## This playbook deploys a client for LinuxMuster. # # Use the following in the installer's preseed file: # # d-i preseed/late_command string \ # mkdir -p /target/home/ansible/.ssh && \ # echo "ssh-ed25519 A...YOUR.KEY...Z" >> /target/home/ansible/.ssh/authorized_keys ; \ # in-target chown -R ansible:ansible /home/ansible/.ssh/ ; \ # in-target chmod -R og= /home/ansible/.ssh/ ; \ # if [ -n "$playbook" ] ; then \ # mkdir -v /target/dev/shm ; \ # in-target mount -v -t tmpfs tmpfs /dev/shm ; \ # echo "$vaultpw" > /target/dev/shm/vaultpw ; \ # in-target ansible-pull --verbose --purge --extra-vars="run_in_installer=true" \ # --vault-password-file /dev/shm/vaultpw \ # -i localhost, --url=git://ansible.example.org/.git -C YOUR_BRANCH $playbook ; \ # fi # --- - name: Apply common configuration to the machines hosts: all # desktop:laptop remote_user: ansible become: yes pre_tasks: - pause: prompt: "Enter global-admin AD password. Leave empty to skip domain join" echo: false register: adpw no_log: true when: "ansible_cmdline.adpw is not defined" - name: Preseed apparmor debconf: name: apparmor question: apparmor/homedirs value: >- /srv/samba/schools/default-school/teachers/ /srv/samba/schools/default-school/students/*/ /srv/samba/schools/default-school/examusers/ vtype: string - name: Preseed unattended-upgrades debconf: name: unattended-upgrades question: unattended-upgrades/enable_auto_updates value: true vtype: boolean vars_files: lmn-vault vars: domain: "{{ ansible_domain }}" kerberize_uris: "{{ vault_kerberize_uris }}" ## example.org apt_conf: "{{ vault_apt_conf }}" ## Acquire::http::Proxy "http://aptcache.example.org:3142/"; ntp_serv: "{{ vault_ntp_serv }}" ## ntp.example.org proxy: "{{ vault_proxy }}" ## http://firewall.example.org:3128 no_proxy: "{{ vault_no_proxy }}" ## firewall.example.org,server.example.org,idam.example.org,dw.example.org printservers: "{{ vault_printservers }}" ## ['10.0.0.1', '10.0.0.15'] ## PAM mount nextcloud, remove or leave empty to skip: web_dav: "{{ vault_web_dav }}" ## https://nc.example.org/remote.php/dav/files/%(USER) ## Local mirror for mscorefonts. Remove or leave empty to use no mirror: mirror_msfonts: "{{ vault_mirror_msfonts }}" ## http://livebox.example.org/mscorefonts/ ## Local mirror for libdvdcss. Remove or leave empty to use no mirror: mirror_dvdcss: "{{ vault_mirror_dvdcss }}" ## http://livebox.example.org/libdvdcss/ uploadseed_pwd: "{{ vault_uploadseed_pwd }}" rsyncsecret: "{{ vault_rsyncsecret }}" keys2deploy: "{{ vault_keys2deploy }}" ## ['ssh-ed25519 AAAAC…uYlnS0', 'ssh-ed25519 AAAA…KTM'] localuser: "{{ vault_localuser }}" ## needed here for the (universal) pam-mount configuration ## Use grub-mkpasswd-pbkdf2 to calculate the password hash: grub_pwd: "{{ vault_grub_pwd }}" nfs4: false extra_pkgs: - vim - mc - tmux - krb5-user - unattended-upgrades - debconf-utils extra_pkgs_bpo: [] # [ linux-image-amd64 ] # Wireguad config wg_endpoint: "{{ vault_wg_endpoint }}" wg_allowed_ips: "{{ vault_wg_allowed_ips }}" wg_ip_cdr: "{{ vault_wg_ip_cdr }}" wg_dns: "{{ vault_wg_dns }}" wg_dns_search: "{{ vault_wg_dns_search }}" roles: - lmn_network - role: up2date_debian tags: upgrade - lmn_sssd - lmn_mount - lmn_kde - lmn_fvs ## school specific customization - lmn_vm - lmn_printer - kerberize - lmn_security - role: lmn_localhome when: groups.localhome is defined and inventory_hostname in groups.localhome - role: lmn_teacherlaptop when: groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop tasks: ## Temporary fixes and quirks: - name: Remove disturbing NetworkManager connection file: path: "/etc/NetworkManager/system-connections/Wired connection 1" state: absent when: ansible_interfaces | select('search', '^en[pso].+') | length > 1 - name: Fix 8086:4909 external graphics card replace: dest: "/etc/default/grub" regexp: 'GRUB_CMDLINE_LINUX=""$' replace: 'GRUB_CMDLINE_LINUX="i915.force_probe=4909"' notify: Run update-grub when: ansible_board_vendor == "LENOVO" and ansible_board_name == "32CB" - name: Fix sound on 312A replace: dest: "/etc/default/grub" regexp: 'GRUB_CMDLINE_LINUX="snd-intel-dspcfg.dsp_driver=1"$' replace: 'GRUB_CMDLINE_LINUX=""' notify: Run update-grub when: ansible_board_vendor == "LENOVO" and ansible_board_name == "312A" - name: Fix sound on 312A and 312D apt: name: firmware-sof-signed state: latest when: > ansible_board_vendor == "LENOVO" and (ansible_board_name == "312D" or ansible_board_name == "312A") - name: Install customized CodeBlocks packages block: - name: Check for old CodeBlocks command: cmd: dpkg -l codeblocks register: codeblocks_version changed_when: False - name: Download codeblocks zip archive ansible.builtin.get_url: url: "http://livebox.pn.steinbeis.schule/codeblocks/CodeBlocks.zip" dest: /tmp/CodeBlocks.zip use_proxy: False register: new_codeblocks when: codeblocks_version.stdout is not search('svn13544') - name: Unpack zip archive and install packages manually shell: cmd: unzip -d /tmp/cb/ CodeBlocks.zip && dpkg -i cb/*.deb chdir: /tmp/ when: new_codeblocks.changed | default(false) when: groups.PCroom is defined and inventory_hostname in groups.PCroom ## Clean up stuff from obsolete/faulty tasks: - name: Remove sddm login screen patch with deprecated marker (homeondisk) blockinfile: path: /usr/share/sddm/themes/debian-breeze/Main.qml marker: // {mark} ANSIBLE MANAGED BLOCK homeondisk state: absent - name: Remove packages we do not need anymore ansible.builtin.apt: name: - cachefilesd - mosquitto state: absent purge: True - name: Remove virtiofs service file: path: /etc/systemd/system/virtiofs@.service state: absent - name: Fix mount point permissions and owner file: path: "{{ item }}" mode: '0755' owner: root group: root loop: - /srv/samba - /srv/samba/schools - name: Remove pam_mount sysvol mount blockinfile: dest: /etc/security/pam_mount.conf.xml marker: "" block: | rootansibleDebian-gdmsddm{{ localuser }} state: absent - name: check if rmlpr.timer is installed stat: path=/etc/systemd/system/rmlpr.timer register: rmlpr - name: disable rmlpr.timer systemd: name: rmlpr.timer enabled: false when: rmlpr.stat.exists - name: check if vmimage-torrent.service is installed stat: path=/etc/systemd/system/vmimage-torrent.service register: vmimagetorrent - name: disable vmimage-torrent.service systemd: name: vmimage-torrent.service enabled: false when: vmimagetorrent.stat.exists - name: Remove deprecated files and directories file: path: "{{ item }}" state: absent with_items: - /etc/linuxmuster-linuxclient7 - /usr/lib/python3/dist-packages/linuxmusterLinuxclient7 - /usr/share/linuxmuster-linuxclient7 - /usr/local/bin/onLogin - /etc/sudoers.d/90-lmn-sudotools - /etc/systemd/system/rmlpr.service - /etc/systemd/system/rmlpr.timer - /usr/local/bin/sync-vm.sh - /usr/local/bin/run-vm.sh - /usr/local/bin/rebase-vm.sh - /usr/local/bin/create-vm.sh - /usr/local/bin/upload-vm.sh - /usr/local/bin/vmimage-torrent - /etc/systemd/system/vmimage-torrent.service - /usr/local/bin/linbo-torrenthelper.sh - /usr/local/bin/link-images.sh - /usr/local/bin/start-virtiofsd.sh - /etc/sudoers.d/90-lmn-upload-vm - /etc/sudoers.d/90-lmn-sync-vm - /etc/sudoers.d/90-lmn-startvirtiofsd - /etc/sudoers.d/90-lmn-link-images - /etc/rsync.secret - /etc/systemd/network/30-virbr1.netdev - /etc/systemd/network/30-virbr2.netdev - /etc/systemd/network/40-ethernet.network - /etc/systemd/network/40-ethernet-usb.network - /etc/systemd/network/50-virbr1.network - /etc/systemd/network/50-virbr2.network - /etc/systemd/network/60-wlan0-dhcp.network - /etc/NetworkManager/system-connections/macvlan-vm-macvtap.nmconnection - name: check if vm_usage_information.txt exists stat: path=/lmn/vm/vm_usage_information.txt register: vm_usage_information - name: pre-fill vm_usage_information.txt shell: cmd: | ls -tr *.qcow2 > vm_usage_information.txt || touchvm_usage_information.txt chown lmnsynci:lmnsynci vm_usage_information.txt chdir: /lmn/vm/ when: not vm_usage_information.stat.exists - name: Detect if IPP-Everywhere printers exist ansible.builtin.shell: cmd: grep "IPP Everywhere" /etc/cups/printers.conf register: ipp_everywhere failed_when: False changed_when: False - name: Delete old IPP-Everywhere printers shell: cmd: | for p in $(lpstat -p | cut -d" " -f2); do lpadmin -x "$p" done when: not ipp_everywhere.rc - name: Remove old VM-printerlists shell: cmd: rm -f /lmn/media/*/.printerlist.csv - name: Remove Listen on VMBridge lineinfile: dest: /etc/cups/cupsd.conf line: 'Listen 192.168.122.1:631' state: absent - name: Remove NetworkManager Ansible-Block for non-laptops blockinfile: path: /etc/NetworkManager/NetworkManager.conf state: absent when: groups.laptop is defined and inventory_hostname not in groups.laptop ## bookworm fixes/hacks: - name: Work around sddm hang on shutdown ansible.builtin.lineinfile: path: /etc/systemd/system.conf line: DefaultTimeoutStopSec=5s insertafter: '^#DefaultTimeoutStopSec=.*' - name: Patch spyder to fix 'file-has-changed' issues on CIFS ansible.posix.patch: src: spyder.patch dest: /usr/lib/python3/dist-packages/spyder/plugins/editor/widgets/editor.py ################# - name: Timestamp successfull run and send up-to-date report ansible.builtin.shell: cmd: date --iso-8601=seconds >> /var/local/ansible-stamps && /usr/local/sbin/reporter changed_when: False tags: upgrade ################# - name: Apply additional laptop configuration hosts: laptop remote_user: ansible become: yes vars_files: lmn-vault vars: wifipasswd: "{{ vault_wifipasswd[ssid] }}" localuser: "{{ vault_localuser }}" localuser_pwd: "{{ vault_localuser_pwd }}" roles: - role: lmn_wlan_iwd when: ansible_interfaces | select('search', 'wl.+') | first is defined - role: lmn_localuser when: not (groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop) tasks: - name: Remove deprecated files and directories (laptop-class) file: path: "{{ item }}" state: absent with_items: - /etc/systemd/network/80-wlan-dhcp.network - /etc/systemd/network/wlan-dhcp.network - /etc/systemd/network/virbr1.netdev - /etc/systemd/network/virbr1.network - /etc/systemd/network/wlan-dhcp.network