iiab/roles/network/tasks/install.yml

- name: Record (initial) available disk space
  shell: df -PB1 $(findmnt / -o SOURCE -n) | awk 'NR==2 {print $4}'
  register: df1


# 2022-03-16: 'apt show <pkg> | grep Size' revealed download sizes, on 64-bit RasPiOS with desktop.

- name: Install dnsmasq -- configure LATER in 'network', after Stage 9
  include_tasks: roles/network/tasks/dnsmasq.yml    # Invoked by 1-prep (so full path needed)

# 2021-07-27 from @jvonau: 3 apt packages BELOW (iw, rfkill, wireless-tools)
# are provided by RasPiOS.  Ubuntu|Debian on the other hand are hit or miss:
# desktops might have some/all 3 preinstalled, while servers tend not to have
# these present at all, but need to be installed if you want to take full
# advantage of WiFi on Ubuntu and friends.
#
# 2022-03-16 update: Let's make these 3 mandatory as they're only 300kB (grand
# total download size) and they can help IIAB field operators with BOTH
# (1) internal WiFi AND (2) USB WiFi devices inserted anytime/later.

- name: 'Install 12 network packages: avahi-daemon, hostapd, iproute2, iptables-persistent, iw, libnss-mdns, netmask, net-tools, networkd-dispatcher, rfkill, wireless-tools, wpasupplicant -- later used by https://github.com/iiab/iiab/tree/master/roles/network'
  package:
    name:
      - avahi-daemon           #   97kB download: RasPiOS (and package libnss-mnds, below) install this regardless -- holdover from the XO days and used to advertise ssh/admin-console being available via avahi-daemon -- used with https://github.com/iiab/iiab/blob/master/roles/network/tasks/avahi.yml
      #- avahi-discover        #   46kB download: 2021-07-27: Commented out long ago
      - hostapd                #  764kB download: IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator -- has its service masked out of the box, and only used when IIAB's network roles detects the presence of WiFi and an AP is desired
      #- inetutils-syslogd     #  240kB download: 2021-07-27: Error logging facility -- holdover from the XO days, journalctl has replaced this in newer distros
      - iproute2               #  902kB download: RasPiOS installs this regardless -- the new networking and traffic control tools, meant to replace net-tools
      - iptables-persistent    #   12kB download: Boot-time loader for netfilter rules, iptables (firewall) plugin -- however Netfilter / nftables is ever moving forward so keep an eye on it!
      - iw                     #   97kB download: RasPiOS installs this regardless -- configure Linux wireless devices -- hard dependence for ap0 creation, SEE https://github.com/iiab/iiab/blob/master/roles/network/templates/hostapd/iiab-clone-wifi.service.j2
      - libnss-mdns            #   27kB download: RasPiOS (and package avahi-daemon, above) install this regardless -- client-side library -- provides name resolution via mDNS (Multicast DNS) using Zeroconf/Bonjour e.g. Avahi
      - netmask                #   25kB download: Handy utility -- helps determine network masks
      - net-tools              #  248kB download: RasPiOS installs this regardless -- @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output?
      - networkd-dispatcher    #   15kB download: Dispatcher service for systemd-networkd connection status changes
      - rfkill                 #   87kB download: RasPiOS installs this regardless -- enable & disable wireless devices
      - wireless-tools         #  112kB download: RasPiOS installs this regardless -- manipulate Linux Wireless Extensions
      - wpasupplicant          # 1188kB download: RasPiOS installs this regardless -- client library for connections to a WiFi AP
    state: present

# 2021-08-17: Debian ignores this, according to 2013 post:
# https://serverfault.com/questions/511099/debian-ignores-etc-network-if-pre-up-d-iptables
# - name: Install /etc/network/if-pre-up.d/iptables from template (0755)
#   template:
#     src: iptables
#     dest: /etc/network/if-pre-up.d/iptables
#     mode: '0755'

- name: Unmask the Access Point 'hostapd' service
  systemd:
    name: hostapd
    enabled: no
    masked: no

- name: Install Avahi (mDNS, Zeroconf/Bonjour)
  include_tasks: roles/network/tasks/avahi.yml    # Invoked by 1-prep (so full path needed)

# Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes:
- name: "4 network settings in /etc/sysctl.conf -- e.g. disabling IPv6 (this might be overkill, as IPv6 should really only be disabled on the LAN side, i.e. br0)"
  sysctl:    # Places these settings in /etc/sysctl.conf, to survive reboot
    name: "{{ item.name }}"
    value: "{{ item.value }}"
  with_items:
    - { name: 'net.ipv4.ip_forward', value: '1' }                          # Default: 0.  Masquerading LAN->Internet
    - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }              # Default: 2.  Enable Spoof protection (reverse-path filter)
    - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }    # Default: 1.  Do not accept IP source route packets (we are not a router)
    #- { name: 'net.ipv4.tcp_syncookies', value: '1' }               # Very standard in 2020
    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }               # Default: 0.  Disable IPv6.  SEE ALSO: roles/munin/tasks/install.yml & enable-and-disable.yml
    #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }    # AUTO-SET
    #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }         # BY ABOVE


# UNUSED
#- name: Install named / BIND
#  include_tasks: roles/network/tasks/named.yml
#  when: named_install is defined and named_install

# UNUSED
#- name: Install dhcpd
#  include_tasks: roles/network/tasks/dhcpd.yml
#  when: dhcpd_install is defined and dhcpd_install

# LESS MAINTAINED
- name: Install Squid
  include_tasks: roles/network/tasks/squid.yml    # Invoked by 1-prep (so full path needed)
  when: squid_install and squid_installed is undefined

  #preprep for backends
- name: Netplan in use on Ubuntu 18.04+
  include_tasks: roles/network/tasks/netplan.yml    # Invoked by 1-prep (so full path needed)
  when: is_ubuntu

# all installs

- name: Install /usr/bin/iiab-internet-on|off from template (root:root by default)
  template:
    src: "{{ item }}"
    dest: /usr/bin/
    mode: 0755
  with_items:
    - roles/network/templates/gateway/iiab-internet-on     # Invoked by 1-prep (so full path needed)
    - roles/network/templates/gateway/iiab-internet-off    # Invoked by 1-prep (so full path needed)

- name: 'Install /usr/local/sbin/netwarn for pop-ups on boot, if iiab-network should be run'
  include_tasks: roles/network/tasks/netwarn.yml    # Invoked by 1-prep (so full path needed)


# RECORD Network AS INSTALLED

- name: Record (final) available disk space
  shell: df -PB1 $(findmnt / -o SOURCE -n) | awk 'NR==2 {print $4}'
  register: df2

- name: Add 'network_disk_usage = {{ df1.stdout|int - df2.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: network
    option: network_disk_usage
    value: "{{ df1.stdout|int - df2.stdout|int }}"

- name: "Set 'network_installed: True'"
  set_fact:
    network_installed: True

- name: "Add 'network_installed: True' to {{ iiab_state_file }}"
  lineinfile:
    path: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
    regexp: '^network_installed'
    line: 'network_installed: True'
Record approx disk usage for 45 roles (to iiab.ini) 2023-05-27 07:26:04 +00:00			`- name: Record (initial) available disk space`
			`shell: df -PB1 $(findmnt / -o SOURCE -n) \| awk 'NR==2 {print $4}'`
			`register: df1`


1-prep -> 2-common: Consolidate/Clarify packages.yml + network.yml 2022-03-16 18:35:58 +00:00			`# 2022-03-16: 'apt show <pkg> \| grep Size' revealed download sizes, on 64-bit RasPiOS with desktop.`
2-common/tasks/network.yml: Cleanup & network packages context 2021-07-27 18:56:20 +00:00
group dnsmasq within network and always preinstall 2022-03-29 01:19:33 +00:00			`- name: Install dnsmasq -- configure LATER in 'network', after Stage 9`
FULL/PATH/dnsmasq.yml in network/tasks/install.yml for 1-prep 2022-07-22 13:14:26 +00:00			`include_tasks: roles/network/tasks/dnsmasq.yml # Invoked by 1-prep (so full path needed)`
group dnsmasq within network and always preinstall 2022-03-29 01:19:33 +00:00
1-prep -> 2-common: Consolidate/Clarify packages.yml + network.yml 2022-03-16 18:35:58 +00:00			`# 2021-07-27 from @jvonau: 3 apt packages BELOW (iw, rfkill, wireless-tools)`
			`# are provided by RasPiOS. Ubuntu\|Debian on the other hand are hit or miss:`
			`# desktops might have some/all 3 preinstalled, while servers tend not to have`
			`# these present at all, but need to be installed if you want to take full`
			`# advantage of WiFi on Ubuntu and friends.`
			`#`
			`# 2022-03-16 update: Let's make these 3 mandatory as they're only 300kB (grand`
			`# total download size) and they can help IIAB field operators with BOTH`
			`# (1) internal WiFi AND (2) USB WiFi devices inserted anytime/later.`

remove RasPiOS restriction 2022-10-07 08:33:41 +00:00			`- name: 'Install 12 network packages: avahi-daemon, hostapd, iproute2, iptables-persistent, iw, libnss-mdns, netmask, net-tools, networkd-dispatcher, rfkill, wireless-tools, wpasupplicant -- later used by https://github.com/iiab/iiab/tree/master/roles/network'`
indentation/syntax per new Ansible docs 2018-02-13 02:42:21 +00:00			`package:`
move network related packages 2021-04-27 23:48:03 +00:00			`name:`
Cleaner RasPiOS comments in 2-common, iiab-admin, jupyterhub, kalite, kolibri 2022-06-30 15:10:13 +00:00			`- avahi-daemon # 97kB download: RasPiOS (and package libnss-mnds, below) install this regardless -- holdover from the XO days and used to advertise ssh/admin-console being available via avahi-daemon -- used with https://github.com/iiab/iiab/blob/master/roles/network/tasks/avahi.yml`
1-prep -> 2-common: Consolidate/Clarify packages.yml + network.yml 2022-03-16 18:35:58 +00:00			`#- avahi-discover # 46kB download: 2021-07-27: Commented out long ago`
			`- hostapd # 764kB download: IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator -- has its service masked out of the box, and only used when IIAB's network roles detects the presence of WiFi and an AP is desired`
			`#- inetutils-syslogd # 240kB download: 2021-07-27: Error logging facility -- holdover from the XO days, journalctl has replaced this in newer distros`
Cleaner RasPiOS comments in 2-common, iiab-admin, jupyterhub, kalite, kolibri 2022-06-30 15:10:13 +00:00			`- iproute2 # 902kB download: RasPiOS installs this regardless -- the new networking and traffic control tools, meant to replace net-tools`
1-prep -> 2-common: Consolidate/Clarify packages.yml + network.yml 2022-03-16 18:35:58 +00:00			`- iptables-persistent # 12kB download: Boot-time loader for netfilter rules, iptables (firewall) plugin -- however Netfilter / nftables is ever moving forward so keep an eye on it!`
			`- iw # 97kB download: RasPiOS installs this regardless -- configure Linux wireless devices -- hard dependence for ap0 creation, SEE https://github.com/iiab/iiab/blob/master/roles/network/templates/hostapd/iiab-clone-wifi.service.j2`
Cleaner RasPiOS comments in 2-common, iiab-admin, jupyterhub, kalite, kolibri 2022-06-30 15:10:13 +00:00			`- libnss-mdns # 27kB download: RasPiOS (and package avahi-daemon, above) install this regardless -- client-side library -- provides name resolution via mDNS (Multicast DNS) using Zeroconf/Bonjour e.g. Avahi`
1-prep -> 2-common: Consolidate/Clarify packages.yml + network.yml 2022-03-16 18:35:58 +00:00			`- netmask # 25kB download: Handy utility -- helps determine network masks`
Cleaner RasPiOS comments in 2-common, iiab-admin, jupyterhub, kalite, kolibri 2022-06-30 15:10:13 +00:00			`- net-tools # 248kB download: RasPiOS installs this regardless -- @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output?`
remove RasPiOS restriction 2022-10-07 08:33:41 +00:00			`- networkd-dispatcher # 15kB download: Dispatcher service for systemd-networkd connection status changes`
1-prep -> 2-common: Consolidate/Clarify packages.yml + network.yml 2022-03-16 18:35:58 +00:00			`- rfkill # 87kB download: RasPiOS installs this regardless -- enable & disable wireless devices`
			`- wireless-tools # 112kB download: RasPiOS installs this regardless -- manipulate Linux Wireless Extensions`
			`- wpasupplicant # 1188kB download: RasPiOS installs this regardless -- client library for connections to a WiFi AP`
indentation/syntax per new Ansible docs 2018-02-13 02:42:21 +00:00			`state: present`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
Cleaner network/templates/gateway/iiab-gen-iptables & 2-common prep 2021-08-18 05:47:03 +00:00			`# 2021-08-17: Debian ignores this, according to 2013 post:`
			`# https://serverfault.com/questions/511099/debian-ignores-etc-network-if-pre-up-d-iptables`
			`# - name: Install /etc/network/if-pre-up.d/iptables from template (0755)`
			`# template:`
			`# src: iptables`
			`# dest: /etc/network/if-pre-up.d/iptables`
			`# mode: '0755'`
2-common/tasks/network.yml: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible 2021-07-28 05:48:14 +00:00
network/tasks/install.yml: hostapd syntax errors 85a5f8fd (3 days ago) 2022-07-21 19:30:44 +00:00			`- name: Unmask the Access Point 'hostapd' service`
			`systemd:`
			`name: hostapd`
			`enabled: no`
			`masked: no`
unmask hostapd once 2022-07-19 05:05:34 +00:00
FULL/PATH to Avahi stuff in roles/network for 1-prep 2022-07-22 13:27:31 +00:00			`- name: Install Avahi (mDNS, Zeroconf/Bonjour)`
			`include_tasks: roles/network/tasks/avahi.yml # Invoked by 1-prep (so full path needed)`
1-prep -> 2-common: Consolidate/Clarify packages.yml + network.yml 2022-03-16 18:35:58 +00:00
2-common/tasks/network.yml: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible 2021-07-28 05:48:14 +00:00			`# Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes:`
visual feedback 2022-06-30 17:21:33 +00:00			`- name: "4 network settings in /etc/sysctl.conf -- e.g. disabling IPv6 (this might be overkill, as IPv6 should really only be disabled on the LAN side, i.e. br0)"`
2-common/tasks/network.yml: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible 2021-07-28 05:48:14 +00:00			`sysctl: # Places these settings in /etc/sysctl.conf, to survive reboot`
			`name: "{{ item.name }}"`
			`value: "{{ item.value }}"`
			`with_items:`
network/tasks/install.yml: Clarify 4 sysctl vars 2023-04-30 22:42:08 +00:00			`- { name: 'net.ipv4.ip_forward', value: '1' } # Default: 0. Masquerading LAN->Internet`
			`- { name: 'net.ipv4.conf.default.rp_filter', value: '1' } # Default: 2. Enable Spoof protection (reverse-path filter)`
network/tasks/install.yml: Remove typo in comment 2023-04-30 22:43:11 +00:00			`- { name: 'net.ipv4.conf.default.accept_source_route', value: '0' } # Default: 1. Do not accept IP source route packets (we are not a router)`
network/tasks/install.yml: Clarify 4 sysctl vars 2023-04-30 22:42:08 +00:00			`#- { name: 'net.ipv4.tcp_syncookies', value: '1' } # Very standard in 2020`
Enable sysctl's IPv6 during Munin install/enable, so munin-node.service starts 2023-04-30 23:15:44 +00:00			`- { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' } # Default: 0. Disable IPv6. SEE ALSO: roles/munin/tasks/install.yml & enable-and-disable.yml`
2-common/tasks/network.yml: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible 2021-07-28 05:48:14 +00:00			`#- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' } # AUTO-SET`
			`#- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' } # BY ABOVE`
reorder and 'installed' 2022-03-24 13:13:46 +00:00

speedup - ssh ports are not changing 2022-07-19 04:22:11 +00:00			`# UNUSED`
remove named and dhcpd install options 2022-07-08 06:16:36 +00:00			`#- name: Install named / BIND`
			`# include_tasks: roles/network/tasks/named.yml`
			`# when: named_install is defined and named_install`
reorder and 'installed' 2022-03-24 13:13:46 +00:00
speedup - ssh ports are not changing 2022-07-19 04:22:11 +00:00			`# UNUSED`
remove named and dhcpd install options 2022-07-08 06:16:36 +00:00			`#- name: Install dhcpd`
			`# include_tasks: roles/network/tasks/dhcpd.yml`
			`# when: dhcpd_install is defined and dhcpd_install`
reorder and 'installed' 2022-03-24 13:13:46 +00:00
			`# LESS MAINTAINED`
			`- name: Install Squid`
FULL/PATH to netplan.yml & netwarn.yml for 1-prep 2022-07-22 13:51:53 +00:00			`include_tasks: roles/network/tasks/squid.yml # Invoked by 1-prep (so full path needed)`
reorder and 'installed' 2022-03-24 13:13:46 +00:00			`when: squid_install and squid_installed is undefined`
PR #3173 adjustments (making network role optional) 2022-07-11 15:40:52 +00:00
netplan setup is one time and may not even be needed 2022-07-19 04:44:19 +00:00			`#preprep for backends`
			`- name: Netplan in use on Ubuntu 18.04+`
FULL/PATH to netplan.yml & netwarn.yml for 1-prep 2022-07-22 13:51:53 +00:00			`include_tasks: roles/network/tasks/netplan.yml # Invoked by 1-prep (so full path needed)`
netplan setup is one time and may not even be needed 2022-07-19 04:44:19 +00:00			`when: is_ubuntu`

rework 2022-07-19 03:53:41 +00:00			`# all installs`
network/tasks/install.yml: Spacing around "all installs" header 2022-07-22 16:18:58 +00:00
move iiab-internet-on\|off - introduce netwarn 2022-07-16 16:45:29 +00:00			`- name: Install /usr/bin/iiab-internet-on\|off from template (root:root by default)`
			`template:`
			`src: "{{ item }}"`
			`dest: /usr/bin/`
			`mode: 0755`
			`with_items:`
2 vars in detected_network.yml to netplan.yml; FULL/PATHS for 1-prep 2022-07-22 14:53:24 +00:00			`- roles/network/templates/gateway/iiab-internet-on # Invoked by 1-prep (so full path needed)`
			`- roles/network/templates/gateway/iiab-internet-off # Invoked by 1-prep (so full path needed)`
move iiab-internet-on\|off - introduce netwarn 2022-07-16 16:45:29 +00:00
Move scripts/netwarn* to roles/network/templates/netwarn/ 2022-07-21 19:14:09 +00:00			`- name: 'Install /usr/local/sbin/netwarn for pop-ups on boot, if iiab-network should be run'`
FULL/PATH to netplan.yml & netwarn.yml for 1-prep 2022-07-22 13:51:53 +00:00			`include_tasks: roles/network/tasks/netwarn.yml # Invoked by 1-prep (so full path needed)`
Add /usr/local/sbin/netwarn to /etc/xdg/lxsession/LXDE-pi/autostart 2022-07-21 18:45:37 +00:00

			`# RECORD Network AS INSTALLED`
PR #3173 adjustments (making network role optional) 2022-07-11 15:40:52 +00:00
Record approx disk usage for 45 roles (to iiab.ini) 2023-05-27 07:26:04 +00:00			`- name: Record (final) available disk space`
			`shell: df -PB1 $(findmnt / -o SOURCE -n) \| awk 'NR==2 {print $4}'`
			`register: df2`

			`- name: Add 'network_disk_usage = {{ df1.stdout\|int - df2.stdout\|int }}' to {{ iiab_ini_file }}`
			`ini_file:`
			`path: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini`
			`section: network`
			`option: network_disk_usage`
			`value: "{{ df1.stdout\|int - df2.stdout\|int }}"`

PR #3173 adjustments (making network role optional) 2022-07-11 15:40:52 +00:00			`- name: "Set 'network_installed: True'"`
			`set_fact:`
			`network_installed: True`

			`- name: "Add 'network_installed: True' to {{ iiab_state_file }}"`
			`lineinfile:`
			`path: "{{ iiab_state_file }}" # /etc/iiab/iiab_state.yml`
			`regexp: '^network_installed'`
			`line: 'network_installed: True'`