it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: it-team:89fa704ea2c49ee28e326972e2ff9e0c7532fd5c
Branches Tags
it-team:main
it-team:bookworm
it-team:dev
it-team:fvs
..
compare: it-team:333b57cd8bcc1c74be60383108edffc1ad1af078
Branches Tags
it-team:bookworm
it-team:dev
it-team:main
it-team:fvs

No commits in common. "89fa704ea2c49ee28e326972e2ff9e0c7532fd5c" and "333b57cd8bcc1c74be60383108edffc1ad1af078" have entirely different histories.
89fa704ea2 ... 333b57cd8b

12 changed files with 587 additions and 531 deletions
Show stats Expand all files Collapse all files

6
doc/vm_support.md
View file

@ -26,10 +26,10 @@ Default: `vm_support: false
### Torrent Server ### Torrent Server
``` ```
vm_torrent_srv: "myseedbox.linuxmuster.net" torrent_srv: "myseedbox.linuxmuster.net"
``` ```
Default: `vm_torrent_srv: "seedbox.{{ domain }}"` Default: `torrent_srv: "seedbox.{{ domain }}"`
## Example ## Example
@ -41,5 +41,5 @@ inventory.yml
all: all:
vars: vars:
vm_support: true vm_support: true
vm_torrent_srv: "myseedbox.linuxmuster.net" # default: seedbox.{{ domain }} torrent_srv: "myseedbox.linuxmuster.net" # default: seedbox.{{ domain }}
``` ```

22
doc/wlan.md
View file

@ -106,10 +106,6 @@ Every devices gets his own certificate. When creating new certificates, the old
Values: Values:
* true * true
* false <-- (default) * false <-- (default)
* **wlan_eap_ca_crl**
URL of the certificate revocation list
Type: *String*
Default: "http://radius.{{ domain }}/radius-ca.crl"
### Examples ### Examples
@ -132,7 +128,6 @@ laptop:
emailAddress: "admin@example.com" emailAddress: "admin@example.com"
CN: "Radius Certificate Authority" CN: "Radius Certificate Authority"
password: "secret4radiusCA" password: "secret4radiusCA"
wlan_eap_ca_crl: "http://radius.example.com/radius-ca.crl"
``` ```
## complex example with both modes ## complex example with both modes
@ -144,15 +139,12 @@ inventory.yml
all: all:
vars: vars:
wlan_ssid: "WLAName" # teacher and staff are using the same ssid wlan_ssid: "WLAName" # teacher and staff are using the same ssid
wlan_eap_ca: radiusca_password: "secret4radiusCA"
C: "DE" country_name: "DE"
ST: "Baden-Wuerttemberg" state_or_province_name: "Baden-Württemberg"
L: "Reutlingen" locality_name: "Stuttgart"
O: "Linuxschule" organization_name: "Baumschule"
emailAddress: "admin@example.com" admin_email: "admin@example.com"
CN: "Radius Certificate Authority"
password: "secret4radiusCA"
wlan_eap_ca_crl: "http://radius.example.com/radius-ca.crl"
infrastructure: infrastructure:
hosts: hosts:
@ -187,4 +179,4 @@ The issue of certificates can be forced.
Force issue of new certs for hosts in group laptop_teacher. Force issue of new certs for hosts in group laptop_teacher.
If there is a valid certificate, the old one will be revoked and a new certificate will be issued. If there is a valid certificate, the old one will be revoked and a new certificate will be issued.
ansible-playbook -i myinventory.yml -l laptop_teachers lmn-client.yml -e "wlan_force_issue=true" ansible-playbook -i myinventory.yml -l laptop_teachers lmn-client.yml -e "wlan_force_issue=true"

1001
inventory.yml
View file

File diff suppressed because it is too large Load diff

1
lmn-client.yml
View file

@ -48,6 +48,7 @@
vars_files: lmn-vault vars_files: lmn-vault
vars: vars:
domain: "{{ ansible_domain }}" domain: "{{ ansible_domain }}"
kerberize_uris: "{{ vault_kerberize_uris | default('example.org') }}"
apt_conf: "{{ vault_apt_conf }}" ## Acquire::http::Proxy "http://aptcache.example.org:3142/"; apt_conf: "{{ vault_apt_conf }}" ## Acquire::http::Proxy "http://aptcache.example.org:3142/";
ntp_serv: "{{ vault_ntp_serv }}" ## ntp.example.org ntp_serv: "{{ vault_ntp_serv }}" ## ntp.example.org
nfs_server: "{{ vault_nfs_server }}" ## nfs.example.org nfs_server: "{{ vault_nfs_server }}" ## nfs.example.org

2
roles/kerberize/tasks/main.yml
View file

@ -45,5 +45,5 @@
mode: '0644' mode: '0644'
content: | content: |
{ {
"AuthServerAllowlist": "{{ kerberize_uris | default(ansible_domain) }}" "AuthServerAllowlist": "idam.steinbeis.schule"
} }

2
roles/lmn_vm/defaults/main.yml
View file

@ -1,3 +1,3 @@
--- ---
vm_support: false vm_support: false
vm_torrent_srv: "seedbox.{{ domain }}" torrent_srv: "seedbox.{{ domain }}"

3
roles/lmn_vm/files/lmn-mounthome Normal file
View file

@ -0,0 +1,3 @@
%examusers ALL=(root) NOPASSWD: /usr/local/bin/mounthome.sh
%role-student ALL=(root) NOPASSWD: /usr/local/bin/mounthome.sh
%role-teacher ALL=(root) NOPASSWD: /usr/local/bin/mounthome.sh

66
roles/lmn_vm/files/mounthome.sh Executable file
View file

@ -0,0 +1,66 @@
#!/usr/bin/bash
set -eu
home="$(getent passwd "$SUDO_UID" | cut -d : -f 6 | sed 's|/srv/samba/schools/default-school/||')"
exit_script() {
echo "unmounting media - terminated by trap!" >> "/tmp/${SUDO_UID}-exit-mount.log"
findmnt "/lmn/media/${SUDO_USER}/oldhome" && umount "/lmn/media/${SUDO_USER}/oldhome" && rmdir "/lmn/media/${SUDO_USER}/oldhome"
findmnt "/lmn/media/${SUDO_USER}/oldprojects" && umount "/lmn/media/${SUDO_USER}/oldprojects" && rmdir "/lmn/media/${SUDO_USER}/oldprojects"
findmnt "/lmn/media/${SUDO_USER}/linuxhome" && umount "/lmn/media/${SUDO_USER}/linuxhome" && rmdir "/lmn/media/${SUDO_USER}/linuxhome"
trap - SIGHUP SIGINT SIGTERM # clear the trap
kill -- -$$ # Sends SIGTERM to child/sub processes
}
exit_script_home() {
echo "unmounting media - terminated by trap!" >> "/tmp/${SUDO_UID}-exit-mount.log"
umount "/lmn/media/${SUDO_USER}/home"
trap - SIGHUP SIGINT SIGTERM # clear the trap
kill -- -$$ # Sends SIGTERM to child/sub processes
}
##########################
if [[ "$#" -gt 0 ]] && [[ "$1" = '-u' ]]; then
findmnt "/lmn/media/${SUDO_USER}/home" && umount "/lmn/media/${SUDO_USER}/home" && rmdir "/lmn/media/${SUDO_USER}/home"
#findmnt "/lmn/media/${SUDO_USER}/share" && umount "/lmn/media/${SUDO_USER}/share" && rmdir "/lmn/media/${SUDO_USER}/share"
findmnt "/lmn/media/${SUDO_USER}/oldhome" && umount "/lmn/media/${SUDO_USER}/oldhome" && rmdir "/lmn/media/${SUDO_USER}/oldhome"
findmnt "/lmn/media/${SUDO_USER}/oldprojects" && umount "/lmn/media/${SUDO_USER}/oldprojects" && rmdir "/lmn/media/${SUDO_USER}/oldprojects"
findmnt "/lmn/media/${SUDO_USER}/linuxhome" && umount "/lmn/media/${SUDO_USER}/linuxhome" && rmdir "/lmn/media/${SUDO_USER}/linuxhome"
elif [ "$#" -gt 0 ] && [ "$1" = '-o' ]; then
echo "Einbinden der Daten des alten/bisherigen Systems (PaedML Novell)."
echo "Bitte den Username und Passwort aus dem ALTEN System eingeben."
read -rp "Username: " username
read -srp "Passwort: " PASSWD
export PASSWD
echo
mkdir -p "/lmn/media/${SUDO_USER}/oldhome"
mkdir -p "/lmn/media/${SUDO_USER}/oldprojects"
#errcode=$(mount -t cifs -o "username=${username},uid=${SUDO_UID},gid=${SUDO_GID},file_mode=0700,dir_mode=0700,forceuid,forcegid" \
# "//192.168.1.2/DOCS/fvs" "/lmn/media/${SUDO_USER}/oldhome")
#if [[ ! "${errcode}" ]]; then
mount -t cifs -o "username=${username},uid=${SUDO_UID},gid=${SUDO_GID},file_mode=0700,dir_mode=0700,forceuid,forcegid,nobrl,mfsymlinks" \
"//192.168.1.2/DOCS/fvs" "/lmn/media/${SUDO_USER}/oldhome"
mount -t cifs -o "username=${username},uid=${SUDO_UID},gid=${SUDO_GID},file_mode=0700,dir_mode=0700,forceuid,forcegid,nobrl,mfsymlinks" \
"//192.168.1.2/DATA/fvs/projekte" "/lmn/media/${SUDO_USER}/oldprojects"
#echo "Mounting successfull!"
echo "Einbindung erfolgreich!"
echo "Dieses Fenster bitte nicht schließen!"
#echo "Um weiter zu arbeiten: <Strg> + <Z>"
trap exit_script SIGHUP SIGINT SIGTERM
sleep infinity
elif [ "$#" -gt 0 ] && [ "$1" = '-l' ]; then
echo "Einbinden des Netboot-Home-Verzeichnises. Daten des alten/bisherigen Systems (PaedML Novell)."
echo "Bitte den Username und Passwort aus dem ALTEN System (PaedML Novell) eingeben."
echo "Bitte auch Groß- und Kleinschreibung achten."
read -rp "Username: " username
mkdir -p "/lmn/media/${SUDO_USER}/linuxhome"
mount -t fuse -o "allow_other,uid=${SUDO_UID},gid=${SUDO_GID},reconnect" \
"sshfs#${username}@home.steinbeisschule-reutlingen.de:" "/lmn/media/${SUDO_USER}/linuxhome"
#echo "Mounting successfull!"
echo "Einbindung erfolgreich!"
echo "Dieses Fenster bitte nicht schließen!"
#echo "Um weiter zu arbeiten: <Strg> + <Z>"
trap exit_script SIGHUP SIGINT SIGTERM
sleep infinity
fi

2
roles/lmn_vm/templates/vm.conf.j2 → roles/lmn_vm/files/vm.conf
View file

@ -1,6 +1,6 @@
# variables for LMN VM submodule # variables for LMN VM submodule
SEEDBOX_HOST="{{ vm_torrent_srv }}" SEEDBOX_HOST="seedbox.pn.steinbeis.schule"
SEEDBOX_PORT=6789 SEEDBOX_PORT=6789
SEEDBOX_RPC_PORT=6800 SEEDBOX_RPC_PORT=6800
SEEDBOX_PWFILE="/etc/lmn/uploadseed.conf" SEEDBOX_PWFILE="/etc/lmn/uploadseed.conf"

10
roles/lmn_vm/tasks/main.yml
View file

@ -128,11 +128,14 @@
- name: Deploy sudo configurations - name: Deploy sudo configurations
ansible.builtin.copy: ansible.builtin.copy:
src: lmn-vm src: "{{ item }}"
dest: "/etc/sudoers.d/90-{{ item }}" dest: "/etc/sudoers.d/90-{{ item }}"
owner: root owner: root
group: root group: root
mode: '0700' mode: '0700'
loop:
- lmn-mounthome
- lmn-vm
- name: Deploy vmimages scripts - name: Deploy vmimages scripts
ansible.builtin.copy: ansible.builtin.copy:
@ -142,6 +145,7 @@
group: root group: root
mode: '0755' mode: '0755'
loop: loop:
- mounthome.sh
- vm-create - vm-create
- vm-rebase - vm-rebase
- vm-run - vm-run
@ -155,8 +159,8 @@
- desktop-sync - desktop-sync
- name: Deploy vm configuration file vm.conf - name: Deploy vm configuration file vm.conf
ansible.builtin.template: ansible.builtin.copy:
src: vm.conf.j2 src: vm.conf
dest: /etc/lmn/vm.conf dest: /etc/lmn/vm.conf
owner: root owner: root
group: root group: root

1
roles/lmn_wlan/defaults/main.yaml
View file

@ -11,5 +11,4 @@ wlan_eap_ca:
emailAddress: "admin@example.com" emailAddress: "admin@example.com"
CN: "Radius Certificate Authority" CN: "Radius Certificate Authority"
password: "OtherVerySecurePassw0rd" password: "OtherVerySecurePassw0rd"
wlan_eap_ca_crl: "http://radius.{{ domain }}/radius-ca.crl"
wlan_enable_on_boot: true wlan_enable_on_boot: true

2
roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml
View file

@ -15,7 +15,7 @@
ansible.builtin.get_url: ansible.builtin.get_url:
force: true force: true
mode: "0644" mode: "0644"
url: "{{ wlan_eap_ca_crl }}" url: "http://radius.steinbeis.schule/radius-ca.crl"
dest: /tmp/radius-ca.crl dest: /tmp/radius-ca.crl
when: cert_client_active.stat.exists when: cert_client_active.stat.exists