external/iiab
1
0
Fork 0
mirror of https://github.com/iiab/iiab.git synced 2025-03-09 15:40:17 +00:00
Code Issues Releases Wiki Activity

Merge branch 'iiab:master' into freepbx-readme

Browse source
This commit is contained in:
lemueldsouza 2021-08-13 20:08:36 +05:30 committed by GitHub
commit a8844dbad5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
82 changed files with 1843 additions and 867 deletions
Download patch file Download diff file Expand all files Collapse all files

0
roles/elgg/README.rst → roles/0-DEPRECATED-ROLES/elgg/README.rst
View file

0
roles/elgg/defaults/main.yml → roles/0-DEPRECATED-ROLES/elgg/defaults/main.yml
View file

0
roles/elgg/tasks/apache.yml → roles/0-DEPRECATED-ROLES/elgg/tasks/apache.yml.unused
View file

39
roles/elgg/tasks/install.yml → roles/0-DEPRECATED-ROLES/elgg/tasks/install.yml
View file

@ -1,11 +1,12 @@
- name: "Set 'apache_install: True' and 'apache_enabled: True'"
set_fact:
apache_install: True
apache_enabled: True
# - name: "Set 'apache_install: True' and 'apache_enabled: True'"
# set_fact:
# apache_install: True
# apache_enabled: True
#
# - name: APACHE - run 'httpd' role
# include_role:
# name: httpd
- name: APACHE - run 'httpd' role
include_role:
name: httpd
# 2020-06-15: roles/httpd/tasks/install.yml now takes care of this.
# # 2020-05-21: Required now that mysql/tasks/install.yml installs
@ -32,7 +33,7 @@
# creates: "{{ downloads_dir }}/elgg-{{ elgg_version }}.zip"
get_url:
url: "{{ iiab_download_url }}/elgg-{{ elgg_version }}.zip"
dest: "{{ downloads_dir }}"
dest: "{{ downloads_dir }}" # /opt/iiab/downloads
timeout: "{{ download_timeout }}"
when: internet_available
@ -41,7 +42,7 @@
path: "/opt/elgg-{{ elgg_version }}/index.php"
register: elgg
- name: Unpack (unarchive) .zip to /opt, if above index.php doesn't exist
- name: Unpack (unarchive) .zip to /opt, if above index.php doesn't exist ({{ apache_user }}:{{ apache_user }})
#shell: "/usr/bin/unzip -o {{ downloads_dir }}/elgg-{{ elgg_version }}.zip -d /opt"
unarchive:
#remote_src: yes
@ -52,7 +53,7 @@
group: "{{ apache_user }}"
when: elgg.stat.exists is defined and not elgg.stat.exists
- name: Create softlink from /opt/elgg to /opt/elgg-{{ elgg_version }}
- name: Symlink /opt/elgg -> /opt/elgg-{{ elgg_version }}
file:
src: "./elgg-{{ elgg_version }}"
path: /opt/elgg
@ -69,13 +70,13 @@
group: "{{ apache_user }}"
# The name of this file changed from 1.9 to 1.10.
- name: Copy default .htaccess into /opt/{{ elgg_xx }}, root of Elgg tree
- name: Copy default .htaccess into /opt/{{ elgg_xx }}, root of Elgg tree (0644)
copy:
src: "/opt/{{ elgg_xx }}/vendor/elgg/elgg/install/config/htaccess.dist"
dest: "/opt/{{ elgg_xx }}/.htaccess"
owner: "{{ apache_user }}"
group: "{{ apache_user }}"
mode: '0644'
mode: 0644
#regexp='^#RewriteBase'
- name: Change .htaccess to include RewriteBase for http://box{{ elgg_url }} # http://box/elgg
@ -86,12 +87,12 @@
insertafter: '^#RewriteBase'
line: "RewriteBase {{ elgg_url }}/"
- name: Set /opt/elgg/engine directory permissions to 0755 so Apache can write there
- name: Set /opt/elgg/engine directory permissions to 0755 (owner {{ apache_user }}) so Apache can write there
file:
state: directory
path: /opt/elgg/engine/
owner: "{{ apache_user }}"
mode: '0755'
mode: 0755
- name: Change /opt/elgg-{{ elgg_version }} ownership to {{ apache_user }}:{{ apache_user }} (likely not nec, as unarchive & all do this above)
file:
@ -103,14 +104,14 @@
- name: Create upload directory {{ elgg_upload_path }} that Apache (and Elgg) can write to
file:
path: "{{ elgg_upload_path }}"
path: "{{ elgg_upload_path }}" # /library/elgg
state: directory
owner: "{{ apache_user }}"
- name: Install /etc/{{ apache_conf_dir }}/elgg.conf from template, for http://box{{ elgg_url }} # http://box/elgg
template:
src: elgg.conf
dest: "/etc/{{ apache_conf_dir }}/elgg.conf"
# - name: Install /etc/{{ apache_conf_dir }}/elgg.conf from template, for http://box{{ elgg_url }} # http://box/elgg
# template:
# src: elgg.conf
# dest: "/etc/{{ apache_conf_dir }}/elgg.conf"
- name: Set up Elgg's MySQL database

9
roles/elgg/tasks/main.yml → roles/0-DEPRECATED-ROLES/elgg/tasks/main.yml
View file

@ -24,14 +24,13 @@
when: elgg_installed is undefined
#- name: Enable/Disable/Restart Apache if primary
- name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache
include_tasks: apache.yml
#when: not nginx_enabled
# #- name: Enable/Disable/Restart Apache if primary
# - name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache
# include_tasks: apache.yml
# #when: not nginx_enabled
- name: Enable/Disable/Restart NGINX if primary
include_tasks: nginx.yml
when: nginx_enabled
- name: Add 'elgg' variable values to {{ iiab_ini_file }}

0
roles/elgg/tasks/nginx.yml → roles/0-DEPRECATED-ROLES/elgg/tasks/nginx.yml
View file

0
roles/elgg/tasks/setup.yml → roles/0-DEPRECATED-ROLES/elgg/tasks/setup.yml
View file

0
roles/elgg/templates/elgg-nginx.conf.j2 → roles/0-DEPRECATED-ROLES/elgg/templates/elgg-nginx.conf.j2
View file

0
roles/elgg/templates/elgg.conf → roles/0-DEPRECATED-ROLES/elgg/templates/elgg.conf.unused
View file

0
roles/elgg/templates/elggdb.sql.j2 → roles/0-DEPRECATED-ROLES/elgg/templates/elggdb.sql.j2
View file

0
roles/elgg/templates/settings.php.j2 → roles/0-DEPRECATED-ROLES/elgg/templates/settings.php.j2
View file

0
roles/httpd/README.md → roles/0-DEPRECATED-ROLES/httpd/README.md
View file

0
roles/httpd/defaults/main.yml → roles/0-DEPRECATED-ROLES/httpd/defaults/main.yml
View file

0
roles/httpd/tasks/homepage.yml → roles/0-DEPRECATED-ROLES/httpd/tasks/homepage.yml
View file

2
roles/httpd/tasks/install.yml → roles/0-DEPRECATED-ROLES/httpd/tasks/install.yml
View file

@ -4,7 +4,7 @@
#name: ['apache2', 'php{{ php_version }}', 'php{{ php_version }}-curl'] # WORKS?
name:
- "{{ apache_service }}" # apache2 on Debuntu
- libapache2-mod-php{{ php_version }} # 2020-06-15: Required (e.g. for Elgg, Moodle & possibly others) now that mysql/tasks/install.yml installs "php{{ php_version }}-common" rather than the full "php{{ php_version }}" -- 2021-06-28 FYI: this also drags in libsodium23 (likewise installed via nginx/tasks/install.yml AND moodle/tasks/install.yml)
- libapache2-mod-php{{ php_version }} # 2020-06-15: Required (e.g. for Elgg, Moodle, roles/pbx's FreePBX & possibly others) now that mysql/tasks/install.yml installs "php{{ php_version }}-common" rather than the full "php{{ php_version }}" -- 2021-06-28 FYI: this also drags in libsodium23 (likewise installed via nginx/tasks/install.yml AND moodle/tasks/install.yml)
#- "php{{ php_version }}"
#- "php{{ php_version }}-curl"
state: present

0
roles/httpd/tasks/main.yml → roles/0-DEPRECATED-ROLES/httpd/tasks/main.yml
View file

0
roles/httpd/templates/010-iiab.conf.j2 → roles/0-DEPRECATED-ROLES/httpd/templates/010-iiab.conf.j2
View file

0
roles/httpd/templates/iiab-homepage.conf → roles/0-DEPRECATED-ROLES/httpd/templates/iiab-homepage.conf
View file

0
roles/httpd/templates/proxy_ajp.conf.j2 → roles/0-DEPRECATED-ROLES/httpd/templates/proxy_ajp.conf.j2
View file

4
roles/0-init/tasks/main.yml
View file

@ -56,8 +56,8 @@
- name: "Time Zone / TZ: Set symlink /etc/localtime to UTC if it doesn't exist?"
include_tasks: tz.yml
- name: Test Gateway + Test Internet + Set new hostname/domain if nec + Set 'gui_port' to 80 or 443 for Admin Console
include_tasks: network.yml # Can run hostname.yml
- name: Test Gateway + Test Internet + Set new hostname/domain (hostname.yml) if nec + Set 'gui_port' to 80 or 443 for Admin Console
include_tasks: network.yml
- name: Add 'runtime' variable values to {{ iiab_ini_file }}

16
roles/0-init/tasks/validate_vars.yml
View file

@ -61,9 +61,9 @@
# https://github.com/iiab/iiab/blob/master/tests/test.yml
# https://github.com/iiab/iiab/blob/master/roles/0-init/tasks/validate_vars.yml
#
# 2020-11-04: Fix validation of 5 core dependencies, for ./runrole etc
# 2020-11-04: Fix validation of 5 [now 4] core dependencies, for ./runrole etc
- name: Set vars_checklist for 46 + 46 + 41 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
- name: Set vars_checklist for 44 + 44 + 40 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
set_fact:
vars_checklist:
- hostapd
@ -76,7 +76,7 @@
- openvpn
- admin_console
#- nginx # MANDATORY
- apache # Dependency - excluded from _installed check below
#- apache # Unmaintained - former dependency
#- mysql # MANDATORY
- squid
- dansguardian
@ -90,7 +90,7 @@
- azuracast
#- dokuwiki # Unmaintained
#- ejabberd # Unmaintained
- elgg
#- elgg # Unmaintained
- gitea
- jupyterhub
- lokole
@ -99,7 +99,6 @@
- nodejs # Dependency - excluded from _installed check below
- nodered
- nextcloud
- pbx
- wordpress
- kalite
- kolibri
@ -116,11 +115,12 @@
- phpmyadmin
- vnstat
- yarn # Dependency - excluded from _installed check below
- internetarchive
- captiveportal
- internetarchive
- minetest
- calibre
- calibreweb
- calibre
- pbx
- name: Assert that {{ vars_checklist | length }} "XYZ_install" vars are all... defined
assert:
@ -162,5 +162,5 @@
that: "{{ item }}_install or {{ item }}_installed is undefined"
fail_msg: "DISALLOWED: '{{ item }}_install: False' (e.g. in /etc/iiab/local_vars.yml) WHEN '{{ item }}_installed' is defined (e.g. in /etc/iiab/iiab_state.yml) -- IIAB DOES NOT SUPPORT UNINSTALLS -- please verify those 2 files especially, and other places variables are defined?"
quiet: yes
when: item != 'apache' and item != 'nodejs' and item != 'postgresql' and item != 'mongodb' and item != 'yarn' # Exclude auto-installed dependencies
when: item != 'nodejs' and item != 'postgresql' and item != 'mongodb' and item != 'yarn' # Exclude auto-installed dependencies
loop: "{{ vars_checklist }}"

2
roles/2-common/tasks/packages.yml
View file

@ -30,6 +30,8 @@
#- openssh-server # ssh (Raspbian) or openssh-server (other OS's) already installed by 1-prep's roles/sshd/tasks/main.yml
- pandoc # For /usr/bin/iiab-refresh-wiki-docs
- pastebinit # For /usr/bin/iiab-diagnostics
#- python3-pip # 2021-07-29: Already installed by /opt/iiab/iiab/scripts/ansible -- this auto-installs 'python3-setuptools' and 'python3' etc
#- python3-venv # 2021-07-30: For Ansible module 'pip' used in roles like {calibre-web, jupyterhub, lokole} -- whereas roles/kalite uses (virtual) package 'virtualenv' for Python 2 -- all these 3+1 IIAB roles install 'python3-venv' for themselves. FYI: Debian 11 auto-installs 'python3-venv' when you install 'python3' -- whereas Ubuntu (e.g. 20.04 & 21.10) and RaspiOS 10 do not.
- rsync
#- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
- sqlite3

4
roles/6-generic-apps/tasks/main.yml
View file

@ -3,7 +3,6 @@
- name: ...IS BEGINNING ====================================
meta: noop
# UNMAINTAINED
- name: AZURACAST
include_role:
name: azuracast
@ -21,10 +20,11 @@
name: ejabberd
when: ejabberd_install is defined and ejabberd_install
# UNMAINTAINED
- name: ELGG
include_role:
name: elgg
when: elgg_install
when: elgg_install is defined and elgg_install
- name: GITEA
include_role:

2
roles/calibre-web/tasks/install.yml
View file

@ -1,4 +1,4 @@
- name: "Install ImageMagick package: imagemagick"
- name: "Install packages: imagemagick, python3-venv"
package:
name:
- imagemagick

4
roles/calibre/tasks/install.yml
View file

@ -37,13 +37,13 @@
# 2. SYSTEMD SERVICES
- name: Create /etc/systemd/system/calibre-serve.service and /etc/{{ apache_conf_dir }}/calibre.conf
- name: 'Install from template: /etc/systemd/system/calibre-serve.service'
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- { src: 'calibre-serve.service.j2', dest: '/etc/systemd/system/calibre-serve.service' }
- { src: 'calibre.conf', dest: '/etc/{{ apache_conf_dir }}' } # apache2/sites-available (this doesn't work, see #529: let's try to create /etc/nginx/conf.d/calibre-nginx.conf in future!)
#- { src: 'calibre.conf', dest: '/etc/{{ apache_conf_dir }}' } # apache2/sites-available (this doesn't work, see #529: let's try to create /etc/nginx/conf.d/calibre-nginx.conf in future!)
- name: Stop service 'calibre-serve' (/usr/bin/calibre-server by Kovid Goyal)
systemd:

0
roles/calibre/templates/calibre.conf → roles/calibre/templates/calibre.conf.unused
View file

0
roles/internetarchive/tasks/apache.yml → roles/internetarchive/tasks/apache.yml.unused
View file

6
roles/internetarchive/tasks/install.yml
View file

@ -62,12 +62,6 @@
src: internetarchive.service.j2
dest: /etc/systemd/system/internetarchive.service
- name: "Install from template: /etc/{{ apache_conf_dir }}/internetarchive.conf"
template:
src: internetarchive.conf
dest: "/etc/{{ apache_conf_dir }}/internetarchive.conf" # apache2/sites-available
when: apache_installed is defined
# 4. RECORD Internet Archive AS INSTALLED

8
roles/internetarchive/tasks/main.yml
View file

@ -68,13 +68,13 @@
state: stopped
when: not internetarchive_enabled
- name: Enable/Disable/Restart Apache if primary
include_tasks: apache.yml
when: apache_installed is defined and not nginx_enabled
# - name: Enable/Disable/Restart Apache if primary
# include_tasks: apache.yml
# when: apache_installed is defined and not nginx_enabled
- name: Enable/Disable/Restart NGINX if primary
include_tasks: nginx.yml
when: nginx_enabled
#when: nginx_enabled
- name: Add 'internetarchive' variable values to {{ iiab_ini_file }}

0
roles/internetarchive/templates/internetarchive.conf → roles/internetarchive/templates/internetarchive.conf.unused
View file

36
roles/jupyterhub/README.md
View file

@ -1,10 +1,32 @@
## JupyterHub programming environment with student Notebooks
#### High Schools may want to consider JupyterHub to integrate coding with dynamic interactive graphing — A New Way to Think About Programming — allowing students to integrate science experiment results and program output within their notebook/document/blog:
#### Secondary schools may want to consider JupyterHub to integrate coding with dynamic interactive graphing — A New Way to Think About Programming — allowing students to integrate science experiment results and program output within their own blog-like "Jupyter Notebooks."
* Jupyter Notebooks are widely used in the scientific community.
* This IIAB package permits individual users to start using their own notebook on the server (http://box.lan/jupyterhub) without needing an individual server account.
* Once a user signs in with a username and password, these credentials are stored, and are used thereafter to gain access to the user's files.
* Individual folders are created for all student work in the path `/var/lib/protected/` — individual students will only be able to see their own work in that directory.
* Students will not have any privileges outside of their own folder.
* They may upload Jupyter Notebooks from a local machine, and download the current state of their work via a normal browser download.
* Jupyter Notebooks are widely used in the scientific community:
* [Intitutional FAQ](https://jupyterhub.readthedocs.io/en/stable/getting-started/institutional-faq.html)
* [Getting Started](https://jupyterhub.readthedocs.io/en/stable/getting-started/)
* Students create their own accounts on first use — e.g. at http://box.lan/jupyterhub — just as if they're logging in regularly (unfortunately the login screen doesn't make that clear, but the teacher _does not_ need to be involved!)
* A student can then sign in with their username and password, to gain access to their files (Jupyter Notebooks).
* The teacher should set and protect JupyterHub's overall ``Admin`` password, just in case. As with student accounts, the login screen doesn't make that clear — so just log in with username `Admin` using any password that you want to become permanent.
* Individual student folders are created in ``/var/lib/private/`` on the Internet-in-a-Box (IIAB) server:
* A student will only be able to see their own work — they do not have privileges outside of their own folder.
* Students may upload Jupyter Notebooks to the IIAB server, and download the current state of their work via a normal browser.
### Settings
Linux administrators please see `/opt/iiab/jupyterhub/etc/jupyterhub/jupyterhub_config.py` which originates from:
https://github.com/iiab/iiab/blob/master/roles/jupyterhub/templates/jupyterhub_config.py
Note that `/opt/iiab/jupyterhub` is a Python 3 virtual environment, that can be activated with the usual formula:
```
source /opt/iiab/jupyterhub/bin/activate
```
### Known Issues
* 2021-08-07: The page that allows you to reset/change your own password is not accessible. Likewise Admin users cannot reset/change the password of any _individual_ user at this time. <sub><sub>[#2918](https://github.com/iiab/iiab/pull/2918)</sub></sub>
* If necessary, a Linux administrator can delete the `/passwords.dbm.db` file at the very top of your Linux filesystem, allowing all JupyterHub users to (re)create new passwords. This does work, but is very heavy-handed. <sub><sub>[PR #2892](https://github.com/iiab/iiab/pull/2892#issuecomment-890551682)</sub></sub>
* 2021-08-07: Teachers (i.e. Admin users) cannot currently access the very helpful "administrator's page" discussed at [JupyterHub FAQ >> "How do I manage users?"](https://jupyterhub.readthedocs.io/en/stable/getting-started/institutional-faq.html#how-do-i-manage-users) and [roles/jupyterhub/templates/jupyterhub_config.py#L1049-L1054 >> "Admin users have extra privileges"](https://github.com/iiab/iiab/blob/d0e8e048347bf46c02a2cdb0da9c5cd0c489fe40/roles/jupyterhub/templates/jupyterhub_config.py#L1049-L1054). <sub><sub>[#2919](https://github.com/iiab/iiab/pull/2919)</sub></sub>
* 2021-08-08: Password [dbm file](https://github.com/jupyterhub/firstuseauthenticator#firstuseauthenticatordbm_path) `/passwords.dbm.db` should be moved from the top of the filesystem to a better place — e.g. to `/opt/iiab/jupyterhub/etc/` ? <sub><sub>[PR #2892](https://github.com/iiab/iiab/pull/2892#issuecomment-890579789)</sub></sub>

9
roles/jupyterhub/tasks/install.yml
View file

@ -13,6 +13,11 @@
when: nodejs_installed is undefined
- name: "Install package: python3-venv"
package:
name: python3-venv
state: present
- name: Make 3 directories to hold JupyterHub config
file:
state: directory
@ -40,8 +45,8 @@
- jupyterhub-systemdspawner
virtualenv: "{{ jupyterhub_venv }}" # /opt/iiab/jupyterhub
virtualenv_site_packages: no
virtualenv_command: /usr/bin/virtualenv
virtualenv_python: python3
virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}" # 2021-07-29: This works on RaspiOS 10, Debian 11, Ubuntu 20.04 and Mint 20 -- however if you absolutely must use the older Debian 10 -- you can work around errors "can't find Rust compiler" and "This package requires Rust >=1.41.0" if you (1) revert this line to 'virtualenv_command: virtualenv' AND (2) uncomment the line just below
#virtualenv_python: python3 # 2021-07-29: Was needed when above line was 'virtualenv_command: virtualenv' (generally for Python 2)
extra_args: "--no-cache-dir"
when: internet_available

4
roles/jupyterhub/templates/jupyterhub_config.py
View file

@ -64,7 +64,7 @@
#
# Users should be properly informed if this is enabled.
# Default: False
# c.JupyterHub.admin_access = False
c.JupyterHub.admin_access = True
## DEPRECATED since version 0.7.2, use Authenticator.admin_users instead.
# Default: set()
@ -1057,7 +1057,7 @@ c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
#
# Defaults to an empty set, in which case no user has admin access.
# Default: set()
c.Authenticator.admin_users = set('iiab-admin')
c.Authenticator.admin_users = set('Admin')
## Set of usernames that are allowed to log in.
#

17
roles/kalite/tasks/install.yml
View file

@ -11,13 +11,14 @@
# ignore_errors: yes
# when: is_raspbian
- name: Install python2, if Raspbian/Debian > 10 or Ubuntu > 19
- name: 'Install packages: python2, python-setuptools, virtualenv (for Python 2)'
package:
name:
- python2
- python-setuptools # provides setuptools-44 last version compatible with python2
- python-setuptools # Provides setuptools-44 on recent OS's (last version compatible with python2)
- virtualenv # For Ansible module 'pip' when used with 'virtualenv_command: /usr/bin/virtualenv' and 'virtualenv_python: python2.7' -- compare package 'python3-venv' used by roles {calibre-web, jupyterhub, lokole}
state: present
when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
#when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
# 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already.
- name: Use pip to pin setuptools to 44 in {{ kalite_venv }} if Raspbian/Debian > 10 or Ubuntu > 19
@ -53,11 +54,11 @@
# Useless stanza, for 2 reasons: (1) http://box/kalite was never made to work
# (2) /etc/apache2/sites-available does not exist on many IIAB's w/o Apache
- name: "Install from template: /etc/{{ apache_conf_dir }}/kalite.conf (useless, as http://box/kalite was never made to work)"
template:
src: kalite.conf
dest: "/etc/{{ apache_conf_dir }}" # apache2/sites-available on debuntu
when: apache_installed is defined
# - name: "Install from template: /etc/{{ apache_conf_dir }}/kalite.conf (useless, as http://box/kalite was never made to work)"
# template:
# src: kalite.conf
# dest: "/etc/{{ apache_conf_dir }}" # apache2/sites-available on debuntu
# when: apache_installed is defined
- name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes, if Raspbian/Debian > 10 or Ubuntu > 19
replace:

7
roles/munin/tasks/install.yml
View file

@ -1,11 +1,12 @@
- name: "Install 4 packages: munin, munin-node, munin-plugins-extra, libcgi-fast-perl"
- name: "Install 5 packages: libcgi-fast-perl, munin, munin-node, munin-plugins-extra, python3-passlib"
package:
name:
#- libapache2-mod-fcgid
- libcgi-fast-perl
- munin
- munin-node
- munin-plugins-extra
- libcgi-fast-perl
#- libapache2-mod-fcgid
- python3-passlib # For Ansible module 'htpasswd' in Ansible collection community.general -- used just below
state: present
- name: Establish username/password Admin/changeme in /etc/munin/munin-htpasswd

104
roles/mysql/tasks/install.yml
View file

@ -1,110 +1,28 @@
# Stanzas as of 2021-08-02:
#
# - 1 base install
# - 6 double timeout for slow CPUs
# - 2 DB config
# - 2 record as installed
- name: 'Install MySQL packages: mariadb-server, mariadb-client, php{{ php_version }}-mysql'
- name: 'Install MySQL packages: mariadb-server, mariadb-client, php{{ php_version }}-mysql, python3-pymysql'
package:
name:
- mariadb-server
- mariadb-client
#- php{{ php_version }}-common # Auto-installed as an apt dependency. REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
- php{{ php_version }}-mysql # Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
- php{{ php_version }}-mysql # Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx.yml, wordpress/tasks/install.yml
- python3-pymysql # For Ansible modules {mysql_db, mysql_user} in Ansible collection community.mysql -- used in MySQL roles {mediawiki, nextcloud, wordpress} and possibly {elgg, pbx}
state: present
# 2020-07-11:
# 10 PHP package installs moved to roles/www_base/tasks/main.yml
# 2020-07-11: 10 PHP package installs moved to roles/www_base/tasks/main.yml
# php{{ php_version }}-sqlite3 install moved to roles/osm-vector-maps/tasks/install.yml
# - name: "Install packages: mysql, MySQL-python and 9 php packages (OS's other than debuntu)"
# package:
# name:
# - MySQL-python
# - mysql
# - php
# - php-mysql
# - php-pear
# - php-gd
# - php-imap
# - php-ldap
# - php-odbc
# - php-xml
# - php-xmlrpc
# state: present
# when: not is_debuntu
#
# - include_tasks: centos.yml
# when: ansible_distribution == "CentOS"
#
# - include_tasks: fedora.yml
# when: ansible_distribution == "Fedora"
# 2019-07-03 @jvonau @holta: the next 50 lines (6 stanzas) double MariaDB's
# default boot timeout (90s to 180s) for slow CPUs like this Ubuntu 18.04.2 VM:
# https://github.com/iiab/iiab/issues/1802
# 2021-08-11: 50 lines (6 stanzas) removed, that had been doubling MariaDB's
# default boot timeout (90s to 180s) since 2019-07-03, for slow CPUs like this
# Ubuntu 18.04.2 VM: https://github.com/iiab/iiab/issues/1802 -> PR #1813
# https://mariadb.com/kb/en/library/what-to-do-if-mariadb-doesnt-start/#systemd
- name: Check if /lib/systemd/system/mariadb.service exists
stat:
path: /lib/systemd/system/mariadb.service
register: mariadb_unit_file
- name: Copy pkg's /lib/systemd/system/mariadb.service to /etc/systemd/system/ to be customized (CREATES TIMESTAMPED BACKUPS OF /etc/systemd/system/mariadb.service e.g. IF OPERATOR CUSTOMIZED IT, EVEN DESPITE WARNING BELOW!)
copy:
force: yes
backup: yes
src: /lib/systemd/system/mariadb.service
dest: /etc/systemd/system/
when: mariadb_unit_file.stat.exists
- name: Symlink /etc/systemd/system/mysql.service -> /etc/systemd/system/mariadb.service
file:
state: link
force: yes
src: /etc/systemd/system/mariadb.service
path: /etc/systemd/system/mysql.service
when: mariadb_unit_file.stat.exists
- name: Symlink /etc/systemd/system/mysqld.service -> /etc/systemd/system/mariadb.service
file:
state: link
force: yes
src: /etc/systemd/system/mariadb.service
path: /etc/systemd/system/mysqld.service
when: mariadb_unit_file.stat.exists
- name: "WARN OPERATOR: Changes made to /etc/systemd/system/mariadb.service WILL BE LOST whenever 'mysql' playbook is run"
lineinfile:
path: /etc/systemd/system/mariadb.service
insertbefore: BOF # Beginning of file
line: "# WARNING: CHANGES TO THIS FILE WILL BE REGULARLY *OVERWRITTEN* BY:\n# /opt/iiab/iiab/roles/mysql/tasks/main.yml\n"
when: mariadb_unit_file.stat.exists
- name: Set systemd boot timeout to 180 seconds for slow machines, in /etc/systemd/system/mariadb.service
lineinfile:
path: /etc/systemd/system/mariadb.service
insertafter: '^\[Service\]$'
regexp: "^TimeoutStartSec="
line: "\n# 2019-07-03: @jvonau @holta doubled MariaDB's default boot timeout, from\n# 90 seconds to 180 seconds, for slow machines like this Ubuntu 18.04.2 VM:\n# https://github.com/iiab/iiab/issues/1802\n# https://mariadb.com/kb/en/library/what-to-do-if-mariadb-doesnt-start/#systemd\nTimeoutStartSec=180\n"
# If the line above were to be run repeatedly (never happens here!) Ansible
# would pollute MariaDB's systemd unit file. As multi-line regexp's are
# not allowed (both regexp's should match, for idempotency). If nec, use
# the 1-liner below, or Ansible's 'blockinfile' which pollutes config files
# in its own way...surrounding blocks with marker lines.
# line: "TimeoutStartSec=180"
when: mariadb_unit_file.stat.exists
# 2 STANZAS BELOW...could later be put into setup.yml or config.yml or or provision.yml ?
# OS's have finally caught up - default timeout is now 900 seconds:
# https://github.com/iiab/iiab/pull/2936
# Name of MySQL service varies by OS, so hardcoded in /opt/iiab/iiab/vars/<OS>.yml (formerly in roles/0-init/tasks/main.yml)
- name: Start MySQL systemd service ({{ mysql_service }}) to permit configuration
- name: Restart MySQL systemd service ({{ mysql_service }}) to permit configuration
systemd:
name: "{{ mysql_service }}"
daemon_reload: yes
name: "{{ mysql_service }}"
state: restarted
- name: "Install /root/.my.cnf file from template -- used to contain root password credential, prior to 2020-08-24: https://github.com/iiab/iiab/pull/2488"

18
roles/nginx/README.md
View file

@ -2,15 +2,15 @@
1. Initial testing strategy (December 2019 - February 2020) was to move NGINX to [port 80](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services), and proxy everything to Apache on [port 8090](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) &mdash; creating "Shims" for each IIAB App/Service in *Section iii.* below.
Until "Native" NGINX is later implemented for each such IIAB App/Service &mdash; allowing each to move up to *Section ii.* below.
Until "Native" NGINX was later implemented for each such IIAB App/Service &mdash; allowing each to move up to *Section ii.* below.
And potentially later moving each up to *Section i.* if its Apache support is dropped!
And progressively later moving each up to *Section i.* when its Apache support was dropped.
(Background: IIAB Apps/Services are generally [Ansible roles](https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible) that live in [/opt/iiab/iiab/roles](https://github.com/iiab/iiab/tree/master/roles))
2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX.
2. Without PHP available via FastCGI, any function at all for PHP-based applications validated NGINX.
3. Current state of IIAB App/Service migrations as of 2021-07-24: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))*
3. Current state of IIAB App/Service migrations as of 2021-08-08: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))*
1. These support "Native" NGINX but ***NOT*** Apache
@ -37,11 +37,11 @@
2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!) Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service:<!--But if you want to attempt their "Shim" proxying legacy testing mode, try setting your *primary web server* to Apache using `apache_install: True` and `apache_enabled: True` (and `nginx_enabled: False` to disable NGINX) in [/etc/iiab/local_vars.yml](http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F) before you install IIAB. You may also need to run `cd /opt/iiab/iiab; ./runrole httpd` since this has been removed from [roles/3-base-server/tasks/main.yml](https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml)-->
* NONE: Apache support is being fully removed starting 2021-07-06 ([PR #2850](https://github.com/iiab/iiab/pull/2850))
* **NONE: Apache support is now fully REMOVED as of 2021-08-08** ([PR #2850](https://github.com/iiab/iiab/pull/2850))
3. These support Apache but ***NOT*** "Native" NGINX. They use a "Shim" to [proxy_pass](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) from NGINX to Apache on port 8090. See [roles/3-base-server/tasks/main.yml#L11](../3-base-server/tasks/main.yml#L11) for a list of ~6 IIAB Apps/Services that auto-enable Apache.
* elgg [*, should be deprecated, or considered for a complete overhaul from ancient Elgg 2.x to 4.x?]
* elgg [deprecated -- consider assisting with a complete overhaul from Elgg 2.x to 4.x ?]
4. These each run their own web server or non-web / backend services, e.g. off of their own [unique port(s)](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) (IIAB home pages link directly to these destinations). In future we'd like mnemonic URL's for all of these: (e.g. http://box/calibre, http://box/archive, http://box/kalite)
@ -53,11 +53,11 @@
* minetest
* mosquitto
* openvpn
* pbx [*, requires Apache for now, as in Section iii., [PR #2862](https://github.com/iiab/iiab/pull/2862)]
* pbx [*, recommends Apache for now, as in Section iii., [#2914](https://github.com/iiab/iiab/issues/2914)]
* phpmyadmin [*, requires Apache for now, as in Section iii.]
* samba
* samba [*, [PR #2923](https://github.com/iiab/iiab/pull/2923)]
* sshd
* transmission
* vnstat
[*] The 4 above starred roles could use improvement, as of 2021-07-24.
[*] The 4 above starred roles could use improvement, as of 2021-08-08.

46
roles/nginx/tasks/enable-or-disable.yml
View file

@ -1,29 +1,29 @@
- name: Ensure that Apache ({{ apache_service }}) is not running -- we may need port swap
systemd:
name: "{{ apache_service }}" # apache2 or httpd, per /opt/iiab/iiab/vars/<OS>.yml
state: stopped
ignore_errors: yes
# 'when: apache_installed is defined' might also work, as mysql's php no longer installs apache2 (but 'ignore_errors: yes' remains safer!)
# - name: Ensure that Apache ({{ apache_service }}) is not running -- we may need port swap
# systemd:
# name: "{{ apache_service }}" # apache2 or httpd, per /opt/iiab/iiab/vars/<OS>.yml
# state: stopped
# ignore_errors: yes
# # 'when: apache_installed is defined' might also work, as mysql's php no longer installs apache2 (but 'ignore_errors: yes' remains safer!)
- name: Install /etc/{{ apache_service }}/ports.conf from template 1 of 2 (ports.conf.j2) if nginx_enabled, to enable Apache port {{ apache_port }} localhost only
template:
src: ports.conf.j2
dest: "/etc/{{ apache_service }}/ports.conf"
when: nginx_enabled
# - name: Install /etc/{{ apache_service }}/ports.conf from template 1 of 2 (ports.conf.j2) if nginx_enabled, to enable Apache port {{ apache_port }} localhost only
# template:
# src: ports.conf.j2
# dest: "/etc/{{ apache_service }}/ports.conf"
# when: nginx_enabled
- name: Install /etc/{{ apache_service }}/ports.conf from template 2 of 2 (stock-apache-ports.conf) if not nginx_enabled, to disable Apache port {{ apache_port }} localhost only
template:
src: stock-apache-ports.conf
dest: "/etc/{{ apache_service }}/ports.conf"
when: not nginx_enabled
# - name: Install /etc/{{ apache_service }}/ports.conf from template 2 of 2 (stock-apache-ports.conf) if not nginx_enabled, to disable Apache port {{ apache_port }} localhost only
# template:
# src: stock-apache-ports.conf
# dest: "/etc/{{ apache_service }}/ports.conf"
# when: not nginx_enabled
- name: Enable & Restart '{{ apache_service }}' if Apache is installed and enabled, since we stopped it
systemd:
name: "{{ apache_service }}" # apache2 or httpd, per /opt/iiab/iiab/vars/<OS>.yml
daemon_reload: yes
state: restarted
enabled: true
when: apache_installed is defined and apache_enabled # or not nginx_enabled
# - name: Enable & Restart '{{ apache_service }}' if Apache is installed and enabled, since we stopped it
# systemd:
# name: "{{ apache_service }}" # apache2 or httpd, per /opt/iiab/iiab/vars/<OS>.yml
# daemon_reload: yes
# state: restarted
# enabled: true
# when: apache_installed is defined and apache_enabled # or not nginx_enabled
- name: Enable & (Re)Start 'nginx' systemd service, if nginx_enabled

28
roles/nginx/tasks/install.yml
View file

@ -1,26 +1,43 @@
- name: Stop '{{ apache_service }}' systemd service
- name: Stop & Disable '{{ apache_service }}' systemd service, in case it exists
systemd:
name: "{{ apache_service }}" # apache2 or httpd, per /opt/iiab/iiab/vars/<OS>.yml
state: stopped
enabled: no
ignore_errors: yes
# 'when: apache_installed is defined' insuff b/c mysql's php installs apache2
# 'when: apache_installed is defined' insuff b/c mysql's php (etc) can install apache2
- name: 'Install 5 packages for NGINX: libnginx-mod-http-subs-filter, nginx-extras, php{{ php_version }}-fpm, uwsgi, uwsgi-plugin-python3'
package:
name:
- libnginx-mod-http-subs-filter
- nginx-extras
- php{{ php_version }}-fpm # Drags in [1] php{{ php_version }}-cli (superset of php{{ php_version }}-common) [2] libsodium23 (likewise installed in moodle/tasks/install.yml AND wordpress/tasks/install.yml) [3] php{{ php_version }}-json if PHP < 8.0 (NEEDED FOR nextcloud/tasks/install.yml AND pbx/tasks/freepbx_dependencies.yml AND wordpress/tasks/install.yml)
- php{{ php_version }}-fpm # INSTALLS [0] /etc/apache2/conf-available/php{{ php_version }}-fpm.conf AND DRAGS IN [1] php{{ php_version }}-cli (superset of php{{ php_version }}-common) [2] libsodium23 (likewise installed in moodle/tasks/install.yml AND wordpress/tasks/install.yml) [3] php{{ php_version }}-json if PHP < 8.0 (NEEDED FOR nextcloud/tasks/install.yml AND pbx/tasks/freepbx_dependencies.yml AND wordpress/tasks/install.yml)
- uwsgi # Admin Console & roles/captiveportal should really install
- uwsgi-plugin-python3 # these 2 packages on demand (not every IIAB needs these).
state: present
# 2021-08-07: Legacy from roles/httpd/tasks/install.yml
# - name: 'Create group: admin'
# group:
# name: admin
# 2020-10-16: Removed per #2560
# - name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console
# user:
# name: "{{ apache_user }}" # www-data or apache, per /opt/iiab/iiab/vars/<OS>.yml
# groups: shadow
# - name: Add user {{ apache_user }} (from variable apache_user) to groups admin, shadow
# user:
# name: "{{ apache_user }}" # www-data on Debuntu
# #groups: admin,shadow
# groups: shadow # 2020-06-04: shadow nec for Admin Console login (this line had been clobbering user www-data's membership in group shadow, as set earlier by nginx/tasks/install.yml, SEE #2431)
# createhome: no
# append: yes
- name: Remove NGINX default config /etc/nginx/sites-enabled/default
file:
path: /etc/nginx/sites-enabled/default
@ -34,8 +51,8 @@
- { src: 'server.conf.j2', dest: '/etc/nginx/server.conf' }
- { src: 'nginx.conf.j2', dest: '/etc/nginx/nginx.conf' }
- { src: 'mime.types.j2', dest: '/etc/nginx/mime.types' }
#- { src: 'ports.conf.j2', dest: '/etc/{{ apache_service }}/ports.conf' } # Moved to enable-or-disable.yml
#- { src: 'iiab.conf.j2', dest: "{{ nginx_conf_dir }}/iiab.conf" } # Moved into homepage.yml below
# - { src: 'ports.conf', dest: '/etc/{{ apache_service }}/ports.conf' } # 2021-08-09: Restored from enable-or-disable.yml then moved to roles/pbx/tasks/apache.yml
# - { src: 'iiab.conf.j2', dest: "{{ nginx_conf_dir }}/iiab.conf" } # Moved into homepage.yml, invoked later by roles/www_options/tasks/main.yml (see below!)
- debug:
msg: roles/nginx/tasks/homepage.yml will run LATER (invoked by roles/www_options/tasks/main.yml) SO THAT NGINX CAN REDIRECT http://box TO http://box{{ iiab_home_url }} (based on var iiab_home_url)
@ -45,7 +62,6 @@
systemd:
name: "php{{ php_version }}-fpm"
state: restarted
#when: nginx_enabled
# RECORD NGINX AS INSTALLED

4
roles/nginx/templates/server.conf.j2
View file

@ -1,6 +1,8 @@
server {
root {{ doc_root }};
server_name {{ iiab_hostname }};
server_name $hostname; # e.g. box.lan, set dynamically when NGINX starts
#server_name {{ iiab_hostname }}.{{ iiab_domain }};
#server_name {{ iiab_hostname }};
listen 80;
index index.php index.html index.htm;

0
roles/nginx/templates/stock-apache-ports.conf → roles/nginx/templates/stock-apache-ports.conf.unused
View file

42
roles/nodejs/tasks/install.yml
View file

@ -7,11 +7,12 @@
# 2019-07-04: FOR A SOMEWHAT MORE MODERN "VERSION DETECTOR" SEE:
# github.com/iiab/iiab/blob/master/roles/nextcloud/tasks/install.yml#L1-L40
- name: Try to run 'nodejs -v' to get Node.js version
# 'node -v' doesn't work with older versions e.g. Ubuntu 16.04's nodejs 4.2.6
- name: Try to run 'node -v' to get Node.js version
# 'node -v' doesn't work with older versions e.g. Ubuntu 16.04's Node.js 4.2.6
# 'nodejs -v' doesn't work with newer versions e.g. Node.js 16.x
# Both below convert v10.15.1 to 10.x, but this is safer: (removes non-digits)
shell: nodejs -v | sed 's/[^0-9]*//' | sed 's/[^0-9].*/.x/'
#shell: nodejs -v | sed 's/^[vV]//' | sed 's/\..*/.x/'
shell: node -v | sed 's/[^0-9]*//' | sed 's/[^0-9].*/.x/'
#shell: node -v | sed 's/^[vV]//' | sed 's/\..*/.x/'
register: nodejs_version_installed
#- debug:
@ -32,12 +33,13 @@
# /etc/iiab/local_vars.yml -- then re-run this IIAB installer.
# when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stderr == ""
# 2021-08-04: Regardless, nodesource.com (below) overwrites /etc/apt/sources.list.d/nodesource.list
# Forces < 16.x or > 16.x to be removed, ignored if file is absent
- name: Remove /etc/apt/sources.list.d/nodesource.list if nodejs_version_installed.stdout is not {{ nodejs_version }}
file:
state: absent
path: /etc/apt/sources.list.d/nodesource.list
when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != ""
#- name: Remove /etc/apt/sources.list.d/nodesource.list if nodejs_version_installed.stdout is not {{ nodejs_version }}
# file:
# state: absent
# path: /etc/apt/sources.list.d/nodesource.list
# when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != ""
# BRUTAL but ensures consistency across OS's / distros like Raspbian Desktop & Ubermix that often include an older version of Node.js
# Forces < 16.x or > 16.x to be uninstalled
@ -45,9 +47,9 @@
package:
name: nodejs
state: absent
when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != ""
when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version
#when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != ""
# Forces == 16.x
- name: Warn if Node.js {{ nodejs_version}} already installed & might be updated
debug:
msg: "WARN: YOUR Node.js {{ nodejs_version }} MIGHT NOW BE UPDATED USING nodesource.com"
@ -65,12 +67,12 @@
# state: absent
# when: internet_available and is_debuntu
- name: Set up Node.js {{ nodejs_version }} apt sources
- name: Run 'curl -sL https://deb.nodesource.com/setup_{{ nodejs_version }} | bash -' to overwrite /etc/apt/sources.list.d/nodesource.list
shell: curl -sL https://deb.nodesource.com/setup_{{ nodejs_version }} | bash -
args:
warn: no
creates: /etc/apt/sources.list.d/nodesource.list
when: internet_available
#args:
# warn: no
# creates: /etc/apt/sources.list.d/nodesource.list
#when: internet_available # 2021-08-04: Better to fail & notify implementer!
#when: internet_available and (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17)
# NOT NEC TO TEST FOR is_raspbian_8 OR is_raspbian_9 AS /opt/iiab/iiab/vars/<OS>.yml
# DEFINES THESE AS SUBSETS OF is_debian_8 OR is_debian_9 (FOR NOW!)
@ -86,15 +88,9 @@
name: nodejs
state: latest
#state: present
when: internet_available
#when: internet_available # 2021-08-04: Better to fail & notify implementer!
#when: internet_available and (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17)
# - name: Set up & install Node.js {{ nodejs_version }} which includes /usr/bin/npm (redhat)
# shell: curl -sL https://rpm.nodesource.com/setup_{{ nodejs_version }} | bash -
# args:
# warn: no
# when: internet_available and is_redhat
# 2018-07-14: BOTH STEPS ABOVE TAKE TIME, but Raspbian (apt offers npm
# 1.4.21) & Debian 9 (apt offers no npm!) STILL NEED the above

10
roles/openvpn/tasks/install.yml
View file

@ -1,18 +1,12 @@
- name: "Install packages: nmap, openvpn, sudo"
- name: "Install packages: ncat, nmap, openvpn, sudo"
package:
name:
- ncat # Newer versions of NMap do not include NCat, needed to announce /etc/iiab/openvpn_handle (if Debian > 9 or Ubuntu > 18)
- nmap
- openvpn
- sudo # (1) Should be installed prior to installing IIAB, (2) Can also be installed by 1-prep here, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)
state: present
# Newer versions of NMap do not include NCat, needed to announce /etc/iiab/openvpn_handle
- name: Install Ncat package (if Debian > 9 or Ubuntu > 18)
package:
name: ncat
state: present
when: is_debuntu and not (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18)
- name: Install ssh public keys for remote support (if openvpn_install)
lineinfile:
line: "{{ item.pubkey }}"

11
roles/pbx/defaults/main.yml
View file

@ -5,21 +5,24 @@
# pbx_install: False
# pbx_enabled: False
# pbx_try_nginx: False # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
# # AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
# asterisk_chan_dongle: False
# pbx_signaling_ports_chan_sip: 5160:5161
# pbx_signaling_ports_chan_pjsip: 5060
# pbx_data_ports: 10000:20000
# pbx_http_port: 83
#
# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
asterisk_url: http://downloads.asterisk.org/pub/telephony/asterisk/
asterisk_url: http://downloads.asterisk.org/pub/telephony/asterisk
asterisk_src_file: asterisk-18-current.tar.gz
asterisk_src_dir: /opt/iiab/asterisk
freepbx_url: http://mirror.freepbx.org/modules/packages/freepbx/7.4/
freepbx_url: http://mirror.freepbx.org/modules/packages/freepbx/7.4
freepbx_src_file: freepbx-16.0-latest.tgz # Beta as of 2021-06-21 but looking great! Does NOT support PHP < 7.4 (you've been warned!) Please review https://github.com/iiab/iiab/blob/master/roles/pbx/README.rst
freepbx_src_dir: /opt/iiab/freepbx
freepbx_install_dir: /var/www/html/freepbx
@ -30,6 +33,6 @@ asterisk_db_dbname: asterisk
asterisk_db_password: asterisk
asterisk_db_cdrdbname: asteriskcdrdb
chan_dongle_url: https://github.com/wdoekes/asterisk-chan-dongle/archive/
chan_dongle_url: https://github.com/wdoekes/asterisk-chan-dongle/archive
chan_dongle_src_file: master.zip
chan_dongle_src_dir: /opt/iiab/chan_dongle

41
roles/pbx/tasks/apache.yml Normal file
View file

@ -0,0 +1,41 @@
# Must happen before install of Apache, or it'll collide with NGINX port 80.
# 2021-08-09: Used to be done by roles/nginx/tasks/install.yml
- name: "FreePBX - Install from template: /etc/{{ apache_service }}/ports.conf containing 'Listen {{ pbx_http_port }}'" # i.e. port 83
template:
src: ports.conf
dest: /etc/{{ apache_service }}/
- name: "FreePBX - Install Apache packages: {{ apache_service }}, libapache2-mod-php, libapache2-mpm-itk"
package:
name:
- "{{ apache_service }}" # 2021-08-07: Install apache2 directly, as we prepare to deprecate roles/httpd
- libapache2-mod-php # NOTE duplication: roles/httpd/tasks.install.yml installed libapache2-mod-php{{ php_version }} ostensibly for "Elgg, Moodle, etc"
- libapache2-mpm-itk # To serve FreePBX through a VirtualHost as asterisk user (#2914: Is this possible via NGINX?)
- name: 'FreePBX - Enable Apache module, as with "a2enmod" command: rewrite'
apache2_module:
name: rewrite
# Legacy code from roles/httpd/tasks/install.yml
# - name: 'Enable 5 Apache modules, as with "a2enmod" command: headers, proxy, proxy_html, proxy_http, rewrite (for http://box/kiwix, http://box/kolibri, http://box/nodered, etc)'
# apache2_module:
# name: "{{ item }}"
# with_items:
# - headers
# - proxy
# - proxy_html
# - proxy_http
# - rewrite
# 2021-08-08: Security risks? But official install doc recommends this:
# https://wiki.freepbx.org/display/FOP/Installing+FreePBX+16+on+Debian+10.9
# (lineinfile doesn't quite do the job, as all instances are replaced)
- name: FreePBX - Run "sed -i 's/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf"
command: sed -i 's/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf
- name: FreePBX - Install /etc/{{ apache_service }}/sites-available/freepbx.conf from template ({{ apache_user }}:{{ apache_user }}, 0644 by default)
template:
src: freepbx.conf.j2
dest: /etc/{{ apache_service }}/sites-available/freepbx.conf # apache2
owner: "{{ apache_user }}" # www-data
group: "{{ apache_user }}"

100
roles/pbx/tasks/asterisk.yml
View file

@ -1,38 +1,48 @@
# 2021-08-03: Asterisk's own install_prereq (below) handles these?
# 2021-08-05: Asterisk's own install_prereq (below) handles essentially all of these
# - name: Asterisk - Install dependencies
# include: asterisk_dependencies.yml
# include_tasks: asterisk_dependencies.yml
- name: Asterisk - Download software to /opt/iiab/downloads
# BEWARE: 'systemctl is-active asterix' falsely reports 'inactive' even when systemd
# is compiled in below! FWIW: /opt/iiab/asterisk/contrib/systemd/asterisk.service
# https://github.com/asterisk/asterisk/blob/master/contrib/systemd/asterisk.service
- name: Asterisk - Install package 'libsystemd-dev' so Asterisk compiles in imperfect-but-improving systemd support -- if ./configure below places '#define HAVE_SYSTEMD 1' in /opt/iiab/asterisk/include/asterisk/autoconfig.h -- please later confirm with 'ldd /usr/sbin/asterisk | grep systemd' -- per https://community.asterisk.org/t/systemctl-start-asterisk-is-fail-with-timeout/81123/3
package:
name: libsystemd-dev
state: present
- name: Asterisk - Download {{ asterisk_url }}/{{ asterisk_src_file }} to {{ downloads_dir }}
get_url:
url: "{{ asterisk_url }}/{{ asterisk_src_file }}"
dest: "{{ downloads_dir }}/{{ asterisk_src_file }}"
dest: "{{ downloads_dir }}" # e.g. /opt/iiab/downloads/asterisk-18-current.tar.gz
timeout: "{{ download_timeout }}"
when: internet_available
- name: Asterisk - Check for /opt/iiab/downloads/{{ asterisk_src_file }}
- name: Asterisk - Check for {{ downloads_dir }}/{{ asterisk_src_file }}
stat:
path: "{{ downloads_dir }}/{{ asterisk_src_file }}"
register: asterisk_src
- name: Asterisk - FAIL (force Ansible to exit) IF /opt/iiab/downloads/{{ asterisk_src_file }} doesn't exist
- name: Asterisk - FAIL (force Ansible to exit) IF {{ downloads_dir }}/{{ asterisk_src_file }} doesn't exist
fail:
msg: "{ downloads_dir }}/{{ asterisk_src_file }} is REQUIRED in order to install."
msg: "{{ downloads_dir }}/{{ asterisk_src_file }} is REQUIRED to install Asterisk."
when: not asterisk_src.stat.exists
- name: Asterisk - Create install source directory
- name: Asterisk - Create source dir {{ asterisk_src_dir }}
file:
path: "{{ asterisk_src_dir }}"
path: "{{ asterisk_src_dir }}" # /opt/iiab/asterisk
state: directory
- name: Asterisk - Extract source
- name: Asterisk - Extract to source dir (root:root by default)
unarchive:
src: "{{ downloads_dir }}/{{ asterisk_src_file }}"
dest: "{{ asterisk_src_dir }}"
owner: root
group: root
# owner: root
# group: root
extra_opts: [--strip-components=1]
creates: "{{ asterisk_src_dir }}/Makefile"
# 2021-08-03: Asterisk's install_prereq script (stanza just below) installs
# 'aptitude' regardless, within handle_debian() here:
# https://github.com/asterisk/asterisk/blob/master/contrib/scripts/install_prereq#L262-L271
@ -42,39 +52,40 @@
# name: aptitude
# state: latest
- name: Asterisk - Ensure all dependencies are resolved - CAN TAKE 5 MIN OR LONGER!
- name: Asterisk - Run 'install_prereq install' for dependencies - CAN TAKE 5 MIN OR LONGER!
shell: export DEBIAN_FRONTEND=noninteractive && ./contrib/scripts/install_prereq install
args:
chdir: "{{ asterisk_src_dir }}"
# 2021-08-03: Requires subversion (installed just above)
- name: Asterisk - Download mp3 decoder library into source tree
- name: Asterisk - Download mp3 decoder library into source tree - requires 'subversion' installed just above
command: ./contrib/scripts/get_mp3_source.sh
args:
chdir: "{{ asterisk_src_dir }}"
creates: addons/mp3/mpg123.h
- name: Asterisk - Run the configure script
command: ./configure --with-jansson-bundled
- name: Asterisk - Run './configure --with-pjproject-bundled --with-jansson-bundled'
command: ./configure --with-pjproject-bundled --with-jansson-bundled
args:
chdir: "{{ asterisk_src_dir }}"
- name: Asterisk - Run make menuselect.makeopts
- name: Asterisk - Run 'make menuselect.makeopts'
command: make menuselect.makeopts
args:
chdir: "{{ asterisk_src_dir }}"
creates: menuselect.makeopts
- name: Asterisk - Do a bit of menuselect configuration
command: >
menuselect/menuselect --enable app_macro --enable format_mp3
--enable CORE-SOUNDS-EN-WAV --enable CORE-SOUNDS-EN-G722
--enable EXTRA-SOUNDS-EN-WAV --enable EXTRA-SOUNDS-EN-G722 --enable EXTRA-SOUNDS-EN-GSM
--disable-category MENUSELECT_MOH
command: menuselect/menuselect --enable app_macro --enable format_mp3 menuselect.makeopts
# 2021-08-06: Let's standardize (ABOVE) if 6 others (BELOW) aren't needed?
# command: >
# menuselect/menuselect --enable app_macro --enable format_mp3
# --enable CORE-SOUNDS-EN-WAV --enable CORE-SOUNDS-EN-G722
# --enable EXTRA-SOUNDS-EN-WAV --enable EXTRA-SOUNDS-EN-G722 --enable EXTRA-SOUNDS-EN-GSM
# --disable-category MENUSELECT_MOH
args:
chdir: "{{ asterisk_src_dir }}"
- name: Asterisk - Run 'make' - CAN TAKE 30 MIN OR LONGER!
- name: Asterisk - Run 'make' - CAN TAKE 8-30 MIN OR LONGER!
command: make
args:
chdir: "{{ asterisk_src_dir }}"
@ -91,37 +102,52 @@
args:
chdir: "{{ asterisk_src_dir }}"
- name: Asterisk - Run 'make samples'
- name: Asterisk - Run 'make samples' - this creates /etc/asterisk/asterisk.conf used below
command: make samples
args:
chdir: "{{ asterisk_src_dir }}"
- name: Asterisk - Run 'ldconfig'
shell: ldconfig
command: ldconfig
args:
chdir: "{{ asterisk_src_dir }}"
- name: Asterisk - Ensure group 'asterisk' exists
group:
name: asterisk
state: present
# 2021-08-06: Most install recipes do 'update-rc.d -f asterisk remove' here.
# Can't hurt but we do that a bit later in freepbx.yml
- name: Asterisk - Ensure user 'asterisk' exists, and belongs to the required groups
# 2021-08-06: Taken care of just below
# - name: Asterisk - Ensure group 'asterisk' exists
# group:
# name: asterisk
# state: present
#- name: Asterisk - Ensure system user 'asterisk' has primary group 'asterisk', groups 'audio,dialout', home '/var/lib/asterisk'
- name: Asterisk - Create Linux user 'asterisk'
user:
name: asterisk
group: asterisk
groups: audio,dialout
home: /var/lib/asterisk
system: yes
append: yes
# group: asterisk # 2021-08-06: Implicit
groups: audio,dialout # 2021-08-08: Plausibly might help?
home: /var/lib/asterisk # 2021-08-07: /home/asterisk (default) ok too
system: yes # 2021-08-08: No evidence this is needed. Hopefully it doesn't cause harm? (FYI Ansible doesn't change pre-existing users)
append: yes # 2021-08-08: Not essential. So Ansible adds groups w/o deleting existing group memberships.
- name: "Asterisk - Set ownership of 5 directories: /etc/asterisk, /var/lib/asterisk, /var/log/asterisk, /var/spool/asterisk, /usr/lib/asterisk (asterisk:asterisk)"
- name: Asterisk - Add user 'www-data' to group 'asterisk' - if pbx_try_nginx
user:
name: www-data
groups: asterisk
# system: yes # 2021-08-06: Ansible doesn't change pre-existing users
append: yes
when: pbx_try_nginx
- name: Asterisk - Set ownership for 6 directories (asterisk:asterisk, recurse)
file:
dest: "{{ item }}"
owner: asterisk
group: asterisk
recurse: yes
with_items:
- /var/run/asterisk
- /etc/asterisk
- /var/lib/asterisk
- /var/log/asterisk

6
roles/pbx/tasks/asterisk_dependencies.yml.unused
View file

@ -1,12 +1,12 @@
- name: Asterisk - Install dependencies
package:
name:
- git
- curl
- git # 2021-08-05: Not in Asterisk's install_prereq
- curl # 2021-08-05: Not in Asterisk's install_prereq
- wget
- libnewt-dev
- libssl-dev
- libncurses5-dev
- libncurses5-dev # 2021-08-05: Not in Asterisk's install_prereq
- subversion
- libsqlite3-dev
- build-essential

34
roles/pbx/tasks/chan_dongle.yml
View file

@ -1,49 +1,52 @@
- name: chan_dongle - Download software to /opt/iiab/downloads
# RPi: http://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html
- name: chan_dongle - Download {{ chan_dongle_url }}/{{ chan_dongle_src_file }} to {{ downloads_dir }}
get_url:
url: "{{ chan_dongle_url }}/{{ chan_dongle_src_file }}"
dest: "{{ downloads_dir }}/{{ chan_dongle_src_file }}"
url: "{{ chan_dongle_url }}/{{ chan_dongle_src_file }}" # /opt/iiab/downloads/master.zip
dest: "{{ downloads_dir }}/{{ chan_dongle_src_file }}" # Keep name as "master.zip" whereas browsers rename it to asterisk-chan-dongle-master.zip
timeout: "{{ download_timeout }}"
when: internet_available
- name: chan_dongle - Check for /opt/iiab/downloads/{{ chan_dongle_src_file }}
- name: chan_dongle - Check for {{ downloads_dir }}/{{ chan_dongle_src_file }}
stat:
path: "{{ downloads_dir }}/{{ chan_dongle_src_file }}"
register: chan_dongle_src
- name: chan_dongle - FAIL (force Ansible to exit) IF /opt/iiab/downloads/{{ chan_dongle_src_file }} doesn't exist
fail:
msg: "{ downloads_dir }}/{{ chan_dongle_src_file }} is REQUIRED in order to install."
msg: "{ downloads_dir }}/{{ chan_dongle_src_file }} is REQUIRED to install chan_dongle."
when: not chan_dongle_src.stat.exists
- name: chan_dongle - Create install source directory
- name: chan_dongle - Create source dir {{ chan_dongle_src_dir }}
file:
path: "{{ chan_dongle_src_dir }}"
path: "{{ chan_dongle_src_dir }}" # /opt/iiab/chan_dongle
state: directory
- name: chan_dongle - Extract source
- name: chan_dongle - Extract to {{ downloads_dir }} (root:root)
unarchive:
src: "{{ downloads_dir }}/{{ chan_dongle_src_file }}"
dest: "{{ downloads_dir }}"
owner: root
group: root
- name: chan_dongle - move to {{ chan_dongle_src_dir }}
- name: chan_dongle - Run 'rsync -av {{ downloads_dir }}/asterisk-chan-dongle-master/ {{ chan_dongle_src_dir }}'
command: rsync -av {{ downloads_dir }}/asterisk-chan-dongle-master/ {{ chan_dongle_src_dir }}
args:
chdir: "{{ downloads_dir }}"
- name: chan_dongle - Run the bootstrap script
command: "./bootstrap"
- name: chan_dongle - Run './bootstrap'
command: ./bootstrap
args:
chdir: "{{ chan_dongle_src_dir }}"
creates: "{{ chan_dongle_src_dir }}/configure"
- name: chan_dongle - Find out asterisk version
- name: chan_dongle - Run 'asterisk -V | cut -d " " -f 2' for asterisk_ver
shell: asterisk -V | cut -d " " -f 2
register: asterisk_ver
- name: chan_dongle - Run the configure script
command: "./configure --with-astversion={{asterisk_ver.stdout}}"
- name: chan_dongle - Run './configure --with-astversion={{ asterisk_ver.stdout }}'
command: ./configure --with-astversion={{ asterisk_ver.stdout }}
args:
chdir: "{{ chan_dongle_src_dir }}"
creates: "{{ chan_dongle_src_dir }}/Makefile"
@ -60,9 +63,8 @@
chdir: "{{ chan_dongle_src_dir }}"
creates: "/usr/lib/asterisk/modules/chan_dongle.so"
- name: chan_dongle - Copy dongle.conf over
- name: chan_dongle - Run 'cp {{ chan_dongle_src_dir }}/etc/dongle.conf /etc/asterisk/'
command: cp {{ chan_dongle_src_dir }}/etc/dongle.conf /etc/asterisk/
args:
chdir: "{{ chan_dongle_src_dir }}"
creates: "/etc/asterisk/dongle.conf"

78
roles/pbx/tasks/enable-or-disable.yml
View file

@ -1,35 +1,22 @@
- name: Enable & (Re)start 'asterisk' systemd service (if pbx_enabled)
- name: Enable & (Re)start 'freepbx' systemd service, if pbx_enabled
systemd:
daemon_reload: yes
name: asterisk
enabled: yes
state: restarted
when: pbx_enabled
- name: Disable & Stop 'asterisk' systemd service (if not pbx_enabled)
systemd:
daemon_reload: yes
name: asterisk
enabled: no
state: stopped
when: not pbx_enabled
- name: Enable & (Re)start 'freepbx' systemd service (if pbx_enabled)
systemd:
name: freepbx
enabled: yes
state: restarted
when: pbx_enabled
- name: Disable & Stop 'freepbx' systemd service (if not pbx_enabled)
- name: Disable & Stop 'freepbx' systemd service, if not pbx_enabled
systemd:
daemon_reload: yes
name: freepbx
enabled: no
state: stopped
when: not pbx_enabled
- block:
- name: Enable http://box:{{ pbx_http_port }}/freepbx via Apache, if pbx_enabled # http://box:83/freepbx
command: a2ensite freepbx.conf
when: pbx_enabled
@ -38,7 +25,58 @@
command: a2dissite freepbx.conf
when: not pbx_enabled
- name: Restart Apache service ({{ apache_service }})
- name: Restart & Enable '{{ apache_service }}' systemd service, if pbx_enabled
systemd:
name: "{{ apache_service }}" # httpd or apache2
name: "{{ apache_service }}" # apache2
state: restarted
enabled: yes
when: pbx_enabled
- name: Stop & Disable '{{ apache_service }}' systemd service, if not pbx_enabled
systemd:
name: "{{ apache_service }}"
state: stopped
enabled: no
when: not pbx_enabled
when: not pbx_try_nginx
- block:
- name: Install /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf converted from www.conf for user 'asterisk', if pbx_enabled
copy:
src: roles/pbx/templates/asterisk.conf
dest: /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf
when: pbx_enabled
- name: Remove /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf, if not pbx_enabled
file:
path: /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf
state: absent
when: not pbx_enabled
- name: Enable & Restart 'php{{ php_version }}-fpm' systemd service
systemd:
name: php{{ php_version }}-fpm
state: restarted
enabled: yes
- name: Enable http://box/freepbx via NGINX, by installing {{ nginx_conf_dir }}/freepbx-nginx.conf from template, if pbx_enabled
template:
src: freepbx-nginx.conf.j2
dest: "{{ nginx_conf_dir }}/freepbx-nginx.conf" # /etc/nginx/conf.d
when: pbx_enabled
- name: Disable http://box/freepbx via NGINX, by removing {{ nginx_conf_dir }}/freepbx-nginx.conf, if not pbx_enabled
file:
path: "{{ nginx_conf_dir }}/freepbx-nginx.conf"
state: absent
when: not pbx_enabled
- name: Restart 'nginx' systemd service
systemd:
name: nginx
state: restarted
when: pbx_try_nginx

269
roles/pbx/tasks/freepbx.yml
View file

@ -1,10 +1,73 @@
- name: FreePBX - Install dependencies
include: freepbx_dependencies.yml
# "Official" recipe: https://wiki.freepbx.org/display/FOP/Installing+FreePBX+16+on+Debian+10.9
# Comprehensive & recent recipe for RPi: http://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html
# Quirky but still useful for comparison: https://computingforgeeks.com/how-to-install-asterisk-16-with-freepbx-15-on-ubuntu-debian/
# 2012-2017: http://www.raspberry-asterisk.org
- name: FreePBX - Download software to /opt/iiab/downloads
# 2021-08-04: Non-native systemd service 'asterisk.service' (redirects via
# systemd-sysv-install, to '/etc/init.d/asterisk status' etc) is Enabled but
# Not Active at this point.
# 2021-08-05: Asterisk's systemd / systemctl support is getting there but Very
# Imperfect (even when compiled in, as a result of package 'libsystemd-dev' at
# the top of asterisk.yml).
# 2021-08-12: Let's try to track the "official" init.d / update-rc.d
# instructions ('update-rc.d -f asterisk remove') but using systemd instead,
# to be more future-proof?
- name: "FreePBX - Disable 'asterisk' systemd service, giving FreePBX full control during boot - similar to officially recommended 'update-rc.d -f asterisk remove' at: https://wiki.freepbx.org/display/FOP/Installing+FreePBX+16+on+Debian+10.9"
systemd:
daemon_reload: yes
name: asterisk
#state: stopped
enabled: no
- name: FreePBX - Install wget, git, unixodbc, sudo, net-tools, cron, sox + ~12 PHP dependencies (run 'php -m' or 'php -i' to verify PHP modules)
package:
name:
- wget
- git
- unixodbc # For Asterisk CDR (Call Detail Records)
- sudo # Required by FreePBX install script
- net-tools # Required by FWConsole (command-line utility, that controls FreePBX)
- cron # Required by FreePBX UCP package (User Control Panel)
- sox # Required for CDR web-playback
# - php{{ php_version }} # Basically drags in phpX.Y-cgi (already below!)
- php{{ php_version }}-bcmath # Likewise installed in nextcloud/tasks/install.yml, wordpress/tasks/install.yml
- php{{ php_version }}-cgi
# - php{{ php_version }}-common # Auto-installed as an apt dependency. REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
- php{{ php_version }}-curl # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
- php{{ php_version }}-fpm # Likewise installed in nginx/tasks/install.yml
# - php{{ php_version }}-gettext
- php{{ php_version }}-gd # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml
- php{{ php_version }}-imap
# - php{{ php_version }}-json # See stanza just below
- php{{ php_version }}-mbstring # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
# - python-mysqldb # https://github.com/Yannik/ansible-role-freepbx/blob/master/tasks/freepbx.yml#L33
- php{{ php_version }}-mysql # Likewise installed in mysql/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
- php-pear # Likewise installed for ADMIN CONSOLE https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19
- php{{ php_version }}-snmp
- php{{ php_version }}-xml # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml -- AND REGARDLESS dragged in later by Admin Console's use of php-pear for roles/cmdsrv/tasks/main.yml -- run 'php -m | grep -i xml' which in the end shows {libxml, SimpleXML, xml, xmlreader, xmlwriter}
- php{{ php_version }}-zip # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
state: latest
# For PHP >= 8.0: phpX.Y-json is baked into PHP itself.
# For PHP < 8.0: phpX.Y-json auto-installed by phpX.Y-fpm AND phpX.Y-cli in 3-base-server's nginx/tasks/install.yml, as confirmed by: apt rdepends phpX.Y-json
#
# - name: Install php{{ php_version }}-json if PHP < 8.0
# package:
# name: php{{ php_version }}-json
# state: present
# when: php_version is version('8.0', '<')
- name: FreePBX - Install and configure Apache - if not pbx_try_nginx
include_tasks: apache.yml
when: not pbx_try_nginx
- name: FreePBX - Download {{ freepbx_url }}/{{ freepbx_src_file }} to {{ downloads_dir }}
get_url:
url: "{{ freepbx_url }}/{{ freepbx_src_file }}"
dest: "{{ downloads_dir }}/{{ freepbx_src_file }}"
dest: "{{ downloads_dir }}" # e.g. /opt/iiab/downloads/freepbx-16.0-latest.tgz
timeout: "{{ download_timeout }}"
when: internet_available
@ -15,15 +78,15 @@
- name: FreePBX - FAIL (force Ansible to exit) IF {{ downloads_dir }}/{{ freepbx_src_file }} doesn't exist
fail:
msg: "{ downloads_dir }}/{{ freepbx_src_file }} is REQUIRED in order to install."
msg: "{{ downloads_dir }}/{{ freepbx_src_file }} is REQUIRED to install FreePBX."
when: not freepbx_src.stat.exists
- name: FreePBX - Create install source directory
- name: FreePBX - Create source dir {{ freepbx_src_dir }}
file:
path: "{{ freepbx_src_dir }}"
path: "{{ freepbx_src_dir }}" # /opt/iiab/freepbx
state: directory
- name: FreePBX - Extract source
- name: FreePBX - Extract to source dir (root:root)
unarchive:
src: "{{ downloads_dir }}/{{ freepbx_src_file }}"
dest: "{{ freepbx_src_dir }}"
@ -32,27 +95,29 @@
extra_opts: [--strip-components=1]
creates: "{{ freepbx_src_dir }}/install"
- name: FreePBX - Patch FreePBX source - IIAB Bug 1685
patch:
src: roles/pbx/templates/71-freepbx-framework.patch
dest: "{{ freepbx_src_dir }}/amp_conf/htdocs/admin/libraries/BMO/Framework.class.php"
# 2021-08-04: FreePBX 16 no longer needs this FreePBX 15 patch
# - name: FreePBX - Patch FreePBX source - IIAB Bug 1685
# patch:
# src: roles/pbx/templates/71-freepbx-framework.patch
# dest: "{{ freepbx_src_dir }}/amp_conf/htdocs/admin/libraries/BMO/Framework.class.php"
- name: FreePBX - Patch FreePBX source - wants [] not {}
patch:
src: roles/pbx/templates/pbx.patch
dest: "{{ freepbx_src_dir }}/amp_conf/htdocs/admin/libraries/Composer/vendor/neitanod/forceutf8/src/ForceUTF8/Encoding.php"
# 2021-08-04: FreePBX 16 no longer needs this FreePBX 15 patch
# - name: FreePBX - Patch FreePBX source - wants [] not {}
# patch:
# src: roles/pbx/templates/pbx.patch
# dest: "{{ freepbx_src_dir }}/amp_conf/htdocs/admin/libraries/Composer/vendor/neitanod/forceutf8/src/ForceUTF8/Encoding.php"
- name: FreePBX - Disable & Stop asterisk service
systemd:
daemon_reload: yes
name: asterisk
enabled: no
state: stopped
# 2021-08-04: FreePBX 16 no longer needs this FreePBX 15 patch
# - name: FreePBX - Patch FreePBX source - disable get_magic_quotes_gpc()
# patch:
# src: roles/pbx/templates/pbx2.patch
# dest: "{{ freepbx_install_dir }}/admin/libraries/view.functions.php"
- name: FreePBX - Add mysql user
- name: FreePBX - Add MySQL user ({{ asterisk_db_user }})
mysql_user:
name: "{{ asterisk_db_user }}"
password: "{{ asterisk_db_password }}"
name: "{{ asterisk_db_user }}" # asterisk
password: "{{ asterisk_db_password }}" # asterisk
priv: "{{ asterisk_db_dbname }}.*:ALL/{{ asterisk_db_cdrdbname }}.*:ALL"
# login_host: "{{ asterisk_db_host }}"
# login_user: root
@ -60,9 +125,9 @@
host: "{{ (asterisk_db_host == 'localhost') | ternary('localhost', ansible_default_ipv4.address) }}"
state: present
- name: FreePBX - Add mysql db
- name: FreePBX - Add MySQL db ({{ asterisk_db_dbname }})
mysql_db:
name: "{{ asterisk_db_dbname }}"
name: "{{ asterisk_db_dbname }}" # asterisk
encoding: utf8
collation: utf8_general_ci
# login_host: "{{ asterisk_db_host }}"
@ -70,15 +135,28 @@
# login_password: "{{ mysql_root_password }}"
state: present
- name: FreePBX - Add cdr mysql db
- name: FreePBX - Add cdr MySQL db ({{ asterisk_db_cdrdbname }})
mysql_db:
name: "{{ asterisk_db_cdrdbname }}"
name: "{{ asterisk_db_cdrdbname }}" # asteriskcdrdb
encoding: utf8
collation: utf8_general_ci
login_host: "{{ asterisk_db_host }}"
state: present
- name: FreePBX - Don't let freepbx take over the php sessions dir
- name: FreePBX - Create new php sessions dir /var/lib/php/asterisk_sessions/ - SEE 'php_value session.save_path /var/lib/php/asterisk_sessions/' IN pbx/templates/freepbx.conf.j2
file:
path: /var/lib/php/asterisk_sessions/
state: directory
- name: FreePBX - Set ownership for new php sessions dir (asterisk:asterisk)
file:
dest: /var/lib/php/asterisk_sessions/
owner: asterisk
group: asterisk
recurse: yes
- name: "FreePBX - Populate /etc/asterisk/freepbx_chown.conf to prevent 'fwconsole chown' takeover of /var/lib/php/sessions" # And possibly later /etc/freepbx.conf, /var/log/asterisk/freepbx.log, /var/spool/asterisk/cache
blockinfile:
content: |
[blacklist]
@ -89,60 +167,99 @@
group: asterisk
create: yes
- name: FreePBX - Create php sessions directory
file:
path: /var/lib/php/asterisk_sessions/
state: directory
- name: FreePBX - Set ownership for php sessions directory
file:
dest: /var/lib/php/asterisk_sessions/
owner: asterisk
group: asterisk
recurse: yes
- name: FreePBX - Install (just run once) - CAN TAKE 12 MIN OR LONGER!
command: ./start_asterisk start
- name: FreePBX - 2-step install - won't run if {{ freepbx_install_dir }} already exists - CAN TAKE 3-12 MIN OR LONGER!
command: "{{ item }}"
args:
chdir: "{{ freepbx_src_dir }}"
creates: "{{ freepbx_install_dir }}"
creates: "{{ freepbx_install_dir }}" # /var/www/html/freepbx
with_items:
- ./start_asterisk start
- ./install -n --webroot {{ freepbx_install_dir }} --dbuser {{ asterisk_db_user }} --dbpass {{ asterisk_db_password }} --dbname {{ asterisk_db_dbname }} --cdrdbname {{ asterisk_db_cdrdbname }}
- name: FreePBX - Install (just run once) - CAN TAKE 12 MIN OR LONGER!
command: ./install -n --webroot {{ freepbx_install_dir }} --dbuser {{ asterisk_db_user }} --dbpass {{ asterisk_db_password }} --dbname {{ asterisk_db_dbname }} --cdrdbname {{ asterisk_db_cdrdbname }}
args:
chdir: "{{ freepbx_src_dir }}"
creates: "{{ freepbx_install_dir }}"
- name: "Run 'fwconsole stop' and 'killall -9 safe_asterisk' to stop both Asterisk processes -- this avoids \"Unable to run Pre-Asterisk hooks, because Asterisk is already running\" in 'journalctl -u freepbx' logs"
command: "{{ item }}"
with_items:
- fwconsole stop
- killall -9 safe_asterisk # 2021-08-08: Stronger medicine needed for 64-bit Ubuntu Server 21.04 on RPi 4. Originally from @jvonau's PR #2912.
- killall -9 "PM2 v4.5.0: God" # 2021-08-09: Missed by fwconsole (does this matter?)
# - killall -9 asterisk # 2021-08-05: Also from @jvonau's PR #2912, to brute force this. In the end, above 'fwconsole stop' works more gracefully.
# - ./start_asterisk stop # Buggy!
# - /usr/sbin/asterisk -rx "core stop gracefully"
# - fwconsole reload
# - fwconsole restart
# - fwconsole ma disablerepo commercial
# - fwconsole ma installall
# - fwconsole ma delete firewall
# - fwconsole reload
# - fwconsole restart
ignore_errors: yes # 2021-08-08: For things like 'killall -9 safe_asterisk' that fail when process doesn't exist
# 2021-08-02: FreePBX 16 seems to no longer need this FreePBX 15 patch?
#- name: FreePBX - Patch FreePBX source - disable get_magic_quotes_gpc()
# patch:
# src: roles/pbx/templates/pbx2.patch
# dest: "{{ freepbx_install_dir }}/admin/libraries/view.functions.php"
# 2021-08-06: This stanza works, but above is more graceful. (FYI PRs #2908,
# #2912, #2913 didn't quite work -- whereas this PR #2915 at least worked!)
# - name: FreePBX - Run 'systemctl restart freepbx' TWICE (THIS IS 1 OF 2) to get past 'systemctl status freepbx' glitch "Unable to run Pre-Asterisk hooks, because Asterisk is already running"
# systemd:
# daemon_reload: yes
# name: freepbx
# enabled: yes
# state: restarted
- name: FreePBX - Install /etc/odbc.ini from template (root:root, 0644 by default)
- name: FreePBX - Install /etc/odbc.ini from template (root:root, 0644 by default) for CDR 'asteriskcdrdb' - in future consider compiling ODBC driver for aarch64 per http://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html ?
template:
src: odbc.ini.j2
dest: /etc/odbc.ini
# owner: root
# group: root
# mode: '0644'
src: odbc.ini
dest: /etc/
- name: FreePBX - Install /etc/apache2/sites-available/freepbx.conf from template ({{ apache_user }}:{{ apache_user }}, 0644 by default)
- name: FreePBX - Install /etc/systemd/system/freepbx.service from template (root:root, 0644 by default)
template:
src: freepbx.conf.j2
dest: /etc/apache2/sites-available/freepbx.conf
owner: "{{ apache_user }}"
group: "{{ apache_user }}"
# mode: '0644'
src: freepbx.service
dest: /etc/systemd/system/
- name: FreePBX - Add directive "Listen {{ pbx_http_port }}" to /etc/apache2/ports.conf
lineinfile:
path: /etc/apache2/ports.conf
line: "Listen {{ pbx_http_port }}"
#insertafter: Listen 80
- name: FreePBX - Install /etc/systemd/system/freepbx.service systemd unit file from template (root:root, 0644 by default)
template:
src: freepbx.service.j2
dest: /etc/systemd/system/freepbx.service
# mode: '0755' # Let's go with '0644' per unit file norms
- name: FreePBX - Run 'fwconsole ma upgradeall' on installed FreePBX modules, e.g. 16 default modules (of about 70 total) - CAN TAKE 2 MIN OR LONGER!
command: fwconsole ma upgradeall
- name: FreePBX - Run 'fwconsole set CHECKREFERER 0' (0 means false) - if pbx_try_nginx - so 'Submit' button definitively works at http://box/freepbx >> Settings >> Advanced Settings -- FYI you can run 'fwconsole set -l' or 'fwconsole set CHECKREFERER' to view FreePBX settings -- FYI /etc/freepbx.conf can completely override FreePBX's stored settings if nec
command: fwconsole set CHECKREFERER 0 # Or/later run 'fwconsole set CHECKREFERER 1' (1 means true) to restore FreePBX's default strict checking.
when: pbx_try_nginx
# - name: Add "$amp_conf['CHECKREFERER'] = false;" to /etc/freepbx.conf #2931 - if pbx_try_nginx"
# lineinfile:
# path: /etc/freepbx.conf
# insertbefore: '^\?>$' # Match exact line '?>' -- BOTTOM OF FILE NEC!
# line: "$amp_conf['CHECKREFERER'] = false;"
# when: pbx_try_nginx
# - name: 'FreePBX - fix file permissions for NGINX: /etc/freepbx.conf (0644), /var/log/asterisk/freepbx.log (0666)'
# file:
# #state: file
# path: "{{ item.path }}"
# mode: "{{ item.mode }}"
# with_items:
# - { path: '/etc/freepbx.conf', mode: u=rw,g=r,o=r } # 2021-08-04: LATER ENDS UP AS 0660
# - { path: '/var/log/asterisk/freepbx.log', mode: u=rw,g=rw,o=rw } # 2021-08-04: LATER ENDS UP AS 0664
# when: pbx_try_nginx
# - name: 'FreePBX - fix dir permissions for NGINX: /var/spool/asterisk/cache (0777)'
# file:
# state: directory
# path: "{{ item }}"
# mode: u=rwx,g=rwx,o=rwx # 2021-08-04: MOST CONTENT THEREIN ENDS UP AS asterisk:asterisk 664 (files) & 775 (dirs)
# # recurse: yes # Probably Doesn't Help?
# with_items:
# # - /var/www/html/freepbx/admin/assets/less/cache
# - /var/spool/asterisk/cache
# when: pbx_try_nginx
# For 'pbx_try_nginx: True' -- FreePBX's initial page (Admin user registration)
# tries to set up a cron job but fails:
# "Exception: Trying to edit user asterisk, when I'm running as www-data"
# 2021-08-10: Hacking /etc/freepbx.conf WAS NOT TESTED PROPERLY -- AS VARS MUST
# BE NEAR BOTTOM OF FILE: github.com/iiab/iiab/pull/2916#issuecomment-894585322
# - name: "2021-08-06: Try \"$amp_conf['AMPASTERISKWEBUSER'] = 'www-data';\" in /etc/freepbx.conf for #2916 registration cron fix ?'"
# lineinfile:
# path: /etc/freepbx.conf
# #insertafter: '^<\?php$' # Match exact line '<?php' -- BUT TOP OF FILE FAILS :(
# insertbefore: '^\?>$' # Match exact line '?>' -- BOTTOM OF FILE NECESSARY :)
# line: "$amp_conf['AMPASTERISKWEBUSER'] = 'www-data';"
# when: pbx_try_nginx

16
roles/pbx/tasks/freepbx_dependencies.yml → roles/pbx/tasks/freepbx_dependencies.yml.unused
View file

@ -1,13 +1,13 @@
- name: FreePBX - Install dependencies (run 'php -m' or 'php -i' to verify PHP modules)
- name: FreePBX - Install wget, git, unixodbc, sudo, net-tools, cron, sox + ~12 PHP dependencies (run 'php -m' or 'php -i' to verify PHP modules)
package:
name:
- wget
- git
- unixodbc # for Asterisk CDR (Call Detail Records)
- sudo # required by FreePBX install script
- net-tools # required by FWConsole (command-line utility, that controls FreePBX)
- cron # required by FreePBX UCP package (User Control Panel)
- sox # required for CDR web-playback
- unixodbc # For Asterisk CDR (Call Detail Records)
- sudo # Required by FreePBX install script
- net-tools # Required by FWConsole (command-line utility, that controls FreePBX)
- cron # Required by FreePBX UCP package (User Control Panel)
- sox # Required for CDR web-playback
# - php{{ php_version }} # Basically drags in phpX.Y-cgi (already below!)
- php{{ php_version }}-bcmath # Likewise installed in nextcloud/tasks/install.yml, wordpress/tasks/install.yml
- php{{ php_version }}-cgi
@ -19,14 +19,12 @@
- php{{ php_version }}-imap
# - php{{ php_version }}-json # See stanza just below
- php{{ php_version }}-mbstring # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
# - python-mysqldb # https://github.com/Yannik/ansible-role-freepbx/blob/master/tasks/freepbx.yml#L33
- php{{ php_version }}-mysql # Likewise installed in mysql/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
- php-pear # Likewise installed for ADMIN CONSOLE https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19
- php{{ php_version }}-snmp
- php{{ php_version }}-xml # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml -- AND REGARDLESS dragged in later by Admin Console's use of php-pear for roles/cmdsrv/tasks/main.yml -- run 'php -m | grep -i xml' which in the end shows {libxml, SimpleXML, xml, xmlreader, xmlwriter}
- php{{ php_version }}-zip # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
- libapache2-mod-php
#- python-mysqldb # https://github.com/Yannik/ansible-role-freepbx/blob/master/tasks/freepbx.yml#L33
- libapache2-mpm-itk # To serve FreePBX through a VirtualHost as asterisk user
state: latest
# For PHP >= 8.0: phpX.Y-json is baked into PHP itself.

37
roles/pbx/tasks/install.yml
View file

@ -22,44 +22,23 @@
# when: nodejs_version != "12.x"
- name: "Set 'apache_install: True' and 'apache_enabled: True'"
set_fact:
apache_install: True
apache_enabled: True
# 2021-08-09: Moved to roles/pbx/tasks/apache.yml
- name: APACHE - run 'httpd' role
include_role:
name: httpd
# - name: "Set 'apache_install: True' and 'apache_enabled: True'"
# set_fact:
# apache_install: True
# apache_enabled: True
# - name: APACHE - run 'httpd' role
# include_role:
# name: httpd
# 2021-07-27: Taken care of by main.yml
#- name: TODO: Check if asterisk and freepbx are already installed
#
#- name: Check if /etc/systemd/system/freepbx.service is already installed
# stat:
# path: /etc/systemd/system/freepbx.service
# register: freepbx_installed
#
#- debug:
# msg: >-
# FreePBX already installed. Reinstall shall be skipped
# when: freepbx_installed.stat.exists
# 2021-08-03: Taken care of by asterisk.yml's scripts/install_prereq
#- name: Install 'make' package
# package:
# name: make
# state: present
- name: Install Asterisk
include_tasks: asterisk.yml
#when: internet_available and pbx_install and (pbx_installed is undefined) and is_debuntu and (not freepbx_installed.stat.exists)
#when: internet_available and pbx_install and (not pbx_installed) and ((is_debian and ansible_distribution_major_version == "9") or is_ubuntu_18)
- name: Install FreePBX
include_tasks: freepbx.yml
#when: internet_available and pbx_install and (pbx_installed is undefined) and is_debuntu and (not freepbx_installed.stat.exists)
#when: internet_available and pbx_install and (not pbx_installed) and ((is_debian and ansible_distribution_major_version == "9") or is_ubuntu_18)
# RECORD PBX AS INSTALLED

2
roles/pbx/tasks/main.yml
View file

@ -26,7 +26,7 @@
- include_tasks: enable-or-disable.yml
- name: Asterisk - Install chan_dongle
- name: Install chan_dongle for Huawei USB modems - if asterisk_chan_dongle
include: chan_dongle.yml
when: asterisk_chan_dongle

0
roles/pbx/templates/71-freepbx-framework.patch → roles/pbx/templates/71-freepbx-framework.patch.unused
View file

467
roles/pbx/templates/asterisk.conf Normal file
View file

@ -0,0 +1,467 @@
; 2021-08-10: @jvonau derived this from /etc/php/7.4/fpm/pool.d/www.conf (apt
; package php7.4-fpm) with just 4 changes: (github.com/iiab/iiab/pull/2930)
;
; 1. [www] -> [asterisk]
; 2. user = www-data -> user = asterisk
; 3. listen = /run/php/php7.4-fpm.sock -> listen = /run/php/php-asterisk.sock
; 4. listen.owner = www-data -> listen.owner = asterisk
;
; See also the top of asterisk.conf.patch and asterisk.conf.diff here:
; https://github.com/iiab/iiab/tree/master/roles/pbx/templates
;
; "One set of workers is running as www-data and the other set of workers is
; running as asterisk but on different sockets."
;
; This should resolve both iiab/iiab#2914 -> iiab/iiab#2916 "NGINX" issues:
; (1) As you tried to register at http://box/freepbx, cron setup failed with
; exception "Trying to edit user asterisk, when I'm running as www-data"
; https://github.com/iiab/iiab/pull/2916#issuecomment-894585322
; (2) When you clicked Settings >> Advanced Settings >> Submit >> Apply Config,
; it failed with "Unknown Error. Please Run: fwconsole reload --verbose"
; https://github.com/iiab/iiab/pull/2916#issuecomment-894604982
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[asterisk]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = asterisk
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php-asterisk.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = asterisk
listen.group = www-data
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
;pm.max_children = 5
pm.max_children=120
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: (min_spare_servers + max_spare_servers) / 2
;pm.start_servers = 2
pm.start_servers=12
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
;pm.min_spare_servers = 1
pm.min_spare_servers=6
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
;pm.max_spare_servers = 3
pm.max_spare_servers=18
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.4/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; The timeout set by 'request_terminate_timeout' ini option is not engaged after
; application calls 'fastcgi_finish_request' or when application has finished and
; shutdown functions are being called (registered via register_shutdown_function).
; This option will enable timeout limit to be applied unconditionally
; even in such cases.
; Default Value: no
;request_terminate_timeout_track_finished = no
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
env[PATH]=/usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

40
roles/pbx/templates/asterisk.conf.diff Normal file
View file

@ -0,0 +1,40 @@
4c4
< [www]
---
> [asterisk]
23c23
< user = www-data
---
> user = asterisk
36c36
< listen = /run/php/php7.4-fpm.sock
---
> listen = /run/php/php-asterisk.sock
48c48
< listen.owner = www-data
---
> listen.owner = asterisk
114c114,115
< pm.max_children = 5
---
> ;pm.max_children = 5
> pm.max_children=120
119c120,121
< pm.start_servers = 2
---
> ;pm.start_servers = 2
> pm.start_servers=12
124c126,127
< pm.min_spare_servers = 1
---
> ;pm.min_spare_servers = 1
> pm.min_spare_servers=6
129c132,133
< pm.max_spare_servers = 3
---
> ;pm.max_spare_servers = 3
> pm.max_spare_servers=18
397a402
> clear_env = no
411a417
> env[PATH]=/usr/local/bin:/usr/bin:/bin

85
roles/pbx/templates/asterisk.conf.patch Normal file
View file

@ -0,0 +1,85 @@
--- /etc/php/7.4/fpm/pool.d/www.conf 2021-07-01 23:59:48.000000000 -0400
+++ /etc/php/7.4/fpm/pool.d/asterisk.conf 2021-08-10 05:25:09.808067373 -0400
@@ -1,7 +1,7 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
-[www]
+[asterisk]
; Per pool prefix
; It only applies on the following directives:
@@ -20,7 +20,7 @@
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
-user = www-data
+user = asterisk
group = www-data
; The address on which to accept FastCGI requests.
@@ -33,7 +33,7 @@
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
-listen = /run/php/php7.4-fpm.sock
+listen = /run/php/php-asterisk.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
@@ -45,7 +45,7 @@
; and group can be specified either by name or by their numeric IDs.
; Default Values: user and group are set as the running user
; mode is set to 0660
-listen.owner = www-data
+listen.owner = asterisk
listen.group = www-data
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
@@ -111,22 +111,26 @@
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
-pm.max_children = 5
+;pm.max_children = 5
+pm.max_children=120
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: (min_spare_servers + max_spare_servers) / 2
-pm.start_servers = 2
+;pm.start_servers = 2
+pm.start_servers=12
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = 1
+;pm.min_spare_servers = 1
+pm.min_spare_servers=6
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
-pm.max_spare_servers = 3
+;pm.max_spare_servers = 3
+pm.max_spare_servers=18
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
@@ -395,6 +399,7 @@
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
+clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
@@ -409,6 +414,7 @@
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[PATH]=/usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp

31
roles/pbx/templates/freepbx-nginx.conf.j2 Normal file
View file

@ -0,0 +1,31 @@
location ~ ^/freepbx(|/.*)$ { # '~' -> '~*' for case-insensitive regex
root /var/www/html;
# root {{ freepbx_install_dir }}; # /var/www/html/freepbx
# root {{ doc_root }}; # /library/www/html
# location ~ ^/freepbx {
# root {{ doc_root }};
# }
location ~ ^/freepbx(.*)\.php(.*)$ {
alias {{ freepbx_install_dir }}$1.php$2;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_pass unix:/run/php/php-asterisk.sock;
include fastcgi_params;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
#fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_param HTACCESS on; # disables FreePBX htaccess warning
}
# disallows the things that the FreePBX .htaccess files disallow
location ~ /freepbx(/\.ht|/\.git|\.ini$|/libraries|/helpers|/i18n|/node|/views/.+php$) {
deny all;
}
# from the api module .htaccess file
rewrite ^/freepbx/admin/api/([^/]*)/([^/]*)/?(.*)?$ /freepbx/admin/api/api.php?module=$1&command=$2&route=$3 last;
}

17
roles/pbx/templates/freepbx.service Normal file
View file

@ -0,0 +1,17 @@
[Unit]
Description=FreePBX VoIP Server
After=mysql.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/fwconsole start
ExecStop=/usr/sbin/fwconsole stop
ExecStopPost=killall -9 "PM2 v4.5.0: God"
# 2021-08-10: Asterisk stuff doesn't stop reliably, right after freepbx.yml
# 'install -n' completes -- hence "Unable to run Pre-Asterisk hooks, because
# Asterisk is already running" issue when freepbx.service next tries to start
# it. See pbx/tasks/freepbx.yml workarounds e.g. github.com/iiab/iiab/pull/2915
[Install]
WantedBy=multi-user.target

12
roles/pbx/templates/freepbx.service.j2
View file

@ -1,12 +0,0 @@
[Unit]
Description=FreePBX VoIP Server
After=mysql.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/fwconsole start
ExecStop=/usr/sbin/fwconsole stop
[Install]
WantedBy=multi-user.target

0
roles/pbx/templates/odbc.ini.j2 → roles/pbx/templates/odbc.ini
View file

0
roles/pbx/templates/pbx.patch → roles/pbx/templates/pbx.patch.unused
View file

9
roles/nginx/templates/ports.conf.j2 → roles/pbx/templates/ports.conf
View file

@ -2,7 +2,14 @@
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 127.0.0.1:{{ apache_port }}
# Apache's stock default
#Listen 80
# IIAB NGINX proxying to legacy svcs (Dec 2019 - Aug 2021)
#Listen 127.0.0.1:8090
# IIAB FreePBX for Asterisk
Listen {{ pbx_http_port }}
#<IfModule ssl_module>
# Listen 443

16
roles/phpmyadmin/tasks/enable-or-disable.yml
View file

@ -1,9 +1,9 @@
- name: Enable phpMyAdmin via Apache, if phpmyadmin_enabled
command: a2ensite phpmyadmin.conf
when: phpmyadmin_enabled
#when: apache_installed is defined and phpmyadmin_enabled
# - name: Enable phpMyAdmin via Apache, if phpmyadmin_enabled
# command: a2ensite phpmyadmin.conf
# when: phpmyadmin_enabled
# #when: apache_installed is defined and phpmyadmin_enabled
- name: Disable phpMyAdmin via Apache, if not phpmyadmin_enabled
command: a2dissite phpmyadmin.conf
when: not phpmyadmin_enabled
#when: apache_installed is defined and not phpmyadmin_enabled
# - name: Disable phpMyAdmin via Apache, if not phpmyadmin_enabled
# command: a2dissite phpmyadmin.conf
# when: not phpmyadmin_enabled
# #when: apache_installed is defined and not phpmyadmin_enabled

28
roles/phpmyadmin/tasks/install.yml
View file

@ -1,17 +1,17 @@
- name: "Set 'apache_install: True' and 'apache_enabled: True'"
set_fact:
apache_install: True
apache_enabled: True
- name: APACHE - run 'httpd' role
include_role:
name: httpd
# - name: "Set 'apache_install: True' and 'apache_enabled: True'"
# set_fact:
# apache_install: True
# apache_enabled: True
#
# - name: APACHE - run 'httpd' role
# include_role:
# name: httpd
- name: Unarchive {{ phpmyadmin_dl_url }} (7+ MB) to /opt (60+ MB)
unarchive:
remote_src: yes # Overwrite even if "already exists on the target"
src: "{{ phpmyadmin_dl_url }}" # e.g. https://files.phpmyadmin.net/phpMyAdmin/5.1.0/phpMyAdmin-5.1.0-all-languages.tar.xv
src: "{{ phpmyadmin_dl_url }}" # e.g. https://files.phpmyadmin.net/phpMyAdmin/5.1.1/phpMyAdmin-5.1.1-all-languages.tar.xv
dest: /opt
owner: "{{ apache_user }}" # www-data on debuntu
group: "{{ apache_user }}"
@ -33,11 +33,11 @@
owner: "{{ apache_user }}"
group: "{{ apache_user }}"
- name: Install /etc/{{ apache_conf_dir }}/phpmyadmin.conf from template
template:
src: phpmyadmin.j2
dest: "/etc/{{ apache_conf_dir }}/phpmyadmin.conf"
#when: apache_installed is defined
# - name: Install /etc/{{ apache_conf_dir }}/phpmyadmin.conf from template
# template:
# src: phpmyadmin.j2
# dest: "/etc/{{ apache_conf_dir }}/phpmyadmin.conf"
# #when: apache_installed is defined
# RECORD phpMyAdmin AS INSTALLED

5
roles/phpmyadmin/tasks/main.yml
View file

@ -19,12 +19,13 @@
quiet: yes
- name: Install phpMyAdmin if 'phpmyadmin_installed' not defined, e.g. in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml
- name: "INCOMPLETE WITHOUT APACHE AS OF 2021-07-06: Install phpMyAdmin if 'phpmyadmin_installed' not defined, e.g. in {{ iiab_state_file }}" # /etc/iiab/iiab_state.yml
include_tasks: install.yml
when: phpmyadmin_installed is undefined
- include_tasks: enable-or-disable.yml
- name: INCOMPLETE WITHOUT APACHE AS OF 2021-07-06
include_tasks: enable-or-disable.yml
- name: Add 'phpmyadmin' variable values to {{ iiab_ini_file }}

0
roles/phpmyadmin/templates/phpmyadmin.j2 → roles/phpmyadmin/templates/phpmyadmin.j2.unused
View file

1
roles/postgresql/tasks/install.yml
View file

@ -3,6 +3,7 @@
name:
- postgresql
- postgresql-client
- python3-psycopg2 # For Ansible modules {postgresql_db, postgresql_user} in Ansible collection community.postgresql -- used in moodle/tasks/install.yml
state: present
- name: Install /etc/systemd/system/postgresql-iiab.service from template (0644 by default)

0
roles/usb_lib/tasks/apache.yml → roles/usb_lib/tasks/apache.yml.unused
View file

11
roles/usb_lib/tasks/install.yml
View file

@ -47,13 +47,13 @@
state: present
when: is_ubuntu
- name: Add dir {{ doc_root }}/local_content, where USB drive links can appear
- name: Add dir {{ doc_root }}/local_content, where USB drive links can appear (0775)
file:
state: directory
path: "{{ doc_root }}/local_content"
owner: "{{ apache_user }}"
group: "{{ apache_user }}" # 2020-02-13: changed from iiab_admin_user, after discussion on weekly call (#1228, #2222)
mode: '0775'
mode: 0775
- name: 'Install from template: /etc/udev/rules.d/usbmount.rules, /etc/systemd/system/usbmount@.service, /usr/bin/iiab-usb_lib-show-all-on, /usr/bin/iiab-usb_lib-show-all-off, /usr/sbin/iiab-clean-usb.sh'
template:
@ -81,13 +81,6 @@
path: /etc/usbmount/mount.d/00_create_model_symlink
state: absent
# 2021-03-25: Consider removing this stanza & all of this role's Apache logic!
- name: Install /etc/{{ apache_conf_dir }}/content_dir.conf from template
template:
src: content_dir.conf
dest: "/etc/{{ apache_conf_dir }}" # apache2/sites-available on debuntu
when: apache_installed is defined
# RECORD 'USB_LIB' AS INSTALLED

8
roles/usb_lib/tasks/main.yml
View file

@ -56,13 +56,9 @@
when: not usb_lib_umask0000_for_kolibri
- name: Enable/Disable/Restart Apache if primary
include_tasks: apache.yml
when: not nginx_enabled
- name: Enable/Disable/Restart NGINX if primary
- name: Enable/Disable/Restart NGINX
include_tasks: nginx.yml
when: nginx_enabled
# 2021-04-29: Clean up here to catch the already installed users, remove for the next release (PR #2760)
- name: Remove /etc/usbmount/mount.d/00_create_model_symlink

9
roles/www_options/tasks/main.yml
View file

@ -85,6 +85,10 @@
- { regexp: '^max_input_vars', line: 'max_input_vars = 1000 ; default is 1000 / Moodle 3.11+ requires 5000+ with PHP 8+' }
when: not nginx_high_php_limits and not moodle_install # REMINDER: THIS ENTIRE 5-STANZA BLOCK IS ONLY INVOKED... when: moodle_install or nextcloud_install or pbx_install or wordpress_install
# WARNING: This might cause excess use of RAM/disk or other resources!
# The first 5 values below were chosen by @ericnitschke and @kananigit on
# 2018-09-19: https://github.com/iiab/iiab/issues/1147
# 2020-03-08: IIAB DOES NOT SUPPORT UNINSTALLING APPS, so additional
# clauses (to reset/restore PHP's defaults) are not necessary at this time.
@ -92,12 +96,7 @@
# editing /etc/php/{{ php_version }}/cli/php.ini (below) -- though during
# regular operation it uses: .../fpm/php.ini
# And in the past it used: .../apache2/php.ini
#
# SEE ALSO roles/moodle/tasks/install.yml WHERE SIMILAR SURGERY'S DONE TO
# /etc/php/{{ php_version }}/apache2/php.ini UNTIL MOODLE'S PORTED TO NGINX!
# WARNING: This might cause excess use of RAM/disk or other resources!
# The 5 first values below were chosen by @ericnitschke and @kananigit in ~2018.
- name: "Enact 'nginx_high_php_limits: True' in /etc/php/{{ php_version }}/fpm/php.ini for schools that use WordPress/Moodle/Nextcloud/PBX intensively (allow photos/docs up to 500MB, 300s timeouts, memory_limit = 512M for Nextcloud, max_input_vars = 5000 for Moodle)"
lineinfile:
path: /etc/php/{{ php_version }}/fpm/php.ini # COMPARE /etc/php/{{ php_version }}/cli/php.ini AND /etc/php/{{ php_version }}/apache2/php.ini

22
scripts/ansible
View file

@ -4,7 +4,6 @@
# https://stackoverflow.com/questions/9952177/whats-the-meaning-of-the-parameter-e-for-bash-shell-command-line/9952249
# PLZ SEE http://FAQ.IIAB.IO > "What is Ansible and what version should I use?"
# https://github.com/iiab/iiab/tree/master/scripts/ansible.md
# https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible
APT_PATH=/usr/bin # Avoids problematic /usr/local/bin/apt on Linux Mint
@ -149,13 +148,24 @@ fi
###echo -e 'ENSURE ANSIBLE UPDATES CLEANLY: (then re-run this script to be sure!)\n'
###grep '^deb .*ansible' /etc/apt/sources.list /etc/apt/sources.list.d/*.list | grep -v '^/etc/apt/sources.list.d/iiab-ansible.list:' || true # Override bash -e (instead of aborting at 1st error)
echo -e "\napt update; apt install of python3-* / virtualenv packages explained at:"
echo -e "https://github.com/iiab/iiab/blob/master/scripts/ansible.md\n"
echo -e "\napt update; apt install python3-pip # Also installs 'python3-setuptools' and 'python3' etc"
#echo -e "https://github.com/iiab/iiab/blob/master/scripts/ansible.md\n"
$APT_PATH/apt update
$APT_PATH/apt -y install python3-pip
# 2021-07-29:
# 'python3-packaging' dropped for now
# 'python3-pymysql' (drags in 'python3' which drags in 'python3-venv' on Debian 11 but not on Ubuntu 20.04) -- moved to roles/mysql/tasks/install.yml
# 'python3-psycopg2' moved to roles/postgresql/tasks/install.yml
# 'python3-passlib' moved to roles/munin/tasks/install.yml
# 'python3-venv' moved to roles/2-common/tasks/packages.yml
# 'virtualenv' for Python 2 moved to roles/kalite/tasks/install.yml
#
#$APT_PATH/apt -y install \
# python3-pymysql python3-psycopg2 python3-passlib python3-pip \
# python3-setuptools python3-packaging python3-venv virtualenv
#$APT_PATH/apt -y --allow-downgrades install ansible-core \
$APT_PATH/apt -y install \
python3-pymysql python3-psycopg2 python3-passlib python3-pip \
python3-setuptools python3-packaging python3-venv virtualenv
echo -e "\n\n'pip3 install --upgrade ansible-core' will now run:\n"
pip3 install --upgrade ansible-core

0
scripts/ansible.md → scripts/ansible.md.unused
View file

4
tests/test.yml
View file

@ -28,11 +28,11 @@
#- { role: dokuwiki }
#- { role: ejabberd }
#- { role: ejabberd_xs }
- { role: elgg }
#- { role: elgg }
- { role: firmware }
- { role: gitea }
#- { role: homepage }
- { role: httpd }
#- { role: httpd }
#- { role: idmgr }
- { role: iiab-admin }
- { role: internetarchive }

2
unmaintained-roles.txt
View file

@ -6,7 +6,9 @@ docker
dokuwiki
ejabberd
ejabberd_xs
elgg
homepage
httpd
httpd-enable
idmgr
moodle-1.9

109
vars/default_vars.yml
View file

@ -43,10 +43,6 @@ py3_dist_path: /usr/lib/python3/dist-packages
# Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
download_timeout: 200
# Languages (for Apache)
default_language: en
language_priority: en es fr
# Real-time clock: RTC chip family. Future auto-detection plausible?
rtc_id: none # Or ds3231 ? Used in 1-prep/tasks/raspberry_pi.yml
@ -154,9 +150,11 @@ iiab_gateway_enabled: False
gw_squid_whitelist: False
gw_block_https: False
# UNMAINTAINED as of July 2021
dhcpd_install: False
dhcpd_enabled: False
# UNMAINTAINED as of July 2021
# named (BIND)
named_install: False
named_enabled: False
@ -169,17 +167,7 @@ dnsmasq_enabled: True
# Enable in local_vars.yml AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
dns_jail_enabled: False
# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
# extensively later refined (PRs #1179, #1300, #1327, #2070).
captiveportal_install: True
captiveportal_enabled: False
captiveportal_port: 9090
captiveportal_splash_page: /
# You might also want to set iiab_home_url (above!)
# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
# Bluetooth PAN access to IIAB server
# Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
bluetooth_install: True
bluetooth_enabled: False
bluetooth_term_enabled: False
@ -215,9 +203,6 @@ sshd_install: True # Required by OpenVPN
sshd_enabled: True
sshd_port: 22 # Not fully functional. SEE: roles/sshd/tasks/install.yml
# IIAB-ADMIN runs here - see its vars near top of this file:
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
openvpn_install: True
openvpn_enabled: False
# For /etc/iiab/openvpn_handle
@ -231,6 +216,9 @@ openvpn_server_real_ip: 3.89.148.185
openvpn_server_virtual_ip: 10.8.0.1
openvpn_server_port: 1194
# IIAB-ADMIN runs here - see its vars near top of this file:
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
# Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
# Please see recommendations at: https://itsfoss.com/swap-size/
pi_swap_file_size: 1024
@ -273,17 +261,6 @@ nginx_high_php_limits: False
# Make this False to disable http://box/common/services/power_off.php button:
apache_allow_sudo: True
# See also Apache vars {default_language, language_priority} @ top of this file
#
# 2020-09-24: BOTH VALUES BELOW ARE IGNORED as Apache is installed on demand as
# a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED, PBX &/or phpMyAdmin
apache_install: False
apache_enabled: False
#
# NGINX proxies to Apache for legacy IIAB services, using:
apache_port: 8090
apache_interface: 127.0.0.1 # 2020-01-13: Var unused
# 4-SERVER-OPTIONS
@ -292,9 +269,11 @@ apache_interface: 127.0.0.1 # 2020-01-13: Var unused
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
# UNMAINTAINED as of July 2021
squid_install: False
squid_enabled: False
# UNMAINTAINED as of July 2021
# DansGuardian REQUIRES Squid (above) be installed & enabled.
# DansGuardian is NO LONGER AVAILABLE in Debian Buster i.e. since June 2019.
dansguardian_install: False
@ -349,7 +328,6 @@ idmgr_enabled: False # 2020-01-23: UNUSED
# 6-GENERIC-APPS
# UNMAINTAINED as of September 2020
azuracast_install: False
azuracast_enabled: False # This var is currently IGNORED
azuracast_http_port: 10080
@ -370,6 +348,7 @@ dokuwiki_url: /dokuwiki
ejabberd_install: False
ejabberd_enabled: False
# UNMAINTAINED as of July 2021
elgg_install: False
elgg_enabled: False
# elgg_mysql_password: $6$iiab51$jeTwnATcbaa92xo0QBTgjLBU.5aVDDrbKeNyyC99R/TAWz6pvfzj.L7lfnOVVjD78nxqT.gkNn6XZmuRV0W3o1
@ -432,17 +411,6 @@ nextcloud_enabled: False
# Uncomment the following line to end that: (might install an older Nextcloud!)
# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
# Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi.
# If using PBX intensively, set nginx_high_php_limits further above.
pbx_install: False
pbx_enabled: False
asterisk_chan_dongle: False
pbx_signaling_ports_chan_sip: 5160:5161
pbx_signaling_ports_chan_pjsip: 5060
pbx_data_ports: 10000:20000
pbx_http_port: 83
# If using WordPress intensively, set nginx_high_php_limits further above.
wordpress_install: False
wordpress_enabled: False
@ -560,15 +528,16 @@ monit_install: False
monit_enabled: False
watchdog:
- sshd
- idmgr
- ejabberd
- httpd
#- idmgr
#- ejabberd
#- httpd
- postgresql
- squid
#- squid
munin_install: False
munin_enabled: False
# UNMAINTAINED as of July 2021
# Handy for maintaining tables, but DANGEROUS if not locked down
phpmyadmin_install: False
phpmyadmin_enabled: False
@ -579,6 +548,16 @@ vnstat_enabled: False
# 9-LOCAL-ADDONS
# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
# extensively later refined (PRs #1179, #1300, #1327, #2070).
captiveportal_install: True
captiveportal_enabled: False
captiveportal_port: 9090
captiveportal_splash_page: /
# You might also want to set iiab_home_url (above!)
# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
# 2020-09-24: BOTH VALUES BELOW ARE IGNORED as Yarn is installed on demand as a
# dependency -- by Internet Archive
yarn_install: False
@ -599,7 +578,20 @@ minetest_server_admin: Admin
minetest_default_game: carbone-ng # only carbone-ng and minetest are supported
minetest_flat_world: False
# Calibre E-Book Library
# Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX
calibreweb_install: False
calibreweb_enabled: False
calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
calibreweb_url1: /books # For SHORT URL http://box/books (English)
calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
calibreweb_home: "{{ content_base }}/calibre-web" # /library/calibre-web
# SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so
# ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!)
# Calibre E-Book Library -- https://calibre-ebook.com
# WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL
# ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED.
calibre_install: False
@ -616,18 +608,19 @@ calibre_port: 8080
calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529
# Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below!
# WARNING: Calibre-Web (below) depends on Calibre's own /usr/bin/ebook-convert
# program, so we recommend you also install Calibre (above!)
# Calibre-Web alternative to Calibre, offers a clean/modern UX
calibreweb_install: False
calibreweb_enabled: False
calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
calibreweb_url1: /books # For SHORT URL http://box/books (English)
calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
calibreweb_home: "{{ content_base }}/calibre-web" # /library/calibre-web
# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
# REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work.
# INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme
# If using PBX intensively, investigate nginx_high_php_limits further above.
pbx_install: False
pbx_enabled: False
pbx_try_nginx: False # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
# AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
asterisk_chan_dongle: False
pbx_signaling_ports_chan_sip: 5160:5161
pbx_signaling_ports_chan_pjsip: 5060
pbx_data_ports: 10000:20000
pbx_http_port: 83
# =============================================================================

131
vars/local_vars_big.yml
View file

@ -15,10 +15,6 @@
# Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
download_timeout: 200
# Languages (for Apache)
default_language: en
language_priority: en es fr
# Real-time clock: set RTC chip family here. Future auto-detection plausible?
rtc_id: none # Or ds3231 ?
@ -102,38 +98,14 @@ ports_externally_visible: 3 # ssh + http-or-https + common IIAB services
# Set True if client machines should have "passthrough" access to WAN/Internet:
iiab_gateway_enabled: False
dhcpd_install: False
dhcpd_enabled: False
# named (BIND)
named_install: False
named_enabled: False
# dnsmasq - handles DHCP and DNS
dnsmasq_install: True
dnsmasq_enabled: True
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
dns_jail_enabled: False
# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
# extensively later refined (PRs #1179, #1300, #1327, #2070).
captiveportal_install: True
captiveportal_enabled: False
captiveportal_splash_page: /
# You might also want to set iiab_home_url (above!)
# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
# Bluetooth PAN access to IIAB server
# Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
bluetooth_install: True
bluetooth_enabled: False
bluetooth_term_enabled: False
# UNMAINTAINED as of October 2017: https://github.com/iiab/iiab/pull/382
# wondershaper_install: False
# wondershaper_enabled: False
# 1-PREP
@ -141,15 +113,15 @@ bluetooth_term_enabled: False
sshd_install: True # Required by OpenVPN
sshd_enabled: True
# IIAB-ADMIN runs here - see its vars near top of this file:
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
openvpn_install: True
openvpn_enabled: False
# Set /etc/iiab/openvpn_handle in advance here:
openvpn_handle: BIG-sized - Put Your Name Here
# IIAB-ADMIN runs here - see its vars near top of this file:
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
# Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
# Please see recommendations at: https://itsfoss.com/swap-size/
pi_swap_file_size: 1024
@ -173,8 +145,6 @@ nginx_high_php_limits: False
# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
# See also Apache vars {default_language, language_priority} @ top of this file
#
# Make this False to disable http://box/common/services/power_off.php button:
apache_allow_sudo: True
@ -186,14 +156,6 @@ apache_allow_sudo: True
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
squid_install: False
squid_enabled: False
# DansGuardian REQUIRES Squid (above) be installed & enabled.
# DansGuardian is NO LONGER AVAILABLE in Debian Buster i.e. since June 2019.
dansguardian_install: False
dansguardian_enabled: False
# Common UNIX Printing System (CUPS)
cups_install: True
cups_enabled: True
@ -214,42 +176,12 @@ usb_lib_umask0000_for_kolibri: True
# Lesser-supported XO services need additional testing. Please contact
# http://lists.laptop.org/pipermail/server-devel/ if you're able to help test.
# UNMAINTAINED
# xo_services_install: False
# xo_services_enabled: False
# UNMAINTAINED
# activity_server_install: False
# activity_server_enabled: False
# UNMAINTAINED
# Please instead consider 'ejabberd' in Stage 6-GENERIC-APPS below
# ejabberd_xs_install: False
# ejabberd_xs_enabled: False
# UNMAINTAINED
# Change calibre_port from 8080 to 8010 below, if you enable idmgr
# idmgr_install: False
# idmgr_enabled: False
# 6-GENERIC-APPS
# UNMAINTAINED as of September 2020
azuracast_install: False
azuracast_enabled: False # This var is currently IGNORED.
# UNMAINTAINED as of January 2020: https://github.com/iiab/iiab/issues/2056
# dokuwiki_install: False
# dokuwiki_enabled: False
# UNMAINTAINED as of November 2019
# ejabberd_install: False
# ejabberd_enabled: False
elgg_install: True
elgg_enabled: True
# Gitea (lightweight self-hosted "GitHub") from https://gitea.io
gitea_install: True
gitea_enabled: True
@ -289,13 +221,6 @@ nextcloud_enabled: True
# Uncomment the following line to end that: (might install an older Nextcloud!)
# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
# Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi.
# If using PBX intensively, set nginx_high_php_limits further above.
pbx_install: False
pbx_enabled: False
asterisk_chan_dongle: False
# If using WordPress intensively, set nginx_high_php_limits further above.
wordpress_install: True
wordpress_enabled: True
@ -367,8 +292,9 @@ monit_enabled: False
munin_install: True
munin_enabled: True
# UNMAINTAINED as of July 2021
# Handy for maintaining tables, but DANGEROUS if not locked down
phpmyadmin_install: True
phpmyadmin_install: False
phpmyadmin_enabled: False
vnstat_install: True
@ -377,6 +303,15 @@ vnstat_enabled: True
# 9-LOCAL-ADDONS
# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
# extensively later refined (PRs #1179, #1300, #1327, #2070).
captiveportal_install: True
captiveportal_enabled: False
captiveportal_splash_page: /
# You might also want to set iiab_home_url (above!)
# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
# Internet Archive Decentralized Web - create your own offline version box:4244
# (or http://box/archive) arising from digital library https://dweb.archive.org
internetarchive_install: True
@ -386,7 +321,20 @@ internetarchive_enabled: True
minetest_install: True
minetest_enabled: True
# Calibre E-Book Library
# Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX
calibreweb_install: True
calibreweb_enabled: True
calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
calibreweb_url1: /books # For SHORT URL http://box/books (English)
calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web"
# SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so
# ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!)
# Calibre E-Book Library -- https://calibre-ebook.com
# WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL
# ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED.
calibre_install: False
@ -397,15 +345,12 @@ calibre_port: 8080
calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529
# Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below!
# WARNING: Calibre-Web (below) depends on Calibre's own /usr/bin/ebook-convert
# program, so we recommend you also install Calibre (above!)
# Calibre-Web alternative to Calibre, offers a clean/modern UX
calibreweb_install: True
calibreweb_enabled: True
calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
calibreweb_url1: /books # For SHORT URL http://box/books (English)
calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web"
# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
# REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work.
# INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme
# If using PBX intensively, investigate nginx_high_php_limits further above.
pbx_install: False
pbx_enabled: False
pbx_try_nginx: False # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
# AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
asterisk_chan_dongle: False

129
vars/local_vars_medium.yml
View file

@ -15,10 +15,6 @@
# Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
download_timeout: 200
# Languages (for Apache)
default_language: en
language_priority: en es fr
# Real-time clock: set RTC chip family here. Future auto-detection plausible?
rtc_id: none # Or ds3231 ?
@ -102,38 +98,14 @@ ports_externally_visible: 3 # ssh + http-or-https + common IIAB services
# Set True if client machines should have "passthrough" access to WAN/Internet:
iiab_gateway_enabled: False
dhcpd_install: False
dhcpd_enabled: False
# named (BIND)
named_install: False
named_enabled: False
# dnsmasq - handles DHCP and DNS
dnsmasq_install: True
dnsmasq_enabled: True
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
dns_jail_enabled: False
# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
# extensively later refined (PRs #1179, #1300, #1327, #2070).
captiveportal_install: True
captiveportal_enabled: False
captiveportal_splash_page: /
# You might also want to set iiab_home_url (above!)
# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
# Bluetooth PAN access to IIAB server
# Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
bluetooth_install: True
bluetooth_enabled: False
bluetooth_term_enabled: False
# UNMAINTAINED as of October 2017: https://github.com/iiab/iiab/pull/382
# wondershaper_install: False
# wondershaper_enabled: False
# 1-PREP
@ -141,15 +113,15 @@ bluetooth_term_enabled: False
sshd_install: True # Required by OpenVPN
sshd_enabled: True
# IIAB-ADMIN runs here - see its vars near top of this file:
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
openvpn_install: True
openvpn_enabled: False
# Set /etc/iiab/openvpn_handle in advance here:
openvpn_handle: MEDIUM-sized - Put Your Name Here
# IIAB-ADMIN runs here - see its vars near top of this file:
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
# Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
# Please see recommendations at: https://itsfoss.com/swap-size/
pi_swap_file_size: 1024
@ -173,8 +145,6 @@ nginx_high_php_limits: False
# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
# See also Apache vars {default_language, language_priority} @ top of this file
#
# Make this False to disable http://box/common/services/power_off.php button:
apache_allow_sudo: True
@ -186,14 +156,6 @@ apache_allow_sudo: True
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
squid_install: False
squid_enabled: False
# DansGuardian REQUIRES Squid (above) be installed & enabled.
# DansGuardian is NO LONGER AVAILABLE in Debian Buster i.e. since June 2019.
dansguardian_install: False
dansguardian_enabled: False
# Common UNIX Printing System (CUPS)
cups_install: False
cups_enabled: False
@ -214,42 +176,12 @@ usb_lib_umask0000_for_kolibri: True
# Lesser-supported XO services need additional testing. Please contact
# http://lists.laptop.org/pipermail/server-devel/ if you're able to help test.
# UNMAINTAINED
# xo_services_install: False
# xo_services_enabled: False
# UNMAINTAINED
# activity_server_install: False
# activity_server_enabled: False
# UNMAINTAINED
# Please instead consider 'ejabberd' in Stage 6-GENERIC-APPS below
# ejabberd_xs_install: False
# ejabberd_xs_enabled: False
# UNMAINTAINED
# Change calibre_port from 8080 to 8010 below, if you enable idmgr
# idmgr_install: False
# idmgr_enabled: False
# 6-GENERIC-APPS
# UNMAINTAINED as of September 2020
azuracast_install: False
azuracast_enabled: False # This var is currently IGNORED.
# UNMAINTAINED as of January 2020: https://github.com/iiab/iiab/issues/2056
# dokuwiki_install: False
# dokuwiki_enabled: False
# UNMAINTAINED as of November 2019
# ejabberd_install: False
# ejabberd_enabled: False
elgg_install: False
elgg_enabled: False
# Gitea (lightweight self-hosted "GitHub") from https://gitea.io
gitea_install: False
gitea_enabled: False
@ -289,13 +221,6 @@ nextcloud_enabled: True
# Uncomment the following line to end that: (might install an older Nextcloud!)
# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
# Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi.
# If using PBX intensively, set nginx_high_php_limits further above.
pbx_install: False
pbx_enabled: False
asterisk_chan_dongle: False
# If using WordPress intensively, set nginx_high_php_limits further above.
wordpress_install: True
wordpress_enabled: True
@ -367,6 +292,7 @@ monit_enabled: False
munin_install: False
munin_enabled: False
# UNMAINTAINED as of July 2021
# Handy for maintaining tables, but DANGEROUS if not locked down
phpmyadmin_install: False
phpmyadmin_enabled: False
@ -377,6 +303,15 @@ vnstat_enabled: False
# 9-LOCAL-ADDONS
# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
# extensively later refined (PRs #1179, #1300, #1327, #2070).
captiveportal_install: True
captiveportal_enabled: False
captiveportal_splash_page: /
# You might also want to set iiab_home_url (above!)
# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
# Internet Archive Decentralized Web - create your own offline version box:4244
# (or http://box/archive) arising from digital library https://dweb.archive.org
internetarchive_install: False
@ -386,7 +321,20 @@ internetarchive_enabled: False
minetest_install: False
minetest_enabled: False
# Calibre E-Book Library
# Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX
calibreweb_install: True
calibreweb_enabled: True
calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
calibreweb_url1: /books # For SHORT URL http://box/books (English)
calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web"
# SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so
# ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!)
# Calibre E-Book Library -- https://calibre-ebook.com
# WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL
# ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED.
calibre_install: False
@ -397,15 +345,12 @@ calibre_port: 8080
calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529
# Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below!
# WARNING: Calibre-Web (below) depends on Calibre's own /usr/bin/ebook-convert
# program, so we recommend you also install Calibre (above!)
# Calibre-Web alternative to Calibre, offers a clean/modern UX
calibreweb_install: True
calibreweb_enabled: True
calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
calibreweb_url1: /books # For SHORT URL http://box/books (English)
calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web"
# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
# REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work.
# INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme
# If using PBX intensively, investigate nginx_high_php_limits further above.
pbx_install: False
pbx_enabled: False
pbx_try_nginx: False # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
# AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
asterisk_chan_dongle: False

129
vars/local_vars_min.yml
View file

@ -15,10 +15,6 @@
# Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
download_timeout: 200
# Languages (for Apache)
default_language: en
language_priority: en es fr
# Real-time clock: set RTC chip family here. Future auto-detection plausible?
rtc_id: none # Or ds3231 ?
@ -102,38 +98,14 @@ ports_externally_visible: 3 # ssh + http-or-https + common IIAB services
# Set True if client machines should have "passthrough" access to WAN/Internet:
iiab_gateway_enabled: False
dhcpd_install: False
dhcpd_enabled: False
# named (BIND)
named_install: False
named_enabled: False
# dnsmasq - handles DHCP and DNS
dnsmasq_install: True
dnsmasq_enabled: True
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
dns_jail_enabled: False
# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
# extensively later refined (PRs #1179, #1300, #1327, #2070).
captiveportal_install: True
captiveportal_enabled: False
captiveportal_splash_page: /
# You might also want to set iiab_home_url (above!)
# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
# Bluetooth PAN access to IIAB server
# Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
bluetooth_install: True
bluetooth_enabled: False
bluetooth_term_enabled: False
# UNMAINTAINED as of October 2017: https://github.com/iiab/iiab/pull/382
# wondershaper_install: False
# wondershaper_enabled: False
# 1-PREP
@ -141,15 +113,15 @@ bluetooth_term_enabled: False
sshd_install: True # Required by OpenVPN
sshd_enabled: True
# IIAB-ADMIN runs here - see its vars near top of this file:
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
openvpn_install: True
openvpn_enabled: False
# Set /etc/iiab/openvpn_handle in advance here:
openvpn_handle: MIN-sized - Put Your Name Here
# IIAB-ADMIN runs here - see its vars near top of this file:
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
# Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
# Please see recommendations at: https://itsfoss.com/swap-size/
pi_swap_file_size: 1024
@ -173,8 +145,6 @@ nginx_high_php_limits: False
# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
# See also Apache vars {default_language, language_priority} @ top of this file
#
# Make this False to disable http://box/common/services/power_off.php button:
apache_allow_sudo: True
@ -186,14 +156,6 @@ apache_allow_sudo: True
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
squid_install: False
squid_enabled: False
# DansGuardian REQUIRES Squid (above) be installed & enabled.
# DansGuardian is NO LONGER AVAILABLE in Debian Buster i.e. since June 2019.
dansguardian_install: False
dansguardian_enabled: False
# Common UNIX Printing System (CUPS)
cups_install: False
cups_enabled: False
@ -214,42 +176,12 @@ usb_lib_umask0000_for_kolibri: True
# Lesser-supported XO services need additional testing. Please contact
# http://lists.laptop.org/pipermail/server-devel/ if you're able to help test.
# UNMAINTAINED
# xo_services_install: False
# xo_services_enabled: False
# UNMAINTAINED
# activity_server_install: False
# activity_server_enabled: False
# UNMAINTAINED
# Please instead consider 'ejabberd' in Stage 6-GENERIC-APPS below
# ejabberd_xs_install: False
# ejabberd_xs_enabled: False
# UNMAINTAINED
# Change calibre_port from 8080 to 8010 below, if you enable idmgr
# idmgr_install: False
# idmgr_enabled: False
# 6-GENERIC-APPS
# UNMAINTAINED as of September 2020
azuracast_install: False
azuracast_enabled: False # This var is currently IGNORED.
# UNMAINTAINED as of January 2020: https://github.com/iiab/iiab/issues/2056
# dokuwiki_install: False
# dokuwiki_enabled: False
# UNMAINTAINED as of November 2019
# ejabberd_install: False
# ejabberd_enabled: False
elgg_install: False
elgg_enabled: False
# Gitea (lightweight self-hosted "GitHub") from https://gitea.io
gitea_install: False
gitea_enabled: False
@ -289,13 +221,6 @@ nextcloud_enabled: False
# Uncomment the following line to end that: (might install an older Nextcloud!)
# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
# Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi.
# If using PBX intensively, set nginx_high_php_limits further above.
pbx_install: False
pbx_enabled: False
asterisk_chan_dongle: False
# If using WordPress intensively, set nginx_high_php_limits further above.
wordpress_install: False
wordpress_enabled: False
@ -367,6 +292,7 @@ monit_enabled: False
munin_install: False
munin_enabled: False
# UNMAINTAINED as of July 2021
# Handy for maintaining tables, but DANGEROUS if not locked down
phpmyadmin_install: False
phpmyadmin_enabled: False
@ -377,6 +303,15 @@ vnstat_enabled: False
# 9-LOCAL-ADDONS
# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
# extensively later refined (PRs #1179, #1300, #1327, #2070).
captiveportal_install: True
captiveportal_enabled: False
captiveportal_splash_page: /
# You might also want to set iiab_home_url (above!)
# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
# Internet Archive Decentralized Web - create your own offline version box:4244
# (or http://box/archive) arising from digital library https://dweb.archive.org
internetarchive_install: False
@ -386,7 +321,20 @@ internetarchive_enabled: False
minetest_install: False
minetest_enabled: False
# Calibre E-Book Library
# Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX
calibreweb_install: False
calibreweb_enabled: False
calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
calibreweb_url1: /books # For SHORT URL http://box/books (English)
calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web"
# SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so
# ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!)
# Calibre E-Book Library -- https://calibre-ebook.com
# WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL
# ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED.
calibre_install: False
@ -397,15 +345,12 @@ calibre_port: 8080
calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529
# Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below!
# WARNING: Calibre-Web (below) depends on Calibre's own /usr/bin/ebook-convert
# program, so we recommend you also install Calibre (above!)
# Calibre-Web alternative to Calibre, offers a clean/modern UX
calibreweb_install: False
calibreweb_enabled: False
calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
calibreweb_url1: /books # For SHORT URL http://box/books (English)
calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web"
# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
# REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work.
# INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme
# If using PBX intensively, investigate nginx_high_php_limits further above.
pbx_install: False
pbx_enabled: False
pbx_try_nginx: False # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
# AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
asterisk_chan_dongle: False

0
vars/local_vars_olpc.yml → vars/local_vars_olpc.yml.unused
View file

356
vars/local_vars_unittest.yml Normal file
View file

@ -0,0 +1,356 @@
# This is local_vars_unittest.yml -- copy it to /etc/iiab/local_vars.yml then...
# modify variables below, to override /opt/iiab/iiab/vars/default_vars.yml
# PLZ READ http://wiki.laptop.org/go/IIAB/local_vars.yml AND http://FAQ.IIAB.IO
# Orig Idea: branch github.com/xsce/xsce-local for your deployment/community
# IIAB does NOT currently support uninstalling apps! So: if any IIAB app is
# installed with 'APP_XYZ_install: True' below, do NOT later change that.
# WARNING: IF YOU CONNECT YOUR IIAB'S INTERNAL WIFI TO THE INTERNET OVER 5 GHz,
# YOU'LL PREVENT OLDER LAPTOPS/PHONES/TABLETS (WHICH REQUIRE 2.4 GHz) FROM
# CONNECTING TO YOUR IIAB'S INTERNAL HOTSPOT. See "wifi_up_down: True" below.
# Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
download_timeout: 200
# Real-time clock: set RTC chip family here. Future auto-detection plausible?
rtc_id: none # Or ds3231 ?
# Please read more about the 'iiab-admin' Linux user, for login to IIAB's
# Admin Console (http://box.lan/admin) AND to help you at the command-line:
# https://github.com/iiab/iiab/tree/master/roles/iiab-admin
# https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
#
iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc.
# Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
iiab_admin_user_install: True # If False, THE SETTING BELOW WILL BE IGNORED.
iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional.
# Set these to False if you do not want to install/enable IIAB Admin Console
admin_console_install: False
admin_console_enabled: False
#
# Set to "False" if you do not want to use the latest js-menus, either because
# you use WordPress or another home page, or if you prefer the older
# https://github.com/iiab/iiab-menu (no longer maintained)
js_menu_install: True
# IIAB Networking README: https://github.com/iiab/iiab/tree/master/roles/network
# IIAB Networking Doc: https://github.com/iiab/iiab/wiki/IIAB-Networking
# Read it offline too: http://box/info > "IIAB Networking"
iiab_hostname: box
iiab_domain: lan
# Homepage: set to /home or /wordpress or /wiki (for MediaWiki)
iiab_home_url: /home
# You might also want to set captiveportal_splash_page (below!)
# WARNING: IF YOU CONNECT YOUR IIAB'S INTERNAL WIFI TO THE INTERNET OVER 5 GHz,
# YOU'LL PREVENT OLDER LAPTOPS/PHONES/TABLETS (WHICH REQUIRE 2.4 GHz) FROM
# CONNECTING TO YOUR IIAB'S INTERNAL HOTSPOT. See "wifi_up_down: True" below.
#
# Raspberry Pi OS requires Wi-Fi country since March 2018. Please set it here:
host_country_code: US
host_ssid: unittest
host_wifi_mode: g
host_channel: 6
hostapd_secure: False # 2021-03-02 #2696 WiFi EAPOL fails if hotspot passwords,
hostapd_password: changeme # eg if firmware wifi_hotspot_capacity_rpi_fix: True
wifi_hotspot_capacity_rpi_fix: True # Restores the ability of RPi internal
# WiFi hotspots to service 30-to-32 client devices. Background explanation:
# https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472.
wifi_up_down: True # Creates a 2nd virtual WiFi adapter for upstream WiFi
# (e.g. to Internet) in addition to downstream WiFi (e.g. classroom hotspot).
# You can set iiab_gateway_enabled below, to enable "passthrough" to Internet.
# See "How do I set a static IP address?" for Ethernet, in http://FAQ.IIAB.IO
wan_ip: dhcp # wan_ip: 192.168.1.99
wan_netmask: # wan_netmask: 255.255.255.0
wan_gateway: # wan_gateway: 192.168.1.254
# If nec wan_nameserver can override ISP-provided DNS servers via dnsmasq:
# /etc/resolv.conf dictates which backend is used for the machine itself, so
# 127.0.0.1 means you get dnsmasq (so it works right away on RaspiOS) while
# 127.0.0.53 gives you systemd-networkd (so Ubuntu itself does NOT use this
# dnsmasq-specified upstream DNS [e.g. wan_nameserver] but its LAN clients do!)
wan_nameserver: # wan_nameserver: 192.168.1.254 or 8.8.8.8 or 1.1.1.1
wan_try_dhcp_before_static_ip: True # Facilitate field updates w/ cablemodems
# Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite
# (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server.
# Only 1 of the 6 lines below should be uncommented:
#
#ports_externally_visible: 0 # none
#ports_externally_visible: 1 # ssh only
#ports_externally_visible: 2 # ssh + http-or-https (for Admin Console's box.lan/admin too)
ports_externally_visible: 3 # ssh + http-or-https + common IIAB services
#ports_externally_visible: 4 # ssh + http-or-https + common IIAB services + Samba
#ports_externally_visible: 5 # all but databases
#
# Or further customize your iptables firewall by editing:
# /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
# And then run: cd /opt/iiab/iiab; ./iiab-network
# Set True if client machines should have "passthrough" access to WAN/Internet:
iiab_gateway_enabled: False
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
dns_jail_enabled: False
# Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
bluetooth_install: False
bluetooth_enabled: False
bluetooth_term_enabled: False
# 1-PREP
# SSHD runs here & also below in 4-SERVER-OPTIONS
sshd_install: True # Required by OpenVPN
sshd_enabled: True
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
openvpn_install: True
openvpn_enabled: True
# Set /etc/iiab/openvpn_handle in advance here:
openvpn_handle: unittest - Put Your Name Here
# IIAB-ADMIN runs here - see its vars near top of this file:
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
# Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
# Please see recommendations at: https://itsfoss.com/swap-size/
pi_swap_file_size: 1024
# 2-COMMON
# /usr/libexec/iiab-startup.sh is much like autoexec.bat & /etc/rc.local
# It's put in place by 2-common/tasks/iiab-startup.yml at the end of Stage 2.
# 3-BASE-SERVER
# roles/mysql runs here (mandatory)
# For schools that use WordPress/Nextcloud/Moodle/PBX intensively:
nginx_high_php_limits: False
# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
# roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True'
# REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS...
# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
# Make this False to disable http://box/common/services/power_off.php button:
apache_allow_sudo: True
# 4-SERVER-OPTIONS
# SSHD runs here & also above in 1-PREP
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
# Common UNIX Printing System (CUPS)
cups_install: False
cups_enabled: False
# At Your Own Risk: take a security audit seriously before deploying this
samba_install: False
samba_enabled: False
# Show entire contents of USB sticks/drives (at http://box/usb)
iiab_usb_lib_show_all: True
# Set umask=0000 for VFAT, NTFS and exFAT in /etc/usbmount/usbmount.conf so
# Kolibri can export & import channels to USB sticks/drive:
usb_lib_umask0000_for_kolibri: True
# 5-XO-SERVICES
# Lesser-supported XO services need additional testing. Please contact
# http://lists.laptop.org/pipermail/server-devel/ if you're able to help test.
# 6-GENERIC-APPS
azuracast_install: False
azuracast_enabled: False # This var is currently IGNORED.
# Gitea (lightweight self-hosted "GitHub") from https://gitea.io
gitea_install: False
gitea_enabled: False
# JupyterHub programming environment with student Notebooks
jupyterhub_install: False
jupyterhub_enabled: False
# Lokole (email for rural communities) from https://ascoderu.ca
lokole_install: False
lokole_enabled: False
mediawiki_install: False
mediawiki_enabled: False
# MQTT pub-sub broker for IoT on Raspberry Pi etc
mosquitto_install: False
mosquitto_enabled: False
# Flow-based visual programming for wiring together IoT hardware devices etc
nodered_install: False
nodered_enabled: False
# Store your docs, calendar, contacts & photos on your local server not cloud!
# If using Nextcloud intensively, set nginx_high_php_limits further above.
nextcloud_install: False
nextcloud_enabled: False
#
# 2020-02-15: UNUSED at this time. Legacy remains from Apache:
# nextcloud_allow_public_ips: True
#
# Configuration tips for IPv4 access controls and tuning RAM/resources:
# https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md
#
# 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle
# you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112).
# Uncomment the following line to end that: (might install an older Nextcloud!)
# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
# If using WordPress intensively, set nginx_high_php_limits further above.
wordpress_install: False
wordpress_enabled: False
# 7-EDU-APPS
# KA Lite - SEE THE "Transmission" BITTORRENT DOWNLOADER FURTHER BELOW, TO INSTALL THOUSANDS OF VIDEOS
kalite_install: False
kalite_enabled: False
kolibri_install: False
kolibri_enabled: False
kolibri_language: en # ar,bg-bg,bn-bd,de,en,es-es,es-419,fa,fr-fr,ff-cm,gu-in,hi-in,it,km,ko,mr,my,nyn,pt-br,sw-tz,te,ur-pk,vi,yo,zh-hans
# kiwix_install: True is REQUIRED, if you install IIAB's Admin Console
kiwix_install: False
kiwix_enabled: False
# Warning: Moodle is a serious LMS, that takes a while to install.
moodle_install: False
moodle_enabled: False
# If using Moodle intensively, set nginx_high_php_limits further above.
# Regional OSM vector maps use far less disk space than bitmap/raster versions.
# Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps
osm_vector_maps_install: False
osm_vector_maps_enabled: False
# Set to "True" to download .mbtiles files from Archive.org (might be slow!)
maps_from_internet_archive: False
# Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879
# Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957
# 2020-09-22: Both vars WERE IGNORED on Deb 10 (MongoDB) but no longer? #1437
sugarizer_install: False
sugarizer_enabled: False
# 8-MGMT-TOOLS
# BitTorrent downloader for large Content Packs etc
transmission_install: False
transmission_enabled: False
# A. UNCOMMENT LANGUAGE(S) TO DOWNLOAD KA Lite VIDEOS TO /library/transmission
# using http://pantry.learningequality.org/downloads/ka-lite/0.17/content/
transmission_kalite_languages:
#- english
#- french
#- hindi
#- portugal-portuguese
#- brazilian-portuguese
#- spanish
#- swahili
# B. Monitor BitTorrent downloads at http://box:9091 using Admin/changeme
# until the download is confirmed complete (can take hours if not days!)
# C. Carefully move all videos/thumbnails into /library/ka-lite/content
# (DO NOT OVERWRITE SUBFOLDERS assessment, locale, srt !)
# D. Log in to KA Lite at http://box:8008/updates/videos/ using Admin/changeme
# then click "Scan content folder for videos" (can take many minutes!)
# E. READ "KA Lite Administration: What tips & tricks exist?" AT http://FAQ.IIAB.IO
awstats_install: False
awstats_enabled: False
# 2020-09-22 WARNING: both vars are IGNORED on Debian 10 due to: iiab/iiab#1849
monit_install: False
monit_enabled: False
munin_install: False
munin_enabled: False
# UNMAINTAINED as of July 2021
# Handy for maintaining tables, but DANGEROUS if not locked down
phpmyadmin_install: False
phpmyadmin_enabled: False
vnstat_install: False
vnstat_enabled: False
# 9-LOCAL-ADDONS
# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
# extensively later refined (PRs #1179, #1300, #1327, #2070).
captiveportal_install: False
captiveportal_enabled: False
captiveportal_splash_page: /
# You might also want to set iiab_home_url (above!)
# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
# Internet Archive Decentralized Web - create your own offline version box:4244
# (or http://box/archive) arising from digital library https://dweb.archive.org
internetarchive_install: False
internetarchive_enabled: False
# Minetest is an open source clone of the Minecraft building blocks game
minetest_install: False
minetest_enabled: False
# Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX
calibreweb_install: False
calibreweb_enabled: False
calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
calibreweb_url1: /books # For SHORT URL http://box/books (English)
calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web"
# SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so
# ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!)
# Calibre E-Book Library -- https://calibre-ebook.com
# WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL
# ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED.
calibre_install: False
calibre_enabled: False
# Change calibre_port to 8010 if you're using XO laptops needing above idmgr ?
calibre_port: 8080
# Change calibre to XYZ to add your own mnemonic URL like: http://box/XYZ
calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529
# Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below!
# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
# REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work.
# INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme
# If using PBX intensively, investigate nginx_high_php_limits further above.
pbx_install: False
pbx_enabled: False
pbx_try_nginx: False # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
# AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
asterisk_chan_dongle: False