iiab/scripts/ansible

#!/bin/bash -e
# FWIW "-e" tries to exit right away on error:
# https://tldp.org/LDP/abs/html/options.html
# https://stackoverflow.com/questions/9952177/whats-the-meaning-of-the-parameter-e-for-bash-shell-command-line/9952249

# PLZ SEE http://FAQ.IIAB.IO > "What is Ansible and what version should I use?"
# https://github.com/iiab/iiab/wiki/Technical-Contributors-Guide#understanding-ansible

APT_PATH=/usr/bin     # Avoids problematic /usr/local/bin/apt on Linux Mint
CURR_VER=undefined    # Ansible version you have installed, e.g. [core 2.14.1]
GOOD_VER=2.14.1       # Orig for 'yum install [rpm]' & XO laptops (pip install)

# 2021-06-22: The apt approach (with PPA source in /etc/apt/sources.list.d/ and
# .gpg key etc) are commented out with ### below.  Associated guidance/comments
# are intentionally preserved.

# 2021-05-19 PR #2743: As a result of Ansible / Red Hat / IBM's extensive
# delays in publishing the PPA (.deb installer files) for ansible-core, this
# file bypasses the apt approach (and associated PPA source) in favor of:
#
# pip3 install --upgrade ansible-core

# 2021-02-25: Latest 'ansible-base' was being installed from PPA, using either
# OS 'CODENAME' below: https://launchpad.net/~ansible/+archive/ubuntu/ansible

# 'lsb_release -sc' gives Mint 20 codename 'ulyana' etc: (TOO FINE-GRAINED)
###if grep -q buster /etc/os-release /etc/debian_version; then
###    CODENAME=bionic    # Debian 10, RaspiOS 10 & Buster-like distros
###else
###    CODENAME=focal     # Debian 11+, RaspiOS 11+, Ubuntu 20.04+, Mint 20+ (ETC)
###fi

# APRIL 2021 - ansible-base (2.10) was renamed to ansible-core (2.11+):
# https://www.ansible.com/blog/ansible-3.0.0-qa
# https://github.com/ansible/ansible/tags
# https://github.com/ansible/ansible/releases (OLD)
# https://github.com/ansible/ansible/commits/stable-2.14
# https://github.com/ansible/ansible/blob/stable-2.14/changelogs/CHANGELOG-v2.14.rst
# https://github.com/ansible/ansible/commits/stable-2.13
# https://github.com/ansible/ansible/blob/stable-2.13/changelogs/CHANGELOG-v2.13.rst
# https://github.com/ansible/ansible/commits/stable-2.12
# https://github.com/ansible/ansible/blob/stable-2.12/changelogs/CHANGELOG-v2.12.rst
# https://github.com/ansible/ansible/blob/devel/docs/docsite/rst/roadmap/ROADMAP_2_12.rst
# https://pypi.org/project/ansible-core/
# https://pypi.org/project/ansible-base/
# https://releases.ansible.com/ansible-core/
# https://releases.ansible.com/ansible-base/ (OLD)
# https://launchpad.net/~ansible
# https://launchpad.net/~ansible-gha
# https://launchpad.net/~ansible/+archive/ubuntu/ansible
# https://launchpad.net/~ansible/+archive/ubuntu/ansible-2.10 (OLD)
# http://ppa.launchpad.net/ansible/ansible/ubuntu/pool/main/a/ansible/
# http://ppa.launchpad.net/ansible/ansible/ubuntu/pool/main/a/ansible-core/

# FYI .travis.yml installs ansible-core in a slightly different way (PRs #2689 & #2743)

# IIAB implementers might instead consider these 4 GENERAL TECHNIQUES below
# ("in an emergency!") e.g. if apt fails & you need a newer/older Ansible:

# TEMPORARILY USE pip3 to install the latest ansible-core as listed at
# https://pypi.org/project/ansible-core/ (REMOVE W/ "pip3 uninstall ansible-core")
#apt install python3-pymysql python3-psycopg2 python3-passlib python3-pip python3-setuptools python3-packaging python3-venv virtualenv
#pip3 install --upgrade ansible-core    # Then start a new shell, so /usr/local/bin works
#ansible-galaxy collection install -r collections.yml

# TEMPORARILY USE ansible-base 2.10.17 (REMOVE W/ "pip3 uninstall ansible-base")
#apt install python3-pip
#pip3 install ansible-base==2.10.17   # Start new shell, so /usr/local/bin works

# TEMPORARILY USE ANSIBLE 2.9.27 (REMOVE IT WITH "pip3 uninstall ansible")
#apt install python3-pip
#pip3 install ansible==2.9.27

# TEMPORARILY USE ANSIBLE 2.4.2 DUE TO 2.4.3 MEMORY BUG. Details: iiab/iiab#669
#echo "Install https://download.iiab.io/packages/ansible_2.4.2.0-1ppa~xenial_all.deb"
#cd /tmp
#wget https://download.iiab.io/packages/ansible_2.4.2.0-1ppa~xenial_all.deb
#apt -y --allow-downgrades install ./ansible_2.4.2.0-1ppa~xenial_all.deb

export DEBIAN_FRONTEND=noninteractive
# Why 'noninteractive' appears needed:
# https://github.com/iiab/iiab/issues/564#issuecomment-347264985

echo -e "\n\nYOU ARE RUNNING: /opt/iiab/iiab/scripts/ansible (TO INSTALL ANSIBLE ETC)\n"
#echo -e 'Alternative:     /opt/iiab/iiab/scripts/ansible-2.9.x ("Slow Food")\n'

echo -e "RECOMMENDED PREREQUISITES:"
echo -e "(1) Verify you're online"
echo -e "(2) Remove all prior versions of Ansible using..."
echo -e "    'apt purge ansible-core'  and/or  'pip3 uninstall ansible-core'  and/or"
echo -e "    'apt purge ansible-base'  and/or  'pip3 uninstall ansible-base'  and/or"
echo -e "    'apt purge ansible'       and/or  'pip3 uninstall ansible'"
echo -e "(3) Remove all lines containing 'ansible' from..."
echo -e "    /etc/apt/sources.list and /etc/apt/sources.list.d/*\n"

echo -e "IIAB INSTALL INSTRUCTIONS: (OLDER, MANUAL APPROACH)"
echo -e "https://github.com/iiab/iiab/wiki/IIAB-Installation#do-everything-from-scratch\n"

if [ $(command -v ansible) ]; then    # "command -v" is POSIX compliant; also catches built-in commands like "cd"
    CURR_VER=$(ansible --version | head -1 | cut -f 2- -d " ")
    # Above works with 'ansible [core 2.11.0rc2]' -- these old ways do not:
    #CURR_VER=$(ansible --version | head -1 | awk '{print $2}')
    #CURR_VER=$(ansible --version | head -1 | sed -e 's/.* //')
    echo -e "CURRENTLY INSTALLED ANSIBLE: $CURR_VER -- LET'S TRY TO UPGRADE IT!"
else
    echo -e "ANSIBLE NOT FOUND ON THIS COMPUTER -- LET'S TRY TO INSTALL IT!"
fi
echo -e "(Internet-in-a-Box requests ansible-core $GOOD_VER or higher)\n"

# Code above designed to work on all Linux distributions, to preserve options,
# in support of any volunteer(s) wanting to port IIAB to a new Linux/distro.
if [ ! -f /etc/debian_version ]; then    # e.g. RaspiOS, Ubuntu, Mint & Debian
    echo -e "\nEXITING: /etc/debian_version FILE NOT FOUND.  Linux OS support info here:"
    echo -e "           https://github.com/iiab/iiab/wiki/IIAB-Platforms\n"
    exit 1
fi

# 2021-04-26: JV & @holta WIP.  The apt-key command is going away, and the past
# practice of putting keys in /etc/apt/trusted.gpg.d is considered insecure:
# https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html
# https://askubuntu.com/questions/1286545/what-commands-exactly-should-replace-the-deprecated-apt-key/1307181#1307181
# So we put .gpg key in repo iiab/iiab, also for reliable installs/containers.

#echo -e "\napt update; install dirmngr; PPA to /etc/apt/sources.list.d/iiab-ansible.list\n"
#$APT_PATH/apt update
#$APT_PATH/apt -y install dirmngr
#echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu $CODENAME main" \
###echo "deb [signed-by=/usr/share/keyrings/iiab-ansible-keyring.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu $CODENAME main" \
###     > /etc/apt/sources.list.d/iiab-ansible.list

# 2022-11-09: ansible-core 2.12.10+ PPA works on 32-bit RasPiOS, until upstream wheels -> cryptography is fixed (PR #3421)
echo "deb [signed-by=/usr/share/keyrings/iiab-ansible-keyring.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu focal main" \
     > /etc/apt/sources.list.d/iiab-ansible.list

# In future we might instead consider 'add-apt-repository ppa:ansible/ansible'
# or 'apt-add-repository ppa:ansible/bionic/ansible' etc, e.g. for streamlined
# removal using 'apt-add-repository -r' -- however that currently requires
# 'apt install software-properties-common' which drags in a dozen packages we
# might not want, e.g. unattended-upgrades, packagekit etc.

# 2020-08-20: TEMP WORKAROUND (REVERT TO ANSIBLE 2.9.6) MITIGATING
# iiab/iiab#2481 (Ansible 2.9.12 and 2.10.0's 666-TO-600 file permissions
# problem).  This workaround installs 2.9.6-1ppa~disco onto RaspiOS, from
# https://launchpad.net/~ansible/+archive/ubuntu/ansible
#echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu disco main" \
#    > /etc/apt/sources.list.d/iiab-ansible.list

# 2021-04-26: JV & @holta WIP: (see above)
#echo -e '\nIF YOU FACE ERROR "signatures couldn'"'"'t be verified because the public key is not available" THEN REPEATEDLY RE-RUN "sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 93C4A3FD7BB9C367"\n'
#apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 93C4A3FD7BB9C367
###cp /opt/iiab/iiab/scripts/iiab-ansible-keyring.gpg /usr/share/keyrings/iiab-ansible-keyring.gpg
#chmod 644 /usr/share/keyrings/iiab-ansible-keyring.gpg

# 2022-11-09: ansible-core 2.12.10+ PPA works on 32-bit RasPiOS, until upstream wheels -> cryptography is fixed (PR #3421)
cp /opt/iiab/iiab/scripts/iiab-ansible-keyring.gpg /usr/share/keyrings/iiab-ansible-keyring.gpg

###echo -e 'PPA source "deb [signed-by=/usr/share/keyrings/iiab-ansible-keyring.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu '$CODENAME' main"'
###echo -e "successfully saved to /etc/apt/sources.list.d/iiab-ansible.list\n"
###echo -e "IF *OTHER* ANSIBLE SOURCES APPEAR BELOW, PLEASE MANUALLY REMOVE THEM TO"
###echo -e 'ENSURE ANSIBLE UPDATES CLEANLY: (then re-run this script to be sure!)\n'
###grep '^deb .*ansible' /etc/apt/sources.list /etc/apt/sources.list.d/*.list | grep -v '^/etc/apt/sources.list.d/iiab-ansible.list:' || true    # Override bash -e (instead of aborting at 1st error)

echo -e "\napt update; apt install python3-pip    # Also installs 'python3-setuptools' and 'python3' etc"
#echo -e "https://github.com/iiab/iiab/blob/master/scripts/ansible.md\n"
$APT_PATH/apt update
$APT_PATH/apt -y install python3-pip

# 2021-07-29:
# 'python3-packaging' dropped for now
# 'python3-pymysql' (drags in 'python3' which drags in 'python3-venv' on Debian 11 but not on Ubuntu 20.04) -- moved to roles/mysql/tasks/install.yml
# 'python3-psycopg2' moved to roles/postgresql/tasks/install.yml
# 'python3-passlib' moved to roles/munin/tasks/install.yml
# 'python3-venv' moved to roles/2-common/tasks/packages.yml
# 'virtualenv' for Python 2 moved to roles/kalite/tasks/install.yml
#
#$APT_PATH/apt -y install \
#              python3-pymysql python3-psycopg2 python3-passlib python3-pip \
#              python3-setuptools python3-packaging python3-venv virtualenv

#$APT_PATH/apt -y --allow-downgrades install ansible-core

if uname -m | grep -q 64; then
    # 2021-10-30: Using pip is messy, leaving behind cached files, so turn off pip
    # cache system-wide before installing:
    # https://stackoverflow.com/questions/9510474/removing-pips-cache/61762308#61762308
    # https://github.com/iiab/iiab/pull/3022
    pip3 config --global set global.no-cache-dir false
    echo -e "\n\n'pip3 install --upgrade ansible-core' will now run:\n"
    pip3 install --upgrade ansible-core    # ansible-core 2.12 (released 2021-11-08) requires Python >= 3.8
else
    echo "2022-11-09: ansible-core 2.12.10+ PPA works on 32-bit RasPiOS, using /etc/apt/sources.list.d/iiab-ansible.list, until upstream wheels -> cryptography is fixed (PR #3421)"
    $APT_PATH/apt -y --allow-downgrades install ansible-core
fi

# (Re)running collection installs appears safe, with --force-with-deps to force
# upgrade of collection and dependencies it pulls in.  Note Ansible may support
# explicit upgrading of collections (--upgrade / -U flag) in version "2.11"
# with PR ansible/ansible#73336.  See also IIAB PRs #2647 #2652 #2653 #2655.
echo -e "\n\nIIAB requires these ~4 Ansible Collections: (we upgrade them here if possible!)\n"
ansible-galaxy collection install --force-with-deps \
               -r /opt/iiab/iiab/collections.yml \
               -p /usr/share/ansible/collections
# 2021-02-24: 'ansible-galaxy collection list' lists those installed. (#2659)
# 2020-11-28: The ~3 Ansible Collections used by IIAB (~37MB) once lived here:
#    /root/.ansible/collections/ansible_collections
# But going forward they'll be stored herein: [~24MB for 4 Collections as of 2021-05-19]
#    /usr/share/ansible/collections/ansible_collections

# 2021-04-19: No longer needed, per PR #2743 testing
#echo -e "\n\nCreating/verifying directory /etc/ansible & installing /etc/ansible/hosts\n"
#mkdir -p /etc/ansible    # LIKELY REDUNDANT, due to above installation of Ansible
#echo -e '[local]\nlocalhost\n' > /etc/ansible/hosts    # LIKELY REDUNDANT, due to https://github.com/iiab/iiab/blob/master/ansible_hosts

echo -e "\n\nSUCCESS!  PLEASE VERIFY ANSIBLE WITH COMMANDS LIKE:\n"
echo -e "    ansible --version"
echo -e "    pip3 show ansible-core"
echo -e '    apt -a list "ansible*"'
echo -e "    ansible-galaxy collection list\n"
echo -e "WARNING: Start a new Linux shell, if it changed from /usr/bin to /usr/local/bin\n\n"