lmn-client/roles/lmn_mount/tasks/main.yml

---
- name: Install needed packages
  ansible.builtin.apt:
    name:
      - libpam-mount
      - cifs-utils
      - nfs-common
      - hxtools
      - davfs2
    state: latest

- name: Configure pam_mount for Webdav Nextcloud
  ansible.builtin.blockinfile:
    dest: /etc/security/pam_mount.conf.xml
    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount Nextcloud) -->"
    block: |
      <volume
        fstype="davfs"
        path="{{ web_dav }}"
        mountpoint="/lmn/media/%(USER)/nextcloud"
        options="username=%(USER),nosuid,nodev,uid=%(USER),gid=%(USERGID),grpid,file_mode=0700,dir_mode=0700,forceuid,forcegid"
        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
      </volume>
    insertafter: "<!-- Volume definitions -->"
  when: web_dav is defined and web_dav | length > 0

- name: Configure pam_mount for LMN homes
  ansible.builtin.blockinfile:
    dest: /etc/security/pam_mount.conf.xml
    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN home) -->"
    block: |
      <volume
        fstype="cifs"
        server="{{ smb_server }}"
        path="{{ smb_share }}"
        mountpoint="/srv/samba/schools/default-school"
        options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=%(USERGID),file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600{{ cifsopt | default(",cache=loose") }}"
        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
      </volume>
    insertafter: "<!-- Volume definitions -->"
  when: not nfs4

- name: Prepare mount point for homes
  ansible.builtin.file:
    path: /srv/samba/schools/default-school/
    state: directory
    mode: '0755'
  when: not nfs4

- name: Prepare persistent user cache base directory
  ansible.builtin.file:
    path: /var/cache/user/
    state: directory
    mode: '1777'

- name: Create user-environment-generator directory
  ansible.builtin.file:
    path: /etc/systemd/user-environment-generators/
    state: directory
    mode: '0755'

- name: Prepare generator for persistent user cache directory
  ansible.builtin.copy:
    dest: /etc/systemd/user-environment-generators/50-xdg-cache-home.sh
    content: |
      #!/usr/bin/bash
      set -eu
      ## local users do not need the extra cache dir:
      [[ "$UID" -le 60000 ]] && exit 0
      cp -r -n /etc/skel/.* "$HOME"
      DIR="/var/cache/user/${UID}/"
      [[ -d "$DIR" ]] || mkdir -m 0700 "$DIR"
      echo XDG_CACHE_HOME="$DIR"
      echo JUPYTER_ALLOW_INSECURE_WRITES=1
    mode: "0755"


- name: Clean up all user processes after logout
  ansible.builtin.replace:
    path: /etc/security/pam_mount.conf.xml
    regexp: '^(<logout wait="0" hup="no" term="no" kill="no" />)$'
    replace: '<!-- \1 -->\n<logout wait="1000" hup="yes" term="yes" kill="yes" />'

- name: Kill all user processes on logout
  ansible.builtin.lineinfile:
    path: /etc/systemd/logind.conf
    line: KillUserProcesses=yes
    insertafter: '#KillUserProcesses=no'

- name: Bind mount /lmn/media with nosuid directory
  ansible.posix.mount:
    src: /lmn/media
    path: /lmn/media
    opts: nosuid,bind
    state: present
    fstype: none

- name: Mount NFSv4 tools directory
  ansible.posix.mount:
    src: "{{ nfs_server }}:tools"
    path: /lmn/tools
    opts: rw,_netdev,x-systemd.automount,x-systemd.idle-timeout=10s,timeo=100,soft
    state: present
    fstype: nfs4
  when: nfs_server is defined

- name: Mount NFSv4 home directory
  ansible.posix.mount:
    src: fileserver:/default-school
    path: /srv/samba/schools/default-school
    opts: sec=krb5p,_netdev,x-systemd.automount,x-systemd.idle-timeout=30,timeo=100,soft,acl
    state: present
    fstype: nfs4
  when: nfs4