14 changed files with 67 additions and 50 deletions
--- a/roles/custom/fvs/files/policies.json
+++ b/roles/custom/fvs/files/policies.json
@ -30,10 +30,6 @@
                "url": "https://info.steinbeis.schule",
                "name": "FvS-Hilfesystem"
            },
-            {
-                "url": "https://ticket.steinbeis.schule",
-                "name": "FvS-IT-Support"
-            },
            {
                "url": "https://moodle.steinbeis.schule",
                "name": "FvS-Moodle"
--- a/roles/custom/fvs/tasks/main.yml
+++ b/roles/custom/fvs/tasks/main.yml
@ -59,7 +59,6 @@
      - net-tools
      - netcat-openbsd
      - nmap
-      - octave
      - okular-extra-backends ## needed for CHM files
      - pdf-presenter-console
      - php-cli
--- a/roles/lmn_misc/templates/lmn-fix-screen.j2
+++ b/roles/lmn_misc/templates/lmn-fix-screen.j2
@ -22,8 +22,8 @@ fi
  pactl set-card-profile alsa_card.{{ audio_output[0] }} output:{{ audio_output[1] }}
  pactl set-default-sink alsa_output.{{ audio_output[0] }}.{{ audio_output[1] }}
 {% else %}
-if pactl list cards | grep output:hdmi-stereo: | grep -E "verfügbar: ja|available: yes"; then
+if pactl list cards | grep output:hdmi-stereo: | grep verfügbar:\ ja; then
  pactl set-card-profile $(pactl list short cards | grep -m1 pci | head -1 | cut -f2) output:hdmi-stereo
-  pactl set-default-sink $(pactl list short cards | grep -m1 pci | head -1 | cut -f2 | sed s/card/output/g).hdmi-stereo
+  pactl set-default-sink $(pactl list short cards | grep -m1 pci | head -1 | cut -f2 | sed s/card/output/g).output:hdmi-stereo
 fi
 {% endif %}
--- a/roles/lmn_misc/templates/lmn-updater.service.j2
+++ b/roles/lmn_misc/templates/lmn-updater.service.j2
@ -5,5 +5,5 @@ Description=Run LMN Client updates via ansible-pull
 Type=oneshot
 User=root
 ExecStart=/usr/bin/ansible-pull --only-if-changed --verbose --vault-password-file /root/.inventory-pw -l %H -d /root/lmn-client \
-           --skip-tags no_ansible_pull -i {{ misc_updater_inventory }} --url={{ misc_updater_repository }} -C {{ misc_updater_branch }} lmn-client.yml
+           -i {{ misc_updater_inventory }} --url={{ misc_updater_repository }} -C {{ misc_updater_branch }} lmn-client.yml

--- a/roles/lmn_mount/tasks/main.yml
+++ b/roles/lmn_mount/tasks/main.yml
@ -97,7 +97,7 @@
  ansible.posix.mount:
    src: "{{ nfs_server }}:tools"
    path: /lmn/tools
-    opts: rw,_netdev,x-systemd.automount,x-systemd.idle-timeout=10s,x-systemd.mount-timeout=10,timeo=100,soft
+    opts: rw,_netdev,x-systemd.automount,x-systemd.idle-timeout=10s,timeo=100,soft
    state: present
    fstype: nfs4
  when: nfs_server is defined
--- a/roles/lmn_tmpfixes/tasks/main.yml
+++ b/roles/lmn_tmpfixes/tasks/main.yml
@ -32,29 +32,3 @@
    state: absent
    purge: true
    autoremove: true
-
-# CVE-2026-31431 https://copy.fail/#mitigation
- name: Create modprobe config to disable algif_aead
-  ansible.builtin.lineinfile:
-    path: /etc/modprobe.d/disable-algif.conf
-    line: "install algif_aead /bin/false"
-    create: true
-    mode: '0644'
-
- name: Remove algif_aead module if loaded
-  community.general.modprobe:
-    name: algif_aead
-    state: absent
-
-# Dirty.Frag
- name: Create modprobe config to disable modules needed for dirty.frag
-  ansible.builtin.copy:
-    dest: /etc/modprobe.d/dirtyfrag.conf
-    content: |
-      install esp4 /bin/false
-      install esp6 /bin/false
-      install rxrpc /bin/false
-    mode: '0644'
-
- name: Set VM permissions
-  ansible.builtin.command: chmod -R o+r /lmn/vm
--- a/roles/lmn_vm/files/lmn-vm
+++ b/roles/lmn_vm/files/lmn-vm
@ -16,6 +16,11 @@ lmnsynci ALL=(root) NOPASSWD: /usr/local/bin/vm-aria2
 %role-student ALL=(root) NOPASSWD: /usr/local/bin/vm-link-images
 %role-teacher ALL=(root) NOPASSWD: /usr/local/bin/vm-link-images

+# vm-virtiofsd: Start Virtiofsd as systemd-service
+%examusers ALL=(root) NOPASSWD: /usr/local/bin/vm-virtiofsd
+%role-student ALL=(root) NOPASSWD: /usr/local/bin/vm-virtiofsd
+%role-teacher ALL=(root) NOPASSWD: /usr/local/bin/vm-virtiofsd
+
 # desktop-sync:
 %examusers ALL=(root) NOPASSWD: /usr/local/bin/desktop-sync
 %role-student ALL=(root) NOPASSWD: /usr/local/bin/desktop-sync
--- a/roles/lmn_vm/files/virtiofsd
+++ b/roles/lmn_vm/files/virtiofsd
--- a/roles/lmn_vm/files/vm-run
+++ b/roles/lmn_vm/files/vm-run
@ -125,6 +125,8 @@ create_clone() {

 create_printerlist() {
  ## Prepare .printerlist.csv
+  mkdir -p "${VM_MEDIADIR}"
+  chgrp "$(id -g)" "${VM_MEDIADIR}"
  echo "Name;IppURL" > "${VM_MEDIADIR}/.printerlist.csv"
  for p in $(lpstat -v | cut -f 3 -d" " | sed 's/:$//'); do
    echo "$p;ipp://192.168.122.1/printers/$p" >> "${VM_MEDIADIR}/.printerlist.csv"
@ -147,7 +149,7 @@ start_virtiofs_service() {
  local drive_letter=$3
  local socket="/run/user/${UID}/virtiofs-${VM_NAME}-${target_name,,}.sock"

-  systemd-run --user /usr/lib/qemu/virtiofsd --uid-map=":${GUEST_UID}:${UID}:1:" --gid-map=":${GUEST_GID}:$(id -g):1:" \
+  systemd-run --user /usr/local/bin/virtiofsd --uid-map=":${GUEST_UID}:${UID}:1:" --gid-map=":${GUEST_GID}:$(id -g):1:" \
        --socket-path "${socket}" --shared-dir "${shared_dir}" --syslog

  if [[ $? -ne 0 ]]; then
@ -206,7 +208,6 @@ EOF

 QEMU='qemu:///session'

-
 NEWCLONE=0
 PERSISTENT=0
 LIBVIRTOSINFO="win10"
@ -360,8 +361,6 @@ if  ! virsh --connect="${QEMU}" list | grep "${VM_NAME}-clone"; then
    else
      VMINFO_DIR="/lmn/media/${USER}"
    fi
-    mkdir -p "${VM_MEDIADIR}" -m 700
-    chgrp "$(id -g)" "${VM_MEDIADIR}"
    create_printerlist
    create_mountlist

@ -369,7 +368,7 @@ if  ! virsh --connect="${QEMU}" list | grep "${VM_NAME}-clone"; then
    [[ "${QEMU}" = 'qemu:///session' ]] && start_virtiofsd

    # Create VMInfo Json file
-    #( umask 077; ./vm-create-vminfo > "${VMINFO_DIR}/.vminfo.json" )
+    #( umask 027; ./vm-create-vminfo > "${VMINFO_DIR}/.vminfo.json" )
    # Start vminfo.timer
    systemctl --user restart vminfo.timer

--- a/roles/lmn_vm/files/vm-virtiofsd
+++ b/roles/lmn_vm/files/vm-virtiofsd
@ -0,0 +1,50 @@
+#!/usr/bin/bash
+
+set -eu
+
+# if less than one arguments supplied, display usage
+if [[  $# -ne 1 ]]; then
+    echo "This script takes as input the name of the VM " >&2
+    echo "Usage: $0 vm_name" >&2
+    exit 1
+fi
+
+VM_NAME="$1"
+
+## Make sure VMs can read the base directory:
+chgrp 1010 "/lmn/media/${SUDO_USER}"
+chmod 0775 "/lmn/media/${SUDO_USER}"
+
+socket="/run/user/$(id -u $SUDO_USER)/virtiofs-${VM_NAME}.sock"
+
+#  FIXME: This does not work.  In windows, there is no virtiofs device.
+#  In GNU/Linux it's only readable.
+#
+#if ! systemctl -q is-active virtiofs-${VM_NAME}.socket ; then
+#    systemd-run --unit=virtiofs-${VM_NAME} \
+#		--slice=system-virtiofs \
+#		--collect \
+#		--socket-property=ListenStream="$socket" \
+#		--socket-property=Accept=no \
+#		--socket-property=SocketMode=0700 \
+#		--socket-property=SocketUser=${SUDO_USER} \
+#		--property=Type=exec \
+#		--property=StandardInput=socket \
+#		/usr/local/bin/virtiofsd --log-level debug --sandbox none \
+#		--syslog --fd=0 --shared-dir "/lmn/media/${SUDO_USER}"
+#else
+#    systemctl restart virtiofs-${VM_NAME}.socket
+#fi
+
+if [[ ! -S "$socket" ]] ; then
+    systemd-run --unit=virtiofs-${VM_NAME} \
+		--slice=system-virtiofs \
+		--collect \
+		--property=Type=exec \
+		--property=SuccessExitStatus=1 \
+		--property="ExecStopPost=rm $socket" \
+		/usr/local/bin/virtiofsd --socket-path "$socket" \
+		--shared-dir "/lmn/media/${SUDO_USER}"
+fi
+sleep 1
+chown "${SUDO_USER}" "$socket"
--- a/roles/lmn_vm/files/vm-vminfo
+++ b/roles/lmn_vm/files/vm-vminfo
@ -57,9 +57,7 @@ def get_krb5 ():
 def get_mounts():
    mounts = []
    mounts.append({ 'Drive': 'H', 'RemotePath': '\\\\server.pn.steinbeis.schule' + nethome.replace('/srv/samba/schools','').replace('/','\\'), 'Name': 'Home_Server' })
-    mounts.append({ 'Drive': 'T', 'RemotePath': '\\\\server.pn.steinbeis.schule\\default-school\\share', 'Name': 'Tausch' })
-    if "role-teacher" in vminfo['Groups']:
-        mounts.append({ 'Drive': 'S', 'RemotePath': '\\\\server.pn.steinbeis.schule\\default-school\\students', 'Name': 'SuS' })
+    mounts.append({ 'Drive': 'T', 'RemotePath': '\\\\server.pn.steinbeis.schule\default-school\share', 'Name': 'Tausch' })
    return mounts

 def get_user_folders():
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@ -16,13 +16,11 @@
    name:
      - aria2
      - mktorrent
-      - guestfs-tools
      - libvirt-daemon-system
      - virt-manager
      - virt-viewer
      - dialog # for vm-netboot menu
      - python3-impacket
-      - virtiofsd

    # - name: allow all users to use VMs
    #   lineinfile:
@ -127,7 +125,9 @@
    - vm-upload
    - vm-sync
    - vm-link-images
+    - vm-virtiofsd
    - vm-vminfo
+    - virtiofsd
    - vm-aria2
    - uploadseed
    - desktop-sync
@ -222,7 +222,7 @@
      Description=Create .vminfo.json for VMs
      [Service]
      Type=simple
-      ExecStart=/usr/bin/bash -c 'umask 077; /usr/local/bin/vm-vminfo > "{% if localhome %}/home{% else %}/lmn/media{% endif %}/${USER}/.vminfo.json"'
+      ExecStart=/usr/bin/bash -c 'umask 027; /usr/local/bin/vm-vminfo > "{% if localhome %}/home{% else %}/lmn/media{% endif %}/${USER}/.vminfo.json"'
    dest: /etc/systemd/user/vminfo.service
    mode: '0644'

--- a/roles/lmn_vpn/tasks/main.yml
+++ b/roles/lmn_vpn/tasks/main.yml
@ -29,5 +29,3 @@
 - name: Configure Wireguard
  ansible.builtin.include_tasks: wg_config.yml
  when: vpn is defined and vpn == "wg"
-  tags:
-    - no_ansible_pull
--- a/roles/lmn_wlan/tasks/main.yaml
+++ b/roles/lmn_wlan/tasks/main.yaml
@ -39,5 +39,3 @@
 - name: Configure WPA-Enterprise (EAP-TLS)
  ansible.builtin.include_tasks: eap-tls_check-certificate.yaml
  when: wlan == 'eap-tls'
-  tags:
-    - no_ansible_pull