2025-06-26-13-33-49: Cronjob

2025-06-26 13:33:49 +02:00 · 2025-06-26 13:33:49 +02:00 · 29049c8da1
commit 29049c8da1
127 changed files with 7089 additions and 0 deletions
--- a/roles/lmn_mount/defaults/main.yml
+++ b/roles/lmn_mount/defaults/main.yml
@ -0,0 +1,3 @@
+smb_server: "server"
+smb_share: "default-school/"
+nfs4: false
--- a/roles/lmn_mount/files/lmn-linkhome.sh
+++ b/roles/lmn_mount/files/lmn-linkhome.sh
@ -0,0 +1,4 @@
+if [[ "${UID}" -gt 60000 ]]; then
+  [[ -L "/lmn/media/${USER}/share" ]] || ln -s .default-school/share "/lmn/media/${USER}/share"
+  [[ -L "/lmn/media/${USER}/home" ]]  || ln -s ".default-school/${HOME##/srv/samba/schools/default-school/}" "/lmn/media/${USER}/home"
+fi
--- a/roles/lmn_mount/files/lmn-mounthome.sh
+++ b/roles/lmn_mount/files/lmn-mounthome.sh
@ -0,0 +1,3 @@
+if [[ "${UID}" -gt 60000 ]]; then
+	sudo /usr/local/bin/mounthome.sh &
+fi
--- a/roles/lmn_mount/tasks/main.yml
+++ b/roles/lmn_mount/tasks/main.yml
@ -0,0 +1,112 @@
+---
+- name: Install needed packages
+  ansible.builtin.apt:
+    name:
+      - libpam-mount
+      - cifs-utils
+      - nfs-common
+      - hxtools
+      - davfs2
+    state: latest
+
+- name: Configure pam_mount for Webdav Nextcloud
+  ansible.builtin.blockinfile:
+    dest: /etc/security/pam_mount.conf.xml
+    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount Nextcloud) -->"
+    block: |
+      <volume
+        fstype="davfs"
+        path="{{ web_dav }}"
+        mountpoint="/lmn/media/%(USER)/nextcloud"
+        options="username=%(USER),nosuid,nodev,uid=%(USER),gid=%(USERGID),grpid,file_mode=0700,dir_mode=0700,forceuid,forcegid"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
+      </volume>
+    insertafter: "<!-- Volume definitions -->"
+  when: web_dav is defined and web_dav | length > 0
+
+- name: Configure pam_mount for LMN homes
+  ansible.builtin.blockinfile:
+    dest: /etc/security/pam_mount.conf.xml
+    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN home) -->"
+    block: |
+      <volume
+        fstype="cifs"
+        server="{{ smb_server }}"
+        path="{{ smb_share }}"
+        mountpoint="/srv/samba/schools/default-school"
+        options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=%(USERGID),file_mode=0700,dir_mode=0700,mfsymlinks,nobrl,actimeo=600{{ cifsopt | default(",cache=loose") }}"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user>{% if localuser %}<user>{{ localuser }}</user>{% endif %}</or></not>
+      </volume>
+    insertafter: "<!-- Volume definitions -->"
+
+- name: Prepare mount point for homes
+  ansible.builtin.file:
+    path: /srv/samba/schools/default-school/
+    state: directory
+    mode: '0755'
+
+- name: Prepare persistent user cache base directory
+  ansible.builtin.file:
+    path: /var/cache/user/
+    state: directory
+    mode: '1777'
+
+- name: Create user-environment-generator directory
+  ansible.builtin.file:
+    path: /etc/systemd/user-environment-generators/
+    state: directory
+    mode: '0755'
+
+- name: Prepare generator for persistent user cache directory
+  ansible.builtin.copy:
+    dest: /etc/systemd/user-environment-generators/50-xdg-cache-home.sh
+    content: |
+      #!/usr/bin/bash
+      set -eu
+      ## local users do not need the extra cache dir:
+      [[ "$UID" -le 60000 ]] && exit 0
+      cp -r -n /etc/skel/.* "$HOME"
+      DIR="/var/cache/user/${UID}/"
+      [[ -d "$DIR" ]] || mkdir -m 0700 "$DIR"
+      echo XDG_CACHE_HOME="$DIR"
+      echo JUPYTER_ALLOW_INSECURE_WRITES=1
+    mode: "0755"
+
+
+- name: Clean up all user processes after logout
+  ansible.builtin.replace:
+    path: /etc/security/pam_mount.conf.xml
+    regexp: '^(<logout wait="0" hup="no" term="no" kill="no" />)$'
+    replace: '<!-- \1 -->\n<logout wait="1000" hup="yes" term="yes" kill="yes" />'
+
+- name: Kill all user processes on logout
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/logind.conf
+    line: KillUserProcesses=yes
+    insertafter: '#KillUserProcesses=no'
+
+- name: Bind mount /lmn/media with nosuid directory
+  ansible.posix.mount:
+    src: /lmn/media
+    path: /lmn/media
+    opts: nosuid,bind
+    state: present
+    fstype: none
+
+- name: Mount NFSv4 tools directory
+  ansible.posix.mount:
+    src: "{{ nfs_server }}:tools"
+    path: /lmn/tools
+    opts: rw,_netdev,x-systemd.automount,x-systemd.idle-timeout=10s,timeo=100,soft
+    state: present
+    fstype: nfs4
+  when: nfs_server is defined
+
+- name: Mount NFSv4 home directory
+  ansible.posix.mount:
+    src: server:/default-school
+    path: /srv/samba/schools/default-school
+    opts: sec=krb5p,_netdev,x-systemd.automount,x-systemd.idle-timeout=60
+    state: present
+    fstype: nfs4
+  when: nfs4