lmn-client/roles/fvs-client-mkhome/tasks/main.yml

---
- name: install needed packages
  apt:
    name:
      - sssd-ldap
      - libpam-mount
      - cifs-utils
    state: latest

- name: add URI to ldap.conf
  lineinfile:
    dest: /etc/ldap/ldap.conf
    line: "URI ldaps://{{ ldap_server }}/"
    insertafter: "#URI.*"

- name: add BASE to ldap.conf
  lineinfile:
    dest: /etc/ldap/ldap.conf
    line: "BASE {{ basedn }}"
    insertafter: "#BASE.*"

- name: do not verify cert
  lineinfile:
    dest: /etc/ldap/ldap.conf
    line: "LDAPTLS_REQCERT      never"

- name: set homepage
  lineinfile:
    dest: /etc/firefox-esr/firefox-esr.js
    line: pref("browser.startup.homepage", "https://www.startpage.com");

    #- name: enable pam_umask
    #  lineinfile:
    #    dest: /etc/pam.d/common-session
    #    line: "session optional	pam_umask.so usergroups"

- name: enable pam_mkhomedir.so
  lineinfile:
    dest: /etc/pam.d/common-session
    line: "session	optional	pam_mkhomedir.so  umask=0027"
    insertbefore: "session	optional	pam_mount.so"

- name: configure pam_mount
  blockinfile:
    dest: /etc/security/pam_mount.conf.xml
    block: |
      <volume
        fstype="cifs"
        server="smb.steinbeisschule-reutlingen.de"
        path="DOCS/fvs/home/"
        mountpoint="~/winhome"
      />
      <!--volume
        fstype="fuse"
        path="sshfs#%(USER)@homes:"
        mountpoint="/home/%(USER)"
        options="StrictHostKeyChecking=no,allow_root"
      />
      <volume
        path="/home/%(USER)"
        mountpoint="~"
        options="bind"
      /-->
    insertafter: "<!-- Volume definitions -->"

- name: provide identities from directory
  template:
    src: sssd.conf.j2
    dest: /etc/sssd/sssd.conf
    mode: 0600
  notify: restart sssd

  ## FIXME: preseeding grub nvram does not work
- name: reset boot order
  command: efibootmgr --delete-bootorder
  when: run_in_installer|default(false)|bool

- name: set capabilities (wireshark)
  capabilities:
    path: /usr/bin/dumpcap
    capability: cap_net_raw,cap_net_admin+eip
    state: present


############## extra data partition ###############
- name: mount data partition
  mount:
    src: "UUID={{ hostvars[inventory_hostname]['ansible_devices']['%s'|format(item)]['partitions']['%s1'|format(item)]['uuid'] }}"
    path: /home/data
    fstype: ext4
    state: mounted
  register: data_mounted
  when: hostvars[inventory_hostname]['ansible_devices']['%s'|format(item)] | default(false)
  loop:
    - sdb
    - sde

- name: set sticky bit on data directory
  file:
    path: /home/data
    state: directory
    mode: '1777'
  when: data_mounted.changed

################# from kiosk.yml ##################
- name: grub timeout
  lineinfile:
    dest: /etc/default/grub
    regexp: '^(GRUB_TIMEOUT=).*'
    line: '\g<1>1'
    backrefs: yes
  notify: update grub

- name: keyboard compose key
  lineinfile:
    dest: /etc/default/keyboard
    regexp: '^(XKBOPTIONS=).*'
    line: '\1"compose:caps"'
    backrefs: yes

- name: tmp on tmpfs
  shell: cp /usr/share/systemd/tmp.mount /etc/systemd/system/
  args:
    creates: /etc/systemd/system/tmp.mount
  notify: enable tmp.mount