it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
lmn-client/lmn-client.yml
Raphael Dannecker eab3b75bff Fix implementing printing from virtual machines. 
Already installed "IPP everywhere" printers have to be replaced by
"driverless" printers.

Fix Listen address in cupsd.conf because VMBridge IP is not yet avaible
when cups is starting.
2024-03-13 13:06:47 +01:00

334 lines
11 KiB
YAML
Raw Blame History

## This playbook deploys a client for LinuxMuster.
#
# Use the following in the installer's preseed file:
#
# d-i preseed/late_command string \
# mkdir -p /target/home/ansible/.ssh && \
# echo "ssh-ed25519 A...YOUR.KEY...Z" >> /target/home/ansible/.ssh/authorized_keys ; \
# in-target chown -R ansible:ansible /home/ansible/.ssh/ ; \
# in-target chmod -R og= /home/ansible/.ssh/ ; \
# if [ -n "$playbook" ] ; then \
# mkdir -v /target/dev/shm ; \
# in-target mount -v -t tmpfs tmpfs /dev/shm ; \
# echo "$vaultpw" > /target/dev/shm/vaultpw ; \
# in-target ansible-pull --verbose --purge --extra-vars="run_in_installer=true" \
# --vault-password-file /dev/shm/vaultpw \
# -i localhost, --url=git://ansible.example.org/.git -C YOUR_BRANCH $playbook ; \
# fi
#
---
- name: Apply common configuration to the machines
hosts: all # desktop:laptop
remote_user: ansible
become: yes
pre_tasks:
- pause:
prompt: "Enter global-admin AD password. Leave empty to skip domain join"
echo: false
register: adpw
no_log: true
when: "ansible_cmdline.adpw is not defined"
- name: Preseed apparmor
debconf:
name: apparmor
question: apparmor/homedirs
value: >-
/srv/samba/schools/default-school/teachers/
/srv/samba/schools/default-school/students/*/
/srv/samba/schools/default-school/examusers/
vtype: string
vars_files: lmn-vault
vars:
domain: "{{ ansible_domain }}"
kerberize_uris: "{{ vault_kerberize_uris }}" ## example.org
apt_conf: "{{ vault_apt_conf }}" ## Acquire::http::Proxy "http://aptcache.example.org:3142/";
ntp_serv: "{{ vault_ntp_serv }}" ## ntp.example.org
proxy: "{{ vault_proxy }}" ## http://firewall.example.org:3128
no_proxy: "{{ vault_no_proxy }}" ## firewall.example.org,server.example.org,idam.example.org,dw.example.org
printservers: "{{ vault_printservers }}" ## ['10.0.0.1', '10.0.0.15']
## PAM mount nextcloud, remove or leave empty to skip:
web_dav: "{{ vault_web_dav }}" ## https://nc.example.org/remote.php/dav/files/%(USER)
## Local mirror for mscorefonts. Remove or leave empty to use no mirror:
mirror_msfonts: "{{ vault_mirror_msfonts }}" ## http://livebox.example.org/mscorefonts/
## Local mirror for libdvdcss. Remove or leave empty to use no mirror:
mirror_dvdcss: "{{ vault_mirror_dvdcss }}" ## http://livebox.example.org/libdvdcss/
uploadseed_pwd: "{{ vault_uploadseed_pwd }}"
rsyncsecret: "{{ vault_rsyncsecret }}"
keys2deploy: "{{ vault_keys2deploy }}" ## ['ssh-ed25519 AAAAC…uYlnS0', 'ssh-ed25519 AAAA…KTM']
localuser: "{{ vault_localuser }}" ## needed here for the (universal) pam-mount configuration
## Use grub-mkpasswd-pbkdf2 to calculate the password hash:
grub_pwd: "{{ vault_grub_pwd }}"
nfs4: false
extra_pkgs:
- vim
- mc
- tmux
- krb5-user
- debconf-utils
extra_pkgs_bpo: [] # [ linux-image-amd64 ]
roles:
- lmn_network
- role: up2date_debian
tags: upgrade
- lmn_sssd
- lmn_mount
- lmn_kde
- lmn_fvs ## school specific customization
- lmn_vm
- lmn_printer
- kerberize
- lmn_security
tasks:
## Temporary fixes and quirks:
- name: Fix 8086:4909 external graphics card
replace:
dest: "/etc/default/grub"
regexp: 'GRUB_CMDLINE_LINUX=""$'
replace: 'GRUB_CMDLINE_LINUX="i915.force_probe=4909"'
notify: Run update-grub
when: ansible_board_vendor == "LENOVO" and ansible_board_name == "32CB"
- name: Fix sound on 312A
replace:
dest: "/etc/default/grub"
regexp: 'GRUB_CMDLINE_LINUX="snd-intel-dspcfg.dsp_driver=1"$'
replace: 'GRUB_CMDLINE_LINUX=""'
notify: Run update-grub
when: ansible_board_vendor == "LENOVO" and ansible_board_name == "312A"
- name: Fix sound on 312A and 312D
apt:
name: firmware-sof-signed
state: latest
when: >
ansible_board_vendor == "LENOVO" and
(ansible_board_name == "312D" or ansible_board_name == "312A")
- name: Install customized CodeBlocks packages
block:
- name: Check for old CodeBlocks
command:
cmd: dpkg -l codeblocks
register: codeblocks_version
changed_when: False
- name: Download codeblocks zip archive
ansible.builtin.get_url:
url: "http://livebox.pn.steinbeis.schule/codeblocks/CodeBlocks.zip"
dest: /tmp/CodeBlocks.zip
use_proxy: False
when: codeblocks_version.stdout is not search('svn13456')
- name: Unpack zip archive and install packages manually
shell:
cmd: unzip -d /tmp/cb/ CodeBlocks.zip && dpkg -i cb/*.deb
chdir: /tmp/
when: codeblocks_version.stdout is not search('svn13456')
when: groups.PCroom is defined and inventory_hostname in groups.PCroom
## Temporarily fix boot order
- name: Check for the buggy kernel
stat:
path: /boot/vmlinuz-6.1.0-17-amd64
register: bug
- name: Check for the fixed kernel
stat:
path: /boot/vmlinuz-6.1.0-18-amd64
register: fix
- name: Work around kernel with CIFS regression
block:
- name: Make sure kernel package -16 is available
ansible.builtin.apt:
name: linux-image-6.1.0-16-amd64
state: present
- name: Set 6.1.0-16 as default kernel in grub
lineinfile:
dest: /etc/default/grub
regexp: '^(GRUB_DEFAULT=).*'
line: '\g<1>"Debian GNU/Linux, with Linux 6.1.0-16-amd64"'
backrefs: yes
notify: Run update-grub
when: bug.stat.exists and not fix.stat.exists
- name: Set latest kernel in grub
lineinfile:
dest: /etc/default/grub
regexp: '^(GRUB_DEFAULT=).*'
line: '\g<1>0'
backrefs: yes
when: fix.stat.exists or not bug.stat.exists
notify: Run update-grub
## Clean up stuff from obsolete/faulty tasks:
- name: Remove packages we do not need anymore
ansible.builtin.apt:
name:
- unattended-upgrades
- cachefilesd
state: absent
purge: True
- name: Remove virtiofs service
file:
path: /etc/systemd/system/virtiofs@.service
state: absent
- name: Fix mount point permissions and owner
file:
path: "{{ item }}"
mode: '0755'
owner: root
group: root
loop:
- /srv/samba
- /srv/samba/schools
- name: Remove pam_mount sysvol mount
blockinfile:
dest: /etc/security/pam_mount.conf.xml
marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (SysVol) -->"
block: |
<volume
fstype="cifs"
server="{{ smb_server }}"
path="sysvol/"
mountpoint="/srv/samba/%(USER)/sysvol"
options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>{{ localuser }}</user></or></not>
</volume>
state: absent
- name: check if rmlpr.timer is installed
stat: path=/etc/systemd/system/rmlpr.timer
register: rmlpr
- name: disable rmlpr.timer
systemd:
name: rmlpr.timer
enabled: false
when: rmlpr.stat.exists
- name: check if vmimage-torrent.service is installed
stat: path=/etc/systemd/system/vmimage-torrent.service
register: vmimagetorrent
- name: disable vmimage-torrent.service
systemd:
name: vmimage-torrent.service
enabled: false
when: vmimagetorrent.stat.exists
- name: Remove deprecated files and directories
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/linuxmuster-linuxclient7
- /usr/lib/python3/dist-packages/linuxmusterLinuxclient7
- /usr/share/linuxmuster-linuxclient7
- /usr/local/bin/onLogin
- /etc/sudoers.d/90-lmn-sudotools
- /etc/systemd/system/rmlpr.service
- /etc/systemd/system/rmlpr.timer
- /usr/local/bin/sync-vm.sh
- /usr/local/bin/run-vm.sh
- /usr/local/bin/rebase-vm.sh
- /usr/local/bin/create-vm.sh
- /usr/local/bin/upload-vm.sh
- /usr/local/bin/vmimage-torrent
- /etc/systemd/system/vmimage-torrent.service
- /usr/local/bin/linbo-torrenthelper.sh
- /usr/local/bin/link-images.sh
- /usr/local/bin/start-virtiofsd.sh
- /etc/sudoers.d/90-lmn-upload-vm
- /etc/sudoers.d/90-lmn-sync-vm
- /etc/sudoers.d/90-lmn-startvirtiofsd
- /etc/sudoers.d/90-lmn-link-images
- /etc/rsync.secret
- name: check if vm_usage_information.txt exists
stat: path=/lmn/vm/vm_usage_information.txt
register: vm_usage_information
- name: pre-fill vm_usage_information.txt
shell:
cmd: |
ls -tr *.qcow2 > vm_usage_information.txt || touchvm_usage_information.txt
chown lmnsynci:lmnsynci vm_usage_information.txt
chdir: /lmn/vm/
when: not vm_usage_information.stat.exists
- name: Detect if IPP-Everywhere printers exist
ansible.builtin.shell:
cmd: grep "IPP Everywhere" /etc/cups/printers.conf
register: ipp_everywhere
failed_when: ipp_everywhere.rc >= 2
changed_when: False
- name: Delete old IPP-Everywhere printers
shell:
cmd: |
for p in $(lpstat -p | cut -d" " -f2); do
lpadmin -x "$p"
done
when: not ipp_everywhere.rc
- name: Remove Listen on VMBridge
lineinfile:
dest: /etc/cups/cupsd.conf
line: 'Listen 192.168.122.1:631'
state: absent
## bookworm fixes/hacks:
- name: Work around sddm hang on shutdown
ansible.builtin.lineinfile:
path: /etc/systemd/system.conf
line: DefaultTimeoutStopSec=5s
insertafter: '^#DefaultTimeoutStopSec=.*'
#################
- name: Timestamp successfull run and send up-to-date report
ansible.builtin.shell:
cmd: date --iso-8601=seconds >> /root/.ansible/stamps && /usr/local/sbin/reporter
changed_when: False
tags: upgrade
#################
- name: Apply additional laptop configuration
hosts: laptop
remote_user: ansible
become: yes
vars_files: lmn-vault
vars:
ssid: "{{ vault_ssid }}"
wifipasswd: "{{ vault_wifipasswd }}"
localuser: "{{ vault_localuser }}"
localuser_pwd: "{{ vault_localuser_pwd }}"
roles:
- role: lmn_wlan_iwd
when: ansible_interfaces | select('search', 'wl.+') | first is defined
- lmn_networkd
- lmn_localuser
tasks:
- name: Remove deprecated files and directories (laptop-class)
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/systemd/network/80-wlan-dhcp.network
- /etc/systemd/network/wlan-dhcp.network
- /etc/systemd/network/virbr1.netdev
- /etc/systemd/network/virbr1.network
- /etc/systemd/network/wlan-dhcp.network
Reference in a new issue View git blame Copy permalink