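## This playbook deploys a client for LinuxMuster.
##
## Two plays: the first applies the common configuration to every host
## (group "all"), the second adds laptop-specific configuration to the
## "laptop" group.  Site-specific values come from the vault file
## "lmn-vault" (variables prefixed "vault_").
##
## The handler "Run update-grub" referenced by several tasks is not defined
## in this file; it is expected to be provided by one of the roles.
##
## Use the following in the installer's preseed file:
##
##   d-i preseed/late_command string \
##     mkdir -p /target/home/ansible/.ssh && \
##     echo "ssh-ed25519 A...YOUR.KEY...Z" >> /target/home/ansible/.ssh/authorized_keys ; \
##     in-target chown -R ansible:ansible /home/ansible/.ssh/ ; \
##     in-target chmod -R og= /home/ansible/.ssh/ ; \
##     if [ -n "$playbook" ] ; then \
##       mkdir -v /target/dev/shm ; \
##       in-target mount -v -t tmpfs tmpfs /dev/shm ; \
##       echo "$vaultpw" > /target/dev/shm/vaultpw ; \
##       in-target ansible-pull --verbose --purge --extra-vars="run_in_installer=true" \
##         --vault-password-file /dev/shm/vaultpw \
##         -i localhost, --url=git://ansible.example.org/.git -C YOUR_BRANCH $playbook ; \
##     fi
##
## NOTE(review): the git:// transport used for --url carries no
## authentication or integrity protection, and ansible-pull runs the fetched
## playbook as root inside the installer; an ssh:// or https:// URL gives
## the pull an authenticated transport.  The vault password is staged on a
## tmpfs (/dev/shm) so it is never written to the installed system's disk.
##
---
- name: Apply common configuration to the machines
  hosts: all  # desktop:laptop
  remote_user: ansible
  become: true

  pre_tasks:
    ## Interactive prompt, skipped when the password was passed on the
    ## kernel command line (ansible_cmdline.adpw).  no_log keeps the
    ## registered value out of the play output.
    - name: Ask for the global-admin AD password
      pause:
        prompt: "Enter global-admin AD password. Leave empty to skip domain join"
        echo: false
      register: adpw
      no_log: true
      when: "ansible_cmdline.adpw is not defined"

    ## Folded scalar: the three paths become one space-separated debconf value.
    - name: Preseed apparmor
      debconf:
        name: apparmor
        question: apparmor/homedirs
        value: >-
          /srv/samba/schools/default-school/teachers/
          /srv/samba/schools/default-school/students/*/
          /srv/samba/schools/default-school/examusers/
        vtype: string

  vars_files:
    - lmn-vault

  vars:
    domain: "{{ ansible_domain }}"
    kerberize_uris: "{{ vault_kerberize_uris }}"  ## example.org
    apt_conf: "{{ vault_apt_conf }}"  ## Acquire::http::Proxy "http://aptcache.example.org:3142/";
    ntp_serv: "{{ vault_ntp_serv }}"  ## ntp.example.org
    proxy: "{{ vault_proxy }}"  ## http://firewall.example.org:3128
    no_proxy: "{{ vault_no_proxy }}"  ## firewall.example.org,server.example.org,idam.example.org,dw.example.org
    printservers: "{{ vault_printservers }}"  ## ['10.0.0.1', '10.0.0.15']
    ## PAM mount nextcloud, remove or leave empty to skip:
    web_dav: "{{ vault_web_dav }}"  ## https://nc.example.org/remote.php/dav/files/%(USER)
    ## Local mirror for mscorefonts. Remove or leave empty to use no mirror:
    mirror_msfonts: "{{ vault_mirror_msfonts }}"  ## http://livebox.example.org/mscorefonts/
    ## Local mirror for libdvdcss. Remove or leave empty to use no mirror:
    mirror_dvdcss: "{{ vault_mirror_dvdcss }}"  ## http://livebox.example.org/libdvdcss/
    uploadseed_pwd: "{{ vault_uploadseed_pwd }}"
    rsyncsecret: "{{ vault_rsyncsecret }}"
    keys2deploy: "{{ vault_keys2deploy }}"  ## ['ssh-ed25519 AAAAC…uYlnS0', 'ssh-ed25519 AAAA…KTM']
    localuser: "{{ vault_localuser }}"  ## needed here for the (universal) pam-mount configuration
    ## Use grub-mkpasswd-pbkdf2 to calculate the password hash:
    grub_pwd: "{{ vault_grub_pwd }}"
    nfs4: false
    extra_pkgs:
      - vim
      - mc
      - tmux
      - krb5-user
      - debconf-utils
    extra_pkgs_bpo: []  # [ linux-image-amd64 ]

  roles:
    - lmn_network
    - role: up2date_debian
      tags: upgrade
    - lmn_sssd
    - lmn_mount
    - lmn_kde
    - lmn_fvs  ## school specific customization
    - lmn_vm
    - lmn_printer
    - kerberize
    - lmn_security

  tasks:
    ## Temporary fixes and quirks:
    - name: Fix 8086:4909 external graphics card
      replace:
        dest: "/etc/default/grub"
        regexp: 'GRUB_CMDLINE_LINUX=""$'
        replace: 'GRUB_CMDLINE_LINUX="i915.force_probe=4909"'
      notify: Run update-grub
      when: ansible_board_vendor == "LENOVO" and ansible_board_name == "32CB"

    - name: Fix sound on 312A
      replace:
        dest: "/etc/default/grub"
        regexp: 'GRUB_CMDLINE_LINUX="snd-intel-dspcfg.dsp_driver=1"$'
        replace: 'GRUB_CMDLINE_LINUX=""'
      notify: Run update-grub
      when: ansible_board_vendor == "LENOVO" and ansible_board_name == "312A"

    ## state: latest upgrades the firmware package on every run, not only
    ## when it is missing.
    - name: Fix sound on 312A and 312D
      apt:
        name: firmware-sof-signed
        state: latest
      when: >
        ansible_board_vendor == "LENOVO" and
        (ansible_board_name == "312D" or ansible_board_name == "312A")

    ## Temporarily fix boot order
    - name: Check for the buggy kernel
      stat:
        path: /boot/vmlinuz-6.1.0-17-amd64
      register: bug

    - name: Check for the fixed kernel
      stat:
        path: /boot/vmlinuz-6.1.0-18-amd64
      register: fix

    ## NOTE(review): the condition is placed at block level so that the -16
    ## kernel is only installed and pinned while -17 is present and -18 is
    ## not; confirm this against the original file's indentation.
    - name: Work around kernel with CIFS regression
      block:
        - name: Make sure kernel package -16 is available
          ansible.builtin.apt:
            name: linux-image-6.1.0-16-amd64
            state: present

        - name: Set 6.1.0-16 as default kernel in grub
          lineinfile:
            dest: /etc/default/grub
            regexp: '^(GRUB_DEFAULT=).*'
            line: '\g<1>"Debian GNU/Linux, with Linux 6.1.0-16-amd64"'
            backrefs: true
          notify: Run update-grub
      when: bug.stat.exists and not fix.stat.exists

    ## Complement of the block above: once the fixed kernel is installed (or
    ## the buggy one never was) boot the newest kernel again.
    - name: Set latest kernel in grub
      lineinfile:
        dest: /etc/default/grub
        regexp: '^(GRUB_DEFAULT=).*'
        line: '\g<1>0'
        backrefs: true
      when: fix.stat.exists or not bug.stat.exists
      notify: Run update-grub

    ## Clean up stuff from obsolete/faulty tasks:
    - name: Remove "unattended-upgrades" package
      ansible.builtin.apt:
        name: unattended-upgrades
        state: absent
        purge: true

    - name: Remove virtiofs service
      file:
        path: /etc/systemd/system/virtiofs@.service
        state: absent

    - name: Fix mount point permissions and owner
      file:
        path: "{{ item }}"
        mode: '0755'
        owner: root
        group: root
      loop:
        - /srv/samba
        - /srv/samba/schools

    ## NOTE(review): the block text below appears to have lost its XML
    ## markup during extraction; restore it from the repository before
    ## relying on this task.  With marker "" both marker lines are empty —
    ## verify against the real pam_mount.conf.xml that only the intended
    ## block is removed.
    - name: Remove pam_mount sysvol mount
      blockinfile:
        dest: /etc/security/pam_mount.conf.xml
        marker: ""
        block: |
          rootansibleDebian-gdmsddm{{ localuser }}
        state: absent

    - name: check if rmlpr.timer is installed
      stat:
        path: /etc/systemd/system/rmlpr.timer
      register: rmlpr

    - name: disable rmlpr.timer
      systemd:
        name: rmlpr.timer
        enabled: false
      when: rmlpr.stat.exists

    - name: check if vmimage-torrent.service is installed
      stat:
        path: /etc/systemd/system/vmimage-torrent.service
      register: vmimagetorrent

    - name: disable vmimage-torrent.service
      systemd:
        name: vmimage-torrent.service
        enabled: false
      when: vmimagetorrent.stat.exists

    ## The unit files disabled above are deleted here; no daemon-reload is
    ## issued afterwards in this play.
    - name: Remove deprecated files and directories
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/linuxmuster-linuxclient7
        - /usr/lib/python3/dist-packages/linuxmusterLinuxclient7
        - /usr/share/linuxmuster-linuxclient7
        - /usr/local/bin/onLogin
        - /etc/sudoers.d/90-lmn-sudotools
        - /etc/systemd/system/rmlpr.service
        - /etc/systemd/system/rmlpr.timer
        - /usr/local/bin/sync-vm.sh
        - /usr/local/bin/run-vm.sh
        - /usr/local/bin/rebase-vm.sh
        - /usr/local/bin/create-vm.sh
        - /usr/local/bin/upload-vm.sh
        - /usr/local/bin/vmimage-torrent
        - /etc/systemd/system/vmimage-torrent.service
        - /usr/local/bin/linbo-torrenthelper.sh
        - /usr/local/bin/link-images.sh
        - /usr/local/bin/start-virtiofsd.sh
        - /etc/sudoers.d/90-lmn-upload-vm
        - /etc/sudoers.d/90-lmn-sync-vm
        - /etc/sudoers.d/90-lmn-startvirtiofsd
        - /etc/sudoers.d/90-lmn-link-images
        - /etc/rsync.secret

    ## bookworm fixes/hacks:
    ## No regexp: lineinfile only ensures the exact line exists, inserting it
    ## after the commented default if it has to be added.
    - name: Work around sddm hang on shutdown
      ansible.builtin.lineinfile:
        path: /etc/systemd/system.conf
        line: DefaultTimeoutStopSec=5s
        insertafter: '^#DefaultTimeoutStopSec=.*'

    #################
    - name: Timestamp successfull run and send up-to-date report
      ansible.builtin.shell:
        cmd: date --iso-8601=seconds >> /root/.ansible/stamps && /usr/local/sbin/reporter
      changed_when: false
      tags: upgrade

#################
- name: Apply additional laptop configuration
  hosts: laptop
  remote_user: ansible
  become: true

  vars_files:
    - lmn-vault

  vars:
    ssid: "{{ vault_ssid }}"
    wifipasswd: "{{ vault_wifipasswd }}"
    localuser: "{{ vault_localuser }}"
    localuser_pwd: "{{ vault_localuser_pwd }}"

  roles:
    ## Only when at least one interface name matches "wl.+" (wireless).
    - role: lmn_wlan_iwd
      when: ansible_interfaces | select('search', 'wl.+') | first is defined
    - lmn_networkd
    - lmn_localuser

  tasks:
    ## Duplicate wlan-dhcp.network entry from the original list dropped.
    - name: Remove deprecated files and directories (laptop-class)
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/systemd/network/80-wlan-dhcp.network
        - /etc/systemd/network/wlan-dhcp.network
        - /etc/systemd/network/virbr1.netdev
        - /etc/systemd/network/virbr1.network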