aa8bc09ce6
The directory access time used so far is modified on every ansible run and independent of the ansible module/playbook.
235 lines
7.7 KiB
YAML
235 lines
7.7 KiB
YAML
## This playbook deploys a client for LinuxMuster.
|
|
#
|
|
# Use the following in the installer's preseed file:
|
|
#
|
|
# d-i preseed/late_command string \
|
|
# mkdir -p /target/home/ansible/.ssh && \
|
|
# echo "ssh-ed25519 A...YOUR.KEY...Z" >> /target/home/ansible/.ssh/authorized_keys ; \
|
|
# in-target chown -R ansible:ansible /home/ansible/.ssh/ ; \
|
|
# in-target chmod -R og= /home/ansible/.ssh/ ; \
|
|
# if [ -n "$playbook" ] ; then \
|
|
# mkdir -v /target/dev/shm ; \
|
|
# in-target mount -v -t tmpfs tmpfs /dev/shm ; \
|
|
# echo "$vaultpw" > /target/dev/shm/vaultpw ; \
|
|
# in-target ansible-pull --verbose --purge --extra-vars="run_in_installer=true" \
|
|
# --vault-password-file /dev/shm/vaultpw \
|
|
# -i localhost, --url=git://ansible.example.org/.git -C YOUR_BRANCH $playbook ; \
|
|
# fi
|
|
#
|
|
---
|
|
- name: Apply common configuration to the machines
|
|
hosts: all # desktop:laptop
|
|
remote_user: ansible
|
|
become: yes
|
|
pre_tasks:
|
|
- pause:
|
|
prompt: "Enter global-admin AD password. Leave empty to skip domain join"
|
|
echo: false
|
|
register: adpw
|
|
no_log: true
|
|
when: "ansible_cmdline.adpw is not defined"
|
|
- name: Preseed apparmor
|
|
debconf:
|
|
name: apparmor
|
|
question: apparmor/homedirs
|
|
value: >-
|
|
/srv/samba/schools/default-school/teachers/
|
|
/srv/samba/schools/default-school/students/*/
|
|
/srv/samba/schools/default-school/examusers/
|
|
vtype: string
|
|
|
|
vars_files: lmn-vault
|
|
vars:
|
|
domain: "{{ ansible_domain }}"
|
|
kerberize_uris: "{{ vault_kerberize_uris }}" ## example.org
|
|
apt_conf: "{{ vault_apt_conf }}" ## Acquire::http::Proxy "http://aptcache.example.org:3142/";
|
|
ntp_serv: "{{ vault_ntp_serv }}" ## ntp.example.org
|
|
proxy: "{{ vault_proxy }}" ## http://firewall.example.org:3128
|
|
no_proxy: "{{ vault_no_proxy }}" ## firewall.example.org,server.example.org,idam.example.org,dw.example.org
|
|
printservers: "{{ vault_printservers }}" ## ['10.0.0.1', '10.0.0.15']
|
|
|
|
## PAM mount nextcloud, remove or leave empty to skip:
|
|
web_dav: "{{ vault_web_dav }}" ## https://nc.example.org/remote.php/dav/files/%(USER)
|
|
|
|
## Local mirror for mscorefonts. Remove or leave empty to use no mirror:
|
|
mirror_msfonts: "{{ vault_mirror_msfonts }}" ## http://livebox.example.org/mscorefonts/
|
|
|
|
## Local mirror for libdvdcss. Remove or leave empty to use no mirror:
|
|
mirror_dvdcss: "{{ vault_mirror_dvdcss }}" ## http://livebox.example.org/libdvdcss/
|
|
|
|
rsyncsecret: "{{ vault_rsyncsecret }}"
|
|
keys2deploy: "{{ vault_keys2deploy }}" ## ['ssh-ed25519 AAAAC…uYlnS0', 'ssh-ed25519 AAAA…KTM']
|
|
localuser: "{{ vault_localuser }}" ## needed here for the (universal) pam-mount configuration
|
|
|
|
## Use grub-mkpasswd-pbkdf2 to calculate the password hash:
|
|
grub_pwd: "{{ vault_grub_pwd }}"
|
|
nfs4: false
|
|
extra_pkgs:
|
|
- vim
|
|
- mc
|
|
- tmux
|
|
- krb5-user
|
|
- debconf-utils
|
|
extra_pkgs_bpo: [] # [ linux-image-amd64 ]
|
|
|
|
roles:
|
|
- lmn_network
|
|
- up2date_debian
|
|
- lmn_sssd
|
|
- lmn_mount
|
|
- lmn_kde
|
|
- lmn_fvs ## school specific customization
|
|
- lmn_vm
|
|
- lmn_printer
|
|
- kerberize
|
|
- lmn_security
|
|
|
|
tasks:
|
|
- name: Timestamp successfull ansible run
|
|
ansible.builtin.shell: date --iso-8601=seconds >> /home/ansible/.ansible/stamps
|
|
changed_when: False
|
|
|
|
## Temporary fixes and quirks:
|
|
- name: Fix 8086:4909 external graphics card
|
|
replace:
|
|
dest: "/etc/default/grub"
|
|
regexp: 'GRUB_CMDLINE_LINUX=""$'
|
|
replace: 'GRUB_CMDLINE_LINUX="i915.force_probe=4909"'
|
|
notify: Run update-grub
|
|
when: ansible_board_vendor == "LENOVO" and ansible_board_name == "32CB"
|
|
|
|
- name: Fix sound on 312A
|
|
replace:
|
|
dest: "/etc/default/grub"
|
|
regexp: 'GRUB_CMDLINE_LINUX="snd-intel-dspcfg.dsp_driver=1"$'
|
|
replace: 'GRUB_CMDLINE_LINUX=""'
|
|
notify: Run update-grub
|
|
when: ansible_board_vendor == "LENOVO" and ansible_board_name == "312A"
|
|
|
|
- name: Fix sound on 312A and 312D
|
|
apt:
|
|
name: firmware-sof-signed
|
|
state: latest
|
|
when: >
|
|
ansible_board_vendor == "LENOVO" and
|
|
(ansible_board_name == "312D" or ansible_board_name == "312A")
|
|
|
|
## Temporarily fix boot order
|
|
- name: Check for the buggy kernel
|
|
stat:
|
|
path: /boot/vmlinuz-6.1.0-17-amd64
|
|
register: bug
|
|
|
|
- name: Check for the fixed kernel
|
|
stat:
|
|
path: /boot/vmlinuz-6.1.0-18-amd64
|
|
register: fix
|
|
|
|
- name: Work around kernel with CIFS regression
|
|
block:
|
|
- name: Make sure kernel package -16 is available
|
|
ansible.builtin.apt:
|
|
name: linux-image-6.1.0-16-amd64
|
|
state: present
|
|
- name: Set 6.1.0-16 as default kernel in grub
|
|
lineinfile:
|
|
dest: /etc/default/grub
|
|
regexp: '^(GRUB_DEFAULT=).*'
|
|
line: '\g<1>"Debian GNU/Linux, with Linux 6.1.0-16-amd64"'
|
|
backrefs: yes
|
|
notify: Run update-grub
|
|
when: bug.stat.exists and not fix.stat.exists
|
|
|
|
- name: Set latest kernel in grub
|
|
lineinfile:
|
|
dest: /etc/default/grub
|
|
regexp: '^(GRUB_DEFAULT=).*'
|
|
line: '\g<1>0'
|
|
backrefs: yes
|
|
when: fix.stat.exists or not bug.stat.exists
|
|
notify: Run update-grub
|
|
|
|
## Clean up stuff from obsolete/faulty tasks:
|
|
- name: Remove "unattended-upgrades" package
|
|
ansible.builtin.apt:
|
|
name: unattended-upgrades
|
|
state: absent
|
|
purge: True
|
|
|
|
- name: Remove virtiofs service
|
|
file:
|
|
path: /etc/systemd/system/virtiofs@.service
|
|
state: absent
|
|
|
|
- name: Fix mount point permissions and owner
|
|
file:
|
|
path: "{{ item }}"
|
|
mode: '0755'
|
|
owner: root
|
|
group: root
|
|
loop:
|
|
- /srv/samba
|
|
- /srv/samba/schools
|
|
|
|
- name: Remove pam_mount sysvol mount
|
|
blockinfile:
|
|
dest: /etc/security/pam_mount.conf.xml
|
|
marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (SysVol) -->"
|
|
block: |
|
|
<volume
|
|
fstype="cifs"
|
|
server="{{ smb_server }}"
|
|
path="sysvol/"
|
|
mountpoint="/srv/samba/%(USER)/sysvol"
|
|
options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks"
|
|
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>{{ localuser }}</user></or></not>
|
|
</volume>
|
|
state: absent
|
|
|
|
- name: check if rmlpr.timer is installed
|
|
stat: path=/etc/systemd/system/rmlpr.timer
|
|
register: rmlpr
|
|
|
|
- name: disable rmlpr.timer
|
|
systemd:
|
|
name: rmlpr.timer
|
|
enabled: false
|
|
when: rmlpr.stat.exists
|
|
|
|
- name: Remove deprecated files and directories
|
|
file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
with_items:
|
|
- /etc/linuxmuster-linuxclient7
|
|
- /usr/lib/python3/dist-packages/linuxmusterLinuxclient7
|
|
- /usr/share/linuxmuster-linuxclient7
|
|
- /usr/local/bin/onLogin
|
|
- /etc/sudoers.d/90-lmn-sudotools
|
|
- /etc/systemd/system/rmlpr.service
|
|
- /etc/systemd/system/rmlpr.timer
|
|
|
|
## bookworm fixes/hacks:
|
|
- name: Work around sddm hang on shutdown
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/systemd/system.conf
|
|
line: DefaultTimeoutStopSec=5s
|
|
insertafter: '^#DefaultTimeoutStopSec=.*'
|
|
|
|
#################
|
|
|
|
- name: Apply additional laptop configuration
|
|
hosts: laptop
|
|
remote_user: ansible
|
|
become: yes
|
|
vars_files: lmn-vault
|
|
vars:
|
|
ssid: "{{ vault_ssid }}"
|
|
wifipasswd: "{{ vault_wifipasswd }}"
|
|
localuser: "{{ vault_localuser }}"
|
|
localuser_pwd: "{{ vault_localuser_pwd }}"
|
|
roles:
|
|
- role: lmn_wlan_iwd
|
|
when: ansible_interfaces | select('search', 'wl.+') | first is defined
|
|
- lmn_networkd
|
|
- lmn_localuser
|