From f965f4466c34e9349afabbad0620b933bd8c3320 Mon Sep 17 00:00:00 2001
From: Raphael Dannecker <raphael.dannecker@steinbeisschule-reutlingen.de>
Date: Mon, 24 Mar 2025 07:33:56 +0100
Subject: [PATCH] Improve ansible code so that ansible-lint shows fewer errors

---
 lmn-client.yml                                | 93 ++++++++++---------
 roles/kerberize/handlers/main.yml             |  4 +-
 roles/kerberize/tasks/main.yml                | 18 ++--
 roles/lmn_exam/tasks/main.yml                 |  2 +-
 roles/lmn_fvs/handlers/main.yml               |  2 +-
 roles/lmn_fvs/tasks/main.yml                  | 73 ++++++++-------
 roles/lmn_fvs/tasks/sync.yml                  | 14 +--
 roles/lmn_kde/handlers/main.yml               |  2 +-
 roles/lmn_kde/tasks/main.yml                  | 17 +++-
 roles/lmn_localhome/tasks/main.yml            | 11 ++-
 roles/lmn_mount/tasks/main.yml                |  7 +-
 roles/lmn_network/tasks/main.yml              |  6 +-
 roles/lmn_printer/tasks/main.yml              | 26 +++---
 roles/lmn_security/handlers/main.yml          |  2 +-
 roles/lmn_security/tasks/main.yml             |  5 +-
 roles/lmn_sssd/handlers/main.yml              |  9 +-
 roles/lmn_sssd/tasks/main.yml                 | 11 +--
 roles/lmn_vm/defaults/main.yml                |  1 +
 roles/lmn_vm/handlers/main.yml                |  2 +-
 roles/lmn_vm/tasks/main.yml                   | 69 +++++++-------
 roles/lmn_vpn/defaults/main.yml               |  1 -
 .../tasks/eap-tls_check-certificate.yaml      | 11 +--
 roles/up2date_debian/tasks/main.yml           | 31 ++++---
 23 files changed, 228 insertions(+), 189 deletions(-)

diff --git a/lmn-client.yml b/lmn-client.yml
index 935a45d..a3d44fd 100644
--- a/lmn-client.yml
+++ b/lmn-client.yml
@@ -20,16 +20,17 @@
 - name: Apply common configuration to the machines
   hosts: all # desktop:laptop
   remote_user: ansible
-  become: yes
+  become: true
   pre_tasks:
-    - pause:
+    - name: Ask for global-admin AD password
+      ansible.builtin.pause:
         prompt: "Enter global-admin AD password. Leave empty to skip domain join"
         echo: false
       register: adpw
       no_log: true
       when: "ansible_cmdline.adpw is not defined"
     - name: Preseed apparmor
-      debconf:
+      ansible.builtin.debconf:
         name: apparmor
         question: apparmor/homedirs
         value: >-
@@ -38,7 +39,7 @@
           /srv/samba/schools/default-school/examusers/
         vtype: string
     - name: Preseed unattended-upgrades
-      debconf:
+      ansible.builtin.debconf:
         name: unattended-upgrades
         question: unattended-upgrades/enable_auto_updates
         value: true
@@ -115,13 +116,13 @@
   tasks:
     ## Temporary fixes and quirks:
     - name: Remove disturbing NetworkManager connection
-      file:
+      ansible.builtin.file:
         path: "/etc/NetworkManager/system-connections/Wired connection 1"
         state: absent
       when: ansible_interfaces | select('search', '^en[pso].+') | length > 1
 
     - name: Fix 8086:4909 external graphics card
-      replace:
+      ansible.builtin.replace:
         dest: "/etc/default/grub"
         regexp: 'GRUB_CMDLINE_LINUX=""$'
         replace: 'GRUB_CMDLINE_LINUX="i915.force_probe=4909"'
@@ -129,7 +130,7 @@
       when: ansible_board_vendor == "LENOVO" and ansible_board_name == "32CB"
 
     - name: Fix sound on 312A
-      replace:
+      ansible.builtin.replace:
         dest: "/etc/default/grub"
         regexp: 'GRUB_CMDLINE_LINUX="snd-intel-dspcfg.dsp_driver=1"$'
         replace: 'GRUB_CMDLINE_LINUX=""'
@@ -137,7 +138,7 @@
       when: ansible_board_vendor == "LENOVO" and ansible_board_name == "312A"
 
     - name: Fix sound on 312A and 312D
-      apt:
+      ansible.builtin.apt:
         name: firmware-sof-signed
         state: latest
       when: >
@@ -145,31 +146,32 @@
         (ansible_board_name == "312D" or ansible_board_name == "312A")
 
     - name: Install customized CodeBlocks packages
+      when: "'PCroom' in group_names"
       block:
         - name: Check for old CodeBlocks
-          command:
+          ansible.builtin.command:
             cmd: dpkg -l codeblocks
           register: codeblocks_version
-          changed_when: False
+          changed_when: false
 
         - name: Download codeblocks zip archive
           ansible.builtin.get_url:
             url: "http://livebox.pn.steinbeis.schule/codeblocks/CodeBlocks.zip"
             dest: /tmp/CodeBlocks.zip
-            use_proxy: False
+            mode: '0644'
+            use_proxy: false
           register: new_codeblocks
           when: codeblocks_version.stdout is not search('svn13544')
 
         - name: Unpack zip archive and install packages manually
-          shell:
+          ansible.builtin.shell:
             cmd: unzip -d /tmp/cb/ CodeBlocks.zip && dpkg -i cb/*.deb
             chdir: /tmp/
           when: new_codeblocks.changed | default(false)
-      when: "'PCroom' in group_names"
 
 ## Clean up stuff from obsolete/faulty tasks:
     - name: Remove sddm login screen patch with deprecated marker (homeondisk)
-      blockinfile:
+      ansible.builtin.blockinfile:
         path: /usr/share/sddm/themes/debian-breeze/Main.qml
         marker: // {mark} ANSIBLE MANAGED BLOCK homeondisk
         state: absent
@@ -180,15 +182,15 @@
           - cachefilesd
           - mosquitto
         state: absent
-        purge: True
+        purge: true
 
     - name: Remove virtiofs service
-      file:
+      ansible.builtin.file:
         path: /etc/systemd/system/virtiofs@.service
         state: absent
 
     - name: Fix mount point permissions and owner
-      file:
+      ansible.builtin.file:
         path: "{{ item }}"
         mode: '0755'
         owner: root
@@ -198,7 +200,7 @@
         - /srv/samba/schools
 
     - name: Remove pam_mount sysvol mount
-      blockinfile:
+      ansible.builtin.blockinfile:
         dest: /etc/security/pam_mount.conf.xml
         marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (SysVol) -->"
         block: |
@@ -212,28 +214,30 @@
           </volume>
         state: absent
 
-    - name: check if rmlpr.timer is installed
-      stat: path=/etc/systemd/system/rmlpr.timer
+    - name: Check if rmlpr.timer is installed
+      ansible.builtin.stat:
+        path: /etc/systemd/system/rmlpr.timer
       register: rmlpr
 
-    - name: disable rmlpr.timer
-      systemd:
+    - name: Disable rmlpr.timer
+      ansible.builtin.systemd:
         name: rmlpr.timer
         enabled: false
       when: rmlpr.stat.exists
 
-    - name: check if vmimage-torrent.service is installed
-      stat: path=/etc/systemd/system/vmimage-torrent.service
+    - name: Check if vmimage-torrent.service is installed
+      ansible.builtin.stat:
+        path: /etc/systemd/system/vmimage-torrent.service
       register: vmimagetorrent
 
-    - name: disable vmimage-torrent.service
-      systemd:
+    - name: Disable vmimage-torrent.service
+      ansible.builtin.systemd:
         name: vmimage-torrent.service
         enabled: false
       when: vmimagetorrent.stat.exists
 
     - name: Remove deprecated files and directories
-      file:
+      ansible.builtin.file:
         path: "{{ item }}"
         state: absent
       with_items:
@@ -269,12 +273,13 @@
         - /etc/NetworkManager/system-connections/macvlan-vm-macvtap.nmconnection
         - /etc/tmpfiles.d/clean-exam.conf
 
-    - name: check if vm_usage_information.txt exists
-      stat: path=/lmn/vm/vm_usage_information.txt
+    - name: Check if vm_usage_information.txt exists
+      ansible.builtin.stat:
+        path: /lmn/vm/vm_usage_information.txt
       register: vm_usage_information
 
-    - name: pre-fill vm_usage_information.txt
-      shell:
+    - name: Pre-fill vm_usage_information.txt
+      ansible.builtin.shell:
         cmd: |
           ls -tr *.qcow2 > vm_usage_information.txt || touchvm_usage_information.txt
           chown lmnsynci:lmnsynci vm_usage_information.txt
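Review bot: `touchvm_usage_information.txt` on the first line of the `Pre-fill vm_usage_information.txt` script is missing a space, so the fallback branch runs a non-existent command instead of `touch`; the line should read `ls -tr *.qcow2 > vm_usage_information.txt || touch vm_usage_information.txt`. Because the redirection creates the file before `ls` runs, the fallback today only yields a `command not found` error when no `.qcow2` files exist. The task body (`chdir`, conditions) continues past the end of the hunk.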
@@ -285,11 +290,11 @@
       ansible.builtin.shell:
         cmd: grep "IPP Everywhere" /etc/cups/printers.conf
       register: ipp_everywhere
-      failed_when: False
-      changed_when: False
+      failed_when: false
+      changed_when: false
 
     - name: Delete old IPP-Everywhere printers
-      shell:
+      ansible.builtin.shell:
         cmd: |
           for p in $(lpstat -p | cut -d" " -f2); do
             lpadmin -x "$p"
@@ -297,17 +302,17 @@
       when: not ipp_everywhere.rc
 
     - name: Remove old VM-printerlists
-      shell:
+      ansible.builtin.shell:
         cmd: rm -f /lmn/media/*/.printerlist.csv
 
     - name: Remove Listen on VMBridge
-      lineinfile:
+      ansible.builtin.lineinfile:
         dest: /etc/cups/cupsd.conf
         line: 'Listen 192.168.122.1:631'
         state: absent
 
     - name: Remove NetworkManager Ansible-Block for non-laptops
-      blockinfile:
+      ansible.builtin.blockinfile:
         path: /etc/NetworkManager/NetworkManager.conf
         state: absent
       when: "'laptop' not in group_names"
@@ -343,7 +348,7 @@
     - name: Timestamp successfull run and send up-to-date report
       ansible.builtin.shell:
         cmd: date --iso-8601=seconds >> /var/local/ansible-stamps && /usr/local/sbin/reporter
-      changed_when: False
+      changed_when: false
       tags: upgrade
 
     - name: Force ansible-run after install trough emitter by setting timestamp in the past
@@ -356,7 +361,7 @@
 - name: Apply additional laptop configuration
   hosts: laptop
   remote_user: ansible
-  become: yes
+  become: true
   vars_files: lmn-vault
   vars:
     localuser: "{{ vault_localuser }}"
@@ -366,7 +371,7 @@
       when: "'teacherlaptop' not in group_names"
   tasks:
     - name: Remove deprecated files and directories (laptop-class)
-      file:
+      ansible.builtin.file:
         path: "{{ item }}"
         state: absent
       with_items:
@@ -380,7 +385,7 @@
     - name: Enable wpa-supplicant
       ansible.builtin.systemd:
         name: wpa_supplicant.service
-        enabled: True
+        enabled: true
       tags:
         - never
         - wlan_8021x
@@ -388,13 +393,13 @@
     - name: Disable iwd
       ansible.builtin.systemd:
         name: iwd.service
-        enabled: False
+        enabled: false
       tags:
         - never
         - wlan_8021x
 
     - name: Remove deprecated NetworkManager config
-      blockinfile:
+      ansible.builtin.blockinfile:
         path: /etc/NetworkManager/NetworkManager.conf
         state: absent
       tags:
@@ -405,7 +410,7 @@
 - name: Apply roles that must run serial
   hosts: all
   remote_user: ansible
-  become: yes
+  become: true
   serial: 1
   ignore_unreachable: true
 
diff --git a/roles/kerberize/handlers/main.yml b/roles/kerberize/handlers/main.yml
index 3ac7e3e..1e2ceab 100644
--- a/roles/kerberize/handlers/main.yml
+++ b/roles/kerberize/handlers/main.yml
@@ -1,5 +1,5 @@
-- name: reload sshd
-  systemd:
+- name: Reload sshd
+  ansible.builtin.systemd:
     name: sshd
     state: reloaded
   when: not run_in_installer|default(false)|bool
diff --git a/roles/kerberize/tasks/main.yml b/roles/kerberize/tasks/main.yml
index ee17a3e..92f11fe 100644
--- a/roles/kerberize/tasks/main.yml
+++ b/roles/kerberize/tasks/main.yml
@@ -1,28 +1,30 @@
 - name: Install kerberos packages
-  apt:
+  ansible.builtin.apt:
     name: krb5-user
-    state: latest
 
 - name: Kerberize sshd server
   ansible.builtin.copy:
     dest: /etc/ssh/sshd_config.d/kerberize.conf
+    mode: '0644'
     content: |
       GSSAPIAuthentication yes
-  notify: "reload sshd"
+  notify: "Reload sshd"
 
 - name: Kerberize ssh client, authenticate and delegate credentials
   ansible.builtin.copy:
     dest: /etc/ssh/ssh_config.d/kerberize.conf
+    mode: '0644'
     content: |
       GSSAPIAuthentication yes
       GSSAPIDelegateCredentials yes
 
 - name: Check if firefox is available
-  stat: path=/etc/firefox-esr/firefox-esr.js
+  ansible.builtin.stat:
+    path: /etc/firefox-esr/firefox-esr.js
   register: firefox
 
 - name: Kerberize firefox for sites in the local domain
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/firefox-esr/firefox-esr.js
     line: "{{ item }}"
   with_items:
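Review bot: `Kerberize ssh client, authenticate and delegate credentials` writes `GSSAPIDelegateCredentials yes` into `/etc/ssh/ssh_config.d/kerberize.conf` with no `Host` restriction, so every user's Kerberos ticket is forwarded to any SSH server they connect to, not only to hosts in the school domain. Scoping the directive, e.g. `Host *.{{ domain }}` with the two `GSSAPI*` lines indented beneath it, limits delegation to the realm's own hosts; this assumes the `domain` variable used by the lmn_sssd role is in scope for this role — confirm before relying on it. The `mode: '0644'` additions for both config fragments are fine. The `with_items` list of the last task continues past the hunk.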
@@ -32,13 +34,15 @@
   when: firefox.stat.exists
 
 - name: Ensures /etc/chromium/policies/managed dir exists
-  file:
+  ansible.builtin.file:
     path: "/etc/chromium/policies/managed"
     state: directory
+    mode: '0755'
 
 - name: Kerberize chromium for sites in the local domain
-  copy:
+  ansible.builtin.copy:
     dest: /etc/chromium/policies/managed/idam.json
+    mode: '0644'
     content: |
       {
         "AuthServerAllowlist": "idam.steinbeis.schule"
diff --git a/roles/lmn_exam/tasks/main.yml b/roles/lmn_exam/tasks/main.yml
index b604ea8..0e3bc4e 100644
--- a/roles/lmn_exam/tasks/main.yml
+++ b/roles/lmn_exam/tasks/main.yml
@@ -10,7 +10,7 @@
   ansible.builtin.systemd:
     name: firewalld
     state: stopped
-  when: result.changed
+  when: result.changed # noqa: no-handler
 
 - name: Disable firewalld-service
   ansible.builtin.systemd:
diff --git a/roles/lmn_fvs/handlers/main.yml b/roles/lmn_fvs/handlers/main.yml
index 8d70859..d6688c6 100644
--- a/roles/lmn_fvs/handlers/main.yml
+++ b/roles/lmn_fvs/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: Run update-desktop-database
-  command: update-desktop-database "{{ item }}"
+  ansible.builtin.command: update-desktop-database "{{ item }}"
   loop:
     - /usr/local/share/applications
     - /usr/local/share/desktop-directories
diff --git a/roles/lmn_fvs/tasks/main.yml b/roles/lmn_fvs/tasks/main.yml
index 79e4682..075b68d 100644
--- a/roles/lmn_fvs/tasks/main.yml
+++ b/roles/lmn_fvs/tasks/main.yml
@@ -14,9 +14,8 @@
     vtype: string
   when: mirror_msfonts is defined and mirror_msfonts | length > 0
 
-
 - name: Install desktop EDU packages and some more
-  apt:
+  ansible.builtin.apt:
     name:
       - atftp
       - audacity
@@ -90,7 +89,7 @@
     http_proxy: '' # this is needed to avoid ttf-mscorefonts-installer picking up aptcacher
 
 - name: Remove update notifications from plasma-discover
-  apt:
+  ansible.builtin.apt:
     name:
       - plasma-discover
     autoremove: true
@@ -100,6 +99,7 @@
 - name: Make sure wireshark works for all users after installation and upgrades
   ansible.builtin.copy:
     dest: /etc/apt/apt.conf.d/92wireshark4all
+    mode: '0644'
     content: |
       ## Modify permissions after installation/upgrade to allow all
       ## users dumping packages on network interfaces for wireshark
@@ -122,6 +122,7 @@
   ansible.builtin.copy:
     src: policies.json
     dest: /etc/firefox-esr/policies/
+    mode: '0644'
 
 - name: Create chromium policies directory
   ansible.builtin.file:
@@ -130,8 +131,9 @@
     mode: '0755'
 
 - name: Set chromium proxy-policy to auto_detect
-  copy:
+  ansible.builtin.copy:
     dest: /etc/chromium/policies/managed/proxy.json
+    mode: '0644'
     content: |
       {
         "ProxyMode": "auto_detect"
@@ -144,20 +146,20 @@
     replace: '  \1'
 
 - name: Copy some scripts
-  copy:
+  ansible.builtin.copy:
     src: "{{ item }}"
     dest: /usr/local/sbin/
-    mode: 0755
+    mode: '0755'
   loop:
     - pwroff
     - bootorder.sh
     - reporter
 
 - name: Provide services and timers for some scripts
-  copy:
+  ansible.builtin.copy:
     src: "{{ item }}"
     dest: "/etc/systemd/system/{{ item }}"
-    mode: 0644
+    mode: '0644'
   loop:
     - pwroff.service
     - pwroff.timer
@@ -166,7 +168,7 @@
   when: "'teacherlaptop' not in group_names"
 
 - name: Enable pwroff.timer
-  systemd:
+  ansible.builtin.systemd:
     name: "{{ item }}"
     enabled: true
   loop:
@@ -175,7 +177,7 @@
   when: "'teacherlaptop' not in group_names"
 
 - name: PXE first boot order
-  command: /usr/local/sbin/bootorder.sh
+  ansible.builtin.command: /usr/local/sbin/bootorder.sh
   register: cmd_result
   changed_when: cmd_result.stdout is not search('Nothing to do.')
   when: "'PCroom' in group_names"
@@ -184,7 +186,7 @@
   ansible.builtin.copy:
     src: "{{ item }}"
     dest: /usr/local/bin/
-    mode: 0755
+    mode: '0755'
   loop:
     - lmn-reset-dolphin.sh
     - lmn-patch-dolphin.sh
@@ -194,19 +196,21 @@
   ansible.builtin.copy:
     src: lmn-dolphin.sh
     dest: /etc/profile.d/
+    mode: '0644'
 
 
 - name: Copy fvs-config.js to configure plasma
   ansible.builtin.copy:
     src: fvs-config.js
     dest: /usr/share/plasma/shells/org.kde.plasma.desktop/contents/updates/fvs-config.js
-    mode: 0644
+    mode: '0644'
 
 
 - name: Configure some KDE aspects
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: /etc/xdg/kdeglobals
     create: true
+    mode: '0644'
     block: |
       [KDE]
       SingleClick=false
@@ -219,6 +223,7 @@
 - name: Shut down when idle for too long
   ansible.builtin.copy:
     dest: /etc/xdg/powermanagementprofilesrc
+    mode: '0644'
     content: |
       [AC][SuspendSession]
       idleTime=7200000
@@ -228,20 +233,22 @@
 - name: Start with empty session by default
   ansible.builtin.copy:
     dest: /etc/xdg/ksmserverrc
+    mode: '0644'
     content: |
       [General]
       loginMode=emptySession
 
 - name: Fix primary screen for class room PCs with projector
+  when: "'CloneScreen' in group_names"
   block:
     - name: Set primary screen for login
-      blockinfile:
+      ansible.builtin.blockinfile:
         path: /usr/share/sddm/scripts/Xsetup
         block: |
           xrandr --output {{ dual_screen[0] }} --primary
       when: dual_screen is defined
     - name: Reset primary screen for login
-      blockinfile:
+      ansible.builtin.blockinfile:
         path: /usr/share/sddm/scripts/Xsetup
         state: absent
       when: dual_screen is not defined
@@ -253,35 +260,36 @@
     - name: Deploy fix-screen autostarter
       ansible.builtin.copy:
         dest: /etc/xdg/autostart/lmn-fix-screen.desktop
+        mode: '0644'
         content: |
           [Desktop Entry]
           Name=fix-screen
           Exec=lmn-fix-screen
           Type=Application
           NoDisplay=true
-  when: "'CloneScreen' in group_names"
 
-#- name: Avoid starting kscreen (confusing autodetection)
-#  ansible.builtin.copy:
-#    dest: /etc/xdg/kded5rc
-#    content: |
-#      [Module-kscreen]
-#      autoload=false
+# - name: Avoid starting kscreen (confusing autodetection)
+#   ansible.builtin.copy:
+#     dest: /etc/xdg/kded5rc
+#     content: |
+#       [Module-kscreen]
+#       autoload=false
 #
-#- name: Disable automatic lock screen and user specific modifications
-#  ansible.builtin.copy:
-#    path: /etc/xdg/kscreenlockerrc
-#    content: |
-#      [Daemon][$i]
-#      Autolock=false
-#      LockOnResume=false
+# - name: Disable automatic lock screen and user specific modifications
+#   ansible.builtin.copy:
+#     path: /etc/xdg/kscreenlockerrc
+#     content: |
+#       [Daemon][$i]
+#       Autolock=false
+#       LockOnResume=false
 #
 
 - name: Download libdvdcss from mirror
   ansible.builtin.get_url:
     url: "{{ mirror_dvdcss }}/libdvdcss.so.2.2.0"
     dest: /usr/lib/x86_64-linux-gnu/libdvdcss.so.2.2.0
-    use_proxy: False
+    mode: '0644'
+    use_proxy: false
   when: mirror_dvdcss is defined and mirror_dvdcss | length > 0
 
 - name: Link library so name
@@ -292,7 +300,7 @@
   when: mirror_dvdcss is defined and mirror_dvdcss | length > 0
 
 - name: Patch sddm login screen to show hostname
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: /usr/share/sddm/themes/debian-breeze/Main.qml
     marker: // {mark} ANSIBLE MANAGED BLOCK
     insertbefore: '\s+//Footer'
@@ -311,6 +319,7 @@
 - name: Set git default-branch to main
   ansible.builtin.copy:
     dest: /etc/gitconfig
+    mode: '0644'
     content: |
       [init]
         defaultBranch = main
@@ -318,7 +327,7 @@
 - name: Adjust mmcblk-device gid to allow users to access SD-cards
   ansible.builtin.copy:
     dest: /etc/udev/rules.d/80-mmcblk.rules
-    mode: "0644"
+    mode: '0644'
     content: |
       KERNEL=="mmcblk[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", GROUP="domain users"
       KERNEL=="mmcblk[0-9]p[0-9]*", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", GROUP="domain users"
diff --git a/roles/lmn_fvs/tasks/sync.yml b/roles/lmn_fvs/tasks/sync.yml
index fca5788..0aed203 100644
--- a/roles/lmn_fvs/tasks/sync.yml
+++ b/roles/lmn_fvs/tasks/sync.yml
@@ -3,7 +3,7 @@
   ansible.builtin.file:
     path: "{{ item }}"
     state: directory
-    mode: 0755
+    mode: '0755'
   loop:
     - /usr/local/share/applications
     - /usr/local/share/desktop-directories
@@ -13,24 +13,26 @@
   ansible.builtin.copy:
     src: fvs.directory
     dest: /usr/local/share/desktop-directories/
+    mode: '0644'
   notify: Run update-desktop-database
 
 - name: Copy fvs.menu
   ansible.builtin.copy:
     src: fvs.menu
     dest: /etc/xdg/menus/applications-merged/
+    mode: '0644'
   notify: Run update-desktop-database
 
 - name: Copy lmn-sync script
   ansible.builtin.copy:
     src: lmn-sync
     dest: /usr/local/sbin/
-    mode: 0755
+    mode: '0755'
   register: lmn_sync
 
 - name: Run lmn-sync script
   ansible.builtin.shell: /usr/local/sbin/lmn-sync
-  when: lmn_sync.changed
+  when: lmn_sync.changed # noqa: no-handler
 
 - name: Deploy sudo configurations (lmn-sync for role-teacher)
   ansible.builtin.copy:
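Review bot: `Run lmn-sync script` still uses `ansible.builtin.shell` for a bare executable path with no shell features, which ansible-lint's `command-instead-of-shell` rule flags; `ansible.builtin.command: /usr/local/sbin/lmn-sync` does the same without a shell in between. The `# noqa: no-handler` suppression is reasonable if the sync must run at this point of the play rather than at the end as a handler would; a short comment saying so would keep the next reader from re-raising it. The `Deploy sudo configurations` task begins on the hunk's last lines and its body is outside the hunk.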
@@ -42,15 +44,15 @@
       %role-teacher ALL=(root) NOPASSWD: /usr/local/sbin/lmn-sync
 
 - name: Provide lmn-sync service and timer
-  copy:
+  ansible.builtin.copy:
     src: "{{ item }}"
     dest: "/etc/systemd/system/{{ item }}"
-    mode: 0644
+    mode: '0644'
   loop:
     - lmn-sync.service
     - lmn-sync.timer
 
 - name: Enable lmn-sync.timer
-  systemd:
+  ansible.builtin.systemd:
     name: lmn-sync.timer
     enabled: true
diff --git a/roles/lmn_kde/handlers/main.yml b/roles/lmn_kde/handlers/main.yml
index e2b8cdf..8a20c3b 100644
--- a/roles/lmn_kde/handlers/main.yml
+++ b/roles/lmn_kde/handlers/main.yml
@@ -1,2 +1,2 @@
 - name: Run update-grub
-  command: update-grub
+  ansible.builtin.command: update-grub
diff --git a/roles/lmn_kde/tasks/main.yml b/roles/lmn_kde/tasks/main.yml
index 627f9b3..d65fc31 100644
--- a/roles/lmn_kde/tasks/main.yml
+++ b/roles/lmn_kde/tasks/main.yml
@@ -39,7 +39,7 @@
     autoremove: true
     state: latest
 
-- name: Add {{ ansible_distribution_release }}-backports
+- name: Add backports {{ ansible_distribution_release }}
   ansible.builtin.apt_repository:
     repo: deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main non-free-firmware
     state: present
@@ -69,6 +69,7 @@
   ansible.builtin.blockinfile:
     path: /etc/xdg/akonadi/akonadiserverrc
     create: true
+    mode: '0644'
     block: |
       [%General]
       Driver=QSQLITE3
@@ -83,10 +84,11 @@
       /srv/samba/schools/default-school/examusers/
 
 
-- name: tune SDDM login
+- name: Tune SDDM login
   ansible.builtin.blockinfile:
     path: /etc/sddm.conf
     create: true
+    mode: '0644'
     block: |
       [Users]
       MaximumUid=999
@@ -96,6 +98,7 @@
 - name: Enable wake-on-lan for all ethernet connections
   ansible.builtin.copy:
     dest: /etc/NetworkManager/conf.d/wake-on-lan.conf
+    mode: '0644'
     content: |
       [connection]
       ethernet.wake-on-lan=64
@@ -103,12 +106,14 @@
 - name: Prepare directory for apt-daily override
   ansible.builtin.file:
     path: /etc/systemd/system/apt-daily.timer.d/
-    recurse: True
+    recurse: true
+    mode: '0755'
     state: directory
 
 - name: Run apt update early to avoid outdated package lists
   ansible.builtin.copy:
     dest: /etc/systemd/system/apt-daily.timer.d/override.conf
+    mode: '0644'
     content: |
       [Timer]
       RandomizedDelaySec=30m
@@ -124,6 +129,7 @@
   ansible.builtin.blockinfile:
     path: /etc/systemd/sleep.conf.d/nosuspend.conf
     create: true
+    mode: '0644'
     block: |
       [Sleep]
       AllowSuspend=no
@@ -175,7 +181,7 @@
     dest: /etc/default/grub
     regexp: '^(GRUB_TIMEOUT=).*'
     line: '\g<1>1'
-    backrefs: yes
+    backrefs: true
   notify: Run update-grub
 
 - name: Keyboard compose key
@@ -183,10 +189,11 @@
     dest: /etc/default/keyboard
     regexp: '^(XKBOPTIONS=).*'
     line: '\1"compose:caps"'
-    backrefs: yes
+    backrefs: true
 
 - name: Default KDE filepicker
   ansible.builtin.lineinfile:
     path: /etc/environment.d/90lmn-filepicker.conf
     create: true
+    mode: '0644'
     line: GTK_USE_PORTAL=1
diff --git a/roles/lmn_localhome/tasks/main.yml b/roles/lmn_localhome/tasks/main.yml
index 37fc329..05a5a6b 100644
--- a/roles/lmn_localhome/tasks/main.yml
+++ b/roles/lmn_localhome/tasks/main.yml
@@ -1,12 +1,12 @@
 ---
-- name: enable pam_mkhomedir.so
-  lineinfile:
+- name: Enable pam_mkhomedir.so
+  ansible.builtin.lineinfile:
     dest: /etc/pam.d/common-session
     line: "session optional        pam_mkhomedir.so  umask=0077"
     insertbefore: '^session\s*optional\s*pam_mount.so'
 
 - name: Patch sddm login screen to inform about localhome
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: /usr/share/sddm/themes/debian-breeze/Main.qml
     marker: // {mark} ANSIBLE MANAGED BLOCK localhome
     insertbefore: '\s+//Footer'
@@ -26,11 +26,12 @@
   ansible.builtin.copy:
     src: lmn-create-unisonconfig.sh
     dest: /usr/local/bin/
-    mode: 0755
+    mode: '0755'
 
 - name: Install auto-logout-script for first login in /etc/profile.d/
-  copy:
+  ansible.builtin.copy:
     dest: /etc/profile.d/lmn-logout.sh
+    mode: '0755'
     content: |
       [[ "${UID}" -gt 10000 ]] && ! findmnt "/lmn/media/${USER}/home" > /dev/null && exit 0
       {% if 'teacherlaptop' not in group_names %}
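Review bot: `Install auto-logout-script for first login in /etc/profile.d/` gives the script `mode: '0755'`, but files in /etc/profile.d are sourced by the login shell rather than executed, and the other profile.d snippets in this commit (`lmn-dolphin.sh`, `lmn-printer.sh`) get `mode: '0644'`; `mode: '0644'` here keeps the roles consistent and drops an executable bit nothing needs. The `content` block continues past the hunk.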
diff --git a/roles/lmn_mount/tasks/main.yml b/roles/lmn_mount/tasks/main.yml
index 177724d..572e061 100644
--- a/roles/lmn_mount/tasks/main.yml
+++ b/roles/lmn_mount/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: Install needed packages
-  apt:
+  ansible.builtin.apt:
     name:
       - libpam-mount
       - cifs-utils
@@ -10,7 +10,7 @@
     state: latest
 
 - name: Configure pam_mount for Webdav Nextcloud
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/security/pam_mount.conf.xml
     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount Nextcloud) -->"
     block: |
@@ -25,7 +25,7 @@
   when: web_dav is defined and web_dav | length > 0
 
 - name: Configure pam_mount for LMN homes
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/security/pam_mount.conf.xml
     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN home) -->"
     block: |
@@ -55,6 +55,7 @@
   ansible.builtin.file:
     path: /etc/systemd/user-environment-generators/
     state: directory
+    mode: '0755'
 
 - name: Prepare generator for persistent user cache directory
   ansible.builtin.copy:
diff --git a/roles/lmn_network/tasks/main.yml b/roles/lmn_network/tasks/main.yml
index 2fc95f4..965256d 100644
--- a/roles/lmn_network/tasks/main.yml
+++ b/roles/lmn_network/tasks/main.yml
@@ -1,7 +1,8 @@
 ---
 - name: Deploy http proxy config
-  copy:
+  ansible.builtin.copy:
     dest: /etc/environment.d/10-lmn-proxy.conf
+    mode: '0644'
     content: |
       http_proxy="{{ proxy }}"
       https_proxy="{{ proxy }}"
@@ -12,6 +13,7 @@
 - name: Set aptcache
   ansible.builtin.copy:
     dest: /etc/apt/apt.conf
+    mode: '0644'
     content: >
       {{ apt_conf }}
 
@@ -22,7 +24,7 @@
     line: NTP={{ ntp_serv }}
 
 - name: Add proposed-updates repository
-  apt_repository:
+  ansible.builtin.apt_repository:
     repo: >
       deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-proposed-updates
       main non-free-firmware
diff --git a/roles/lmn_printer/tasks/main.yml b/roles/lmn_printer/tasks/main.yml
index 394c07c..171a2fa 100644
--- a/roles/lmn_printer/tasks/main.yml
+++ b/roles/lmn_printer/tasks/main.yml
@@ -1,26 +1,25 @@
 ---
 - name: Install cups
-  apt:
+  ansible.builtin.apt:
     name:
       - cups
-    state: latest
 
 - name: Disable cups printer browsing
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/cups/cupsd.conf
     regexp: '^(Browsing ).*'
     line: '\1No'
-    backrefs: yes
+    backrefs: true
 
 - name: Listen on all Interfaces
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/cups/cupsd.conf
     line: 'Listen *:631'
     regexp: '^Listen localhost'
     state: present
 
 - name: Allow access from localhost and from VM
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/cups/cupsd.conf
     block: |
       Allow localhost
@@ -33,7 +32,7 @@
     - "/admin"
 
 - name: Allow group role-teacher to manage printers
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/cups/cups-files.conf
     line: 'SystemGroup root lpadmin role-teacher'
     regexp: '^SystemGroup'
@@ -44,24 +43,25 @@
   ansible.builtin.systemd:
     name: cups-browsed.service
     state: stopped
-    enabled: no
+    enabled: false
 
 - name: Install install-printers.sh
-  template:
+  ansible.builtin.template:
     src: install-printers.sh.j2
     dest: /usr/local/bin/install-printers.sh
-    mode: 0755
+    mode: '0755'
 
 - name: Install lmn-install-printers sudoers
-  copy:
+  ansible.builtin.copy:
     src: 90-lmn-install-printers
     dest: /etc/sudoers.d/
-    mode: 0660
+    mode: '0660'
     owner: root
     group: root
 
 - name: Run printer script from /etc/profile.d/
-  copy:
+  ansible.builtin.copy:
     dest: /etc/profile.d/lmn-printer.sh
+    mode: '0644'
     content: |
       [[ "${UID}" -gt 10000 ]] && (sudo /usr/local/bin/install-printers.sh > /dev/null &)
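Review bot: `Install lmn-install-printers sudoers` deploys `/etc/sudoers.d/90-lmn-install-printers` with `mode: '0660'`; the quoting fix is right, but the value itself is unusual for a sudoers drop-in, which sudo expects at `0440` owned by root — only sudo reads it, and a write bit on it is never needed. `mode: '0440'` plus `validate: /usr/sbin/visudo -cf %s` on the copy task also guarantees a syntax error in the fragment cannot leave sudo unusable on the host. The same `validate` would help the sudoers fragments written by `Deploy sudo configurations` in roles/lmn_fvs/tasks/sync.yml and by the `lineinfile` task for `/etc/sudoers.d/95-lmn-ansible` in roles/lmn_security/tasks/main.yml (lineinfile accepts `validate` too), if they do not already carry it.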
diff --git a/roles/lmn_security/handlers/main.yml b/roles/lmn_security/handlers/main.yml
index 4a3b124..1e2ceab 100644
--- a/roles/lmn_security/handlers/main.yml
+++ b/roles/lmn_security/handlers/main.yml
@@ -1,5 +1,5 @@
 - name: Reload sshd
-  systemd:
+  ansible.builtin.systemd:
     name: sshd
     state: reloaded
   when: not run_in_installer|default(false)|bool
diff --git a/roles/lmn_security/tasks/main.yml b/roles/lmn_security/tasks/main.yml
index 3ce31d5..10a2d69 100644
--- a/roles/lmn_security/tasks/main.yml
+++ b/roles/lmn_security/tasks/main.yml
@@ -9,7 +9,7 @@
   ansible.builtin.lineinfile:
     path: /etc/sudoers.d/95-lmn-ansible
     line: 'ansible ALL=(root) NOPASSWD: ALL'
-    create: True
+    create: true
     owner: root
     group: root
     mode: '0700'
@@ -17,12 +17,13 @@
 - name: Disable ansible user login
   ansible.builtin.user:
     name: ansible
-    password_lock: True
+    password_lock: true
 
 - name: Limit SSH access to user ansible
   ansible.builtin.blockinfile:
     dest: /etc/ssh/sshd_config.d/local.conf
     create: true
+    mode: '0644'
     block: |
       PasswordAuthentication no
       AllowUsers ansible
diff --git a/roles/lmn_sssd/handlers/main.yml b/roles/lmn_sssd/handlers/main.yml
index c7c508b..6fdda36 100644
--- a/roles/lmn_sssd/handlers/main.yml
+++ b/roles/lmn_sssd/handlers/main.yml
@@ -1,3 +1,6 @@
-- name: restart sssd
-  service: name=sssd state=restarted enabled=yes
-  listen: "restart sssd"
+- name: Restart sssd
+  ansible.builtin.service:
+    name: sssd
+    state: restarted
+    enabled: true
+  listen: "Restart sssd"
diff --git a/roles/lmn_sssd/tasks/main.yml b/roles/lmn_sssd/tasks/main.yml
index 069f67c..ed44ce5 100644
--- a/roles/lmn_sssd/tasks/main.yml
+++ b/roles/lmn_sssd/tasks/main.yml
@@ -1,22 +1,21 @@
 ---
 - name: Install needed packages
-  apt:
+  ansible.builtin.apt:
     name:
       - sssd-ad
       - sssd-tools
       - adcli
-    state: latest
 
 - name: Provide user identities from AD
-  template:
+  ansible.builtin.template:
     src: sssd.conf.j2
     dest: /etc/sssd/sssd.conf
-    mode: 0600
-  notify: restart sssd
+    mode: '0600'
+  notify: Restart sssd
 
   ## Either one of the variables is defined:
 - name: Join the domain
-  shell:
+  ansible.builtin.shell:
     cmd: >
       echo "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}" |
       adcli join --stdin-password -U global-admin {{ domain | upper }}
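Review bot: `Join the domain` embeds the admin password in the shell command text (`echo "{{ ... }}" | adcli join ...`), so it becomes part of the task's recorded command, appears in verbose output and logs unless the task sets `no_log: true` (not visible here; the task continues past the hunk), and a password containing `"`, `$` or a backtick is mangled by shell expansion. `ansible.builtin.shell` accepts a `stdin` argument, so `cmd: adcli join --stdin-password -U global-admin {{ domain | upper }}` together with `stdin: "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}"` and `no_log: true` hands the secret to adcli without placing it on the command line or through the shell. With the pipe gone, `ansible.builtin.command` would then suffice.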
diff --git a/roles/lmn_vm/defaults/main.yml b/roles/lmn_vm/defaults/main.yml
index ad2a507..55cb580 100644
--- a/roles/lmn_vm/defaults/main.yml
+++ b/roles/lmn_vm/defaults/main.yml
@@ -1,2 +1,3 @@
 ---
 vm_support: false
+torrent_srv: "seedbox.{{ domain }}"
diff --git a/roles/lmn_vm/handlers/main.yml b/roles/lmn_vm/handlers/main.yml
index 9c550b0..e8829ac 100644
--- a/roles/lmn_vm/handlers/main.yml
+++ b/roles/lmn_vm/handlers/main.yml
@@ -1,5 +1,5 @@
 - name: Reload libvirtd
-  systemd:
+  ansible.builtin.systemd:
     name: libvirtd.service
   listen: reload libvirtd
 
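Review bot: The `Reload libvirtd` handler passes only `name: libvirtd.service` to ansible.builtin.systemd with no `state:`, `enabled:` or `daemon_reload:`, so when it fires it reports the unit's status and reloads nothing. Add `state: reloaded` under `name:` (or `state: restarted` if the configuration change requires it). The only notifier visible in this diff is the commented-out `allow all users to use VMs` task in roles/lmn_vm/tasks/main.yml, so the handler may currently be unused, but it should still do what its name says.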
diff --git a/roles/lmn_vm/tasks/main.yml b/roles/lmn_vm/tasks/main.yml
index 5a79cf3..7212db0 100644
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@@ -4,32 +4,31 @@
 - name: Allow users to attach to bridge
   ansible.builtin.copy:
     dest: /etc/apt/apt.conf.d/94qemu-bridge-suid
+    mode: '0644'
     content: |
       ## Modify permissions after installation/upgrade
       ## to run qemu-bridge as root
       DPkg::Post-Invoke {"/usr/bin/chmod 4755 /usr/lib/qemu/qemu-bridge-helper || true"; };
 
 
-- name: install libvirt packages
-  apt:
+- name: Install libvirt packages
+  ansible.builtin.apt:
     name:
       - aria2
       - mktorrent
       - libvirt-daemon-system
       - virt-manager
       - dialog # for vm-netboot menu
-    state: latest
-    autoremove: true
 
-    #- name: allow all users to use VMs
-    #  lineinfile:
-    #    dest: /etc/libvirt/libvirtd.conf
-    #    line: 'auth_unix_rw = "none"'
-    #    insertafter: '#auth_unix_rw = "polkit"'
-    #  notify: reload libvirtd
+    # - name: allow all users to use VMs
+    #   lineinfile:
+    #     dest: /etc/libvirt/libvirtd.conf
+    #     line: 'auth_unix_rw = "none"'
+    #     insertafter: '#auth_unix_rw = "polkit"'
+    #   notify: reload libvirtd
 
 - name: Configure pam_mount for VM bind mounts
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/security/pam_mount.conf.xml
     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mounts for VMs) -->"
     block: |
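Review bot: Besides replacing `state: latest` (the lint fix), the libvirt apt task also drops `autoremove: true`, which is an unrelated behaviour change not mentioned in the commit message; the squid install later in this file loses the same key. If dropping autoremove was deliberate, say so in the description; otherwise keep `autoremove: true` under the package list, since it is independent of the package-latest rule. The pam_mount blockinfile at the end of this hunk continues outside it.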
@@ -49,7 +48,7 @@
     insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"
 
 - name: Configure pam_mount for VM bind mounts
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/security/pam_mount.conf.xml
     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mount school for VMs) -->"
     block: |
@@ -63,7 +62,7 @@
   when: localhome is defined and localhome
 
 - name: Use umount script for proper cleanup
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/security/pam_mount.conf.xml
     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (umount script needed for bind mounts ordering) -->"
     block: |
@@ -75,16 +74,16 @@
   ansible.builtin.copy:
     src: pam-umount.sh
     dest: /usr/local/sbin/pam-umount.sh
-    mode: "0755"
+    mode: '0755'
 
 - name: Insert domain in default-network
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: /etc/libvirt/qemu/networks/default.xml
     line: '  <domain name="{{ ansible_domain }}" localOnly="no"/>'
     insertafter: '</ip>'
 
 - name: Autostart default network for VMs
-  file:
+  ansible.builtin.file:
     src: /etc/libvirt/qemu/networks/default.xml
     dest: /etc/libvirt/qemu/networks/autostart/default.xml
     state: link
@@ -97,56 +96,57 @@
     create_home: false
 
 - name: Create /etc/lmn directory
-  file:
+  ansible.builtin.file:
     path: /etc/lmn
     state: directory
+    mode: '0755'
 
 - name: Create /lmn directory
-  file:
+  ansible.builtin.file:
     path: /lmn
     state: directory
+    mode: '0755'
 
 - name: Create /lmn/media directory
-  file:
+  ansible.builtin.file:
     path: /lmn/media
     state: directory
     mode: '1777'
 
 - name: Create /var/vm directory
-  file:
+  ansible.builtin.file:
     path: /var/vm
     state: directory
     mode: '1777'
 
 - name: Create vm directory
-  file:
+  ansible.builtin.file:
     path: /lmn/vm
     state: directory
     owner: lmnsynci
     group: lmnsynci
-    mode: 0755
+    mode: '0755'
 
 - name: Create cleanup-vm.conf
   ansible.builtin.copy:
     dest: /etc/tmpfiles.d/clean-vm.conf
+    mode: '0644'
     content: |
       D /var/tmp/vm 1777 root root -
 
 - name: Install squid
-  apt:
+  ansible.builtin.apt:
     name:
       - squid
-    state: latest
-    autoremove: true
 
 - name: Disable squid
-  systemd:
+  ansible.builtin.systemd:
     name: squid
     enabled: false
     state: stopped
 
 - name: Deploy squid user mode configuration
-  template:
+  ansible.builtin.template:
     src: "{{ item }}.j2"
     dest: "/etc/squid/{{ item }}"
     mode: '0644'
@@ -155,16 +155,16 @@
     - squid-usermode-external.conf
 
 - name: Deploy startusersquid script
-  template:
+  ansible.builtin.template:
     src: startusersquid.sh.j2
     dest: /usr/local/bin/startusersquid.sh
     mode: '0755'
 
 - name: Provide usersquid service
-  copy:
+  ansible.builtin.copy:
     src: usersquid.service
     dest: /etc/systemd/user/usersquid.service
-    mode: 0644
+    mode: '0644'
 
 - name: Enable usersquid service
   ansible.builtin.systemd:
@@ -173,7 +173,7 @@
     enabled: true
 
 - name: Deploy sudo configurations
-  copy:
+  ansible.builtin.copy:
     src: "{{ item }}"
     dest: "/etc/sudoers.d/90-{{ item }}"
     owner: root
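Review bot: The copy into /etc/sudoers.d/ has no `validate:` among the visible lines; a syntactically bad drop-in disables sudo for every user on the host, so add `validate: /usr/sbin/visudo -cf %s` alongside `owner:` if it is not already set below the hunk. The lineinfile that writes /etc/sudoers.d/95-lmn-ansible at the top of this chunk has the same gap. The rest of this task (mode, loop items) is outside the hunk.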
@@ -184,7 +184,7 @@
     - lmn-vm
 
 - name: Deploy vmimages scripts
-  copy:
+  ansible.builtin.copy:
     src: "{{ item }}"
     dest: /usr/local/bin/
     owner: root
@@ -210,6 +210,7 @@
     dest: /etc/lmn/vm.conf
     owner: root
     group: root
+    mode: '0644'
 
 - name: Deploy aria2 RPC password file
   ansible.builtin.copy:
@@ -226,15 +227,18 @@
     state: directory
     owner: lmnsynci
     group: lmnsynci
+    mode: '0755'
 
 - name: Prepare directory for qemu bridge config
   ansible.builtin.file:
     path: /etc/qemu/
     state: directory
+    mode: '0755'
 
 - name: Deploy bridge.conf needed for qemu session mode
   ansible.builtin.copy:
     dest: /etc/qemu/bridge.conf
+    mode: '0644'
     content: |
       allow virbr0
       allow virbr1
@@ -263,6 +267,7 @@
 - name: Adjust interface permissions for user mode VMs
   ansible.builtin.copy:
     dest: /etc/udev/rules.d/80-macvlan.rules
+    mode: '0644'
     content: |
       {% for interface in (ansible_interfaces | select('search', '^en[pso].+')) %}
       SUBSYSTEMS=="net", KERNELS=="macvtap-{{ interface[3:9] }}", MODE="0666"
diff --git a/roles/lmn_vpn/defaults/main.yml b/roles/lmn_vpn/defaults/main.yml
index 935b340..2c6e23f 100644
--- a/roles/lmn_vpn/defaults/main.yml
+++ b/roles/lmn_vpn/defaults/main.yml
@@ -1,6 +1,5 @@
 ---
 vpn: none
- 
 # Wireguad config
 wg_endpoint: "203.0.113.1:51820"
 wg_allowed_ips: "10.0.0.0/16;"
diff --git a/roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml b/roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml
index 5f13000..f444369 100644
--- a/roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml
+++ b/roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml
@@ -45,9 +45,8 @@
 - name: Issue radius certificate
   ansible.builtin.include_tasks: eap-tls_issue-certificate.yaml
   when:
-  - radius_reachable.unreachable is not defined or not radius_reachable.unreachable
-  - |
-    ( not cert_client_active.stat.exists ) or
-    (cert_serial.stdout | replace('serial=','') | int(base=16) ) in ( radius_crl.revoked_certificates | map(attribute='serial_number') | list ) or
-    wlan_force_issue
-
+    - radius_reachable.unreachable is not defined or not radius_reachable.unreachable
+    - |
+      ( not cert_client_active.stat.exists ) or
+      (cert_serial.stdout | replace('serial=','') | int(base=16) ) in ( radius_crl.revoked_certificates | map(attribute='serial_number') | list ) or
+      wlan_force_issue
diff --git a/roles/up2date_debian/tasks/main.yml b/roles/up2date_debian/tasks/main.yml
index b71d0d8..39f11f7 100644
--- a/roles/up2date_debian/tasks/main.yml
+++ b/roles/up2date_debian/tasks/main.yml
@@ -1,39 +1,40 @@
 # Update lists and upgrade packages.
 
-- name: update apt package lists
-  apt:
+- name: Update apt package lists
+  ansible.builtin.apt:
     update_cache: true
     cache_valid_time: 86400
 
-- block:
-    - name: upgrade packages
-      apt:
+- name: Try to upgrade packages
+  block:
+    - name: Upgrade packages
+      ansible.builtin.apt:
         upgrade: dist
         autoremove: true
         autoclean: true
   rescue:
     - name: Looks like dpkg was interrupted, configure manually
-      command:
+      ansible.builtin.command:
         cmd: dpkg --configure -a
     - name: Try again to upgrade packages
-      apt:
+      ansible.builtin.apt:
         upgrade: dist
         autoremove: true
         autoclean: true
 
-- name: install etckeeper
-  apt:
+- name: Install etckeeper
+  ansible.builtin.apt:
     name: etckeeper
     state: latest # noqa package-latest
 
-- name: install extra packages from stable
-  apt:
+- name: Install extra packages from stable
+  ansible.builtin.apt:
     name: "{{ extra_pkgs }}"
     state: latest # noqa package-latest
   when: extra_pkgs|length
 
-- name: add {{ ansible_distribution_release }}-backports
-  apt_repository:
+- name: Add backports for {{ ansible_distribution_release }}
+  ansible.builtin.apt_repository:
     repo: >
       deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports
       main non-free-firmware
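Review bot: The rescue step `ansible.builtin.command: cmd: dpkg --configure -a` has no `changed_when:`, so ansible-lint's no-changed-when rule will still report it even though the commit aims at fewer lint findings; the command only runs after a failed upgrade and does modify package state, so `changed_when: true` on that task is the honest value. The `# noqa package-latest` markers on the etckeeper and extra-package tasks are fine as written.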
@@ -41,8 +42,8 @@
     update_cache: true
   when: extra_pkgs_bpo|length
 
-- name: install extra packages from backports
-  apt:
+- name: Install extra packages from backports
+  ansible.builtin.apt:
     name: "{{ extra_pkgs_bpo }}"
     state: latest # noqa package-latest
     default_release: "{{ ansible_distribution_release }}-backports"