[debian-edu-commits] [Git][debian-edu/debian-edu-config][personal/sunweaver/pxeinstall-locale-keymap-configoptions] 8 commits: Add new file 'debian-edu-router.ldif'. Empty proxy groups should be installed on all new Tjeners.

Mike Gabriel (@sunweaver) gitlab at salsa.debian.org
Fri May 22 23:30:38 BST 2026



Mike Gabriel pushed to branch personal/sunweaver/pxeinstall-locale-keymap-configoptions at Debian Edu / debian-edu-config


Commits:
e7f8fe8b by Daniel Teichmann at 2026-03-13T16:54:07+01:00
Add new file 'debian-edu-router.ldif'. Empty proxy groups should be installed on all new Tjeners.

These are preconfigured empty proxy groups for the use in Debian Edu Router.
See Debian Edu Router Plugin: Content filter at https://salsa.debian.org/debian-edu/debian-edu-router/-/tree/master/docs.

- - - - -
1342f54b by Daniel Teichmann at 2026-03-13T16:54:10+01:00
ldap-bootstrap/debian-edu-router.ldif: Add 'server-hosts' nisNetgroup to 'proxy-trusted' nisNetgroup, via 'memberNisNetgroup' attribute.

- - - - -
ae91d71a by Daniel Teichmann at 2026-03-13T16:54:10+01:00
share/debian-edu-config/gosa.conf.template: Activate nisNetgroup tab for user accounts.

This makes it possible to add a user into a nisNetgroup while editing a user.
This is a fine addition to the already present 'NIS Netgroup' tab on the left.

- - - - -
c53528cf by Mike Gabriel at 2026-05-07T22:28:30+02:00
share/debian-edu-config/tools/copy-host-keytab: Support SSH publickey login to tjener, if this is possible (e.g. if admin is using SSH agent forwarding).

- - - - -
b892e2fa by Daniel Teichmann at 2026-05-22T22:28:45+00:00
apache2 debian-edu-default.conf: Do not force HTTPS on *.crt (including Debian-Edu_rootCA.crt).

Closes: #1068388

- - - - -
a624dc1c by Daniel Teichmann at 2026-05-22T22:29:28+00:00
etc/dovecot/local.conf: Fix passdb block syntax for Dovecot 2.4.x compatibility.

Dovecot 2.4.x introduced a breaking change to the passdb/userdb
configuration block syntax. A prior commit 63523d4c partially adapted
etc/dovecot/local.conf to Dovecot 2.4.x by splitting mail_location
into mail_driver, mail_path, and mail_inbox_path, but did not update
the passdb block, leaving the configuration broken.

This causes Dovecot to fail immediately at startup with:
  - doveconf: Fatal: Error in configuration file /etc/dovecot/local.conf line 10: passdb { }
  - dovecot.service: Main process exited, code=exited, status=89/n/a

- - - - -
17c18602 by Daniel Teichmann at 2026-05-22T22:30:02+00:00
debian/control: Add 'Conflicts: firefox-esr-mobile-config'.

This ensures that /usr/share/firefox-esr/distribution/policies.json
will not be overwritten by the other package.

Closes: #1126881

- - - - -
994fbcef by Mike Gabriel at 2026-05-22T22:30:36+00:00
{etc/debian-edu/pxeinstall,sbin/debian-edu-pxeinstall}: Support making the initial locale and keymap of the PXE-launched D-I configurable.

- - - - -


10 changed files:

- Makefile
- debian/control
- etc/apache2/sites-available/debian-edu-default.conf
- etc/debian-edu/pxeinstall.conf
- etc/dovecot/local.conf
- + ldap-bootstrap/debian-edu-router.ldif
- ldap-tools/ldap-debian-edu-install
- sbin/debian-edu-pxeinstall
- share/debian-edu-config/gosa.conf.template
- share/debian-edu-config/tools/copy-host-keytab


Changes:

=====================================
Makefile
=====================================
@@ -195,6 +195,7 @@ LDIFS = \
 	ltsp.ldif \
 	gosa.ldif \
 	gosa-server.ldif \
+	debian-edu-router.ldif \
 	$(NULL)
 
 LDAPPROGRAMS = \


=====================================
debian/control
=====================================
@@ -18,6 +18,7 @@ Vcs-Git: https://salsa.debian.org/debian-edu/debian-edu-config.git
 
 Package: debian-edu-config
 Architecture: all
+Conflicts: firefox-esr-mobile-config,
 Depends: ${misc:Depends},
          adduser,
          bind9-host,
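
Review bot: the added `Conflicts: firefox-esr-mobile-config,` is unversioned, and the reason for it is recorded only in the commit message, not in debian/control. A `#` comment line above the field naming /usr/share/firefox-esr/distribution/policies.json and bug #1126881 would tell a later maintainer why the two packages cannot be co-installed and when the relation can be dropped or given a version bound.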


=====================================
etc/apache2/sites-available/debian-edu-default.conf
=====================================
@@ -7,7 +7,9 @@
 	<Directory /etc/debian-edu/www/ >
 		RewriteEngine On
 		RewriteCond %{SERVER_PORT} 80
+		# HTTP only: wpad.dat + Debian-Edu_rootCA.crt
 		RewriteCond %{REQUEST_URI} !\.dat$
+		RewriteCond %{REQUEST_URI} !\.crt$
 		RewriteRule ^(.*)$ https://%{SERVER_ADDRESS}/$1 [R=301,L]
 		Options Indexes FollowSymLinks MultiViews
 		AllowOverride None
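
Review bot: the new `RewriteCond %{REQUEST_URI} !\.crt$` exempts every request path ending in .crt under /etc/debian-edu/www/ from the HTTPS redirect, not only Debian-Edu_rootCA.crt as the comment above it suggests. Anchoring the pattern to that one file name (a pattern ending in `Debian-Edu_rootCA\.crt$`) would keep any other certificate placed there later from being served on port 80 by accident. A root CA certificate fetched over plain HTTP cannot be authenticated by the client, so whatever consumes it should check a fingerprint obtained out of band. The comment text "HTTP only" also reads as if these files were refused over HTTPS, while the rule merely stops redirecting them; "no HTTPS redirect for" would be more accurate.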


=====================================
etc/debian-edu/pxeinstall.conf
=====================================
@@ -4,6 +4,12 @@
 # Set a different desktop environment for new installations instead of the default xfce one.
 #mydesktop=mate
 
+# Override the host locale and use the below locale for the PXE-launched Debian Installer.
+#locale=fr_BE.UTF-8
+
+# Override the host's keymap settings and use this keymap instead for the PXE-launched Debian Installer.
+#keymap=be-latin1
+
 # Comment the next entry if the Debian Installer should be run in text mode.
 graphicdi=true
 


=====================================
etc/dovecot/local.conf
=====================================
@@ -7,8 +7,12 @@ auth_gssapi_hostname = postoffice.intern
 mail_driver = maildir
 mail_path = ~/Maildir
 mail_inbox_path = /var/mail/%u
-passdb {
-  args = uid=uid home=homeDirectory
-  driver = static
+
+passdb static {
+  fields {
+    uid = uid
+    home = homeDirectory
+  }
 }
+
 protocols = "imap"


=====================================
ldap-bootstrap/debian-edu-router.ldif
=====================================
@@ -0,0 +1,37 @@
+dn: cn=proxy-trusted,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-trusted
+description: Completely unfiltered internet access (+ bypasses NAT/T-P-M) - ProxyTrusted{User,Client} - Debian Edu Router Plugin: Content filter
+# This should enable direct unNAT'ted (bypasses transparent-proxy-mode) internet access to all internal servers in the Debian Edu network.
+memberNisNetgroup: server-hosts
+
+dn: cn=proxy-allow,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-allow
+description: Generally unfiltered internet access - ProxyAllow{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-deny,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-deny
+description: Disables internet access completely - ProxyDeny{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-blacklist,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-blacklist
+description: Allows all but specific blacklisted websites - ProxyBlacklist{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-whitelist,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-whitelist
+description: Allows nothing but specific whitelisted websites - ProxyWhitelist{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-noauth-client,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-noauth-client
+description: Fully disable auth. for these clients (BYOD Clients) - ProxyNoauthClient - Debian Edu Router Plugin: Content filter
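
Review bot: `memberNisNetgroup: server-hosts` in the proxy-trusted entry means this group is not empty on a fresh install, although the first commit describes the file as preconfigured empty proxy groups, and per its own description the group grants completely unfiltered internet access that also bypasses NAT and transparent-proxy mode. Consider shipping proxy-trusted empty and letting the admin opt servers in, or state in the file why every host in server-hosts needs that level of access by default. The `#` comment currently sits inside the entry between `description:` and `memberNisNetgroup:`; placing it above the `dn:` line would keep the record contiguous.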


=====================================
ldap-tools/ldap-debian-edu-install
=====================================
@@ -282,7 +282,8 @@ EOF
     /etc/ldap/gosa-server.ldif \
     /etc/ldap/ltsp.ldif \
     /etc/ldap/firstuser.ldif \
-    /etc/ldap/krb5.ldif
+    /etc/ldap/krb5.ldif \
+    /etc/ldap/debian-edu-router.ldif
   do
       if cat $ldif | sed -e "s:\$ROOTPWDHASH:$ROOTPWDHASH:" \
 	-e "s/\$MAC/$MAC/" \


=====================================
sbin/debian-edu-pxeinstall
=====================================
@@ -58,12 +58,16 @@ else
 fi
 
 default_mydesktop="xfce"
+default_locale="en_US.UTF-8"
+default_keymap="us-latin1"
 
 [ "$archs" ]      || archs="amd64 i386"
 [ "$mirrorurl" ]  || mirrorurl=http://deb.debian.org/debian
 [ "$hostname" ]   || hostname=pxeinstall
 [ "$domain" ]     || domain=intern
 [ "$mydesktop" ]  || mydesktop="${default_mydesktop}"
+[ "$locale" ]     || locale="${default_locale}"
+[ "$keymap" ]     || locale="${default_keymap}"
 [ "$graphicdi" ]  || graphicdi=false
 [ "$dailydi" ]    || dailydi=false
 [ "$theme" ]      || theme="$(ls -L /etc/alternatives/desktop-theme/plymouth 2>/dev/null | grep script | cut -d'.' -f 1)"
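
Review bot: in the added line `[ "$keymap" ]     || locale="${default_keymap}"` the fallback assigns to `locale` instead of `keymap`. When no keymap is set in pxeinstall.conf, `keymap` stays empty and `locale` is overwritten with "us-latin1", which discards both a configured locale and the default assigned on the line above. The line should read `[ "$keymap" ]     || keymap="${default_keymap}"`.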
@@ -97,9 +101,15 @@ for template in debian-installer/locale \
 		value="${default_mydesktop}"
 	fi
 
-	if [ "tasksel/desktop" = $template ] && [ "${mydesktop}" != "${default_mydesktop}" ]; then
+	if [ "tasksel/desktop" = "${template}" ] && [ "${mydesktop}" != "${default_mydesktop}" ]; then
 		# Let setting from /etc/debian-edu/pxeinstall.conf override tasksel/desktop.
 		value="${mydesktop}"
+	elif [ "keyboard-configuration/xkb-keymap" = "${template}" ] && [ "${keymap}" != "${default_keymap}" ]; then
+		# Let setting from /etc/debian-edu/pxeinstall.conf override keyboard-configuration/xkb-keymap.
+		value="${keymap}"
+	elif [ "debian-installer/locale" = "${template}" ] && [ "${locale}" != "${default_locale}" ]; then
+		# Let setting from /etc/debian-edu/pxeinstall.conf override debian-installer/locale.
+		value="${locale}"
 	fi
 
 	# Map the long debconf names to the keywords supported in the kernel cmdline.
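
Review bot: both new `elif` branches apply the override only when the value differs from the built-in default, so `locale=en_US.UTF-8` or `keymap=us-latin1` set explicitly in pxeinstall.conf is ignored and the host's setting is kept, contrary to the "Override the host locale" wording in the config file comments. Testing whether the option was set at all, for example leaving the variable empty when unset and checking `[ -n "${locale}" ]`, would avoid that. Note also that an empty `keymap` passes the `!= "${default_keymap}"` test, so `value` would be set to an empty string for keyboard-configuration/xkb-keymap whenever the variable is left unset by the defaults block.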


=====================================
share/debian-edu-config/gosa.conf.template
=====================================
@@ -117,6 +117,7 @@
      <tab class="gofaxAccount" name="Fax" />
      <tab class="phoneAccount" name="Phone" />
      <tab class="nagiosAccount" name="Nagios" />
+     <tab class="netgroupAccount" name="NIS Netgroup" />
    </usertabs>
 
   <!-- User dialog -->


=====================================
share/debian-edu-config/tools/copy-host-keytab
=====================================
@@ -1,6 +1,21 @@
 #!/bin/sh
 set -e
-kinit
+
+if [ $(id -u) -gt 0 ]; then
+	echo "ERROR: This script has to run as super-user root."
+	exit 1
+fi
+
+# Attempt passwordless SSH login root at tjener (could be publickey, gssapi-keyex, or gssapi-with-mic)
+set +e
+ssh -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no tjener "echo -n" 2>/dev/null
+ret=$?
+set -e
+if [ "${ret}" != "0" ]; then
+	# Try to get a Kerberos ticket for root instead to use GSSAPI login.
+	kinit root
+fi
+
 scp tjener:/var/lib/debian-edu/host-keytabs/$(hostname -s).intern.keytab /etc/krb5.keytab
 
 # Special case separate LTSP server.
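
Review bot: the probe `ssh -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no tjener "echo -n"` can still stop for input (a key passphrase or a host key confirmation), and `2>/dev/null` hides the reason for a failure, including a host key mismatch, before the script falls through to `kinit root` and the `scp` into /etc/krb5.keytab. Adding `-o BatchMode=yes` makes the probe strictly non-interactive, and keeping or logging stderr would let an admin see a host key problem instead of a silent fallback. The change from `kinit` to `kinit root` is also a behaviour change that the commit message does not mention. Minor: quote `$(id -u)` in the test and send the ERROR line to stderr.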



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/a95871208d0b20fd16f57d66099d8015ffb6bd78...994fbcef1fb94a10f4ac17de4c37951bbd8edc05
