external/iiab
1
0
Fork 0
mirror of https://github.com/iiab/iiab.git synced 2025-03-09 15:40:17 +00:00
Code Issues Releases Wiki Activity

Merge branch 'master' into mitra

Browse source
This commit is contained in:
A Holt 2019-05-25 01:11:24 -04:00 committed by GitHub
commit 32b849e34f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
140 changed files with 1099 additions and 715 deletions
Download patch file Download diff file Expand all files Collapse all files

14
install-support
View file

@ -1,6 +1,14 @@
#!/bin/bash
PLAYBOOK="iiab-support.yml"
echo -e "\n\n\e[41m DEPRECATED PLEASE RUN 'iiab-support' INSTEAD \e[0m\n\n"
read -p "Continue? [y/N] " ans
if [ "$ans" != "y" ]; then
echo
exit
fi
PLAYBOOK="install-support.yml"
INVENTORY="ansible_hosts"
CWD=`pwd`
@ -12,7 +20,7 @@ if [ ! -f $PLAYBOOK ]; then
exit 1
fi
sed -i -e "s/openvpn_install: False/openvpn_install: True/" /etc/iiab/local_vars.yml
sed -i -e "s/openvpn_enabled: False/openvpn_enabled: True/" /etc/iiab/local_vars.yml
sed -i -e "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml
sed -i -e "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml
ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local

4
iiab-support.yml → install-support.yml
View file

@ -1,4 +1,3 @@
---
- hosts: all
become: yes
@ -11,4 +10,5 @@
- { role: 0-init, tags: ['0-init'] }
#- { role: 1-prep, tags: ['1-prep', 'platform', 'base'] }
- { role: 1-prep, tags: ['1-prep'] }
#- { role: openvpn, tags: ['openvpn'] } # no longer nec, as 1-prep calls role openvpn (2018-09-19)
#- { role: openvpn, tags: ['openvpn'] } # FASTER ALTERNATIVE THAN 1-prep (if 1-prep was already run!)
# BETTER YET, SEE: /usr/bin/iiab-support for a much friendlier UX, that only runs 1-prep when necessary.

9
roles/0-init/defaults/main.yml
View file

@ -1,6 +1,7 @@
# Use these to tag a release at a point in time, for {{ iiab_env_file }}
iiab_base_ver: 7.0
iiab_revision: 0
# (PRE-)release version number, for {{ iiab_env_file }} = /etc/iiab/iiab.env
# iiab_base_ver: 7.0
# iiab_revision: 0
# ABOVE MOVED TO /opt/iiab/iiab/vars/default_vars.yml
# These entries should never be changed in this file.
# These are defaults for boolean routines.
@ -8,7 +9,7 @@ first_run: False
rpi_model: none
is_rpi: False
xo_model: none
gw_active: none
gw_active: False
internet_available: False
discovered_wan_iface: none

4
roles/0-init/tasks/hostname.yml
View file

@ -13,7 +13,7 @@
- name: 'Turn the crank for systemd: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}" (debuntu)'
shell: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}"
when: is_debuntu
when: is_debuntu | bool
- name: Install /etc/sysconfig/network from template (redhat)
template:
@ -22,7 +22,7 @@
owner: root
group: root
mode: 0644
when: is_redhat
when: is_redhat | bool
- name: Put hostnames "127.0.0.1 localhost.localdomain localhost box {{ iiab_hostname }}" in /etc/hosts
lineinfile:

28
roles/0-init/tasks/main.yml
View file

@ -14,7 +14,7 @@
# sections once and only once to preserve the install date and git hash.
- name: Create IIAB directory structure and {{ iiab_ini_file }}, if first_run
include_tasks: first_run.yml
when: first_run
when: first_run | bool
#- name: Loading computed_vars
# include_tasks: roles/0-init/tasks/computed_vars.yml
@ -92,7 +92,7 @@
- name: Set port 443 for Admin Console if adm_cons_force_ssl
set_fact:
gui_port: 443
when: adm_cons_force_ssl
when: adm_cons_force_ssl | bool
- name: Turn on both vars for MySQL (mandatory in Stage 3!)
set_fact:
@ -109,7 +109,7 @@
# set_fact:
# mongodb_install: True
# mongodb_enabled: True
# when: sugarizer_enabled
# when: sugarizer_enabled | bool
# There might be other db's
- name: Turn on both vars for PostgreSQL if moodle_enabled or pathagar_enabled
@ -127,12 +127,12 @@
- name: "Set python_path: /lib/python2.7/site-packages/ (redhat)"
set_fact:
python_path: /lib/python2.7/site-packages/
when: is_redhat
when: is_redhat | bool
- name: "Set python_path: /usr/local/lib/python2.7/dist-packages/ (debuntu)"
set_fact:
python_path: /usr/local/lib/python2.7/dist-packages/
when: is_debuntu
when: is_debuntu | bool
# For various reasons the mysql service cannot be enabled on Fedora 20, but
# 'mariadb', which is its real name can. On Fedora 18 we need to use 'mysqld'.
@ -154,7 +154,7 @@
#- name: "Set mysql_service: mysql (debuntu)"
# set_fact:
# mysql_service: mysql
# when: is_debuntu
# when: is_debuntu | bool
- name: "Set iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}"
set_fact:
@ -168,7 +168,7 @@
- name: Set hostname if FQDN_changed
include_tasks: hostname.yml
when: FQDN_changed
when: FQDN_changed | bool
- name: Add 'runtime' variable values to {{ iiab_ini_file }}
ini_file:
@ -202,21 +202,21 @@
- option: product_id
value: "{{ ansible_product_uuid }}"
- option: gw_active
value: "{{ gw_active }}"
value: "{{ gw_active }}"
- option: internet_available
value: "{{ internet_available }}"
value: "{{ internet_available }}"
- option: is_rpi
value: "{{ is_rpi }}"
value: "{{ is_rpi }}"
- option: first_run
value: "{{ first_run }}"
value: "{{ first_run }}"
- option: local_tz
value: "{{ local_tz }}"
value: "{{ local_tz }}"
- option: no_NM_reload
value: "{{ no_NM_reload }}"
- option: is_F18
value: "{{ is_F18 }}"
- option: FQDN_changed
value: "{{ FQDN_changed }}"
value: "{{ FQDN_changed }}"
- name: Add 'runtime' variable 'is_VM' value if defined, to {{ iiab_ini_file }}
ini_file:
@ -226,7 +226,7 @@
value: "{{ item.value }}"
with_items:
- option: is_VM
value: "yes"
value: "yes"
when: is_VM is defined
- name: STAGE 0 HAS COMPLETED ======================================

16
roles/1-prep/tasks/main.yml
View file

@ -9,7 +9,7 @@
- uuid-runtime
- sudo
state: present
when: is_debuntu
when: is_debuntu | bool
- name: Does /etc/iiab/uuid file exist?
stat:
@ -44,8 +44,8 @@
- name: Does 'ubermix' exist in /etc/lsb-release?
shell: grep -i ubermix /etc/lsb-release # Pipe to cat to avoid red errors?
register: grep_ubermix
failed_when: false # Universal way to hide alarmist red errors!
#ignore_errors: true
failed_when: False # Universal way to hide alarmist red errors!
#ignore_errors: True
#check_mode: no
#- debug:
@ -77,7 +77,7 @@
- name: OPENVPN
include_role:
name: openvpn
when: openvpn_install
when: openvpn_install | bool
tags: openvpn
# for rpi, without rtc, we need time as soon as possible
@ -100,14 +100,14 @@
# https://wiki.debian.org/AppArmor/HowToUse
# https://packages.debian.org/buster/apparmor
# Curiously this has NOT stopped IIAB 7.0/master from working on Debian 10
# pre-releases, during @floydianslips' March 2019 testing anyway!
# pre-releases, during @floydianslips' March 2019 testing anyway! SEE #1387
- name: Disable AppArmor -- override OS default (ubuntu)
service:
name: apparmor
enabled: False
state: stopped
when: is_ubuntu
ignore_errors: true
when: is_ubuntu | bool
ignore_errors: True
- name: Disable SELinux on next boot (OS's other than debuntu)
selinux:
@ -127,7 +127,7 @@
- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
register: usb_NUC6
ignore_errors: true
ignore_errors: True
- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6 # iiab_download_url is http://download.iiab.io/packages
get_url:

4
roles/1-prep/tasks/raspberry_pi.yml
View file

@ -37,14 +37,14 @@
path: /etc/dphys-swapfile
regexp: "^CONF_SWAPSIZE"
line: CONF_SWAPSIZE=500
when: is_debuntu
when: is_debuntu | bool
- name: Restart swap service "dphys-swapfile" (debuntu)
#command: /etc/init.d/dphys-swapfile restart
service: # A rare/legacy service that is NOT systemd
name: dphys-swapfile
state: restarted
when: is_debuntu
when: is_debuntu | bool
- name: Install RPi rootfs resizing (iiab-rpi-max-rootfs.sh) and its systemd service (iiab-rpi-root-resize.service), from templates
template:

2
roles/2-common/tasks/fl.yml
View file

@ -14,8 +14,10 @@
- "{{ downloads_dir }}"
- /library/downloads/zims
- /library/downloads/rachel
- /library/downloads/maps
- /library/working/zims
- /library/working/rachel
- /library/working/maps
- "{{ iiab_zim_path }}/content"
- "{{ iiab_zim_path }}/index"
- "{{ doc_root }}/local_content"

4
roles/2-common/tasks/iptables.yml
View file

@ -35,7 +35,7 @@
package:
name: iptables-persistent
state: present
when: is_debuntu
when: is_debuntu | bool
tags:
- download
@ -60,4 +60,4 @@
src: iptables
dest: /etc/network/if-pre-up.d/iptables
mode: 0755
when: is_debuntu
when: is_debuntu | bool

4
roles/2-common/tasks/packages.yml
View file

@ -12,7 +12,7 @@
- xml-common
- yum-utils
state: present
when: is_redhat
when: is_redhat | bool
- name: Install {{ iiab_download_url }}/usbmount_0.0.14.1_all.deb, missing from Debian (debian-9 or debian-10, if NOT rpi)
apt:
@ -31,7 +31,7 @@
- libnss-mdns
- wpasupplicant
state: present
when: is_debuntu
when: is_debuntu | bool
- name: "Install 22 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, rsync, sudo, tar, unzip, usbmount, usbutils, wget"
package:

14
roles/2-common/tasks/yum-historical.yml
View file

@ -13,18 +13,18 @@
- name: get the createrepo program
package: name=createrepo
state=present
when: is_redhat
when: is_redhat | bool
- name: Create local repo
shell: createrepo {{ yum_packages_dir }}
when: is_redhat
when: is_redhat | bool
- name: Install local repo file.
template: dest=/etc/yum.repos.d/iiab-local.repo
src=local.repo
owner=root
mode=0644
when: is_redhat
when: is_redhat | bool
- name: Install yum packages
package: name={{ item }}
@ -36,7 +36,7 @@
- linux-firmware
- syslog
- xml-common
when: is_redhat
when: is_redhat | bool
- name: Install yum packages for Debian
package: name={{ item }}
@ -44,7 +44,7 @@
with_items:
- inetutils-syslogd
- wpasupplicant
when: is_debuntu
when: is_debuntu | bool
- name: Install common packages
package: name={{ item }}
@ -82,7 +82,7 @@
- glibc # CVE-2015-7547
- bash
- iptables
when: is_redhat
when: is_redhat | bool
- name: Update common packages (debian)
package: name={{ item }}
@ -91,7 +91,7 @@
- libc6
- bash
- iptables
when: is_debuntu
when: is_debuntu | bool
# instuctions state to start with a fully updated system before starting, stop using

18
roles/4-server-options/tasks/main.yml
View file

@ -5,27 +5,27 @@
- name: Install dnsmasq
include_tasks: roles/network/tasks/dnsmasq.yml
when: dnsmasq_install
when: dnsmasq_install | bool
tags: base, domain, dnsmasq, network
- name: Install named / BIND
include_tasks: roles/network/tasks/named.yml
when: named_install
when: named_install | bool
tags: base, named, network, domain
- name: Installing captive portal
include_tasks: roles/captive-portal/tasks/main.yml
when: captive_portal_install
when: captive_portal_install | bool
tags: base, captive-portal, network, domain
- name: Installing dhcpd
include_tasks: roles/network/tasks/dhcpd.yml
when: dhcpd_install
when: dhcpd_install | bool
tags: base, dhcpd, network, domain
- name: Install Squid (and DansGuardian if dansguardian_install)
include_tasks: roles/network/tasks/squid.yml
when: squid_install
when: squid_install | bool
tags: base, squid, network, domain
# NETWORK moved to the very end, after Stage 9 (9-LOCAL-ADDONS)
@ -47,7 +47,7 @@
- name: POSTGRESQL
include_role:
name: postgresql
when: postgresql_install
when: postgresql_install | bool
tags: postgresql, pathagar, moodle
# UNMAINTAINED
@ -60,19 +60,19 @@
- name: CUPS
include_role:
name: cups
when: cups_install
when: cups_install | bool
tags: cups
- name: SAMBA
include_role:
name: samba
when: samba_install
when: samba_install | bool
tags: samba
- name: USB-LIB
include_role:
name: usb-lib
when: usb_lib_install
when: usb_lib_install | bool
tags: usb-lib
- name: Run /usr/bin/iiab-refresh-wiki-docs (scraper script) to create http://box/info offline documentation. (This script was installed at the beginning of Stage 3 = roles/3-base-server/tasks/main.yml, which ran Apache playbook = roles/httpd/tasks/main.yml)

6
roles/5-xo-services/tasks/main.yml
View file

@ -6,19 +6,19 @@
- name: ACTIVITY-SERVER
include_role:
name: activity-server
when: activity_server_install
when: activity_server_install | bool
tags: olpc, activity-server
- name: EJABBERD_XS
include_role:
name: ejabberd_xs
when: ejabberd_xs_install
when: ejabberd_xs_install | bool
tags: olpc, ejabberd-xs
- name: IDMGR
include_role:
name: idmgr
when: idmgr_install
when: idmgr_install | bool
tags: olpc, idmgr
- name: Recording STAGE 5 HAS COMPLETED =====================

24
roles/6-generic-apps/tasks/main.yml
View file

@ -6,73 +6,73 @@
- name: DOKUWIKI
include_role:
name: dokuwiki
when: dokuwiki_install
when: dokuwiki_install | bool
tags: dokuwiki
- name: MEDIAWIKI
include_role:
name: mediawiki
when: mediawiki_install
when: mediawiki_install | bool
tags: mediawiki
- name: EJABBERD
include_role:
name: ejabberd
when: ejabberd_install
when: ejabberd_install | bool
tags: ejabberd
- name: ELGG
include_role:
name: elgg
when: elgg_install
when: elgg_install | bool
tags: elgg
- name: GITEA
include_role:
name: gitea
when: gitea_install
when: gitea_install | bool
tags: gitea
- name: LOKOLE
include_role:
name: lokole
when: lokole_install
when: lokole_install | bool
tags: lokole
- name: MOSQUITTO
include_role:
name: mosquitto
when: mosquitto_install
when: mosquitto_install | bool
tags: mosquitto
- name: NODE-RED
include_role:
name: nodered
when: nodered_install
when: nodered_install | bool
tags: nodered
- name: NEXTCLOUD
include_role:
name: nextcloud
when: nextcloud_install
when: nextcloud_install | bool
tags: nextcloud
#- name: OWNCLOUD
# include_role:
# name: owncloud
# when: owncloud_install
# when: owncloud_install | bool
# tags: owncloud
- name: PBX
include_role:
name: pbx
when: pbx_install
when: pbx_install | bool
tags: pbx
- name: WORDPRESS
include_role:
name: wordpress
when: wordpress_install
when: wordpress_install | bool
tags: wordpress
- name: Recording STAGE 6 HAS COMPLETED ====================

20
roles/7-edu-apps/tasks/main.yml
View file

@ -6,39 +6,39 @@
- name: KALITE
include_role:
name: kalite
when: kalite_install
when: kalite_install | bool
tags: kalite
- name: KOLIBRI
include_role:
name: kolibri
when: kolibri_install
when: kolibri_install | bool
tags: kolibri
- name: KIWIX
include_role:
name: kiwix
when: kiwix_install
when: kiwix_install | bool
tags: kiwix
- name: MOODLE
include_role:
name: moodle
when: moodle_install
when: moodle_install | bool
tags: olpc, moodle
- name: OSM_VECTOR
- name: OSM-VECTOR-MAPS
include_role:
name: osm-vector
when: osm_vector_install is defined and osm_vector_install
tags: osm
name: osm-vector-maps
when: osm_vector_maps_install | bool
tags: osm, maps
# UNMAINTAINED
- name: OSM
include_role:
name: osm
when: osm_install is defined and osm_install
tags: osm
tags: osm, maps
# UNMAINTAINED
- name: PATHAGAR
@ -50,7 +50,7 @@
- name: SUGARIZER
include_role:
name: sugarizer
when: sugarizer_install
when: sugarizer_install | bool
tags: sugarizer
- name: Recording STAGE 7 HAS COMPLETED ========================

12
roles/8-mgmt-tools/tasks/main.yml
View file

@ -6,31 +6,31 @@
- name: TRANSMISSION
include_role:
name: transmission
when: transmission_install
when: transmission_install | bool
tags: transmission
- name: AWSTATS
include_role:
name: awstats
when: awstats_install
when: awstats_install | bool
tags: awstats
- name: MONIT
include_role:
name: monit
when: monit_install
when: monit_install | bool
tags: monit
- name: MUNIN
include_role:
name: munin
when: munin_install
when: munin_install | bool
tags: munin
- name: PHPMYADMIN
include_role:
name: phpmyadmin
when: phpmyadmin_install
when: phpmyadmin_install | bool
tags: phpmyadmin
# UNMAINTAINED
@ -50,7 +50,7 @@
- name: VNSTAT
include_role:
name: vnstat
when: vnstat_install
when: vnstat_install | bool
tags: vnstat
# UNMAINTAINED

6
roles/9-local-addons/tasks/main.yml
View file

@ -6,19 +6,19 @@
- name: CALIBRE
include_role:
name: calibre
when: calibre_install
when: calibre_install | bool
tags: calibre
- name: CALIBRE-WEB
include_role:
name: calibre-web
when: calibreweb_install
when: calibreweb_install | bool
tags: calibre-web
- name: MINETEST
include_role:
name: minetest
when: minetest_install
when: minetest_install | bool
tags: minetest
- name: INTERNETARCHIVE

2
roles/activity-server/tasks/main.yml
View file

@ -79,7 +79,7 @@
- name: enable mod_expires for debian
command: a2enmod expires
when: is_debuntu
when: is_debuntu | bool
- name: create the link which enables the site
file: src=/etc/apache2/sites-available/xs-activity-server.conf

2
roles/ajenti/tasks/ajenti-wondershaper.yml
View file

@ -1,3 +1,3 @@
- name: Install wondershaper ajenti plugin
pip: name="{{ iiab_download_url }}"/ajenti-plugin-wondershaper-0.3.tar.gz
when: internet_available
when: internet_available | bool

2
roles/ajenti/tasks/main.yml
View file

@ -45,7 +45,7 @@
service: name=ajenti
enabled=yes
state=restarted
when: ajenti_enabled
when: ajenti_enabled | bool
- name: Add 'ajenti' variable values to {{ iiab_ini_file }}
ini_file:

4
roles/authserver/tasks/main.yml
View file

@ -4,7 +4,7 @@
- name: Install xs-authserver from pypi
pip: name=xs-authserver
when: internet_available
when: internet_available | bool
- name: install gunicorn
package: name=python-gunicorn
@ -48,7 +48,7 @@
service: name=xs-authserver
state=restarted
enabled=yes
when: authserver_enabled
when: authserver_enabled | bool
- name: Add 'authserver' variable values to {{ iiab_ini_file }}
ini_file:

14
roles/awstats/tasks/install.yml
View file

@ -14,13 +14,13 @@
- libapache2-mod-authnz-external
- apache2-utils
state: present
when: is_debuntu
when: is_debuntu | bool
tags:
- download
- name: Enable cgi execution (debuntu)
command: a2enmod cgi
when: is_debuntu
when: is_debuntu | bool
- name: 'Mandate {{ apache_user }}:{{ apache_user }} perm 0750 dirs: {{ awstats_data_dir }} (intermediate summary storage) & {{ apache_log_dir }}' # /library/awstats & /var/log/apache2 typically
file:
@ -29,8 +29,8 @@
owner: "{{ apache_user }}"
group: "{{ apache_user }}"
state: directory
recurse: true
force: true
recurse: yes
force: yes
with_items:
- "{{ awstats_data_dir }}"
- "{{ apache_log_dir }}"
@ -57,7 +57,7 @@
template:
src: logrotate.d.apache2
dest: /etc/logrotate.d/apache2
when: is_debuntu
when: is_debuntu | bool
- name: Check if package installed /etc/awstats/awstats.conf
stat:
@ -94,14 +94,14 @@
owner: root
group: root
mode: 0644
when: awstats_enabled
when: awstats_enabled | bool
- name: Create a symlink /etc/awstats/awstats.conf for access by IP address
file:
src: /etc/awstats/awstats.schoolserver.conf
path: /etc/awstats/awstats.conf
state: link
when: awstats_enabled
when: awstats_enabled | bool
- name: On first enabling of AWStats, summarize httpd logs up to now (OS's other than debuntu)
shell: /bin/perl /usr/share/awstats/wwwroot/cgi-bin/awstats.pl -config=schoolserver -update

2
roles/awstats/tasks/main.yml
View file

@ -1,6 +1,6 @@
- name: Install AWStats if awstats_install
include_tasks: install.yml
when: awstats_install
when: awstats_install | bool
- name: Add 'awstats' variable values to {{ iiab_ini_file }}
ini_file:

18
roles/calibre-web/tasks/main.yml
View file

@ -3,7 +3,7 @@
name:
- imagemagick
state: present
when: is_debuntu
when: is_debuntu | bool
- name: Allow ImageMagick to read PDFs (debuntu)
lineinfile:
@ -12,7 +12,7 @@
backrefs: yes
line: ' <policy domain="coder" rights="read" pattern="PDF" />'
state: present
when: is_debuntu
when: is_debuntu | bool
- name: Create 3 Calibre-Web folders to store data and configuration files
file:
@ -35,7 +35,7 @@
#update: yes
depth: 1
version: master
when: internet_available
when: internet_available | bool
## Ansible Pip Bug: Cannot use 'chdir' with 'env' https://github.com/ansible/ansible/issues/37912 (Patch landed)
#- name: Download calibre-web dependencies into vendor subdirectory.
@ -51,7 +51,7 @@
requirements: "{{ calibreweb_venv_path }}/requirements.txt"
virtualenv: "{{ calibreweb_venv_path }}"
virtualenv_site_packages: no
when: internet_available
when: internet_available | bool
- name: Symlink {{ calibreweb_venv_path }}/vendor to {{ calibreweb_venv_path }}/lib/python2.7/site-packages to keep cps.py happy
file:
@ -87,7 +87,7 @@
- roles/calibre-web/files/metadata.db
- roles/calibre-web/files/metadata_db_prefs_backup.json
when: not metadatadb.stat.exists
#when: calibreweb_provision
#when: calibreweb_provision | bool
- name: Provision/Copy default admin settings to {{ calibreweb_config }}/app.db IF metadata.db did not exist # {{ calibreweb_config }} is /library/calibre-web/config
copy:
@ -98,7 +98,7 @@
mode: 0644
backup: yes
when: not metadatadb.stat.exists
#when: calibreweb_provision
#when: calibreweb_provision | bool
- name: Enable & Restart 'calibre-web' systemd service
systemd:
@ -106,17 +106,17 @@
daemon_reload: yes
enabled: yes
state: restarted
when: calibreweb_enabled
when: calibreweb_enabled | bool
# Default: http://box/books
# SEE ALSO: https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy
- name: Enable http://box{{ calibreweb_url }} with Apache
command: a2ensite calibre-web.conf
when: calibreweb_enabled
when: calibreweb_enabled | bool
#- name: Restart Apache after enabling calibre-web httpd2 site
# command: apachectl -k graceful
# when: calibreweb_enabled
# when: calibreweb_enabled | bool
- name: Disable 'calibre-web' systemd service
systemd:

4
roles/calibre/tasks/main.yml
View file

@ -64,7 +64,7 @@
state: stopped
#enabled: no
#register: command_result # gist.github.com/tyrells/0a79681de339237cb04c
#failed_when: false # Never Fail during "systemctl stop calibre-serve" (even if service doesn't exist!)
#failed_when: False # Never Fail during "systemctl stop calibre-serve" (even if service doesn't exist!)
#when: calibre_svc.stat.exists
# 3. CREATE USER DATABASE
@ -121,7 +121,7 @@
name: calibre-serve
enabled: yes
state: started
when: calibre_enabled
when: calibre_enabled | bool
#async: 900
#poll: 5

4
roles/calibre/tasks/py-installer.yml
View file

@ -12,7 +12,7 @@
backup: yes
timeout: "{{ download_timeout }}"
register: calibre_download_output
when: internet_available
when: internet_available | bool
# ALWAYS DEFINED, DESPITE get_url DOCUMENTATION CLAIM...
# - debug:
@ -53,4 +53,4 @@
shell: "{{ downloads_dir }}/calibre-installer.py >> /dev/null"
#args:
# creates: /usr/bin/calibre-uninstall
when: internet_available
when: internet_available | bool

12
roles/captive-portal/tasks/main.yml
View file

@ -10,7 +10,7 @@
package:
name: libapache2-mod-wsgi
state: present
when: is_debuntu
when: is_debuntu | bool
- name: Install mod_wsgi (not debuntu)
package:
@ -70,7 +70,7 @@
owner: root
group: root
mode: 0644
when: captive_portal_enabled
when: captive_portal_enabled | bool
- name: Enable Apache's captive-portal.conf if captive_portal_enabled (debuntu)
file:
@ -92,7 +92,7 @@
# daemon-reload: yes
# enabled: yes
# state: started
# when: captive_portal_enabled
# when: captive_portal_enabled | bool
#- name: Disable & Stop captive-portal.service if not captive_portal_enabled
# systemd:
@ -128,7 +128,7 @@
# systemd:
# name: dnsmasq
# state: restarted
# when: dnsmasq_enabled
# when: dnsmasq_enabled | bool
# ABOVE DOES NOT WORK ON UBUNTU 16.04 -- what follows is a crude hack (seems to work!)
@ -136,11 +136,11 @@
systemd:
name: dnsmasq
state: stopped
when: dnsmasq_enabled
when: dnsmasq_enabled | bool
- name: Start dnsmasq
systemd:
name: dnsmasq
state: started
when: dnsmasq_enabled
when: dnsmasq_enabled | bool

4
roles/cups/tasks/main.yml
View file

@ -3,7 +3,7 @@
package:
name: cups
state: present
when: cups_install
when: cups_install | bool
tags:
- download
@ -43,7 +43,7 @@
- name: Permit headless admin of CUPS -- only works when CUPS daemon is running
shell: "cupsctl --remote-admin"
when: cups_enabled
when: cups_enabled | bool
- name: Disable both CUPS services (OS's other than Fedora 18)
systemd:

4
roles/docker/tasks/main.yml
View file

@ -4,7 +4,7 @@
with_items:
- docker
- python-docker-py
when: docker_install
when: docker_install | bool
tags: download
- name: put the systemd startup file in place
@ -32,7 +32,7 @@
service: name=docker
state=started
enabled=true
when: docker_enabled
when: docker_enabled | bool
- name: Disable docker
service: name=docker

4
roles/dokuwiki/tasks/install.yml
View file

@ -3,7 +3,7 @@
url: "{{ iiab_download_url }}/{{ dokuwiki_version }}.tgz"
dest: "{{ downloads_dir }}/"
timeout: "{{ download_timeout }}"
when: internet_available
when: internet_available | bool
- name: Unarchive (unpack) it to /library/{{ dokuwiki_version }}
unarchive:
@ -25,7 +25,7 @@
template:
src: dokuwiki.conf.j2
dest: "/etc/{{ apache_config_dir }}/dokuwiki.conf"
when: dokuwiki_enabled
when: dokuwiki_enabled | bool
- name: Symlink /etc/apache2/sites-enabled/dokuwiki.conf to /etc/apache2/sites-available/dokuwiki.conf if dokuwiki_enabled (debuntu)
file:

2
roles/dokuwiki/tasks/main.yml
View file

@ -1,6 +1,6 @@
- name: Install DokuWiki
include_tasks: install.yml
when: dokuwiki_install
when: dokuwiki_install | bool
- name: Add 'dokuwiki' variable values to {{ iiab_ini_file }}
ini_file:

4
roles/ejabberd/tasks/main.yml
View file

@ -36,7 +36,7 @@
# src: ejabberd-iiab.init
# dest: /etc/init.d/ejabberd-iiab
# mode: 0755
# when: is_debuntu
# when: is_debuntu | bool
#- name: Put the startup script in place - non debian
# template:
@ -73,7 +73,7 @@
#name: ejabberd-iiab
state: restarted
enabled: yes
when: ejabberd_enabled
when: ejabberd_enabled | bool
#when: ejabberd_config.changed and ejabberd_enabled
#- name: Wait for ejabberd service start

4
roles/elgg/tasks/main.yml
View file

@ -9,7 +9,7 @@
url: "{{ iiab_download_url }}/elgg-{{ elgg_version }}.zip"
dest: "{{ downloads_dir }}"
timeout: "{{ download_timeout }}"
when: internet_available
when: internet_available | bool
- name: Check for existence of /opt/elgg-{{ elgg_version }}/index.php
stat:
@ -34,7 +34,7 @@
owner: "{{ apache_user }}"
group: "{{ apache_user }}"
state: link
force: true
force: yes
- name: 'Install /opt/elgg/elgg-config/settings.php from template (WARNING: overwrites manual settings!)'
template:

4
roles/gitea/defaults/main.yml
View file

@ -8,7 +8,7 @@
# https://git.coolaj86.com/coolaj86/gitea-installer.sh
# Information needed to install Gitea
gitea_version: 1.8.0
gitea_version: 1.7.6
iset_suffixes:
i386: 386
x86_64: amd64
@ -54,4 +54,4 @@ gitea_log_root: "{{ gitea_root_directory }}/log"
# Extra configuration
gitea_display_name: Internet-in-a-Box Gitea
skip_install_screen: true
skip_install_screen: true # lowercase for Gitea's own /etc/gitea/app.ini

6
roles/gitea/tasks/install.yml
View file

@ -59,7 +59,7 @@
mode: 0775
tags:
- install
when: internet_available
when: internet_available | bool
- name: Download Gitea GPG signature
get_url:
@ -68,7 +68,7 @@
tags:
- never
- verify
when: internet_available
when: internet_available | bool
- name: Verify Gitea binary with GPG signature
shell: |
@ -131,7 +131,7 @@
name: gitea
enabled: yes
state: restarted
when: gitea_enabled
when: gitea_enabled | bool
- name: Disable 'gitea' service
systemd:

2
roles/gitea/tasks/main.yml
View file

@ -1,3 +1,3 @@
- name: Install Gitea {{ gitea_version }} if gitea_install
include_tasks: install.yml
when: gitea_install
when: gitea_install | bool

2
roles/homepage/tasks/main.yml
View file

@ -16,4 +16,4 @@
src: "/etc/{{ apache_config_dir }}/iiab-homepage.conf"
path: /etc/apache2/sites-enabled/iiab-homepage.conf
state: link
when: is_debuntu
when: is_debuntu | bool

22
roles/httpd/tasks/main.yml
View file

@ -7,7 +7,7 @@
- "php{{ php_version }}"
- "php{{ php_version }}-curl"
state: present
when: is_debian
when: is_debian | bool
tags:
- download
@ -19,7 +19,7 @@
- apache2
- php
state: present
when: is_ubuntu
when: is_ubuntu | bool
tags:
- download
@ -44,7 +44,7 @@
- php
- php-curl
state: present
when: is_redhat
when: is_redhat | bool
tags:
- download
@ -68,7 +68,7 @@
path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
when: apache_high_php_limits
when: apache_high_php_limits | bool
with_items:
- { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M ; default is 2M' }
- { regexp: '^post_max_size', line: 'post_max_size = 500M ; default is 8M' }
@ -84,7 +84,7 @@
with_items:
- mpm_event.conf
- mpm_event.load
when: is_debuntu
when: is_debuntu | bool
- name: Create both mpm_prefork symlinks from /etc/apache2/mods-enabled to /etc/apache2/mods-available (debuntu)
file:
@ -94,7 +94,7 @@
with_items:
- mpm_prefork.conf
- mpm_prefork.load
when: is_debuntu
when: is_debuntu | bool
- name: 'Turn on mod_proxy using a2enmod with: proxy, proxy_html, headers, rewrite (debuntu)'
command: a2enmod {{ item }}
@ -103,14 +103,14 @@
- proxy_html
- headers
- rewrite
when: is_debuntu
when: is_debuntu | bool
- name: Enable our site, creating 010-iiab.conf symlink from sites-enabled to sites-available (debuntu)
file:
src: "/etc/{{ apache_config_dir }}/010-iiab.conf"
path: /etc/apache2/sites-enabled/010-iiab.conf
state: link
when: is_debuntu
when: is_debuntu | bool
- name: Remove 000-default.conf from /etc/apache2 and /etc/apache2/sites-enabled (debuntu)
file:
@ -119,7 +119,7 @@
with_items:
- /etc/apache2/000-default.conf # Not nec on Raspbian. Is this really still needed elsewhere?
- /etc/apache2/sites-enabled/000-default.conf
when: is_debuntu
when: is_debuntu | bool
- name: Create Apache's pid dir /var/run/{{ apache_user }}
file:
@ -178,7 +178,7 @@
path: /etc/apache2/sites-enabled/osm.conf
#path: "/etc/{{ apache_service }}/sites-enabled/osm.conf"
state: link
when: is_debuntu
when: is_debuntu | bool
- include_tasks: html.yml
tags:
@ -200,7 +200,7 @@
src: 020_apache_poweroff.j2
dest: /etc/sudoers.d/020_apache_poweroff
mode: 0755
when: apache_allow_sudo
when: apache_allow_sudo | bool
- name: Remove {{ apache_user }} (per variable apache_user) permission to poweroff, removing /etc/sudoers.d/020_apache_poweroff
file:

4
roles/httpd/tasks/php-stem.yml
View file

@ -5,7 +5,7 @@
#- name: Download php-stem.rpi.tar
# command: cd /; wget http://download.iiab.io/packages/php-stem.rpi.tar
# when: is_rpi
# when: is_rpi | bool
#- name: Download php-stem.x86.tar
# command: cd /; wget http://download.iiab.io/packages/php-stem.x64.tar
@ -19,7 +19,7 @@
group: root
#mode: ????
remote_src: yes
when: is_rpi
when: is_rpi | bool
- name: Unarchive http://download.iiab.io/packages/php-stem.x64.tar to / (debian-9 on x86_64 only)
unarchive:

2
roles/idmgr/tasks/main.yml
View file

@ -44,7 +44,7 @@
with_items:
- idmgr
- xinetd
when: xo_services_enabled
when: xo_services_enabled | bool
- name: Disable idmgr service
service: name={{ item }}

2
roles/iiab-admin/tasks/admin-user.yml
View file

@ -14,7 +14,7 @@
group:
name: sudo
state: present
when: is_redhat
when: is_redhat | bool
- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo'
user:

2
roles/iiab-admin/tasks/main.yml
View file

@ -1,7 +1,7 @@
- include_tasks: admin-user.yml
tags:
- base
when: iiab_admin_user_install
when: iiab_admin_user_install | bool
- include_tasks: access.yml
tags:

2
roles/kalite/tasks/install-f18.yml
View file

@ -7,7 +7,7 @@
with_items:
- python-psutil
- expect
when: is_F18
when: is_F18 | bool
- name: Install dependent pip packages (Fedora 18)
pip:

2
roles/kalite/tasks/install.yml
View file

@ -12,7 +12,7 @@
url: "{{ kalite_requirements }}"
dest: "{{ pip_packages_dir }}/kalite.txt"
timeout: "{{ download_timeout }}"
when: internet_available
when: internet_available | bool
#- name: Install KA Lite non-static + reqs file with pip - (debuntu)
# pip: requirements={{ pip_packages_dir }}/kalite.txt

2
roles/kalite/tasks/main.yml
View file

@ -5,7 +5,7 @@
- name: Set KA Lite's SQLite filename (Fedora 18)
set_fact:
kalite_db_name: "{{ kalite_root }}/kalite/database/data.sqlite"
when: is_F18
when: is_F18 | bool
- name: Set KA Lite's SQLite filename (OS's other than Fedora 18)
set_fact:

6
roles/kiwix/defaults/main.yml
View file

@ -10,9 +10,9 @@
# Which kiwix-tools to download from http://download.iiab.io/packages/
# As obtained from http://download.kiwix.org/release/kiwix-tools/ or http://download.kiwix.org/nightly/
kiwix_version_armhf: "kiwix-tools_linux-armhf-1.2.0"
kiwix_version_linux64: "kiwix-tools_linux-x86_64-1.2.0"
kiwix_version_i686: "kiwix-tools_linux-i586-1.2.0"
kiwix_version_armhf: "kiwix-tools_linux-armhf-1.2.1"
kiwix_version_linux64: "kiwix-tools_linux-x86_64-1.2.1"
kiwix_version_i686: "kiwix-tools_linux-i586-1.2.1"
# kiwix_src_file_i686: "kiwix-linux-i686.tar.bz2"
# v0.9 for i686 published May 2014 ("use it to test legacy ZIM content")
# v0.10 for i686 published Oct 2016 ("experimental") REPLACED IN EARLY 2018, thx to Matthieu Gautier:

12
roles/kiwix/tasks/kiwix_install.yml
View file

@ -47,7 +47,7 @@
owner: root
group: root
force: no
when: kiwix_force_install
when: kiwix_force_install | bool
- name: Create {{ kiwix_path }}/bin directory # /opt/iiab/kiwix/bin
file:
@ -65,11 +65,11 @@
dest: /tmp
owner: root
group: root
when: kiwix_force_install
when: kiwix_force_install | bool
- name: Move /tmp/{{ kiwix_src_dir }}/* to permanent location /opt/iiab/kiwix/bin (armhf & linux64 & i686)
shell: "mv /tmp/{{ kiwix_src_dir }}/* {{ kiwix_path }}/bin/"
when: kiwix_force_install
when: kiwix_force_install | bool
# 3. ENABLE MODS FOR APACHE PROXY IF DEBUNTU
@ -81,7 +81,7 @@
- proxy_html
- proxy_http
- rewrite
when: is_debuntu
when: is_debuntu | bool
# 4. CREATE/ENABLE/RESTART (OR DISABLE) KIWIX SERVICE & ITS CRON JOB
@ -106,14 +106,14 @@
src: /etc/apache2/sites-available/kiwix.conf
path: /etc/apache2/sites-enabled/kiwix.conf
state: link
when: is_debuntu
when: is_debuntu | bool
- name: Enable & Restart 'kiwix-serve' service
service:
name: kiwix-serve
enabled: yes
state: restarted
when: kiwix_enabled
when: kiwix_enabled | bool
- name: Disable 'kiwix-serve' service
service:

2
roles/kiwix/tasks/main.yml
View file

@ -28,7 +28,7 @@
url: "{{ iiab_download_url }}/{{ kiwix_src_file }}"
dest: "{{ downloads_dir }}/{{ kiwix_src_file }}"
timeout: "{{ download_timeout }}"
when: internet_available
when: internet_available | bool
- name: Check for /opt/iiab/downloads/{{ kiwix_src_file }}
stat:

12
roles/kolibri/tasks/main.yml
View file

@ -27,17 +27,17 @@
virtualenv_site_packages: no
state: latest
extra_args: --no-cache-dir
when: internet_available
when: internet_available | bool
- name: Run Kolibri migrations
shell: export KOLIBRI_HOME="{{ kolibri_home }}" && "{{ kolibri_exec_path }}" manage migrate
ignore_errors: yes
when: kolibri_provision
when: kolibri_provision | bool
- name: Set Kolibri default language
shell: export KOLIBRI_HOME="{{ kolibri_home }}" && "{{ kolibri_exec_path }}" language setdefault "{{ kolibri_language }}"
ignore_errors: yes
when: kolibri_provision
when: kolibri_provision | bool
- name: Create Kolibri default facility name, admin account and language
shell: >
@ -46,7 +46,7 @@
--superusername "{{ kolibri_admin_user }}" --superuserpassword "{{ kolibri_admin_password }}"
--preset "{{ kolibri_preset }}" --language_id "{{ kolibri_language }}" --verbosity 0 --noinput
ignore_errors: yes
when: kolibri_provision
when: kolibri_provision | bool
- name: chown -R {{ kolibri_user }}:{{ apache_user }} {{ kolibri_home }}
file:
@ -72,12 +72,12 @@
enabled: yes
state: restarted
daemon_reload: yes
when: kolibri_enabled
when: kolibri_enabled | bool
# Default: http://box/kolibri
- name: Enable http://box{{ kolibri_url }} with Apache
command: a2ensite kolibri.conf
when: kolibri_enabled
when: kolibri_enabled | bool
- name: Disable kolibri service
systemd:

2
roles/lokole/defaults/main.yml
View file

@ -5,7 +5,7 @@
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
# Info needed to install Lokole
lokole_version: 0.1.41
lokole_version: 0.4.2
lokole_admin_user: admin # lowercase seems nec here (even though uppercase Admin/changeme is IIAB's OOB recommendation!)
lokole_admin_password: changeme
lokole_install_path: "{{ content_base }}/lokole" # /library/lokole

4
roles/lokole/tasks/install.yml
View file

@ -20,7 +20,7 @@
virtualenv_command: python3 -m venv "{{ lokole_venv }}"
tags:
- install
when: internet_available
when: internet_available | bool
- name: Compile translations
shell: |
@ -73,7 +73,7 @@
name: lokole
enabled: yes
state: restarted
when: lokole_enabled
when: lokole_enabled | bool
- name: Disable 'lokole' service, if not lokole_enabled
systemd:

2
roles/lokole/tasks/main.yml
View file

@ -1,3 +1,3 @@
- name: Install Lokole {{ lokole_version }} if lokole_install
include_tasks: install.yml
when: lokole_install
when: lokole_install | bool

2
roles/mediawiki/tasks/install.yml
View file

@ -14,7 +14,7 @@
timeout: "{{ download_timeout }}"
#force: yes
#backup: yes
when: internet_available
when: internet_available | bool
- name: Unpack it to permanent location {{ mediawiki_abs_path }}
unarchive:

2
roles/mediawiki/tasks/main.yml
View file

@ -1,3 +1,3 @@
- name: Install MediaWiki {{ mediawiki_version }} if mediawiki_install
include_tasks: install.yml
when: mediawiki_install
when: mediawiki_install | bool

2
roles/minetest/tasks/calc_vars.yml
View file

@ -7,7 +7,7 @@
# only works if server run as root
minetest_runas_user: root
minetest_runas_group: root
when: is_rpi
when: is_rpi | bool
# For other installs
- name: Set some facts for other platforms

2
roles/minetest/tasks/main.yml
View file

@ -78,7 +78,7 @@
name: minetest-server
enabled: yes
state: restarted
when: minetest_enabled
when: minetest_enabled | bool
- name: Disable 'minetest-server' service
systemd:

2
roles/minetest/tasks/minetest_install.yml
View file

@ -24,7 +24,7 @@
line: "{{ item.line }}"
with_items:
- { regexp: '^mg_name = ', line: 'mg_name = flat' }
when: minetest_flat_world
when: minetest_flat_world | bool
- name: Create /library/games/minetest/worlds/world
file:

2
roles/minetest/tasks/rpi_minetest_install.yml
View file

@ -49,4 +49,4 @@
with_items:
- { src: 'minetest.conf.j2', dest: '/etc/minetest/minetest.conf' }
- { src: 'minetest-server.service.j2', dest: '/etc/systemd/system/minetest-server.service' }
when: minetest_install
when: minetest_install | bool

6
roles/mongodb/tasks/main.yml
View file

@ -90,7 +90,7 @@
group:
name: mongodb
state: present
when: is_rpi
when: is_rpi | bool
- name: Create Linux user mongodb (rpi)
user:
@ -99,7 +99,7 @@
groups: mongodb
home: /var/lib/mongodb
shell: /usr/sbin/nologin
when: is_rpi
when: is_rpi | bool
# 2. CONFIGURE FOR IIAB
@ -137,7 +137,7 @@
daemon_reload: yes
enabled: yes
state: restarted
when: mongodb_enabled
when: mongodb_enabled | bool
- name: Disable 'mongodb' service, if not mongodb_enabled
systemd:

4
roles/monit/tasks/main.yml
View file

@ -22,7 +22,7 @@
group: root
mode: 0600
- name: Install config file /etc/monit.d/watchdog from template
- name: Install config file /etc/monit.d/watchdog from template (NEVER RUNS, WHY?)
template:
src: watchdog
dest: /etc/monit.d/watchdog
@ -31,7 +31,7 @@
force: yes
mode: 0755
register: monit_config
when: false
when: False # IS THIS A BUG ?
until: monit_config | success
retries: 5
delay: 1

8
roles/moodle/tasks/main.yml
View file

@ -18,7 +18,7 @@
# mbstring is now included in php-cli
- php{{ php_version }}-cli
state: present
when: is_debuntu
when: is_debuntu | bool
- name: "Install package: php{{ php_version }}-zip (ubuntu or debian-9+)"
package:
@ -28,7 +28,7 @@
- name: "Install package: php-pclzip (debian-8)"
package:
name: php-pclzip
when: is_debian_8
when: is_debian_8 | bool
- name: Determine if Moodle is already downloaded
stat:
@ -80,7 +80,7 @@
owner: root
group: root
mode: 0644
when: moodle_enabled
when: moodle_enabled | bool
- name: Create symlink 022-moodle.conf from sites-enabled to sites-available, if moodle_enabled (debuntu)
file:
@ -131,7 +131,7 @@
name: postgresql-iiab
state: restarted
enabled: yes
when: moodle_enabled
when: moodle_enabled | bool
- name: Restart Apache service ({{ apache_service }})
service:

12
roles/mosquitto/tasks/main.yml
View file

@ -5,7 +5,7 @@
with_items:
- mosquitto
- mosquitto-clients
when: mosquitto_install
when: mosquitto_install | bool
tags: download
- name: Disable & Stop 'mosquitto' service
@ -13,18 +13,18 @@
name: mosquitto
enabled: no
state: stopped
when: mosquitto_install
when: mosquitto_install | bool
- name: Create (touch) file /etc/mosquitto/passwd
file:
path: /etc/mosquitto/passwd
state: touch
mode: "u=rw,g=r,o=r" # 0644
when: mosquitto_install
when: mosquitto_install | bool
- name: Populate /etc/mosquitto/passwd with actual username/password
shell: mosquitto_passwd -b /etc/mosquitto/passwd "{{ mosquitto_user }}" "{{ mosquitto_password }}"
when: mosquitto_install
when: mosquitto_install | bool
- name: Install /etc/mosquitto/conf.d/websockets.conf from template
template:
@ -34,7 +34,7 @@
owner: root
group: root
mode: 0755
when: mosquitto_install
when: mosquitto_install | bool
- name: Enable & Start 'mosquitto' service
systemd:
@ -42,4 +42,4 @@
name: mosquitto
enabled: yes
state: started
when: mosquitto_enabled
when: mosquitto_enabled | bool

6
roles/munin/tasks/main.yml
View file

@ -9,7 +9,7 @@
state: present
tags:
- download
when: is_debuntu
when: is_debuntu | bool
- name: "Install 2 packages: munin, munin-node (OS's other than debuntu)"
package:
@ -45,7 +45,7 @@
name: munin-node
enabled: yes
state: started
when: munin_enabled
when: munin_enabled | bool
- name: Create symlink munin24.conf from sites-enabled to sites-available (debuntu)
file:
@ -79,7 +79,7 @@
- /usr/share/munin/plugins/mysql_queries
- /usr/share/munin/plugins/mysql_slowqueries
- /usr/share/munin/plugins/mysql_threads
when: mysql_enabled
when: mysql_enabled | bool
- name: Add 'munin' variable values to {{ iiab_ini_file }}
ini_file:

20
roles/mysql/tasks/main.yml
View file

@ -14,7 +14,7 @@
#- php{{ php_version }}-xml
- php{{ php_version }}-xmlrpc
state: present
when: is_debuntu
when: is_debuntu | bool
tags:
- download
@ -28,7 +28,7 @@
package:
name: php-xml-parser
state: present
when: is_debian_8
when: is_debian_8 | bool
- name: "Install packages: mysql, MySQL-python and 9 php packages (OS's other than debuntu)"
package:
@ -64,13 +64,13 @@
systemd:
name: "{{ mysql_service }}"
state: started
when: mysql_enabled
when: mysql_enabled | bool
- name: Enable MySQL systemd service (upon subsequent boots) if mysql_enabled
systemd:
name: "{{ mysql_service }}"
enabled: yes
when: mysql_enabled
when: mysql_enabled | bool
# 'localhost' needs to be the last item for idempotency, see
# http://ansible.cc/docs/modules.html#mysql-user
@ -81,7 +81,7 @@
host: localhost
password: "{{ mysql_root_password }}"
priv: "*.*:ALL,GRANT"
when: mysql_enabled
when: mysql_enabled | bool
- name: Install .my.cnf file from template, with root password credentials, if mysql_enabled
template:
@ -89,7 +89,7 @@
dest: /root/.my.cnf
owner: root
mode: 0600
when: mysql_enabled
when: mysql_enabled | bool
- name: Update MySQL root password for all remaining root accounts (127.0.0.1, ::1) if mysql_enabled
mysql_user:
@ -101,26 +101,26 @@
#- "{{ iiab_hostname }}.{{ iiab_domain }}"
- 127.0.0.1
- ::1
when: mysql_enabled
when: mysql_enabled | bool
- name: Delete anonymous MySQL server user for {{ ansible_hostname }}, if mysql_enabled
mysql_user:
user: ""
host: "{{ ansible_hostname }}"
state: absent
when: mysql_enabled
when: mysql_enabled | bool
- name: Delete anonymous MySQL server user for localhost, if mysql_enabled
mysql_user:
user: ""
state: absent
when: mysql_enabled
when: mysql_enabled | bool
- name: Remove the MySQL 'test' database, if mysql_enabled
mysql_db:
db: test
state: absent
when: mysql_enabled
when: mysql_enabled | bool
# we had to start mysql in order to configure it, now turn if off if not enabled
- name: Config is done but now DISABLE MySQL service, if not mysql_enabled

14
roles/network/tasks/avahi.yml
View file

@ -3,7 +3,7 @@
name: avahi
createhome: no
shell: /bin/false
when: is_debuntu
when: is_debuntu | bool
- name: Install avahi announce config file /etc/avahi/services/schoolserver.service
template:
@ -12,13 +12,19 @@
owner: avahi
group: avahi
mode: 0640
when: 'gui_wan == True'
#when: 'gui_wan == True'
when: ports_externally_visible|int >= 2
# Where "2" means "ssh + http-or-https (for Admin Console's box.lan/admin too)"
# SEE ~18 line explanation in box near:
# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L3-L20
# IF >= 2, Admin Console $gui_port from 0-init determines which port (http-or-https) is opened here:
# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L133-L138
- name: Find avahi_ver for clean copy of ssh.service (not debuntu)
shell: "ls /usr/share/doc/ | grep avahi | head -n1"
register: avahi_ver
ignore_errors: True
changed_when: false
changed_when: False
# when: not is_debuntu # would cause failures 6 lines below
- name: Grab a clean copy of ssh.service (not debuntu)
@ -31,7 +37,7 @@
copy:
src: /usr/share/doc/avahi-daemon/examples/ssh.service
dest: /etc/avahi/services/
when: is_debuntu
when: is_debuntu | bool
- name: Set ssh port for avahi
lineinfile:

5
roles/network/tasks/computed_network.yml
View file

@ -60,7 +60,8 @@
- name: Checking iiab_wan_enabled
set_fact:
user_wan_iface: "none"
when: 'not iiab_wan_enabled'
when: not iiab_wan_enabled
#when: 'not iiab_wan_enabled'
# gui wants LanController # keeps ifcfg-WAN but onboot=no
# the change over might be a little bumpy ATM.
@ -141,7 +142,7 @@
set_fact:
iiab_lan_iface: "br0"
iiab_wireless_lan_iface: "wlan0"
when: is_rpi
when: is_rpi | bool
- name: Enable hostapd if discovered_wireless_iface is not WAN
set_fact:

2
roles/network/tasks/dansguardian.yml
View file

@ -21,7 +21,7 @@
owner: dansguardian
group: dansguardian
mode: 0640
when: is_debuntu
when: is_debuntu | bool
- name: Install /etc/dansguardian/dansguardian.conf from template (CentOS)
template:

4
roles/network/tasks/debian.yml
View file

@ -73,13 +73,13 @@
service:
name: dhcpd
state: stopped
when: dhcpd_install
when: dhcpd_install | bool
- name: dhcpd_server may be affected - stopping dnsmasq
service:
name: dnsmasq
state: stopped
when: dnsmasq_install
when: dnsmasq_install | bool
- name: Reload systemd
systemd:

4
roles/network/tasks/detected_network.yml
View file

@ -17,7 +17,7 @@
- name: Red Hat network detection (redhat)
include_tasks: detected_redhat.yml
when: is_redhat
when: is_redhat | bool
- name: Setting dhcpcd_test results
set_fact:
@ -40,7 +40,7 @@
- name: Check /etc/network/interfaces for gateway
shell: grep {{ device_gw }} /etc/network/interfaces | wc -l
when: is_debuntu
when: is_debuntu | bool
register: wan_file
- name: Setting wan_in_interfaces

15
roles/network/tasks/dhcpd.yml
View file

@ -2,7 +2,7 @@
package:
name: isc-dhcp-server
state: present
when: is_debuntu
when: is_debuntu | bool
tags:
- download
@ -18,21 +18,22 @@
user:
name: dhcpd
createhome: no
when: is_debuntu
when: is_debuntu | bool
- name: Disable stock dhcp_service (debuntu)
service:
name: "{{ dhcp_service }}"
enabled: no
state: stopped
when: is_debuntu
when: is_debuntu | bool
- name: Disable stock dhcp_service ipv6 (ubuntu-18)
- name: Disable stock dhcp_service ipv6 (ubuntu-18 and higher)
service:
name: "{{ dhcp_service }}6"
enabled: no
state: stopped
when: is_ubuntu_18
when: is_ubuntu and not is_ubuntu_16
#when: is_ubuntu_18 | bool
- name: Install systemd unit file to /etc/systemd/system/dhcpd.service
template:
@ -48,7 +49,7 @@
command: touch /var/lib/dhcpd/dhcpd.leases
args:
creates: /var/lib/dhcpd/dhcpd.leases
when: is_redhat
when: is_redhat | bool
- name: Set dhcpd.leases permissions/ownership (redhat)
file:
@ -57,4 +58,4 @@
group: dhcpd
mode: 0644
state: file
when: is_redhat
when: is_redhat | bool

4
roles/network/tasks/down-debian.yml
View file

@ -16,10 +16,10 @@
service:
name: dhcpd
state: stopped
when: dhcpd_install
when: dhcpd_install | bool
- name: dhcpd_server may be affected - stopping dnsmasq
service:
name: dnsmasq
state: stopped
when: dnsmasq_install
when: dnsmasq_install | bool

4
roles/network/tasks/hostapd.yml
View file

@ -31,7 +31,7 @@
owner: root
group: root
mode: 0755
when: is_rpi
when: is_rpi | bool
- name: Create /usr/bin/iiab-hotspot-off from template
template:
@ -40,7 +40,7 @@
owner: root
group: root
mode: 0755
when: is_rpi
when: is_rpi | bool
- name: Disable the Access Point 'hostapd' service
systemd:

4
roles/network/tasks/ifcfg_mods.yml
View file

@ -36,13 +36,13 @@
service:
name: dhcpd
state: stopped
when: dhcpd_install
when: dhcpd_install | bool
- name: dhcpd_server may be affected - stopping dnsmasq
service:
name: dnsmasq
state: stopped
when: dnsmasq_install
when: dnsmasq_install | bool
- name: Stop the LAN/Bridge deleting iiab-LAN
shell: nmcli con delete id iiab-LAN

6
roles/network/tasks/main.yml
View file

@ -57,7 +57,7 @@
- name: Configure wondershaper
include_tasks: wondershaper.yml
when: wondershaper_install
when: wondershaper_install | bool
tags:
- network
- wondershaper
@ -99,7 +99,7 @@
#### Start network layout
- name: Redhat networking
include_tasks: ifcfg_mods.yml
when: is_redhat
when: is_redhat | bool
#and not installing
tags:
- network
@ -107,7 +107,7 @@
- name: Netplan in use on Ubuntu 18.04+
include_tasks: netplan.yml
when: is_ubuntu and not is_ubuntu_16
#when: is_ubuntu_18
#when: is_ubuntu_18 | bool
#and not installing
tags:
- network

4
roles/network/tasks/named.yml
View file

@ -4,7 +4,7 @@
- bind9
- bind9utils
state: present
when: is_debuntu
when: is_debuntu | bool
tags:
- download
@ -79,7 +79,7 @@
template:
src: roles/network/templates/named/dns-jail.conf
dest: "/etc/{{ apache_config_dir }}/"
when: dns_jail_enabled
when: dns_jail_enabled | bool
- name: Create symlink dns-jail.conf from sites-enabled to sites-available (if debuntu and dns_jail_enabled)
file:

2
roles/network/tasks/netplan.yml
View file

@ -27,7 +27,7 @@
enabled: yes
with_items:
- systemd-networkd-wait-online
when: systemd_networkd_active
when: systemd_networkd_active | bool
# ICO will always set gui_static_wan_ip away from the default of 'unset' while
# gui_static_wan turns dhcp on/off through wan_ip in computed_network and

4
roles/network/tasks/redetect.yml
View file

@ -57,7 +57,7 @@
shell: nmcli conn up id iiab-WAN
register: dhcp_WAN
ignore_errors: yes
when: has_WAN
when: has_WAN | bool
- name: BAD ifcfg-WAN
debug:
@ -117,7 +117,7 @@
register: ifcfg_dhcp_device
ignore_errors: True
changed_when: False
when: dhcp_good
when: dhcp_good | bool
- name: Setting has ifcfg gw based on device if found
set_fact:

6
roles/network/tasks/restart.yml
View file

@ -15,13 +15,13 @@
name: "{{ proxy }}"
state: stopped
async: 120
when: squid_install
when: squid_install | bool
- name: Stop DansGuardian
systemd:
name: dansguardian
state: stopped
when: dansguardian_install
when: dansguardian_install | bool
- name: Restart DansGuardian service (dansguardian) except Ubuntu which needs reboot to activate
systemd:
@ -40,7 +40,7 @@
systemd:
name: wondershaper
state: restarted
when: wondershaper_enabled
when: wondershaper_enabled | bool
- name: Restart Avahi service (avahi-daemon)
systemd:

4
roles/network/tasks/squid.yml
View file

@ -9,7 +9,7 @@
- name: "Bigger hammer for Ubuntu, run: /etc/init.d/squid stop"
command: /etc/init.d/squid stop
when: is_ubuntu
when: is_ubuntu | bool
- name: Stop Squid
service:
@ -79,7 +79,7 @@
state: directory
- include_tasks: roles/network/tasks/dansguardian.yml
when: dansguardian_install
when: dansguardian_install | bool
# {{ proxy }} is normally "squid", but is "squid3" on raspbian-8 & debian-8
- name: Add '{{ proxy }}' variable values to {{ iiab_ini_file }}

5
roles/network/tasks/sysd-netd-debian.yml
View file

@ -33,11 +33,12 @@
wan_cidr: "{{ CIDR.stdout }}"
when: wan_ip != "dhcp"
- name: Supply static WAN template
- name: Supply static WAN template (ubuntu-16)
template:
dest: /etc/systemd/network/IIAB-Static.network
src: network/systemd-static-net.j2
when: wan_ip != "dhcp" and not is_ubuntu_18
when: wan_ip != "dhcp" and is_ubuntu_16
#when: wan_ip != "dhcp" and not is_ubuntu_18
- name: Stopping services
include_tasks: down-debian.yml

266
roles/network/templates/gateway/iiab-gen-iptables
View file

@ -1,5 +1,31 @@
#!/bin/bash -x
source {{ iiab_env_file }}
################################################################################
# #
# IF YOU NEED TO CHANGE ports_externally_visible DO THAT IN: #
# #
# /etc/iiab/local_vars.yml #
# #
# This firewall variable must be an integer {0...5} as follows: #
# #
# 0 = none #
# 1 = ssh only #
# 2 = ssh + http-or-https (for Admin Console's box.lan/admin too) #
# 3 = ssh + http-or-https + common IIAB services <-- THIS IS THE DEFAULT #
# 4 = ssh + http-or-https + common IIAB services + Samba #
# 5 = all but databases #
# #
# Then enable it with iptables by running: cd /opt/iiab/iiab; ./iiab-network #
# #
################################################################################
# To further customize your iptables firewall, it's generally best to edit:
# /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
# And then run: cd /opt/iiab/iiab; ./iiab-network
# IIAB Networking Doc:
# https://github.com/iiab/iiab/wiki/IIAB-Networking#firewall-iptables
{% if is_debuntu %}
IPTABLES=/sbin/iptables
IPTABLES_DATA=/etc/iptables.up.rules
@ -7,152 +33,184 @@ IPTABLES_DATA=/etc/iptables.up.rules
IPTABLES=/usr/sbin/iptables
IPTABLES_DATA=/etc/sysconfig/iptables
{% endif %}
LANIF=$IIAB_LAN_DEVICE
WANIF=$IIAB_WAN_DEVICE
MODE=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
clear_fw() {
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
source {{ iiab_env_file }}
lan=$IIAB_LAN_DEVICE
wan=$IIAB_WAN_DEVICE
echo -e "\nLAN: $lan"
echo -e "WAN: $wan\n"
#network_mode=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
#echo -e "Network Mode: $network_mode\n"
# first match wins
# Always accept loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
# Always drop rpc
$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
$IPTABLES -A INPUT -p udp --dport 111 -j DROP
# mysql
$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
$IPTABLES -A INPUT -p udp --dport 3306 -j DROP
# postgres - not needed listens on lo only
$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
$IPTABLES -A INPUT -p udp --dport 5432 -j DROP
# couchdb
$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
$IPTABLES -A INPUT -p udp --dport 5984 -j DROP
}
if [ "x$WANIF" == "xnone" ] || [ "$MODE" == "Appliance" ]; then
clear_fw
# save the rule set
{% if is_debuntu %}
netfilter-persistent save
{% else %}
iptables-save > $IPTABLES_DATA
{% endif %}
exit 0
fi
lan=$LANIF
wan=$WANIF
# Good thing we replace this file should be treated like squid below
# "Good thing we replace this file; should be treated like Squid below" ?
ports_externally_visible={{ ports_externally_visible }}
#services_externally_visible={{ services_externally_visible }}
gw_block_https={{ gw_block_https }}
ssh_port={{ ssh_port }}
gui_wan={{ gui_wan }}
#gui_wan={{ gui_wan }}
gui_port={{ gui_port }}
iiab_gateway_enabled={{ iiab_gateway_enabled }}
services_externally_visible={{ services_externally_visible }}
block_DNS={{ block_DNS }}
calibre_port={{ calibre_port }}
calibreweb_port={{ calibreweb_port }}
kiwix_port={{ kiwix_port }}
kalite_server_port={{ kalite_server_port }}
kolibri_http_port={{ kolibri_http_port }}
cups_port={{ cups_port }}
transmission_http_port={{ transmission_http_port }}
transmission_peer_port={{ transmission_peer_port }}
sugarizer_port={{ sugarizer_port }}
internetarchive_port={{ internetarchive_port }}
nodered_port={{ nodered_port }}
mosquitto_port={{ mosquitto_port }}
kalite_server_port={{ kalite_server_port }}
kiwix_port={{ kiwix_port }}
kolibri_http_port={{ kolibri_http_port }}
minetest_port={{ minetest_port }}
mosquitto_port={{ mosquitto_port }}
nodered_port={{ nodered_port }}
pbx_enabled={{ pbx_enabled }}
pbx_signaling_ports_chan_sip={{ pbx_signaling_ports_chan_sip }}
pbx_signaling_ports_chan_pjsip={{ pbx_signaling_ports_chan_pjsip }}
pbx_data_ports={{ pbx_data_ports }}
pbx_enabled={{ pbx_enabled }}
block_DNS={{ block_DNS }}
sugarizer_port={{ sugarizer_port }}
transmission_http_port={{ transmission_http_port }}
transmission_peer_port={{ transmission_peer_port }}
echo "LAN is $lan and WAN is $wan"
#
# delete all existing rules.
#
samba_udp_ports={{ samba_udp_ports }}
samba_tcp_mports={{ samba_tcp_mports }}
echo -e "\nports_externally_visible: "$ports_externally_visible"\n"
if ! [ "$ports_externally_visible" -eq "$ports_externally_visible" ] 2> /dev/null; then
echo "EXITING: an integer is required"
exit 1
elif [ "$ports_externally_visible" -lt 0 ] || [ "$ports_externally_visible" -gt 5 ]; then
echo "EXITING: it must be in the range {0...5}"
exit 1
fi
#if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
# Load iptables kernel modules
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
clear_fw
#fi
# Delete all existing firewall rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
# FIRST MATCH WINS - establish iptable rules, starting at the top:
# (verify the resulting rule set by running 'iptables -L -v')
# New to iptables? Run/read 'man iptables' & 'man iptables-extensions'
# Always accept loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
# Disable access to databases, on LAN-side and WAN-side
# SunRPC
$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
$IPTABLES -A INPUT -p udp --dport 111 -j DROP
# MySQL
$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
$IPTABLES -A INPUT -p udp --dport 3306 -j DROP
# PostgreSQL - not needed listens on lo only
$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
$IPTABLES -A INPUT -p udp --dport 5432 -j DROP
# CouchDB
$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
$IPTABLES -A INPUT -p udp --dport 5984 -j DROP
# Allow established connections, and those not coming from the outside
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT
# Allow mDNS
# Allow mDNS from WAN-side too (ON PURPOSE? WHY OUT OF CURIOSITY?)
$IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT
#when run as gateway
$IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
#if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
if [ "$wan" != "none" ]; then
if [ "$gui_wan" == "True" ]; then
$IPTABLES -A INPUT -p tcp --dport $gui_port -m state --state NEW -i $wan -j ACCEPT
fi
# 1 = ssh only
if [ "$ports_externally_visible" -ge 1 ]; then
$IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
fi
if [ "$services_externally_visible" == "True" ]; then
$IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $calibre_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $calibreweb_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $cups_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $sugarizer_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $internetarchive_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $nodered_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $mosquitto_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $transmission_http_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $transmission_peer_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $minetest_port -m state --state NEW -i $wan -j ACCEPT
# 2 = ssh + http-or-https (for Admin Console's box.lan/admin too)
if [ "$ports_externally_visible" -ge 2 ]; then
# For now this is implemented using Admin Console variable "gui_port" from:
# https://github.com/iiab/iiab/blob/master/roles/0-init/tasks/main.yml#L87-L95
$IPTABLES -A INPUT -p tcp --dport $gui_port -m state --state NEW -i $wan -j ACCEPT
fi
if [ "$pbx_enabled" == "True" ]; then
$IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_sip -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_pjsip -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $pbx_data_ports -m state --state NEW -i $wan -j ACCEPT
# 3 = ssh + http-or-https + common IIAB services
if [ "$ports_externally_visible" -ge 3 ]; then
$IPTABLES -A INPUT -p tcp --dport $calibre_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $calibreweb_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $cups_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $internetarchive_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $minetest_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $mosquitto_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $nodered_port -m state --state NEW -i $wan -j ACCEPT
if [ "$pbx_enabled" == "True" ]; then
$IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_sip -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_pjsip -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $pbx_data_ports -m state --state NEW -i $wan -j ACCEPT
fi
$IPTABLES -A INPUT -p tcp --dport $sugarizer_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $transmission_http_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $transmission_peer_port -m state --state NEW -i $wan -j ACCEPT
fi
# 4 = ssh + http-or-https + common IIAB services + Samba
if [ "$ports_externally_visible" -ge 4 ]; then
$IPTABLES -A INPUT -p udp --dport $samba_udp_ports -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
fi
if [ "$lan" != "none" ]; then
# Typically False, to keep client machines (e.g. students) off the Internet
if [ "$iiab_gateway_enabled" == "True" ]; then
$IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
fi
# 3 or 4 IP forwarding rules
$IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block https traffic except if directed at server
if [ "$gw_block_https" == "True" ]; then
$IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
fi
# Allow outgoing connections from the LAN side
$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
# Don't forward from the outside to the inside
$IPTABLES -A FORWARD -i $wan -o $lan -j DROP
# Enable routing (kernel IP forwarding)
echo 1 > /proc/sys/net/ipv4/ip_forward
fi
# 5 = "all but databases"
if [ "$ports_externally_visible" -lt 5 ]; then
# Drop everything else arriving via WAN
$IPTABLES -A INPUT -i $wan -j DROP
fi
fi
if [ "$iiab_gateway_enabled" == "True" ]; then
$IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
fi
$IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
#Block https traffic except if directed at server
if [ "$gw_block_https" == "True" ]; then
$IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
fi
# Allow outgoing connections from the LAN side.
$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
# Don't forward from the outside to the inside.
$IPTABLES -A FORWARD -i $wan -o $lan -j DROP
$IPTABLES -A INPUT -i $wan -j DROP
# TCP & UDP block of DNS port 53 if truly nec
if [ "$block_DNS" == "True" ]; then
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
$IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
fi
# If Squid enabled, as indicated by "HTTPCACHE_ON=True" in /etc/iiab/iiab.env
if [ "$HTTPCACHE_ON" == "True" ]; then
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
fi
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
# save the whole rule set now
# Save the whole rule set
{% if is_debuntu %}
netfilter-persistent save
{% else %}
iptables-save > $IPTABLES_DATA
{% endif %}
exit 0

6
roles/nextcloud/defaults/main.yml
View file

@ -11,7 +11,11 @@ nextcloud_url: /nextcloud
nextcloud_prefix: /opt
nextcloud_data_dir: "{{ content_base }}/nextcloud/data"
nextcloud_dl_url: https://download.nextcloud.com/server/releases
nextcloud_orig_src_file: latest-15.tar.bz2 # 2019-04-25: nextcloud-16.0.0.tar.bz2 requires PHP 7.1+ and so fails on current Raspbian and Debian 9 "Stretch". 2019-09-27 aside: latest-16.tar.bz2 oddly still not yet published at https://download.nextcloud.com/server/releases/
# 2019-05-11: latest-16.tar.bz2 finally published to https://download.nextcloud.com/server/releases/ (nextcloud/server#15502) e.g. for Ubuntu 18.04 & Debian 10
nextcloud_orig_src_file_old: latest-15.tar.bz2 # 2019-05-16: for legacy OS's Debian 9 & Raspbian 9 where PHP 7.1+ isn't available
nextcloud_src_file_old: nextcloud_{{ nextcloud_orig_src_file_old }}
nextcloud_orig_src_file: latest-16.tar.bz2 # 2019-05-16: for all other OS's e.g. Debian 10 & Ubuntu 18.04 where PHP 7.1+ is hopefully available!
nextcloud_src_file: nextcloud_{{ nextcloud_orig_src_file }}
# we install on mysql with these setting or those from default_vars, etc.

2
roles/nextcloud/tasks/F18.yml
View file

@ -9,7 +9,7 @@
url: "{{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }}"
dest: "{{ downloads_dir }}/{{ nextcloud_src_file }}"
timeout: "{{ download_timeout }}"
when: internet_available
when: internet_available | bool
- name: Copy it to permanent location /opt
unarchive:

42
roles/nextcloud/tasks/main.yml
View file

@ -14,18 +14,31 @@
# - debug:
# msg: "nextcloud_force_install: {{ nextcloud_force_install }}"
- name: Download {{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }} to {{ downloads_dir }}/{{ nextcloud_src_file }}
- name: Download {{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file_old }} to {{ downloads_dir }}/{{ nextcloud_src_file_old }} on older OS's lacking PHP 7.1+
get_url:
url: "{{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file_old }}"
dest: "{{ downloads_dir }}/{{ nextcloud_src_file_old }}"
timeout: "{{ download_timeout }}"
force: yes
#validate_certs: False # TEMPORARY ON/AFTER 2018-07-22 AS download.nextcloud.com CERT EXPIRED: https://github.com/iiab/iiab/issues/954
#async: 1800
#poll: 10
tags:
- download
when: internet_available and nextcloud_force_install and (is_debian_9 or is_raspbian_9)
- name: Download {{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }} to {{ downloads_dir }}/{{ nextcloud_src_file }} on newer OS's that have PHP 7.1+
get_url:
url: "{{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }}"
dest: "{{ downloads_dir }}/{{ nextcloud_src_file }}"
timeout: "{{ download_timeout }}"
force: yes
#validate_certs: False # TEMPORARY ON/AFTER 2018-07-22 AS download.nextcloud.com CERT EXPIRED: https://github.com/iiab/iiab/issues/954
when: internet_available and nextcloud_force_install
#async: 1800
#poll: 10
tags:
- download
when: internet_available and nextcloud_force_install and not (is_debian_9 or is_raspbian_9)
# Ubuntu and Debian treat names differently
- name: Install 3 php packages (debian)
@ -35,7 +48,7 @@
- "php{{ php_version }}-mbstring"
- "php{{ php_version }}-zip"
state: present
when: is_debian
when: is_debian | bool
# Ubuntu and Debian treat names differently
- name: Install 4 php packages (ubuntu)
@ -46,7 +59,7 @@
- php-zip
- php-mbstring
state: present
when: is_ubuntu
when: is_ubuntu | bool
- name: Install 5 more php packages (debuntu)
package:
@ -57,7 +70,7 @@
- "php{{ php_version }}-curl"
- "php{{ php_version }}-intl"
state: present
when: is_debuntu
when: is_debuntu | bool
- name: 'Install php{{ php_version }}-mcrypt IF this is a "pre-2018" distro in the debuntu family. NOTE: PHP 7.1 deprecated mcrypt 1-Dec-2016 and PHP 7.2 dropped it completely 30-Nov-2017, as it should no longer be nec.'
package:
@ -83,20 +96,27 @@
# CentOS does not have a package for php-imagick
#- php-imagick
state: present
when: is_redhat
when: is_redhat | bool
- name: Unarchive {{ nextcloud_src_file }} to permanent location {{ nextcloud_prefix }}/nextcloud # e.g. unpack nextcloud_latest-14.tar.bz2 to /opt/nextcloud
- name: Unarchive {{ nextcloud_src_file_old }} to permanent location {{ nextcloud_prefix }}/nextcloud on older OS's lacking PHP 7.1+ # e.g. unpack nextcloud_latest-15.tar.bz2 to /opt/nextcloud
unarchive:
src: "{{ downloads_dir }}/{{ nextcloud_src_file_old }}"
dest: "{{ nextcloud_prefix }}"
#creates: "{{ nextcloud_prefix }}/nextcloud/version.php"
when: nextcloud_force_install and (is_debian_9 or is_raspbian_9)
- name: Unarchive {{ nextcloud_src_file }} to permanent location {{ nextcloud_prefix }}/nextcloud on newer OS's that have PHP 7.1+ # e.g. unpack nextcloud_latest-16.tar.bz2 to /opt/nextcloud
unarchive:
src: "{{ downloads_dir }}/{{ nextcloud_src_file }}"
dest: "{{ nextcloud_prefix }}"
#creates: "{{ nextcloud_prefix }}/nextcloud/version.php"
when: nextcloud_force_install
when: nextcloud_force_install and not (is_debian_9 or is_raspbian_9)
- name: Create dir /etc/nextcloud (centos) for a subsequent config dir that's symlinked to /etc/nextcloud ?
file:
path: /etc/nextcloud
state: directory
when: is_centos
when: is_centos | bool
- name: Install {{ nextcloud_prefix }}/nextcloud/config/autoconfig.php from template (centos)
template:
@ -105,7 +125,7 @@
owner: "{{ apache_user }}"
group: "{{ apache_user }}"
mode: 0640
when: is_centos
when: is_centos | bool
- name: chown -R {{ apache_user }}:{{ apache_user }} {{ nextcloud_prefix }}/nextcloud
file:
@ -146,7 +166,7 @@
# service:
# name: "{{ apache_service }}"
# state: restarted
## when: nextcloud_enabled # taken care of by nextcloud_enabled.yml below
## when: nextcloud_enabled | bool # taken care of by nextcloud_enabled.yml below
# when: not nextcloud_enabled
# Enables or disable Nextcloud!

2
roles/nextcloud/tasks/nextcloud_enabled.yml
View file

@ -11,7 +11,7 @@
owner: root
group: root
mode: 0644
when: nextcloud_enabled
when: nextcloud_enabled | bool
- name: Create symlink nextcloud.conf from sites-enabled to sites-available for http://box/nextcloud (debuntu)
file:

3
roles/nodered/meta/main.yml
View file

@ -1,3 +1,2 @@
dependencies:
- { role: nodejs, tags: ['nodejs'], when: nodered_install }
- { role: nodejs, tags: ['nodejs'], when: nodered_install | bool }

14
roles/nodered/tasks/main.yml
View file

@ -14,7 +14,7 @@
package:
name: nodered
state: absent
when: nodered_install
when: nodered_install | bool
# 2012-02-13: the 6 RPi stanzas below recreate Raspbian Desktop's Node-RED
# environment, inspired by:
@ -159,7 +159,7 @@
owner: root
group: root
mode: 0666
when: nodered_install
when: nodered_install | bool
- name: Install Apache's sites-available/nodered.conf from template
template:
@ -169,7 +169,7 @@
owner: root
group: root
mode: 0666
when: nodered_install
when: nodered_install | bool
- name: Create symlink nodered.conf from sites-enabled to sites-available, for short URL http://box/nodered (if nodered_enabled)
file:
@ -178,7 +178,7 @@
owner: root
group: root
state: link
when: nodered_enabled
when: nodered_enabled | bool
- name: Remove symlink /etc/apache2/sites-enabled/nodered.conf (if not nodered_enabled)
file:
@ -190,14 +190,14 @@
apache2_module:
state: present
name: proxy_wstunnel
when: nodered_install
when: nodered_install | bool
- name: Restart Apache service ({{ apache_service }}) to enable/disable http://box/nodered (not just http://box:{{ nodered_port }}/nodered)
systemd:
#daemon_reload: yes
name: "{{ apache_service }}" # httpd or apache2
state: restarted
when: nodered_install
when: nodered_install | bool
- name: Enable & (Re)start 'nodered' systemd service (if nodered_enabled)
systemd:
@ -205,7 +205,7 @@
name: nodered
enabled: yes
state: restarted
when: nodered_enabled
when: nodered_enabled | bool
- name: Disable & Stop 'nodered' systemd service (if not nodered_enabled)
systemd:

2
roles/nodogsplash/tasks/main.yml
View file

@ -1,3 +1,3 @@
- name: Install nodogsplash (Raspbian only)
include_tasks: rpi.yml
when: is_rpi
when: is_rpi | bool

4
roles/nodogsplash/tasks/rpi.yml
View file

@ -8,7 +8,7 @@
url: "{{ iiab_download_url }}/{{ nodogsplash_arm_deb }}"
dest: "{{ downloads_dir }}/{{ nodogsplash_arm_deb }}"
timeout: "{{ download_timeout }}"
when: internet_available
when: internet_available | bool
#async: 300
#poll: 5
@ -43,7 +43,7 @@
name: nodogsplash
enabled: yes
state: started
when: nodogsplash_enabled
when: nodogsplash_enabled | bool
- name: Disable 'nodogsplash' systemd service, if not nodogsplash_enabled
systemd:

17
roles/openvpn/defaults/main.yml
View file

@ -1,12 +1,15 @@
openvpn_install: True
openvpn_enable: False
# openvpn_install: True
# openvpn_enabled: False
# For /etc/iiab/openvpn_handle
openvpn_handle: ""
# openvpn_handle: ""
# cron seems necessary on CentOS:
openvpn_cron_enabled: False
# openvpn_cron_enabled: False
openvpn_server: xscenet.net
openvpn_server_virtual_ip: 10.8.0.1
openvpn_server_port: 1194
# openvpn_server: xscenet.net
# openvpn_server_virtual_ip: 10.8.0.1
# openvpn_server_port: 1194
# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!

38
roles/openvpn/tasks/main.yml
View file

@ -13,7 +13,7 @@
regexp: "{{ item.regexp }}"
path: /root/.ssh/authorized_keys
#backup: yes
when: openvpn_install
when: openvpn_install | bool
with_items:
- regexp: "LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s=$" # Tim Moody
pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAhlQIh8ZPx4awdM0O6QNcPbx3qIZ39FHjF2YJ2SX3z7iLnYiz03Ek6Bux9P4HvaVAqlApiz2I68Vq8TfU2s/+LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s="
@ -72,9 +72,10 @@
- { src: 'announcer.j2', dest: '/etc/openvpn/scripts/announcer', mode: '0755' }
- { src: 'silence', dest: '/etc/openvpn/scripts/silence', mode: '0755' }
- { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' }
- { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }
- { src: 'iiab-support', dest: '/usr/bin/iiab-support', mode: '0755' }
- { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' }
- { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' }
- { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }
# Comment out in future? Not recommended as of August 2018:
- { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
# Obsolete & unused for ~2 years as of August 2018:
@ -86,6 +87,18 @@
# Obsolete & unused for ~2 years as of August 2018:
#- { src: 'iiab-vpn.j2', dest: '/usr/bin/iiab-vpn', mode: '0755' }
- name: Create iiab-support-on (symlink to iiab-support for now)
file:
src: /usr/bin/iiab-support
path: /usr/bin/iiab-support-on
state: link
- name: Create iiab-support-off (symlink to iiab-remote-off for now)
file:
src: /usr/bin/iiab-remote-off
path: /usr/bin/iiab-support-off
state: link
- name: Create iiab-vpn-on (symlink to iiab-remote-on for now)
file:
src: /usr/bin/iiab-remote-on
@ -104,17 +117,16 @@
# template:
# src: up_wan
# dest: /usr/lib/iiab/up_wan
# when: is_debuntu
# when: is_debuntu | bool
# Comment out in future? Contained serious bug (15-openvpn called
# up-wan instead of up_wan in /usr/lib/iiab/ as of August 2018) so
# evidently unused for ~2 years:
- name: Install NM dispatcher.d (for older OS's only, where OpenVPN doesn't auto-start openvpn@xscenet)
template:
src: 15-openvpn
dest: /etc/NetworkManager/dispatcher.d/
#when: not is_debuntu # CONDITION APPEARS TOO BROAD
when: False # ADD/ITEMIZE ANY OS'S HERE, WHERE TRULY NEC (e.g. older CentOS, if running older OpenVPN?)
# Contained serious bug (15-openvpn called up-wan instead of up_wan in
# /usr/lib/iiab/ as of August 2018) so evidently unused for ~2 years:
#- name: Install NM dispatcher.d (for older OS's only, where OpenVPN doesn't auto-start openvpn@xscenet)
# template:
# src: 15-openvpn
# dest: /etc/NetworkManager/dispatcher.d/
# #when: not is_debuntu # CONDITION APPEARS TOO BROAD
# when: False # ADD/ITEMIZE ANY OS'S HERE, WHERE TRULY NEC (e.g. older CentOS, if running older OpenVPN?)
# Was obsolete/unused for ~2 years as of August 2018: (replaced by /etc/openvpn/xscenet.conf)
#- name: Check for manually configured OpenVPN tunnel
@ -166,7 +178,7 @@
daemon_reload: yes
enabled: yes
state: restarted # 2018-09-02: Should we be concerned that "systemctl status openvpn" often shows "active (exited)" ? If so we might consider "state: started" or "state: reloaded" instead?
when: openvpn_enabled
when: openvpn_enabled | bool
- name: Enable hourly cron job for OpenVPN (starts CHILD service openvpn@xscenet, typically for CentOS only?)
lineinfile:

35
roles/openvpn/templates/iiab-handle.j2
View file

@ -1,20 +1,35 @@
#!/bin/bash
# DEPRECATED interactive script (over)writes /etc/iiab/openvpn_handle file, identifying client to server
echo -e '\nCORRECT METHOD: CHANGE VARIABLE openvpn_handle IN /etc/iiab/local_vars.yml'
echo -e 'THEN RUN "cd /opt/iiab/iiab" THEN "./runrole openvpn"\n'
echo -e "\n\n\e[41m DEPRECATED PLEASE RUN 'iiab-support' INSTEAD \e[0m\n\n"
echo -e "Or, for a temporary solution until the next time Ansible is run,"
read -p "what OpenVPN handle do you want to use? " ans
echo -e 'This older script TEMPORARILY (over)writes /etc/iiab/openvpn_handle to'
echo -e 'identify IIAB to the upstream OpenVPN server, until Ansible next runs.\n'
#echo -e 'CORRECT METHOD: CHANGE VARIABLE openvpn_handle IN /etc/iiab/local_vars.yml'
#echo -e 'THEN RUN "cd /opt/iiab/iiab" THEN "./runrole openvpn"\n'
echo -e 'PLEASE NOW TYPE CTRL-C TO QUIT. Or, if you really want it temporary until the'
read -p 'next time Ansible is run, what OpenVPN handle do you want? ' ans
echo
if [ "$ans" == "" ]; then
if [ -f /etc/iiab/openvpn_handle ]; then
rm -f /etc/iiab/openvpn_handle
fi
else
if [ "$ans" != "" ]; then
echo $ans > /etc/iiab/openvpn_handle
echo -e "\nYour machine's openvpn_handle is TEMPORARILY now set... \n"
else
echo -e "\nWARNING: your machine's openvpn_handle remains unchanged...\n"
fi
echo -e "Restarting OpenVPN daemon...\n"
# 2019-05-09: removing /etc/iiab/openvpn_handle (or setting it to "") are both very bad practices
#if [ "$ans" == "" ]; then
# if [ -f /etc/iiab/openvpn_handle ]; then
# rm -f /etc/iiab/openvpn_handle
# fi
#else
# echo $ans > /etc/iiab/openvpn_handle
#fi
{{ systemctl_program }} restart openvpn@xscenet
# This would also work: (but would bounce all VPN connections, if others exist, causing unnec disruption if so)
#{{ systemctl_program }} restart openvpn

7
roles/openvpn/templates/iiab-remote-on.j2
View file

@ -3,11 +3,14 @@
# /usr/bin/iiab-remote-on should turn on multiple remote support services like
# OpenVPN and others, for remote support, so they work even after reboot.
echo -e '\nWARNING: To enable OpenVPN long-term, it'"'"'s recommended you:\n'
echo -e "\n\n\e[44m CONSIDER RUNNING 'iiab-support' INSTEAD \e[0m\n\n"
echo -e 'WARNING: To enable OpenVPN long-term, it'"'"'s recommended you:\n'
echo -e '1) Set these variables in /etc/local/local_vars.yml'
echo -e ' openvpn_install: True'
echo -e ' openvpn_enabled: True\n'
echo -e ' openvpn_enabled: True'
echo -e ' openvpn_handle: <descriptive-name-for-your-machine>\n'
echo -e '2) Run:'
echo -e ' cd /opt/iiab/iiab'

106
roles/openvpn/templates/iiab-support Normal file
View file

@ -0,0 +1,106 @@
#!/bin/bash
# openvpn_handle is stored in 2 files on disk, one slightly stripped down (from
# the other) due to Ansible. So we emulate Ansible's behavior, when reading from
# (and later writing to) disk, removing outer cruft as explained on Lines 27-29:
handle1=$(grep "^openvpn_handle:" /etc/iiab/local_vars.yml | sed -e "s/^openvpn_handle://; s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
echo -e "\n/etc/iiab/local_vars.yml source/master copy: $handle1"
if [ -f /etc/iiab/openvpn_handle ]; then
handle2=$(cat /etc/iiab/openvpn_handle)
echo -e "/etc/iiab/openvpn_handle for openvpn daemon: $handle2\n"
else
echo -e "/etc/iiab/openvpn_handle for openvpn daemon: [FILE DOESN'T YET EXIST]\n"
fi
echo -e "\e[1mPlease type a descriptive OpenVPN machine name (openvpn_handle) such as:\n"
echo -e " cape-town-school-36-rpi-2019-05-31\n"
echo -en "Or hit [Enter] to keep the existing name:\e[0m "
read ans < /dev/tty
#if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -f /etc/iiab/openvpn_handle ] ); then
# -v (below) checks if var's defined: equivalent to file existence test above
if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -v handle2 ] ); then
if grep -q '^openvpn_handle:' /etc/iiab/local_vars.yml; then
sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml
else
echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml
fi
# BEHAVIOR JUST LIKE ANSIBLE'S: create /etc/iiab/openvpn_handle from the
# "^openvpn_handle:" line in /etc/iiab/local_vars.yml by (1) removing outer
# spacing IF NEC, then (2) removing 1 pair of matching outer quotes IF NEC:
ans=$(echo $ans | sed -e "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
echo $ans > /etc/iiab/openvpn_handle
echo -e "\n\e[1mSAVED: openvpn_handle recorded into both above files.\e[0m\n"
elif [ "$handle1" != "$handle2" ]; then # Sloppily, but conveniently here,
# bash treats "$handle2" as "" when var undefined, catching all conflicts!
echo -e "\n\e[41mYou MUST specify an OpenVPN machine name (openvpn_handle) to resolve the above\e[0m"
echo -e "\e[41mnaming conflict. Please rerun to proceed.\e[0m\n"
exit 1
else
echo -e "\n\e[1mWARNING: openvpn_handle remains unchanged in both above files.\e[0m\n"
fi
if grep -q '^openvpn_install: True' /etc/iiab/local_vars.yml; then
echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n"
else
echo -e "Please wait a few minutes as IIAB Stage 1 (1-prep) & OpenVPN are installed...\n"
if grep -q '^openvpn_install:' /etc/iiab/local_vars.yml; then
sed -i "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml
else
echo "openvpn_install: True" >> /etc/iiab/local_vars.yml
fi
cd /opt/iiab/iiab
./runrole 1-prep
echo
fi
echo -e "Now let's (re)enable OpenVPN...\n"
if grep -q '^openvpn_enabled:' /etc/iiab/local_vars.yml; then
sed -i "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml
else
echo "openvpn_enabled: True" >> /etc/iiab/local_vars.yml
fi
systemctl enable openvpn
echo -e "\nNow let's restart OpenVPN..."
#systemctl start openvpn
systemctl restart openvpn
echo -en "\n "
for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
echo -en " OpenVPN TIPS "
for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
echo -e "\n\n 1. Check your Internet connection: run 'ping 8.8.8.8' and 'ping mit.edu'"
echo -e " 2. Check your OpenVPN connection: run 'ping 10.8.0.1'"
echo -e " 3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x"
echo -e " 4. If necessary, run 'systemctl restart openvpn' which should"
echo -e " run 'systemctl restart openvpn@xscenet' for you."
echo -e " 5. Sometimes waiting a minute helps -- retry steps 2 and 3 to monitor."
echo -e " 6. If in future you want to disable OpenVPN connections to-and-from your"
echo -e " Internet-in-a-Box (IIAB) please run 'iiab-support-off' at that time."
echo -e " 7. Read 'How can I remotely manage my Internet-in-a-Box?' at"
echo -e " http://FAQ.IIAB.IO to learn about DIY remote support alternatives"
echo -e " like ngrok, serveo, remot3.it and TeamViewer.\n"
echo -en " "
for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
echo -en " OpenVPN TIPS "
for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
echo -e "\n\nNow let's wait 15 seconds, as OpenVPN handshake sometimes needs that (or more!)"
sleep 15
echo -en "\nYour OpenVPN machine name (openvpn_handle) is: \e[32m"
cat /etc/iiab/openvpn_handle
echo -en "\e[0m"
vpnip=$(ip a | grep tun0$ | awk '{print $2}')
if [ "$vpnip" != "" ]; then
echo -e "\nYour OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n"
else
echo -e "\n \e[41m ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS \e[0m\n"
fi

8
roles/osm-vector-maps/defaults/main.yml Normal file
View file

@ -0,0 +1,8 @@
# osm_vector_maps_install: True
# osm_vector_maps_enabled: True
# iiab_map_url : http://download.iiab.io/content/OSM/vector-tiles/maplist/hidden
# vector_map_path: "{{ content_base }}/www/osm-vector-maps"
# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!

0
roles/osm-vector/files/countries.json → roles/osm-vector-maps/files/countries.json
View file

0
roles/osm-vector/files/en-map_test.json → roles/osm-vector-maps/files/en-map_test.json
View file

58
roles/osm-vector/files/osm_functions.js → roles/osm-vector-maps/files/map_functions.js
View file

@ -1,16 +1,16 @@
// osm_functions.js -- (non authoritative see below) src = iiab/roles/files/
// map_functions.js -- (non authoritative see below) src = iiab/roles/files/
// copyright 2019 George Hunt
// CAUTION -- this file is duplicate to admin-console/console/files/js/osm_fuctions.js -- please think of admin-console as authoritative
// CAUTION -- this file is duplicate to admin-console/console/files/js/map_functions.js -- please think of admin-console as authoritative
// Placed here in duplicate to ease debugging, and simplify dependences
var regionGeojson = {};
var regionList = [];
var regionInstalled = [];
var commonAssetsDir = '/common/assets/';
var mapAssetsDir = '/osm-vector/maplist/assets/';
var mapAssetsDir = '/osm-vector-maps/maplist/assets/';
var iiab_config_dir = '/etc/iiab/';
var onChangeFunc = "setSize";
var osmCatalog = {};
var mapCatalog = {};
// following 2 lines an experiment to see if test page and console can be common
//var jquery = require("./assets/jquery.min");
@ -19,7 +19,7 @@ var osmCatalog = {};
function getOsmStat(){
// called during the init
console.log('in getOsmStat');
readOsmCatalog( true ); // we want checkboxes
readMapCatalog( true ); // we want checkboxes
readOsmIdx();
}
@ -27,25 +27,25 @@ function readOsmIdx(){
//consoleLog ("in readOsmIdx");
var resp = $.ajax({
type: 'GET',
url: consoleJsonDir + 'osm-vector-idx.json',
url: consoleJsonDir + 'osm-vector-maps-idx.json',
dataType: 'json'
})
.done(function( data ) {
osmInstalled = data['regions'];
mapInstalled = data['regions'];
regionInstalled = [];
for (region in data['regions']) {
if (data['regions'].hasOwnProperty(region)) {
regionInstalled.push(region);
}
}
//consoleLog(osmInstalled + '');
//consoleLog(mapInstalled + '');
})
.fail(jsonErrhandler);
return resp;
}
function readOsmCatalog(checkbox){
function readMapCatalog(checkbox){
checkbox = checkbox || true;
console.log ("in readOsmCalalog");
regionList = [];
@ -56,11 +56,11 @@ function readOsmCatalog(checkbox){
})
.done(function( data ) {
regionJson = data;
osmCatalog = regionJson['regions'];
for(var key in osmCatalog){
//console.log(key + ' ' + osmCatalog[key]['title']);
osmCatalog[key]['name'] = key;
regionList.push(osmCatalog[key]);
mapCatalog = regionJson['regions'];
for(var key in mapCatalog){
//console.log(key + ' ' + mapCatalog[key]['title']);
mapCatalog[key]['name'] = key;
regionList.push(mapCatalog[key]);
}
})
.fail(jsonErrhandler);
@ -120,13 +120,13 @@ function genRegionItem(region,checkbox) {
function instOsmItem(name) {
var command = "INST-OSM-VECT-SET";
var cmd_args = {};
cmd_args['osm_vect_id'] = name;
cmd_args['map_vect_id'] = name;
cmd = command + " " + JSON.stringify(cmd_args);
sendCmdSrvCmd(cmd, genericCmdHandler);
osmDownloading.push(name);
if ( osmWip.indexOf(name) != -1 )
osmWip.push(osmCatalog[name]);
console.log('osmWip: ' + osmWip);
mapDownloading.push(name);
if ( mapWip.indexOf(name) != -1 )
mapWip.push(mapCatalog[name]);
console.log('mapWip: ' + mapWip);
return true;
}
@ -161,19 +161,19 @@ function updateOsmSpace(cb){
}
function updateOsmSpaceUtil(region, checked){
var size = parseInt(osmCatalog[region].size);
var size = parseInt(mapCatalog[region].size);
var modIdx = selectedOsmItems.indexOf(region);
if (checked){
if (regionInstalled.indexOf(region) == -1){ // only update if not already installed mods
sysStorage.osm_selected_size += size;
sysStorage.map_selected_size += size;
selectedOsmItems.push(region);
}
}
else {
if (modIdx != -1){
sysStorage.osm_selected_size -= size;
sysStorage.map_selected_size -= size;
selectedOsmItems.splice(modIdx, 1);
}
}
@ -188,29 +188,29 @@ function totalSpace(){
$( ".extract" ).each(function(ind,elem){
var data = JSON.parse($(this).attr('data-region'));
var region = data.name;
var size = parseInt(osmCatalog[region]['size']);
var size = parseInt(mapCatalog[region]['size']);
var chk = $( this ).find(':checkbox').prop("checked") == true;
if (chk && typeof size !== 'undefined')
sum += size;
});
var ksize = sum / 1000;
$( "#osmDiskSpace" ).html(readableSize(ksize));
$( "#mapDiskSpace" ).html(readableSize(ksize));
}
$( '#instOsmRegion').on('click', function(evnt){
readOsmCatalog();
osm.render();
readMapCatalog();
map.render();
});
*/
function renderOsm(){
console.log('in renderOsm');
window.map.setTarget($("#osm-container")[0]);
window.map.setTarget($("#map-container")[0]);
window.map.render();
renderRegionList(true);
}
function initOsm(){
var dummy = 0;
sysStorage.osm_selected_size = 0;
$.when(readOsmCatalog(true)).then(renderRegionList);
sysStorage.map_selected_size = 0;
$.when(readMapCatalog(true)).then(renderRegionList);
}

4
roles/osm-vector-maps/files/test-index.redirect Normal file
View file

@ -0,0 +1,4 @@
<head>
<meta http-equiv="refresh" content="0; URL=/osm-vector-maps/maplist/" />
</head>

85
roles/osm-vector-maps/tasks/main.yml Normal file
View file

@ -0,0 +1,85 @@
- name: Make sure the osm-vector-maps directory exists
file:
path: '{{ vector_map_path }}/maplist/assets'
state: directory
owner: '{{ apache_user }}'
group: '{{ apache_user }}'
mode: '0755'
- name: Fetch the catalog for osm maps
get_url:
url: "{{ iiab_map_url }}/assets/regions.json"
dest: '{{ vector_map_path }}/maplist/assets/'
- name: Create a link to osm catalog in /common/assets
file:
src: "{{ vector_map_path }}/maplist/assets/regions.json"
dest: "{{ doc_root }}/common/assets/regions.json"
state: link
- name: Fetch the javascript bundle with openlayers for test page
get_url:
url: "{{ iiab_map_url }}/../main.js"
dest: '{{ vector_map_path }}/maplist/'
- name: Fetch the index.html for test page
template:
src: "index.html"
dest: '{{ vector_map_path }}/maplist/index.html'
# Bboxes (bounding boxes) are currently square. But geofabrik has non-rectangular bboxes.
# So bring the bounding box definition from cloud (bboxes.geojson is big)
- name: Fetch the bounding box description for osm maps
get_url:
url: "{{ iiab_map_url }}/assets/bboxes.geojson"
dest: '{{ vector_map_path }}/maplist/assets/'
- name: Install python-geojson package, that helps with geojson
package:
name: python-geojson
state: present
- name: Install the script to update osm catalog
template:
src: iiab-update-map
dest: /usr/bin/iiab-update-map
mode: "0755"
# This depends on iiab-admin-console which is not yet installed
#- name: Run the script that does osm-vector-maps housekeeping
# shell: /usr/bin/iiab-update-map
- name: Copy the Countries geojson to assets
copy:
src: countries.json
dest: '{{ vector_map_path }}/maplist/assets'
# It is too complicated to use a single file for both iiab and admin-console
- name: Copy the duplicated javascript to assets
copy:
src: map_functions.js
dest: '{{ vector_map_path }}/maplist/assets'
- name: Install /etc/{{ apache_config_dir }}/osm-vector-maps.conf from template
template:
src: osm-vector-maps.conf
dest: "/etc/{{ apache_config_dir }}/osm-vector-maps.conf"
- name: Create symlink osm-vector-maps.conf from sites-enabled to sites-available (debuntu, not nec for redhat)
file:
src: /etc/apache2/sites-available/osm-vector-maps.conf
path: /etc/apache2/sites-enabled/osm-vector-maps.conf
state: link
when: osm_vector_maps_enabled and is_debuntu
- name: Remove symlink /etc/apache2/sites-enabled/osm-vector-maps.conf (debuntu)
file:
path: /etc/apache2/sites-enabled/osm-vector-maps.conf
state: absent
when: not osm_vector_maps_enabled and is_debuntu
- name: Copy the redirect to the test page -- delete this if more than one map
copy:
src: test-index.redirect
dest: "{{ vector_map_path }}/index.html"

Some files were not shown because too many files have changed in this diff Show more