Merge branch 'master' of https://github.com/iiab/iiab

roles/openvpn/tasks/main.yml

@@ -70,8 +70,8 @@
 #    backup: yes
 #  when: openvpn_handle is defined
 
-# Comment out in future?  up_wan was being installed twice (also above) and
-# was unused for ~2 years as of August 2018: (see 15-openvpn below)
+# up_wan was being installed twice (also above) and was unused for ~2 years
+# as of August 2018: (see 15-openvpn below)
 #- name: Put up_wan in place (debuntu)
 #  template:
 #    src: up_wan
@@ -79,8 +79,8 @@
 #  when: is_debuntu
 
 # Comment out in future?  Contained serious bug (15-openvpn called
-# up-wan instead of up_wan in /usr/lib/iiab/) so evidently unused
-# for ~2 years, as of Aug 2018:
+# up-wan instead of up_wan in /usr/lib/iiab/ as of August 2018) so
+# evidently unused for ~2 years:
 - name: Put dispatcher up for NM (not debuntu)
   template:
     src: 15-openvpn
@@ -174,7 +174,7 @@
     value: "OpenVPN is a means of connecting to other machines anywhere on the internet, via a middleman server, using Virtual Private Network techniques to create secure connections."
   - option: enabled
     value: "{{ openvpn_enabled }}"
-# Uncommented as openvpn_handle variable is now mandatory: (if set to "", /etc/iiab/uuid will be used instead)
+# openvpn_handle variable can no longer be left complete undefined of August 2018 (EMPTY STRING "" IS TOLERATED, in which case OpenVPN server should use /etc/iiab/uuid in lieu of the handle)
   - option: handle
     value: "{{ openvpn_handle }}"
   - option: cron_enabled

roles/openvpn/templates/15-openvpn

@@ -1,4 +1,5 @@
 #!/bin/bash
+# Not really used as of August 2018, but perhaps can be revived for CentOS etc
 
 export LC_ALL=C
 

roles/openvpn/templates/announce

@@ -1,4 +1,5 @@
 #!/bin/bash
-# disconnect our worker from everything
+# Disconnect our worker from everything
+
 DIR=$(dirname $0)
 nohup $DIR/announcer 0<&- &>/dev/null & 

roles/openvpn/templates/announcer.j2

@@ -8,7 +8,15 @@ if [ -f /etc/iiab/openvpn_handle ]; then
     # Option #1
     HANDLE=`cat /etc/iiab/openvpn_handle`
     # Option #2: UUID is later used, if openvpn_handle is not set
-# Sourcing a variable from ~4 different places is a recipe for total confusion (or worse!)
+
+# Sourcing a variable from ~4 different places is a recipe for total confusion
+# (or worse!)  Far better to make variable openvpn_handle and file
+# /etc/iiab/openvpn_handle "obligatory" (EMPTY STRING "" IS TOLERATED, in which
+# case OpenVPN server should use /etc/iiab/uuid in lieu of the handle).
+
+# CLARIF: "systemctl restart openvpn@xscenet" still runs even if the above is
+# defied.  e.g. if an implementer deletes /etc/iiab/openvpn_handle by accident.
+
 #else
 #    # Option #3: Dangerous to invoke hypothetical variables :(
 #    source /etc/iiab/iiab.env

roles/openvpn/templates/up_wan

@@ -1,5 +1,8 @@
 #!/bin/bash
-# if the wan has recently come up, see if we need to start openvpn
+# Not really used as of August 2018, but perhaps can be revived for CentOS etc
+
+# If the wan has recently come up, see if we need to start openvpn
+
 systemctl is-enabled openvpn
 if [ $? -eq 0 ]; then
     pgrep openvpn

roles/openvpn/templates/xscenet.conf.j2

@@ -1,32 +1,24 @@
-#########################################
-# Sample client-side OpenVPN config file
-# for connecting to multi-client server.
+# Sample client-side OpenVPN config file for connecting to multi-client server.
 #
 # Adapted from http://openvpn.sourceforge.net/20notes.html
 #
 # The server can be pinged at {{ openvpn_server_virtual_ip }}
-#
 
 port {{ openvpn_server_port }}
 dev tun
 remote {{ openvpn_server }}
 
-# TLS parms
-
+# TLS parameters
 tls-client
 ca keys/ca.crt
 cert keys/client1.crt
 key keys/client1.key
 
-# This parm is required for connecting
-# to a multi-client server.  It tells
-# the client to accept options which
-# the server pushes to us.
+# This parameter is required for connecting to a multi-client server.
+# It tells the client to accept options which the server pushes to us.
 pull
 
-# Scripts can be used to do various
-# things (change nameservers, for
-# example.
+# Scripts can be used to do various things (change nameservers, for example).
 script-security 2
 up scripts/announce
 down scripts/silence