Mounthome is no longer required

Use vm_torrent_srv to configure the torrent server
Use wlan_eap_ca_crl for URL of the certificate revocation list
2025-04-01 15:52:11 +02:00 · 2025-04-01 15:45:11 +02:00 · 2025-04-01 15:31:19 +02:00 · 2025-04-01 15:09:25 +02:00
12 changed files with 531 additions and 587 deletions
--- a/doc/vm_support.md
+++ b/doc/vm_support.md
@ -26,10 +26,10 @@ Default: `vm_support: false
 ### Torrent Server
 ```
-torrent_srv: "myseedbox.linuxmuster.net"
+vm_torrent_srv: "myseedbox.linuxmuster.net"
 ```
-Default: `torrent_srv: "seedbox.{{ domain }}"`
+Default: `vm_torrent_srv: "seedbox.{{ domain }}"`
 ## Example
@ -41,5 +41,5 @@ inventory.yml
 all:
  vars:
    vm_support: true
-    torrent_srv: "myseedbox.linuxmuster.net" # default: seedbox.{{ domain }}
+    vm_torrent_srv: "myseedbox.linuxmuster.net" # default: seedbox.{{ domain }}
 ```
--- a/doc/wlan.md
+++ b/doc/wlan.md
@ -106,6 +106,10 @@ Every devices gets his own certificate. When creating new certificates, the old
  Values:
  * true
  * false <-- (default)
 * **wlan_eap_ca_crl**
  URL of the certificate revocation list
  Type: *String*
  Default: "http://radius.{{ domain }}/radius-ca.crl"
 ### Examples
@ -128,6 +132,7 @@ laptop:
      emailAddress: "admin@example.com"
      CN: "Radius Certificate Authority"
      password: "secret4radiusCA"
    wlan_eap_ca_crl: "http://radius.example.com/radius-ca.crl"
 ```
 ## complex example with both modes
@ -139,12 +144,15 @@ inventory.yml
 all:
  vars:
    wlan_ssid: "WLAName" # teacher and staff are using the same ssid
-    radiusca_password: "secret4radiusCA"
+    wlan_eap_ca:
-    country_name: "DE"
+      C: "DE"
-    state_or_province_name: "Baden-Württemberg"
+      ST: "Baden-Wuerttemberg"
-    locality_name: "Stuttgart"
+      L: "Reutlingen"
-    organization_name: "Baumschule"
+      O: "Linuxschule"
-    admin_email: "admin@example.com"
+      emailAddress: "admin@example.com"
      CN: "Radius Certificate Authority"
      password: "secret4radiusCA"
    wlan_eap_ca_crl: "http://radius.example.com/radius-ca.crl"
 infrastructure:
  hosts:
@ -179,4 +187,4 @@ The issue of certificates can be forced.
 Force issue of new certs for hosts in group laptop_teacher.
 If there is a valid certificate, the old one will be revoked and a new certificate will be issued.
-ansible-playbook -i myinventory.yml -l laptop_teachers lmn-client.yml -e "wlan_force_issue=true"
+ansible-playbook -i myinventory.yml -l laptop_teachers lmn-client.yml -e "wlan_force_issue=true"
--- a/inventory.yml
+++ b/inventory.yml
--- a/lmn-client.yml
+++ b/lmn-client.yml
@ -48,7 +48,6 @@
  vars_files: lmn-vault
  vars:
    domain: "{{ ansible_domain }}"
    kerberize_uris: "{{ vault_kerberize_uris | default('example.org') }}"
    apt_conf: "{{ vault_apt_conf }}"  ## Acquire::http::Proxy "http://aptcache.example.org:3142/";
    ntp_serv: "{{ vault_ntp_serv }}"  ## ntp.example.org
    nfs_server: "{{ vault_nfs_server }}"  ## nfs.example.org
--- a/roles/kerberize/tasks/main.yml
+++ b/roles/kerberize/tasks/main.yml
@ -45,5 +45,5 @@
    mode: '0644'
    content: |
      {
-        "AuthServerAllowlist": "idam.steinbeis.schule"
+        "AuthServerAllowlist": "{{ kerberize_uris | default(ansible_domain) }}"
      }
--- a/roles/lmn_vm/defaults/main.yml
+++ b/roles/lmn_vm/defaults/main.yml
@ -1,3 +1,3 @@
 ---
 vm_support: false
-torrent_srv: "seedbox.{{ domain }}"
+vm_torrent_srv: "seedbox.{{ domain }}"
--- a/roles/lmn_vm/files/lmn-mounthome
+++ b/roles/lmn_vm/files/lmn-mounthome
@ -1,3 +0,0 @@
 %examusers ALL=(root) NOPASSWD: /usr/local/bin/mounthome.sh
 %role-student ALL=(root) NOPASSWD: /usr/local/bin/mounthome.sh
 %role-teacher ALL=(root) NOPASSWD: /usr/local/bin/mounthome.sh
--- a/roles/lmn_vm/files/mounthome.sh
+++ b/roles/lmn_vm/files/mounthome.sh
@ -1,66 +0,0 @@
 #!/usr/bin/bash
 set -eu
 home="$(getent passwd "$SUDO_UID" | cut -d : -f 6 | sed 's|/srv/samba/schools/default-school/||')"
 exit_script() {
    echo "unmounting media - terminated by trap!" >> "/tmp/${SUDO_UID}-exit-mount.log"
    findmnt "/lmn/media/${SUDO_USER}/oldhome" && umount "/lmn/media/${SUDO_USER}/oldhome" && rmdir "/lmn/media/${SUDO_USER}/oldhome"
    findmnt "/lmn/media/${SUDO_USER}/oldprojects" && umount "/lmn/media/${SUDO_USER}/oldprojects" && rmdir "/lmn/media/${SUDO_USER}/oldprojects"
    findmnt "/lmn/media/${SUDO_USER}/linuxhome" && umount "/lmn/media/${SUDO_USER}/linuxhome" && rmdir "/lmn/media/${SUDO_USER}/linuxhome"
    trap - SIGHUP SIGINT SIGTERM # clear the trap
    kill -- -$$ # Sends SIGTERM to child/sub processes
 }
 exit_script_home() {
    echo "unmounting media - terminated by trap!" >> "/tmp/${SUDO_UID}-exit-mount.log"
    umount "/lmn/media/${SUDO_USER}/home"
    trap - SIGHUP SIGINT SIGTERM # clear the trap
    kill -- -$$ # Sends SIGTERM to child/sub processes
 }
 ##########################
 if [[ "$#" -gt 0 ]] && [[ "$1" = '-u' ]]; then
    findmnt "/lmn/media/${SUDO_USER}/home"    && umount "/lmn/media/${SUDO_USER}/home"    && rmdir "/lmn/media/${SUDO_USER}/home"
    #findmnt "/lmn/media/${SUDO_USER}/share"   && umount "/lmn/media/${SUDO_USER}/share"   && rmdir "/lmn/media/${SUDO_USER}/share"
    findmnt "/lmn/media/${SUDO_USER}/oldhome" && umount "/lmn/media/${SUDO_USER}/oldhome" && rmdir "/lmn/media/${SUDO_USER}/oldhome"
    findmnt "/lmn/media/${SUDO_USER}/oldprojects" && umount "/lmn/media/${SUDO_USER}/oldprojects" && rmdir "/lmn/media/${SUDO_USER}/oldprojects"
    findmnt "/lmn/media/${SUDO_USER}/linuxhome" && umount "/lmn/media/${SUDO_USER}/linuxhome" && rmdir "/lmn/media/${SUDO_USER}/linuxhome"
 elif [ "$#" -gt 0 ] && [ "$1" = '-o' ]; then
    echo "Einbinden der Daten des alten/bisherigen Systems (PaedML Novell)."
    echo "Bitte den Username und Passwort aus dem ALTEN System eingeben."
    read -rp "Username: " username
    read -srp "Passwort: " PASSWD
    export PASSWD
    echo
    mkdir -p "/lmn/media/${SUDO_USER}/oldhome"
    mkdir -p "/lmn/media/${SUDO_USER}/oldprojects"
    #errcode=$(mount -t cifs -o "username=${username},uid=${SUDO_UID},gid=${SUDO_GID},file_mode=0700,dir_mode=0700,forceuid,forcegid" \
    #	    "//192.168.1.2/DOCS/fvs" "/lmn/media/${SUDO_USER}/oldhome")
    #if [[ ! "${errcode}" ]]; then
    mount -t cifs -o "username=${username},uid=${SUDO_UID},gid=${SUDO_GID},file_mode=0700,dir_mode=0700,forceuid,forcegid,nobrl,mfsymlinks" \
 	    "//192.168.1.2/DOCS/fvs" "/lmn/media/${SUDO_USER}/oldhome"
    mount -t cifs -o "username=${username},uid=${SUDO_UID},gid=${SUDO_GID},file_mode=0700,dir_mode=0700,forceuid,forcegid,nobrl,mfsymlinks" \
 	    "//192.168.1.2/DATA/fvs/projekte" "/lmn/media/${SUDO_USER}/oldprojects"
    #echo "Mounting successfull!"
    echo "Einbindung erfolgreich!"
    echo "Dieses Fenster bitte nicht schließen!"
    #echo "Um weiter zu arbeiten: <Strg> + <Z>"
    trap exit_script SIGHUP SIGINT SIGTERM
    sleep infinity 
 elif [ "$#" -gt 0 ] && [ "$1" = '-l' ]; then
    echo "Einbinden des Netboot-Home-Verzeichnises. Daten des alten/bisherigen Systems (PaedML Novell)."
    echo "Bitte den Username und Passwort aus dem ALTEN System (PaedML Novell) eingeben."
    echo "Bitte auch Groß- und Kleinschreibung achten."
    read -rp "Username: " username
    mkdir -p "/lmn/media/${SUDO_USER}/linuxhome"
    mount -t fuse -o "allow_other,uid=${SUDO_UID},gid=${SUDO_GID},reconnect" \
          "sshfs#${username}@home.steinbeisschule-reutlingen.de:" "/lmn/media/${SUDO_USER}/linuxhome"
    #echo "Mounting successfull!"
    echo "Einbindung erfolgreich!"
    echo "Dieses Fenster bitte nicht schließen!"
    #echo "Um weiter zu arbeiten: <Strg> + <Z>"
    trap exit_script SIGHUP SIGINT SIGTERM
    sleep infinity 
 fi
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@ -128,14 +128,11 @@
 - name: Deploy sudo configurations
  ansible.builtin.copy:
-    src: "{{ item }}"
+    src: lmn-vm
    dest: "/etc/sudoers.d/90-{{ item }}"
    owner: root
    group: root
    mode: '0700'
  loop:
    - lmn-mounthome
    - lmn-vm
 - name: Deploy vmimages scripts
  ansible.builtin.copy:
@ -145,7 +142,6 @@
    group: root
    mode: '0755'
  loop:
    - mounthome.sh
    - vm-create
    - vm-rebase
    - vm-run
@ -159,8 +155,8 @@
    - desktop-sync
 - name: Deploy vm configuration file vm.conf
-  ansible.builtin.copy:
+  ansible.builtin.template:
-    src: vm.conf
+    src: vm.conf.j2
    dest: /etc/lmn/vm.conf
    owner: root
    group: root
--- a/roles/lmn_vm/templates/vm.conf.j2
+++ b/roles/lmn_vm/templates/vm.conf.j2
@ -1,6 +1,6 @@
 # variables for LMN VM submodule
-SEEDBOX_HOST="seedbox.pn.steinbeis.schule"
+SEEDBOX_HOST="{{ vm_torrent_srv }}"
 SEEDBOX_PORT=6789
 SEEDBOX_RPC_PORT=6800
 SEEDBOX_PWFILE="/etc/lmn/uploadseed.conf"
--- a/roles/lmn_wlan/defaults/main.yaml
+++ b/roles/lmn_wlan/defaults/main.yaml
@ -11,4 +11,5 @@ wlan_eap_ca:
  emailAddress: "admin@example.com"
  CN: "Radius Certificate Authority"
  password: "OtherVerySecurePassw0rd"
 wlan_eap_ca_crl: "http://radius.{{ domain }}/radius-ca.crl"
 wlan_enable_on_boot: true
--- a/roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml
+++ b/roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml
@ -15,7 +15,7 @@
  ansible.builtin.get_url:
    force: true
    mode: "0644"
-    url: "http://radius.steinbeis.schule/radius-ca.crl"
+    url: "{{ wlan_eap_ca_crl }}"
    dest: /tmp/radius-ca.crl
  when: cert_client_active.stat.exists
Author	SHA1	Message	Date
Raphael Dannecker	89fa704ea2	Mounthome is no longer required	2025-04-01 15:52:11 +02:00
Raphael Dannecker	0f4e455717	Use `vm_torrent_srv` to configure the torrent server	2025-04-01 15:45:11 +02:00
Raphael Dannecker	320ad3a51d	Use `wlan_eap_ca_crl` for URL of the certificate revocation list	2025-04-01 15:31:19 +02:00
Raphael Dannecker	f6b77c64cf	Use `kerberize_uris` for chromium AuthServerAllowlist too	2025-04-01 15:09:25 +02:00