Fix conditionals for ansible version in trixie

The error messages were corrupting the contents of the .vminfo.json file.
Error messages are now sent to stderr.

lmn-client.yml

@@ -49,7 +49,6 @@
     - lmn_network
     - role: up2date_debian
       tags: upgrade
-    - lmn_encrypt
     - lmn_sssd
     - lmn_mount
     - lmn_kde
@@ -64,7 +63,7 @@
     - role: lmn_localhome
       when: localhome
     - role: lmn_localuser
-      when: localuser|bool
+      when: localuser
     - role: lmn_exam
       when: exam_mode
     - role: lmn_wlan
@@ -81,17 +80,15 @@
         loop_var: rolename
       when: custom_roles is defined
 
-    - name: Import role security
+    - name: Final tasks
-      ansible.builtin.import_role:
+      ansible.builtin.include_role:
-        name: lmn_security
+        name: "{{ role }}"
-
+      loop_control:
-    - name: Import role finish
+        loop_var: role
-      ansible.builtin.import_role:
+      loop:
-        name: lmn_finish
+        - lmn_security
-
+        - lmn_finish
-    - name: Import role tmpfixes
+        - lmn_tmpfixes
-      ansible.builtin.import_role:
-        name: lmn_tmpfixes
 
 
 - name: Apply roles that must run serial

roles/custom/fvs/files/lmn-codeblocks.sh

@@ -1,15 +0,0 @@
-if [[ "$UID" -gt 10000 ]] && [[ ! -f ~/.config/codeblocks/default.conf ]] ; then
-  mkdir -p ~/.config/codeblocks
-  cat <<EOF > ~/.config/codeblocks/default.conf
-<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
-<CodeBlocksConfig version="1">
-        <editor>
-                <FONT>
-                        <str>
-                                <![CDATA[Monospace 18]]>
-                        </str>
-                </FONT>
-        </editor>
-</CodeBlocksConfig>
-EOF
-fi

roles/custom/fvs/files/lmn-patch-dolphin.sh

@@ -54,7 +54,7 @@ fi
 patch="
 --- a/$file
 +++ b/$file
-@@ -98,9 +98,33 @@
+@@ -98,9 +98,45 @@
      <isSystemItem>true</isSystemItem>
     </metadata>
    </info>
@@ -71,6 +71,18 @@ $HOMEONSERVER
 +    <isSystemItem>true</isSystemItem>
 +   </metadata>
 +  </info>
++ </bookmark>
++ <bookmark href=\"file:///lmn/media/$USER/nextcloud\">
++  <title>Nextcloud</title>
++  <info>
++   <metadata owner=\"http://freedesktop.org\">
++    <bookmark:icon name=\"folder-cloud\"/>
++   </metadata>
++   <metadata owner=\"http://www.kde.org\">
++    <ID>$IDENTITY/${NUM3}</ID>
++    <isSystemItem>true</isSystemItem>
++   </metadata>
++  </info>
 + </bookmark>
   <bookmark href=\"remote:/\">
    <title>Network</title>

roles/custom/fvs/tasks/main.yml

@@ -29,6 +29,7 @@
       - elpa-magit
       - emacs
       - filezilla
+      - freeplane
       - git
       - git-cola
       - gitg
@@ -83,7 +84,7 @@
       - unison-gtk
       - w3m
       - wireshark
-      # - zulucrypt-gui ## no longer in trixie
+      - zulucrypt-gui
     autoremove: true
     state: latest
   environment:
@@ -156,11 +157,6 @@
     dest: /etc/profile.d/
     mode: '0644'
 
-- name: Copy codeblocks config scripts
-  ansible.builtin.copy:
-    src: lmn-codeblocks.sh
-    dest: /etc/profile.d/
-    mode: '0644'
 
 - name: Copy fvs-config.js to configure plasma
   ansible.builtin.copy:
@@ -168,16 +164,6 @@
     dest: /usr/share/plasma/shells/org.kde.plasma.desktop/contents/updates/fvs-config.js
     mode: '0644'
 
-- name: Configure default KDE applications
-  ansible.builtin.blockinfile:
-    path: /etc/xdg/mimeapps.list
-    create: true
-    mode: '0644'
-    block: |
-      [Default Applications]
-      x-scheme-handler/http=firefox-esr.desktop;
-      x-scheme-handler/https=firefox-esr.desktop;
-      x-scheme-handler/mailto=thunderbird.desktop;
 
 - name: Configure some KDE aspects
   ansible.builtin.blockinfile:
@@ -186,22 +172,13 @@
     mode: '0644'
     block: |
       [KDE]
-      #SingleClick=false
+      SingleClick=false
 
       [KDE Action Restrictions][$i]
       action/start_new_session=false
-      action/switch_user=false
+      #action/switch_user=false
       #action/lock_screen=false
 
-- name: Configure NumLock ON
-  ansible.builtin.blockinfile:
-    path: /etc/xdg/kcminputrc
-    create: true
-    mode: '0644'
-    block: |
-      [Keyboard]
-      NumLock=0
-
 - name: Start with empty session by default
   ansible.builtin.copy:
     dest: /etc/xdg/ksmserverrc
@@ -245,7 +222,7 @@
   ansible.builtin.blockinfile:
     path: /usr/share/sddm/themes/debian-breeze/Main.qml
     marker: // {mark} ANSIBLE MANAGED BLOCK
-    insertbefore: '^}$'
+    insertbefore: '\s+//Footer'
     block: |
       Text {
          id: hostname

roles/lmn_encrypt/defaults/main.yml

@@ -1,3 +0,0 @@
----
-encrypt_passphrase_initial: Muster!
-encrypt_tpm2: false

roles/lmn_encrypt/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: Run update-grub
-  ansible.builtin.command: update-grub
-
-- name: Run update-dracut
-  ansible.builtin.command: dracut -f

roles/lmn_encrypt/tasks/main.yml

@@ -1,46 +0,0 @@
----
-- name: Find device with LUKS holder
-  vars:
-    partitions: "{{ item.value.partitions | dict2items | selectattr('value.holders', 'search', 'luks|crypt') }}"
-  ansible.builtin.set_fact:
-    encrypt_device: "/dev/disk/by-id/{{ partitions[0].value.links.ids[0] }}"
-  when:
-    - item.value.partitions is defined
-    - item.value.partitions | dict2items | length > 0
-    - item.value.partitions | dict2items | selectattr('value.holders', 'search', 'luks|crypt') | length > 0
-  loop: "{{ ansible_devices | dict2items }}"
-
-- name: Get luks slots
-  ansible.builtin.command:
-    cmd: "systemd-cryptenroll {{ encrypt_device }}"
-  register: encrypt_slots_result
-  changed_when: false
-  when: encrypt_device is defined
-
-- name: Change Password of Luks password slot
-  ansible.builtin.command:
-    cmd: >
-      systemd-run -P --wait
-      -p SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase_initial }}
-      -p SetCredential=cryptenroll.new-passphrase:{{ encrypt_passphrase }}
-      systemd-cryptenroll --password {{ encrypt_device }} --wipe-slot=password
-  no_log: true
-  when:
-    - encrypt_device is defined
-    - encrypt_passphrase is defined
-    - encrypt_slots_result.stdout_lines | length == 2
-    - encrypt_slots_result.stdout_lines[1].startswith('   0')
-
-- name: TPM Device Check
-  ansible.builtin.stat:
-    path: /dev/tpm0
-  register: tpm_device
-  when: encrypt_device is defined
-
-- name: Include TPM2 role
-  ansible.builtin.include_tasks:
-    file: tpm2.yml
-  when:
-    - encrypt_device is defined
-    - encrypt_tpm2
-    - tpm_device.stat.exists

roles/lmn_encrypt/tasks/tpm2.yml

@@ -1,42 +0,0 @@
----
-- name: Install tpm2-tools and dracut
-  ansible.builtin.apt:
-    name:
-      - tpm2-tools
-      - dracut
-
-- name: Enable tpm2-tss crypt module on dracut
-  ansible.builtin.copy:
-    dest: /etc/dracut.conf.d/crypt.conf
-    content: add_dracutmodules+=" tpm2-tss crypt "
-    mode: '0644'
-  notify: Run update-dracut
-
-- name: Comment out root device in crypttab
-  ansible.builtin.lineinfile:
-    dest: /etc/crypttab
-    regexp: '^([^#].*)'
-    line: '#\1'
-    backrefs: true
-
-- name: Insert luks support to GRUB_CMDLINE_LINUX
-  ansible.builtin.lineinfile:
-    dest: /etc/default/grub
-    regexp: '^(GRUB_CMDLINE_LINUX=).*'
-    line: '\1"rd.auto rd.luks=1"'
-    backrefs: true
-  notify: Run update-grub
-
-- name: Insert TPM2 to Luks slot
-  ansible.builtin.command:
-    cmd: >
-      systemd-run -P --wait
-      -p SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase | default(encrypt_passphrase_initial) }}
-      systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 {{ encrypt_device }} --wipe-slot=tpm2
-  no_log: true
-  when: "'tpm2' not in encrypt_slots_result.stdout"
-
-# - name: Update TPM2 Luks slot
-#   ansible.builtin.command:
-#     cmd: systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+8 --unlock-tpm2-device=auto {{ encrypt_device }} --wipe-slot=tpm2
-#   when: not grub_config.changed

roles/lmn_finish/handlers/main.yml

@@ -1,4 +0,0 @@
----
-- name: Reboot client
-  ansible.builtin.command:
-    cmd: "shutdown -r -t 60"

roles/lmn_finish/tasks/main.yaml

@@ -6,8 +6,6 @@
     - "{{ extra_pkgs }}"
     - "{{ extra_pkgs1 }}"
     - "{{ extra_pkgs2 }}"
-  tags:
-    - baseinstall
 
 - name: Add backports for {{ ansible_distribution_release }}
   ansible.builtin.apt_repository:
@@ -16,7 +14,7 @@
       main non-free-firmware
     state: present
     update_cache: true
-  when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
+#  when: extra_pkgs_bpo|length
 
 - name: Install extra packages from backports
   ansible.builtin.apt:
@@ -27,19 +25,6 @@
     - "{{ extra_pkgs_bpo }}"
     - "{{ extra_pkgs_bpo1 }}"
     - "{{ extra_pkgs_bpo2 }}"
-  when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
-
-
-- name: Check if former ansible-stamp exists
-  ansible.builtin.stat:
-    path: /var/local/ansible-stamps
-  register: stamp_exists
-
-- name: Trigger Reboot if no former ansible-run is found
-  ansible.builtin.debug:
-    msg: "First Ansible-Run on Client - Reboot handler started"
-  changed_when: not stamp_exists.stat.exists
-  notify: "Reboot client"
 
 - name: Timestamp successfull run and send up-to-date report
   ansible.builtin.shell:

roles/lmn_kde/defaults/main.yml

@@ -6,7 +6,6 @@ kde_desktop_pkg:
   - calligra
   - codeblocks
   - dia
-  - filius
   - flameshot
   - freecad
   - fritzing
@@ -15,9 +14,8 @@ kde_desktop_pkg:
   - inkscape
   - kde-full
   - keepassxc
-  - kicad
-  - kicad-doc-de
   - librecad
+  - mu-editor
   - openboard
   - qtcreator
   - spyder
@@ -36,5 +34,3 @@ kde_desktop_pkg:
   - xdg-desktop-portal-kde
   - xdg-desktop-portal-wlr # share screen in browser
   - xournalpp
-
-kde_desktop_pkg_bpo: [ ]

roles/lmn_kde/tasks/main.yml

@@ -8,14 +8,19 @@
     repo: deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main non-free-firmware
     state: present
     update_cache: true
-  when: kde_desktop_pkg_bpo | length > 0
 
 - name: Install extra packages from backports
   ansible.builtin.apt:
-    name: "{{ kde_desktop_pkg_bpo }}"
+    name:
+      - filius
+      - kicad
+      - kicad-doc-de
+      - libreoffice
+      - libreoffice-l10n-de
+      - libreoffice-qt5
+    state: latest # noqa package-latest
     autoremove: true
     default_release: "{{ ansible_distribution_release }}-backports"
-  when: kde_desktop_pkg_bpo | length > 0
 
 
 - name: Create akonadi config dir

roles/lmn_localhome/tasks/main.yml

@@ -9,7 +9,7 @@
   ansible.builtin.blockinfile:
     path: /usr/share/sddm/themes/debian-breeze/Main.qml
     marker: // {mark} ANSIBLE MANAGED BLOCK localhome
-    insertbefore: '^}$'
+    insertbefore: '\s+//Footer'
     block: |
       Text {
          id: localhome
@@ -33,6 +33,7 @@
     dest: /etc/profile.d/lmn-logout.sh
     mode: '0755'
     content: |
+      [[ "${UID}" -gt 10000 ]] && ! findmnt "/lmn/media/${USER}/home" > /dev/null && exit 0
       {% if localhome_logout_missing_serverhome %}
       [[ "${UID}" -gt 10000 ]] && ! findmnt /srv/samba/schools/default-school > /dev/null && exit 0
       {% endif %}

roles/lmn_misc/files/bootorder.sh

@@ -5,11 +5,11 @@
 set -eu
 
 cur="$(efibootmgr | grep -Ei 'BootOrder:' | \
-                    sed -E 's/^BootOrder: ([[:xdigit:]]{4}),.+$/\1/')"
+		     sed -E 's/^BootOrder: ([[:xdigit:]]{4}),.+$/\1/')"
-pxeip4="$(efibootmgr | grep -Ei "IP.{0,5}4" | \
+pxeip4="$(efibootmgr | grep -Ei "IP.*4" | \
-                    sed -E 's/^Boot([[:xdigit:]]{4}).+$/\1/' | paste -sd, -)"
+		     sed -E 's/^Boot([[:xdigit:]]{4}).+$/\1/')"
 debian="$(efibootmgr | grep -Ei "debian" | \
-                    sed -E 's/^Boot([[:xdigit:]]{4}).+$/\1/' | paste -sd, -)"
+		     sed -E 's/^Boot([[:xdigit:]]{4}).+$/\1/')"
 
 if [[ "$cur" != "$pxeip4" ]] && [[ -n "$pxeip4" ]] && [[ -n "$debian" ]] ; then
     efibootmgr -o $pxeip4,$debian

roles/lmn_misc/tasks/main.yml

@@ -167,8 +167,6 @@
     src: reporter.j2
     dest: /usr/local/sbin/reporter
     mode: '0755'
-  tags:
-    - baseinstall
 
 - name: Provide services and timers for reporter
   ansible.builtin.copy:
@@ -179,16 +177,12 @@
     - reporter.service
     - reporter.timer
   when: misc_reporter
-  tags:
-    - baseinstall
 
 - name: Enable reporter.timer
   ansible.builtin.systemd:
     name: reporter.timer
     enabled: true
   when: misc_reporter
-  tags:
-    - baseinstall
 
 # Prepare CloneScreen on Presenter PCs
 

roles/lmn_security/tasks/main.yml

@@ -5,8 +5,6 @@
     key: "{{ item }}"
   loop: "{{ keys2deploy }}"
   when: keys2deploy is defined
-  tags:
-    - baseinstall
 
 - name: Allow sudo without password for ansible
   ansible.builtin.lineinfile:
@@ -16,16 +14,12 @@
     owner: root
     group: root
     mode: '0700'
-  tags:
-    - baseinstall
 
 - name: Disable ansible user login
   ansible.builtin.user:
     name: ansible
     password_lock: true
   when: security_defaultuser_login_disable
-  tags:
-    - baseinstall
 
 - name: Limit SSH access to user ansible
   ansible.builtin.blockinfile:

roles/lmn_sssd/defaults/main.yml

@@ -1,2 +0,0 @@
----
-sssd_domjoin_user: global-admin

roles/lmn_sssd/tasks/main.yml

@@ -13,23 +13,12 @@
     mode: '0600'
   notify: Restart sssd
 
-- name: Check if the machine account password and the join are still valid
+  ## Either one of the variables is defined:
-  ansible.builtin.shell:
-    cmd: adcli testjoin -D {{ domain | upper }}
-  register: adcli_test_result
-  failed_when: false
-  changed_when: false
-
-  # If domjoin not valid:
 - name: Join the domain
   ansible.builtin.shell:
     cmd: >
-      echo "{{ ad_passwd }}" | adcli join --stdin-password -U {{ ad_user }} {{ domain | upper }}
+      echo "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}" |
-  no_log: true
+      adcli join --stdin-password -U global-admin {{ domain | upper }}
-  vars:
+  when: >
-    ad_user: "{{ 'global-admin' if (adpw.user_input | default(ansible_cmdline.adpw) | default('') | length > 0) else sssd_domjoin_user }}"
+    ansible_cmdline.adpw | default('') | length > 0 or
-    ad_passwd: "{{ adpw.user_input | default('') if  adpw.user_input | default ('') | length > 0 else ansible_cmdline.adpw | default(sssd_domjoin_passwd) | default('') }}"
+    adpw.user_input | default('') | length > 0
-  when:
-    - adpw.user_input | default('') | length > 0 or
-      ansible_cmdline.adpw | default(sssd_domjoin_passwd) | default('') | length > 0
-    - adcli_test_result.rc != 0

roles/lmn_tmpfixes/tasks/main.yml

@@ -16,11 +16,3 @@
       export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --use-gl=desktop"
   when: ansible_board_vendor == "LENOVO" and
     (ansible_board_name == "312D" or ansible_board_name == "312A")
-
-- name: Fix 8086:4909 external graphics card
-  ansible.builtin.replace:
-    dest: "/etc/default/grub"
-    regexp: 'GRUB_CMDLINE_LINUX=""$'
-    replace: 'GRUB_CMDLINE_LINUX="i915.force_probe=4909"'
-  notify: Run update-grub
-  when: ansible_board_vendor == "LENOVO" and ansible_board_name == "32CB"

roles/lmn_vm/tasks/main.yml

@@ -18,7 +18,6 @@
       - mktorrent
       - libvirt-daemon-system
       - virt-manager
-      - virt-viewer
       - dialog # for vm-netboot menu
       - python3-impacket
 
@@ -29,6 +28,32 @@
     #     insertafter: '#auth_unix_rw = "polkit"'
     #   notify: reload libvirtd
 
+- name: Configure pam_mount for VM bind mounts
+  ansible.builtin.blockinfile:
+    dest: /etc/security/pam_mount.conf.xml
+    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mounts for VMs) -->"
+    block: |
+      <!-- bind mounts for the VMs, setting gid here does not work -->
+      <volume
+        path="~"
+        mountpoint="/lmn/media/%(USER)/home"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
+      </volume>
+      <volume
+        path="/srv/samba/schools/default-school/share"
+        mountpoint="/lmn/media/%(USER)/share"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
+      </volume>
+      <volume
+        path="/srv/samba/schools/default-school"
+        mountpoint="/lmn/media/%(USER)/school"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
+      </volume>
+    insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"
+
 - name: Use umount script for proper cleanup
   ansible.builtin.blockinfile:
     dest: /etc/security/pam_mount.conf.xml

roles/lmn_vpn/files/10-lmn-mount.sh

@@ -29,16 +29,19 @@ if [[ "$CONNECTION_ID" = "VPN-Schule" ]]; then
     umask 0002
     mkdir -p /srv/samba/schools/default-school
     chmod 777  /srv/samba/schools/default-school
+    mkdir -p "/lmn/media/${USERNAME}/share"
 
     mount -t cifs //server/default-school/ /srv/samba/schools/default-school \
           -o "sec=krb5i,cruid=${USERID},user=${USERNAME},uid=${USERID},gid=${GROUPID},file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600,cache=loose,echo_interval=10"
 	  echo "after mount" >&2
+    mount --bind /srv/samba/schools/default-school/share "/lmn/media/${USERNAME}/share"
     SUDO_USER=$USERNAME /usr/local/bin/install-printers.sh
   elif [[ "$NM_DISPATCHER_ACTION" = "pre-down" ]]; then
     # FIXME: Only umount server when Wireguard-Connection was the only connection to server.
     # Dirty fix (works only in fvs-IP-Range)
     if ! (ip r s | grep "10.190." | grep -v wg0); then
-      echo "Try to umount server"
+      echo "Try to umount server shares"
+      umount "/lmn/media/${USERNAME}/share"
       umount /srv/samba/schools/default-school
     fi
   fi

roles/lmn_vpn/files/mountserver

@@ -3,6 +3,7 @@ set -eu
 
 exit_script() {
     echo "unmounting media - terminated by trap!" >> "/tmp/${SUDO_UID}-exit-mount.log"
+    findmnt "/lmn/media/${SUDO_USER}/share" && umount "/lmn/media/${SUDO_USER}/share"
     findmnt "/srv/samba/schools/default-school" && umount "/srv/samba/schools/default-school"
     trap - SIGHUP SIGINT SIGTERM # clear the trap
     kill -- -$$ # Sends SIGTERM to child/sub processes
@@ -13,9 +14,11 @@ findmnt /srv/samba/schools/default-school > /dev/null && exit 0
 umask 0002
 mkdir -p /srv/samba/schools/default-school
 chmod 777  /srv/samba/schools/default-school
+mkdir -p "/lmn/media/${SUDO_USER}/share"
 
 mount -t cifs //server/default-school/ /srv/samba/schools/default-school \
       -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=${SUDO_GID},file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600,cache=loose,echo_interval=10"
+mount --bind /srv/samba/schools/default-school/share "/lmn/media/${SUDO_USER}/share"
 
 echo "Einbindung erfolgreich!"
 echo "Dieses Fenster bitte nicht schließen!"