mirror of
https://github.com/iiab/iiab.git
synced 2025-03-09 15:40:17 +00:00
Release Cleanup of validate_vars, default_vars, local_vars, Stages 0-4, SSHD
This commit is contained in:
parent
dbd1f37e74
commit
ac22723b43
15 changed files with 145 additions and 66 deletions
|
@ -42,7 +42,7 @@
|
|||
# are officially now UNMAINTAINED in default_vars.yml and
|
||||
# https://github.com/iiab/iiab/blob/master/unmaintained-roles.txt etc?
|
||||
|
||||
- name: Set vars_checklist for 46 + 46 + up-to-46 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
|
||||
- name: Set vars_checklist for 47 + 47 + up-to-47 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
|
||||
set_fact:
|
||||
vars_checklist:
|
||||
- hostapd
|
||||
|
@ -54,8 +54,13 @@
|
|||
- wondershaper
|
||||
- sshd
|
||||
- openvpn
|
||||
- admin_console
|
||||
#- nginx # MANDATORY
|
||||
#- apache # Dependency installed on demand, by other apps/services
|
||||
#- mysql # MANDATORY
|
||||
- squid
|
||||
- dansguardian
|
||||
#- postgresql # Dependency installed on demand, by other apps/services
|
||||
- cups
|
||||
- samba
|
||||
- usb_lib
|
||||
|
@ -71,6 +76,7 @@
|
|||
- lokole
|
||||
- mediawiki
|
||||
- mosquitto
|
||||
#- nodejs # Dependency installed on demand, by other apps/services
|
||||
- nodered
|
||||
- nextcloud
|
||||
- pbx
|
||||
|
@ -79,6 +85,7 @@
|
|||
- kolibri
|
||||
- kiwix
|
||||
- moodle
|
||||
#- mongodb # Dependency installed on demand, by other apps/services
|
||||
- sugarizer
|
||||
- osm_vector_maps
|
||||
- transmission
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
|
||||
- name: dnsmasq (install now, configure LATER in 'network', after Stage 9)
|
||||
include_tasks: roles/network/tasks/dnsmasq.yml
|
||||
#when: dnsmasq_install | bool # Flag might be used in future?
|
||||
|
||||
- name: Install uuid-runtime package (debuntu)
|
||||
package:
|
||||
|
@ -74,13 +75,16 @@
|
|||
shell: apt -y remove "libgeos-*"
|
||||
when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist
|
||||
|
||||
# Required by OpenVPN below. Also run by roles/4-server-options/tasks/main.yml
|
||||
- name: SSHD
|
||||
include_role:
|
||||
name: sshd
|
||||
when: sshd_install | bool
|
||||
|
||||
- name: IIAB-ADMIN
|
||||
include_role:
|
||||
name: iiab-admin
|
||||
#when: iiab_admin_install | bool # Flag might be created in future?
|
||||
|
||||
- name: OPENVPN
|
||||
include_role:
|
||||
|
|
|
@ -40,7 +40,7 @@
|
|||
- htop
|
||||
- i2c-tools
|
||||
- logrotate
|
||||
#- lynx # Already installed by 1-prep's roles/iiab-admin/tasks/access.yml
|
||||
#- lynx # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
|
||||
- make
|
||||
- mlocate
|
||||
- netmask
|
||||
|
@ -50,6 +50,7 @@
|
|||
- pandoc
|
||||
- pastebinit
|
||||
- rsync
|
||||
#- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
|
||||
- sqlite3
|
||||
- sudo
|
||||
- tar
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
- name: MYSQL
|
||||
include_role:
|
||||
name: mysql
|
||||
#when: mysql_install | bool
|
||||
|
||||
# 2020-05-21: Apache role 'httpd' is installed as nec by any of these 7 roles:
|
||||
#
|
||||
|
@ -21,6 +22,7 @@
|
|||
- name: NGINX
|
||||
include_role:
|
||||
name: nginx
|
||||
#when: nginx_install | bool
|
||||
|
||||
- name: WWW_BASE (WWW_OPTIONS should be installed later)
|
||||
include_role:
|
||||
|
|
|
@ -16,10 +16,13 @@
|
|||
- name: Install pylibs (IIAB's python libs)
|
||||
include_role:
|
||||
name: pylibs
|
||||
#when: pylibs_install | bool # Flag might be created in future?
|
||||
|
||||
# Also run roles/1-prep/tasks/main.yml as required by OpenVPN.
|
||||
- name: SSHD
|
||||
include_role:
|
||||
name: sshd
|
||||
when: sshd_install | bool
|
||||
|
||||
- name: Install named / BIND
|
||||
include_tasks: roles/network/tasks/named.yml
|
||||
|
@ -60,6 +63,7 @@
|
|||
- name: WWW_OPTIONS (WWW_BASE should have been installed earlier)
|
||||
include_role:
|
||||
name: www_options
|
||||
#when: www_options_install | bool # Flag might be created in future?
|
||||
|
||||
- name: Recording STAGE 4 HAS COMPLETED ==================
|
||||
lineinfile:
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
|
||||
|
||||
mediawiki_major_version: 1.34 # "1.34" also works
|
||||
mediawiki_minor_version: 3
|
||||
mediawiki_minor_version: 4
|
||||
mediawiki_version: "{{ mediawiki_major_version }}.{{ mediawiki_minor_version }}"
|
||||
|
||||
mediawiki_download_base_url: "https://releases.wikimedia.org/mediawiki/{{ mediawiki_major_version }}"
|
||||
|
|
|
@ -43,7 +43,7 @@
|
|||
lineinfile:
|
||||
dest: /etc/avahi/services/ssh.service
|
||||
regexp: '</port>$'
|
||||
line: ' <port>{{ ssh_port }}</port>'
|
||||
line: ' <port>{{ sshd_port }}</port>'
|
||||
state: present
|
||||
backrefs: yes
|
||||
|
||||
|
|
|
@ -46,7 +46,7 @@ echo -e "WAN: $wan\n"
|
|||
ports_externally_visible={{ ports_externally_visible }}
|
||||
#services_externally_visible= [deprecated]
|
||||
gw_block_https={{ gw_block_https }}
|
||||
ssh_port={{ ssh_port }}
|
||||
sshd_port={{ sshd_port }}
|
||||
#gui_wan= [no longer needed]
|
||||
gui_port={{ gui_port }}
|
||||
iiab_gateway_enabled={{ iiab_gateway_enabled }}
|
||||
|
@ -132,7 +132,7 @@ if [ "$wan" != "none" ]; then
|
|||
|
||||
# 1 = ssh only
|
||||
if [ "$ports_externally_visible" -ge 1 ]; then
|
||||
$IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
|
||||
$IPTABLES -A INPUT -p tcp --dport $sshd_port -m state --state NEW -i $wan -j ACCEPT
|
||||
fi
|
||||
|
||||
# 2 = ssh + http-or-https (for Admin Console's box.lan/admin too)
|
||||
|
|
15
roles/sshd/tasks/enable-or-disable.yml
Normal file
15
roles/sshd/tasks/enable-or-disable.yml
Normal file
|
@ -0,0 +1,15 @@
|
|||
- name: Enable & (Re)Start ssh daemon ({{ sshd_service }}) if sshd_enabled
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
name: "{{ sshd_service }}"
|
||||
enabled: yes
|
||||
state: restarted
|
||||
when: sshd_enabled | bool
|
||||
|
||||
- name: Disable & Stop ssh daemon ({{ sshd_service }}) if not sshd_enabled
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
name: "{{ sshd_service }}"
|
||||
enabled: no
|
||||
state: stopped
|
||||
when: not sshd_enabled
|
55
roles/sshd/tasks/install.yml
Normal file
55
roles/sshd/tasks/install.yml
Normal file
|
@ -0,0 +1,55 @@
|
|||
# TODO:
|
||||
#
|
||||
# 1) Implement sshd_port IF it's truly needed? Mentioned here as of 2020-09-24:
|
||||
#
|
||||
# vars/default_vars.yml Line 283
|
||||
# roles/sshd/tasks/main.yml Lines 41-42
|
||||
# roles/network/tasks/avahi.yml Line 46
|
||||
# roles/network/templates/gateway/iiab-gen-iptables Line 49 & 135
|
||||
#
|
||||
# 2) Use Ansible handler to reload ssh?
|
||||
|
||||
- name: "Install ssh daemon using package: {{ sshd_package }}"
|
||||
package:
|
||||
name: "{{ sshd_package }}"
|
||||
state: present
|
||||
|
||||
- name: Disable password-based logins to root
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^PermitRootLogin'
|
||||
line: 'PermitRootLogin without-password'
|
||||
state: present
|
||||
#when: sshd_enabled | bool
|
||||
|
||||
- name: mkdir /root/.ssh
|
||||
file:
|
||||
state: directory
|
||||
path: /root/.ssh
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0700'
|
||||
#when: sshd_enabled | bool
|
||||
|
||||
- name: Install dummy root keys as placeholder
|
||||
copy:
|
||||
src: dummy_authorized_keys
|
||||
dest: /root/.ssh/authorized_keys
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0600'
|
||||
force: no
|
||||
#when: sshd_enabled | bool
|
||||
|
||||
|
||||
# RECORD sshd AS INSTALLED
|
||||
|
||||
- name: "Set 'sshd_installed: True'"
|
||||
set_fact:
|
||||
sshd_installed: True
|
||||
|
||||
- name: "Add 'sshd_installed: True' to {{ iiab_state_file }}"
|
||||
lineinfile:
|
||||
path: "{{ iiab_state_file }}" # /etc/iiab/iiab_state.yml
|
||||
regexp: '^sshd_installed'
|
||||
line: 'sshd_installed: True'
|
|
@ -1,61 +1,44 @@
|
|||
- name: "Install ssh daemon using package: {{ sshd_package }}"
|
||||
package:
|
||||
name: "{{ sshd_package }}"
|
||||
state: present
|
||||
# "How do i fail a task in Ansible if the variable contains a boolean value?
|
||||
# I want to perform input validation for Ansible playbooks"
|
||||
# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499
|
||||
|
||||
- name: Disable password-based logins to root
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^PermitRootLogin'
|
||||
line: 'PermitRootLogin without-password'
|
||||
state: present
|
||||
#when: sshd_enabled | bool
|
||||
#TODO: use handler to reload ssh
|
||||
# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
|
||||
# to re-check whether vars are defined here. As Ansible vars cannot be unset:
|
||||
# https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible
|
||||
|
||||
- name: mkdir /root/.ssh
|
||||
file:
|
||||
state: directory
|
||||
path: /root/.ssh
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0700'
|
||||
#when: sshd_enabled | bool
|
||||
- name: Assert that "sshd_install is sameas true" (boolean not string etc)
|
||||
assert:
|
||||
that: sshd_install is sameas true
|
||||
fail_msg: "PLEASE SET 'sshd_install: True' e.g. IN: /etc/iiab/local_vars.yml"
|
||||
quiet: yes
|
||||
|
||||
- name: Install dummy root keys as placeholder
|
||||
copy:
|
||||
src: dummy_authorized_keys
|
||||
dest: /root/.ssh/authorized_keys
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0600'
|
||||
force: no
|
||||
#when: sshd_enabled | bool
|
||||
- name: Assert that "sshd_enabled | type_debug == 'bool'" (boolean not string etc)
|
||||
assert:
|
||||
that: sshd_enabled | type_debug == 'bool'
|
||||
fail_msg: "PLEASE GIVE VARIABLE 'sshd_enabled' A PROPER (UNQUOTED) ANSIBLE BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
|
||||
quiet: yes
|
||||
|
||||
|
||||
# RECORD sshd AS INSTALLED
|
||||
|
||||
- name: "Set 'sshd_installed: True'"
|
||||
set_fact:
|
||||
sshd_installed: True
|
||||
|
||||
- name: "Add 'sshd_installed: True' to {{ iiab_state_file }}"
|
||||
lineinfile:
|
||||
path: "{{ iiab_state_file }}" # /etc/iiab/iiab_state.yml
|
||||
regexp: '^sshd_installed'
|
||||
line: 'sshd_installed: True'
|
||||
- name: Install sshd if 'sshd_installed' not defined, e.g. in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml
|
||||
include_tasks: install.yml
|
||||
when: sshd_installed is undefined
|
||||
|
||||
|
||||
- name: Enable & Start ssh daemon ({{ sshd_service }}) if sshd_enabled
|
||||
systemd:
|
||||
name: "{{ sshd_service }}"
|
||||
daemon_reload: yes
|
||||
enabled: yes
|
||||
state: started
|
||||
when: sshd_enabled | bool
|
||||
- include_tasks: enable-or-disable.yml
|
||||
|
||||
- name: Disable & Stop ssh daemon ({{ sshd_service }}) if not sshd_enabled
|
||||
systemd:
|
||||
name: "{{ sshd_service }}"
|
||||
enabled: no
|
||||
state: stopped
|
||||
when: not sshd_enabled
|
||||
|
||||
- name: Add 'sshd' variable values to {{ iiab_ini_file }}
|
||||
ini_file:
|
||||
path: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini
|
||||
section: sshd
|
||||
option: "{{ item.option }}"
|
||||
value: "{{ item.value | string }}"
|
||||
with_items:
|
||||
- option: name
|
||||
value: sshd
|
||||
- option: description
|
||||
value: '"Secure Shell daemon (typically implemented by openssh-server) for remote login using the ''ssh'' low-level protocol."'
|
||||
- option: sshd_port
|
||||
value: "{{ sshd_port }}"
|
||||
- option: sshd_enabled
|
||||
value: "{{ sshd_enabled }}"
|
||||
|
|
|
@ -113,7 +113,6 @@ wifi_up_down: True # Creates a 2nd virtual WiFi adapter for upstream WiFi
|
|||
# Gateway mode
|
||||
iiab_lan_enabled: True
|
||||
iiab_wan_enabled: True
|
||||
ssh_port: 22 # SEE sshd_* vars below.
|
||||
# Ties in what the user populated in the GUI for static WAN IP address info:
|
||||
gui_wan: True
|
||||
adm_cons_force_ssl: False
|
||||
|
@ -207,10 +206,6 @@ wan_try_dhcp_before_static_ip: True # Facilitate field updates w/ cablemodems
|
|||
|
||||
# 1-PREP
|
||||
|
||||
# SEE ssh_port var above.
|
||||
sshd_install: True
|
||||
sshd_enabled: True
|
||||
|
||||
# roles/iiab-admin runs here
|
||||
# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE: e.g. iiab_admin_user_install,
|
||||
# iiab_admin_user, iiab_admin_published_pwd, iiab_admin_pwd_hash
|
||||
|
@ -250,7 +245,7 @@ mysql_enabled: True
|
|||
|
||||
# 2019-01-13: IIAB's use of NGINX is still evolving -- please review this
|
||||
# evolving doc: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
|
||||
# 2020-09-21: removed install |bool in stage 3, not optional and has no effect
|
||||
# 2020-09-24: NGINX is mandatory, SEE: roles/3-base-server/tasks/main.yml
|
||||
nginx_install: True
|
||||
nginx_enabled: True
|
||||
nginx_port: 80
|
||||
|
@ -271,7 +266,7 @@ apache_allow_sudo: True
|
|||
# See also Apache vars {default_language, language_priority} @ top of this file
|
||||
#
|
||||
# 2020-05-21: apache_install is completely ignored as Apache is installed on
|
||||
# demand as a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED and/or
|
||||
# demand as a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED, PBX and/or
|
||||
# phpMyAdmin
|
||||
apache_install: False
|
||||
apache_enabled: False
|
||||
|
@ -283,6 +278,10 @@ apache_interface: 127.0.0.1 # 2020-01-13: Var unused
|
|||
|
||||
# 4-SERVER-OPTIONS
|
||||
|
||||
sshd_install: True # Required by OpenVPN
|
||||
sshd_enabled: True
|
||||
sshd_port: 22 # Not fully functional. SEE: roles/sshd/tasks/install.yml
|
||||
|
||||
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
|
||||
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
|
||||
|
||||
|
|
|
@ -99,6 +99,7 @@ named_install: False
|
|||
named_enabled: False
|
||||
|
||||
# dnsmasq - handles DHCP and DNS
|
||||
dnsmasq_install: True
|
||||
dnsmasq_enabled: True
|
||||
|
||||
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
|
||||
|
@ -168,6 +169,8 @@ apache_allow_sudo: True
|
|||
|
||||
|
||||
# 4-SERVER-OPTIONS
|
||||
|
||||
sshd_install: True # Required by OpenVPN
|
||||
sshd_enabled: True
|
||||
|
||||
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
|
||||
|
|
|
@ -99,6 +99,7 @@ named_install: False
|
|||
named_enabled: False
|
||||
|
||||
# dnsmasq - handles DHCP and DNS
|
||||
dnsmasq_install: True
|
||||
dnsmasq_enabled: True
|
||||
|
||||
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
|
||||
|
@ -168,6 +169,8 @@ apache_allow_sudo: True
|
|||
|
||||
|
||||
# 4-SERVER-OPTIONS
|
||||
|
||||
sshd_install: True # Required by OpenVPN
|
||||
sshd_enabled: True
|
||||
|
||||
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
|
||||
|
|
|
@ -99,6 +99,7 @@ named_install: False
|
|||
named_enabled: False
|
||||
|
||||
# dnsmasq - handles DHCP and DNS
|
||||
dnsmasq_install: True
|
||||
dnsmasq_enabled: True
|
||||
|
||||
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
|
||||
|
@ -168,6 +169,8 @@ apache_allow_sudo: True
|
|||
|
||||
|
||||
# 4-SERVER-OPTIONS
|
||||
|
||||
sshd_install: True # Required by OpenVPN
|
||||
sshd_enabled: True
|
||||
|
||||
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue