Merge pull request #147 from iiab/master

sync from iiab/iiab

iiab-base.yml

@@ -1,13 +0,0 @@
----
-- hosts: all
-  become: yes
-
-  vars_files:
-  - vars/default_vars.yml
-  - vars/{{ ansible_local.local_facts.os_ver }}.yml
-  - /etc/iiab/local_vars.yml
-
-  roles:
-      - { role: 0-init, tags: ['0-init'] }
-      - { role: 1-prep, tags: ['1-prep','platform','base'] }
-      - { role: openvpn, tags: ['openvpn'] }

iiab-from-console.yml

@@ -9,11 +9,11 @@
   - /etc/iiab/config_vars.yml
 
   roles:
-      - { role: 0-init, tags: ['0-init'] }
-      - { role: 4-server-options, tags: ['4-server-options'] }
-      - { role: 5-xo-services, tags: ['5-xo-services'] }
-      - { role: 6-generic-apps, tags: ['6-generic-apps'] }
-      - { role: 7-edu-apps, tags: ['7-edu-apps'] }
-      - { role: 8-mgmt-tools, tags: ['8-mgmt-tools'] }
-      - { role: 9-local-addons, tags: ['9-local-addons'] }
-      - { role: network, tags: ['network'] }
+    - { role: 0-init, tags: ['0-init'] }
+    - { role: 4-server-options, tags: ['4-server-options'] }
+    - { role: 5-xo-services, tags: ['5-xo-services'] }
+    - { role: 6-generic-apps, tags: ['6-generic-apps'] }
+    - { role: 7-edu-apps, tags: ['7-edu-apps'] }
+    - { role: 8-mgmt-tools, tags: ['8-mgmt-tools'] }
+    - { role: 9-local-addons, tags: ['9-local-addons'] }
+    - { role: network, tags: ['network'] }

iiab-network.yml

@@ -9,5 +9,5 @@
   - /etc/iiab/config_vars.yml
 
   roles:
-      - { role: 0-init, tags: ['network'] }
-      - { role: network, tags: ['network','base'] }
+    - { role: 0-init, tags: ['network'] }
+    - { role: network, tags: ['network','base'] }

iiab-support.yml

@@ -0,0 +1,14 @@
+---
+- hosts: all
+  become: yes
+
+  vars_files:
+  - vars/default_vars.yml
+  - vars/{{ ansible_local.local_facts.os_ver }}.yml
+  - /etc/iiab/local_vars.yml
+
+  roles:
+    - { role: 0-init, tags: ['0-init'] }
+    #- { role: 1-prep, tags: ['1-prep', 'platform', 'base'] }
+    - { role: 1-prep, tags: ['1-prep'] }
+    - { role: openvpn, tags: ['openvpn'] }

install-support

@@ -1,17 +1,15 @@
 #!/bin/bash
 
-PLAYBOOK="iiab-base.yml"
+PLAYBOOK="iiab-support.yml"
 INVENTORY="ansible_hosts"
 CWD=`pwd`
 
 export ANSIBLE_LOG_PATH="$CWD/iiab-install.log"
 
-if [ ! -f $PLAYBOOK ]
-then
- echo "IIAB Playbook not found."
- echo "Please run this command from the top level of the git repo."
- echo "Exiting."
- exit 1
+if [ ! -f $PLAYBOOK ]; then
+    echo -e "\nEXITING: $PLAYBOOK not found.\n"
+    echo -e "Please run this command from /opt/iiab/iiab (top of git repo).\n"
+    exit 1
 fi
 
 sed -i -e "s/openvpn_install: False/openvpn_install: True/" /etc/iiab/local_vars.yml

roles/calibre-web/defaults/main.yml

@@ -7,8 +7,8 @@ calibreweb_enabled: False
 
 calibreweb_port: 8083
 calibreweb_url: /books
-calibreweb_path: "{{ iiab_base }}/calibre-web"    # /opt/iiab/calibre-web
-calibreweb_exec_path: "{{ calibreweb_path }}/cps.py"
+calibreweb_venv_path: /usr/local/calibre-web
+calibreweb_exec_path: "{{ calibreweb_venv_path }}/cps.py"
 
 # calibre-web folder to store its data files.
 calibreweb_home: "{{ content_base }}/calibre-web"    # /library/calibre-web

roles/calibre-web/tasks/main.yml

@@ -7,14 +7,14 @@
     state: directory
   with_items:
     - "{{ calibreweb_home }}"
-    - "{{ calibreweb_path }}"
+    - "{{ calibreweb_venv_path }}"
     - "{{ calibreweb_config }}"
 
 ## TODO: Calibre-web future release might get into pypi https://github.com/janeczku/calibre-web/issues/456
 - name: Download calibre-web github repository
   git:
     repo: https://github.com/janeczku/calibre-web.git
-    dest: "{{ calibreweb_path }}"
+    dest: "{{ calibreweb_venv_path }}"
     force: yes
     #update: yes
     depth: 1
@@ -30,13 +30,19 @@
 #  ignore_errors: True
 ##
 # Implementing this with Ansible command module for now.
-- name: Download calibre-web dependencies into vendor subdirectory
-  command: pip install --target vendor -r ./requirements.txt
-  args:
-    chdir: "{{ calibreweb_path }}"
-  ignore_errors: True
+- name: Download calibre-web dependencies into virtual environment
+  pip:
+    requirements: "{{ calibreweb_venv_path }}/requirements.txt"
+    virtualenv: "{{ calibreweb_venv_path }}"
+    virtualenv_site_packages: no
   when: internet_available
 
+- name: Symlink 'vendor' to site-packages for python to keep cps.py happy
+  file:
+    state: link
+    src: "{{ calibreweb_venv_path }}/lib/python2.7/site-packages"
+    dest: "{{ calibreweb_venv_path }}/vendor"
+
 - name: Create calibre-web systemd service unit file and calibre-web.conf for Apache
   template:
     src: "{{ item.src }}"
@@ -130,7 +136,7 @@
     - option: calibreweb_url
       value: "{{ calibreweb_url }}"
     - option: calibreweb_path
-      value: "{{ calibreweb_path }}"
+      value: "{{ calibreweb_venv_path }}"
     - option: calibreweb_home
       value: "{{ calibreweb_home }}"
     - option: calibreweb_port

roles/calibre/defaults/main.yml

@@ -23,7 +23,7 @@ calibre_deb_url: http://download.iiab.io/packages
 # Must contain both packages for the pinned version, formatted as follows:
 # calibre_3.30.0+dfsg-1_all (25M, 2018-08-24)
 # calibre-bin_3.30.0+dfsg-1_armhf (742K, 2018-08-30)
-calibre_deb_pin_version: 3.30.0
+calibre_deb_pin_version: 3.30.0+dfsg-1
 
 # USE TO TEST debs.yml (RASPBIAN APPROACH!) ON DEBIAN 9.X: (now handled by calibre_via_debs in /opt/iiab/iiab/vars/*)
 #calibre_debs_on_debian: True

roles/calibre/tasks/debs.yml

@@ -42,8 +42,8 @@
     #backup: no
     timeout: "{{ download_timeout }}"
   with_items:
-    - calibre_{{ calibre_deb_pin_version }}+dfsg-1_all.deb
-    - calibre-bin_{{ calibre_deb_pin_version }}+dfsg-1_armhf.deb
+    - calibre_{{ calibre_deb_pin_version }}_all.deb
+    - calibre-bin_{{ calibre_deb_pin_version }}_armhf.deb
   when: is_rpi and internet_available
 
 - name: Install/Upgrade both, to PINNED version {{ calibre_deb_pin_version }} while using additional .deb's from testing (rpi)

roles/kolibri/README.rst

@@ -2,66 +2,50 @@
 Kolibri README
 ==============
 
-This Ansible role installs Kolibri within Internet-in-a-Box.  Kolibri is an
-open-source educational platform specially designed to provide offline access
-to a wide range of quality, openly licensed educational contents in
-low-resource contexts like rural schools, refugee camps, orphanages, and also
-in non-formal school programs.
+This Ansible role installs Kolibri within Internet-in-a-Box.  Kolibri is an open-source educational platform specially designed to provide offline access to a wide range of quality, openly licensed educational contents in low-resource contexts like rural schools, refugee camps, orphanages, and also in non-formal school programs.
 
-Access
-------
+Using It
+--------
 
-If enabled and with the default settings Kolibri should be accessible at http://box:8009
+If enabled and with the default settings Kolibri should be accessible at http://box:8009 (and in future at http://box/kolibri).
 
-To login to Kolibri enter
+To login to Kolibri enter::
 
   Username: Admin
-
   Password: changeme
 
 Configuration Parameters
 ------------------------
 
-Please look in defaults/main.yml for the default values of the various install parameters.  Everything
-in this readme assumes the default values.
+Please look in roles/kolibri/defaults/main.yml for the default values of the various install parameters.  Everything in this README assumes the default values.
 
 Automatic Device Provisioning
 -----------------------------
 
-When kolibri_provision is enabled, the installation will setup the following settings:
+When kolibri_provision is enabled, the installation will setup the following settings::
 
   Kolibri Facility name: 'Kolibri-in-a-Box'
-
-  Kolibri Preset type: formal (Other options are nonformal, informal)
-
-  Kolibri default language: en (Otherwise language are ar,bn-bd,en,es-es,fa,fr-fr,hi-in,mr,nyn,pt-br,sw-tz,ta,te,ur-pk,yo,zu)
-
+  Kolibri Preset type: formal    (Other options are nonformal, informal)
+  Kolibri default language: en    (Otherwise language are ar,bn-bd,en,es-es,fa,fr-fr,hi-in,mr,nyn,pt-br,sw-tz,ta,te,ur-pk,yo,zu)
   Kolibri Admin User: Admin
-
   Kolibri Admin password: changeme
 
 Cloning content
 ---------------
 
-Kolibri 0.10 introduced `kolibri manage deprovision` which will remove
-user configuration, leaving content intact. You can then copy/clone /library/kolibri
-to a new location.
+Kolibri 0.10 introduced `kolibri manage deprovision` which will remove user configuration, leaving content intact.  You can then copy/clone /library/kolibri to a new location.
 
 Troubleshooting
 ----------------
 
-You can run the server manually with the following commands:
-
-  systemctl stop kolibri (make sure the systemd service is not running)
+You can run the server manually with the following commands::
 
+  systemctl stop kolibri    # Make sure the systemd service is not running
   export KOLIBRI_HOME=/library/kolibri
-
-  export KOLIBRI_HTTP_PORT=8009 (otherwise Kolibri will try to run on default port 8080)
-
+  export KOLIBRI_HTTP_PORT=8009    # Otherwise Kolibri will try to run on default port 8080
   kolibri start
 
-To return to using the systemd unit:
+To return to using the systemd unit::
 
   kolibri stop
-
   systemctl start kolibri

roles/kolibri/defaults/main.yml

@@ -10,9 +10,9 @@ kolibri_home: "{{ content_base }}/kolibri"
 
 kolibri_http_port: 8009
 kolibri_url: /kolibri/
-kolibri_path: "{{ iiab_base }}/kolibri"
+kolibri_venv_path: /usr/local/kolibri
 # 2018-07-16: IIAB recommends /usr/bin but @arky says this isn't yet possible, due to pip
-kolibri_exec_path: /usr/local/bin/kolibri
+kolibri_exec_path: "{{ kolibri_venv_path }}/bin/kolibri"
 
 # Kolibri system user
 kolibri_user: kolibri

roles/kolibri/tasks/main.yml

@@ -18,10 +18,13 @@
     state: directory
   with_items:
     - "{{ kolibri_home }}"
+    - "{{ kolibri_venv_path }}"
 
 - name: Install kolibri using pip on all OS's
   pip:
     name: kolibri
+    virtualenv: "{{ kolibri_venv_path }}"
+    virtualenv_site_packages: no
     state: latest
     extra_args: --no-cache-dir
   when: internet_available
@@ -36,9 +39,20 @@
   with_items:
     - { src: 'kolibri.service.j2', dest: '/etc/systemd/system/kolibri.service', mode: '0644' }
 
-- name: Ask systemd to reread unit files (daemon-reload)
+- name: Enable & (Re)Start kolibri service
   systemd:
+    name: kolibri
+    enabled: yes
+    state: restarted
     daemon_reload: yes
+  when: kolibri_enabled
+
+- name: Disable kolibri service
+  systemd:
+    name: kolibri
+    enabled: no
+    state: stopped
+  when: not kolibri_enabled
 
 - name: Set kolibri default language
   shell: export KOLIBRI_HOME="{{ kolibri_home }}" && "{{ kolibri_exec_path }}" language setdefault "{{ kolibri_language }}"
@@ -61,20 +75,6 @@
     group: "{{ apache_user }}"
     recurse: yes
 
-- name: Enable kolibri service
-  service:
-    name: kolibri
-    enabled: yes
-    state: restarted
-  when: kolibri_enabled
-
-- name: Disable kolibri service
-  service:
-    name: kolibri
-    enabled: no
-    state: stopped
-  when: not kolibri_enabled
-
 - name: Add 'kolibri' to list of services at /etc/iiab/iiab.ini
   ini_file:
     dest: "{{ service_filelist }}"
@@ -89,7 +89,7 @@
     - option: kolibri_url
       value: "{{ kolibri_url }}"
     - option: kolibri_path
-      value: "{{ kolibri_path }}"
+      value: "{{ kolibri_exec_path }}"
     - option: kolibri_port
       value: "{{ kolibri_http_port }}"
     - option: enabled

roles/openvpn/tasks/main.yml

@@ -32,7 +32,7 @@
 # being used (instead of the full key) as an abbreviated regexp for now.
 # A backslash in front of each plus sign (+) would also work.
 
-- name: Remove ssh public keys (if openvpn_install is False)
+- name: Remove those ssh public keys (if openvpn_install is False)
   lineinfile:
     regexp: "{{ item }}"
     path: /root/.ssh/authorized_keys
@@ -44,27 +44,17 @@
     - "tUM4hl009fbXY4Yy3bAadWL1CquVrZmKfBBWhyhz8zLD6TQ== ghunt@ip-192-168-123-123.ec2.internal$"
     - "heOMXXNU6skxdPh2fcHh0bzQcaCSQ== holt@crank$"
 
-- name: Create the directory for OpenVPN keys
+- name: "Create 3 directories for: OpenVPN keys, scripts & up_wan"
   file:
-    dest: /etc/openvpn/keys
+    path: "{{ item }}"
     state: directory
     owner: root
     group: root
     mode: 0755
-
-- name: Create the directory for scripts
-  file:
-    dest: /etc/openvpn/scripts
-    state: directory
-    owner: root
-    group: root
-    mode: 0755
-
-# Comment out in future?  Might still be relevant for CentOS but unused for ~2 years as of August 2018:
-- name: Create folder /usr/lib/iiab (not on path) for iiab executable up_wan
-  file:
-    path: /usr/lib/iiab
-    state: directory
+  with_items:
+    - /etc/openvpn/keys
+    - /etc/openvpn/scripts
+    - /usr/lib/iiab    # For executable up_wan.  Comment out in future?  Might still be relevant for CentOS but unused for ~2 years as of August 2018.
 
 - name: Configure OpenVPN (BACKS UP FILES IF CHANGED)
   template:
@@ -89,23 +79,13 @@
     - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
     # Comment out in future?  Might still be relevant for CentOS but unused for ~2 years as of August 2018:
     - { src: 'up_wan', dest: '/usr/lib/iiab/up_wan', mode: '0755' }
-    # Unused for ~2 years as of August 2018:
+    # Obsolete & unused for ~2 years as of August 2018:
     #- { src: 'start.j2', dest: '/usr/lib/iiab/start', mode: '0755' }
-    # Buggy & rarely used as of August 2018:
+    # Obsolete & unused for ~2 years as of August 2018:
     #- { src: 'iiab-vpn.conf.in', dest: '/etc/openvpn/iiab-vpn.conf.in', mode: '0644' }
-    # Buggy & rarely used as of August 2018:
+    # Obsolete & unused for ~2 years as of August 2018:
     #- { src: 'iiab-vpn.j2', dest: '/usr/bin/iiab-vpn', mode: '0755' }
 
-#- name: Save openvpn_handle variable into /etc/iiab/openvpn_handle (BACKS UP FILE IF CHANGED)
-#  template:
-#    src: openvpn_handle.j2
-#    dest: /etc/iiab/openvpn_handle
-#    owner: root
-#    group: root
-#    mode: 0644
-#    backup: yes
-#  when: openvpn_handle is defined
-
 # up_wan was being installed twice (also above) and was unused for ~2 years
 # as of August 2018: (see 15-openvpn below)
 #- name: Put up_wan in place (debuntu)
@@ -121,9 +101,9 @@
   template:
     src: 15-openvpn
     dest: /etc/NetworkManager/dispatcher.d/
-  when: not is_debuntu
+  when: not is_debuntu    # SHOULD THIS CONDITION ACT ON THE PRESENCE OF NETWORKMANAGER?  e.g. some Ubuntu's use NM, others don't.
 
-# Was buggy & unused for ~2 years as of August 2018:
+# Was obsolete/unused for ~2 years as of August 2018: (replaced by /etc/openvpn/xscenet.conf)
 #- name: Check for manually configured OpenVPN tunnel
 #  stat:
 #    path: /etc/openvpn/iiab-vpn.conf
@@ -154,20 +134,30 @@
 # /etc/iiab/openvpn_handle to xscenet.net -- and
 # "systemctl restart openvpn@xscenet" was failing completely (no matter how
 # many times it was run) to transmit /etc/iiab/openvpn_handle to xscenet.net
-- name: Enable & (Re)Start openvpn@xscenet tunnel
+
+# 2018-09-02: OpenVPN had been starting tunnels by accident after reboot,
+# with new IIAB installs.  Fix below (https://github.com/iiab/iiab/pull/1079)
+# changes most all instances below from PARENT service "openvpn@xscenet" to
+# CHILD service "openpvn".  See these 2 critical files to understand why:
+#
+#    /etc/default/openvpn
+#    /etc/openvpn/xscenet.conf
+
+- name: Enable & (Re)Start PARENT service openvpn, which (re)starts CHILD service openvpn@xscenet (& actual tunnel)
   systemd:
-    name: openvpn@xscenet.service
+    name: openvpn
+    daemon_reload: yes
     enabled: yes
-    state: restarted
+    state: restarted    # 2018-09-02: Should we be concerned that "systemctl status openvpn" often shows "active (exited)" ?  If so we might consider "state: started" or "state: reloaded" instead?
   when: openvpn_enabled
 
-- name: Enable hourly cron job for OpenVPN
+- name: Enable hourly cron job for OpenVPN (starts CHILD service openvpn@xscenet, typically for CentOS only?)
   lineinfile:
     path: /etc/crontab
     line: "25 *  *  *  * root (/usr/bin/systemctl start openvpn@xscenet.service) > /dev/null"
   when: openvpn_enabled and openvpn_cron_enabled
 
-- name: Remove hourly cron job for OpenVPN
+- name: Remove hourly cron job for OpenVPN (typically for CentOS only?)
   lineinfile:
     path: /etc/crontab
     regexp: "openvpn@xscenet"
@@ -176,9 +166,9 @@
     state: absent
   when: not openvpn_enabled or not openvpn_cron_enabled
 
-- name: Disable & Stop openvpn@xscenet tunnel
+- name: Disable & Stop PARENT service openvpn, which stops CHILD service openvpn@xscenet (& actual tunnel)
   systemd:
-    name: openvpn@xscenet.service
+    name: openvpn
     enabled: no
     state: stopped
   when: not openvpn_enabled
@@ -207,7 +197,7 @@
   - option: name
     value: OpenVPN
   - option: description
-    value: "OpenVPN is a means of connecting to other machines anywhere on the internet, via a middleman server, using Virtual Private Network techniques to create secure connections."
+    value: "OpenVPN enables live/remote support by connecting machines anywhere on the Internet, via a middleman server, using Virtual Private Network (VPN) techniques to create secure connections."
   - option: enabled
     value: "{{ openvpn_enabled }}"
 # openvpn_handle variable can no longer be left completely undefined of August 2018 (EMPTY STRING "" IS TOLERATED, in which case OpenVPN server should use /etc/iiab/uuid in lieu of the handle)

roles/openvpn/templates/xscenet.conf.j2

@@ -1,4 +1,4 @@
-# Sample client-side OpenVPN config file for connecting to multi-client server.
+# Sample client-side OpenVPN config file for connecting to multi-client server
 #
 # Adapted from http://openvpn.sourceforge.net/20notes.html
 #

run-one-role.yml

@@ -9,5 +9,5 @@
   - /etc/iiab/config_vars.yml
 
   roles:
-      - { role: 0-init, tags: ['0-init'] }
-      - { role: "{{ role_to_run }}", tags: ['run'] }
+    - { role: 0-init, tags: ['0-init'] }
+    - { role: "{{ role_to_run }}", tags: ['run'] }