it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: it-team:main
Branches Tags
it-team:main
it-team:bookworm
it-team:dev
it-team:fvs
..
compare: it-team:fvs
Branches Tags
it-team:main
it-team:bookworm
it-team:dev
it-team:fvs

No commits in common. "main" and "fvs" have entirely different histories.
main ... fvs

36 changed files with 783 additions and 1392 deletions
Show stats Expand all files Collapse all files

14
doc/install_ontop.md
View file

@ -1,12 +1,6 @@
# Installation on existing client
A straightforward way to test the lmn-client is to manually run the playbook on a freshly installed client.
This can be done in the following ways:
On the client using ansible-pull
On the client by checking out the lmn-client repository and running the playbook locally
On a target device by checking out the lmn-client repository locally and executing the playbook against the target device
An easy method to test the lmn-client is to run the playbook manual on a fresh installed client.
## Direct call via ansible-pull
@ -18,7 +12,7 @@ Steps:
* Install additional packages: ansible
`sudo apt install ansible`
* Run Playbook
`sudo ansible-pull --verbose -i inventory-sample.yml -l localhost --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main lmn-client.yml`
`ansible-pull -i inventory.yml -l localhost, --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main lmn-client.yml`
## Checkout git and run ansible locally
@ -32,10 +26,8 @@ Steps:
`sudo apt install ansible git`
* Checkout Repository
`git clone https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git`
* Change into repository directory
`cd lmn-client`
* Create inventory
`cp inventory-sample.yml inventory-myschool.yml`
`cp inventory.yml inventory-myschool.yml`
* Edit inventory-myschool.yml
e.g.: `nano inventory-myschool.yml`
* Run Playbook

70
doc/install_pxe.md
View file

@ -3,27 +3,14 @@
* **Using DigitalSouveraeneSchule repository and LinuxMuster.Net tftp**
Simplest solution. Playbook and default inventory from DigitalSouveraeneSchule codeberg repository.
Linux kernel and initial Ramdisk from debian repository.
Client must have access to the internet (noproxy group).
* **Using your own repository and LinuxMuster.Net tftp**
Here you can use your own inventory and make many custom settings.
Linux kernel and initial Ramdisk from debian repository.
Client must have access to the internet (noproxy group).
* **Using your own repository and livebox tftp**
Additional kernel and Ramdisk from your own infrastrukture.
Client does not need direct internet access.
## Using codeberg repository and LinuxMuster.Net tftp
### Requirements / firewall settings
The computer on which the linuxclient is to be installed must have access to the Internet (add host to noproxy group)
The following resources are downloaded from the internet:
* The repository is provided by codeberg.org
* the Linux kernel, the initial ramdisk and the installation files are loaded from debian.org.
* mscorefonts from Microsoft
### Modification LinuxMuster.Net server
Create grub config for device group `lmnclient` on your schools server:
@ -38,12 +25,9 @@ set default=1
menuentry 'Installer Debian bookworm (amd64) + preseed + ansible inventory' {
echo -n "Enter domain join password: "
read adpw
set vaultpw="dummy"
# echo -n "Enter vault password"
# read vaultpw
linux (http,ftp.debian.org)/debian/dists/stable/main/installer-amd64/current/images/netboot/debian-installer/amd64/linux auto=true priority=high \
url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client/raw/branch/main/misc/preseed.cfg interface=auto \
playbook=lmn-client.yml adpw="${adpw}" vaultpw="${vaultpw}" ---
url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client/raw/branch/fvs/misc/preseed.cfg interface=auto \
playbook=lmn-client.yml adpw="${adpw}" ---
initrd (http,ftp.debian.org)/debian/dists/stable/main/installer-amd64/current/images/netboot/debian-installer/amd64/initrd.gz
}
```
@ -63,52 +47,4 @@ classroom;mypc01;lmnclient;F2:81:6B:C9:E3:EF;10.0.5.51;;;;classroom-studentcompu
* confirm `hostname` and `domain` (you will be asked in network setup)
* ... Get a cup of coffee ... wait until reboot ... login (Logging in may take a few minutes after installation)
## Using your own repository and LinuxMuster.Net tftp
If you fork the lmn-client repository, you can customize the preseeding and inventory to your needs.
Use the instructions in the previous section and customize the repository in `/srv/linbo/boot/grub/lmnclient.cfg`.
It makes sense to encrypt your inventory via `ansible-vault`.
When using encrypted inventories you have to provide the vault password by commenting in the two lines in the `/srv/linbo/boot/grub/lmnclient.cfg`.
## Using your own repository and livebox tftp
The next improvement will be to use your own livebox with following functionalities:
* Providing linux kernel and initial ramdisk for installer
* Can be used as cache for debian packages (aptcacher)
* Can provide mscorefonts and libdvdcss (multimedia codecs)
* Can be used to boot live systems (netboot) via pxe
### Installing the livebox server
* Install debian VM and configure network
* Install additional packages: ansible
`sudo apt install ansible`
* Run livebox playbook
`ansible-pull -i localhost, --url=https://salsa.debian.org/andi/debian-lan-ansible.git -C master livebox.yml`
* Set DNS entry for your new livebox server
### Modification LinuxMuster.Net server
The file `/srv/linbo/boot/grub/lmnclient.cfg` might look like this:
```
# ### NOT managed by linuxmuster.net ###
# edit to your needs
set default=1
menuentry 'Installer Debian bookworm (amd64) + preseed + ansible inventory' {
echo -n "Enter domain join password: "
read adpw
set vaultpw="dummy"
# echo -n "Enter vault password"
# read vaultpw
linux (http,livebox.example.com)/d-i/n-pkg/images/12/amd64/text/debian-installer/amd64/linux auto=true priority=high \
url=https://codeberg.org/MySchool/lmn-client/raw/branch/main/misc/preseed-myschool.cfg interface=auto \
playbook=lmn-client.yml adpw="${adpw}" vaultpw="${vaultpw}" ---
initrd (http,livebox.example.com)/d-i/n-pkg/images/12/amd64/text/debian-installer/amd64/initrd.gz
}
```
## Using your own livebox server

7
inventory-sample.yml
View file

@ -2,9 +2,10 @@
all:
vars:
domain: "{{ ansible_domain }}"
# Comment out on productive systems when ssh key is provided
security_defaultuser_login_disable: false
kde_desktop_pkg:
- akonadi-backend-sqlite
## Proxy configuration (see: doc/localproxy.md)
# localproxy: true
@ -58,6 +59,7 @@ all:
# - vim
# - mc
# - tmux
# - debconf-utils
## WLAN configuration (see: doc/vpn.md):
##
@ -103,7 +105,6 @@ all:
hosts:
localhost:
ansible_connection: local
laptops:
children:

1315
inventory.yml
View file

File diff suppressed because it is too large Load diff

2
lmn-client.yml
View file

@ -63,7 +63,7 @@
- role: lmn_localhome
when: localhome
- role: lmn_localuser
when: localuser|bool
when: localuser
- role: lmn_exam
when: exam_mode
- role: lmn_wlan

13
misc/preseed.cfg
View file

@ -50,11 +50,13 @@ d-i apt-setup/contrib boolean true
d-i mirror/country string manual
d-i mirror/http/hostname string deb.debian.org
d-i mirror/http/directory string /debian
#d-i mirror/http/proxy string http://aptcache.pn.steinbeis.schule:3142/
d-i mirror/http/proxy string
#d-i mirror/http/proxy string http://10.167.0.253:3142/
#d-i mirror/http/proxy string http://192.168.1.17:3142/
#d-i mirror/http/proxy string http://aptcache.steinbeisschule-reutlingen.de:3142/
d-i mirror/http/proxy string http://aptcache.pn.steinbeis.schule:3142/
# NTP server to use:
#d-i clock-setup/ntp-server string server.pn.steinbeis.schule
d-i clock-setup/ntp-server string server.pn.steinbeis.schule
### Backports:
#apt-setup-udeb apt-setup/services-select multiselect security, updates, backports
@ -127,9 +129,10 @@ d-i preseed/late_command string \
in-target mount -v -t tmpfs tmpfs /dev/shm ; \
echo "$vaultpw" > /target/dev/shm/vaultpw ; \
in-target ansible-pull --verbose --purge --extra-vars="run_in_installer=true" \
--vault-password-file /dev/shm/vaultpw -l localhost \
-i inventory-sample.yml --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main $playbook ; \
-l localhost \
-i inventory-sample.yml --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C fvs $playbook ; \
fi
## --vault-password-file /dev/shm/vaultpw -l localhost \
#
## When installing in combination with ansible-pull,
## export your ansible playbook like:

BIN
misc/vm/Netzlaufwerke neu verbinden.lnk
View file

Binary file not shown.

155
misc/vm/injector.ps1
View file

@ -1,155 +0,0 @@
param(
[string]$ticketb64
)
# BASE64
$ticket = New-Object System.Byte
#reading from b64
$ticket = [System.Convert]::FromBase64String($ticketb64)
if ($ticket -eq $null){
write-host "[-] Be Sure entering the correct mode"
write-host "[-] Cannot receive ticket from file or b64"
exit;
}
# ------------------- FUNCTIONS -----------------------#
$ptt = @"
[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public UInt32 LowPart;
public Int32 HighPart;
}
public enum KERB_PROTOCOL_MESSAGE_TYPE
{
KerbDebugRequestMessage,
KerbQueryTicketCacheMessage,
KerbChangeMachinePasswordMessage,
KerbVerifyPacMessage,
KerbRetrieveTicketMessage,
KerbUpdateAddressesMessage,
KerbPurgeTicketCacheMessage,
KerbChangePasswordMessage,
KerbRetrieveEncodedTicketMessage,
KerbDecryptDataMessage,
KerbAddBindingCacheEntryMessage,
KerbSetPasswordMessage,
KerbSetPasswordExMessage,
KerbVerifyCredentialMessage,
KerbQueryTicketCacheExMessage,
KerbPurgeTicketCacheExMessage,
KerbRefreshSmartcardCredentialsMessage,
KerbAddExtraCredentialsMessage,
KerbQuerySupplementalCredentialsMessage,
KerbTransferCredentialsMessage,
KerbQueryTicketCacheEx2Message,
KerbSubmitTicketMessage,
KerbAddExtraCredentialsExMessage
}
[StructLayout(LayoutKind.Sequential)]
public struct KERB_CRYPTO_KEY32
{
public int KeyType;
public int Length;
public int Offset;
}
[StructLayout(LayoutKind.Sequential)]
public struct KERB_SUBMIT_TKT_REQUEST
{
public KERB_PROTOCOL_MESSAGE_TYPE MessageType;
public LUID LogonId;
public int Flags;
public KERB_CRYPTO_KEY32 Key;
public int KerbCredSize;
public int KerbCredOffset;
}
[StructLayout(LayoutKind.Sequential)]
public struct LSA_STRING_IN
{
public ushort Length;
public ushort MaximumLength;
public IntPtr buffer;
}
[DllImport("secur32.dll", SetLastError=false)]
public static extern int LsaLookupAuthenticationPackage([In] IntPtr LsaHandle,[In] ref LSA_STRING_IN PackageName,[Out] out UInt32 AuthenticationPackage);
[DllImport("Secur32.dll", SetLastError = true)]
public static extern int LsaCallAuthenticationPackage(IntPtr LsaHandle,uint AuthenticationPackage,IntPtr ProtocolSubmitBuffer,int SubmitBufferLength,out IntPtr ProtocolReturnBuffer,out ulong ReturnBufferLength,out int ProtocolStatus);
[DllImport("secur32.dll", SetLastError=false)]
public static extern int LsaConnectUntrusted([Out] out IntPtr LsaHandle);
[DllImport("secur32.dll", SetLastError=false)]
public static extern int LsaDeregisterLogonProcess([In] IntPtr LsaHandle);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern uint LsaNtStatusToWinError(uint status);
"@
Function ConnectToLsa()
{
$lsahandle = New-Object System.IntPtr
[int]$retcode = [KRB.PTT]::LsaConnectUntrusted([ref]$lsahandle)
if ($retcode -ne 0){
write-host "[-] LsaConnectUntrusted Error (NTSTATUS): ", $retcode -ForegroundColor Red
exit;
}
return $lsahandle
}
#-------------------------------- ENTRY POINT ----------------------------#
$assemblies = [System.Reflection.Assembly]::LoadWithPartialName("System.Security.Principal")
Add-Type -MemberDefinition $ptt -Namespace "KRB" -Name "PTT" -ReferencedAssemblies $assemblies.location -UsingNamespace System.Security.Principal
# CONNECTING TO LSA
$LsaHandle = ConnectToLsa
write-host "[?] LSA HANDLE: ", $LsaHandle
# EXTRACTING KERBEROS AP
$retcode = New-Object System.Int32
$authPackage = New-Object System.Int32
$name = "kerberos"
$importnantlsastring = New-Object KRB.PTT+LSA_STRING_IN
$importnantlsastring.Length = [uint16]$name.Length
$importnantlsastring.MaximumLength = [uint16]($name.Length + 1)
$importnantlsastring.buffer = [System.Runtime.InteropServices.Marshal]::StringToHGlobalAnsi($name)
$retcode = [KRB.PTT]::LsaLookupAuthenticationPackage($lsaHandle,[ref]$importnantlsastring,[ref]$authPackage)
if ($retcode -ne 0){
write-host "[-] Error LsaLookupAuthPckg (NTSTATUS): ", $retcode -ForegroundColor Red
exit;
}
write-host "[?] Kerberos Package: ", $authPackage
# GETTING CURRENT LUID (INJECT PURPOSES)
$output = klist
$CurrLuid = $output.split("`n")[1].split(":")[1]
$sysIntCurrLuid = [convert]::ToInt32($CurrLuid,16)
$luidFinally = New-Object KRB.PTT+LUID
$luidFinally.LowPart = $sysIntCurrLuid
# TICKET INJECTING
$protocolReturnBuffer = New-Object System.IntPtr
$ReturnBufferLength = New-Object System.Int32
$ProtocolStatus = New-Object System.Int32
$KrbRequestInfo = New-Object KRB.PTT+KERB_SUBMIT_TKT_REQUEST
$KrbRequestInfoType = $KrbRequestInfo.getType()
$KrbRequestInfo.MessageType = [KRB.PTT+KERB_PROTOCOL_MESSAGE_TYPE]::KerbSubmitTicketMessage
$KrbRequestInfo.KerbCredSize = $ticket.Length
$KrbRequestInfo.KerbCredOffset = [System.Runtime.InteropServices.Marshal]::SizeOf([type]$KrbRequestInfoType)
$KrbRequestInfo.LogonId = $luidFinally
$inputBufferSize = [System.Runtime.InteropServices.Marshal]::SizeOf([type]$KrbRequestInfoType) + $ticket.Length
$inputBuffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($inputBufferSize)
[System.Runtime.InteropServices.Marshal]::StructureToPtr($KrbRequestInfo,$inputBuffer,$false)
[System.IntPtr]$PtrToCred = $inputBuffer.ToInt64() + $KrbRequestInfo.KerbCredOffset
[System.Runtime.InteropServices.Marshal]::Copy($ticket,0,$PtrToCred,$ticket.Length)
$ntstatus = [KRB.PTT]::LsaCallAuthenticationPackage($lsaHandle,$authPackage,$inputBuffer,$inputBufferSize,[ref]$protocolReturnBuffer,[ref]$ReturnBufferLength,[ref]$ProtocolStatus)
if(($ProtocolStatus -ne 0) -or ($ntstatus -ne 0))
{
Write-Host "[!] Error in LsaCallAuthenticationPackage" -ForegroundColor Red
write-host " NTSTATUS: ", $ntstatus, " Protocol Status: ", $ProtocolStatus
if ($ProtocolStatus -eq -1073741517){
" Ticket may be out of date"
}
exit;
}
if($inputBuffer -ne [System.IntPtr]::Zero)
{
[System.Runtime.InteropServices.Marshal]::FreeHGlobal($inputBuffer)
[System.Object]$ticket = $null
}
klist

73
misc/vm/vm-prepare-sys.ps1
View file

@ -1,73 +0,0 @@
# Installiere alle Mounts aus target.csv
# Geprüft wird, ob das Laufwerk bereits vorhanden
# 11.05.2025 da
function Mount-Drive {
param (
[string]$DriveLetter,
[string]$TargetPath
)
try {
& "C:\Program Files (x86)\WinFsp\bin\launchctl-x64.exe" start virtiofs viofs$DriveLetter $TargetPath \\.\${DriveLetter}:
Write-Verbose "Laufwerk hinzugefügt: $DriveLetter"
} catch {
Write-Error "Fehler beim Hinzufügen des Laufwerks ${DriveLetter}: $_"
}
}
function Import-VMInfo {
param (
[string]$Path
)
if (Test-Path $Path) {
return Get-Content -Path $Path -Raw | ConvertFrom-Json
} else {
Write-Error "Fehler beim Einlesen der VMInfo Datei ($Path nicht gefunden)."
Write-Error "Tipp: Beim Neustart der VM wird diese Datei neu angelegt."
Pause
exit
}
}
# Laufwerk Y: mit weiteren Mountpoint-Infos mounten
& "C:\Program Files\Virtio-Win\VioFS\virtiofs.exe" -m Y:
#Mount-Drive -DriveLetter "Y" -TargetPath "VM-Data"
# VMInfo aus JSON File einlesen
$VMInfoPath = "Y:\.vminfo.json"
# Schleife, die auf das Laufwerk wartet
while (-not (Test-Path $VMInfoPath)) {
Write-Host "Warte auf $VMInfoPath..."
Start-Sleep -Seconds 1
}
$VMInfo = Import-VMInfo -Path $VMInfoPath
# Weitere Laufwerke einbinden
#foreach ($virtiofs in $VMInfo.VirtioFS) {
# $targetDrive = $virtiofs.Drive
# if (-not (Get-PSDrive -Name $targetDrive -ErrorAction SilentlyContinue)) {
# Mount-Drive -DriveLetter $targetDrive -TargetPath $virtiofs.Target
# } else {
# Write-Error "Laufwerk bereits vorhanden: $targetDrive"
# }
#}
# Drucker installieren
foreach ($drucker in $VMInfo.Printers) {
# Überprüfen, ob der Drucker bereits vorhanden ist
$druckerName = $drucker.Name
$druckerVorhanden = Get-Printer | Where-Object { $_.Name -eq $druckerName }
# Umwandlung in HTTP-URL
$httpUrl = $drucker.IppURL -replace "ipp://", "http://" -replace "122.1", "122.1:631"
if (-not $druckerVorhanden) {
# Drucker hinzufügen, wenn er nicht vorhanden ist
Add-Printer -PortName $httpUrl -Name $druckerName -DriverName "Microsoft IPP Class Driver"
Write-Host "Drucker hinzugefuegt: $druckerName"
} else {
Write-Host "Drucker bereits vorhanden: $druckerName"
}
}

BIN
misc/vm/vm-prepare-sys.xml
View file

Binary file not shown.

102
misc/vm/vm-prepare-user.ps1
View file

@ -1,102 +0,0 @@
# Installiere alle Mounts aus target.csv
# Geprüft wird, ob das Laufwerk bereits vorhanden
# 11.05.2025 da
function Import-VMInfo {
param (
[string]$Path
)
if (Test-Path $Path) {
return Get-Content -Path $Path -Raw | ConvertFrom-Json
} else {
Write-Error "Fehler beim Einlesen der VMInfo Datei ($Path nicht gefunden)."
Write-Error "Tipp: Beim Neustart der VM wird diese Datei neu angelegt."
Pause
exit
}
}
function Add-PathToQuickAccess([string[]]$path){
$path | %{
write-host "Adding path '$($_)' to Quick acccess list." -F Green
try{
$link = (New-Object -Com Shell.Application).NameSpace($_).Self
if(!$link){throw "Item path not valid to be pinned."}
$link.Verbs()| ?{$_.Name.replace('&','') -match 'An Schnellzugriff anheften|Pin to Quick access'} | %{$_.DoIt()}
}catch{
write-error "Error adding path. $($_.Exception.Message)"
}
}
}
$VMInfoPath = "Y:\.vminfo.json"
# Schleife, die auf das Laufwerk wartet
while (-not (Test-Path $VMInfoPath)) {
Write-Host "Warte auf $VMInfoPath..."
Start-Sleep -Seconds 1
}
# VMInfo aus JSON File einlesen
$VMInfo = Import-VMInfo -Path $VMInfoPath
& $PSScriptRoot\injector.ps1 $VMInfo.krb5.cred
$klistOutput = klist
$serverping = Test-Connection -ComputerName "server.pn.steinbeis.schule" -Count 2 -Quiet
if ($serverping) {
if ($klistOutput -like "*Client*") {
foreach ($Mount in $VMInfo.Mounts) {
net use /persistent:no "$($Mount.Drive):" "$($Mount.RemotePath)"
#New-SMBMapping -Localpath "$($Mount.Drive):" -Remotepath $Mount.RemotePath
Write-Host("net use $($Mount.Drive): $($Mount.RemotePath)")
}
} else {
#if (-not ($klistOutput -like "*Client*") -or (-not (Test-Path "H:"))) {
$Credential = Get-Credential -Message "Die automatische Einbindung der Netzlaufwerke ist fehlgeschlagen.`nBitte geben Sie Ihre Anmeldeinformationen für das Netzlaufwerk ein" $VMInfo.User
# Laufwerke einbinden
foreach ($Mount in $VMInfo.Mounts) {
net use /persistent:no "$($Mount.Drive):" "$($Mount.RemotePath)" /user:"$($Credential.UserName)" "$($Credential.GetNetworkCredential().Password)"
Write-Host("net use /persistent:no `"$($Mount.Drive):`" `"$($Mount.RemotePath)`"")
#New-SMBMapping -Localpath "$($Mount.Drive):" -Remotepath "$($Mount.RemotePath)" -UserName "$($Credential.UserName)" -Password "$($Credential.GetNetworkCredential().Password)"
#Write-Host("New-SMBMapping -Localpath $($Mount.Drive): -Remotepath $Mount.RemotePath")
}
}
} else {
Add-Type -AssemblyName System.Windows.Forms
$message = "Der Server kann derzeit nicht erreicht werden.`nDaher können die Netzlaufwerke derzeit nicht verbunden werden.`nVersuchen Sie es zu einem späteren Zeitpunkt erneut mit dem Skript: Netzlaufwerke-verbinden"
$title = "Server nicht erreichbar"
[System.Windows.Forms.MessageBox]::Show($message, $title, [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Warning)
}
# Ändere den Namen der Netzlaufwerke
$shell = New-Object -ComObject Shell.Application
foreach ($Mount in $VMInfo.Mounts) {
$folder = $shell.Namespace("$($Mount.Drive):")
if ($folder) {
$folder.Self.Name = $Mount.Name
Write-Host "Das Netzlaufwerk $($Mount.Drive): wurde in '$($Mount.Name)' umbenannt."
} else {
Write-Host "Fehler beim Zugriff auf das Netzlaufwerk."
}
}
# Pfade zur Schnellzugriff hinzufügen
Add-PathToQuickAccess $VMInfo.QuickAccess
# Pfade für Standardorte ändern
$regPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
foreach ($USF in $VMInfo.UserShellFolders) {
Write-Host "Set-ItemProperty -Path $regPath -Name $($USF.Name) -Value $($USF.Path)"
Set-ItemProperty -Path $regPath -Name "$($USF.Name)" -Value "$($USF.Path)"
}
# Explorer Neustart erzwingen (evtl. nicht notwendig)
Stop-Process -Name explorer -Force
# Start-Process explorer
# Bei Lehrern Papercut-Client starten
if (($VMInfo.Groups -contains "teachers") -and -not (Get-Process -Name pc-client -ErrorAction SilentlyContinue)) {
& "C:\custom\papercut\pc-client.exe" -m --user $VMInfo.User
}

BIN
misc/vm/vm-prepare-user.xml
View file

Binary file not shown.

30
misc/vm/vm-update-user.ps1
View file

@ -1,30 +0,0 @@
# Injects krb5-credential from .vminfo.json if available
# 02.07.2025 da
function Import-VMInfo {
param (
[string]$Path
)
if (Test-Path $Path) {
return Get-Content -Path $Path -Raw | ConvertFrom-Json
} else {
Write-Error "Fehler beim Einlesen der VMInfo Datei ($Path nicht gefunden)."
Write-Error "Tipp: Beim Neustart der VM wird diese Datei neu angelegt."
Pause
exit
}
}
$VMInfoPath = "Y:\.vminfo.json"
# Schleife, die auf das Laufwerk wartet
if (-not (Test-Path $VMInfoPath)) {
Write-Host "$VMInfoPath nicht gefunden. Skript beenden."
exit
}
# VMInfo aus JSON File einlesen
$VMInfo = Import-VMInfo -Path $VMInfoPath
& $PSScriptRoot\injector.ps1 $VMInfo.krb5.cred

BIN
misc/vm/vm-update-user.xml
View file

Binary file not shown.

14
roles/custom/fvs/files/lmn-patch-dolphin.sh
View file

@ -49,7 +49,7 @@ fi
patch="
--- a/$file
+++ b/$file
@@ -98,9 +98,33 @@
@@ -98,9 +98,45 @@
<isSystemItem>true</isSystemItem>
</metadata>
</info>
@ -66,6 +66,18 @@ $HOMEONSERVER
+ <isSystemItem>true</isSystemItem>
+ </metadata>
+ </info>
+ </bookmark>
+ <bookmark href=\"file:///lmn/media/$USER/nextcloud\">
+ <title>Nextcloud</title>
+ <info>
+ <metadata owner=\"http://freedesktop.org\">
+ <bookmark:icon name=\"folder-cloud\"/>
+ </metadata>
+ <metadata owner=\"http://www.kde.org\">
+ <ID>$IDENTITY/${NUM3}</ID>
+ <isSystemItem>true</isSystemItem>
+ </metadata>
+ </info>
+ </bookmark>
<bookmark href=\"remote:/\">
<title>Network</title>

2
roles/custom/fvs/files/lmn-sync
View file

@ -12,7 +12,7 @@ fi
#rsync -rlptD --chown=pgmadmin:root --chmod=F755,D755 rsync://server:/local-program/ /usr/local/lmn
RSYNC_COMMAND=$(rsync -ai --delete --exclude=mimeinfo.cache \
--chown=root:root --chmod=F644,D755 "rsync://fileserver:/desktopstarter" \
--chown=root:root --chmod=F644,D755 "rsync://server:/desktopstarter" \
/usr/local/share/applications/ | sed '/ \.\//d')
if [[ $? -eq 0 ]] && [[ -n "${RSYNC_COMMAND}" ]]; then
echo "${RSYNC_COMMAND}"

14
roles/custom/fvs/files/policies.json
View file

@ -27,7 +27,7 @@
"name": "FvS-eMail"
},
{
"url": "https://info.steinbeis.schule",
"url": "https://dw.steinbeis.schule",
"name": "FvS-Hilfesystem"
},
{
@ -35,16 +35,8 @@
"name": "FvS-Moodle"
},
{
"url": "https://cloud.steinbeis.schule",
"name": "FvS-Schulcloud"
},
{
"url": "https://nct.steinbeis.schule",
"name": "FvS-Nextcloud-Teacher (Nur für Lehrer)"
},
{
"url": "https://git.steinbeis.schule",
"name": "FvS-Git Versionsverwaltung"
"url": "https://nc.steinbeis.schule",
"name": "FvS-Nextcloud"
},
{
"url": "https://server.pn.steinbeis.schule",

19
roles/custom/fvs/tasks/main.yml
View file

@ -29,6 +29,7 @@
- elpa-magit
- emacs
- filezilla
- freeplane
- git
- git-cola
- gitg
@ -81,7 +82,7 @@
- unison-gtk
- w3m
- wireshark
# - zulucrypt-gui ## no longer in trixie
- zulucrypt-gui
autoremove: true
state: latest
environment:
@ -161,16 +162,6 @@
dest: /usr/share/plasma/shells/org.kde.plasma.desktop/contents/updates/fvs-config.js
mode: '0644'
- name: Configure default KDE applications
ansible.builtin.blockinfile:
path: /etc/xdg/mimeapps.list
create: true
mode: '0644'
block: |
[Default Applications]
x-scheme-handler/http=firefox-esr.desktop;
x-scheme-handler/https=firefox-esr.desktop;
x-scheme-handler/mailto=thunderbird.desktop;
- name: Configure some KDE aspects
ansible.builtin.blockinfile:
@ -179,11 +170,11 @@
mode: '0644'
block: |
[KDE]
#SingleClick=false
SingleClick=false
[KDE Action Restrictions][$i]
action/start_new_session=false
action/switch_user=false
#action/switch_user=false
#action/lock_screen=false
- name: Start with empty session by default
@ -229,7 +220,7 @@
ansible.builtin.blockinfile:
path: /usr/share/sddm/themes/debian-breeze/Main.qml
marker: // {mark} ANSIBLE MANAGED BLOCK
insertbefore: '^}$'
insertbefore: '\s+//Footer'
block: |
Text {
id: hostname

3
roles/lmn_finish/tasks/main.yaml
View file

@ -14,7 +14,7 @@
main non-free-firmware
state: present
update_cache: true
when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
# when: extra_pkgs_bpo|length
- name: Install extra packages from backports
ansible.builtin.apt:
@ -25,7 +25,6 @@
- "{{ extra_pkgs_bpo }}"
- "{{ extra_pkgs_bpo1 }}"
- "{{ extra_pkgs_bpo2 }}"
when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
- name: Timestamp successfull run and send up-to-date report
ansible.builtin.shell:

6
roles/lmn_kde/defaults/main.yml
View file

@ -6,7 +6,6 @@ kde_desktop_pkg:
- calligra
- codeblocks
- dia
- filius
- flameshot
- freecad
- fritzing
@ -15,9 +14,8 @@ kde_desktop_pkg:
- inkscape
- kde-full
- keepassxc
- kicad
- kicad-doc-de
- librecad
- mu-editor
- openboard
- qtcreator
- spyder
@ -36,5 +34,3 @@ kde_desktop_pkg:
- xdg-desktop-portal-kde
- xdg-desktop-portal-wlr # share screen in browser
- xournalpp
kde_desktop_pkg_bpo: [ ]

11
roles/lmn_kde/tasks/main.yml
View file

@ -8,14 +8,19 @@
repo: deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main non-free-firmware
state: present
update_cache: true
when: kde_desktop_pkg_bpo | length > 0
- name: Install extra packages from backports
ansible.builtin.apt:
name: "{{ kde_desktop_pkg_bpo }}"
name:
- filius
- kicad
- kicad-doc-de
- libreoffice
- libreoffice-l10n-de
- libreoffice-qt5
state: latest # noqa package-latest
autoremove: true
default_release: "{{ ansible_distribution_release }}-backports"
when: kde_desktop_pkg_bpo | length > 0
- name: Create akonadi config dir

2
roles/lmn_localhome/tasks/main.yml
View file

@ -9,7 +9,7 @@
ansible.builtin.blockinfile:
path: /usr/share/sddm/themes/debian-breeze/Main.qml
marker: // {mark} ANSIBLE MANAGED BLOCK localhome
insertbefore: '^}$'
insertbefore: '\s+//Footer'
block: |
Text {
id: localhome

2
roles/lmn_misc/tasks/main.yml
View file

@ -98,7 +98,7 @@
export superusers
password_pbkdf2 root {{ grub_pwd }}
notify: Run update-grub
when: grub_pwd | bool | default(false)
when: grub_pwd|default(false)
- name: Allow booting grub menu entries
ansible.builtin.lineinfile:

4
roles/lmn_network/tasks/main.yml
View file

@ -5,14 +5,14 @@
mode: '0644'
content: >
{{ apt_conf }}
when: apt_conf | bool | default(false)
when: apt_conf|default(false)
- name: Set NTP server
ansible.builtin.lineinfile:
path: /etc/systemd/timesyncd.conf
insertafter: '^#NTP='
line: NTP={{ ntp_serv }}
when: ntp_serv | bool | default(false)
when: ntp_serv|default(false)
- name: Add proposed-updates repository
ansible.builtin.apt_repository:

2
roles/lmn_printer/tasks/main.yml
View file

@ -37,7 +37,7 @@
line: "SystemGroup root lpadmin {{ printer_admin_group }}"
regexp: '^SystemGroup'
state: present
when: printer_admin_group | length > 0
when: printer_admin_group | length
- name: Disable cups-browsed
ansible.builtin.systemd:

1
roles/lmn_sssd/templates/sssd.conf.j2
View file

@ -17,7 +17,6 @@ ad_gpo_access_control = disabled
ad_gpo_ignore_unreadable = True
ad_maximum_machine_account_password_age = 0
ignore_group_members = True
krb5_renew_interval = 1h
{% if localhome is defined and localhome %}
override_homedir = /home/%u
{% endif %}

5
roles/lmn_vm/files/vm-link-images
View file

@ -19,9 +19,8 @@ done
shift "$((OPTIND -1))"
# link system-VM-Images to User VM Directory
for filename in "$@"; do
filename="$(basename ${filename})"
[[ -f "${VM_DIR}/${filename}" ]] || ln "${filename}" "${VM_DIR}/${filename}"
for i in *.qcow2; do
[[ -f "${VM_DIR}/${i}" ]] || ln "${i}" "${VM_DIR}/${i}"
done
# allow lmnsynci to remove old vm images

87
roles/lmn_vm/files/vm-run
View file

@ -90,21 +90,17 @@ create_clone() {
local VM_NAME="$1"
if ! [[ -f "${VM_SYSDIR}/${VM_NAME}.qcow2" || -f "${VM_DIR}/${VM_NAME}.qcow2" ]]; then
echo "qcow2 File does not exists." >&2
exit 1
echo "qcow2 File does not exists." >&2
exit 1
fi
# Create User-VM-Dir and link system VM-Images
[[ -d "${VM_DIR}" ]] || mkdir -p "${VM_DIR}"
IMAGE="${VM_NAME}.qcow2"
while [[ -n ${IMAGE} ]]; do
if [[ "${PERSISTENT}" -eq 1 ]]; then
sudo /usr/local/bin/vm-link-images -p "${IMAGE}"
else
sudo /usr/local/bin/vm-link-images "${IMAGE}"
fi
IMAGE="$(qemu-img info -U "${VM_DIR}/${IMAGE}" | grep "^backing file:" | cut -d ' ' -f 3)"
done
if [[ "${PERSISTENT}" -eq 1 ]]; then
sudo /usr/local/bin/vm-link-images -p
else
sudo /usr/local/bin/vm-link-images
fi
# Create backing file
cd "${VM_DIR}"
@ -134,30 +130,18 @@ create_printerlist() {
}
create_mountlist() {
NETHOMEPART="${NETHOME#/srv/samba/schools}"
cat << EOF > "${VMINFO_DIR}/.mounts.csv"
Drive;Remotepath
H;\\\\server.pn.steinbeis.schule${NETHOMEPART//\//\\}
T;\\\\server.pn.steinbeis.schule\\default-school\\share
EOF
echo "${USER}" > "/${VMINFO_DIR}/.user"
}
start_virtiofs_service() {
local target_name=$1
local shared_dir=$2
local drive_letter=$3
local socket="/run/user/${UID}/virtiofs-${VM_NAME}-${target_name,,}.sock"
systemd-run --user /usr/local/bin/virtiofsd --uid-map=":${GUEST_UID}:${UID}:1:" --gid-map=":${GUEST_GID}:$(id -g):1:" \
--socket-path "${socket}" --shared-dir "${shared_dir}" --syslog
if [[ $? -ne 0 ]]; then
echo "Error starting virtiofsd for ${target_name}." >&2
return 1
if id | grep -q teachers; then
NETHOME=/srv/samba/schools/default-school/teachers/$USER
else
NETHOME=(/srv/samba/schools/default-school/students/*/"$USER")
fi
LIBVIRTOPTS="${LIBVIRTOPTS} --filesystem driver.type=virtiofs,accessmode=passthrough,target.dir=${target_name},xpath1.set=./source/@socket=${socket}"
NETHOME="${NETHOME#/srv/samba/schools}"
cat << EOF > "/lmn/media/${USER}/.mounts.csv"
Drive;Remotepath
H;\\\\10.190.1.1${NETHOME//\//\\}
T;\\\\10.190.1.1\default-school\share
EOF
echo "${USER}" > "/lmn/media/${USER}/.user"
}
start_virtiofsd() {
@ -167,17 +151,9 @@ start_virtiofsd() {
[[ "$GUEST_GID" == 0 ]] && GUEST_GID=1010
fi
# END temporary fix
# start_virtiofs_service "VM-Data" "/lmn/media/${USER}" "Y"
# start_virtiofs_service "default-school" "/srv/samba/schools/default-school" "Y"
# Home@PC / VM-Data
# if the environment variable VMLEGACY is set, /lmn/media/USER is forced
if [[ "${HOME}" != "${NETHOME}" && ! -v VMLEGACY ]]; then
start_virtiofs_service "Home_Linux" "${HOME}" "Y"
else
start_virtiofs_service "VM-Data" "/lmn/media/${USER}" "Y"
fi
socket="/run/user/$(id -u $USER)/virtiofs-${VM_NAME}.sock"
systemd-run --user /usr/local/bin/virtiofsd --uid-map=:${GUEST_UID}:${UID}:1: --gid-map=:${GUEST_GID}:$(id -g):1: \
--socket-path "$socket" --shared-dir "/lmn/media/${USER}" --syslog
}
ask_really_persistent() {
@ -240,7 +216,7 @@ while true; do
shift
;;
-o | --options )
LIBVIRTOPTS="${LIBVIRTOPTS} $2"
LIBVIRTOPTS=$2
shift 2
;;
--no-viewer )
@ -291,7 +267,6 @@ while true; do
type="ethernet,mac=${mac},target.dev=${interface},xpath1.set=./target/@managed=no,model.type=virtio"
LIBVIRTOPTS="${LIBVIRTOPTS} --network type=$type"
done
LIBVIRTOPTS="${LIBVIRTOPTS} --check mac_in_use=off"
shift
;;
--os )
@ -340,33 +315,18 @@ if ! virsh --connect="${QEMU}" list | grep "${VM_NAME}-clone"; then
check_images
fi
if [[ "${NEWCLONE}" = 1 ]] || [[ ! -f "${VM_DIR}/${VM_NAME}-clone.qcow2" ]]; then
create_clone "${VM_NAME}"
create_clone "${VM_NAME}"
fi
# delete the old vm
virsh --connect=qemu:///session undefine --nvram "${VM_NAME}-clone" || echo "${VM_NAME}-clone did not exist"
#trap exit_script SIGHUP SIGINT SIGTERM
if id | grep -q teachers; then
NETHOME=/srv/samba/schools/default-school/teachers/$USER
else
NETHOME=(/srv/samba/schools/default-school/students/*/"$USER")
fi
if [[ "${HOME}" != "${NETHOME}" ]]; then
VMINFO_DIR="${HOME}"
else
VMINFO_DIR="/lmn/media/${USER}"
fi
create_printerlist
create_mountlist
# start virtiofsd-service
[[ "${QEMU}" = 'qemu:///session' ]] && start_virtiofsd
# Create VMInfo Json file
#( umask 027; ./vm-create-vminfo > "${VMINFO_DIR}/.vminfo.json" )
# Start vminfo.timer
systemctl --user restart vminfo.timer
uuid=$(openssl rand -hex 16)
uuid="${uuid:0:8}-${uuid:8:4}-${uuid:12:4}-${uuid:16:4}-${uuid:20:12}"
@ -388,6 +348,7 @@ if ! virsh --connect="${QEMU}" list | grep "${VM_NAME}-clone"; then
--memorybacking source.type=memfd,access.mode=shared \
--disk "${VM_DIR}/${VM_NAME}-clone.qcow2",driver.discard=unmap,target.bus=scsi,cache=writeback \
--network=bridge=virbr0,model.type=virtio \
--filesystem driver.type=virtiofs,accessmode=passthrough,target.dir=virtiofs,xpath1.set=./source/@socket="/run/user/${UID}/virtiofs-${VM_NAME}.sock" \
--controller type=scsi,model=virtio-scsi \
--check path_in_use=off \
--connect="${QEMU}" \

114
roles/lmn_vm/files/vm-vminfo
View file

@ -1,114 +0,0 @@
#!/usr/bin/python3
import argparse
import struct
import subprocess
import json
import sys
from os import environ,path
from impacket.krb5.ccache import CCache
from base64 import b64encode
home = ""
nethome = ""
vminfo = {}
def get_printers():
printers = []
try:
result = subprocess.run(['lpstat', '-v'], capture_output=True, text=True, check=True)
for line in result.stdout.splitlines():
# Extrahiere den Druckernamen
printer_name = line.split()[2].rstrip(':')
ipp_url = f"ipp://192.168.122.1/printers/{printer_name}"
printer = { 'Name': printer_name, 'IppURL': ipp_url }
printers.append(printer)
return printers
except subprocess.CalledProcessError as e:
sys.stderr.write(f"Fehler beim Abrufen der Drucker: {e}")
return []
def get_groups(username):
try:
result = subprocess.run(['id', '-Gnz', username], capture_output=True, text=True, check=True)
groups = result.stdout.strip().split('\0')
return groups
except subprocess.CalledProcessError as e:
sys.stderr.write(f"Fehler beim Abrufen der Gruppen: {e}")
return []
def get_krb5 ():
krb5 = {}
ccachefilename = environ.get('KRB5CCNAME').replace('FILE:', '')
if ccachefilename:
try:
ccache = CCache.loadFile(ccachefilename)
cred = ccache.toKRBCRED()
cred_enc = b64encode(cred)
krb5['cred'] = cred_enc.decode('utf-8')
krb5['starttime'] = ccache.credentials[0]['time']['starttime']
krb5['endtime'] = ccache.credentials[0]['time']['endtime']
krb5['renew_till'] = ccache.credentials[0]['time']['renew_till']
except:
sys.stderr.write("Fehler beim Ticket laden")
return krb5
def get_mounts():
mounts = []
mounts.append({ 'Drive': 'H', 'RemotePath': '\\\\server.pn.steinbeis.schule' + nethome.replace('/srv/samba/schools','').replace('/','\\'), 'Name': 'Home_Server' })
mounts.append({ 'Drive': 'T', 'RemotePath': '\\\\server.pn.steinbeis.schule\default-school\share', 'Name': 'Tausch' })
return mounts
def get_user_folders():
HOME="H:"
if environ.get('HOME') != nethome:
HOME="Y:"
folders = []
folders.append( {'Name': 'Personal', 'Path': f"{HOME}\Dokumente"} )
folders.append( {'Name': 'My Pictures', 'Path': f"{HOME}\Bilder"} )
folders.append( {'Name': 'My Music', 'Path': f"{HOME}\Musik"} )
folders.append( {'Name': 'My Video', 'Path': f"{HOME}\Videos"} )
return folders
def get_quickaccess():
quickaccess = []
quickaccess.append( 'H:\\transfer' )
return quickaccess
def parse_args():
parser = argparse.ArgumentParser()
#parser.add_argument('input_file', help="File in kirbi (KRB-CRED) or ccache format")
#parser.add_argument('output_file', help="Output file")
return parser.parse_args()
def main():
global home, nethome
args = parse_args()
home = environ.get('HOME')
vminfo['User'] = environ.get('USER')
vminfo['Groups'] = get_groups(environ.get('USER'))
if 'teachers' in vminfo['Groups']:
nethome = f"/srv/samba/schools/default-school/teachers/{vminfo['User']}"
else:
result = subprocess.run(['find', '/srv/samba/schools/default-school/students/', '-name', vminfo['User'], '-maxdepth', '2', '-type', 'd'], capture_output=True, text=True, check=False)
nethome = result.stdout.splitlines()[0]
vminfo['Printers'] = get_printers()
vminfo['krb5'] = get_krb5()
vminfo['Mounts'] = get_mounts()
vminfo['UserShellFolders'] = get_user_folders()
vminfo['QuickAccess'] = get_quickaccess()
vminfo_json = json.dumps(vminfo, ensure_ascii=False, indent=4)
print(vminfo_json)
if __name__ == '__main__':
main()

52
roles/lmn_vm/tasks/main.yml
View file

@ -18,9 +18,7 @@
- mktorrent
- libvirt-daemon-system
- virt-manager
- virt-viewer
- dialog # for vm-netboot menu
- python3-impacket
# - name: allow all users to use VMs
# lineinfile:
@ -29,6 +27,32 @@
# insertafter: '#auth_unix_rw = "polkit"'
# notify: reload libvirtd
- name: Configure pam_mount for VM bind mounts
ansible.builtin.blockinfile:
dest: /etc/security/pam_mount.conf.xml
marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mounts for VMs) -->"
block: |
<!-- bind mounts for the VMs, setting gid here does not work -->
<volume
path="~"
mountpoint="/lmn/media/%(USER)/home"
options="bind"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
</volume>
<volume
path="/srv/samba/schools/default-school/share"
mountpoint="/lmn/media/%(USER)/share"
options="bind"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
</volume>
<volume
path="/srv/samba/schools/default-school"
mountpoint="/lmn/media/%(USER)/school"
options="bind"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
</volume>
insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"
- name: Use umount script for proper cleanup
ansible.builtin.blockinfile:
dest: /etc/security/pam_mount.conf.xml
@ -125,7 +149,6 @@
- vm-sync
- vm-link-images
- vm-virtiofsd
- vm-vminfo
- virtiofsd
- vm-aria2
- uploadseed
@ -213,26 +236,3 @@
src: vm-netboot
dest: /usr/local/bin/
mode: '0755'
- name: Provide vminfo service
ansible.builtin.copy:
content: |
[Unit]
Description=Create .vminfo.json for VMs
[Service]
Type=simple
ExecStart=/usr/bin/bash -c 'umask 027; /usr/local/bin/vm-vminfo > "{% if localhome %}/home{% else %}/lmn/media{% endif %}/${USER}/.vminfo.json"'
dest: /etc/systemd/user/vminfo.service
mode: '0644'
- name: Provide vminfo timer
ansible.builtin.copy:
content: |
[Unit]
Description=Timer for vm-info
[Timer]
OnActiveSec=0s
OnUnitActiveSec=1h
Persistent=true
dest: /etc/systemd/user/vminfo.timer
mode: '0644'

22
roles/lmn_vpn/files/10-lmn-mount.sh
View file

@ -13,32 +13,30 @@ if [[ "$CONNECTION_ID" = "VPN-Schule" ]]; then
# Exit if server is already mounted
findmnt /srv/samba/schools/default-school > /dev/null && exit 0
counter=1
while ! klist -s -c "${KRB5CCNAME}"; do
(( counter > 30 )) && exit 0
echo "KRB5-Ticket is expired. Sleep 1 seconds and hope it will be renewed after." >&2
# if (( counter == 10 )); then
# echo "try to renew KRB5-Ticket" >&2
# sudo -u "${USERNAME}" kinit -R -c "${KRB5CCNAME}"
# fi
sleep 1
((counter++))
done
if ! klist -s -c "${KRB5CCNAME}"; then
#echo "try to renew KRB5-Ticket" >&2
#sudo -u "${USERNAME}" kinit -R -c "${KRB5CCNAME}"
echo "KRB5-Ticket is expired. Sleep 3 seconds and hope it will be renewed after." >&2
sleep 3
fi
echo "prepare mountpoints" >&2
umask 0002
mkdir -p /srv/samba/schools/default-school
chmod 777 /srv/samba/schools/default-school
mkdir -p "/lmn/media/${USERNAME}/share"
mount -t cifs //server/default-school/ /srv/samba/schools/default-school \
-o "sec=krb5i,cruid=${USERID},user=${USERNAME},uid=${USERID},gid=${GROUPID},file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600,cache=loose,echo_interval=10"
echo "after mount" >&2
mount --bind /srv/samba/schools/default-school/share "/lmn/media/${USERNAME}/share"
SUDO_USER=$USERNAME /usr/local/bin/install-printers.sh
elif [[ "$NM_DISPATCHER_ACTION" = "pre-down" ]]; then
# FIXME: Only umount server when Wireguard-Connection was the only connection to server.
# Dirty fix (works only in fvs-IP-Range)
if ! (ip r s | grep "10.190." | grep -v wg0); then
echo "Try to umount server"
echo "Try to umount server shares"
umount "/lmn/media/${USERNAME}/share"
umount /srv/samba/schools/default-school
fi
fi

3
roles/lmn_vpn/files/mountserver
View file

@ -3,6 +3,7 @@ set -eu
exit_script() {
echo "unmounting media - terminated by trap!" >> "/tmp/${SUDO_UID}-exit-mount.log"
findmnt "/lmn/media/${SUDO_USER}/share" && umount "/lmn/media/${SUDO_USER}/share"
findmnt "/srv/samba/schools/default-school" && umount "/srv/samba/schools/default-school"
trap - SIGHUP SIGINT SIGTERM # clear the trap
kill -- -$$ # Sends SIGTERM to child/sub processes
@ -13,9 +14,11 @@ findmnt /srv/samba/schools/default-school > /dev/null && exit 0
umask 0002
mkdir -p /srv/samba/schools/default-school
chmod 777 /srv/samba/schools/default-school
mkdir -p "/lmn/media/${SUDO_USER}/share"
mount -t cifs //server/default-school/ /srv/samba/schools/default-school \
-o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=${SUDO_GID},file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600,cache=loose,echo_interval=10"
mount --bind /srv/samba/schools/default-school/share "/lmn/media/${SUDO_USER}/share"
echo "Einbindung erfolgreich!"
echo "Dieses Fenster bitte nicht schließen!"

8
roles/lmn_vpn/tasks/wg_config.yml
View file

@ -5,7 +5,7 @@
- wireguard
- name: Check if wg_server is reachable
ansible.builtin.command: echo "reachable"
ansible.builtin.command: echo "Test if wg_server is reachable"
delegate_to: wireguard_server
register: result
changed_when: false
@ -17,12 +17,10 @@
* server not reachable
* no matching ssh-key
changed_when: true
when: result.stdout is not defined or result.stdout!="reachable"
when: result.unreachable is defined and result.unreachable
- name: Configure WG Server
when:
- result.stdout is defined and result.stdout=="reachable"
- not run_in_installer|default(false)|bool
when: result.unreachable is not defined or not result.unreachable
block:
- name: Set facts wg_clientname
ansible.builtin.set_fact:

7
roles/lmn_wlan/tasks/eap-tls_check-certificate.yaml
View file

@ -27,7 +27,7 @@
when: cert_client_active.stat.exists
- name: Check if radius-server is reachable
ansible.builtin.command: echo "reachable"
ansible.builtin.command: echo "Test if radius-server is reachable"
delegate_to: radius_server
register: radius_reachable
changed_when: false
@ -40,13 +40,12 @@
- "* server not reachable"
- "* no matching ssh-key"
changed_when: true
when: radius_reachable.stdout is not defined or radius_reachable.stdout!='reachable'
when: radius_reachable.unreachable is defined and radius_reachable.unreachable
- name: Issue radius certificate
ansible.builtin.include_tasks: eap-tls_issue-certificate.yaml
when:
- radius_reachable.stdout is defined and radius_reachable.stdout=="reachable"
- not run_in_installer|default(false)|bool
- radius_reachable.unreachable is not defined or not radius_reachable.unreachable
- |
( not cert_client_active.stat.exists ) or
(cert_serial.stdout | replace('serial=','') | int(base=16) ) in ( radius_crl.revoked_certificates | map(attribute='serial_number') | list ) or

1
roles/lmn_wlan/tasks/eap-tls_issue-certificate.yaml
View file

@ -105,7 +105,6 @@
ansible.builtin.systemd:
name: iwd.service
enabled: false
failed_when: false
- name: Remove deprecated NetworkManager config
ansible.builtin.blockinfile:

1
roles/lmn_wlan/tasks/main.yaml
View file

@ -3,6 +3,7 @@
- name: Install packages related to wifi
ansible.builtin.apt:
name:
- systemd-resolved
- firmware-realtek # for our wifi sticks
- name: Provide service to enable WiFi on boot