diff --git a/roles/0-init/tasks/validate_vars.yml b/roles/0-init/tasks/validate_vars.yml
index bbbdbbbf1..32eb77ffd 100644
--- a/roles/0-init/tasks/validate_vars.yml
+++ b/roles/0-init/tasks/validate_vars.yml
@@ -42,7 +42,7 @@
# are officially now UNMAINTAINED in default_vars.yml and
# https://github.com/iiab/iiab/blob/master/unmaintained-roles.txt etc?
-- name: Set vars_checklist for 46 + 46 + up-to-46 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
+- name: Set vars_checklist for 47 + 47 + up-to-47 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
set_fact:
vars_checklist:
- hostapd
@@ -54,8 +54,13 @@
- wondershaper
- sshd
- openvpn
+ - admin_console
+ #- nginx # MANDATORY
+ #- apache # Dependency installed on demand, by other apps/services
+ #- mysql # MANDATORY
- squid
- dansguardian
+ #- postgresql # Dependency installed on demand, by other apps/services
- cups
- samba
- usb_lib
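Review bot: Commenting nginx and mysql out of vars_checklist as MANDATORY leaves `nginx_install`/`mysql_install` unvalidated, while vars/default_vars.yml in this same commit still defines `nginx_install: True` and roles/3-base-server/tasks/main.yml only comments out its `#when: nginx_install | bool` / `#when: mysql_install | bool` lines, so a user who sets either flag to False in local_vars.yml now gets neither an error nor an effect. Consider stating that in the list comment, e.g. `#- nginx # MANDATORY: nginx_install is ignored`, or dropping the unused flags from default_vars.yml so the checklist and the vars file agree. The set_fact that opens this list starts before the hunk.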
@@ -71,6 +76,7 @@
- lokole
- mediawiki
- mosquitto
+ #- nodejs # Dependency installed on demand, by other apps/services
- nodered
- nextcloud
- pbx
@@ -79,6 +85,7 @@
- kolibri
- kiwix
- moodle
+ #- mongodb # Dependency installed on demand, by other apps/services
- sugarizer
- osm_vector_maps
- transmission
diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml
index a9a91c182..3a8615c10 100644
--- a/roles/1-prep/tasks/main.yml
+++ b/roles/1-prep/tasks/main.yml
@@ -5,6 +5,7 @@
- name: dnsmasq (install now, configure LATER in 'network', after Stage 9)
include_tasks: roles/network/tasks/dnsmasq.yml
+ #when: dnsmasq_install | bool # Flag might be used in future?
- name: Install uuid-runtime package (debuntu)
package:
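Review bot: The added `#when: dnsmasq_install | bool` on the dnsmasq include is commented out, yet this same commit adds `dnsmasq_install: True` to vars/local_vars_big.yml, vars/local_vars_medium.yml and vars/local_vars_min.yml, so the new variable has no consumer. If `dnsmasq` is one of the names in vars_checklist (the roles/0-init/tasks/validate_vars.yml hunks do not show that part of the list), validate_vars would presumably also expect the flag in vars/default_vars.yml, which this diff does not add. Either enable the `when:` or hold the local_vars additions until the flag is actually read.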
@@ -74,13 +75,16 @@
shell: apt -y remove "libgeos-*"
when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist
+# Required by OpenVPN below. Also run by roles/4-server-options/tasks/main.yml
- name: SSHD
include_role:
name: sshd
+ when: sshd_install | bool
- name: IIAB-ADMIN
include_role:
name: iiab-admin
+ #when: iiab_admin_install | bool # Flag might be created in future?
- name: OPENVPN
include_role:
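Review bot: The SSHD include is now skipped when `sshd_install` is false, but the OPENVPN include that closes the hunk (its body continues outside it) has no matching guard, so the dependency the new comment `# Required by OpenVPN below.` describes is documented rather than enforced. Because the `when:` skips the role entirely, the `sshd_install is sameas true` assert added in roles/sshd/tasks/main.yml also never runs for this caller, so a misconfiguration is silent. Consider gating the OPENVPN include on both flags, `when: openvpn_install | bool and sshd_install | bool`, or adding an assert there that names the missing prerequisite.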
diff --git a/roles/2-common/tasks/packages.yml b/roles/2-common/tasks/packages.yml
index 342a0ab7e..02ae39496 100644
--- a/roles/2-common/tasks/packages.yml
+++ b/roles/2-common/tasks/packages.yml
@@ -40,7 +40,7 @@
- htop
- i2c-tools
- logrotate
- #- lynx # Already installed by 1-prep's roles/iiab-admin/tasks/access.yml
+ #- lynx # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
- make
- mlocate
- netmask
@@ -50,6 +50,7 @@
- pandoc
- pastebinit
- rsync
+ #- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
- sqlite3
- sudo
- tar
diff --git a/roles/3-base-server/tasks/main.yml b/roles/3-base-server/tasks/main.yml
index 4b8b536e4..aac0cbf37 100644
--- a/roles/3-base-server/tasks/main.yml
+++ b/roles/3-base-server/tasks/main.yml
@@ -6,6 +6,7 @@
- name: MYSQL
include_role:
name: mysql
+ #when: mysql_install | bool
# 2020-05-21: Apache role 'httpd' is installed as nec by any of these 7 roles:
#
@@ -21,6 +22,7 @@
- name: NGINX
include_role:
name: nginx
+ #when: nginx_install | bool
- name: WWW_BASE (WWW_OPTIONS should be installed later)
include_role:
diff --git a/roles/4-server-options/tasks/main.yml b/roles/4-server-options/tasks/main.yml
index f5dce89c4..330629451 100644
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
@@ -16,10 +16,13 @@
- name: Install pylibs (IIAB's python libs)
include_role:
name: pylibs
+ #when: pylibs_install | bool # Flag might be created in future?
+# Also run roles/1-prep/tasks/main.yml as required by OpenVPN.
- name: SSHD
include_role:
name: sshd
+ when: sshd_install | bool
- name: Install named / BIND
include_tasks: roles/network/tasks/named.yml
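Review bot: The new comment above the SSHD include, `# Also run roles/1-prep/tasks/main.yml as required by OpenVPN.`, reads as an instruction to run the other file rather than a note that this role is also run there; `# Also run by roles/1-prep/tasks/main.yml, as required by OpenVPN.` mirrors the wording added in that file. Since roles/sshd/tasks/main.yml now includes enable-or-disable.yml unconditionally, this second invocation re-runs the `state: restarted` task in the same playbook run (see the note on that hunk).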
@@ -60,6 +63,7 @@
- name: WWW_OPTIONS (WWW_BASE should have been installed earlier)
include_role:
name: www_options
+ #when: www_options_install | bool # Flag might be created in future?
- name: Recording STAGE 4 HAS COMPLETED ==================
lineinfile:
diff --git a/roles/mediawiki/defaults/main.yml b/roles/mediawiki/defaults/main.yml
index f63e4c4ae..4909854b6 100644
--- a/roles/mediawiki/defaults/main.yml
+++ b/roles/mediawiki/defaults/main.yml
@@ -5,7 +5,7 @@
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
mediawiki_major_version: 1.34 # "1.34" also works
-mediawiki_minor_version: 3
+mediawiki_minor_version: 4
mediawiki_version: "{{ mediawiki_major_version }}.{{ mediawiki_minor_version }}"
mediawiki_download_base_url: "https://releases.wikimedia.org/mediawiki/{{ mediawiki_major_version }}"
diff --git a/roles/network/tasks/avahi.yml b/roles/network/tasks/avahi.yml
index b632e6491..b0fde81fe 100644
--- a/roles/network/tasks/avahi.yml
+++ b/roles/network/tasks/avahi.yml
@@ -43,7 +43,7 @@
lineinfile:
dest: /etc/avahi/services/ssh.service
regexp: '$'
- line: ' {{ ssh_port }}'
+ line: ' {{ sshd_port }}'
state: present
backrefs: yes
diff --git a/roles/network/templates/gateway/iiab-gen-iptables b/roles/network/templates/gateway/iiab-gen-iptables
index 668c3d0d7..f7ee6c7c9 100755
--- a/roles/network/templates/gateway/iiab-gen-iptables
+++ b/roles/network/templates/gateway/iiab-gen-iptables
@@ -46,7 +46,7 @@ echo -e "WAN: $wan\n"
ports_externally_visible={{ ports_externally_visible }}
#services_externally_visible= [deprecated]
gw_block_https={{ gw_block_https }}
-ssh_port={{ ssh_port }}
+sshd_port={{ sshd_port }}
#gui_wan= [no longer needed]
gui_port={{ gui_port }}
iiab_gateway_enabled={{ iiab_gateway_enabled }}
@@ -132,7 +132,7 @@ if [ "$wan" != "none" ]; then
# 1 = ssh only
if [ "$ports_externally_visible" -ge 1 ]; then
- $IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport $sshd_port -m state --state NEW -i $wan -j ACCEPT
fi
# 2 = ssh + http-or-https (for Admin Console's box.lan/admin too)
diff --git a/roles/sshd/tasks/enable-or-disable.yml b/roles/sshd/tasks/enable-or-disable.yml
new file mode 100644
index 000000000..36a870b3d
--- /dev/null
+++ b/roles/sshd/tasks/enable-or-disable.yml
@@ -0,0 +1,15 @@
+- name: Enable & (Re)Start ssh daemon ({{ sshd_service }}) if sshd_enabled
+ systemd:
+ daemon_reload: yes
+ name: "{{ sshd_service }}"
+ enabled: yes
+ state: restarted
+ when: sshd_enabled | bool
+
+- name: Disable & Stop ssh daemon ({{ sshd_service }}) if not sshd_enabled
+ systemd:
+ daemon_reload: yes
+ name: "{{ sshd_service }}"
+ enabled: no
+ state: stopped
+ when: not sshd_enabled
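Review bot: `state: restarted` on the enable task bounces the daemon on every playbook run even when nothing in sshd_config changed, and because the role is included from both roles/1-prep/tasks/main.yml and roles/4-server-options/tasks/main.yml a full install restarts sshd twice; the replaced version in roles/sshd/tasks/main.yml used `state: started`. Whether a restart disturbs an Ansible run that is itself driving the host over SSH depends on the unit's KillMode, which is not visible here. Keep `state: started` here and move the restart into a handler notified by the PermitRootLogin lineinfile in install.yml, which that file's own TODO already proposes.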
diff --git a/roles/sshd/tasks/install.yml b/roles/sshd/tasks/install.yml
new file mode 100644
index 000000000..e7e929834
--- /dev/null
+++ b/roles/sshd/tasks/install.yml
@@ -0,0 +1,55 @@
+# TODO:
+#
+# 1) Implement sshd_port IF it's truly needed? Mentioned here as of 2020-09-24:
+#
+# vars/default_vars.yml Line 283
+# roles/sshd/tasks/main.yml Lines 41-42
+# roles/network/tasks/avahi.yml Line 46
+# roles/network/templates/gateway/iiab-gen-iptables Line 49 & 135
+#
+# 2) Use Ansible handler to reload ssh?
+
+- name: "Install ssh daemon using package: {{ sshd_package }}"
+ package:
+ name: "{{ sshd_package }}"
+ state: present
+
+- name: Disable password-based logins to root
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: '^PermitRootLogin'
+ line: 'PermitRootLogin without-password'
+ state: present
+ #when: sshd_enabled | bool
+
+- name: mkdir /root/.ssh
+ file:
+ state: directory
+ path: /root/.ssh
+ owner: root
+ group: root
+ mode: '0700'
+ #when: sshd_enabled | bool
+
+- name: Install dummy root keys as placeholder
+ copy:
+ src: dummy_authorized_keys
+ dest: /root/.ssh/authorized_keys
+ owner: root
+ group: root
+ mode: '0600'
+ force: no
+ #when: sshd_enabled | bool
+
+
+# RECORD sshd AS INSTALLED
+
+- name: "Set 'sshd_installed: True'"
+ set_fact:
+ sshd_installed: True
+
+- name: "Add 'sshd_installed: True' to {{ iiab_state_file }}"
+ lineinfile:
+ path: "{{ iiab_state_file }}" # /etc/iiab/iiab_state.yml
+ regexp: '^sshd_installed'
+ line: 'sshd_installed: True'
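Review bot: The PermitRootLogin lineinfile has no `validate:` argument, so a malformed sshd_config would be written and the subsequent restart in enable-or-disable.yml would fail closed, locking remote administrators out; add `validate: '/usr/sbin/sshd -t -f %s'` to that task. `PermitRootLogin without-password` is the pre-OpenSSH-7.0 spelling retained as an alias of `prohibit-password`; using the current keyword avoids confusion with password-less root. Note also that sshd reads the first matching directive, so on distributions whose sshd_config starts with an `Include` of sshd_config.d/*.conf an earlier PermitRootLogin there would take precedence over the line appended here; worth a comment if that case is intended to be unsupported.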
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index 67c8b1478..5d66608c9 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -1,61 +1,44 @@
-- name: "Install ssh daemon using package: {{ sshd_package }}"
- package:
- name: "{{ sshd_package }}"
- state: present
+# "How do i fail a task in Ansible if the variable contains a boolean value?
+# I want to perform input validation for Ansible playbooks"
+# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499
-- name: Disable password-based logins to root
- lineinfile:
- dest: /etc/ssh/sshd_config
- regexp: '^PermitRootLogin'
- line: 'PermitRootLogin without-password'
- state: present
- #when: sshd_enabled | bool
-#TODO: use handler to reload ssh
+# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
+# to re-check whether vars are defined here. As Ansible vars cannot be unset:
+# https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible
-- name: mkdir /root/.ssh
- file:
- state: directory
- path: /root/.ssh
- owner: root
- group: root
- mode: '0700'
- #when: sshd_enabled | bool
+- name: Assert that "sshd_install is sameas true" (boolean not string etc)
+ assert:
+ that: sshd_install is sameas true
+ fail_msg: "PLEASE SET 'sshd_install: True' e.g. IN: /etc/iiab/local_vars.yml"
+ quiet: yes
-- name: Install dummy root keys as placeholder
- copy:
- src: dummy_authorized_keys
- dest: /root/.ssh/authorized_keys
- owner: root
- group: root
- mode: '0600'
- force: no
- #when: sshd_enabled | bool
+- name: Assert that "sshd_enabled | type_debug == 'bool'" (boolean not string etc)
+ assert:
+ that: sshd_enabled | type_debug == 'bool'
+ fail_msg: "PLEASE GIVE VARIABLE 'sshd_enabled' A PROPER (UNQUOTED) ANSIBLE BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
+ quiet: yes
-# RECORD sshd AS INSTALLED
-
-- name: "Set 'sshd_installed: True'"
- set_fact:
- sshd_installed: True
-
-- name: "Add 'sshd_installed: True' to {{ iiab_state_file }}"
- lineinfile:
- path: "{{ iiab_state_file }}" # /etc/iiab/iiab_state.yml
- regexp: '^sshd_installed'
- line: 'sshd_installed: True'
+- name: Install sshd if 'sshd_installed' not defined, e.g. in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml
+ include_tasks: install.yml
+ when: sshd_installed is undefined
-- name: Enable & Start ssh daemon ({{ sshd_service }}) if sshd_enabled
- systemd:
- name: "{{ sshd_service }}"
- daemon_reload: yes
- enabled: yes
- state: started
- when: sshd_enabled | bool
+- include_tasks: enable-or-disable.yml
-- name: Disable & Stop ssh daemon ({{ sshd_service }}) if not sshd_enabled
- systemd:
- name: "{{ sshd_service }}"
- enabled: no
- state: stopped
- when: not sshd_enabled
+
+- name: Add 'sshd' variable values to {{ iiab_ini_file }}
+ ini_file:
+ path: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini
+ section: sshd
+ option: "{{ item.option }}"
+ value: "{{ item.value | string }}"
+ with_items:
+ - option: name
+ value: sshd
+ - option: description
+ value: '"Secure Shell daemon (typically implemented by openssh-server) for remote login using the ''ssh'' low-level protocol."'
+ - option: sshd_port
+ value: "{{ sshd_port }}"
+ - option: sshd_enabled
+ value: "{{ sshd_enabled }}"
diff --git a/vars/default_vars.yml b/vars/default_vars.yml
index 1f188ceb5..256a6b6c5 100644
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@@ -113,7 +113,6 @@ wifi_up_down: True # Creates a 2nd virtual WiFi adapter for upstream WiFi
# Gateway mode
iiab_lan_enabled: True
iiab_wan_enabled: True
-ssh_port: 22 # SEE sshd_* vars below.
# Ties in what the user populated in the GUI for static WAN IP address info:
gui_wan: True
adm_cons_force_ssl: False
@@ -207,10 +206,6 @@ wan_try_dhcp_before_static_ip: True # Facilitate field updates w/ cablemodems
# 1-PREP
-# SEE ssh_port var above.
-sshd_install: True
-sshd_enabled: True
-
# roles/iiab-admin runs here
# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE: e.g. iiab_admin_user_install,
# iiab_admin_user, iiab_admin_published_pwd, iiab_admin_pwd_hash
@@ -250,7 +245,7 @@ mysql_enabled: True
# 2019-01-13: IIAB's use of NGINX is still evolving -- please review this
# evolving doc: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
-# 2020-09-21: removed install |bool in stage 3, not optional and has no effect
+# 2020-09-24: NGINX is mandatory, SEE: roles/3-base-server/tasks/main.yml
nginx_install: True
nginx_enabled: True
nginx_port: 80
@@ -271,7 +266,7 @@ apache_allow_sudo: True
# See also Apache vars {default_language, language_priority} @ top of this file
#
# 2020-05-21: apache_install is completely ignored as Apache is installed on
-# demand as a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED and/or
+# demand as a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED, PBX and/or
# phpMyAdmin
apache_install: False
apache_enabled: False
@@ -283,6 +278,10 @@ apache_interface: 127.0.0.1 # 2020-01-13: Var unused
# 4-SERVER-OPTIONS
+sshd_install: True # Required by OpenVPN
+sshd_enabled: True
+sshd_port: 22 # Not fully functional. SEE: roles/sshd/tasks/install.yml
+
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
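Review bot: `sshd_port: 22 # Not fully functional. SEE: roles/sshd/tasks/install.yml` understates the risk: per that file's TODO the value is consumed by roles/network/templates/gateway/iiab-gen-iptables and roles/network/tasks/avahi.yml but never written into sshd_config, so changing it opens a WAN port the daemon does not listen on while the port it does listen on stays blocked on that interface. Suggest `sshd_port: 22 # Used by iptables/avahi ONLY; NOT applied to sshd_config, so leave at 22. SEE: roles/sshd/tasks/install.yml`. The sshd_* block also now sits under `# 4-SERVER-OPTIONS` although roles/1-prep/tasks/main.yml is the first place the role runs.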
diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml
index 86c722cff..dba2a678c 100644
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@@ -99,6 +99,7 @@ named_install: False
named_enabled: False
# dnsmasq - handles DHCP and DNS
+dnsmasq_install: True
dnsmasq_enabled: True
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
@@ -168,6 +169,8 @@ apache_allow_sudo: True
# 4-SERVER-OPTIONS
+
+sshd_install: True # Required by OpenVPN
sshd_enabled: True
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml
index 56c73486e..7ef535511 100644
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@@ -99,6 +99,7 @@ named_install: False
named_enabled: False
# dnsmasq - handles DHCP and DNS
+dnsmasq_install: True
dnsmasq_enabled: True
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
@@ -168,6 +169,8 @@ apache_allow_sudo: True
# 4-SERVER-OPTIONS
+
+sshd_install: True # Required by OpenVPN
sshd_enabled: True
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml
index e897512a9..7c95e4aed 100644
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@@ -99,6 +99,7 @@ named_install: False
named_enabled: False
# dnsmasq - handles DHCP and DNS
+dnsmasq_install: True
dnsmasq_enabled: True
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
@@ -168,6 +169,8 @@ apache_allow_sudo: True
# 4-SERVER-OPTIONS
+
+sshd_install: True # Required by OpenVPN
sshd_enabled: True
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs