bookworm/qgm-desktop.yml

## This playbook deploys a KDE desktop machine for LinuxMuster.
---
- name: apply configuration to the machines
  hosts: all
  remote_user: ansible
  become: yes

  vars_files:
    - vars-qgsoftware.yml
  
  vars:
    joinpw: '' 
    domain: "{{ ansible_domain }}"
    kerberize_uris: qgm.lan
    realm: QGM.LAN
    serverhostname: server
    smb_server: server
    apt_conf: Acquire::http::Proxy "http://netboot.qgm.lan:3142/";
    ntp_serv: server.qgm.lan
    proxy: http://firewall.qgm.lan:3128
    no_proxy: firewall.qgm.lan, server.qgm.lan, qgm.lan

    ## PAM mount nextcloud, remove or leave empty to skip:
    web_dav: https://wolke.qg-moessingen.de/nextcloud/remote.php/dav/files/%(USER)

    ## Local mirror for mscorefonts. Remove or leave empty to use no mirror:
    mirror_msfonts: http://netboot.qgm.lan/mscorefonts/

    # Linbo Passwort
    rsyncsecret: Muster!
    ## Use grub-mkpasswd-pbkdf2: to calculate the password hash, this hash is for "geheim":
    grub_pwd: 'grub.pbkdf2.sha512.10000.775CB8C7FDA6892B684049EC0257245BA886719264ED9CDB3A7543B3562CC71BA70DB31F3550586D1F41642B13AEF61857FE009AF891D0854A8383251C55119D.30056755AF00EA171069E591D3CA18A592C8C5DEC7E0DEE957AC23A51F58CC5E05231AC49674EC19F2BACAD7D510DF58A157840596F0247054C7FD42C5D43BE7'
    nfs4: false
    extra_pkgs:
      - vim
      - mc
      - tmux
      - console-setup
      - krb5-user
      - unattended-upgrades
      - debconf-utils
      - ctorrent
    extra_pkgs_bpo: [] # [ linux-image-amd64 ]

  roles:
    - lmn_network
    #- up2date_debian
    - lmn_sssd
    - lmn_mount
    - lmn_kde
    - lmn_qgm ## school specific customization
    - lmn_qgsoftware
    - lmn_qgsddm
    - lmn_printer
    #- kerberize
  
  tasks:
    - name: Copy Server roots-pubkey to clients
      authorized_key:
        user: ansible
        state: present
        key: "{{ lookup('file', 'pubkeys/serverroot.pub') }}"

    - name: Fix unattended-upgrades
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "0";

    - name: Prepare mount point for homes
      ansible.builtin.file:
        path: /srv/samba/schools/default-school/
        state: directory
        mode: '0755'

    - name: Fix mount point permissions and owner
      file:
        path: "{{ item }}"
        mode: '0755'
        owner: root
        group: root
      loop:
        - /srv/samba
        - /srv/samba/schools
        - /srv/samba/schools/default-school
    
    - name: Disable Grub submenus
      lineinfile:
        dest: /etc/default/grub
        line: 'GRUB_DISABLE_SUBMENU=true'
        insertafter: '^GRUB_TIMEOUT=.*'
      notify: Run update-grub


    - name: Check for the buggy kernel
      stat:
        path: /boot/vmlinuz-6.1.0-17-amd64
      register: bug

    - name: Check for the fixed kernel
      stat:
        path: /boot/vmlinuz-6.1.0-18-amd64
      register: fix

    - name: Work around kernel with CIFS regression
      block:
        - name: Make sure kernel package -16 is available
          ansible.builtin.apt:
            name: linux-image-6.1.0-16-amd64
            state: present
        - name: Set 6.1.0-16 as default kernel in grub
          lineinfile:
            dest: /etc/default/grub
            regexp: '^(GRUB_DEFAULT=).*'
            line: '\g<1>"Debian GNU/Linux, with Linux 6.1.0-16-amd64"'
            backrefs: yes
          notify: Run update-grub
      when: bug.stat.exists and not fix.stat.exists

    - name: Set latest kernel in grub if bug is fixed
      lineinfile:
        dest: /etc/default/grub
        regexp: '^(GRUB_DEFAULT=).*'
        line: '\g<1>0'
        backrefs: yes
      when: fix.stat.exists or not bug.stat.exists
      notify: Run update-grub

    - name: Remove "unattended-upgrades" package
      ansible.builtin.apt:
        name: unattended-upgrades
        state: absent
        purge: True

    - name: Fix stuttering sound on HDMI 
      lineinfile:
        dest: /etc/default/grub
        regexp: '^(GRUB_CMDLINE_LINUX=).*'
        line: '\g<1>"intel_iommu=on,igfx_off"'
        backrefs: yes
      when: "'lt-' in inventory_hostname"
      notify: Run update-grub
SDDM Theme, KDE Lock, BlueJ, Greenfoot 2023-09-06 14:43:55 +02:00			`## This playbook deploys a KDE desktop machine for LinuxMuster.`
			`---`
			`- name: apply configuration to the machines`
			`hosts: all`
			`remote_user: ansible`
			`become: yes`
SW Download als role, kernel Bug 2024-02-03 16:42:19 +01:00
			`vars_files:`
			`- vars-qgsoftware.yml`
SDDM Theme, KDE Lock, BlueJ, Greenfoot 2023-09-06 14:43:55 +02:00
			`vars:`
SW Download als role, kernel Bug 2024-02-03 16:42:19 +01:00			`joinpw: ''`
SDDM Theme, KDE Lock, BlueJ, Greenfoot 2023-09-06 14:43:55 +02:00			`domain: "{{ ansible_domain }}"`
			`kerberize_uris: qgm.lan`
Drucker 2023-09-06 16:45:33 +02:00			`realm: QGM.LAN`
			`serverhostname: server`
			`smb_server: server`
SDDM Theme, KDE Lock, BlueJ, Greenfoot 2023-09-06 14:43:55 +02:00			`apt_conf: Acquire::http::Proxy "http://netboot.qgm.lan:3142/";`
			`ntp_serv: server.qgm.lan`
			`proxy: http://firewall.qgm.lan:3128`
			`no_proxy: firewall.qgm.lan, server.qgm.lan, qgm.lan`

			`## PAM mount nextcloud, remove or leave empty to skip:`
Update 2024-06-06 10:29:07 +02:00			`web_dav: https://wolke.qg-moessingen.de/nextcloud/remote.php/dav/files/%(USER)`
SDDM Theme, KDE Lock, BlueJ, Greenfoot 2023-09-06 14:43:55 +02:00
			`## Local mirror for mscorefonts. Remove or leave empty to use no mirror:`
			`mirror_msfonts: http://netboot.qgm.lan/mscorefonts/`

			`# Linbo Passwort`
			`rsyncsecret: Muster!`
			`## Use grub-mkpasswd-pbkdf2: to calculate the password hash, this hash is for "geheim":`
			`grub_pwd: 'grub.pbkdf2.sha512.10000.775CB8C7FDA6892B684049EC0257245BA886719264ED9CDB3A7543B3562CC71BA70DB31F3550586D1F41642B13AEF61857FE009AF891D0854A8383251C55119D.30056755AF00EA171069E591D3CA18A592C8C5DEC7E0DEE957AC23A51F58CC5E05231AC49674EC19F2BACAD7D510DF58A157840596F0247054C7FD42C5D43BE7'`
			`nfs4: false`
			`extra_pkgs:`
			`- vim`
			`- mc`
			`- tmux`
			`- console-setup`
			`- krb5-user`
			`- unattended-upgrades`
			`- debconf-utils`
			`- ctorrent`
			`extra_pkgs_bpo: [] # [ linux-image-amd64 ]`

			`roles:`
SW Download als role, kernel Bug 2024-02-03 16:42:19 +01:00			`- lmn_network`
			`#- up2date_debian`
			`- lmn_sssd`
			`- lmn_mount`
			`- lmn_kde`
SDDM Theme, KDE Lock, BlueJ, Greenfoot 2023-09-06 14:43:55 +02:00			`- lmn_qgm ## school specific customization`
SW Download als role, kernel Bug 2024-02-03 16:42:19 +01:00			`- lmn_qgsoftware`
SDDM ohne Fokus 2023-09-20 15:55:57 +02:00			`- lmn_qgsddm`
SW Download als role, kernel Bug 2024-02-03 16:42:19 +01:00			`- lmn_printer`
SDDM Theme, KDE Lock, BlueJ, Greenfoot 2023-09-06 14:43:55 +02:00			`#- kerberize`
Änderungen Autoupdate für Desktop 2023-11-14 10:07:36 +01:00
			`tasks:`
Update 2024-06-06 10:29:07 +02:00			`- name: Copy Server roots-pubkey to clients`
			`authorized_key:`
			`user: ansible`
			`state: present`
			`key: "{{ lookup('file', 'pubkeys/serverroot.pub') }}"`

Änderungen Autoupdate für Desktop 2023-11-14 10:07:36 +01:00			`- name: Fix unattended-upgrades`
			`ansible.builtin.copy:`
			`dest: /etc/apt/apt.conf.d/20auto-upgrades`
			`content: \|`
			`APT::Periodic::Update-Package-Lists "1";`
SW Download als role, kernel Bug 2024-02-03 16:42:19 +01:00			`APT::Periodic::Unattended-Upgrade "0";`
Änderungen Autoupdate für Desktop 2023-11-14 10:07:36 +01:00
			`- name: Prepare mount point for homes`
			`ansible.builtin.file:`
			`path: /srv/samba/schools/default-school/`
			`state: directory`
			`mode: '0755'`

			`- name: Fix mount point permissions and owner`
			`file:`
			`path: "{{ item }}"`
			`mode: '0755'`
			`owner: root`
			`group: root`
			`loop:`
			`- /srv/samba`
			`- /srv/samba/schools`
			`- /srv/samba/schools/default-school`
SW Download als role, kernel Bug 2024-02-03 16:42:19 +01:00
			`- name: Disable Grub submenus`
			`lineinfile:`
			`dest: /etc/default/grub`
			`line: 'GRUB_DISABLE_SUBMENU=true'`
			`insertafter: '^GRUB_TIMEOUT=.*'`
			`notify: Run update-grub`


			`- name: Check for the buggy kernel`
			`stat:`
			`path: /boot/vmlinuz-6.1.0-17-amd64`
			`register: bug`

			`- name: Check for the fixed kernel`
			`stat:`
			`path: /boot/vmlinuz-6.1.0-18-amd64`
			`register: fix`

			`- name: Work around kernel with CIFS regression`
			`block:`
			`- name: Make sure kernel package -16 is available`
			`ansible.builtin.apt:`
			`name: linux-image-6.1.0-16-amd64`
			`state: present`
			`- name: Set 6.1.0-16 as default kernel in grub`
			`lineinfile:`
			`dest: /etc/default/grub`
			`regexp: '^(GRUB_DEFAULT=).*'`
			`line: '\g<1>"Debian GNU/Linux, with Linux 6.1.0-16-amd64"'`
			`backrefs: yes`
			`notify: Run update-grub`
			`when: bug.stat.exists and not fix.stat.exists`

			`- name: Set latest kernel in grub if bug is fixed`
			`lineinfile:`
			`dest: /etc/default/grub`
			`regexp: '^(GRUB_DEFAULT=).*'`
			`line: '\g<1>0'`
			`backrefs: yes`
			`when: fix.stat.exists or not bug.stat.exists`
			`notify: Run update-grub`

			`- name: Remove "unattended-upgrades" package`
			`ansible.builtin.apt:`
			`name: unattended-upgrades`
			`state: absent`
			`purge: True`

			`- name: Fix stuttering sound on HDMI`
			`lineinfile:`
			`dest: /etc/default/grub`
			`regexp: '^(GRUB_CMDLINE_LINUX=).*'`
			`line: '\g<1>"intel_iommu=on,igfx_off"'`
			`backrefs: yes`
			`when: "'lt-' in inventory_hostname"`
			`notify: Run update-grub`