Remove unnecessary systemd-resolved

doc/install_ontop.md

@@ -1,6 +1,12 @@
 # Installation on existing client
 
-An easy method to test the lmn-client is to run the playbook manual on a fresh installed client.
+A straightforward way to test the lmn-client is to manually run the playbook on a freshly installed client.
+
+This can be done in the following ways:
+
+    On the client using ansible-pull
+    On the client by checking out the lmn-client repository and running the playbook locally
+    On a target device by checking out the lmn-client repository locally and executing the playbook against the target device
 
 ## Direct call via ansible-pull
 
@@ -12,7 +18,7 @@ Steps:
 * Install additional packages: ansible  
   `sudo apt install ansible`
 * Run Playbook  
-  `ansible-pull -i inventory.yml -l localhost, --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main lmn-client.yml`
+  `sudo ansible-pull --verbose -i inventory-sample.yml -l localhost --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main lmn-client.yml`
 
 ## Checkout git and run ansible locally
 
@@ -26,8 +32,10 @@ Steps:
   `sudo apt install ansible git`
 * Checkout Repository  
   `git clone https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git`
+* Change into repository directory  
+  `cd lmn-client`
 * Create inventory  
-  `cp inventory.yml inventory-myschool.yml`
+  `cp inventory-sample.yml inventory-myschool.yml`
 * Edit inventory-myschool.yml  
   e.g.: `nano inventory-myschool.yml`
 * Run Playbook  

doc/install_pxe.md

@@ -3,14 +3,27 @@
 * **Using DigitalSouveraeneSchule repository and LinuxMuster.Net tftp**  
   Simplest solution. Playbook and default inventory from DigitalSouveraeneSchule codeberg repository.  
   Linux kernel and initial Ramdisk from debian repository.  
+  Client must have access to the internet (noproxy group).
 * **Using your own repository and LinuxMuster.Net tftp**  
   Here you can use your own inventory and make many custom settings.  
   Linux kernel and initial Ramdisk from debian repository.  
+  Client must have access to the internet (noproxy group).
 * **Using your own repository and livebox tftp**  
   Additional kernel and Ramdisk from your own infrastrukture.  
+  Client does not need direct internet access.
 
 ## Using codeberg repository and LinuxMuster.Net tftp
 
+### Requirements / firewall settings
+
+The computer on which the linuxclient is to be installed must have access to the Internet (add host to noproxy group)
+
+The following resources are downloaded from the internet:
+
+* The repository is provided by codeberg.org
+* the Linux kernel, the initial ramdisk and the installation files are loaded from debian.org.
+* mscorefonts from Microsoft
+
 ### Modification LinuxMuster.Net server
 
 Create grub config for device group `lmnclient` on your schools server:
@@ -25,9 +38,12 @@ set default=1
 menuentry 'Installer Debian bookworm (amd64) + preseed + ansible inventory' {
    echo -n "Enter domain join password: "
    read adpw
+   set vaultpw="dummy"
+   # echo -n "Enter vault password"
+   # read vaultpw
    linux   (http,ftp.debian.org)/debian/dists/stable/main/installer-amd64/current/images/netboot/debian-installer/amd64/linux auto=true priority=high \
-           url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client/raw/branch/fvs/misc/preseed.cfg interface=auto \
+           url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client/raw/branch/main/misc/preseed.cfg interface=auto \
-           playbook=lmn-client.yml adpw="${adpw}" ---
+           playbook=lmn-client.yml adpw="${adpw}" vaultpw="${vaultpw}" ---
    initrd  (http,ftp.debian.org)/debian/dists/stable/main/installer-amd64/current/images/netboot/debian-installer/amd64/initrd.gz
 }
 ```
@@ -47,4 +63,52 @@ classroom;mypc01;lmnclient;F2:81:6B:C9:E3:EF;10.0.5.51;;;;classroom-studentcompu
 * confirm `hostname` and `domain` (you will be asked in network setup)
 * ... Get a cup of coffee ... wait until reboot ... login (Logging in may take a few minutes after installation)
 
-## Using your own livebox server
+
+## Using your own repository and LinuxMuster.Net tftp
+
+If you fork the lmn-client repository, you can customize the preseeding and inventory to your needs.
+Use the instructions in the previous section and customize the repository in `/srv/linbo/boot/grub/lmnclient.cfg`.
+
+It makes sense to encrypt your inventory via `ansible-vault`.
+When using encrypted inventories you have to provide the vault password by commenting in the two lines in the `/srv/linbo/boot/grub/lmnclient.cfg`.
+
+## Using your own repository and livebox tftp
+
+The next improvement will be to use your own livebox with following functionalities:
+
+* Providing linux kernel and initial ramdisk for installer
+* Can be used as cache for debian packages (aptcacher)
+* Can provide mscorefonts and libdvdcss (multimedia codecs)
+* Can be used to boot live systems (netboot) via pxe
+
+### Installing the livebox server
+
+* Install debian VM and configure network
+* Install additional packages: ansible  
+  `sudo apt install ansible`
+* Run livebox playbook  
+  `ansible-pull -i localhost, --url=https://salsa.debian.org/andi/debian-lan-ansible.git -C master livebox.yml`
+* Set DNS entry for your new livebox server
+
+### Modification LinuxMuster.Net server
+
+The file `/srv/linbo/boot/grub/lmnclient.cfg` might look like this:
+
+```
+# ### NOT managed by linuxmuster.net ###
+
+# edit to your needs
+set default=1
+
+menuentry 'Installer Debian bookworm (amd64) + preseed + ansible inventory' {
+   echo -n "Enter domain join password: "
+   read adpw
+   set vaultpw="dummy"
+   # echo -n "Enter vault password"
+   # read vaultpw
+   linux   (http,livebox.example.com)/d-i/n-pkg/images/12/amd64/text/debian-installer/amd64/linux auto=true priority=high \
+           url=https://codeberg.org/MySchool/lmn-client/raw/branch/main/misc/preseed-myschool.cfg interface=auto \
+           playbook=lmn-client.yml adpw="${adpw}" vaultpw="${vaultpw}" ---
+   initrd  (http,livebox.example.com)/d-i/n-pkg/images/12/amd64/text/debian-installer/amd64/initrd.gz
+}
+```

inventory-sample.yml

@@ -2,10 +2,9 @@
 all:
   vars:
     domain: "{{ ansible_domain }}"
-    security_defaultuser_login_disable: false
-    kde_desktop_pkg:
-      - akonadi-backend-sqlite
 
+    # Comment out on productive systems when ssh key is provided
+    security_defaultuser_login_disable: false
 
     ## Proxy configuration (see: doc/localproxy.md)
     # localproxy: true
@@ -59,7 +58,6 @@ all:
     #   - vim
     #   - mc
     #   - tmux
-    #   - debconf-utils
 
     ## WLAN configuration (see: doc/vpn.md):
     ##
@@ -105,6 +103,7 @@ all:
 
   hosts:
     localhost:
+      ansible_connection: local
 
 laptops:
   children:

misc/preseed.cfg

@@ -50,13 +50,11 @@ d-i apt-setup/contrib boolean true
 d-i mirror/country string manual
 d-i mirror/http/hostname string deb.debian.org
 d-i mirror/http/directory string /debian
-#d-i mirror/http/proxy string http://10.167.0.253:3142/
+#d-i mirror/http/proxy string http://aptcache.pn.steinbeis.schule:3142/
-#d-i mirror/http/proxy string http://192.168.1.17:3142/
+d-i mirror/http/proxy string
-#d-i mirror/http/proxy string http://aptcache.steinbeisschule-reutlingen.de:3142/
-d-i mirror/http/proxy string http://aptcache.pn.steinbeis.schule:3142/
 
 # NTP server to use:
-d-i clock-setup/ntp-server string server.pn.steinbeis.schule
+#d-i clock-setup/ntp-server string server.pn.steinbeis.schule
 
 ### Backports:
 #apt-setup-udeb apt-setup/services-select multiselect security, updates, backports
@@ -129,10 +127,9 @@ d-i preseed/late_command string \
         in-target mount -v -t tmpfs tmpfs /dev/shm ; \
         echo "$vaultpw" > /target/dev/shm/vaultpw ; \
         in-target ansible-pull --verbose --purge --extra-vars="run_in_installer=true" \
-           -l localhost \
+           --vault-password-file /dev/shm/vaultpw -l localhost \
-           -i inventory-sample.yml --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C fvs $playbook ; \
+           -i inventory-sample.yml --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main $playbook ; \
       fi
-##           --vault-password-file /dev/shm/vaultpw -l localhost \
 #
 ## When installing in combination with ansible-pull,
 ## export your ansible playbook like:

roles/lmn_vpn/tasks/wg_config.yml

@@ -5,7 +5,7 @@
       - wireguard
 
 - name: Check if wg_server is reachable
-  ansible.builtin.command: echo "Test if wg_server is reachable"
+  ansible.builtin.command: echo "reachable"
   delegate_to: wireguard_server
   register: result
   changed_when: false
@@ -17,10 +17,12 @@
       * server not reachable
       * no matching ssh-key
   changed_when: true
-  when: result.unreachable is defined and result.unreachable
+  when: result.stdout is not defined or result.stdout!="reachable"
 
 - name: Configure WG Server
-  when: result.unreachable is not defined or not result.unreachable
+  when:
+    - result.stdout is defined and result.stdout=="reachable"
+    - not run_in_installer|default(false)|bool
   block:
     - name: Set facts wg_clientname
       ansible.builtin.set_fact:

roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml

@@ -27,7 +27,7 @@
   when: cert_client_active.stat.exists
 
 - name: Check if radius-server is reachable
-  ansible.builtin.command: echo "Test if radius-server is reachable"
+  ansible.builtin.command: echo "reachable"
   delegate_to: radius_server
   register: radius_reachable
   changed_when: false
@@ -40,12 +40,13 @@
       - "* server not reachable"
       - "* no matching ssh-key"
   changed_when: true
-  when: radius_reachable.unreachable is defined and radius_reachable.unreachable
+  when: radius_reachable.stdout is not defined or radius_reachable.stdout!='reachable'
 
 - name: Issue radius certificate
   ansible.builtin.include_tasks: eap-tls_issue-certificate.yaml
   when:
-    - radius_reachable.unreachable is not defined or not radius_reachable.unreachable
+    - radius_reachable.stdout is defined and radius_reachable.stdout=="reachable"
+    - not run_in_installer|default(false)|bool
     - |
       ( not cert_client_active.stat.exists ) or
       (cert_serial.stdout | replace('serial=','') | int(base=16) ) in ( radius_crl.revoked_certificates | map(attribute='serial_number') | list ) or

roles/lmn_wlan/tasks/eap-tls_issue-certificate.yaml

@@ -105,6 +105,7 @@
   ansible.builtin.systemd:
     name: iwd.service
     enabled: false
+  failed_when: false
 
 - name: Remove deprecated NetworkManager config
   ansible.builtin.blockinfile:

roles/lmn_wlan/tasks/main.yaml

@@ -3,7 +3,6 @@
 - name: Install packages related to wifi
   ansible.builtin.apt:
     name:
-      - systemd-resolved
       - firmware-realtek # for our wifi sticks
 
 - name: Provide service to enable WiFi on boot