## This playbook deploys a client for LinuxMuster.
#
# Use the following in the installer's preseed file ($playbook and $vaultpw are
# expected to be set by the installer environment; the vault password is written
# to a tmpfs mounted inside the target so it never lands on the installed disk):
#
# d-i preseed/late_command string \
#       mkdir -p /target/home/ansible/.ssh && \
#       echo "ssh-ed25519 A...YOUR.KEY...Z" >> /target/home/ansible/.ssh/authorized_keys ; \
#       in-target chown -R ansible:ansible /home/ansible/.ssh/ ; \
#       in-target chmod -R og= /home/ansible/.ssh/ ; \
#       if [ -n "$playbook" ] ; then \
#         mkdir -v /target/dev/shm ; \
#         in-target mount -v -t tmpfs tmpfs /dev/shm ; \
#         echo "$vaultpw" > /target/dev/shm/vaultpw ; \
#         in-target ansible-pull --verbose --purge --extra-vars="run_in_installer=true" \
#            --vault-password-file /dev/shm/vaultpw \
#            -i localhost, --url=git://ansible.example.org/.git -C YOUR_BRANCH $playbook ; \
#       fi
#
# Note: git:// has no transport authentication, and ansible-pull executes whatever
# the repository serves inside the freshly installed system, so prefer an
# authenticated URL (ssh:// or https://) for the --url argument.
#
---
- name: Apply common configuration to the machines
  hosts: all # desktop:laptop
  remote_user: ansible
  become: true
  pre_tasks:
    # Prompt for the AD join password unless it was handed in as a boot
    # parameter (ansible_cmdline.adpw), which is how the unattended installer
    # run from the header is expected to work.  Boot parameters are readable
    # by every local user via /proc/cmdline, so that route is only acceptable
    # while the machine is still inside the installer.  echo: false masks the
    # input and no_log: true keeps the registered value out of task output;
    # the prompt text says an empty answer skips the domain join (the join
    # itself is not in this play).
    - name: Ask for global-admin AD password
      ansible.builtin.pause:
        prompt: "Enter global-admin AD password. Leave empty to skip domain join"
        echo: false
      register: adpw
      no_log: true
      when: "ansible_cmdline.adpw is not defined"
    # Pre-answer the debconf question apparmor/homedirs before apparmor is
    # configured by a later role (assumption — the package install is not in
    # this play).  The folded scalar (>-) joins the three paths into one
    # space-separated string.
    - name: Preseed apparmor
      ansible.builtin.debconf:
        name: apparmor
        question: apparmor/homedirs
        value: >-
          /srv/samba/schools/default-school/teachers/
          /srv/samba/schools/default-school/students/*/
          /srv/samba/schools/default-school/examusers/
        vtype: string
    # Pre-answer the unattended-upgrades question so automatic updates are
    # enabled without a debconf prompt.
    - name: Preseed unattended-upgrades
      ansible.builtin.debconf:
        name: unattended-upgrades
        question: unattended-upgrades/enable_auto_updates
        value: true
        vtype: boolean

  # Site-specific values come from lmn-vault, expected to be an ansible-vault
  # encrypted file (the installer command in the header passes
  # --vault-password-file).  The trailing ## comments give example values.
  vars_files: lmn-vault
  vars:
    domain: "{{ ansible_domain }}"
    kerberize_uris: "{{ vault_kerberize_uris | default('example.org') }}"
    apt_conf: "{{ vault_apt_conf }}"  ## Acquire::http::Proxy "http://aptcache.example.org:3142/";
    ntp_serv: "{{ vault_ntp_serv }}"  ## ntp.example.org
    nfs_server: "{{ vault_nfs_server }}"  ## nfs.example.org
    proxy: "{{ vault_proxy }}"        ## http://firewall.example.org:3128
    no_proxy: "{{ vault_no_proxy }}"  ## firewall.example.org,server.example.org,idam.example.org,dw.example.org
    printservers: "{{ vault_printservers }}" ## ['10.0.0.1', '10.0.0.15']

    ## PAM mount nextcloud, remove or leave empty to skip:
    web_dav: "{{ vault_web_dav }}"    ## https://nc.example.org/remote.php/dav/files/%(USER)

    ## Local mirror for mscorefonts. Remove or leave empty to use no mirror:
    mirror_msfonts: "{{ vault_mirror_msfonts }}" ## http://livebox.example.org/mscorefonts/

    ## Local mirror for libdvdcss. Remove or leave empty to use no mirror:
    mirror_dvdcss: "{{ vault_mirror_dvdcss }}"   ## http://livebox.example.org/libdvdcss/

    uploadseed_pwd: "{{ vault_uploadseed_pwd }}"
    keys2deploy: "{{ vault_keys2deploy }}" ## ['ssh-ed25519 AAAAC…uYlnS0', 'ssh-ed25519 AAAA…KTM']

    ## Use grub-mkpasswd-pbkdf2 to calculate the password hash:
    grub_pwd: "{{ vault_grub_pwd }}"

  # Roles run in this order, after pre_tasks and before tasks.  The when:
  # conditions reference variables that are not defined in this file
  # (vm_support, localproxy, localhome, localuser, exam_mode, wlan) —
  # presumably inventory/group_vars; a host that lacks one of them fails the
  # play with an undefined-variable error rather than skipping the role.
  roles:
    - lmn_network
    - role: up2date_debian
      tags: upgrade
    - lmn_sssd
    - lmn_mount
    - lmn_kde
    - role: lmn_vm
      when: vm_support
    - lmn_printer
    - kerberize
    - lmn_misc
    - role: lmn_localproxy
      when: localproxy
    - role: lmn_localhome
      when: localhome
    - role: lmn_localuser
      when: localuser
    - role: lmn_exam
      when: exam_mode
    - role: lmn_wlan
      # Only hosts with an interface name matching wl.+ (`first` of an empty
      # selection is undefined, so the `is defined` test is false) and with
      # wlan set to something other than Jinja null.  The lmn_vpn play at
      # the end of this file compares vpn against the string "none" instead
      # — confirm which convention the inventory uses for "feature off".
      when:
        - ansible_interfaces | select('search', 'wl.+') | first is defined
        - wlan != none

  tasks:
    # Optional site-specific roles from the custom/ directory, named in
    # custom_roles.  The when: guard skips the task when the variable is
    # absent; this relies on Ansible evaluating the condition before
    # reporting the loop's undefined variable (verify on the Ansible version
    # in use).
    - name: Include custom roles
      ansible.builtin.include_role:
        name: "custom/{{ rolename }}"
      loop: "{{ custom_roles }}"
      loop_control:
        loop_var: rolename
      when: custom_roles is defined


#################

    # Always last, after every role above including the custom ones.  Judging
    # by the names these are hardening, clean-up and temporary workarounds —
    # see the roles themselves.
    - name: Final tasks
      ansible.builtin.include_role:
        name: "{{ role }}"
      loop_control:
        loop_var: role
      loop:
        - lmn_security
        - lmn_finish
        - lmn_tmpfixes

#################

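- name: Apply additional laptop configuration
  hosts: laptop
  remote_user: ansible
  become: true
  vars_files: lmn-vault
  tasks:
    # Remove configuration files left behind by earlier versions of this
    # setup.  state: absent is a no-op for paths that no longer exist, so the
    # task is safe to re-run.  (The duplicate wlan-dhcp.network entry was
    # dropped; `loop` replaces `with_items` to match the rest of the file —
    # equivalent for a flat list of strings.)
    - name: Remove deprecated files and directories (laptop-class)
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/systemd/network/80-wlan-dhcp.network
        - /etc/systemd/network/wlan-dhcp.network
        - /etc/systemd/network/virbr1.netdev
        - /etc/systemd/network/virbr1.network
        - /etc/NetworkManager/system-connections/FVS-devices.nmconnection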

- name: Apply roles that must run serial
  hosts: all
  become: true
  remote_user: ansible
  # One host at a time; a host that cannot be reached is skipped instead of
  # failing the whole run (presumably for laptops that are switched off —
  # confirm).
  serial: 1
  ignore_unreachable: true
  roles:
    # vpn is expected from inventory/group_vars; an undefined vpn fails the
    # play.  Note the first play tests wlan against Jinja null rather than
    # the string "none" — confirm which convention is intended.
    - role: lmn_vpn
      when:
        - vpn != "none"