- Add variable to configure sudo-program permissions (`sudo_permissions`)
- Add variable to configure polkit-rules (`polkit_rules`)
- Migrate sudo and polkit permissions from lmn_teacherlaptop role to inventory
- Separate `lmn_vpn` from `lmn_teacherlaptop`.
- Implement a check for the availability of the wireguard-server during the wg-config rollout.
- Enhance variable support with a standardized naming schema:
  - VPN selection via `vpn` variable (`none`, `wg`).
  - Wireguard configuration (endpoint, allowed IPs, ip_cdr, dns, searchpath).
- Run wg-config role in a separate play with serial 1 to avoid conflicts when the role attempts
  to determine the next free Wireguard IP on the server.
- Ensure required packages and services are only installed and configured if the `vpn` variable is set.
- Provide documentation for `lmn_vpn` module.
- Consolidate `lmn_wlan`, `lmn_wlan_nm`, and `lmn_wlan_8021x` into single `lmn_wlan` role.
- Implement a check for the availability of the radius-server during the EAP-TLS rollout.
- Enhance variable support with a standardized naming schema:
  - Mode selection via `wlan` variable (`none`, `psk`, `eap-tls`).
  - EAP-TLS CA configuration (CA information, email address, CA password).
  - Introduce a switch to force the (re-)issue of existing certificates.
  - PSK configuration through `wlan_ssid` and `wlan_password`.
- Add a check to verify if the radius certificate is revoked.
- Ensure required packages and services are only installed and configured if the `wifi` variable is set.
Use variable localhome to determine whether the localhome module is installed.
Default: localhome=false
Further changes:
- Move pam-exec from common-auth to common-session
- Move pam-mkhomedir before pam-mount to avoid double login on first use on localhome devices
Starting libvirtd.service provides iptables rules for the NATed network virbr0.
When firewalld.service is started after libvirtd, these rules are
overwritten, so NAT no longer works. Restarting libvirtd fixes the
rules again.
Sometimes mounting the server shares fails when logging in (missing
krb5-tickets). On devices with localhome, users can still log in. To
prevent this, users are immediately logged out if the server mounts are
missing.
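The check described in this change, as an added example that is not part of the linuxmuster roles: the logic of a pam_exec session hook that compares the expected server mount points against the mount table and fails the session when any of them is absent. The mount point paths (`/home/share`, `/lmn/media`) and the use of a mounts file in `/proc/mounts` format are assumptions for illustration; the sample mount table is constructed inline.

```shell
#!/bin/sh
# Added example, not code from the linuxmuster roles. Intended to be run from
# pam_exec in common-session: a non-zero exit makes the module fail, so the
# user is not left with a session that lacks the server shares.

# missing_server_mounts MOUNTS_FILE PATH...
# Print each PATH that is not a mount point in MOUNTS_FILE (which has the
# format of /proc/mounts: "source target fstype options dump pass").
# Returns 1 if at least one path is missing, 0 if all are mounted.
missing_server_mounts() {
    mounts_file=$1
    shift
    rc=0
    for p in "$@"; do
        # Field 2 of /proc/mounts is the mount target; exit 0 from awk only
        # when a line with exactly this target exists.
        if ! awk -v want="$p" '$2 == want { found = 1 } END { exit !found }' "$mounts_file"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# session_check MOUNTS_FILE PATH...
# Wrapper with the behaviour a pam_exec hook needs: report what is missing
# on stderr and return non-zero so the session is denied.
session_check() {
    mounts_file=$1
    shift
    if missing=$(missing_server_mounts "$mounts_file" "$@"); then
        return 0
    fi
    echo "server shares not mounted: $missing" >&2
    return 1
}

# Constructed sample mount table (assumption: server shares are CIFS mounts
# at /home/share and /lmn/media). In production the script would pass
# /proc/mounts instead of this temporary file.
SAMPLE_MOUNTS=$(mktemp)
printf '%s\n' \
    'proc /proc proc rw 0 0' \
    'server:/srv/share /home/share cifs rw 0 0' \
    >"$SAMPLE_MOUNTS"

# Demo run: /lmn/media is absent from the sample table, so the check fails.
if session_check "$SAMPLE_MOUNTS" /home/share /lmn/media; then
    echo "all server shares mounted"
else
    echo "session would be denied (exit status 1 for pam_exec)"
fi
rm -f "$SAMPLE_MOUNTS"
```

The awk comparison is on the exact target path, so a parent directory being mounted does not count as the share itself; paths containing spaces appear in `/proc/mounts` escaped as `\040`, which is the form that must be passed in that case.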
iwd as wifi backend has some disadvantages:
- teachers cannot add WPA-Enterprise connections with
NetworkManager
- gnome-network-displays (miracast) does not work
Switching to wpa-supplicant will solve these problems.
In Linux, socket paths are limited to 108 characters.
/var/tmp/vm/$UID/.config will be too long in some cases.
So we use /var/tmp/vm/$UID.
/var/tmp/vm must be
- cleaned on startup
- created with sticky-bit (used by different users)
When terminating screen lock, pam_exec is called in the context of the corresponding user.
Non-root users don't have the permission to start/stop firewalld. So exit immediately.
Exam mode doesn't collect home directories on localhome clients.
Deleting home of exam-users will result in potential data loss. But keeping
the home under the same name will prevent new exam at the next day.
Solution: Rename home (and /lmn/media/) of user after 12h and delete after 10d.
For a working exam mode we need to block direct internet access by firewall.
Users have to use the squid proxy on the firewall, which can be disabled for exam users.
To allow VM traffic (anonymous user), we use a local squid server with the user's
Kerberos ticket to authenticate on the parent squid.
When using VMs on teacher devices offsite, the local squid has to use direct internet access.
So we need two squid configs. When switching between offsite and onsite,
squid has to be restarted with the corresponding config.