First working version for Netbootbox-Install

config.vars

@@ -0,0 +1,2 @@
+ansible_ssh_pubkey: "dummy-placeholder"
+lmn_client_branch: "main"

livebox.yml

@@ -16,6 +16,8 @@
 ##  >   configfile (tftp,livebox.lan)/d-i/n-a/grub/grub.cfg
 ##  > }
 ##
+## To build an initial customized image run 'livebuilder.sh'.
+## A systemd-timer will do this every week automatically.
 ---
 - name: apply configuration to the livebox
   hosts: all
@@ -23,15 +25,16 @@
   become: true
 
   vars:
+#    ansible_connection: local
     extra_pkgs:
       - lighttpd
       - nfs-kernel-server
-    extra_pkgs_bpo:
       - atftpd
       - di-netboot-assistant
       - apt-cacher-ng
+    extra_pkgs_bpo: []
 
-    live_desktop:
+    live_desktop: # [] # use an empty list to skip iso images
       - gnome
       - kde
       - standard
@@ -42,18 +45,23 @@
     # Make sure you have sufficient disk space available (~30GiB?).
     build_images:
       - gnome-edu
+      - standard-edu
 
     di_dist: "{{ ansible_distribution_release }}"
     di_version: "{{ ansible_distribution_major_version }}"
     di_pkg: "debian-installer-{{ di_version }}-netboot-amd64"
     boot_params:
       - boot=live
-      - netboot=nfs
       - components
       - locales=de_DE.UTF-8
       - keyboard-layouts=de
+      - live-config.timezone=Europe/Berlin
+      - swap=true
       - quiet
       - splash
+      - user-default-groups=audio,cdrom,dip,video,plugdev,netdev,dialout
+      - modprobe.blacklist=nvme
+#      - libata.force=disable
 #      - noroot
 
     ansible_python_interpreter: "/usr/bin/python3"
@@ -87,3 +95,4 @@
     - aptcacher
     - debianlive
     - edulive
+    - lmn_netbootinstaller

roles/debianlive/tasks/main.yml

@@ -6,23 +6,29 @@
     checksum: "sha256:{{ live_url }}/SHA256SUMS"
   register: new_iso
   loop:
-    "{{ live_iso | dict2items }}"
+    "{{ live_iso | default({}) | dict2items }}"
 
 - name: umount old iso images
   mount:
     path: "/var/lib/tftpboot/d-i/n-live/{{ item.key }}"
     state: unmounted
   loop:
-    "{{ live_iso | dict2items }}"
+    "{{ live_iso | default({}) | dict2items }}"
   when: new_iso.changed
 
-- name: prepare live image directory
+- name: prepare live image base directory
+  file:
+    path: "/var/lib/tftpboot/d-i/n-live/"
+    state: directory
+    mode: 0755
+
+- name: prepare live image directories
   file:
     path: "/var/lib/tftpboot/d-i/n-live/{{ item.key }}"
     state: directory
     mode: 0755
   loop:
-    "{{ live_iso | dict2items }}"
+    "{{ live_iso | default({}) | dict2items }}"
 
 - name: make sure loop module is loaded
   modprobe:
@@ -37,7 +43,7 @@
     opts: loop,ro,nofail
     state: mounted
   loop:
-    "{{ live_iso | dict2items }}"
+    "{{ live_iso | default({}) | dict2items }}"
   notify: rebuild di-netboot menu
 
 - name: prepare http downloads
@@ -82,47 +88,37 @@
     insertafter: '-- Customized Boot Entries --'
     line: "item {{ item.key }} Debian GNU/Linux {{ item.key }} NFS"
   loop:
-    "{{ live_iso | dict2items }}"
+    "{{ live_iso | default({}) | dict2items }}"
   notify: rebuild di-netboot menu
 
-- name: find kernel version
-  shell:
-    cmd: >-
-      basename /var/lib/tftpboot/d-i/n-live/{{ item.key }}/live/vmlinuz*
-      | sed "s/vmlinuz-//"
-  register: images
-  changed_when: false
-  loop:
-    "{{ live_iso | dict2items }}"
-
 - name: prepare debian live boot loader ipxe
   blockinfile:
     path: /etc/di-netboot-assistant/ipxemenu.HEAD
-    marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.item.key }}"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.key }}"
     block: |
-      :{{ item.item.key }}
+      :{{ item.key }}
-          echo Booting Debian GNU/Linux {{ item.item.key }} NFS
+          echo Booting Debian GNU/Linux {{ item.key }} NFS
-          kernel ${210:string}d-i/n-live/{{ item.item.key }}/live/vmlinuz-{{ item.stdout }} \
+          kernel ${210:string}d-i/n-live/{{ item.key }}/live/vmlinuz \
-          initrd=initrd.img-{{ item.stdout }} {{ boot_params|join(' ') }} \
+          initrd=initrd.img netboot=nfs {{ boot_params|join(' ') }} \
-          nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item.item.key }}/
+          nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item.key }}/
-          initrd ${210:string}d-i/n-live/{{ item.item.key }}/live/initrd.img-{{ item.stdout }}
+          initrd ${210:string}d-i/n-live/{{ item.key }}/live/initrd.img
           boot
   loop:
-    "{{ images.results }}"
+    "{{ live_iso | default({}) | dict2items }}"
   notify: rebuild di-netboot menu
 
 - name: prepare debian live boot loader grub
   blockinfile:
     path: /etc/di-netboot-assistant/grub.cfg.HEAD
     insertbefore: "^menuentry 'Boot from local disk..'"
-    marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.item.key }}"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.key }}"
     block: |
-      menuentry 'Debian GNU/Linux Live {{ item.item.key }} NFS' {
+      menuentry 'Debian GNU/Linux Live {{ item.key }} NFS' {
-          linux (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item.item.key }}/live/vmlinuz-{{ item.stdout }} \
+          linux (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item.key }}/live/vmlinuz \
-          {{ boot_params|join(' ') }} \
+          netboot=nfs {{ boot_params|join(' ') }} \
-          nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item.item.key }}/
+          nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item.key }}/
-          initrd (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item.item.key }}/live/initrd.img-{{ item.stdout }}
+          initrd (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item.key }}/live/initrd.img
       }
   loop:
-    "{{ images.results }}"
+    "{{ live_iso | default({}) | dict2items }}"    
   notify: rebuild di-netboot menu

roles/edulive/files/gnome-edu/README

@@ -1,2 +1,3 @@
 This config space is based on:
-  https://salsa.debian.org/live-team/live-images/-/tree/debian/images/gnome-desktop
+  https://salsa.debian.org/live-team/live-images/-/tree/debian/images/gnome-desktop
+

roles/edulive/files/gnome-edu/auto/config

@@ -7,12 +7,10 @@ lb config noauto \
 	--cache false \
 	--net-tarball false \
 	--ignore-system-defaults \
-	--distribution bullseye \
+	--distribution bookworm \
 	--binary-images netboot \
 	--mode debian \
 	--backports true \
 	--linux-packages linux-image \
-	--archive-areas "main contrib non-free" \
+	--archive-areas "main non-free-firmware contrib non-free" \
-	--mirror-bootstrap http://localhost:3142/deb.debian.org/debian/ \
-	--mirror-chroot-security http://localhost:3142/security.debian.org/debian-security/ \
 "${@}"

roles/edulive/files/gnome-edu/config/hooks/live/0500-desktop.hook.chroot

@@ -2,14 +2,20 @@
 
 set -e
 
-echo 'pref("browser.startup.homepage", "https://www.startpage.com");' >> /etc/firefox-esr/firefox-esr.js
-echo 'pref("network.proxy.type", 4);' >> /etc/firefox-esr/firefox-esr.js
-
 dconf update
 
 #sed -i "s/^/#/" /etc/xdg/user-dirs.defaults
 
 sed -i "s/^#WaylandEnable=false$/WaylandEnable=false/" /etc/gdm3/daemon.conf
 
+## shared directory:
+mkdir /media/tmpshare
+echo "livebox:/srv/tmpshare /media/tmpshare nfs rw,auto,nofail,nolock 0 0" >> /etc/fstab
+
+## remote journal:
+echo "URL=http://livebox" >> /etc/systemd/journal-upload.conf
+ln -s /lib/systemd/system/systemd-journal-upload.service \
+   /etc/systemd/system/multi-user.target.wants/systemd-journal-upload.service
+
 ## workaround https://bugzilla.gnome.org/show_bug.cgi?id=730587
 #dpkg-divert --divert /usr/bin/gnome-keyring-daemon.bak --rename /usr/bin/gnome-keyring-daemon

roles/edulive/files/gnome-edu/config/includes.chroot/etc/firefox

@@ -0,0 +1 @@
+firefox-esr

roles/edulive/files/gnome-edu/config/includes.chroot/etc/firefox-esr/policies/policies.json

@@ -0,0 +1,74 @@
+{
+    "policies": {
+        "Proxy": {
+            "Mode": "system"
+        },
+        "OverrideFirstRunPage": "https://www.debian.org",
+        "Homepage": {
+            "URL": "https://www.debian.org",
+            "Locked": false,
+            "StartPage": "previous-session"
+        },
+        "DisplayBookmarksToolbar": true,
+        "ManagedBookmarks": [
+            {
+                "toplevel_name": "Debian"
+            },
+            {
+                "url": "https://www.debian.org",
+                "name": "Debian Homepage"
+            },
+            {
+                "url": "https://wiki.debian.org",
+                "name": "Debian Wiki"
+            },
+            {
+                "name": "Debian Development",
+                "children": [
+                    {
+                        "url": "https://bugs.debian.org",
+                        "name": "Debian Bug Tracker"
+                    },
+                    {
+                        "url": "https://packages.debian.org",
+                        "name": "Debian Packages"
+                    },
+                    {
+                        "url": "https://salsa.debian.org",
+                        "name": "Debian Salsa"
+                    },
+                    {
+                        "url": "https://tracker.debian.org",
+                        "name": "Package Tracker"
+                    }
+                ]
+            },
+            {
+                "name": "Debian LAN/Live",
+                "children": [
+                    {
+                        "url": "https://salsa.debian.org/andi/debian-lan-ansible",
+                        "name": "Debian LAN Ansible"
+                    },
+                    {
+                        "url": "https://wiki.debian.org/DebianLive",
+                        "name": "Debian Live"
+                    }
+                ]
+            }
+        ],
+        "SearchEngines": {
+            "Add": [
+                {
+                    "Name": "Startpage",
+                    "URLTemplate": "https://www.startpage.com/sp/search?query={searchTerms}",
+                    "Method": "GET",
+                    "IconURL": "https://www.startpage.com/sp/cdn/favicons/favicon--default.ico",
+                    "Alias": "sp",
+                    "Description": "Startpage Search Engine"
+                }
+            ],
+            "Default": "Startpage"
+        }
+    }
+}

roles/edulive/files/gnome-edu/config/includes.chroot/etc/libvirt/qemu/netboot.xml

@@ -85,19 +85,16 @@ or other application using the libvirt API.
       <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
     </controller>
     <interface type='direct'>
-      <mac address='52:54:00:VMMAC'/>
       <source dev='INTERFACE' mode='bridge'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
     </interface>
     <interface type='network'>
-      <mac address='52:54:00:46:a6:25'/>
       <source network='default'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
     </interface>
     <interface type='network'>
-      <mac address='52:54:00:5c:fc:08'/>
       <source network='intern'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>

roles/edulive/files/gnome-edu/config/includes.chroot/lib/live/config/0001-VM-MAC

@@ -3,9 +3,5 @@
 
 set -eu
 
-NIC="$(ip link | grep "^2: " | cut -d ' ' -f2 | sed "s/://")"
+NIC="$(ip route | grep -m1 default | sed -E "s/.+dev (\w+).*/\1/")"
-MAC="$(ip link | grep -A1 "^2: " | grep -oE "[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2} " \
+sed -i -e "s/INTERFACE/$NIC/g" /etc/libvirt/qemu/netboot.xml
-	| sed "s/ //g")"
-
-sed -i -e "s/VMMAC/$MAC/g" -e "s/INTERFACE/$NIC/g" /etc/libvirt/qemu/netboot.xml
-

roles/edulive/files/gnome-edu/config/package-lists/school-cli.list.chroot

@@ -0,0 +1,24 @@
+##
+## packages for CLI programs
+##
+console-setup
+emacs-nox
+git
+htop
+mc
+minicom
+ncdu
+netcat-openbsd
+net-tools
+nfs-common
+nmap
+screen
+shellcheck
+sl
+systemd-journal-remote
+tcpdump
+tmux
+tree
+vim
+xterm
+

roles/edulive/files/gnome-edu/config/package-lists/school-gui.list.chroot

@@ -0,0 +1,43 @@
+##
+## packages for GUI programs
+##
+
+bluefish
+codeblocks
+dia
+emacs
+freecad
+ghex
+gimp
+inkscape
+keepassxc
+kicad
+librecad
+mu-editor
+#nautilus-nextcloud
+#nextcloud-desktop
+obs-studio
+openboard
+pdf-presenter-console
+qtcreator
+#scrcpy
+spyder
+ssh-askpass-gnome
+sway
+task-german-desktop
+terminator
+#texlive
+#texlive-lang-german
+#texlive-latex-extra
+#texlive-science
+thonny
+#thunderbird
+#thunderbird-l10n-de
+virt-manager
+vlc
+vym
+webext-privacy-badger
+webext-ublock-origin-chromium
+webext-ublock-origin-firefox
+wireshark
+xournal

roles/edulive/files/gnome-edu/config/package-lists/school.list.chroot

@@ -1,100 +0,0 @@
-#
-# This file is linked to all desktop configurations.
-# Put desktop specific packages in the desktop specific file.
-#
-#webext-ublock-origin-firefox
-#webext-ublock-origin-chromium
-webext-ublock-origin
-webext-privacy-badger
-
-vim
-emacs
-vlc
-gimp
-inkscape
-bluefish
-
-openboard
-xournal
-
-freecad
-librecad
-kicad
-
-git
-mc
-tmux
-wireshark
-nmap
-netcat-openbsd
-net-tools
-thonny
-spyder
-ghex
-
-codeblocks
-gprolog
-qtcreator
-obs-studio
-
-mu-editor
-dia
-vym
-shellcheck
-xterm
-
-tree
-console-setup
-virt-manager
-sway
-
-task-german-desktop
-
-ssh-askpass-gnome
-keepassxc
-
-#nextcloud-desktop
-#nautilus-nextcloud
-#thunderbird
-#thunderbird-l10n-de
-
-#texlive
-#texlive-latex-extra
-#texlive-lang-german
-#texlive-science
-
-pdf-presenter-console
-
-libreoffice/bullseye-backports
-libreoffice-core/bullseye-backports
-libreoffice-common/bullseye-backports
-libreoffice-writer/bullseye-backports
-libreoffice-calc/bullseye-backports
-libreoffice-impress/bullseye-backports
-libreoffice-base/bullseye-backports
-libreoffice-base-drivers/bullseye-backports
-libreoffice-math/bullseye-backports
-libreoffice-report-builder-bin/bullseye-backports
-libreoffice-style-colibre/bullseye-backports
-libreoffice-gnome/bullseye-backports
-libreoffice-gtk3/bullseye-backports
-libreoffice-style-elementary/bullseye-backports
-libreoffice-help-common/bullseye-backports
-libreoffice-help-de/bullseye-backports
-libreoffice-java-common/bullseye-backports
-libreoffice-l10n-de/bullseye-backports
-libreoffice-nlpsolver/bullseye-backports
-libreoffice-report-builder/bullseye-backports
-libreoffice-script-provider-bsh/bullseye-backports
-libreoffice-script-provider-js/bullseye-backports
-libreoffice-script-provider-python/bullseye-backports
-libreoffice-sdbc-firebird/bullseye-backports
-libreoffice-sdbc-hsqldb/bullseye-backports
-libreoffice-sdbc-mysql/bullseye-backports
-libreoffice-sdbc-postgresql/bullseye-backports
-libreoffice-wiki-publisher/bullseye-backports
-
-python3-uno/bullseye-backports
-libuno-sal3/bullseye-backports
-fonts-opensymbol/bullseye-backports
-ure/bullseye-backports

roles/edulive/files/standard-edu/README

@@ -0,0 +1,3 @@
+This config space is based on:
+  https://salsa.debian.org/live-team/live-images/-/tree/debian/images/standard
+

roles/edulive/files/standard-edu/auto/build

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+lb build noauto "${@}" 2>&1 | tee build.log

roles/edulive/files/standard-edu/auto/clean

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+lb clean noauto "${@}"
+
+rm -f config/binary config/bootstrap config/chroot config/common config/source
+rm -f config/control
+
+rm -f build.log

roles/edulive/files/standard-edu/auto/config

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e
+
+lb config noauto \
+	--clean \
+	--cache false \
+	--net-tarball false \
+	--ignore-system-defaults \
+	--distribution bookworm \
+	--binary-images netboot \
+	--mode debian \
+	--backports true \
+	--linux-packages linux-image \
+	--archive-areas "main non-free-firmware contrib non-free" \
+"${@}"

roles/edulive/files/standard-edu/config/hooks/0001-plymouth-theme.hook.chroot

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+if [ -e /usr/sbin/plymouth-set-default-theme ] && [ -e /usr/share/plymouth/themes/lines ]
+then
+	plymouth-set-default-theme lines
+fi

roles/edulive/files/standard-edu/config/hooks/live/0010-disable-kexec-tools.hook.chroot

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e
+
+# Disable kexec-tools
+
+if [ -e /sbin/kexec ]
+then
+	echo "kexec-tools kexec-tools/load_kexec boolean false" > /root/preseed
+
+	debconf-set-selections /root/preseed
+
+	rm -f /root/preseed
+
+	dpkg-reconfigure kexec-tools
+fi

roles/edulive/files/standard-edu/config/hooks/live/0050-disable-sysvinit-tmpfs.hook.chroot

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+# Disable tmpfs on /tmp
+
+if [ -e /etc/default/rcS ]
+then
+	sed -i -e 's|^ *RAMTMP=.*|RAMTMP=no|' /etc/default/rcS
+fi

roles/edulive/files/standard-edu/config/hooks/live/0500-tmpshare.hook.chroot

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+## shared directory:
+mkdir /media/tmpshare
+echo "livebox:/srv/tmpshare /media/tmpshare nfs rw,auto,nofail,nolock 0 0" >> /etc/fstab
+
+## remote journal:
+echo "URL=http://livebox" >> /etc/systemd/journal-upload.conf
+ln -s /lib/systemd/system/systemd-journal-upload.service \
+   /etc/systemd/system/multi-user.target.wants/systemd-journal-upload.service
+
+## workaround https://bugzilla.gnome.org/show_bug.cgi?id=730587
+#dpkg-divert --divert /usr/bin/gnome-keyring-daemon.bak --rename /usr/bin/gnome-keyring-daemon

roles/edulive/files/standard-edu/config/hooks/normal/0020-create-mtab-symlink.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0020-create-mtab-symlink.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0030-enable-cryptsetup.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0030-enable-cryptsetup.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0040-create-locales-files.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0040-create-locales-files.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0100-remove-adjtime-configuration.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0100-remove-adjtime-configuration.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0110-remove-backup-files.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0110-remove-backup-files.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0120-remove-dbus-machine-id.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0120-remove-dbus-machine-id.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0130-remove-gnome-icon-cache.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0130-remove-gnome-icon-cache.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0140-remove-log-files.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0140-remove-log-files.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0150-remove-mdadm-configuration.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0150-remove-mdadm-configuration.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0160-remove-openssh-server-host-keys.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0160-remove-openssh-server-host-keys.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0170-remove-python-py.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0170-remove-python-py.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0180-remove-systemd-machine-id.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0180-remove-systemd-machine-id.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0190-remove-temporary-files.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0190-remove-temporary-files.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0195-remove-ssl-cert-snakeoil.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0195-remove-ssl-cert-snakeoil.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0200-remove-udev-persistent-cd-rules.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0200-remove-udev-persistent-cd-rules.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0300-remove-udev-persistent-net-rules.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0300-remove-udev-persistent-net-rules.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0400-update-apt-file-cache.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0400-update-apt-file-cache.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0410-update-apt-xapian-index.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0410-update-apt-xapian-index.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0420-update-glx-alternative.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0420-update-glx-alternative.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0430-update-mlocate-database.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0430-update-mlocate-database.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0440-update-nvidia-alternative.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0440-update-nvidia-alternative.hook.chroot

roles/edulive/files/standard-edu/config/hooks/normal/0500-reproducible-glibc.hook.chroot

@@ -0,0 +1 @@
+/usr/share/live/build/hooks/normal/0500-reproducible-glibc.hook.chroot

roles/edulive/files/standard-edu/config/includes.chroot/etc/sysctl.d/sysctl.conf

@@ -0,0 +1,3 @@
+# Uncomment the following to stop low-level messages on console
+kernel.printk = 3 4 1 3
+

roles/edulive/files/standard-edu/config/includes.chroot/lib/live/config/0002-apt-proxy

@@ -0,0 +1,2 @@
+#!/bin/sh
+echo 'Acquire::http::Proxy "http://livebox:3142";' >> /etc/apt/apt.conf.d/10proxy

roles/edulive/files/standard-edu/config/package-lists/live-systems.list.chroot

@@ -0,0 +1,2 @@
+live-manual
+live-tools

roles/edulive/files/standard-edu/config/package-lists/live.list.chroot

@@ -0,0 +1,3 @@
+live-boot
+live-config
+live-config-systemd

roles/edulive/files/standard-edu/config/package-lists/localization.list.chroot

@@ -0,0 +1,2 @@
+task-english
+task-german

roles/edulive/files/standard-edu/config/package-lists/school-cli.list.chroot

@@ -0,0 +1,24 @@
+##
+## packages for CLI programs
+##
+console-setup
+emacs-nox
+git
+htop
+mc
+minicom
+ncdu
+netcat-openbsd
+net-tools
+nfs-common
+nmap
+screen
+shellcheck
+sl
+systemd-journal-remote
+tcpdump
+tmux
+tree
+vim
+xterm
+

roles/edulive/files/standard-edu/config/package-lists/standard.list.chroot

@@ -0,0 +1,3 @@
+! Packages Priority standard
+
+task-ssh-server

roles/edulive/handlers/main.yml

@@ -1,12 +1,20 @@
 ---
 - name: run the image build script
-  command:
+  ansible.builtin.command:
     cmd: livebuilder.sh
   listen: run build script
 
 - name: enable timer for livebuilder
-  systemd:
+  ansible.builtin.systemd:
     name: livebuilder.timer
     state: started
     enabled: true
   listen: enable livebuilder.timer
+
+- name: restart systemd-journal-remote
+  ansible.builtin.systemd:
+    name: systemd-journal-remote.socket
+    daemon_reload: true
+    state: restarted
+    enabled: true
+  listen: restart systemd-journal-remote

roles/edulive/tasks/main.yml

@@ -1,24 +1,61 @@
 ---
 - name: install packages
-  apt:
+  ansible.builtin.apt:
     name:
       - live-build
+      - systemd-journal-remote
     state: latest # noqa package-latest
 
 - name: prepare live-build directory
-  file:
+  ansible.builtin.file:
+    path: /etc/systemd/system/systemd-journal-remote.service.d/
+    state: directory
+    mode: 0755
+
+- name: configure remote journal
+  ansible.builtin.blockinfile:
+    path: /etc/systemd/system/systemd-journal-remote.service.d/override.conf
+    create: true
+    block: |
+      [Service]
+      ExecStart=
+      ExecStart=/lib/systemd/systemd-journal-remote --listen-http=-3 --output=/var/log/journal/remote
+  notify: restart systemd-journal-remote
+
+- name: prepare live-build directory
+  ansible.builtin.file:
     path: "{{ build_dir }}"
     state: directory
     mode: 0755
 
 - name: copy build script
-  template:
+  ansible.builtin.template:
     src: livebuilder.sh
     dest: /usr/local/sbin/
     mode: 0755
 
+- name: prepare shared directory
+  ansible.builtin.file:
+    path: "/srv/tmpshare"
+    state: directory
+    mode: "1777"
+
+- name: mount tmpfs on shared directory
+  ansible.builtin.mount:
+    path: "/srv/tmpshare/"
+    src: "tmpfs"
+    fstype: tmpfs
+    opts: rw,nofail
+    state: mounted
+
+- name: export shared directory
+  ansible.builtin.lineinfile:
+    path: /etc/exports
+    line: "/srv/tmpshare/ *(rw,fsid=0,crossmnt,no_subtree_check)"
+  notify: export nfs
+
 - name: provide service and timer for livebuilder
-  copy:
+  ansible.builtin.copy:
     src: "{{ item }}"
     dest: "/etc/systemd/system/{{ item }}"
     mode: 0644
@@ -28,47 +65,70 @@
   notify: "enable livebuilder.timer"
 
 - name: copy live-build configuration
-  copy:
+  ansible.builtin.copy:
     src: "{{ item }}"
     dest: "{{ build_dir }}"
+    force: false
     local_follow: false
     mode: preserve
   loop: "{{ build_images }}"
 
 - name: prepare debian live nfs boot entry title
-  lineinfile:
+  ansible.builtin.blockinfile:
     path: /etc/di-netboot-assistant/ipxemenu.HEAD
     insertafter: '-- Customized Boot Entries --'
-    line: "item {{ item }} Debian GNU/Linux {{ item }} NFS"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK menu entries {{ item }}"
+    block: |
+      item {{ item }}-NFS Debian GNU/Linux {{ item }} NFS
+      item {{ item }}-RAM Debian GNU/Linux {{ item }} RAM
   loop:
     "{{ build_images }}"
   notify: rebuild di-netboot menu
 
 - name: prepare debian live boot loader ipxe
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: /etc/di-netboot-assistant/ipxemenu.HEAD
     marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item }}"
     block: |
-      :{{ item }}
+      :{{ item }}-NFS
-          echo Booting Debian GNU/Linux EDU LIVE NFS
+          echo Booting Debian GNU/Linux {{ item }} NFS
           kernel ${210:string}d-i/n-live/{{ item }}/live/vmlinuz \
-          initrd=initrd.img {{ boot_params|join(' ') }} \
+            initrd=initrd.img netboot=nfs {{ boot_params|join(' ') }} hostname=${netX/mac} \
-          nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item }}/
+            nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item }}/
+          initrd ${210:string}d-i/n-live/{{ item }}/live/initrd.img
+          boot
+
+      :{{ item }}-RAM
+          echo Booting Debian GNU/Linux {{ item }} RAM
+          kernel ${210:string}d-i/n-live/{{ item }}/live/vmlinuz \
+            initrd=initrd.img {{ boot_params|join(' ') }} hostname=${netX/mac} \
+            fetch=http://{{ ansible_default_ipv4.address }}/d-i/n-live/{{ item }}/live/filesystem.squashfs
           initrd ${210:string}d-i/n-live/{{ item }}/live/initrd.img
           boot
   loop: "{{ build_images }}"
   notify: rebuild di-netboot menu
 
 - name: prepare debian live boot loader grub
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: /etc/di-netboot-assistant/grub.cfg.HEAD
     insertbefore: "^menuentry 'Boot from local disk..'"
     marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item }}"
     block: |
       menuentry 'Debian GNU/Linux Live {{ item }} NFS' {
+          regexp --set=1:oct4 --set=2:oct5 --set=3:oct6 \
+            "\:([[:xdigit:]]+)\:([[:xdigit:]]+)\:([[:xdigit:]]+)\$" $net_default_mac
           linux (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item }}/live/vmlinuz \
-          {{ boot_params|join(' ') }} \
+            netboot=nfs {{ boot_params|join(' ') }} hostname=${oct4}${oct5}${oct6} \
-          nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item }}/
+            nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item }}/
+          initrd (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item }}/live/initrd.img
+      }
+
+      menuentry 'Debian GNU/Linux Live {{ item }} RAM' {
+          regexp --set=1:oct4 --set=2:oct5 --set=3:oct6 \
+            "\:([[:xdigit:]]+)\:([[:xdigit:]]+)\:([[:xdigit:]]+)\$" $net_default_mac
+          linux (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item }}/live/vmlinuz \
+            {{ boot_params|join(' ') }} hostname=${oct4}${oct5}${oct6} \
+            fetch=http://{{ ansible_default_ipv4.address }}/d-i/n-live/{{ item }}/live/filesystem.squashfs
           initrd (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item }}/live/initrd.img
       }
   loop: "{{ build_images }}"

roles/edulive/templates/livebuilder.sh

@@ -19,6 +19,13 @@ run_build(){
     done
 }
 
+clean_share(){
+    local TMPSHARE="/srv/tmpshare/"
+    find "$TMPSHARE/" -mindepth 1 -delete
+    echo "All content in this directory will be removed periodically!" \
+         >> "$TMPSHARE/README"
+}
+
 ## main:
 
 if ! auto-apt-proxy | grep -q 'http://127.0.0.1:3142' ; then
@@ -30,3 +37,4 @@ for IMG in {{ build_images|join(' ') }} ; do
     echo "=========== Building image $IMG ==========="
     run_build $IMG
 done
+clean_share

roles/lmn_netbootinstaller/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+service_description: "A service to server the netboot-client-playbook and roles to the lan"

roles/lmn_netbootinstaller/handlers/main.yml

@@ -0,0 +1,13 @@
+- name: rebuild di-netboot menu
+  command: "{{ item }}"
+  with_items:
+    - di-netboot-assistant rebuild-menu
+    - di-netboot-assistant rebuild-grub
+  listen: rebuild di-netboot menu
+
+
+- name: restart git service 
+  service:
+    name: lmn-netboot-git
+    state: restarted
+  listen: restart git service

roles/lmn_netbootinstaller/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: prepare installer boot loader grub
+  blockinfile:
+    path: /etc/di-netboot-assistant/grub.cfg.HEAD
+    insertbefore: "^menuentry 'Boot from local disk..'"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK netboot-installer"
+    block: |
+      menuentry 'Installer Debian bookworm (amd64) + preseed + lmn-desktop.yml' --unrestricted {
+          linux (http,{{ ansible_default_ipv4.address }})/d-i/n-pkg/images/12/amd64/text/debian-installer/amd64/linux auto=true priority=critical \
+          url=tftp://{{ ansible_default_ipv4.address }}/d-i/bookworm/preseed.cfg_lmn-desktop \
+          playbook=lmn-desktop.yml adpw='{{ gapw }}' ---
+          initrd (http,{{ ansible_default_ipv4.address }})/d-i/n-pkg/images/12/amd64/text/debian-installer/amd64/initrd.gz
+      }
+  notify: rebuild di-netboot menu
+
+- name: set git-daemon-export-ok for management repo
+  copy:
+    content: ""
+    dest: "{{ playbook_dir }}/.git/git-daemon-export-ok"
+    force: false
+    group: ansible
+    owner: ansible
+    mode: 0644
+
+- name: Create gitd systemd service file
+  template:
+    src: templates/lmn-netboot-git.service.j2
+    dest: /lib/systemd/system/lmn-netboot-git.service
+
+- name: Start gitd service for installation playbook
+  systemd:
+    name: lmn-netboot-git
+    state: started
+
+- name: provide preseed.cfg_lmn-desktop file
+  template:
+    src: templates/preseed.cfg_lmn-desktop.j2
+    dest: /var/lib/tftpboot/d-i/bookworm/preseed.cfg_lmn-desktop
+  notify: restart git service

roles/lmn_netbootinstaller/templates/lmn-netboot-git.service.j2

@@ -0,0 +1,20 @@
+[Unit]
+Description={{ service_description }}
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/git daemon --reuseaddr --base-path={{ playbook_dir }}  {{ playbook_dir }}
+Restart=on-failure
+
+Restart=always
+RestartSec=500ms
+
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=git-daemon
+
+User=ansible
+Group=ansible
+
+[Install]
+WantedBy=multi-user.target

roles/lmn_netbootinstaller/templates/preseed.cfg_lmn-desktop.j2

@@ -0,0 +1,149 @@
+#### Preconfiguration file
+##
+##  The following preseeding might be used to install a basic system
+##  completely automatically.
+##
+##  A user 'ansible' is set up and ssh login with public key
+##  authentication is configured.  The idea is to allow further
+##  customization of the system after installation using ansible.
+##
+##  Modify at least the public ssh key in 'authorized_keys' (see
+##  below).
+##
+##  For more examples and comments consult:
+##    https://www.debian.org/releases/stable/example-preseed.txt
+##
+
+## To change default values:
+#d-i foo/bar seen false
+#d-i foo/bar string value
+
+## Useful boot parameters:
+## DEBCONF_DEBUG=5
+## locale?=de_DE
+
+## To set the hostname manually during installation, use priority=high
+## as boot parameter and uncomment this line:
+#d-i debconf/priority string critical
+
+## Preseeding only locale sets language, country and locale:
+d-i debian-installer/locale string de_DE
+d-i keyboard-configuration/xkb-keymap select de
+
+## Use hostname assigned by DHCP:
+d-i netcfg/get_hostname string unassigned-hostname
+d-i netcfg/get_domain string unassigned-domain
+
+## Skip root account:
+d-i passwd/root-login boolean false
+
+### Apt setup
+d-i apt-setup/non-free-firmware boolean true
+d-i apt-setup/non-free boolean true
+d-i apt-setup/contrib boolean true
+
+d-i mirror/country string manual
+d-i mirror/http/hostname string deb.debian.org
+d-i mirror/http/directory string /debian
+#d-i mirror/http/proxy string http://10.167.0.253:3142/
+#d-i mirror/http/proxy string http://192.168.1.17:3142/
+#d-i mirror/http/proxy string http://aptcache.steinbeisschule-reutlingen.de:3142/
+d-i mirror/http/proxy string http://10.16.1.2:3142/
+
+# NTP server to use.
+d-i clock-setup/ntp-server string server.qgm.lan
+
+### Backports:
+#apt-setup-udeb apt-setup/services-select multiselect security, updates, backports
+apt-setup-udeb apt-setup/services-select multiselect security, updates
+
+### Ansible User
+d-i passwd/user-fullname string Ansible User
+d-i passwd/username string ansible
+d-i passwd/user-password password insecure
+d-i passwd/user-password-again password insecure
+#d-i passwd/user-password-crypted password [crypt(3) hash]
+
+### Do not ask about support for non-efi systems:
+d-i partman-efi/non_efi_system boolean true
+
+### Leave this empty to use the only available hard drive:
+d-i partman-auto/disk string
+#d-i partman-auto/disk string /dev/sdd
+#d-i partman-auto/disk string /dev/vda
+
+### Regular partitions:
+d-i partman-auto/method string regular
+d-i partman-auto/choose_recipe select atomic
+## This makes partman automatically partition without confirmation:
+d-i partman-partitioning/confirm_write_new_label boolean true
+d-i partman/choose_partition select finish
+d-i partman/confirm boolean true
+d-i partman/confirm_nooverwrite boolean true
+
+# ### Enable to set up LVM:
+# d-i partman-auto/method string lvm
+# ## Use only 50% of the available physical volume size and then
+# ## adjust the logical volume sizes later with ansible, if needed:
+# d-i partman-auto-lvm/guided_size PERCENT 50%
+# # If one of the disks that are going to be automatically partitioned
+# # contains an old LVM configuration, the user will normally receive a
+# # warning. This can be preseeded away...
+# d-i partman-lvm/device_remove_lvm boolean true
+# # The same applies to pre-existing software RAID array:
+# d-i partman-md/device_remove_md boolean true
+# # And the same goes for the confirmation to write the lvm partitions.
+# d-i partman-lvm/confirm boolean true
+# d-i partman-lvm/confirm_nooverwrite boolean true
+# # You can choose one of the three predefined partitioning recipes:
+# # - atomic: all files in one partition
+# # - home:   separate /home partition
+# # - multi:  separate /home, /var, and /tmp partitions
+# d-i partman-auto/choose_recipe select multi
+
+### Package selection
+#tasksel tasksel/first multiselect standard, ssh-server, gnome-desktop, print-server
+tasksel tasksel/first multiselect standard, ssh-server, kde-desktop
+
+### Individual additional packages to install
+#d-i pkgsel/include string firmware-linux ansible git
+d-i pkgsel/include string ansible git firmware-linux
+#d-i pkgsel/include string firmware-linux ansible/buster-backports git
+#d-i pkgsel/include string firmware-linux
+
+### GRUB on default disk:
+d-i grub-installer/bootdev string default
+
+### This command is run just before the install finishes:
+d-i preseed/late_command string \
+      mkdir -p /target/home/ansible/.ssh && \
+      echo "{{ ansible_ssh_pubkey }}" >> /target/home/ansible/.ssh/authorized_keys ; \
+      in-target chown -R ansible:ansible /home/ansible/.ssh/ ; \
+      in-target chmod -R og= /home/ansible/.ssh/ ; \
+      [ -z "$playbook" ] || mkdir -v /target/dev/shm ; \
+      [	-z "$playbook" ] || in-target mount -v -t tmpfs tmpfs /dev/shm ; \
+      in-target ansible-pull --verbose --purge --extra-vars="run_in_installer=true" \
+          -i localhost, --url=git://{{ ansible_default_ipv4.address }}/.git -C {{ lmn_client_branch }} $playbook
+#         -i localhost, --url=http://10.16.1.2/debian-lan-ansible.git $playbook
+#         -i localhost, --url=git://10.167.0.253/.git -C fvs $playbook
+#         -i localhost, --url=git://installbox/.git $playbook
+#
+#
+## Replace key with:  sed -i "s#echo \".\+\"#echo \"$(cat ~/.ssh/id_rsa.pub)\"#" preseed.cfg
+#
+## When installing in combination with ansible-pull,
+## export your ansible playbook like:
+##
+##   git daemon --verbose --export-all \
+##       --base-path=/dir/of/playbook -- /dir/of/playbook
+##
+## Conditions may be applied in the playbook like:
+##    when: run_in_installer|default(false)|bool
+##    when: not run_in_installer|default(false)|bool
+
+### Avoid that last message about the install being complete.
+d-i finish-install/reboot_in_progress note
+
+## Do not modify boot order (netboot first): 
+grub-efi-amd64 grub2/update_nvram boolean false
+##grub-efi-amd64 grub2/force_efi_extra_removable boolean true

roles/up2date_debian/tasks/main.yml

@@ -24,9 +24,7 @@
 
 - name: add {{ ansible_distribution_release }}-backports
   apt_repository:
-    repo: >
+    repo: deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main
-      deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports
-      main contrib non-free-firmware non-free
     state: present
     update_cache: true
   when: extra_pkgs_bpo|length