Fix Ansible boolean syntax for compatibility with new version

The error messages were corrupting the contents of the .vminfo.json file.
Error messages are now sent to stderr.

bookworm-to-trixie.yml

@@ -1,84 +0,0 @@
----
-- name: Upgrade Client from Bookworm to Trixie
-  hosts: all
-  remote_user: ansible
-  become: true
-
-  tasks:
-    - name: Update system to latest Bookworm
-      ansible.builtin.apt:
-        upgrade: full
-        update_cache: false
-        dpkg_options: "force-confdef,force-confold"
-      environment:
-        DEBIAN_FRONTEND: noninteractive
-
-    - name: Run apt autoremove
-      ansible.builtin.apt:
-        autoremove: true
-
-    - name: Remove backports for {{ ansible_distribution_release }}
-      ansible.builtin.apt_repository:
-        repo: "deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main non-free-firmware"
-        state: absent
-        update_cache: false
-
-    - name: Change Debian Release from Bookworm to Trixie in /etc/apt/sources.list
-      ansible.builtin.replace:
-        path: "/etc/apt/sources.list"
-        regexp: "bookworm"
-        replace: "trixie"
-
-    - name: Run full package upgrade to Trixie
-      ansible.builtin.apt:
-        update_cache: true
-        upgrade: full
-        dpkg_options: "force-confdef,force-confold"
-      environment:
-        DEBIAN_FRONTEND: noninteractive
-
-    - name: Reboot client
-      ansible.builtin.reboot:
-        msg: "Client Reboot after Upgrade to Trixie"
-        reboot_timeout: 600
-
-    - name: Wait until the client is reachable after reboot
-      ansible.builtin.wait_for_connection:
-        timeout: 600
-
-    - name: Find all user home directories
-      ansible.builtin.find:
-        paths: /home
-        file_type: directory
-      register: user_homes
-
-    - name: Remove Nextcloud from Dolphin bookmarks
-      ansible.builtin.command: >
-        sed -i '/<bookmark href="file:\/\/\/lmn\/media\/.*\/nextcloud">/,/<\/bookmark>/d' {{ item }}/.local/share/user-places.xbel
-      loop: "{{ user_homes.files | map(attribute='path') | list }}"
-      when: item is match('^/home/.+')
-      ignore_errors: true
-
-    - name: Remove PAM Bind-Mounts block
-      ansible.builtin.blockinfile:
-        path: /etc/security/pam_mount.conf.xml
-        state: absent
-        marker: "<!-- {mark} ANSIBLE MANAGED BLOCK $bind mounts for VMs$ -->"
-
-    - name: Remove PAM Nextcloud-Mounts block
-      ansible.builtin.blockinfile:
-        path: /etc/security/pam_mount.conf.xml
-        state: absent
-        marker: "<!-- {mark} ANSIBLE MANAGED BLOCK $mount Nextcloud$ -->"
-
-    - name: Install qemu spice support
-      ansible.builtin.apt:
-        name: qemu-system-modules-spice
-
-    - name: Disable systemd-networkd.service
-      ansible.builtin.systemd:
-        name: systemd-networkd.service
-        enabled: false
-
-
-- import_playbook: lmn-client.yml

doc/exam_mode.md

@@ -2,15 +2,12 @@
 
 ## Description / use cases
 
-**Activating Exam Mode: Functionalities**
-
-When a user logs in with the `-exam` designation, the following functionalities will be activated:
-
-* The `firewalld.service` will start, blocking all incoming traffic. Additionally, it will restrict outgoing traffic to the addresses specified in `exam_destination_allowed_ipv4`, if this variable is set. Communication is permitted with devices listed in `exam_teacherpc_ips`, including the teacher PCs. By default, the IP of the teacher PC is determined by the client's IP, with the last digit in the last octet specified by `exam_teacherpc_last_digit`.
-
-* The home and media directories of `-exam` users will be renamed the following day and removed after a certain period. This is crucial because the `-exam` user will be created anew (with a new user ID) upon the initialization of Exam Mode. Without renaming/deleting the home and media directories, the new `-exam` user would be unable to log in on the same PC, especially on machines with local home configurations.
-
-
+Activating exam_mode provides following functionalities:
+* when -exam user logs in, firewalld.service will start and prevent communication between devices in the same local network
+* home- and media-directory of -exam users will be renamed (on the next day) and removed (after some days).  
+  This is important due the fact, that -exam user will be new created (with new user-id) on exam-mode initialisation.  
+  Without renaming/deleting the home- and media-directory, the -exam user couldn't log in twice on the same pc.  
+  Particularly important on machines with localhome
 
 ## Requirements
 
@@ -18,18 +15,10 @@ none
 
 ## Example
 
-Per default, all hosts will get `exam_mode`. But we don't want `exam_mode` on teacher devices. In `exam_mode` the Networks `10.0.0.0/24`, `10.0.1.0/24`, `192.168.122.0/24/24` will be reachable.
+Per default, all hosts will get exam_mode. But we don't want exam_mode on teacher devices
 
 inventory.yml
-
-```yml
-all:
-  vars:
-    exam_destination_allowed_ipv4:
-      - 10.0.0.0/24
-      - 10.0.1.0/24
-      - 192.168.122.0/24
-
+```
 teacherdevices:
   hosts:
     10.0.14.[1..75]

lmn-client.yml

@@ -49,7 +49,6 @@
     - lmn_network
     - role: up2date_debian
       tags: upgrade
-    - lmn_encrypt
     - lmn_sssd
     - lmn_mount
     - lmn_kde
@@ -81,17 +80,15 @@
         loop_var: rolename
       when: custom_roles is defined
 
-    - name: Import role security
-      ansible.builtin.import_role:
-        name: lmn_security
-
-    - name: Import role finish
-      ansible.builtin.import_role:
-        name: lmn_finish
-
-    - name: Import role tmpfixes
-      ansible.builtin.import_role:
-        name: lmn_tmpfixes
+    - name: Final tasks
+      ansible.builtin.include_role:
+        name: "{{ role }}"
+      loop_control:
+        loop_var: role
+      loop:
+        - lmn_security
+        - lmn_finish
+        - lmn_tmpfixes
 
 
 - name: Apply roles that must run serial

lmn-vault

@@ -0,0 +1,107 @@
+$ANSIBLE_VAULT;1.1;AES256
+30323066396237616634646638353133663731623734383863373431363930356262636162323264
+3737353636623963643737353762663064663935306631320a353231326664353433633339363733
+33333038346638316335333534636163333564633137663063646334333832633935323763336633
+3662303830303363380a663633643139343630373838383337346631366539636333346666383434
+37336232376466613665313934616537313064653566353763613161613866393139656165363835
+61336131343162313566363562303464623938313036396463376463636334356561666136666161
+36333131663432336238303831626137323635323636633966336639616265656637363432393436
+65636338646234363863373666366131333333356166313933376331666633653132396161616661
+32663932666531393066623935663462353534373666313465663034343438303331303632633863
+33623534653031393431646238356135326130643362363238366666306161353237376461356338
+33393738323338643764356363646530653938313633393730323036323030623236643133396366
+31313837336438393035373936656662633330643933323039356539386133653764326639343938
+38323863643338613564633964646432306664353163666231616135353235616233623632623564
+32616636376539303132376130343966666261646434626366393262643131356230353937663530
+66396235333839633461323139663431343634633634663865373564613133633465353861326430
+65356163653162363237303839353930636163663136393831613964306334663863323034336333
+37396265666538316630333937366234366636316233393430353334633433663461626263346666
+61646532613562333663653162356533356465313764363032666166366365636465653037343734
+39613730396262343039373433346237316131343832656539346365383133623964383764393832
+33333138386264376161653261656563613738643563663238656562333066626137656164393036
+62643938656138356134303666353332643263643238326137386264356632616138613436373331
+64653730663332393964323831336332396233333031633832643564313238643334303132393536
+31356633656536306237346366633461353661386530303663376133666562346565356438323036
+35643266646136373132653537646138356238306130613034656539396230356633386330333933
+34393435376266666361383164666266663563396466393239653362663232366164376137376166
+33663634313236366563656537366535363264623861646564336466363665343433383532666562
+66326332636536363836383135343361663636393138623362643636623533363931396563353261
+66383565616432616361353338303038663730343566653438336661656431303837393464643466
+65386436396132323261313361343164393163303830653736626637383531613432343435396630
+66373831396264646464353565363633333666333361386639353165643566376430653264316432
+37353163323337643461636331646561313465383032383761373665336666303535333363613862
+66386132636133623263366436326131666632623238356530396361323962316463666261353137
+34366266303739613462386235616337383334633234336261613231366131316535373866306133
+61356438356235303335363638663861383332383931343032326238383536623437313039383639
+31663632613135383037313032623064623633376663656634323534373463343932323964313464
+62656134623836333835633061626331623461653565336438636431306434323638666336623862
+63343835623661633534646437616134623962323139363265306462656633653463616366613232
+38613830336639316139643732373938396435363966663330366335303232666563303633633463
+33366663623062393262323530633163363363343930343265363430303130303436376664646431
+65303263626263653865343161363064386163323636663264353539393031383639303835636461
+32666462373063346431353732346330636432643534633538316638316661393866303039346333
+32623637336434333836303936613066313562373834653338613139326337366664666231393863
+62653333353736383431383534313164346639663037643366333931633539343137356464643236
+39396561306565666262303337316532623564653632353533316235643732656336613730643361
+36303761346165353561616364326430343763323966643238616630643639323639663932306139
+63333733643536376132383236343937313639623763663161323835353333313838346136386533
+31383065373030623231626533343333646339643231373936663336303834666639623431366336
+37653361313161393433363039633139373338346230366465343261326535303331616437396264
+62356533636436663532663233353938623265663139376636653532303561356130336630393432
+62646331326163366336373164333839626666636335303836363766346264363931626161643039
+62613139306634323162613131393739373133343034373633353532616637373666613131326337
+37613437323132396132333030386132613538313339656234366435383561656331326238306563
+61616133336365656662333064326233313630646633386138333533386435356262323737316335
+64313862366533373235633161363139376638336331373163653762396666373536333663313963
+34396134613633333631653930373965393532313038616331386332376432613032653537356334
+38636362623539336134613832313065653539646366343430356431653361333662323334653663
+61326561313433363561633631653039386662383766326136363266353536393063643532363038
+35613866313634313434636463663138636165356432336234613032336635636263336439313061
+30666639316665353733653338376162643338316533613632303433646239663138376536636330
+32386234626430393833666263623135386561633230326664313137343463336631363763643931
+39616139396261393366313736636265303466333533336430663439303239373963666333613537
+35363138653831653435626132383135633631386462633038363966313838663236396532366163
+62616165376635613164326439623563653037616638383032326339346230663935376635383263
+62306532323764633631366535383233316335316439393539313565306465353365343636333462
+62616231393035646235643734373764326334643366613135346433653639303864323464343034
+31303161353963663839373565396466353033333165316134633936653161346436326362643534
+32366665633338323130633737613934343031323766663164633134373464656132303735316337
+66663361333136333839653062373133343761386439323463643336303137383932386665326136
+64356531353933383235633039326266666232303764326338366462653834623736336362653233
+35353963356231613539656630623334663763313837383261663163343266613463613366666430
+66396534663531633261336162366436333534633461636136643230336466636265663531356336
+62336565646234303765323866316562396561316464393636356262313663316437393634656238
+63613530303164653264373863336238646666323938303631366162636265643161616433343232
+35343638396437376337306262643161626234636338643264396362653836653337633632303166
+65663133396462316466663038346565623132356631343865613462323035666537343134363436
+32373539303763373134336534643930636234643338376536376666346561393731316666343364
+36653561303563646233653865353736356537343938383930336130623964623866313539636335
+32666536396538313032613939666632333839303062386366353639613862653134323162643533
+62663131303233323666353336363461646231376163343563396463356634653532633266306433
+34363930656562366563643937633862646565393930303537626338623631313436613564616530
+39353663623939313235306231373537393535326238623038633232366131303730333838663838
+65366437333665333364336535303434383934663532303035313639646635653833666566383163
+32666334373237326266366337353636636465613963366538326362363132653466333634333534
+63366537653866346133353635356332656164336632333465316363376238653563316661386132
+64343063306663376430363163323161336166313762613066663061346236343731343836643731
+32306365656534353733356561373561386334373661303530326332333061636536363364386233
+63313035653166313164333537313662636136613565323433333738376237626263373538336266
+35646633663165396366613162616338616532383437383630663061666338616131356534656636
+36353036326533316339313833356466386163343065653037363038303239643361306335353262
+66393361363936373630326533306164366237353161346335303136633561363265643135363165
+63333833656637636635363931393965663933396265643239363939363337396666633366373233
+37656630376262643836643063383762623331653761353030333736366462663964363032626536
+63363136343464373230353330313830653730333438393238393232353932316337616636356138
+61326638613433666131643830323565623466643333373432323330626265326363356161326538
+61336537666137333166333439343535313135323438376633326535343964626136386138633038
+62363432613861356134376237393436356361373839316637376234303566313164666534663837
+37613763653636363231396163616236626662323761353065383535623266616561323733326437
+65666662386163643232613664346432386233643534626335353336346561303032653163346234
+61333164613832386631316430643537303161613161613631363534366166303834363230643839
+34363233656165623236323634313566373166373565353837303162313262333035663738326637
+34313435643630393738613462373034303264653964393563393739386537653836363833383534
+37383937316166333533633161643463353961393737353561343933613830623061346235353263
+64633839396466393361383462636635653464343239303736656561303033386465323036323964
+32356536356437643436396162643334653631636339363161373437666538396430343162366139
+39343564366338363965633139633338376436353230356134633163316362393032653561613763
+6465303166646337336264633666363638643436333466306565

roles/custom/fvs/files/lmn-codeblocks.sh

@@ -1,15 +0,0 @@
-if [[ "$UID" -gt 10000 ]] && [[ ! -f ~/.config/codeblocks/default.conf ]] ; then
-  mkdir -p ~/.config/codeblocks
-  cat <<EOF > ~/.config/codeblocks/default.conf
-<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
-<CodeBlocksConfig version="1">
-        <editor>
-                <FONT>
-                        <str>
-                                <![CDATA[Monospace 18]]>
-                        </str>
-                </FONT>
-        </editor>
-</CodeBlocksConfig>
-EOF
-fi

roles/custom/fvs/files/lmn-patch-dolphin.sh

@@ -54,7 +54,7 @@ fi
 patch="
 --- a/$file
 +++ b/$file
-@@ -98,9 +98,33 @@
+@@ -98,9 +98,45 @@
      <isSystemItem>true</isSystemItem>
     </metadata>
    </info>
@@ -71,6 +71,18 @@ $HOMEONSERVER
 +    <isSystemItem>true</isSystemItem>
 +   </metadata>
 +  </info>
++ </bookmark>
++ <bookmark href=\"file:///lmn/media/$USER/nextcloud\">
++  <title>Nextcloud</title>
++  <info>
++   <metadata owner=\"http://freedesktop.org\">
++    <bookmark:icon name=\"folder-cloud\"/>
++   </metadata>
++   <metadata owner=\"http://www.kde.org\">
++    <ID>$IDENTITY/${NUM3}</ID>
++    <isSystemItem>true</isSystemItem>
++   </metadata>
++  </info>
 + </bookmark>
   <bookmark href=\"remote:/\">
    <title>Network</title>

roles/custom/fvs/tasks/main.yml

@@ -29,6 +29,7 @@
       - elpa-magit
       - emacs
       - filezilla
+      - freeplane
       - git
       - git-cola
       - gitg
@@ -66,9 +67,7 @@
       - pipx
       - planner
       - pulseview
-      - python3-legacy-cgi
       - python3-paho-mqtt
-      - python3-pgzero
       - python3-websockets
       - qpdfview
       - shellcheck
@@ -85,7 +84,7 @@
       - unison-gtk
       - w3m
       - wireshark
-      # - zulucrypt-gui ## no longer in trixie
+      - zulucrypt-gui
     autoremove: true
     state: latest
   environment:
@@ -158,11 +157,6 @@
     dest: /etc/profile.d/
     mode: '0644'
 
-- name: Copy codeblocks config scripts
-  ansible.builtin.copy:
-    src: lmn-codeblocks.sh
-    dest: /etc/profile.d/
-    mode: '0644'
 
 - name: Copy fvs-config.js to configure plasma
   ansible.builtin.copy:
@@ -170,16 +164,6 @@
     dest: /usr/share/plasma/shells/org.kde.plasma.desktop/contents/updates/fvs-config.js
     mode: '0644'
 
-- name: Configure default KDE applications
-  ansible.builtin.blockinfile:
-    path: /etc/xdg/mimeapps.list
-    create: true
-    mode: '0644'
-    block: |
-      [Default Applications]
-      x-scheme-handler/http=firefox-esr.desktop;
-      x-scheme-handler/https=firefox-esr.desktop;
-      x-scheme-handler/mailto=thunderbird.desktop;
 
 - name: Configure some KDE aspects
   ansible.builtin.blockinfile:
@@ -188,22 +172,13 @@
     mode: '0644'
     block: |
       [KDE]
-      #SingleClick=false
+      SingleClick=false
 
       [KDE Action Restrictions][$i]
       action/start_new_session=false
-      action/switch_user=false
+      #action/switch_user=false
       #action/lock_screen=false
 
-- name: Configure NumLock ON
-  ansible.builtin.blockinfile:
-    path: /etc/xdg/kcminputrc
-    create: true
-    mode: '0644'
-    block: |
-      [Keyboard]
-      NumLock=0
-
 - name: Start with empty session by default
   ansible.builtin.copy:
     dest: /etc/xdg/ksmserverrc
@@ -247,7 +222,7 @@
   ansible.builtin.blockinfile:
     path: /usr/share/sddm/themes/debian-breeze/Main.qml
     marker: // {mark} ANSIBLE MANAGED BLOCK
-    insertbefore: '^}$'
+    insertbefore: '\s+//Footer'
     block: |
       Text {
          id: hostname

roles/lmn_encrypt/defaults/main.yml

@@ -1,3 +0,0 @@
----
-encrypt_passphrase_initial: Muster!
-encrypt_tpm2: false

roles/lmn_encrypt/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: Run update-grub
-  ansible.builtin.command: update-grub
-
-- name: Run update-dracut
-  ansible.builtin.command: dracut -f

roles/lmn_encrypt/tasks/main.yml

@@ -1,46 +0,0 @@
----
-- name: Find device with LUKS holder
-  vars:
-    partitions: "{{ item.value.partitions | dict2items | selectattr('value.holders', 'search', 'luks|crypt') }}"
-  ansible.builtin.set_fact:
-    encrypt_device: "/dev/disk/by-id/{{ partitions[0].value.links.ids[0] }}"
-  when:
-    - item.value.partitions is defined
-    - item.value.partitions | dict2items | length > 0
-    - item.value.partitions | dict2items | selectattr('value.holders', 'search', 'luks|crypt') | length > 0
-  loop: "{{ ansible_devices | dict2items }}"
-
-- name: Get luks slots
-  ansible.builtin.command:
-    cmd: "systemd-cryptenroll {{ encrypt_device }}"
-  register: encrypt_slots_result
-  changed_when: false
-  when: encrypt_device is defined
-
-- name: Change Password of Luks password slot
-  ansible.builtin.command:
-    cmd: >
-      systemd-run -P --wait
-      -p SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase_initial }}
-      -p SetCredential=cryptenroll.new-passphrase:{{ encrypt_passphrase }}
-      systemd-cryptenroll --password {{ encrypt_device }} --wipe-slot=password
-  no_log: true
-  when:
-    - encrypt_device is defined
-    - encrypt_passphrase is defined
-    - encrypt_slots_result.stdout_lines | length == 2
-    - encrypt_slots_result.stdout_lines[1].startswith('   0')
-
-- name: TPM Device Check
-  ansible.builtin.stat:
-    path: /dev/tpm0
-  register: tpm_device
-  when: encrypt_device is defined
-
-- name: Include TPM2 role
-  ansible.builtin.include_tasks:
-    file: tpm2.yml
-  when:
-    - encrypt_device is defined
-    - encrypt_tpm2
-    - tpm_device.stat.exists

roles/lmn_encrypt/tasks/tpm2.yml

@@ -1,42 +0,0 @@
----
-- name: Install tpm2-tools and dracut
-  ansible.builtin.apt:
-    name:
-      - tpm2-tools
-      - dracut
-
-- name: Enable tpm2-tss crypt module on dracut
-  ansible.builtin.copy:
-    dest: /etc/dracut.conf.d/crypt.conf
-    content: add_dracutmodules+=" tpm2-tss crypt "
-    mode: '0644'
-  notify: Run update-dracut
-
-- name: Comment out root device in crypttab
-  ansible.builtin.lineinfile:
-    dest: /etc/crypttab
-    regexp: '^([^#].*)'
-    line: '#\1'
-    backrefs: true
-
-- name: Insert luks support to GRUB_CMDLINE_LINUX
-  ansible.builtin.lineinfile:
-    dest: /etc/default/grub
-    regexp: '^(GRUB_CMDLINE_LINUX=).*'
-    line: '\1"rd.auto rd.luks=1"'
-    backrefs: true
-  notify: Run update-grub
-
-- name: Insert TPM2 to Luks slot
-  ansible.builtin.command:
-    cmd: >
-      systemd-run -P --wait
-      -p SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase | default(encrypt_passphrase_initial) }}
-      systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="" {{ encrypt_device }} --wipe-slot=tpm2
-  no_log: true
-  when: "'tpm2' not in encrypt_slots_result.stdout"
-
-# - name: Update TPM2 Luks slot
-#   ansible.builtin.command:
-#     cmd: systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+8 --unlock-tpm2-device=auto {{ encrypt_device }} --wipe-slot=tpm2
-#   when: not grub_config.changed

roles/lmn_finish/handlers/main.yml

@@ -1,4 +0,0 @@
----
-- name: Reboot client
-  ansible.builtin.command:
-    cmd: "shutdown -r -t 60"

roles/lmn_finish/tasks/main.yaml

@@ -6,8 +6,6 @@
     - "{{ extra_pkgs }}"
     - "{{ extra_pkgs1 }}"
     - "{{ extra_pkgs2 }}"
-  tags:
-    - baseinstall
 
 - name: Add backports for {{ ansible_distribution_release }}
   ansible.builtin.apt_repository:
@@ -16,7 +14,7 @@
       main non-free-firmware
     state: present
     update_cache: true
-  when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
+#  when: extra_pkgs_bpo|length
 
 - name: Install extra packages from backports
   ansible.builtin.apt:
@@ -27,19 +25,6 @@
     - "{{ extra_pkgs_bpo }}"
     - "{{ extra_pkgs_bpo1 }}"
     - "{{ extra_pkgs_bpo2 }}"
-  when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
-
-
-- name: Check if former ansible-stamp exists
-  ansible.builtin.stat:
-    path: /var/local/ansible-stamps
-  register: stamp_exists
-
-- name: Trigger Reboot if no former ansible-run is found
-  ansible.builtin.debug:
-    msg: "First Ansible-Run on Client - Reboot handler started"
-  changed_when: not stamp_exists.stat.exists
-  notify: "Reboot client"
 
 - name: Timestamp successfull run and send up-to-date report
   ansible.builtin.shell:

roles/lmn_kde/defaults/main.yml

@@ -3,10 +3,9 @@ kde_desktop_pkg:
   - akonadi-backend-sqlite
   - arduino
   - bluefish
-  # - calligra
+  - calligra
   - codeblocks
   - dia
-  - filius
   - flameshot
   - freecad
   - fritzing
@@ -15,9 +14,8 @@ kde_desktop_pkg:
   - inkscape
   - kde-full
   - keepassxc
-  - kicad
-  - kicad-doc-de
   - librecad
+  - mu-editor
   - openboard
   - qtcreator
   - spyder
@@ -36,5 +34,3 @@ kde_desktop_pkg:
   - xdg-desktop-portal-kde
   - xdg-desktop-portal-wlr # share screen in browser
   - xournalpp
-
-kde_desktop_pkg_bpo: [ ]

roles/lmn_kde/tasks/main.yml

@@ -8,14 +8,19 @@
     repo: deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main non-free-firmware
     state: present
     update_cache: true
-  when: kde_desktop_pkg_bpo | length > 0
 
 - name: Install extra packages from backports
   ansible.builtin.apt:
-    name: "{{ kde_desktop_pkg_bpo }}"
+    name:
+      - filius
+      - kicad
+      - kicad-doc-de
+      - libreoffice
+      - libreoffice-l10n-de
+      - libreoffice-qt5
+    state: latest # noqa package-latest
     autoremove: true
     default_release: "{{ ansible_distribution_release }}-backports"
-  when: kde_desktop_pkg_bpo | length > 0
 
 
 - name: Create akonadi config dir

roles/lmn_localhome/tasks/main.yml

@@ -9,7 +9,7 @@
   ansible.builtin.blockinfile:
     path: /usr/share/sddm/themes/debian-breeze/Main.qml
     marker: // {mark} ANSIBLE MANAGED BLOCK localhome
-    insertbefore: '^}$'
+    insertbefore: '\s+//Footer'
     block: |
       Text {
          id: localhome
@@ -33,7 +33,7 @@
     dest: /etc/profile.d/lmn-logout.sh
     mode: '0755'
     content: |
-      # logout script (may be empty)
+      [[ "${UID}" -gt 10000 ]] && ! findmnt "/lmn/media/${USER}/home" > /dev/null && exit 0
       {% if localhome_logout_missing_serverhome %}
       [[ "${UID}" -gt 10000 ]] && ! findmnt /srv/samba/schools/default-school > /dev/null && exit 0
       {% endif %}

roles/lmn_misc/files/bootorder.sh

@@ -5,11 +5,11 @@
 set -eu
 
 cur="$(efibootmgr | grep -Ei 'BootOrder:' | \
-                    sed -E 's/^BootOrder: ([[:xdigit:]]{4}),.+$/\1/')"
-pxeip4="$(efibootmgr | grep -Ei "IP.{0,5}4" | \
-                    sed -E 's/^Boot([[:xdigit:]]{4}).+$/\1/' | paste -sd, -)"
+		     sed -E 's/^BootOrder: ([[:xdigit:]]{4}),.+$/\1/')"
+pxeip4="$(efibootmgr | grep -Ei "IP.*4" | \
+		     sed -E 's/^Boot([[:xdigit:]]{4}).+$/\1/')"
 debian="$(efibootmgr | grep -Ei "debian" | \
-                    sed -E 's/^Boot([[:xdigit:]]{4}).+$/\1/' | paste -sd, -)"
+		     sed -E 's/^Boot([[:xdigit:]]{4}).+$/\1/')"
 
 if [[ "$cur" != "$pxeip4" ]] && [[ -n "$pxeip4" ]] && [[ -n "$debian" ]] ; then
     efibootmgr -o $pxeip4,$debian

roles/lmn_misc/files/reporter

@@ -0,0 +1,33 @@
+#!/usr/bin/bash
+#
+# Send stdout of some commands to monitoring server.
+# Collect the reports with 'nc -u -k -l 1234' on 'sendto'.
+# Use /bin/nc.openbsd, /bin/nc.traditional seems not to work.
+#
+set -eu
+
+sendto="collector.steinbeis.schule 1234"
+n=0
+
+cmds=(
+    'uname -a'
+    'tail -1 /var/local/ansible-stamps'
+    'ip route list default'
+    'ip link show | \
+       sed -nE -e "s/^[2-9]: (\S+): .+/\1/p" -e "s/.+ether ([0-9a-f:]+) .+/\1/p" | \
+       paste - -'
+)
+#    'w'
+#    'uptime'
+#    'ls -d --full-time /home/ansible/.ansible/tmp/'
+#    'ip addr show'
+#    'apt list --upgradeable -o Apt::Cmd::Disable-Script-Warning=true'
+
+r="$HOSTNAME ------- $(date --rfc-3339=seconds) -------
+$(for c in "${cmds[@]}" ; do
+      n=$(( n + 1 ))
+      echo -n "$n"
+      eval "$c" | sed 's/^/\t/'
+done | sed "s/^/$HOSTNAME /")
+## -------------------------------------------------"
+echo "$r" | nc -w 1 -u $sendto

roles/lmn_misc/tasks/main.yml

@@ -98,7 +98,7 @@
       export superusers
       password_pbkdf2 root {{ grub_pwd }}
   notify: Run update-grub
-  when: grub_pwd is defined and grub_pwd is truthy
+  when: grub_pwd | bool | default(false)
 
 - name: Allow booting grub menu entries
   ansible.builtin.lineinfile:
@@ -167,8 +167,6 @@
     src: reporter.j2
     dest: /usr/local/sbin/reporter
     mode: '0755'
-  tags:
-    - baseinstall
 
 - name: Provide services and timers for reporter
   ansible.builtin.copy:
@@ -179,46 +177,12 @@
     - reporter.service
     - reporter.timer
   when: misc_reporter
-  tags:
-    - baseinstall
 
 - name: Enable reporter.timer
   ansible.builtin.systemd:
     name: reporter.timer
     enabled: true
   when: misc_reporter
-  tags:
-    - baseinstall
-
-# Updater
-
-- name: Provide services and timers for updater
-  ansible.builtin.template:
-    src: "{{ item }}.j2"
-    dest: "/etc/systemd/system/{{ item }}"
-    mode: '0644'
-  loop:
-    - lmn-updater.service
-    - lmn-updater.timer
-  when: misc_updater_repository | default(false) is truthy
-
-- name: Enable updater.timer
-  ansible.builtin.systemd:
-    name: lmn-updater.timer
-    enabled: true
-  when:
-    - misc_updater_repository | default(false) is truthy
-    - misc_updater_autostart | default(false) is truthy
-
-- name: Deploy inventory password file
-  ansible.builtin.copy:
-    dest: /root/.inventory-pw
-    owner: root
-    mode: '0640'
-    content: "{{ misc_updater_inventory_password }}"
-  when:
-    - misc_updater_repository | default(false) is truthy
-    - misc_updater_inventory_password | default(false) is truthy
 
 # Prepare CloneScreen on Presenter PCs
 

roles/lmn_misc/templates/lmn-updater.service.j2

@@ -1,9 +0,0 @@
-[Unit]
-Description=Run LMN Client updates via ansible-pull
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/usr/bin/ansible-pull --only-if-changed --verbose --vault-password-file /root/.inventory-pw -l %H -d /root/lmn-client \
-           -i {{ misc_updater_inventory }} --url={{ misc_updater_repository }} -C {{ misc_updater_branch }} lmn-client.yml
-

roles/lmn_misc/templates/lmn-updater.timer.j2

@@ -1,9 +0,0 @@
-[Unit]
-Description=Run LMN Updater every day
-After=network-online.target
-
-[Timer]
-OnBootSec=5min
-
-[Install]
-WantedBy=timers.target

roles/lmn_misc/templates/reporter.j2

@@ -16,7 +16,6 @@ cmds=(
     'ip link show | \
        sed -nE -e "s/^[2-9]: (\S+): .+/\1/p" -e "s/.+ether ([0-9a-f:]+) .+/\1/p" | \
        paste - -'
-    'systemctl --failed | grep -v "^$"'
 )
 #    'w'
 #    'uptime'

roles/lmn_network/tasks/main.yml

@@ -5,14 +5,14 @@
     mode: '0644'
     content: >
       {{ apt_conf }}
-  when: apt_conf is defined and apt_conf is truthy
+  when: apt_conf | bool | default(false)
 
 - name: Set NTP server
   ansible.builtin.lineinfile:
     path: /etc/systemd/timesyncd.conf
     insertafter: '^#NTP='
     line: NTP={{ ntp_serv }}
-  when: ntp_serv is defined and ntp_serv is truthy
+  when: ntp_serv | bool | default(false)
 
 - name: Add proposed-updates repository
   ansible.builtin.apt_repository:

roles/lmn_security/tasks/main.yml

@@ -5,8 +5,6 @@
     key: "{{ item }}"
   loop: "{{ keys2deploy }}"
   when: keys2deploy is defined
-  tags:
-    - baseinstall
 
 - name: Allow sudo without password for ansible
   ansible.builtin.lineinfile:
@@ -16,16 +14,12 @@
     owner: root
     group: root
     mode: '0700'
-  tags:
-    - baseinstall
 
 - name: Disable ansible user login
   ansible.builtin.user:
     name: ansible
     password_lock: true
   when: security_defaultuser_login_disable
-  tags:
-    - baseinstall
 
 - name: Limit SSH access to user ansible
   ansible.builtin.blockinfile:

roles/lmn_sssd/defaults/main.yml

@@ -1,2 +0,0 @@
----
-sssd_domjoin_user: global-admin

roles/lmn_sssd/handlers/main.yml

@@ -1,5 +1,6 @@
 - name: Restart sssd
-  ansible.builtin.systemd:
+  ansible.builtin.service:
     name: sssd
     state: restarted
     enabled: true
+  listen: "Restart sssd"

roles/lmn_sssd/tasks/main.yml

@@ -10,27 +10,15 @@
   ansible.builtin.template:
     src: sssd.conf.j2
     dest: /etc/sssd/sssd.conf
-    mode: '0640'
+    mode: '0600'
   notify: Restart sssd
 
-- name: Check if the machine account password and the join are still valid
-  ansible.builtin.shell:
-    cmd: adcli testjoin -D {{ domain | upper }}
-  register: adcli_test_result
-  failed_when: false
-  changed_when: false
-
-  # If domjoin not valid:
+  ## Either one of the variables is defined:
 - name: Join the domain
   ansible.builtin.shell:
     cmd: >
-      echo "{{ ad_passwd }}" | adcli join --stdin-password -U {{ ad_user }} {{ domain | upper }}
-  no_log: true
-  vars:
-    ad_user: "{{ 'global-admin' if (adpw.user_input | default(ansible_cmdline.adpw) | default('') | length > 0) else sssd_domjoin_user }}"
-    ad_passwd: "{{ adpw.user_input | default('') if  adpw.user_input | default ('') | length > 0 else ansible_cmdline.adpw | default(sssd_domjoin_passwd) | default('') }}"
-  throttle: 1
-  when:
-    - adpw.user_input | default('') | length > 0 or
-      ansible_cmdline.adpw | default(sssd_domjoin_passwd) | default('') | length > 0
-    - adcli_test_result.rc != 0
+      echo "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}" |
+      adcli join --stdin-password -U global-admin {{ domain | upper }}
+  when: >
+    ansible_cmdline.adpw | default('') | length > 0 or
+    adpw.user_input | default('') | length > 0

roles/lmn_tmpfixes/tasks/main.yml

@@ -16,19 +16,3 @@
       export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --use-gl=desktop"
   when: ansible_board_vendor == "LENOVO" and
     (ansible_board_name == "312D" or ansible_board_name == "312A")
-
-- name: Fix 8086:4909 external graphics card
-  ansible.builtin.replace:
-    dest: "/etc/default/grub"
-    regexp: 'GRUB_CMDLINE_LINUX=""$'
-    replace: 'GRUB_CMDLINE_LINUX="i915.force_probe=4909"'
-  notify: Run update-grub
-  when: ansible_board_vendor == "LENOVO" and ansible_board_name == "32CB"
-
-- name: Remove calligra
-  ansible.builtin.apt:
-    name:
-      - calligra
-    state: absent
-    purge: true
-    autoremove: true

roles/lmn_vm/tasks/main.yml

@@ -18,7 +18,6 @@
       - mktorrent
       - libvirt-daemon-system
       - virt-manager
-      - virt-viewer
       - dialog # for vm-netboot menu
       - python3-impacket
 
@@ -29,6 +28,32 @@
     #     insertafter: '#auth_unix_rw = "polkit"'
     #   notify: reload libvirtd
 
+- name: Configure pam_mount for VM bind mounts
+  ansible.builtin.blockinfile:
+    dest: /etc/security/pam_mount.conf.xml
+    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mounts for VMs) -->"
+    block: |
+      <!-- bind mounts for the VMs, setting gid here does not work -->
+      <volume
+        path="~"
+        mountpoint="/lmn/media/%(USER)/home"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
+      </volume>
+      <volume
+        path="/srv/samba/schools/default-school/share"
+        mountpoint="/lmn/media/%(USER)/share"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
+      </volume>
+      <volume
+        path="/srv/samba/schools/default-school"
+        mountpoint="/lmn/media/%(USER)/school"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
+      </volume>
+    insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"
+
 - name: Use umount script for proper cleanup
   ansible.builtin.blockinfile:
     dest: /etc/security/pam_mount.conf.xml

roles/lmn_vpn/files/10-lmn-mount.sh

@@ -29,16 +29,19 @@ if [[ "$CONNECTION_ID" = "VPN-Schule" ]]; then
     umask 0002
     mkdir -p /srv/samba/schools/default-school
     chmod 777  /srv/samba/schools/default-school
+    mkdir -p "/lmn/media/${USERNAME}/share"
 
     mount -t cifs //server/default-school/ /srv/samba/schools/default-school \
           -o "sec=krb5i,cruid=${USERID},user=${USERNAME},uid=${USERID},gid=${GROUPID},file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600,cache=loose,echo_interval=10"
 	  echo "after mount" >&2
+    mount --bind /srv/samba/schools/default-school/share "/lmn/media/${USERNAME}/share"
     SUDO_USER=$USERNAME /usr/local/bin/install-printers.sh
   elif [[ "$NM_DISPATCHER_ACTION" = "pre-down" ]]; then
     # FIXME: Only umount server when Wireguard-Connection was the only connection to server.
     # Dirty fix (works only in fvs-IP-Range)
     if ! (ip r s | grep "10.190." | grep -v wg0); then
-      echo "Try to umount server"
+      echo "Try to umount server shares"
+      umount "/lmn/media/${USERNAME}/share"
       umount /srv/samba/schools/default-school
     fi
   fi

roles/lmn_vpn/files/mountserver

@@ -3,6 +3,7 @@ set -eu
 
 exit_script() {
     echo "unmounting media - terminated by trap!" >> "/tmp/${SUDO_UID}-exit-mount.log"
+    findmnt "/lmn/media/${SUDO_USER}/share" && umount "/lmn/media/${SUDO_USER}/share"
     findmnt "/srv/samba/schools/default-school" && umount "/srv/samba/schools/default-school"
     trap - SIGHUP SIGINT SIGTERM # clear the trap
     kill -- -$$ # Sends SIGTERM to child/sub processes
@@ -13,9 +14,11 @@ findmnt /srv/samba/schools/default-school > /dev/null && exit 0
 umask 0002
 mkdir -p /srv/samba/schools/default-school
 chmod 777  /srv/samba/schools/default-school
+mkdir -p "/lmn/media/${SUDO_USER}/share"
 
 mount -t cifs //server/default-school/ /srv/samba/schools/default-school \
       -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=${SUDO_GID},file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600,cache=loose,echo_interval=10"
+mount --bind /srv/samba/schools/default-school/share "/lmn/media/${SUDO_USER}/share"
 
 echo "Einbindung erfolgreich!"
 echo "Dieses Fenster bitte nicht schließen!"