From c4dbcffebdda9f35ad6c55f1aff299277263faff Mon Sep 17 00:00:00 2001 From: Raphael Dannecker Date: Wed, 25 Feb 2026 14:40:44 +0100 Subject: [PATCH 1/8] Add automatic updater using ansible-pull --- roles/lmn_misc/tasks/main.yml | 20 +++++++++++++++++++ .../lmn_misc/templates/lmn-updater.service.j2 | 9 +++++++++ roles/lmn_misc/templates/lmn-updater.timer.j2 | 9 +++++++++ 3 files changed, 38 insertions(+) create mode 100644 roles/lmn_misc/templates/lmn-updater.service.j2 create mode 100644 roles/lmn_misc/templates/lmn-updater.timer.j2 diff --git a/roles/lmn_misc/tasks/main.yml b/roles/lmn_misc/tasks/main.yml index 23dce2b..6eb1a71 100644 --- a/roles/lmn_misc/tasks/main.yml +++ b/roles/lmn_misc/tasks/main.yml @@ -190,6 +190,26 @@ tags: - baseinstall +# Updater + +- name: Provide services and timers for updater + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "/etc/systemd/system/{{ item }}" + mode: '0644' + loop: + - lmn-updater.service + - lmn-updater.timer + when: misc_updater_repository | default(false) is truthy + +- name: Enable updater.timer + ansible.builtin.systemd: + name: lmn-updater.timer + enabled: true + when: + - misc_updater_repository | default(false) is truthy + - misc_updater_autostart | default(false) is truthy + # Prepare CloneScreen on Presenter PCs - name: Fix primary screen for class room PCs with projector diff --git a/roles/lmn_misc/templates/lmn-updater.service.j2 b/roles/lmn_misc/templates/lmn-updater.service.j2 new file mode 100644 index 0000000..64a65d9 --- /dev/null +++ b/roles/lmn_misc/templates/lmn-updater.service.j2 @@ -0,0 +1,9 @@ +[Unit] +Description=Run LMN Client updates via ansible-pull + +[Service] +Type=oneshot +User=root +ExecStart=/usr/bin/ansible-pull --verbose --vault-password-file /root/.inventory-pw -l %H -d /root/lmn-client \ + -i {{ misc_updater_inventory }} --url={{ misc_updater_repository }} -C {{ misc_updater_branch }} lmn-client.yml + 
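Review bot: Neither task in the new `# Updater` block reloads systemd after the unit files are templated, so on a host that already has an older `lmn-updater.service` or `lmn-updater.timer` the manager may keep using the stale definition until the next reboot. Adding `daemon_reload: true` to the `Enable updater.timer` task, or a handler notified by the template task, would close that gap. The template task also sets no owner or group; because these units start a root job, `owner: root` and `group: root` make the result independent of who runs the play.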
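Review bot: The `ExecStart` line runs whatever is at the tip of `{{ misc_updater_branch }}` as root on every client, and nothing checks that the commit comes from a trusted author. ansible-pull has `--verify-commit`, which aborts the run when the checked-out commit has no valid GPG signature. Adding it, with the maintainers' public keys in root's keyring, would tie updates to those keys rather than to write access on the repository. The three Jinja values are also interpolated unquoted, so a value containing whitespace would be split into extra arguments; wrapping each whole item, for example `"--url={{ misc_updater_repository }}"`, avoids that.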
diff --git a/roles/lmn_misc/templates/lmn-updater.timer.j2 b/roles/lmn_misc/templates/lmn-updater.timer.j2 new file mode 100644 index 0000000..17c9d17 --- /dev/null +++ b/roles/lmn_misc/templates/lmn-updater.timer.j2 @@ -0,0 +1,9 @@ +[Unit] +Description=Run LMN Updater every day +Requires=lmn-updater.service + +[Timer] +OnBootSec=5min + +[Install] +WantedBy=timers.target From 8ee551761278d8540934220fe2fa501f6e18626f Mon Sep 17 00:00:00 2001 From: Raphael Dannecker Date: Thu, 26 Feb 2026 12:35:30 +0100 Subject: [PATCH 2/8] Restricting the Ansible pull operation (lmn-updater) on changes in the repository --- roles/lmn_misc/templates/lmn-updater.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/lmn_misc/templates/lmn-updater.service.j2 b/roles/lmn_misc/templates/lmn-updater.service.j2 index 64a65d9..76aad89 100644 --- a/roles/lmn_misc/templates/lmn-updater.service.j2 +++ b/roles/lmn_misc/templates/lmn-updater.service.j2 @@ -4,6 +4,6 @@ Description=Run LMN Client updates via ansible-pull [Service] Type=oneshot User=root -ExecStart=/usr/bin/ansible-pull --verbose --vault-password-file /root/.inventory-pw -l %H -d /root/lmn-client \ +ExecStart=/usr/bin/ansible-pull --only-if-changed --verbose --vault-password-file /root/.inventory-pw -l %H -d /root/lmn-client \ -i {{ misc_updater_inventory }} --url={{ misc_updater_repository }} -C {{ misc_updater_branch }} lmn-client.yml From 51135966d3e06c3f4288098fd3c29e25c24360c5 Mon Sep 17 00:00:00 2001 From: Raphael Dannecker Date: Thu, 26 Feb 2026 13:02:41 +0100 Subject: [PATCH 3/8] Fix start-condition in lmn-updater.timer --- roles/lmn_misc/templates/lmn-updater.timer.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/lmn_misc/templates/lmn-updater.timer.j2 b/roles/lmn_misc/templates/lmn-updater.timer.j2 index 17c9d17..b64fdea 100644 --- a/roles/lmn_misc/templates/lmn-updater.timer.j2 +++ b/roles/lmn_misc/templates/lmn-updater.timer.j2 
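Review bot: The `[Timer]` section contains only `OnBootSec=5min`, so the updater fires once after each boot, which does not match the description `Run LMN Updater every day`. A client that stays powered on would not pick up later commits, including security fixes. If daily runs are intended, add a repeating trigger such as `OnCalendar=daily` with `Persistent=true`. A `RandomizedDelaySec=` value would keep all clients from hitting the repository at the same moment.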
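Review bot: With `--only-if-changed` on the `ExecStart` line, a run that updates the checkout and then fails partway is, as far as I can tell, not retried until the branch gets a new commit, because the next invocation finds the repository unchanged and quits. The flag also means that local drift on a client is not corrected between commits. If that trade-off is intended, a comment above `ExecStart` would record it, for example `# --only-if-changed: play is skipped unless the branch moved; a failed run is not retried until then`.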
@@ -1,6 +1,6 @@ [Unit] Description=Run LMN Updater every day -Requires=lmn-updater.service +After=network-online.target [Timer] OnBootSec=5min From 6558f376f5ac55eb3476f2f2bd28a6fcd147e44a Mon Sep 17 00:00:00 2001 From: Raphael Dannecker Date: Tue, 3 Mar 2026 20:12:22 +0100 Subject: [PATCH 4/8] Add inventory vault password for updater service --- roles/lmn_misc/tasks/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/lmn_misc/tasks/main.yml b/roles/lmn_misc/tasks/main.yml index 6eb1a71..27fb25c 100644 --- a/roles/lmn_misc/tasks/main.yml +++ b/roles/lmn_misc/tasks/main.yml @@ -210,6 +210,16 @@ - misc_updater_repository | default(false) is truthy - misc_updater_autostart | default(false) is truthy +- name: Deploy inventory password file + ansible.builtin.copy: + dest: /root/.inventory-pw + owner: root + mode: '0640' + content: "{{ misc_updater_inventory_password }}" + when: + - misc_updater_repository | default(false) is truthy + - misc_updater_inventory_password | default(false) is truthy + # Prepare CloneScreen on Presenter PCs - name: Fix primary screen for class room PCs with projector From 3deccfb88fea6b9864602e0a01860e70fcd9e744 Mon Sep 17 00:00:00 2001 From: Raphael Dannecker Date: Wed, 4 Mar 2026 10:19:12 +0100 Subject: [PATCH 5/8] Remove reporter file because reporter template is used --- roles/lmn_misc/files/reporter | 33 --------------------------------- 1 file changed, 33 deletions(-) delete mode 100755 roles/lmn_misc/files/reporter diff --git a/roles/lmn_misc/files/reporter b/roles/lmn_misc/files/reporter deleted file mode 100755 index 2ee481f..0000000 --- a/roles/lmn_misc/files/reporter +++ /dev/null 
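Review bot: `After=network-online.target` on the timer unit orders only the timer's own activation and does not order `lmn-updater.service`. Without a matching `Wants=network-online.target`, nothing in these units pulls that target into the boot transaction either. If the goal is that ansible-pull starts only once the network is up, put `Wants=network-online.target` and `After=network-online.target` in the `[Unit]` section of `lmn-updater.service` instead.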
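Review bot: `/root/.inventory-pw` holds the vault password but is created with `mode: '0640'` and no `group:`, which leaves it group-readable; use `mode: '0600'` and add `group: root`. Adding `no_log: true` to the task keeps the value out of task output, which can otherwise show file content when a play runs with `--diff`. Since every client then holds the same vault password, the vault should presumably contain only secrets that each client is allowed to know.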
@@ -1,33 +0,0 @@ -#!/usr/bin/bash -# -# Send stdout of some commands to monitoring server. -# Collect the reports with 'nc -u -k -l 1234' on 'sendto'. -# Use /bin/nc.openbsd, /bin/nc.traditional seems not to work. -# -set -eu - -sendto="collector.steinbeis.schule 1234" -n=0 - -cmds=( - 'uname -a' - 'tail -1 /var/local/ansible-stamps' - 'ip route list default' - 'ip link show | \ - sed -nE -e "s/^[2-9]: (\S+): .+/\1/p" -e "s/.+ether ([0-9a-f:]+) .+/\1/p" | \ - paste - -' -) -# 'w' -# 'uptime' -# 'ls -d --full-time /home/ansible/.ansible/tmp/' -# 'ip addr show' -# 'apt list --upgradeable -o Apt::Cmd::Disable-Script-Warning=true' - -r="$HOSTNAME ------- $(date --rfc-3339=seconds) ------- -$(for c in "${cmds[@]}" ; do - n=$(( n + 1 )) - echo -n "$n" - eval "$c" | sed 's/^/\t/' -done | sed "s/^/$HOSTNAME /") -## -------------------------------------------------" -echo "$r" | nc -w 1 -u $sendto From cf5e11d7f1093753dcc8393bf63f05654b317fbe Mon Sep 17 00:00:00 2001 From: Raphael Dannecker Date: Wed, 4 Mar 2026 10:24:44 +0100 Subject: [PATCH 6/8] Report failed services (e.g. lmn-updater) --- roles/lmn_misc/templates/reporter.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/lmn_misc/templates/reporter.j2 b/roles/lmn_misc/templates/reporter.j2 index 6a19bec..e652b55 100755 --- a/roles/lmn_misc/templates/reporter.j2 +++ b/roles/lmn_misc/templates/reporter.j2 @@ -16,6 +16,7 @@ cmds=( 'ip link show | \ sed -nE -e "s/^[2-9]: (\S+): .+/\1/p" -e "s/.+ether ([0-9a-f:]+) .+/\1/p" | \ paste - -' + 'systemctl --failed | grep -v "^$"' ) # 'w' # 'uptime' From c90e626e3dec4a1ab673d65750fadc7d05538de7 Mon Sep 17 00:00:00 2001 From: Raphael Dannecker Date: Wed, 4 Mar 2026 10:39:07 +0100 Subject: [PATCH 7/8] Add comment line to prevent empty content --- roles/lmn_localhome/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/lmn_localhome/tasks/main.yml b/roles/lmn_localhome/tasks/main.yml index a06998b..ea3cf2e 100644 --- a/roles/lmn_localhome/tasks/main.yml 
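Review bot: The new `cmds` entry sends the human-oriented table from `systemctl --failed`, including its header and legend lines, and only strips blank lines with grep. `'systemctl --failed --no-legend --plain --no-pager'` prints one line per failed unit without the decoration, so the `grep -v "^$"` is no longer needed and the collector receives output that is easy to match on. The rest of the script is outside the hunk, so how a non-zero exit status from this entry is handled cannot be checked here.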
+++ b/roles/lmn_localhome/tasks/main.yml @@ -33,6 +33,7 @@ dest: /etc/profile.d/lmn-logout.sh mode: '0755' content: | + # logout script (may be empty) {% if localhome_logout_missing_serverhome %} [[ "${UID}" -gt 10000 ]] && ! findmnt /srv/samba/schools/default-school > /dev/null && exit 0 {% endif %} From fb98d53fad342add0c2a5527e13b1e9ac5fdd365 Mon Sep 17 00:00:00 2001 From: Daniel Werz Date: Tue, 3 Mar 2026 16:15:03 +0100 Subject: [PATCH 8/8] Fix conditional check of string variable --- roles/lmn_misc/tasks/main.yml | 2 +- roles/lmn_network/tasks/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/lmn_misc/tasks/main.yml b/roles/lmn_misc/tasks/main.yml index 27fb25c..212e418 100644 --- a/roles/lmn_misc/tasks/main.yml +++ b/roles/lmn_misc/tasks/main.yml @@ -98,7 +98,7 @@ export superusers password_pbkdf2 root {{ grub_pwd }} notify: Run update-grub - when: grub_pwd | bool | default(false) + when: grub_pwd is defined and grub_pwd is truthy - name: Allow booting grub menu entries ansible.builtin.lineinfile: diff --git a/roles/lmn_network/tasks/main.yml b/roles/lmn_network/tasks/main.yml index 571c107..416a173 100644 --- a/roles/lmn_network/tasks/main.yml +++ b/roles/lmn_network/tasks/main.yml @@ -5,14 +5,14 @@ mode: '0644' content: > {{ apt_conf }} - when: apt_conf | bool | default(false) + when: apt_conf is defined and apt_conf is truthy - name: Set NTP server ansible.builtin.lineinfile: path: /etc/systemd/timesyncd.conf insertafter: '^#NTP=' line: NTP={{ ntp_serv }} - when: ntp_serv | bool | default(false) + when: ntp_serv is defined and ntp_serv is truthy - name: Add proposed-updates repository ansible.builtin.apt_repository:
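Review bot: The rewritten condition `grub_pwd is defined and grub_pwd is truthy` uses a different idiom from the updater tasks in the same `roles/lmn_misc/tasks/main.yml`, which write the equivalent check as `misc_updater_repository | default(false) is truthy`. Settling on one form reads more easily, for example `when: grub_pwd | default(false) is truthy`. The same applies to the `apt_conf` and `ntp_serv` conditions in the `roles/lmn_network/tasks/main.yml` hunk.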