Separate exam-mode stuff in own role

2025-03-18 14:37:13 +01:00 · 2025-03-18 14:37:13 +01:00 · 3d01394820
commit 3d01394820
parent 43157dd810
13 changed files with 493 additions and 472 deletions
--- a/roles/lmn_exam/defaults/main.yml
+++ b/roles/lmn_exam/defaults/main.yml
@ -0,0 +1,2 @@
+---
+exam_mode: true
--- a/roles/lmn_exam/files/pam-exec.sh
+++ b/roles/lmn_exam/files/pam-exec.sh
--- a/roles/lmn_localhome/files/rmexam
+++ b/roles/lmn_localhome/files/rmexam
--- a/roles/lmn_localhome/files/rmexam.service
+++ b/roles/lmn_localhome/files/rmexam.service
--- a/roles/lmn_localhome/files/rmexam.timer
+++ b/roles/lmn_localhome/files/rmexam.timer
--- a/roles/lmn_exam/tasks/main.yml
+++ b/roles/lmn_exam/tasks/main.yml
@ -0,0 +1,70 @@
+---
+# Requirement: Install firewalld after installing libvirt
+- name: Install firewalld packages
+  ansible.builtin.apt:
+    name:
+      - firewalld
+  register: result
+
+- name: Stop firewalld-service
+  ansible.builtin.systemd:
+    name: firewalld
+    state: stopped
+  when: result.changed
+
+- name: Disable firewalld-service
+  ansible.builtin.systemd:
+    name: firewalld
+    enabled: false
+
+- name: Add virbr0 to libvirt zone
+  ansible.posix.firewalld:
+    zone: libvirt
+    interface: virbr0
+    permanent: true
+    state: enabled
+  when: vm_support is defined and vm_support
+
+- name: Permit access to cups from libvirt
+  ansible.posix.firewalld:
+    zone: libvirt
+    port: 631/tcp
+    permanent: true
+    state: enabled
+  when: vm_support is defined and vm_support # and printing is defined and printing
+
+- name: Permit access to usersquid from libvirt
+  ansible.posix.firewalld:
+    zone: libvirt
+    port: 3128/tcp
+    permanent: true
+    state: enabled
+  when: vm_support is defined and vm_support # and localsquid is defined and localsquid
+
+- name: Copy some scripts
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /usr/local/sbin/
+    mode: 0755
+  loop:
+    - pam-exec.sh
+    - rmexam
+
+- name: Enable login script via pam_exec.so
+  ansible.builtin.lineinfile:
+    dest: /etc/pam.d/common-auth
+    line: "auth    optional        pam_exec.so /usr/local/sbin/pam-exec.sh"
+
+- name: Provide rmexam services and timers for some scripts
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "/etc/systemd/system/{{ item }}"
+    mode: 0644
+  loop:
+    - rmexam.service
+    - rmexam.timer
+
+- name: Enable rmexam.timer
+  ansible.builtin.systemd:
+    name: rmexam.timer
+    enabled: true
--- a/roles/lmn_fvs/tasks/main.yml
+++ b/roles/lmn_fvs/tasks/main.yml
@ -152,7 +152,6 @@
    - pwroff
    - bootorder.sh
    - reporter
-    - pam-exec.sh

 - name: Provide services and timers for some scripts
  copy:
@ -309,12 +308,6 @@
         font.pointSize: config.fontSize
      }

- name: enable login script via pam_exec.so
-  lineinfile:
-    dest: /etc/pam.d/common-auth
-    line: "auth    optional        pam_exec.so /usr/local/sbin/pam-exec.sh"
-  when: "'teacherlaptop' not in group_names"
-
 - name: Set git default-branch to main
  ansible.builtin.copy:
    dest: /etc/gitconfig
--- a/roles/lmn_localhome/tasks/main.yml
+++ b/roles/lmn_localhome/tasks/main.yml
@ -36,26 +36,3 @@
      {% if 'teacherlaptop' not in group_names %}
      [[ "${UID}" -gt 10000 ]] && ! findmnt /srv/samba/schools/default-school > /dev/null && exit 0
      {% endif %}
-
- name: Provide rmexam script
-  ansible.builtin.copy:
-    src: rmexam
-    dest: /usr/local/sbin/
-    mode: 0755
-  when: "'teacherlaptop' not in group_names"
-
- name: Provide rmexam services and timers for some scripts
-  ansible.builtin.copy:
-    src: "{{ item }}"
-    dest: "/etc/systemd/system/{{ item }}"
-    mode: 0644
-  loop:
-    - rmexam.service
-    - rmexam.timer
-  when: "'teacherlaptop' not in group_names"
-
- name: Enable rmexam.timer
-  ansible.builtin.systemd:
-    name: rmexam.timer
-    enabled: true
-  when: "'teacherlaptop' not in group_names"
--- a/roles/lmn_printer/tasks/main.yml
+++ b/roles/lmn_printer/tasks/main.yml
@ -46,13 +46,6 @@
    state: stopped
    enabled: no

- name: Permit access to cups from libvirt
-  ansible.posix.firewalld:
-    zone: libvirt
-    port: 631/tcp
-    permanent: true
-    state: enabled
-
 - name: Install install-printers.sh
  template:
    src: install-printers.sh.j2
--- a/roles/lmn_vm/defaults/main.yml
+++ b/roles/lmn_vm/defaults/main.yml
@ -0,0 +1,2 @@
+---
+vm_support: false
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@ -17,7 +17,6 @@
      - mktorrent
      - libvirt-daemon-system
      - virt-manager
-      - firewalld
      - dialog # for vm-netboot menu
    state: latest
    autoremove: true
@ -29,19 +28,6 @@
    #    insertafter: '#auth_unix_rw = "polkit"'
    #  notify: reload libvirtd

- name: disable firewalld-service
-  systemd:
-    name: firewalld
-    enabled: false
-    state: stopped
-
- name: Add virbr0 to libvirt zone
-  ansible.posix.firewalld:
-    zone: libvirt
-    interface: virbr0
-    permanent: true
-    state: enabled
-
 - name: Configure pam_mount for VM bind mounts
  blockinfile:
    dest: /etc/security/pam_mount.conf.xml
@ -186,13 +172,6 @@
    scope: global
    enabled: true

- name: Permit access to usersquid from libvirt
-  ansible.posix.firewalld:
-    zone: libvirt
-    port: 3128/tcp
-    permanent: true
-    state: enabled
-
 - name: Deploy sudo configurations
  copy:
    src: "{{ item }}"