Diffstat (limited to 'roles/linux_laptop')
-rw-r--r--roles/linux_laptop/defaults/main.yml9
-rw-r--r--roles/linux_laptop/tasks/freeipa.yml33
-rw-r--r--roles/linux_laptop/tasks/main.yml58
-rw-r--r--roles/linux_laptop/templates/etc/sysconfig/network-scripts/ifcfg-ssid.j232
-rw-r--r--roles/linux_laptop/templates/etc/sysconfig/network-scripts/keys-ssid.j21
-rw-r--r--roles/linux_laptop/vars/main.yml6
6 files changed, 139 insertions, 0 deletions
diff --git a/roles/linux_laptop/defaults/main.yml b/roles/linux_laptop/defaults/main.yml
new file mode 100644
index 0000000..adaa6b2
--- /dev/null
+++ b/roles/linux_laptop/defaults/main.yml
@@ -0,0 +1,9 @@
+linux_laptop_access_group: role-linux-desktop-access
+linux_laptop_wifi_ssid: '{{ wifi_ssid }}'
+linux_laptop_wifi_ip: '{{ ip }}'
+linux_laptop_wifi_prefix: "{{ vlan.cidr | ansible.utils.ipaddr('prefix') }}"
+linux_laptop_wifi_gateway: '{{ vlan.gateway }}'
+linux_laptop_wifi_domain: '{{ ansible_domain }}'
+linux_laptop_wifi_dns_servers: '{{ vlan.dns_servers }}'
+linux_laptop_wlan_device: wlan0
+linux_laptop_dirty_writeback_centisecs: 6000
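Review bot: The defaults on lines 2–7 of this file resolve inventory-provided names (`wifi_ssid`, `ip`, `vlan.cidr`, `vlan.gateway`, `vlan.dns_servers`, `ansible_domain`) that nothing in the role documents, so a host lacking one of them fails later with an undefined-variable error inside a template rather than at role entry. A header comment above `linux_laptop_wifi_ssid` such as `# requires inventory vars: wifi_ssid, ip, vlan (cidr, gateway, dns_servers)` would make the contract visible, and an `assert` task at the top of tasks/main.yml could enforce it. `linux_laptop_wlan_device: wlan0` also deserves a one-line comment, since hosts using predictable interface names will need to override it.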
diff --git a/roles/linux_laptop/tasks/freeipa.yml b/roles/linux_laptop/tasks/freeipa.yml
new file mode 100644
index 0000000..3c39bbf
--- /dev/null
+++ b/roles/linux_laptop/tasks/freeipa.yml
@@ -0,0 +1,33 @@
+- name: create linux-laptops hostgroup
+ ipahostgroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ linux_laptop_hbac_hostgroup}}'
+ description: Linux Laptops
+ host: "{{ groups[linux_laptop_hbac_hostgroup] | map('regex_replace', '$', '.' ~ ansible_domain) }}"
+ state: present
+ run_once: yes
+
+- name: create linux laptop access group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ linux_laptop_access_group }}'
+ nonposix: yes
+ state: present
+ run_once: yes
+
+- name: create HBAC rule for gdm
+ ipahbacrule:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: allow_gdm_on_linux_laptops
+ description: Allow login to GDM on linux laptops
+ hostgroup:
+ - '{{ linux_laptop_hbac_hostgroup }}'
+ group:
+ - '{{ linux_laptop_access_group }}'
+ hbacsvc:
+ - gdm
+ - gdm-password
+ run_once: yes
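Review bot: The `ipahbacrule` task at the end of the hunk omits `state: present`, unlike the two tasks above it; the module defaults to present, but the asymmetry reads as an omission, so add `state: present` after the `hbacsvc` list. `run_once: yes` (three times here) and `changed_when: no` in tasks/main.yml are YAML 1.1 truthy spellings; write `run_once: true` / `changed_when: false`. The name on the first task, `'{{ linux_laptop_hbac_hostgroup}}'`, is missing the space before `}}` — Jinja accepts it, but it is inconsistent with every other expression in the role. The admin password is passed as `ipaadmin_password` on each task; if the module does not itself mark that parameter no_log, it would appear in `-vvv` invocation output, so `no_log: true` on these three tasks is a cheap safeguard.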
diff --git a/roles/linux_laptop/tasks/main.yml b/roles/linux_laptop/tasks/main.yml
new file mode 100644
index 0000000..93f0862
--- /dev/null
+++ b/roles/linux_laptop/tasks/main.yml
@@ -0,0 +1,58 @@
+- import_tasks: freeipa.yml
+
+- name: request TLS certificate for wifi
+ include_role:
+ name: getcert_request
+ vars:
+ certificate_service: host
+ certificate_sans: ['{{ ansible_fqdn }}']
+ certificate_path: '{{ linux_laptop_wifi_certificate_path }}'
+ certificate_key_path: '{{ linux_laptop_wifi_certificate_key_path }}'
+ certificate_key_passphrase: '{{ linux_laptop_wifi_certificate_key_passphrase }}'
+
+- name: get connection uuid
+ shell: nmcli --get-values connection.uuid connection show {{ linux_laptop_wifi_ssid }} || uuidgen
+ register: linux_laptop_wifi_networkmanager_uuid
+ changed_when: no
+
+- name: generate wifi network script
+ template:
+ src: etc/sysconfig/network-scripts/ifcfg-ssid.j2
+ dest: /etc/sysconfig/network-scripts/ifcfg-{{ linux_laptop_wifi_ssid }}
+ register: linux_laptop_wifi_config
+
+- name: generate wifi keys file
+ template:
+ src: etc/sysconfig/network-scripts/keys-ssid.j2
+ dest: /etc/sysconfig/network-scripts/keys-{{ linux_laptop_wifi_ssid }}
+ mode: 0600
+
+- name: warn that wifi settings are not applied automatically
+ debug:
+ msg: >-
+ NOTE: WiFi has been configured in NetworkManager, but changes have not been
+ applied. Either restart NetworkManager or reboot the host.
+ when: linux_laptop_wifi_config.changed
+
+- name: disable nmi watchdog
+ sysctl:
+ name: kernel.nmi_watchdog
+ value: 0
+
+- name: bump vm.dirty_writeback_centisecs
+ sysctl:
+ name: vm.dirty_writeback_centisecs
+ value: '{{ linux_laptop_dirty_writeback_centisecs }}'
+
+- name: enable wifi powersaving
+ copy:
+ content: |
+ options iwlwifi power_save=1 uapsd_disable=0
+ options iwlmvm power_scheme=3
+ dest: /etc/modprobe.d/iwlwifi.conf
+
+- name: enable audio powersaving
+ copy:
+ content: |
+ options snd_hda_intel power_save=1
+ dest: /etc/modprobe.d/snd_hda_intel.conf
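Review bot: The SSID is interpolated unquoted into a shell command in the `get connection uuid` task; an SSID containing spaces, quotes or shell metacharacters breaks the command or is reinterpreted by the shell, so the lookup falls through to `uuidgen` and a fresh UUID is written on every run. Use the Jinja filter: `shell: nmcli --get-values connection.uuid connection show {{ linux_laptop_wifi_ssid | quote }} || uuidgen`. The same value forms the `dest` path of both template tasks, so an SSID containing `/` would also change the target directory; an `assert` on the allowed characters, or at least a comment stating the assumption, belongs above the first template task. Separately, `mode: 0600` on the keys file is an unquoted octal — PyYAML reads it as an integer that Ansible handles, but `mode: '0600'` is the documented form — and the ifcfg template task sets no `mode` at all.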
diff --git a/roles/linux_laptop/templates/etc/sysconfig/network-scripts/ifcfg-ssid.j2 b/roles/linux_laptop/templates/etc/sysconfig/network-scripts/ifcfg-ssid.j2
new file mode 100644
index 0000000..3737699
--- /dev/null
+++ b/roles/linux_laptop/templates/etc/sysconfig/network-scripts/ifcfg-ssid.j2
@@ -0,0 +1,32 @@
+ESSID={{ linux_laptop_wifi_ssid }}
+MODE=Managed
+KEY_MGMT=WPA-EAP
+MAC_ADDRESS_RANDOMIZATION=never
+TYPE=Wireless
+IEEE_8021X_EAP_METHODS=TLS
+IEEE_8021X_IDENTITY=anonymous
+IEEE_8021X_CA_CERT={{ linux_laptop_wifi_certificate_ca_path }}
+IEEE_8021X_PRIVATE_KEY={{ linux_laptop_wifi_certificate_key_path }}
+IEEE_8021X_CLIENT_CERT={{ linux_laptop_wifi_certificate_path }}
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=none
+IPADDR={{ linux_laptop_wifi_ip }}
+PREFIX={{ linux_laptop_wifi_prefix }}
+GATEWAY={{ linux_laptop_wifi_gateway }}
+{% for server in linux_laptop_wifi_dns_servers %}
+DNS{{ loop.index }}={{ server }}
+{% endfor %}
+DOMAIN={{ linux_laptop_wifi_domain }}
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=yes
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME={{ linux_laptop_wifi_ssid }}
+UUID={{ linux_laptop_wifi_networkmanager_uuid.stdout }}
+DEVICE={{ linux_laptop_wlan_device }}
+ONBOOT=yes
+MACADDR=permanent
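Review bot: The EAP-TLS profile pins the CA via `IEEE_8021X_CA_CERT` but nothing pins the authentication server's identity, so any certificate issued by the IPA CA — including an ordinary host certificate from another enrolled machine — would be accepted as the RADIUS server. As far as I recall, NetworkManager's ifcfg-rh plugin supports `IEEE_8021X_DOMAIN_SUFFIX_MATCH=<radius-server-dns-suffix>` (and `IEEE_8021X_SUBJECT_MATCH`) for this; adding that line next to `IEEE_8021X_CA_CERT`, with the value coming from a new role variable, closes the gap. Separately, `ESSID` and `NAME` are written bare while ifcfg files are shell-style key=value, so an SSID with spaces should be double-quoted: `ESSID="{{ linux_laptop_wifi_ssid }}"` and `NAME="{{ linux_laptop_wifi_ssid }}"`. The `{% for %}`/`{% endfor %}` lines leave blank lines in the rendered file; `{%- ... -%}` would tidy that, but it is cosmetic.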
diff --git a/roles/linux_laptop/templates/etc/sysconfig/network-scripts/keys-ssid.j2 b/roles/linux_laptop/templates/etc/sysconfig/network-scripts/keys-ssid.j2
new file mode 100644
index 0000000..31c61a6
--- /dev/null
+++ b/roles/linux_laptop/templates/etc/sysconfig/network-scripts/keys-ssid.j2
@@ -0,0 +1 @@
+IEEE_8021X_PRIVATE_KEY_PASSWORD={{ linux_laptop_wifi_certificate_key_passphrase }}
diff --git a/roles/linux_laptop/vars/main.yml b/roles/linux_laptop/vars/main.yml
new file mode 100644
index 0000000..d02e644
--- /dev/null
+++ b/roles/linux_laptop/vars/main.yml
@@ -0,0 +1,6 @@
+linux_laptop_wifi_certificate_path: /etc/pki/tls/certs/wifi-{{ ansible_fqdn }}.crt
+linux_laptop_wifi_certificate_key_path: /etc/pki/tls/private/wifi-{{ ansible_fqdn }}.key
+linux_laptop_wifi_certificate_ca_path: /etc/ipa/ca.crt
+linux_laptop_wifi_certificate_key_passphrase: just_have_to_use_something_or_networkmanger_freaks_out
+
+linux_laptop_hbac_hostgroup: linux_laptops
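Review bot: `linux_laptop_wifi_certificate_key_passphrase` is a plaintext value committed in `vars/main.yml`; it is written by keys-ssid.j2 into the keys file and passed to the `getcert_request` role, presumably to protect the private key, so with the passphrase in the repository the key's encryption is nominal and the 0600 mode on the keys file is the real protection. If that is deliberate, say so in a comment above the line — `# not a secret: NetworkManager requires a key passphrase; protection rests on file permissions` — so the next reader does not treat it as a leak; if not, move it to an Ansible Vault-encrypted variable. Note also that role `vars/` takes precedence over inventory and group_vars, so none of these four values can be overridden per host; if overriding the certificate paths or the hostgroup name is ever intended, they belong in `defaults/main.yml` instead.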