From 011139bde6fc202ca83ddf85a5acfa04f85c8554 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 18 Aug 2021 21:47:46 -0400 Subject: [PATCH 01/19] Major cleanup of roles/openvpn, openvpn_handle SSOT --- install-support.yml | 1 - roles/firmware/templates/iiab-check-firmware | 9 +- .../templates/gateway/iiab-gen-iptables | 13 +- roles/openvpn/tasks/install.yml | 29 ++-- roles/openvpn/tasks/main.yml | 3 +- ...5-openvpn.deprecated => 15-openvpn.unused} | 0 roles/openvpn/templates/announcer | 72 ++++++++++ roles/openvpn/templates/announcer.j2 | 51 ------- roles/openvpn/templates/iiab-remote-off | 0 roles/openvpn/templates/iiab-support | 133 ++++++++++++++++++ .../openvpn/templates/iiab-support.older | 0 ...vpn_handle.j2 => openvpn_handle.j2.unused} | 0 scripts/iiab-diagnostics | 12 +- test.yml | 23 +++ vars/local_vars_big.yml | 2 +- vars/local_vars_medium.yml | 2 +- vars/local_vars_min.yml | 2 +- vars/local_vars_unittest.yml | 2 +- 18 files changed, 268 insertions(+), 86 deletions(-) rename roles/openvpn/templates/{15-openvpn.deprecated => 15-openvpn.unused} (100%) create mode 100755 roles/openvpn/templates/announcer delete mode 100755 roles/openvpn/templates/announcer.j2 mode change 100644 => 100755 roles/openvpn/templates/iiab-remote-off create mode 100755 roles/openvpn/templates/iiab-support rename iiab-support => roles/openvpn/templates/iiab-support.older (100%) rename roles/openvpn/templates/{openvpn_handle.j2 => openvpn_handle.j2.unused} (100%) diff --git a/install-support.yml b/install-support.yml index 0a6dafe33..f8e6802f6 100644 --- a/install-support.yml +++ b/install-support.yml @@ -9,5 +9,4 @@ roles: - { role: 0-init } - { role: sshd } - - { role: iiab-admin } - { role: openvpn } diff --git a/roles/firmware/templates/iiab-check-firmware b/roles/firmware/templates/iiab-check-firmware index efa0269af..94c690314 100644 --- a/roles/firmware/templates/iiab-check-firmware +++ b/roles/firmware/templates/iiab-check-firmware 
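Review bot: Dropping `- { role: iiab-admin }` from install-support.yml changes what `iiab-support` sets up on a box where 1-prep never ran, and neither the commit message nor the playbook says why; a one-line comment next to the remaining roles, e.g. `# 2021-08-18: iiab-admin dropped -- sudo is installed by roles/openvpn/tasks/install.yml`, would spare the next reader a git blame. The sudo comment in roles/openvpn/tasks/install.yml still names `roles/iiab-admin/tasks/sudo-prereqs.yml` as the definitive installer, so if iiab-admin is also what creates the admin account or sudoers entry, this playbook no longer does that before enabling sshd and OpenVPN on a fresh install; worth confirming before relying on it for first-time remote access.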
@@ -3,12 +3,13 @@ WARN=0 DATE=$(date +%F-%T) -# 2021-08-17: bash scripts using default_vars.yml &/or local_vars.yml +# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml # https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97 -# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L12 -# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L47-L51 +# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L13 +# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52 # https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34 -# https://github.com/iiab/iiab/blob/master/iiab-support READS AND WRITES, INCL NON-BOOLEAN (openvpn_handle) +# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN + if grep -q '^wifi_hotspot_capacity_rpi_fix:\s\+[fF]alse\b' /etc/iiab/local_vars.yml ; then echo "'wifi_hotspot_capacity_rpi_fix: False' found in /etc/iiab/local_vars.yml" echo "...so WiFi firmware will NOT be checked or replaced." diff --git a/roles/network/templates/gateway/iiab-gen-iptables b/roles/network/templates/gateway/iiab-gen-iptables index d4be214f2..e4fd5c60d 100755 --- a/roles/network/templates/gateway/iiab-gen-iptables +++ b/roles/network/templates/gateway/iiab-gen-iptables 
@@ -34,19 +34,20 @@ IPTABLES=/usr/sbin/iptables IPTABLES_DATA=/etc/sysconfig/iptables {% endif %} -# 2021-08-17: bash scripts using default_vars.yml &/or local_vars.yml +# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml # https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97 -# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L12 -# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L47-L51 +# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L13 +# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52 # https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34 -# https://github.com/iiab/iiab/blob/master/iiab-support READS AND WRITES, INCL NON-BOOLEAN (openvpn_handle) +# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN # "awk '{print $2}'" almost works, but: (1) Fails to remove outer quotes, and # (2) Chops up Ansible vars containing multiple words w/o surrounding quotes. # So: sed is used instead, to emulate Ansible's parsing of vars from .yml + iiab_var_value() { - v1=$(grep "^$1:\s" /opt/iiab/iiab/vars/default_vars.yml | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") - v2=$(grep "^$1:\s" /etc/iiab/local_vars.yml | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") + v1=$(grep "^$1:\s" /opt/iiab/iiab/vars/default_vars.yml | head -1 | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") + v2=$(grep "^$1:\s" /etc/iiab/local_vars.yml | head -1 | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") [ "$v2" != "" ] && echo $v2 || echo $v1 # [ "$v2" ] ALSO WORKS } diff --git a/roles/openvpn/tasks/install.yml b/roles/openvpn/tasks/install.yml index f876ecc99..cbe2e36af 100644 --- a/roles/openvpn/tasks/install.yml 
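Review bot: The added `head -1` in `iiab_var_value` resolves a twice-defined variable to its first line, whereas Ansible's YAML loader, as far as I know, keeps the last duplicate key, so the firewall this script generates can disagree with what the playbook installed from the same local_vars.yml; `tail -1` would track Ansible (the same `head -1` is copied into announcer and iiab-support in this patch). The unquoted `echo $v2 || echo $v1` on the next line still collapses inner runs of spaces and glob-expands a `*` in a value, which the header comment says multi-word vars are expected to have; `printf '%s\n' "$v2"` / `printf '%s\n' "$v1"` returns the value intact.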
+++ b/roles/openvpn/tasks/install.yml @@ -1,7 +1,7 @@ - name: "Install packages: ncat, nmap, openvpn, sudo" package: name: - - ncat # Newer versions of NMap do not include NCat, needed to announce /etc/iiab/openvpn_handle (if Debian > 9 or Ubuntu > 18) + - ncat # Newer versions of NMap do not include NCat, needed to announce openvpn_handle (if Debian > 9 or Ubuntu > 18) - nmap - openvpn - sudo # (1) Should be installed prior to installing IIAB, (2) Can also be installed by 1-prep here, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!) 
@@ -55,22 +55,23 @@ mode: "{{ item.mode }}" backup: yes with_items: - - { src: 'ca.crt', dest: '/etc/openvpn/keys/ca.crt', mode: '0644' } - - { src: 'client1.crt', dest: '/etc/openvpn/keys/client1.crt', mode: '0644' } - - { src: 'client1.key', dest: '/etc/openvpn/keys/client1.key', mode: '0600' } - - { src: 'announce', dest: '/etc/openvpn/scripts/announce', mode: '0755' } - - { src: 'announcer.j2', dest: '/etc/openvpn/scripts/announcer', mode: '0755' } - - { src: 'silence', dest: '/etc/openvpn/scripts/silence', mode: '0755' } + - { src: 'ca.crt', dest: '/etc/openvpn/keys/', mode: '0644' } + - { src: 'client1.crt', dest: '/etc/openvpn/keys/', mode: '0644' } + - { src: 'client1.key', dest: '/etc/openvpn/keys/', mode: '0600' } + - { src: 'announce', dest: '/etc/openvpn/scripts/', mode: '0755' } + - { src: 'announcer', dest: '/etc/openvpn/scripts/', mode: '0755' } + - { src: 'silence', dest: '/etc/openvpn/scripts/', mode: '0755' } - { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' } - - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' } + # - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' } # 2021-08-18 SSOT: Please instead set it in /etc/iiab/local_vars.yml + - { src: 'iiab-support', dest: '/usr/bin/', mode: '0755' } - { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' } - - { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' } + - { src: 'iiab-remote-off', dest: '/usr/bin/', mode: '0755' } -- name: Copy /opt/iiab/iiab/iiab-support to /usr/bin/iiab-support, in case git tree deleted e.g. on a smaller IIAB install - copy: - src: "{{ iiab_dir }}/iiab-support" - dest: /usr/bin/ - mode: '0755' +# - name: Copy /opt/iiab/iiab/iiab-support to /usr/bin/iiab-support, in case git tree deleted e.g. 
on a smaller IIAB install +# copy: +# src: "{{ iiab_dir }}/iiab-support" +# dest: /usr/bin/ +# mode: '0755' - name: Symlink /usr/bin/iiab-support-on -> /usr/bin/iiab-support file: diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml index 576ce225a..14378f59e 100644 --- a/roles/openvpn/tasks/main.yml +++ b/roles/openvpn/tasks/main.yml @@ -42,13 +42,12 @@ value: OpenVPN - option: description value: '"OpenVPN enables live/remote support by connecting machines anywhere on the Internet, via a middleman server, using Virtual Private Network (VPN) techniques to create secure connections."' -# openvpn_handle variable can no longer be left completely undefined of August 2018 (EMPTY STRING "" IS TOLERATED, in which case OpenVPN server should use /etc/iiab/uuid in lieu of the handle) - option: openvpn_install value: "{{ openvpn_install }}" - option: openvpn_enabled value: "{{ openvpn_enabled }}" - option: openvpn_handle - value: "{{ openvpn_handle }}" + value: "{{ openvpn_handle }}" # As of August 2018: (1) openvpn_handle could no longer be left undefined OR null (different concepts in Ansible, see /opt/iiab/iiab/tests.yml) -- (2) though an EMPTY STRING "" IS TOLERATED, in which case OpenVPN server instead tries to use 1st 6 chars of /etc/iiab/uuid -- (3) finally, if nec, OpenVPN server falls back to labelling the connection as generic: "client1's certificate" -- SEE ALSO: roles/openvpn/templates/announcer - option: openvpn_cron_enabled value: "{{ openvpn_cron_enabled }}" - option: openvpn_server diff --git a/roles/openvpn/templates/15-openvpn.deprecated b/roles/openvpn/templates/15-openvpn.unused similarity index 100% rename from roles/openvpn/templates/15-openvpn.deprecated rename to roles/openvpn/templates/15-openvpn.unused diff --git a/roles/openvpn/templates/announcer b/roles/openvpn/templates/announcer new file mode 100755 index 000000000..87e2791b5 --- /dev/null +++ b/roles/openvpn/templates/announcer 
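Review bot: Commenting out the `openvpn_handle.j2` item stops writing /etc/iiab/openvpn_handle, but nothing removes the copy already present on upgraded boxes, so a stale handle that can diverge from local_vars.yml stays on disk and the new iiab-support only prints a warning when it sees it; either add `- name: Remove obsolete /etc/iiab/openvpn_handle (SSOT is local_vars.yml)` with `file: { path: /etc/iiab/openvpn_handle, state: absent }` here, or a comment saying it is deliberately left for the operator. Also note `backup: yes` on this task now covers `client1.key` at its directory dest: any re-run that changes the key leaves a timestamped copy of the old private key beside it, so if keys are ever rotated through this task, `backup: no` for the key item (or a cleanup step) is worth considering; the task header is above this hunk.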
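Review bot: The new trailing comment on the `openvpn_handle` value line sends readers to `/opt/iiab/iiab/tests.yml`, but the playbook this series adds the null-vs-empty-string experiments to is `test.yml` (see the diffstat, and patch 02's iiab-support which says `SEE /opt/iiab/iiab/test.yml`), so it should read `/opt/iiab/iiab/test.yml`. A ~450-character comment trailing a value line is also hard to find; as a `#` block above `- option: openvpn_handle` it reads the same in YAML and is visible at a glance.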
@@ -0,0 +1,72 @@
+#!/bin/bash -x
+# Small daemon to identify this machine to the OpenVPN server
+
+# local_vars.yml code from /usr/bin/iiab-support and /usr/bin/iiab-gen-iptables
+
+# Empty string, worst case, e.g. whether var is set to "" (or not set at all!)
+HANDLE=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | head -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
+
+# Change all spaces to underscores
+HANDLE=${HANDLE// /_}
+
+# Likewise empty string is the worst case, e.g. if file doesn't exist.
+# If handle is "", OpenVPN server tries to use the 1st 6 chars of UUID
+# e.g. e1a3d4 from e1a3d4e2-2d1a-4f37-9ba0-e836d7c8e3ca
+# SEE ALSO: roles/openvpn/tasks/main.yml Line 50
+UUID=$(cat /etc/iiab/uuid)
+
+/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" &
+
+
+
+# 2021-08-18: Let's finally do it 3 years lster, simplifying from 4 places to 1
+# at long last. Per SSOT (single source of truth).
+
+# #HANDLE=
+# #UUID=
+# #if [ -f /etc/iiab/openvpn_handle ]; then
+# # Option #1: Source directly from /etc/iiab/local_vars.yml in future?
+# # Option #2
+# HANDLE=$(cat /etc/iiab/openvpn_handle) # Sets to "" if file doesn't exist (error is ok!)
+
+# # Sourcing a variable from ~4 different places is a recipe for total confusion
+# # (or worse!) Far better to make variable openvpn_handle and file
+# # /etc/iiab/openvpn_handle "obligatory" (EMPTY STRING "" IS TOLERATED, IN WHICH
+# # CASE OPENVPN SERVER TRIES TO USE /etc/iiab/uuid BELOW, IN LIEU OF HANDLE...)
+
+# # CLARIF: "systemctl restart openvpn" still works tolerably even if the above
+# # is defied, auto-starting child service openvpn@xscenet per usual
+# # (e.g. if /etc/iiab/openvpn_handle is deleted by accident!)
+
+# #else
+# # # Option #3: Dangerous to invoke hypothetical variables :(
+# # source {{ iiab_env_file }}
+# # # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from {{ iiab_ini_file }}, but safer now that relegated to #4 ?
+# # if [ -z "$HANDLE" ]; then
+# # HANDLE=`cat {{ iiab_ini_file }} | gawk \
+# # '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'`
+# # fi
+# #fi
+# HANDLE=${HANDLE// /_} # Change all spaces to underscores
+# #if [ -f /etc/iiab/uuid ]; then
+# UUID=$(cat /etc/iiab/uuid) # Sets to "" if file doesn't exist (error is ok!)
+# #fi
+
+# SERVER=/usr/bin/ncat
+# #ID=$(printf "HANDLE = %s|UUID = %s" $HANDLE $UUID)
+# #ID=$(echo "HANDLE = ${HANDLE}|UUID = ${UUID}")
+# ID=$(echo "HANDLE = $HANDLE|UUID = $UUID")
+# # August 2018: Removal of trailing '|' tested on Raspbian, Ubuntu 18.04 & Ubuntu 16.04
+# #ID=`printf "HANDLE = %s|UUID = %s|" $HANDLE $UUID`
+
+# # Start the daemon which will serve the handle on demand
+# {% if is_debuntu %}
+# $SERVER -l -k -p1705 --exec "/bin/echo $ID" &
+# # 2020-11-23: USE 1 LINE INSTEAD OF 9 LINES, IF WE MANDATE debuntu:
+# #/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" &
+# {% else %}
+# source /etc/init.d/functions
+# PID_FILE=/var/run/openvpn/announce.pid
+# daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $ID\"" &
+# #daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $(printf 'HANDLE = %s|UUID = %s' $HANDLE $UUID)\"" &
+# {% endif %}
diff --git a/roles/openvpn/templates/announcer.j2 b/roles/openvpn/templates/announcer.j2
deleted file mode 100755
index 7d55d305b..000000000
--- a/roles/openvpn/templates/announcer.j2
+++ /dev/null
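Review bot: The listener on the new line `/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" &` has no bind address, so the handle and the full contents of /etc/iiab/uuid are served to any client on any interface (LAN, hotspot), not only to the OpenVPN server the header comment says this identifies the box to; bind it to the tunnel address (ncat's `-l` accepts a bind host, e.g. `ncat -l "$TUN_IP" -k -p1705 ...` with `TUN_IP` read from `ip -4 -o addr show tun0`, which exists if this runs from OpenVPN's up hook), or confirm that iiab-gen-iptables already drops 1705 off tun0. The commented-out tail still carries live Jinja (`{% if is_debuntu %}` / `{% else %}` / `{% endif %}`, `{{ iiab_env_file }}`, `{{ iiab_ini_file }}`); the task that installs this file (roles/openvpn/tasks/install.yml, above its hunk) rendered the old announcer.j2 through the same item list, so if it is `template:` those tags are still evaluated here and fail on an undefined `is_debuntu` -- delete the dead block rather than commenting it. `#!/bin/bash -x` also traces every line, including the grep of local_vars.yml, into the journal of whatever starts this script; drop `-x` once the rewrite settles.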
@@ -1,51 +0,0 @@ -#!/bin/bash -x -# Small daemon to identify this machine to the OpenVPN server - -#HANDLE= -#UUID= -#if [ -f /etc/iiab/openvpn_handle ]; then - # Option #1: Source directly from /etc/iiab/local_vars.yml in future? - # Option #2 - HANDLE=$(cat /etc/iiab/openvpn_handle) # Sets to "" if file doesn't exist (error is ok!) - -# Sourcing a variable from ~4 different places is a recipe for total confusion -# (or worse!) Far better to make variable openvpn_handle and file -# /etc/iiab/openvpn_handle "obligatory" (EMPTY STRING "" IS TOLERATED, IN WHICH -# CASE OPENVPN SERVER TRIES TO USE /etc/iiab/uuid BELOW, IN LIEU OF HANDLE...) - -# CLARIF: "systemctl restart openvpn" still works tolerably even if the above -# is defied, auto-starting child service openvpn@xscenet per usual -# (e.g. if /etc/iiab/openvpn_handle is deleted by accident!) - -#else -# # Option #3: Dangerous to invoke hypothetical variables :( -# source {{ iiab_env_file }} -# # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from {{ iiab_ini_file }}, but safer now that relegated to #4 ? -# if [ -z "$HANDLE" ]; then -# HANDLE=`cat {{ iiab_ini_file }} | gawk \ -# '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'` -# fi -#fi -HANDLE=${HANDLE// /_} # Change all spaces to underscores -#if [ -f /etc/iiab/uuid ]; then - UUID=$(cat /etc/iiab/uuid) # Sets to "" if file doesn't exist (error is ok!) 
-#fi - -SERVER=/usr/bin/ncat -#ID=$(printf "HANDLE = %s|UUID = %s" $HANDLE $UUID) -#ID=$(echo "HANDLE = ${HANDLE}|UUID = ${UUID}") -ID=$(echo "HANDLE = $HANDLE|UUID = $UUID") -# August 2018: Removal of trailing '|' tested on Raspbian, Ubuntu 18.04 & Ubuntu 16.04 -#ID=`printf "HANDLE = %s|UUID = %s|" $HANDLE $UUID` - -# Start the daemon which will serve the handle on demand -{% if is_debuntu %} -$SERVER -l -k -p1705 --exec "/bin/echo $ID" & -# 2020-11-23: USE 1 LINE INSTEAD OF 9 LINES, IF WE MANDATE debuntu: -#/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" & -{% else %} -source /etc/init.d/functions -PID_FILE=/var/run/openvpn/announce.pid -daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $ID\"" & -#daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $(printf 'HANDLE = %s|UUID = %s' $HANDLE $UUID)\"" & -{% endif %} diff --git a/roles/openvpn/templates/iiab-remote-off b/roles/openvpn/templates/iiab-remote-off old mode 100644 new mode 100755 diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support new file mode 100755 index 000000000..4b5d6a11e --- /dev/null +++ b/roles/openvpn/templates/iiab-support 
@@ -0,0 +1,133 @@ +#!/bin/bash + +PLAYBOOK="install-support.yml" +INVENTORY="ansible_hosts" + +# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml +# https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97 +# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L13 +# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52 +# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34 +# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN + +# openvpn_handle WAS stored in 2 files on disk, one slightly stripped down (from +# the other) due to Ansible. Still, we emulate Ansible behavior when reading var +# (and later writing to disk) removing outer cruft as explained on Lines 31-38: + +handle1=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | head -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") +echo -e "\n/etc/iiab/local_vars.yml shows openvpn_handle: $handle1\n" +if [ -f /etc/iiab/openvpn_handle ]; then + echo -e " \e[41mFYI /etc/iiab/openvpn_handle is no longer supported.\e[0m\n" + echo -e " \e[41m/etc/iiab/local_vars.yml is now used instead (SSOT).\e[0m\n" +fi + +echo -e "\e[1mPlease type a descriptive OpenVPN machine name (openvpn_handle) such as:\n" + +echo -e " cape-town-school-36-rpi-2019-05-31\n" + +echo -en "Or hit [Enter] to keep the existing name:\e[0m " +read ans < /dev/tty + +# BEHAVIOR LIKE ANSIBLE'S parsing of vars from .yml: +# (0) No need to remove comment as above (user prompt here) +# (1) Remove outer spacing IF NEC, then... +# (2) Remove 1 pair of matching outer quotes (IF NEC) +# (3) Ansible vars can have non-string value null. +# Here in bash, we force those to "" (empty string). 
+ +ans=$(echo $ans | sed "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") + +if [ "$ans" = "" ]; then + handle2=$handle1 # Beware old handle could also be "" (handled below!) +else + handle2=$ans; # Also for display at bottom +fi + +echo "ans: '$ans'" +echo "handle1: '$handle1'" +echo "handle2: '$handle2'" +#echo "uuid: '$uuid'" + +if [ "$handle1" = "$handle2" ] && [ "$handle2" != "" ]; then # [ "$ans" ] ALSO WORKS + echo -e "\n\e[1mWARNING: openvpn_handle remains unchanged in /etc/iiab/local_vars.yml\e[0m\n" +else + if grep -q '^openvpn_handle:\s' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_handle:\s.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml + else + echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml + fi + + echo -e "\n\e[1mSAVED your openvpn_handle to /etc/iiab/local_vars.yml\e[0m\n" +fi + +if grep -q '^openvpn_installed:\s\+[tT]rue\b' /etc/iiab/iiab_state.yml; then + echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n" +else + echo -e "Plz wait a few minutes as sshd & OpenVPN are confirmed/installed...\n" + if grep -q '^openvpn_install:\s' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_install:\s.*/openvpn_install: True/" /etc/iiab/local_vars.yml + else + echo "openvpn_install: True" >> /etc/iiab/local_vars.yml + fi + + if [ -d /opt/iiab/iiab ]; then + cd /opt/iiab/iiab + export ANSIBLE_LOG_PATH="/opt/iiab/iiab/iiab-install.log" + ansible -m setup -i $INVENTORY localhost --connection=local | grep python + ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local + # Above is tighter/better than running all of "./runrole 1-prep" + echo + else + echo -e " \e[41m Directory /opt/iiab/iiab does not exist: CANNOT INSTALL OPENVPN! 
\e[0m\n" + exit 1 + fi +fi + +echo -e "Now let's (re)enable OpenVPN...\n" +if grep -q '^openvpn_enabled:\s' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_enabled:\s.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml +else + echo "openvpn_enabled: True" >> /etc/iiab/local_vars.yml +fi +systemctl enable openvpn + +echo -e "\nNow let's restart OpenVPN..." +#systemctl start openvpn +systemctl restart openvpn + +echo -en "\n " +for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done +echo -en " OpenVPN TIPS " +for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done + +echo -e "\n\n 1. Check your Internet connection: run 'ping 8.8.8.8' and 'ping mit.edu'" +echo -e " 2. Check your OpenVPN connection: run 'ping 10.8.0.1'" +echo -e " 3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x" +echo -e " 4. If necessary, run 'systemctl restart openvpn' which should" +echo -e " run 'systemctl restart openvpn@xscenet' for you." +echo -e " 5. SOMETIMES WAITING A MINUTE HELPS -- retry steps 2 and 3 to monitor." +echo -e " 6. If in future you want to disable OpenVPN connections to-and-from your" +echo -e " Internet-in-a-Box (IIAB) please run 'iiab-support-off' at that time." +echo -e " 7. Read 'How can I remotely manage my Internet-in-a-Box?' 
at" +echo -e " http://FAQ.IIAB.IO to learn about DIY remote support alternatives" +echo -e " like ngrok, serveo, remot3.it and TeamViewer.\n" + +echo -en " " +for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done +echo -en " OpenVPN TIPS " +for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done + +echo -e "\n\nNow let's wait 15 seconds, as OpenVPN handshake sometimes needs that (or more!)" +sleep 15 + +echo -en "\nYour OpenVPN machine name (openvpn_handle) is: \e[32m" +echo -en $handle2 +echo -en "\e[0m" + +vpnip=$(ip a | grep tun0$ | awk '{print $2}') +if [ "$vpnip" != "" ]; then + echo -e "\nYour OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n" +else + echo -e "\n \e[41m ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS \e[0m\n" + exit 1 +fi diff --git a/iiab-support b/roles/openvpn/templates/iiab-support.older similarity index 100% rename from iiab-support rename to roles/openvpn/templates/iiab-support.older diff --git a/roles/openvpn/templates/openvpn_handle.j2 b/roles/openvpn/templates/openvpn_handle.j2.unused similarity index 100% rename from roles/openvpn/templates/openvpn_handle.j2 rename to roles/openvpn/templates/openvpn_handle.j2.unused diff --git a/scripts/iiab-diagnostics b/scripts/iiab-diagnostics index fbbca15a9..021b87402 100755 --- a/scripts/iiab-diagnostics +++ b/scripts/iiab-diagnostics @@ -19,7 +19,7 @@ echo -e " sudo iiab-diagnostics PATH/FILE1 PATH/FILE2 ... # COMPLETE RESU echo echo -ne "Can you provide a \e[1mshort public nickname:\e[0m (no spaces!) " read nickname < /dev/tty -if [ -z "$nickname" ]; then +if [ "$nickname" = "" ]; then nickname="NONAME" fi 
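Review bot: The operator's answer goes straight into `sed -i "s/^openvpn_handle:\s.*/openvpn_handle: $ans/"` and into an unquoted YAML line, so a name containing `/`, `&` or `\` makes sed fail or splice in the matched text, a `#` truncates the saved value when Ansible reads it, and a `: ` makes local_vars.yml unparseable for every later playbook run -- and in each case the script still prints SAVED, because neither the sed/echo nor the later `ansible-playbook` exit status is checked before `systemctl enable openvpn` runs. This runs as root on the operator's own box, so it is self-inflicted corruption rather than an injection, but rejecting characters outside the set the examples use, and exiting on any failed write or failed playbook, closes it. `read ans` without `-r` also eats backslashes, and `echo $ans` / `echo -en $handle2` are unquoted, so a `*` in the answer expands against the current directory (which may be /opt/iiab/iiab after the `cd` in the install branch).
```shell
read -r ans < /dev/tty
# … unchanged: comment block describing Ansible-style trimming …
ans=$(printf '%s' "$ans" | sed "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")

# Anything outside this set would break the sed replacement below or change
# the YAML meaning of the line we write (/ & \ # : quotes ...).
bad_chars='[^A-Za-z0-9 ._-]'
if [[ "$ans" =~ $bad_chars ]]; then
    echo -e "\n \e[41m ERROR: openvpn_handle may only contain letters, digits, spaces and . _ - \e[0m\n"
    exit 1
fi
# … unchanged: handle1/handle2 comparison …
    if grep -q '^openvpn_handle:\s' /etc/iiab/local_vars.yml; then
        sed -i "s/^openvpn_handle:\s.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml || exit 1
    else
        echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml || exit 1
    fi
# … unchanged: openvpn_install bookkeeping …
    ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local || exit 1
```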
@@ -87,9 +87,13 @@ function cat_cmd() { # $1 = command + params, $2 = explan echo "=IIAB==========================================================================" >> $outfile cmd=$(echo "$1" | sed 's/\s.*$//') # Keep command on left; Drop params on right pth=$(which $cmd | sed 's/[^/]*$//') # Keep only path on left; Drop command on right - echo "COMMAND: $pth$1 # $2" >> $outfile + if [ "$2" = "" ]; then + echo "COMMAND: $pth$1" >> $outfile + else + echo "COMMAND: $pth$1 # $2" >> $outfile + fi echo >> $outfile - if [ -z "$pth" ]; then + if [ "$pth" = "" ]; then echo "COMMAND NOT FOUND: $1" >> $outfile else $(echo "eval $1") >> $outfile # eval is nec within backticks, so | (pipes) work: https://stackoverflow.com/a/7184782 @@ -151,7 +155,7 @@ echo -e "\n\n\n\n2. REGULAR FILES\n" >> $outfile #cat_file /opt/iiab/iiab # Directory test #cat_file /tmp/empty-file # Empty file test #cat_file /usr/bin/iiab-support-on # Symlink test -cat_file /etc/iiab/openvpn_handle +cat_cmd 'grep "^openvpn_" /etc/iiab/local_vars.yml' cat_file /.iiab-image cat_file /etc/iiab/iiab.env cat_file /etc/iiab/iiab.ini diff --git a/test.yml b/test.yml index be808dc92..ac372d43a 100644 --- a/test.yml +++ b/test.yml @@ -21,6 +21,7 @@ - debug: msg: "{{ 'changeme' | password_hash('sha512') }}" + # msg: "{{ 'changeme' | password_hash('yescrypt') }}" # crypt.crypt STILL doesn't support 'yescrypt' algorithm ? #- pause: @@ -32,4 +33,26 @@ debug: msg: "'\"'" # FAILS: "'""'" + - name: a shows "VARIABLE IS NOT DEFINED!" -- whereas b (w/o whitespace) AND c (with space) AND d (with tab) show null (without quotes!) -- whereas d (singlequotes) and e (doublequotes) show "" empty string + set_fact: + #a: + b: + c: # Space + d: # Tab + e: '' + f: "" + + - debug: + var: a + - debug: + var: b + - debug: + var: c + - debug: + var: d + - debug: + var: e + - debug: + var: f + # TEST ANSIBLE COMMANDS/MODULES HERE! diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index 9e9515a85..68be9319e 100644 
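Review bot: In the test.yml hunk, the task name of the new `set_fact` block labels its cases inconsistently -- it says "d (with tab)" and then "d (singlequotes) and e (doublequotes)", while the facts defined below are `e: ''` and `f: ""`, so the name should end `-- whereas e (singlequotes) and f (doublequotes) show "" empty string`. Since this playbook exists to pin down the null-vs-empty-string distinction that iiab-support and announcer now depend on, the labels are the whole point; recording the observed output as a comment under each `debug` would let the result survive without re-running the play.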
--- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml @@ -111,7 +111,7 @@ sshd_enabled: True # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security openvpn_install: True openvpn_enabled: False -# Set /etc/iiab/openvpn_handle in advance here: +# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle openvpn_handle: BIG-sized - Put Your Name Here # IIAB-ADMIN runs here - see its vars near top of this file: diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index c4bc2018b..6ede6593b 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml @@ -111,7 +111,7 @@ sshd_enabled: True # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security openvpn_install: True openvpn_enabled: False -# Set /etc/iiab/openvpn_handle in advance here: +# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle openvpn_handle: MEDIUM-sized - Put Your Name Here # IIAB-ADMIN runs here - see its vars near top of this file: diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index 68141d398..464b00890 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml @@ -111,7 +111,7 @@ sshd_enabled: True # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security openvpn_install: True openvpn_enabled: False -# Set /etc/iiab/openvpn_handle in advance here: +# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle openvpn_handle: MIN-sized - Put Your Name Here # IIAB-ADMIN runs here - see its vars near top of this file: diff --git a/vars/local_vars_unittest.yml b/vars/local_vars_unittest.yml index 48774451d..e3e1dd866 100644 --- a/vars/local_vars_unittest.yml +++ b/vars/local_vars_unittest.yml 
@@ -111,7 +111,7 @@ sshd_enabled: True # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security openvpn_install: True openvpn_enabled: True -# Set /etc/iiab/openvpn_handle in advance here: +# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle openvpn_handle: unittest - Put Your Name Here # IIAB-ADMIN runs here - see its vars near top of this file: From 673b3be6793929346a2a65440c9a5efa095d4dcb Mon Sep 17 00:00:00 2001 From: root Date: Thu, 19 Aug 2021 00:20:44 -0400 Subject: [PATCH 02/19] Tighter OpenVPN: iiab-support + iiab-diagnostics --- roles/openvpn/templates/iiab-support | 51 ++++++++++++---------------- scripts/iiab-diagnostics | 2 +- scripts/iiab-diagnostics.README.md | 2 +- 3 files changed, 24 insertions(+), 31 deletions(-) diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support index 4b5d6a11e..333ba76dc 100755 --- a/roles/openvpn/templates/iiab-support +++ b/roles/openvpn/templates/iiab-support @@ -12,10 +12,10 @@ INVENTORY="ansible_hosts" # openvpn_handle WAS stored in 2 files on disk, one slightly stripped down (from # the other) due to Ansible. Still, we emulate Ansible behavior when reading var -# (and later writing to disk) removing outer cruft as explained on Lines 31-38: +# (and later writing to disk) removing outer cruft as explained on Lines 31-40: -handle1=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | head -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") -echo -e "\n/etc/iiab/local_vars.yml shows openvpn_handle: $handle1\n" +handle=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | head -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") +echo -e "\n/etc/iiab/local_vars.yml shows openvpn_handle: $handle\n" if [ -f /etc/iiab/openvpn_handle ]; then echo -e " \e[41mFYI /etc/iiab/openvpn_handle is no longer supported.\e[0m\n" echo -e " \e[41m/etc/iiab/local_vars.yml is now used instead (SSOT).\e[0m\n" 
@@ -29,43 +29,36 @@ echo -en "Or hit [Enter] to keep the existing name:\e[0m " read ans < /dev/tty # BEHAVIOR LIKE ANSIBLE'S parsing of vars from .yml: -# (0) No need to remove comment as above (user prompt here) -# (1) Remove outer spacing IF NEC, then... -# (2) Remove 1 pair of matching outer quotes (IF NEC) -# (3) Ansible vars can have non-string value null. -# Here in bash, we force those to "" (empty string). +# (0) No need to remove hash/comments b/c it's live input here, unlike above. +# (1) sed: Remove outer spacing IF NEC, then... +# (2) sed: Remove 1 pair of matching outer quotes (IF NEC) +# (3) Ansible vars can have non-string value null. SEE /opt/iiab/iiab/test.yml +# Here in bash, we focus only on string values, e.g. "" empty string if nec. +# (4) When writing to disk, we aggressively overwrite such null var lines, e.g. +# including sloppy unassigned var lines like "^var:$" that lacks whitespace. ans=$(echo $ans | sed "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") -if [ "$ans" = "" ]; then - handle2=$handle1 # Beware old handle could also be "" (handled below!) 
-else - handle2=$ans; # Also for display at bottom -fi - -echo "ans: '$ans'" -echo "handle1: '$handle1'" -echo "handle2: '$handle2'" -#echo "uuid: '$uuid'" - -if [ "$handle1" = "$handle2" ] && [ "$handle2" != "" ]; then # [ "$ans" ] ALSO WORKS +# if ( [ "$ans" = "$handle" ] || [ "$ans" = "" ] ) && [ "$handle" != "" ]; then # Overkill +if [ "$ans" = "" ] || [ "$ans" = "$handle" ]; then echo -e "\n\e[1mWARNING: openvpn_handle remains unchanged in /etc/iiab/local_vars.yml\e[0m\n" else - if grep -q '^openvpn_handle:\s' /etc/iiab/local_vars.yml; then - sed -i "s/^openvpn_handle:\s.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml + if grep -q '^openvpn_handle:' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml else echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml fi - echo -e "\n\e[1mSAVED your openvpn_handle to /etc/iiab/local_vars.yml\e[0m\n" + echo -e "\n\e[1mSAVED YOUR NEW openvpn_handle to /etc/iiab/local_vars.yml\e[0m\n" + handle=$ans; # For display at bottom fi if grep -q '^openvpn_installed:\s\+[tT]rue\b' /etc/iiab/iiab_state.yml; then echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n" else echo -e "Plz wait a few minutes as sshd & OpenVPN are confirmed/installed...\n" - if grep -q '^openvpn_install:\s' /etc/iiab/local_vars.yml; then - sed -i "s/^openvpn_install:\s.*/openvpn_install: True/" /etc/iiab/local_vars.yml + if grep -q '^openvpn_install:' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml else echo "openvpn_install: True" >> /etc/iiab/local_vars.yml fi 
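Review bot: `sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/"` still passes the raw answer as the sed replacement, so a `/` aborts the substitution while the script goes on to print SAVED, `&` splices the matched `openvpn_handle: <old>` text into the new value, and `\` sequences are interpreted; escape before use, `esc=$(printf '%s' "$ans" | sed 's/[\/&\\]/\\&/g')`, and substitute `$esc`, checking sed's exit status. Widening the anchors to `^openvpn_handle:` matches the sloppy `var:` lines that new comment (4) describes, but the line written is still unquoted YAML, so a `#` or `: ` in the name changes what Ansible later reads back; rejecting those characters (or quoting the value on write) keeps the bash reader and Ansible consistent.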
@@ -75,7 +68,7 @@ else export ANSIBLE_LOG_PATH="/opt/iiab/iiab/iiab-install.log" ansible -m setup -i $INVENTORY localhost --connection=local | grep python ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local - # Above is tighter/better than running all of "./runrole 1-prep" + # 2 roles (sshd & openvpn) faster than running all of "./runrole 1-prep" echo else echo -e " \e[41m Directory /opt/iiab/iiab does not exist: CANNOT INSTALL OPENVPN! \e[0m\n" @@ -84,8 +77,8 @@ else fi echo -e "Now let's (re)enable OpenVPN...\n" -if grep -q '^openvpn_enabled:\s' /etc/iiab/local_vars.yml; then - sed -i "s/^openvpn_enabled:\s.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml +if grep -q '^openvpn_enabled:' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml else echo "openvpn_enabled: True" >> /etc/iiab/local_vars.yml fi @@ -121,7 +114,7 @@ echo -e "\n\nNow let's wait 15 seconds, as OpenVPN handshake sometimes needs tha sleep 15 echo -en "\nYour OpenVPN machine name (openvpn_handle) is: \e[32m" -echo -en $handle2 +echo -en $handle echo -en "\e[0m" vpnip=$(ip a | grep tun0$ | awk '{print $2}') diff --git a/scripts/iiab-diagnostics b/scripts/iiab-diagnostics index 021b87402..3e8edfcd5 100755 --- a/scripts/iiab-diagnostics +++ b/scripts/iiab-diagnostics @@ -137,6 +137,7 @@ cat_file /etc/issue.net cat_file /etc/debian_version cat_cmd 'dpkg --print-architecture' 'RaspiOS-on-PC shows: i386' cat_cmd 'dpkg --print-foreign-architectures' 'RaspiOS-on-PC shows: amd64' +cat_cmd 'grep "^openvpn_" /etc/iiab/local_vars.yml' echo -e '\n\n 1. Files Specially Requested: (from "iiab-diagnostics PATH/FILE1 PATH/FILE2")\n' echo -e '\n\n\n\n1. FILES SPECIALLY REQUESTED (FROM "iiab-diagnostics PATH/FILE1 PATH/FILE2")\n' >> $outfile 
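Review bot: In the `@@ -121,7 +114,7 @@` hunk `echo -en $handle` is unquoted with `-e` on, so a handle containing `*` or `?` glob-expands against the current directory (which may be /opt/iiab/iiab after the `cd` in the install branch) and any backslash sequence is interpreted; `printf '%s' "$handle"` prints the name verbatim. The `echo -e "... openvpn_handle: $handle\n"` at the top of the script (outside this hunk) has the same `-e` interpretation of backslashes inside the value, though its expansion is at least quoted.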
@@ -155,7 +156,6 @@ echo -e "\n\n\n\n2. REGULAR FILES\n" >> $outfile #cat_file /opt/iiab/iiab # Directory test #cat_file /tmp/empty-file # Empty file test #cat_file /usr/bin/iiab-support-on # Symlink test -cat_cmd 'grep "^openvpn_" /etc/iiab/local_vars.yml' cat_file /.iiab-image cat_file /etc/iiab/iiab.env cat_file /etc/iiab/iiab.ini diff --git a/scripts/iiab-diagnostics.README.md b/scripts/iiab-diagnostics.README.md index aef45d8fd..70c627429 100644 --- a/scripts/iiab-diagnostics.README.md +++ b/scripts/iiab-diagnostics.README.md @@ -62,4 +62,4 @@ But first off, the file is compiled by harvesting 1 + 6 kinds of things: ## Source Code -Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 106-224 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible. +Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 110-228 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible. From c1e5052722a3b53344e01d39f25a2967dd07219c Mon Sep 17 00:00:00 2001 From: root Date: Thu, 19 Aug 2021 00:33:08 -0400 Subject: [PATCH 03/19] openvpn/templates/iiab-support: Recap Ansible-vs-sed var mechanics --- roles/openvpn/templates/iiab-support | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support index 333ba76dc..7fbffb111 100755 --- a/roles/openvpn/templates/iiab-support +++ b/roles/openvpn/templates/iiab-support 
@@ -33,9 +33,9 @@ read ans < /dev/tty # (1) sed: Remove outer spacing IF NEC, then... # (2) sed: Remove 1 pair of matching outer quotes (IF NEC) # (3) Ansible vars can have non-string value null. SEE /opt/iiab/iiab/test.yml -# Here in bash, we focus only on string values, e.g. "" empty string if nec. +# Here in bash, we focus only on string values e.g. "" empty string if nec. # (4) When writing to disk, we aggressively overwrite such null var lines, e.g. -# including sloppy unassigned var lines like "^var:$" that lacks whitespace. +# including sloppy unassigned var lines like "^var:$" that lack whitespace. ans=$(echo $ans | sed "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") From c8a8dd85bc46bd34617c43474ee4d35e5c1ac36d Mon Sep 17 00:00:00 2001 From: root Date: Thu, 19 Aug 2021 02:02:24 -0400 Subject: [PATCH 04/19] iiab-support output more vivid: ANSI/VT100 colors/highlighting --- roles/openvpn/templates/iiab-support | 41 ++++++++++++++-------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support index 7fbffb111..f7808ec75 100755 --- a/roles/openvpn/templates/iiab-support +++ b/roles/openvpn/templates/iiab-support @@ -30,8 +30,8 @@ read ans < /dev/tty # BEHAVIOR LIKE ANSIBLE'S parsing of vars from .yml: # (0) No need to remove hash/comments b/c it's live input here, unlike above. -# (1) sed: Remove outer spacing IF NEC, then... -# (2) sed: Remove 1 pair of matching outer quotes (IF NEC) +# (1) sed: Trim outer spacing IF NEC, then... +# (2) sed: Trim 1 pair of matching outer quotes (IF NEC) # (3) Ansible vars can have non-string value null. SEE /opt/iiab/iiab/test.yml # Here in bash, we focus only on string values e.g. "" empty string if nec. # (4) When writing to disk, we aggressively overwrite such null var lines, e.g. 
@@ -39,9 +39,10 @@ read ans < /dev/tty ans=$(echo $ans | sed "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") -# if ( [ "$ans" = "$handle" ] || [ "$ans" = "" ] ) && [ "$handle" != "" ]; then # Overkill -if [ "$ans" = "" ] || [ "$ans" = "$handle" ]; then - echo -e "\n\e[1mWARNING: openvpn_handle remains unchanged in /etc/iiab/local_vars.yml\e[0m\n" +if [ "$ans" = "" ]; then # (A) Simple! Writes to local_vars.yml a bit more than nec. +# if [ "$ans" = "" ] || [ "$ans" = "$handle" ]; then # (B) Only write to disk when nec? +# if ( [ "$ans" = "" ] || [ "$ans" = "$handle" ] ) && [ "$handle" != "" ]; then # (C) Overkill + echo -e "\n \e[100mopenvpn_handle REMAINS UNCHANGED IN /etc/iiab/local_vars.yml\e[0m\n" else if grep -q '^openvpn_handle:' /etc/iiab/local_vars.yml; then sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml @@ -49,7 +50,7 @@ else echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml fi - echo -e "\n\e[1mSAVED YOUR NEW openvpn_handle to /etc/iiab/local_vars.yml\e[0m\n" + echo -e "\n \e[7mSAVED TO: /etc/iiab/local_vars.yml\e[0m\n" handle=$ans; # For display at bottom fi 
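Review bot: `$ans` is still spliced unescaped into the `sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/"` replacement and into the `echo "openvpn_handle: $ans" >>` line, so a typed name containing `/`, `&` or `\` either makes sed abort with an "unknown option to `s'" error (nothing checks its exit status, and the next hunk still prints `SAVED TO:`) or rewrites the value (`&` re-inserts the matched text). The new `if [ "$ans" = "" ]` test only covers the empty case; a guard before the write such as `if [[ "$ans" == *[/\&\\]* ]]; then echo "openvpn_handle may not contain / & or \\ -- not saved" >&2; exit 1; fi` keeps /etc/iiab/local_vars.yml, which this root-run script edits in place, consistent. The `else` branch that performs the write continues into the following hunk.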
@@ -88,24 +89,24 @@ echo -e "\nNow let's restart OpenVPN..." #systemctl start openvpn systemctl restart openvpn -echo -en "\n " +echo -en "\n " for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done echo -en " OpenVPN TIPS " for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done -echo -e "\n\n 1. Check your Internet connection: run 'ping 8.8.8.8' and 'ping mit.edu'" -echo -e " 2. Check your OpenVPN connection: run 'ping 10.8.0.1'" -echo -e " 3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x" -echo -e " 4. If necessary, run 'systemctl restart openvpn' which should" -echo -e " run 'systemctl restart openvpn@xscenet' for you." -echo -e " 5. SOMETIMES WAITING A MINUTE HELPS -- retry steps 2 and 3 to monitor." -echo -e " 6. If in future you want to disable OpenVPN connections to-and-from your" -echo -e " Internet-in-a-Box (IIAB) please run 'iiab-support-off' at that time." -echo -e " 7. Read 'How can I remotely manage my Internet-in-a-Box?' at" -echo -e " http://FAQ.IIAB.IO to learn about DIY remote support alternatives" -echo -e " like ngrok, serveo, remot3.it and TeamViewer.\n" +echo -e "\n\n 1. Check your Internet connection: run 'ping 8.8.8.8' and 'ping mit.edu'" +echo -e " 2. Check your OpenVPN connection: run 'ping 10.8.0.1'" +echo -e " 3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x" +echo -e " 4. If necessary, run 'systemctl restart openvpn' which should" +echo -e " run 'systemctl restart openvpn@xscenet' for you." +echo -e " 5. SOMETIMES WAITING A MINUTE HELPS -- retry steps 2 and 3 to monitor." +echo -e " 6. If in future you want to disable OpenVPN connections to-and-from your" +echo -e " Internet-in-a-Box (IIAB) please run 'iiab-support-off' at that time." +echo -e " 7. Read 'How can I remotely manage my Internet-in-a-Box?' 
at" +echo -e " http://FAQ.IIAB.IO to learn about DIY remote support alternatives" +echo -e " like ngrok, serveo, remot3.it and TeamViewer.\n" -echo -en " " +echo -en " " for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done echo -en " OpenVPN TIPS " for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done @@ -121,6 +122,6 @@ vpnip=$(ip a | grep tun0$ | awk '{print $2}') if [ "$vpnip" != "" ]; then echo -e "\nYour OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n" else - echo -e "\n \e[41m ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS \e[0m\n" + echo -e "\n\n \e[41m ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS \e[0m\n" exit 1 fi From 4168ecfa37052035020d358936118172a8284338 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 19 Aug 2021 15:27:05 -0400 Subject: [PATCH 05/19] Toughen up /usr/bin/iiab-support & similar local_vars.yml extractors --- .../templates/gateway/iiab-gen-iptables | 4 +- roles/openvpn/templates/announcer | 4 +- roles/openvpn/templates/iiab-support | 94 ++++++++++++++----- 3 files changed, 73 insertions(+), 29 deletions(-) diff --git a/roles/network/templates/gateway/iiab-gen-iptables b/roles/network/templates/gateway/iiab-gen-iptables index e4fd5c60d..1d196ccb7 100755 --- a/roles/network/templates/gateway/iiab-gen-iptables +++ b/roles/network/templates/gateway/iiab-gen-iptables 
@@ -46,8 +46,8 @@ IPTABLES_DATA=/etc/sysconfig/iptables # So: sed is used instead, to emulate Ansible's parsing of vars from .yml iiab_var_value() { - v1=$(grep "^$1:\s" /opt/iiab/iiab/vars/default_vars.yml | head -1 | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") - v2=$(grep "^$1:\s" /etc/iiab/local_vars.yml | head -1 | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") + v1=$(grep "^$1:\s" /opt/iiab/iiab/vars/default_vars.yml | tail -1 | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") + v2=$(grep "^$1:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") [ "$v2" != "" ] && echo $v2 || echo $v1 # [ "$v2" ] ALSO WORKS } diff --git a/roles/openvpn/templates/announcer b/roles/openvpn/templates/announcer index 87e2791b5..048d97e13 100755 --- a/roles/openvpn/templates/announcer +++ b/roles/openvpn/templates/announcer @@ -4,9 +4,9 @@ # local_vars.yml code from /usr/bin/iiab-support and /usr/bin/iiab-gen-iptables # Empty string, worst case, e.g. whether var is set to "" (or not set at all!) -HANDLE=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | head -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") +HANDLE=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") -# Change all spaces to underscores +# Change all spaces to underscores - same as "s/ /_/g" HANDLE=${HANDLE// /_} # Likewise empty string is the worst case, e.g. if file doesn't exist. diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support index f7808ec75..98736ce1b 100755 --- a/roles/openvpn/templates/iiab-support +++ b/roles/openvpn/templates/iiab-support 
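Review bot: In iiab_var_value the extracted value is emitted with an unquoted `echo $v2` / `echo $v1`, so it is word-split and glob-expanded before it reaches the caller: a value containing `*` or `?` can expand to file names in the current directory, and a value beginning with `-n` or `-e` is swallowed as an echo option. With the new `tail -1` the last assignment in local_vars.yml now wins, which is exactly the line an operator edits by hand, so `printf '%s\n' "${v2:-$v1}"` would hand it back verbatim and also replaces the `a && b || c` chain that runs `echo $v1` whenever the first echo fails. If collapsing inner whitespace is intentional, a comment saying so would stop the next reader from "fixing" it. The identical head-to-tail change on announcer's HANDLE line needs nothing further.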
@@ -2,6 +2,7 @@
 
 PLAYBOOK="install-support.yml"
 INVENTORY="ansible_hosts"
+DEBUG=false # Using /usr/bin/true or /usr/bin/false
 
 # 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml
 # https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97
@@ -10,38 +11,55 @@ INVENTORY="ansible_hosts" # https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34 # https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN -# openvpn_handle WAS stored in 2 files on disk, one slightly stripped down (from -# the other) due to Ansible. Still, we emulate Ansible behavior when reading var -# (and later writing to disk) removing outer cruft as explained on Lines 31-40: +# PARSE local_vars.yml JUST AS Ansible & /etc/openvpn/scripts/announcer DO: +# (1) In case var's defined multiple times, 'tail 1' takes the last assignment. +# (2) sed: Strip 'varname:\s' on left. +# (3) sed: Strip '# comment' on right. Optional on live/keyboard input. +# (4) sed: Strip any outer spacing, as Ansible would do. Optional on live input. +# (5) sed: Strip up-to-1 pair of matching outer quotes, as Ansible would do. +# (6) Convert remaining spaces to underscores, as 'announcer' would do. + +# NOTE Ansible vars can have non-string value null. This is different from +# undefined -- from Ansible's perspective -- SEE /opt/iiab/iiab/test.yml +# BUT HERE IN BASH, we focus only on string values e.g. "" empty string if nec: +# (a) WITH INPUT, we choose to ignore lines like "^var:$" that lack whitespace. +# Ansible would have assigned the null value. We do not. +# (b) INPUT LINES "^var:\s\+$" (trailing whitespace) we force to empty string. +# Ansible would have assigned the null value. We do not. +# (c) WITH *OUTPUT* we aggressively overwrite null var lines, including both +# "^var:$" (no trailing whitespace) and "^var:\s\+$" (trailing whitespace). 
+ +echo -handle=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | head -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") -echo -e "\n/etc/iiab/local_vars.yml shows openvpn_handle: $handle\n" if [ -f /etc/iiab/openvpn_handle ]; then echo -e " \e[41mFYI /etc/iiab/openvpn_handle is no longer supported.\e[0m\n" echo -e " \e[41m/etc/iiab/local_vars.yml is now used instead (SSOT).\e[0m\n" fi +# (1), (2), (3) and (4) for now -- then (5) and (6) further below +handle=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//") + +if $($DEBUG); then + echo -e "/etc/iiab/local_vars.yml shows:\n" + grep "^openvpn_" /etc/iiab/local_vars.yml + echo + echo "Your OpenVPN machine name -- source: $handle" +fi + +echo -ne "\e[1mYour OpenVPN machine name is set to: \e[100m" +echo -n "$handle" | sed "s/^\(['\"]\)\(.*\)\1$/\2/; s/ /_/g" # Avoid '-e' interpreting backlash escapes, to show var accurately! Double quote var to prevent field splitting (eats spaces) +echo -e "\e[0m\n" # Separate line also for trailing backslash in var + echo -e "\e[1mPlease type a descriptive OpenVPN machine name (openvpn_handle) such as:\n" echo -e " cape-town-school-36-rpi-2019-05-31\n" echo -en "Or hit [Enter] to keep the existing name:\e[0m " -read ans < /dev/tty +read ans < /dev/tty # Strips outer whitespace, whether we like it or not! -# BEHAVIOR LIKE ANSIBLE'S parsing of vars from .yml: -# (0) No need to remove hash/comments b/c it's live input here, unlike above. -# (1) sed: Trim outer spacing IF NEC, then... -# (2) sed: Trim 1 pair of matching outer quotes (IF NEC) -# (3) Ansible vars can have non-string value null. SEE /opt/iiab/iiab/test.yml -# Here in bash, we focus only on string values e.g. "" empty string if nec. -# (4) When writing to disk, we aggressively overwrite such null var lines, e.g. -# including sloppy unassigned var lines like "^var:$" that lack whitespace. 
- -ans=$(echo $ans | sed "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") - -if [ "$ans" = "" ]; then # (A) Simple! Writes to local_vars.yml a bit more than nec. -# if [ "$ans" = "" ] || [ "$ans" = "$handle" ]; then # (B) Only write to disk when nec? -# if ( [ "$ans" = "" ] || [ "$ans" = "$handle" ] ) && [ "$handle" != "" ]; then # (C) Overkill +if [ "$ans" = "" ]; then # (A) Simple! Writes to local_vars.yml a bit more often than nec. +# if [ "$ans" = "" ] || [ "$ans" = "$handle" ]; then # (B) Only write when nec? Also works. +# if ( [ "$ans" = "" ] || [ "$ans" = "$handle" ] ) && [ "$handle" != "" ]; then # (C) Overkill. echo -e "\n \e[100mopenvpn_handle REMAINS UNCHANGED IN /etc/iiab/local_vars.yml\e[0m\n" else if grep -q '^openvpn_handle:' /etc/iiab/local_vars.yml; then @@ -51,9 +69,33 @@ else fi echo -e "\n \e[7mSAVED TO: /etc/iiab/local_vars.yml\e[0m\n" + + if $($DEBUG); then + echo -e "/etc/iiab/local_vars.yml shows:\n" + grep "^openvpn_" /etc/iiab/local_vars.yml + echo + fi + + # NEXT 4 LINES AREN'T ESSENTIAL: but they allow user to type in a '# comment' for the right side of /etc/iiab/local_vars.yml + + # (3) sed: Strip '# comment' on right. + ans=$(echo "$ans" | sed "s/#.*//") # Double quote var to prevent field splitting (eats spaces) + # (4) sed: Strip any outer spacing, as Ansible would do. + ans=$(echo "$ans" | sed "s/^\s*//; s/\s*$//") + handle=$ans; # For display at bottom fi +if $($DEBUG); then + echo '$handle after (1)-(4), prior to (5)-(6):' "$handle" + echo +fi + +# (5) sed: Strip up-to-1 pair of matching outer quotes, as Ansible would do. +handle=$(echo "$handle" | sed "s/^\(['\"]\)\(.*\)\1$/\2/") +# (6) Convert remaining spaces to underscores, as 'announcer' would do - same as "s/ /_/g" +handle=${handle// /_} + if grep -q '^openvpn_installed:\s\+[tT]rue\b' /etc/iiab/iiab_state.yml; then echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n" else 
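Review bot: `read ans < /dev/tty` still lacks `-r`, so a backslash typed by the user is consumed as an escape before any of steps (3)-(5) run, which contradicts the `# Separate line also for trailing backslash in var` comment added just above it; `read -r ans < /dev/tty` keeps the input literal. `if $($DEBUG); then` (here, and twice more in the next hunk) only works because bash falls back to the exit status of the last command substitution when the command line expands to nothing — `if $DEBUG; then`, or plainer still `if [ "$DEBUG" = true ]; then`, says the same thing without relying on that corner of the manual. The trailing `;` in `handle=$ans;` is a leftover worth dropping while here.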
@@ -114,14 +156,16 @@ for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done echo -e "\n\nNow let's wait 15 seconds, as OpenVPN handshake sometimes needs that (or more!)" sleep 15 -echo -en "\nYour OpenVPN machine name (openvpn_handle) is: \e[32m" -echo -en $handle -echo -en "\e[0m" +# echo -ne "\nYour OpenVPN machine name, per openpvn_handle: \e[32m" +# echo -ne "\nYour OpenVPN machine name is set to..........: \e[32m" +echo -ne "\nYour OpenVPN machine name (openvpn_handle) is: \e[32m" # Actually step (6) above took it just beyond Ansible's (1)-(5) interpretation of openvpn_handle -- i.e. this line just provides a hint to users -- as to how /etc/openvpn/scripts/announcer converts their spaces to underscores when starting OpenVPN. +echo -n "$handle" # Avoid '-e' interpreting backlash escapes, to show var accurately! Double quote var to prevent field splitting (eats spaces) +echo -e "\e[0m" vpnip=$(ip a | grep tun0$ | awk '{print $2}') if [ "$vpnip" != "" ]; then - echo -e "\nYour OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n" + echo -e "Your OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n" else - echo -e "\n\n \e[41m ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS \e[0m\n" + echo -e "\n \e[41m ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS \e[0m\n" exit 1 fi From a0ca53a0fb5e5bb6b692b042e294d9655b0f35f2 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 19 Aug 2021 15:49:08 -0400 Subject: [PATCH 06/19] /usr/bin/iiab-support: Turn off ANSI/VT100 colors at the outset --- roles/openvpn/templates/iiab-support | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support index 98736ce1b..6d82161d7 100755 --- a/roles/openvpn/templates/iiab-support +++ b/roles/openvpn/templates/iiab-support 
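Review bot: The new `echo -ne "\nYour OpenVPN machine name (openvpn_handle) is: \e[32m"` line carries a roughly 250-character trailing comment explaining step (6); moving that explanation onto its own `#` lines above the echo keeps the code readable and matches the multi-line comment style this file uses at the top. The accompanying `echo -n "$handle"` (quoted, without `-e`) is the right fix for the unquoted `echo -en $handle` it replaces.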
@@ -29,7 +29,7 @@ DEBUG=false # Using /usr/bin/true or /usr/bin/false
 # (c) WITH *OUTPUT* we aggressively overwrite null var lines, including both
 # "^var:$" (no trailing whitespace) and "^var:\s\+$" (trailing whitespace).
 
-echo
+echo -e "\e[0m" # Turn off all ANSI/VT100 colors
 
 if [ -f /etc/iiab/openvpn_handle ]; then
 echo -e " \e[41mFYI /etc/iiab/openvpn_handle is no longer supported.\e[0m\n"
From 0be8cfa16a8caed859c3b98c4aef34ac77055241 Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 19 Aug 2021 16:05:10 -0400
Subject: [PATCH 07/19] iiab-support: Clarify /etc/openvpn/scripts/announcer SPC -> underscore
---
 roles/openvpn/templates/iiab-support | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support
index 6d82161d7..14cf436f5 100755
--- a/roles/openvpn/templates/iiab-support
+++ b/roles/openvpn/templates/iiab-support
@@ -17,7 +17,7 @@ DEBUG=false # Using /usr/bin/true or /usr/bin/false
 # (3) sed: Strip '# comment' on right. Optional on live/keyboard input.
 # (4) sed: Strip any outer spacing, as Ansible would do. Optional on live input.
 # (5) sed: Strip up-to-1 pair of matching outer quotes, as Ansible would do.
-# (6) Convert remaining spaces to underscores, as 'announcer' would do.
+# (6) Convert remaining spaces to underscores, just as 'announcer' does.
 
 # NOTE Ansible vars can have non-string value null. This is different from
 # undefined -- from Ansible's perspective -- SEE /opt/iiab/iiab/test.yml
@@ -93,7 +93,7 @@ fi
 
 # (5) sed: Strip up-to-1 pair of matching outer quotes, as Ansible would do.
 handle=$(echo "$handle" | sed "s/^\(['\"]\)\(.*\)\1$/\2/")
-# (6) Convert remaining spaces to underscores, as 'announcer' would do - same as "s/ /_/g"
+# (6) Convert remaining spaces to underscores, just as /etc/openvpn/scripts/announcer does -- same as "s/ /_/g"
 handle=${handle// /_}
 
 if grep -q '^openvpn_installed:\s\+[tT]rue\b' /etc/iiab/iiab_state.yml; then
From b8a9ec091417a627d8d7fe14cd25beb694a0bd50 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 19 Aug 2021 17:14:49 -0400 Subject: [PATCH 08/19] Warn that /etc/iiab/openvpn_handle is no longer supported --- roles/openvpn/templates/iiab-support | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support index 14cf436f5..66f6eb1ad 100755 --- a/roles/openvpn/templates/iiab-support +++ b/roles/openvpn/templates/iiab-support @@ -32,8 +32,8 @@ DEBUG=false # Using /usr/bin/true or /usr/bin/false echo -e "\e[0m" # Turn off all ANSI/VT100 colors if [ -f /etc/iiab/openvpn_handle ]; then - echo -e " \e[41mFYI /etc/iiab/openvpn_handle is no longer supported.\e[0m\n" - echo -e " \e[41m/etc/iiab/local_vars.yml is now used instead (SSOT).\e[0m\n" + echo -e "\n \e[41mFYI /etc/iiab/openvpn_handle is no longer supported.\e[0m\n" + echo -e " \e[41m/etc/iiab/local_vars.yml is now used instead (SSOT).\e[0m\n\n" fi # (1), (2), (3) and (4) for now -- then (5) and (6) further below From 201a8cd00c93bad03c7777bc41f10fd393a9a4ee Mon Sep 17 00:00:00 2001 From: A Holt Date: Thu, 19 Aug 2021 18:14:29 -0400 Subject: [PATCH 09/19] openvpn/templates/announcer: User education re: spaces-to-underscores --- roles/openvpn/templates/announcer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openvpn/templates/announcer b/roles/openvpn/templates/announcer index 048d97e13..17ddfb6d0 100755 --- a/roles/openvpn/templates/announcer +++ b/roles/openvpn/templates/announcer 
@@ -6,7 +6,7 @@ # Empty string, worst case, e.g. whether var is set to "" (or not set at all!) HANDLE=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") -# Change all spaces to underscores - same as "s/ /_/g" +# Change all spaces to underscores -- same as "s/ /_/g" -- /usr/bin/iiab-support emulates this, to help folks understand HANDLE=${HANDLE// /_} # Likewise empty string is the worst case, e.g. if file doesn't exist. From d58b0a7c17ed201fe1000973b01d60e17d984105 Mon Sep 17 00:00:00 2001 From: A Holt Date: Thu, 19 Aug 2021 18:17:56 -0400 Subject: [PATCH 10/19] openvpn/templates/announcer: < 80 columns for readability, as much as poss --- roles/openvpn/templates/announcer | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/openvpn/templates/announcer b/roles/openvpn/templates/announcer index 17ddfb6d0..a8e11d2b1 100755 --- a/roles/openvpn/templates/announcer +++ b/roles/openvpn/templates/announcer @@ -6,7 +6,8 @@ # Empty string, worst case, e.g. whether var is set to "" (or not set at all!) HANDLE=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") -# Change all spaces to underscores -- same as "s/ /_/g" -- /usr/bin/iiab-support emulates this, to help folks understand +# Change all spaces to underscores -- same as "s/ /_/g" +# /usr/bin/iiab-support emulates this, to help folks understand HANDLE=${HANDLE// /_} # Likewise empty string is the worst case, e.g. if file doesn't exist. From e6e3555838bfa5ee4f90992efbccbb6f04f9db87 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 19 Aug 2021 19:35:05 -0400 Subject: [PATCH 11/19] "AUGUST 2018 - AUGUST 2021" recap at top of: openvpn/tasks/main.yml --- roles/openvpn/tasks/main.yml | 20 +++++++++++++++++++- roles/openvpn/templates/announcer | 2 +- 2 files changed, 20 insertions(+), 2 deletions(-) 
diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml index 14378f59e..00640891e 100644 --- a/roles/openvpn/tasks/main.yml +++ b/roles/openvpn/tasks/main.yml @@ -2,6 +2,24 @@ # http://FAQ.IIAB.IO -> "How can I remotely manage my Internet-in-a-Box?" +# AUGUST 2018 - AUGUST 2021 + +# (1) openvpn_handle could no longer be left undefined OR null +# (two different concepts in Ansible, see /opt/iiab/iiab/test.yml) + +# 2021-08-19 UPDATE: the /usr/bin/iiab-support command can now handle almost +# any /etc/iiab/local_vars.yml (PR #2957) making it all much more resilient! + +# (2) openvpn_handle: "" (EMPTY STRING) IS HOWEVER TOLERATED -- in which case +# the OpenVPN server instead tries to use the 1st 6 chars of /etc/iiab/uuid + +# (3) Finally if there's no UUID, the OpenVPN server falls back to labelling +# that machine as generic: "client1's certificate" + +# SEE ALSO /etc/openvpn/scripts/announcer & /usr/bin/iiab-support from: +# https://github.com/iiab/iiab/tree/master/roles/openvpn/templates + + # "How do i fail a task in Ansible if the variable contains a boolean value? # I want to perform input validation for Ansible playbooks" # https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499 @@ -47,7 +65,7 @@ - option: openvpn_enabled value: "{{ openvpn_enabled }}" - option: openvpn_handle - value: "{{ openvpn_handle }}" # As of August 2018: (1) openvpn_handle could no longer be left undefined OR null (different concepts in Ansible, see /opt/iiab/iiab/tests.yml) -- (2) though an EMPTY STRING "" IS TOLERATED, in which case OpenVPN server instead tries to use 1st 6 chars of /etc/iiab/uuid -- (3) finally, if nec, OpenVPN server falls back to labelling the connection as generic: "client1's certificate" -- SEE ALSO: roles/openvpn/templates/announcer + value: "{{ openvpn_handle }}" - option: openvpn_cron_enabled value: "{{ openvpn_cron_enabled }}" - option: openvpn_server 
diff --git a/roles/openvpn/templates/announcer b/roles/openvpn/templates/announcer index a8e11d2b1..9c027cebe 100755 --- a/roles/openvpn/templates/announcer +++ b/roles/openvpn/templates/announcer @@ -13,7 +13,7 @@ HANDLE=${HANDLE// /_} # Likewise empty string is the worst case, e.g. if file doesn't exist. # If handle is "", OpenVPN server tries to use the 1st 6 chars of UUID # e.g. e1a3d4 from e1a3d4e2-2d1a-4f37-9ba0-e836d7c8e3ca -# SEE ALSO: roles/openvpn/tasks/main.yml Line 50 +# SEE "AUGUST 2018 - AUGUST 2021" RECAP ON TOP OF: roles/openvpn/tasks/main.yml UUID=$(cat /etc/iiab/uuid) /usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" & From 40379df4b81823afa007d34a9f50529bce6383f9 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 19 Aug 2021 19:42:15 -0400 Subject: [PATCH 12/19] "AUGUST 2018 - AUGUST 2021" recap touchup @ openvpn/tasks/main.yml --- roles/openvpn/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml index 00640891e..8c8577767 100644 --- a/roles/openvpn/tasks/main.yml +++ b/roles/openvpn/tasks/main.yml @@ -13,8 +13,8 @@ # (2) openvpn_handle: "" (EMPTY STRING) IS HOWEVER TOLERATED -- in which case # the OpenVPN server instead tries to use the 1st 6 chars of /etc/iiab/uuid -# (3) Finally if there's no UUID, the OpenVPN server falls back to labelling -# that machine as generic: "client1's certificate" +# (3) Finally if there's no client UUID (/etc/iiab/uuid) -- the OpenVPN server +# falls back to labelling that machine as generic: "client1's certificate" # SEE ALSO /etc/openvpn/scripts/announcer & /usr/bin/iiab-support from: # https://github.com/iiab/iiab/tree/master/roles/openvpn/templates From 5fcc91988ca2607db2b5dab22803febe1baae058 Mon Sep 17 00:00:00 2001 
From: A Holt Date: Thu, 19 Aug 2021 19:55:17 -0400 Subject: [PATCH 13/19] openvpn/templates/iiab-support: Explain code paths/mechanics --- roles/openvpn/templates/iiab-support | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support index 66f6eb1ad..0897f1031 100755 --- a/roles/openvpn/templates/iiab-support +++ b/roles/openvpn/templates/iiab-support @@ -46,6 +46,7 @@ if $($DEBUG); then echo "Your OpenVPN machine name -- source: $handle" fi +# Preview of steps (5) and (6) echo -ne "\e[1mYour OpenVPN machine name is set to: \e[100m" echo -n "$handle" | sed "s/^\(['\"]\)\(.*\)\1$/\2/; s/ /_/g" # Avoid '-e' interpreting backlash escapes, to show var accurately! Double quote var to prevent field splitting (eats spaces) echo -e "\e[0m\n" # Separate line also for trailing backslash in var @@ -81,7 +82,7 @@ else # (3) sed: Strip '# comment' on right. ans=$(echo "$ans" | sed "s/#.*//") # Double quote var to prevent field splitting (eats spaces) # (4) sed: Strip any outer spacing, as Ansible would do. - ans=$(echo "$ans" | sed "s/^\s*//; s/\s*$//") + ans=$(echo "$ans" | sed "s/^\s*//; s/\s*$//") # Code Safety: lstrip not nec, given "read" command above, but one day $ans might arise from elsewhere handle=$ans; # For display at bottom fi From 5de9073d48ac7373a9f94b7f350a4a05678a7f33 Mon Sep 17 00:00:00 2001 From: A Holt Date: Fri, 20 Aug 2021 05:58:24 -0400 Subject: [PATCH 14/19] iiab-support: Emulate Ansible & /etc/openvpn/scripts/announcer --- roles/openvpn/templates/iiab-support | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support index 0897f1031..5dbc309e6 100755 --- a/roles/openvpn/templates/iiab-support +++ b/roles/openvpn/templates/iiab-support 
@@ -13,11 +13,16 @@ DEBUG=false # Using /usr/bin/true or /usr/bin/false # PARSE local_vars.yml JUST AS Ansible & /etc/openvpn/scripts/announcer DO: # (1) In case var's defined multiple times, 'tail 1' takes the last assignment. -# (2) sed: Strip 'varname:\s' on left. -# (3) sed: Strip '# comment' on right. Optional on live/keyboard input. -# (4) sed: Strip any outer spacing, as Ansible would do. Optional on live input. -# (5) sed: Strip up-to-1 pair of matching outer quotes, as Ansible would do. -# (6) Convert remaining spaces to underscores, just as 'announcer' does. +# (2) sed: Strip 'varname:\s' on left. Not applicable for live/keyboard input. +# (3) sed: Strip '#comment' on right. +# (4) sed: Strip any outer spacing. +# (5) sed: Strip up-to-1 pair of matching outer quotes. + +[*] Steps (1) and (2) are not applicable for live/keyboard input. +[*] Steps (3), (4) and (5) are optional for live/keyboard input (we do it!) + +# /etc/openvpn/scripts/announcer ALSO GOES ONE STEP FURTHER THAN ANSIBLE: +# (6) Convert remaining spaces to underscores. # NOTE Ansible vars can have non-string value null. This is different from # undefined -- from Ansible's perspective -- SEE /opt/iiab/iiab/test.yml @@ -79,7 +84,7 @@ else # NEXT 4 LINES AREN'T ESSENTIAL: but they allow user to type in a '# comment' for the right side of /etc/iiab/local_vars.yml - # (3) sed: Strip '# comment' on right. + # (3) sed: Strip '# comment' on right, as Ansible would do. ans=$(echo "$ans" | sed "s/#.*//") # Double quote var to prevent field splitting (eats spaces) # (4) sed: Strip any outer spacing, as Ansible would do. ans=$(echo "$ans" | sed "s/^\s*//; s/\s*$//") # Code Safety: lstrip not nec, given "read" command above, but one day $ans might arise from elsewhere From 03a4e217e49710b9f3f907fbcda60ca9feccf901 Mon Sep 17 00:00:00 2001 
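Review bot: The two added lines `[*] Steps (1) and (2) are not applicable for live/keyboard input.` and `[*] Steps (3), (4) and (5) are optional for live/keyboard input (we do it!)` have no leading `#`, so bash parses them as commands: `[*]` is expanded as a glob and then looked up as a command name, which yields a "command not found" error on every iiab-support run (no `set -e` is visible, so the script carries on past it). Prefix both lines with `# `; PATCH 15 in this series does exactly that, so this only matters if the commits are cherry-picked individually.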
From: A Holt Date: Fri, 20 Aug 2021 05:59:59 -0400 Subject: [PATCH 15/19] Update iiab-support --- roles/openvpn/templates/iiab-support | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support index 5dbc309e6..527bbe70e 100755 --- a/roles/openvpn/templates/iiab-support +++ b/roles/openvpn/templates/iiab-support @@ -18,8 +18,8 @@ DEBUG=false # Using /usr/bin/true or /usr/bin/false # (4) sed: Strip any outer spacing. # (5) sed: Strip up-to-1 pair of matching outer quotes. -[*] Steps (1) and (2) are not applicable for live/keyboard input. -[*] Steps (3), (4) and (5) are optional for live/keyboard input (we do it!) +# Steps (1) and (2) are not applicable with live/keyboard input. +# Steps (3), (4) and (5) are optional with live/keyboard input (we do it!) # /etc/openvpn/scripts/announcer ALSO GOES ONE STEP FURTHER THAN ANSIBLE: # (6) Convert remaining spaces to underscores. From 244c67243fad778a7fe5db65a539045c7bca809d Mon Sep 17 00:00:00 2001 From: A Holt Date: Fri, 20 Aug 2021 06:07:49 -0400 Subject: [PATCH 16/19] iiab-support: Summarize mechanics --- roles/openvpn/templates/iiab-support | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support index 527bbe70e..fd887fff3 100755 --- a/roles/openvpn/templates/iiab-support +++ b/roles/openvpn/templates/iiab-support 
@@ -13,17 +13,18 @@ DEBUG=false # Using /usr/bin/true or /usr/bin/false # PARSE local_vars.yml JUST AS Ansible & /etc/openvpn/scripts/announcer DO: # (1) In case var's defined multiple times, 'tail 1' takes the last assignment. -# (2) sed: Strip 'varname:\s' on left. Not applicable for live/keyboard input. +# (2) sed: Strip 'varname:\s' on left. # (3) sed: Strip '#comment' on right. # (4) sed: Strip any outer spacing. # (5) sed: Strip up-to-1 pair of matching outer quotes. -# Steps (1) and (2) are not applicable with live/keyboard input. -# Steps (3), (4) and (5) are optional with live/keyboard input (we do it!) - # /etc/openvpn/scripts/announcer ALSO GOES ONE STEP FURTHER THAN ANSIBLE: # (6) Convert remaining spaces to underscores. +# Steps (1) and (2) are not applicable with live/keyboard input. +# Steps (3), (4) and (5) are optional with live/keyboard input (we do it!) +# Step (6) is always required for OpenVPN here (file or live/keyboard input!) + # NOTE Ansible vars can have non-string value null. This is different from # undefined -- from Ansible's perspective -- SEE /opt/iiab/iiab/test.yml # BUT HERE IN BASH, we focus only on string values e.g. "" empty string if nec: From 0e5325ad8b7d9da0c1c2341fcc58b1db6b25a832 Mon Sep 17 00:00:00 2001 From: A Holt Date: Fri, 20 Aug 2021 06:33:57 -0400 Subject: [PATCH 17/19] Explain openvpn/templates/announcer --- roles/openvpn/templates/announcer | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/roles/openvpn/templates/announcer b/roles/openvpn/templates/announcer index 9c027cebe..824a43ba4 100755 --- a/roles/openvpn/templates/announcer +++ b/roles/openvpn/templates/announcer 
@@ -1,17 +1,18 @@
 #!/bin/bash -x
 # Small daemon to identify this machine to the OpenVPN server
-# local_vars.yml code from /usr/bin/iiab-support and /usr/bin/iiab-gen-iptables
+# SEE /usr/bin/iiab-support for local_vars.yml var extraction explanation
-# Empty string, worst case, e.g. whether var is set to "" (or not set at all!)
+# EMULATE ANSIBLE: but additionally Force Empty String Where Nec, e.g. whether
+# local_vars.yml sets openvpn_handle to "" (or worst case null, or not at all!)
 HANDLE=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
-# Change all spaces to underscores -- same as "s/ /_/g"
-# /usr/bin/iiab-support emulates this, to help folks understand
-HANDLE=${HANDLE// /_}
+# ALSO GO 1 STEP FURTHER THAN ANSIBLE: convert remaining spaces to underscores,
+# for OpenVPN server. iiab-support emulates this, to help folks understand.
+HANDLE=${HANDLE// /_} # Same as "s/ /_/g"
 # Likewise empty string is the worst case, e.g. if file doesn't exist.
-# If handle is "", OpenVPN server tries to use the 1st 6 chars of UUID
+# If $HANDLE is "", OpenVPN server tries to use the 1st 6 chars of UUID,
 # e.g. e1a3d4 from e1a3d4e2-2d1a-4f37-9ba0-e836d7c8e3ca
 # SEE "AUGUST 2018 - AUGUST 2021" RECAP ON TOP OF: roles/openvpn/tasks/main.yml
 UUID=$(cat /etc/iiab/uuid)
From 9a47f504238016f861477318b72b556bb9ace95e Mon Sep 17 00:00:00 2001
From: A Holt
Date: Fri, 20 Aug 2021 06:44:19 -0400
Subject: [PATCH 18/19] /usr/bin/iiab-support: Link to higher-level explanations
---
 roles/openvpn/templates/iiab-support | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support
index fd887fff3..7a7d70063 100755
--- a/roles/openvpn/templates/iiab-support
+++ b/roles/openvpn/templates/iiab-support
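Review bot: The shebang `#!/bin/bash -x` on the first context line keeps xtrace on for the whole daemon, so every expanded command — including the `HANDLE` value pulled from /etc/iiab/local_vars.yml and the contents of /etc/iiab/uuid — is echoed to stderr and lands wherever the service's output is collected; it is also silently lost if the script is ever started as `bash announcer`. If the trace is meant to stay, gate it in the body the way iiab-support already does with its flag, e.g. `DEBUG=false` followed by `$DEBUG && set -x`. Note also that step (6) only rewrites spaces; nothing in this hunk constrains other characters in `$HANDLE`, so the code that consumes it (outside the hunk) should not treat it as a pre-validated identifier. The script continues past the end of this hunk.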
@@ -1,5 +1,11 @@
 #!/bin/bash
+# Run 'sudo iiab-support' to turn on OpenVPN without hassle. GENERAL TIPS:
+# http://FAQ.IIAB.IO -> "How can I remotely manage my Internet-in-a-Box?"
+
+# "AUGUST 2018 - AUGUST 2021" Technical Recap at the top of:
+# https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/main.yml
+
 PLAYBOOK="install-support.yml"
 INVENTORY="ansible_hosts"
 DEBUG=false # Using /usr/bin/true or /usr/bin/false
From 176e4efc5a8e1e8c27baa50d5c518337f32a5079 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 20 Aug 2021 10:05:41 -0400
Subject: [PATCH 19/19] Polish OpenVPN /usr/bin/iiab-support explanation
---
 roles/openvpn/templates/iiab-support | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support
index 7a7d70063..784327d31 100755
--- a/roles/openvpn/templates/iiab-support
+++ b/roles/openvpn/templates/iiab-support
@@ -6,9 +6,9 @@
 # "AUGUST 2018 - AUGUST 2021" Technical Recap at the top of:
 # https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/main.yml
+DEBUG=false # Using /usr/bin/true or /usr/bin/false
 PLAYBOOK="install-support.yml"
 INVENTORY="ansible_hosts"
-DEBUG=false # Using /usr/bin/true or /usr/bin/false
 # 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml
 # https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97
@@ -24,20 +24,20 @@ DEBUG=false # Using /usr/bin/true or /usr/bin/false
 # (4) sed: Strip any outer spacing.
 # (5) sed: Strip up-to-1 pair of matching outer quotes.
-# /etc/openvpn/scripts/announcer ALSO GOES ONE STEP FURTHER THAN ANSIBLE:
+# 'announcer' (from openvpn/templates) ALSO GOES ONE STEP FURTHER THAN ANSIBLE:
 # (6) Convert remaining spaces to underscores.
-# Steps (1) and (2) are not applicable with live/keyboard input.
-# Steps (3), (4) and (5) are optional with live/keyboard input (we do it!)
-# Step (6) is always required for OpenVPN here (file or live/keyboard input!)
+# Steps (1) and (2) are Not Applicable with live/keyboard input.
+# Steps (3), (4) and (5) are Optional with live/keyboard input (here we do it!)
+# Step (6) is always required for OpenVPN here (file input or live/keyboard!)
 # NOTE Ansible vars can have non-string value null. This is different from
 # undefined -- from Ansible's perspective -- SEE /opt/iiab/iiab/test.yml
 # BUT HERE IN BASH, we focus only on string values e.g. "" empty string if nec:
 # (a) WITH INPUT, we choose to ignore lines like "^var:$" that lack whitespace.
-# Ansible would have assigned the null value. We do not.
+# Ansible would have assigned the null value. We do not. We force ""
 # (b) INPUT LINES "^var:\s\+$" (trailing whitespace) we force to empty string.
-# Ansible would have assigned the null value. We do not.
+# Ansible would have assigned the null value. We do not. We force ""
 # (c) WITH *OUTPUT* we aggressively overwrite null var lines, including both
 # "^var:$" (no trailing whitespace) and "^var:\s\+$" (trailing whitespace).