Add configuration via ansible

TODO.txt

@@ -2,5 +2,3 @@
 (because of background processes running for labuser). Killing the processes
 doesn't really work because things (e.g. XFCE) start failing if we do so.
 - LDAP authentication for user login
-- Refactor: Move stuff out of the installer and into Ansible roles (or at least
-playbooks).

ansible/README.md

@@ -0,0 +1,29 @@
+# Ansible roles and playbooks for configuration management
+
+This includes various playbooks and roles managing the overall configuration of
+the PCs plus some day-to-day tasks.
+
+**NOTE**: All playbooks / roles expect to run with administrator privileges.
+
+## Quickstart
+
+Taking over from the [installer](../archlive), to apply the base desktop
+configuration:
+
+```sh
+ansible-playbook post-install.yml
+ansible-playbook reboot.yml
+```
+
+Look into the [`extra`](roles/extra) role for course-specific software
+configuration.
+
+## Playbooks
+
+- [`persist.yml`](persist.yml) makes the current configuration permanent (see
+  [reversion mechanism](../reversion_mechanism.md))
+- [`post-install.yml`](post-install.yml) applies the necessary post-installer
+  configuration (desktop, software etc.)
+- [`poweroff.yml`](poweroff.yml) powers off
+- [`reboot.yml`](reboot.yml) reboots
+- [`upgrade.yml`](upgrade.yml) upgrades installe software

ansible/persist.yml

@@ -0,0 +1,40 @@
+---
+- name: Clear pacman cache
+  ansible.builtin.shell: yes | pacman -Scc
+  tags:
+  - cleanup
+
+- name: Make changes permanent
+  block:
+  - name: Persist home
+    block:
+    - name: Ensure no ansible traces left in home
+      ansible.builtin.file:
+        path: /home/labuser/.ansible
+        state: absent
+    - name: Delete old home snapshot
+      ansible.builtin.command: rec-sub-del.sh home-snap /root/btrfs-root
+    - name: Create home snapshot from current
+      ansible.builtin.command: btrfs subvolume snapshot /root/btrfs-root/home /root/btrfs-root/home-snap
+    tags:
+    - home
+  - name: Persist root state
+    ansible.builtin.command: replace-snap.sh
+    tags:
+    - root
+  - name: Generate GRUB configuration
+    # NOTE: This needs to happen after the above
+    block:
+    - name: Ensure /etc/grub.d/30_uefi-firmware is missing
+      # NOTE: This file (part of grub) adds a boot menu option to reboot into
+      # the UEFI firmware settings, which we don't want. The file will be
+      # reinstalled every time GRUB is upgraded, so removing it only once is not
+      # enough. Also, no reason bothering to keep a backup.
+      ansible.builtin.file:
+        path: /etc/grub.d/30_uefi-firmware
+        state: absent
+    - name: Generate grub.cfg
+      ansible.builtin.command: grub-mkconfig -o /boot/grub/grub.cfg
+    tags:
+    - grub
+  tags: persist

ansible/post-install.yml

@@ -0,0 +1,10 @@
+---
+- name: Configure system post-install
+  hosts: pclab
+  tasks:
+  - name: Apply base desktop configuration
+    import_role:
+      name: common
+  # TODO OPT: Apply extra too?
+  - name: Persist changes
+    import_tasks: persist.yml

ansible/poweroff.yml

@@ -0,0 +1,13 @@
+---
+- name: Power off the system
+  hosts: pclab
+  gather_facts: no
+  vars:
+    delay_minutes: 1
+  tasks:
+  - name: Power off
+    # NOTE: The delay is added to avoid ansible hanging until it times out.
+    ansible.builtin.command: "shutdown +{{ delay_minutes }}"
+  - name: Remind user about the delay
+    ansible.builtin.debug:
+      msg: "System will power off in {{ delay_minutes }} minute(s)"

ansible/reboot.yml

@@ -0,0 +1,13 @@
+---
+- name: Reboot the system
+  hosts: pclab
+  gather_facts: no
+  vars:
+    delay_minutes: 1
+  tasks:
+  - name: Reboot (without waiting for the remotes to come back up)
+    # NOTE: The delay is added to avoid ansible hanging until it times out.
+    ansible.builtin.command: "shutdown -r +{{ delay_minutes }}"
+  - name: Remind user about the delay
+    ansible.builtin.debug:
+      msg: "System will reboot in {{ delay_minutes }} minute(s)"

ansible/roles/common/README.md

@@ -0,0 +1,10 @@
+# Common role
+
+This includes the desktop, complete with all standard apps (not
+course-specific).
+
+- Configures lab user (`labuser`) and its home / environment.
+- COnfigures home reversion mechanism.
+- Configures GRUB (menu default and timeout).
+- Installs and configures X, Xfce, LightDM and necessary desktop applications
+  (utilities, browser, multimedia, office suite).

ansible/roles/common/files/Thunar/uca.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<actions>
+<action>
+	<icon>utilities-terminal</icon>
+	<name>Open Terminal Here</name>
+	<command>exo-open --working-directory %f --launch TerminalEmulator</command>
+	<description>Example for a custom action</description>
+	<patterns>*</patterns>
+	<startup-notify/>
+	<directories/>
+</action>
+<action>
+	<icon>org.xfce.catfish</icon>
+	<name>Search</name>
+	<command>catfish --path=%f</command>
+	<description></description>
+	<patterns>*</patterns>
+	<directories/>
+</action>
+</actions>

ansible/roles/common/files/lightdm.conf.d/50-local.conf

@@ -0,0 +1,4 @@
+[Seat:*]
+allow-user-switching=false
+allow-guest=false
+session-setup-script=/usr/local/sbin/revert-home.sh

ansible/roles/common/files/rules.d/10-admin-override.rules

@@ -0,0 +1,35 @@
+// Prevent suspend and hibernate for labuser
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.freedesktop.login1.suspend" ||
+         action.id == "org.freedesktop.login1.suspend-multiple-sessions" ||
+         action.id == "org.freedesktop.login1.hibernate" ||
+         action.id == "org.freedesktop.login1.hibernate-multiple-sessions") &&
+        subject.user == "labuser") {
+
+        return polkit.Result.NO;
+    }
+});
+
+
+// Prevent shut down for labuser
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.freedesktop.login1.halt" ||
+         action.id == "org.freedesktop.login1.halt-multiple-sessions" ||
+         action.id == "org.freedesktop.login1.power-off" ||
+         action.id == "org.freedesktop.login1.power-off-multiple-sessions") &&
+        subject.user == "labuser") {
+
+        return polkit.Result.NO;
+    }
+});
+
+
+// Prevent running xfsm-shutdown-helper and xfce4-pm-helper for labuser
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.xfce.session.xfsm-shutdown-helper" ||
+         action.id == "org.xfce.power.xfce4-pm-helper") &&
+        subject.user == "labuser") {
+
+        return polkit.Result.NO;
+    }
+});

ansible/roles/common/files/xfce4/helpers.rc

@@ -0,0 +1 @@
+WebBrowser=firefox

ansible/roles/common/files/xfce4/panel/launcher-3/16215916401.desktop

@@ -0,0 +1,13 @@
+[Desktop Entry]
+Version=1.0
+Type=Application
+Exec=exo-open --launch TerminalEmulator
+Icon=org.xfce.terminalemulator
+StartupNotify=true
+Terminal=false
+Categories=Utility;X-XFCE;X-Xfce-Toplevel;
+OnlyShowIn=XFCE;
+X-AppStream-Ignore=True
+Name=Terminal Emulator
+Comment=Use the command line
+X-XFCE-Source=file:///usr/share/applications/xfce4-terminal-emulator.desktop

ansible/roles/common/files/xfce4/panel/launcher-4/16215916912.desktop

@@ -0,0 +1,14 @@
+[Desktop Entry]
+Version=1.0
+Type=Application
+Exec=exo-open --launch FileManager %u
+Icon=org.xfce.filemanager
+StartupNotify=true
+Terminal=false
+Categories=Utility;X-XFCE;X-Xfce-Toplevel;
+OnlyShowIn=XFCE;
+X-XFCE-MimeType=inode/directory;x-scheme-handler/trash;
+X-AppStream-Ignore=True
+Name=File Manager
+Comment=Browse the file system
+X-XFCE-Source=file:///usr/share/applications/xfce4-file-manager.desktop

ansible/roles/common/files/xfce4/panel/launcher-5/16217825961.desktop

@@ -0,0 +1,27 @@
+[Desktop Entry]
+Version=1.0
+Name=Firefox
+GenericName=Web Browser
+Comment=Browse the World Wide Web
+Keywords=Internet;WWW;Browser;Web;Explorer
+Exec=/usr/lib/firefox/firefox %u
+Icon=firefox
+Terminal=false
+X-MultipleArgs=false
+Type=Application
+MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https;application/x-xpinstall;application/pdf;application/json;
+StartupNotify=true
+StartupWMClass=firefox
+Categories=Network;WebBrowser;
+Actions=new-window;new-private-window;
+X-XFCE-Source=file:///usr/share/applications/firefox.desktop
+
+[Desktop Action new-window]
+Name=New Window
+Name[en_US]=New Window
+Exec=/usr/lib/firefox/firefox --new-window %u
+
+[Desktop Action new-private-window]
+Name=New Private Window
+Name[en_US]=New Private Window
+Exec=/usr/lib/firefox/firefox --private-window %u

ansible/roles/common/files/xfce4/panel/whiskermenu-1.rc

@@ -0,0 +1,4 @@
+button-title=Start
+show-button-title=true
+default-category=2
+show-command-lockscreen=false

ansible/roles/common/files/xfce4/xfconf/xfce-perchannel-xml/keyboard-layout.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<channel name="keyboard-layout" version="1.0">
+  <property name="Default" type="empty">
+    <property name="XkbOptions" type="empty">
+      <property name="Group" type="string" value="grp:alt_shift_toggle"/>
+    </property>
+    <property name="XkbLayout" type="string" value="us,gr"/>
+    <property name="XkbDisable" type="bool" value="false"/>
+  </property>
+</channel>

ansible/roles/common/files/xfce4/xfconf/xfce-perchannel-xml/thunar-volman.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<channel name="thunar-volman" version="1.0">
+  <property name="automount-drives" type="empty">
+    <property name="enabled" type="bool" value="true"/>
+  </property>
+</channel>

ansible/roles/common/files/xfce4/xfconf/xfce-perchannel-xml/thunar.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<channel name="thunar" version="1.0">
+  <property name="hidden-devices" type="array">
+    <value type="string" value="C8A8A3A9A8A3948A"/>
+  </property>
+</channel>

ansible/roles/common/files/xfce4/xfconf/xfce-perchannel-xml/xfce4-desktop.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<channel name="xfce4-desktop" version="1.0">
+  <property name="desktop-icons" type="empty">
+    <property name="file-icons" type="empty">
+      <property name="show-removable" type="bool" value="false"/>
+    </property>
+  </property>
+</channel>

ansible/roles/common/files/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml

@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<channel name="xfce4-panel" version="1.0">
+  <property name="configver" type="int" value="2"/>
+  <property name="panels" type="array">
+    <value type="int" value="1"/>
+    <property name="dark-mode" type="bool" value="false"/>
+    <property name="panel-1" type="empty">
+      <property name="position" type="string" value="p=8;x=960;y=949"/>
+      <property name="length" type="uint" value="100"/>
+      <property name="position-locked" type="bool" value="true"/>
+      <property name="size" type="uint" value="26"/>
+      <property name="plugin-ids" type="array">
+        <value type="int" value="1"/>
+        <value type="int" value="2"/>
+        <value type="int" value="3"/>
+        <value type="int" value="4"/>
+        <value type="int" value="5"/>
+        <value type="int" value="6"/>
+        <value type="int" value="7"/>
+        <value type="int" value="8"/>
+        <value type="int" value="9"/>
+        <value type="int" value="10"/>
+        <value type="int" value="11"/>
+        <value type="int" value="12"/>
+      </property>
+    </property>
+  </property>
+  <property name="plugins" type="empty">
+    <property name="plugin-1" type="string" value="whiskermenu"/>
+    <property name="plugin-2" type="string" value="separator">
+      <property name="style" type="uint" value="0"/>
+    </property>
+    <property name="plugin-3" type="string" value="launcher">
+      <property name="items" type="array">
+        <value type="string" value="16215916401.desktop"/>
+      </property>
+    </property>
+    <property name="plugin-4" type="string" value="launcher">
+      <property name="items" type="array">
+        <value type="string" value="16215916912.desktop"/>
+      </property>
+    </property>
+    <property name="plugin-5" type="string" value="launcher">
+      <property name="items" type="array">
+        <value type="string" value="16217825961.desktop"/>
+      </property>
+    </property>
+    <property name="plugin-6" type="string" value="tasklist"/>
+    <property name="plugin-7" type="string" value="separator">
+      <property name="expand" type="bool" value="true"/>
+      <property name="style" type="uint" value="0"/>
+    </property>
+    <property name="plugin-8" type="string" value="systray"/>
+    <property name="plugin-9" type="string" value="xkb">
+      <property name="group-policy" type="uint" value="1"/>
+      <property name="display-type" type="uint" value="2"/>
+    </property>
+    <property name="plugin-10" type="string" value="pulseaudio"/>
+    <property name="plugin-11" type="string" value="clock"/>
+    <property name="plugin-12" type="string" value="notification-plugin"/>
+  </property>
+</channel>

ansible/roles/common/files/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<channel name="xfce4-session" version="1.0">
+  <property name="general" type="empty">
+    <property name="SaveOnExit" type="bool" value="false"/>
+  </property>
+</channel>

ansible/roles/common/files/xfce4/xfconf/xfce-perchannel-xml/xfwm4.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<channel name="xfwm4" version="1.0">
+  <property name="general" type="empty">
+    <property name="workspace_count" type="int" value="1"/>
+  </property>
+</channel>