17.224/24 subnet, and all
 # other clients get addresses on the 10.0.29/24 subnet.
 #class "foo" {
 #  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
 #}
 #shared-network 224-29 {
 #  subnet 10.17.224.0 netmask 255.255.255.0 {
 #    option routers rtr-224.example.org;
 #  }
 #  subnet 10.0.29.0 netmask 255.255.255.0 {
 #    option routers rtr-29.example.org;
 #  }
 #  pool {
 #    allow members of "foo";
 #    range 10.17.224.10 10.17.224.250;
 #  }
 #  pool {
 #    deny members of "foo";
 #    range 10.0.29.10 10.0.29.230;
 #  }
 #}
--- a/roles/dnsdhcptftp/templates/localzones.j2
+++ b/roles/dnsdhcptftp/templates/localzones.j2
@ -1,17 +0,0 @@
 include "/etc/bind/rndc.key";
 zone "{{ ipaddr_lan_ptr[:-1] }}" {
        type master;
        notify no;
        file "/etc/bind/db.{{ ipaddr_lan_threeoct }}";
        journal "/var/lib/bind/db.{{ ipaddr_lan_threeoct }}.jnl";
        allow-update { key rndc-key; };
 };
 zone "{{ ansible_domain }}" {
        type master;
        notify no;
        file "/etc/bind/db.{{ ansible_domain }}";
        journal "/var/lib/bind/db.{{ ansible_domain }}.jnl";
        allow-update { key rndc-key; };
 };
--- a/roles/dnsdhcptftp/templates/resolv.conf.j2
+++ b/roles/dnsdhcptftp/templates/resolv.conf.j2
@ -1,2 +0,0 @@
 search {{ ansible_domain }}.
 nameserver 127.0.0.1
--- a/roles/dnsmasq/handlers/main.yml
+++ b/roles/dnsmasq/handlers/main.yml
@ -1,3 +0,0 @@
 - name: restart dnsmasq
  service: name=dnsmasq state=restarted enabled=yes
  listen: "restart dnsmasq"
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@ -1,24 +0,0 @@
 - name: check if dnsmasq is already there
  stat: path=/etc/dnsmasq.d/dnsmasq-dhcp
  register: dnsmasq
 - name: install dnsmasq package
  apt:
    name:
      - dnsmasq
      - resolvconf
    state: latest # noqa package-latest
 - name: configure dnsmasq dhcp
  template:
    src: dnsmasq-dhcp.j2
    dest: /etc/dnsmasq.d/dnsmasq-dhcp
    mode: 0644
  notify: "restart dnsmasq"
 - name: configure dnsmasq tftp
  template:
    src: dnsmasq-tftp-netboot-installer.j2
    dest: /etc/dnsmasq.d/tftp-netboot-installer
    mode: 0644
  notify: "restart dnsmasq"
--- a/roles/dnsmasq/templates/dnsmasq-dhcp.j2
+++ b/roles/dnsmasq/templates/dnsmasq-dhcp.j2
@ -1,3 +0,0 @@
 interface={{ if_lan }}
 dhcp-range={{ dhcp_start }},{{ dhcp_stop }},2h
 # dhcp-generate-names ## better use grub to generate names
--- a/roles/dnsmasq/templates/dnsmasq-tftp-netboot-installer.j2
+++ b/roles/dnsmasq/templates/dnsmasq-tftp-netboot-installer.j2
@ -1,5 +0,0 @@
 enable-tftp
 tftp-root={{ tftp_root }}
 dhcp-boot=d-i/n-a/pxelinux.0
 dhcp-match=set:efi-x86_64,option:client-arch,7
 dhcp-boot=tag:efi-x86_64,d-i/n-a/bootnetx64.efi
--- a/roles/educontainer/defaults/main.yml
+++ b/roles/educontainer/defaults/main.yml
@ -1,13 +0,0 @@
 ## generate most of this list with 'tasksel --task-packages standard'
 cont_packages:
  - systemd-container
  - openssh-server
  - sudo
  - python3
  - auto-apt-proxy
  - bash-completion
  - ca-certificates
  - man-db
  - manpages
 cont_packages_extra: []
--- a/roles/educontainer/handlers/main.yml
+++ b/roles/educontainer/handlers/main.yml
@ -1,7 +0,0 @@
 - name: enable and restart containers
  systemd:
    name: systemd-nspawn@{{ contname }}{{ "%02d" | format(item|int) }}.service
    state: restarted
    enabled: true
  loop: "{{ containers }}"
  listen: enable and restart containers
--- a/roles/educontainer/tasks/main.yml
+++ b/roles/educontainer/tasks/main.yml
@ -1,70 +0,0 @@
 ## Prepare minimal systemd-nspawn containers for educational use.
 ##
 ## Port mapping to the host:
 ##
 ##  container 0: ssh → host port 10000,  HTTP → 10100
 ##  container 1: ssh → host port 10001,  HTTP → 10101
 ##     ...                        ...            ...
 ##
 ##  User '{{ contuser }}' in the sudo group.  Password is '{{ contpwd }}'.
 ##
 - name: stop all containers
  systemd:
    name: systemd-nspawn@{{ contname }}{{ "%02d" | format(item|int) }}.service
    state: stopped
  loop: "{{ containers | reverse }}"
  tags:
    - never
    - stop
    - reset
    - purge
    - setup
    - restart
 - name: purge all containers
  command:
    cmd: machinectl remove {{ contname }}{{ "%02d" | format(item|int) }}
    removes: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}
  loop: "{{ containers | reverse }}"
  tags:
    - never
    - purge
    - setup
 - name: remove container overlay
  file:
    path: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}-delta
    state: absent
  loop: "{{ containers | reverse }}"
  tags:
    - never
    - reset
    - purge
    - setup
 - name: start all containers
  systemd:
    name: systemd-nspawn@{{ contname }}{{ "%02d" | format(item|int) }}.service
    state: started
  loop: "{{ containers | reverse }}"
  tags:
    - never
    - start
    - reset
    - restart
 ###########
 - name: check if container template exists
  ansible.builtin.stat:
    path: "/var/lib/machines/{{ contname }}00"
  register: cont
  tags:
    - always
 - name: import setup.yml tasks
  import_tasks: setup.yml
  when: cont.stat.isdir is not defined
  tags:
    - always
--- a/roles/educontainer/tasks/setup.yml
+++ b/roles/educontainer/tasks/setup.yml
@ -1,181 +0,0 @@
 ---
 - name: install packages
  apt:
    name:
      - systemd-container
      - debootstrap
      - auto-apt-proxy
    state: latest # noqa package-latest
 - name: prepare machine directory
  file:
    path: /var/lib/machines/
    state: directory
    mode: 0700
 - name: debootstrap base system
  command:
    cmd: >
      auto-apt-proxy debootstrap
      --include={{ cont_packages | union(cont_packages_extra) | join(',') }}
      --components=main,contrib,non-free stable
      {{ contname }}00 http://deb.debian.org/debian
  args:
    chdir: /var/lib/machines/
    creates: /var/lib/machines/{{ contname }}00
  notify: enable and restart containers
 - name: provide complete apt sources
  copy:
    src: /etc/apt/sources.list
    dest: /var/lib/machines/{{ contname }}00/etc/apt/sources.list
    mode: 0644
    remote_src: true
 - name: configure locale
  lineinfile:
    path: /var/lib/machines/{{ contname }}00/etc/profile
    line: 'export LANG=C'
 ## Use 'chroot' here instead of 'systemd-nspawn -D …' to make it work
 ## with ansible-pull in the preseed debian installer:
 - name: upgrade container
  command:
    cmd: "{{ item }}"
  args:
    chdir: /var/lib/machines/{{ contname }}00
  loop:
    - mount --bind /proc proc
    - mount --bind /sys sys
    - mount --bind /dev/pts dev/pts
    - chroot . sh -c '/usr/bin/apt-get update && DEBIAN_FRONTEND=noninteractive /usr/bin/apt-get full-upgrade --yes'
    - umount proc sys dev/pts
  register: cmd_result
  changed_when: cmd_result.stdout is not search('0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.')
 - name: provide {{ contuser }} user account
  command:
    cmd: >
      chroot . sh -c '/usr/sbin/useradd -m -s /bin/bash
      -c "User {{ contuser }},,," -G sudo {{ contuser }}'
  args:
    chdir: /var/lib/machines/{{ contname }}00
    creates: /var/lib/machines/{{ contname }}00/home/{{ contuser }}
  register: user_account
 - name: provide empty password for {{ contuser }} user
  command:
    cmd: chroot . sh -c "passwd -d {{ contuser }}"
  args:
    chdir: /var/lib/machines/{{ contname }}00
  when: user_account.changed | default(false) and contpwd | length == 0
 - name: provide password for container {{ contuser }} user
  command:
    cmd: chroot . sh -c "echo {{ contuser }}:{{ contpwd }} | chpasswd"
  args:
    chdir: /var/lib/machines/{{ contname }}00
  when: user_account.changed | default(true) and contpwd | length > 0
 - name: allow empty passwords in ssh
  lineinfile:
    path: /var/lib/machines/{{ contname }}00/etc/ssh/sshd_config
    insertafter: '#PermitEmptyPasswords no'
    line: 'PermitEmptyPasswords yes'
  when: user_account.changed | default(false) and contpwd | length == 0
 - name: prepare directories
  file:
    path: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item }}
    state: directory
    mode: 0755
  loop:
    - multi-user.target.wants
    - sockets.target.wants
    - network-online.target.wants
  notify: enable and restart containers
 - name: enable systemd-networkd service
  file:
    src: /lib/systemd/system/{{ item.src }}
    dest: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item.dest }}
    state: link
    follow: false
    force: true
  loop:
    - src: systemd-networkd.service
      dest: dbus-org.freedesktop.network1.service
    - src: systemd-networkd.service
      dest: multi-user.target.wants/systemd-networkd.service
    - src: systemd-networkd.socket
      dest: sockets.target.wants/systemd-networkd.socket
    - src: systemd-networkd-wait-online.service
      dest: network-online.target.wants/systemd-networkd-wait-online.service
  notify: enable and restart containers
 - name: enable systemd-resolved in containers
  file:
    src: /lib/systemd/system/{{ item.src }}
    dest: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item.dest }}
    state: link
    follow: false
    force: true
  loop:
    - src: systemd-resolved.service
      dest: dbus-org.freedesktop.resolve1.service
    - src: systemd-resolved.service
      dest: multi-user.target.wants/systemd-resolved.service
  notify: enable and restart containers
 ########
 - name: prepare local sysctl config file
  copy:
    content: "# Avoid 'too many open files' error:"
    dest: /etc/sysctl.d/inotify.conf
    mode: 0644
    force: false
 - name: fix too many open files error
  sysctl:
    name: fs.inotify.max_user_instances
    value: '1024'
    sysctl_file: /etc/sysctl.d/inotify.conf
 - name: generate links to the initial container
  file:
    src: "{{ contname }}00"
    dest: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}
    state: link
  loop: "{{ containers[1:] }}"
  notify: enable and restart containers
 - name: prepare nspawn config directory
  file:
    path: /etc/systemd/nspawn
    state: directory
    mode: 0755
 - name: provide container configuration
  template:
    src: contcfg.nspawn.j2
    dest: /etc/systemd/nspawn/{{ contname }}{{ "%02d" | format(item|int) }}.nspawn
    mode: 0644
  loop: "{{ containers }}"
  notify: enable and restart containers
 - name: provide container hostname file
  template:
    src: hostname.j2
    dest: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}.hostname
    mode: 0644
  loop: "{{ containers }}"
  notify: enable and restart containers
 - name: provide container hosts file
  template:
    src: hosts.j2
    dest: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}.hosts
    mode: 0644
  loop: "{{ containers }}"
  notify: enable and restart containers
--- a/roles/educontainer/templates/contcfg.nspawn.j2
+++ b/roles/educontainer/templates/contcfg.nspawn.j2
@ -1,15 +0,0 @@
 [Exec]
 Capability=CAP_NET_ADMIN
 ResolvConf=copy-host
 [Network]
 Port=10{{ "%03d" | format(item|int) }}:22
 Port=10{{ "%03d" | format(item|int + 100) }}:80
 Port=10{{ "%03d" | format(item|int + 200) }}:443
 [Files]
 ReadOnly=yes
 Overlay=+/:/var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}-delta:/
 PrivateUsersChown=false
 BindReadOnly=/var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}.hostname:/etc/hostname
 BindReadOnly=/var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}.hosts:/etc/hosts
--- a/roles/educontainer/templates/hostname.j2
+++ b/roles/educontainer/templates/hostname.j2
@ -1 +0,0 @@
 {{ contname }}{{ "%02d" | format(item|int) }}
--- a/roles/educontainer/templates/hosts.j2
+++ b/roles/educontainer/templates/hosts.j2
@ -1,4 +0,0 @@
 127.0.0.1       localhost {{ contname }}{{ "%02d" | format(item|int) }}
 ::1             localhost {{ contname }}{{ "%02d" | format(item|int) }} ip6-localhost ip6-loopback
 ff02::1         ip6-allnodes
 ff02::2         ip6-allrouters
--- a/roles/edulive/defaults/main.yml
+++ b/roles/edulive/defaults/main.yml
@ -1 +0,0 @@
 build_dir: /opt/live-build/
--- a/roles/edulive/files/gnome-edu/README
+++ b/roles/edulive/files/gnome-edu/README
@ -1,2 +0,0 @@
 This config space is based on:
  https://salsa.debian.org/live-team/live-images/-/tree/debian/images/gnome-desktop
--- a/roles/edulive/files/gnome-edu/auto/build
+++ b/roles/edulive/files/gnome-edu/auto/build
@ -1,5 +0,0 @@
 #!/bin/sh
 set -e
 lb build noauto "${@}" 2>&1 | tee build.log
--- a/roles/edulive/files/gnome-edu/auto/clean
+++ b/roles/edulive/files/gnome-edu/auto/clean
@ -1,10 +0,0 @@
 #!/bin/sh
 set -e
 lb clean noauto "${@}"
 rm -f config/binary config/bootstrap config/chroot config/common config/source
 rm -f config/control
 rm -f build.log
--- a/roles/edulive/files/gnome-edu/auto/config
+++ b/roles/edulive/files/gnome-edu/auto/config
@ -1,18 +0,0 @@
 #!/bin/sh
 set -e
 lb config noauto \
 	--clean \
 	--cache false \
 	--net-tarball false \
 	--ignore-system-defaults \
 	--distribution bullseye \
 	--binary-images netboot \
 	--mode debian \
 	--backports true \
 	--linux-packages linux-image \
 	--archive-areas "main contrib non-free" \
 	--mirror-bootstrap http://localhost:3142/deb.debian.org/debian/ \
 	--mirror-chroot-security http://localhost:3142/security.debian.org/debian-security/ \
 "${@}"
--- a/roles/edulive/files/gnome-edu/config/hooks/0001-plymouth-theme.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/0001-plymouth-theme.hook.chroot
@ -1,8 +0,0 @@
 #!/bin/sh
 set -e
 if [ -e /usr/sbin/plymouth-set-default-theme ] && [ -e /usr/share/plymouth/themes/lines ]
 then
 	plymouth-set-default-theme lines
 fi
--- a/roles/edulive/files/gnome-edu/config/hooks/live/0010-disable-kexec-tools.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/live/0010-disable-kexec-tools.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/live/0010-disable-kexec-tools.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/live/0050-disable-sysvinit-tmpfs.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/live/0050-disable-sysvinit-tmpfs.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/live/0050-disable-sysvinit-tmpfs.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/live/0500-desktop.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/live/0500-desktop.hook.chroot
@ -1,15 +0,0 @@
 #!/bin/sh
 set -e
 echo 'pref("browser.startup.homepage", "https://www.startpage.com");' >> /etc/firefox-esr/firefox-esr.js
 echo 'pref("network.proxy.type", 4);' >> /etc/firefox-esr/firefox-esr.js
 dconf update
 #sed -i "s/^/#/" /etc/xdg/user-dirs.defaults
 sed -i "s/^#WaylandEnable=false$/WaylandEnable=false/" /etc/gdm3/daemon.conf
 ## workaround https://bugzilla.gnome.org/show_bug.cgi?id=730587
 #dpkg-divert --divert /usr/bin/gnome-keyring-daemon.bak --rename /usr/bin/gnome-keyring-daemon
--- a/roles/edulive/files/gnome-edu/config/hooks/live/0600-wireshark.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/live/0600-wireshark.hook.chroot
@ -1,5 +0,0 @@
 #!/bin/sh
 set -e
 ## allow everybody to run wireshark:
 chmod 0755 /usr/bin/dumpcap
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0020-create-mtab-symlink.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0020-create-mtab-symlink.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0020-create-mtab-symlink.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0030-enable-cryptsetup.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0030-enable-cryptsetup.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0030-enable-cryptsetup.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0040-create-locales-files.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0040-create-locales-files.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0040-create-locales-files.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0100-remove-adjtime-configuration.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0100-remove-adjtime-configuration.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0100-remove-adjtime-configuration.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0110-remove-backup-files.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0110-remove-backup-files.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0110-remove-backup-files.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0120-remove-dbus-machine-id.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0120-remove-dbus-machine-id.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0120-remove-dbus-machine-id.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0130-remove-gnome-icon-cache.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0130-remove-gnome-icon-cache.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0130-remove-gnome-icon-cache.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0140-remove-log-files.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0140-remove-log-files.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0140-remove-log-files.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0150-remove-mdadm-configuration.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0150-remove-mdadm-configuration.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0150-remove-mdadm-configuration.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0160-remove-openssh-server-host-keys.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0160-remove-openssh-server-host-keys.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0160-remove-openssh-server-host-keys.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0170-remove-python-py.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0170-remove-python-py.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0170-remove-python-py.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0180-remove-systemd-machine-id.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0180-remove-systemd-machine-id.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0180-remove-systemd-machine-id.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0190-remove-temporary-files.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0190-remove-temporary-files.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0190-remove-temporary-files.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0195-remove-ssl-cert-snakeoil.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0195-remove-ssl-cert-snakeoil.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0195-remove-ssl-cert-snakeoil.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0200-remove-udev-persistent-cd-rules.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0200-remove-udev-persistent-cd-rules.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0200-remove-udev-persistent-cd-rules.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0300-remove-udev-persistent-net-rules.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0300-remove-udev-persistent-net-rules.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0300-remove-udev-persistent-net-rules.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0400-update-apt-file-cache.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0400-update-apt-file-cache.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0400-update-apt-file-cache.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0410-update-apt-xapian-index.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0410-update-apt-xapian-index.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0410-update-apt-xapian-index.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0420-update-glx-alternative.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0420-update-glx-alternative.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0420-update-glx-alternative.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0430-update-mlocate-database.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0430-update-mlocate-database.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0430-update-mlocate-database.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0440-update-nvidia-alternative.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0440-update-nvidia-alternative.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0440-update-nvidia-alternative.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/hooks/normal/0500-reproducible-glibc.hook.chroot
+++ b/roles/edulive/files/gnome-edu/config/hooks/normal/0500-reproducible-glibc.hook.chroot
@ -1 +0,0 @@
 /usr/share/live/build/hooks/normal/0500-reproducible-glibc.hook.chroot
--- a/roles/edulive/files/gnome-edu/config/includes.chroot/etc/dconf/db/gdm.d/00-login-screen
+++ b/roles/edulive/files/gnome-edu/config/includes.chroot/etc/dconf/db/gdm.d/00-login-screen
@ -1,8 +0,0 @@
 [org/gnome/login-screen]
 disable-user-list=true
 logo='/usr/share/desktop-base/debian-logos/logo-text-64.png'
 [org/gnome/settings-daemon/plugins/power]
 power-button-action='interactive'
 sleep-inactive-ac-timeout=600
 sleep-inactive-ac-type='interactive'
--- a/roles/edulive/files/gnome-edu/config/includes.chroot/etc/dconf/db/local.d/defaults
+++ b/roles/edulive/files/gnome-edu/config/includes.chroot/etc/dconf/db/local.d/defaults
@ -1,34 +0,0 @@
 [org/gnome/shell]
 enabled-extensions=['apps-menu@gnome-shell-extensions.gcampax.github.com', 'window-list@gnome-shell-extensions.gcampax.github.com', 'places-menu@gnome-shell-extensions.gcampax.github.com', 'drive-menu@gnome-shell-extensions.gcampax.github.com', 'dash-to-dock@micxgx.gmail.com']
 [org/gnome/desktop/input-sources]
 sources=[('xkb', 'de'), ('xkb', 'us')]
 [org/gnome/desktop/wm/preferences]
 button-layout='appmenu:minimize,maximize,close'
 [org/gnome/desktop/peripherals/touchpad]
 natural-scroll=false
 edge-scrolling-enabled=true
 tap-to-click=true
 [org/gnome/nautilus/preferences]
 default-folder-viewer='list-view'
 [org/gnome/nautilus/list-view]
 use-tree-view=true
 [org/gnome/settings-daemon/plugins/power]
 power-button-action='interactive'
 sleep-inactive-battery-timeout=600
 sleep-inactive-battery-type='hibernate'
 sleep-inactive-ac-timeout=6000
 sleep-inactive-ac-type='nothing'
 [org/gnome/desktop/screensaver]
 lock-enabled=false
 [org/gnome/desktop/interface]
 clock-show-date=true
 clock-show-seconds=true
 clock-show-weekday=true
--- a/roles/edulive/files/gnome-edu/config/includes.chroot/etc/dconf/profile/gdm
+++ b/roles/edulive/files/gnome-edu/config/includes.chroot/etc/dconf/profile/gdm
@ -1,3 +0,0 @@
 user-db:user
 system-db:gdm
 file-db:/usr/share/gdm/greeter.dconf-defaults
--- a/roles/edulive/files/gnome-edu/config/includes.chroot/etc/dconf/profile/user
+++ b/roles/edulive/files/gnome-edu/config/includes.chroot/etc/dconf/profile/user
@ -1,2 +0,0 @@
 user-db:user
 system-db:local
--- a/roles/edulive/files/gnome-edu/config/includes.chroot/etc/libvirt/qemu/netboot.xml
+++ b/roles/edulive/files/gnome-edu/config/includes.chroot/etc/libvirt/qemu/netboot.xml
@ -1,151 +0,0 @@
 <!--
 WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
 OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit netboot
 or other application using the libvirt API.
 -->
 <domain type='kvm'>
  <name>netboot</name>
  <uuid>60ea84db-de6c-493c-8e3f-8e9a99ee19c2</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://debian.org/debian/11"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <os>
    <type arch='x86_64' machine='pc-q35-3.1'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/netboot_VARS.fd</nvram>
    <boot dev='network'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <cpu mode='host-model' check='partial'>
    <model fallback='allow'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
    </controller>
    <controller type='sata' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pcie-root'/>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
    </controller>
    <controller type='pci' index='1' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='1' port='0x10'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
    </controller>
    <controller type='pci' index='2' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='2' port='0x11'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
    </controller>
    <controller type='pci' index='3' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='3' port='0x12'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
    </controller>
    <controller type='pci' index='4' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='4' port='0x13'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
    </controller>
    <controller type='pci' index='5' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='5' port='0x14'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
    </controller>
    <controller type='pci' index='6' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='6' port='0x15'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
    </controller>
    <interface type='direct'>
      <mac address='52:54:00:VMMAC'/>
      <source dev='INTERFACE' mode='bridge'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:46:a6:25'/>
      <source network='default'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:5c:fc:08'/>
      <source network='intern'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='unix'>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='2'/>
    </channel>
    <input type='tablet' bus='usb'>
      <address type='usb' bus='0' port='1'/>
    </input>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' autoport='yes'>
      <listen type='address'/>
      <image compression='off'/>
    </graphics>
    <sound model='ich9'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='3'/>
    </redirdev>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
    </memballoon>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
    </rng>
  </devices>
 </domain>
--- a/roles/edulive/files/gnome-edu/config/includes.chroot/etc/libvirt/qemu/networks/autostart/default.xml
+++ b/roles/edulive/files/gnome-edu/config/includes.chroot/etc/libvirt/qemu/networks/autostart/default.xml
@ -1 +0,0 @@
 ../default.xml
--- a/roles/edulive/files/gnome-edu/config/includes.chroot/etc/libvirt/qemu/networks/autostart/intern.xml
+++ b/roles/edulive/files/gnome-edu/config/includes.chroot/etc/libvirt/qemu/networks/autostart/intern.xml
@ -1 +0,0 @@
 ../intern.xml
--- a/roles/edulive/files/gnome-edu/config/includes.chroot/etc/libvirt/qemu/networks/intern.xml
+++ b/roles/edulive/files/gnome-edu/config/includes.chroot/etc/libvirt/qemu/networks/intern.xml
@ -1,14 +0,0 @@
 <!--
 WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
 OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh net-edit intern
 or other application using the libvirt API.
 -->
 <network>
  <name>intern</name>
  <uuid>399d67ae-263b-4aeb-995d-fe0a44f00132</uuid>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:93:e1:ee'/>
  <domain name='intern'/>
 </network>
--- a/roles/edulive/files/gnome-edu/config/includes.chroot/etc/sysctl.d/sysctl.conf
+++ b/roles/edulive/files/gnome-edu/config/includes.chroot/etc/sysctl.d/sysctl.conf
@ -1,3 +0,0 @@
 # Uncomment the following to stop low-level messages on console
 kernel.printk = 3 4 1 3
--- a/Show more
+++ b/Show more
		`@ -1,2 +0,0 @@`
			`DDNSNAME="{{ ddns_domain }}"`
			`KEYAUTH="{{ ddns_updkey }}"`
		`@ -1,2 +0,0 @@`
			`search {{ ansible_domain }}.`
			`nameserver 127.0.0.1`
		`@ -1 +0,0 @@`
			`{{ contname }}{{ "%02d" \| format(item\|int) }}`
		`@ -1,2 +0,0 @@`
			`This config space is based on:`
			`https://salsa.debian.org/live-team/live-images/-/tree/debian/images/gnome-desktop`
		`@ -1 +0,0 @@`
			`/usr/share/live/build/hooks/live/0010-disable-kexec-tools.hook.chroot`
		`@ -1 +0,0 @@`
			`/usr/share/live/build/hooks/live/0050-disable-sysvinit-tmpfs.hook.chroot`
		`@ -1 +0,0 @@`
			`/usr/share/live/build/hooks/normal/0020-create-mtab-symlink.hook.chroot`
		`@ -1 +0,0 @@`
			`/usr/share/live/build/hooks/normal/0030-enable-cryptsetup.hook.chroot`
		`@ -1 +0,0 @@`
			`/usr/share/live/build/hooks/normal/0040-create-locales-files.hook.chroot`
		`@ -1 +0,0 @@`
			`/usr/share/live/build/hooks/normal/0100-remove-adjtime-configuration.hook.chroot`