diff --git a/roles/2-common/tasks/iiab-startup.yml b/roles/2-common/tasks/iiab-startup.yml
index 8509bba5b..0fa842e4f 100644
--- a/roles/2-common/tasks/iiab-startup.yml
+++ b/roles/2-common/tasks/iiab-startup.yml
@@ -3,20 +3,20 @@
 path: /usr/libexec/iiab-startup.sh
 register: startup_script
-- name: Copy template script to /usr/libexec/iiab-startup.sh
+- name: If not, install /usr/libexec/iiab-startup.sh from template
 template:
 src: iiab-startup.sh
- dest: /usr/libexec/
+ path: /usr/libexec/
 mode: 0755
 when: not startup_script.stat.exists
-- name: Copy iiab-startup.service to {{ systemd_location }}
+- name: Install {{ systemd_location }}/iiab-startup.service from template
 template:
 src: iiab-startup.service
- dest: "{{ systemd_location }}"
+ path: "{{ systemd_location }}"
 when: not startup_script.stat.exists
-- name: Enable & restart the systemd service after daemon-reload
+- name: Enable & restart systemd service (iiab-startup) after daemon-reload
 # shell: systemctl daemon-reload
 # shell: systemctl restart iiab-startup.service
 # shell: systemctl enable iiab-startup.service
diff --git a/roles/2-common/tasks/iptables.yml b/roles/2-common/tasks/iptables.yml
index d84900650..02db8ee97 100644
--- a/roles/2-common/tasks/iptables.yml
+++ b/roles/2-common/tasks/iptables.yml
@@ -4,12 +4,13 @@
 enabled: no
 when: not is_debuntu
-- name: Use larger hammer to disable firewalld -- 2 symbolic links involved (OS's other than debuntu)
- shell: "systemctl disable firewalld.service"
+# Likely no longer nec as of 2019
+- name: Use larger hammer -- systemctl disable firewalld -- 2 symbolic links involved (OS's other than debuntu)
+ shell: systemctl disable firewalld.service
 when: not is_debuntu
 - name: Mask firewalld service (OS's other than debuntu)
- shell: 'systemctl mask firewalld'
+ shell: systemctl mask firewalld
 ignore_errors: yes
 when: not installing and not is_debuntu
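Review bot: The two `template:` tasks in roles/2-common/tasks/iiab-startup.yml now pass `path:` instead of `dest:`, and as far as I know the template module names its target `dest` and has no `path` alias (that alias belongs to the `file` module). If so, both tasks fail on a missing or unsupported argument and neither the startup script nor its unit file gets installed. Keep `dest: /usr/libexec/` and `dest: "{{ systemd_location }}"`, and rename only the tasks. Separately, `mode: 0755` depends on the loader reading a leading zero as octal; `mode: '0755'` is unambiguous.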
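Review bot: In roles/2-common/tasks/iptables.yml the firewalld disable and mask steps still run through `shell:` although neither command uses shell features, and the mask step keeps `ignore_errors: yes`, so a failed mask does not stop the play. The `systemd` module can express both states idempotently with `enabled: no` and `masked: yes`; failing that, `command:` is the narrower choice. The added comment `# Likely no longer nec as of 2019` would be more useful if it said what makes the task unnecessary, so a later reader can decide whether to delete it.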
@@ -20,17 +21,17 @@
 ignore_errors: yes
 when: not installing and not is_debuntu
-- name: Remove iptables.service file from /etc
+- name: Remove /etc/systemd/system/iptables.service
 file:
 path: /etc/systemd/system/iptables.service
 state: absent
-- name: Remove iptables-xs.service file from /etc
- file:
- path: /etc/systemd/system/iptables-xs.service
- state: absent
+#- name: Remove iptables-xs.service file from /etc
+# file:
+# path: /etc/systemd/system/iptables-xs.service
+# state: absent
-- name: Install iptables service package (debuntu)
+- name: Install package iptables-persistent (debuntu)
 package:
 name: iptables-persistent
 state: present
@@ -38,7 +39,7 @@
 tags:
 - download
-- name: Install iptables service package (OS's other than debuntu)
+- name: Install package iptables-services (OS's other than debuntu)
 package:
 name: iptables-services
 state: present
@@ -46,17 +47,15 @@
 tags:
 - download
-- name: Install iptables services
+- name: Install /etc/sysconfig/iptables-config from template
 template:
- src: "{{ item.0 }}"
- dest: "{{ item.1 }}"
+ src: iptables-config
+ dest: /etc/sysconfig/iptables-config
 owner: root
 group: root
- mode: "{{ item.2 }}"
- with_items:
- - { 0: 'iptables-config', 1: '/etc/sysconfig/iptables-config', 2: '0644' }
+ mode: 0644
-- name: Install Debian config (debuntu)
+- name: Install /etc/network/if-pre-up.d/iptables from template (debuntu)
 template:
 src: iptables
 dest: /etc/network/if-pre-up.d/iptables
diff --git a/roles/2-common/tasks/main.yml b/roles/2-common/tasks/main.yml
index 48a072231..8dad669df 100644
--- a/roles/2-common/tasks/main.yml
+++ b/roles/2-common/tasks/main.yml
@@ -72,7 +72,7 @@
 value: 1
 state: present
-- name: Install custom profile file
+- name: Install custom /etc/profile.d/zzz_iiab.sh from template
 template:
 dest: /etc/profile.d/zzz_iiab.sh
 src: zzz_iiab.sh
diff --git a/roles/2-common/tasks/packages.yml b/roles/2-common/tasks/packages.yml
index c8367b31d..c403ad6d2 100644
--- a/roles/2-common/tasks/packages.yml
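Review bot: The task that removed /etc/systemd/system/iptables-xs.service in roles/2-common/tasks/iptables.yml is commented out rather than deleted or kept, and nothing says why. If hosts upgraded from an older install can still carry that unit file it will now stay in place; the hunk does not show whether any still do. Either delete the four commented lines or add a reason above them, for example `# iptables-xs.service cleanup no longer needed since <RELEASE_PLACEHOLDER>`.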
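Review bot: The iptables-config task in roles/2-common/tasks/iptables.yml now writes `mode: 0644` as a bare scalar where the removed loop item carried the quoted string '0644'. That is correct only while the loader reads a leading zero as octal; `mode: '0644'` keeps the value a string and matches the quoted `mode: '0755'` visible in roles/network/tasks/squid.yml. The same applies to `mode: 0755` in iiab-startup.yml.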
+++ b/roles/2-common/tasks/packages.yml 
@@ -1,72 +1,72 @@
-- name: Install yum/dnf packages (redhat)
+- name: Install 10 yum/dnf packages {avahi, avahi-tools, createrepo, linux-firmware, nss-mdns, openssl, syslog, wpa_supplicant, xml-common, yum-utils} (redhat)
 package:
 name:
- - yum-utils
- - createrepo
- - wpa_supplicant
- - linux-firmware
- - syslog
- - xml-common
- - nss-mdns
 - avahi
 - avahi-tools
+ - createrepo
+ - linux-firmware
+ - nss-mdns
+ - openssl # FC 18 does not supply, but pear requires
+ - syslog
+ - wpa_supplicant
+ - xml-common
+ - yum-utils
 state: present
 when: is_redhat
-- name: Download & install usbmount, missing from Debian Stretch (debian-9)
+- name: Install {{ iiab_download_url }}/usbmount_0.0.14.1_all.deb, missing from Debian Stretch (debian-9)
 apt:
 deb: "{{ iiab_download_url }}/usbmount_0.0.14.1_all.deb"
 #timeout: "{{ download_timeout }}" # Ansible's apt module doesn't support timeout parameter; that's ok as usbmount_0.0.14.1_all.deb is only 10KB
 when: internet_available and is_debian_9
-- name: Install packages (debuntu)
+- name: Install 7 packages {avahi-daemon, avahi-discover, exfat-fuse, exfat-utils, inetutils-syslogd, libnss-mdns, wpasupplicant} (debuntu)
 package:
 name:
- - inetutils-syslogd
- - wpasupplicant
- - libnss-mdns
 - avahi-daemon
 - avahi-discover
 - exfat-fuse
 - exfat-utils
+ - inetutils-syslogd
+ - libnss-mdns
+ - wpasupplicant
 state: present
 when: is_debuntu
-- name: Install common packages
+- name: Install 23 common packages {acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, openssh-server, pandoc, rsync, sudo, tar, unzip, usbmount, usbutils, wget}
 package:
 name:
 - acpid
- - mlocate
- - rsync
- - htop
+ - bridge-utils
+ - bzip2
+ - curl
 #- etckeeper # "nobody is really using etckeeper and it's bloating the filesystem every time apt runs" per @jvonau at https://github.com/iiab/iiab/issues/1146
- - python-passlib
- - usbmount
- - net-tools
- - openssh-server
- - sudo
+ - gawk
+ - hostapd
+ - htop
+ - i2c-tools
 - logrotate
+ #- lynx # already installed by 1-prep's roles/iiab-admin/tasks/access.yml
 - make
+ - mlocate
+ - netmask
+ - net-tools
+ - ntfs-3g
+ - openssh-server
+ - pandoc
+ - rsync
+ - sudo
 - tar
 - unzip
- - bzip2
- - i2c-tools
- - bridge-utils
- - netmask
+ - usbmount
 - usbutils
- - hostapd
 - wget
- - openssl # FC 18 does not supply, but pear requires
- - gawk
- - curl
- - pandoc
- - lynx # already installed by 1-prep's roles/iiab-admin/tasks/access.yml
- - ntfs-3g
 state: present
-- name: Install common Python packages {python-pip, python-setuptools, python-virtualenv}
+- name: Install 4 common Python packages {python-passlib, python-pip, python-setuptools, python-virtualenv}
 package:
 name:
+ - python-passlib
 - python-pip
 - python-setuptools
 - python-virtualenv
diff --git a/roles/3-base-server/tasks/main.yml b/roles/3-base-server/tasks/main.yml
index 5d07b28af..2b1672f1a 100644
--- a/roles/3-base-server/tasks/main.yml
+++ b/roles/3-base-server/tasks/main.yml
@@ -15,8 +15,8 @@
 # has no "when: XXXXX_install" flag
 tags: base, mysql
-- name: Restart httpd
- service:
+- name: Restart Apache systemd service ({{ apache_service }})
+ systemd:
 name: "{{ apache_service }}"
 state: restarted
 when: not installing
diff --git a/roles/4-server-options/tasks/main.yml b/roles/4-server-options/tasks/main.yml
index fab02336e..ec90b4118 100644
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
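Review bot: `openssl` moves from the common package list to the redhat-only list in roles/2-common/tasks/packages.yml, so Debian/Ubuntu hosts no longer have it requested explicitly; that is a behaviour change inside a hunk that otherwise only renames and sorts. If debuntu images are known to ship openssl, say so in a comment beside the move; otherwise keep it in the common list. The usbmount task on the new side also installs a .deb fetched from `{{ iiab_download_url }}` through `apt: deb:`, a path that does not go through APT's repository signature checks, so the file is trusted on the transport alone; downloading it with `get_url` and a pinned `checksum:` before installing the local file would close that gap. The counts written into the new task names, such as `Install 23 common packages {...}`, will go stale whenever a list changes.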
@@ -3,22 +3,22 @@
 - name: ...IS BEGINNING ==================================
 command: echo
-- name: Installing dnsmasq
+- name: Install dnsmasq
 include_tasks: roles/network/tasks/dnsmasq.yml
 when: dnsmasq_install
 tags: base, domain, dnsmasq, network
-- name: Installing named
+- name: Install named / BIND
 include_tasks: roles/network/tasks/named.yml
 when: named_install
 tags: base, named, network, domain
-- name: Installing dhcpd
+- name: Install dhcpd
 include_tasks: roles/network/tasks/dhcpd.yml
 when: dhcpd_install
 tags: base, dhcpd, network, domain
-- name: Installing Squid
+- name: Install Squid (and DansGuardian if dansguardian_install)
 include_tasks: roles/network/tasks/squid.yml
 when: squid_install
 tags: base, squid, network, domain
diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml
index deb8b26be..0e12493c3 100644
--- a/roles/httpd/tasks/main.yml
+++ b/roles/httpd/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: Install Apache's required packages (debian)
+- name: 'Install 3 packages: apache2, php{{ php_version }}, php{{ php_version }}-curl (debian)'
 package:
 #name: [u'apache2', u'php{{ php_version }}', u'php{{ php_version }}-curl'] # FAILS ('u' for Unicode strings)
 #name: ['apache2', 'php{{ php_version }}', 'php{{ php_version }}-curl'] # WORKS?
@@ -11,17 +11,7 @@
 tags:
 - download
-- name: Debian changed SQLite name (debian-8)
- package:
- name: "php{{ php_version }}-sqlite"
- when: is_debian and ansible_distribution_major_version == "8"
-
-- name: Debian changed SQLite3 name (debian-9)
- package:
- name: "php{{ php_version }}-sqlite3"
- when: is_debian and ansible_distribution_major_version == "9"
-
-- name: Install Apache's required packages (ubuntu)
+- name: 'Install 2 packages: apache2, php (ubuntu)'
 package:
 #name: [u'apache2', u'php'] # FAILS ('u' for Unicode strings)
 #name: ['apache2', 'php'] # WORKS
@@ -33,32 +23,31 @@
 tags:
 - download
-- name: SQLite3 no longer included in another package (ubuntu-18)
+- name: Install php{{ php_version }}-sqlite (debian-8)
 package:
- name: php{{ php_version }}-sqlite3
- when: is_ubuntu_18
+ name: "php{{ php_version }}-sqlite"
+ when: is_debian and ansible_distribution_major_version == "8"
-- name: Install Apache's required packages (redhat)
+# SQLite3 no longer included in another package
+- name: Install php{{ php_version }}-sqlite3 (debian-9 or ubuntu-18)
+ package:
+ name: "php{{ php_version }}-sqlite3"
+ when: (is_debian and ansible_distribution_major_version == "9") or is_ubuntu_18
+
+- name: 'Install 4 packages: httpd, mod_authnz_external, php, php-curl (redhat)'
 package:
 #name: [u'httpd', u'php', u'php-curl', u'mod_authnz_external'] # FAILS ('u' for Unicode strings)
 #name: ['httpd', 'php', 'php-curl', 'mod_authnz_external'] # WORKS
 name:
 - httpd
+ - mod_authnz_external
 - php
 - php-curl
- - mod_authnz_external
 state: present
 when: is_redhat
 tags:
 - download
-# MOVED DOWN ~58 LINES
-#- name: Remove the default apache2 config file (debuntu)
-# file:
-# path: /etc/apache2/sites-enabled/000-default.conf
-# state: absent
-# when: is_debuntu
-
 - name: Install Apache's 010-iiab.conf & proxy_ajp.conf into /etc/apache2/sites-available, from templates
 template:
 backup: yes
@@ -88,7 +77,7 @@
 - { regexp: '^max_input_time', line: 'max_input_time = 300 ; default is 60' }
 # remove symlinks for mpm-event, replace with mpm-prefork
-- name: Remove mpm event symlinks (debuntu)
+- name: Remove both mpm_event symlinks from /etc/apache2/mods-enabled (debuntu)
 file:
 path: "/etc/apache2/mods-enabled/{{ item }}"
 state: absent
@@ -97,7 +86,7 @@
 - mpm_event.load
 when: is_debuntu
-- name: Create symlinks for mpm-prefork (debuntu)
+- name: Create both mpm_prefork symlinks from /etc/apache2/mods-enabled to /etc/apache2/mods-available (debuntu)
 file:
 src: "/etc/apache2/mods-available/{{ item }}"
 path: "/etc/apache2/mods-enabled/{{ item }}"
@@ -107,7 +96,7 @@
 - mpm_prefork.load
 when: is_debuntu
-- name: Turn on mod_proxy (debuntu)
+- name: 'Turn on mod_proxy using a2enmod with: proxy, proxy_html, headers, rewrite (debuntu)'
 command: a2enmod {{ item }}
 with_items:
 - proxy
@@ -116,14 +105,14 @@
 - rewrite
 when: is_debuntu
-- name: Create 010-iiab.conf symlink enabling our site (debuntu)
+- name: Enable our site, creating 010-iiab.conf symlink from sites-enabled to sites-available (debuntu)
 file:
 src: "/etc/{{ apache_config_dir }}/010-iiab.conf"
 path: /etc/apache2/sites-enabled/010-iiab.conf
 state: link
 when: is_debuntu
-- name: Remove apache2 default config files (debuntu)
+- name: Remove 000-default.conf from /etc/apache2 and /etc/apache2/sites-enabled (debuntu)
 file:
 path: "{{ item }}"
 state: absent
@@ -140,19 +129,19 @@
 group: root
 state: directory
-- name: Create admin group
+- name: 'Create group: admin'
 group:
 name: admin
 state: present
-- name: Add user {{ apache_user }} (from variable apache_user) to admin group
+- name: Add user {{ apache_user }} (from variable apache_user) to group admin
 user:
 name: "{{ apache_user }}"
 groups: admin
 state: present
 createhome: no
-- name: Create Apache's log dir /var/log/{{ apache_service }}
+- name: Create Apache dir /var/log/{{ apache_service }}
 file:
 path: "/var/log/{{ apache_service }}"
 mode: 0755
@@ -160,7 +149,7 @@
 group: "{{ apache_user }}"
 state: directory
-- name: Enable systemd service {{ apache_service }}
+- name: Enable {{ apache_service }} systemd service
 service:
 name: "{{ apache_service }}"
 enabled: yes
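Review bot: The renamed task `Add user {{ apache_user }} (from variable apache_user) to group admin` in roles/httpd/tasks/main.yml puts the web server account into group `admin`, and nothing on the task says what that group is allowed to do. As far as I recall, Ubuntu's stock sudoers has historically granted `%admin` sudo rights, so it is worth confirming this membership is intended on every supported OS, given that the same file manages /etc/sudoers.d/020_apache_poweroff under `apache_allow_sudo`. `groups: admin` without `append: yes` also replaces whatever other supplementary groups the account had. A comment above the task such as `# admin membership lets Apache <PURPOSE_PLACEHOLDER>; the group must not carry sudo rights` would record the intent.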
@@ -173,23 +162,8 @@
 group: "{{ apache_user }}"
 state: directory
-# roles/httpd/templates/iiab-info.conf.j2.deprecated is no longer needed, as
-# Apache serves http://box/info directly from above /library/www/html/info
-# directly (as generated by /usr/bin/iiab-refresh-wiki-docs)
-#
-#- name: Remove iiab-info.conf
-# file:
-# path: "/etc/{{ apache_config_dir }}/iiab-info.conf"
-# state: absent
-#
-#- name: Remove iiab-info.conf symlink (debuntu)
-# file:
-# path: /etc/apache2/sites-enabled/iiab-info.conf
-# state: absent
-# when: is_debuntu
-
 # SEE https://github.com/iiab/iiab/issues/1143 as the old roles/osm playbook is rarely used as of late 2018 (if anybody still uses roles/osm, they can overwrite osm.conf using the original osm playbook, or in other ways)
-- name: Copy osm.conf for http://box/maps (all OS's)
+- name: Copy osm.conf to /etc/{{ apache_config_dir }} for http://box/maps (all OS's)
 copy:
 src: osm.conf
 dest: "/etc/{{ apache_config_dir }}"
@@ -215,7 +189,7 @@
 tags:
 - base
-- name: Install /usr/bin/iiab-refresh-wiki-docs (scraper script) to create http://box/info offline documentation. (This script will run at the end of Stage 4 = roles/4-server-options/tasks/main.yml)
+- name: Install /usr/bin/iiab-refresh-wiki-docs (scraper script) to create http://box/info offline documentation. (Script can be run manually and/or at the end of Stage 4 = roles/4-server-options/tasks/main.yml)
 template:
 src: refresh-wiki-docs.sh
 dest: /usr/bin/iiab-refresh-wiki-docs
@@ -233,3 +207,8 @@
 path: /etc/sudoers.d/020_apache_poweroff
 state: absent
 when: not apache_allow_sudo
+
+- name: Restart Apache systemd service ({{ apache_service }})
+ systemd:
+ name: "{{ apache_service }}"
+ state: restarted
diff --git a/roles/httpd/tasks/php-stem.yml b/roles/httpd/tasks/php-stem.yml
index a31c4e064..1869d5981 100644
--- a/roles/httpd/tasks/php-stem.yml
+++ b/roles/httpd/tasks/php-stem.yml
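Review bot: The restart task added at the end of roles/httpd/tasks/main.yml has no `when:` guard, while the matching task in roles/3-base-server/tasks/main.yml is limited by `when: not installing`. As written Apache restarts on every run of this role and possibly again from 3-base-server, which is the duplication the comment deleted from php-stem.yml in this same commit was asking about. Add `when: not installing` if the same condition applies here, or make the restart a handler notified by the template tasks so it runs only when a config file actually changed.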
@@ -11,7 +11,7 @@
 # command: cd /; wget http://download.iiab.io/packages/php-stem.x64.tar
 # when: not is_rpi
-- name: Download & unpack php-stem.rpi.tar to / (rpi)
+- name: Unarchive http://download.iiab.io/packages/php-stem.rpi.tar to / (rpi)
 unarchive:
 src: http://download.iiab.io/packages/php-stem.rpi.tar
 dest: /
@@ -21,7 +21,7 @@
 remote_src: yes
 when: is_rpi
-- name: Download & unpack php-stem.x86.tar to / (debian-9 on x86_64 only)
+- name: Unarchive http://download.iiab.io/packages/php-stem.x64.tar to / (debian-9 on x86_64 only)
 unarchive:
 src: http://download.iiab.io/packages/php-stem.x64.tar
 dest: /
@@ -33,9 +33,3 @@
 # Presumably fails on Debian 8 & 10?
 # Fails on Debian i686 as of 2018-08-07: https://github.com/iiab/iiab/issues/983
 # Fails on Ubuntu 18.04 as of 2018-07-28: https://github.com/iiab/iiab/issues/829
-
-# No need to do this twice? Happens later @ https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml#L24-L28
-#- name: Restart apache2 / httpd
-# service:
-# name: "{{ apache_service }}"
-# state: restarted
diff --git a/roles/network/tasks/dansguardian.yml b/roles/network/tasks/dansguardian.yml
index c0e8d297d..4433716fc 100644
--- a/roles/network/tasks/dansguardian.yml
+++ b/roles/network/tasks/dansguardian.yml
@@ -5,7 +5,7 @@
 tags:
 - download
-- name: Copy DansGuardian config file (Fedora)
+- name: Install /etc/dansguardian/dansguardian.conf from template (Fedora)
 template:
 src: roles/network/templates/squid/dansguardian.conf.j2
 dest: /etc/dansguardian/dansguardian.conf
@@ -14,7 +14,7 @@
 mode: 0640
 when: ansible_distribution == "Fedora"
-- name: Copy DansGuardian config file (debuntu)
+- name: Install /etc/dansguardian/dansguardian.conf from template (debuntu)
 template:
 src: roles/network/templates/squid/dansguardian.conf.debian.j2
 dest: /etc/dansguardian/dansguardian.conf
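Review bot: Both `unarchive` tasks in roles/httpd/tasks/php-stem.yml fetch a tarball over plain `http://` and extract it straight into `/` with no integrity check, so the contents of the root filesystem depend on an unauthenticated download; the new task names spell the URL out but the transfer itself is unchanged. Download with `get_url` and a pinned `checksum:` first, then unarchive the verified local file, and switch the URL to `https://` if the mirror serves it. The second hunk (php-stem.x64.tar) needs the same treatment. The unarchive options between `dest: /` and `remote_src: yes` lie outside the hunks, so the sketch below leaves them as they are.

```yaml
- name: Download php-stem.rpi.tar and verify its checksum (rpi)
  get_url:
    url: http://download.iiab.io/packages/php-stem.rpi.tar  # use https:// if the mirror serves it
    dest: "<DOWNLOAD_DIR_PLACEHOLDER>/php-stem.rpi.tar"
    checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
  when: is_rpi

- name: Unarchive verified php-stem.rpi.tar to / (rpi)
  unarchive:
    src: "<DOWNLOAD_DIR_PLACEHOLDER>/php-stem.rpi.tar"
    dest: /
    # … unchanged: remaining unarchive options not shown in the hunk …
    remote_src: yes
  when: is_rpi
```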
@@ -23,7 +23,7 @@
 mode: 0640
 when: is_debuntu
-- name: Copy DansGuardian config file (CentOS)
+- name: Install /etc/dansguardian/dansguardian.conf from template (CentOS)
 template:
 src: roles/network/templates/squid/dansguardian.conf.centos.j2
 dest: /etc/dansguardian/dansguardian.conf
@@ -32,7 +32,7 @@
 mode: 0640
 when: ansible_distribution == "CentOS"
-- name: Create 'dansguardian' log directory (OS's other than CentOS)
+- name: Create directory /var/log/dansguardian (OS's other than CentOS)
 file:
 path: /var/log/dansguardian
 owner: dansguardian
@@ -41,7 +41,7 @@
 state: directory
 when: ansible_distribution != "CentOS"
-- name: Create DansGuardian log directory (CentOS)
+- name: Create directory /var/log/dansguardian (CentOS)
 file:
 path: /var/log/dansguardian
 owner: dansguardian
diff --git a/roles/network/tasks/squid.yml b/roles/network/tasks/squid.yml
index 09cc67a09..faeaf66e6 100644
--- a/roles/network/tasks/squid.yml
+++ b/roles/network/tasks/squid.yml
@@ -1,4 +1,4 @@
-- name: Install Squid packages {{ proxy }} and cadaver
+- name: 'Install packages: {{ proxy }} and cadaver'
 package:
 name:
 - "{{ proxy }}"
@@ -7,7 +7,7 @@
 tags:
 - download
-- name: Bigger hammer for Ubuntu
+- name: 'Bigger hammer for Ubuntu, run: /etc/init.d/squid stop'
 command: /etc/init.d/squid stop
 when: is_ubuntu
@@ -17,13 +17,13 @@
 state: stopped
 when: not installing
-- name: Create the Squid user
+- name: 'Create the Squid user: {{ proxy_user }}'
 user:
 name: "{{ proxy_user }}"
 createhome: False
 shell: /bin/false
-- name: Copy init script and config file
+- name: 'Install from template: /usr/bin/iiab-httpcache, /etc/sysconfig/squid, /etc/{{ proxy }}/sites.whitelist.txt and 3 .rules files'
 template:
 src: "{{ item.src }}"
 dest: "{{ item.dest }}"
@@ -62,7 +62,7 @@
 group: 'root'
 mode: '0755'
-- name: Create Squid cache directory
+- name: Create Squid directory /library/cache
 file:
 path: /library/cache
 owner: "{{ proxy_user }}"
@@ -70,7 +70,7 @@
 mode: 0750
 state: directory
-- name: Create Squid log directory
+- name: Create Squid directory /var/log/{{ proxy }}
 file:
 path: "/var/log/{{ proxy }}"
 owner: "{{ proxy_user }}"
@@ -82,7 +82,7 @@
 when: dansguardian_install
 # {{ proxy }} is normally "squid", but is "squid3" on raspbian-8 & debian-8
-- name: Add '{{ proxy }}' to list of services at {{ iiab_ini_file }}
+- name: Add '{{ proxy }}' variable values to {{ iiab_ini_file }}
 ini_file:
 dest: "{{ iiab_ini_file }}"
 section: "{{ proxy }}"