Compare commits

..

No commits in common. "main" and "fvs" have entirely different histories.
main ... fvs

19 changed files with 696 additions and 800 deletions

View file

@ -1,12 +1,6 @@
# Installation on existing client
A straightforward way to test the lmn-client is to manually run the playbook on a freshly installed client.
This can be done in the following ways:
On the client using ansible-pull
On the client by checking out the lmn-client repository and running the playbook locally
On a target device by checking out the lmn-client repository locally and executing the playbook against the target device
An easy method to test the lmn-client is to run the playbook manual on a fresh installed client.
## Direct call via ansible-pull
@ -18,7 +12,7 @@ Steps:
* Install additional packages: ansible
`sudo apt install ansible`
* Run Playbook
`sudo ansible-pull --verbose -i inventory-sample.yml -l localhost --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main lmn-client.yml`
`ansible-pull -i inventory.yml -l localhost, --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main lmn-client.yml`
## Checkout git and run ansible locally
@ -32,10 +26,8 @@ Steps:
`sudo apt install ansible git`
* Checkout Repository
`git clone https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git`
* Change into repository directory
`cd lmn-client`
* Create inventory
`cp inventory-sample.yml inventory-myschool.yml`
`cp inventory.yml inventory-myschool.yml`
* Edit inventory-myschool.yml
e.g.: `nano inventory-myschool.yml`
* Run Playbook

View file

@ -3,27 +3,14 @@
* **Using DigitalSouveraeneSchule repository and LinuxMuster.Net tftp**
Simplest solution. Playbook and default inventory from DigitalSouveraeneSchule codeberg repository.
Linux kernel and initial Ramdisk from debian repository.
Client must have access to the internet (noproxy group).
* **Using your own repository and LinuxMuster.Net tftp**
Here you can use your own inventory and make many custom settings.
Linux kernel and initial Ramdisk from debian repository.
Client must have access to the internet (noproxy group).
* **Using your own repository and livebox tftp**
Additional kernel and Ramdisk from your own infrastrukture.
Client does not need direct internet access.
## Using codeberg repository and LinuxMuster.Net tftp
### Requirements / firewall settings
The computer on which the linuxclient is to be installed must have access to the Internet (add host to noproxy group)
The following resources are downloaded from the internet:
* The repository is provided by codeberg.org
* the Linux kernel, the initial ramdisk and the installation files are loaded from debian.org.
* mscorefonts from Microsoft
### Modification LinuxMuster.Net server
Create grub config for device group `lmnclient` on your schools server:
@ -38,12 +25,9 @@ set default=1
menuentry 'Installer Debian bookworm (amd64) + preseed + ansible inventory' {
echo -n "Enter domain join password: "
read adpw
set vaultpw="dummy"
# echo -n "Enter vault password"
# read vaultpw
linux (http,ftp.debian.org)/debian/dists/stable/main/installer-amd64/current/images/netboot/debian-installer/amd64/linux auto=true priority=high \
url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client/raw/branch/main/misc/preseed.cfg interface=auto \
playbook=lmn-client.yml adpw="${adpw}" vaultpw="${vaultpw}" ---
url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client/raw/branch/fvs/misc/preseed.cfg interface=auto \
playbook=lmn-client.yml adpw="${adpw}" ---
initrd (http,ftp.debian.org)/debian/dists/stable/main/installer-amd64/current/images/netboot/debian-installer/amd64/initrd.gz
}
```
@ -63,52 +47,4 @@ classroom;mypc01;lmnclient;F2:81:6B:C9:E3:EF;10.0.5.51;;;;classroom-studentcompu
* confirm `hostname` and `domain` (you will be asked in network setup)
* ... Get a cup of coffee ... wait until reboot ... login (Logging in may take a few minutes after installation)
## Using your own repository and LinuxMuster.Net tftp
If you fork the lmn-client repository, you can customize the preseeding and inventory to your needs.
Use the instructions in the previous section and customize the repository in `/srv/linbo/boot/grub/lmnclient.cfg`.
It makes sense to encrypt your inventory via `ansible-vault`.
When using encrypted inventories you have to provide the vault password by commenting in the two lines in the `/srv/linbo/boot/grub/lmnclient.cfg`.
## Using your own repository and livebox tftp
The next improvement will be to use your own livebox with following functionalities:
* Providing linux kernel and initial ramdisk for installer
* Can be used as cache for debian packages (aptcacher)
* Can provide mscorefonts and libdvdcss (multimedia codecs)
* Can be used to boot live systems (netboot) via pxe
### Installing the livebox server
* Install debian VM and configure network
* Install additional packages: ansible
`sudo apt install ansible`
* Run livebox playbook
`ansible-pull -i localhost, --url=https://salsa.debian.org/andi/debian-lan-ansible.git -C master livebox.yml`
* Set DNS entry for your new livebox server
### Modification LinuxMuster.Net server
The file `/srv/linbo/boot/grub/lmnclient.cfg` might look like this:
```
# ### NOT managed by linuxmuster.net ###
# edit to your needs
set default=1
menuentry 'Installer Debian bookworm (amd64) + preseed + ansible inventory' {
echo -n "Enter domain join password: "
read adpw
set vaultpw="dummy"
# echo -n "Enter vault password"
# read vaultpw
linux (http,livebox.example.com)/d-i/n-pkg/images/12/amd64/text/debian-installer/amd64/linux auto=true priority=high \
url=https://codeberg.org/MySchool/lmn-client/raw/branch/main/misc/preseed-myschool.cfg interface=auto \
playbook=lmn-client.yml adpw="${adpw}" vaultpw="${vaultpw}" ---
initrd (http,livebox.example.com)/d-i/n-pkg/images/12/amd64/text/debian-installer/amd64/initrd.gz
}
```
## Using your own livebox server

View file

@ -2,9 +2,10 @@
all:
vars:
domain: "{{ ansible_domain }}"
# Comment out on productive systems when ssh key is provided
security_defaultuser_login_disable: false
kde_desktop_pkg:
- akonadi-backend-sqlite
## Proxy configuration (see: doc/localproxy.md)
# localproxy: true
@ -58,6 +59,7 @@ all:
# - vim
# - mc
# - tmux
# - debconf-utils
## WLAN configuration (see: doc/vpn.md):
##
@ -103,7 +105,6 @@ all:
hosts:
localhost:
ansible_connection: local
laptops:
children:

File diff suppressed because it is too large Load diff

View file

@ -50,11 +50,13 @@ d-i apt-setup/contrib boolean true
d-i mirror/country string manual
d-i mirror/http/hostname string deb.debian.org
d-i mirror/http/directory string /debian
#d-i mirror/http/proxy string http://aptcache.pn.steinbeis.schule:3142/
d-i mirror/http/proxy string
#d-i mirror/http/proxy string http://10.167.0.253:3142/
#d-i mirror/http/proxy string http://192.168.1.17:3142/
#d-i mirror/http/proxy string http://aptcache.steinbeisschule-reutlingen.de:3142/
d-i mirror/http/proxy string http://aptcache.pn.steinbeis.schule:3142/
# NTP server to use:
#d-i clock-setup/ntp-server string server.pn.steinbeis.schule
d-i clock-setup/ntp-server string server.pn.steinbeis.schule
### Backports:
#apt-setup-udeb apt-setup/services-select multiselect security, updates, backports
@ -127,9 +129,10 @@ d-i preseed/late_command string \
in-target mount -v -t tmpfs tmpfs /dev/shm ; \
echo "$vaultpw" > /target/dev/shm/vaultpw ; \
in-target ansible-pull --verbose --purge --extra-vars="run_in_installer=true" \
--vault-password-file /dev/shm/vaultpw -l localhost \
-i inventory-sample.yml --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C main $playbook ; \
-l localhost \
-i inventory-sample.yml --url=https://codeberg.org/DigitalSouveraeneSchule/lmn-client.git -C fvs $playbook ; \
fi
## --vault-password-file /dev/shm/vaultpw -l localhost \
#
## When installing in combination with ansible-pull,
## export your ansible playbook like:

View file

@ -220,7 +220,7 @@
ansible.builtin.blockinfile:
path: /usr/share/sddm/themes/debian-breeze/Main.qml
marker: // {mark} ANSIBLE MANAGED BLOCK
insertbefore: '^}$'
insertbefore: '\s+//Footer'
block: |
Text {
id: hostname

View file

@ -14,7 +14,7 @@
main non-free-firmware
state: present
update_cache: true
when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
# when: extra_pkgs_bpo|length
- name: Install extra packages from backports
ansible.builtin.apt:
@ -25,7 +25,6 @@
- "{{ extra_pkgs_bpo }}"
- "{{ extra_pkgs_bpo1 }}"
- "{{ extra_pkgs_bpo2 }}"
when: extra_pkgs_bpo | length > 0 or extra_pkgs_bpo1 | length > 0 or extra_pkgs_bpo2 | length > 0
- name: Timestamp successfull run and send up-to-date report
ansible.builtin.shell:

View file

@ -6,7 +6,6 @@ kde_desktop_pkg:
- calligra
- codeblocks
- dia
- filius
- flameshot
- freecad
- fritzing
@ -15,9 +14,8 @@ kde_desktop_pkg:
- inkscape
- kde-full
- keepassxc
- kicad
- kicad-doc-de
- librecad
- mu-editor
- openboard
- qtcreator
- spyder
@ -36,5 +34,3 @@ kde_desktop_pkg:
- xdg-desktop-portal-kde
- xdg-desktop-portal-wlr # share screen in browser
- xournalpp
kde_desktop_pkg_bpo: [ ]

View file

@ -8,14 +8,19 @@
repo: deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main non-free-firmware
state: present
update_cache: true
when: kde_desktop_pkg_bpo | length > 0
- name: Install extra packages from backports
ansible.builtin.apt:
name: "{{ kde_desktop_pkg_bpo }}"
name:
- filius
- kicad
- kicad-doc-de
- libreoffice
- libreoffice-l10n-de
- libreoffice-qt5
state: latest # noqa package-latest
autoremove: true
default_release: "{{ ansible_distribution_release }}-backports"
when: kde_desktop_pkg_bpo | length > 0
- name: Create akonadi config dir

View file

@ -9,7 +9,7 @@
ansible.builtin.blockinfile:
path: /usr/share/sddm/themes/debian-breeze/Main.qml
marker: // {mark} ANSIBLE MANAGED BLOCK localhome
insertbefore: '^}$'
insertbefore: '\s+//Footer'
block: |
Text {
id: localhome

View file

@ -98,7 +98,7 @@
export superusers
password_pbkdf2 root {{ grub_pwd }}
notify: Run update-grub
when: grub_pwd | bool | default(false)
when: grub_pwd|default(false)
- name: Allow booting grub menu entries
ansible.builtin.lineinfile:

View file

@ -5,14 +5,14 @@
mode: '0644'
content: >
{{ apt_conf }}
when: apt_conf | bool | default(false)
when: apt_conf|default(false)
- name: Set NTP server
ansible.builtin.lineinfile:
path: /etc/systemd/timesyncd.conf
insertafter: '^#NTP='
line: NTP={{ ntp_serv }}
when: ntp_serv | bool | default(false)
when: ntp_serv|default(false)
- name: Add proposed-updates repository
ansible.builtin.apt_repository:

View file

@ -37,7 +37,7 @@
line: "SystemGroup root lpadmin {{ printer_admin_group }}"
regexp: '^SystemGroup'
state: present
when: printer_admin_group | length > 0
when: printer_admin_group | length
- name: Disable cups-browsed
ansible.builtin.systemd:

View file

@ -216,7 +216,7 @@ while true; do
shift
;;
-o | --options )
LIBVIRTOPTS="${LIBVIRTOPTS} $2"
LIBVIRTOPTS=$2
shift 2
;;
--no-viewer )
@ -267,7 +267,6 @@ while true; do
type="ethernet,mac=${mac},target.dev=${interface},xpath1.set=./target/@managed=no,model.type=virtio"
LIBVIRTOPTS="${LIBVIRTOPTS} --network type=$type"
done
LIBVIRTOPTS="${LIBVIRTOPTS} --check mac_in_use=off"
shift
;;
--os )

View file

@ -18,7 +18,6 @@
- mktorrent
- libvirt-daemon-system
- virt-manager
- virt-viewer
- dialog # for vm-netboot menu
# - name: allow all users to use VMs

View file

@ -5,7 +5,7 @@
- wireguard
- name: Check if wg_server is reachable
ansible.builtin.command: echo "reachable"
ansible.builtin.command: echo "Test if wg_server is reachable"
delegate_to: wireguard_server
register: result
changed_when: false
@ -17,12 +17,10 @@
* server not reachable
* no matching ssh-key
changed_when: true
when: result.stdout is not defined or result.stdout!="reachable"
when: result.unreachable is defined and result.unreachable
- name: Configure WG Server
when:
- result.stdout is defined and result.stdout=="reachable"
- not run_in_installer|default(false)|bool
when: result.unreachable is not defined or not result.unreachable
block:
- name: Set facts wg_clientname
ansible.builtin.set_fact:

View file

@ -27,7 +27,7 @@
when: cert_client_active.stat.exists
- name: Check if radius-server is reachable
ansible.builtin.command: echo "reachable"
ansible.builtin.command: echo "Test if radius-server is reachable"
delegate_to: radius_server
register: radius_reachable
changed_when: false
@ -40,13 +40,12 @@
- "* server not reachable"
- "* no matching ssh-key"
changed_when: true
when: radius_reachable.stdout is not defined or radius_reachable.stdout!='reachable'
when: radius_reachable.unreachable is defined and radius_reachable.unreachable
- name: Issue radius certificate
ansible.builtin.include_tasks: eap-tls_issue-certificate.yaml
when:
- radius_reachable.stdout is defined and radius_reachable.stdout=="reachable"
- not run_in_installer|default(false)|bool
- radius_reachable.unreachable is not defined or not radius_reachable.unreachable
- |
( not cert_client_active.stat.exists ) or
(cert_serial.stdout | replace('serial=','') | int(base=16) ) in ( radius_crl.revoked_certificates | map(attribute='serial_number') | list ) or

View file

@ -105,7 +105,6 @@
ansible.builtin.systemd:
name: iwd.service
enabled: false
failed_when: false
- name: Remove deprecated NetworkManager config
ansible.builtin.blockinfile:

View file

@ -3,6 +3,7 @@
- name: Install packages related to wifi
ansible.builtin.apt:
name:
- systemd-resolved
- firmware-realtek # for our wifi sticks
- name: Provide service to enable WiFi on boot