Merge pull request #2893 from holta/1-prep_modularize

Modularize and explain Stage 1 (1-prep) of IIAB install
2025-03-09 15:40:17 +00:00 · 2021-07-31 20:56:03 -04:00 · 2021-07-31 20:56:03 -04:00 · 0baca4d89c
commit 0baca4d89c
parent 43720da0e8 e02e89f01e
9 changed files with 112 additions and 106 deletions
--- a/roles/1-prep/README.rst
+++ b/roles/1-prep/README.rst
@ -2,21 +2,24 @@
 1-prep README
 =============

-This 1st `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ (1-prep) is primarily hardware-focused, prior to OS
-additions/mods — but also includes critical pieces sometimes needed for
-remote support:
+This 1st `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ (1-prep) arranges low-level things like remote support infra, DNS prep, hardware, low-level OS quirks, and basic security:

- dnsmasq
- /etc/iiab/uuid
- Customizing /var/log/* for Ubermix on each boot, using /etc/tmpfiles.d
- SSH
- `iiab-admin <https://github.com/iiab/iiab/tree/master/roles/iiab-admin>`_ username and group to log into Admin Console
- OpenVPN software if/as needed later for remote support
- `raspberry_pi.yml <tasks/raspberry_pi.yml>`_ including RTC, essential packages, and networking basics
+- SSHD
+- OpenVPN if/as needed later for remote support
+- `iiab-admin <https://github.com/iiab/iiab/tree/master/roles/iiab-admin#iiab-admin-readme>`_ username and group, to log into Admin Console
+- dnsmasq (install now, configure later!)
+- Universally unique identifier: /etc/iiab/uuid
+- Ubermix (distro) needs /etc/tmpfiles.d/iiab.conf to create essential /var/log subdirs on each boot
+- Hardware actions:
+   - `raspberry_pi.yml <tasks/raspberry_pi.yml>`_:
+      - RTC (real-time clock): install udev rule, configure, enable
+      - Install packages related to:
+         - growpart
+         - swapfile
+         - fake-hwclock (as RTC is often missing or dead!)
+         - Wi-Fi
+      - Increase swap file size
+      - rootfs auto-resizing
+   - NUC 6 Wi-Fi firmware

-Traditionally 1-prep also included preliminaries like hostname and
-hardware-oriented things specific to a particular platform (such as
-One Laptop Per Child's XO laptop) i.e. critical setup prior to the
-bulk of IIAB's software install.
-
-Recap: Similar to 0-init, 2-common, 3-base-server, 4 server-options and 5-xo-services ⁠— this 1st stage installs core server infra (that is not user-facing).
+Recap: Similar to 0-init, 2-common, 3-base-server, 4 server-options and 5-xo-services — this 1st stage installs core server infra (that is not user-facing).
--- a/roles/1-prep/tasks/hardware.yml
+++ b/roles/1-prep/tasks/hardware.yml
@ -0,0 +1,17 @@
+##  DISCOVER PLATFORMS ######
+# Put conditional actions for hardware platforms here
+
+- include_tasks: raspberry_pi.yml
+  when: first_run and rpi_model != "none"
+
+- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
+  shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
+  register: usb_NUC6
+  ignore_errors: True
+
+- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6    # iiab_download_url is http://download.iiab.io/packages
+  get_url:
+    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"
+    dest: /lib/firmware
+    timeout: "{{ download_timeout }}"
+  when: internet_available and usb_NUC6.stdout|int > 0
--- a/roles/1-prep/tasks/main.yml
+++ b/roles/1-prep/tasks/main.yml
@ -1,85 +1,31 @@
-# Preparations (Hardware Level)
+# Preparations (low-level e.g. remote support, DNS prep, HW/OS, basic security)

 - name: ...IS BEGINNING ============================================
  meta: noop

- name: dnsmasq (install now, configure LATER in 'network', after Stage 9)
-  include_tasks: roles/network/tasks/dnsmasq.yml
-  #when: dnsmasq_install    # Flag might be used in future?
-
-
- name: 'Install packages: sudo, uuid-runtime'
-  package:
-    name:
-      - sudo
-      - uuid-runtime
-    state: present
-
- name: Does /etc/iiab/uuid exist?
-  stat:
-    path: /etc/iiab/uuid
-  register: uuid_file
-
- name: If not, run 'uuidgen' to create a uuid, in register uuid_response
-  command: uuidgen
-  register: uuid_response
-  when: not uuid_file.stat.exists
-
- name: Save it to /etc/iiab/uuid
-  shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid
-  when: not uuid_file.stat.exists
-
- name: Load /etc/iiab/uuid, into register stored_uuid
-  command: cat /etc/iiab/uuid
-  register: stored_uuid
-
- name: Store it in Ansible variable 'uuid'
-  set_fact:
-    uuid: "{{ stored_uuid.stdout_lines[0] }}"
-
-
- name: Does 'ubermix' exist in /etc/lsb-release?
-  shell: grep -i ubermix /etc/lsb-release    # Pipe to cat to avoid red errors?
-  register: grep_ubermix
-  failed_when: False    # Universal way to hide alarmist red errors!
-  #ignore_errors: True
-  #check_mode: no
-
- name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix
-  copy:
-    src: roles/1-prep/files/iiab.conf
-    dest: /etc/tmpfiles.d/
-    # owner: root
-    # group: root
-    # mode: '0644'
-    force: yes
-  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
-
-# 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml
-# This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-*
-# pkgs are not installed FWIW.  But it's included to safeguard us across all
-# OS's, in case others OS's like Ubermix later appear.  See #1382 for details.
-# Removing pkgs libgeos-3.6.2 & libgeos-c1v5 fixed the situation on Ubermix!
- name: Remove libgeos-* pkgs, avoiding KA Lite Django failure on Ubermix
-  shell: apt -y remove "libgeos-*"
-  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
-
-
 - name: SSHD -- required by OpenVPN below -- also run by roles/4-server-options/tasks/main.yml
  include_role:
    name: sshd
  when: sshd_install

- name: IIAB-ADMIN
-  include_role:
-    name: iiab-admin
-  #when: iiab_admin_install    # Flag might be created in future?
-
 - name: OPENVPN
  include_role:
    name: openvpn
  when: openvpn_install

+- name: IIAB-ADMIN -- includes roles/iiab-admin/tasks/access.yml
+  include_role:
+    name: iiab-admin
+  #when: iiab_admin_install    # Flag might be created in future?
+
+- name: Install dnsmasq -- configure LATER in 'network', after Stage 9
+  include_tasks: roles/network/tasks/dnsmasq.yml
+  #when: dnsmasq_install    # Flag might be used in future?
+
+- include_tasks: uuid.yml
+- include_tasks: ubermix.yml
+- include_tasks: hardware.yml    # Can run raspberry_pi.yml
+

 # Debian 10 "Buster" is apparently enabling AppArmor in 2019:
 # https://wiki.debian.org/AppArmor/Progress
@ -109,25 +55,6 @@
 #  when: not is_debuntu and selinux_disabled is defined and selinux_disabled.changed


-##  DISCOVER PLATFORMS ######
-# Put conditional actions for hardware platforms here
-
- include_tasks: raspberry_pi.yml
-  when: first_run and rpi_model != "none"
-
- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
-  shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
-  register: usb_NUC6
-  ignore_errors: True
-
- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6    # iiab_download_url is http://download.iiab.io/packages
-  get_url:
-    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"
-    dest: /lib/firmware
-    timeout: "{{ download_timeout }}"
-  when: internet_available and usb_NUC6.stdout|int > 0
-
-
 - name: Recording STAGE 1 HAS COMPLETED ============================
  template:
    src: roles/1-prep/templates/iiab.env.j2
--- a/roles/1-prep/tasks/raspberry_pi.yml
+++ b/roles/1-prep/tasks/raspberry_pi.yml
@ -31,6 +31,7 @@
 #    line: 'include btcfg.txt'
 #  when: is_ubuntu

+
 - name: '2021-07-27: SEE ALSO ~4 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/packages.yml'
  meta: noop

@ -55,6 +56,7 @@
      - wireless-tools    # 2021-07-27: RaspiOS installs this regardless -- manipulate Linux Wireless Extensions
    state: present

+
 - name: Increase swap file size (to CONF_SWAPSIZE={{ pi_swap_file_size }} in /etc/dphys-swapfile) as kalite pip download fails
  lineinfile:
    path: /etc/dphys-swapfile
@ -67,6 +69,7 @@
    name: dphys-swapfile
    state: restarted

+
 - name: Install RPi rootfs resizing (/usr/sbin/iiab-rpi-max-rootfs.sh) and its systemd service (/etc/systemd/system/iiab-rpi-root-resize.service), from templates (root:root by default)
  template:
    src: "{{ item.src }}"
--- a/roles/1-prep/tasks/ubermix.yml
+++ b/roles/1-prep/tasks/ubermix.yml
@ -0,0 +1,25 @@
+- name: Does 'ubermix' exist in /etc/lsb-release?
+  shell: grep -i ubermix /etc/lsb-release    # Pipe to cat to avoid red errors?
+  register: grep_ubermix
+  failed_when: False    # Universal way to hide alarmist red errors!
+  #ignore_errors: True
+  #check_mode: no
+
+- name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix (root:root, 0644 by default)
+  copy:
+    src: roles/1-prep/files/iiab.conf
+    dest: /etc/tmpfiles.d/
+    # owner: root
+    # group: root
+    # mode: 0644
+    force: yes
+  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
+
+# 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml
+# This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-*
+# pkgs are not installed FWIW.  But it's included to safeguard us across all
+# OS's, in case others OS's like Ubermix later appear.  See #1382 for details.
+# Removing pkgs libgeos-3.6.2 & libgeos-c1v5 fixed the situation on Ubermix!
+- name: Remove libgeos-* pkgs, avoiding KA Lite Django failure on Ubermix
+  shell: apt -y remove "libgeos-*"
+  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
--- a/roles/1-prep/tasks/uuid.yml
+++ b/roles/1-prep/tasks/uuid.yml
@ -0,0 +1,26 @@
+- name: "Install packages: uuid-runtime"
+  package:
+    name: uuid-runtime
+    state: present
+
+- name: Does /etc/iiab/uuid exist?
+  stat:
+    path: /etc/iiab/uuid
+  register: uuid_file
+
+- name: If not, run 'uuidgen' to create a uuid, in register uuid_response
+  command: uuidgen
+  register: uuid_response
+  when: not uuid_file.stat.exists
+
+- name: Save it to /etc/iiab/uuid
+  shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid
+  when: not uuid_file.stat.exists
+
+- name: Load /etc/iiab/uuid, into register stored_uuid
+  command: cat /etc/iiab/uuid
+  register: stored_uuid
+
+- name: Store it in Ansible variable 'uuid'
+  set_fact:
+    uuid: "{{ stored_uuid.stdout_lines[0] }}"
--- a/roles/2-common/tasks/main.yml
+++ b/roles/2-common/tasks/main.yml
@ -8,11 +8,12 @@

 - include_tasks: packages.yml

- name: 'Network prep, including partial setup of iptables (firewall) -- SEE ALSO: 1-prep/tasks/raspberry_pi.yml'
+- name: "Network prep, including partial setup of iptables (firewall) -- SEE ALSO: 1-prep/tasks/raspberry_pi.yml"
  include_tasks: network.yml

 - include_tasks: iiab-startup.yml

+
 # UNMAINTAINED
 #- include_tasks: centos.yml
 #  when: ansible_distribution == "CentOS"
@ -39,6 +40,7 @@
 #    dest: /etc/profile.d/zzz_iiab.sh
 #    src: zzz_iiab.sh

+
 - name: Recording STAGE 2 HAS COMPLETED ==========================
  lineinfile:
    path: "{{ iiab_env_file }}"
--- a/roles/2-common/tasks/packages.yml
+++ b/roles/2-common/tasks/packages.yml
@ -4,7 +4,7 @@
 - name: '2021-07-27: SEE ALSO 4-5 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/network.yml'
  meta: noop

- name: "Install 20 common packages: acpid, avahi-daemon, bzip2, curl, gawk, htop, i2c-tools, libnss-mdns, logrotate, mlocate, net-tools, pandoc, pastebinit, rsync, sqlite3, tar, unzip, usbutils, wget, wpasupplicant"
+- name: "Install 21 common packages: acpid, avahi-daemon, bzip2, curl, gawk, htop, i2c-tools, libnss-mdns, logrotate, mlocate, net-tools, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget, wpasupplicant"
  package:
    name:
      - acpid              # Daemon for ACPI (power mgmt) events
@ -33,7 +33,7 @@
      - rsync
      #- screen            # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
      - sqlite3
-      #- sudo              # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
+      - sudo
      - tar
      - unzip
      #- usbmount          # Moved to roles/usb_lib/tasks/install.yml
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
@ -23,6 +23,7 @@
    name: sshd
  when: sshd_install

+
 # UNMAINTAINED
 - name: Install named / BIND
  include_tasks: roles/network/tasks/named.yml
@ -38,6 +39,7 @@
  include_tasks: roles/network/tasks/squid.yml
  when: squid_install is defined and squid_install

+
 - name: Install Bluetooth - only on Raspberry Pi
  include_role:
    name: bluetooth
@ -69,6 +71,7 @@
    name: www_options
  #when: www_options_install    # Flag might be created in future?

+
 - name: Recording STAGE 4 HAS COMPLETED ==================
  lineinfile:
    path: "{{ iiab_env_file }}"