Merge pull request #3798 from holta/vpn

Introduce new VPN approach (roles/tailscale) with commands iiab-vpn and iiab-vpn-off in /usr/bin

roles/0-init/tasks/validate_vars.yml

@@ -71,7 +71,8 @@
       - dnsmasq
       - bluetooth
       - sshd
-      - openvpn
+      #- openvpn            # Deprecated
+      - tailscale
       - remoteit
       - admin_console
       #- nginx              # MANDATORY

roles/1-prep/tasks/main.yml

@@ -3,22 +3,22 @@
 - name: ...IS BEGINNING ============================================
   meta: noop
 
-- name: SSHD -- required by OpenVPN below -- also run by roles/4-server-options/tasks/main.yml
+- name: SSHD
   include_role:
     name: sshd
   when: sshd_install
 
-- name: OPENVPN
+- name: TAILSCALE (VPN)
   include_role:
-    name: openvpn
-  when: openvpn_install
+    name: tailscale
+  when: tailscale_install
 
 - name: REMOTE.IT
   include_role:
     name: remoteit
   when: remoteit_install
 
-- name: IIAB-ADMIN -- includes roles/iiab-admin/tasks/access.yml
+- name: IIAB-ADMIN -- includes {lynx, screen, sudo-prereqs.yml, admin-user.yml, pwd-warnings.yml}
   include_role:
     name: iiab-admin
   #when: iiab_admin_install    # Flag might be created in future?

roles/4-server-options/tasks/main.yml

@@ -19,11 +19,6 @@
   #when: pylibs_installed is undefined
   #when: pylibs_install    # Flag might be created in future?
 
-- name: SSHD -- also run by roles/1-prep/tasks/main.yml as required by OpenVPN
-  include_role:
-    name: sshd
-  when: sshd_install
-
 - name: Install Bluetooth - only on Raspberry Pi
   include_role:
     name: bluetooth

roles/iiab-admin/README.rst

@@ -36,7 +36,7 @@ Security
    #. ``iiab-admin`` (specified by ``admin_console_group`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_ and `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_)
    #. ``sudo``
 * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
-* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <../openvpn/tasks/install.yml>`_ to facilitate remote community support.  Feel free to remove this as mentioned here: https://wiki.iiab.io/go/Security
+* If your IIAB includes Tailscale (VPN), ``/root/.ssh/authorized_keys`` should be installed by `roles/tailscale/tasks/install.yml <../tailscale/tasks/install.yml>`_ to facilitate remote community support.  Feel free to remove this as mentioned here: https://wiki.iiab.io/go/Security
 * Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_) is implemented in `/etc/profile.d <templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop).
 
 Example
@@ -56,7 +56,7 @@ Historical Notes
 Remote Support Tools
 --------------------
 
-The `iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_ and `OpenVPN <https://en.wikipedia.org/wiki/OpenVPN>`_ options mentioned above can greatly help you empower your community, typically during the implementation phase of your project, even if Linux is new to you.
+The `iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_ and `Tailscale (VPN) <https://en.wikipedia.org/wiki/Tailscale>`_ options mentioned above can greatly help you empower your community, typically during the implementation phase of your project, even if Linux is new to you.
 
 Similarly, `tasks/main.yml <tasks/main.yml>`_ adds a couple text mode tools — extremely helpful over expensive / low-bandwidth connections:
 

roles/iiab-admin/tasks/sudo-prereqs.yml

@@ -1,6 +1,6 @@
 - name: 'Install package: sudo'
   package:
-    name: sudo    # (1) Should be installed prior to installing IIAB, (2) Can also be installed by roles/1-prep's roles/openvpn/tasks/install.yml, (3) Is definitely installed by 1-prep here, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)
+    name: sudo    # (1) Should be installed prior to installing IIAB, (2) Can be installed by 1-prep's roles/tailscale/tasks/install.yml, (3) Can be installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml here, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)
 
 - name: Temporarily make file /etc/sudoers editable (0640)
   file:

roles/sshd/defaults/main.yml

@@ -1,4 +1,4 @@
-# sshd_install: True    # Required by OpenVPN
+# sshd_install: True
 # sshd_enabled: True
 
 # sshd_port: 22    # Not fully functional.  SEE: roles/sshd/tasks/install.yml

roles/tailscale/tasks/install.yml

@@ -0,0 +1,113 @@
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
+- name: "Set up apt source (jammy) in /etc/apt/sources.list.d/tailscale.list and its key /usr/share/keyrings/tailscale-archive-keyring.gpg, to install Tailscale"
+  shell: |
+    curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/jammy.noarmor.gpg > /usr/share/keyrings/tailscale-archive-keyring.gpg
+    curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/jammy.tailscale-keyring.list > /etc/apt/sources.list.d/tailscale.list
+
+- name: "Install packages: jq, sudo, tailscale"
+  package:
+    name:
+      #- ncat    # Newer versions of NMap do not include NCat, WAS needed to announce openvpn_handle (if Debian > 9 or Ubuntu > 18)
+      #- nmap
+      - jq      # JSON parser used by /usr/bin/iiab-support == /usr/bin/iiab-vpn
+      - sudo    # (1) Should be installed prior to installing IIAB, (2) Can also be installed by 1-prep here, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)
+      - tailscale
+    update_cache: yes
+
+- name: Set up tab completion for 'tailscale' at the command-line
+  shell: tailscale completion bash > /etc/bash_completion.d/tailscale
+
+- name: "Install ssh public keys for remote support (only runs if 'tailscale_install: True')"
+  lineinfile:
+    line: "{{ item.pubkey }}"
+    regexp: "{{ item.regexp }}"
+    path: /root/.ssh/authorized_keys
+  with_items:
+    - regexp: "LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s=$" # Tim Moody
+      pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAhlQIh8ZPx4awdM0O6QNcPbx3qIZ39FHjF2YJ2SX3z7iLnYiz03Ek6Bux9P4HvaVAqlApiz2I68Vq8TfU2s/+LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s="
+    - regexp: "tUM4hl009fbXY4Yy3bAadWL1CquVrZmKfBBWhyhz8zLD6TQ== ghunt@ip-192-168-123-123.ec2.internal$"
+      pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxAmjU7VojyK+0Pjp2p8CCGTNBtE565A/L8IVbAT8MIucRE9LN1g5LjGnOHUShFJpwuTR1JLX2r9EDRMsf9MmyTgUAnuyP005giWVHXLPtjyjTzbsJ1DEtXRytulmF+GlCOaqPWNde6EOmReqPHbmjIQpRZ/Sc8hziS4jVSQuBA9EhaBmZ62CPqK33mPJvnpwMtdd6nHXAcXsZhStd3NhVDm27+B3sHI6mr2w7ExdBXE5DKiZL2po8n2y4hJYZreJopbjcQmv4oWdDWvPu5I92xDgYCsqcE7zSrv1um+tUM4hl009fbXY4Yy3bAadWL1CquVrZmKfBBWhyhz8zLD6TQ== ghunt@ip-192-168-123-123.ec2.internal"
+    - regexp: "heOMXXNU6skxdPh2fcHh0bzQcaCSQ== holt@crank$"
+      pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApHPly+EA1M4bispl3AulTLjyYCjcJzh6s779K3epDkqh600a+fHsdIiddWCAfIonRq+9MJyOiaNQ+WYLOuajI1IiFZWFt45xDAiyCUnyuT+ytAX+IA3TgTwgTZPfzDOzI8rDRV9Sgl+LZLfPno7T3qxcGx2l51bRk+koRK+Txpph//M3jGvsFmTKhjvfxgEIUmMH9SkASxEdyqASr0+/+uLR92MnT+8CT1pOYYoJyZp9Lta5eGqJvbEmd3Dn7MXqD3vXE57o4rBJ0bR3q5LK59WVNxNQbulJ9z5V7aTJ4AbBFQWxm0fH0gBx+heOMXXNU6skxdPh2fcHh0bzQcaCSQ== holt@crank"
+
+# CLARIF: plus signs (+) in public keys cause duplicate key additions (above)
+# and failure during removal (below) as "+" has a special meaning as
+# interpreted in a Python regexp, as implemented by Ansible's lineinfile module:
+# https://docs.python.org/2/library/re.html
+
+# WORKAROUND: the tail end of each public key (after the last plus sign) is
+# being used (instead of the full key) as an abbreviated regexp for now.
+# A backslash in front of each plus sign (+) would also work.
+
+# - name: Remove those ssh public keys, if not tailscale_enabled
+#   lineinfile:
+#     regexp: "{{ item }}"
+#     path: /root/.ssh/authorized_keys
+#     state: absent
+#   with_items:
+#     - "LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s=$"
+#     - "tUM4hl009fbXY4Yy3bAadWL1CquVrZmKfBBWhyhz8zLD6TQ== ghunt@ip-192-168-123-123.ec2.internal$"
+#     - "heOMXXNU6skxdPh2fcHh0bzQcaCSQ== holt@crank$"
+#   when: not tailscale_enabled
+
+- name: Install /usr/bin/iiab-vpn & /usr/bin/iiab-vpn-off (BACKS UP FILES IF CHANGED)
+  template:
+    src: "{{ item }}"
+    dest: /usr/bin/
+    mode: '0755'
+    backup: yes
+  with_items:
+    - iiab-vpn
+    - iiab-vpn-off
+
+- name: Symlink /usr/bin/iiab-vpn-on -> /usr/bin/iiab-vpn
+  file:
+    src: /usr/bin/iiab-vpn
+    path: /usr/bin/iiab-vpn-on
+    state: link
+
+- name: Symlink /usr/bin/iiab-support -> /usr/bin/iiab-vpn
+  file:
+    src: /usr/bin/iiab-vpn
+    path: /usr/bin/iiab-support
+    state: link
+
+- name: Symlink /usr/bin/iiab-support-on -> /usr/bin/iiab-vpn
+  file:
+    src: /usr/bin/iiab-vpn
+    path: /usr/bin/iiab-support-on
+    state: link
+
+- name: Symlink /usr/bin/iiab-support-off -> /usr/bin/iiab-vpn-off
+  file:
+    src: /usr/bin/iiab-vpn-off
+    path: /usr/bin/iiab-support-off
+    state: link
+
+
+# RECORD Tailscale AS INSTALLED
+
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'tailscale_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: tailscale
+    option: tailscale_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
+- name: "Set 'tailscale_installed: True'"
+  set_fact:
+    tailscale_installed: True
+
+- name: "Add 'tailscale_installed: True' to {{ iiab_state_file }}"
+  lineinfile:
+    path: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
+    regexp: '^tailscale_installed'
+    line: 'tailscale_installed: True'

roles/tailscale/tasks/main.yml

@@ -0,0 +1,47 @@
+# http://FAQ.IIAB.IO -> "How can I remotely manage my Internet-in-a-Box?"
+
+
+# "How do i fail a task in Ansible if the variable contains a boolean value?
+# I want to perform input validation for Ansible playbooks"
+# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499
+
+# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
+# to re-check whether vars are defined here.  As Ansible vars cannot be unset:
+# https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible
+
+- name: Assert that "tailscale_install is sameas true" (boolean not string etc)
+  assert:
+    that: tailscale_install is sameas true
+    fail_msg: "PLEASE SET 'tailscale_install: True' e.g. IN: /etc/iiab/local_vars.yml"
+    quiet: yes
+
+- name: Assert that "tailscale_enabled | type_debug == 'bool'" (boolean not string etc)
+  assert:
+    that: tailscale_enabled | type_debug == 'bool'
+    fail_msg: "PLEASE GIVE VARIABLE 'tailscale_enabled' A PROPER (UNQUOTED) ANSIBLE BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
+    quiet: yes
+
+
+- name: Install Tailscale if 'tailscale_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+  include_tasks: install.yml
+  when: tailscale_installed is undefined
+
+
+#- include_tasks: enable-or-disable.yml
+
+
+- name: Add 'tailscale' variable values to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: tailscale
+    option: "{{ item.option }}"
+    value: "{{ item.value | string }}"
+  with_items:
+    - option: name
+      value: Tailscale (VPN)
+    - option: description
+      value: '"Tailscale enables live/remote support by connecting machines anywhere on the Internet, using a software-defined mesh virtual private network (VPN), and optional web-based management service."'
+    - option: tailscale_install
+      value: "{{ tailscale_install }}"
+    - option: tailscale_enabled
+      value: "{{ tailscale_enabled }}"

roles/tailscale/templates/iiab-vpn

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+# USEFUL DOC: https://tailscale.com/kb/1080/cli#status
+
+VPN_URL=https://iiab.net
+VPN_KEY="$1"
+
+# if tailscale status > /dev/null; then    # MANY IMPERFECT TESTS OF TAILNET CONNECTIVITY: tailscale0 CAN lose its IP address, as shown by 'ip a' and 'hostname -I' (testing 'systemctl is-active tailscaled' is likely no better!)  Unclear if 'tailscale status --json | jq -r .Self.Online' is much better?  Maybe explore 'tailscale debug --help' and 'tailscale debug prefs' for a cleaner/authoritative verdict?  Or use + display string output of 'systemctl show tailscaled --property=StatusText' e.g. 'StatusText=Connected; iiab; 100.64.0.4' ?  (OR JUST DON'T WORRY ABOUT IT, AS THE ~3 'tailscale up' COMMANDS BELOW ARE MORE PROACTIVE... AND APPEAR FAST + SAFE!)
+#     echo -e "\n\e[1;33mAlready connected to VPN!?\e[0m"
+# else
+#     [NEST ~20 LINES OF IF STATEMENTS FURTHER BELOW?]
+
+# Check that current profile key still exists in /var/lib/tailscale/tailscaled.state ?  (As 'tailscale logout' wipes it!)  In the end, these are 3 lousy tests...
+# if [ -f /var/lib/tailscale/tailscaled.state ] && [[ $(grep -c $(jq -r '."_current-profile"' /var/lib/tailscale/tailscaled.state) /var/lib/tailscale/tailscaled.state) > 1 ]]; then
+# if ! [[ $(tailscale status | tr '[:upper:]' '[:lower:]') =~ "logged out" ]]; then
+# if [[ $(tailscale status --json | jq -r .CurrentTailnet.Name) = "iiab.community" ]]; then
+
+# UX Optimization: {iiab-vpn, iiab-support} can be run WITHOUT key *IF* .BackendState is "Stopped" or "Running" *AND* .ControlURL is $VPN_URL (avoid their default, https://controlplane.tailscale.com !)
+if [[ $(tailscale status --json | jq -r .BackendState) != "NeedsLogin" && $(tailscale debug prefs | jq -r .ControlURL) = $VPN_URL ]]; then
+    if ! tailscale up --login-server "$VPN_URL" --timeout 8s; then    # (Re-)passing $VPN_URL is overkill on this line, but can't hurt!
+        echo -e "\n\e[41;1mERROR $?: Failed to connect to VPN\e[0m\n"
+        exit 1
+    fi
+elif [ -z $VPN_KEY ]; then
+    echo -e "\n\e[1;33mVPN key required!\e[0m\n\nEmail holt@unleashkids.org to explain your need?\n"
+    exit 1
+else
+    if ! tailscale up --login-server "$VPN_URL" --auth-key "$VPN_KEY" --timeout 8s; then
+        echo -e "\n\e[41;1mERROR $?: Failed to connect to VPN, so let's try --force-reauth\e[0m\n"
+        # If 'tailscale up' just above fails w/ exit code 1 ~= "can't change --login-server without --force-reauth" (i.e. if switching login server, e.g. to/from their default (https://controlplane.tailscale.com) -- SEE ALSO: 'tailscale switch -h' and https://tailscale.com/blog/fast-user-switching) then more "brute force" is attempted below...
+	# https://github.com/tailscale/tailscale/issues/3849 "Please warn that --force-reauth immediately disconnects"  (brute force, only as a last resort!)
+	# https://github.com/tailscale/tailscale/issues/4854 "Tailscale CLI has poor UX with expiring keys"  (long-term node keys thankfully mitigate this!)
+        if ! tailscale up --login-server "$VPN_URL" --auth-key "$VPN_KEY" --force-reauth --timeout 8s; then
+            echo -e "\n\e[41;1mERROR $?: Failed to connect to VPN, even with --force-reauth\e[0m\n"
+            exit 1
+        fi
+    fi
+fi
+
+# jq 1.7 (2023-09-05) on new OS's also allows new syntax...  jq -r .Node.Tags.[]
+# Can also work: tailscale whois --json $(tailscale ip -1) | jq -r .Node.Tags[])
+echo -e "\n\e[44;1mCheck that VPN ($(tailscale status --json | jq -r .Self.Tags[])) is now live:\e[0m\n"
+echo -e "    hostname -I"
+echo -e "    tailscale ip"
+echo -e "    tailscale status"
+echo -e "    tailscale whois $(tailscale ip -1)"
+echo -e "    tailscale whois --json $(tailscale ip -1) | jq"
+echo -e "    tailscale ping [IP or HOSTNAME]"
+echo -e "    tailscale status --json | jq"
+echo -e "    systemctl status tailscaled\n"
+echo -e "\e[4mTo disconnect from VPN:\e[0m\n"
+echo -e "    tailscale down\n"
+echo -e "\e[4mTo permanently log out of VPN:\e[0m\n"
+echo -e "    tailscale logout\n"

roles/tailscale/templates/iiab-vpn-off

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+tailscale down
+
+echo -e "\n\e[44;1mDisconnecting from VPN...\e[0m\n"
+echo -e "\e[4mTo permanently log out of VPN:\e[0m\n"    # Expires machine node key, from /var/lib/tailscale/tailscaled.state
+echo -e "    tailscale logout\n"                        # ...as seen by 'tailscale status --json' (related: 'tailscale debug prefs')

scripts/iiab-summary

@@ -79,8 +79,13 @@ echo
 /opt/iiab/iiab/scripts/iiab-apps-to-be-installed > /dev/null
 echo "$(df -h /)      ZIMs: $(ls /library/zims/content/ | wc -l) OER2Go: $(ls /library/www/html/modules/ | wc -l) Apps2B: $(cat /tmp/iiab-apps-to-be-installed | wc -l)"
 echo
+#grep "^openvpn_handle:" /etc/iiab/local_vars.yml
+#grep "^tailscale_installed:" /etc/iiab/iiab_state.yml
+if [[ $(command -v /usr/bin/tailscale) ]]; then
+    #echo "VPN: $(tailscale ip) $(tailscale whois --json $(tailscale ip -1) | jq -r .Node.Tags[])"
+    echo "VPN: $(tailscale ip) $(tailscale status --json | jq -r .Self.Tags[])"
+fi
 echo $(ip -o link show | awk -F': ' '{print $2}')    # Better order than: ls -rt /sys/class/net
-grep "^openvpn_enabled:" /etc/iiab/local_vars.yml
-grep "^openvpn_handle:" /etc/iiab/local_vars.yml
+echo $(echo $(hostname -A) $(hostname -a) | xargs -n1 | sort | uniq)
 hostname -I
 echo

vars/default_vars.yml

@@ -219,8 +219,8 @@ dns_jail_enabled: False
 
 # 1-PREP
 
-# SSHD runs here & also below in 4-SERVER-OPTIONS
-sshd_install: True    # Required by OpenVPN
+# OPENSSH-SERVER
+sshd_install: True
 sshd_enabled: True
 sshd_port: 22    # Not fully functional.  SEE: roles/sshd/tasks/install.yml
 
@@ -232,17 +232,9 @@ remoteit_enabled: False
 # remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6
 
 # SECURITY WARNING: https://wiki.iiab.io/go/Security
-openvpn_install: True
-openvpn_enabled: False
-openvpn_handle: ""    # Empty string on purpose since ~2016, for /etc/iiab/uuid
-# SEE https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/main.yml#L5-L20
-# cron seemed necessary on CentOS:
-openvpn_cron_enabled: False
-# General OpenVPN settings
-openvpn_server: xscenet.net
-openvpn_server_real_ip: 3.89.148.185
-openvpn_server_virtual_ip: 10.8.0.1
-openvpn_server_port: 1194
+# New VPN replaced OpenVPN in Sept 2024:
+tailscale_install: True
+tailscale_enabled: False    # Stub var, doesn't yet do anything!
 
 # IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo,
@@ -289,8 +281,6 @@ nginx_log_dir: /var/log/nginx
 
 # 4-SERVER-OPTIONS
 
-# SSHD runs here & also above in 1-PREP
-
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
 # Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)

vars/local_vars_large.yml

@@ -132,8 +132,8 @@ dns_jail_enabled: False
 
 # 1-PREP
 
-# SSHD runs here & also below in 4-SERVER-OPTIONS
-sshd_install: True    # Required by OpenVPN
+# OPENSSH-SERVER
+sshd_install: True
 sshd_enabled: True
 
 # https://remote.it can help you remotely maintain an IIAB.
@@ -144,10 +144,9 @@ remoteit_enabled: False
 # remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6
 
 # SECURITY WARNING: https://wiki.iiab.io/go/Security
-openvpn_install: True
-openvpn_enabled: False
-# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle
-openvpn_handle: LARGE - Put Your Name Here
+# New VPN replaced OpenVPN in Sept 2024:
+tailscale_install: True
+tailscale_enabled: False    # Stub var, doesn't yet do anything!
 
 # IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo
@@ -178,8 +177,6 @@ pi_swap_file_size: 1024
 
 # 4-SERVER-OPTIONS
 
-# SSHD runs here & also above in 1-PREP
-
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
 # Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)

vars/local_vars_medical.yml

@@ -12,7 +12,6 @@ munin_install: True
 munin_enabled: True
 vnstat_install: True
 vnstat_enabled: True
-openvpn_handle: "MEDICAL - Put Your Name Here"
 usb_lib_umask0000_for_kolibri: False
 apache_allow_sudo: True
 # By default

vars/local_vars_medium.yml

@@ -132,8 +132,8 @@ dns_jail_enabled: False
 
 # 1-PREP
 
-# SSHD runs here & also below in 4-SERVER-OPTIONS
-sshd_install: True    # Required by OpenVPN
+# OPENSSH-SERVER
+sshd_install: True
 sshd_enabled: True
 
 # https://remote.it can help you remotely maintain an IIAB.
@@ -144,10 +144,9 @@ remoteit_enabled: False
 # remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6
 
 # SECURITY WARNING: https://wiki.iiab.io/go/Security
-openvpn_install: True
-openvpn_enabled: False
-# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle
-openvpn_handle: MEDIUM-sized - Put Your Name Here
+# New VPN replaced OpenVPN in Sept 2024:
+tailscale_install: True
+tailscale_enabled: False    # Stub var, doesn't yet do anything!
 
 # IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo
@@ -178,8 +177,6 @@ pi_swap_file_size: 1024
 
 # 4-SERVER-OPTIONS
 
-# SSHD runs here & also above in 1-PREP
-
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
 # Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)

vars/local_vars_none.yml

@@ -1,6 +1,6 @@
 # turn off defaults
 remoteit_install: False
-openvpn_install: False
+tailscale_install: False
 kolibri_install: False
 kolibri_enabled: False
 kiwix_install: False

vars/local_vars_small.yml

@@ -132,8 +132,8 @@ dns_jail_enabled: False
 
 # 1-PREP
 
-# SSHD runs here & also below in 4-SERVER-OPTIONS
-sshd_install: True    # Required by OpenVPN
+# OPENSSH-SERVER
+sshd_install: True
 sshd_enabled: True
 
 # https://remote.it can help you remotely maintain an IIAB.
@@ -144,10 +144,9 @@ remoteit_enabled: False
 # remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6
 
 # SECURITY WARNING: https://wiki.iiab.io/go/Security
-openvpn_install: True
-openvpn_enabled: False
-# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle
-openvpn_handle: SMALL - Put Your Name Here
+# New VPN replaced OpenVPN in Sept 2024:
+tailscale_install: True
+tailscale_enabled: False    # Stub var, doesn't yet do anything!
 
 # IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo
@@ -178,8 +177,6 @@ pi_swap_file_size: 1024
 
 # 4-SERVER-OPTIONS
 
-# SSHD runs here & also above in 1-PREP
-
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
 # Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)

vars/local_vars_unittest.yml

@@ -132,8 +132,8 @@ dns_jail_enabled: False
 
 # 1-PREP
 
-# SSHD runs here & also below in 4-SERVER-OPTIONS
-sshd_install: True    # Required by OpenVPN
+# OPENSSH-SERVER
+sshd_install: True
 sshd_enabled: True
 
 # https://remote.it can help you remotely maintain an IIAB.
@@ -144,10 +144,9 @@ remoteit_enabled: False
 # remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6
 
 # SECURITY WARNING: https://wiki.iiab.io/go/Security
-openvpn_install: True
-openvpn_enabled: True
-# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle
-openvpn_handle: UNITTEST - Put Your Name Here
+# New VPN replaced OpenVPN in Sept 2024:
+tailscale_install: True
+tailscale_enabled: False    # Stub var, doesn't yet do anything!
 
 # IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo
@@ -178,8 +177,6 @@ pi_swap_file_size: 1024
 
 # 4-SERVER-OPTIONS
 
-# SSHD runs here & also above in 1-PREP
-
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
 # Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)