lmn-client.yml

@@ -49,7 +49,6 @@
     - lmn_network
     - role: up2date_debian
       tags: upgrade
-    - lmn_encrypt
     - lmn_sssd
     - lmn_mount
     - lmn_kde
@@ -81,17 +80,15 @@
         loop_var: rolename
       when: custom_roles is defined
 
-    - name: Import role security
-      ansible.builtin.import_role:
-        name: lmn_security
-
-    - name: Import role finish
-      ansible.builtin.import_role:
-        name: lmn_finish
-
-    - name: Import role tmpfixes
-      ansible.builtin.import_role:
-        name: lmn_tmpfixes
+    - name: Final tasks
+      ansible.builtin.include_role:
+        name: "{{ role }}"
+      loop_control:
+        loop_var: role
+      loop:
+        - lmn_security
+        - lmn_finish
+        - lmn_tmpfixes
 
 
 - name: Apply roles that must run serial

roles/custom/fvs/files/lmn-patch-dolphin.sh

@@ -16,16 +16,11 @@ fi
 id="$(grep ID "$file" | sed -E "s|^.+ID>([[:digit:]]+)/([[:digit:]]+)</ID.+$|\1:\2|" \
 	    | sort -n -t: -k2 | tail -1 )"
 
-for dir in teachers examusers staff parents; do
-  if [[ -d "/srv/samba/schools/default-school/${dir}/${USER}" ]]; then
-    NETHOME="/srv/samba/schools/default-school/${dir}/${USER}"
-    break
-  fi
-done
-if [[ -z "${NETHOME+x}" ]]; then
+if id | grep -q teachers; then
+  NETHOME=/srv/samba/schools/default-school/teachers/$USER
+else
   NETHOME=(/srv/samba/schools/default-school/students/*/"$USER")
 fi
-
 [[ -d $NETHOME ]] || exit 0
 
 IDENTITY="${id%%:*}"

roles/custom/fvs/tasks/main.yml

@@ -62,7 +62,6 @@
       - okular-extra-backends ## needed for CHM files
       - pdf-presenter-console
       - php-cli
-      - php-sqlite3
       - pipx
       - planner
       - pulseview

roles/lmn_encrypt/defaults/main.yml

@@ -1,3 +0,0 @@
----
-encrypt_passphrase_initial: Muster!
-encrypt_tpm2: false

roles/lmn_encrypt/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: Run update-grub
-  ansible.builtin.command: update-grub
-
-- name: Run update-dracut
-  ansible.builtin.command: dracut -f

roles/lmn_encrypt/tasks/main.yml

@@ -1,45 +0,0 @@
----
-- name: Find device with LUKS holder
-  vars:
-    partitions: "{{ item.value.partitions | dict2items | selectattr('value.holders', 'search', 'luks|crypt') }}"
-  ansible.builtin.set_fact:
-    encrypt_device: "/dev/disk/by-id/{{ partitions[0].value.links.ids[0] }}"
-  when:
-    - item.value.partitions is defined
-    - item.value.partitions | dict2items | length > 0
-  loop: "{{ ansible_devices | dict2items }}"
-
-- name: Get luks slots
-  ansible.builtin.command:
-    cmd: "systemd-cryptenroll {{ encrypt_device }}"
-  register: encrypt_slots_result
-  changed_when: false
-  when: encrypt_device is defined
-
-- name: Change Password of Luks password slot
-  ansible.builtin.command:
-    cmd: >
-      systemd-run -P --wait
-      -p SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase_initial }}
-      -p SetCredential=cryptenroll.new-passphrase:{{ encrypt_passphrase }}
-      systemd-cryptenroll --password {{ encrypt_device }} --wipe-slot=password
-  no_log: true
-  when:
-    - encrypt_device is defined
-    - encrypt_passphrase is defined
-    - encrypt_slots_result.stdout_lines | length == 2
-    - encrypt_slots_result.stdout_lines[1].startswith('   0')
-
-- name: TPM Device Check
-  ansible.builtin.stat:
-    path: /dev/tpm0
-  register: tpm_device
-  when: encrypt_device is defined
-
-- name: Include TPM2 role
-  ansible.builtin.include_tasks:
-    file: tpm2.yml
-  when:
-    - encrypt_device is defined
-    - encrypt_tpm2
-    - tpm_device.stat.exists

roles/lmn_encrypt/tasks/tpm2.yml

@@ -1,42 +0,0 @@
----
-- name: Install tpm2-tools and dracut
-  ansible.builtin.apt:
-    name:
-      - tpm2-tools
-      - dracut
-
-- name: Enable tpm2-tss crypt module on dracut
-  ansible.builtin.copy:
-    dest: /etc/dracut.conf.d/crypt.conf
-    content: add_dracutmodules+=" tpm2-tss crypt "
-    mode: '0644'
-  notify: Run update-dracut
-
-- name: Comment out root device in crypttab
-  ansible.builtin.lineinfile:
-    dest: /etc/crypttab
-    regexp: '^([^#].*)'
-    line: '#\1'
-    backrefs: true
-
-- name: Insert luks support to GRUB_CMDLINE_LINUX
-  ansible.builtin.lineinfile:
-    dest: /etc/default/grub
-    regexp: '^(GRUB_CMDLINE_LINUX=).*'
-    line: '\1"rd.auto rd.luks=1"'
-    backrefs: true
-  notify: Run update-grub
-
-- name: Insert TPM2 to Luks slot
-  ansible.builtin.command:
-    cmd: >
-      systemd-run -P --wait
-      -p SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase | default(encrypt_passphrase_initial) }}
-      systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 {{ encrypt_device }} --wipe-slot=tpm2
-  no_log: true
-  when: "'tpm2' not in encrypt_slots_result.stdout"
-
-# - name: Update TPM2 Luks slot
-#   ansible.builtin.command:
-#     cmd: systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+8 --unlock-tpm2-device=auto {{ encrypt_device }} --wipe-slot=tpm2
-#   when: not grub_config.changed

roles/lmn_exam/defaults/main.yml

@@ -1,3 +1,2 @@
 ---
 exam_mode: true
-exam_teacherpc_last_digit: 80

roles/lmn_exam/tasks/main.yml

@@ -50,25 +50,6 @@
     - pam-exec.sh
     - rmexam
 
-- name: Append teacherPC to exam_destination_allowed_ipv4 addresses
-  ansible.builtin.set_fact:
-    exam_destination_allowed_ipv4: "{{ exam_destination_allowed_ipv4 + [ ansible_default_ipv4.address[:-1] ~ exam_teacherpc_last_digit ] }}"
-  when:
-    - exam_destination_allowed_ipv4 is defined
-    - exam_destination_allowed_ipv4 | length > 0
-
-- name: Install no-way-out-policy
-  ansible.builtin.template:
-    src: no-way-out.xml.j2
-    dest: "/etc/firewalld/policies/no-way-out-{{ item }}.xml"
-    mode: '0644'
-  loop:
-    - HOST
-    - libvirt
-  when:
-    - exam_destination_allowed_ipv4 is defined
-    - exam_destination_allowed_ipv4 | length > 0
-
 - name: Enable login script via pam_exec.so
   ansible.builtin.lineinfile:
     dest: /etc/pam.d/common-session

roles/lmn_exam/templates/no-way-out.xml.j2

@@ -1,10 +0,0 @@
-<policy target="REJECT">
-{% for address in exam_destination_allowed_ipv4 %}
-<rule family="ipv4">
-<destination address="{{ address }}"/>
-<accept/>
-</rule>
-{% endfor %}
-<ingress-zone name="{{ item }}"/>
-<egress-zone name="ANY"/>
-</policy>

roles/lmn_finish/handlers/main.yml

@@ -1,4 +0,0 @@
----
-- name: Reboot client
-  ansible.builtin.command:
-    cmd: "shutdown -r -t 60"

roles/lmn_finish/tasks/main.yaml

@@ -6,8 +6,6 @@
     - "{{ extra_pkgs }}"
     - "{{ extra_pkgs1 }}"
     - "{{ extra_pkgs2 }}"
-  tags:
-    - baseinstall
 
 - name: Add backports for {{ ansible_distribution_release }}
   ansible.builtin.apt_repository:
@@ -29,18 +27,6 @@
     - "{{ extra_pkgs_bpo2 }}"
   when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
 
-
-- name: Check if former ansible-stamp exists
-  ansible.builtin.stat:
-    path: /var/local/ansible-stamps
-  register: stamp_exists
-
-- name: Trigger Reboot if no former ansible-run is found
-  ansible.builtin.debug:
-    msg: "First Ansible-Run on Client - Reboot handler started"
-  changed_when: not stamp_exists.stat.exists
-  notify: "Reboot client"
-
 - name: Timestamp successfull run and send up-to-date report
   ansible.builtin.shell:
     cmd: date --iso-8601=seconds >> /var/local/ansible-stamps && /usr/local/sbin/reporter

roles/lmn_localhome/tasks/main.yml

@@ -33,6 +33,7 @@
     dest: /etc/profile.d/lmn-logout.sh
     mode: '0755'
     content: |
+      [[ "${UID}" -gt 10000 ]] && ! findmnt "/lmn/media/${USER}/home" > /dev/null && exit 0
       {% if localhome_logout_missing_serverhome %}
       [[ "${UID}" -gt 10000 ]] && ! findmnt /srv/samba/schools/default-school > /dev/null && exit 0
       {% endif %}

roles/lmn_misc/tasks/main.yml

@@ -167,8 +167,6 @@
     src: reporter.j2
     dest: /usr/local/sbin/reporter
     mode: '0755'
-  tags:
-    - baseinstall
 
 - name: Provide services and timers for reporter
   ansible.builtin.copy:
@@ -179,16 +177,12 @@
     - reporter.service
     - reporter.timer
   when: misc_reporter
-  tags:
-    - baseinstall
 
 - name: Enable reporter.timer
   ansible.builtin.systemd:
     name: reporter.timer
     enabled: true
   when: misc_reporter
-  tags:
-    - baseinstall
 
 # Prepare CloneScreen on Presenter PCs
 

roles/lmn_security/tasks/main.yml

@@ -5,8 +5,6 @@
     key: "{{ item }}"
   loop: "{{ keys2deploy }}"
   when: keys2deploy is defined
-  tags:
-    - baseinstall
 
 - name: Allow sudo without password for ansible
   ansible.builtin.lineinfile:
@@ -16,16 +14,12 @@
     owner: root
     group: root
     mode: '0700'
-  tags:
-    - baseinstall
 
 - name: Disable ansible user login
   ansible.builtin.user:
     name: ansible
     password_lock: true
   when: security_defaultuser_login_disable
-  tags:
-    - baseinstall
 
 - name: Limit SSH access to user ansible
   ansible.builtin.blockinfile:

roles/lmn_sssd/defaults/main.yml

@@ -1,2 +0,0 @@
----
-sssd_domjoin_user: global-admin

roles/lmn_sssd/tasks/main.yml

@@ -13,23 +13,12 @@
     mode: '0600'
   notify: Restart sssd
 
-- name: Check if the machine account password and the join are still valid
-  ansible.builtin.shell:
-    cmd: adcli testjoin -D {{ domain | upper }}
-  register: adcli_test_result
-  failed_when: false
-  changed_when: false
-
-  # If domjoin not valid:
+  ## Either one of the variables is defined:
 - name: Join the domain
   ansible.builtin.shell:
     cmd: >
-      echo "{{ ad_passwd }}" | adcli join --stdin-password -U {{ ad_user }} {{ domain | upper }}
-  no_log: true
-  vars:
-    - ad_user: "{{ 'global-admin' if (adpw.user_input | default(ansible_cmdline.adpw) | default('') | length > 0) else sssd_domjoin_user }}"
-    - ad_passwd: "{{ adpw.user_input | default('') if  adpw.user_input | length > 0 else ansible_cmdline.adpw | default(sssd_domjoin_passwd) | default('') }}"
-  when:
-    - adpw.user_input | length > 0 or
-      ansible_cmdline.adpw | default(sssd_domjoin_passwd) | default('') | length > 0
-    - adcli_test_result.rc != 0
+      echo "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}" |
+      adcli join --stdin-password -U global-admin {{ domain | upper }}
+  when: >
+    ansible_cmdline.adpw | default('') | length > 0 or
+    adpw.user_input | default('') | length > 0

roles/lmn_vm/files/vm-run

@@ -346,16 +346,11 @@ if  ! virsh --connect="${QEMU}" list | grep "${VM_NAME}-clone"; then
     virsh --connect=qemu:///session undefine --nvram "${VM_NAME}-clone" || echo "${VM_NAME}-clone did not exist"
     #trap exit_script SIGHUP SIGINT SIGTERM
 
-    for dir in teachers examusers staff parents; do
-      if [[ -d "/srv/samba/schools/default-school/${dir}/${USER}" ]]; then
-        NETHOME="/srv/samba/schools/default-school/${dir}/${USER}"
-	break
-      fi
-    done
-    if [[ -z "${NETHOME+x}" ]]; then
+    if id | grep -q teachers; then
+      NETHOME=/srv/samba/schools/default-school/teachers/$USER
+    else
       NETHOME=(/srv/samba/schools/default-school/students/*/"$USER")
     fi
-
     if [[ "${HOME}" != "${NETHOME}" ]]; then
       VMINFO_DIR="${HOME}"
     else

roles/lmn_vm/files/vm-vminfo

@@ -93,12 +93,9 @@ def main():
     vminfo['User'] = environ.get('USER')
     vminfo['Groups'] = get_groups(environ.get('USER'))
 
-    for dir in ['teachers','examusers','staff','parents']:
-        potential_path = f"/srv/samba/schools/default-school/{dir}/{vminfo['User']}"
-        if path.isdir(potential_path):
-            nethome = potential_path
-            break
-    if not nethome:
+    if 'teachers' in vminfo['Groups']:
+        nethome = f"/srv/samba/schools/default-school/teachers/{vminfo['User']}"
+    else:
         result = subprocess.run(['find', '/srv/samba/schools/default-school/students/', '-name', vminfo['User'], '-maxdepth', '2', '-type', 'd'], capture_output=True, text=True, check=False)
         nethome = result.stdout.splitlines()[0]