lmn-client/lmn-desktop.yml

## This playbook deploys a KDE desktop machine for LinuxMuster.
---
- name: apply configuration to the machines
  hosts: all
  remote_user: ansible
  become: yes
  pre_tasks:
    - pause:
        prompt: "Enter global-admin AD password. Leave empty to skip domain join"
        echo: false
      register: adpw
      no_log: true
      when: "ansible_cmdline.adpw is not defined"
    - name: Preseed apparmor
      debconf:
        name: apparmor
        question: apparmor/homedirs
        value: >-
          /srv/samba/schools/default-school/teachers/
          /srv/samba/schools/default-school/students/*/
        vtype: string
    - name: Preseed unattended-upgrades
      debconf:
        name: unattended-upgrades
        question: unattended-upgrades/enable_auto_updates
        value: True
        vtype: boolean

  vars:
    domain: "{{ ansible_domain }}"
    kerberize_uris: steinbeis.schule
    apt_conf: Acquire::http::Proxy "http://aptcache.pn.steinbeis.schule:3142/";
    ntp_serv: server.pn.steinbeis.schule
    proxy: http://firewall.pn.steinbeis.schule:3128
    no_proxy: firewall.pn.steinbeis.schule,server.pn.steinbeis.schule,idam.steinbeis.schule,dw.steinbeis.schule,.pn.steinbeis.schule,.steinbeis.schule

    ## PAM mount nextcloud, remove or leave empty to skip:
    web_dav: https://nc.steinbeis.schule/remote.php/dav/files/%(USER)

    ## Local mirror for mscorefonts. Remove or leave empty to use no mirror:
    mirror_msfonts: http://livebox.pn.steinbeis.schule/mscorefonts/

    rsyncsecret: Muster!
    keys2deploy:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOY0hChWaCDtuiuQcM0v4/u1499esjTtnMjl4uYlnS0 andi@netboot'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAN5ylqP936MPjGNxzrzV5jMwIfMhKJdOGuVh3xGQKTM andi@yogi'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxgeu7Rpb/1++531+MopqP9haUkyh1XXpv5kmbgSjx6'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbdOT+WSDmsBcaVFfzPRcmvOfd3CqO/FBOH44UVm7c7 raphael@uranus'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGICjy88HnMg5oaz4BJ20hgzqFWSem+HHD2PQ+As42pA raphael@pluto'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKm9lu9dDo5TG99QWTkl2G5G+ZbYikLlRNOXfs/bRTHy sascha@america'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMR4TP7jE+wS7zcH0iUBmlxCbvy9saYeEjonX/0yYfEJ daniel@NB-20-DW'

    ## Use grub-mkpasswd-pbkdf2 to calculate the password hash:
    grub_pwd: 'grub.pbkdf2.sha512.10000.FB60266F69FB181327AFB76193192454FC64151559EFF4D6B8FB7C7904A2A9C4778EDD515B46F770DB6A009F36903C193917BBBC571C5B6AAB2A69208BE01A6E.7B82114A0239C0EC55A50E95C48FA74A8910DEE4088447786DAB35770B9C2CF2D1550CF3B7452155EB55D5F84E5D357BF12B8D299CF9B01BF5D71D516CF826DB'
    nfs4: false
    extra_pkgs:
      - vim
      - mc
      - tmux
      - krb5-user
      - unattended-upgrades
      - debconf-utils
    extra_pkgs_bpo: [] # [ linux-image-amd64 ]

  roles:
    - lmn_network
    - up2date_debian
    - lmn_sssd
    - lmn_mount
    - lmn_kde
    - lmn_fvs ## school specific customization
    - lmn_vm
    - lmn_printer
    - kerberize
    - lmn_security

  tasks:
    - name: Add local user 'virti' in the 'libvirt' group
      ansible.builtin.user:
        name: virti
        password: $y$j9T$DuSvAO63v5LvoJmJ1rB0B0$D4tovIz79AdLHs5I6tYa7rxr3SWknQeUFvGaaKvUpo3
        comment: Libvirt VM User,,,
        shell: /bin/bash
        groups: libvirt
        append: yes
      when: false

## Temporary fixes and quirks:
    - name: Fix 8086:4909 external graphics card
      replace:
        dest: "/etc/default/grub"
        regexp: 'GRUB_CMDLINE_LINUX=""$'
        replace: 'GRUB_CMDLINE_LINUX="i915.force_probe=4909"'
      notify: Run update-grub
      when: ansible_board_vendor == "LENOVO" and ansible_board_name == "32CB"

    - name: Fix sound on 312A
      replace:
        dest: "/etc/default/grub"
        regexp: 'GRUB_CMDLINE_LINUX="snd-intel-dspcfg.dsp_driver=1"$'
        replace: 'GRUB_CMDLINE_LINUX=""'
      notify: Run update-grub
      when: ansible_board_vendor == "LENOVO" and ansible_board_name == "312A"

    - name: Fix sound on 312A and 312D
      apt:
        name: firmware-sof-signed
        state: latest
      when: >
        ansible_board_vendor == "LENOVO" and
        (ansible_board_name == "312D" or ansible_board_name == "312A")

## Clean up stuff from obsolete/faulty tasks:
    - name: Remove virtiofs service
      file:
        path: /etc/systemd/system/virtiofs@.service
        state: absent

    - name: Fix mount point permissions and owner
      file:
        path: "{{ item }}"
        mode: '0755'
        owner: root
        group: root
      loop:
        - /srv/samba
        - /srv/samba/schools
        - /srv/samba/schools/default-school

    - name: Fix unattended-upgrades
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";

## bullseye fixes:
    - name: Add bookworm firmware repository if needed
      apt_repository:
        repo: deb http://deb.debian.org/debian/ bookworm non-free-firmware
        state: present
        update_cache: true
      when: >
        ansible_board_vendor == "LENOVO" and
        ansible_board_name == "32CB" and
        ansible_distribution_release == "bullseye"

    - name: upgrade non-free-firmware packages
      apt:
        upgrade: true
        autoremove: true
        autoclean: true
      when: >
        ansible_board_vendor == "LENOVO" and
        ansible_board_name == "32CB" and
        ansible_distribution_release == "bullseye"