lmn-client/roles/lmn_teacherlaptop/tasks/main.yml

---
- name: Install additional teacherlaptop packages
  apt:
    name:
      - plasma-discover
      - wireguard
        #- krb5-auth-dialog
    state: latest

- name: Copy polkit rule to allow install packages by role-teacher
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: /etc/polkit-1/rules.d/
    mode: "0644"
  loop:
    - lmn-packagekit.rules
    - lmn-networkmanager.rules

- name: Adjust mmcblk-device gid to allow teachers to access SD-cards
  ansible.builtin.copy:
    dest: /etc/udev/rules.d/80-mmcblk.rules
    content: |
      KERNEL=="mmcblk[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", GROUP="teachers"
      KERNEL=="mmcblk[0-9]p[0-9]*", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", GROUP="teachers"

- name: Copy mountserver script to /usr/local/bin
  ansible.builtin.copy:
    src: mountserver
    dest: /usr/local/bin/
    mode: "0755"

- name: Copy NetworkManager dispatcher-script (10-lmn-mount.sh)
  ansible.builtin.copy:
    src: 10-lmn-mount.sh
    dest: /etc/NetworkManager/dispatcher.d/
    mode: "0755"

- name: Create link to dispatcher-script (10-lmn-mount.sh)
  ansible.builtin.file:
    src: ../10-lmn-mount.sh
    dest: /etc/NetworkManager/dispatcher.d/pre-down.d/10-lmn-mount.sh
    state: link

- name: Deploy sudo configurations (apt for role-teacher) 
  copy:
    dest: /etc/sudoers.d/90-lmn-teacherlaptop
    owner: root
    group: root
    mode: '0700'
    content: |
      %role-teacher ALL=(root) NOPASSWD: /usr/bin/apt
      %role-teacher ALL=(root) NOPASSWD: /usr/sbin/cryptsetup
      %role-teacher ALL=(root) NOPASSWD: /usr/local/bin/mountserver

- name: Configure Wireguard
  ansible.builtin.include_tasks: wg_config.yml
  tags:
    - never
    - wgconfig