1
0
Fork 0
mirror of https://github.com/iiab/iiab.git synced 2025-03-09 15:40:17 +00:00

Release Cleanup of validate_vars, default_vars, local_vars, Stages 0-4, SSHD

This commit is contained in:
root 2020-09-24 19:01:11 -04:00
parent dbd1f37e74
commit ac22723b43
15 changed files with 145 additions and 66 deletions

View file

@ -42,7 +42,7 @@
# are officially now UNMAINTAINED in default_vars.yml and
# https://github.com/iiab/iiab/blob/master/unmaintained-roles.txt etc?
- name: Set vars_checklist for 46 + 46 + up-to-46 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
- name: Set vars_checklist for 47 + 47 + up-to-47 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
set_fact:
vars_checklist:
- hostapd
@ -54,8 +54,13 @@
- wondershaper
- sshd
- openvpn
- admin_console
#- nginx # MANDATORY
#- apache # Dependency installed on demand, by other apps/services
#- mysql # MANDATORY
- squid
- dansguardian
#- postgresql # Dependency installed on demand, by other apps/services
- cups
- samba
- usb_lib
@ -71,6 +76,7 @@
- lokole
- mediawiki
- mosquitto
#- nodejs # Dependency installed on demand, by other apps/services
- nodered
- nextcloud
- pbx
@ -79,6 +85,7 @@
- kolibri
- kiwix
- moodle
#- mongodb # Dependency installed on demand, by other apps/services
- sugarizer
- osm_vector_maps
- transmission

View file

@ -5,6 +5,7 @@
- name: dnsmasq (install now, configure LATER in 'network', after Stage 9)
include_tasks: roles/network/tasks/dnsmasq.yml
#when: dnsmasq_install | bool # Flag might be used in future?
- name: Install uuid-runtime package (debuntu)
package:
@ -74,13 +75,16 @@
shell: apt -y remove "libgeos-*"
when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist
# Required by OpenVPN below. Also run by roles/4-server-options/tasks/main.yml
- name: SSHD
include_role:
name: sshd
when: sshd_install | bool
- name: IIAB-ADMIN
include_role:
name: iiab-admin
#when: iiab_admin_install | bool # Flag might be created in future?
- name: OPENVPN
include_role:

View file

@ -40,7 +40,7 @@
- htop
- i2c-tools
- logrotate
#- lynx # Already installed by 1-prep's roles/iiab-admin/tasks/access.yml
#- lynx # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
- make
- mlocate
- netmask
@ -50,6 +50,7 @@
- pandoc
- pastebinit
- rsync
#- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
- sqlite3
- sudo
- tar

View file

@ -6,6 +6,7 @@
- name: MYSQL
include_role:
name: mysql
#when: mysql_install | bool
# 2020-05-21: Apache role 'httpd' is installed as nec by any of these 7 roles:
#
@ -21,6 +22,7 @@
- name: NGINX
include_role:
name: nginx
#when: nginx_install | bool
- name: WWW_BASE (WWW_OPTIONS should be installed later)
include_role:

View file

@ -16,10 +16,13 @@
- name: Install pylibs (IIAB's python libs)
include_role:
name: pylibs
#when: pylibs_install | bool # Flag might be created in future?
# Also run roles/1-prep/tasks/main.yml as required by OpenVPN.
- name: SSHD
include_role:
name: sshd
when: sshd_install | bool
- name: Install named / BIND
include_tasks: roles/network/tasks/named.yml
@ -60,6 +63,7 @@
- name: WWW_OPTIONS (WWW_BASE should have been installed earlier)
include_role:
name: www_options
#when: www_options_install | bool # Flag might be created in future?
- name: Recording STAGE 4 HAS COMPLETED ==================
lineinfile:

View file

@ -5,7 +5,7 @@
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
mediawiki_major_version: 1.34 # "1.34" also works
mediawiki_minor_version: 3
mediawiki_minor_version: 4
mediawiki_version: "{{ mediawiki_major_version }}.{{ mediawiki_minor_version }}"
mediawiki_download_base_url: "https://releases.wikimedia.org/mediawiki/{{ mediawiki_major_version }}"

View file

@ -43,7 +43,7 @@
lineinfile:
dest: /etc/avahi/services/ssh.service
regexp: '</port>$'
line: ' <port>{{ ssh_port }}</port>'
line: ' <port>{{ sshd_port }}</port>'
state: present
backrefs: yes

View file

@ -46,7 +46,7 @@ echo -e "WAN: $wan\n"
ports_externally_visible={{ ports_externally_visible }}
#services_externally_visible= [deprecated]
gw_block_https={{ gw_block_https }}
ssh_port={{ ssh_port }}
sshd_port={{ sshd_port }}
#gui_wan= [no longer needed]
gui_port={{ gui_port }}
iiab_gateway_enabled={{ iiab_gateway_enabled }}
@ -132,7 +132,7 @@ if [ "$wan" != "none" ]; then
# 1 = ssh only
if [ "$ports_externally_visible" -ge 1 ]; then
$IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $sshd_port -m state --state NEW -i $wan -j ACCEPT
fi
# 2 = ssh + http-or-https (for Admin Console's box.lan/admin too)

View file

@ -0,0 +1,15 @@
- name: Enable & (Re)Start ssh daemon ({{ sshd_service }}) if sshd_enabled
systemd:
daemon_reload: yes
name: "{{ sshd_service }}"
enabled: yes
state: restarted
when: sshd_enabled | bool
- name: Disable & Stop ssh daemon ({{ sshd_service }}) if not sshd_enabled
systemd:
daemon_reload: yes
name: "{{ sshd_service }}"
enabled: no
state: stopped
when: not sshd_enabled

View file

@ -0,0 +1,55 @@
# TODO:
#
# 1) Implement sshd_port IF it's truly needed? Mentioned here as of 2020-09-24:
#
# vars/default_vars.yml Line 283
# roles/sshd/tasks/main.yml Lines 41-42
# roles/network/tasks/avahi.yml Line 46
# roles/network/templates/gateway/iiab-gen-iptables Line 49 & 135
#
# 2) Use Ansible handler to reload ssh?
- name: "Install ssh daemon using package: {{ sshd_package }}"
package:
name: "{{ sshd_package }}"
state: present
- name: Disable password-based logins to root
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: 'PermitRootLogin without-password'
state: present
#when: sshd_enabled | bool
- name: mkdir /root/.ssh
file:
state: directory
path: /root/.ssh
owner: root
group: root
mode: '0700'
#when: sshd_enabled | bool
- name: Install dummy root keys as placeholder
copy:
src: dummy_authorized_keys
dest: /root/.ssh/authorized_keys
owner: root
group: root
mode: '0600'
force: no
#when: sshd_enabled | bool
# RECORD sshd AS INSTALLED
- name: "Set 'sshd_installed: True'"
set_fact:
sshd_installed: True
- name: "Add 'sshd_installed: True' to {{ iiab_state_file }}"
lineinfile:
path: "{{ iiab_state_file }}" # /etc/iiab/iiab_state.yml
regexp: '^sshd_installed'
line: 'sshd_installed: True'

View file

@ -1,61 +1,44 @@
- name: "Install ssh daemon using package: {{ sshd_package }}"
package:
name: "{{ sshd_package }}"
state: present
# "How do i fail a task in Ansible if the variable contains a boolean value?
# I want to perform input validation for Ansible playbooks"
# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499
- name: Disable password-based logins to root
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: 'PermitRootLogin without-password'
state: present
#when: sshd_enabled | bool
#TODO: use handler to reload ssh
# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
# to re-check whether vars are defined here. As Ansible vars cannot be unset:
# https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible
- name: mkdir /root/.ssh
file:
state: directory
path: /root/.ssh
owner: root
group: root
mode: '0700'
#when: sshd_enabled | bool
- name: Assert that "sshd_install is sameas true" (boolean not string etc)
assert:
that: sshd_install is sameas true
fail_msg: "PLEASE SET 'sshd_install: True' e.g. IN: /etc/iiab/local_vars.yml"
quiet: yes
- name: Install dummy root keys as placeholder
copy:
src: dummy_authorized_keys
dest: /root/.ssh/authorized_keys
owner: root
group: root
mode: '0600'
force: no
#when: sshd_enabled | bool
- name: Assert that "sshd_enabled | type_debug == 'bool'" (boolean not string etc)
assert:
that: sshd_enabled | type_debug == 'bool'
fail_msg: "PLEASE GIVE VARIABLE 'sshd_enabled' A PROPER (UNQUOTED) ANSIBLE BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
quiet: yes
# RECORD sshd AS INSTALLED
- name: "Set 'sshd_installed: True'"
set_fact:
sshd_installed: True
- name: "Add 'sshd_installed: True' to {{ iiab_state_file }}"
lineinfile:
path: "{{ iiab_state_file }}" # /etc/iiab/iiab_state.yml
regexp: '^sshd_installed'
line: 'sshd_installed: True'
- name: Install sshd if 'sshd_installed' not defined, e.g. in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml
include_tasks: install.yml
when: sshd_installed is undefined
- name: Enable & Start ssh daemon ({{ sshd_service }}) if sshd_enabled
systemd:
name: "{{ sshd_service }}"
daemon_reload: yes
enabled: yes
state: started
when: sshd_enabled | bool
- include_tasks: enable-or-disable.yml
- name: Disable & Stop ssh daemon ({{ sshd_service }}) if not sshd_enabled
systemd:
name: "{{ sshd_service }}"
enabled: no
state: stopped
when: not sshd_enabled
- name: Add 'sshd' variable values to {{ iiab_ini_file }}
ini_file:
path: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini
section: sshd
option: "{{ item.option }}"
value: "{{ item.value | string }}"
with_items:
- option: name
value: sshd
- option: description
value: '"Secure Shell daemon (typically implemented by openssh-server) for remote login using the ''ssh'' low-level protocol."'
- option: sshd_port
value: "{{ sshd_port }}"
- option: sshd_enabled
value: "{{ sshd_enabled }}"

View file

@ -113,7 +113,6 @@ wifi_up_down: True # Creates a 2nd virtual WiFi adapter for upstream WiFi
# Gateway mode
iiab_lan_enabled: True
iiab_wan_enabled: True
ssh_port: 22 # SEE sshd_* vars below.
# Ties in what the user populated in the GUI for static WAN IP address info:
gui_wan: True
adm_cons_force_ssl: False
@ -207,10 +206,6 @@ wan_try_dhcp_before_static_ip: True # Facilitate field updates w/ cablemodems
# 1-PREP
# SEE ssh_port var above.
sshd_install: True
sshd_enabled: True
# roles/iiab-admin runs here
# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE: e.g. iiab_admin_user_install,
# iiab_admin_user, iiab_admin_published_pwd, iiab_admin_pwd_hash
@ -250,7 +245,7 @@ mysql_enabled: True
# 2019-01-13: IIAB's use of NGINX is still evolving -- please review this
# evolving doc: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
# 2020-09-21: removed install |bool in stage 3, not optional and has no effect
# 2020-09-24: NGINX is mandatory, SEE: roles/3-base-server/tasks/main.yml
nginx_install: True
nginx_enabled: True
nginx_port: 80
@ -271,7 +266,7 @@ apache_allow_sudo: True
# See also Apache vars {default_language, language_priority} @ top of this file
#
# 2020-05-21: apache_install is completely ignored as Apache is installed on
# demand as a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED and/or
# demand as a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED, PBX and/or
# phpMyAdmin
apache_install: False
apache_enabled: False
@ -283,6 +278,10 @@ apache_interface: 127.0.0.1 # 2020-01-13: Var unused
# 4-SERVER-OPTIONS
sshd_install: True # Required by OpenVPN
sshd_enabled: True
sshd_port: 22 # Not fully functional. SEE: roles/sshd/tasks/install.yml
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")

View file

@ -99,6 +99,7 @@ named_install: False
named_enabled: False
# dnsmasq - handles DHCP and DNS
dnsmasq_install: True
dnsmasq_enabled: True
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
@ -168,6 +169,8 @@ apache_allow_sudo: True
# 4-SERVER-OPTIONS
sshd_install: True # Required by OpenVPN
sshd_enabled: True
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs

View file

@ -99,6 +99,7 @@ named_install: False
named_enabled: False
# dnsmasq - handles DHCP and DNS
dnsmasq_install: True
dnsmasq_enabled: True
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
@ -168,6 +169,8 @@ apache_allow_sudo: True
# 4-SERVER-OPTIONS
sshd_install: True # Required by OpenVPN
sshd_enabled: True
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs

View file

@ -99,6 +99,7 @@ named_install: False
named_enabled: False
# dnsmasq - handles DHCP and DNS
dnsmasq_install: True
dnsmasq_enabled: True
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
@ -168,6 +169,8 @@ apache_allow_sudo: True
# 4-SERVER-OPTIONS
sshd_install: True # Required by OpenVPN
sshd_enabled: True
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs