- Skip task `Deploy sudo configurations` when `sudo_permissions` is not defined
- Skip task `Deploy polkit configurations` when `polkit_rules` is not defined
- Add variable to configure sudo-program permissions (`sudo_permissions`)
- Add variable to configure polkit-rules (`polkit_rules`)
- Migrate sudo and polkit permissions from lmn_teacherlaptop role to inventory
- Separate `lmn_vpn` from `lmn_teacherlaptop`.
- Implement a check for the availability of the wireguard-server during the wg-config rollout.
- Enhance variable support with a standardized naming schema:
  - VPN selection via `vpn` variable (`none`, `wg`).
  - Wireguard configuration (endpoint, allowed IPs, ip_cdr, dns, searchpath).
- Run wg-config role in a separate play with serial 1 to avoid conflicts when the role attempts to determine the next free Wireguard IP on the server.
- Ensure required packages and services are only installed and configured if the `vpn` variable is set.
- Provide documentation for `lmn_vpn` module.
- Consolidate `lmn_wlan`, `lmn_wlan_nm`, and `lmn_wlan_8021x` into single `lmn_wlan` role.
- Implement a check for the availability of the radius-server during the EAP-TLS rollout.
- Enhance variable support with a standardized naming schema:
  - Mode selection via `wlan` variable (`none`, `psk`, `eap-tls`).
  - EAP-TLS CA configuration (CA information, email address, CA password).
  - Introduce a switch to force the (re-)issue of existing certificates.
  - PSK configuration through `wlan_ssid` and `wlan_password`.
- Add a check to verify if the radius certificate is revoked.
- Ensure required packages and services are only installed and configured if the `wifi` variable is set.
Use the variable `localhome` to determine whether the localhome module is installed.
Default: `localhome=false`
Further changes:
- Move pam-exec from common-auth to common-session
- Move pam-mkhomedir before pam-mount to avoid double login on first use on localhome devices
Starting libvirtd.service provides iptables rules for the NATed network virbr0.
When firewalld.service is started after libvirtd, these rules are
overwritten, so NAT no longer works. Restarting libvirtd fixes the
rules again.
Sometimes mounting the server shares fails at login (missing
krb5 tickets). On devices with localhome, users can still log in. To
prevent this, users are immediately logged out if the server mounts are
missing.
Iwd as wifi backend has some disadvantages:
- teachers cannot add WPA-Enterprise connections with NetworkManager
- gnome-network-displays (Miracast) does not work
Switching to wpa_supplicant will solve these problems.
On Linux, socket paths are limited to 108 characters.
/var/tmp/vm/$UID/.config will be too long in some cases.
So we use /var/tmp/vm/$UID.
/var/tmp/vm must be
- cleaned on startup
- created with sticky bit (used by different users)
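The two directory requirements above, together with a guard for the 108-byte sun_path limit, as an added example that is not part of the role (assumes a POSIX sh and a find that supports -mindepth/-delete; the base directory is a parameter so it can be exercised outside /var/tmp):

```shell
#!/bin/sh
# Added example, not code from the lmn roles.
SUN_PATH_MAX=108   # sizeof(sun_path) on Linux, including the terminating NUL

# Return 0 if the socket path still leaves room for the NUL byte.
socket_path_ok() {
    [ "${#1}" -lt "$SUN_PATH_MAX" ]
}

# Create BASE (default /var/tmp/vm) as a sticky, world-writable directory and
# remove anything left over from the previous boot. find -delete unlinks
# entries without following symlinks, so stale user-owned links in the shared
# directory are removed rather than traversed.
prepare_vm_dir() {
    base="${1:-/var/tmp/vm}"
    if [ -d "$base" ]; then
        find "$base" -mindepth 1 -xdev -delete
    else
        mkdir -p "$base"
    fi
    chmod 1777 "$base"
}
```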
When the screen lock is terminated, pam_exec is called in the context of the corresponding user.
Non-root users don't have permission to start/stop firewalld, so exit immediately.
Exam mode doesn't collect home directories on localhome clients.
Deleting the home of exam users would result in potential data loss, but keeping
the home under the same name will prevent a new exam on the next day.
Solution: rename the home (and /lmn/media/) of the user after 12h and delete it after 10d.