diff --git a/create_inventory.yml b/create_inventory.yml index 4e7991b..a4b8625 100644 --- a/create_inventory.yml +++ b/create_inventory.yml @@ -1,3 +1,9 @@ +--- +# Dieses Playbook holt die devices.csv vom Schulserver +# und baut daraus ein ansible inventory +# Damit das geht, muss der ansible Benutzer des netboot-Servers +# die devices.csv per scp vom Server holen können +# - Frank Schiebel, 09/2023 - hosts: localhost gather_facts: false become: false @@ -6,10 +12,9 @@ ini_hosts: | {% for group in csv_hosts %} [{{ group.0 }}] - {% for host in group.1|map(attribute='1') %} - {{ host }} + {% for line in group.1 %} + {{ line[1] }} mac={{ line[3] }} ip={{ line[4] }} type={{ line[8] }} pxe={{ line[10] }} {% endfor %} - {% endfor %} tasks: - shell: scp linuxadmin@server:/etc/linuxmuster/sophomorix/default-school/devices.csv . @@ -18,4 +23,3 @@ - copy: dest: devices.ini content: "{{ ini_hosts }}" - diff --git a/lmn-qglaptop.yml b/lmn-qglaptop.yml new file mode 100644 index 0000000..1583bc9 --- /dev/null +++ b/lmn-qglaptop.yml 
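Review bot: The `ini_hosts` template in the second hunk looks unbalanced on the new side: it opens `{% for group in csv_hosts %}` and `{% for line in group.1 %}`, but one of the two `{% endfor %}` lines is removed, so a single `{% endfor %}` closes two loops and Jinja would reject the template. Unless a closing tag sits outside the hunk, keep the second `{% endfor %}`. The new host line also writes CSV columns 3, 4, 8 and 10 into the inventory unquoted and unchecked. Quoting them (`mac="{{ line[3] }}"`, likewise for the others) and skipping rows with fewer than eleven fields would keep a malformed devices.csv row from producing stray or empty host variables.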
@@ -0,0 +1,69 @@
+## This playbook deploys a KDE desktop machine for LinuxMuster.
+---
+- name: apply configuration to the machines
+ hosts: all
+ remote_user: ansible
+ become: yes
+ pre_tasks:
+ - pause:
+ prompt: "Enter global-admin active directory password, leave empty to skip domain join"
+ minutes: 5
+ echo: false
+ register: adpw
+ no_log: true
+ when: "ansible_cmdline.adpw is not defined"
+ - name: preseed apparmor
+ debconf:
+ name: apparmor
+ question: apparmor/homedirs
+ value: >-
+ /srv/samba/schools/default-school/teachers/
+ /srv/samba/schools/default-school/students/*/
+ vtype: string
+
+ vars:
+ domain: "{{ ansible_domain }}"
+ kerberize_uris: qgm.lan
+ realm: QGM.LAN
+ serverhostname: server
+ smb_server: server
+ apt_conf: Acquire::http::Proxy "http://netboot.qgm.lan:3142/";
+ ntp_serv: server.qgm.lan
+ proxy: http://firewall.qgm.lan:3128
+ no_proxy: firewall.qgm.lan, server.qgm.lan, qgm.lan
+
+ ## PAM mount nextcloud, remove or leave empty to skip:
+ web_dav: https://wolke.qg-moessingen.de/remote.php/dav/files/%(USER)
+
+ ## Local mirror for mscorefonts. Remove or leave empty to use no mirror:
+ mirror_msfonts: http://netboot.qgm.lan/mscorefonts/
+
+ ## Local Mirror for Greenfoot and BlueJ. Leave empty to skip installation of bluej and greenfoot
+ mirror_javadev: http://netboot.qgm.lan/javadev/
+
+
+ # Linbo Passwort
+ rsyncsecret: Muster!
+ ## Use grub-mkpasswd-pbkdf2: to calculate the password hash, this hash is for "geheim":
+ grub_pwd: 'grub.pbkdf2.sha512.10000.775CB8C7FDA6892B684049EC0257245BA886719264ED9CDB3A7543B3562CC71BA70DB31F3550586D1F41642B13AEF61857FE009AF891D0854A8383251C55119D.30056755AF00EA171069E591D3CA18A592C8C5DEC7E0DEE957AC23A51F58CC5E05231AC49674EC19F2BACAD7D510DF58A157840596F0247054C7FD42C5D43BE7'
+ nfs4: false
+ extra_pkgs:
+ - vim
+ - mc
+ - tmux
+ - console-setup
+ - krb5-user
+ - unattended-upgrades
+ - debconf-utils
+ - ctorrent
+ extra_pkgs_bpo: [] # [ linux-image-amd64 ]
+
+ roles:
+ #- lmn_network
+ - up2date_debian
+ #- lmn_sssd
+ #- lmn_mount
+ - lmn_kde
+ - lmn_qgm
+ #- lmn_printer
+ #- kerberize
diff --git a/qgm_create_bgimages.sh b/qgm_create_bgimages.sh
new file mode 100755
index 0000000..1bb3bb9
--- /dev/null
+++ b/qgm_create_bgimages.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+if [ "x$1" == x ]; then
+ echo "Das erste Argument muss das neue Hintergrundbild sein"
+ exit 1
+fi
+
+if [ ! -f $1 ]; then
+ echo "Die Datei \"$1\" existiert nicht."
+ exit 1
+fi
+
+convert $1 -colorspace Gray ./roles/lmn_qgm/files/qgm_background.jpg
+convert $1 -quality 77 ./roles/lmn_qgm/files/qgm_background_wallpaper.jpg
diff --git a/roles/lmn_qgm/files/52-arduino.rules b/roles/lmn_qgm/files/52-arduino.rules
new file mode 100644
index 0000000..7c49415
--- /dev/null
+++ b/roles/lmn_qgm/files/52-arduino.rules
@@ -0,0 +1,3 @@
+SUBSYSTEMS=="usb",KERNEL=="ttyACM*",ATTRS{idVendor}=="16c0",ATTRS{idProduct}=="0483",GROUP="dialout",MODE="0666"
+SUBSYSTEMS=="usb",KERNEL=="ttyACM*",ATTRS{idVendor}=="2341",ATTRS{idProduct}=="0043",GROUP="dialout",MODE="0666"
+SUBSYSTEMS=="usb",KERNEL=="ttyUSB*",ATTRS{idVendor}=="1a86",ATTRS{idProduct}=="7523",GROUP="dialout",MODE="0666"
diff --git a/roles/lmn_qgm/files/firefox_policies.json b/roles/lmn_qgm/files/firefox_policies.json
new file mode 100644
index 0000000..0c13eb9
--- /dev/null
+++ b/roles/lmn_qgm/files/firefox_policies.json
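Review bot: `rsyncsecret: Muster!` is committed in clear text, and the comment above `grub_pwd` states the password behind the committed hash, so anyone who can read the repository holds both credentials if these values are deployed as written. Move both into an Ansible Vault-encrypted vars file, or prompt for them the way the play already does for `adpw`, for example `rsyncsecret: "{{ vault_rsyncsecret }}"` (variable name illustrative), and drop the cleartext from the comment. `mirror_javadev` and `mirror_msfonts` point at plain `http://` URLs, so whatever is fetched from them depends entirely on verification done in the roles. `become: yes` is better written as `become: true`.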
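Review bot: `$1` is expanded unquoted in the `-f` test and in both `convert` calls of qgm_create_bgimages.sh, so a path with spaces or glob characters is split into several arguments and the wrong files may be tested or converted. Quote every use: `if [ ! -f "$1" ]; then` and `convert "$1" -colorspace Gray ./roles/lmn_qgm/files/qgm_background.jpg`. Quoting does not help with a name that begins with `-`, which `convert` still reads as an option; passing such a file as `./name` does. The output paths are relative, so the script only works from the repository root, which deserves a comment or a `cd "$(dirname "$0")"` at the top.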
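Review bot: `MODE="0666"` on all three rules in 52-arduino.rules makes the serial devices readable and writable by every local account, including service users, and makes `GROUP="dialout"` meaningless. If the aim is that the logged-in pupil can flash a board without being in `dialout`, `TAG+="uaccess"` grants access only to the user on the active seat, e.g. ending each rule with `GROUP="dialout",MODE="0660",TAG+="uaccess"`. The `52-` prefix already orders the file before systemd's `73-seat-late.rules`, which `uaccess` requires.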
@@ -0,0 +1,70 @@
+{
+ "policies": {
+ "Proxy": {
+ "Mode": "system"
+ },
+ "OverrideFirstRunPage": "https://www.qg-moessingen.de",
+ "Homepage": {
+ "URL": "https://www.debian.org",
+ "Locked": false,
+ "StartPage": "previous-session"
+ },
+ "DisplayBookmarksToolbar": true,
+ "ManagedBookmarks": [
+ {
+ "toplevel_name": "QG Mössingen"
+ },
+ {
+ "url": "https://server.qgm.lan",
+ "name": "Passwort ändern"
+ },
+ {
+ "url": "https://wolke.qg-moessingen.de",
+ "name": "QG-Wolke"
+ },
+ {
+ "url": "https://moodle.qg-moessingen.de",
+ "name": "QG-Moodle"
+ },
+ {
+ "name": "Debian",
+ "children": [
+ {
+ "url": "https://www.debian.org",
+ "name": "Debian Homepage"
+ },
+ {
+ "url": "https://wiki.debian.org",
+ "name": "Debian Wiki"
+ },
+ {
+ "name": "Debian LAN/Live",
+ "children": [
+ {
+ "url": "https://salsa.debian.org/andi/debian-lan-ansible",
+ "name": "Debian LAN Ansible"
+ },
+ {
+ "url": "https://wiki.debian.org/DebianLive",
+ "name": "Debian Live"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "SearchEngines": {
+ "Add": [
+ {
+ "Name": "Startpage",
+ "URLTemplate": "https://www.startpage.com/sp/search?query={searchTerms}",
+ "Method": "GET",
+ "IconURL": "https://www.startpage.com/sp/cdn/favicons/favicon--default.ico",
+ "Alias": "sp",
+ "Description": "Startpage Search Engine"
+ }
+ ],
+ "Default": "Startpage"
+ }
+ }
+}
diff --git a/roles/lmn_qgm/files/qgm-login.sh b/roles/lmn_qgm/files/qgm-login.sh
index 56c1938..dd239c5 100644
--- a/roles/lmn_qgm/files/qgm-login.sh
+++ b/roles/lmn_qgm/files/qgm-login.sh
@@ -1,2 +1,2 @@ [[ "${UID}" -lt 10000 ]] && return -kwriteconfig5 --file "$HOME/.config/plasma-org.kde.plasma.desktop-appletsrc" --group 'Containments' --group '1' --group 'Wallpaper' --group 'org.kde.image' --group 'General' --key 'Image' "/usr/local/share/qgm/qgm_background.jpg" || return +kwriteconfig5 --file "$HOME/.config/plasma-org.kde.plasma.desktop-appletsrc" --group 'Containments' --group '1' --group 'Wallpaper' --group 'org.kde.image' --group 'General' --key 'Image' "/usr/local/share/qgm/qgm_background_wallpaper.jpg" || return diff --git a/roles/lmn_qgm/files/qgm_background.jpg b/roles/lmn_qgm/files/qgm_background.jpg index bf75ad5..f2e18f5 100644 Binary files a/roles/lmn_qgm/files/qgm_background.jpg and b/roles/lmn_qgm/files/qgm_background.jpg differ diff --git a/roles/lmn_qgm/files/qgm_background_wallpaper.jpg b/roles/lmn_qgm/files/qgm_background_wallpaper.jpg new file mode 100644 index 0000000..9cc2a2e Binary files /dev/null and b/roles/lmn_qgm/files/qgm_background_wallpaper.jpg differ diff --git a/roles/lmn_qgm/tasks/main.yml b/roles/lmn_qgm/tasks/main.yml index a26e340..4f5aebb 100644 --- a/roles/lmn_qgm/tasks/main.yml +++ b/roles/lmn_qgm/tasks/main.yml @@ -1,4 +1,7 @@ --- +######### +# Management: Ansible User benötigt auf den Clients kein +# Passwort für sudo - name: Enable passwordless sudo access for user ansible lineinfile: path: /etc/sudoers @@ -7,6 +10,8 @@ line: 'ansible ALL=(ALL) NOPASSWD: ALL' validate: '/usr/sbin/visudo -cf %s' +######### +# Paketvorkonfigurationen - name: Preseed ttf-mscorefonts-installer ansible.builtin.debconf: name: ttf-mscorefonts-installer @@ -32,7 +37,8 @@ value: "false" vtype: boolean - +######### +# Softwareauswahl - name: Install desktop EDU packages and some more apt: name: 
@@ -51,21 +57,39 @@ - libdvd-pkg - handbrake - slic3r-prusa + - filius autoremove: true state: latest environment: - http_proxy: '' + http_proxy: '' # this is needed to avoid ttf-mscorefonts-installer picking up aptcacher +######### +# libdvdcss muss gebaut werden +# Optimierungspotential: Einmal bauen und über netboot +# die Pakete verteilen geht wahrscheinlich schneller + - name: Build libdvdcss ansible.builtin.shell: cmd: dpkg-reconfigure -f noninteractive libdvd-pkg - +######### +# Den cups-browsed will ich gar nicht haben, nicht +# nur disablen. - name: Remove cups-browsed ansible.builtin.apt: name: cups-browsed state: absent +######### +# Anpassungen für Login Screen und Hintergrund +# Wir möchten am Login-Screen das Hintergrund-Bild +# qgm_background.jpg - in Schwarz/Weiss haben +# Bei der Anmeldung soll das Bild +# qgm_background_desktop.jpg - in Farbe +# gesetzt werden. +# Das passiert im Skript qgm-login.sh, das weiter unten +# auf die Rechner kopiert wird + - name: Make qgm share directory file: path: /usr/local/share/qgm @@ -74,13 +98,16 @@ owner: root group: root -- name: Copy qgm background - copy: - src: files/qgm_background.jpg - dest: /usr/local/share/qgm/qgm_background.jpg +- name: Copy qgm background pictures + ansible.builtin.copy: + src: "{{ item }}" + dest: /usr/local/share/qgm/ mode: '0644' owner: root group: root + loop: + - qgm_background.jpg + - qgm_background_wallpaper.jpg - name: Entpacke qgm-breeze-sddm.tgz nach /usr/share/sddm/themes unarchive: 
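Review bot: The comment block added above `Make qgm share directory` names the colour image `qgm_background_desktop.jpg`, but the file this commit adds and copies in the next hunk is `qgm_background_wallpaper.jpg`, which is also the path qgm-login.sh writes into the Plasma config. Change the comment line to `# qgm_background_wallpaper.jpg - in Farbe` so the description matches what is deployed. The new inline comment on `http_proxy: ''` is useful; a matching why-comment on `state: latest`, which upgrades the whole package list on every run, would help the next maintainer decide whether that is intended.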
@@ -95,6 +122,28 @@ group: root state: link +######### +# Das Skript, das beim Userlogin ausgeführt wird +# Setzt derzeit nur den Hintergrund zurück - nicht bei der +# allerersten Anmeldung eines Nutzers, weil es da die KDE Config noch +# nicht gibt. + +- name: Copy qgm-login.sh for misc login Tasks + copy: + src: files/qgm-login.sh + dest: /etc/profile.d/qgm-login.sh + mode: '0644' + owner: root + group: root + +######### +# Anpassungen an KDE +# - Doppelklick zum öffnen von Dateien +# - Style aug breeze fetstackern +# - Kein Benutzerwechsel +# - Kein Lockscreen +# - Keine neue Session + - name: Set mandatory KDE settings ansible.builtin.copy: dest: /etc/xdg/kdeglobals @@ -108,6 +157,8 @@ action/lock_screen=false action/start_new_session=false +######### +# Screen Locking abschalten, Mittelstufenschüler... - name: Disable screen locking ansible.builtin.copy: dest: /etc/xdg/kscreenlockerrc 
@@ -119,14 +170,33 @@ [Greeter][Wallpaper][org.kde.image][General] Image=file:///usr/local/share/qgm/qgm_background.jpg -- name: Copy qgm-login.sh for misc login Tasks - copy: - src: files/qgm-login.sh - dest: /etc/profile.d/qgm-login.sh - mode: '0644' - owner: root - group: root +######## +# Logout beschleunigen +- name: Wartezeit nach KDE nach Logout/Shutdown verkürzen + ansible.builtin.replace: + path: /usr/share/plasma/look-and-feel/org.kde.breeze.desktop/contents/logout/Logout.qml + regexp: '^(\s+)property real timeout:.*$' + replace: '\1property real timeout: 4' +######### +# plasma-discover ist der grafische Paketmamanger +# der stürzt nur ab und die Bejutzer können eh +# nichts selbst installieren +- name: Remove plasma-discover + ansible.builtin.apt: + name: plasma-discover + state: absent + +######### +# Greenfoot und BlueJ. +# Müssen einmalig auf den netboot Server +# in den http Cache geschoben werden. +# Siehe Script im Repo. +# +# Außerdem ist hier Optimierungspotential: +# - Installation direkt von der URL +# - Installation nur, wenn die neueste Version noch +# nicht installiert ist - name: Download greenfoot/bluej ansible.builtin.get_url: @@ -138,7 +208,6 @@ - greenfoot.deb when: mirror_javadev is defined and mirror_javadev | length > 0 - - name: Install greenfoot/bluej ansible.builtin.apt: deb: "/tmp/{{ item }}" @@ -147,7 +216,6 @@ - greenfoot.deb when: mirror_javadev is defined and mirror_javadev | length > 0 - - name: Remove greenfoot/bluej debs ansible.builtin.file: path: "/tmp/{{ item }}" 
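Review bot: The Greenfoot/BlueJ comment block added in the first hunk lists optimisations but not the integrity gap in the tasks it describes: the packages are fetched to fixed names in `/tmp` and then installed as root through `deb: "/tmp/{{ item }}"` (visible in the following hunks), and no checksum is visible. The `get_url` body lies outside the hunks, so confirm, but if it has no `checksum:` and leaves `force` at its default, a file already present at that path is kept rather than downloaded, and is installed unverified. Adding `checksum: "sha256:<digest of the mirrored .deb>"` and downloading into a root-only directory instead of `/tmp` would close that. Separately, the new `replace` task edits `Logout.qml` under `/usr/share`, a package-owned file that a package upgrade will restore, which is worth saying in its comment.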
@@ -157,6 +225,58 @@ - greenfoot.deb when: mirror_javadev is defined and mirror_javadev | length > 0 +######### +# Anpassungen für Arduino +# - modemmanager dinstallieren, soll die Probleme mit wechselnden +# Device Namen lössen (ungetestet) +# - Udev-Rule, so dass die Devices mit 0666 angelegt werden, wie +# Warnung des Debian Pakets "arduino" wegen der dialout Gruppe +# bleiben leider. + +- name: Remove modemmanager to fix arduino problems + ansible.builtin.apt: + name: modemmanager + state: absent + +- name: Copy arduino udev rule + copy: + src: files/52-arduino.rules + dest: /etc/udev/rules.d/52-arduino.rules + mode: '0644' + owner: root + group: root + +- name: relaod udev rules + ansible.builtin.command: udevadm control --reload-rules + +- name: trigger udev update + ansible.builtin.command: udevadm trigger +######### +# Firefox ESR Anpassungen +# Lesezeichen und Startseite müssen in der +# Datei firefox_policies.json für die eigene Schule +# angepasst werden. +- name: Create firefox policies directory + ansible.builtin.file: + path: /etc/firefox-esr/policies + state: directory + mode: '0755' +- name: Create a symbolic link firefox to firefox-esr + ansible.builtin.file: + src: /etc/firefox-esr + dest: /etc/firefox + state: link + +- name: Copy firefox policy + ansible.builtin.copy: + src: firefox_policies.json + dest: /etc/firefox-esr/policies/policies.json + +- name: Remove file (delete file) + ansible.builtin.file: + path: /etc/firefox-esr/policies/firefox_policies.json + state: absent +
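Review bot: The `Copy firefox policy` task sets no `owner`, `group` or `mode`, unlike the other copy tasks in this file, so the permissions of the enforced `policies.json` depend on the defaults in effect on the target. Add `owner: root`, `group: root` and `mode: '0644'` so the policy stays read-only for users. The two `udevadm` command tasks run and report changed on every play; making them handlers notified by `Copy arduino udev rule` keeps runs idempotent. The last task is named only `Remove file (delete file)`; a name saying that it cleans up a stale `firefox_policies.json` would explain why it exists.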