Compare commits
2 commits
4a254588cc
...
d34a2d78e8
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
d34a2d78e8 | ||
|
|
02aac5ab15 |
2 changed files with 103 additions and 8 deletions
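--- /dev/null
+++ b/bookworm-to-trixie.yml
@@ -0,0 +1,84 @@
+---
+- name: Upgrade Client from Bookworm to Trixie
+  hosts: all
+  remote_user: ansible
+  become: true
+
+  tasks:
+    - name: Update system to latest Bookworm
+      ansible.builtin.apt:
+        upgrade: full
+        update_cache: false
+        dpkg_options: "force-confdef,force-confold"
+      environment:
+        DEBIAN_FRONTEND: noninteractive
+
+    - name: Run apt autoremove
+      ansible.builtin.apt:
+        autoremove: true
+
+    - name: Remove backports for {{ ansible_distribution_release }}
+      ansible.builtin.apt_repository:
+        repo: "deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main non-free-firmware"
+        state: absent
+        update_cache: false
+
+    - name: Change Debian Release from Bookworm to Trixie in /etc/apt/sources.list
+      ansible.builtin.replace:
+        path: "/etc/apt/sources.list"
+        regexp: "bookworm"
+        replace: "trixie"
+
+    - name: Run full package upgrade to Trixie
+      ansible.builtin.apt:
+        update_cache: true
+        upgrade: full
+        dpkg_options: "force-confdef,force-confold"
+      environment:
+        DEBIAN_FRONTEND: noninteractive
+
+    - name: Reboot client
+      ansible.builtin.reboot:
+        msg: "Client Reboot after Upgrade to Trixie"
+        reboot_timeout: 600
+
+    - name: Wait until the client is reachable after reboot
+      ansible.builtin.wait_for_connection:
+        timeout: 600
+
+    - name: Find all user home directories
+      ansible.builtin.find:
+        paths: /home
+        file_type: directory
+      register: user_homes
+
+    - name: Remove Nextcloud from Dolphin bookmarks
+      ansible.builtin.command: >
+        sed -i '/<bookmark href="file:\/\/\/lmn\/media\/.*\/nextcloud">/,/<\/bookmark>/d' {{ item }}/.local/share/user-places.xbel
+      loop: "{{ user_homes.files | map(attribute='path') | list }}"
+      when: item is match('^/home/.+')
+      ignore_errors: true
+
+    - name: Remove PAM Bind-Mounts block
+      ansible.builtin.blockinfile:
+        path: /etc/security/pam_mount.conf.xml
+        state: absent
+        marker: "<!-- {mark} ANSIBLE MANAGED BLOCK $bind mounts for VMs$ -->"
+
+    - name: Remove PAM Nextcloud-Mounts block
+      ansible.builtin.blockinfile:
+        path: /etc/security/pam_mount.conf.xml
+        state: absent
+        marker: "<!-- {mark} ANSIBLE MANAGED BLOCK $mount Nextcloud$ -->"
+
+    - name: Install qemu spice support
+      ansible.builtin.apt:
+        name: qemu-system-modules-spice
+
+    - name: Disable systemd-networkd.service
+      ansible.builtin.systemd:
+        name: systemd-networkd.service
+        enabled: false
+
+
+- import_playbook: lmn-client.yml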
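Review bot: The `ansible.builtin.command` task "Remove Nextcloud from Dolphin bookmarks" runs `sed -i` with the path `{{ item }}/.local/share/user-places.xbel` unquoted, so a home directory name containing whitespace would be split into separate arguments, and the task reports changed on every run because sed is not idempotent; `ignore_errors: true` then hides any such failure together with the missing-file case. Quoting the argument, `sed -i '…' '{{ item }}/.local/share/user-places.xbel'`, and replacing `ignore_errors: true` with a prior `ansible.builtin.stat` check (or a narrow `failed_when`) would keep real failures visible. The first apt task is named "Update system to latest Bookworm" but sets `update_cache: false`, so the full-upgrade runs against whatever package index is already cached; `update_cache: true` appears to be what the task name intends. The `ansible.builtin.replace` on `/etc/apt/sources.list` does not touch files under `/etc/apt/sources.list.d/`, so any other bookworm entries there would survive the release switch and could hold packages at the old release; presumably the hosts carry none, but a comment on that task stating the assumption, e.g. `# Assumes all release-bound sources live in sources.list, not sources.list.d/`, would make it explicit.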
@ -2,12 +2,15 @@
|
|||
|
||||
## Description / use cases
|
||||
|
||||
Activating exam_mode provides following functionalities:
|
||||
* when -exam user logs in, firewalld.service will start and prevent communication between devices in the same local network
|
||||
* home- and media-directory of -exam users will be renamed (on the next day) and removed (after some days).
|
||||
This is important due the fact, that -exam user will be new created (with new user-id) on exam-mode initialisation.
|
||||
Without renaming/deleting the home- and media-directory, the -exam user couldn't log in twice on the same pc.
|
||||
Particularly important on machines with localhome
|
||||
**Activating Exam Mode: Functionalities**
|
||||
|
||||
When a user logs in with the `-exam` designation, the following functionalities will be activated:
|
||||
|
||||
* The `firewalld.service` will start, blocking all incoming traffic. Additionally, it will restrict outgoing traffic to the addresses specified in `exam_destination_allowed_ipv4`, if this variable is set. Communication is permitted with devices listed in `exam_teacherpc_ips`, including the teacher PCs. By default, the IP of the teacher PC is determined by the client's IP, with the last digit in the last octet specified by `exam_teacherpc_last_digit`.
|
||||
|
||||
* The home and media directories of `-exam` users will be renamed the following day and removed after a certain period. This is crucial because the `-exam` user will be created anew (with a new user ID) upon the initialization of Exam Mode. Without renaming/deleting the home and media directories, the new `-exam` user would be unable to log in on the same PC, especially on machines with local home configurations.
|
||||
|
||||
|
||||
|
||||
## Requirements
|
||||
|
||||
|
|
@ -15,10 +18,18 @@ none
|
|||
|
||||
## Example
|
||||
|
||||
Per default, all hosts will get exam_mode. But we don't want exam_mode on teacher devices
|
||||
Per default, all hosts will get `exam_mode`. But we don't want `exam_mode` on teacher devices. In `exam_mode` the Networks `10.0.0.0/24`, `10.0.1.0/24`, `192.168.122.0/24/24` will be reachable.
|
||||
|
||||
inventory.yml
|
||||
```
|
||||
|
||||
```yml
|
||||
all:
|
||||
vars:
|
||||
exam_destination_allowed_ipv4:
|
||||
- 10.0.0.0/24
|
||||
- 10.0.1.0/24
|
||||
- 192.168.122.0/24
|
||||
|
||||
teacherdevices:
|
||||
hosts:
|
||||
10.0.14.[1..75]
|
||||
|
|
|
|||