---
all:
  vars:
    ## Domain used to build the example host names below; taken from the
    ## `ansible_domain` fact.
    domain: "{{ ansible_domain }}"

    ## Comment out on production systems once an SSH key is provided
    ## (see `keys2deploy` below).
    ## NOTE(review): `false` presumably leaves the default user's login
    ## enabled, and commenting the line out falls back to the role default.
    ## Confirm against the role before relying on it.
    security_defaultuser_login_disable: false

    ## Proxy configuration (see: doc/localproxy.md)
    # localproxy: true
    # no_proxy: "firewall.{{ domain }},server.{{ domain }},.{{ domain }}"

    # kerberize_uris: "idam.{{ domain }}, server.{{ domain }}, *.{{ domain }}"

    ## Configure additional apt options, e.g. an apt-cacher proxy:
    # apt_conf: "Acquire::http::Proxy \"http://aptcache.{{ domain }}:3142/\";"

    ## Configure NTP server
    # ntp_serv: "server.{{ domain }}"

    ## NFS server for an additional mount. Comment out or leave empty to use no additional NFS server:
    # nfs_server: "files.{{ domain }}"

    ## List of print servers. The order of the print servers determines which print server the printer will be installed from:
    # printservers:
    #   - "server.{{ domain }}"
    #   - "print.{{ domain }}"

    ## PAM mount nextcloud. Comment out or leave empty to skip:
    # web_dav: "https://nc.{{ domain }}/remote.php/dav/files/%(USER)"

    ## Local mirror for mscorefonts. Comment out or leave empty to use no mirror:
    ## NOTE(review): this example URL and the libdvdcss one below use plain
    ## HTTP. Unless the installing role verifies a checksum or signature of
    ## the download, serve the mirror over HTTPS. Confirm what the role does.
    # mirror_msfonts: "http://livebox.{{ domain }}/mscorefonts/"

    ## Local mirror for libdvdcss. Comment out or leave empty to use no mirror:
    # mirror_dvdcss: "http://livebox.{{ domain }}/libdvdcss/"

    ## SSH public keys to deploy:
    ## passwordless login for default-user (ansible)
    ## Every key listed here can log in as that user, so keep the list
    ## limited to current administrators.
    # keys2deploy:
    #   - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI........ admin1@example.com'
    #   - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI........ admin2@example.com'

    ## Use grub-mkpasswd-pbkdf2 to calculate the password hash.
    ## The value below is only a sample: generate a fresh hash for your own
    ## password instead of uncommenting it unchanged.
    # grub_pwd: 'grub.pbkdf2.sha512.10000.EF6E2F4F758771751EF4A8A85B1F3F25F35A3AF859DBF0BB8153D9DF6B48D27A2DCDF4ECDC0711D2A93DCBBCF2C4D6FC69D02E1179AB14B62750BDD502C81C95.442C213A064A98E5FF089F3E647C6481327750127D310ABC39596176233C0CE75311EE818EE7F77BD961BBB723A15F853DE6DDD3BF30C7273769C7AC2587CD28'

    ## Installs VM support (QEMU/KVM)
    ## Additional infrastructure (seedbox) needed. See: doc/vm.md
    ## `vm_uploadseed_pwd` below holds a placeholder secret: replace it and
    ## keep the real value out of version control (e.g. encrypt it with
    ## ansible-vault).
    ##
    # vm_support: true
    # vm_torrent_serv: "seedbox.{{ domain }}"
    # vm_uploadseed_pwd: secret = "token:topsecret"

    ## Additional packages to install
    ##
    # extra_pkgs:
    #   - vim
    #   - mc
    #   - tmux

    ## WLAN configuration (see: doc/vpn.md):
    ## The passwords in both examples (`wlan_password` and the CA `password`)
    ## are placeholders. Replace them and avoid committing the real values in
    ## clear text (e.g. encrypt them with ansible-vault).
    ##
    ## WPA Personal
    # wlan: psk
    # wlan_ssid: devicesPSK
    # wlan_password: "topsecretpasswd"
    #
    ## WPA Enterprise with EAP-TLS
    ## Additional infrastructure (radius server) needed. See: doc/vpn.md
    # wlan: eap-tls
    # wlan_ssid: devicesEAPtls
    # wlan_eap_ca:
    #   C: DE
    #   ST: Baden-Wuerttemberg
    #   L: Reutlingen
    #   O: Linuxschule
    #   emailAddress: admin@example.com
    #   CN: Radius Certificate Authority
    #   password: "secret4radiusCA"
    # wlan_eap_ca_crl: "http://radius.{{ domain }}/radius-ca.crl"

    ## VPN configuration (WireGuard)
    ## Additional infrastructure needed (see: doc/vpn.md)
    ##
    # vpn: wg # only set on hosts/groups, which will get wireguard profiles
    # wg_endpoint: "203.0.113.1:51820"
    # wg_allowed_ips: "10.0.0.0/16;"
    # wg_ip_cdr: 24
    # wg_dns: "9.9.9.9"
    # wg_dns_search: "{{ domain }}"

    ## Reporter service
    ## Enable automatic reports
    # misc_reporter: true
    ## Server to which reports should be sent. If you don't want to use reporting, this can be empty:
    # misc_reporter_serv: "collector.{{ domain }}"

    ## Additional roles to run (see: doc/custom_roles.md):
    ##
    # custom_roles:
    #   - fvs

  hosts:
    ## Run the playbook on the machine itself instead of connecting via SSH.
    localhost:
      ansible_connection: local

## Group variables for mobile devices; `teacherlaptop` is a child group and
## inherits everything set here unless it overrides it.
laptops:
  children:
    teacherlaptop: # teacherlaptops will get laptop vars too
  hosts:
  vars:
    ## Activate WLAN and select authentication mode (see: doc/wlan.md)
    wlan: psk # (none|psk|eap-tls)

    ## Use localhome on mobile devices
    localhome: true

    ## Create local guest user
    ## NOTE(review): the guest password is stored here in clear text and, as
    ## a group variable, is the same on every host of this group that keeps
    ## the guest account. `!unsafe` only stops Ansible from templating the
    ## value (needed when it contains characters Jinja2 would interpret); it
    ## does not protect the secret. Replace the value shipped here and
    ## consider encrypting it with ansible-vault.
    localuser: guest
    localuser_password: !unsafe Muster!

## Overrides for teacher laptops. These hosts are also members of `laptops`
## (declared under its `children`), so the values below replace or extend
## the laptop defaults.
teacherlaptop:
  hosts:
  vars:
    exam_mode: false
    # vpn: wg
    ## NOTE(review): the name `extra_pkgs1` differs from the `extra_pkgs`
    ## variable shown in the `all` group example. Confirm the role reads this
    ## variable and that the suffix is intentional.
    extra_pkgs1:
      - plasma-discover
      - nextcloud-desktop
      - dolphin-nextcloud
    ## Commands the group `role-teacher` may run (presumably rendered into a
    ## sudoers rule; `%` is the sudoers group prefix).
    ## NOTE(review): sudo on apt lets the group install arbitrary packages,
    ## and package maintainer scripts run as root, so this grant is
    ## effectively full root on the laptop. Treat `role-teacher` membership
    ## as administrative access and review it accordingly.
    sudo_permissions:
      "%role-teacher":
        - /usr/bin/apt
        - /usr/sbin/cryptsetup
    ## polkit actions granted to `role-teacher`.
    ## NOTE(review): `package-install-untrusted` allows installing packages
    ## that are not signed by a trusted key, which bypasses the repository
    ## signature check. Keep it only if teachers really need to install
    ## unsigned packages; the other PackageKit actions do not require it.
    polkit_rules:
      "role-teacher":
        - "org.freedesktop.NetworkManager.settings.modify.system"
        - "org.freedesktop.packagekit.package-install"
        - "org.freedesktop.packagekit.package-reinstall"
        - "org.freedesktop.packagekit.system-update"
        - "org.freedesktop.packagekit.upgrade-system"
        - "org.freedesktop.packagekit.package-install-untrusted"
    ## Overrides `localuser: guest` from the laptops group.
    localuser: false
    localhome_logout_missing_serverhome: false
    wlan_enable_on_boot: false
    misc_avoid_suspend: false
    misc_pwroff: false
    misc_pwroff_idle: false
    misc_reporter: false # privacy for teachers
    printer_admin_group: role-teacher
    fvs_remove_discover: false # Custom role feature to give teachers package store