diff --git a/roles/linroom/tasks/NetBeans.yml b/roles/linroom/tasks/NetBeans.yml deleted file mode 100644 index 2b874a8..0000000 --- a/roles/linroom/tasks/NetBeans.yml +++ /dev/null @@ -1 +0,0 @@ -# TODO install NetBeans diff --git a/roles/linroom/tasks/VSCode.yml b/roles/linroom/tasks/VSCode.yml deleted file mode 100644 index 885a65e..0000000 --- a/roles/linroom/tasks/VSCode.yml +++ /dev/null @@ -1,15 +0,0 @@ -- name: Add VS repository - block: - - name: VS repo - apt key - ansible.builtin.get_url: - url: https://packages.microsoft.com/keys/microsoft.asc - dest: /etc/apt/trusted.gpg.d/microsoft_key.asc - - name: VS repo - url - ansible.builtin.apt_repository: - repo: "deb https://packages.microsoft.com/repos/vscode stable main" - state: present -- name: Install VSCode - ansible.builtin.apt: - name: code - state: latest -# TODO: dodaj potrebne plugine diff --git a/roles/linroom/tasks/fri_base.yml b/roles/linroom/tasks/fri_base.yml index c431f16..7e22a42 100644 --- a/roles/linroom/tasks/fri_base.yml +++ b/roles/linroom/tasks/fri_base.yml @@ -1,3 +1,20 @@ +- name: Add Firefox not-a-snap repository + block: + - name: Pin Firefox PPA package priority + template: + src: mozilla-firefox-apt-preferences + dest: /etc/apt/preferences.d/mozilla-firefox + - name: Enable Firefox unattended upgrades + template: + src: mozilla-firefox-unattended-upgrades + dest: /etc/apt/apt.conf.d/51unattended-upgrades-firefox + - name: Add Firefox PPA + apt_repository: + repo: ppa:mozillateam/ppa + state: present + update_cache: True + validate_certs: False + - name: Install generally useful packages apt: name: @@ -33,19 +50,47 @@ - git-cola - kdiff3 - thonny + - ttf-mscorefonts-installer + - libhivex-bin state: latest update_cache: yes +- name: Remove broken or unnecessary packages + apt: + name: + - xfce4-screensaver + - xscreensaver + state: absent + - name: Set up additional groups for students + vars: + additional_groups: + - wireshark + - kvm + - dialout + - libvirt + - vboxusers + - ubridge + - docker block: - name: create user@.service.d file: path: /etc/systemd/system/user@.service.d state: directory - - name: override groups + - name: override groups in systemd template: src: systemd_group_override.conf dest: /etc/systemd/system/user@.service.d/override.conf + - name: create /etc/security/group.conf + template: + src: security_group.conf + dest: /etc/security/group.conf + - name: create pam config for libpam_group + template: + src: pamconfig_groups + dest: /usr/share/pam-configs/groups + - name: enable libpam_group + shell: pam-auth-update --enable groups - name: Set default keyboard layout to SI template: @@ -60,3 +105,10 @@ src: intel-wol.rules dest: /etc/udev/rules.d/79-wol.rules +- name: Join AD + shell: "realm join --user=ad.join@FRI1.UNI-LJ.SI --computer-ou=OU=Ucilnice FRI1.UNI-LJ.SI" + +- name: Fix SSSD config + template: + src: sssd.conf + dest: /etc/sssd/sssd.conf diff --git a/roles/linroom/tasks/mysql_odbc.yml b/roles/linroom/tasks/mysql_odbc.yml deleted file mode 100644 index b9c0b29..0000000 --- a/roles/linroom/tasks/mysql_odbc.yml +++ /dev/null @@ -1 +0,0 @@ -# TODO install MySQL ODBC adapter diff --git a/roles/linroom/tasks/pelles.yml b/roles/linroom/tasks/pelles.yml deleted file mode 100644 index 3cb827b..0000000 --- a/roles/linroom/tasks/pelles.yml +++ /dev/null @@ -1 +0,0 @@ -# TODO install Pelles diff --git a/roles/linroom/tasks/SceneBuilder.yml b/roles/linroom/tasks/scenebuilder.yml similarity index 100% rename from roles/linroom/tasks/SceneBuilder.yml rename to roles/linroom/tasks/scenebuilder.yml diff --git a/roles/linroom/tasks/weka3.yml b/roles/linroom/tasks/weka3.yml deleted file mode 100644 index 1a90f90..0000000 --- a/roles/linroom/tasks/weka3.yml +++ /dev/null @@ -1 +0,0 @@ -# TODO install Weka 3 diff --git a/roles/linroom/templates/mozilla-firefox-apt-preferences b/roles/linroom/templates/mozilla-firefox-apt-preferences new file mode 100644 index 0000000..f854044 --- /dev/null +++ b/roles/linroom/templates/mozilla-firefox-apt-preferences @@ -0,0 +1,3 @@ +Package: * +Pin: release o=LP-PPA-mozillateam +Pin-Priority: 1001 diff --git a/roles/linroom/templates/mozilla-firefox-unattended-upgrades b/roles/linroom/templates/mozilla-firefox-unattended-upgrades new file mode 100644 index 0000000..358d833 --- /dev/null +++ b/roles/linroom/templates/mozilla-firefox-unattended-upgrades @@ -0,0 +1 @@ +Unattended-Upgrade::Allowed-Origins:: "LP-PPA-mozillateam:${distro_codename}"; diff --git a/roles/linroom/templates/pamconfig_groups b/roles/linroom/templates/pamconfig_groups new file mode 100644 index 0000000..ebde502 --- /dev/null +++ b/roles/linroom/templates/pamconfig_groups @@ -0,0 +1,6 @@ +Name: Additional group management through /etc/security/groups.conf +Default: yes +Priority: 0 +Auth-Type: Additional +Auth-Final: + optional pam_group.so diff --git a/roles/linroom/templates/security_group.conf b/roles/linroom/templates/security_group.conf new file mode 100644 index 0000000..0568a16 --- /dev/null +++ b/roles/linroom/templates/security_group.conf @@ -0,0 +1,108 @@ +# +# This is the configuration file for the pam_group module. +# + +# +# *** Please note that giving group membership on a session basis is +# *** NOT inherently secure. If a user can create an executable that +# *** is setgid a group that they are infrequently given membership +# *** of, they can basically obtain group membership any time they +# *** like. Example: games are allowed between the hours of 6pm and 6am +# *** user joe logs in at 7pm writes a small C-program toplay.c that +# *** invokes their favorite shell, compiles it and does +# *** "chgrp play toplay; chmod g+s toplay". They are basically able +# *** to play games any time... You have been warned. AGM +# + +*;*;*;Al0000-2400;{{ additional_groups|join(',') }} + +# +# The syntax of the lines is as follows: +# +# services;ttys;users;times;groups +# +# white space is ignored and lines maybe extended with '\\n' (escaped +# newlines). From reading these comments, it is clear that +# text following a '#' is ignored to the end of the line. +# +# the combination of individual users/terminals etc is a logic list +# namely individual tokens that are optionally prefixed with '!' (logical +# not) and separated with '&' (logical and) and '|' (logical or). +# +# services +# is a logic list of PAM service names that the rule applies to. +# +# ttys +# is a logic list of terminal names that this rule applies to. +# +# users +# is a logic list of users or a netgroup of users to whom this +# rule applies. +# +# NB. For these items the simple wildcard '*' may be used only once. +# With netgroups no wildcards or logic operators are allowed. +# +# times +# It is used to indicate "when" these groups are to be given to the +# user. The format here is a logic list of day/time-range +# entries the days are specified by a sequence of two character +# entries, MoTuSa for example is Monday Tuesday and Saturday. Note +# that repeated days are unset MoMo = no day, and MoWk = all weekdays +# bar Monday. The two character combinations accepted are +# +# Mo Tu We Th Fr Sa Su Wk Wd Al +# +# the last two being week-end days and all 7 days of the week +# respectively. As a final example, AlFr means all days except Friday. +# +# Each day/time-range can be prefixed with a '!' to indicate "anything +# but" +# +# The time-range part is two 24-hour times HHMM separated by a hyphen +# indicating the start and finish time (if the finish time is smaller +# than the start time it is deemed to apply on the following day). +# +# groups +# The (comma or space separated) list of groups that the user +# inherits membership of. These groups are added if the previous +# fields are satisfied by the user's request +# +# For a rule to be active, ALL of service+ttys+users must be satisfied +# by the applying process. +# + +# +# Note, to get this to work as it is currently typed you need +# +# 1. to run an application as root +# 2. add the following groups to the /etc/group file: +# floppy, play, sound +# + +# +# Here is a simple example: running 'xsh' on tty* (any ttyXXX device), +# the user 'us' is given access to the floppy (through membership of +# the floppy group) +# + +#xsh;tty*&!ttyp*;us;Al0000-2400;floppy + +# +# another example: running 'xsh' on tty* (any ttyXXX device), +# the user 'sword' is given access to games (through membership of +# the sound and play group) after work hours. +# + +#xsh; tty* ;sword;!Wk0900-1800;sound, play +#xsh; tty* ;*;Al0900-1800;floppy + +# +# yet another example: any member of the group 'admin' running +# 'xsh' on tty*, is granted access (at any time) to the group 'plugdev' +# + +#xsh; tty* ;%admin;Al0000-2400;plugdev + +# +# End of group.conf file +# diff --git a/roles/linroom/templates/sssd.conf b/roles/linroom/templates/sssd.conf new file mode 100644 index 0000000..cd745fa --- /dev/null +++ b/roles/linroom/templates/sssd.conf @@ -0,0 +1,30 @@ +[sssd] +config_file_version = 2 +domains = fri1.uni-lj.si +enable_files_domain = False +services = nss, pam + +[nss] +filtered_groups = root +filtered_users = root +reconnection_retries = 3 + +[pam] +reconnection_retries = 3 + +[domain/fri1.uni-lj.si] +ad_domain = fri1.uni-lj.si +ad_server = dcv1fri1.fri1.uni-lj.si,dcv2fri1.fri1.uni-lj.si +ad_maximum_machine_account_password_age = 0 +ad_gpo_access_control = permissive +ad_enabled_domains = fri1.uni-lj.si, student.uni-lj.si, fkkt1.uni-lj.si, ef1.uni-lj.si, fe1.uni-lj.si, ff.uni-lj.si, fmf.uni-lj.si, fu.uni-lj.si, pef.uni-lj.si +krb5_realm = FRI1.UNI-LJ.SI +realmd_tags = manages-system joined-with-adcli +cache_credentials = True +id_provider = ad +krb5_store_password_if_offline = True +default_shell = /bin/bash +ldap_id_mapping = True +use_fully_qualified_names = True +fallback_homedir = /home/%u@%d +access_provider = ad diff --git a/roles/linroom/templates/systemd_group_override.conf b/roles/linroom/templates/systemd_group_override.conf index 6b0eec2..f3d177b 100644 --- a/roles/linroom/templates/systemd_group_override.conf +++ b/roles/linroom/templates/systemd_group_override.conf @@ -1,2 +1,2 @@ [Service] -SupplementaryGroups=wireshark kvm dialout libvirt vboxusers ubridge +SupplementaryGroups={{ additional_groups|join(' ') }}