Release Cleanup of validate_vars, default_vars, local_vars, Stages 0-4, SSHD

roles/0-init/tasks/validate_vars.yml

@@ -42,7 +42,7 @@
 # are officially now UNMAINTAINED in default_vars.yml and
 # https://github.com/iiab/iiab/blob/master/unmaintained-roles.txt etc?
 
-- name: Set vars_checklist for 46 + 46 + up-to-46 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
+- name: Set vars_checklist for 47 + 47 + up-to-47 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
   set_fact:
     vars_checklist:
       - hostapd
@@ -54,8 +54,13 @@
       - wondershaper
       - sshd
       - openvpn
+      - admin_console
+      #- nginx     # MANDATORY
+      #- apache    # Dependency installed on demand, by other apps/services
+      #- mysql     # MANDATORY
       - squid
       - dansguardian
+      #- postgresql    # Dependency installed on demand, by other apps/services
       - cups
       - samba
       - usb_lib
@@ -71,6 +76,7 @@
       - lokole
       - mediawiki
       - mosquitto
+      #- nodejs    # Dependency installed on demand, by other apps/services
       - nodered
       - nextcloud
       - pbx
@@ -79,6 +85,7 @@
       - kolibri
       - kiwix
       - moodle
+      #- mongodb    # Dependency installed on demand, by other apps/services
       - sugarizer
       - osm_vector_maps
       - transmission

roles/1-prep/tasks/main.yml

@@ -5,6 +5,7 @@
 
 - name: dnsmasq (install now, configure LATER in 'network', after Stage 9)
   include_tasks: roles/network/tasks/dnsmasq.yml
+  #when: dnsmasq_install | bool    # Flag might be used in future?
 
 - name: Install uuid-runtime package (debuntu)
   package:
@@ -74,13 +75,16 @@
   shell: apt -y remove "libgeos-*"
   when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
 
+# Required by OpenVPN below.  Also run by roles/4-server-options/tasks/main.yml
 - name: SSHD
   include_role:
     name: sshd
+  when: sshd_install | bool
 
 - name: IIAB-ADMIN
   include_role:
     name: iiab-admin
+  #when: iiab_admin_install | bool    # Flag might be created in future?
 
 - name: OPENVPN
   include_role:

roles/2-common/tasks/packages.yml

@@ -40,7 +40,7 @@
       - htop
       - i2c-tools
       - logrotate
-      #- lynx    # Already installed by 1-prep's roles/iiab-admin/tasks/access.yml
+      #- lynx    # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
       - make
       - mlocate
       - netmask
@@ -50,6 +50,7 @@
       - pandoc
       - pastebinit
       - rsync
+      #- screen    # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
       - sqlite3
       - sudo
       - tar

roles/3-base-server/tasks/main.yml

@@ -6,6 +6,7 @@
 - name: MYSQL
   include_role:
     name: mysql
+  #when: mysql_install | bool
 
 # 2020-05-21: Apache role 'httpd' is installed as nec by any of these 7 roles:
 #
@@ -21,6 +22,7 @@
 - name: NGINX
   include_role:
     name: nginx
+  #when: nginx_install | bool
 
 - name: WWW_BASE (WWW_OPTIONS should be installed later)
   include_role:

roles/4-server-options/tasks/main.yml

@@ -16,10 +16,13 @@
 - name: Install pylibs (IIAB's python libs)
   include_role:
     name: pylibs
+  #when: pylibs_install | bool    # Flag might be created in future?
 
+# Also run roles/1-prep/tasks/main.yml as required by OpenVPN.
 - name: SSHD
   include_role:
     name: sshd
+  when: sshd_install | bool
 
 - name: Install named / BIND
   include_tasks: roles/network/tasks/named.yml
@@ -60,6 +63,7 @@
 - name: WWW_OPTIONS (WWW_BASE should have been installed earlier)
   include_role:
     name: www_options
+  #when: www_options_install | bool    # Flag might be created in future?
 
 - name: Recording STAGE 4 HAS COMPLETED ==================
   lineinfile:

roles/mediawiki/defaults/main.yml

@@ -5,7 +5,7 @@
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 
 mediawiki_major_version: 1.34    # "1.34" also works
-mediawiki_minor_version: 3
+mediawiki_minor_version: 4
 mediawiki_version: "{{ mediawiki_major_version }}.{{ mediawiki_minor_version }}"
 
 mediawiki_download_base_url: "https://releases.wikimedia.org/mediawiki/{{ mediawiki_major_version }}"

roles/network/tasks/avahi.yml

@@ -43,7 +43,7 @@
   lineinfile:
     dest: /etc/avahi/services/ssh.service
     regexp: '</port>$'
-    line: '    <port>{{ ssh_port }}</port>'
+    line: '    <port>{{ sshd_port }}</port>'
     state: present
     backrefs: yes
 

roles/network/templates/gateway/iiab-gen-iptables

@@ -46,7 +46,7 @@ echo -e "WAN: $wan\n"
 ports_externally_visible={{ ports_externally_visible }}
 #services_externally_visible= [deprecated]
 gw_block_https={{ gw_block_https }}
-ssh_port={{ ssh_port }}
+sshd_port={{ sshd_port }}
 #gui_wan= [no longer needed]
 gui_port={{ gui_port }}
 iiab_gateway_enabled={{ iiab_gateway_enabled }}
@@ -132,7 +132,7 @@ if [ "$wan" != "none" ]; then
 
     # 1 = ssh only
     if [ "$ports_externally_visible" -ge 1 ]; then
-        $IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp --dport $sshd_port -m state --state NEW -i $wan -j ACCEPT
     fi
 
     # 2 = ssh + http-or-https (for Admin Console's box.lan/admin too)

roles/sshd/tasks/enable-or-disable.yml

@@ -0,0 +1,15 @@
+- name: Enable & (Re)Start ssh daemon ({{ sshd_service }}) if sshd_enabled
+  systemd:
+    daemon_reload: yes
+    name: "{{ sshd_service }}"
+    enabled: yes
+    state: restarted
+  when: sshd_enabled | bool
+
+- name: Disable & Stop ssh daemon ({{ sshd_service }}) if not sshd_enabled
+  systemd:
+    daemon_reload: yes
+    name: "{{ sshd_service }}"
+    enabled: no
+    state: stopped
+  when: not sshd_enabled

roles/sshd/tasks/install.yml

@@ -0,0 +1,55 @@
+# TODO:
+#
+# 1) Implement sshd_port IF it's truly needed? Mentioned here as of 2020-09-24:
+#
+#    vars/default_vars.yml  Line 283
+#    roles/sshd/tasks/main.yml  Lines 41-42
+#    roles/network/tasks/avahi.yml  Line 46
+#    roles/network/templates/gateway/iiab-gen-iptables  Line 49 & 135
+#
+# 2) Use Ansible handler to reload ssh?
+
+- name: "Install ssh daemon using package: {{ sshd_package }}"
+  package:
+    name: "{{ sshd_package }}"
+    state: present
+
+- name: Disable password-based logins to root
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^PermitRootLogin'
+    line: 'PermitRootLogin without-password'
+    state: present
+  #when: sshd_enabled | bool
+
+- name: mkdir /root/.ssh
+  file:
+    state: directory
+    path: /root/.ssh
+    owner: root
+    group: root
+    mode: '0700'
+  #when: sshd_enabled | bool
+
+- name: Install dummy root keys as placeholder
+  copy:
+    src: dummy_authorized_keys
+    dest: /root/.ssh/authorized_keys
+    owner: root
+    group: root
+    mode: '0600'
+    force: no
+  #when: sshd_enabled | bool
+
+
+# RECORD sshd AS INSTALLED
+
+- name: "Set 'sshd_installed: True'"
+  set_fact:
+    sshd_installed: True
+
+- name: "Add 'sshd_installed: True' to {{ iiab_state_file }}"
+  lineinfile:
+    path: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
+    regexp: '^sshd_installed'
+    line: 'sshd_installed: True'

roles/sshd/tasks/main.yml

@@ -1,61 +1,44 @@
-- name: "Install ssh daemon using package: {{ sshd_package }}"
-  package:
-    name: "{{ sshd_package }}"
-    state: present
+# "How do i fail a task in Ansible if the variable contains a boolean value?
+# I want to perform input validation for Ansible playbooks"
+# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499
 
-- name: Disable password-based logins to root
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: '^PermitRootLogin'
-    line: 'PermitRootLogin without-password'
-    state: present
-  #when: sshd_enabled | bool
-#TODO: use handler to reload ssh
+# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
+# to re-check whether vars are defined here.  As Ansible vars cannot be unset:
+# https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible
 
-- name: mkdir /root/.ssh
-  file:
-    state: directory
-    path: /root/.ssh
-    owner: root
-    group: root
-    mode: '0700'
-  #when: sshd_enabled | bool
+- name: Assert that "sshd_install is sameas true" (boolean not string etc)
+  assert:
+    that: sshd_install is sameas true
+    fail_msg: "PLEASE SET 'sshd_install: True' e.g. IN: /etc/iiab/local_vars.yml"
+    quiet: yes
 
-- name: Install dummy root keys as placeholder
-  copy:
-    src: dummy_authorized_keys
-    dest: /root/.ssh/authorized_keys
-    owner: root
-    group: root
-    mode: '0600'
-    force: no
-  #when: sshd_enabled | bool
+- name: Assert that "sshd_enabled | type_debug == 'bool'" (boolean not string etc)
+  assert:
+    that: sshd_enabled | type_debug == 'bool'
+    fail_msg: "PLEASE GIVE VARIABLE 'sshd_enabled' A PROPER (UNQUOTED) ANSIBLE BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
+    quiet: yes
 
 
-# RECORD sshd AS INSTALLED
-
-- name: "Set 'sshd_installed: True'"
-  set_fact:
-    sshd_installed: True
-
-- name: "Add 'sshd_installed: True' to {{ iiab_state_file }}"
-  lineinfile:
-    path: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
-    regexp: '^sshd_installed'
-    line: 'sshd_installed: True'
+- name: Install sshd if 'sshd_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+  include_tasks: install.yml
+  when: sshd_installed is undefined
 
 
-- name: Enable & Start ssh daemon ({{ sshd_service }}) if sshd_enabled
-  systemd:
-    name: "{{ sshd_service }}"
-    daemon_reload: yes
-    enabled: yes
-    state: started
-  when: sshd_enabled | bool
+- include_tasks: enable-or-disable.yml
 
-- name: Disable & Stop ssh daemon ({{ sshd_service }}) if not sshd_enabled
-  systemd:
-    name: "{{ sshd_service }}"
-    enabled: no
-    state: stopped
-  when: not sshd_enabled
+
+- name: Add 'sshd' variable values to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: sshd
+    option: "{{ item.option }}"
+    value: "{{ item.value | string }}"
+  with_items:
+  - option: name
+    value: sshd
+  - option: description
+    value: '"Secure Shell daemon (typically implemented by openssh-server) for remote login using the ''ssh'' low-level protocol."'
+  - option: sshd_port
+    value: "{{ sshd_port }}"
+  - option: sshd_enabled
+    value: "{{ sshd_enabled }}"

vars/default_vars.yml

@@ -113,7 +113,6 @@ wifi_up_down: True    # Creates a 2nd virtual WiFi adapter for upstream WiFi
 # Gateway mode
 iiab_lan_enabled: True
 iiab_wan_enabled: True
-ssh_port: 22    # SEE sshd_* vars below.
 # Ties in what the user populated in the GUI for static WAN IP address info:
 gui_wan: True
 adm_cons_force_ssl: False
@@ -207,10 +206,6 @@ wan_try_dhcp_before_static_ip: True   # Facilitate field updates w/ cablemodems
 
 # 1-PREP
 
-# SEE ssh_port var above.
-sshd_install: True
-sshd_enabled: True
-
 # roles/iiab-admin runs here
 # SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE: e.g. iiab_admin_user_install,
 # iiab_admin_user, iiab_admin_published_pwd, iiab_admin_pwd_hash
@@ -250,7 +245,7 @@ mysql_enabled: True
 
 # 2019-01-13: IIAB's use of NGINX is still evolving -- please review this
 # evolving doc: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
-# 2020-09-21: removed install |bool in stage 3, not optional and has no effect
+# 2020-09-24: NGINX is mandatory, SEE: roles/3-base-server/tasks/main.yml
 nginx_install: True
 nginx_enabled: True
 nginx_port: 80
@@ -271,7 +266,7 @@ apache_allow_sudo: True
 # See also Apache vars {default_language, language_priority} @ top of this file
 #
 # 2020-05-21: apache_install is completely ignored as Apache is installed on
-# demand as a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED and/or
+# demand as a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED, PBX and/or
 # phpMyAdmin
 apache_install: False
 apache_enabled: False
@@ -283,6 +278,10 @@ apache_interface: 127.0.0.1    # 2020-01-13: Var unused
 
 # 4-SERVER-OPTIONS
 
+sshd_install: True    # Required by OpenVPN
+sshd_enabled: True
+sshd_port: 22    # Not fully functional.  SEE: roles/sshd/tasks/install.yml
+
 # DNS prep (dnsmasq, named &/or dhcpd) run here.  The full network stage runs
 # after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
 

vars/local_vars_big.yml

@@ -99,6 +99,7 @@ named_install: False
 named_enabled: False
 
 # dnsmasq - handles DHCP and DNS
+dnsmasq_install: True
 dnsmasq_enabled: True
 
 # Enable AFTER installing IIAB!  Then run "cd /opt/iiab/iiab; ./iiab-network"
@@ -168,6 +169,8 @@ apache_allow_sudo: True
 
 
 # 4-SERVER-OPTIONS
+
+sshd_install: True    # Required by OpenVPN
 sshd_enabled: True
 
 # DNS prep (dnsmasq, named &/or dhcpd) run here.  The full network stage runs

vars/local_vars_medium.yml

@@ -99,6 +99,7 @@ named_install: False
 named_enabled: False
 
 # dnsmasq - handles DHCP and DNS
+dnsmasq_install: True
 dnsmasq_enabled: True
 
 # Enable AFTER installing IIAB!  Then run "cd /opt/iiab/iiab; ./iiab-network"
@@ -168,6 +169,8 @@ apache_allow_sudo: True
 
 
 # 4-SERVER-OPTIONS
+
+sshd_install: True    # Required by OpenVPN
 sshd_enabled: True
 
 # DNS prep (dnsmasq, named &/or dhcpd) run here.  The full network stage runs

vars/local_vars_min.yml

@@ -99,6 +99,7 @@ named_install: False
 named_enabled: False
 
 # dnsmasq - handles DHCP and DNS
+dnsmasq_install: True
 dnsmasq_enabled: True
 
 # Enable AFTER installing IIAB!  Then run "cd /opt/iiab/iiab; ./iiab-network"
@@ -168,6 +169,8 @@ apache_allow_sudo: True
 
 
 # 4-SERVER-OPTIONS
+
+sshd_install: True    # Required by OpenVPN
 sshd_enabled: True
 
 # DNS prep (dnsmasq, named &/or dhcpd) run here.  The full network stage runs