Merge pull request #2948 from holta/deprecate-wondershaper-etc

Deprecate DansGuardian & WonderShaper + overhaul Squid -- in future let's consider fortifying, removing or replacing Squid (some prefer Varnish as a proxy/cache)

roles/0-init/defaults/main.yml

@@ -43,10 +43,10 @@ FQDN_changed: False
 
 #wifi_id: none          # 2021-07-30: Had been used in 2-common/tasks/xo.yml
 
-# 2021-07-30: roles/network/tasks/squid.yml#L16 to stop Squid
+# 2021-08-16: roles/network/tasks/squid.yml#L16 to stop Squid
-# ("when: not installing") is the only non-Fedora use of this var.
+# ("when: not installing") was the only non-Fedora use of this var.
 # Earlier, this var HAD also been used in 2-common and 3-base-server.
-installing: False
+# installing: False
 
 # 2021-07-30: Broadly used across roles/network/tasks/*.yml -- but things might
 # possibly change if roles/network becomes optional per PR #2876 ?

roles/0-init/tasks/validate_vars.yml

@@ -63,7 +63,7 @@
 #
 # 2020-11-04: Fix validation of 5 [now 4] core dependencies, for ./runrole etc
 
-- name: Set vars_checklist for 44 + 44 + 40 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
+- name: Set vars_checklist for 43 + 43 + 39 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
   set_fact:
     vars_checklist:
       - hostapd
@@ -79,7 +79,7 @@
       #- apache             # Unmaintained - former dependency
       #- mysql              # MANDATORY
       - squid
-      - dansguardian
+      #- dansguardian       # Unmaintained
       - cups
       - samba
       - usb_lib

roles/4-server-options/tasks/main.yml

@@ -34,8 +34,8 @@
   include_tasks: roles/network/tasks/dhcpd.yml
   when: dhcpd_install is defined and dhcpd_install
 
-# UNMAINTAINED
+# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
-- name: Install Squid (and DansGuardian if dansguardian_install)
+- name: Install Squid
   include_tasks: roles/network/tasks/squid.yml
   when: squid_install is defined and squid_install
 

roles/network/defaults/main.yml

@@ -85,8 +85,8 @@ systemd_networkd_active: False
 # The values here are default local variables
 gui_wan_iface: unset
 gui_static_wan_ip: unset
-wondershaper_dspeed: 4096
+# wondershaper_dspeed: 4096
-wondershaper_upspeed: 1024
+# wondershaper_upspeed: 1024
 
 # netplan
 fix_dispatcher: True

roles/network/tasks/computed_network.yml

@@ -153,7 +153,7 @@
 
 - name: Add 'computed_network' variable values to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ iiab_ini_file }}"
+    dest: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
     section: computed_network
     option: "{{ item.option }}"
     value: "{{ item.value | string }}"

roles/network/tasks/computed_services.yml

@@ -1,17 +1,17 @@
 - name: No LAN configured - 'Appliance' mode
   set_fact:
-    dansguardian_enabled: False
+    # dansguardian_enabled: False
     squid_enabled: False
-    wondershaper_enabled: False
+    # wondershaper_enabled: False
     hostapd_enabled: False
     iiab_network_mode: "Appliance"
   when: iiab_lan_iface == "none" or user_lan_iface == "none"
 
 - name: LAN configured - 'LanController' mode
   set_fact:
-    dansguardian_enabled: False
+    # dansguardian_enabled: False
     squid_enabled: False
-    wondershaper_enabled: False
+    # wondershaper_enabled: False
     iiab_network_mode: "LanController"
   when: iiab_lan_iface != "none" and iiab_wan_iface == "none"
 
@@ -52,7 +52,7 @@
 
 - name: Add 'network' variable values (from computed_services.yml) to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ iiab_ini_file }}"
+    dest: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
     section: network
     option: "{{ item.option }}"
     value: "{{ item.value | string }}"

roles/network/tasks/enable_services.yml

@@ -11,29 +11,29 @@
     enabled: yes
   when: dhcpd_install and dhcpd_enabled
 
-- name: Install /etc/sysconfig/dhcpd, /etc/dhcpd-iiab.conf from templates
+- name: Install /etc/sysconfig/dhcpd, /etc/dhcpd-iiab.conf from templates (root:root, 0644 by default)
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    owner: root
+    # owner: root
-    group: root
+    # group: root
-    mode: "{{ item.mode }}"
+    # mode: "{{ item.mode }}"
   with_items:
-   - { src: 'dhcp/dhcpd-env.j2', dest: '/etc/sysconfig/dhcpd', mode: '0644' }
+   - { src: 'dhcp/dhcpd-env.j2', dest: '/etc/sysconfig/dhcpd' }
-   - { src: 'dhcp/dhcpd-iiab.conf.j2', dest: '/etc/dhcpd-iiab.conf', mode: '0644' }
+   - { src: 'dhcp/dhcpd-iiab.conf.j2', dest: '/etc/dhcpd-iiab.conf' }
   when: dhcpd_install and dhcpd_enabled
 
-- name: Install /etc/named-iiab.conf and two *.zone.db files into /var/named-iiab
+- name: Install /etc/named-iiab.conf and two *.zone.db files into /var/named-iiab (root:root, 0644 by default)
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    owner: root
+    # owner: root
-    group: root
+    # group: root
-    mode: "{{ item.mode }}"
+    # mode: "{{ item.mode }}"
   with_items:
-   - { src: 'named/named-iiab.conf.j2', dest: '/etc/named-iiab.conf', mode: '0644' }
+   - { src: 'named/named-iiab.conf.j2', dest: '/etc/named-iiab.conf' }
-   - { src: 'named/school.local.zone.db', dest: '/var/named-iiab/', mode: '0644' }
+   - { src: 'named/school.local.zone.db', dest: '/var/named-iiab/' }
-   - { src: 'named/school.internal.zone.db', dest: '/var/named-iiab/', mode: '0644' }
+   - { src: 'named/school.internal.zone.db', dest: '/var/named-iiab/' }
   when: named_install and named_enabled
 
 - name: Enable named service ({{ dns_service }}) if named_enabled
@@ -93,13 +93,13 @@
 #- debug:
 #    var: nd_dir
 
-- name: To restart dnsmasq whenever br0 comes up, install /etc/networkd-dispatcher/routable.d/dnsmasq.sh from template (if isn't Appliance, and directory /etc/networkd-dispatcher/routable.d exists, i.e. OS's like Ubuntu 18.04 or later)
+- name: To restart dnsmasq whenever br0 comes up, install /etc/networkd-dispatcher/routable.d/dnsmasq.sh from template (if isn't Appliance, and directory /etc/networkd-dispatcher/routable.d exists, i.e. OS's like Ubuntu 18.04 or later) (root:root by default)
   template:
     src: roles/network/templates/network/dnsmasq.sh.j2
     dest: /etc/networkd-dispatcher/routable.d/dnsmasq.sh
     mode: 0755
-    owner: root
+    # owner: root
-    group: root
+    # group: root
   when: dnsmasq_install and dnsmasq_enabled and nd_dir.stat.exists and nd_dir.stat.isdir and (iiab_network_mode != "Appliance")
   #when: dnsmasq_install and dnsmasq_enabled and nd_enabled is defined and nd_enabled.stdout == "enabled" and nd_dir.stat.exists and nd_dir.stat.isdir and (iiab_network_mode != "Appliance")
   #when: dnsmasq_install and dnsmasq_enabled and systemd_out.status.UnitFileState == "enabled" and networkd_dir.stat.exists and networkd_dir.stat.isdir and (iiab_network_mode != "Appliance")
@@ -122,104 +122,96 @@
     enabled: no
   when: dnsmasq_install and not dnsmasq_enabled
 
-- name: Enable DansGuardian systemd service, if dansguardian_enabled
+# - name: Enable DansGuardian systemd service, if dansguardian_enabled
-  systemd:
+#   systemd:
-    name: dansguardian
+#     name: dansguardian
-    enabled: yes
+#     enabled: yes
-  when: dansguardian_install and dansguardian_enabled
+#   when: dansguardian_install and dansguardian_enabled
 
-- name: Disable DansGuardian, if not dansguardian_enabled
+# - name: Disable DansGuardian, if not dansguardian_enabled
-  systemd:
+#   systemd:
-    name: dansguardian
+#     name: dansguardian
-    enabled: no
+#     enabled: no
-  when: (dansguardian_install or dansguardian_installed is defined) and not dansguardian_enabled
+#   when: (dansguardian_install or dansguardian_installed is defined) and not dansguardian_enabled
 
-- name: Mandate 'HTTPCACHE_ON=True' in {{ iiab_env_file }}, if squid_enabled
+- name: Mandate 'HTTPCACHE_ON=True' in {{ iiab_env_file }} - if squid_install [{{ squid_install }}] and squid_enabled [{{ squid_enabled }}]
   lineinfile:
     path: "{{ iiab_env_file }}"
     regexp: '^HTTPCACHE_ON=*'
     line: 'HTTPCACHE_ON=True'
-    state: present
   when: squid_install and squid_enabled
 
-- name: Enable Squid systemd service ({{ proxy }}) if squid_enabled
+- name: Enable systemd service '{{ proxy }}' - if squid_install and squid_enabled
   systemd:
-    name: "{{ proxy }}"
+    name: "{{ proxy }}"    # squid (or 'squid3' on vars/debian-8.yml, vars/raspbian-8.yml)
     enabled: yes
   when: squid_install and squid_enabled
 
-- name: Install /etc/{{ proxy }}/squid-iiab.conf from template, owned by {{ proxy_user }}:{{ proxy_user }}
+- name: Install /etc/{{ proxy }}/squid.conf from template (root:root, 0644 by default) - and create a timestamped backup of the original - if squid_install and squid_enabled
   template:
-    src: "{{ item.src }}"
+    src: squid/squid.conf.j2
-    dest: "{{ item.dest }}"
+    dest: /etc/{{ proxy }}/squid.conf
-    owner: "{{ item.owner }}"
+    # owner: "{{ proxy_user }}"    # proxy (or 'squid' on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml)
-    group: "{{ item.group }}"
+    # group: "{{ proxy_user }}"
-    mode: "{{ item.mode }}"
+    backup: yes
-  with_items:
-    - src: squid/squid-iiab.conf.j2
-      dest: "/etc/{{ proxy }}/squid-iiab.conf"
-      owner: "{{ proxy_user }}"
-      group: "{{ proxy_user }}"
-      mode: 0644
   when: squid_install and squid_enabled
 
-- name: Point to Squid config file from startup file, if squid_enabled (debuntu)
+# - name: Point /etc/init.d/{{ proxy }} to /etc/{{ proxy }}/squid-iiab.conf - if squid_install and squid_enabled
-  lineinfile:
+#   lineinfile:
-    regexp: '^CONFIG'
+#     regexp: '^CONFIG'
-    line: "CONFIG=/etc/{{ proxy }}/squid-iiab.conf"
+#     line: "CONFIG=/etc/{{ proxy }}/squid-iiab.conf"
-    path: "/etc/init.d/{{ proxy }}"
+#     path: "/etc/init.d/{{ proxy }}"
-  when: squid_install and squid_enabled and is_debuntu
+#   when: squid_install and squid_enabled
 
-- name: Disable Squid service, if not squid_enabled
+- name: Disable systemd service '{{ proxy }}' - if (squid_install or squid_installed [{{ squid_installed }}] is defined) and not squid_enabled
   systemd:
     name: "{{ proxy }}"
     enabled: no
   when: (squid_install or squid_installed is defined) and not squid_enabled
 
-- name: Revert to 'HTTPCACHE_ON=False' if not squid_enabled
+- name: Revert {{ iiab_env_file }} to 'HTTPCACHE_ON=False' - if squid_install and not squid_enabled
   lineinfile:
     path: "{{ iiab_env_file }}"
     regexp: '^HTTPCACHE_ON=*'
     line: 'HTTPCACHE_ON=False'
-    state: present
   when: squid_install and not squid_enabled
 
-- name: Enable Wondershaper service, if wondershaper_enabled
+# - name: Enable Wondershaper service, if wondershaper_enabled
-  systemd:
+#   systemd:
-    name: wondershaper
+#     name: wondershaper
-    enabled: yes
+#     enabled: yes
-  when: wondershaper_install and wondershaper_enabled
+#   when: wondershaper_install and wondershaper_enabled
 
-- name: Disable Wondershaper service, if not wondershaper_enabled
+# - name: Disable Wondershaper service, if not wondershaper_enabled
-  systemd:
+#   systemd:
-    name: wondershaper
+#     name: wondershaper
-    enabled: no
+#     enabled: no
-  when: (wondershaper_install or wondershaper_installed is defined) and not wondershaper_enabled
+#   when: (wondershaper_install or wondershaper_installed is defined) and not wondershaper_enabled
 
 # check-LAN should be iptables.yml remove later
-- name: Install clean copy of /usr/bin/iiab-gen-iptables from template
+- name: Install clean copy of /usr/bin/iiab-gen-iptables from template (root:root by default)
   template:
     src: gateway/iiab-gen-iptables
     dest: /usr/bin/iiab-gen-iptables
-    owner: root
+    # owner: root
-    group: root
+    # group: root
     mode: 0755
 
-- name: Install iiab-internet-on|off
+- name: Install /usr/bin/iiab-internet-on|off from template (root:root by default)
   template:
     src: "{{ item }}"
     dest: /usr/bin/
-    owner: root
+    # owner: root
-    group: root
+    # group: root
     mode: 0755
   with_items:
     - gateway/iiab-internet-on
     - gateway/iiab-internet-off
 
 
-- name: Add 'squid' variable values to {{ iiab_ini_file }}
+- name: Add 'squid' variable values to {{ iiab_ini_file }} - if squid_installed is defined
   ini_file:
-    path: "{{ iiab_ini_file }}"
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
     section: squid
     option: "{{ item.option }}"
     value: "{{ item.value | string }}"
@@ -230,28 +222,28 @@
       value: "{{ squid_enabled }}"
   when: squid_installed is defined
 
-- name: Add 'dansguardian' variable values to {{ iiab_ini_file }}
+# - name: Add 'dansguardian' variable values to {{ iiab_ini_file }}
-  ini_file:
+#   ini_file:
-    path: "{{ iiab_ini_file }}"
+#     path: "{{ iiab_ini_file }}"
-    section: dansguardian
+#     section: dansguardian
-    option: "{{ item.option }}"
+#     option: "{{ item.option }}"
-    value: "{{ item.value | string }}"
+#     value: "{{ item.value | string }}"
-  with_items:
+#   with_items:
-    - option: dansguardian_install
+#     - option: dansguardian_install
-      value: "{{ dansguardian_install }}"
+#       value: "{{ dansguardian_install }}"
-    - option: dansguardian_enabled
+#     - option: dansguardian_enabled
-      value: "{{ dansguardian_enabled }}"
+#       value: "{{ dansguardian_enabled }}"
-  when: dansguardian_installed is defined
+#   when: dansguardian_installed is defined
 
-- name: Add 'wondershaper' variable values to {{ iiab_ini_file }}
+# - name: Add 'wondershaper' variable values to {{ iiab_ini_file }}
-  ini_file:
+#   ini_file:
-    path: "{{ iiab_ini_file }}"
+#     path: "{{ iiab_ini_file }}"
-    section: wondershaper
+#     section: wondershaper
-    option: "{{ item.option }}"
+#     option: "{{ item.option }}"
-    value: "{{ item.value | string }}"
+#     value: "{{ item.value | string }}"
-  with_items:
+#   with_items:
-    - option: wondershaper_install
+#     - option: wondershaper_install
-      value: "{{ wondershaper_install }}"
+#       value: "{{ wondershaper_install }}"
-    - option: wondershaper_enabled
+#     - option: wondershaper_enabled
-      value: "{{ wondershaper_enabled }}"
+#       value: "{{ wondershaper_enabled }}"
-  when: wondershaper_installed is defined
+#   when: wondershaper_installed is defined

roles/network/tasks/main.yml

@@ -21,9 +21,9 @@
 - name: computed_network
   include_tasks: computed_network.yml
 
-- name: Configure wondershaper
+# - name: Configure wondershaper
-  include_tasks: wondershaper.yml
+#   include_tasks: wondershaper.yml
-  when: wondershaper_install or wondershaper_installed is defined
+#   when: wondershaper_install or wondershaper_installed is defined
 
 - name: (Re)Install named
   include_tasks: named.yml

roles/network/tasks/restart.yml

@@ -23,17 +23,17 @@
   async: 120
   when: squid_install or squid_installed is defined
 
-- name: Stop DansGuardian
+# - name: Stop DansGuardian
-  systemd:
+#   systemd:
-    name: dansguardian
+#     name: dansguardian
-    state: stopped
+#     state: stopped
-  when: dansguardian_install or dansguardian_installed is defined
+#   when: dansguardian_install or dansguardian_installed is defined
 
-- name: Restart DansGuardian service (dansguardian) except Ubuntu which needs reboot to activate
+# - name: Restart DansGuardian service (dansguardian) except Ubuntu which needs reboot to activate
-  systemd:
+#   systemd:
-    name: dansguardian
+#     name: dansguardian
-    state: restarted
+#     state: restarted
-  when: dansguardian_enabled and dansguardian_install and ( not is_ubuntu and iiab_stage|int < 4 )
+#   when: dansguardian_enabled and dansguardian_install and ( not is_ubuntu and iiab_stage|int < 4 )
 
 # Squid get re-loaded with dispatcher.d
 - name: Restart Squid service ({{ proxy }})
@@ -42,11 +42,11 @@
     state: restarted
   when: squid_enabled and squid_install
 
-- name: Restart Wondershaper service (wondershaper)
+# - name: Restart Wondershaper service (wondershaper)
-  systemd:
+#   systemd:
-    name: wondershaper
+#     name: wondershaper
-    state: restarted
+#     state: restarted
-  when: wondershaper_enabled
+#   when: wondershaper_enabled
 
 - name: Restart Avahi service (avahi-daemon)
   systemd:

roles/network/tasks/squid.yml

@@ -1,85 +1,104 @@
-- name: "Install 2 packages: {{ proxy }}, cadaver"
+- name: "Install package: {{ proxy }}"
   package:
-    name:
+    name: "{{ proxy }}"    # squid (or 'squid3' on vars/debian-8.yml, vars/raspbian-8.yml)
-      - "{{ proxy }}"
+      # - cadaver
-      - cadaver
     state: present
 
-- name: "Bigger hammer for Ubuntu, run: /etc/init.d/squid stop"
+# - name: "Bigger hammer for Ubuntu, run: /etc/init.d/squid stop"
-  command: /etc/init.d/squid stop
+#   command: /etc/init.d/squid stop
-  when: is_ubuntu
+#   when: is_ubuntu
 
-- name: Stop Squid
+- name: Stop systemd service '{{ proxy }}'
-  service:
+  systemd:
     name: "{{ proxy }}"
     state: stopped
-  when: not installing
+  when: squid_installed is undefined
 
-- name: "Create the Squid user: {{ proxy_user }}"
+- name: Create Squid user:group '{{ proxy_user }}' to own /library/cache
   user:
-    name: "{{ proxy_user }}"
+    name: "{{ proxy_user }}"    # proxy (or 'squid' on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml)
     createhome: False
     shell: /bin/false
 
-- name: "Install from template: /usr/bin/iiab-httpcache, /etc/sysconfig/squid, /etc/{{ proxy }}/sites.whitelist.txt and 3 .rules files"
+# 2021-08-16: Squid runs as 'nobody' when started as root:
-  template:
+# http://www.squid-cache.org/Doc/config/cache_effective_user/
-    src: "{{ item.src }}"
+# Much more detail here, but neither directive is recommended:
-    dest: "{{ item.dest }}"
+# http://www.squid-cache.org/Doc/config/cache_effective_group/
-    owner: "{{ item.owner }}"
+#
-    group: "{{ item.group }}"
+# So nobody:root or root:root ownership don't work for cache_dir /library/cache
-    mode: "{{ item.mode }}"
+#
-    force: no
+# Squid auto-creation of cache_dir (or the old way, 'squid -z') both fail:
-  with_items:
+# "FATAL: Failed to make swap directory /library/cache: (13) Permission denied"
-    - src: 'roles/network/templates/squid/squid.sysconfig'
+#
-      dest: '/etc/sysconfig/squid'
+# SEE ALSO: https://github.com/iiab/iiab/blob/master/roles/network/templates/squid/squid.conf.j2#L10-L30
-      owner: 'root'
-      group: 'root'
-      mode: '0755'
-    - src: 'roles/network/templates/squid/sites.whitelist.txt'
-      dest: '/etc/{{ proxy }}/sites.whitelist.txt'
-      owner: '{{ proxy_user }}'
-      group: '{{ proxy_user }}'
-      mode: '0644'
-    - src: 'roles/network/templates/squid/allowregex.rules'
-      dest: '/etc/{{ proxy }}/allowregex.rules'
-      owner: '{{ proxy_user }}'
-      group: '{{ proxy_user }}'
-      mode: '0644'
-    - src: 'roles/network/templates/squid/denyregex.rules'
-      dest: '/etc/{{ proxy }}/denyregex.rules'
-      owner: '{{ proxy_user }}'
-      group: '{{ proxy_user }}'
-      mode: '0644'
-    - src: 'roles/network/templates/squid/dstaddress.rules'
-      dest: '/etc/{{ proxy }}/dstaddress.rules'
-      owner: '{{ proxy_user }}'
-      group: '{{ proxy_user }}'
-      mode: '0644'
-    - src: 'roles/network/templates/squid/iiab-httpcache.j2'
-      dest: '/usr/bin/iiab-httpcache'
-      owner: 'root'
-      group: 'root'
-      mode: '0755'
 
-- name: Create Squid directory /library/cache
+- name: Create Squid directory /library/cache ({{ proxy_user }}:{{ proxy_user }}, 0750)
   file:
+    state: directory
     path: /library/cache
     owner: "{{ proxy_user }}"
     group: "{{ proxy_user }}"
-    mode: '0750'
+    mode: 0750
-    state: directory
 
-- name: Create Squid directory /var/log/{{ proxy }}
+- name: Install site allowlists/whitelists /etc/{{ proxy }}/allow_dst_domains, /etc/{{ proxy }}/allow_url_regexs from template (root:root, 0644 by default)
-  file:
+  template:
-    path: "/var/log/{{ proxy }}"
+    src: "{{ item }}"
-    owner: "{{ proxy_user }}"
+    dest: /etc/{{ proxy }}/
-    group: "{{ proxy_user }}"
+    backup: yes
-    mode: '0750'
+  with_items:
-    state: directory
+    - roles/network/templates/squid/allow_dst_domains
+    - roles/network/templates/squid/allow_url_regexs
 
+# - name: "Install from template: /usr/bin/iiab-httpcache, /etc/sysconfig/squid, /etc/{{ proxy }}/sites.whitelist.txt and 3 .rules files"
+#   template:
+#     src: "{{ item.src }}"
+#     dest: "{{ item.dest }}"
+#     owner: "{{ item.owner }}"
+#     group: "{{ item.group }}"
+#     mode: "{{ item.mode }}"
+#     force: no
+#   with_items:
+#     - src: 'roles/network/templates/squid/squid.sysconfig'
+#       dest: '/etc/sysconfig/squid'
+#       owner: 'root'
+#       group: 'root'
+#       mode: '0755'
+#     - src: 'roles/network/templates/squid/sites.whitelist.txt'
+#       dest: '/etc/{{ proxy }}/sites.whitelist.txt'
+#       owner: '{{ proxy_user }}'
+#       group: '{{ proxy_user }}'
+#       mode: '0644'
+#     - src: 'roles/network/templates/squid/allowregex.rules'
+#       dest: '/etc/{{ proxy }}/allowregex.rules'
+#       owner: '{{ proxy_user }}'
+#       group: '{{ proxy_user }}'
+#       mode: '0644'
+#     - src: 'roles/network/templates/squid/denyregex.rules'
+#       dest: '/etc/{{ proxy }}/denyregex.rules'
+#       owner: '{{ proxy_user }}'
+#       group: '{{ proxy_user }}'
+#       mode: '0644'
+#     - src: 'roles/network/templates/squid/dstaddress.rules'
+#       dest: '/etc/{{ proxy }}/dstaddress.rules'
+#       owner: '{{ proxy_user }}'
+#       group: '{{ proxy_user }}'
+#       mode: '0644'
+#     - src: 'roles/network/templates/squid/iiab-httpcache.j2'
+#       dest: '/usr/bin/iiab-httpcache'
+#       owner: 'root'
+#       group: 'root'
+#       mode: '0755'
 
-- include_tasks: roles/network/tasks/dansguardian.yml
+# - name: Create Squid directory /var/log/{{ proxy }}
-  when: dansguardian_install
+#   file:
+#     path: "/var/log/{{ proxy }}"
+#     owner: "{{ proxy_user }}"
+#     group: "{{ proxy_user }}"
+#     mode: '0750'
+#     state: directory
+
+# - include_tasks: roles/network/tasks/dansguardian.yml
+#   when: dansguardian_install
 
 
 # RECORD Squid AS INSTALLED
@@ -98,7 +117,7 @@
 # {{ proxy }} is normally "squid", but is "squid3" on raspbian-8 & debian-8
 - name: Add '{{ proxy }}' variable values to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ iiab_ini_file }}"
+    dest: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
     section: "{{ proxy }}"
     option: "{{ item.option }}"
     value: "{{ item.value | string }}"
@@ -112,18 +131,18 @@
     - option: squid_enabled
       value: "{{ squid_enabled }}"
 
-- name: Add 'dansguardian' variable values to {{ iiab_ini_file }}
+# - name: Add 'dansguardian' variable values to {{ iiab_ini_file }}
-  ini_file:
+#   ini_file:
-    dest: "{{ iiab_ini_file }}"
+#     dest: "{{ iiab_ini_file }}"
-    section: dansguardian
+#     section: dansguardian
-    option: "{{ item.option }}"
+#     option: "{{ item.option }}"
-    value: "{{ item.value | string }}"
+#     value: "{{ item.value | string }}"
-  with_items:
+#   with_items:
-    - option: name
+#     - option: name
-      value: DansGuardian
+#       value: DansGuardian
-    - option: description
+#     - option: description
-      value: '"DansGuardian searches web content for objectionable references and denies access when found."'
+#       value: '"DansGuardian searches web content for objectionable references and denies access when found."'
-    - option: dansguardian_install
+#     - option: dansguardian_install
-      value: "{{ dansguardian_install }}"
+#       value: "{{ dansguardian_install }}"
-    - option: dansguardian_enabled
+#     - option: dansguardian_enabled
-      value: "{{ dansguardian_enabled }}"
+#       value: "{{ dansguardian_enabled }}"

roles/network/templates/squid/allow_dst_domains

@@ -0,0 +1,17 @@
+# SEE ALSO /etc/squid/allow_url_regexs
+# the leading dot matches anything preceding
+# don't remove the .lan line
+# change this to your domain if necessary
+.lan
+.laptop.org
+.olpcMAP.net
+.mapmeld.appspot.com
+.googlecode.com
+.googleapis.com
+.gstatic.com
+.unleashkids.org
+.iiab.io
+.hopeforhaitischildren.org
+.lenouvelliste.com
+.voanouvel.com
+.sugarlabs.org

roles/network/templates/squid/allow_url_regexs

@@ -0,0 +1,4 @@
+# SEE ALSO /etc/squid/allow_url_regexs
+# put regular expressions that match desired urls
+translator
+translate

roles/network/templates/squid/sites.whitelist.txt.unused

@@ -10,7 +10,7 @@
 .translate.google.com
 .gstatic.com
 .unleashkids.org
-.iiab.io.org
+.iiab.io
 .hopeforhaitischildren.org
 .lenouvelliste.com
 .voanouvel.com

roles/network/templates/squid/squid-iiab.conf.j2.unused

@@ -4,11 +4,11 @@
 ###############################
 #  Network Interface
 
-{% if dansguardian_enabled %}
+# ## if dansguardian_enabled ##
-http_port 127.0.0.1:3130 
+# http_port 127.0.0.1:3130
-{% else %}
+# ## else ##
 http_port 0.0.0.0:3128 transparent
-{% endif %}
+# ## endif ##
 
 icp_port 0
 

roles/network/templates/squid/squid.conf.j2

@@ -0,0 +1,52 @@
+# 2021-08-16 IIAB PR #2948 - April 2007 OLPC School Server legacy moved to:
+# https://github.com/iiab/iiab/blob/master/roles/network/templates/squid/squid-iiab.conf.j2.unused
+
+http_port 3129
+http_port 3128 intercept
+
+# Some measure of privacy: mask off the lowest byte of logged IP addresses
+client_netmask 255.255.255.0
+
+# https://wiki.squid-cache.org/Features/CacheManager
+# https://wiki.squid-cache.org/SquidFaq/SecurityPitfalls#The_manager_ACLs
+http_access allow localhost manager
+http_access deny manager
+
+# 2021-08-16: Squid's auto-creation of cache_dir (or the old way, 'squid -z')
+# don't work well in recent years.  So we do it manually, as explained here:
+# https://github.com/iiab/iiab/blob/master/roles/network/tasks/squid.yml#L17-L41
+
+# Where is the cache stored on disk? http://www.squid-cache.org/Doc/config/cache_dir/
+#
+#         Type (ufs, aufs, or COSS)
+#          |       Where
+#          |         |        Size (in MB)
+#          |         |         |
+#          |         |         |     L1 (directories)
+#          |         |         |     |  L2 (directories)
+#          |         |         |     |  |
+#cache_dir aufs /library/cache 20000 32 256
+cache_dir ufs /library/cache 200 16 128
+# Remove the line above IF YOU WANT SQUID'S CACHE IN MEMORY INSTEAD OF DISK!
+
+{% if gw_squid_whitelist %}
+#acl allow_src_ips src "/etc/squid/allow_src_ips"
+acl allow_dst_domains dstdomain "/etc/squid/allow_dst_domains"
+acl allow_url_regexs url_regex -i "/etc/squid/allow_url_regexs"
+#acl allow_dst_ips dst "/etc/squid/allow_dst_ips"
+#acl deny_url_regexs url_regex -i "/etc/squid/deny_url_regexs"
+#acl deny_dst_ips src "/etc/squid/deny_dst_ips"
+
+#http_access allow allow_src_ips
+http_access allow allow_dst_domains
+http_access allow allow_url_regexs
+#http_access allow allow_dst_ips
+#http_access deny deny_url_regexs
+#http_access deny deny_dst_ips
+{% endif %}
+
+# 2021-08-16: DEFAULTS HAPPEN ANYWAY
+# http_access deny all
+# access_log /var/log/squid/access.log
+# cache_log /var/log/squid/cache.log
+# pid_filename /var/run/squid.pid

tests/test.yml

@@ -14,6 +14,7 @@
     - { role: 9-local-addons }
     #- { role: activity-server
     #- { role: ajenti }
+    - { role: all-vars }
     #- { role: authserver }
     - { role: awstats }
     - { role: azuracast }
@@ -80,9 +81,10 @@
     - { role: yarn }
     #- { roles: xovis }
 
-# Let's try to keep these 9 aligned:
+# Let's try to keep these 10 aligned:
 #
 # http://FAQ.IIAB.IO > "What services (IIAB apps) are suggested during installation?"
+# https://github.com/iiab/iiab/blob/master/vars/local_vars_unittest.yml
 # https://github.com/iiab/iiab/blob/master/vars/local_vars_min.yml
 # https://github.com/iiab/iiab/blob/master/vars/local_vars_medium.yml
 # https://github.com/iiab/iiab/blob/master/vars/local_vars_big.yml

vars/default_vars.yml

@@ -123,8 +123,6 @@ wifi_up_down: True    # Creates a 2nd virtual WiFi adapter for upstream WiFi
 
 # Set True if client machines should have "passthrough" access to WAN/Internet:
 iiab_gateway_enabled: False
-gw_squid_whitelist: False
-gw_block_https: False
 
 # Gateway mode
 iiab_lan_enabled: True
@@ -185,8 +183,8 @@ block_DNS: False
 dns_jail_enabled: False
 
 # UNMAINTAINED as of October 2017: https://github.com/iiab/iiab/pull/382
-wondershaper_install: False
+# wondershaper_install: False
-wondershaper_enabled: False
+# wondershaper_enabled: False
 
 
 # 1-PREP
@@ -257,15 +255,19 @@ nginx_log_dir: /var/log/nginx
 
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
-# UNMAINTAINED as of July 2021
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
 squid_install: False
-squid_enabled: False
+squid_enabled: False         # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
+gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites !
+gw_block_https: False
 
 # UNMAINTAINED as of July 2021
 # DansGuardian REQUIRES Squid (above) be installed & enabled.
 # DansGuardian is NO LONGER AVAILABLE in Debian Buster i.e. since June 2019.
-dansguardian_install: False
+# dansguardian_install: False
-dansguardian_enabled: False
+# dansguardian_enabled: False
 
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
 bluetooth_install: True

vars/local_vars_big.yml

@@ -147,6 +147,14 @@ pi_swap_file_size: 1024
 
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
+squid_install: False
+squid_enabled: False         # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
+gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites !
+gw_block_https: False
+
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
 bluetooth_install: True
 bluetooth_enabled: False

vars/local_vars_medium.yml

@@ -147,6 +147,14 @@ pi_swap_file_size: 1024
 
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
+squid_install: False
+squid_enabled: False         # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
+gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites !
+gw_block_https: False
+
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
 bluetooth_install: True
 bluetooth_enabled: False

vars/local_vars_min.yml

@@ -147,6 +147,14 @@ pi_swap_file_size: 1024
 
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
+squid_install: False
+squid_enabled: False         # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
+gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites !
+gw_block_https: False
+
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
 bluetooth_install: True
 bluetooth_enabled: False

vars/local_vars_unittest.yml

@@ -147,6 +147,14 @@ pi_swap_file_size: 1024
 
 # DNS prep (named &/or dhcpd) used to run here.  See dnsmasq in 1-PREP above.
 
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
+squid_install: False
+squid_enabled: False         # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
+gw_squid_whitelist: False    # Works with HTTP sites, not HTTPS sites !
+gw_block_https: False
+
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
 bluetooth_install: False
 bluetooth_enabled: False