Make lmn-client a separate repository.

Remove all playbooks and roles not used for the lmn-client playbook.
They are almost all maintained within the debian-lan-ansible project
at:
     https://salsa.debian.org/andi/debian-lan-ansible/
This commit is contained in:
Andreas B. Mundt 2024-03-12 18:34:58 +01:00
parent fe7ec2f2e9
commit e7aa91e7f8
209 changed files with 0 additions and 5758 deletions


@ -1,3 +0,0 @@
- name: start apt-cacher-ng
service: name=apt-cacher-ng state=started enabled=yes
listen: "start apt-cacher-ng"


@ -1,37 +0,0 @@
- name: install apt-cacher-ng package
apt:
name:
- apt-cacher-ng
- auto-apt-proxy
state: latest # noqa package-latest
- name: check if preseeded installer is available
stat: path={{ tftp_root }}/d-i/{{ di_dist }}/preseed.cfg
register: preseedcfg
- name: enable apt-cacher-ng for install-clients
replace:
dest: "{{ tftp_root }}/d-i/{{ di_dist }}/preseed.cfg"
regexp: '^d-i mirror/http/proxy string$'
replace: 'd-i mirror/http/proxy string http://{{ ansible_hostname }}:3142/'
when: preseedcfg.stat.exists
- name: test if firewalld is available
stat: path=/usr/sbin/firewalld
register: firewalld
- name: allow apt-cacher-ng service in firewalld
firewalld:
zone: internal
port: 3142/tcp
permanent: true
immediate: true
state: enabled
when: not run_in_installer|default(false)|bool and firewalld.stat.exists
- name: allow apt-cacher-ng service in firewalld, offline
command: "firewall-offline-cmd --zone=internal --add-port=3142/tcp"
when: run_in_installer|default(false)|bool and firewalld.stat.exists
- name: flush handler to make apt-cacher available
meta: flush_handlers


@ -1,15 +0,0 @@
borg_pwd: "{{ lookup('password', '/tmp/borg.pwd chars=ascii_letters,digits length=32') }}"
borg_pwd_file: "/root/borg.pwd"
borg_key_backup: "/root/borg-key.backup"
## alternative: "ssh://user@host:port/path/to/repo"
backup_repo: "/var/backups/mnt/backup/borg"
backup_dirs_extra: ""
backup_opts: "--exclude-caches"
backup_opts_extra: ""
www_root: "/var/www"
nc_dir: "{{ www_root }}/nextcloud"
data_dir: "/var/nc-data"


@ -1,6 +0,0 @@
[Unit]
Description=Run backup script
[Service]
Type=simple
ExecStart=/usr/local/bin/backup


@ -1,10 +0,0 @@
[Unit]
Description=Run backup script daily
[Timer]
OnCalendar=*-*-* 4:00:00
Persistent=true
AccuracySec=15min
[Install]
WantedBy=timers.target


@ -1,6 +0,0 @@
- name: enable backup.service and .timer
systemd:
name: backup.timer
state: started
enabled: true
listen: "enable backup.timer"


@ -1,33 +0,0 @@
- name: install borg
apt:
name: borgbackup
state: latest # noqa package-latest
- name: check if borg password is available
stat: path="{{ borg_pwd_file }}"
register: borg
- name: dump borg password
shell: echo -n "{{ borg_pwd }}" > "{{ borg_pwd_file }}" ; chmod 0600 "{{ borg_pwd_file }}"
no_log: true
when: not borg.stat.exists
- name: provide backup script
template:
src: "backup"
dest: "/usr/local/bin/backup"
mode: "0750"
- name: provide backup.service and .timer
copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
with_items:
- backup.service
- backup.timer
notify: "enable backup.timer"
- name: run first backup
command: /usr/local/bin/backup
when: not borg.stat.exists


@ -1,51 +0,0 @@
#!/bin/bash
set -eu
BACKUP=({{ backup_dirs|join(' ') }} {{ backup_dirs_extra|join(' ') }})
OPTIONS=({{ backup_opts }} {{ backup_opts_extra }})
export BORG_REPO="{{ backup_repo }}"
export BORG_PASSCOMMAND="cat {{ borg_pwd_file }}"
KEY_BACKUP="{{ borg_key_backup }}"
MOUNTED=""
MNT="$(echo "$BORG_REPO" | sed "s|\(^.*/mnt\).*|\1|")"
if grep -q "$MNT" /etc/fstab ; then
[ -d "$BORG_REPO" ] || mount -v "$MNT" && MOUNTED="TRUE"
fi
if [ ! -e "$KEY_BACKUP" ] ; then
[[ "$BORG_REPO" =~ @ ]] || mkdir -vp --mode=0750 "$BORG_REPO"
borg init --encryption=repokey
borg key export "$BORG_REPO" "$KEY_BACKUP"
fi
if [ -e "{{ nc_dir }}/config/config.php" ] ; then
NCDB="{{ data_dir }}/nextcloud-database.dump"
sudo -u www-data /usr/bin/php {{ nc_dir }}/occ maintenance:mode --on
PW="$(grep dbpassword {{ nc_dir }}/config/config.php | \
sed -e "s/\W*'dbpassword' => '//" -e "s/',$//")"
echo -n "Dumping data base into '$NCDB' … "
mysqldump --single-transaction -h localhost -u nextcloud -p"$PW" nextcloud > "$NCDB"
chmod 600 "$NCDB"
echo "done."
fi
echo "Backup ${BACKUP[@]} to $BORG_REPO."
borg create -v --show-rc "${OPTIONS[@]}" ::'{hostname}-{now}' "${BACKUP[@]}"
borg prune -v --list --prefix='{hostname}-' --show-rc \
--keep-daily 14 \
--keep-weekly 8 \
--keep-monthly 6 \
--keep-yearly 10
if [ -e "{{ nc_dir }}/config/config.php" ] ; then
sudo -u www-data /usr/bin/php {{ nc_dir }}/occ maintenance:mode --off
fi
if [ "$MOUNTED" = "TRUE" ] ; then
umount -v "$MNT"
fi


@ -1,35 +0,0 @@
#!/bin/bash
set -eu
. /etc/ddns-update/ddns-update.conf
DDHOST="https://www.ddnss.de/upd.php"
if ! DNSRESULT="$(host $DDNSNAME)" ; then
echo "Could not resolve IP address for '$DDNSNAME', no update."
exit 0
fi
DNSIP4="$(echo "$DNSRESULT" | grep -m 1 -oE '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$' || true )"
DNSIP6="$(echo "$DNSRESULT" | grep -m 1 -oE '[0-9a-f]{1,4}:.+:[0-9a-f]{1,4}' || true )"
REALIP4="$(wget -q -O - https://ip4.ddnss.de/meineip.php | \
grep -m 1 -oE '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' || true )"
REALIP6="$(wget -q -O - https://ip6.ddnss.de/meineip.php | \
grep -m 1 -oE '[0-9a-f]{1,4}:.+:[0-9a-f]{1,4}' || true )"
if [ -z "$REALIP4" -a -z "$REALIP6" ] ; then
echo "Could not detect real IP addresses, exiting."
exit 0
fi
echo "Current DNS: IPv4=$DNSIP4, IPv6=$DNSIP6."
echo "Detected: IPv4=$REALIP4, IPv6=$REALIP6."
if [ "$REALIP4" == "$DNSIP4" -a "$REALIP6" == "$DNSIP6" ] ; then
echo "IP address unchanged, no update."
else
echo "IP address changed: $DNSIP4 → ${REALIP4}, $DNSIP6 → ${REALIP6}, updating ddns."
wget -q -O - $DDHOST'?key='$KEYAUTH'&host='$DDNSNAME'&ip='$REALIP4'&ip6='$REALIP6 \
| grep -oE "Updated .+ hostname." || echo "Update not confirmed, it might have failed."
fi


@ -1,6 +0,0 @@
[Unit]
Description=Update ddns
[Service]
Type=oneshot
ExecStart=/usr/local/bin/ddns-update


@ -1,11 +0,0 @@
[Unit]
Description=Update ddns IP-address
[Timer]
OnBootSec=0
OnUnitActiveSec=20min
AccuracySec=3min
[Install]
WantedBy=timers.target


@ -1,7 +0,0 @@
- name: enable ddns-update timer
systemd:
name: ddns-update.timer
state: restarted
daemon_reload: true
enabled: true
listen: "enable ddns-update timer"


@ -1,27 +0,0 @@
- name: make sure /etc/ddns-update/ exists
file: path=/etc/ddns-update/ state=directory recurse=yes
- name: install ddns-update config
template:
src: ddns-update.conf.j2
dest: /etc/ddns-update/ddns-update.conf
mode: 0644
- name: install ddns-update script
copy:
src: ddns-update
dest: /usr/local/bin/ddns-update
mode: 0755
- name: install ddns-update.service
copy:
src: ddns-update.service
dest: /etc/systemd/system/ddns-update.service
mode: 0644
- name: install ddns-update.timer
copy:
src: ddns-update.timer
dest: /etc/systemd/system/ddns-update.timer
mode: 0644
notify: enable ddns-update timer


@ -1,2 +0,0 @@
DDNSNAME="{{ ddns_domain }}"
KEYAUTH="{{ ddns_updkey }}"


@ -1,10 +0,0 @@
---
- name: rebuild di-netboot assistant menu
command:
cmd: di-netboot-assistant rebuild-menu
listen: rebuild di-netboot menu
- name: export nfs
command:
cmd: exportfs -ra
listen: export nfs


@ -1,128 +0,0 @@
---
- name: download debian-live images
get_url:
url: "{{ live_url }}{{ item.value }}"
dest: "/var/cache/di-netboot-assistant/{{ item.value }}"
checksum: "sha256:{{ live_url }}/SHA256SUMS"
register: new_iso
loop:
"{{ live_iso | dict2items }}"
- name: umount old iso images
mount:
path: "/var/lib/tftpboot/d-i/n-live/{{ item.key }}"
state: unmounted
loop:
"{{ live_iso | dict2items }}"
when: new_iso.changed
- name: prepare live image directory
file:
path: "/var/lib/tftpboot/d-i/n-live/{{ item.key }}"
state: directory
mode: 0755
loop:
"{{ live_iso | dict2items }}"
- name: make sure loop module is loaded
modprobe:
name: loop
state: present
- name: loop mount iso images
mount:
path: "/var/lib/tftpboot/d-i/n-live/{{ item.key }}"
src: "/var/cache/di-netboot-assistant/{{ item.value }}"
fstype: iso9660
opts: loop,ro,nofail
state: mounted
loop:
"{{ live_iso | dict2items }}"
notify: rebuild di-netboot menu
- name: prepare http downloads
file:
src: "/var/lib/tftpboot/d-i/"
dest: "/var/www/html/d-i"
state: link
- name: export live image squashfs
lineinfile:
path: /etc/exports
line: "/var/lib/tftpboot/d-i/n-live/ *(ro,crossmnt,no_subtree_check)"
notify: export nfs
- name: configure ipxe boot menu address and headline
replace:
path: /etc/di-netboot-assistant/ipxemenu.HEAD
regexp: "{{ item.reg }}"
replace: "{{ item.rep }}"
loop:
- reg: '^set 210:string .+$'
rep: 'set 210:string http://{{ ansible_default_ipv4.address }}/'
- reg: '^#(item --gap -- -- Customized Boot Entries.*)$'
rep: '\1'
notify: rebuild di-netboot menu
- name: configure grub boot menu addresses
lineinfile:
path: /etc/di-netboot-assistant/grub.cfg.HEAD
line: "{{ item.line }}"
regexp: "{{ item.reg }}"
loop:
- line: "set root=(http,{{ ansible_default_ipv4.address }})"
reg: "^set root="
- line: "set pxe_default_server={{ ansible_default_ipv4.address }}"
reg: "^set pxe_default_server="
notify: rebuild di-netboot menu
- name: prepare debian live nfs boot entry title
lineinfile:
path: /etc/di-netboot-assistant/ipxemenu.HEAD
insertafter: '-- Customized Boot Entries --'
line: "item {{ item.key }} Debian GNU/Linux {{ item.key }} NFS"
loop:
"{{ live_iso | dict2items }}"
notify: rebuild di-netboot menu
- name: find kernel version
shell:
cmd: >-
basename /var/lib/tftpboot/d-i/n-live/{{ item.key }}/live/vmlinuz*
| sed "s/vmlinuz-//"
register: images
changed_when: false
loop:
"{{ live_iso | dict2items }}"
- name: prepare debian live boot loader ipxe
blockinfile:
path: /etc/di-netboot-assistant/ipxemenu.HEAD
marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.item.key }}"
block: |
:{{ item.item.key }}
echo Booting Debian GNU/Linux {{ item.item.key }} NFS
kernel ${210:string}d-i/n-live/{{ item.item.key }}/live/vmlinuz-{{ item.stdout }} \
initrd=initrd.img-{{ item.stdout }} {{ boot_params|join(' ') }} \
nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item.item.key }}/
initrd ${210:string}d-i/n-live/{{ item.item.key }}/live/initrd.img-{{ item.stdout }}
boot
loop:
"{{ images.results }}"
notify: rebuild di-netboot menu
- name: prepare debian live boot loader grub
blockinfile:
path: /etc/di-netboot-assistant/grub.cfg.HEAD
insertbefore: "^menuentry 'Boot from local disk..'"
marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.item.key }}"
block: |
menuentry 'Debian GNU/Linux Live {{ item.item.key }} NFS' {
linux (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item.item.key }}/live/vmlinuz-{{ item.stdout }} \
{{ boot_params|join(' ') }} \
nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item.item.key }}/
initrd (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item.item.key }}/live/initrd.img-{{ item.stdout }}
}
loop:
"{{ images.results }}"
notify: rebuild di-netboot menu


@ -1,20 +0,0 @@
---
- name: restart radvd
systemd:
name: radvd.service
state: restarted
enabled: true
listen: restart radvd
- name: restart kea-dhcp6-server
systemd:
name: kea-dhcp6-server.service
state: restarted
enabled: true
listen: restart kea-dhcp6-server
- name: restart network interfaces
systemd:
name: networking
state: restarted
listen: reconfigure network


@ -1,39 +0,0 @@
## DHCPv6, RAs and TFTP
---
- name: preseed aftpd
debconf:
name: atftpd
question: atftpd/basedir
value: /var/lib/tftpboot
vtype: string
- name: install di-netboot-assistant and installer package
apt:
name:
- kea-dhcp6-server
- radvd
- atftpd
state: latest # noqa package-latest
- name: configure radvd
template:
src: radvd.conf.j2
dest: /etc/radvd.conf
mode: 0644
notify: restart radvd
- name: configure kea-dhcp-server
template:
src: kea-dhcp6.conf.j2
dest: /etc/kea/kea-dhcp6.conf
mode: 0644
notify: restart kea-dhcp6-server
- name: set IPv6 address on interface
blockinfile:
path: /etc/network/interfaces
block: |
allow-hotplug {{ if_lan }}
iface {{ if_lan }} inet6 static
address 2001:db8:b001::1/64
notify: reconfigure network


@ -1,20 +0,0 @@
{
"Dhcp6": {
"interfaces-config": {
"interfaces": [ "{{ if_lan }}" ]
},
"option-data": [
{
"name": "bootfile-url",
"data": "tftp://[2001:db8:b001::1]/d-i/n-a/grubx64.efi"
}
],
"subnet6": [
{
"subnet": "2001:db8:b001::/64",
"pools": [ { "pool": "2001:db8:b001::2 - 2001:db8:b001::ffff" } ],
"interface": "enp1s0"
}
]
}
}


@ -1,10 +0,0 @@
interface {{ if_lan }}
{
AdvSendAdvert on;
AdvManagedFlag on;
AdvOtherConfigFlag on;
prefix {{ prefix }}
{
};
};


@ -1 +0,0 @@
name_servers: ns1.{{ ansible_domain }}


@ -1,15 +0,0 @@
- name: restart isc-dhcp-server
systemd: name=isc-dhcp-server state=restarted enabled=yes
listen: restart isc-dhcp-server
- name: restart bind
systemd: name=bind9 state=restarted enabled=yes
listen: restart bind
- name: restart tftpd-hpa
systemd: name=tftpd-hpa state=restarted enabled=yes
listen: restart tftpd-hpa
- name: restart dhcp-client
systemd: name=ifup@{{ if_wan }} state=restarted enabled=yes
listen: restart dhcp-client


@ -1,100 +0,0 @@
---
- name: preseed tftpd-hpa
debconf:
name: tftpd-hpa
question: tftpd-hpa/directory
value: /var/lib/tftpboot
vtype: string
- name: install tftpd, dhcpd and named packages
apt:
name:
- isc-dhcp-server
- tftpd-hpa
- bind9
state: latest # noqa package-latest
## FIXME: preseeding seems to be ignored
- name: configure TFTP root directory
replace:
path: /etc/default/tftpd-hpa
regexp: '^TFTP_DIRECTORY=".*"$'
replace: 'TFTP_DIRECTORY="/var/lib/tftpboot"'
notify: restart tftpd-hpa
- name: serve dhcp on LAN interface
replace:
path: /etc/default/isc-dhcp-server
regexp: '^INTERFACESv4=".*"$'
replace: 'INTERFACESv4="{{ if_lan }}"'
notify: restart isc-dhcp-server
- name: deploy config files for isc-dhcp-server
template:
src: dhcpd.conf.j2
dest: /etc/dhcp/dhcpd.conf
mode: 0644
backup: true
notify: restart isc-dhcp-server
- name: deploy config files for bind9
template:
src: "{{ item.src }}.j2"
dest: "/etc/bind/{{ item.dest }}"
mode: 0644
loop:
- src: db.RR
dest: "db.{{ ansible_domain }}"
- src: db.RRinv
dest: "db.{{ ipaddr_lan_threeoct }}"
- src: localzones
dest: localzones
notify: restart bind
- name: link zone files to writeable directory for DDNS
file:
src: "/etc/bind/{{ item }}"
dest: "/var/lib/bind/{{ item }}"
state: link
loop:
- "db.{{ ansible_domain }}"
- "db.{{ ipaddr_lan_threeoct }}"
notify: restart bind
- name: enable local bind config
lineinfile:
path: /etc/bind/named.conf.local
line: 'include "/etc/bind/localzones";'
notify: restart bind
- name: adapt resolv.conf
template:
src: resolv.conf.j2
dest: /etc/resolv.conf
mode: 0644
notify: restart isc-dhcp-server
## stop dhclient from overwriting /etc/resolv.conf:
- name: supersede dhcp client data
blockinfile:
dest: /etc/dhcp/dhclient.conf
block: |
supersede domain-search "{{ ansible_domain }}";
supersede domain-name-servers 127.0.0.1;
insertbefore: "#send dhcp-client-identifier.*"
notify: restart dhcp-client
- name: generate rndc key
command:
cmd: rndc-confgen -a
creates: /etc/bind/rndc.key
- name: copy rndc key
copy:
src: /etc/bind/rndc.key
dest: /etc/dhcp/
owner: root
group: root
mode: 0640
remote_src: true
notify: restart isc-dhcp-server


@ -1,17 +0,0 @@
$TTL 500
@ IN SOA {{ ansible_fqdn }}. root.{{ ansible_domain }}. (
1 ; Serial
3600 ; Refresh
1800 ; Retry
720000 ; Expire
6400 ) ; Negative Cache TTL
;
@ NS {{ ansible_fqdn }}.
MX 10 {{ ansible_fqdn }}.
{{ ansible_hostname }} A {{ ipaddr_lan | ipaddr("address") }}
_ldap._tcp SRV 100 0 389 {{ ansible_fqdn }}.
ns1 CNAME {{ ansible_fqdn }}.
ns2 CNAME {{ ansible_fqdn }}.
aptcache CNAME {{ ansible_fqdn }}.
homes CNAME {{ ansible_fqdn }}.
ldap CNAME {{ ansible_fqdn }}.


@ -1,11 +0,0 @@
$TTL 500
@ IN SOA {{ ansible_fqdn }}. root.{{ ansible_domain }}. (
1 ; Serial
3600 ; Refresh
1800 ; Retry
720000 ; Expire
6400 ) ; Negative Cache TTL
;
@ NS {{ ansible_fqdn }}.
MX 10 {{ ansible_fqdn }}.
{{ ipaddr_lan | ipaddr("address") | regex_replace("^.*\.(.+$)", "\\1") }} PTR {{ ansible_fqdn }}.


@ -1,139 +0,0 @@
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "{{ ansible_domain }}";
option domain-name-servers {{ name_servers }};
default-lease-time 600;
max-lease-time 7200;
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
#ddns-update-style none;
use-host-decl-names on;
ddns-update-style standard;
include "/etc/dhcp/rndc.key";
zone {{ ansible_domain }}. {
primary 127.0.0.1;
key rndc-key;
}
zone {{ ipaddr_lan_ptr }} {
primary 127.0.0.1;
key rndc-key;
}
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;
## The tftpd server IP address, for all clients.
next-server {{ ipaddr_lan | ipaddr("address") }};
option arch code 93 = unsigned integer 16;
if option arch = 00:07 {
filename "d-i/n-a/bootnetx64.efi";
} else {
filename "d-i/n-a/pxelinux.0";
}
subnet {{ ipaddr_lan | ipaddr("network") }} netmask {{ ipaddr_lan | ipaddr("netmask") }} {
option routers {{ ipaddr_lan | ipaddr("address") }};
range {{ dhcp_start }} {{ dhcp_stop }};
}
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.example.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.example.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}


@ -1,17 +0,0 @@
include "/etc/bind/rndc.key";
zone "{{ ipaddr_lan_ptr[:-1] }}" {
type master;
notify no;
file "/etc/bind/db.{{ ipaddr_lan_threeoct }}";
journal "/var/lib/bind/db.{{ ipaddr_lan_threeoct }}.jnl";
allow-update { key rndc-key; };
};
zone "{{ ansible_domain }}" {
type master;
notify no;
file "/etc/bind/db.{{ ansible_domain }}";
journal "/var/lib/bind/db.{{ ansible_domain }}.jnl";
allow-update { key rndc-key; };
};


@ -1,2 +0,0 @@
search {{ ansible_domain }}.
nameserver 127.0.0.1


@ -1,3 +0,0 @@
- name: restart dnsmasq
service: name=dnsmasq state=restarted enabled=yes
listen: "restart dnsmasq"


@ -1,24 +0,0 @@
- name: check if dnsmasq is already there
stat: path=/etc/dnsmasq.d/dnsmasq-dhcp
register: dnsmasq
- name: install dnsmasq package
apt:
name:
- dnsmasq
- resolvconf
state: latest # noqa package-latest
- name: configure dnsmasq dhcp
template:
src: dnsmasq-dhcp.j2
dest: /etc/dnsmasq.d/dnsmasq-dhcp
mode: 0644
notify: "restart dnsmasq"
- name: configure dnsmasq tftp
template:
src: dnsmasq-tftp-netboot-installer.j2
dest: /etc/dnsmasq.d/tftp-netboot-installer
mode: 0644
notify: "restart dnsmasq"


@ -1,3 +0,0 @@
interface={{ if_lan }}
dhcp-range={{ dhcp_start }},{{ dhcp_stop }},2h
# dhcp-generate-names ## better use grub to generate names


@ -1,5 +0,0 @@
enable-tftp
tftp-root={{ tftp_root }}
dhcp-boot=d-i/n-a/pxelinux.0
dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-boot=tag:efi-x86_64,d-i/n-a/bootnetx64.efi


@ -1,13 +0,0 @@
## generate most of this list with 'tasksel --task-packages standard'
cont_packages:
- systemd-container
- openssh-server
- sudo
- python3
- auto-apt-proxy
- bash-completion
- ca-certificates
- man-db
- manpages
cont_packages_extra: []


@ -1,7 +0,0 @@
- name: enable and restart containers
systemd:
name: systemd-nspawn@{{ contname }}{{ "%02d" | format(item|int) }}.service
state: restarted
enabled: true
loop: "{{ containers }}"
listen: enable and restart containers


@ -1,70 +0,0 @@
## Prepare minimal systemd-nspawn containers for educational use.
##
## Port mapping to the host:
##
## container 0: ssh → host port 10000, HTTP → 10100
## container 1: ssh → host port 10001, HTTP → 10101
## ... ... ...
##
## User '{{ contuser }}' in the sudo group. Password is '{{ contpwd }}'.
##
- name: stop all containers
systemd:
name: systemd-nspawn@{{ contname }}{{ "%02d" | format(item|int) }}.service
state: stopped
loop: "{{ containers | reverse }}"
tags:
- never
- stop
- reset
- purge
- setup
- restart
- name: purge all containers
command:
cmd: machinectl remove {{ contname }}{{ "%02d" | format(item|int) }}
removes: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}
loop: "{{ containers | reverse }}"
tags:
- never
- purge
- setup
- name: remove container overlay
file:
path: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}-delta
state: absent
loop: "{{ containers | reverse }}"
tags:
- never
- reset
- purge
- setup
- name: start all containers
systemd:
name: systemd-nspawn@{{ contname }}{{ "%02d" | format(item|int) }}.service
state: started
loop: "{{ containers | reverse }}"
tags:
- never
- start
- reset
- restart
###########
- name: check if container template exists
ansible.builtin.stat:
path: "/var/lib/machines/{{ contname }}00"
register: cont
tags:
- always
- name: import setup.yml tasks
import_tasks: setup.yml
when: cont.stat.isdir is not defined
tags:
- always


@ -1,181 +0,0 @@
---
- name: install packages
apt:
name:
- systemd-container
- debootstrap
- auto-apt-proxy
state: latest # noqa package-latest
- name: prepare machine directory
file:
path: /var/lib/machines/
state: directory
mode: 0700
- name: debootstrap base system
command:
cmd: >
auto-apt-proxy debootstrap
--include={{ cont_packages | union(cont_packages_extra) | join(',') }}
--components=main,contrib,non-free stable
{{ contname }}00 http://deb.debian.org/debian
args:
chdir: /var/lib/machines/
creates: /var/lib/machines/{{ contname }}00
notify: enable and restart containers
- name: provide complete apt sources
copy:
src: /etc/apt/sources.list
dest: /var/lib/machines/{{ contname }}00/etc/apt/sources.list
mode: 0644
remote_src: true
- name: configure locale
lineinfile:
path: /var/lib/machines/{{ contname }}00/etc/profile
line: 'export LANG=C'
## Use 'chroot' here instead of 'systemd-nspawn -D …' to make it work
## with ansible-pull in the preseed debian installer:
- name: upgrade container
command:
cmd: "{{ item }}"
args:
chdir: /var/lib/machines/{{ contname }}00
loop:
- mount --bind /proc proc
- mount --bind /sys sys
- mount --bind /dev/pts dev/pts
- chroot . sh -c '/usr/bin/apt-get update && DEBIAN_FRONTEND=noninteractive /usr/bin/apt-get full-upgrade --yes'
- umount proc sys dev/pts
register: cmd_result
changed_when: cmd_result.stdout is not search('0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.')
- name: provide {{ contuser }} user account
command:
cmd: >
chroot . sh -c '/usr/sbin/useradd -m -s /bin/bash
-c "User {{ contuser }},,," -G sudo {{ contuser }}'
args:
chdir: /var/lib/machines/{{ contname }}00
creates: /var/lib/machines/{{ contname }}00/home/{{ contuser }}
register: user_account
- name: provide empty password for {{ contuser }} user
command:
cmd: chroot . sh -c "passwd -d {{ contuser }}"
args:
chdir: /var/lib/machines/{{ contname }}00
when: user_account.changed | default(false) and contpwd | length == 0
- name: provide password for container {{ contuser }} user
command:
cmd: chroot . sh -c "echo {{ contuser }}:{{ contpwd }} | chpasswd"
args:
chdir: /var/lib/machines/{{ contname }}00
when: user_account.changed | default(true) and contpwd | length > 0
- name: allow empty passwords in ssh
lineinfile:
path: /var/lib/machines/{{ contname }}00/etc/ssh/sshd_config
insertafter: '#PermitEmptyPasswords no'
line: 'PermitEmptyPasswords yes'
when: user_account.changed | default(false) and contpwd | length == 0
- name: prepare directories
file:
path: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item }}
state: directory
mode: 0755
loop:
- multi-user.target.wants
- sockets.target.wants
- network-online.target.wants
notify: enable and restart containers
- name: enable systemd-networkd service
file:
src: /lib/systemd/system/{{ item.src }}
dest: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item.dest }}
state: link
follow: false
force: true
loop:
- src: systemd-networkd.service
dest: dbus-org.freedesktop.network1.service
- src: systemd-networkd.service
dest: multi-user.target.wants/systemd-networkd.service
- src: systemd-networkd.socket
dest: sockets.target.wants/systemd-networkd.socket
- src: systemd-networkd-wait-online.service
dest: network-online.target.wants/systemd-networkd-wait-online.service
notify: enable and restart containers
- name: enable systemd-resolved in containers
file:
src: /lib/systemd/system/{{ item.src }}
dest: /var/lib/machines/{{ contname }}00/etc/systemd/system/{{ item.dest }}
state: link
follow: false
force: true
loop:
- src: systemd-resolved.service
dest: dbus-org.freedesktop.resolve1.service
- src: systemd-resolved.service
dest: multi-user.target.wants/systemd-resolved.service
notify: enable and restart containers
########
- name: prepare local sysctl config file
copy:
content: "# Avoid 'too many open files' error:"
dest: /etc/sysctl.d/inotify.conf
mode: 0644
force: false
- name: fix too many open files error
sysctl:
name: fs.inotify.max_user_instances
value: '1024'
sysctl_file: /etc/sysctl.d/inotify.conf
- name: generate links to the initial container
file:
src: "{{ contname }}00"
dest: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}
state: link
loop: "{{ containers[1:] }}"
notify: enable and restart containers
- name: prepare nspawn config directory
file:
path: /etc/systemd/nspawn
state: directory
mode: 0755
- name: provide container configuration
template:
src: contcfg.nspawn.j2
dest: /etc/systemd/nspawn/{{ contname }}{{ "%02d" | format(item|int) }}.nspawn
mode: 0644
loop: "{{ containers }}"
notify: enable and restart containers
- name: provide container hostname file
template:
src: hostname.j2
dest: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}.hostname
mode: 0644
loop: "{{ containers }}"
notify: enable and restart containers
- name: provide container hosts file
template:
src: hosts.j2
dest: /var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}.hosts
mode: 0644
loop: "{{ containers }}"
notify: enable and restart containers


@ -1,15 +0,0 @@
[Exec]
Capability=CAP_NET_ADMIN
ResolvConf=copy-host
[Network]
Port=10{{ "%03d" | format(item|int) }}:22
Port=10{{ "%03d" | format(item|int + 100) }}:80
Port=10{{ "%03d" | format(item|int + 200) }}:443
[Files]
ReadOnly=yes
Overlay=+/:/var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}-delta:/
PrivateUsersChown=false
BindReadOnly=/var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}.hostname:/etc/hostname
BindReadOnly=/var/lib/machines/{{ contname }}{{ "%02d" | format(item|int) }}.hosts:/etc/hosts


@ -1 +0,0 @@
{{ contname }}{{ "%02d" | format(item|int) }}


@ -1,4 +0,0 @@
127.0.0.1 localhost {{ contname }}{{ "%02d" | format(item|int) }}
::1 localhost {{ contname }}{{ "%02d" | format(item|int) }} ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


@ -1 +0,0 @@
build_dir: /opt/live-build/


@ -1,2 +0,0 @@
This config space is based on:
https://salsa.debian.org/live-team/live-images/-/tree/debian/images/gnome-desktop


@ -1,5 +0,0 @@
#!/bin/sh
set -e
lb build noauto "${@}" 2>&1 | tee build.log


@ -1,10 +0,0 @@
#!/bin/sh
set -e
lb clean noauto "${@}"
rm -f config/binary config/bootstrap config/chroot config/common config/source
rm -f config/control
rm -f build.log


@ -1,18 +0,0 @@
#!/bin/sh
set -e
lb config noauto \
--clean \
--cache false \
--net-tarball false \
--ignore-system-defaults \
--distribution bullseye \
--binary-images netboot \
--mode debian \
--backports true \
--linux-packages linux-image \
--archive-areas "main contrib non-free" \
--mirror-bootstrap http://localhost:3142/deb.debian.org/debian/ \
--mirror-chroot-security http://localhost:3142/security.debian.org/debian-security/ \
"${@}"


@ -1,8 +0,0 @@
#!/bin/sh
set -e
if [ -e /usr/sbin/plymouth-set-default-theme ] && [ -e /usr/share/plymouth/themes/lines ]
then
plymouth-set-default-theme lines
fi


@ -1 +0,0 @@
/usr/share/live/build/hooks/live/0010-disable-kexec-tools.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/live/0050-disable-sysvinit-tmpfs.hook.chroot


@ -1,15 +0,0 @@
#!/bin/sh
set -e
echo 'pref("browser.startup.homepage", "https://www.startpage.com");' >> /etc/firefox-esr/firefox-esr.js
echo 'pref("network.proxy.type", 4);' >> /etc/firefox-esr/firefox-esr.js
dconf update
#sed -i "s/^/#/" /etc/xdg/user-dirs.defaults
sed -i "s/^#WaylandEnable=false$/WaylandEnable=false/" /etc/gdm3/daemon.conf
## workaround https://bugzilla.gnome.org/show_bug.cgi?id=730587
#dpkg-divert --divert /usr/bin/gnome-keyring-daemon.bak --rename /usr/bin/gnome-keyring-daemon


@ -1,5 +0,0 @@
#!/bin/sh
set -e
## allow everybody to run wireshark:
chmod 0755 /usr/bin/dumpcap


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0020-create-mtab-symlink.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0030-enable-cryptsetup.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0040-create-locales-files.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0100-remove-adjtime-configuration.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0110-remove-backup-files.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0120-remove-dbus-machine-id.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0130-remove-gnome-icon-cache.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0140-remove-log-files.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0150-remove-mdadm-configuration.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0160-remove-openssh-server-host-keys.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0170-remove-python-py.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0180-remove-systemd-machine-id.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0190-remove-temporary-files.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0195-remove-ssl-cert-snakeoil.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0200-remove-udev-persistent-cd-rules.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0300-remove-udev-persistent-net-rules.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0400-update-apt-file-cache.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0410-update-apt-xapian-index.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0420-update-glx-alternative.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0430-update-mlocate-database.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0440-update-nvidia-alternative.hook.chroot


@ -1 +0,0 @@
/usr/share/live/build/hooks/normal/0500-reproducible-glibc.hook.chroot


@ -1,8 +0,0 @@
[org/gnome/login-screen]
disable-user-list=true
logo='/usr/share/desktop-base/debian-logos/logo-text-64.png'
[org/gnome/settings-daemon/plugins/power]
power-button-action='interactive'
sleep-inactive-ac-timeout=600
sleep-inactive-ac-type='interactive'


@ -1,34 +0,0 @@
[org/gnome/shell]
enabled-extensions=['apps-menu@gnome-shell-extensions.gcampax.github.com', 'window-list@gnome-shell-extensions.gcampax.github.com', 'places-menu@gnome-shell-extensions.gcampax.github.com', 'drive-menu@gnome-shell-extensions.gcampax.github.com', 'dash-to-dock@micxgx.gmail.com']
[org/gnome/desktop/input-sources]
sources=[('xkb', 'de'), ('xkb', 'us')]
[org/gnome/desktop/wm/preferences]
button-layout='appmenu:minimize,maximize,close'
[org/gnome/desktop/peripherals/touchpad]
natural-scroll=false
edge-scrolling-enabled=true
tap-to-click=true
[org/gnome/nautilus/preferences]
default-folder-viewer='list-view'
[org/gnome/nautilus/list-view]
use-tree-view=true
[org/gnome/settings-daemon/plugins/power]
power-button-action='interactive'
sleep-inactive-battery-timeout=600
sleep-inactive-battery-type='hibernate'
sleep-inactive-ac-timeout=6000
sleep-inactive-ac-type='nothing'
[org/gnome/desktop/screensaver]
lock-enabled=false
[org/gnome/desktop/interface]
clock-show-date=true
clock-show-seconds=true
clock-show-weekday=true


@ -1,3 +0,0 @@
user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter.dconf-defaults


@ -1,2 +0,0 @@
user-db:user
system-db:local


@ -1,151 +0,0 @@
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh edit netboot
or other application using the libvirt API.
-->
<domain type='kvm'>
<name>netboot</name>
<uuid>60ea84db-de6c-493c-8e3f-8e9a99ee19c2</uuid>
<metadata>
<libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
<libosinfo:os id="http://debian.org/debian/11"/>
</libosinfo:libosinfo>
</metadata>
<memory unit='KiB'>2097152</memory>
<currentMemory unit='KiB'>2097152</currentMemory>
<vcpu placement='static'>2</vcpu>
<os>
<type arch='x86_64' machine='pc-q35-3.1'>hvm</type>
<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
<nvram>/var/lib/libvirt/qemu/nvram/netboot_VARS.fd</nvram>
<boot dev='network'/>
</os>
<features>
<acpi/>
<apic/>
<vmport state='off'/>
</features>
<cpu mode='host-model' check='partial'>
<model fallback='allow'/>
</cpu>
<clock offset='utc'>
<timer name='rtc' tickpolicy='catchup'/>
<timer name='pit' tickpolicy='delay'/>
<timer name='hpet' present='no'/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<pm>
<suspend-to-mem enabled='no'/>
<suspend-to-disk enabled='no'/>
</pm>
<devices>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<controller type='usb' index='0' model='qemu-xhci' ports='15'>
<address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
</controller>
<controller type='sata' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
</controller>
<controller type='pci' index='0' model='pcie-root'/>
<controller type='virtio-serial' index='0'>
<address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
</controller>
<controller type='pci' index='1' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='1' port='0x10'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
</controller>
<controller type='pci' index='2' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='2' port='0x11'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
</controller>
<controller type='pci' index='3' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='3' port='0x12'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
</controller>
<controller type='pci' index='4' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='4' port='0x13'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
</controller>
<controller type='pci' index='5' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='5' port='0x14'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
</controller>
<controller type='pci' index='6' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='6' port='0x15'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
</controller>
<interface type='direct'>
<mac address='52:54:00:VMMAC'/>
<source dev='INTERFACE' mode='bridge'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
</interface>
<interface type='network'>
<mac address='52:54:00:46:a6:25'/>
<source network='default'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
</interface>
<interface type='network'>
<mac address='52:54:00:5c:fc:08'/>
<source network='intern'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
</interface>
<serial type='pty'>
<target type='isa-serial' port='0'>
<model name='isa-serial'/>
</target>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
</console>
<channel type='unix'>
<target type='virtio' name='org.qemu.guest_agent.0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<channel type='spicevmc'>
<target type='virtio' name='com.redhat.spice.0'/>
<address type='virtio-serial' controller='0' bus='0' port='2'/>
</channel>
<input type='tablet' bus='usb'>
<address type='usb' bus='0' port='1'/>
</input>
<input type='mouse' bus='ps2'/>
<input type='keyboard' bus='ps2'/>
<graphics type='spice' autoport='yes'>
<listen type='address'/>
<image compression='off'/>
</graphics>
<sound model='ich9'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
</sound>
<video>
<model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
</video>
<redirdev bus='usb' type='spicevmc'>
<address type='usb' bus='0' port='2'/>
</redirdev>
<redirdev bus='usb' type='spicevmc'>
<address type='usb' bus='0' port='3'/>
</redirdev>
<memballoon model='virtio'>
<address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
</memballoon>
<rng model='virtio'>
<backend model='random'>/dev/urandom</backend>
<address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
</rng>
</devices>
</domain>


@ -1,14 +0,0 @@
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh net-edit intern
or other application using the libvirt API.
-->
<network>
<name>intern</name>
<uuid>399d67ae-263b-4aeb-995d-fe0a44f00132</uuid>
<bridge name='virbr1' stp='on' delay='0'/>
<mac address='52:54:00:93:e1:ee'/>
<domain name='intern'/>
</network>


@ -1,3 +0,0 @@
# Uncomment the following to stop low-level messages on console
kernel.printk = 3 4 1 3


@ -1,11 +0,0 @@
#!/bin/sh
# Fix deployed VM config
set -eu
NIC="$(ip link | grep "^2: " | cut -d ' ' -f2 | sed "s/://")"
MAC="$(ip link | grep -A1 "^2: " | grep -oE "[[:xdigit:]]{2}:[[:xdigit:]]{2}:[[:xdigit:]]{2} " \
| sed "s/ //g")"
sed -i -e "s/VMMAC/$MAC/g" -e "s/INTERFACE/$NIC/g" /etc/libvirt/qemu/netboot.xml


@ -1,13 +0,0 @@
task-gnome-desktop
gnome-shell-extension-dashtodock
gnome-shell-extension-dash-to-panel
plymouth
plymouth-x11
gstreamer1.0-vaapi
i965-va-driver
## this confuses apt-cacher-ng:
#auto-apt-proxy


@ -1,2 +0,0 @@
live-manual
live-tools


@ -1,3 +0,0 @@
live-boot
live-config
live-config-systemd


@ -1,2 +0,0 @@
task-english
task-german


@ -1,100 +0,0 @@
#
# This file is linked to all desktop configurations.
# Put desktop specific packages in the desktop specific file.
#
#webext-ublock-origin-firefox
#webext-ublock-origin-chromium
webext-ublock-origin
webext-privacy-badger
vim
emacs
vlc
gimp
inkscape
bluefish
openboard
xournal
freecad
librecad
kicad
git
mc
tmux
wireshark
nmap
netcat-openbsd
net-tools
thonny
spyder
ghex
codeblocks
gprolog
qtcreator
obs-studio
mu-editor
dia
vym
shellcheck
xterm
tree
console-setup
virt-manager
sway
task-german-desktop
ssh-askpass-gnome
keepassxc
#nextcloud-desktop
#nautilus-nextcloud
#thunderbird
#thunderbird-l10n-de
#texlive
#texlive-latex-extra
#texlive-lang-german
#texlive-science
pdf-presenter-console
libreoffice/bullseye-backports
libreoffice-core/bullseye-backports
libreoffice-common/bullseye-backports
libreoffice-writer/bullseye-backports
libreoffice-calc/bullseye-backports
libreoffice-impress/bullseye-backports
libreoffice-base/bullseye-backports
libreoffice-base-drivers/bullseye-backports
libreoffice-math/bullseye-backports
libreoffice-report-builder-bin/bullseye-backports
libreoffice-style-colibre/bullseye-backports
libreoffice-gnome/bullseye-backports
libreoffice-gtk3/bullseye-backports
libreoffice-style-elementary/bullseye-backports
libreoffice-help-common/bullseye-backports
libreoffice-help-de/bullseye-backports
libreoffice-java-common/bullseye-backports
libreoffice-l10n-de/bullseye-backports
libreoffice-nlpsolver/bullseye-backports
libreoffice-report-builder/bullseye-backports
libreoffice-script-provider-bsh/bullseye-backports
libreoffice-script-provider-js/bullseye-backports
libreoffice-script-provider-python/bullseye-backports
libreoffice-sdbc-firebird/bullseye-backports
libreoffice-sdbc-hsqldb/bullseye-backports
libreoffice-sdbc-mysql/bullseye-backports
libreoffice-sdbc-postgresql/bullseye-backports
libreoffice-wiki-publisher/bullseye-backports
python3-uno/bullseye-backports
libuno-sal3/bullseye-backports
fonts-opensymbol/bullseye-backports
ure/bullseye-backports


@ -1,4 +0,0 @@
! Packages Priority standard
task-laptop
task-ssh-server


@ -1 +0,0 @@
wireshark-common wireshark-common/install-setuid boolean true


@ -1,6 +0,0 @@
[Unit]
Description=Run livebuilder script
[Service]
Type=simple
ExecStart=/usr/local/sbin/livebuilder.sh


@ -1,11 +0,0 @@
[Unit]
Description=Run livebuilder script weekly
[Timer]
OnCalendar=weekly
Persistent=true
AccuracySec=3h
RandomizedDelaySec=3h
[Install]
WantedBy=timers.target


@ -1,12 +0,0 @@
---
- name: run the image build script
command:
cmd: livebuilder.sh
listen: run build script
- name: enable timer for livebuilder
systemd:
name: livebuilder.timer
state: started
enabled: true
listen: enable livebuilder.timer


@ -1,75 +0,0 @@
---
- name: install packages
apt:
name:
- live-build
state: latest # noqa package-latest
- name: prepare live-build directory
file:
path: "{{ build_dir }}"
state: directory
mode: 0755
- name: copy build script
template:
src: livebuilder.sh
dest: /usr/local/sbin/
mode: 0755
- name: provide service and timer for livebuilder
copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
with_items:
- livebuilder.service
- livebuilder.timer
notify: "enable livebuilder.timer"
- name: copy live-build configuration
copy:
src: "{{ item }}"
dest: "{{ build_dir }}"
local_follow: false
mode: preserve
loop: "{{ build_images }}"
- name: prepare debian live nfs boot entry title
lineinfile:
path: /etc/di-netboot-assistant/ipxemenu.HEAD
insertafter: '-- Customized Boot Entries --'
line: "item {{ item }} Debian GNU/Linux {{ item }} NFS"
loop:
"{{ build_images }}"
notify: rebuild di-netboot menu
- name: prepare debian live boot loader ipxe
blockinfile:
path: /etc/di-netboot-assistant/ipxemenu.HEAD
marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item }}"
block: |
:{{ item }}
echo Booting Debian GNU/Linux EDU LIVE NFS
kernel ${210:string}d-i/n-live/{{ item }}/live/vmlinuz \
initrd=initrd.img {{ boot_params|join(' ') }} \
nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item }}/
initrd ${210:string}d-i/n-live/{{ item }}/live/initrd.img
boot
loop: "{{ build_images }}"
notify: rebuild di-netboot menu
- name: prepare debian live boot loader grub
blockinfile:
path: /etc/di-netboot-assistant/grub.cfg.HEAD
insertbefore: "^menuentry 'Boot from local disk..'"
marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item }}"
block: |
menuentry 'Debian GNU/Linux Live {{ item }} NFS' {
linux (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item }}/live/vmlinuz \
{{ boot_params|join(' ') }} \
nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item }}/
initrd (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item }}/live/initrd.img
}
loop: "{{ build_images }}"
notify: rebuild di-netboot menu


@ -1,32 +0,0 @@
#!/usr/bin/bash
#
# build live images and copy kernel, initramfs and squashfs
#
set -eu
BUILDD="{{ build_dir }}"
run_build(){
local DEST="/var/lib/tftpboot/d-i/n-live/$1/live/"
cd "$BUILDD/$1"
[[ -d "$DEST" ]] || mkdir -vp "$DEST"
lb clean && lb config && lb build
for FILE in vmlinuz initrd.img filesystem.squashfs ; do
ln -vf "$BUILDD/$1/binary/live/$FILE" "$DEST"
done
}
## main:
if ! auto-apt-proxy | grep -q 'http://127.0.0.1:3142' ; then
echo "Cannot find the local apt proxy needed to build live images."
exit 1
fi
for IMG in {{ build_images|join(' ') }} ; do
echo "=========== Building image $IMG ==========="
run_build $IMG
done


@ -1,23 +0,0 @@
#!/usr/bin/bash
#
# Backup and remove all student home directories.
set -eu
HDIRS='/home/'
DIRS=()
for DIR in $(find $HDIRS -maxdepth 1 -mindepth 1 -type d) ; do
H="$(basename $DIR)"
if [[ "$H" =~ ^L_ ]] || [[ "$H" =~ ansible ]] ; then
echo "Skipping home of '$H'."
continue
fi
DIRS+=("$DIR")
done
[[ "${#DIRS[@]}" -eq 0 ]] && exit 0
tar czf "/var/backups/homes_$(date -I).tar.gz" -C "$HDIRS" \
-P --transform="s%$HDIRS%%" "${DIRS[@]}"
rm -rf "${DIRS[@]}"
echo "Archived and removed: ${DIRS[@]}"


@ -1,6 +0,0 @@
[Unit]
Description=Archive students' home directories
[Service]
Type=simple
ExecStart=/usr/local/sbin/archive-homes


@ -1,11 +0,0 @@
[Unit]
Description=Run archive script every night
[Timer]
OnCalendar=daily
Persistent=true
AccuracySec=3h
RandomizedDelaySec=3h
[Install]
WantedBy=timers.target


@ -1,26 +0,0 @@
#!/usr/bin/bash
#
# Copy content to all student home download directories.
set -eu
if [[ -z $@ ]] ; then
echo "Argument missing!"
exit 1
fi
HDIRS='/home/'
DIRS=()
for DIR in $(find $HDIRS -maxdepth 1 -mindepth 1 -type d) ; do
H="$(basename $DIR)"
if [[ "$H" =~ ^L_ ]] || [[ "$H" =~ ansible ]] ; then
echo "Skipping home of '$H'."
continue
fi
DIRS+=("$DIR")
done
[[ "${#DIRS[@]}" -eq 0 ]] && exit 0
for DIR in "${DIRS[@]}" ; do
cp -va $@ "$DIR/Downloads/"
done


@ -1,75 +0,0 @@
#!/usr/bin/python3
import ldap
from os import scandir
HOME = '/home'
BASE = 'ou=schueler,ou=Benutzer,ou=fvs,ou=SCHULEN,o=ml3'
#BASE = 'ou=Benutzer,ou=fvs,ou=SCHULEN,o=ml3'
LDAP = 'ldap://ldap.steinbeisschule-reutlingen.de'
def fetch_ou(uid):
l = ldap.initialize(LDAP)
f = '(uid=' + uid + ')'
try:
return l.search_s(BASE,ldap.SCOPE_SUBTREE,f,['ou'])[0][1]['ou'][0].decode('utf-8')
except:
return None
def fetch_uids(crs):
uids = []
l = ldap.initialize(LDAP)
# if 'Abgang' in crs:
# b = 'ou=Abgang,' + BASE
# else:
# b = 'ou=' + crs + ',' + BASE
b = BASE
r = l.search_s(b,ldap.SCOPE_SUBTREE,'(ou=' + crs + ')',['uid'])
for dn,entry in r:
if entry != {}:
uids.append(entry['uid'][0].decode('utf-8'))
return uids
def assign_course(user, crs_uids, home):
c = fetch_ou(user)
print('Needed to fetch new course', c, 'for', user)
if c:
crs_uids[c] = fetch_uids(c)
home[user] = c
else:
print('No course for', user , 'found!')
if __name__ == '__main__':
home = {}
with scandir(HOME) as it:
for entry in it:
if entry.is_dir() and entry.name != 'lost+found':
home[entry.name] = ''
crs_uids = {}
for user in home:
if crs_uids == {}:
assign_course(user, crs_uids, home)
continue
for k in crs_uids.keys():
if user in crs_uids[k]:
home[user] = k
break
else:
assign_course(user, crs_uids, home)
for usr in home:
print(usr, home[usr])
for crs in crs_uids.keys():
print(usr, home[usr])
for k, v in sorted(crs_uids.items()):
print(k, sorted(v))
for item in sorted(v):
try:
print(item, home[item])
except:
print('No home for', item, 'found.')


@ -1,23 +0,0 @@
#!/usr/bin/bash
#
# Backup and remove all student home directories.
set -eu
HDIRS='/home/'
DIRS=()
for DIR in $(find $HDIRS -maxdepth 1 -mindepth 1 -type d) ; do
H="$(basename $DIR)"
if [[ "$H" =~ ^L_ ]] || [[ "$H" =~ ansible ]] ; then
echo "Skipping home of '$H'."
continue
fi
DIRS+=("$DIR")
done
[[ "${#DIRS[@]}" -eq 0 ]] && exit 0
AR="homes_$(date -I).tar.gz"
tar czf "$AR" -C "$HDIRS" --exclude='.[^/]*' \
-P --transform="s%$HDIRS%%" "${DIRS[@]}"
echo "Create archive $AR containing: ${DIRS[@]}"


@ -1,12 +0,0 @@
#!/usr/bin/bash
#
# Prepare Downloads directory.
set -eu
HDIRS='/home/'
if [[ ! -d "$HDIRS/$PAM_USER/Downloads" ]] && [[ ! "$PAM_USER" =~ ^L_ ]] && \
[[ ! "$PAM_USER" =~ ansible ]] ; then
mkdir --mode=0777 "$HDIRS/$PAM_USER/Downloads"
fi
