19 changed files with 696 additions and 800 deletions
--- a/doc/install_ontop.md
+++ b/doc/install_ontop.md
@ -1,12 +1,6 @@
 # Installation on existing client
-A straightforward way to test the lmn-client is to manually run the playbook on a freshly installed client.
+An easy method to test the lmn-client is to run the playbook manual on a fresh installed client.
 This can be done in the following ways:
    On the client using ansible-pull
    On the client by checking out the lmn-client repository and running the playbook locally
    On a target device by checking out the lmn-client repository locally and executing the playbook against the target device
 ## Direct call via ansible-pull
@ -15,10 +9,10 @@ With two simple commands you can install the lmn-client with default configurati
 Steps:
 * Install debian on client (via USB or PXE)
-* Install additional packages: ansible  
+* Install additional packages: ansible
  `sudo apt install ansible`
-* Run Playbook  
+* Run Playbook
-  `sudo ansible-pull --verbose -i inventory-sample.yml -l localhost --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main lmn-client.yml`
+  `ansible-pull -i inventory.yml -l localhost, --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main lmn-client.yml`
 ## Checkout git and run ansible locally
@ -30,12 +24,10 @@ Steps:
 * Install debian on client (via USB or PXE)
 * Install additional packages: ansible, git  
  `sudo apt install ansible git`
-* Checkout Repository  
+* Checkout Repository
  `git clone https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git`
 * Change into repository directory  
  `cd lmn-client`
 * Create inventory  
-  `cp inventory-sample.yml inventory-myschool.yml`
+  `cp inventory.yml inventory-myschool.yml`
 * Edit inventory-myschool.yml  
  e.g.: `nano inventory-myschool.yml`
 * Run Playbook  
--- a/doc/install_pxe.md
+++ b/doc/install_pxe.md
@ -2,28 +2,15 @@
 * **Using DigitalSouveraeneSchule repository and LinuxMuster.Net tftp**  
  Simplest solution. Playbook and default inventory from DigitalSouveraeneSchule codeberg repository.  
-  Linux kernel and initial Ramdisk from debian repository.  
+  Linux kernel and initial Ramdisk from debian repository.
  Client must have access to the internet (noproxy group).
 * **Using your own repository and LinuxMuster.Net tftp**  
  Here you can use your own inventory and make many custom settings.  
-  Linux kernel and initial Ramdisk from debian repository.  
+  Linux kernel and initial Ramdisk from debian repository.
  Client must have access to the internet (noproxy group).
 * **Using your own repository and livebox tftp**  
-  Additional kernel and Ramdisk from your own infrastrukture.  
+  Additional kernel and Ramdisk from your own infrastrukture.
  Client does not need direct internet access.
 ## Using codeberg repository and LinuxMuster.Net tftp
 ### Requirements / firewall settings
 The computer on which the linuxclient is to be installed must have access to the Internet (add host to noproxy group)
 The following resources are downloaded from the internet:
 * The repository is provided by codeberg.org
 * the Linux kernel, the initial ramdisk and the installation files are loaded from debian.org.
 * mscorefonts from Microsoft
 ### Modification LinuxMuster.Net server
 Create grub config for device group `lmnclient` on your schools server:
@ -38,12 +25,9 @@ set default=1
 menuentry 'Installer Debian bookworm (amd64) + preseed + ansible inventory' {
   echo -n "Enter domain join password: "
   read adpw
   set vaultpw="dummy"
   # echo -n "Enter vault password"
   # read vaultpw
   linux   (http,ftp.debian.org)/debian/dists/stable/main/installer-amd64/current/images/netboot/debian-installer/amd64/linux auto=true priority=high \
-           url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client/raw/branch/main/misc/preseed.cfg interface=auto \
+           url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client/raw/branch/fvs/misc/preseed.cfg interface=auto \
-           playbook=lmn-client.yml adpw="${adpw}" vaultpw="${vaultpw}" ---
+           playbook=lmn-client.yml adpw="${adpw}" ---
   initrd  (http,ftp.debian.org)/debian/dists/stable/main/installer-amd64/current/images/netboot/debian-installer/amd64/initrd.gz
 }
 ```
@ -63,52 +47,4 @@ classroom;mypc01;lmnclient;F2:81:6B:C9:E3:EF;10.0.5.51;;;;classroom-studentcompu
 * confirm `hostname` and `domain` (you will be asked in network setup)
 * ... Get a cup of coffee ... wait until reboot ... login (Logging in may take a few minutes after installation)
-
+## Using your own livebox server
 ## Using your own repository and LinuxMuster.Net tftp
 If you fork the lmn-client repository, you can customize the preseeding and inventory to your needs.
 Use the instructions in the previous section and customize the repository in `/srv/linbo/boot/grub/lmnclient.cfg`.
 It makes sense to encrypt your inventory via `ansible-vault`.
 When using encrypted inventories you have to provide the vault password by commenting in the two lines in the `/srv/linbo/boot/grub/lmnclient.cfg`.
 ## Using your own repository and livebox tftp
 The next improvement will be to use your own livebox with following functionalities:
 * Providing linux kernel and initial ramdisk for installer
 * Can be used as cache for debian packages (aptcacher)
 * Can provide mscorefonts and libdvdcss (multimedia codecs)
 * Can be used to boot live systems (netboot) via pxe
 ### Installing the livebox server
 * Install debian VM and configure network
 * Install additional packages: ansible  
  `sudo apt install ansible`
 * Run livebox playbook  
  `ansible-pull -i localhost, --url=https://salsa.debian.org/andi/debian-lan-ansible.git -C master livebox.yml`
 * Set DNS entry for your new livebox server
 ### Modification LinuxMuster.Net server
 The file `/srv/linbo/boot/grub/lmnclient.cfg` might look like this:
 ```
 # ### NOT managed by linuxmuster.net ###
 # edit to your needs
 set default=1
 menuentry 'Installer Debian bookworm (amd64) + preseed + ansible inventory' {
   echo -n "Enter domain join password: "
   read adpw
   set vaultpw="dummy"
   # echo -n "Enter vault password"
   # read vaultpw
   linux   (http,livebox.example.com)/d-i/n-pkg/images/12/amd64/text/debian-installer/amd64/linux auto=true priority=high \
           url=https://codeberg.org/MySchool/lmn-client/raw/branch/main/misc/preseed-myschool.cfg interface=auto \
           playbook=lmn-client.yml adpw="${adpw}" vaultpw="${vaultpw}" ---
   initrd  (http,livebox.example.com)/d-i/n-pkg/images/12/amd64/text/debian-installer/amd64/initrd.gz
 }
 ```
--- a/inventory-sample.yml
+++ b/inventory-sample.yml
@ -2,9 +2,10 @@
 all:
  vars:
    domain: "{{ ansible_domain }}"
    # Comment out on productive systems when ssh key is provided
    security_defaultuser_login_disable: false
    kde_desktop_pkg:
      - akonadi-backend-sqlite
    ## Proxy configuration (see: doc/localproxy.md)
    # localproxy: true
@ -58,6 +59,7 @@ all:
    #   - vim
    #   - mc
    #   - tmux
    #   - debconf-utils
    ## WLAN configuration (see: doc/vpn.md):
    ##
@ -103,7 +105,6 @@ all:
  hosts:
    localhost:
      ansible_connection: local
 laptops:
  children:
--- a/inventory.yml
+++ b/inventory.yml
--- a/misc/preseed.cfg
+++ b/misc/preseed.cfg
@ -50,11 +50,13 @@ d-i apt-setup/contrib boolean true
 d-i mirror/country string manual
 d-i mirror/http/hostname string deb.debian.org
 d-i mirror/http/directory string /debian
-#d-i mirror/http/proxy string http://aptcache.pn.steinbeis.schule:3142/
+#d-i mirror/http/proxy string http://10.167.0.253:3142/
-d-i mirror/http/proxy string
+#d-i mirror/http/proxy string http://192.168.1.17:3142/
 #d-i mirror/http/proxy string http://aptcache.steinbeisschule-reutlingen.de:3142/
 d-i mirror/http/proxy string http://aptcache.pn.steinbeis.schule:3142/
 # NTP server to use:
-#d-i clock-setup/ntp-server string server.pn.steinbeis.schule
+d-i clock-setup/ntp-server string server.pn.steinbeis.schule
 ### Backports:
 #apt-setup-udeb apt-setup/services-select multiselect security, updates, backports
@ -127,9 +129,10 @@ d-i preseed/late_command string \
        in-target mount -v -t tmpfs tmpfs /dev/shm ; \
        echo "$vaultpw" > /target/dev/shm/vaultpw ; \
        in-target ansible-pull --verbose --purge --extra-vars="run_in_installer=true" \
-           --vault-password-file /dev/shm/vaultpw -l localhost \
+           -l localhost \
-           -i inventory-sample.yml --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main $playbook ; \
+           -i inventory-sample.yml --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C fvs $playbook ; \
      fi
 ##           --vault-password-file /dev/shm/vaultpw -l localhost \
 #
 ## When installing in combination with ansible-pull,
 ## export your ansible playbook like:
--- a/roles/custom/fvs/tasks/main.yml
+++ b/roles/custom/fvs/tasks/main.yml
@ -220,7 +220,7 @@
  ansible.builtin.blockinfile:
    path: /usr/share/sddm/themes/debian-breeze/Main.qml
    marker: // {mark} ANSIBLE MANAGED BLOCK
-    insertbefore: '^}$'
+    insertbefore: '\s+//Footer'
    block: |
      Text {
         id: hostname
--- a/roles/lmn_finish/tasks/main.yaml
+++ b/roles/lmn_finish/tasks/main.yaml
@ -14,7 +14,7 @@
      main non-free-firmware
    state: present
    update_cache: true
-  when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
+#  when: extra_pkgs_bpo|length
 - name: Install extra packages from backports
  ansible.builtin.apt:
@ -25,7 +25,6 @@
    - "{{ extra_pkgs_bpo }}"
    - "{{ extra_pkgs_bpo1 }}"
    - "{{ extra_pkgs_bpo2 }}"
  when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
 - name: Timestamp successfull run and send up-to-date report
  ansible.builtin.shell:
--- a/roles/lmn_kde/defaults/main.yml
+++ b/roles/lmn_kde/defaults/main.yml
@ -6,7 +6,6 @@ kde_desktop_pkg:
  - calligra
  - codeblocks
  - dia
  - filius
  - flameshot
  - freecad
  - fritzing
@ -15,9 +14,8 @@ kde_desktop_pkg:
  - inkscape
  - kde-full
  - keepassxc
  - kicad
  - kicad-doc-de
  - librecad
  - mu-editor
  - openboard
  - qtcreator
  - spyder
@ -36,5 +34,3 @@ kde_desktop_pkg:
  - xdg-desktop-portal-kde
  - xdg-desktop-portal-wlr # share screen in browser
  - xournalpp
 kde_desktop_pkg_bpo: [ ]
--- a/roles/lmn_kde/tasks/main.yml
+++ b/roles/lmn_kde/tasks/main.yml
@ -8,14 +8,19 @@
    repo: deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main non-free-firmware
    state: present
    update_cache: true
  when: kde_desktop_pkg_bpo | length > 0
 - name: Install extra packages from backports
  ansible.builtin.apt:
-    name: "{{ kde_desktop_pkg_bpo }}"
+    name:
      - filius
      - kicad
      - kicad-doc-de
      - libreoffice
      - libreoffice-l10n-de
      - libreoffice-qt5
    state: latest # noqa package-latest
    autoremove: true
    default_release: "{{ ansible_distribution_release }}-backports"
  when: kde_desktop_pkg_bpo | length > 0
 - name: Create akonadi config dir
--- a/roles/lmn_localhome/tasks/main.yml
+++ b/roles/lmn_localhome/tasks/main.yml
@ -9,7 +9,7 @@
  ansible.builtin.blockinfile:
    path: /usr/share/sddm/themes/debian-breeze/Main.qml
    marker: // {mark} ANSIBLE MANAGED BLOCK localhome
-    insertbefore: '^}$'
+    insertbefore: '\s+//Footer'
    block: |
      Text {
         id: localhome
--- a/roles/lmn_misc/tasks/main.yml
+++ b/roles/lmn_misc/tasks/main.yml
@ -98,7 +98,7 @@
      export superusers
      password_pbkdf2 root {{ grub_pwd }}
  notify: Run update-grub
-  when: grub_pwd | bool | default(false)
+  when: grub_pwd|default(false)
 - name: Allow booting grub menu entries
  ansible.builtin.lineinfile:
--- a/roles/lmn_network/tasks/main.yml
+++ b/roles/lmn_network/tasks/main.yml
@ -5,14 +5,14 @@
    mode: '0644'
    content: >
      {{ apt_conf }}
-  when: apt_conf | bool | default(false)
+  when: apt_conf|default(false)
 - name: Set NTP server
  ansible.builtin.lineinfile:
    path: /etc/systemd/timesyncd.conf
    insertafter: '^#NTP='
    line: NTP={{ ntp_serv }}
-  when: ntp_serv | bool | default(false)
+  when: ntp_serv|default(false)
 - name: Add proposed-updates repository
  ansible.builtin.apt_repository:
--- a/roles/lmn_printer/tasks/main.yml
+++ b/roles/lmn_printer/tasks/main.yml
@ -37,7 +37,7 @@
    line: "SystemGroup root lpadmin {{ printer_admin_group }}"
    regexp: '^SystemGroup'
    state: present
-  when: printer_admin_group | length > 0
+  when: printer_admin_group | length
 - name: Disable cups-browsed
  ansible.builtin.systemd:
--- a/roles/lmn_vm/files/vm-run
+++ b/roles/lmn_vm/files/vm-run
@ -216,7 +216,7 @@ while true; do
 	    shift
 	    ;;
    -o | --options )
-	    LIBVIRTOPTS="${LIBVIRTOPTS} $2"
+            LIBVIRTOPTS=$2
 	    shift 2
 	    ;;
    --no-viewer )
@ -267,7 +267,6 @@ while true; do
              type="ethernet,mac=${mac},target.dev=${interface},xpath1.set=./target/@managed=no,model.type=virtio"
 	      LIBVIRTOPTS="${LIBVIRTOPTS} --network type=$type"
 	    done
 	    LIBVIRTOPTS="${LIBVIRTOPTS} --check mac_in_use=off"
 	    shift
 	    ;;
    --os )
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@ -18,7 +18,6 @@
      - mktorrent
      - libvirt-daemon-system
      - virt-manager
      - virt-viewer
      - dialog # for vm-netboot menu
    # - name: allow all users to use VMs
--- a/roles/lmn_vpn/tasks/wg_config.yml
+++ b/roles/lmn_vpn/tasks/wg_config.yml
@ -5,7 +5,7 @@
      - wireguard
 - name: Check if wg_server is reachable
-  ansible.builtin.command: echo "reachable"
+  ansible.builtin.command: echo "Test if wg_server is reachable"
  delegate_to: wireguard_server
  register: result
  changed_when: false
@ -17,12 +17,10 @@
      * server not reachable
      * no matching ssh-key
  changed_when: true
-  when: result.stdout is not defined or result.stdout!="reachable"
+  when: result.unreachable is defined and result.unreachable
 - name: Configure WG Server
-  when:
+  when: result.unreachable is not defined or not result.unreachable
    - result.stdout is defined and result.stdout=="reachable"
    - not run_in_installer|default(false)|bool
  block:
    - name: Set facts wg_clientname
      ansible.builtin.set_fact:
--- a/roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml
+++ b/roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml
@ -27,7 +27,7 @@
  when: cert_client_active.stat.exists
 - name: Check if radius-server is reachable
-  ansible.builtin.command: echo "reachable"
+  ansible.builtin.command: echo "Test if radius-server is reachable"
  delegate_to: radius_server
  register: radius_reachable
  changed_when: false
@ -40,13 +40,12 @@
      - "* server not reachable"
      - "* no matching ssh-key"
  changed_when: true
-  when: radius_reachable.stdout is not defined or radius_reachable.stdout!='reachable'
+  when: radius_reachable.unreachable is defined and radius_reachable.unreachable
 - name: Issue radius certificate
  ansible.builtin.include_tasks: eap-tls_issue-certificate.yaml
  when:
-    - radius_reachable.stdout is defined and radius_reachable.stdout=="reachable"
+    - radius_reachable.unreachable is not defined or not radius_reachable.unreachable
    - not run_in_installer|default(false)|bool
    - |
      ( not cert_client_active.stat.exists ) or
      (cert_serial.stdout | replace('serial=','') | int(base=16) ) in ( radius_crl.revoked_certificates | map(attribute='serial_number') | list ) or
--- a/roles/lmn_wlan/tasks/eap-tls_issue-certificate.yaml
+++ b/roles/lmn_wlan/tasks/eap-tls_issue-certificate.yaml
@ -105,7 +105,6 @@
  ansible.builtin.systemd:
    name: iwd.service
    enabled: false
  failed_when: false
 - name: Remove deprecated NetworkManager config
  ansible.builtin.blockinfile:
--- a/roles/lmn_wlan/tasks/main.yaml
+++ b/roles/lmn_wlan/tasks/main.yaml
@ -3,6 +3,7 @@
 - name: Install packages related to wifi
  ansible.builtin.apt:
    name:
      - systemd-resolved
      - firmware-realtek # for our wifi sticks
 - name: Provide service to enable WiFi on boot