mirror of https://github.com/iiab/iiab.git synced 2025-02-15 04:32:11 +00:00

Merge pull request #2954 from holta/pbx-dual

FreePBX: side-by-side testing of Apache & NGINX + easy './runrole pbx' mods, using a more dynamic iiab-gen-iptables
A Holt 2021-08-18 11:07:40 -04:00 committed by GitHub
commit 79de65425c
GPG key ID: 4AEE18F83AFDEB23
18 changed files with 261 additions and 183 deletions


@ -6,7 +6,13 @@ INVENTORY="ansible_hosts"
# openvpn_handle is stored in 2 files on disk, one slightly stripped down (from
# the other) due to Ansible. So we emulate Ansible's behavior, when reading from
# (and later writing to) disk, removing outer cruft as explained on Lines 31-33:
handle1=$(grep "^openvpn_handle:" /etc/iiab/local_vars.yml | sed -e "s/^openvpn_handle://; s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
handle1=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
# 2021-08-17: bash scripts using default_vars.yml &/or local_vars.yml
# https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97
# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L12
# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L47-L51
# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34
# https://github.com/iiab/iiab/blob/master/iiab-support READS AND WRITES, INCL NON-BOOLEAN (openvpn_handle)
echo -e "\n/etc/iiab/local_vars.yml source/master copy: $handle1"
if [ -f /etc/iiab/openvpn_handle ]; then
handle2=$(cat /etc/iiab/openvpn_handle)
@ -25,8 +31,8 @@ read ans < /dev/tty
#if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -f /etc/iiab/openvpn_handle ] ); then
# -v (below) checks if var's defined: equivalent to file existence test above
if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -v handle2 ] ); then
if grep -q '^openvpn_handle:' /etc/iiab/local_vars.yml; then
sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml
if grep -q '^openvpn_handle:\s' /etc/iiab/local_vars.yml; then
sed -i "s/^openvpn_handle:\s.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml
else
echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml
fi
@ -34,7 +40,7 @@ if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -v handle2 ] ); then
# BEHAVIOR JUST LIKE ANSIBLE'S: create /etc/iiab/openvpn_handle from the
# "^openvpn_handle:" line in /etc/iiab/local_vars.yml by (1) removing outer
# spacing IF NEC, then (2) removing 1 pair of matching outer quotes IF NEC:
ans=$(echo $ans | sed -e "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
ans=$(echo $ans | sed "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
echo $ans > /etc/iiab/openvpn_handle
echo -e "\n\e[1mSAVED: openvpn_handle recorded into both above files.\e[0m\n"
elif [ "$handle1" != "$handle2" ]; then # Sloppily, but conveniently here,
@ -46,12 +52,12 @@ else
echo -e "\n\e[1mWARNING: openvpn_handle remains unchanged in both above files.\e[0m\n"
fi
if grep -q '^openvpn_installed: True\b' /etc/iiab/iiab_state.yml; then
if grep -q '^openvpn_installed:\s\+[tT]rue\b' /etc/iiab/iiab_state.yml; then
echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n"
else
echo -e "Plz wait a few minutes as sshd, iiab-admin & OpenVPN are confirmed/installed...\n"
if grep -q '^openvpn_install:' /etc/iiab/local_vars.yml; then
sed -i "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml
if grep -q '^openvpn_install:\s' /etc/iiab/local_vars.yml; then
sed -i "s/^openvpn_install:\s.*/openvpn_install: True/" /etc/iiab/local_vars.yml
else
echo "openvpn_install: True" >> /etc/iiab/local_vars.yml
fi
@ -70,8 +76,8 @@ else
fi
echo -e "Now let's (re)enable OpenVPN...\n"
if grep -q '^openvpn_enabled:' /etc/iiab/local_vars.yml; then
sed -i "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml
if grep -q '^openvpn_enabled:\s' /etc/iiab/local_vars.yml; then
sed -i "s/^openvpn_enabled:\s.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml
else
echo "openvpn_enabled: True" >> /etc/iiab/local_vars.yml
fi
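Review bot: The tightened check `grep -q '^openvpn_handle:\s'` no longer matches a line that reads exactly `openvpn_handle:` (no value, no trailing space), so the else branch appends a second `openvpn_handle:` key to /etc/iiab/local_vars.yml; the `openvpn_install:` and `openvpn_enabled:` checks further down have the same gap. Matching end-of-line as well, e.g. `grep -q '^openvpn_handle:\(\s\|$\)'` with the same alternation in the sed address, would cover the empty form. Separately, `$ans` arrives from `read ans < /dev/tty` and is pasted unescaped into the replacement of `sed -i "s/^openvpn_handle:\s.*/openvpn_handle: $ans/"`, so a handle containing `/`, `&` or `\` breaks or alters the write to a root-owned config file. Escaping those characters before the substitution, and quoting `"$ans"` in the later `echo`, would make this safe for arbitrary input. The surrounding `if` blocks start and end outside the hunks shown.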


@ -1,4 +1,4 @@
# adm_cons_force_ssl: False
# gui_port: 80 # 2021-08-17: For iptables. And #2811 dreams of HTTPS/443 ?
# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
@ -6,8 +6,6 @@
# SEE ALSO /opt/iiab/iiab/roles/1-prep/defaults/main.yml
# 2021-07-30: Primarily for Admin Console: later change to 443 for #2811 HTTPS?
gui_port: 80
#is_F18: False # 2021-07-30: No longer used
# (PRE-)release version number, for {{ iiab_env_file }} = /etc/iiab/iiab.env


@ -59,12 +59,16 @@
when: iiab_fqdn != ansible_fqdn
- name: "Set 'gui_port: 80' for Admin Console if not adm_cons_force_ssl"
set_fact:
gui_port: 80
when: not adm_cons_force_ssl # 2021-07-30: default_vars.yml initializes 'adm_cons_force_ssl: False'
# 2021-08-17: (1) iiab-gen-iptables works better if gui_port is set directly in
# default_vars.yml and/or local_vars.yml (2) Admin Console's iiab-admin.yml
# and js-menu.yml set 'adm_cons_force_ssl: False'
- name: "Set 'gui_port: 443' for Admin Console if adm_cons_force_ssl"
set_fact:
gui_port: 443
when: adm_cons_force_ssl
# - name: "Set 'gui_port: 80' for Admin Console if not adm_cons_force_ssl"
# set_fact:
# gui_port: 80
# when: not adm_cons_force_ssl
# - name: "Set 'gui_port: 443' for Admin Console if adm_cons_force_ssl"
# set_fact:
# gui_port: 443
# when: adm_cons_force_ssl
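Review bot: With both `set_fact` tasks commented out, `gui_port` no longer follows `adm_cons_force_ssl`, so a box where Admin Console forces SSL keeps `gui_port: 80` from default_vars.yml unless the operator also changes it by hand. If iiab-gen-iptables uses `gui_port` to decide which port to open on the WAN side (that rule is not visible in this commit), that configuration would leave 80 open and 443 closed. A comment next to the `gui_port` default would make the coupling explicit, e.g. `# If adm_cons_force_ssl is True, also set 'gui_port: 443' in /etc/iiab/local_vars.yml`.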


@ -15,15 +15,17 @@
name:
- hostapd # IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator -- has its service masked out of the box, and only used when IIAB's network roles detects the presence of WiFi and an AP is desired
- iproute2 # 2021-07-27: RaspiOS installs this regardless -- the new networking and traffic control tools, meant to replace net-tools
- iptables-persistent # Boot-time loader for netfilter rules, iptables (firewall) plugin -- however 'netfilter' is ever moving forward so keep an eye on it!
- iptables-persistent # Boot-time loader for netfilter rules, iptables (firewall) plugin -- however Netfilter / nftables is ever moving forward so keep an eye on it!
- netmask # Handy utility -- helps determine network masks
state: present
- name: Install /etc/network/if-pre-up.d/iptables from template (0755, debuntu)
template:
src: iptables
dest: /etc/network/if-pre-up.d/iptables
mode: '0755'
# 2021-08-17: Debian ignores this, according to 2013 post:
# https://serverfault.com/questions/511099/debian-ignores-etc-network-if-pre-up-d-iptables
# - name: Install /etc/network/if-pre-up.d/iptables from template (0755)
# template:
# src: iptables
# dest: /etc/network/if-pre-up.d/iptables
# mode: '0755'
# Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes:
- name: "Use 'sysctl' to set 'kernel.core_uses_pid: 1' + 4 network settings in /etc/sysctl.conf -- e.g. disabling IPv6 (this might be overkill, as IPv6 should really only be disabled on the LAN side, i.e. br0)"
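Review bot: Commenting out the template task stops new installs from receiving /etc/network/if-pre-up.d/iptables, but nothing removes the 0755 copy that earlier runs already placed there, so upgraded systems keep a root-executed hook that this role no longer manages. If the hook is truly unused, a `file:` task with `path: /etc/network/if-pre-up.d/iptables` and `state: absent` would clean it up. The new comment would also benefit from saying what restores the rule set at boot now, presumably `iptables-persistent` from the package list above, so that a reader can confirm the firewall still comes up before the network does.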


@ -3,7 +3,13 @@
WARN=0
DATE=$(date +%F-%T)
if grep -q '^wifi_hotspot_capacity_rpi_fix: False' /etc/iiab/local_vars.yml ; then
# 2021-08-17: bash scripts using default_vars.yml &/or local_vars.yml
# https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97
# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L12
# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L47-L51
# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34
# https://github.com/iiab/iiab/blob/master/iiab-support READS AND WRITES, INCL NON-BOOLEAN (openvpn_handle)
if grep -q '^wifi_hotspot_capacity_rpi_fix:\s\+[fF]alse\b' /etc/iiab/local_vars.yml ; then
echo "'wifi_hotspot_capacity_rpi_fix: False' found in /etc/iiab/local_vars.yml"
echo "...so WiFi firmware will NOT be checked or replaced."
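Review bot: The new pattern `[fF]alse\b` accepts `False` and `false` but not the other spellings that YAML 1.1 and Ansible read as false (`no`, `off`, `FALSE`, or a quoted value), so a local_vars.yml using one of those makes Ansible and this script disagree and the firmware check runs anyway. Either widen the match, e.g. `grep -qi '^wifi_hotspot_capacity_rpi_fix:\s\+\(false\|no\|off\)\b'`, or add a comment stating that only `False`/`false` is honoured here. The `if` opened on this line continues past the end of the hunk.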


@ -34,48 +34,73 @@ IPTABLES=/usr/sbin/iptables
IPTABLES_DATA=/etc/sysconfig/iptables
{% endif %}
source {{ iiab_env_file }}
# 2021-08-17: bash scripts using default_vars.yml &/or local_vars.yml
# https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97
# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L12
# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L47-L51
# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34
# https://github.com/iiab/iiab/blob/master/iiab-support READS AND WRITES, INCL NON-BOOLEAN (openvpn_handle)
# "awk '{print $2}'" almost works, but: (1) Fails to remove outer quotes, and
# (2) Chops up Ansible vars containing multiple words w/o surrounding quotes.
# So: sed is used instead, to emulate Ansible's parsing of vars from .yml
iiab_var_value() {
v1=$(grep "^$1:\s" /opt/iiab/iiab/vars/default_vars.yml | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
v2=$(grep "^$1:\s" /etc/iiab/local_vars.yml | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
[ "$v2" != "" ] && echo $v2 || echo $v1 # [ "$v2" ] ALSO WORKS
}
source /etc/iiab/iiab.env
lan=$IIAB_LAN_DEVICE
wan=$IIAB_WAN_DEVICE
iiab_gateway_enabled=$IIAB_GATEWAY_ENABLED
echo -e "\nLAN: $lan"
echo -e "WAN: $wan\n"
#network_mode=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
echo
echo "Extracted 3 network vars from /etc/iiab/iiab.env :"
echo
echo "lan: $lan"
echo "wan: $wan"
echo "iiab_gateway_enabled: $iiab_gateway_enabled"
echo
#network_mode=`grep iiab_network_mode_applied /etc/iiab/iiab.ini | gawk '{print $3}'`
#echo -e "Network Mode: $network_mode\n"
lan_ip=$(iiab_var_value lan_ip) # 172.18.96.1
# "Good thing we replace this file; should be treated like Squid below" ?
ports_externally_visible={{ ports_externally_visible }}
gw_block_https={{ gw_block_https }}
sshd_port={{ sshd_port }}
ports_externally_visible=$(iiab_var_value ports_externally_visible)
gw_block_https=$(iiab_var_value gw_block_https)
sshd_port=$(iiab_var_value sshd_port)
#gui_wan= [no longer needed]
gui_port={{ gui_port }}
block_DNS={{ block_DNS }}
gui_port=$(iiab_var_value gui_port)
block_DNS=$(iiab_var_value block_DNS)
azuracast_ports="{{ azuracast_port_range_prefix }}000:{{ azuracast_port_range_prefix }}100"
azuracast_https_port={{ azuracast_https_port }}
azuracast_http_port={{ azuracast_http_port }}
calibre_port={{ calibre_port }}
calibreweb_port={{ calibreweb_port }}
cups_port={{ cups_port }}
internetarchive_port={{ internetarchive_port }}
kalite_server_port={{ kalite_server_port }}
kiwix_port={{ kiwix_port }}
kolibri_http_port={{ kolibri_http_port }}
minetest_port={{ minetest_port }}
mosquitto_port={{ mosquitto_port }}
nodered_port={{ nodered_port }}
pbx_enabled={{ pbx_enabled }}
pbx_http_port={{ pbx_http_port }}
pbx_signaling_ports_chan_sip={{ pbx_signaling_ports_chan_sip }}
pbx_signaling_ports_chan_pjsip={{ pbx_signaling_ports_chan_pjsip }}
pbx_data_ports={{ pbx_data_ports }}
sugarizer_port={{ sugarizer_port }}
transmission_http_port={{ transmission_http_port }}
transmission_peer_port={{ transmission_peer_port }}
jupyterhub_port={{ jupyterhub_port }}
azuracast_ports=$(iiab_var_value azuracast_port_range_prefix)000:$(iiab_var_value azuracast_port_range_prefix)100
azuracast_https_port=$(iiab_var_value azuracast_https_port)
azuracast_http_port=$(iiab_var_value azuracast_http_port)
calibre_port=$(iiab_var_value calibre_port)
calibreweb_port=$(iiab_var_value calibreweb_port)
cups_port=$(iiab_var_value cups_port)
internetarchive_port=$(iiab_var_value internetarchive_port)
jupyterhub_port=$(iiab_var_value jupyterhub_port)
kalite_server_port=$(iiab_var_value kalite_server_port)
kiwix_port=$(iiab_var_value kiwix_port)
kolibri_http_port=$(iiab_var_value kolibri_http_port)
minetest_port=$(iiab_var_value minetest_port)
mosquitto_port=$(iiab_var_value mosquitto_port)
nodered_port=$(iiab_var_value nodered_port)
samba_udp_ports={{ samba_udp_ports }}
samba_tcp_mports={{ samba_tcp_mports }}
pbx_enabled=$(iiab_var_value pbx_enabled)
pbx_http_port=$(iiab_var_value pbx_http_port)
pbx_signaling_ports_chan_sip=$(iiab_var_value pbx_signaling_ports_chan_sip)
pbx_signaling_ports_chan_pjsip=$(iiab_var_value pbx_signaling_ports_chan_pjsip)
pbx_data_ports=$(iiab_var_value pbx_data_ports)
sugarizer_port=$(iiab_var_value sugarizer_port)
transmission_http_port=$(iiab_var_value transmission_http_port)
transmission_peer_port=$(iiab_var_value transmission_peer_port)
samba_udp_ports=$(iiab_var_value samba_udp_ports)
samba_tcp_mports=$(iiab_var_value samba_tcp_mports)
squid_enabled=$(iiab_var_value squid_enabled)
echo -e "\nports_externally_visible: "$ports_externally_visible"\n"
if ! [ "$ports_externally_visible" -eq "$ports_externally_visible" ] 2> /dev/null; then
@ -143,6 +168,7 @@ if [ "$wan" != "none" ]; then
$IPTABLES -A INPUT -p tcp --dport $calibreweb_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $cups_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $internetarchive_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $jupyterhub_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT
@ -160,7 +186,6 @@ if [ "$wan" != "none" ]; then
$IPTABLES -A INPUT -p tcp --dport $sugarizer_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $transmission_http_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $transmission_peer_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $jupyterhub_port -m state --state NEW -i $wan -j ACCEPT
fi
# 4 = ssh + http-or-https + common IIAB services + Samba
@ -179,7 +204,7 @@ if [ "$wan" != "none" ]; then
$IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block https traffic except if directed at server
if [ "$gw_block_https" == "True" ]; then
$IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
$IPTABLES -A FORWARD -p tcp ! -d $lan_ip --dport 443 -j DROP
fi
# Allow outgoing connections from the LAN side
$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
@ -198,13 +223,13 @@ fi
# TCP & UDP block of DNS port 53 if truly nec
if [ "$block_DNS" == "True" ]; then
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
$IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d $lan_ip -j DNAT --to $lan_ip:53
$IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d $lan_ip -j DNAT --to $lan_ip:53
fi
# If Squid enabled, as indicated by "HTTPCACHE_ON=True" in /etc/iiab/iiab.env
if [ "$HTTPCACHE_ON" == "True" ]; then
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
# if [ "$HTTPCACHE_ON" == "True" ]; then # Via /etc/iiab/iiab.env
if [ "$squid_enabled" == "True" ]; then # Direct from default_vars.yml and local_vars.yml
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d $lan_ip -j DNAT --to $lan_ip:3128
fi
# Save the whole rule set
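Review bot: `gw_block_https`, `block_DNS` and `squid_enabled` are now read as raw text through `iiab_var_value` but still compared with the exact string `True` (e.g. `if [ "$block_DNS" == "True" ]`), so a local_vars.yml that says `block_DNS: true` or `yes` silently drops the DNS redirect, the HTTPS block or the Squid redirect from the rule set. With the old `{{ block_DNS }}` rendering, Jinja presumably emitted `True` for any truthy spelling, so this is a fail-open change in a firewall script. Comparing case-insensitively, e.g. `if [ "${block_DNS,,}" == "true" ]; then`, or normalising booleans inside `iiab_var_value`, would keep the script aligned with what Ansible sees. `iiab_var_value` also prints an empty string when a name is missing from both files, which leaves commands such as `--dport $sshd_port` without an argument; checking each value for non-empty before building rules, and declaring `v1`/`v2` as `local` with a quoted `echo "$v2"`, would make that fail loudly. The `if [ "$wan" != "none" ]` blocks around the rule lines start and end outside the hunks.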


@ -30,10 +30,16 @@ pbx_install: True
pbx_enabled: True
----
+
You have the option of using Apache on port 83 (default) or NGINX on port 80, as the web server for FreePBX. To use NGINX, include this line in your http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F[/etc/iiab/local_vars.yml] file:
FreePBX can be used with either or both web servers, Apache on port 83 (as is traditional) and/or NGINX on port 80 (as is new). If you don't want Apache installed on your IIAB, set this line in your http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F[/etc/iiab/local_vars.yml] prior to installing IIAB:
+
----
pbx_try_nginx: True
pbx_use_apache: False
----
+
Or, if you want to use Apache alone with FreePBX, set this line in your /etc/iiab/local_vars.yml:
+
----
pbx_use_nginx: False
----
+
If using PBX intensively, please adjust `/etc/php/X.Y/apache2/php.ini`, `/etc/php/X.Y/cli/php.ini` and/or `/etc/php/X.Y/nginx/php.ini` (where `X.Y` is typically 7.4) as outlined within https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L88-L131[/opt/iiab/iiab/roles/www_options/tasks/main.yml] &mdash; some of which happens automatically if you also set:
@ -271,7 +277,7 @@ _If there's a bug or serious problem with IIAB, please do https://internet-in-a-
. Apache's `/var/lib/php/asterisk_sessions/` directory might also be needed for NGINX?
+
If not, the https://github.com/iiab/iiab/blob/master/roles/pbx/tasks/freepbx.yml#L152-L164[configuration of /var/lib/php/asterisk_sessions/] might be made conditional upon `when: not pbx_try_nginx`
If not, the https://github.com/iiab/iiab/blob/master/roles/pbx/tasks/freepbx.yml#L151-L163[configuration of /var/lib/php/asterisk_sessions/] might be made conditional upon `when: not pbx_use_apache`
. The https://github.com/iiab/iiab/blob/master/roles/pbx/tasks/freepbx.yml#L208-L211[installation of /etc/odbc.ini] for CDR (Call Detail Records) database `asteriskcdrdb` might benefit from compiling the ODBC driver for aarch64, per http://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html ?
+


@ -5,8 +5,8 @@
# pbx_install: False
# pbx_enabled: False
# pbx_try_nginx: False # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
# # AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
# pbx_use_apache: True # 2021-08-17: Set either to 'False' if nec -- please
# pbx_use_nginx: True # read github.com/iiab/iiab/issues/2914 & #2916, THX!
# asterisk_chan_dongle: False


@ -136,13 +136,14 @@
system: yes # 2021-08-08: No evidence this is needed. Hopefully it doesn't cause harm? (FYI Ansible doesn't change pre-existing users)
append: yes # 2021-08-08: Not essential. So Ansible adds groups w/o deleting existing group memberships.
- name: Asterisk - Add user 'www-data' to group 'asterisk' - if pbx_try_nginx
user:
name: www-data
groups: asterisk
# system: yes # 2021-08-06: Ansible doesn't change pre-existing users
append: yes
when: pbx_try_nginx
# 2021-08-17: Moved to enable-or-disable.yml
# - name: Asterisk - Add user 'www-data' to group 'asterisk' - if pbx_use_nginx
# user:
# name: www-data
# groups: asterisk
# # system: yes # 2021-08-06: Ansible doesn't change pre-existing users
# append: yes
# when: pbx_use_nginx
- name: Asterisk - Set ownership for 6 directories (asterisk:asterisk, recurse)
file:


@ -1,82 +1,120 @@
- name: Enable & (Re)start 'freepbx' systemd service, if pbx_enabled
- name: JUST 1 SETTING TO TURN ON/OFF FOR APACHE - whereas NGINX below has 4...
meta: noop
- name: EITHER - Create symlink /etc/{{ apache_service }}/sites-enabled/freepbx.conf to enable Apache's http://box:{{ pbx_http_port }}/freepbx - if pbx_use_apache and pbx_enabled # http://box:83/freepbx
command: a2ensite freepbx.conf
when: pbx_use_apache and pbx_enabled
- name: OR ELSE - Delete symlink /etc/{{ apache_service }}/sites-enabled/freepbx.conf to disable Apache's http://box:{{ pbx_http_port }}/freepbx - if not (pbx_use_apache and pbx_enabled)
file: # As 'a2dissite freepbx.conf' might not be installed
path: /etc/{{ apache_service }}/sites-enabled/freepbx.conf # apache2
state: absent
when: not (pbx_use_apache and pbx_enabled)
- name: "ENACT ABOVE SETTING FOR APACHE - 'pbx_use_apache: False' might arise later, so best ALWAYS run..."
meta: noop
- name: EITHER - Restart & Enable '{{ apache_service }}' systemd service - if pbx_use_apache and pbx_enabled
systemd:
daemon_reload: yes
name: "{{ apache_service }}" # apache2
state: restarted
enabled: yes
when: pbx_use_apache and pbx_enabled
ignore_errors: yes # In case Apache not installed
- name: OR ELSE - Stop & Disable '{{ apache_service }}' systemd service - if not (pbx_use_apache and pbx_enabled)
systemd:
daemon_reload: yes
name: "{{ apache_service }}"
state: stopped
enabled: no
when: not (pbx_use_apache and pbx_enabled)
ignore_errors: yes # In case Apache not installed
- name: Open-or-Close Asterix ports (including Apache port {{ pbx_http_port }}) in iptables firewall, depending on pbx_enabled [{{ pbx_enabled }}] in local_vars.yml - in support of './runrole pbx'
command: /usr/bin/iiab-gen-iptables
ignore_errors: yes # iptables installed in 2-common, but iiab-gen-tables may not be set up until roles/network runs later
- name: EITHER - TURN ON 4 SETTINGS FOR NGINX - if pbx_use_nginx and pbx_enabled
meta: noop
- block:
- name: "Add user 'www-data' to group 'asterisk' BEFORE restarting Asterisk (via FreePBX, below) -- Ansible doesn't support removing a single non-primary group, so if you later change to 'pbx_use_nginx: False' please manually edit /etc/group to revert this"
user:
name: www-data
groups: asterisk
append: yes
- name: Run 'fwconsole set CHECKREFERER 0' (0 means false) so 'Submit' button definitively works with NGINX at http://box/freepbx >> Settings >> Advanced Settings -- FYI you can run 'fwconsole set -l' or 'fwconsole set CHECKREFERER' to view FreePBX settings -- FYI /etc/freepbx.conf can completely override FreePBX's stored settings if nec
command: fwconsole set CHECKREFERER 0 # Or/later try to run 'fwconsole set CHECKREFERER 1' (1 means true) to restore FreePBX's default strict checking!
- name: Install /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf converted from www.conf for user 'asterisk'
copy:
src: roles/pbx/templates/asterisk.conf
dest: /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf
- name: Enable http://box/freepbx via NGINX, by installing {{ nginx_conf_dir }}/freepbx-nginx.conf from template
template:
src: freepbx-nginx.conf.j2
dest: "{{ nginx_conf_dir }}/freepbx-nginx.conf" # /etc/nginx/conf.d
when: pbx_use_nginx and pbx_enabled
- name: OR ELSE - TURN OFF 3 SETTINGS FOR NGINX (1st of 4 above settings too hard!) - if not (pbx_use_nginx and pbx_enabled)
meta: noop
- block:
- name: Restore FreePBX default by running 'fwconsole set CHECKREFERER 1' (1 means true) as works with Apache -- FYI you can run 'fwconsole set -l' or 'fwconsole set CHECKREFERER' to view FreePBX settings -- FYI /etc/freepbx.conf can completely override FreePBX's stored settings if nec
command: fwconsole set CHECKREFERER 1
- name: Remove /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf
file:
path: /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf
state: absent
- name: Disable http://box/freepbx via NGINX, by removing {{ nginx_conf_dir }}/freepbx-nginx.conf
file:
path: "{{ nginx_conf_dir }}/freepbx-nginx.conf"
state: absent
when: not (pbx_use_nginx and pbx_enabled)
- name: "ENACT ABOVE 3-4 SETTINGS FOR NGINX - 'pbx_use_nginx: False' might arise later, so best ALWAYS run these 2..."
meta: noop
- name: Enable & Restart 'php{{ php_version }}-fpm' systemd service
systemd:
name: php{{ php_version }}-fpm
state: restarted
enabled: yes
- name: Restart 'nginx' systemd service
systemd:
name: nginx
state: restarted
- name: WRAP UP - Asterisk VIA FreePBX systemd service...
meta: noop
- name: EITHER - Enable & (Re)start 'freepbx' systemd service, if pbx_enabled
systemd:
name: freepbx
enabled: yes
state: restarted
when: pbx_enabled
- name: Disable & Stop 'freepbx' systemd service, if not pbx_enabled
- name: OR ELSE - Disable & Stop 'freepbx' systemd service, if not pbx_enabled
systemd:
daemon_reload: yes
name: freepbx
enabled: no
state: stopped
when: not pbx_enabled
- block:
- name: Enable http://box:{{ pbx_http_port }}/freepbx via Apache, if pbx_enabled # http://box:83/freepbx
command: a2ensite freepbx.conf
when: pbx_enabled
- name: Disable http://box:{{ pbx_http_port }}/freepbx via Apache, if not pbx_enabled
command: a2dissite freepbx.conf
when: not pbx_enabled
- name: Restart & Enable '{{ apache_service }}' systemd service, if pbx_enabled
systemd:
name: "{{ apache_service }}" # apache2
state: restarted
enabled: yes
when: pbx_enabled
- name: Stop & Disable '{{ apache_service }}' systemd service, if not pbx_enabled
systemd:
name: "{{ apache_service }}"
state: stopped
enabled: no
when: not pbx_enabled
when: not pbx_try_nginx
- block:
- name: Install /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf converted from www.conf for user 'asterisk', if pbx_enabled
copy:
src: roles/pbx/templates/asterisk.conf
dest: /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf
when: pbx_enabled
- name: Remove /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf, if not pbx_enabled
file:
path: /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf
state: absent
when: not pbx_enabled
- name: Enable & Restart 'php{{ php_version }}-fpm' systemd service
systemd:
name: php{{ php_version }}-fpm
state: restarted
enabled: yes
- name: Enable http://box/freepbx via NGINX, by installing {{ nginx_conf_dir }}/freepbx-nginx.conf from template, if pbx_enabled
template:
src: freepbx-nginx.conf.j2
dest: "{{ nginx_conf_dir }}/freepbx-nginx.conf" # /etc/nginx/conf.d
when: pbx_enabled
- name: Disable http://box/freepbx via NGINX, by removing {{ nginx_conf_dir }}/freepbx-nginx.conf, if not pbx_enabled
file:
path: "{{ nginx_conf_dir }}/freepbx-nginx.conf"
state: absent
when: not pbx_enabled
- name: Restart 'nginx' systemd service
systemd:
name: nginx
state: restarted
when: pbx_try_nginx
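Review bot: `fwconsole set CHECKREFERER 0` now runs whenever `pbx_use_nginx and pbx_enabled`, and this commit makes `pbx_use_nginx: True` the default, so FreePBX's referer check is switched off on default PBX installs rather than only when an operator opted in with `pbx_try_nginx: True`. The setting appears to be stored by FreePBX itself, not per web server, so it would also apply to the Apache site on port 83 when both servers are enabled. Since the task comment itself calls `1` FreePBX's default strict checking, the trade-off should be recorded next to the variable, e.g. `# pbx_use_nginx: True also runs 'fwconsole set CHECKREFERER 0', relaxing FreePBX's referer check`. The `iiab-gen-iptables` task above carries `ignore_errors: yes`, so a failed firewall refresh passes silently; registering the result and printing a warning would help an operator notice that the PBX ports were not opened or closed.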


@ -62,10 +62,9 @@
# state: present
# when: php_version is version('8.0', '<')
- name: FreePBX - Install and configure Apache - if not pbx_try_nginx
- name: FreePBX - Install and configure Apache - if pbx_use_apache
include_tasks: apache.yml
when: not pbx_try_nginx
when: pbx_use_apache
- name: FreePBX - Download {{ freepbx_url }}/{{ freepbx_src_file }} to {{ downloads_dir }}
get_url:
@ -149,7 +148,7 @@
state: present
# 2021-08-16: DOES NGINX NEED THE NEXT 2 STANZAS? (If not, should 'when: not pbx_try_nginx' be added?)
# 2021-08-16: DOES NGINX NEED THE NEXT 2 STANZAS? (If not, should 'when: pbx_use_apache' be added?)
- name: FreePBX - Create new php sessions dir /var/lib/php/asterisk_sessions/ - SEE 'php_value session.save_path /var/lib/php/asterisk_sessions/' IN pbx/templates/freepbx.conf.j2
file:
@ -253,17 +252,12 @@
- name: FreePBX - Run 'fwconsole ma upgradeall' on installed FreePBX modules, e.g. 16 default modules (of about 70 total) - CAN TAKE 1 MIN OR LONGER!
command: fwconsole ma upgradeall
- name: FreePBX - Run 'fwconsole set CHECKREFERER 0' (0 means false) - if pbx_try_nginx - so 'Submit' button definitively works at http://box/freepbx >> Settings >> Advanced Settings -- FYI you can run 'fwconsole set -l' or 'fwconsole set CHECKREFERER' to view FreePBX settings -- FYI /etc/freepbx.conf can completely override FreePBX's stored settings if nec
command: fwconsole set CHECKREFERER 0 # Or/later run 'fwconsole set CHECKREFERER 1' (1 means true) to restore FreePBX's default strict checking.
when: pbx_try_nginx
# - name: FreePBX - Add "$amp_conf['CHECKREFERER'] = false;" to /etc/freepbx.conf #2931 - if pbx_try_nginx"
# - name: FreePBX - Add "$amp_conf['CHECKREFERER'] = false;" to /etc/freepbx.conf #2931 - if pbx_use_nginx"
# lineinfile:
# path: /etc/freepbx.conf
# insertbefore: '^\?>$' # Match exact line '?>' -- BOTTOM OF FILE NEC!
# line: "$amp_conf['CHECKREFERER'] = false;"
# when: pbx_try_nginx
# when: pbx_use_nginx
# - name: 'FreePBX - fix file permissions for NGINX: /etc/freepbx.conf (0644), /var/log/asterisk/freepbx.log (0666)'
# file:
@ -273,7 +267,7 @@
# with_items:
# - { path: '/etc/freepbx.conf', mode: u=rw,g=r,o=r } # 2021-08-04: LATER ENDS UP AS 0660
# - { path: '/var/log/asterisk/freepbx.log', mode: u=rw,g=rw,o=rw } # 2021-08-04: LATER ENDS UP AS 0664
# when: pbx_try_nginx
# when: pbx_use_nginx
# - name: 'FreePBX - fix dir permissions for NGINX: /var/spool/asterisk/cache (0777)'
# file:
@ -284,9 +278,9 @@
# with_items:
# # - /var/www/html/freepbx/admin/assets/less/cache
# - /var/spool/asterisk/cache
# when: pbx_try_nginx
# when: pbx_use_nginx
# For 'pbx_try_nginx: True' -- FreePBX's initial page (Admin user registration)
# For 'pbx_use_nginx: True' -- FreePBX's initial page (Admin user registration)
# tries to set up a cron job but fails:
# "Exception: Trying to edit user asterisk, when I'm running as www-data"
# 2021-08-10: Hacking /etc/freepbx.conf WAS NOT TESTED PROPERLY -- some vars MAY
@ -297,4 +291,4 @@
# #insertafter: '^<\?php$' # Match exact line '<?php' -- BUT TOP OF FILE FAILS :(
# insertbefore: '^\?>$' # Match exact line '?>' -- BOTTOM OF FILE NECESSARY :)
# line: "$amp_conf['AMPASTERISKWEBUSER'] = 'www-data';"
# when: pbx_try_nginx
# when: pbx_use_nginx


@ -23,13 +23,12 @@
include_tasks: install.yml
when: pbx_installed is undefined
- include_tasks: enable-or-disable.yml
- name: Install chan_dongle for Huawei USB modems - if asterisk_chan_dongle
- name: Install & Enable chan_dongle for Huawei USB modems - if asterisk_chan_dongle
include: chan_dongle.yml
when: asterisk_chan_dongle
- include_tasks: enable-or-disable.yml
- name: Add 'pbx' variable values to {{ iiab_ini_file }}
ini_file:


@ -127,10 +127,6 @@ iiab_gateway_enabled: False
# Gateway mode
iiab_lan_enabled: True
iiab_wan_enabled: True
# Ties in what the user populated in the GUI for static WAN IP address info:
gui_wan: True
adm_cons_force_ssl: False
adm_cons_allow_downloads: False
# Intended for developers: ONLY CHANGE THESE IF YOU KNOW WHAT YOU ARE DOING
# The following 2 override the detection when not "auto"
@ -150,6 +146,9 @@ wan_nameserver: # wan_nameserver: 192.168.1.254 or 8.8.8.8 or 1.1.1.1
wan_try_dhcp_before_static_ip: True # Facilitate field updates w/ cablemodems
# Details @ roles/network/templates/network/dhcpcd.conf.j2 for /etc/dhcpcd.conf
gui_port: 80 # 2021-08-17: For iptables. And #2811 dreams of HTTPS/443 ?
# adm_cons_force_ssl: False # Likewise: iiab-admin.yml & js-menu.yml set it.
# Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite
# (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server.
# Only 1 of the 6 lines below should be uncommented:
@ -629,8 +628,8 @@ calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529
# If using PBX intensively, investigate nginx_high_php_limits further above.
pbx_install: False
pbx_enabled: False
pbx_try_nginx: False # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
# AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
pbx_use_apache: True # 2021-08-17: Set either to 'False' if nec -- please
pbx_use_nginx: True # read github.com/iiab/iiab/issues/2914 & #2916, THX!
asterisk_chan_dongle: False
pbx_signaling_ports_chan_sip: 5160:5161
pbx_signaling_ports_chan_pjsip: 5060


@ -378,6 +378,6 @@ calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529
# If using PBX intensively, investigate nginx_high_php_limits further above.
pbx_install: False
pbx_enabled: False
pbx_try_nginx: False # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
# AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
pbx_use_apache: True # 2021-08-17: Set either to 'False' if nec -- please
pbx_use_nginx: True # read github.com/iiab/iiab/issues/2914 & #2916, THX!
asterisk_chan_dongle: False


@ -378,6 +378,6 @@ calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529
# If using PBX intensively, investigate nginx_high_php_limits further above.
pbx_install: False
pbx_enabled: False
pbx_try_nginx: False # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
# AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
pbx_use_apache: True # 2021-08-17: Set either to 'False' if nec -- please
pbx_use_nginx: True # read github.com/iiab/iiab/issues/2914 & #2916, THX!
asterisk_chan_dongle: False


@ -378,6 +378,6 @@ calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529
# If using PBX intensively, investigate nginx_high_php_limits further above.
pbx_install: False
pbx_enabled: False
pbx_try_nginx: False # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
# AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
pbx_use_apache: True # 2021-08-17: Set either to 'False' if nec -- please
pbx_use_nginx: True # read github.com/iiab/iiab/issues/2914 & #2916, THX!
asterisk_chan_dongle: False


@ -378,6 +378,6 @@ calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529
# If using PBX intensively, investigate nginx_high_php_limits further above.
pbx_install: False
pbx_enabled: False
pbx_try_nginx: False # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
# AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
pbx_use_apache: True # 2021-08-17: Set either to 'False' if nec -- please
pbx_use_nginx: True # read github.com/iiab/iiab/issues/2914 & #2916, THX!
asterisk_chan_dongle: False