it-team/lmn-client
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: it-team:405fed1fcf4202e66aea3fbc84a66c1ca659da39
Branches Tags
it-team:main
it-team:bookworm
it-team:tpm2
it-team:dev
it-team:fvs
..
compare: it-team:63dec2f8b7815f00318c84a69f00b968c686b824
Branches Tags
it-team:main
it-team:bookworm
it-team:tpm2
it-team:dev
it-team:fvs

No commits in common. "405fed1fcf4202e66aea3fbc84a66c1ca659da39" and "63dec2f8b7815f00318c84a69f00b968c686b824" have entirely different histories.
405fed1fcf ... 63dec2f8b7

20 changed files with 694 additions and 898 deletions
Download patch file Download diff file Expand all files Collapse all files

1358
inventory.yml
View file

File diff suppressed because it is too large Load diff

21
lmn-client.yml
View file

@ -49,7 +49,6 @@
- lmn_network - lmn_network
- role: up2date_debian - role: up2date_debian
tags: upgrade tags: upgrade
- lmn_encrypt
- lmn_sssd - lmn_sssd
- lmn_mount - lmn_mount
- lmn_kde - lmn_kde
@ -81,17 +80,15 @@
loop_var: rolename loop_var: rolename
when: custom_roles is defined when: custom_roles is defined
- name: Import role security - name: Final tasks
ansible.builtin.import_role: ansible.builtin.include_role:
name: lmn_security name: "{{ role }}"
loop_control:
- name: Import role finish loop_var: role
ansible.builtin.import_role: loop:
name: lmn_finish - lmn_security
- lmn_finish
- name: Import role tmpfixes - lmn_tmpfixes
ansible.builtin.import_role:
name: lmn_tmpfixes
- name: Apply roles that must run serial - name: Apply roles that must run serial

11
roles/custom/fvs/files/lmn-patch-dolphin.sh
View file

@ -16,16 +16,11 @@ fi
id="$(grep ID "$file" | sed -E "s|^.+ID>([[:digit:]]+)/([[:digit:]]+)</ID.+$|\1:\2|" \ id="$(grep ID "$file" | sed -E "s|^.+ID>([[:digit:]]+)/([[:digit:]]+)</ID.+$|\1:\2|" \
| sort -n -t: -k2 | tail -1 )" | sort -n -t: -k2 | tail -1 )"
for dir in teachers examusers staff parents; do if id | grep -q teachers; then
if [[ -d "/srv/samba/schools/default-school/${dir}/${USER}" ]]; then NETHOME=/srv/samba/schools/default-school/teachers/$USER
NETHOME="/srv/samba/schools/default-school/${dir}/${USER}" else
break
fi
done
if [[ -z "${NETHOME+x}" ]]; then
NETHOME=(/srv/samba/schools/default-school/students/*/"$USER") NETHOME=(/srv/samba/schools/default-school/students/*/"$USER")
fi fi
[[ -d $NETHOME ]] || exit 0 [[ -d $NETHOME ]] || exit 0
IDENTITY="${id%%:*}" IDENTITY="${id%%:*}"

1
roles/custom/fvs/tasks/main.yml
View file

@ -62,7 +62,6 @@
- okular-extra-backends ## needed for CHM files - okular-extra-backends ## needed for CHM files
- pdf-presenter-console - pdf-presenter-console
- php-cli - php-cli
- php-sqlite3
- pipx - pipx
- planner - planner
- pulseview - pulseview

3
roles/lmn_encrypt/defaults/main.yml
View file

@ -1,3 +0,0 @@
---
encrypt_passphrase_initial: Muster!
encrypt_tpm2: false

5
roles/lmn_encrypt/handlers/main.yml
View file

@ -1,5 +0,0 @@
- name: Run update-grub
ansible.builtin.command: update-grub
- name: Run update-dracut
ansible.builtin.command: dracut -f

45
roles/lmn_encrypt/tasks/main.yml
View file

@ -1,45 +0,0 @@
---
- name: Find device with LUKS holder
vars:
partitions: "{{ item.value.partitions | dict2items | selectattr('value.holders', 'search', 'luks|crypt') }}"
ansible.builtin.set_fact:
encrypt_device: "/dev/disk/by-id/{{ partitions[0].value.links.ids[0] }}"
when:
- item.value.partitions is defined
- item.value.partitions | dict2items | length > 0
loop: "{{ ansible_devices | dict2items }}"
- name: Get luks slots
ansible.builtin.command:
cmd: "systemd-cryptenroll {{ encrypt_device }}"
register: encrypt_slots_result
changed_when: false
when: encrypt_device is defined
- name: Change Password of Luks password slot
ansible.builtin.command:
cmd: >
systemd-run -P --wait
-p SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase_initial }}
-p SetCredential=cryptenroll.new-passphrase:{{ encrypt_passphrase }}
systemd-cryptenroll --password {{ encrypt_device }} --wipe-slot=password
no_log: true
when:
- encrypt_device is defined
- encrypt_passphrase is defined
- encrypt_slots_result.stdout_lines | length == 2
- encrypt_slots_result.stdout_lines[1].startswith(' 0')
- name: TPM Device Check
ansible.builtin.stat:
path: /dev/tpm0
register: tpm_device
when: encrypt_device is defined
- name: Include TPM2 role
ansible.builtin.include_tasks:
file: tpm2.yml
when:
- encrypt_device is defined
- encrypt_tpm2
- tpm_device.stat.exists

42
roles/lmn_encrypt/tasks/tpm2.yml
View file

@ -1,42 +0,0 @@
---
- name: Install tpm2-tools and dracut
ansible.builtin.apt:
name:
- tpm2-tools
- dracut
- name: Enable tpm2-tss crypt module on dracut
ansible.builtin.copy:
dest: /etc/dracut.conf.d/crypt.conf
content: add_dracutmodules+=" tpm2-tss crypt "
mode: '0644'
notify: Run update-dracut
- name: Comment out root device in crypttab
ansible.builtin.lineinfile:
dest: /etc/crypttab
regexp: '^([^#].*)'
line: '#\1'
backrefs: true
- name: Insert luks support to GRUB_CMDLINE_LINUX
ansible.builtin.lineinfile:
dest: /etc/default/grub
regexp: '^(GRUB_CMDLINE_LINUX=).*'
line: '\1"rd.auto rd.luks=1"'
backrefs: true
notify: Run update-grub
- name: Insert TPM2 to Luks slot
ansible.builtin.command:
cmd: >
systemd-run -P --wait
-p SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase | default(encrypt_passphrase_initial) }}
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 {{ encrypt_device }} --wipe-slot=tpm2
no_log: true
when: "'tpm2' not in encrypt_slots_result.stdout"
# - name: Update TPM2 Luks slot
# ansible.builtin.command:
# cmd: systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+8 --unlock-tpm2-device=auto {{ encrypt_device }} --wipe-slot=tpm2
# when: not grub_config.changed

1
roles/lmn_exam/defaults/main.yml
View file

@ -1,3 +1,2 @@
--- ---
exam_mode: true exam_mode: true
exam_teacherpc_last_digit: 80

19
roles/lmn_exam/tasks/main.yml
View file

@ -50,25 +50,6 @@
- pam-exec.sh - pam-exec.sh
- rmexam - rmexam
- name: Append teacherPC to exam_destination_allowed_ipv4 addresses
ansible.builtin.set_fact:
exam_destination_allowed_ipv4: "{{ exam_destination_allowed_ipv4 + [ ansible_default_ipv4.address[:-1] ~ exam_teacherpc_last_digit ] }}"
when:
- exam_destination_allowed_ipv4 is defined
- exam_destination_allowed_ipv4 | length > 0
- name: Install no-way-out-policy
ansible.builtin.template:
src: no-way-out.xml.j2
dest: "/etc/firewalld/policies/no-way-out-{{ item }}.xml"
mode: '0644'
loop:
- HOST
- libvirt
when:
- exam_destination_allowed_ipv4 is defined
- exam_destination_allowed_ipv4 | length > 0
- name: Enable login script via pam_exec.so - name: Enable login script via pam_exec.so
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: /etc/pam.d/common-session dest: /etc/pam.d/common-session

10
roles/lmn_exam/templates/no-way-out.xml.j2
View file

@ -1,10 +0,0 @@
<policy target="REJECT">
{% for address in exam_destination_allowed_ipv4 %}
<rule family="ipv4">
<destination address="{{ address }}"/>
<accept/>
</rule>
{% endfor %}
<ingress-zone name="{{ item }}"/>
<egress-zone name="ANY"/>
</policy>

4
roles/lmn_finish/handlers/main.yml
View file

@ -1,4 +0,0 @@
---
- name: Reboot client
ansible.builtin.command:
cmd: "shutdown -r -t 60"

14
roles/lmn_finish/tasks/main.yaml
View file

@ -6,8 +6,6 @@
- "{{ extra_pkgs }}" - "{{ extra_pkgs }}"
- "{{ extra_pkgs1 }}" - "{{ extra_pkgs1 }}"
- "{{ extra_pkgs2 }}" - "{{ extra_pkgs2 }}"
tags:
- baseinstall
- name: Add backports for {{ ansible_distribution_release }} - name: Add backports for {{ ansible_distribution_release }}
ansible.builtin.apt_repository: ansible.builtin.apt_repository:
@ -29,18 +27,6 @@
- "{{ extra_pkgs_bpo2 }}" - "{{ extra_pkgs_bpo2 }}"
when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0 when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
- name: Check if former ansible-stamp exists
ansible.builtin.stat:
path: /var/local/ansible-stamps
register: stamp_exists
- name: Trigger Reboot if no former ansible-run is found
ansible.builtin.debug:
msg: "First Ansible-Run on Client - Reboot handler started"
changed_when: not stamp_exists.stat.exists
notify: "Reboot client"
- name: Timestamp successfull run and send up-to-date report - name: Timestamp successfull run and send up-to-date report
ansible.builtin.shell: ansible.builtin.shell:
cmd: date --iso-8601=seconds >> /var/local/ansible-stamps && /usr/local/sbin/reporter cmd: date --iso-8601=seconds >> /var/local/ansible-stamps && /usr/local/sbin/reporter

1
roles/lmn_localhome/tasks/main.yml
View file

@ -33,6 +33,7 @@
dest: /etc/profile.d/lmn-logout.sh dest: /etc/profile.d/lmn-logout.sh
mode: '0755' mode: '0755'
content: | content: |
[[ "${UID}" -gt 10000 ]] && ! findmnt "/lmn/media/${USER}/home" > /dev/null && exit 0
{% if localhome_logout_missing_serverhome %} {% if localhome_logout_missing_serverhome %}
[[ "${UID}" -gt 10000 ]] && ! findmnt /srv/samba/schools/default-school > /dev/null && exit 0 [[ "${UID}" -gt 10000 ]] && ! findmnt /srv/samba/schools/default-school > /dev/null && exit 0
{% endif %} {% endif %}

6
roles/lmn_misc/tasks/main.yml
View file

@ -167,8 +167,6 @@
src: reporter.j2 src: reporter.j2
dest: /usr/local/sbin/reporter dest: /usr/local/sbin/reporter
mode: '0755' mode: '0755'
tags:
- baseinstall
- name: Provide services and timers for reporter - name: Provide services and timers for reporter
ansible.builtin.copy: ansible.builtin.copy:
@ -179,16 +177,12 @@
- reporter.service - reporter.service
- reporter.timer - reporter.timer
when: misc_reporter when: misc_reporter
tags:
- baseinstall
- name: Enable reporter.timer - name: Enable reporter.timer
ansible.builtin.systemd: ansible.builtin.systemd:
name: reporter.timer name: reporter.timer
enabled: true enabled: true
when: misc_reporter when: misc_reporter
tags:
- baseinstall
# Prepare CloneScreen on Presenter PCs # Prepare CloneScreen on Presenter PCs

6
roles/lmn_security/tasks/main.yml
View file

@ -5,8 +5,6 @@
key: "{{ item }}" key: "{{ item }}"
loop: "{{ keys2deploy }}" loop: "{{ keys2deploy }}"
when: keys2deploy is defined when: keys2deploy is defined
tags:
- baseinstall
- name: Allow sudo without password for ansible - name: Allow sudo without password for ansible
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -16,16 +14,12 @@
owner: root owner: root
group: root group: root
mode: '0700' mode: '0700'
tags:
- baseinstall
- name: Disable ansible user login - name: Disable ansible user login
ansible.builtin.user: ansible.builtin.user:
name: ansible name: ansible
password_lock: true password_lock: true
when: security_defaultuser_login_disable when: security_defaultuser_login_disable
tags:
- baseinstall
- name: Limit SSH access to user ansible - name: Limit SSH access to user ansible
ansible.builtin.blockinfile: ansible.builtin.blockinfile:

2
roles/lmn_sssd/defaults/main.yml
View file

@ -1,2 +0,0 @@
---
sssd_domjoin_user: global-admin

23
roles/lmn_sssd/tasks/main.yml
View file

@ -13,23 +13,12 @@
mode: '0600' mode: '0600'
notify: Restart sssd notify: Restart sssd
- name: Check if the machine account password and the join are still valid ## Either one of the variables is defined:
ansible.builtin.shell:
cmd: adcli testjoin -D {{ domain | upper }}
register: adcli_test_result
failed_when: false
changed_when: false
# If domjoin not valid:
- name: Join the domain - name: Join the domain
ansible.builtin.shell: ansible.builtin.shell:
cmd: > cmd: >
echo "{{ ad_passwd }}" | adcli join --stdin-password -U {{ ad_user }} {{ domain | upper }} echo "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}" |
no_log: true adcli join --stdin-password -U global-admin {{ domain | upper }}
vars: when: >
- ad_user: "{{ 'global-admin' if (adpw.user_input | default(ansible_cmdline.adpw) | default('') | length > 0) else sssd_domjoin_user }}" ansible_cmdline.adpw | default('') | length > 0 or
- ad_passwd: "{{ adpw.user_input | default('') if adpw.user_input | length > 0 else ansible_cmdline.adpw | default(sssd_domjoin_passwd) | default('') }}" adpw.user_input | default('') | length > 0
when:
- adpw.user_input | length > 0 or
ansible_cmdline.adpw | default(sssd_domjoin_passwd) | default('') | length > 0
- adcli_test_result.rc != 0

11
roles/lmn_vm/files/vm-run
View file

@ -346,16 +346,11 @@ if ! virsh --connect="${QEMU}" list | grep "${VM_NAME}-clone"; then
virsh --connect=qemu:///session undefine --nvram "${VM_NAME}-clone" || echo "${VM_NAME}-clone did not exist" virsh --connect=qemu:///session undefine --nvram "${VM_NAME}-clone" || echo "${VM_NAME}-clone did not exist"
#trap exit_script SIGHUP SIGINT SIGTERM #trap exit_script SIGHUP SIGINT SIGTERM
for dir in teachers examusers staff parents; do if id | grep -q teachers; then
if [[ -d "/srv/samba/schools/default-school/${dir}/${USER}" ]]; then NETHOME=/srv/samba/schools/default-school/teachers/$USER
NETHOME="/srv/samba/schools/default-school/${dir}/${USER}" else
break
fi
done
if [[ -z "${NETHOME+x}" ]]; then
NETHOME=(/srv/samba/schools/default-school/students/*/"$USER") NETHOME=(/srv/samba/schools/default-school/students/*/"$USER")
fi fi
if [[ "${HOME}" != "${NETHOME}" ]]; then if [[ "${HOME}" != "${NETHOME}" ]]; then
VMINFO_DIR="${HOME}" VMINFO_DIR="${HOME}"
else else

9
roles/lmn_vm/files/vm-vminfo
View file

@ -93,12 +93,9 @@ def main():
vminfo['User'] = environ.get('USER') vminfo['User'] = environ.get('USER')
vminfo['Groups'] = get_groups(environ.get('USER')) vminfo['Groups'] = get_groups(environ.get('USER'))
for dir in ['teachers','examusers','staff','parents']: if 'teachers' in vminfo['Groups']:
potential_path = f"/srv/samba/schools/default-school/{dir}/{vminfo['User']}" nethome = f"/srv/samba/schools/default-school/teachers/{vminfo['User']}"
if path.isdir(potential_path): else:
nethome = potential_path
break
if not nethome:
result = subprocess.run(['find', '/srv/samba/schools/default-school/students/', '-name', vminfo['User'], '-maxdepth', '2', '-type', 'd'], capture_output=True, text=True, check=False) result = subprocess.run(['find', '/srv/samba/schools/default-school/students/', '-name', vminfo['User'], '-maxdepth', '2', '-type', 'd'], capture_output=True, text=True, check=False)
nethome = result.stdout.splitlines()[0] nethome = result.stdout.splitlines()[0]