From d328faf6e304e348e6f47aaa90649714fc0cb4e4 Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 31 Jul 2021 16:43:29 -0400
Subject: [PATCH 1/6] Modularize 1-prep, Tweak 2-common
---
roles/1-prep/tasks/hw_platforms.yml | 17 +++++
roles/1-prep/tasks/main.yml | 101 ++++------------------------
roles/1-prep/tasks/ubermix.yml | 25 +++++++
roles/1-prep/tasks/uuid.yml | 26 +++++++
roles/2-common/tasks/main.yml | 2 +-
roles/2-common/tasks/packages.yml | 4 +-
6 files changed, 85 insertions(+), 90 deletions(-)
create mode 100644 roles/1-prep/tasks/hw_platforms.yml
create mode 100644 roles/1-prep/tasks/ubermix.yml
create mode 100644 roles/1-prep/tasks/uuid.yml
diff --git a/roles/1-prep/tasks/hw_platforms.yml b/roles/1-prep/tasks/hw_platforms.yml
new file mode 100644
index 000000000..2a5c5c2ba
--- /dev/null
+++ b/roles/1-prep/tasks/hw_platforms.yml
@@ -0,0 +1,17 @@
+## DISCOVER PLATFORMS ######
+# Put conditional actions for hardware platforms here
+
+- include_tasks: raspberry_pi.yml
+ when: first_run and rpi_model != "none"
+
+- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
+ shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
+ register: usb_NUC6
+ ignore_errors: True
+
+- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6 # iiab_download_url is http://download.iiab.io/packages
+ get_url:
+ url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"
+ dest: /lib/firmware
+ timeout: "{{ download_timeout }}"
+ when: internet_available and usb_NUC6.stdout|int > 0
diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml
index e7b950a3e..efaf78e54 100644
--- a/roles/1-prep/tasks/main.yml
+++ b/roles/1-prep/tasks/main.yml
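Review bot: The `get_url` task in the new hw_platforms.yml writes iwlwifi-8000C-13.ucode into /lib/firmware with no integrity check, and the task's own comment gives `iiab_download_url` as an `http://` address, so the firmware blob is trusted exactly as it arrives over the network. Pin it with `checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"` on the task, and move the base URL to HTTPS if the download host offers it. The NUC6 probe above it only reads state, so it should also carry `changed_when: false`.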
@@ -1,85 +1,31 @@ -# Preparations (Hardware Level) +# Preparations (low-level, hardware, basic security) - name: ...IS BEGINNING ============================================ meta: noop -- name: dnsmasq (install now, configure LATER in 'network', after Stage 9) - include_tasks: roles/network/tasks/dnsmasq.yml - #when: dnsmasq_install # Flag might be used in future? - - -- name: 'Install packages: sudo, uuid-runtime' - package: - name: - - sudo - - uuid-runtime - state: present - -- name: Does /etc/iiab/uuid exist? - stat: - path: /etc/iiab/uuid - register: uuid_file - -- name: If not, run 'uuidgen' to create a uuid, in register uuid_response - command: uuidgen - register: uuid_response - when: not uuid_file.stat.exists - -- name: Save it to /etc/iiab/uuid - shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid - when: not uuid_file.stat.exists - -- name: Load /etc/iiab/uuid, into register stored_uuid - command: cat /etc/iiab/uuid - register: stored_uuid - -- name: Store it in Ansible variable 'uuid' - set_fact: - uuid: "{{ stored_uuid.stdout_lines[0] }}" - - -- name: Does 'ubermix' exist in /etc/lsb-release? - shell: grep -i ubermix /etc/lsb-release # Pipe to cat to avoid red errors? - register: grep_ubermix - failed_when: False # Universal way to hide alarmist red errors! - #ignore_errors: True - #check_mode: no - -- name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix - copy: - src: roles/1-prep/files/iiab.conf - dest: /etc/tmpfiles.d/ - # owner: root - # group: root - # mode: '0644' - force: yes - when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist - -# 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml -# This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-* -# pkgs are not installed FWIW. But it's included to safeguard us across all -# OS's, in case others OS's like Ubermix later appear. See #1382 for details. 
-# Removing pkgs libgeos-3.6.2 & libgeos-c1v5 fixed the situation on Ubermix! -- name: Remove libgeos-* pkgs, avoiding KA Lite Django failure on Ubermix - shell: apt -y remove "libgeos-*" - when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist - - - name: SSHD -- required by OpenVPN below -- also run by roles/4-server-options/tasks/main.yml include_role: name: sshd when: sshd_install -- name: IIAB-ADMIN - include_role: - name: iiab-admin - #when: iiab_admin_install # Flag might be created in future? - - name: OPENVPN include_role: name: openvpn when: openvpn_install +- name: IIAB-ADMIN -- includes roles/iiab-admin/tasks/access.yml + include_role: + name: iiab-admin + #when: iiab_admin_install # Flag might be created in future? + +- name: dnsmasq (install now, configure LATER in 'network', after Stage 9) + include_tasks: roles/network/tasks/dnsmasq.yml + #when: dnsmasq_install # Flag might be used in future? + +- include_tasks: uuid.yml +- include_tasks: ubermix.yml +- include_tasks: hw_platforms.yml + # Debian 10 "Buster" is apparently enabling AppArmor in 2019: # https://wiki.debian.org/AppArmor/Progress 
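Review bot: With `sudo` removed from this file's package task and added to roles/2-common/tasks/packages.yml, nothing visible in 1-prep installs sudo before the IIAB-ADMIN role runs. The comment this patch removes from packages.yml says roles/iiab-admin/tasks/sudo-prereqs.yml installs it; if that still holds, the ordering is fine, but it is worth confirming, because any sudoers setup inside iiab-admin (not visible here) would otherwise run in Stage 1 without the package present. The three new bare `include_tasks:` lines (uuid.yml, ubermix.yml, hw_platforms.yml) would also be easier to follow in run output with a `name:` each, like the role includes above them.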
@@ -109,25 +55,6 @@ # when: not is_debuntu and selinux_disabled is defined and selinux_disabled.changed -## DISCOVER PLATFORMS ###### -# Put conditional actions for hardware platforms here - -- include_tasks: raspberry_pi.yml - when: first_run and rpi_model != "none" - -- name: Check if the identifier for Intel's NUC6 built-in WiFi is present - shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'" - register: usb_NUC6 - ignore_errors: True - -- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6 # iiab_download_url is http://download.iiab.io/packages - get_url: - url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode" - dest: /lib/firmware - timeout: "{{ download_timeout }}" - when: internet_available and usb_NUC6.stdout|int > 0 - - - name: Recording STAGE 1 HAS COMPLETED ============================ template: src: roles/1-prep/templates/iiab.env.j2 diff --git a/roles/1-prep/tasks/ubermix.yml b/roles/1-prep/tasks/ubermix.yml new file mode 100644 index 000000000..fa9e1c891 --- /dev/null +++ b/roles/1-prep/tasks/ubermix.yml 
@@ -0,0 +1,25 @@
+- name: Does 'ubermix' exist in /etc/lsb-release?
+ shell: grep -i ubermix /etc/lsb-release # Pipe to cat to avoid red errors?
+ register: grep_ubermix
+ failed_when: False # Universal way to hide alarmist red errors!
+ #ignore_errors: True
+ #check_mode: no
+
+- name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix (root:root, 0644 by default)
+ copy:
+ src: roles/1-prep/files/iiab.conf
+ dest: /etc/tmpfiles.d/
+ # owner: root
+ # group: root
+ # mode: 0644
+ force: yes
+ when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist
+
+# 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml
+# This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-*
+# pkgs are not installed FWIW. But it's included to safeguard us across all
+# OS's, in case others OS's like Ubermix later appear. See #1382 for details.
+# Removing pkgs libgeos-3.6.2 & libgeos-c1v5 fixed the situation on Ubermix!
+- name: Remove libgeos-* pkgs, avoiding KA Lite Django failure on Ubermix
+ shell: apt -y remove "libgeos-*"
+ when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist
diff --git a/roles/1-prep/tasks/uuid.yml b/roles/1-prep/tasks/uuid.yml
new file mode 100644
index 000000000..28ab30340
--- /dev/null
+++ b/roles/1-prep/tasks/uuid.yml
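Review bot: The `copy` task that installs /etc/tmpfiles.d/iiab.conf leaves `owner`, `group` and `mode` commented out, so the file's ownership and permissions come from the connecting user and its umask rather than from the "root:root, 0644 by default" stated in the task name. Per that same task name the file is acted on at every boot, so set them explicitly: `owner: root`, `group: root`, `mode: '0644'` (quoted, which the pre-move version of the comment had and this hunk drops). Neither `shell:` task needs a shell: the grep can be `command:` with `changed_when: false`, and the libgeos removal would be idempotent through the `apt` module with `state: absent`, assuming its wildcard matching selects the same packages.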
@@ -0,0 +1,26 @@ +- name: "Install packages: uuid-runtime" + package: + name: uuid-runtime + state: present + +- name: Does /etc/iiab/uuid exist? + stat: + path: /etc/iiab/uuid + register: uuid_file + +- name: If not, run 'uuidgen' to create a uuid, in register uuid_response + command: uuidgen + register: uuid_response + when: not uuid_file.stat.exists + +- name: Save it to /etc/iiab/uuid + shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid + when: not uuid_file.stat.exists + +- name: Load /etc/iiab/uuid, into register stored_uuid + command: cat /etc/iiab/uuid + register: stored_uuid + +- name: Store it in Ansible variable 'uuid' + set_fact: + uuid: "{{ stored_uuid.stdout_lines[0] }}" diff --git a/roles/2-common/tasks/main.yml b/roles/2-common/tasks/main.yml index 21ae62a6a..0693fd50e 100644 --- a/roles/2-common/tasks/main.yml +++ b/roles/2-common/tasks/main.yml @@ -8,7 +8,7 @@ - include_tasks: packages.yml -- name: 'Network prep, including partial setup of iptables (firewall) -- SEE ALSO: 1-prep/tasks/raspberry_pi.yml' +- name: "Network prep, including partial setup of iptables (firewall) -- SEE ALSO: 1-prep/tasks/raspberry_pi.yml" include_tasks: network.yml - include_tasks: iiab-startup.yml diff --git a/roles/2-common/tasks/packages.yml b/roles/2-common/tasks/packages.yml index 3362c0ce5..26c061b52 100644 --- a/roles/2-common/tasks/packages.yml +++ b/roles/2-common/tasks/packages.yml 
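Review bot: The task 'Save it to /etc/iiab/uuid' interpolates `{{ uuid_response.stdout_lines[0] }}` unquoted into a `shell:` redirect, which sends a registered value through a shell for no benefit and leaves the file's owner and mode to whatever umask is in effect. The `copy` module with `content:` writes the same file with no shell and with explicit permissions, as sketched below; the mode shown is what a typical root umask would already produce, so tighten it if the UUID is treated as sensitive. The read-back task `command: cat /etc/iiab/uuid` should also carry `changed_when: false` so that each run does not report a change.

```yaml
- name: Save it to /etc/iiab/uuid
  copy:
    content: "{{ uuid_response.stdout_lines[0] }}\n"
    dest: /etc/iiab/uuid
    owner: root
    group: root
    mode: '0644'
  when: not uuid_file.stat.exists
```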
@@ -4,7 +4,7 @@ - name: '2021-07-27: SEE ALSO 4-5 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/network.yml' meta: noop -- name: "Install 20 common packages: acpid, avahi-daemon, bzip2, curl, gawk, htop, i2c-tools, libnss-mdns, logrotate, mlocate, net-tools, pandoc, pastebinit, rsync, sqlite3, tar, unzip, usbutils, wget, wpasupplicant" +- name: "Install 21 common packages: acpid, avahi-daemon, bzip2, curl, gawk, htop, i2c-tools, libnss-mdns, logrotate, mlocate, net-tools, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget, wpasupplicant" package: name: - acpid # Daemon for ACPI (power mgmt) events @@ -33,7 +33,7 @@ - rsync #- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml - sqlite3 - #- sudo # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml + - sudo - tar - unzip #- usbmount # Moved to roles/usb_lib/tasks/install.yml From bc7c0c811c07e788a24761be41dbed4a9eafd2e2 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 31 Jul 2021 18:01:17 -0400 Subject: [PATCH 2/6] Overhaul 1-prep/README.rst etc --- roles/1-prep/README.rst | 35 ++++++++++--------- .../tasks/{hw_platforms.yml => hardware.yml} | 0 roles/1-prep/tasks/main.yml | 2 +- roles/1-prep/tasks/raspberry_pi.yml | 3 ++ roles/2-common/tasks/main.yml | 2 ++ roles/4-server-options/tasks/main.yml | 3 ++ 6 files changed, 28 insertions(+), 17 deletions(-) rename roles/1-prep/tasks/{hw_platforms.yml => hardware.yml} (100%) diff --git a/roles/1-prep/README.rst b/roles/1-prep/README.rst index d2b3bb8ee..a0ab8a3a6 100644 --- a/roles/1-prep/README.rst +++ b/roles/1-prep/README.rst 
@@ -2,21 +2,24 @@ 1-prep README ============= -This 1st `stage `_ (1-prep) is primarily hardware-focused, prior to OS -additions/mods — but also includes critical pieces sometimes needed for -remote support: +This 1st `stage `_ (1-prep) arranges low-level things like hardware, DNS, basic security -- and critical pieces sometimes needed for remote support: -- dnsmasq -- /etc/iiab/uuid -- Customizing /var/log/* for Ubermix on each boot, using /etc/tmpfiles.d -- SSH -- `iiab-admin `_ username and group to log into Admin Console -- OpenVPN software if/as needed later for remote support -- `raspberry_pi.yml `_ including RTC, essential packages, and networking basics +- SSHD +- OpenVPN if/as needed later for remote support +- `iiab-admin `_ username and group, to log into Admin Console +- dnsmasq (install now, configure later!) +- Universally unique identifier: /etc/iiab/uuid +- Ubermix (distro) needs /etc/tmpfiles.d/iiab.conf to create essential /var/log subdirs on each boot +- Hardware actions: + - `raspberry_pi.yml `_: + - RTC (real-time clock): install udev rule, configure, enable + - Install packages related to: + - growpart + - swapfile + - fake-hwclock (as RTC is often missing or dead!) + - Wi-Fi + - Increase swap file size + - rootfs auto-resizing + - NUC 6 Wi-Fi firmware -Traditionally 1-prep also included preliminaries like hostname and -hardware-oriented things specific to a particular platform (such as -One Laptop Per Child's XO laptop) i.e. critical setup prior to the -bulk of IIAB's software install. - -Recap: Similar to 0-init, 2-common, 3-base-server, 4 server-options and 5-xo-services ⁠— this 1st stage installs core server infra (that is not user-facing). +Recap: Similar to 0-init, 2-common, 3-base-server, 4 server-options and 5-xo-services — this 1st stage installs core server infra (that is not user-facing). 
diff --git a/roles/1-prep/tasks/hw_platforms.yml b/roles/1-prep/tasks/hardware.yml similarity index 100% rename from roles/1-prep/tasks/hw_platforms.yml rename to roles/1-prep/tasks/hardware.yml diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml index efaf78e54..36369aaee 100644 --- a/roles/1-prep/tasks/main.yml +++ b/roles/1-prep/tasks/main.yml @@ -24,7 +24,7 @@ - include_tasks: uuid.yml - include_tasks: ubermix.yml -- include_tasks: hw_platforms.yml +- include_tasks: hardware.yml # Debian 10 "Buster" is apparently enabling AppArmor in 2019: diff --git a/roles/1-prep/tasks/raspberry_pi.yml b/roles/1-prep/tasks/raspberry_pi.yml index 7bd1840f5..64530c9fc 100644 --- a/roles/1-prep/tasks/raspberry_pi.yml +++ b/roles/1-prep/tasks/raspberry_pi.yml @@ -31,6 +31,7 @@ # line: 'include btcfg.txt' # when: is_ubuntu + - name: '2021-07-27: SEE ALSO ~4 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/packages.yml' meta: noop @@ -55,6 +56,7 @@ - wireless-tools # 2021-07-27: RaspiOS installs this regardless -- manipulate Linux Wireless Extensions state: present + - name: Increase swap file size (to CONF_SWAPSIZE={{ pi_swap_file_size }} in /etc/dphys-swapfile) as kalite pip download fails lineinfile: path: /etc/dphys-swapfile @@ -67,6 +69,7 @@ name: dphys-swapfile state: restarted + - name: Install RPi rootfs resizing (/usr/sbin/iiab-rpi-max-rootfs.sh) and its systemd service (/etc/systemd/system/iiab-rpi-root-resize.service), from templates (root:root by default) template: src: "{{ item.src }}" diff --git a/roles/2-common/tasks/main.yml b/roles/2-common/tasks/main.yml index 0693fd50e..a89928992 100644 --- a/roles/2-common/tasks/main.yml +++ b/roles/2-common/tasks/main.yml @@ -13,6 +13,7 @@ - include_tasks: iiab-startup.yml + # UNMAINTAINED #- include_tasks: centos.yml # when: ansible_distribution == "CentOS" 
@@ -39,6 +40,7 @@ # dest: /etc/profile.d/zzz_iiab.sh # src: zzz_iiab.sh + - name: Recording STAGE 2 HAS COMPLETED ========================== lineinfile: path: "{{ iiab_env_file }}" diff --git a/roles/4-server-options/tasks/main.yml b/roles/4-server-options/tasks/main.yml index faa5ce574..52c177384 100644 --- a/roles/4-server-options/tasks/main.yml +++ b/roles/4-server-options/tasks/main.yml @@ -23,6 +23,7 @@ name: sshd when: sshd_install + # UNMAINTAINED - name: Install named / BIND include_tasks: roles/network/tasks/named.yml @@ -38,6 +39,7 @@ include_tasks: roles/network/tasks/squid.yml when: squid_install is defined and squid_install + - name: Install Bluetooth - only on Raspberry Pi include_role: name: bluetooth @@ -69,6 +71,7 @@ name: www_options #when: www_options_install # Flag might be created in future? + - name: Recording STAGE 4 HAS COMPLETED ================== lineinfile: path: "{{ iiab_env_file }}" From c4283308af5bd181b324badf672675d999b1f2d7 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 31 Jul 2021 18:19:47 -0400 Subject: [PATCH 3/6] Tighten up descriptions of 1-prep --- roles/1-prep/README.rst | 2 +- roles/1-prep/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/1-prep/README.rst b/roles/1-prep/README.rst index a0ab8a3a6..c0d868f17 100644 --- a/roles/1-prep/README.rst +++ b/roles/1-prep/README.rst @@ -2,7 +2,7 @@ 1-prep README ============= -This 1st `stage `_ (1-prep) arranges low-level things like hardware, DNS, basic security -- and critical pieces sometimes needed for remote support: +This 1st `stage `_ (1-prep) arranges low-level things like remote support infra, DNS prep, hardware, low-level OS quirks, and basic security: - SSHD - OpenVPN if/as needed later for remote support diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml index 36369aaee..55085ac76 100644 --- a/roles/1-prep/tasks/main.yml +++ b/roles/1-prep/tasks/main.yml 
@@ -1,4 +1,4 @@ -# Preparations (low-level, hardware, basic security) +# Preparations (low-level e.g. remote support, DNS prep, HW/OS, basic security) - name: ...IS BEGINNING ============================================ meta: noop From 29f2f9c4233e2ed08615b98a7e0f5cf36eebd034 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 31 Jul 2021 18:40:04 -0400 Subject: [PATCH 4/6] roles/1-prep/README.rst: Typo --- roles/1-prep/README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/1-prep/README.rst b/roles/1-prep/README.rst index c0d868f17..a88a24b97 100644 --- a/roles/1-prep/README.rst +++ b/roles/1-prep/README.rst @@ -22,4 +22,4 @@ This 1st `stage Date: Sat, 31 Jul 2021 18:45:28 -0400 Subject: [PATCH 5/6] 1-prep/tasks/main.yml: Install dnsmasq but configure LATER? --- roles/1-prep/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml index 55085ac76..3a398a6c6 100644 --- a/roles/1-prep/tasks/main.yml +++ b/roles/1-prep/tasks/main.yml @@ -18,7 +18,7 @@ name: iiab-admin #when: iiab_admin_install # Flag might be created in future? -- name: dnsmasq (install now, configure LATER in 'network', after Stage 9) +- name: Install dnsmasq -- configure LATER in 'network', after Stage 9 include_tasks: roles/network/tasks/dnsmasq.yml #when: dnsmasq_install # Flag might be used in future? From e02e89f01e5a4375d7cf3de84be734b93a881093 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 31 Jul 2021 20:06:01 -0400 Subject: [PATCH 6/6] 1-prep/tasks/main.yml: Mention raspberry_pi.yml --- roles/1-prep/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml index 3a398a6c6..5366f7d97 100644 --- a/roles/1-prep/tasks/main.yml +++ b/roles/1-prep/tasks/main.yml 
@@ -24,7 +24,7 @@ - include_tasks: uuid.yml - include_tasks: ubermix.yml -- include_tasks: hardware.yml +- include_tasks: hardware.yml # Can run raspberry_pi.yml # Debian 10 "Buster" is apparently enabling AppArmor in 2019: