The virt-viewer package must be explicitly selected for trixie

doc/install_ontop.md

@@ -1,6 +1,12 @@
 # Installation on existing client
 
-An easy method to test the lmn-client is to run the playbook manual on a fresh installed client.
+A straightforward way to test the lmn-client is to manually run the playbook on a freshly installed client.
+
+This can be done in the following ways:
+
+    On the client using ansible-pull
+    On the client by checking out the lmn-client repository and running the playbook locally
+    On a target device by checking out the lmn-client repository locally and executing the playbook against the target device
 
 ## Direct call via ansible-pull
 
@@ -9,10 +15,10 @@ With two simple commands you can install the lmn-client with default configurati
 Steps:
 
 * Install debian on client (via USB or PXE)
-* Install additional packages: ansible
+* Install additional packages: ansible  
   `sudo apt install ansible`
-* Run Playbook
-  `ansible-pull -i inventory.yml -l localhost, --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main lmn-client.yml`
+* Run Playbook  
+  `sudo ansible-pull --verbose -i inventory-sample.yml -l localhost --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main lmn-client.yml`
 
 ## Checkout git and run ansible locally
 
@@ -24,10 +30,12 @@ Steps:
 * Install debian on client (via USB or PXE)
 * Install additional packages: ansible, git  
   `sudo apt install ansible git`
-* Checkout Repository
+* Checkout Repository  
   `git clone https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git`
+* Change into repository directory  
+  `cd lmn-client`
 * Create inventory  
-  `cp inventory.yml inventory-myschool.yml`
+  `cp inventory-sample.yml inventory-myschool.yml`
 * Edit inventory-myschool.yml  
   e.g.: `nano inventory-myschool.yml`
 * Run Playbook  

doc/install_pxe.md

@@ -2,15 +2,28 @@
 
 * **Using DigitalSouveraeneSchule repository and LinuxMuster.Net tftp**  
   Simplest solution. Playbook and default inventory from DigitalSouveraeneSchule codeberg repository.  
-  Linux kernel and initial Ramdisk from debian repository.
+  Linux kernel and initial Ramdisk from debian repository.  
+  Client must have access to the internet (noproxy group).
 * **Using your own repository and LinuxMuster.Net tftp**  
   Here you can use your own inventory and make many custom settings.  
-  Linux kernel and initial Ramdisk from debian repository.
+  Linux kernel and initial Ramdisk from debian repository.  
+  Client must have access to the internet (noproxy group).
 * **Using your own repository and livebox tftp**  
-  Additional kernel and Ramdisk from your own infrastrukture.
+  Additional kernel and Ramdisk from your own infrastrukture.  
+  Client does not need direct internet access.
 
 ## Using codeberg repository and LinuxMuster.Net tftp
 
+### Requirements / firewall settings
+
+The computer on which the linuxclient is to be installed must have access to the Internet (add host to noproxy group)
+
+The following resources are downloaded from the internet:
+
+* The repository is provided by codeberg.org
+* the Linux kernel, the initial ramdisk and the installation files are loaded from debian.org.
+* mscorefonts from Microsoft
+
 ### Modification LinuxMuster.Net server
 
 Create grub config for device group `lmnclient` on your schools server:
@@ -25,9 +38,12 @@ set default=1
 menuentry 'Installer Debian bookworm (amd64) + preseed + ansible inventory' {
    echo -n "Enter domain join password: "
    read adpw
+   set vaultpw="dummy"
+   # echo -n "Enter vault password"
+   # read vaultpw
    linux   (http,ftp.debian.org)/debian/dists/stable/main/installer-amd64/current/images/netboot/debian-installer/amd64/linux auto=true priority=high \
-           url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client/raw/branch/fvs/misc/preseed.cfg interface=auto \
-           playbook=lmn-client.yml adpw="${adpw}" ---
+           url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client/raw/branch/main/misc/preseed.cfg interface=auto \
+           playbook=lmn-client.yml adpw="${adpw}" vaultpw="${vaultpw}" ---
    initrd  (http,ftp.debian.org)/debian/dists/stable/main/installer-amd64/current/images/netboot/debian-installer/amd64/initrd.gz
 }
 ```
@@ -47,4 +63,52 @@ classroom;mypc01;lmnclient;F2:81:6B:C9:E3:EF;10.0.5.51;;;;classroom-studentcompu
 * confirm `hostname` and `domain` (you will be asked in network setup)
 * ... Get a cup of coffee ... wait until reboot ... login (Logging in may take a few minutes after installation)
 
-## Using your own livebox server
+
+## Using your own repository and LinuxMuster.Net tftp
+
+If you fork the lmn-client repository, you can customize the preseeding and inventory to your needs.
+Use the instructions in the previous section and customize the repository in `/srv/linbo/boot/grub/lmnclient.cfg`.
+
+It makes sense to encrypt your inventory via `ansible-vault`.
+When using encrypted inventories you have to provide the vault password by commenting in the two lines in the `/srv/linbo/boot/grub/lmnclient.cfg`.
+
+## Using your own repository and livebox tftp
+
+The next improvement will be to use your own livebox with following functionalities:
+
+* Providing linux kernel and initial ramdisk for installer
+* Can be used as cache for debian packages (aptcacher)
+* Can provide mscorefonts and libdvdcss (multimedia codecs)
+* Can be used to boot live systems (netboot) via pxe
+
+### Installing the livebox server
+
+* Install debian VM and configure network
+* Install additional packages: ansible  
+  `sudo apt install ansible`
+* Run livebox playbook  
+  `ansible-pull -i localhost, --url=https://salsa.debian.org/andi/debian-lan-ansible.git -C master livebox.yml`
+* Set DNS entry for your new livebox server
+
+### Modification LinuxMuster.Net server
+
+The file `/srv/linbo/boot/grub/lmnclient.cfg` might look like this:
+
+```
+# ### NOT managed by linuxmuster.net ###
+
+# edit to your needs
+set default=1
+
+menuentry 'Installer Debian bookworm (amd64) + preseed + ansible inventory' {
+   echo -n "Enter domain join password: "
+   read adpw
+   set vaultpw="dummy"
+   # echo -n "Enter vault password"
+   # read vaultpw
+   linux   (http,livebox.example.com)/d-i/n-pkg/images/12/amd64/text/debian-installer/amd64/linux auto=true priority=high \
+           url=https://codeberg.org/MySchool/lmn-client/raw/branch/main/misc/preseed-myschool.cfg interface=auto \
+           playbook=lmn-client.yml adpw="${adpw}" vaultpw="${vaultpw}" ---
+   initrd  (http,livebox.example.com)/d-i/n-pkg/images/12/amd64/text/debian-installer/amd64/initrd.gz
+}
+```

inventory-sample.yml

@@ -2,10 +2,9 @@
 all:
   vars:
     domain: "{{ ansible_domain }}"
-    security_defaultuser_login_disable: false
-    kde_desktop_pkg:
-      - akonadi-backend-sqlite
 
+    # Comment out on productive systems when ssh key is provided
+    security_defaultuser_login_disable: false
 
     ## Proxy configuration (see: doc/localproxy.md)
     # localproxy: true
@@ -59,7 +58,6 @@ all:
     #   - vim
     #   - mc
     #   - tmux
-    #   - debconf-utils
 
     ## WLAN configuration (see: doc/vpn.md):
     ##
@@ -105,6 +103,7 @@ all:
 
   hosts:
     localhost:
+      ansible_connection: local
 
 laptops:
   children:

misc/preseed.cfg

@@ -50,13 +50,11 @@ d-i apt-setup/contrib boolean true
 d-i mirror/country string manual
 d-i mirror/http/hostname string deb.debian.org
 d-i mirror/http/directory string /debian
-#d-i mirror/http/proxy string http://10.167.0.253:3142/
-#d-i mirror/http/proxy string http://192.168.1.17:3142/
-#d-i mirror/http/proxy string http://aptcache.steinbeisschule-reutlingen.de:3142/
-d-i mirror/http/proxy string http://aptcache.pn.steinbeis.schule:3142/
+#d-i mirror/http/proxy string http://aptcache.pn.steinbeis.schule:3142/
+d-i mirror/http/proxy string
 
 # NTP server to use:
-d-i clock-setup/ntp-server string server.pn.steinbeis.schule
+#d-i clock-setup/ntp-server string server.pn.steinbeis.schule
 
 ### Backports:
 #apt-setup-udeb apt-setup/services-select multiselect security, updates, backports
@@ -129,10 +127,9 @@ d-i preseed/late_command string \
         in-target mount -v -t tmpfs tmpfs /dev/shm ; \
         echo "$vaultpw" > /target/dev/shm/vaultpw ; \
         in-target ansible-pull --verbose --purge --extra-vars="run_in_installer=true" \
-           -l localhost \
-           -i inventory-sample.yml --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C fvs $playbook ; \
+           --vault-password-file /dev/shm/vaultpw -l localhost \
+           -i inventory-sample.yml --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main $playbook ; \
       fi
-##           --vault-password-file /dev/shm/vaultpw -l localhost \
 #
 ## When installing in combination with ansible-pull,
 ## export your ansible playbook like:

roles/custom/fvs/tasks/main.yml

@@ -220,7 +220,7 @@
   ansible.builtin.blockinfile:
     path: /usr/share/sddm/themes/debian-breeze/Main.qml
     marker: // {mark} ANSIBLE MANAGED BLOCK
-    insertbefore: '\s+//Footer'
+    insertbefore: '^}$'
     block: |
       Text {
          id: hostname

roles/lmn_finish/tasks/main.yaml

@@ -14,7 +14,7 @@
       main non-free-firmware
     state: present
     update_cache: true
-#  when: extra_pkgs_bpo|length
+  when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
 
 - name: Install extra packages from backports
   ansible.builtin.apt:
@@ -25,6 +25,7 @@
     - "{{ extra_pkgs_bpo }}"
     - "{{ extra_pkgs_bpo1 }}"
     - "{{ extra_pkgs_bpo2 }}"
+  when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
 
 - name: Timestamp successfull run and send up-to-date report
   ansible.builtin.shell:

roles/lmn_kde/defaults/main.yml

@@ -6,6 +6,7 @@ kde_desktop_pkg:
   - calligra
   - codeblocks
   - dia
+  - filius
   - flameshot
   - freecad
   - fritzing
@@ -14,8 +15,9 @@ kde_desktop_pkg:
   - inkscape
   - kde-full
   - keepassxc
+  - kicad
+  - kicad-doc-de
   - librecad
-  - mu-editor
   - openboard
   - qtcreator
   - spyder
@@ -34,3 +36,5 @@ kde_desktop_pkg:
   - xdg-desktop-portal-kde
   - xdg-desktop-portal-wlr # share screen in browser
   - xournalpp
+
+kde_desktop_pkg_bpo: [ ]

roles/lmn_kde/tasks/main.yml

@@ -8,19 +8,14 @@
     repo: deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main non-free-firmware
     state: present
     update_cache: true
+  when: kde_desktop_pkg_bpo | length > 0
 
 - name: Install extra packages from backports
   ansible.builtin.apt:
-    name:
-      - filius
-      - kicad
-      - kicad-doc-de
-      - libreoffice
-      - libreoffice-l10n-de
-      - libreoffice-qt5
-    state: latest # noqa package-latest
+    name: "{{ kde_desktop_pkg_bpo }}"
     autoremove: true
     default_release: "{{ ansible_distribution_release }}-backports"
+  when: kde_desktop_pkg_bpo | length > 0
 
 
 - name: Create akonadi config dir

roles/lmn_localhome/tasks/main.yml

@@ -9,7 +9,7 @@
   ansible.builtin.blockinfile:
     path: /usr/share/sddm/themes/debian-breeze/Main.qml
     marker: // {mark} ANSIBLE MANAGED BLOCK localhome
-    insertbefore: '\s+//Footer'
+    insertbefore: '^}$'
     block: |
       Text {
          id: localhome

roles/lmn_misc/tasks/main.yml

@@ -98,7 +98,7 @@
       export superusers
       password_pbkdf2 root {{ grub_pwd }}
   notify: Run update-grub
-  when: grub_pwd|default(false)
+  when: grub_pwd | bool | default(false)
 
 - name: Allow booting grub menu entries
   ansible.builtin.lineinfile:

roles/lmn_network/tasks/main.yml

@@ -5,14 +5,14 @@
     mode: '0644'
     content: >
       {{ apt_conf }}
-  when: apt_conf|default(false)
+  when: apt_conf | bool | default(false)
 
 - name: Set NTP server
   ansible.builtin.lineinfile:
     path: /etc/systemd/timesyncd.conf
     insertafter: '^#NTP='
     line: NTP={{ ntp_serv }}
-  when: ntp_serv|default(false)
+  when: ntp_serv | bool | default(false)
 
 - name: Add proposed-updates repository
   ansible.builtin.apt_repository:

roles/lmn_printer/tasks/main.yml

@@ -37,7 +37,7 @@
     line: "SystemGroup root lpadmin {{ printer_admin_group }}"
     regexp: '^SystemGroup'
     state: present
-  when: printer_admin_group | length
+  when: printer_admin_group | length > 0
 
 - name: Disable cups-browsed
   ansible.builtin.systemd:

roles/lmn_vm/files/vm-run

@@ -216,7 +216,7 @@ while true; do
 	    shift
 	    ;;
     -o | --options )
-            LIBVIRTOPTS=$2
+	    LIBVIRTOPTS="${LIBVIRTOPTS} $2"
 	    shift 2
 	    ;;
     --no-viewer )
@@ -267,6 +267,7 @@ while true; do
               type="ethernet,mac=${mac},target.dev=${interface},xpath1.set=./target/@managed=no,model.type=virtio"
 	      LIBVIRTOPTS="${LIBVIRTOPTS} --network type=$type"
 	    done
+	    LIBVIRTOPTS="${LIBVIRTOPTS} --check mac_in_use=off"
 	    shift
 	    ;;
     --os )

roles/lmn_vm/tasks/main.yml

@@ -18,6 +18,7 @@
       - mktorrent
       - libvirt-daemon-system
       - virt-manager
+      - virt-viewer
       - dialog # for vm-netboot menu
 
     # - name: allow all users to use VMs

roles/lmn_vpn/tasks/wg_config.yml

@@ -5,7 +5,7 @@
       - wireguard
 
 - name: Check if wg_server is reachable
-  ansible.builtin.command: echo "Test if wg_server is reachable"
+  ansible.builtin.command: echo "reachable"
   delegate_to: wireguard_server
   register: result
   changed_when: false
@@ -17,10 +17,12 @@
       * server not reachable
       * no matching ssh-key
   changed_when: true
-  when: result.unreachable is defined and result.unreachable
+  when: result.stdout is not defined or result.stdout!="reachable"
 
 - name: Configure WG Server
-  when: result.unreachable is not defined or not result.unreachable
+  when:
+    - result.stdout is defined and result.stdout=="reachable"
+    - not run_in_installer|default(false)|bool
   block:
     - name: Set facts wg_clientname
       ansible.builtin.set_fact:

roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml

@@ -27,7 +27,7 @@
   when: cert_client_active.stat.exists
 
 - name: Check if radius-server is reachable
-  ansible.builtin.command: echo "Test if radius-server is reachable"
+  ansible.builtin.command: echo "reachable"
   delegate_to: radius_server
   register: radius_reachable
   changed_when: false
@@ -40,12 +40,13 @@
       - "* server not reachable"
       - "* no matching ssh-key"
   changed_when: true
-  when: radius_reachable.unreachable is defined and radius_reachable.unreachable
+  when: radius_reachable.stdout is not defined or radius_reachable.stdout!='reachable'
 
 - name: Issue radius certificate
   ansible.builtin.include_tasks: eap-tls_issue-certificate.yaml
   when:
-    - radius_reachable.unreachable is not defined or not radius_reachable.unreachable
+    - radius_reachable.stdout is defined and radius_reachable.stdout=="reachable"
+    - not run_in_installer|default(false)|bool
     - |
       ( not cert_client_active.stat.exists ) or
       (cert_serial.stdout | replace('serial=','') | int(base=16) ) in ( radius_crl.revoked_certificates | map(attribute='serial_number') | list ) or

roles/lmn_wlan/tasks/eap-tls_issue-certificate.yaml

@@ -105,6 +105,7 @@
   ansible.builtin.systemd:
     name: iwd.service
     enabled: false
+  failed_when: false
 
 - name: Remove deprecated NetworkManager config
   ansible.builtin.blockinfile:

roles/lmn_wlan/tasks/main.yaml

@@ -3,7 +3,6 @@
 - name: Install packages related to wifi
   ansible.builtin.apt:
     name:
-      - systemd-resolved
       - firmware-realtek # for our wifi sticks
 
 - name: Provide service to enable WiFi on boot