Merge pull request #1995 from holta/support_yml

Build on + revise @jvonau's PR #1994 ("Combine iiab-support & install-support")

roles/openvpn/tasks/main.yml

@@ -4,17 +4,18 @@
       - openvpn
       - nmap
     state: present
-  tags:
-    - download
+  #tags:
+  #  - download
 
-- name: Install Ncat package
+# Newer versions of NMap do not include NCat, needed to announce /etc/iiab/openvpn_handle
+- name: Install Ncat package (if Debian > 9 or Ubuntu > 18)
   package:
-    name:
-      - ncat
+    name: ncat
     state: present
-  when:  need_ncat | bool
-  tags:
-    - download
+  when: is_debuntu and not (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18)
+  #when: need_ncat | bool
+  #tags:
+  #  - download
 
 - name: Install ssh public keys for remote support (if openvpn_install)
   lineinfile:
@@ -62,8 +63,6 @@
   with_items:
     - /etc/openvpn/keys
     - /etc/openvpn/scripts
-    # Obsolete & unused for ~2 years as of August 2018:
-    #- /usr/lib/iiab
 
 - name: Configure OpenVPN (BACKS UP FILES IF CHANGED)
   template:
@@ -82,19 +81,16 @@
     - { src: 'silence', dest: '/etc/openvpn/scripts/silence', mode: '0755' }
     - { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' }
     - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }
-    - { src: 'iiab-support', dest: '/usr/bin/iiab-support', mode: '0755' }
     - { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' }
     - { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' }
-    # Comment out in future?  Not recommended as of August 2018:
-    - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
-    # Obsolete & unused for ~2 years as of August 2018:
-    # - { src: 'up_wan', dest: '/usr/lib/iiab/up_wan', mode: '0755' }
-    # Obsolete & unused for ~2 years as of August 2018:
-    #- { src: 'start.j2', dest: '/usr/lib/iiab/start', mode: '0755' }
-    # Obsolete & unused for ~2 years as of August 2018:
-    #- { src: 'iiab-vpn.conf.in', dest: '/etc/openvpn/iiab-vpn.conf.in', mode: '0644' }
-    # Obsolete & unused for ~2 years as of August 2018:
-    #- { src: 'iiab-vpn.j2', dest: '/usr/bin/iiab-vpn', mode: '0755' }
+    # 2019-10-09: Not recommended for over a year & no longer in use
+    # - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
+
+- name: Copy /opt/iiab/iiab/iiab-support to /usr/bin/iiab-support, in case git tree deleted e.g. on a smaller IIAB install
+  copy:
+    src: "{{ iiab_dir }}/iiab-support"
+    dest: /usr/bin/
+    mode: 0755
 
 - name: Create iiab-support-on (symlink to iiab-support for now)
   file:
@@ -120,29 +116,6 @@
     path: /usr/bin/iiab-vpn-off
     state: link
 
-# up_wan was being installed twice (also above) and was unused for ~2 years
-# as of August 2018: (see 15-openvpn below)
-#- name: Put up_wan in place (debuntu)
-#  template:
-#    src: up_wan
-#    dest: /usr/lib/iiab/up_wan
-#  when: is_debuntu | bool
-
-# Contained serious bug (15-openvpn called up-wan instead of up_wan in
-# /usr/lib/iiab/ as of August 2018) so evidently unused for ~2 years:
-#- name: Install NM dispatcher.d (for older OS's only, where OpenVPN doesn't auto-start openvpn@xscenet)
-#  template:
-#    src: 15-openvpn
-#    dest: /etc/NetworkManager/dispatcher.d/
-#  #when: not is_debuntu    # CONDITION APPEARS TOO BROAD
-#  when: False              # ADD/ITEMIZE ANY OS'S HERE, WHERE TRULY NEC (e.g. older CentOS, if running older OpenVPN?)
-
-# Was obsolete/unused for ~2 years as of August 2018: (replaced by /etc/openvpn/xscenet.conf)
-#- name: Check for manually configured OpenVPN tunnel
-#  stat:
-#    path: /etc/openvpn/iiab-vpn.conf
-#  register: stat
-
 
 # FIXED SOMETIME PRIOR TO AUGUST 2018: earlier versions of Ansible had not
 # been working with systemd service names that contained the "@" character.

roles/openvpn/templates/iiab-support

@@ -1,106 +0,0 @@
-#!/bin/bash
-
-# openvpn_handle is stored in 2 files on disk, one slightly stripped down (from
-# the other) due to Ansible.  So we emulate Ansible's behavior, when reading from
-# (and later writing to) disk, removing outer cruft as explained on Lines 31-33:
-handle1=$(grep "^openvpn_handle:" /etc/iiab/local_vars.yml | sed -e "s/^openvpn_handle://; s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
-echo -e "\n/etc/iiab/local_vars.yml source/master copy: $handle1"
-if [ -f /etc/iiab/openvpn_handle ]; then
-    handle2=$(cat /etc/iiab/openvpn_handle)
-    echo -e "/etc/iiab/openvpn_handle for openvpn daemon: $handle2\n"
-else
-    echo -e "/etc/iiab/openvpn_handle for openvpn daemon: [FILE DOESN'T YET EXIST]\n"
-fi
-
-echo -e "\e[1mPlease type a descriptive OpenVPN machine name (openvpn_handle) such as:\n"
-
-echo -e "                     cape-town-school-36-rpi-2019-05-31\n"
-
-echo -en "Or hit [Enter] to keep the existing name:\e[0m "
-read ans < /dev/tty
-
-#if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -f /etc/iiab/openvpn_handle ] ); then
-# -v (below) checks if var's defined: equivalent to file existence test above
-if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -v handle2 ] ); then
-    if grep -q '^openvpn_handle:' /etc/iiab/local_vars.yml; then
-        sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml
-    else
-        echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml
-    fi
-
-    # BEHAVIOR JUST LIKE ANSIBLE'S: create /etc/iiab/openvpn_handle from the
-    # "^openvpn_handle:" line in /etc/iiab/local_vars.yml by (1) removing outer
-    # spacing IF NEC, then (2) removing 1 pair of matching outer quotes IF NEC:
-    ans=$(echo $ans | sed -e "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
-    echo $ans > /etc/iiab/openvpn_handle
-    echo -e "\n\e[1mSAVED: openvpn_handle recorded into both above files.\e[0m\n"
-elif [ "$handle1" != "$handle2" ]; then    # Sloppily, but conveniently here,
-    # bash treats "$handle2" as "" when var undefined, catching all conflicts!
-    echo -e "\n\e[41mYou MUST specify an OpenVPN machine name (openvpn_handle) to resolve the above\e[0m"
-    echo -e "\e[41mnaming conflict. Please rerun to proceed.\e[0m\n"
-    exit 1
-else
-    echo -e "\n\e[1mWARNING: openvpn_handle remains unchanged in both above files.\e[0m\n"
-fi
-
-if grep -q '^openvpn_install: True' /etc/iiab/local_vars.yml; then
-    echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n"
-else
-    echo -e "Please wait a few minutes as IIAB Stage 1 (1-prep) & OpenVPN are installed...\n"
-    if grep -q '^openvpn_install:' /etc/iiab/local_vars.yml; then
-        sed -i "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml
-    else
-        echo "openvpn_install: True" >> /etc/iiab/local_vars.yml
-    fi
-    cd /opt/iiab/iiab
-    ./runrole 1-prep
-    echo
-fi
-
-echo -e "Now let's (re)enable OpenVPN...\n"
-if grep -q '^openvpn_enabled:' /etc/iiab/local_vars.yml; then
-    sed -i "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml
-else
-    echo "openvpn_enabled: True" >> /etc/iiab/local_vars.yml
-fi
-systemctl enable openvpn
-
-echo -e "\nNow let's restart OpenVPN..."
-#systemctl start openvpn
-systemctl restart openvpn
-
-echo -en "\n    "
-for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
-echo -en " OpenVPN TIPS "
-for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
-
-echo -e "\n\n  1. Check your Internet connection: run 'ping 8.8.8.8' and 'ping mit.edu'"
-echo -e "  2. Check your OpenVPN connection: run 'ping 10.8.0.1'"
-echo -e "  3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x"
-echo -e "  4. If necessary, run 'systemctl restart openvpn' which should"
-echo -e "     run 'systemctl restart openvpn@xscenet' for you."
-echo -e "  5. Sometimes waiting a minute helps -- retry steps 2 and 3 to monitor."
-echo -e "  6. If in future you want to disable OpenVPN connections to-and-from your"
-echo -e "     Internet-in-a-Box (IIAB) please run 'iiab-support-off' at that time."
-echo -e "  7. Read 'How can I remotely manage my Internet-in-a-Box?' at"
-echo -e "     http://FAQ.IIAB.IO to learn about DIY remote support alternatives"
-echo -e "     like ngrok, serveo, remot3.it and TeamViewer.\n"
-
-echo -en "    "
-for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
-echo -en " OpenVPN TIPS "
-for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
-
-echo -e "\n\nNow let's wait 15 seconds, as OpenVPN handshake sometimes needs that (or more!)"
-sleep 15
-
-echo -en "\nYour OpenVPN machine name (openvpn_handle) is: \e[32m"
-cat /etc/iiab/openvpn_handle
-echo -en "\e[0m"
-
-vpnip=$(ip a | grep tun0$ | awk '{print $2}')
-if [ "$vpnip" != "" ]; then
-    echo -e "\nYour OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n"
-else
-    echo -e "\n \e[41m       ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS        \e[0m\n"
-fi

roles/openvpn/templates/iiab-vpn.conf.in.deprecated

@@ -1,6 +0,0 @@
-# this file allows changing the world accessable vpn server and its ip address
-#
-# copy this template file to /etc/openvpn/iiab-vpn.conf, and set properly
-
-#  VPNCONFIG=< put the name of the config file in /etc/openvpn you want to use>
-#  VPNIP=<put the ip address of server, pinged to test for existence of vpn tunnel>

roles/openvpn/templates/iiab-vpn.j2.deprecated

@@ -1,92 +0,0 @@
-#!/bin/bash
-# script to manage openvpn
-
-if [ ! -f "/etc/openvpn/iiab-vpn.conf" ]; then
-    VPNCONFIG='xscenet.conf'    # WAS BUGGY (set to non-existent "party-line.conf", but thankfully unused) as of August 2018
-    VPNIP={{ openvpn_server_virtual_ip }}
-else
-    # expect the sourced file to set the above variables
-    source /etc/openvpn/iiab-vpn.conf
-fi
-
-# we'd like the user of this script to have root privilege
-if [ "$(id -u)" != "0" ]; then
-    echo "This script must be run as root" 1>&2
-    exit 1
-fi
-
-case $1 in
-    "stop" | "no" | "off")
-        killall openvpn
-        exit 0
-        ;;
-    "status")
-        pid=`ps -e|grep openvpn`
-        if [ -z "$pid" ]; then
-            echo "The OpenVPN process is not running"
-        else
-            echo "OpenVPN is running with id $pid"
-            ip=`ifconfig tun | gawk '(/netmask /) {print( $2);}'`
-            echo "Local vpn tunnel address is $ip"
-        fi
-        exit 0
-        ;;
-esac
-
-# we'd like for password authentication to be turned off
-grep -e^PasswordAuthentication.*[Yy]es /etc/ssh/sshd_config
-PASSWORDS_ENABLED=$?
-
-if [ $PASSWORDS_ENABLED -eq 0 ];then
-    case $1 in
-        "test" | "unsafe") ;;
-        *)
-            echo "OpenVPN is only safe when public/private keys are used"
-            echo " And when passwords are turned off in /etc/ssh/sshd_conf"
-            exit 1
-    esac
-fi
-
-# openvpn config file directory
-dir=/etc/openvpn
-
-if [ $# -eq 0 ]; then
-    cmd="test"
-else
-    cmd=$1
-fi
-
-case $cmd in
-    "test" | "unsafe" )
-        # load TUN/TAP kernel module
-        modprobe tun
-
-        # make sure the wan is functioning
-        # 8.8.8.8 is one of google's dns servers
-        ping -c 3 -i 3 8.8.8.8
-        if [ $? -ne 0 ]; then
-            echo "internet is not available, tunnel not possible"
-            exit 1
-        fi
-
-        # check the vpn tunnel
-        ping -c 5 -i 5 "$VPNIP"
-        # a zero return means the tunnel is up
-        if [ $? -ne "0" ]; then
-            echo "Stopping any openvpn instance"
-            killall openvpn
-            sleep 10
-            echo "Starting OpenVPN and waiting 10 seconds for daemon to become ready"
-            openvpn --cd $dir --daemon --config $VPNCONFIG
-        fi
-        sleep 10
-        echo "Testing VPN connection"
-        ping -c 4 -i 4 "$VPNIP"
-        if [ $? -eq 0 ]; then
-            echo "vpn tunnel established"
-        else
-            echo "vpn connection failed"
-        fi
-
-        ;;
-esac

roles/openvpn/templates/party-line.conf.j2.deprecated

@@ -1,41 +0,0 @@
-# REPLACED BY xscenet.conf.j2 -> /etc/openvpn/xscenet.conf
-
-#########################################
-# Sample client-side OpenVPN config file
-# for connecting to multi-client server.
-#
-# Adapted from http://openvpn.sourceforge.net/20notes.html
-#
-# The server can be pinged at 10.8.0.1.
-#
-# This configuration can be used by multiple
-# clients, however each client should have
-# its own cert and key files.
-#
-# tun-style tunnel
-
-port {{ openvpn_server_port }}
-dev tun
-remote {{ openvpn_server }}
-
-# TLS parms
-
-tls-client
-ca keys/ca.crt
-cert keys/client1.crt
-key keys/client1.key
-
-# This parm is required for connecting
-# to a multi-client server.  It tells
-# the client to accept options which
-# the server pushes to us.
-pull
-
-# Scripts can be used to do various
-# things (change nameservers, for
-# example.
-#up scripts/ifup-post
-#down scripts/ifdown-post
-
-verb 4
-comp-lzo yes

roles/openvpn/templates/xsce-vpn.conf.in.deprecated

@@ -1,6 +0,0 @@
-# this file allows changing the world accessable vpn server and its ip address
-#
-# copy this template file to /etc/openvpn/xsce-vpn.conf, and set properly
-
-#  VPNCONFIG=< put the name of the config file in /etc/openvpn you want to use>
-#  VPNIP=<put the ip address of server, pinged to test for existence of vpn tunnel>