

No commits in common. "f97a3a8a29722b25853e51a8a1142d71492ed8c3" and "ce31924a3cdf6097a89e7f3bbdb6355458b7dba6" have entirely different histories.

27 changed files with 741 additions and 1300 deletions



@ -63,7 +63,7 @@
- role: lmn_localhome
when: localhome
- role: lmn_localuser
when: localuser|bool
when: localuser
- role: lmn_exam
when: exam_mode
- role: lmn_wlan
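Review bot: `when: localuser|bool` tests a user name as if it were a boolean: the pam_mount and sssd templates in this compare use `{% if localuser %}<user>{{ localuser }}</user>{% endif %}`, so `localuser` holds a string, and the `bool` filter maps any value that is not a recognised boolean word to false (recent ansible-core releases appear to reject such values outright), which would skip the `lmn_localuser` role without any error. Whichever of the two `when:` lines survives, the plain `when: localuser` is the right truthiness test here. The same pattern is in the grub hunk, `when: grub_pwd | bool | default(false)`, where `grub_pwd` is the PBKDF2 hash fed to `password_pbkdf2 root {{ grub_pwd }}`, and in the `apt_conf`/`ntp_serv` hunk; a false result there means the bootloader password is never installed, which is a quiet loss of a hardening control. For those, put the default first and test for content rather than for a boolean, e.g. `when: grub_pwd | default('') | length > 0`.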


@ -1,155 +0,0 @@
param(
[string]$ticketb64
)
# BASE64
$ticket = New-Object System.Byte
#reading from b64
$ticket = [System.Convert]::FromBase64String($ticketb64)
if ($ticket -eq $null){
write-host "[-] Be Sure entering the correct mode"
write-host "[-] Cannot receive ticket from file or b64"
exit;
}
# ------------------- FUNCTIONS -----------------------#
$ptt = @"
[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public UInt32 LowPart;
public Int32 HighPart;
}
public enum KERB_PROTOCOL_MESSAGE_TYPE
{
KerbDebugRequestMessage,
KerbQueryTicketCacheMessage,
KerbChangeMachinePasswordMessage,
KerbVerifyPacMessage,
KerbRetrieveTicketMessage,
KerbUpdateAddressesMessage,
KerbPurgeTicketCacheMessage,
KerbChangePasswordMessage,
KerbRetrieveEncodedTicketMessage,
KerbDecryptDataMessage,
KerbAddBindingCacheEntryMessage,
KerbSetPasswordMessage,
KerbSetPasswordExMessage,
KerbVerifyCredentialMessage,
KerbQueryTicketCacheExMessage,
KerbPurgeTicketCacheExMessage,
KerbRefreshSmartcardCredentialsMessage,
KerbAddExtraCredentialsMessage,
KerbQuerySupplementalCredentialsMessage,
KerbTransferCredentialsMessage,
KerbQueryTicketCacheEx2Message,
KerbSubmitTicketMessage,
KerbAddExtraCredentialsExMessage
}
[StructLayout(LayoutKind.Sequential)]
public struct KERB_CRYPTO_KEY32
{
public int KeyType;
public int Length;
public int Offset;
}
[StructLayout(LayoutKind.Sequential)]
public struct KERB_SUBMIT_TKT_REQUEST
{
public KERB_PROTOCOL_MESSAGE_TYPE MessageType;
public LUID LogonId;
public int Flags;
public KERB_CRYPTO_KEY32 Key;
public int KerbCredSize;
public int KerbCredOffset;
}
[StructLayout(LayoutKind.Sequential)]
public struct LSA_STRING_IN
{
public ushort Length;
public ushort MaximumLength;
public IntPtr buffer;
}
[DllImport("secur32.dll", SetLastError=false)]
public static extern int LsaLookupAuthenticationPackage([In] IntPtr LsaHandle,[In] ref LSA_STRING_IN PackageName,[Out] out UInt32 AuthenticationPackage);
[DllImport("Secur32.dll", SetLastError = true)]
public static extern int LsaCallAuthenticationPackage(IntPtr LsaHandle,uint AuthenticationPackage,IntPtr ProtocolSubmitBuffer,int SubmitBufferLength,out IntPtr ProtocolReturnBuffer,out ulong ReturnBufferLength,out int ProtocolStatus);
[DllImport("secur32.dll", SetLastError=false)]
public static extern int LsaConnectUntrusted([Out] out IntPtr LsaHandle);
[DllImport("secur32.dll", SetLastError=false)]
public static extern int LsaDeregisterLogonProcess([In] IntPtr LsaHandle);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern uint LsaNtStatusToWinError(uint status);
"@
Function ConnectToLsa()
{
$lsahandle = New-Object System.IntPtr
[int]$retcode = [KRB.PTT]::LsaConnectUntrusted([ref]$lsahandle)
if ($retcode -ne 0){
write-host "[-] LsaConnectUntrusted Error (NTSTATUS): ", $retcode -ForegroundColor Red
exit;
}
return $lsahandle
}
#-------------------------------- ENTRY POINT ----------------------------#
$assemblies = [System.Reflection.Assembly]::LoadWithPartialName("System.Security.Principal")
Add-Type -MemberDefinition $ptt -Namespace "KRB" -Name "PTT" -ReferencedAssemblies $assemblies.location -UsingNamespace System.Security.Principal
# CONNECTING TO LSA
$LsaHandle = ConnectToLsa
write-host "[?] LSA HANDLE: ", $LsaHandle
# EXTRACTING KERBEROS AP
$retcode = New-Object System.Int32
$authPackage = New-Object System.Int32
$name = "kerberos"
$importnantlsastring = New-Object KRB.PTT+LSA_STRING_IN
$importnantlsastring.Length = [uint16]$name.Length
$importnantlsastring.MaximumLength = [uint16]($name.Length + 1)
$importnantlsastring.buffer = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($name)
$retcode = [KRB.PTT]::LsaLookupAuthenticationPackage($lsaHandle,[ref]$importnantlsastring,[ref]$authPackage)
if ($retcode -ne 0){
write-host "[-] Error LsaLookupAuthPckg (NTSTATUS): ", $retcode -ForegroundColor Red
exit;
}
write-host "[?] Kerberos Package: ", $authPackage
# GETTING CURRENT LUID (INJECT PURPOSES)
$output = klist
$CurrLuid = $output.split("`n")[1].split(":")[1]
$sysIntCurrLuid = [convert]::ToInt32($CurrLuid,16)
$luidFinally = New-Object KRB.PTT+LUID
$luidFinally.LowPart = $sysIntCurrLuid
# TICKET INJECTING
$protocolReturnBuffer = New-Object System.IntPtr
$ReturnBufferLength = New-Object System.Int32
$ProtocolStatus = New-Object System.Int32
$KrbRequestInfo = New-Object KRB.PTT+KERB_SUBMIT_TKT_REQUEST
$KrbRequestInfoType = $KrbRequestInfo.getType()
$KrbRequestInfo.MessageType = [KRB.PTT+KERB_PROTOCOL_MESSAGE_TYPE]::KerbSubmitTicketMessage
$KrbRequestInfo.KerbCredSize = $ticket.Length
$KrbRequestInfo.KerbCredOffset = [System.Runtime.InteropServices.Marshal]::SizeOf([type]$KrbRequestInfoType)
$KrbRequestInfo.LogonId = $luidFinally
$inputBufferSize = [System.Runtime.InteropServices.Marshal]::SizeOf([type]$KrbRequestInfoType) + $ticket.Length
$inputBuffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($inputBufferSize)
[System.Runtime.InteropServices.Marshal]::StructureToPtr($KrbRequestInfo,$inputBuffer,$false)
[System.IntPtr]$PtrToCred = $inputBuffer.ToInt64() + $KrbRequestInfo.KerbCredOffset
[System.Runtime.InteropServices.Marshal]::Copy($ticket,0,$PtrToCred,$ticket.Length)
$ntstatus = [KRB.PTT]::LsaCallAuthenticationPackage($lsaHandle,$authPackage,$inputBuffer,$inputBufferSize,[ref]$protocolReturnBuffer,[ref]$ReturnBufferLength,[ref]$ProtocolStatus)
if(($ProtocolStatus -ne 0) -or ($ntstatus -ne 0))
{
Write-Host "[!] Error in LsaCallAuthenticationPackage" -ForegroundColor Red
write-host " NTSTATUS: ", $ntstatus, " Protocol Status: ", $ProtocolStatus
if ($ProtocolStatus -eq -1073741517){
" Ticket may be out of date"
}
exit;
}
if($inputBuffer -ne [System.IntPtr]::Zero)
{
[System.Runtime.InteropServices.Marshal]::FreeHGlobal($inputBuffer)
[System.Object]$ticket = $null
}
klist


@ -1,73 +0,0 @@
# Installiere alle Mounts aus target.csv
# Geprüft wird, ob das Laufwerk bereits vorhanden
# 11.05.2025 da
function Mount-Drive {
param (
[string]$DriveLetter,
[string]$TargetPath
)
try {
& "C:\Program Files (x86)\WinFsp\bin\launchctl-x64.exe" start virtiofs viofs$DriveLetter $TargetPath \\.\${DriveLetter}:
Write-Verbose "Laufwerk hinzugefügt: $DriveLetter"
} catch {
Write-Error "Fehler beim Hinzufügen des Laufwerks ${DriveLetter}: $_"
}
}
function Import-VMInfo {
param (
[string]$Path
)
if (Test-Path $Path) {
return Get-Content -Path $Path -Raw | ConvertFrom-Json
} else {
Write-Error "Fehler beim Einlesen der VMInfo Datei ($Path nicht gefunden)."
Write-Error "Tipp: Beim Neustart der VM wird diese Datei neu angelegt."
Pause
exit
}
}
# Laufwerk Y: mit weiteren Mountpoint-Infos mounten
& "C:\Program Files\Virtio-Win\VioFS\virtiofs.exe" -m Y:
#Mount-Drive -DriveLetter "Y" -TargetPath "VM-Data"
# VMInfo aus JSON File einlesen
$VMInfoPath = "Y:\.vminfo.json"
# Schleife, die auf das Laufwerk wartet
while (-not (Test-Path $VMInfoPath)) {
Write-Host "Warte auf $VMInfoPath..."
Start-Sleep -Seconds 1
}
$VMInfo = Import-VMInfo -Path $VMInfoPath
# Weitere Laufwerke einbinden
#foreach ($virtiofs in $VMInfo.VirtioFS) {
# $targetDrive = $virtiofs.Drive
# if (-not (Get-PSDrive -Name $targetDrive -ErrorAction SilentlyContinue)) {
# Mount-Drive -DriveLetter $targetDrive -TargetPath $virtiofs.Target
# } else {
# Write-Error "Laufwerk bereits vorhanden: $targetDrive"
# }
#}
# Drucker installieren
foreach ($drucker in $VMInfo.Printers) {
# Überprüfen, ob der Drucker bereits vorhanden ist
$druckerName = $drucker.Name
$druckerVorhanden = Get-Printer | Where-Object { $_.Name -eq $druckerName }
# Umwandlung in HTTP-URL
$httpUrl = $drucker.IppURL -replace "ipp://", "http://" -replace "122.1", "122.1:631"
if (-not $druckerVorhanden) {
# Drucker hinzufügen, wenn er nicht vorhanden ist
Add-Printer -PortName $httpUrl -Name $druckerName -DriverName "Microsoft IPP Class Driver"
Write-Host "Drucker hinzugefuegt: $druckerName"
} else {
Write-Host "Drucker bereits vorhanden: $druckerName"
}
}



@ -1,102 +0,0 @@
# Installiere alle Mounts aus target.csv
# Geprüft wird, ob das Laufwerk bereits vorhanden
# 11.05.2025 da
function Import-VMInfo {
param (
[string]$Path
)
if (Test-Path $Path) {
return Get-Content -Path $Path -Raw | ConvertFrom-Json
} else {
Write-Error "Fehler beim Einlesen der VMInfo Datei ($Path nicht gefunden)."
Write-Error "Tipp: Beim Neustart der VM wird diese Datei neu angelegt."
Pause
exit
}
}
function Add-PathToQuickAccess([string[]]$path){
$path | %{
write-host "Adding path '$($_)' to Quick acccess list." -F Green
try{
$link = (New-Object -Com Shell.Application).NameSpace($_).Self
if(!$link){throw "Item path not valid to be pinned."}
$link.Verbs()| ?{$_.Name.replace('&','') -match 'An Schnellzugriff anheften|Pin to Quick access'} | %{$_.DoIt()}
}catch{
write-error "Error adding path. $($_.Exception.Message)"
}
}
}
$VMInfoPath = "Y:\.vminfo.json"
# Schleife, die auf das Laufwerk wartet
while (-not (Test-Path $VMInfoPath)) {
Write-Host "Warte auf $VMInfoPath..."
Start-Sleep -Seconds 1
}
# VMInfo aus JSON File einlesen
$VMInfo = Import-VMInfo -Path $VMInfoPath
& $PSScriptRoot\injector.ps1 $VMInfo.krb5.cred
$klistOutput = klist
$serverping = Test-Connection -ComputerName "server.pn.steinbeis.schule" -Count 2 -Quiet
if ($serverping) {
if ($klistOutput -like "*Client*") {
foreach ($Mount in $VMInfo.Mounts) {
net use /persistent:no "$($Mount.Drive):" "$($Mount.RemotePath)"
#New-SMBMapping -Localpath "$($Mount.Drive):" -Remotepath $Mount.RemotePath
Write-Host("net use $($Mount.Drive): $($Mount.RemotePath)")
}
} else {
#if (-not ($klistOutput -like "*Client*") -or (-not (Test-Path "H:"))) {
$Credential = Get-Credential -Message "Die automatische Einbindung der Netzlaufwerke ist fehlgeschlagen.`nBitte geben Sie Ihre Anmeldeinformationen für das Netzlaufwerk ein" $VMInfo.User
# Laufwerke einbinden
foreach ($Mount in $VMInfo.Mounts) {
net use /persistent:no "$($Mount.Drive):" "$($Mount.RemotePath)" /user:"$($Credential.UserName)" "$($Credential.GetNetworkCredential().Password)"
Write-Host("net use /persistent:no `"$($Mount.Drive):`" `"$($Mount.RemotePath)`"")
#New-SMBMapping -Localpath "$($Mount.Drive):" -Remotepath "$($Mount.RemotePath)" -UserName "$($Credential.UserName)" -Password "$($Credential.GetNetworkCredential().Password)"
#Write-Host("New-SMBMapping -Localpath $($Mount.Drive): -Remotepath $Mount.RemotePath")
}
}
} else {
Add-Type -AssemblyName System.Windows.Forms
$message = "Der Server kann derzeit nicht erreicht werden.`nDaher können die Netzlaufwerke derzeit nicht verbunden werden.`nVersuchen Sie es zu einem späteren Zeitpunkt erneut mit dem Skript: Netzlaufwerke-verbinden"
$title = "Server nicht erreichbar"
[System.Windows.Forms.MessageBox]::Show($message, $title, [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Warning)
}
# Ändere den Namen der Netzlaufwerke
$shell = New-Object -ComObject Shell.Application
foreach ($Mount in $VMInfo.Mounts) {
$folder = $shell.Namespace("$($Mount.Drive):")
if ($folder) {
$folder.Self.Name = $Mount.Name
Write-Host "Das Netzlaufwerk $($Mount.Drive): wurde in '$($Mount.Name)' umbenannt."
} else {
Write-Host "Fehler beim Zugriff auf das Netzlaufwerk."
}
}
# Pfade zur Schnellzugriff hinzufügen
Add-PathToQuickAccess $VMInfo.QuickAccess
# Pfade für Standardorte ändern
$regPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
foreach ($USF in $VMInfo.UserShellFolders) {
Write-Host "Set-ItemProperty -Path $regPath -Name $($USF.Name) -Value $($USF.Path)"
Set-ItemProperty -Path $regPath -Name "$($USF.Name)" -Value "$($USF.Path)"
}
# Explorer Neustart erzwingen (evtl. nicht notwendig)
Stop-Process -Name explorer -Force
# Start-Process explorer
# Bei Lehrern Papercut-Client starten
if (($VMInfo.Groups -contains "teachers") -and -not (Get-Process -Name pc-client -ErrorAction SilentlyContinue)) {
& "C:\custom\papercut\pc-client.exe" -m --user $VMInfo.User
}



@ -1,30 +0,0 @@
# Injects krb5-credential from .vminfo.json if available
# 02.07.2025 da
function Import-VMInfo {
param (
[string]$Path
)
if (Test-Path $Path) {
return Get-Content -Path $Path -Raw | ConvertFrom-Json
} else {
Write-Error "Fehler beim Einlesen der VMInfo Datei ($Path nicht gefunden)."
Write-Error "Tipp: Beim Neustart der VM wird diese Datei neu angelegt."
Pause
exit
}
}
$VMInfoPath = "Y:\.vminfo.json"
# Schleife, die auf das Laufwerk wartet
if (-not (Test-Path $VMInfoPath)) {
Write-Host "$VMInfoPath nicht gefunden. Skript beenden."
exit
}
# VMInfo aus JSON File einlesen
$VMInfo = Import-VMInfo -Path $VMInfoPath
& $PSScriptRoot\injector.ps1 $VMInfo.krb5.cred



@ -12,7 +12,7 @@ fi
#rsync -rlptD --chown=pgmadmin:root --chmod=F755,D755 rsync://server:/local-program/ /usr/local/lmn
RSYNC_COMMAND=$(rsync -ai --delete --exclude=mimeinfo.cache \
--chown=root:root --chmod=F644,D755 "rsync://fileserver:/desktopstarter" \
--chown=root:root --chmod=F644,D755 "rsync://server:/desktopstarter" \
/usr/local/share/applications/ | sed '/ \.\//d')
if [[ $? -eq 0 ]] && [[ -n "${RSYNC_COMMAND}" ]]; then
echo "${RSYNC_COMMAND}"
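Review bot: The `if [[ $? -eq 0 ]]` on the line after the assignment reads the status of the `sed` at the end of the pipeline, not of rsync, so a failed transfer from `rsync://server:/desktopstarter` passes the check whenever sed exits 0; the `fi` and the rest of the script are outside the hunk. Add `set -o pipefail` near the top of the script (or split the pipeline so rsync's status is captured first) so that a failing rsync is reported rather than masked. Because the synced `.desktop` launchers land in `/usr/local/share/applications/` as root-owned files, it is also worth confirming that the `desktopstarter` module is exported read-only and reachable only from the trusted network, since `rsync://` provides neither authentication nor transport protection.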


@ -220,7 +220,7 @@
ansible.builtin.blockinfile:
path: /usr/share/sddm/themes/debian-breeze/Main.qml
marker: // {mark} ANSIBLE MANAGED BLOCK
insertbefore: '^}$'
insertbefore: '\s+//Footer'
block: |
Text {
id: hostname


@ -14,7 +14,7 @@
main non-free-firmware
state: present
update_cache: true
when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
# when: extra_pkgs_bpo|length
- name: Install extra packages from backports
ansible.builtin.apt:
@ -25,7 +25,6 @@
- "{{ extra_pkgs_bpo }}"
- "{{ extra_pkgs_bpo1 }}"
- "{{ extra_pkgs_bpo2 }}"
when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
- name: Timestamp successfull run and send up-to-date report
ansible.builtin.shell:


@ -6,7 +6,6 @@ kde_desktop_pkg:
- calligra
- codeblocks
- dia
- filius
- flameshot
- freecad
- fritzing
@ -15,9 +14,8 @@ kde_desktop_pkg:
- inkscape
- kde-full
- keepassxc
- kicad
- kicad-doc-de
- librecad
- mu-editor
- openboard
- qtcreator
- spyder
@ -36,5 +34,3 @@ kde_desktop_pkg:
- xdg-desktop-portal-kde
- xdg-desktop-portal-wlr # share screen in browser
- xournalpp
kde_desktop_pkg_bpo: [ ]


@ -8,14 +8,19 @@
repo: deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main non-free-firmware
state: present
update_cache: true
when: kde_desktop_pkg_bpo | length > 0
- name: Install extra packages from backports
ansible.builtin.apt:
name: "{{ kde_desktop_pkg_bpo }}"
name:
- filius
- kicad
- kicad-doc-de
- libreoffice
- libreoffice-l10n-de
- libreoffice-qt5
state: latest # noqa package-latest
autoremove: true
default_release: "{{ ansible_distribution_release }}-backports"
when: kde_desktop_pkg_bpo | length > 0
- name: Create akonadi config dir


@ -9,7 +9,7 @@
ansible.builtin.blockinfile:
path: /usr/share/sddm/themes/debian-breeze/Main.qml
marker: // {mark} ANSIBLE MANAGED BLOCK localhome
insertbefore: '^}$'
insertbefore: '\s+//Footer'
block: |
Text {
id: localhome


@ -98,7 +98,7 @@
export superusers
password_pbkdf2 root {{ grub_pwd }}
notify: Run update-grub
when: grub_pwd | bool | default(false)
when: grub_pwd|default(false)
- name: Allow booting grub menu entries
ansible.builtin.lineinfile:


@ -38,14 +38,12 @@
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
</volume>
insertafter: "<!-- Volume definitions -->"
when: not nfs4
- name: Prepare mount point for homes
ansible.builtin.file:
path: /srv/samba/schools/default-school/
state: directory
mode: '0755'
when: not nfs4
- name: Prepare persistent user cache base directory
ansible.builtin.file:
@ -106,9 +104,9 @@
- name: Mount NFSv4 home directory
ansible.posix.mount:
src: fileserver:/default-school
src: server:/default-school
path: /srv/samba/schools/default-school
opts: sec=krb5p,_netdev,x-systemd.automount,x-systemd.idle-timeout=30,timeo=100,soft,acl
opts: sec=krb5p,_netdev,x-systemd.automount,x-systemd.idle-timeout=60
state: present
fstype: nfs4
when: nfs4
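Review bot: `opts: sec=krb5p,_netdev,x-systemd.automount,x-systemd.idle-timeout=30,timeo=100,soft,acl` turns the home export into a soft mount: once `timeo`/retrans are exhausted a pending write returns an error to the application instead of waiting, so a short server or VPN interruption can leave truncated files in users' home directories. If that line is the one being kept, drop `soft` (hard mounts are the default and are the safe choice for home data) and rely on `x-systemd.automount` plus `_netdev` for unavailability handling; if the `x-systemd.idle-timeout=60` line is the kept one, it already omits it. The `src:` host also changes between `fileserver` and `server`; with `sec=krb5p` the client requests a ticket for `nfs/<that name>`, so the name must resolve to the host whose keytab holds that principal — worth checking the new value against the server's keytab. The enclosing task list continues outside both hunks.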


@ -5,14 +5,14 @@
mode: '0644'
content: >
{{ apt_conf }}
when: apt_conf | bool | default(false)
when: apt_conf|default(false)
- name: Set NTP server
ansible.builtin.lineinfile:
path: /etc/systemd/timesyncd.conf
insertafter: '^#NTP='
line: NTP={{ ntp_serv }}
when: ntp_serv | bool | default(false)
when: ntp_serv|default(false)
- name: Add proposed-updates repository
ansible.builtin.apt_repository:


@ -37,7 +37,7 @@
line: "SystemGroup root lpadmin {{ printer_admin_group }}"
regexp: '^SystemGroup'
state: present
when: printer_admin_group | length > 0
when: printer_admin_group | length
- name: Disable cups-browsed
ansible.builtin.systemd:


@ -17,7 +17,6 @@ ad_gpo_access_control = disabled
ad_gpo_ignore_unreadable = True
ad_maximum_machine_account_password_age = 0
ignore_group_members = True
krb5_renew_interval = 1h
{% if localhome is defined and localhome %}
override_homedir = /home/%u
{% endif %}


@ -19,9 +19,8 @@ done
shift "$((OPTIND -1))"
# link system-VM-Images to User VM Directory
for filename in "$@"; do
filename="$(basename $(unknown))"
[[ -f "${VM_DIR}/$(unknown)" ]] || ln "$(unknown)" "${VM_DIR}/$(unknown)"
for i in *.qcow2; do
[[ -f "${VM_DIR}/${i}" ]] || ln "${i}" "${VM_DIR}/${i}"
done
# allow lmnsynci to remove old vm images
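Review bot: The `for filename in "$@"` loop hard-links whatever names the caller passes, and the caller in the vm-start script reaches this script through `sudo /usr/local/bin/vm-link-images`, so the names should be restricted to image files before `ln` runs; option parsing and `VM_DIR` are outside the hunk. The `$(unknown)` fragments look like extraction damage where `${filename}` stood, so the exact expansions cannot be reviewed here, but `basename` is given an unquoted command substitution and should be `basename "${filename}"`. If the argument-driven form is the one kept, a guard such as `[[ "${filename}" == *.qcow2 ]] || { echo "skipping ${filename}" >&2; continue; }` after the `basename` line keeps a privileged link limited to the expected image type. The `for i in *.qcow2` form avoids caller-controlled names entirely but depends on the working directory the script is invoked from, which should be set explicitly with `cd` (and checked) at the top of the script.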


@ -90,21 +90,17 @@ create_clone() {
local VM_NAME="$1"
if ! [[ -f "${VM_SYSDIR}/${VM_NAME}.qcow2" || -f "${VM_DIR}/${VM_NAME}.qcow2" ]]; then
echo "qcow2 File does not exists." >&2
exit 1
echo "qcow2 File does not exists." >&2
exit 1
fi
# Create User-VM-Dir and link system VM-Images
[[ -d "${VM_DIR}" ]] || mkdir -p "${VM_DIR}"
IMAGE="${VM_NAME}.qcow2"
while [[ -n ${IMAGE} ]]; do
if [[ "${PERSISTENT}" -eq 1 ]]; then
sudo /usr/local/bin/vm-link-images -p "${IMAGE}"
else
sudo /usr/local/bin/vm-link-images "${IMAGE}"
fi
IMAGE="$(qemu-img info -U "${VM_DIR}/${IMAGE}" | grep "^backing file:" | cut -d ' ' -f 3)"
done
if [[ "${PERSISTENT}" -eq 1 ]]; then
sudo /usr/local/bin/vm-link-images -p
else
sudo /usr/local/bin/vm-link-images
fi
# Create backing file
cd "${VM_DIR}"
@ -134,30 +130,18 @@ create_printerlist() {
}
create_mountlist() {
NETHOMEPART="${NETHOME#/srv/samba/schools}"
cat << EOF > "${VMINFO_DIR}/.mounts.csv"
Drive;Remotepath
H;\\\\server.pn.steinbeis.schule${NETHOMEPART//\//\\}
T;\\\\server.pn.steinbeis.schule\\default-school\\share
EOF
echo "${USER}" > "/${VMINFO_DIR}/.user"
}
start_virtiofs_service() {
local target_name=$1
local shared_dir=$2
local drive_letter=$3
local socket="/run/user/${UID}/virtiofs-${VM_NAME}-${target_name,,}.sock"
systemd-run --user /usr/local/bin/virtiofsd --uid-map=":${GUEST_UID}:${UID}:1:" --gid-map=":${GUEST_GID}:$(id -g):1:" \
--socket-path "${socket}" --shared-dir "${shared_dir}" --syslog
if [[ $? -ne 0 ]]; then
echo "Error starting virtiofsd for ${target_name}." >&2
return 1
if id | grep -q teachers; then
NETHOME=/srv/samba/schools/default-school/teachers/$USER
else
NETHOME=(/srv/samba/schools/default-school/students/*/"$USER")
fi
LIBVIRTOPTS="${LIBVIRTOPTS} --filesystem driver.type=virtiofs,accessmode=passthrough,target.dir=${target_name},xpath1.set=./source/@socket=${socket}"
NETHOME="${NETHOME#/srv/samba/schools}"
cat << EOF > "/lmn/media/${USER}/.mounts.csv"
Drive;Remotepath
H;\\\\10.190.1.1${NETHOME//\//\\}
T;\\\\10.190.1.1\default-school\share
EOF
echo "${USER}" > "/lmn/media/${USER}/.user"
}
start_virtiofsd() {
@ -167,17 +151,9 @@ start_virtiofsd() {
[[ "$GUEST_GID" == 0 ]] && GUEST_GID=1010
fi
# END temporary fix
# start_virtiofs_service "VM-Data" "/lmn/media/${USER}" "Y"
# start_virtiofs_service "default-school" "/srv/samba/schools/default-school" "Y"
# Home@PC / VM-Data
# if the environment variable VMLEGACY is set, /lmn/media/USER is forced
if [[ "${HOME}" != "${NETHOME}" && ! -v VMLEGACY ]]; then
start_virtiofs_service "Home_Linux" "${HOME}" "Y"
else
start_virtiofs_service "VM-Data" "/lmn/media/${USER}" "Y"
fi
socket="/run/user/$(id -u $USER)/virtiofs-${VM_NAME}.sock"
systemd-run --user /usr/local/bin/virtiofsd --uid-map=:${GUEST_UID}:${UID}:1: --gid-map=:${GUEST_GID}:$(id -g):1: \
--socket-path "$socket" --shared-dir "/lmn/media/${USER}" --syslog
}
ask_really_persistent() {
@ -240,7 +216,7 @@ while true; do
shift
;;
-o | --options )
LIBVIRTOPTS="${LIBVIRTOPTS} $2"
LIBVIRTOPTS=$2
shift 2
;;
--no-viewer )
@ -291,7 +267,6 @@ while true; do
type="ethernet,mac=${mac},target.dev=${interface},xpath1.set=./target/@managed=no,model.type=virtio"
LIBVIRTOPTS="${LIBVIRTOPTS} --network type=$type"
done
LIBVIRTOPTS="${LIBVIRTOPTS} --check mac_in_use=off"
shift
;;
--os )
@ -340,33 +315,18 @@ if ! virsh --connect="${QEMU}" list | grep "${VM_NAME}-clone"; then
check_images
fi
if [[ "${NEWCLONE}" = 1 ]] || [[ ! -f "${VM_DIR}/${VM_NAME}-clone.qcow2" ]]; then
create_clone "${VM_NAME}"
create_clone "${VM_NAME}"
fi
# delete the old vm
virsh --connect=qemu:///session undefine --nvram "${VM_NAME}-clone" || echo "${VM_NAME}-clone did not exist"
#trap exit_script SIGHUP SIGINT SIGTERM
if id | grep -q teachers; then
NETHOME=/srv/samba/schools/default-school/teachers/$USER
else
NETHOME=(/srv/samba/schools/default-school/students/*/"$USER")
fi
if [[ "${HOME}" != "${NETHOME}" ]]; then
VMINFO_DIR="${HOME}"
else
VMINFO_DIR="/lmn/media/${USER}"
fi
create_printerlist
create_mountlist
# start virtiofsd-service
[[ "${QEMU}" = 'qemu:///session' ]] && start_virtiofsd
# Create VMInfo Json file
#( umask 027; ./vm-create-vminfo > "${VMINFO_DIR}/.vminfo.json" )
# Start vminfo.timer
systemctl --user start vminfo.timer
uuid=$(openssl rand -hex 16)
uuid="${uuid:0:8}-${uuid:8:4}-${uuid:12:4}-${uuid:16:4}-${uuid:20:12}"
@ -388,6 +348,7 @@ if ! virsh --connect="${QEMU}" list | grep "${VM_NAME}-clone"; then
--memorybacking source.type=memfd,access.mode=shared \
--disk "${VM_DIR}/${VM_NAME}-clone.qcow2",driver.discard=unmap,target.bus=scsi,cache=writeback \
--network=bridge=virbr0,model.type=virtio \
--filesystem driver.type=virtiofs,accessmode=passthrough,target.dir=virtiofs,xpath1.set=./source/@socket="/run/user/${UID}/virtiofs-${VM_NAME}.sock" \
--controller type=scsi,model=virtio-scsi \
--check path_in_use=off \
--connect="${QEMU}" \
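Review bot: In the `-o | --options` hunk `LIBVIRTOPTS=$2` discards everything collected so far, while the `--network` loop below appends with `LIBVIRTOPTS="${LIBVIRTOPTS} --network type=$type"` and `start_virtiofs_service` appends a `--filesystem` entry the same way; if the overwriting form is the one kept, a `-o` given after those options silently drops them, and `$2` is unquoted as well. Keep the appending form, `LIBVIRTOPTS="${LIBVIRTOPTS} $2"`. In `start_virtiofsd`, the socket path `"/run/user/$(id -u $USER)/virtiofs-${VM_NAME}.sock"` is built separately from the `xpath1.set=./source/@socket=` path in the `virt-install` hunk, whereas `start_virtiofs_service` derives both from one `${socket}` variable; the single-variable form is preferable, because a mismatch leaves the guest without the share and a virtiofsd instance exporting the shared directory on a socket nothing connects to. `create_mountlist` also writes `"/${VMINFO_DIR}/.user"` with a stray leading slash (`"${VMINFO_DIR}/.user"`), harmless only while `VMINFO_DIR` is absolute. The option loop, `create_clone` and the `virt-install` call all extend beyond the hunks shown.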


@ -1,113 +0,0 @@
#!/usr/bin/python3
import argparse
import struct
import subprocess
import json
from os import environ,path
from impacket.krb5.ccache import CCache
from base64 import b64encode
home = ""
nethome = ""
vminfo = {}
def get_printers():
printers = []
try:
result = subprocess.run(['lpstat', '-v'], capture_output=True, text=True, check=True)
for line in result.stdout.splitlines():
# Extrahiere den Druckernamen
printer_name = line.split()[2].rstrip(':')
ipp_url = f"ipp://192.168.122.1/printers/{printer_name}"
printer = { 'Name': printer_name, 'IppURL': ipp_url }
printers.append(printer)
return printers
except subprocess.CalledProcessError as e:
print(f"Fehler beim Abrufen der Drucker: {e}")
return []
def get_groups(username):
try:
result = subprocess.run(['id', '-Gnz', username], capture_output=True, text=True, check=True)
groups = result.stdout.strip().split('\0')
return groups
except subprocess.CalledProcessError as e:
print(f"Fehler beim Abrufen der Gruppen: {e}")
return []
def get_krb5 ():
krb5 = {}
ccachefilename = environ.get('KRB5CCNAME').replace('FILE:', '')
if ccachefilename:
try:
ccache = CCache.loadFile(ccachefilename)
cred = ccache.toKRBCRED()
cred_enc = b64encode(cred)
krb5['cred'] = cred_enc.decode('utf-8')
krb5['starttime'] = ccache.credentials[0]['time']['starttime']
krb5['endtime'] = ccache.credentials[0]['time']['endtime']
krb5['renew_till'] = ccache.credentials[0]['time']['renew_till']
except:
print("Fehler beim Ticket laden")
return krb5
def get_mounts():
mounts = []
mounts.append({ 'Drive': 'H', 'RemotePath': '\\\\server.pn.steinbeis.schule' + nethome.replace('/srv/samba/schools','').replace('/','\\'), 'Name': 'Home_Server' })
mounts.append({ 'Drive': 'T', 'RemotePath': '\\\\server.pn.steinbeis.schule\default-school\share', 'Name': 'Tausch' })
return mounts
def get_user_folders():
HOME="H:"
if environ.get('HOME') != nethome:
HOME="Y:"
folders = []
folders.append( {'Name': 'Personal', 'Path': f"{HOME}\Dokumente"} )
folders.append( {'Name': 'My Pictures', 'Path': f"{HOME}\Bilder"} )
folders.append( {'Name': 'My Music', 'Path': f"{HOME}\Musik"} )
folders.append( {'Name': 'My Video', 'Path': f"{HOME}\Videos"} )
return folders
def get_quickaccess():
quickaccess = []
quickaccess.append( 'H:\\transfer' )
return quickaccess
def parse_args():
parser = argparse.ArgumentParser()
#parser.add_argument('input_file', help="File in kirbi (KRB-CRED) or ccache format")
#parser.add_argument('output_file', help="Output file")
return parser.parse_args()
def main():
global home, nethome
args = parse_args()
home = environ.get('HOME')
vminfo['User'] = environ.get('USER')
vminfo['Groups'] = get_groups(environ.get('USER'))
if 'teachers' in vminfo['Groups']:
nethome = f"/srv/samba/schools/default-school/teachers/{vminfo['User']}"
else:
result = subprocess.run(['find', '/srv/samba/schools/default-school/students/', '-name', vminfo['User'], '-maxdepth', '2', '-type', 'd'], capture_output=True, text=True, check=False)
nethome = result.stdout
vminfo['Printers'] = get_printers()
vminfo['krb5'] = get_krb5()
vminfo['Mounts'] = get_mounts()
vminfo['UserShellFolders'] = get_user_folders()
vminfo['QuickAccess'] = get_quickaccess()
vminfo_json = json.dumps(vminfo, ensure_ascii=False, indent=4)
print(vminfo_json)
if __name__ == '__main__':
main()


@ -18,9 +18,7 @@
- mktorrent
- libvirt-daemon-system
- virt-manager
- virt-viewer
- dialog # for vm-netboot menu
- python3-impacket
# - name: allow all users to use VMs
# lineinfile:
@ -29,20 +27,46 @@
# insertafter: '#auth_unix_rw = "polkit"'
# notify: reload libvirtd
# - name: Use umount script for proper cleanup
# ansible.builtin.blockinfile:
# dest: /etc/security/pam_mount.conf.xml
# marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (umount script needed for bind mounts ordering) -->"
# block: |
# <!-- Provide special umount script here to handle bind mounts and proper ordering -->
# <umount>/usr/local/sbin/pam-umount.sh %(USER) %(USERUID) %(MNTPT)</umount>
# insertafter: '^<mntoptions.*'
- name: Configure pam_mount for VM bind mounts
ansible.builtin.blockinfile:
dest: /etc/security/pam_mount.conf.xml
marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mounts for VMs) -->"
block: |
<!-- bind mounts for the VMs, setting gid here does not work -->
<volume
path="~"
mountpoint="/lmn/media/%(USER)/home"
options="bind"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
</volume>
<volume
path="/srv/samba/schools/default-school/share"
mountpoint="/lmn/media/%(USER)/share"
options="bind"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
</volume>
<volume
path="/srv/samba/schools/default-school"
mountpoint="/lmn/media/%(USER)/school"
options="bind"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
</volume>
insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"
# - name: Prepare umount script
# ansible.builtin.copy:
# src: pam-umount.sh
# dest: /usr/local/sbin/pam-umount.sh
# mode: '0755'
- name: Use umount script for proper cleanup
ansible.builtin.blockinfile:
dest: /etc/security/pam_mount.conf.xml
marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (umount script needed for bind mounts ordering) -->"
block: |
<!-- Provide special umount script here to handle bind mounts and proper ordering -->
<umount>/usr/local/sbin/pam-umount.sh %(USER) %(USERUID) %(MNTPT)</umount>
insertafter: '^<mntoptions.*'
- name: Prepare umount script
ansible.builtin.copy:
src: pam-umount.sh
dest: /usr/local/sbin/pam-umount.sh
mode: '0755'
- name: Insert domain in default-network
ansible.builtin.lineinfile:
@ -125,7 +149,6 @@
- vm-sync
- vm-link-images
- vm-virtiofsd
- vm-vminfo
- virtiofsd
- vm-aria2
- uploadseed
@ -213,26 +236,3 @@
src: vm-netboot
dest: /usr/local/bin/
mode: '0755'
- name: Provide vminfo service
ansible.builtin.copy:
content: |
[Unit]
Description=Create .vminfo.json for VMs
[Service]
Type=simple
ExecStart=/usr/bin/bash -c 'umask 027; /usr/local/bin/vm-vminfo > "{% if localhome %}~{% else %}/lmn/media/${USER}{% endif %}/.vminfo.json"'
dest: /etc/systemd/user/vminfo.service
mode: '0644'
- name: Provide vminfo timer
ansible.builtin.copy:
content: |
[Unit]
Description=Timer for vm-info
[Timer]
OnActiveSec=0s
OnUnitActiveSec=1h
Persistent=true
dest: /etc/systemd/user/vminfo.timer
mode: '0644'
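Review bot: The bind-mount volumes and the umount-script tasks are coupled — the marker text itself says the script is `needed for bind mounts ordering` — yet one hunk has `Use umount script for proper cleanup` and `Prepare umount script` active and the other has them commented out next to the new `Configure pam_mount for VM bind mounts` block. If the commented-out variant is the one kept, pam_mount falls back to its default umount while `/lmn/media/%(USER)/home`, `share` and `school` are still bind-mounted from the user's home and the school share, so a logout can leave those mounts behind and the home volume busy. Keep both umount tasks active whenever the bind-mount block is present, or record in the commented block why the ordering problem no longer applies. `insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"` anchors on the last managed block in the file, so the position of these volumes depends on which other roles have written blocks; a fixed anchor such as the `<!-- Volume definitions -->` comment used by the localhome role is deterministic.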


@ -4,24 +4,15 @@ set -eu
if [[ "$CONNECTION_ID" = "VPN-Schule" ]]; then
USERNAME=$(ps -o pid,user,args -C sddm-helper | sed -nE 's/.*user (.*)$/\1/p')
USERID=$(id -u "${USERNAME}")
GROUPID=$(id -g "${USERNAME}")
KRB5CCNAME=$(ls /tmp/krb5cc_"${USERID}"_*)
export KRB5CCNAME
printenv >&2
if [[ "$NM_DISPATCHER_ACTION" = "up" ]]; then
# Exit if server is already mounted
findmnt /srv/samba/schools/default-school > /dev/null && exit 0
{% if nfs4 %}
echo "Before systemctl restart autofs" >&2
systemctl restart srv-samba-schools-default\\x2dschool.automount
echo "After systemctl restart autofs" >&2
{% else %}
USERID=$(id -u "${USERNAME}")
GROUPID=$(id -g "${USERNAME}")
KRB5CCNAME=$(ls /tmp/krb5cc_"${USERID}"_*)
export KRB5CCNAME
printenv >&2
# Exit if server is already mounted
findmnt /srv/samba/schools/default-school > /dev/null && exit 0
if ! klist -s -c "${KRB5CCNAME}"; then
#echo "try to renew KRB5-Ticket" >&2
#sudo -u "${USERNAME}" kinit -R -c "${KRB5CCNAME}"
@ -39,9 +30,7 @@ if [[ "$CONNECTION_ID" = "VPN-Schule" ]]; then
-o "sec=krb5i,cruid=${USERID},user=${USERNAME},uid=${USERID},gid=${GROUPID},file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600,cache=loose,echo_interval=10"
echo "after mount" >&2
mount --bind /srv/samba/schools/default-school/share "/lmn/media/${USERNAME}/share"
{% endif %}
SUDO_USER=$USERNAME /usr/local/bin/install-printers.sh
{% if not nfs4 %}
elif [[ "$NM_DISPATCHER_ACTION" = "pre-down" ]]; then
# FIXME: Only umount server when Wireguard-Connection was the only connection to server.
# Dirty fix (works only in fvs-IP-Range)
@ -50,6 +39,5 @@ if [[ "$CONNECTION_ID" = "VPN-Schule" ]]; then
umount "/lmn/media/${USERNAME}/share"
umount /srv/samba/schools/default-school
fi
{% endif %}
fi
fi
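Review bot: `KRB5CCNAME=$(ls /tmp/krb5cc_"${USERID}"_*)` expands to every matching cache when more than one exists, yielding a newline-joined value that neither `klist -s -c` nor the `cruid=` cifs mount can use, and under `set -eu` a missing cache aborts the dispatcher before the `findmnt` early exit; the line is present in both variants of the hunk, so this applies whichever is kept. Pick one cache deterministically and bail out cleanly when none exists, e.g. `KRB5CCNAME=$(ls -t /tmp/krb5cc_"${USERID}"_* 2>/dev/null | head -n1)` followed by `[[ -n "${KRB5CCNAME}" ]] || exit 0`. `printenv >&2` sends the whole dispatcher environment to the journal on every `up` event; logging only `CONNECTION_ID`, `NM_DISPATCHER_ACTION` and `USERNAME` gives the same diagnostic value with less exposure. Deriving `USERNAME` from the `sddm-helper` process list yields an arbitrary session when several users are logged in, and the `pre-down` branch of the same `if` extends past the second hunk.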


@ -6,9 +6,9 @@
mode: "0755"
- name: Copy NetworkManager dispatcher-script (10-lmn-mount.sh)
ansible.builtin.template:
src: 10-lmn-mount.sh.j2
dest: /etc/NetworkManager/dispatcher.d/10-lmn-mount.sh
ansible.builtin.copy:
src: 10-lmn-mount.sh
dest: /etc/NetworkManager/dispatcher.d/
mode: "0755"
- name: Create link to dispatcher-script (10-lmn-mount.sh)