diff --git a/roles/2-common/tasks/packages.yml b/roles/2-common/tasks/packages.yml index 02ae39496..08743aa0b 100644 --- a/roles/2-common/tasks/packages.yml +++ b/roles/2-common/tasks/packages.yml @@ -27,7 +27,7 @@ state: present when: is_debuntu | bool -- name: "Install 23 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget" +- name: "Install 22 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget" package: name: - acpid @@ -52,7 +52,7 @@ - rsync #- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml - sqlite3 - - sudo + #- sudo # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml - tar - unzip #- usbmount # Moved to roles/usb_lib/tasks/install.yml diff --git a/roles/iiab-admin/README.rst b/roles/iiab-admin/README.rst index 741a3e1cb..e41278633 100644 --- a/roles/iiab-admin/README.rst +++ b/roles/iiab-admin/README.rst 
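Review bot: The task name in the first hunk now says `Install 22 common packages` but the list in that same string still names all 23, `sudo` included, while the second hunk comments `sudo` out of `name:`; drop `sudo, ` from the name string so the count and the list agree. The new comment `#- sudo # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml` holds only because roles/iiab-admin/tasks/main.yml includes sudo-prereqs.yml unconditionally in this commit, so a cross-reference back to this line from sudo-prereqs.yml would help anyone who later makes that include conditional.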
@@ -13,31 +13,59 @@ iiab-admin README ================= -This role is home to a number of administrative (Ansible) playbooks: +`Internet-in-a-Box `_ (IIAB) encourages you to pay attention to the security of your learning community. -Add Administrative User ------------------------ +This Ansible playbook is one of the very first that runs when you install IIAB, and we hope reading this helps you understand your choices: -* Adds the Linux user that will allow you access to IIAB's Admin Console (http://box.lan/admin) if this has not already been done for you by IIAB's 1-line installer (http://download.iiab.io). -* By default this is ``iiab-admin`` with password ``g0adm1n`` +Configure user 'iiab-admin' +--------------------------- + +* `admin-user.yml `_ configures a Linux user that will give you access to IIAB's Admin Console (http://box.lan/admin) after IIAB is installed — and can also help you at the command-line with IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware, etc}. + * If initial creation of the user and password was somehow not already taken care of by IIAB's 1-line installer (http://download.iiab.io) or by your underlying OS, that too will be taken care of here. +* By default this user is ``iiab-admin`` with password ``g0adm1n`` * *Do change the default password if you haven't yet, by running:* **sudo passwd iiab-admin** - * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password - * If you prefer using a pre-existing user like ``pi`` or ``ubuntu`` etc, consider customizing variables ``iiab_admin_user_install``, ``iiab_admin_user`` and ``iiab_admin_user_group`` in your `/etc/iiab/local_vars.yml `_ (please do this prior to installing IIAB !) 
-* Please read more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md + * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password. +* If you prefer to use a pre-existing user like ``pi`` or ``ubuntu`` (or any other username) customize the variable ``iiab_admin_user`` in your `/etc/iiab/local_vars.yml `_ (preferably do this prior to installing IIAB!) + * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you won't need IIAB community support commands like `/usr/bin/iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_, `/usr/bin/iiab-hotspot-on <../network/templates/network/iiab-hotspot-on>`_, `iiab-check-firmware <../firmware/templates/iiab-check-firmware>`_, etc!) + * You can also set ``iiab_admin_user_install: False`` if you're sure you know how to do all this `account and sudo configuration `_ manually. -Desiderata, for the historical record: +Security +-------- -* Auto-checking for the default password is implemented in `/etc/profile.d `_ (and `/etc/xdg/lxsession/LXDE-pi `_ when it exists). -* |ss| N.B. 
to create password hash use python -c 'import crypt; print crypt.crypt("", "$6$<salt>")' |se| |nbsp| (not recommended as of October 2020) -* |ss| Make a sudoer |se| |nbsp| (likely going away in October 2020, as group 'iiab-admin' should be recommended instead of group 'sudo') -* |ss| Add /root/.ssh and dummy authorized_keys file as placeholder |se| |nbsp| (moved to `roles/openvpn/tasks/install.yml <https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml>`_) -* |ss| Force password for sudoers |se| |nbsp| (sudo flag ``NOPASSWORD:`` and the ``wheel`` group will no longer being used as of October 2020) +* A user MUST be a member of at least one of these 2 Linux groups, in order to log in to IIAB's Admin Console: (http://box.lan/admin) + #. ``iiab-admin`` (specified by ``admin_console_group`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_ and `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_) + #. ``sudo`` +* Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md +* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <../openvpn/tasks/install.yml>`_ to faciliate remote community support. Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security +* Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_) is implemented in `/etc/profile.d <templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop). 
-Add Packages for Remote Access ------------------------------- +Example +======= -* screen -* lynx +* If you later change your mind about ``sudo`` privileges for user 'iiab-admin' (as specified by ``iiab_admin_user``) then do this: + #. Go ahead and change the value of ``iiab_admin_can_sudo`` (to either True or False) in `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ + #. Make sure that ``iiab_admin_user_install: True`` is also set. + #. Then re-run this Ansible playbook, by running ``cd /opt/iiab/iiab`` followed by ``sudo ./runrole --reinstall iiab-admin`` + +Historical Notes +================ + +* We no longer support setting your password using a hash e.g. ``python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'`` (or the Python 3 equivalent, ``python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'``) as these are very cumbersome — and worse, exposing your "salt" opens up your password to `possible attack <https://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided>`_. [October 2020] +* The sudo flag ``NOPASSWORD:`` and the ``wheel`` group are similarly no longer recommended, so that your IIAB faces fewer security risks. [October 2020] + +Remote Support Tools +-------------------- + +The `iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_ and `OpenVPN <https://en.wikipedia.org/wiki/OpenVPN>`_ options mentioned above can greatly help you empower your community, typically during the implementation phase of your project, even if Linux is new to you. 
+ +Similarly, `access.yml <tasks/access.yml>`_ adds a couple text mode tools — extremely helpful over expensive / low-bandwidth connections: + +* `lynx <https://en.wikipedia.org/wiki/Lynx_(web_browser)>`_ +* `screen <https://linuxize.com/post/how-to-use-linux-screen/>`_ + +*More great tools to help you jumpstart community action at a distance:* + +* http://FAQ.IIAB.IO > "How can I remotely manage my Internet-in-a-Box?" Admin Console ------------- diff --git a/roles/iiab-admin/defaults/main.yml b/roles/iiab-admin/defaults/main.yml index 080962fbf..a7690e226 100644 --- a/roles/iiab-admin/defaults/main.yml +++ b/roles/iiab-admin/defaults/main.yml 
@@ -1,24 +1,16 @@ -# Must keep roles/0-init/defaults/main.yml sync'd ? (Seems no longer true as of 2018-10-15) +# Please read more about the 'iiab-admin' Linux user, for login to IIAB's +# Admin Console (http://box.lan/admin) AND to help you at the command-line: +# https://github.com/iiab/iiab/tree/master/roles/iiab-admin +# https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md -# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel -# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo- -# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n). +# iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. + +# Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- +# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml # iiab_admin_user_install: True -# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing -# Linux user that has sudo access, for login to Admin Console http://box/admin - -# ODDLY THIS IS ALSO USED BY roles/usb-lib/tasks/main.yml TO SET GROUP PERM FOR /library/www/html/local_content (ISN'T {{ apache_user }} MORE APPROPRIATE?) -# iiab_admin_user: iiab-admin - -# For live checks/alerts of published pwds -# iiab_admin_published_pwd: g0adm1n - -# Password hash to override above, if Ansible creates above user: -# iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. -# Obtain a password hash - NEW MORE SECURE WAY: -# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))' -# Obtain a password hash - OLD WAY: -# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")' +# iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. +# iiab_admin_published_pwd: g0adm1n # Default password. For pwd warnings too. 
+# admin_console_group: iiab-admin # This group & sudo log in to Admin Console # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! diff --git a/roles/iiab-admin/tasks/access.yml b/roles/iiab-admin/tasks/access.yml index 511103f17..e7281c4dc 100644 --- a/roles/iiab-admin/tasks/access.yml +++ b/roles/iiab-admin/tasks/access.yml @@ -1,6 +1,6 @@ -- name: "Install textmode remote access packages: screen, lynx" +- name: "Install text mode packages, useful during remote access: screen, lynx" package: name: - - screen - - lynx + - lynx + - screen state: present diff --git a/roles/iiab-admin/tasks/admin-user.yml b/roles/iiab-admin/tasks/admin-user.yml index 1f590f534..e19ea8e7d 100644 --- a/roles/iiab-admin/tasks/admin-user.yml +++ b/roles/iiab-admin/tasks/admin-user.yml 
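Review bot: The removed line `# ODDLY THIS IS ALSO USED BY roles/usb-lib/tasks/main.yml TO SET GROUP PERM FOR /library/www/html/local_content ...` was the only record that `iiab_admin_user` has a second consumer; if usb-lib still reads the variable (not visible in this diff), the new `# Some prefer to reuse 'pi' or 'ubuntu' etc.` invitation should carry that caveat, e.g. `# NOTE: roles/usb-lib also uses iiab_admin_user for group ownership of /library/www/html/local_content`. `admin_console_group` is documented in README.rst as having to match iiab-admin-console's own vars, and admin-user.yml marks it `# PER default_vars.yml, SHOULD NEVER CHANGE`; the same warning belongs on the `# admin_console_group: iiab-admin` line here, since this defaults file is what people read when deciding what to override.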
@@ -1,53 +1,56 @@ -- name: Create user {{ iiab_admin_user }} in group sudo for Admin Console; set password from iiab_admin_pwd_hash if newly creating account - user: - name: "{{ iiab_admin_user }}" # iiab-admin - password: "{{ iiab_admin_pwd_hash }}" - update_password: on_create - shell: /bin/bash - groups: sudo +# Summary of how this works with IIAB's Admin Console etc: +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst -#- name: Create a wheel group -# group: -# name: wheel -# state: present -#- name: Create a sudo group (redhat) -# group: -# name: sudo -# state: present -# when: is_redhat | bool +# YOU CAN CHANGE THIS USER TO 'pi' OR 'ubuntu' ETC, IN /etc/iiab/local_vars.yml +- name: Does user '{{ iiab_admin_user }}' (iiab_admin_user) exist? # iiab-admin BY DEFAULT + command: "id {{ iiab_admin_user | quote }}" # quote to avoid ';' exploits + register: user_info + failed_when: False # Hides red errors (stronger than 'ignore_errors: yes') -#- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo' -# user: -# name: "{{ iiab_admin_user }}" -# groups: wheel,sudo - -- name: Edit the sudoers file -- first make it editable - file: - path: /etc/sudoers - mode: 0640 - -- name: Have sudo log all commands it handles - lineinfile: - regexp: logfile - line: "Defaults logfile = /var/log/sudo.log" - dest: /etc/sudoers +# admin_console_group: iiab-admin # PER default_vars.yml, SHOULD NEVER CHANGE +- name: Establish Linux group '{{ admin_console_group }}' group, for login to Admin Console + group: + name: "{{ admin_console_group }}" state: present +- name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-* and /usr/sbin/iiab-*) at the command-line + user: + name: "{{ iiab_admin_user }}" + #group: "{{ iiab_admin_user }}" # Not nec. 
Anyway this happens during account creation b/c 'USERGROUPS_ENAB yes' is set in any modern /etc/login.defs + groups: "{{ admin_console_group }}" # What guarantees any user's ability to login to Admin Console, just in case the user is not a member of sudo in future. FWIW Ansible adds the user to this group in /etc/group even in cases where that's not nec -- i.e. user iiab-admin's primary group is normally sufficient if it (the correct GID, corresponding to group iiab-admin) is in the 4th column of /etc/passwd. + append: yes + shell: /bin/bash + #password: "{{ iiab_admin_pwd_hash }}" # 2020-10-14: DEPRECATED in favor + #update_password: on_create # of 'command: chpasswd' below. + +- name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}' # g0adm1n + #shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} | chpasswd" + command: chpasswd # Equiv to line above, but safer + args: + stdin: "{{ iiab_admin_user | quote }}:{{ iiab_admin_published_pwd | quote }}" + when: user_info.rc != 0 + + +# sudo-prereqs.yml needs to have been run! 
+ +- name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo + #command: "gpasswd -a {{ iiab_admin_user | quote }} sudo" + user: + name: "{{ iiab_admin_user }}" + groups: sudo + append: yes + when: iiab_admin_can_sudo + +- name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo + command: "gpasswd -d {{ iiab_admin_user | quote }} sudo" + when: not iiab_admin_can_sudo + failed_when: False # Hides red errors (stronger than 'ignore_errors: yes') + + #- name: Lets {{ iiab_admin_user }} sudo without password ##- name: Lets wheel sudo without password # lineinfile: +# path: /etc/sudoers # line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL" ## line: "%wheel ALL= NOPASSWD: ALL" -# dest: /etc/sudoers - -- name: Remove the line which requires tty - lineinfile: - regexp: requiretty - dest: /etc/sudoers - state: absent - -- name: End editing the sudoers file -- protect it again - file: - path: /etc/sudoers - mode: 0440 diff --git a/roles/iiab-admin/tasks/main.yml b/roles/iiab-admin/tasks/main.yml index 54275c7cf..ce4451003 100644 --- a/roles/iiab-admin/tasks/main.yml +++ b/roles/iiab-admin/tasks/main.yml 
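Review bot: The `| quote` filter on the chpasswd `stdin:` line is misplaced: `command:` runs without a shell, so shlex quoting is never stripped, and a `iiab_admin_published_pwd` (or username) containing a character outside shlex's safe set — a space, `!`, `$` — is written to the account with literal single quotes around it; the default `g0adm1n` survives only because it needs no quoting. Use `stdin: "{{ iiab_admin_user }}:{{ iiab_admin_published_pwd }}"` and add `no_log: True` to that task so the password does not appear in verbose module-argument output. With the `password: "{{ iiab_admin_pwd_hash }}"` line commented out, a deployer who set `iiab_admin_pwd_hash` in local_vars.yml specifically to avoid the published password will, on a fresh install, silently get `g0adm1n` and only the login-time warning; a short `assert`/`fail` when that variable is still defined would make the deprecation visible instead of silent. The `when: iiab_admin_can_sudo` / `when: not iiab_admin_can_sudo` lines drop the `| bool` the tree uses elsewhere (`is_debuntu | bool` in packages.yml), as does main.yml's new `when: iiab_admin_user_install` in the next file; `| bool` makes the truthiness explicit whether the value arrives as a YAML boolean or as a string from local_vars.yml.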
@@ -1,39 +1,32 @@ -- include_tasks: admin-user.yml - when: iiab_admin_user_install | bool +# Summary of how this works with IIAB's Admin Console etc: +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst -- include_tasks: access.yml -- name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default - template: - src: sshpwd-profile-iiab.sh - dest: /etc/profile.d/ - mode: '0644' +- name: Install lynx, screen + include_tasks: access.yml -- name: Is this LXDE-pi? - stat: - path: /etc/xdg/lxsession/LXDE-pi - register: lx +- name: Install sudo & /etc/sudoers with logging to /var/log/sudo.log + include_tasks: sudo-prereqs.yml -- name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh" - template: - src: sshpwd-lxde-iiab.sh - dest: /etc/xdg/lxsession/LXDE-pi/ - mode: '0755' - when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu +- name: Configure user iiab-admin / password and its group(s), if iiab_admin_user_install + include_tasks: admin-user.yml + when: iiab_admin_user_install -# 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does -# not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop -# (or pprompt.desktop as Raspbian has working since 2018-11-13!) Too bad as it -# would be really nice to standardize this popup across Ubermix & all distros.. -# Is this a permissions/security issue presumably? Official autostart spec is: -# https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html -# Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537 +# Idea: institute precautionary system-wide published password warning(s) +# for user iiab-admin / g0adm1n, i.e. 
{{ iiab_admin_user }} with password +# {{ iiab_admin_published_pwd }}, regardless whether the password is set: +# +# (1) by the OS installer +# (2) by the OS's graphical desktop tools +# (3) at the command-line: sudo passwd iiab-admin +# (4) by IIAB's 1-line installer: http://download.iiab.io +# (5) by this role: roles/iiab-admin/tasks/admin-user.yml +# (6) by IIAB's Admin Console during installation +# ...and/or... +# (7) by IIAB's Admin Console > Utilities > Change Password -- name: Put line in /etc/xdg/lxsession/LXDE-pi/autostart to run the above (raspbian) - lineinfile: - path: /etc/xdg/lxsession/LXDE-pi/autostart - line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh" - when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu +- name: Install password warning(s) + include_tasks: pwd-warnings.yml # RECORD iiab-admin AS INSTALLED @@ -62,3 +55,7 @@ value: '"Admin User"' - option: iiab_admin_user value: "{{ iiab_admin_user }}" + - option: iiab_admin_user_install + value: "{{ iiab_admin_user_install }}" + - option: iiab_admin_can_sudo + value: "{{ iiab_admin_can_sudo }}" diff --git a/roles/iiab-admin/tasks/pwd-warnings.yml b/roles/iiab-admin/tasks/pwd-warnings.yml new file mode 100644 index 000000000..fba510883 --- /dev/null +++ b/roles/iiab-admin/tasks/pwd-warnings.yml 
@@ -0,0 +1,31 @@
+- name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
+ template:
+ src: sshpwd-profile-iiab.sh
+ dest: /etc/profile.d/
+ mode: '0644'
+
+- name: Is this LXDE-pi?
+ stat:
+ path: /etc/xdg/lxsession/LXDE-pi
+ register: lx
+
+- name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
+ template:
+ src: sshpwd-lxde-iiab.sh
+ dest: /etc/xdg/lxsession/LXDE-pi/
+ mode: '0755'
+ when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
+
+# 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does
+# not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop
+# (or pprompt.desktop as Raspbian has working since 2018-11-13!) Too bad as it
+# would be really nice to standardize this popup across Ubermix & all distros..
+# Is this a permissions/security issue presumably? Official autostart spec is:
+# https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html
+# Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537
+
+- name: Put line in /etc/xdg/lxsession/LXDE-pi/autostart to run the above (raspbian)
+ lineinfile:
+ path: /etc/xdg/lxsession/LXDE-pi/autostart
+ line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
+ when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
diff --git a/roles/iiab-admin/tasks/sudo-prereqs.yml b/roles/iiab-admin/tasks/sudo-prereqs.yml
new file mode 100644
index 000000000..66c790d0a
--- /dev/null
+++ b/roles/iiab-admin/tasks/sudo-prereqs.yml
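Review bot: The last task's `lineinfile` on /etc/xdg/lxsession/LXDE-pi/autostart fails when that file is absent, because `create:` defaults to no and the `when:` only checks that the LXDE-pi directory exists (`lx` stats the directory, not the autostart file); add `create: yes` to the task, or stat the file itself. This is a move from main.yml rather than new behaviour, but re-homing the tasks is the right moment to fix it. The twice-repeated `lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu` reads more plainly as `lx.stat.isdir | default(false) and is_raspbian | bool and is_debuntu | bool`.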
@@ -0,0 +1,27 @@
+# roles/2-common/tasks/packages.yml also installed sudo, but that's too late
+- name: 'Install package: sudo'
+ package:
+ name: sudo
+
+- name: Temporarily make file /etc/sudoers editable (0640)
+ file:
+ path: /etc/sudoers
+ mode: 0640
+
+- name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log -- in addition to the lengthier /var/log/auth.log'
+ lineinfile:
+ path: /etc/sudoers
+ regexp: logfile
+ line: "Defaults logfile = /var/log/sudo.log"
+
+# Not nec (heavyhanded removal of customizations+comments) given sudo defaults.
+#- name: Remove all lines that contain 'requiretty'
+# lineinfile:
+# path: /etc/sudoers
+# regexp: requiretty
+# state: absent
+
+- name: End editing file /etc/sudoers -- protect it again (0440)
+ file:
+ path: /etc/sudoers
+ mode: 0440
diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
index b1fd88644..972ee3d88 100755
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
@@ -3,6 +3,9 @@
 # SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from...
 # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
 
+# CAUTION: popup warnings still don't appear on most OS's, as mentioned here:
+# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/pwd-warnings.yml#L19-L25
+
 # For Localization/Translation: (use /usr/bin/gettext below if later nec!)
 #export TEXTDOMAIN=pprompt-iiab
 #. gettext.sh
diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
index d805700c6..259da8139 100755
--- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
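Review bot: The `lineinfile` task that edits /etc/sudoers has no `validate:`, so a typo in `line:` leaves a sudoers file that sudo rejects outright and every account on the box loses sudo; add `validate: /usr/sbin/visudo -cf %s` to that task (lineinfile runs the check on its temp copy before replacing the file). The surrounding pair of `file:` tasks that flip the mode to 0640 and back are unnecessary and add their own risk — lineinfile preserves the existing mode and root can rewrite a 0440 file — while a failure between the two tasks leaves /etc/sudoers at 0640, a mode sudo refuses by default. The leading comment `# roles/2-common/tasks/packages.yml also installed sudo, but that's too late` is already stale in this commit, since packages.yml's `- sudo` entry is commented out in the first file of the diff. The mode literals here are unquoted (`mode: 0640`, `mode: 0440`) where pwd-warnings.yml writes `mode: '0644'`; quoting avoids depending on YAML 1.1 octal parsing and keeps the two files consistent.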
@@ -44,8 +44,6 @@ check_user_pwd() { # HISTORICAL: if password-free sudo access is truly nec, it can be set with # "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older: # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml -# CAUTION: popup warnings still don't appear on most OS's, as mentioned here: -# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30 if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin g0adm1n echo diff --git a/roles/nginx/tasks/install.yml b/roles/nginx/tasks/install.yml index 45a7b2402..cf6ed066e 100644 --- a/roles/nginx/tasks/install.yml +++ b/roles/nginx/tasks/install.yml @@ -16,10 +16,11 @@ - php-fpm - libnginx-mod-http-subs-filter -- name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console - user: - name: "{{ apache_user }}" # www-data or apache, per /opt/iiab/iiab/vars/<OS>.yml - groups: shadow +# 2020-10-16: Removed per #2560 +#- name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console +# user: +# name: "{{ apache_user }}" # www-data or apache, per /opt/iiab/iiab/vars/<OS>.yml +# groups: shadow - name: Remove NGINX default config /etc/nginx/sites-enabled/default file: diff --git a/roles/pbx/defaults/main.yml b/roles/pbx/defaults/main.yml index 5aab6f0f6..200e9384f 100644 --- a/roles/pbx/defaults/main.yml +++ b/roles/pbx/defaults/main.yml @@ -6,9 +6,9 @@ # asterisk_chan_dongle: False -# pbx_signaling_ports_chan_sip: "5160:5161" -# pbx_signaling_ports_chan_pjsip: "5060" -# pbx_data_ports: "10000:20000" +# pbx_signaling_ports_chan_sip: 5160:5161 +# pbx_signaling_ports_chan_pjsip: 5060 +# pbx_data_ports: 10000:20000 # pbx_http_port: 83 # # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml diff --git a/roles/transmission/defaults/main.yml b/roles/transmission/defaults/main.yml index 91a2ff0b4..023fbc224 100644 
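Review bot: Commenting out the `groups: shadow` task in roles/nginx/tasks/install.yml stops adding `{{ apache_user }}` to the shadow group on new installs, but boxes provisioned before this commit keep that membership — and with it read access to /etc/shadow — until something removes it. If re-running this role on an existing install is expected, a removal task in the style of admin-user.yml's sudo removal closes that gap: `- name: Remove user '{{ apache_user }}' from group shadow (no longer needed, see #2560)` / `command: "gpasswd -d {{ apache_user | quote }} shadow"` / `failed_when: False`. Keeping the old task as commented-out code next to the `# 2020-10-16: Removed per #2560` pointer is fine for history, but a one-line comment saying why the membership is no longer needed would spare the next reader a trip to the issue tracker.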
--- a/roles/transmission/defaults/main.yml +++ b/roles/transmission/defaults/main.yml @@ -11,7 +11,7 @@ # Monitor downloads at http://box:9091 or http://box:9091/transmission using Admin/changeme # transmission_http_port: 9091 -# transmission_url : "/transmission/" +# transmission_url: /transmission/ # transmission_peer_port: 51413 # Provision Transmission with torrent(s) from http://pantry.learningequality.org/downloads/ka-lite/0.17/content/ diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 7b626095e..a66ccb256 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml @@ -33,7 +33,7 @@ yum_packages_dir: "{{ iiab_base }}/yum-packages" downloads_dir: "{{ iiab_base }}/downloads" iiab_download_url: http://download.iiab.io/packages -content_base: "/library" +content_base: /library doc_base: "{{ content_base }}/www" doc_root: "{{ doc_base }}/html" 
@@ -50,20 +50,21 @@ language_priority: en es fr # Real-time clock: set RTC chip family here. Future auto-detection plausible? # rtc_id: ds3231 -# Please read more about the 'iiab-admin' Linux user and group, which allow -# you to log in to IIAB's Admin Console (http://box.lan/admin): +# Please read more about the 'iiab-admin' Linux user, for login to IIAB's +# Admin Console (http://box.lan/admin) AND to help you at the command-line: # https://github.com/iiab/iiab/tree/master/roles/iiab-admin # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md +# +iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- -# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml -iiab_admin_user_install: True -# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux -# user that's a member of group sudo (or group below?) for Admin Console login: -iiab_admin_user: iiab-admin -iiab_admin_user_group: iiab-admin # 2020-10-13: Coming Soon? -iiab_admin_published_pwd: g0adm1n # For live checks/alerts of published pwds -# Password hash to override above, if Ansible creates above user: -iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. +# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml +iiab_admin_user_install: True # If False, THE SETTING BELOW WILL BE IGNORED. +iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. +iiab_admin_published_pwd: g0adm1n # Default password. For pwd warnings too. +admin_console_group: iiab-admin # This group & sudo log in to Admin Console. + +# DEPRECATED - Password hash to override above, if Ansible creates above user: +# iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. 
# Obtain a password hash - NEW MORE SECURE WAY: # python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))' # Obtain a password hash - OLD WAY: @@ -111,7 +112,7 @@ iiab_home_url: /home # # Raspberry Pi OS requires WiFi country -- SET THIS IN /etc/iiab/local_vars.yml host_country_code: US -host_ssid: "Internet in a Box" +host_ssid: Internet in a Box host_wifi_mode: g host_channel: 6 hostapd_secure: False @@ -306,8 +307,8 @@ cups_port: 631 # Samba. Do a security audit seriously before deploying this. samba_install: False samba_enabled: False -samba_udp_ports: "137:138" -samba_tcp_mports: "139,445" +samba_udp_ports: 137:138 +samba_tcp_mports: 139,445 shared_dir : "{{ content_base }}/public" # /library/public # USB_LIB @@ -423,9 +424,9 @@ nextcloud_enabled: False pbx_install: False pbx_enabled: False asterisk_chan_dongle: False -pbx_signaling_ports_chan_sip: "5160:5161" -pbx_signaling_ports_chan_pjsip: "5060" -pbx_data_ports: "10000:20000" +pbx_signaling_ports_chan_sip: 5160:5161 +pbx_signaling_ports_chan_pjsip: 5060 +pbx_data_ports: 10000:20000 pbx_http_port: 83 # If using WordPress intensively, set nginx_high_php_limits further above. @@ -510,7 +511,7 @@ transmission_group: root # Monitor downloads at http://box:9091 or http://box:9091/transmission using Admin/changeme transmission_http_port: 9091 -transmission_url : "/transmission/" +transmission_url : /transmission/ transmission_peer_port: 51413 # Provision Transmission with torrent(s) from http://pantry.learningequality.org/downloads/ka-lite/0.17/content/ @@ -658,8 +659,8 @@ calibreweb_home: "{{ content_base }}/calibre-web" # /library/calibre-web # xovis_db_name: xovis # xovis_db_user: admin # xovis_db_password: admin -# xovis_root: "/opt/xovis" -# xovis_backup_dir: "/library/users" +# xovis_root: /opt/xovis +# xovis_backup_dir: /library/users # xovis_chart_heading: "My School: Usage Data Visualization" # Unmaintained 
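Review bot: Unquoting `pbx_signaling_ports_chan_pjsip: "5060"` to `5060` in the @@ -423 hunk of vars/default_vars.yml changes the variable from a string to an integer, and the range values in the @@ -306 and @@ -423 hunks (`137:138`, `5160:5161`, `10000:20000`) stay strings only because their second component is above 59 — under the YAML 1.1 rules PyYAML applies, a colon-separated number whose trailing parts are 0–59 (e.g. a constructed `80:59`) is read as a sexagesimal integer. The quotes on these port and port-range values were therefore protective and I would keep them, here and in the commented copies in roles/pbx/defaults/main.yml so the two stay in step; the int change is probably harmless where the value is only interpolated into a template, but anything that compares or regex-matches it now sees a different type. `host_ssid: Internet in a Box` and the `xovis_*` path unquotings parse fine as written, but an SSID later edited to contain `: ` or ` #` would break the parse, so a comment `# quote this value if the SSID contains ': ' or ' #'` beside host_ssid is worth adding.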
diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml
index 5b7eb39e7..9ad8bf016 100644
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@@ -22,23 +22,16 @@ language_priority: en es fr # Real-time clock: set RTC chip family here. Future auto-detection plausible? # rtc_id: ds3231 -# Please read more about the 'iiab-admin' Linux user and group, which allow -# you to log in to IIAB's Admin Console (http://box.lan/admin): +# Please read more about the 'iiab-admin' Linux user, for login to IIAB's +# Admin Console (http://box.lan/admin) AND to help you at the command-line: # https://github.com/iiab/iiab/tree/master/roles/iiab-admin # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md +# +iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- -# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml -iiab_admin_user_install: True -# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux -# user that's a member of group sudo (or group below?) for Admin Console login: -iiab_admin_user: iiab-admin -iiab_admin_user_group: iiab-admin # 2020-10-13: Coming Soon? -# Password hash to be used if Ansible creates the above user: -iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. -# Obtain a password hash - NEW MORE SECURE WAY: -# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))' -# Obtain a password hash - OLD WAY: -# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")' +# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml +iiab_admin_user_install: True # If False, THE SETTING BELOW WILL BE IGNORED. +iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. # Set these to False if you do not want to install/enable IIAB Admin Console admin_console_install: True 
@@ -67,7 +60,7 @@ iiab_home_url: /home # # Raspberry Pi OS requires Wi-Fi country since March 2018. Please set it here: host_country_code: US -host_ssid: "Internet in a Box" +host_ssid: Internet in a Box host_wifi_mode: g host_channel: 6 hostapd_secure: False @@ -155,7 +148,7 @@ sshd_enabled: True openvpn_install: True openvpn_enabled: False # Set /etc/iiab/openvpn_handle in advance here: -openvpn_handle: "BIG-sized - Put Your Name Here" +openvpn_handle: BIG-sized - Put Your Name Here # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4. # Please see recommendations at: https://itsfoss.com/swap-size/ diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index 1e22560b3..878c98733 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml 
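Review bot: `openvpn_handle: BIG-sized - Put Your Name Here` in the @@ -155 hunk is a placeholder users are told to replace, and the quotes being removed were what protected a replacement containing `: ` or ` #` (a name like `School #3` would be silently truncated to `School`) from a parse error or a wrong value; I would keep the double quotes on this line and on the same line in local_vars_medium.yml and local_vars_min.yml, and on `host_ssid` in all three files, for the same reason. Plain scalars are fine for fixed values, but a free-text field the installer expects people to edit is exactly where defensive quoting pays for itself.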
@@ -22,23 +22,16 @@ language_priority: en es fr # Real-time clock: set RTC chip family here. Future auto-detection plausible? # rtc_id: ds3231 -# Please read more about the 'iiab-admin' Linux user and group, which allow -# you to log in to IIAB's Admin Console (http://box.lan/admin): +# Please read more about the 'iiab-admin' Linux user, for login to IIAB's +# Admin Console (http://box.lan/admin) AND to help you at the command-line: # https://github.com/iiab/iiab/tree/master/roles/iiab-admin # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md +# +iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- -# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml -iiab_admin_user_install: True -# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux -# user that's a member of group sudo (or group below?) for Admin Console login: -iiab_admin_user: iiab-admin -iiab_admin_user_group: iiab-admin # 2020-10-13: Coming Soon? -# Password hash to be used if Ansible creates the above user: -iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. -# Obtain a password hash - NEW MORE SECURE WAY: -# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))' -# Obtain a password hash - OLD WAY: -# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")' +# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml +iiab_admin_user_install: True # If False, THE SETTING BELOW WILL BE IGNORED. +iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. # Set these to False if you do not want to install/enable IIAB Admin Console admin_console_install: True 
@@ -67,7 +60,7 @@ iiab_home_url: /home
 #
 # Raspberry Pi OS requires Wi-Fi country since March 2018. Please set it here:
 host_country_code: US
-host_ssid: "Internet in a Box"
+host_ssid: Internet in a Box
 host_wifi_mode: g
 host_channel: 6
 hostapd_secure: False
@@ -155,7 +148,7 @@ sshd_enabled: True
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: "MEDIUM-sized - Put Your Name Here"
+openvpn_handle: MEDIUM-sized - Put Your Name Here
 
 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml
index 3ec432aa9..8a26cc1a2 100644
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@@ -22,23 +22,16 @@ language_priority: en es fr
 # Real-time clock: set RTC chip family here. Future auto-detection plausible?
 # rtc_id: ds3231
 
-# Please read more about the 'iiab-admin' Linux user and group, which allow
-# you to log in to IIAB's Admin Console (http://box.lan/admin):
+# Please read more about the 'iiab-admin' Linux user, for login to IIAB's
+# Admin Console (http://box.lan/admin) AND to help you at the command-line:
 # https://github.com/iiab/iiab/tree/master/roles/iiab-admin
 # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
+#
+iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc.
 # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
-# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml
-iiab_admin_user_install: True
-# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux
-# user that's a member of group sudo (or group below?) for Admin Console login:
-iiab_admin_user: iiab-admin
-iiab_admin_user_group: iiab-admin # 2020-10-13: Coming Soon?
-# Password hash to be used if Ansible creates the above user:
-iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
-# Obtain a password hash - NEW MORE SECURE WAY:
-# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
-# Obtain a password hash - OLD WAY:
-# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
+# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
+iiab_admin_user_install: True # If False, THE SETTING BELOW WILL BE IGNORED.
+iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional.
 
 # Set these to False if you do not want to install/enable IIAB Admin Console
 admin_console_install: True
@@ -67,7 +60,7 @@ iiab_home_url: /home
 #
 # Raspberry Pi OS requires Wi-Fi country since March 2018. Please set it here:
 host_country_code: US
-host_ssid: "Internet in a Box"
+host_ssid: Internet in a Box
 host_wifi_mode: g
 host_channel: 6
 hostapd_secure: False
@@ -155,7 +148,7 @@ sshd_enabled: True
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: "MIN-sized - Put Your Name Here"
+openvpn_handle: MIN-sized - Put Your Name Here
 
 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/