Separate exam-mode stuff in own role

roles/lmn_exam/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+exam_mode: true

roles/lmn_exam/files/pam-exec.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/bash
+
+# exit if not running as root. Because other user don't have privileges to start/stop firewalld.
+[[ "${UID}" -eq "0" ]] || exit 0
+
+if [[ "${PAM_USER}" =~ -exam$ ]]; then
+  systemctl start firewalld.service
+  if systemctl is-enabled --quiet libvirtd.service; then
+    systemctl restart libvirtd.service
+  fi
+elif ! (users | grep -q -- "-exam"); then
+  systemctl stop firewalld.service
+  if systemctl is-enabled --quiet libvirtd.service; then
+    systemctl restart libvirtd.service
+  fi
+fi

roles/lmn_exam/files/rmexam

@@ -0,0 +1,16 @@
+#!/usr/bin/bash
+#
+# rename -exam directories in /home and /lmn/media older than 12h
+# remove -exam.* directories in /home and /lmn/media older than 10d
+#
+
+set -eu
+
+for dir in /home/ /lmn/media ; do
+  if [[ -d "${dir}" ]]; then
+    find "${dir}" -maxdepth 1 -mindepth 1 -name '*-exam' -type d -cmin +720 \
+         -exec bash -c 'mv "$0" "$0".$( date +%Y%m%d-%H%M --reference="$0" )' {} \;
+    find "${dir}" -maxdepth 1 -mindepth 1 -name '*-exam.*' -type d -cmin +14400 \
+	 -exec rm -rf {} \;
+  fi
+done

roles/lmn_exam/files/rmexam.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Rename/Remove -exam directories older than 12h/10d
+
+[Service]
+Type=simple
+ExecStart=/usr/local/sbin/rmexam

roles/lmn_exam/files/rmexam.timer

@@ -0,0 +1,8 @@
+[Unit]
+Description=Run rmexam after boot
+
+[Timer]
+OnBootSec=0min
+
+[Install]
+WantedBy=timers.target

roles/lmn_exam/tasks/main.yml

@@ -0,0 +1,70 @@
+---
+# Requirement: Install firewalld after installing libvirt
+- name: Install firewalld packages
+  ansible.builtin.apt:
+    name:
+      - firewalld
+  register: result
+
+- name: Stop firewalld-service
+  ansible.builtin.systemd:
+    name: firewalld
+    state: stopped
+  when: result.changed
+
+- name: Disable firewalld-service
+  ansible.builtin.systemd:
+    name: firewalld
+    enabled: false
+
+- name: Add virbr0 to libvirt zone
+  ansible.posix.firewalld:
+    zone: libvirt
+    interface: virbr0
+    permanent: true
+    state: enabled
+  when: vm_support is defined and vm_support
+
+- name: Permit access to cups from libvirt
+  ansible.posix.firewalld:
+    zone: libvirt
+    port: 631/tcp
+    permanent: true
+    state: enabled
+  when: vm_support is defined and vm_support # and printing is defined and printing
+
+- name: Permit access to usersquid from libvirt
+  ansible.posix.firewalld:
+    zone: libvirt
+    port: 3128/tcp
+    permanent: true
+    state: enabled
+  when: vm_support is defined and vm_support # and localsquid is defined and localsquid
+
+- name: Copy some scripts
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /usr/local/sbin/
+    mode: 0755
+  loop:
+    - pam-exec.sh
+    - rmexam
+
+- name: Enable login script via pam_exec.so
+  ansible.builtin.lineinfile:
+    dest: /etc/pam.d/common-auth
+    line: "auth    optional        pam_exec.so /usr/local/sbin/pam-exec.sh"
+
+- name: Provide rmexam services and timers for some scripts
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "/etc/systemd/system/{{ item }}"
+    mode: 0644
+  loop:
+    - rmexam.service
+    - rmexam.timer
+
+- name: Enable rmexam.timer
+  ansible.builtin.systemd:
+    name: rmexam.timer
+    enabled: true