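## This playbook deploys a client for LinuxMuster.
#
# Use the following in the installer's preseed file:
#
# d-i preseed/late_command string \
#   mkdir -p /target/home/ansible/.ssh && \
#   echo "ssh-ed25519 A...YOUR.KEY...Z" >> /target/home/ansible/.ssh/authorized_keys ; \
#   in-target chown -R ansible:ansible /home/ansible/.ssh/ ; \
#   in-target chmod -R og= /home/ansible/.ssh/ ; \
#   if [ -n "$playbook" ] ; then \
#     mkdir -v /target/dev/shm ; \
#     in-target mount -v -t tmpfs tmpfs /dev/shm ; \
#     echo "$vaultpw" > /target/dev/shm/vaultpw ; \
#     in-target ansible-pull --verbose --purge --extra-vars="run_in_installer=true" \
#       --vault-password-file /dev/shm/vaultpw \
#       -i localhost, --url=git://ansible.example.org/.git -C YOUR_BRANCH $playbook ; \
#   fi
#
# Notes on the preseed snippet above:
# - The vault password is written to a tmpfs (/dev/shm), so it only ever lives
#   in RAM of the installer and is not left on the installed disk.
# - git:// is neither encrypted nor authenticated, and the pulled playbook runs
#   as root on every new client. Prefer ssh:// or https:// for --url, and pin
#   the branch (or a commit) you have reviewed.
#
---
- name: Apply common configuration to the machines
  hosts: all  # desktop:laptop
  remote_user: ansible
  become: true

  pre_tasks:
    # Interactive fallback: ask for the AD join password unless it was already
    # supplied on the kernel command line (adpw=...). no_log keeps the registered
    # value out of task output and logs.
    # NOTE(review): /proc/cmdline is readable by every process on the machine,
    # so a password passed as a kernel parameter is visible while that system
    # runs; the prompt (or a vault-protected variable) is the safer path.
    - name: Ask for the AD join password
      ansible.builtin.pause:
        prompt: "Enter global-admin AD password. Leave empty to skip domain join"
        echo: false
      register: adpw
      no_log: true
      when: "ansible_cmdline.adpw is not defined"

    - name: Preseed apparmor
      ansible.builtin.debconf:
        name: apparmor
        question: apparmor/homedirs
        # Folded scalar: the three paths end up as one space-separated line.
        value: >-
          /srv/samba/schools/default-school/teachers/
          /srv/samba/schools/default-school/students/*/
          /srv/samba/schools/default-school/examusers/
        vtype: string

    - name: Preseed unattended-upgrades
      ansible.builtin.debconf:
        name: unattended-upgrades
        question: unattended-upgrades/enable_auto_updates
        # debconf-set-selections takes the literal text "true"; handing it over
        # as a string does not depend on the module's bool-to-text conversion.
        value: 'true'
        vtype: boolean

  vars_files: lmn-vault

  # Site-specific values all come from the vault file; the trailing comments
  # show the expected shape of each value.
  vars:
    domain: "{{ ansible_domain }}"
    kerberize_uris: "{{ vault_kerberize_uris }}"  ## example.org
    apt_conf: "{{ vault_apt_conf }}"  ## Acquire::http::Proxy "http://aptcache.example.org:3142/";
    ntp_serv: "{{ vault_ntp_serv }}"  ## ntp.example.org
    proxy: "{{ vault_proxy }}"  ## http://firewall.example.org:3128
    no_proxy: "{{ vault_no_proxy }}"  ## firewall.example.org,server.example.org,idam.example.org,dw.example.org
    printservers: "{{ vault_printservers }}"  ## ['10.0.0.1', '10.0.0.15']
    ## PAM mount nextcloud, remove or leave empty to skip:
    web_dav: "{{ vault_web_dav }}"  ## https://nc.example.org/remote.php/dav/files/%(USER)
    ## Local mirror for mscorefonts. Remove or leave empty to use no mirror:
    mirror_msfonts: "{{ vault_mirror_msfonts }}"  ## http://livebox.example.org/mscorefonts/
    ## Local mirror for libdvdcss. Remove or leave empty to use no mirror:
    mirror_dvdcss: "{{ vault_mirror_dvdcss }}"  ## http://livebox.example.org/libdvdcss/
    rsyncsecret: "{{ vault_rsyncsecret }}"
    keys2deploy: "{{ vault_keys2deploy }}"  ## ['ssh-ed25519 AAAAC…uYlnS0', 'ssh-ed25519 AAAA…KTM']
    localuser: "{{ vault_localuser }}"  ## needed here for the (universal) pam-mount configuration
    ## Use grub-mkpasswd-pbkdf2 to calculate the password hash:
    grub_pwd: "{{ vault_grub_pwd }}"
    nfs4: false
    extra_pkgs:
      - vim
      - mc
      - tmux
      - krb5-user
      - unattended-upgrades
      - debconf-utils
    extra_pkgs_bpo: []  # [ linux-image-amd64 ]

  roles:
    - lmn_network
    - up2date_debian
    - lmn_sssd
    - lmn_mount
    - lmn_kde
    - lmn_fvs  ## school specific customization
    - lmn_vm
    - lmn_printer
    - kerberize
    - lmn_security

  tasks:
    ## Temporary fixes and quirks:
    # The "Run update-grub" handler is not defined in this play; presumably one
    # of the roles above provides it — confirm before adding more notifiers.
    - name: Fix 8086:4909 external graphics card
      ansible.builtin.replace:
        path: "/etc/default/grub"
        regexp: 'GRUB_CMDLINE_LINUX=""$'
        replace: 'GRUB_CMDLINE_LINUX="i915.force_probe=4909"'
      notify: Run update-grub
      when: ansible_board_vendor == "LENOVO" and ansible_board_name == "32CB"

    - name: Fix sound on 312A
      ansible.builtin.replace:
        path: "/etc/default/grub"
        regexp: 'GRUB_CMDLINE_LINUX="snd-intel-dspcfg.dsp_driver=1"$'
        replace: 'GRUB_CMDLINE_LINUX=""'
      notify: Run update-grub
      when: ansible_board_vendor == "LENOVO" and ansible_board_name == "312A"

    - name: Fix sound on 312A and 312D
      ansible.builtin.apt:
        name: firmware-sof-signed
        state: latest
      when: >
        ansible_board_vendor == "LENOVO" and
        (ansible_board_name == "312D" or ansible_board_name == "312A")

    ## Clean up stuff from obsolete/faulty tasks:
    - name: Remove virtiofs service
      ansible.builtin.file:
        path: /etc/systemd/system/virtiofs@.service
        state: absent

    - name: Fix mount point permissions and owner
      ansible.builtin.file:
        path: "{{ item }}"
        mode: '0755'
        owner: root
        group: root
      loop:
        - /srv/samba
        - /srv/samba/schools

    - name: Fix unattended-upgrades
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";

    # NOTE(review): the block text below looks garbled in this copy of the file
    # (it reads like XML with the tags stripped) — TODO confirm against the
    # repository. With state: absent the module removes what sits between the
    # markers rather than writing the block, so the text is presumably unused.
    - name: Remove pam_mount sysvol mount
      ansible.builtin.blockinfile:
        path: /etc/security/pam_mount.conf.xml
        marker: ""
        block: |
          rootansibleDebian-gdmsddm{{ localuser }}
        state: absent

    - name: Check if rmlpr.timer is installed
      ansible.builtin.stat:
        path: /etc/systemd/system/rmlpr.timer
      register: rmlpr

    # Disable before the unit files are removed below.
    - name: Disable rmlpr.timer
      ansible.builtin.systemd:
        name: rmlpr.timer
        enabled: false
      when: rmlpr.stat.exists

    - name: Remove deprecated files and directories
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/linuxmuster-linuxclient7
        - /usr/lib/python3/dist-packages/linuxmusterLinuxclient7
        - /usr/share/linuxmuster-linuxclient7
        - /usr/local/bin/onLogin
        - /etc/sudoers.d/90-lmn-sudotools
        - /etc/systemd/system/rmlpr.service
        - /etc/systemd/system/rmlpr.timer

    ## bookworm fixes/hacks:
    - name: Work around sddm hang on shutdown
      ansible.builtin.lineinfile:
        path: /etc/systemd/system.conf
        line: DefaultTimeoutStopSec=5s
        insertafter: '^#DefaultTimeoutStopSec=.*'

#################
- name: Apply additional laptop configuration
  hosts: laptop
  remote_user: ansible
  become: true

  vars_files: lmn-vault

  vars:
    ssid: "{{ vault_ssid }}"
    wifipasswd: "{{ vault_wifipasswd }}"
    localuser: "{{ vault_localuser }}"
    localuser_pwd: "{{ vault_localuser_pwd }}"

  roles:
    # Only on machines that actually have a wireless interface (wl*).
    - role: lmn_wlan_iwd
      when: ansible_interfaces | select('search', 'wl.+') | first is defined
    - lmn_networkd
    - lmn_localuser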