diff --git a/install-support.yml b/install-support.yml index 0a6dafe33..f8e6802f6 100644 --- a/install-support.yml +++ b/install-support.yml @@ -9,5 +9,4 @@ roles: - { role: 0-init } - { role: sshd } - - { role: iiab-admin } - { role: openvpn } diff --git a/roles/firmware/templates/iiab-check-firmware b/roles/firmware/templates/iiab-check-firmware index efa0269af..94c690314 100644 --- a/roles/firmware/templates/iiab-check-firmware +++ b/roles/firmware/templates/iiab-check-firmware @@ -3,12 +3,13 @@ WARN=0 DATE=$(date +%F-%T) -# 2021-08-17: bash scripts using default_vars.yml &/or local_vars.yml +# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml # https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97 -# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L12 -# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L47-L51 +# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L13 +# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52 # https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34 -# https://github.com/iiab/iiab/blob/master/iiab-support READS AND WRITES, INCL NON-BOOLEAN (openvpn_handle) +# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN + if grep -q '^wifi_hotspot_capacity_rpi_fix:\s\+[fF]alse\b' /etc/iiab/local_vars.yml ; then echo "'wifi_hotspot_capacity_rpi_fix: False' found in /etc/iiab/local_vars.yml" echo "...so WiFi firmware will NOT be checked or replaced." diff --git a/roles/network/templates/gateway/iiab-gen-iptables b/roles/network/templates/gateway/iiab-gen-iptables index d4be214f2..1d196ccb7 100755 --- a/roles/network/templates/gateway/iiab-gen-iptables +++ b/roles/network/templates/gateway/iiab-gen-iptables 
@@ -34,19 +34,20 @@ IPTABLES=/usr/sbin/iptables IPTABLES_DATA=/etc/sysconfig/iptables {% endif %} -# 2021-08-17: bash scripts using default_vars.yml &/or local_vars.yml +# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml # https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97 -# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L12 -# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L47-L51 +# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L13 +# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52 # https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34 -# https://github.com/iiab/iiab/blob/master/iiab-support READS AND WRITES, INCL NON-BOOLEAN (openvpn_handle) +# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN # "awk '{print $2}'" almost works, but: (1) Fails to remove outer quotes, and # (2) Chops up Ansible vars containing multiple words w/o surrounding quotes. # So: sed is used instead, to emulate Ansible's parsing of vars from .yml + iiab_var_value() { - v1=$(grep "^$1:\s" /opt/iiab/iiab/vars/default_vars.yml | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") - v2=$(grep "^$1:\s" /etc/iiab/local_vars.yml | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") + v1=$(grep "^$1:\s" /opt/iiab/iiab/vars/default_vars.yml | tail -1 | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") + v2=$(grep "^$1:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") [ "$v2" != "" ] && echo $v2 || echo $v1 # [ "$v2" ] ALSO WORKS } diff --git a/roles/openvpn/tasks/install.yml b/roles/openvpn/tasks/install.yml index f876ecc99..cbe2e36af 100644 --- a/roles/openvpn/tasks/install.yml 
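Review bot: `iiab_var_value` still echoes the looked-up value unquoted (`[ "$v2" != "" ] && echo $v2 || echo $v1`), so a value containing `*`, `?` or runs of whitespace is glob-expanded and word-split before it reaches the iptables rules this script generates; quote both branches: `[ "$v2" != "" ] && echo "$v2" || echo "$v1"`. The added `tail -1` correctly emulates YAML last-key-wins, but the `s/#.*//` step still strips from the first `#` even inside a quoted value, which Ansible would keep — worth a one-line comment on the sed, e.g. `# NOTE: unlike Ansible, a '#' inside quotes is treated as a comment here`. When /etc/iiab/local_vars.yml is absent, grep prints an error to stderr on every call; `grep -s` (or `2>/dev/null`) keeps the output clean while leaving the fall-through to the default unchanged.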
+++ b/roles/openvpn/tasks/install.yml @@ -1,7 +1,7 @@ - name: "Install packages: ncat, nmap, openvpn, sudo" package: name: - - ncat # Newer versions of NMap do not include NCat, needed to announce /etc/iiab/openvpn_handle (if Debian > 9 or Ubuntu > 18) + - ncat # Newer versions of NMap do not include NCat, needed to announce openvpn_handle (if Debian > 9 or Ubuntu > 18) - nmap - openvpn - sudo # (1) Should be installed prior to installing IIAB, (2) Can also be installed by 1-prep here, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!) 
@@ -55,22 +55,23 @@ mode: "{{ item.mode }}" backup: yes with_items: - - { src: 'ca.crt', dest: '/etc/openvpn/keys/ca.crt', mode: '0644' } - - { src: 'client1.crt', dest: '/etc/openvpn/keys/client1.crt', mode: '0644' } - - { src: 'client1.key', dest: '/etc/openvpn/keys/client1.key', mode: '0600' } - - { src: 'announce', dest: '/etc/openvpn/scripts/announce', mode: '0755' } - - { src: 'announcer.j2', dest: '/etc/openvpn/scripts/announcer', mode: '0755' } - - { src: 'silence', dest: '/etc/openvpn/scripts/silence', mode: '0755' } + - { src: 'ca.crt', dest: '/etc/openvpn/keys/', mode: '0644' } + - { src: 'client1.crt', dest: '/etc/openvpn/keys/', mode: '0644' } + - { src: 'client1.key', dest: '/etc/openvpn/keys/', mode: '0600' } + - { src: 'announce', dest: '/etc/openvpn/scripts/', mode: '0755' } + - { src: 'announcer', dest: '/etc/openvpn/scripts/', mode: '0755' } + - { src: 'silence', dest: '/etc/openvpn/scripts/', mode: '0755' } - { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' } - - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' } + # - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' } # 2021-08-18 SSOT: Please instead set it in /etc/iiab/local_vars.yml + - { src: 'iiab-support', dest: '/usr/bin/', mode: '0755' } - { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' } - - { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' } + - { src: 'iiab-remote-off', dest: '/usr/bin/', mode: '0755' } -- name: Copy /opt/iiab/iiab/iiab-support to /usr/bin/iiab-support, in case git tree deleted e.g. on a smaller IIAB install - copy: - src: "{{ iiab_dir }}/iiab-support" - dest: /usr/bin/ - mode: '0755' +# - name: Copy /opt/iiab/iiab/iiab-support to /usr/bin/iiab-support, in case git tree deleted e.g. 
on a smaller IIAB install +# copy: +# src: "{{ iiab_dir }}/iiab-support" +# dest: /usr/bin/ +# mode: '0755' - name: Symlink /usr/bin/iiab-support-on -> /usr/bin/iiab-support file: diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml index 576ce225a..8c8577767 100644 --- a/roles/openvpn/tasks/main.yml +++ b/roles/openvpn/tasks/main.yml @@ -2,6 +2,24 @@ # http://FAQ.IIAB.IO -> "How can I remotely manage my Internet-in-a-Box?" +# AUGUST 2018 - AUGUST 2021 + +# (1) openvpn_handle could no longer be left undefined OR null +# (two different concepts in Ansible, see /opt/iiab/iiab/test.yml) + +# 2021-08-19 UPDATE: the /usr/bin/iiab-support command can now handle almost +# any /etc/iiab/local_vars.yml (PR #2957) making it all much more resilient! + +# (2) openvpn_handle: "" (EMPTY STRING) IS HOWEVER TOLERATED -- in which case +# the OpenVPN server instead tries to use the 1st 6 chars of /etc/iiab/uuid + +# (3) Finally if there's no client UUID (/etc/iiab/uuid) -- the OpenVPN server +# falls back to labelling that machine as generic: "client1's certificate" + +# SEE ALSO /etc/openvpn/scripts/announcer & /usr/bin/iiab-support from: +# https://github.com/iiab/iiab/tree/master/roles/openvpn/templates + + # "How do i fail a task in Ansible if the variable contains a boolean value? # I want to perform input validation for Ansible playbooks" # https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499 
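Review bot: With the repo-root copy task commented out, /usr/bin/iiab-support exists only after the openvpn role has run, yet that script is what invokes install-support.yml to install the role when `openvpn_installed` is not True — on a box installed with `openvpn_install: False` there no longer appears to be a documented bootstrap path (the old script is kept only as templates/iiab-support.older, which nothing installs). Either document the manual step (presumably `cd /opt/iiab/iiab && sudo ./runrole openvpn`, if runrole accepts a single role) in the FAQ this file points to, or keep a minimal copy of the script outside the role. The commented-out copy task and the commented `openvpn_handle.j2` item are dead code that git history already preserves; delete them rather than carry them, and while touching the task `backup: yes` should become `backup: true` per the truthy convention.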
@@ -42,7 +60,6 @@ value: OpenVPN - option: description value: '"OpenVPN enables live/remote support by connecting machines anywhere on the Internet, via a middleman server, using Virtual Private Network (VPN) techniques to create secure connections."' -# openvpn_handle variable can no longer be left completely undefined of August 2018 (EMPTY STRING "" IS TOLERATED, in which case OpenVPN server should use /etc/iiab/uuid in lieu of the handle) - option: openvpn_install value: "{{ openvpn_install }}" - option: openvpn_enabled diff --git a/roles/openvpn/templates/15-openvpn.deprecated b/roles/openvpn/templates/15-openvpn.unused similarity index 100% rename from roles/openvpn/templates/15-openvpn.deprecated rename to roles/openvpn/templates/15-openvpn.unused diff --git a/roles/openvpn/templates/announcer b/roles/openvpn/templates/announcer new file mode 100755 index 000000000..824a43ba4 --- /dev/null +++ b/roles/openvpn/templates/announcer 
@@ -0,0 +1,74 @@ +#!/bin/bash -x +# Small daemon to identify this machine to the OpenVPN server + +# SEE /usr/bin/iiab-support for local_vars.yml var extraction explanation + +# EMULATE ANSIBLE: but additionally Force Empty String Where Nec, e.g. whether +# local_vars.yml sets openvpn_handle to "" (or worst case null, or not at all!) +HANDLE=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") + +# ALSO GO 1 STEP FURTHER THAN ANSIBLE: convert remaining spaces to underscores, +# for OpenVPN server. iiab-support emulates this, to help folks understand. +HANDLE=${HANDLE// /_} # Same as "s/ /_/g" + +# Likewise empty string is the worst case, e.g. if file doesn't exist. +# If $HANDLE is "", OpenVPN server tries to use the 1st 6 chars of UUID, +# e.g. e1a3d4 from e1a3d4e2-2d1a-4f37-9ba0-e836d7c8e3ca +# SEE "AUGUST 2018 - AUGUST 2021" RECAP ON TOP OF: roles/openvpn/tasks/main.yml +UUID=$(cat /etc/iiab/uuid) + +/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" & + + + +# 2021-08-18: Let's finally do it 3 years lster, simplifying from 4 places to 1 +# at long last. Per SSOT (single source of truth). + +# #HANDLE= +# #UUID= +# #if [ -f /etc/iiab/openvpn_handle ]; then +# # Option #1: Source directly from /etc/iiab/local_vars.yml in future? +# # Option #2 +# HANDLE=$(cat /etc/iiab/openvpn_handle) # Sets to "" if file doesn't exist (error is ok!) + +# # Sourcing a variable from ~4 different places is a recipe for total confusion +# # (or worse!) Far better to make variable openvpn_handle and file +# # /etc/iiab/openvpn_handle "obligatory" (EMPTY STRING "" IS TOLERATED, IN WHICH +# # CASE OPENVPN SERVER TRIES TO USE /etc/iiab/uuid BELOW, IN LIEU OF HANDLE...) + +# # CLARIF: "systemctl restart openvpn" still works tolerably even if the above +# # is defied, auto-starting child service openvpn@xscenet per usual +# # (e.g. 
if /etc/iiab/openvpn_handle is deleted by accident!) + +# #else +# # # Option #3: Dangerous to invoke hypothetical variables :( +# # source {{ iiab_env_file }} +# # # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from {{ iiab_ini_file }}, but safer now that relegated to #4 ? +# # if [ -z "$HANDLE" ]; then +# # HANDLE=`cat {{ iiab_ini_file }} | gawk \ +# # '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'` +# # fi +# #fi +# HANDLE=${HANDLE// /_} # Change all spaces to underscores +# #if [ -f /etc/iiab/uuid ]; then +# UUID=$(cat /etc/iiab/uuid) # Sets to "" if file doesn't exist (error is ok!) +# #fi + +# SERVER=/usr/bin/ncat +# #ID=$(printf "HANDLE = %s|UUID = %s" $HANDLE $UUID) +# #ID=$(echo "HANDLE = ${HANDLE}|UUID = ${UUID}") +# ID=$(echo "HANDLE = $HANDLE|UUID = $UUID") +# # August 2018: Removal of trailing '|' tested on Raspbian, Ubuntu 18.04 & Ubuntu 16.04 +# #ID=`printf "HANDLE = %s|UUID = %s|" $HANDLE $UUID` + +# # Start the daemon which will serve the handle on demand +# {% if is_debuntu %} +# $SERVER -l -k -p1705 --exec "/bin/echo $ID" & +# # 2020-11-23: USE 1 LINE INSTEAD OF 9 LINES, IF WE MANDATE debuntu: +# #/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" & +# {% else %} +# source /etc/init.d/functions +# PID_FILE=/var/run/openvpn/announce.pid +# daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $ID\"" & +# #daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $(printf 'HANDLE = %s|UUID = %s' $HANDLE $UUID)\"" & +# {% endif %} diff --git a/roles/openvpn/templates/announcer.j2 b/roles/openvpn/templates/announcer.j2 deleted file mode 100755 index 7d55d305b..000000000 --- a/roles/openvpn/templates/announcer.j2 +++ /dev/null 
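Review bot: The listener `/usr/bin/ncat -l -k -p1705 --exec ...` has no bind address, so the HANDLE/UUID string is served to anyone who can reach TCP 1705 on the LAN or WAN side, not only to the OpenVPN server over tun0; unless iiab-gen-iptables (outside this diff) drops 1705 on non-tun interfaces, bind it to the VPN address or add a comment stating that the firewall is the only control, e.g. `# NOTE: listens on all interfaces; iiab-gen-iptables must block 1705 except via tun0`. `#!/bin/bash -x` traces every expanded line, including the HANDLE and UUID values, to the stderr of whatever starts it; now that the script is a single command, `-x` can go. If this file is still rendered by the `template` module (the install task lists it beside .j2 entries, though the module name is not in the hunk), the commented-out `# {% if is_debuntu %}`, `# {% endif %}` and `# source {{ iiab_env_file }}` lines are still evaluated by Jinja and will break rendering the day those variables disappear — delete the dead block or wrap it in `{% raw %}`/`{% endraw %}`.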
@@ -1,51 +0,0 @@ -#!/bin/bash -x -# Small daemon to identify this machine to the OpenVPN server - -#HANDLE= -#UUID= -#if [ -f /etc/iiab/openvpn_handle ]; then - # Option #1: Source directly from /etc/iiab/local_vars.yml in future? - # Option #2 - HANDLE=$(cat /etc/iiab/openvpn_handle) # Sets to "" if file doesn't exist (error is ok!) - -# Sourcing a variable from ~4 different places is a recipe for total confusion -# (or worse!) Far better to make variable openvpn_handle and file -# /etc/iiab/openvpn_handle "obligatory" (EMPTY STRING "" IS TOLERATED, IN WHICH -# CASE OPENVPN SERVER TRIES TO USE /etc/iiab/uuid BELOW, IN LIEU OF HANDLE...) - -# CLARIF: "systemctl restart openvpn" still works tolerably even if the above -# is defied, auto-starting child service openvpn@xscenet per usual -# (e.g. if /etc/iiab/openvpn_handle is deleted by accident!) - -#else -# # Option #3: Dangerous to invoke hypothetical variables :( -# source {{ iiab_env_file }} -# # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from {{ iiab_ini_file }}, but safer now that relegated to #4 ? -# if [ -z "$HANDLE" ]; then -# HANDLE=`cat {{ iiab_ini_file }} | gawk \ -# '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'` -# fi -#fi -HANDLE=${HANDLE// /_} # Change all spaces to underscores -#if [ -f /etc/iiab/uuid ]; then - UUID=$(cat /etc/iiab/uuid) # Sets to "" if file doesn't exist (error is ok!) 
-#fi - -SERVER=/usr/bin/ncat -#ID=$(printf "HANDLE = %s|UUID = %s" $HANDLE $UUID) -#ID=$(echo "HANDLE = ${HANDLE}|UUID = ${UUID}") -ID=$(echo "HANDLE = $HANDLE|UUID = $UUID") -# August 2018: Removal of trailing '|' tested on Raspbian, Ubuntu 18.04 & Ubuntu 16.04 -#ID=`printf "HANDLE = %s|UUID = %s|" $HANDLE $UUID` - -# Start the daemon which will serve the handle on demand -{% if is_debuntu %} -$SERVER -l -k -p1705 --exec "/bin/echo $ID" & -# 2020-11-23: USE 1 LINE INSTEAD OF 9 LINES, IF WE MANDATE debuntu: -#/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" & -{% else %} -source /etc/init.d/functions -PID_FILE=/var/run/openvpn/announce.pid -daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $ID\"" & -#daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $(printf 'HANDLE = %s|UUID = %s' $HANDLE $UUID)\"" & -{% endif %} diff --git a/roles/openvpn/templates/iiab-remote-off b/roles/openvpn/templates/iiab-remote-off old mode 100644 new mode 100755 diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support new file mode 100755 index 000000000..784327d31 --- /dev/null +++ b/roles/openvpn/templates/iiab-support 
@@ -0,0 +1,184 @@ +#!/bin/bash + +# Run 'sudo iiab-support' to turn on OpenVPN without hassle. GENERAL TIPS: +# http://FAQ.IIAB.IO -> "How can I remotely manage my Internet-in-a-Box?" + +# "AUGUST 2018 - AUGUST 2021" Technical Recap at the top of: +# https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/main.yml + +DEBUG=false # Using /usr/bin/true or /usr/bin/false +PLAYBOOK="install-support.yml" +INVENTORY="ansible_hosts" + +# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml +# https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97 +# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L13 +# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52 +# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34 +# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN + +# PARSE local_vars.yml JUST AS Ansible & /etc/openvpn/scripts/announcer DO: +# (1) In case var's defined multiple times, 'tail 1' takes the last assignment. +# (2) sed: Strip 'varname:\s' on left. +# (3) sed: Strip '#comment' on right. +# (4) sed: Strip any outer spacing. +# (5) sed: Strip up-to-1 pair of matching outer quotes. + +# 'announcer' (from openvpn/templates) ALSO GOES ONE STEP FURTHER THAN ANSIBLE: +# (6) Convert remaining spaces to underscores. + +# Steps (1) and (2) are Not Applicable with live/keyboard input. +# Steps (3), (4) and (5) are Optional with live/keyboard input (here we do it!) +# Step (6) is always required for OpenVPN here (file input or live/keyboard!) + +# NOTE Ansible vars can have non-string value null. This is different from +# undefined -- from Ansible's perspective -- SEE /opt/iiab/iiab/test.yml +# BUT HERE IN BASH, we focus only on string values e.g. "" empty string if nec: +# (a) WITH INPUT, we choose to ignore lines like "^var:$" that lack whitespace. 
+# Ansible would have assigned the null value. We do not. We force "" +# (b) INPUT LINES "^var:\s\+$" (trailing whitespace) we force to empty string. +# Ansible would have assigned the null value. We do not. We force "" +# (c) WITH *OUTPUT* we aggressively overwrite null var lines, including both +# "^var:$" (no trailing whitespace) and "^var:\s\+$" (trailing whitespace). + +echo -e "\e[0m" # Turn off all ANSI/VT100 colors + +if [ -f /etc/iiab/openvpn_handle ]; then + echo -e "\n \e[41mFYI /etc/iiab/openvpn_handle is no longer supported.\e[0m\n" + echo -e " \e[41m/etc/iiab/local_vars.yml is now used instead (SSOT).\e[0m\n\n" +fi + +# (1), (2), (3) and (4) for now -- then (5) and (6) further below +handle=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//") + +if $($DEBUG); then + echo -e "/etc/iiab/local_vars.yml shows:\n" + grep "^openvpn_" /etc/iiab/local_vars.yml + echo + echo "Your OpenVPN machine name -- source: $handle" +fi + +# Preview of steps (5) and (6) +echo -ne "\e[1mYour OpenVPN machine name is set to: \e[100m" +echo -n "$handle" | sed "s/^\(['\"]\)\(.*\)\1$/\2/; s/ /_/g" # Avoid '-e' interpreting backlash escapes, to show var accurately! Double quote var to prevent field splitting (eats spaces) +echo -e "\e[0m\n" # Separate line also for trailing backslash in var + +echo -e "\e[1mPlease type a descriptive OpenVPN machine name (openvpn_handle) such as:\n" + +echo -e " cape-town-school-36-rpi-2019-05-31\n" + +echo -en "Or hit [Enter] to keep the existing name:\e[0m " +read ans < /dev/tty # Strips outer whitespace, whether we like it or not! + +if [ "$ans" = "" ]; then # (A) Simple! Writes to local_vars.yml a bit more often than nec. +# if [ "$ans" = "" ] || [ "$ans" = "$handle" ]; then # (B) Only write when nec? Also works. +# if ( [ "$ans" = "" ] || [ "$ans" = "$handle" ] ) && [ "$handle" != "" ]; then # (C) Overkill. 
+ echo -e "\n \e[100mopenvpn_handle REMAINS UNCHANGED IN /etc/iiab/local_vars.yml\e[0m\n" +else + if grep -q '^openvpn_handle:' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml + else + echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml + fi + + echo -e "\n \e[7mSAVED TO: /etc/iiab/local_vars.yml\e[0m\n" + + if $($DEBUG); then + echo -e "/etc/iiab/local_vars.yml shows:\n" + grep "^openvpn_" /etc/iiab/local_vars.yml + echo + fi + + # NEXT 4 LINES AREN'T ESSENTIAL: but they allow user to type in a '# comment' for the right side of /etc/iiab/local_vars.yml + + # (3) sed: Strip '# comment' on right, as Ansible would do. + ans=$(echo "$ans" | sed "s/#.*//") # Double quote var to prevent field splitting (eats spaces) + # (4) sed: Strip any outer spacing, as Ansible would do. + ans=$(echo "$ans" | sed "s/^\s*//; s/\s*$//") # Code Safety: lstrip not nec, given "read" command above, but one day $ans might arise from elsewhere + + handle=$ans; # For display at bottom +fi + +if $($DEBUG); then + echo '$handle after (1)-(4), prior to (5)-(6):' "$handle" + echo +fi + +# (5) sed: Strip up-to-1 pair of matching outer quotes, as Ansible would do. 
+handle=$(echo "$handle" | sed "s/^\(['\"]\)\(.*\)\1$/\2/") +# (6) Convert remaining spaces to underscores, just as /etc/openvpn/scripts/announcer does -- same as "s/ /_/g" +handle=${handle// /_} + +if grep -q '^openvpn_installed:\s\+[tT]rue\b' /etc/iiab/iiab_state.yml; then + echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n" +else + echo -e "Plz wait a few minutes as sshd & OpenVPN are confirmed/installed...\n" + if grep -q '^openvpn_install:' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml + else + echo "openvpn_install: True" >> /etc/iiab/local_vars.yml + fi + + if [ -d /opt/iiab/iiab ]; then + cd /opt/iiab/iiab + export ANSIBLE_LOG_PATH="/opt/iiab/iiab/iiab-install.log" + ansible -m setup -i $INVENTORY localhost --connection=local | grep python + ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local + # 2 roles (sshd & openvpn) faster than running all of "./runrole 1-prep" + echo + else + echo -e " \e[41m Directory /opt/iiab/iiab does not exist: CANNOT INSTALL OPENVPN! \e[0m\n" + exit 1 + fi +fi + +echo -e "Now let's (re)enable OpenVPN...\n" +if grep -q '^openvpn_enabled:' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml +else + echo "openvpn_enabled: True" >> /etc/iiab/local_vars.yml +fi +systemctl enable openvpn + +echo -e "\nNow let's restart OpenVPN..." +#systemctl start openvpn +systemctl restart openvpn + +echo -en "\n " +for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done +echo -en " OpenVPN TIPS " +for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done + +echo -e "\n\n 1. Check your Internet connection: run 'ping 8.8.8.8' and 'ping mit.edu'" +echo -e " 2. Check your OpenVPN connection: run 'ping 10.8.0.1'" +echo -e " 3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x" +echo -e " 4. 
If necessary, run 'systemctl restart openvpn' which should" +echo -e " run 'systemctl restart openvpn@xscenet' for you." +echo -e " 5. SOMETIMES WAITING A MINUTE HELPS -- retry steps 2 and 3 to monitor." +echo -e " 6. If in future you want to disable OpenVPN connections to-and-from your" +echo -e " Internet-in-a-Box (IIAB) please run 'iiab-support-off' at that time." +echo -e " 7. Read 'How can I remotely manage my Internet-in-a-Box?' at" +echo -e " http://FAQ.IIAB.IO to learn about DIY remote support alternatives" +echo -e " like ngrok, serveo, remot3.it and TeamViewer.\n" + +echo -en " " +for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done +echo -en " OpenVPN TIPS " +for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done + +echo -e "\n\nNow let's wait 15 seconds, as OpenVPN handshake sometimes needs that (or more!)" +sleep 15 + +# echo -ne "\nYour OpenVPN machine name, per openpvn_handle: \e[32m" +# echo -ne "\nYour OpenVPN machine name is set to..........: \e[32m" +echo -ne "\nYour OpenVPN machine name (openvpn_handle) is: \e[32m" # Actually step (6) above took it just beyond Ansible's (1)-(5) interpretation of openvpn_handle -- i.e. this line just provides a hint to users -- as to how /etc/openvpn/scripts/announcer converts their spaces to underscores when starting OpenVPN. +echo -n "$handle" # Avoid '-e' interpreting backlash escapes, to show var accurately! Double quote var to prevent field splitting (eats spaces) +echo -e "\e[0m" + +vpnip=$(ip a | grep tun0$ | awk '{print $2}') +if [ "$vpnip" != "" ]; then + echo -e "Your OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n" +else + echo -e "\n \e[41m ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS \e[0m\n" + exit 1 +fi diff --git a/iiab-support b/roles/openvpn/templates/iiab-support.older similarity index 100% rename from iiab-support rename to roles/openvpn/templates/iiab-support.older 
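Review bot: The typed handle is spliced unescaped into a sed replacement, `sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml`, so a `/` (e.g. `school/room-3`) aborts sed with "unknown option to `s'", `&` re-inserts the matched text and a trailing `\` escapes the closing delimiter — and the script then prints "SAVED TO" regardless, because neither the sed nor the `>>` append is checked. Escape first and test the result: `ans_esc=$(printf '%s' "$ans" | sed 's/[\/&\\]/\\&/g')`, then `sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans_esc/" /etc/iiab/local_vars.yml || { echo 'FAILED to update /etc/iiab/local_vars.yml'; exit 1; }`. The same unchecked pattern covers the `openvpn_install`/`openvpn_enabled` writes, which silently fail when the script is not run as root (the header says `sudo iiab-support` but nothing enforces it); a guard near the top, `[ "$(id -u)" -eq 0 ] || { echo 'Please run: sudo iiab-support'; exit 1; }`, fails early and clearly. `if $($DEBUG); then` only works because bash reports the last command substitution's status when the expansion yields no command; `if $DEBUG; then` is the idiom and is what the "Using /usr/bin/true or /usr/bin/false" comment describes.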
diff --git a/roles/openvpn/templates/openvpn_handle.j2 b/roles/openvpn/templates/openvpn_handle.j2.unused similarity index 100% rename from roles/openvpn/templates/openvpn_handle.j2 rename to roles/openvpn/templates/openvpn_handle.j2.unused diff --git a/scripts/iiab-diagnostics b/scripts/iiab-diagnostics index fbbca15a9..3e8edfcd5 100755 --- a/scripts/iiab-diagnostics +++ b/scripts/iiab-diagnostics @@ -19,7 +19,7 @@ echo -e " sudo iiab-diagnostics PATH/FILE1 PATH/FILE2 ... # COMPLETE RESU echo echo -ne "Can you provide a \e[1mshort public nickname:\e[0m (no spaces!) " read nickname < /dev/tty -if [ -z "$nickname" ]; then +if [ "$nickname" = "" ]; then nickname="NONAME" fi @@ -87,9 +87,13 @@ function cat_cmd() { # $1 = command + params, $2 = explan echo "=IIAB==========================================================================" >> $outfile cmd=$(echo "$1" | sed 's/\s.*$//') # Keep command on left; Drop params on right pth=$(which $cmd | sed 's/[^/]*$//') # Keep only path on left; Drop command on right - echo "COMMAND: $pth$1 # $2" >> $outfile + if [ "$2" = "" ]; then + echo "COMMAND: $pth$1" >> $outfile + else + echo "COMMAND: $pth$1 # $2" >> $outfile + fi echo >> $outfile - if [ -z "$pth" ]; then + if [ "$pth" = "" ]; then echo "COMMAND NOT FOUND: $1" >> $outfile else $(echo "eval $1") >> $outfile # eval is nec within backticks, so | (pipes) work: https://stackoverflow.com/a/7184782 @@ -133,6 +137,7 @@ cat_file /etc/issue.net cat_file /etc/debian_version cat_cmd 'dpkg --print-architecture' 'RaspiOS-on-PC shows: i386' cat_cmd 'dpkg --print-foreign-architectures' 'RaspiOS-on-PC shows: amd64' +cat_cmd 'grep "^openvpn_" /etc/iiab/local_vars.yml' echo -e '\n\n 1. Files Specially Requested: (from "iiab-diagnostics PATH/FILE1 PATH/FILE2")\n' echo -e '\n\n\n\n1. FILES SPECIALLY REQUESTED (FROM "iiab-diagnostics PATH/FILE1 PATH/FILE2")\n' >> $outfile 
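Review bot: The added `cat_cmd 'grep "^openvpn_" /etc/iiab/local_vars.yml'` writes openvpn_handle into a report the script asks to be tagged with a "short public nickname", and the sample local_vars files in this same commit tell users to put their name in that variable; if the report is meant for publishing, a comment on this line such as `# NOTE: openvpn_handle may contain a person's name -- included deliberately so remote support can match the machine` records the intent for whoever later redacts output. Style: `[ -z "$nickname" ]` and `[ -z "$pth" ]` were the idiomatic POSIX emptiness tests; rewriting them as `[ "$x" = "" ]` is equivalent but less conventional, and the change is unrelated to the openvpn refactor this commit is about.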
@@ -151,7 +156,6 @@ echo -e "\n\n\n\n2. REGULAR FILES\n" >> $outfile #cat_file /opt/iiab/iiab # Directory test #cat_file /tmp/empty-file # Empty file test #cat_file /usr/bin/iiab-support-on # Symlink test -cat_file /etc/iiab/openvpn_handle cat_file /.iiab-image cat_file /etc/iiab/iiab.env cat_file /etc/iiab/iiab.ini diff --git a/scripts/iiab-diagnostics.README.md b/scripts/iiab-diagnostics.README.md index aef45d8fd..70c627429 100644 --- a/scripts/iiab-diagnostics.README.md +++ b/scripts/iiab-diagnostics.README.md @@ -62,4 +62,4 @@ But first off, the file is compiled by harvesting 1 + 6 kinds of things: ## Source Code -Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 106-224 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible. +Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 110-228 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible. diff --git a/test.yml b/test.yml index be808dc92..ac372d43a 100644 --- a/test.yml +++ b/test.yml @@ -21,6 +21,7 @@ - debug: msg: "{{ 'changeme' | password_hash('sha512') }}" + # msg: "{{ 'changeme' | password_hash('yescrypt') }}" # crypt.crypt STILL doesn't support 'yescrypt' algorithm ? #- pause: @@ -32,4 +33,26 @@ debug: msg: "'\"'" # FAILS: "'""'" + - name: a shows "VARIABLE IS NOT DEFINED!" -- whereas b (w/o whitespace) AND c (with space) AND d (with tab) show null (without quotes!) -- whereas d (singlequotes) and e (doublequotes) show "" empty string + set_fact: + #a: + b: + c: # Space + d: # Tab + e: '' + f: "" + + - debug: + var: a + - debug: + var: b + - debug: + var: c + - debug: + var: d + - debug: + var: e + - debug: + var: f + # TEST ANSIBLE COMMANDS/MODULES HERE! diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index 9e9515a85..68be9319e 100644 --- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml 
@@ -111,7 +111,7 @@ sshd_enabled: True # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security openvpn_install: True openvpn_enabled: False -# Set /etc/iiab/openvpn_handle in advance here: +# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle openvpn_handle: BIG-sized - Put Your Name Here # IIAB-ADMIN runs here - see its vars near top of this file: diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index c4bc2018b..6ede6593b 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml @@ -111,7 +111,7 @@ sshd_enabled: True # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security openvpn_install: True openvpn_enabled: False -# Set /etc/iiab/openvpn_handle in advance here: +# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle openvpn_handle: MEDIUM-sized - Put Your Name Here # IIAB-ADMIN runs here - see its vars near top of this file: diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index 68141d398..464b00890 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml @@ -111,7 +111,7 @@ sshd_enabled: True # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security openvpn_install: True openvpn_enabled: False -# Set /etc/iiab/openvpn_handle in advance here: +# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle openvpn_handle: MIN-sized - Put Your Name Here # IIAB-ADMIN runs here - see its vars near top of this file: diff --git a/vars/local_vars_unittest.yml b/vars/local_vars_unittest.yml index 48774451d..e3e1dd866 100644 --- a/vars/local_vars_unittest.yml +++ b/vars/local_vars_unittest.yml 
@@ -111,7 +111,7 @@ sshd_enabled: True # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security openvpn_install: True openvpn_enabled: True -# Set /etc/iiab/openvpn_handle in advance here: +# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle openvpn_handle: unittest - Put Your Name Here # IIAB-ADMIN runs here - see its vars near top of this file: