Merge pull request #1995 from holta/support_yml

Build on + revise @jvonau's PR #1994 ("Combine iiab-support & install-support")
2025-02-13 03:32:12 +00:00 · 2019-10-09 20:11:50 -04:00 · 2019-10-09 20:11:50 -04:00 · 7e7b8b6a11
commit 7e7b8b6a11
parent 0b81bc7ca5 0ef15b9866
13 changed files with 39 additions and 230 deletions
--- a/roles/openvpn/templates/iiab-support
+++ b/roles/openvpn/templates/iiab-support
@ -1,5 +1,8 @@
 #!/bin/bash

+PLAYBOOK="install-support.yml"
+INVENTORY="ansible_hosts"
+
 # openvpn_handle is stored in 2 files on disk, one slightly stripped down (from
 # the other) due to Ansible.  So we emulate Ansible's behavior, when reading from
 # (and later writing to) disk, removing outer cruft as explained on Lines 31-33:
@ -46,15 +49,25 @@ fi
 if grep -q '^openvpn_install: True' /etc/iiab/local_vars.yml; then
    echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n"
 else
-    echo -e "Please wait a few minutes as IIAB Stage 1 (1-prep) & OpenVPN are installed...\n"
+    echo -e "Plz wait a few minutes as sshd, iiab-admin & OpenVPN are confirmed/installed...\n"
    if grep -q '^openvpn_install:' /etc/iiab/local_vars.yml; then
        sed -i "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml
    else
        echo "openvpn_install: True" >> /etc/iiab/local_vars.yml
    fi
+    
+    if [ -d /opt/iiab/iiab ]; then
        cd /opt/iiab/iiab
-    ./runrole 1-prep
+        #CWD=`pwd`
+        #export ANSIBLE_LOG_PATH="$CWD/iiab-install.log"
+        export ANSIBLE_LOG_PATH="/opt/iiab/iiab/iiab-install.log"
+        ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local
+        # Above is tighter/better than running all of "./runrole 1-prep"
        echo
+    else
+        echo -e " \e[41m       Directory /opt/iiab/iiab does not exist: CANNOT INSTALL OPENVPN!       \e[0m\n"
+        exit 1
+    fi
 fi

 echo -e "Now let's (re)enable OpenVPN...\n"
@ -79,7 +92,7 @@ echo -e "  2. Check your OpenVPN connection: run 'ping 10.8.0.1'"
 echo -e "  3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x"
 echo -e "  4. If necessary, run 'systemctl restart openvpn' which should"
 echo -e "     run 'systemctl restart openvpn@xscenet' for you."
-echo -e "  5. Sometimes waiting a minute helps -- retry steps 2 and 3 to monitor."
+echo -e "  5. SOMETIMES WAITING A MINUTE HELPS -- retry steps 2 and 3 to monitor."
 echo -e "  6. If in future you want to disable OpenVPN connections to-and-from your"
 echo -e "     Internet-in-a-Box (IIAB) please run 'iiab-support-off' at that time."
 echo -e "  7. Read 'How can I remotely manage my Internet-in-a-Box?' at"
@ -103,4 +116,5 @@ if [ "$vpnip" != "" ]; then
    echo -e "\nYour OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n"
 else
    echo -e "\n \e[41m       ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS        \e[0m\n"
+    exit 1
 fi
--- a/26
+++ b/26
@ -1,26 +0,0 @@
-#!/bin/bash
-
-echo -e "\n\n\e[41m             DEPRECATED           PLEASE RUN 'iiab-support' INSTEAD             \e[0m\n\n"
-
-read -p "Continue? [y/N] " ans
-if [ "$ans" != "y" ]; then
-    echo
-    exit
-fi
-
-PLAYBOOK="install-support.yml"
-INVENTORY="ansible_hosts"
-CWD=`pwd`
-
-export ANSIBLE_LOG_PATH="$CWD/iiab-install.log"
-
-if [ ! -f $PLAYBOOK ]; then
-    echo -e "\nEXITING: $PLAYBOOK not found.\n"
-    echo -e "Please run this command from /opt/iiab/iiab (top of git repo).\n"
-    exit 1
-fi
-
-sed -i -e "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml
-sed -i -e "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml
-
-ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local
--- a/install-support.yml
+++ b/install-support.yml
@ -8,7 +8,6 @@

  roles:
    - { role: 0-init, tags: ['0-init'] }
-    #- { role: 1-prep, tags: ['1-prep', 'platform', 'base'] }
-    - { role: 1-prep, tags: ['1-prep'] }
-    #- { role: openvpn, tags: ['openvpn'] }    # FASTER ALTERNATIVE THAN 1-prep (if 1-prep was already run!)
-    # BETTER YET, SEE: /usr/bin/iiab-support for a much friendlier UX, that only runs 1-prep when necessary.
+    - { role: sshd, tags: ['sshd'] }
+    - { role: iiab-admin, tags: ['iiab-admin'] }
+    - { role: openvpn, tags: ['openvpn'] }
--- a/roles/openvpn/tasks/main.yml
+++ b/roles/openvpn/tasks/main.yml
@ -4,17 +4,18 @@
      - openvpn
      - nmap
    state: present
-  tags:
-    - download
+  #tags:
+  #  - download

- name: Install Ncat package
+# Newer versions of NMap do not include NCat, needed to announce /etc/iiab/openvpn_handle
+- name: Install Ncat package (if Debian > 9 or Ubuntu > 18)
  package:
-    name:
-      - ncat
+    name: ncat
    state: present
-  when:  need_ncat | bool
-  tags:
-    - download
+  when: is_debuntu and not (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18)
+  #when: need_ncat | bool
+  #tags:
+  #  - download

 - name: Install ssh public keys for remote support (if openvpn_install)
  lineinfile:
@ -62,8 +63,6 @@
  with_items:
    - /etc/openvpn/keys
    - /etc/openvpn/scripts
-    # Obsolete & unused for ~2 years as of August 2018:
-    #- /usr/lib/iiab

 - name: Configure OpenVPN (BACKS UP FILES IF CHANGED)
  template:
@ -82,19 +81,16 @@
    - { src: 'silence', dest: '/etc/openvpn/scripts/silence', mode: '0755' }
    - { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' }
    - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }
-    - { src: 'iiab-support', dest: '/usr/bin/iiab-support', mode: '0755' }
    - { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' }
    - { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' }
-    # Comment out in future?  Not recommended as of August 2018:
-    - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
-    # Obsolete & unused for ~2 years as of August 2018:
-    # - { src: 'up_wan', dest: '/usr/lib/iiab/up_wan', mode: '0755' }
-    # Obsolete & unused for ~2 years as of August 2018:
-    #- { src: 'start.j2', dest: '/usr/lib/iiab/start', mode: '0755' }
-    # Obsolete & unused for ~2 years as of August 2018:
-    #- { src: 'iiab-vpn.conf.in', dest: '/etc/openvpn/iiab-vpn.conf.in', mode: '0644' }
-    # Obsolete & unused for ~2 years as of August 2018:
-    #- { src: 'iiab-vpn.j2', dest: '/usr/bin/iiab-vpn', mode: '0755' }
+    # 2019-10-09: Not recommended for over a year & no longer in use
+    # - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
+
+- name: Copy /opt/iiab/iiab/iiab-support to /usr/bin/iiab-support, in case git tree deleted e.g. on a smaller IIAB install
+  copy:
+    src: "{{ iiab_dir }}/iiab-support"
+    dest: /usr/bin/
+    mode: 0755

 - name: Create iiab-support-on (symlink to iiab-support for now)
  file:
@ -120,29 +116,6 @@
    path: /usr/bin/iiab-vpn-off
    state: link

-# up_wan was being installed twice (also above) and was unused for ~2 years
-# as of August 2018: (see 15-openvpn below)
-#- name: Put up_wan in place (debuntu)
-#  template:
-#    src: up_wan
-#    dest: /usr/lib/iiab/up_wan
-#  when: is_debuntu | bool
-
-# Contained serious bug (15-openvpn called up-wan instead of up_wan in
-# /usr/lib/iiab/ as of August 2018) so evidently unused for ~2 years:
-#- name: Install NM dispatcher.d (for older OS's only, where OpenVPN doesn't auto-start openvpn@xscenet)
-#  template:
-#    src: 15-openvpn
-#    dest: /etc/NetworkManager/dispatcher.d/
-#  #when: not is_debuntu    # CONDITION APPEARS TOO BROAD
-#  when: False              # ADD/ITEMIZE ANY OS'S HERE, WHERE TRULY NEC (e.g. older CentOS, if running older OpenVPN?)
-
-# Was obsolete/unused for ~2 years as of August 2018: (replaced by /etc/openvpn/xscenet.conf)
-#- name: Check for manually configured OpenVPN tunnel
-#  stat:
-#    path: /etc/openvpn/iiab-vpn.conf
-#  register: stat
-

 # FIXED SOMETIME PRIOR TO AUGUST 2018: earlier versions of Ansible had not
 # been working with systemd service names that contained the "@" character.
--- a/roles/openvpn/templates/iiab-handle.j2.deprecated
+++ b/roles/openvpn/templates/iiab-handle.j2.deprecated
--- a/roles/openvpn/templates/iiab-vpn.conf.in.deprecated
+++ b/roles/openvpn/templates/iiab-vpn.conf.in.deprecated
@ -1,6 +0,0 @@
-# this file allows changing the world accessable vpn server and its ip address
-#
-# copy this template file to /etc/openvpn/iiab-vpn.conf, and set properly
-
-#  VPNCONFIG=< put the name of the config file in /etc/openvpn you want to use>
-#  VPNIP=<put the ip address of server, pinged to test for existence of vpn tunnel>
--- a/roles/openvpn/templates/iiab-vpn.j2.deprecated
+++ b/roles/openvpn/templates/iiab-vpn.j2.deprecated
@ -1,92 +0,0 @@
-#!/bin/bash
-# script to manage openvpn
-
-if [ ! -f "/etc/openvpn/iiab-vpn.conf" ]; then
-    VPNCONFIG='xscenet.conf'    # WAS BUGGY (set to non-existent "party-line.conf", but thankfully unused) as of August 2018
-    VPNIP={{ openvpn_server_virtual_ip }}
-else
-    # expect the sourced file to set the above variables
-    source /etc/openvpn/iiab-vpn.conf
-fi
-
-# we'd like the user of this script to have root privilege
-if [ "$(id -u)" != "0" ]; then
-    echo "This script must be run as root" 1>&2
-    exit 1
-fi
-
-case $1 in
-    "stop" | "no" | "off")
-        killall openvpn
-        exit 0
-        ;;
-    "status")
-        pid=`ps -e|grep openvpn`
-        if [ -z "$pid" ]; then
-            echo "The OpenVPN process is not running"
-        else
-            echo "OpenVPN is running with id $pid"
-            ip=`ifconfig tun | gawk '(/netmask /) {print( $2);}'`
-            echo "Local vpn tunnel address is $ip"
-        fi
-        exit 0
-        ;;
-esac
-
-# we'd like for password authentication to be turned off
-grep -e^PasswordAuthentication.*[Yy]es /etc/ssh/sshd_config
-PASSWORDS_ENABLED=$?
-
-if [ $PASSWORDS_ENABLED -eq 0 ];then
-    case $1 in
-        "test" | "unsafe") ;;
-        *)
-            echo "OpenVPN is only safe when public/private keys are used"
-            echo " And when passwords are turned off in /etc/ssh/sshd_conf"
-            exit 1
-    esac
-fi
-
-# openvpn config file directory
-dir=/etc/openvpn
-
-if [ $# -eq 0 ]; then
-    cmd="test"
-else
-    cmd=$1
-fi
-
-case $cmd in
-    "test" | "unsafe" )
-        # load TUN/TAP kernel module
-        modprobe tun
-
-        # make sure the wan is functioning
-        # 8.8.8.8 is one of google's dns servers
-        ping -c 3 -i 3 8.8.8.8
-        if [ $? -ne 0 ]; then
-            echo "internet is not available, tunnel not possible"
-            exit 1
-        fi
-
-        # check the vpn tunnel
-        ping -c 5 -i 5 "$VPNIP"
-        # a zero return means the tunnel is up
-        if [ $? -ne "0" ]; then
-            echo "Stopping any openvpn instance"
-            killall openvpn
-            sleep 10
-            echo "Starting OpenVPN and waiting 10 seconds for daemon to become ready"
-            openvpn --cd $dir --daemon --config $VPNCONFIG
-        fi
-        sleep 10
-        echo "Testing VPN connection"
-        ping -c 4 -i 4 "$VPNIP"
-        if [ $? -eq 0 ]; then
-            echo "vpn tunnel established"
-        else
-            echo "vpn connection failed"
-        fi
-
-        ;;
-esac
--- a/roles/openvpn/templates/party-line.conf.j2.deprecated
+++ b/roles/openvpn/templates/party-line.conf.j2.deprecated
@ -1,41 +0,0 @@
-# REPLACED BY xscenet.conf.j2 -> /etc/openvpn/xscenet.conf
-
-#########################################
-# Sample client-side OpenVPN config file
-# for connecting to multi-client server.
-#
-# Adapted from http://openvpn.sourceforge.net/20notes.html
-#
-# The server can be pinged at 10.8.0.1.
-#
-# This configuration can be used by multiple
-# clients, however each client should have
-# its own cert and key files.
-#
-# tun-style tunnel
-
-port {{ openvpn_server_port }}
-dev tun
-remote {{ openvpn_server }}
-
-# TLS parms
-
-tls-client
-ca keys/ca.crt
-cert keys/client1.crt
-key keys/client1.key
-
-# This parm is required for connecting
-# to a multi-client server.  It tells
-# the client to accept options which
-# the server pushes to us.
-pull
-
-# Scripts can be used to do various
-# things (change nameservers, for
-# example.
-#up scripts/ifup-post
-#down scripts/ifdown-post
-
-verb 4
-comp-lzo yes
--- a/roles/openvpn/templates/xsce-vpn.conf.in.deprecated
+++ b/roles/openvpn/templates/xsce-vpn.conf.in.deprecated
@ -1,6 +0,0 @@
-# this file allows changing the world accessable vpn server and its ip address
-#
-# copy this template file to /etc/openvpn/xsce-vpn.conf, and set properly
-
-#  VPNCONFIG=< put the name of the config file in /etc/openvpn you want to use>
-#  VPNIP=<put the ip address of server, pinged to test for existence of vpn tunnel>
--- a/vars/debian-10.yml
+++ b/vars/debian-10.yml
@ -27,4 +27,3 @@ systemd_location: /lib/systemd/system
 # Upgrade OS's own Calibre to very latest:
 calibre_via_debs: True
 calibre_via_python: False
-need_ncat: True
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@ -199,9 +199,6 @@ openvpn_server: xscenet.net
 openvpn_server_real_ip: 3.89.148.185
 openvpn_server_virtual_ip: 10.8.0.1
 openvpn_server_port: 1194
-# Newer versions of NMap do not include NCat which is used to announce handle
-# need_ncat is turned true by os-#.yml files that don't have ncat in nmap
-need_ncat: False

 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
--- a/vars/raspbian-10.yml
+++ b/vars/raspbian-10.yml
@ -40,4 +40,3 @@ minetest_working_dir: /library/games/minetest
 minetest_game_dir: /library/games/minetest/games/minetest_game
 minetest_rpi_src_url: http://www.nathansalapat.com/downloads/0.4.17.1.tar.gz
 minetest_rpi_src: minetest-0.4.17.1.tar.gz
-need_ncat: True
--- a/vars/ubuntu-19.yml
+++ b/vars/ubuntu-19.yml
@ -29,4 +29,3 @@ systemd_location: /lib/systemd/system
 # Upgrade Ubuntu 19.x's Calibre 3.39.1+ to very latest
 calibre_via_debs: False
 calibre_via_python: True
-need_ncat: True