Use vault for site-specific variables.

2023-10-12 20:00:19 +02:00 · 2023-10-12 20:00:19 +02:00 · 79ec9e57f2
commit 79ec9e57f2
parent 0b413b7835
4 changed files with 182 additions and 69 deletions
--- a/lmn-laptop.yml
+++ b/lmn-laptop.yml
@ -11,7 +11,7 @@
      register: adpw
      no_log: true
      when: "ansible_cmdline.adpw is not defined"
-    - name: preseed apparmor
+    - name: Preseed apparmor
      debconf:
        name: apparmor
        question: apparmor/homedirs
@ -26,33 +26,30 @@
        value: True
        vtype: boolean

+  vars_files: lmn-vault
  vars:
    domain: "{{ ansible_domain }}"
-    kerberize_uris: steinbeis.schule
-    apt_conf: Acquire::http::Proxy "http://aptcache.pn.steinbeis.schule:3142/";
-    ntp_serv: server.pn.steinbeis.schule
-    proxy: http://firewall.pn.steinbeis.schule:3128
-    no_proxy: firewall.pn.steinbeis.schule,server.pn.steinbeis.schule,idam.steinbeis.schule,dw.steinbeis.schule,.pn.steinbeis.schule,.steinbeis.schule
+    kerberize_uris: "{{ vault_kerberize_uris }}"  ##  example.org
+    apt_conf: "{{ vault_apt_conf }}"  ## Acquire::http::Proxy "http://aptcache.example.org:3142/";
+    ntp_serv: "{{ vault_ntp_serv }}"  ## ntp.example.org
+    proxy: "{{ vault_proxy }}"        ## http://firewall.example.org:3128
+    no_proxy: "{{ vault_no_proxy }}"  ## firewall.example.org,server.example.org,idam.example.org,dw.example.org

    ## PAM mount nextcloud, remove or leave empty to skip:
-    web_dav: https://nc.steinbeis.schule/remote.php/dav/files/%(USER)
+    web_dav: "{{ vault_web_dav }}"    ## https://nc.example.org/remote.php/dav/files/%(USER)

    ## Local mirror for mscorefonts. Remove or leave empty to use no mirror:
-    mirror_msfonts: http://livebox.pn.steinbeis.schule/mscorefonts/
+    mirror_msfonts: "{{ vault_mirror_msfonts }}" ## http://livebox.example.org/mscorefonts/

-    rsyncsecret: Muster!
-    wifipasswd: FjgmGBaKEenr25ZF
-    keys2deploy:
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOY0hChWaCDtuiuQcM0v4/u1499esjTtnMjl4uYlnS0 andi@netboot'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAN5ylqP936MPjGNxzrzV5jMwIfMhKJdOGuVh3xGQKTM andi@yogi'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxgeu7Rpb/1++531+MopqP9haUkyh1XXpv5kmbgSjx6'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbdOT+WSDmsBcaVFfzPRcmvOfd3CqO/FBOH44UVm7c7 raphael@uranus'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGICjy88HnMg5oaz4BJ20hgzqFWSem+HHD2PQ+As42pA raphael@pluto'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKm9lu9dDo5TG99QWTkl2G5G+ZbYikLlRNOXfs/bRTHy sascha@america'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMR4TP7jE+wS7zcH0iUBmlxCbvy9saYeEjonX/0yYfEJ daniel@NB-20-DW'
+    ## Local mirror for libdvdcss. Remove or leave empty to use no mirror:
+    mirror_dvdcss: "{{ vault_mirror_dvdcss }}"   ## http://livebox.example.org/libdvdcss/
+
+    rsyncsecret: "{{ vault_rsyncsecret }}"
+    wifipasswd: "{{ vault_wifipasswd }}"
+    keys2deploy: "{{ vault_keys2deploy }}" ## ['ssh-ed25519 AAAAC…uYlnS0', 'ssh-ed25519 AAAA…KTM']

    ## Use grub-mkpasswd-pbkdf2 to calculate the password hash:
-    grub_pwd: 'grub.pbkdf2.sha512.10000.FB60266F69FB181327AFB76193192454FC64151559EFF4D6B8FB7C7904A2A9C4778EDD515B46F770DB6A009F36903C193917BBBC571C5B6AAB2A69208BE01A6E.7B82114A0239C0EC55A50E95C48FA74A8910DEE4088447786DAB35770B9C2CF2D1550CF3B7452155EB55D5F84E5D357BF12B8D299CF9B01BF5D71D516CF826DB'
+    grub_pwd: "{{ vault_grub_pwd }}"
    nfs4: false
    extra_pkgs:
      - vim
@ -77,9 +74,57 @@
    - lmn_security

  tasks:
+## Temporary fixes and quirks:
+    - name: Fix 8086:4909 external graphics card
+      replace:
+        dest: "/etc/default/grub"
+        regexp: 'GRUB_CMDLINE_LINUX=""$'
+        replace: 'GRUB_CMDLINE_LINUX="i915.force_probe=4909"'
+      notify: Run update-grub
+      when: ansible_board_vendor == "LENOVO" and ansible_board_name == "32CB"
+
+    - name: Fix sound on 312A
+      replace:
+        dest: "/etc/default/grub"
+        regexp: 'GRUB_CMDLINE_LINUX="snd-intel-dspcfg.dsp_driver=1"$'
+        replace: 'GRUB_CMDLINE_LINUX=""'
+      notify: Run update-grub
+      when: ansible_board_vendor == "LENOVO" and ansible_board_name == "312A"
+
+    - name: Fix sound on 312A and 312D
+      apt:
+        name: firmware-sof-signed
+        state: latest
+      when: >
+        ansible_board_vendor == "LENOVO" and
+        (ansible_board_name == "312D" or ansible_board_name == "312A")
+
+## Clean up stuff from obsolete/faulty tasks:
+    - name: Remove virtiofs service
+      file:
+        path: /etc/systemd/system/virtiofs@.service
+        state: absent
+
+    - name: Fix mount point permissions and owner
+      file:
+        path: "{{ item }}"
+        mode: '0755'
+        owner: root
+        group: root
+      loop:
+        - /srv/samba
+        - /srv/samba/schools
+
    - name: Fix unattended-upgrades
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
+
+## bookworm fixes/hacks:
+    - name: Work around sddm hang on shutdown
+      ansible.builtin.lineinfile:
+        path: /etc/systemd/system.conf
+        line: DefaultTimeoutStopSec=5s
+        insertafter: '^#DefaultTimeoutStopSec=.*'