Merge pull request #175 from iiab/master

sync from iiab/iiab

iiab-install

@@ -74,7 +74,7 @@ fi
 # Subroutine compares software version numbers.  Generates rare false positives
 # like "1.0 > 1" and "2.4.0 > 2.4".  Avoid risks by structuring conditionals w/
 # a consistent # of decimal points e.g. "if version_gt w.x.y.z a.b.c.d; then"
-function version_gt() { [ "$(printf '%s\n' "$@" | sort -V | head -1)" != "$1" ]; }
+version_gt() { [ "$(printf '%s\n' "$@" | sort -V | head -1)" != "$1" ]; }
 
 # Verify that Raspbian is running a recent enough kernel.  As Raspbian
 # updates on 4.9.41-v7+ broke bridging, WiFi AP & OpenVPN in Oct/Nov 2017.

roles/calibre-web/tasks/main.yml

@@ -43,13 +43,13 @@
     src: "{{ calibreweb_venv_path }}/lib/python2.7/site-packages"
     dest: "{{ calibreweb_venv_path }}/vendor"
 
-- name: Create Calibre-Web systemd service unit file and calibre-web.conf for Apache
+- name: Install systemd unit file calibre-web.service & Apache's calibre-web.conf, from templates
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
     mode: "{{ item.mode }}"
-    owner: "{{ calibreweb_user }}"
+    owner: root
-    group: "{{ apache_user }}"
+    group: root
   with_items:
     - { src: 'calibre-web.service.j2', dest: '/etc/systemd/system/calibre-web.service', mode: '0644' }
     - { src: 'calibre-web.conf.j2', dest: '/etc/apache2/sites-available/calibre-web.conf', mode: '0644' }

roles/httpd/tasks/html.yml

@@ -59,7 +59,7 @@
   with_fileglob:
     - html/services/*
 
-- name: Create symlink from assets to {{ iiab_ini_file }}
+- name: Create symlink from /library/www/html/common/assets/iiab.ini to {{ iiab_ini_file }}
   file:
     src: "{{ iiab_ini_file }}"
     dest: "{{ doc_root }}/common/assets/iiab.ini"

roles/httpd/tasks/main.yml

@@ -1,15 +1,15 @@
-- name: Install httpd required packages (debian)
+- name: Install Apache's required packages (debian)
   package:
-    name: "{{ item }}"
+    #name: [u'apache2', u'php{{ php_version }}', u'php{{ php_version }}-curl']    # FAILS ('u' for Unicode strings)
+    #name: ['apache2', 'php{{ php_version }}', 'php{{ php_version }}-curl']       # WORKS?
+    name:
+      - apache2
+      - "php{{ php_version }}"
+      - "php{{ php_version }}-curl"
     state: present
-  with_items:
+  when: is_debian
-    - apache2
-    - php{{ php_version }}
-    - php{{ php_version }}-curl
-#    - php{{ php_version }}-sqlite
   tags:
     - download
-  when: is_debian
 
 - name: Debian changed SQLite name (debian-8)
   package:
@@ -21,35 +21,36 @@
     name: "php{{ php_version }}-sqlite3"
   when: is_debian and ansible_distribution_major_version == "9"
 
-- name: Install httpd required packages (ubuntu)
+- name: Install Apache's required packages (ubuntu)
   package:
-    name: "{{ item }}"
+    #name: [u'apache2', u'php']    # FAILS ('u' for Unicode strings)
+    #name: ['apache2', 'php']      # WORKS
+    name:
+      - apache2
+      - php
     state: present
-  with_items:
+  when: is_ubuntu
-    - apache2
-    - php
   tags:
     - download
-  when: is_ubuntu
 
 - name: SQLite3 no longer included in another package (ubuntu-18)
   package:
     name: php{{ php_version }}-sqlite3
   when: is_ubuntu_18
 
-- name: Install httpd required packages (redhat)
+- name: Install Apache's required packages (redhat)
   package:
-    name: "{{ item }}"
+    #name: [u'httpd', u'php', u'php-curl', u'mod_authnz_external']    # FAILS ('u' for Unicode strings)
+    #name: ['httpd', 'php', 'php-curl', 'mod_authnz_external']        # WORKS
+    name:
+      - httpd
+      - php
+      - php-curl
+      - mod_authnz_external
     state: present
-  with_items:
+  when: is_redhat
-    - httpd
-    - php
-    - php-curl
-    - mod_authnz_external
-#    - php-sqlite
   tags:
     - download
-  when: is_redhat
 
 # MOVED DOWN ~58 LINES
 #- name: Remove the default apache2 config file (debuntu)
@@ -58,17 +59,17 @@
 #    state: absent
 #  when: is_debuntu
 
-- name: Create httpd config files
+- name: Install Apache's 010-iiab.conf & proxy_ajp.conf into /etc/apache2/sites-available, from templates
   template:
     backup: yes
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
     owner: root
     group: root
-    mode: "{{ item.mode }}"
+    mode: 0644
   with_items:
-    - { src: '010-iiab.conf.j2', dest: '/etc/{{ apache_config_dir }}/010-iiab.conf', mode: '0755' }
+    - { src: '010-iiab.conf.j2', dest: '/etc/{{ apache_config_dir }}/010-iiab.conf' }
-    - { src: 'proxy_ajp.conf.j2', dest: '/etc/{{ apache_config_dir }}/proxy_ajp.conf', mode: '0644' }
+    - { src: 'proxy_ajp.conf.j2', dest: '/etc/{{ apache_config_dir }}/proxy_ajp.conf' }
     #- { src: 'php.ini.j2', dest: '/etc/php.ini', mode: '0644' }    # @jvonau suggests removing this in https://github.com/iiab/iiab/issues/1147
 
 # For schools that use WordPress and/or Moodle intensively. See iiab/iiab #1147
@@ -87,7 +88,7 @@
     - { regexp: '^max_input_time', line: 'max_input_time = 300    ; default is 60' }
 
 # remove symlinks for mpm-event, replace with mpm-prefork
-- name: Remove mpm event links (debuntu)
+- name: Remove mpm event symlinks (debuntu)
   file:
     path: "/etc/apache2/mods-enabled/{{ item }}"
     state: absent
@@ -98,8 +99,8 @@
 
 - name: Create symlinks for mpm-prefork (debuntu)
   file:
-    path: "/etc/apache2/mods-enabled/{{ item }}"
     src: "/etc/apache2/mods-available/{{ item }}"
+    path: "/etc/apache2/mods-enabled/{{ item }}"
     state: link
   with_items:
     - mpm_prefork.conf
@@ -115,13 +116,11 @@
     - rewrite
   when: is_debuntu
 
-- name: Create symlinks for enabling our site (debuntu)
+- name: Create 010-iiab.conf symlink enabling our site (debuntu)
   file:
-    path: "/etc/apache2/sites-enabled/{{ item }}"
+    src: "/etc/{{ apache_config_dir }}/010-iiab.conf"
-    src: "/etc/apache2/sites-available/{{ item }}"
+    path: /etc/apache2/sites-enabled/010-iiab.conf
     state: link
-  with_items:
-    - 010-iiab.conf
   when: is_debuntu
 
 - name: Remove apache2 default config files (debuntu)
@@ -133,7 +132,7 @@
     - /etc/apache2/sites-enabled/000-default.conf
   when: is_debuntu
 
-- name: Create http pid dir /var/run/{{ apache_user }}
+- name: Create Apache's pid dir /var/run/{{ apache_user }}
   file:
     path: "/var/run/{{ apache_user }}"
     mode: 0755
@@ -146,14 +145,14 @@
     name: admin
     state: present
 
-- name: Add {{ apache_user }} (from variable apache_user) to admin group
+- name: Add user {{ apache_user }} (from variable apache_user) to admin group
   user:
     name: "{{ apache_user }}"
     groups: admin
     state: present
     createhome: no
 
-- name: Create httpd log dir /var/log/{{ apache_service }}
+- name: Create Apache's log dir /var/log/{{ apache_service }}
   file:
     path: "/var/log/{{ apache_service }}"
     mode: 0755
@@ -161,12 +160,12 @@
     group: "{{ apache_user }}"
     state: directory
 
-- name: Enable httpd
+- name: Enable systemd service {{ apache_service }}
   service:
     name: "{{ apache_service }}"
     enabled: yes
 
-- name: Create iiab-info directory
+- name: Create /library/www/html/info directory for http://box/info offline docs
   file:
     path: "{{ doc_root }}/info"
     mode: 0755
@@ -174,16 +173,20 @@
     group: "{{ apache_user }}"
     state: directory
 
-- name: Remove iiab-info.conf
+# roles/httpd/templates/iiab-info.conf.j2.deprecated is no longer needed, as
-  file:
+# Apache serves http://box/info directly from above /library/www/html/info
-    dest: "/etc/{{ apache_config_dir }}/iiab-info.conf"
+# directly (as generated by /usr/bin/iiab-refresh-wiki-docs)
-    state: absent
+#
-
+#- name: Remove iiab-info.conf
-- name: Remove iiab-info.conf symlink (debuntu)
+#  file:
-  file:
+#    path: "/etc/{{ apache_config_dir }}/iiab-info.conf"
-    dest: /etc/apache2/sites-enabled/iiab-info.conf
+#    state: absent
-    state: absent
+#
-  when: is_debuntu
+#- name: Remove iiab-info.conf symlink (debuntu)
+#  file:
+#    path: /etc/apache2/sites-enabled/iiab-info.conf
+#    state: absent
+#  when: is_debuntu
 
 # SEE https://github.com/iiab/iiab/issues/1143 as the old roles/osm playbook is rarely used as of late 2018 (if anybody still uses roles/osm, they can overwrite osm.conf using the original osm playbook, or in other ways)
 - name: Copy osm.conf for http://box/maps (all OS's)
@@ -195,10 +198,11 @@
     mode: 0644
     backup: yes
 
-- name: Create link from sites-enabled to sites-available (debuntu)
+- name: Create osm.conf symlink from sites-enabled to sites-available (debuntu)
   file:
     src: "/etc/{{ apache_config_dir }}/osm.conf"
-    dest: /etc/apache2/sites-enabled/osm.conf
+    path: /etc/apache2/sites-enabled/osm.conf
+    #path: "/etc/{{ apache_service }}/sites-enabled/osm.conf"
     state: link
   when: is_debuntu
 
@@ -217,15 +221,15 @@
     dest: /usr/bin/iiab-refresh-wiki-docs
     mode: 0755
 
-- name: Give apache_user permission to poweroff
+- name: Give {{ apache_user }} (per variable apache_user) permission to poweroff
   template:
     src: 020_apache_poweroff.j2
     dest: /etc/sudoers.d/020_apache_poweroff
     mode: 0755
   when: apache_allow_sudo
 
-- name: Remove apache_user permission to poweroff
+- name: Remove {{ apache_user }} (per variable apache_user) permission to poweroff
   file:
-    dest: /etc/sudoers.d/020_apache_poweroff
+    path: /etc/sudoers.d/020_apache_poweroff
     state: absent
   when: not apache_allow_sudo

roles/iiab-admin/templates/lxde_ssh_warn.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-function check_user_pwd() {
+check_user_pwd() {
     # $meth (hashing method) is typically '6' which implies 5000 rounds
     # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
     meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
@@ -10,7 +10,7 @@ function check_user_pwd() {
 }
 
 # credit to the folks at raspberry pi foundatioon
-check_hash () {
+check_hash() {
    if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
    if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
    #test -x /usr/bin/mkpasswd || return 0

roles/iiab-admin/templates/profile_ssh_warn.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
 
-function check_user_pwd() {
+# bash syntax "function check_user_pwd() {" was removed, as it prevented all
+# lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253
+check_user_pwd() {
     # $meth (hashing method) is typically '6' which implies 5000 rounds
     # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
     meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
@@ -10,7 +12,7 @@ function check_user_pwd() {
 }
 
 # credit to the folks at raspberry pi foundatioon
-check_hash () {
+check_hash() {
     if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
     if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
     #SHADOW="$(sudo -n grep -E '^iiab-admin:' /etc/shadow 2>/dev/null)"

roles/network/tasks/captive_portal.yml

@@ -56,7 +56,7 @@
     dest: /etc/{{ apache_config_dir }}/captive-portal.conf
     owner: root
     group: root
-    mode: 0740
+    mode: 0644
   when: py_captive_portal_enabled
 
 - name: Enable Apache's captive-portal.conf if py_captive_portal_enabled (debuntu)

scripts/ansible

@@ -1,7 +1,7 @@
 #!/bin/bash -e
 
 CURR_VER="undefined"    # Ansible version you currently have installed
-GOOD_VER="2.7.0"    # For XO laptops (pip install) & CentOS (yum install rpm)
+GOOD_VER="2.7.1"    # For XO laptops (pip install) & CentOS (yum install rpm)
 # On other OS's we attempt the latest from PPA, which might be more recent
 
 export DEBIAN_FRONTEND=noninteractive

scripts/ansible-2.6.x

@@ -1,7 +1,7 @@
 #!/bin/bash -e
 
 CURR_VER="undefined"    # Ansible version you currently have installed
-GOOD_VER="2.7.0"    # For XO laptops (pip install) & CentOS (yum install rpm)
+GOOD_VER="2.7.1"    # For XO laptops (pip install) & CentOS (yum install rpm)
 # On other OS's we attempt the latest from PPA, which might be more recent
 
 export DEBIAN_FRONTEND=noninteractive

scripts/ansible-2.7.x

@@ -1,7 +1,7 @@
 #!/bin/bash -e
 
 CURR_VER="undefined"    # Ansible version you currently have installed
-GOOD_VER="2.7.0"    # For XO laptops (pip install) & CentOS (yum install rpm)
+GOOD_VER="2.7.1"    # For XO laptops (pip install) & CentOS (yum install rpm)
 # On other OS's we attempt the latest from PPA, which might be more recent
 
 export DEBIAN_FRONTEND=noninteractive

vars/local_vars_big.yml

@@ -248,8 +248,8 @@ vnstat_enabled: True
 # Calibre E-Book Library
 # WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL
 # ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED.
-calibre_install: True
+calibre_install: False
-calibre_enabled: True
+calibre_enabled: False
 # Change calibre_port to 8010 if you're using XO laptops needing above idmgr ?
 calibre_port: 8080
 # Change calibre to XYZ to add your own mnemonic URL like: http://box/XYZ