diff --git a/lmn-client.yml b/lmn-client.yml index 935a45d..a3d44fd 100644 --- a/lmn-client.yml +++ b/lmn-client.yml @@ -20,16 +20,17 @@ - name: Apply common configuration to the machines hosts: all # desktop:laptop remote_user: ansible - become: yes + become: true pre_tasks: - - pause: + - name: Ask for global-admin AD password + ansible.builtin.pause: prompt: "Enter global-admin AD password. Leave empty to skip domain join" echo: false register: adpw no_log: true when: "ansible_cmdline.adpw is not defined" - name: Preseed apparmor - debconf: + ansible.builtin.debconf: name: apparmor question: apparmor/homedirs value: >- @@ -38,7 +39,7 @@ /srv/samba/schools/default-school/examusers/ vtype: string - name: Preseed unattended-upgrades - debconf: + ansible.builtin.debconf: name: unattended-upgrades question: unattended-upgrades/enable_auto_updates value: true @@ -115,13 +116,13 @@ tasks: ## Temporary fixes and quirks: - name: Remove disturbing NetworkManager connection - file: + ansible.builtin.file: path: "/etc/NetworkManager/system-connections/Wired connection 1" state: absent when: ansible_interfaces | select('search', '^en[pso].+') | length > 1 - name: Fix 8086:4909 external graphics card - replace: + ansible.builtin.replace: dest: "/etc/default/grub" regexp: 'GRUB_CMDLINE_LINUX=""$' replace: 'GRUB_CMDLINE_LINUX="i915.force_probe=4909"' @@ -129,7 +130,7 @@ when: ansible_board_vendor == "LENOVO" and ansible_board_name == "32CB" - name: Fix sound on 312A - replace: + ansible.builtin.replace: dest: "/etc/default/grub" regexp: 'GRUB_CMDLINE_LINUX="snd-intel-dspcfg.dsp_driver=1"$' replace: 'GRUB_CMDLINE_LINUX=""' @@ -137,7 +138,7 @@ when: ansible_board_vendor == "LENOVO" and ansible_board_name == "312A" - name: Fix sound on 312A and 312D - apt: + ansible.builtin.apt: name: firmware-sof-signed state: latest when: 
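Review bot: The newly named pause task in the @@ -20 hunk is skipped when `ansible_cmdline.adpw` is defined, so the global-admin AD password may arrive on the kernel command line, where it is world-readable via /proc/cmdline for the life of that boot; `no_log: true` on the task covers only the prompted path. If the installer really passes it that way, the value should be scrubbed after the join (or the host rebooted into a normal command line), and the task could say so: `# adpw may also come from the kernel cmdline (installer); it stays visible in /proc/cmdline until reboot`. This is context in the hunk rather than something the commit changed.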
> @@ -145,31 +146,32 @@ (ansible_board_name == "312D" or ansible_board_name == "312A") - name: Install customized CodeBlocks packages + when: "'PCroom' in group_names" block: - name: Check for old CodeBlocks - command: + ansible.builtin.command: cmd: dpkg -l codeblocks register: codeblocks_version - changed_when: False + changed_when: false - name: Download codeblocks zip archive ansible.builtin.get_url: url: "http://livebox.pn.steinbeis.schule/codeblocks/CodeBlocks.zip" dest: /tmp/CodeBlocks.zip - use_proxy: False + mode: '0644' + use_proxy: false register: new_codeblocks when: codeblocks_version.stdout is not search('svn13544') - name: Unpack zip archive and install packages manually - shell: + ansible.builtin.shell: cmd: unzip -d /tmp/cb/ CodeBlocks.zip && dpkg -i cb/*.deb chdir: /tmp/ when: new_codeblocks.changed | default(false) - when: "'PCroom' in group_names" ## Clean up stuff from obsolete/faulty tasks: - name: Remove sddm login screen patch with deprecated marker (homeondisk) - blockinfile: + ansible.builtin.blockinfile: path: /usr/share/sddm/themes/debian-breeze/Main.qml marker: // {mark} ANSIBLE MANAGED BLOCK homeondisk state: absent @@ -180,15 +182,15 @@ - cachefilesd - mosquitto state: absent - purge: True + purge: true - name: Remove virtiofs service - file: + ansible.builtin.file: path: /etc/systemd/system/virtiofs@.service state: absent - name: Fix mount point permissions and owner - file: + ansible.builtin.file: path: "{{ item }}" mode: '0755' owner: root @@ -198,7 +200,7 @@ - /srv/samba/schools - name: Remove pam_mount sysvol mount - blockinfile: + ansible.builtin.blockinfile: dest: /etc/security/pam_mount.conf.xml marker: "" block: | 
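Review bot: In the @@ -145 hunk the CodeBlocks archive is fetched over plain HTTP with `use_proxy: false` and no `checksum:`, and its `.deb` files are then installed as root by `dpkg -i cb/*.deb`; the added `mode: '0644'` does not address integrity, so pin the artefact with `checksum: "sha256:<expected-sha256>"` on the get_url task. The extraction also uses the fixed path `/tmp/cb/` under a world-writable directory, so any local user can pre-populate it with extra `.deb` files that the wildcard installs as root; a root-owned directory from `ansible.builtin.tempfile` (state: directory) avoids that. Separately, `dpkg -l codeblocks` exits 1 when the package is not installed yet, which would fail the block before the download runs unless the check task gets `failed_when: false` like the IPP grep later in this file.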
@@ -212,28 +214,30 @@ state: absent - - name: check if rmlpr.timer is installed - stat: path=/etc/systemd/system/rmlpr.timer + - name: Check if rmlpr.timer is installed + ansible.builtin.stat: + path: /etc/systemd/system/rmlpr.timer register: rmlpr - - name: disable rmlpr.timer - systemd: + - name: Disable rmlpr.timer + ansible.builtin.systemd: name: rmlpr.timer enabled: false when: rmlpr.stat.exists - - name: check if vmimage-torrent.service is installed - stat: path=/etc/systemd/system/vmimage-torrent.service + - name: Check if vmimage-torrent.service is installed + ansible.builtin.stat: + path: /etc/systemd/system/vmimage-torrent.service register: vmimagetorrent - - name: disable vmimage-torrent.service - systemd: + - name: Disable vmimage-torrent.service + ansible.builtin.systemd: name: vmimage-torrent.service enabled: false when: vmimagetorrent.stat.exists - name: Remove deprecated files and directories - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: @@ -269,12 +273,13 @@ - /etc/NetworkManager/system-connections/macvlan-vm-macvtap.nmconnection - /etc/tmpfiles.d/clean-exam.conf - - name: check if vm_usage_information.txt exists - stat: path=/lmn/vm/vm_usage_information.txt + - name: Check if vm_usage_information.txt exists + ansible.builtin.stat: + path: /lmn/vm/vm_usage_information.txt register: vm_usage_information - - name: pre-fill vm_usage_information.txt - shell: + - name: Pre-fill vm_usage_information.txt + ansible.builtin.shell: cmd: | ls -tr *.qcow2 > vm_usage_information.txt || touchvm_usage_information.txt chown lmnsynci:lmnsynci vm_usage_information.txt @@ -285,11 +290,11 @@ ansible.builtin.shell: cmd: grep "IPP Everywhere" /etc/cups/printers.conf register: ipp_everywhere - failed_when: False - changed_when: False + failed_when: false + changed_when: false - name: Delete old IPP-Everywhere printers - shell: + ansible.builtin.shell: cmd: | for p in $(lpstat -p | cut -d" " -f2); do lpadmin -x "$p" 
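Review bot: In the @@ -269 hunk the fallback in the pre-fill command reads `touchvm_usage_information.txt` (no space after `touch`); if that is not a rendering artefact, the `||` branch is a non-existent command and the task fails exactly when there are no `*.qcow2` files yet. The intended line is `ls -tr *.qcow2 > vm_usage_information.txt || touch vm_usage_information.txt`. The task's `chdir` and `when` lie outside the hunk; if there is no `when: not vm_usage_information.stat.exists`, the stat registered just above it is unused.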
@@ -297,17 +302,17 @@ when: not ipp_everywhere.rc - name: Remove old VM-printerlists - shell: + ansible.builtin.shell: cmd: rm -f /lmn/media/*/.printerlist.csv - name: Remove Listen on VMBridge - lineinfile: + ansible.builtin.lineinfile: dest: /etc/cups/cupsd.conf line: 'Listen 192.168.122.1:631' state: absent - name: Remove NetworkManager Ansible-Block for non-laptops - blockinfile: + ansible.builtin.blockinfile: path: /etc/NetworkManager/NetworkManager.conf state: absent when: "'laptop' not in group_names" @@ -343,7 +348,7 @@ - name: Timestamp successfull run and send up-to-date report ansible.builtin.shell: cmd: date --iso-8601=seconds >> /var/local/ansible-stamps && /usr/local/sbin/reporter - changed_when: False + changed_when: false tags: upgrade - name: Force ansible-run after install trough emitter by setting timestamp in the past @@ -356,7 +361,7 @@ - name: Apply additional laptop configuration hosts: laptop remote_user: ansible - become: yes + become: true vars_files: lmn-vault vars: localuser: "{{ vault_localuser }}" @@ -366,7 +371,7 @@ when: "'teacherlaptop' not in group_names" tasks: - name: Remove deprecated files and directories (laptop-class) - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: @@ -380,7 +385,7 @@ - name: Enable wpa-supplicant ansible.builtin.systemd: name: wpa_supplicant.service - enabled: True + enabled: true tags: - never - wlan_8021x @@ -388,13 +393,13 @@ - name: Disable iwd ansible.builtin.systemd: name: iwd.service - enabled: False + enabled: false tags: - never - wlan_8021x - name: Remove deprecated NetworkManager config - blockinfile: + ansible.builtin.blockinfile: path: /etc/NetworkManager/NetworkManager.conf state: absent tags: @@ -405,7 +410,7 @@ - name: Apply roles that must run serial hosts: all remote_user: ansible - become: yes + become: true serial: 1 ignore_unreachable: true diff --git a/roles/kerberize/handlers/main.yml b/roles/kerberize/handlers/main.yml index 3ac7e3e..1e2ceab 100644 
--- a/roles/kerberize/handlers/main.yml +++ b/roles/kerberize/handlers/main.yml @@ -1,5 +1,5 @@ -- name: reload sshd - systemd: +- name: Reload sshd + ansible.builtin.systemd: name: sshd state: reloaded when: not run_in_installer|default(false)|bool diff --git a/roles/kerberize/tasks/main.yml b/roles/kerberize/tasks/main.yml index ee17a3e..92f11fe 100644 --- a/roles/kerberize/tasks/main.yml +++ b/roles/kerberize/tasks/main.yml @@ -1,28 +1,30 @@ - name: Install kerberos packages - apt: + ansible.builtin.apt: name: krb5-user - state: latest - name: Kerberize sshd server ansible.builtin.copy: dest: /etc/ssh/sshd_config.d/kerberize.conf + mode: '0644' content: | GSSAPIAuthentication yes - notify: "reload sshd" + notify: "Reload sshd" - name: Kerberize ssh client, authenticate and delegate credentials ansible.builtin.copy: dest: /etc/ssh/ssh_config.d/kerberize.conf + mode: '0644' content: | GSSAPIAuthentication yes GSSAPIDelegateCredentials yes - name: Check if firefox is available - stat: path=/etc/firefox-esr/firefox-esr.js + ansible.builtin.stat: + path: /etc/firefox-esr/firefox-esr.js register: firefox - name: Kerberize firefox for sites in the local domain - lineinfile: + ansible.builtin.lineinfile: dest: /etc/firefox-esr/firefox-esr.js line: "{{ item }}" with_items: @@ -32,13 +34,15 @@ when: firefox.stat.exists - name: Ensures /etc/chromium/policies/managed dir exists - file: + ansible.builtin.file: path: "/etc/chromium/policies/managed" state: directory + mode: '0755' - name: Kerberize chromium for sites in the local domain - copy: + ansible.builtin.copy: dest: /etc/chromium/policies/managed/idam.json + mode: '0644' content: | { "AuthServerAllowlist": "idam.steinbeis.schule" diff --git a/roles/lmn_exam/tasks/main.yml b/roles/lmn_exam/tasks/main.yml index b604ea8..0e3bc4e 100644 --- a/roles/lmn_exam/tasks/main.yml +++ b/roles/lmn_exam/tasks/main.yml 
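Review bot: The ssh client snippet in the kerberize @@ -1 hunk enables `GSSAPIDelegateCredentials yes` with no `Host` restriction, so every ssh connection a user makes, including to hosts outside the domain, forwards a forwardable TGT to that server; the added `mode: '0644'` leaves that unchanged. Scope both directives in the `content:` block under a `Host *.<domain>` stanza (templated from the role's domain variable) so delegation only happens towards the local realm. The sshd-side snippet only turns on `GSSAPIAuthentication`, which is fine as is.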
@@ -10,7 +10,7 @@ ansible.builtin.systemd: name: firewalld state: stopped - when: result.changed + when: result.changed # noqa: no-handler - name: Disable firewalld-service ansible.builtin.systemd: diff --git a/roles/lmn_fvs/handlers/main.yml b/roles/lmn_fvs/handlers/main.yml index 8d70859..d6688c6 100644 --- a/roles/lmn_fvs/handlers/main.yml +++ b/roles/lmn_fvs/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: Run update-desktop-database - command: update-desktop-database "{{ item }}" + ansible.builtin.command: update-desktop-database "{{ item }}" loop: - /usr/local/share/applications - /usr/local/share/desktop-directories diff --git a/roles/lmn_fvs/tasks/main.yml b/roles/lmn_fvs/tasks/main.yml index 79e4682..075b68d 100644 --- a/roles/lmn_fvs/tasks/main.yml +++ b/roles/lmn_fvs/tasks/main.yml @@ -14,9 +14,8 @@ vtype: string when: mirror_msfonts is defined and mirror_msfonts | length > 0 - - name: Install desktop EDU packages and some more - apt: + ansible.builtin.apt: name: - atftp - audacity @@ -90,7 +89,7 @@ http_proxy: '' # this is needed to avoid ttf-mscorefonts-installer picking up aptcacher - name: Remove update notifications from plasma-discover - apt: + ansible.builtin.apt: name: - plasma-discover autoremove: true @@ -100,6 +99,7 @@ - name: Make sure wireshark works for all users after installation and upgrades ansible.builtin.copy: dest: /etc/apt/apt.conf.d/92wireshark4all + mode: '0644' content: | ## Modify permissions after installation/upgrade to allow all ## users dumping packages on network interfaces for wireshark @@ -122,6 +122,7 @@ ansible.builtin.copy: src: policies.json dest: /etc/firefox-esr/policies/ + mode: '0644' - name: Create chromium policies directory ansible.builtin.file: @@ -130,8 +131,9 @@ mode: '0755' - name: Set chromium proxy-policy to auto_detect - copy: + ansible.builtin.copy: dest: /etc/chromium/policies/managed/proxy.json + mode: '0644' content: | { "ProxyMode": "auto_detect" 
@@ -144,20 +146,20 @@ replace: ' \1' - name: Copy some scripts - copy: + ansible.builtin.copy: src: "{{ item }}" dest: /usr/local/sbin/ - mode: 0755 + mode: '0755' loop: - pwroff - bootorder.sh - reporter - name: Provide services and timers for some scripts - copy: + ansible.builtin.copy: src: "{{ item }}" dest: "/etc/systemd/system/{{ item }}" - mode: 0644 + mode: '0644' loop: - pwroff.service - pwroff.timer @@ -166,7 +168,7 @@ when: "'teacherlaptop' not in group_names" - name: Enable pwroff.timer - systemd: + ansible.builtin.systemd: name: "{{ item }}" enabled: true loop: @@ -175,7 +177,7 @@ when: "'teacherlaptop' not in group_names" - name: PXE first boot order - command: /usr/local/sbin/bootorder.sh + ansible.builtin.command: /usr/local/sbin/bootorder.sh register: cmd_result changed_when: cmd_result.stdout is not search('Nothing to do.') when: "'PCroom' in group_names" @@ -184,7 +186,7 @@ ansible.builtin.copy: src: "{{ item }}" dest: /usr/local/bin/ - mode: 0755 + mode: '0755' loop: - lmn-reset-dolphin.sh - lmn-patch-dolphin.sh @@ -194,19 +196,21 @@ ansible.builtin.copy: src: lmn-dolphin.sh dest: /etc/profile.d/ + mode: '0644' - name: Copy fvs-config.js to configure plasma ansible.builtin.copy: src: fvs-config.js dest: /usr/share/plasma/shells/org.kde.plasma.desktop/contents/updates/fvs-config.js - mode: 0644 + mode: '0644' - name: Configure some KDE aspects - blockinfile: + ansible.builtin.blockinfile: path: /etc/xdg/kdeglobals create: true + mode: '0644' block: | [KDE] SingleClick=false @@ -219,6 +223,7 @@ - name: Shut down when idle for too long ansible.builtin.copy: dest: /etc/xdg/powermanagementprofilesrc + mode: '0644' content: | [AC][SuspendSession] idleTime=7200000 
@@ -228,20 +233,22 @@ - name: Start with empty session by default ansible.builtin.copy: dest: /etc/xdg/ksmserverrc + mode: '0644' content: | [General] loginMode=emptySession - name: Fix primary screen for class room PCs with projector + when: "'CloneScreen' in group_names" block: - name: Set primary screen for login - blockinfile: + ansible.builtin.blockinfile: path: /usr/share/sddm/scripts/Xsetup block: | xrandr --output {{ dual_screen[0] }} --primary when: dual_screen is defined - name: Reset primary screen for login - blockinfile: + ansible.builtin.blockinfile: path: /usr/share/sddm/scripts/Xsetup state: absent when: dual_screen is not defined @@ -253,35 +260,36 @@ - name: Deploy fix-screen autostarter ansible.builtin.copy: dest: /etc/xdg/autostart/lmn-fix-screen.desktop + mode: '0644' content: | [Desktop Entry] Name=fix-screen Exec=lmn-fix-screen Type=Application NoDisplay=true - when: "'CloneScreen' in group_names" -#- name: Avoid starting kscreen (confusing autodetection) -# ansible.builtin.copy: -# dest: /etc/xdg/kded5rc -# content: | -# [Module-kscreen] -# autoload=false +# - name: Avoid starting kscreen (confusing autodetection) +# ansible.builtin.copy: +# dest: /etc/xdg/kded5rc +# content: | +# [Module-kscreen] +# autoload=false # -#- name: Disable automatic lock screen and user specific modifications -# ansible.builtin.copy: -# path: /etc/xdg/kscreenlockerrc -# content: | -# [Daemon][$i] -# Autolock=false -# LockOnResume=false +# - name: Disable automatic lock screen and user specific modifications +# ansible.builtin.copy: +# path: /etc/xdg/kscreenlockerrc +# content: | +# [Daemon][$i] +# Autolock=false +# LockOnResume=false # - name: Download libdvdcss from mirror ansible.builtin.get_url: url: "{{ mirror_dvdcss }}/libdvdcss.so.2.2.0" dest: /usr/lib/x86_64-linux-gnu/libdvdcss.so.2.2.0 - use_proxy: False + mode: '0644' + use_proxy: false when: mirror_dvdcss is defined and mirror_dvdcss | length > 0 - name: Link library so name 
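Review bot: In the @@ -253 hunk libdvdcss is downloaded from `{{ mirror_dvdcss }}` straight into `/usr/lib/x86_64-linux-gnu/` with no `checksum:`, so a shared library that user applications load is installed with no integrity check beyond whatever the mirror transport offers; `mode: '0644'` does not cover that. Add `checksum: "sha256:<expected-sha256>"` to the get_url task, or template it from a variable defined next to `mirror_dvdcss`. The CodeBlocks download in lmn-client.yml has the same gap.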
@@ -292,7 +300,7 @@ when: mirror_dvdcss is defined and mirror_dvdcss | length > 0 - name: Patch sddm login screen to show hostname - blockinfile: + ansible.builtin.blockinfile: path: /usr/share/sddm/themes/debian-breeze/Main.qml marker: // {mark} ANSIBLE MANAGED BLOCK insertbefore: '\s+//Footer' @@ -311,6 +319,7 @@ - name: Set git default-branch to main ansible.builtin.copy: dest: /etc/gitconfig + mode: '0644' content: | [init] defaultBranch = main @@ -318,7 +327,7 @@ - name: Adjust mmcblk-device gid to allow users to access SD-cards ansible.builtin.copy: dest: /etc/udev/rules.d/80-mmcblk.rules - mode: "0644" + mode: '0644' content: | KERNEL=="mmcblk[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", GROUP="domain users" KERNEL=="mmcblk[0-9]p[0-9]*", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", GROUP="domain users" diff --git a/roles/lmn_fvs/tasks/sync.yml b/roles/lmn_fvs/tasks/sync.yml index fca5788..0aed203 100644 --- a/roles/lmn_fvs/tasks/sync.yml +++ b/roles/lmn_fvs/tasks/sync.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: "{{ item }}" state: directory - mode: 0755 + mode: '0755' loop: - /usr/local/share/applications - /usr/local/share/desktop-directories @@ -13,24 +13,26 @@ ansible.builtin.copy: src: fvs.directory dest: /usr/local/share/desktop-directories/ + mode: '0644' notify: Run update-desktop-database - name: Copy fvs.menu ansible.builtin.copy: src: fvs.menu dest: /etc/xdg/menus/applications-merged/ + mode: '0644' notify: Run update-desktop-database - name: Copy lmn-sync script ansible.builtin.copy: src: lmn-sync dest: /usr/local/sbin/ - mode: 0755 + mode: '0755' register: lmn_sync - name: Run lmn-sync script ansible.builtin.shell: /usr/local/sbin/lmn-sync - when: lmn_sync.changed + when: lmn_sync.changed # noqa: no-handler - name: Deploy sudo configurations (lmn-sync for role-teacher) ansible.builtin.copy: 
@@ -42,15 +44,15 @@ %role-teacher ALL=(root) NOPASSWD: /usr/local/sbin/lmn-sync - name: Provide lmn-sync service and timer - copy: + ansible.builtin.copy: src: "{{ item }}" dest: "/etc/systemd/system/{{ item }}" - mode: 0644 + mode: '0644' loop: - lmn-sync.service - lmn-sync.timer - name: Enable lmn-sync.timer - systemd: + ansible.builtin.systemd: name: lmn-sync.timer enabled: true diff --git a/roles/lmn_kde/handlers/main.yml b/roles/lmn_kde/handlers/main.yml index e2b8cdf..8a20c3b 100644 --- a/roles/lmn_kde/handlers/main.yml +++ b/roles/lmn_kde/handlers/main.yml @@ -1,2 +1,2 @@ - name: Run update-grub - command: update-grub + ansible.builtin.command: update-grub diff --git a/roles/lmn_kde/tasks/main.yml b/roles/lmn_kde/tasks/main.yml index 627f9b3..d65fc31 100644 --- a/roles/lmn_kde/tasks/main.yml +++ b/roles/lmn_kde/tasks/main.yml @@ -39,7 +39,7 @@ autoremove: true state: latest -- name: Add {{ ansible_distribution_release }}-backports +- name: Add backports {{ ansible_distribution_release }} ansible.builtin.apt_repository: repo: deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main non-free-firmware state: present @@ -69,6 +69,7 @@ ansible.builtin.blockinfile: path: /etc/xdg/akonadi/akonadiserverrc create: true + mode: '0644' block: | [%General] Driver=QSQLITE3 @@ -83,10 +84,11 @@ /srv/samba/schools/default-school/examusers/ -- name: tune SDDM login +- name: Tune SDDM login ansible.builtin.blockinfile: path: /etc/sddm.conf create: true + mode: '0644' block: | [Users] MaximumUid=999 @@ -96,6 +98,7 @@ - name: Enable wake-on-lan for all ethernet connections ansible.builtin.copy: dest: /etc/NetworkManager/conf.d/wake-on-lan.conf + mode: '0644' content: | [connection] ethernet.wake-on-lan=64 
@@ -103,12 +106,14 @@ - name: Prepare directory for apt-daily override ansible.builtin.file: path: /etc/systemd/system/apt-daily.timer.d/ - recurse: True + recurse: true + mode: '0755' state: directory - name: Run apt update early to avoid outdated package lists ansible.builtin.copy: dest: /etc/systemd/system/apt-daily.timer.d/override.conf + mode: '0644' content: | [Timer] RandomizedDelaySec=30m @@ -124,6 +129,7 @@ ansible.builtin.blockinfile: path: /etc/systemd/sleep.conf.d/nosuspend.conf create: true + mode: '0644' block: | [Sleep] AllowSuspend=no @@ -175,7 +181,7 @@ dest: /etc/default/grub regexp: '^(GRUB_TIMEOUT=).*' line: '\g<1>1' - backrefs: yes + backrefs: true notify: Run update-grub - name: Keyboard compose key @@ -183,10 +189,11 @@ dest: /etc/default/keyboard regexp: '^(XKBOPTIONS=).*' line: '\1"compose:caps"' - backrefs: yes + backrefs: true - name: Default KDE filepicker ansible.builtin.lineinfile: path: /etc/environment.d/90lmn-filepicker.conf create: true + mode: '0644' line: GTK_USE_PORTAL=1 diff --git a/roles/lmn_localhome/tasks/main.yml b/roles/lmn_localhome/tasks/main.yml index 37fc329..05a5a6b 100644 --- a/roles/lmn_localhome/tasks/main.yml +++ b/roles/lmn_localhome/tasks/main.yml @@ -1,12 +1,12 @@ --- -- name: enable pam_mkhomedir.so - lineinfile: +- name: Enable pam_mkhomedir.so + ansible.builtin.lineinfile: dest: /etc/pam.d/common-session line: "session optional pam_mkhomedir.so umask=0077" insertbefore: '^session\s*optional\s*pam_mount.so' - name: Patch sddm login screen to inform about localhome - blockinfile: + ansible.builtin.blockinfile: path: /usr/share/sddm/themes/debian-breeze/Main.qml marker: // {mark} ANSIBLE MANAGED BLOCK localhome insertbefore: '\s+//Footer' 
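Review bot: In the @@ -103 hunk `mode: '0755'` is added to a task that still has `recurse: true`, so every run re-applies 0755 to whatever already exists under `/etc/systemd/system/apt-daily.timer.d/`, including the `override.conf` that the next task deploys as 0644; the two tasks would then flip the file's mode and report changed on every run. `state: directory` already creates missing parents on its own, so drop `recurse: true` here.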
@@ -26,11 +26,12 @@ ansible.builtin.copy: src: lmn-create-unisonconfig.sh dest: /usr/local/bin/ - mode: 0755 + mode: '0755' - name: Install auto-logout-script for first login in /etc/profile.d/ - copy: + ansible.builtin.copy: dest: /etc/profile.d/lmn-logout.sh + mode: '0755' content: | [[ "${UID}" -gt 10000 ]] && ! findmnt "/lmn/media/${USER}/home" > /dev/null && exit 0 {% if 'teacherlaptop' not in group_names %} diff --git a/roles/lmn_mount/tasks/main.yml b/roles/lmn_mount/tasks/main.yml index 177724d..572e061 100644 --- a/roles/lmn_mount/tasks/main.yml +++ b/roles/lmn_mount/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install needed packages - apt: + ansible.builtin.apt: name: - libpam-mount - cifs-utils @@ -10,7 +10,7 @@ state: latest - name: Configure pam_mount for Webdav Nextcloud - blockinfile: + ansible.builtin.blockinfile: dest: /etc/security/pam_mount.conf.xml marker: "" block: | @@ -25,7 +25,7 @@ when: web_dav is defined and web_dav | length > 0 - name: Configure pam_mount for LMN homes - blockinfile: + ansible.builtin.blockinfile: dest: /etc/security/pam_mount.conf.xml marker: "" block: | @@ -55,6 +55,7 @@ ansible.builtin.file: path: /etc/systemd/user-environment-generators/ state: directory + mode: '0755' - name: Prepare generator for persistent user cache directory ansible.builtin.copy: diff --git a/roles/lmn_network/tasks/main.yml b/roles/lmn_network/tasks/main.yml index 2fc95f4..965256d 100644 --- a/roles/lmn_network/tasks/main.yml +++ b/roles/lmn_network/tasks/main.yml @@ -1,7 +1,8 @@ --- - name: Deploy http proxy config - copy: + ansible.builtin.copy: dest: /etc/environment.d/10-lmn-proxy.conf + mode: '0644' content: | http_proxy="{{ proxy }}" https_proxy="{{ proxy }}" @@ -12,6 +13,7 @@ - name: Set aptcache ansible.builtin.copy: dest: /etc/apt/apt.conf + mode: '0644' content: > {{ apt_conf }} 
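Review bot: In the lmn_localhome @@ -26 hunk the new `mode: '0755'` for `/etc/profile.d/lmn-logout.sh` is inconsistent with the rest of this commit, which deploys the other `/etc/profile.d/` snippets (`lmn-dolphin.sh`, `lmn-printer.sh`) as `'0644'`. Files in profile.d are sourced by the login shell, not executed, so the execute bit buys nothing; use `mode: '0644'` here as well.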
@@ -22,7 +24,7 @@ line: NTP={{ ntp_serv }} - name: Add proposed-updates repository - apt_repository: + ansible.builtin.apt_repository: repo: > deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-proposed-updates main non-free-firmware diff --git a/roles/lmn_printer/tasks/main.yml b/roles/lmn_printer/tasks/main.yml index 394c07c..171a2fa 100644 --- a/roles/lmn_printer/tasks/main.yml +++ b/roles/lmn_printer/tasks/main.yml @@ -1,26 +1,25 @@ --- - name: Install cups - apt: + ansible.builtin.apt: name: - cups - state: latest - name: Disable cups printer browsing - lineinfile: + ansible.builtin.lineinfile: dest: /etc/cups/cupsd.conf regexp: '^(Browsing ).*' line: '\1No' - backrefs: yes + backrefs: true - name: Listen on all Interfaces - lineinfile: + ansible.builtin.lineinfile: dest: /etc/cups/cupsd.conf line: 'Listen *:631' regexp: '^Listen localhost' state: present - name: Allow access from localhost and from VM - blockinfile: + ansible.builtin.blockinfile: dest: /etc/cups/cupsd.conf block: | Allow localhost @@ -33,7 +32,7 @@ - "/admin" - name: Allow group role-teacher to manage printers - lineinfile: + ansible.builtin.lineinfile: dest: /etc/cups/cups-files.conf line: 'SystemGroup root lpadmin role-teacher' regexp: '^SystemGroup' @@ -44,24 +43,25 @@ ansible.builtin.systemd: name: cups-browsed.service state: stopped - enabled: no + enabled: false - name: Install install-printers.sh - template: + ansible.builtin.template: src: install-printers.sh.j2 dest: /usr/local/bin/install-printers.sh - mode: 0755 + mode: '0755' - name: Install lmn-install-printers sudoers - copy: + ansible.builtin.copy: src: 90-lmn-install-printers dest: /etc/sudoers.d/ - mode: 0660 + mode: '0660' owner: root group: root - name: Run printer script from /etc/profile.d/ - copy: + ansible.builtin.copy: dest: /etc/profile.d/lmn-printer.sh + mode: '0644' content: | [[ "${UID}" -gt 10000 ]] && (sudo /usr/local/bin/install-printers.sh > /dev/null &) 
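Review bot: In the lmn_printer @@ -44 hunk the sudoers drop-in `90-lmn-install-printers` is copied with `mode: '0660'` and without `validate:`, so a group-writable file lands in `/etc/sudoers.d/` and a syntax error in it would break sudo for the whole host before anyone notices. Use `mode: '0440'` and `validate: /usr/sbin/visudo -cf %s` on that copy task. The sudoers copies in roles/lmn_fvs/tasks/sync.yml and roles/lmn_vm/tasks/main.yml (`Deploy sudo configurations`) should get the same `validate:`; their mode lines are outside those hunks.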
diff --git a/roles/lmn_security/handlers/main.yml b/roles/lmn_security/handlers/main.yml index 4a3b124..1e2ceab 100644 --- a/roles/lmn_security/handlers/main.yml +++ b/roles/lmn_security/handlers/main.yml @@ -1,5 +1,5 @@ - name: Reload sshd - systemd: + ansible.builtin.systemd: name: sshd state: reloaded when: not run_in_installer|default(false)|bool diff --git a/roles/lmn_security/tasks/main.yml b/roles/lmn_security/tasks/main.yml index 3ce31d5..10a2d69 100644 --- a/roles/lmn_security/tasks/main.yml +++ b/roles/lmn_security/tasks/main.yml @@ -9,7 +9,7 @@ ansible.builtin.lineinfile: path: /etc/sudoers.d/95-lmn-ansible line: 'ansible ALL=(root) NOPASSWD: ALL' - create: True + create: true owner: root group: root mode: '0700' @@ -17,12 +17,13 @@ - name: Disable ansible user login ansible.builtin.user: name: ansible - password_lock: True + password_lock: true - name: Limit SSH access to user ansible ansible.builtin.blockinfile: dest: /etc/ssh/sshd_config.d/local.conf create: true + mode: '0644' block: | PasswordAuthentication no AllowUsers ansible diff --git a/roles/lmn_sssd/handlers/main.yml b/roles/lmn_sssd/handlers/main.yml index c7c508b..6fdda36 100644 --- a/roles/lmn_sssd/handlers/main.yml +++ b/roles/lmn_sssd/handlers/main.yml @@ -1,3 +1,6 @@ -- name: restart sssd - service: name=sssd state=restarted enabled=yes - listen: "restart sssd" +- name: Restart sssd + ansible.builtin.service: + name: sssd + state: restarted + enabled: true + listen: "Restart sssd" diff --git a/roles/lmn_sssd/tasks/main.yml b/roles/lmn_sssd/tasks/main.yml index 069f67c..ed44ce5 100644 --- a/roles/lmn_sssd/tasks/main.yml +++ b/roles/lmn_sssd/tasks/main.yml 
@@ -1,22 +1,21 @@ --- - name: Install needed packages - apt: + ansible.builtin.apt: name: - sssd-ad - sssd-tools - adcli - state: latest - name: Provide user identities from AD - template: + ansible.builtin.template: src: sssd.conf.j2 dest: /etc/sssd/sssd.conf - mode: 0600 - notify: restart sssd + mode: '0600' + notify: Restart sssd ## Either one of the variables is defined: - name: Join the domain - shell: + ansible.builtin.shell: cmd: > echo "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}" | adcli join --stdin-password -U global-admin {{ domain | upper }} diff --git a/roles/lmn_vm/defaults/main.yml b/roles/lmn_vm/defaults/main.yml index ad2a507..55cb580 100644 --- a/roles/lmn_vm/defaults/main.yml +++ b/roles/lmn_vm/defaults/main.yml @@ -1,2 +1,3 @@ --- vm_support: false +torrent_srv: "seedbox.{{ domain }}" diff --git a/roles/lmn_vm/handlers/main.yml b/roles/lmn_vm/handlers/main.yml index 9c550b0..e8829ac 100644 --- a/roles/lmn_vm/handlers/main.yml +++ b/roles/lmn_vm/handlers/main.yml @@ -1,5 +1,5 @@ - name: Reload libvirtd - systemd: + ansible.builtin.systemd: name: libvirtd.service listen: reload libvirtd diff --git a/roles/lmn_vm/tasks/main.yml b/roles/lmn_vm/tasks/main.yml index 5a79cf3..7212db0 100644 --- a/roles/lmn_vm/tasks/main.yml +++ b/roles/lmn_vm/tasks/main.yml 
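Review bot: In the lmn_sssd @@ -1 hunk the domain-join task still builds the password into the shell command line, `echo "{{ ... }}" | adcli join --stdin-password …`, so it passes through the shell unescaped (a password containing `"`, `$` or backticks breaks or is expanded) and shows up in the rendered command of any verbose run and transiently in the `sh -c` argv; switching the module name to `ansible.builtin.shell` does not change that. Feed it through the module's `stdin:` instead: `ansible.builtin.command: cmd: adcli join --stdin-password -U global-admin {{ domain | upper }}` with `stdin: "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}"` and `no_log: true`. Whether the task already carries `no_log` or a `when` is outside the hunk.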
@@ -4,32 +4,31 @@ - name: Allow users to attach to bridge ansible.builtin.copy: dest: /etc/apt/apt.conf.d/94qemu-bridge-suid + mode: '0644' content: | ## Modify permissions after installation/upgrade ## to run qemu-bridge as root DPkg::Post-Invoke {"/usr/bin/chmod 4755 /usr/lib/qemu/qemu-bridge-helper || true"; }; -- name: install libvirt packages - apt: +- name: Install libvirt packages + ansible.builtin.apt: name: - aria2 - mktorrent - libvirt-daemon-system - virt-manager - dialog # for vm-netboot menu - state: latest - autoremove: true - #- name: allow all users to use VMs - # lineinfile: - # dest: /etc/libvirt/libvirtd.conf - # line: 'auth_unix_rw = "none"' - # insertafter: '#auth_unix_rw = "polkit"' - # notify: reload libvirtd + # - name: allow all users to use VMs + # lineinfile: + # dest: /etc/libvirt/libvirtd.conf + # line: 'auth_unix_rw = "none"' + # insertafter: '#auth_unix_rw = "polkit"' + # notify: reload libvirtd - name: Configure pam_mount for VM bind mounts - blockinfile: + ansible.builtin.blockinfile: dest: /etc/security/pam_mount.conf.xml marker: "" block: | @@ -49,7 +48,7 @@ insertafter: "" - name: Configure pam_mount for VM bind mounts - blockinfile: + ansible.builtin.blockinfile: dest: /etc/security/pam_mount.conf.xml marker: "" block: | @@ -63,7 +62,7 @@ when: localhome is defined and localhome - name: Use umount script for proper cleanup - blockinfile: + ansible.builtin.blockinfile: dest: /etc/security/pam_mount.conf.xml marker: "" block: | @@ -75,16 +74,16 @@ ansible.builtin.copy: src: pam-umount.sh dest: /usr/local/sbin/pam-umount.sh - mode: "0755" + mode: '0755' - name: Insert domain in default-network - lineinfile: + ansible.builtin.lineinfile: path: /etc/libvirt/qemu/networks/default.xml line: ' ' insertafter: '' - name: Autostart default network for VMs - file: + ansible.builtin.file: src: /etc/libvirt/qemu/networks/default.xml dest: /etc/libvirt/qemu/networks/autostart/default.xml state: link 
@@ -97,56 +96,57 @@ create_home: false - name: Create /etc/lmn directory - file: + ansible.builtin.file: path: /etc/lmn state: directory + mode: '0755' - name: Create /lmn directory - file: + ansible.builtin.file: path: /lmn state: directory + mode: '0755' - name: Create /lmn/media directory - file: + ansible.builtin.file: path: /lmn/media state: directory mode: '1777' - name: Create /var/vm directory - file: + ansible.builtin.file: path: /var/vm state: directory mode: '1777' - name: Create vm directory - file: + ansible.builtin.file: path: /lmn/vm state: directory owner: lmnsynci group: lmnsynci - mode: 0755 + mode: '0755' - name: Create cleanup-vm.conf ansible.builtin.copy: dest: /etc/tmpfiles.d/clean-vm.conf + mode: '0644' content: | D /var/tmp/vm 1777 root root - - name: Install squid - apt: + ansible.builtin.apt: name: - squid - state: latest - autoremove: true - name: Disable squid - systemd: + ansible.builtin.systemd: name: squid enabled: false state: stopped - name: Deploy squid user mode configuration - template: + ansible.builtin.template: src: "{{ item }}.j2" dest: "/etc/squid/{{ item }}" mode: '0644' @@ -155,16 +155,16 @@ - squid-usermode-external.conf - name: Deploy startusersquid script - template: + ansible.builtin.template: src: startusersquid.sh.j2 dest: /usr/local/bin/startusersquid.sh mode: '0755' - name: Provide usersquid service - copy: + ansible.builtin.copy: src: usersquid.service dest: /etc/systemd/user/usersquid.service - mode: 0644 + mode: '0644' - name: Enable usersquid service ansible.builtin.systemd: @@ -173,7 +173,7 @@ enabled: true - name: Deploy sudo configurations - copy: + ansible.builtin.copy: src: "{{ item }}" dest: "/etc/sudoers.d/90-{{ item }}" owner: root @@ -184,7 +184,7 @@ - lmn-vm - name: Deploy vmimages scripts - copy: + ansible.builtin.copy: src: "{{ item }}" dest: /usr/local/bin/ owner: root 
@@ -210,6 +210,7 @@ dest: /etc/lmn/vm.conf owner: root group: root + mode: '0644' - name: Deploy aria2 RPC password file ansible.builtin.copy: @@ -226,15 +227,18 @@ state: directory owner: lmnsynci group: lmnsynci + mode: '0755' - name: Prepare directory for qemu bridge config ansible.builtin.file: path: /etc/qemu/ state: directory + mode: '0755' - name: Deploy bridge.conf needed for qemu session mode ansible.builtin.copy: dest: /etc/qemu/bridge.conf + mode: '0644' content: | allow virbr0 allow virbr1 @@ -263,6 +267,7 @@ - name: Adjust interface permissions for user mode VMs ansible.builtin.copy: dest: /etc/udev/rules.d/80-macvlan.rules + mode: '0644' content: | {% for interface in (ansible_interfaces | select('search', '^en[pso].+')) %} SUBSYSTEMS=="net", KERNELS=="macvtap-{{ interface[3:9] }}", MODE="0666" diff --git a/roles/lmn_vpn/defaults/main.yml b/roles/lmn_vpn/defaults/main.yml index 935b340..2c6e23f 100644 --- a/roles/lmn_vpn/defaults/main.yml +++ b/roles/lmn_vpn/defaults/main.yml @@ -1,6 +1,5 @@ --- vpn: none - # Wireguad config wg_endpoint: "203.0.113.1:51820" wg_allowed_ips: "10.0.0.0/16;" diff --git a/roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml b/roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml index 5f13000..f444369 100644 --- a/roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml +++ b/roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml 
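Review bot: The @@ -210 hunk adds `mode: '0644'` to `/etc/lmn/vm.conf` and stops right at the following `Deploy aria2 RPC password file` copy, whose mode this commit does not touch. If that task has no `mode:` (not visible here), the copy module's default would leave the RPC secret readable by every local user; it should be `mode: '0600'` with `owner:` set to the account that runs aria2. Worth confirming the rest of that task before merging the mode sweep.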
@@ -45,9 +45,8 @@ - name: Issue radius certificate ansible.builtin.include_tasks: eap-tls_issue-certificate.yaml when: - - radius_reachable.unreachable is not defined or not radius_reachable.unreachable - - | - ( not cert_client_active.stat.exists ) or - (cert_serial.stdout | replace('serial=','') | int(base=16) ) in ( radius_crl.revoked_certificates | map(attribute='serial_number') | list ) or - wlan_force_issue - + - radius_reachable.unreachable is not defined or not radius_reachable.unreachable + - | + ( not cert_client_active.stat.exists ) or + (cert_serial.stdout | replace('serial=','') | int(base=16) ) in ( radius_crl.revoked_certificates | map(attribute='serial_number') | list ) or + wlan_force_issue diff --git a/roles/up2date_debian/tasks/main.yml b/roles/up2date_debian/tasks/main.yml index b71d0d8..39f11f7 100644 --- a/roles/up2date_debian/tasks/main.yml +++ b/roles/up2date_debian/tasks/main.yml 
@@ -1,39 +1,40 @@ # Update lists and upgrade packages. -- name: update apt package lists - apt: +- name: Update apt package lists + ansible.builtin.apt: update_cache: true cache_valid_time: 86400 -- block: - - name: upgrade packages - apt: +- name: Try to upgrade packages + block: + - name: Upgrade packages + ansible.builtin.apt: upgrade: dist autoremove: true autoclean: true rescue: - name: Looks like dpkg was interrupted, configure manually - command: + ansible.builtin.command: cmd: dpkg --configure -a - name: Try again to upgrade packages - apt: + ansible.builtin.apt: upgrade: dist autoremove: true autoclean: true -- name: install etckeeper - apt: +- name: Install etckeeper + ansible.builtin.apt: name: etckeeper state: latest # noqa package-latest -- name: install extra packages from stable - apt: +- name: Install extra packages from stable + ansible.builtin.apt: name: "{{ extra_pkgs }}" state: latest # noqa package-latest when: extra_pkgs|length -- name: add {{ ansible_distribution_release }}-backports - apt_repository: +- name: Add backports for {{ ansible_distribution_release }} + ansible.builtin.apt_repository: repo: > deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main non-free-firmware @@ -41,8 +42,8 @@ update_cache: true when: extra_pkgs_bpo|length -- name: install extra packages from backports - apt: +- name: Install extra packages from backports + ansible.builtin.apt: name: "{{ extra_pkgs_bpo }}" state: latest # noqa package-latest default_release: "{{ ansible_distribution_release }}-backports"