Merge pull request #2957 from holta/openvpn-cleaner

Major cleanup of roles/openvpn, openvpn_handle SSOT

install-support.yml

@@ -9,5 +9,4 @@
   roles:
     - { role: 0-init }
     - { role: sshd }
-    - { role: iiab-admin }
     - { role: openvpn }

roles/firmware/templates/iiab-check-firmware

@@ -3,12 +3,13 @@
 WARN=0
 DATE=$(date +%F-%T)
 
-# 2021-08-17: bash scripts using default_vars.yml &/or local_vars.yml
+# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml
 # https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97
-# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L12
-# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L47-L51
+# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L13
+# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52
 # https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34
-# https://github.com/iiab/iiab/blob/master/iiab-support READS AND WRITES, INCL NON-BOOLEAN (openvpn_handle)
+# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN
+
 if grep -q '^wifi_hotspot_capacity_rpi_fix:\s\+[fF]alse\b' /etc/iiab/local_vars.yml ; then
     echo "'wifi_hotspot_capacity_rpi_fix: False' found in /etc/iiab/local_vars.yml"
     echo "...so WiFi firmware will NOT be checked or replaced."

roles/network/templates/gateway/iiab-gen-iptables

@@ -34,19 +34,20 @@ IPTABLES=/usr/sbin/iptables
 IPTABLES_DATA=/etc/sysconfig/iptables
 {% endif %}
 
-# 2021-08-17: bash scripts using default_vars.yml &/or local_vars.yml
+# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml
 # https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97
-# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L12
-# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L47-L51
+# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L13
+# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52
 # https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34
-# https://github.com/iiab/iiab/blob/master/iiab-support READS AND WRITES, INCL NON-BOOLEAN (openvpn_handle)
+# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN
 
 # "awk '{print $2}'" almost works, but: (1) Fails to remove outer quotes, and
 # (2) Chops up Ansible vars containing multiple words w/o surrounding quotes.
 # So: sed is used instead, to emulate Ansible's parsing of vars from .yml
+
 iiab_var_value() {
-    v1=$(grep "^$1:\s" /opt/iiab/iiab/vars/default_vars.yml | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
-    v2=$(grep "^$1:\s" /etc/iiab/local_vars.yml | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
+    v1=$(grep "^$1:\s" /opt/iiab/iiab/vars/default_vars.yml | tail -1 | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
+    v2=$(grep "^$1:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
     [ "$v2" != "" ] && echo $v2 || echo $v1    # [ "$v2" ] ALSO WORKS
 }
 

roles/openvpn/tasks/install.yml

@@ -1,7 +1,7 @@
 - name: "Install packages: ncat, nmap, openvpn, sudo"
   package:
     name:
-      - ncat    # Newer versions of NMap do not include NCat, needed to announce /etc/iiab/openvpn_handle (if Debian > 9 or Ubuntu > 18)
+      - ncat    # Newer versions of NMap do not include NCat, needed to announce openvpn_handle (if Debian > 9 or Ubuntu > 18)
       - nmap
       - openvpn
       - sudo    # (1) Should be installed prior to installing IIAB, (2) Can also be installed by 1-prep here, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)
@@ -55,22 +55,23 @@
     mode: "{{ item.mode }}"
     backup: yes
   with_items:
-    - { src: 'ca.crt', dest: '/etc/openvpn/keys/ca.crt', mode: '0644' }
-    - { src: 'client1.crt', dest: '/etc/openvpn/keys/client1.crt', mode: '0644' }
-    - { src: 'client1.key', dest: '/etc/openvpn/keys/client1.key', mode: '0600' }
-    - { src: 'announce', dest: '/etc/openvpn/scripts/announce', mode: '0755' }
-    - { src: 'announcer.j2', dest: '/etc/openvpn/scripts/announcer', mode: '0755' }
-    - { src: 'silence', dest: '/etc/openvpn/scripts/silence', mode: '0755' }
+    - { src: 'ca.crt', dest: '/etc/openvpn/keys/', mode: '0644' }
+    - { src: 'client1.crt', dest: '/etc/openvpn/keys/', mode: '0644' }
+    - { src: 'client1.key', dest: '/etc/openvpn/keys/', mode: '0600' }
+    - { src: 'announce', dest: '/etc/openvpn/scripts/', mode: '0755' }
+    - { src: 'announcer', dest: '/etc/openvpn/scripts/', mode: '0755' }
+    - { src: 'silence', dest: '/etc/openvpn/scripts/', mode: '0755' }
     - { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' }
-    - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }
+    # - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }    # 2021-08-18 SSOT: Please instead set it in /etc/iiab/local_vars.yml
+    - { src: 'iiab-support', dest: '/usr/bin/', mode: '0755' }
     - { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' }
-    - { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' }
+    - { src: 'iiab-remote-off', dest: '/usr/bin/', mode: '0755' }
 
-- name: Copy /opt/iiab/iiab/iiab-support to /usr/bin/iiab-support, in case git tree deleted e.g. on a smaller IIAB install
-  copy:
-    src: "{{ iiab_dir }}/iiab-support"
-    dest: /usr/bin/
-    mode: '0755'
+# - name: Copy /opt/iiab/iiab/iiab-support to /usr/bin/iiab-support, in case git tree deleted e.g. on a smaller IIAB install
+#   copy:
+#     src: "{{ iiab_dir }}/iiab-support"
+#     dest: /usr/bin/
+#     mode: '0755'
 
 - name: Symlink /usr/bin/iiab-support-on -> /usr/bin/iiab-support
   file:

roles/openvpn/tasks/main.yml

@@ -2,6 +2,24 @@
 # http://FAQ.IIAB.IO -> "How can I remotely manage my Internet-in-a-Box?"
 
 
+# AUGUST 2018 - AUGUST 2021
+
+# (1) openvpn_handle could no longer be left undefined OR null
+# (two different concepts in Ansible, see /opt/iiab/iiab/test.yml)
+
+# 2021-08-19 UPDATE: the /usr/bin/iiab-support command can now handle almost
+# any /etc/iiab/local_vars.yml (PR #2957) making it all much more resilient!
+
+# (2) openvpn_handle: "" (EMPTY STRING) IS HOWEVER TOLERATED -- in which case
+# the OpenVPN server instead tries to use the 1st 6 chars of /etc/iiab/uuid
+
+# (3) Finally if there's no client UUID (/etc/iiab/uuid) -- the OpenVPN server
+# falls back to labelling that machine as generic: "client1's certificate"
+
+# SEE ALSO /etc/openvpn/scripts/announcer & /usr/bin/iiab-support from:
+# https://github.com/iiab/iiab/tree/master/roles/openvpn/templates
+
+
 # "How do i fail a task in Ansible if the variable contains a boolean value?
 # I want to perform input validation for Ansible playbooks"
 # https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499
@@ -42,7 +60,6 @@
     value: OpenVPN
   - option: description
     value: '"OpenVPN enables live/remote support by connecting machines anywhere on the Internet, via a middleman server, using Virtual Private Network (VPN) techniques to create secure connections."'
-# openvpn_handle variable can no longer be left completely undefined of August 2018 (EMPTY STRING "" IS TOLERATED, in which case OpenVPN server should use /etc/iiab/uuid in lieu of the handle)
   - option: openvpn_install
     value: "{{ openvpn_install }}"
   - option: openvpn_enabled

roles/openvpn/templates/announcer

@@ -0,0 +1,74 @@
+#!/bin/bash -x
+# Small daemon to identify this machine to the OpenVPN server
+
+# SEE /usr/bin/iiab-support for local_vars.yml var extraction explanation
+
+# EMULATE ANSIBLE: but additionally Force Empty String Where Nec, e.g. whether
+# local_vars.yml sets openvpn_handle to "" (or worst case null, or not at all!)
+HANDLE=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
+
+# ALSO GO 1 STEP FURTHER THAN ANSIBLE: convert remaining spaces to underscores,
+# for OpenVPN server.  iiab-support emulates this, to help folks understand.
+HANDLE=${HANDLE// /_}    # Same as "s/ /_/g"
+
+# Likewise empty string is the worst case, e.g. if file doesn't exist.
+# If $HANDLE is "", OpenVPN server tries to use the 1st 6 chars of UUID,
+# e.g. e1a3d4 from e1a3d4e2-2d1a-4f37-9ba0-e836d7c8e3ca
+# SEE "AUGUST 2018 - AUGUST 2021" RECAP ON TOP OF: roles/openvpn/tasks/main.yml
+UUID=$(cat /etc/iiab/uuid)
+
+/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" &
+
+
+
+# 2021-08-18: Let's finally do it 3 years lster, simplifying from 4 places to 1
+# at long last.  Per SSOT (single source of truth).
+
+# #HANDLE=
+# #UUID=
+# #if [ -f /etc/iiab/openvpn_handle ]; then
+#     # Option #1: Source directly from /etc/iiab/local_vars.yml in future?
+#     # Option #2
+#     HANDLE=$(cat /etc/iiab/openvpn_handle)    # Sets to "" if file doesn't exist (error is ok!)
+
+# # Sourcing a variable from ~4 different places is a recipe for total confusion
+# # (or worse!)  Far better to make variable openvpn_handle and file
+# # /etc/iiab/openvpn_handle "obligatory" (EMPTY STRING "" IS TOLERATED, IN WHICH
+# # CASE OPENVPN SERVER TRIES TO USE /etc/iiab/uuid BELOW, IN LIEU OF HANDLE...)
+
+# # CLARIF: "systemctl restart openvpn" still works tolerably even if the above
+# # is defied, auto-starting child service openvpn@xscenet per usual
+# # (e.g. if /etc/iiab/openvpn_handle is deleted by accident!)
+
+# #else
+# #    # Option #3: Dangerous to invoke hypothetical variables :(
+# #    source {{ iiab_env_file }}
+# #    # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from {{ iiab_ini_file }}, but safer now that relegated to #4 ?
+# #    if [ -z "$HANDLE" ]; then
+# #        HANDLE=`cat {{ iiab_ini_file }} | gawk \
+# #        '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'`
+# #    fi
+# #fi
+# HANDLE=${HANDLE// /_}    # Change all spaces to underscores
+# #if [ -f /etc/iiab/uuid ]; then
+#     UUID=$(cat /etc/iiab/uuid)    # Sets to "" if file doesn't exist (error is ok!)
+# #fi
+
+# SERVER=/usr/bin/ncat
+# #ID=$(printf "HANDLE = %s|UUID = %s" $HANDLE $UUID)
+# #ID=$(echo "HANDLE = ${HANDLE}|UUID = ${UUID}")
+# ID=$(echo "HANDLE = $HANDLE|UUID = $UUID")
+# # August 2018: Removal of trailing '|' tested on Raspbian, Ubuntu 18.04 & Ubuntu 16.04
+# #ID=`printf "HANDLE = %s|UUID = %s|" $HANDLE $UUID`
+
+# # Start the daemon which will serve the handle on demand
+# {% if is_debuntu %}
+# $SERVER -l -k -p1705 --exec "/bin/echo $ID" &
+# # 2020-11-23: USE 1 LINE INSTEAD OF 9 LINES, IF WE MANDATE debuntu:
+# #/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" &
+# {% else %}
+# source /etc/init.d/functions
+# PID_FILE=/var/run/openvpn/announce.pid
+# daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $ID\"" &
+# #daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $(printf 'HANDLE = %s|UUID = %s' $HANDLE $UUID)\"" &
+# {% endif %}

roles/openvpn/templates/announcer.j2

@@ -1,51 +0,0 @@
-#!/bin/bash -x
-# Small daemon to identify this machine to the OpenVPN server
-
-#HANDLE=
-#UUID=
-#if [ -f /etc/iiab/openvpn_handle ]; then
-    # Option #1: Source directly from /etc/iiab/local_vars.yml in future?
-    # Option #2
-    HANDLE=$(cat /etc/iiab/openvpn_handle)    # Sets to "" if file doesn't exist (error is ok!)
-
-# Sourcing a variable from ~4 different places is a recipe for total confusion
-# (or worse!)  Far better to make variable openvpn_handle and file
-# /etc/iiab/openvpn_handle "obligatory" (EMPTY STRING "" IS TOLERATED, IN WHICH
-# CASE OPENVPN SERVER TRIES TO USE /etc/iiab/uuid BELOW, IN LIEU OF HANDLE...)
-
-# CLARIF: "systemctl restart openvpn" still works tolerably even if the above
-# is defied, auto-starting child service openvpn@xscenet per usual
-# (e.g. if /etc/iiab/openvpn_handle is deleted by accident!)
-
-#else
-#    # Option #3: Dangerous to invoke hypothetical variables :(
-#    source {{ iiab_env_file }}
-#    # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from {{ iiab_ini_file }}, but safer now that relegated to #4 ?
-#    if [ -z "$HANDLE" ]; then
-#        HANDLE=`cat {{ iiab_ini_file }} | gawk \
-#        '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'`
-#    fi
-#fi
-HANDLE=${HANDLE// /_}    # Change all spaces to underscores
-#if [ -f /etc/iiab/uuid ]; then
-    UUID=$(cat /etc/iiab/uuid)    # Sets to "" if file doesn't exist (error is ok!)
-#fi
-
-SERVER=/usr/bin/ncat
-#ID=$(printf "HANDLE = %s|UUID = %s" $HANDLE $UUID)
-#ID=$(echo "HANDLE = ${HANDLE}|UUID = ${UUID}")
-ID=$(echo "HANDLE = $HANDLE|UUID = $UUID")
-# August 2018: Removal of trailing '|' tested on Raspbian, Ubuntu 18.04 & Ubuntu 16.04
-#ID=`printf "HANDLE = %s|UUID = %s|" $HANDLE $UUID`
-
-# Start the daemon which will serve the handle on demand
-{% if is_debuntu %}
-$SERVER -l -k -p1705 --exec "/bin/echo $ID" &
-# 2020-11-23: USE 1 LINE INSTEAD OF 9 LINES, IF WE MANDATE debuntu:
-#/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" &
-{% else %}
-source /etc/init.d/functions
-PID_FILE=/var/run/openvpn/announce.pid
-daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $ID\"" &
-#daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $(printf 'HANDLE = %s|UUID = %s' $HANDLE $UUID)\"" &
-{% endif %}

roles/openvpn/templates/iiab-support

@@ -0,0 +1,184 @@
+#!/bin/bash
+
+# Run 'sudo iiab-support' to turn on OpenVPN without hassle.  GENERAL TIPS:
+# http://FAQ.IIAB.IO -> "How can I remotely manage my Internet-in-a-Box?"
+
+# "AUGUST 2018 - AUGUST 2021" Technical Recap at the top of:
+# https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/main.yml
+
+DEBUG=false    # Using /usr/bin/true or /usr/bin/false
+PLAYBOOK="install-support.yml"
+INVENTORY="ansible_hosts"
+
+# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml
+# https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97
+# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L13
+# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52
+# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34
+# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN
+
+# PARSE local_vars.yml JUST AS Ansible & /etc/openvpn/scripts/announcer DO:
+# (1) In case var's defined multiple times, 'tail 1' takes the last assignment.
+# (2) sed: Strip 'varname:\s' on left.
+# (3) sed: Strip '#comment' on right.
+# (4) sed: Strip any outer spacing.
+# (5) sed: Strip up-to-1 pair of matching outer quotes.
+
+# 'announcer' (from openvpn/templates) ALSO GOES ONE STEP FURTHER THAN ANSIBLE:
+# (6) Convert remaining spaces to underscores.
+
+# Steps (1) and (2) are Not Applicable with live/keyboard input.
+# Steps (3), (4) and (5) are Optional with live/keyboard input (here we do it!)
+# Step (6) is always required for OpenVPN here (file input or live/keyboard!)
+
+# NOTE Ansible vars can have non-string value null.  This is different from
+# undefined -- from Ansible's perspective -- SEE /opt/iiab/iiab/test.yml
+# BUT HERE IN BASH, we focus only on string values e.g. "" empty string if nec:
+# (a) WITH INPUT, we choose to ignore lines like "^var:$" that lack whitespace.
+#     Ansible would have assigned the null value.  We do not.  We force ""
+# (b) INPUT LINES "^var:\s\+$" (trailing whitespace) we force to empty string.
+#     Ansible would have assigned the null value.  We do not.  We force ""
+# (c) WITH *OUTPUT* we aggressively overwrite null var lines, including both
+#     "^var:$" (no trailing whitespace) and "^var:\s\+$" (trailing whitespace).
+
+echo -e "\e[0m"    # Turn off all ANSI/VT100 colors
+
+if [ -f /etc/iiab/openvpn_handle ]; then
+    echo -e "\n             \e[41mFYI /etc/iiab/openvpn_handle is no longer supported.\e[0m\n"
+    echo -e "             \e[41m/etc/iiab/local_vars.yml is now used instead (SSOT).\e[0m\n\n"
+fi
+
+# (1), (2), (3) and (4) for now -- then (5) and (6) further below
+handle=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//")
+
+if $($DEBUG); then
+    echo -e "/etc/iiab/local_vars.yml shows:\n"
+    grep "^openvpn_" /etc/iiab/local_vars.yml
+    echo
+    echo "Your OpenVPN machine name -- source: $handle"
+fi
+
+# Preview of steps (5) and (6)
+echo -ne "\e[1mYour OpenVPN machine name is set to: \e[100m"
+echo -n "$handle" | sed "s/^\(['\"]\)\(.*\)\1$/\2/; s/ /_/g"    # Avoid '-e' interpreting backlash escapes, to show var accurately!  Double quote var to prevent field splitting (eats spaces)
+echo -e "\e[0m\n"    # Separate line also for trailing backslash in var
+
+echo -e "\e[1mPlease type a descriptive OpenVPN machine name (openvpn_handle) such as:\n"
+
+echo -e "                     cape-town-school-36-rpi-2019-05-31\n"
+
+echo -en "Or hit [Enter] to keep the existing name:\e[0m "
+read ans < /dev/tty    # Strips outer whitespace, whether we like it or not!
+
+if [ "$ans" = "" ]; then    # (A) Simple!  Writes to local_vars.yml a bit more often than nec.
+# if [ "$ans" = "" ] || [ "$ans" = "$handle" ]; then    # (B) Only write when nec?  Also works.
+# if ( [ "$ans" = "" ] || [ "$ans" = "$handle" ] ) && [ "$handle" != "" ]; then    # (C) Overkill.
+    echo -e "\n        \e[100mopenvpn_handle REMAINS UNCHANGED IN /etc/iiab/local_vars.yml\e[0m\n"
+else
+    if grep -q '^openvpn_handle:' /etc/iiab/local_vars.yml; then
+        sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml
+    else
+        echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml
+    fi
+
+    echo -e "\n                     \e[7mSAVED TO: /etc/iiab/local_vars.yml\e[0m\n"
+
+    if $($DEBUG); then
+	echo -e "/etc/iiab/local_vars.yml shows:\n"
+	grep "^openvpn_" /etc/iiab/local_vars.yml
+	echo
+    fi
+
+    # NEXT 4 LINES AREN'T ESSENTIAL: but they allow user to type in a '# comment' for the right side of /etc/iiab/local_vars.yml
+
+    # (3) sed: Strip '# comment' on right, as Ansible would do.
+    ans=$(echo "$ans" | sed "s/#.*//")    # Double quote var to prevent field splitting (eats spaces)
+    # (4) sed: Strip any outer spacing, as Ansible would do.
+    ans=$(echo "$ans" | sed "s/^\s*//; s/\s*$//")    # Code Safety: lstrip not nec, given "read" command above, but one day $ans might arise from elsewhere
+
+    handle=$ans;    # For display at bottom
+fi
+
+if $($DEBUG); then
+    echo '$handle after (1)-(4), prior to (5)-(6):' "$handle"
+    echo
+fi
+
+# (5) sed: Strip up-to-1 pair of matching outer quotes, as Ansible would do.
+handle=$(echo "$handle" | sed "s/^\(['\"]\)\(.*\)\1$/\2/")
+# (6) Convert remaining spaces to underscores, just as /etc/openvpn/scripts/announcer does -- same as "s/ /_/g"
+handle=${handle// /_}
+
+if grep -q '^openvpn_installed:\s\+[tT]rue\b' /etc/iiab/iiab_state.yml; then
+    echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n"
+else
+    echo -e "Plz wait a few minutes as sshd & OpenVPN are confirmed/installed...\n"
+    if grep -q '^openvpn_install:' /etc/iiab/local_vars.yml; then
+        sed -i "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml
+    else
+        echo "openvpn_install: True" >> /etc/iiab/local_vars.yml
+    fi
+
+    if [ -d /opt/iiab/iiab ]; then
+        cd /opt/iiab/iiab
+        export ANSIBLE_LOG_PATH="/opt/iiab/iiab/iiab-install.log"
+        ansible -m setup -i $INVENTORY localhost --connection=local | grep python
+        ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local
+        # 2 roles (sshd & openvpn) faster than running all of "./runrole 1-prep"
+        echo
+    else
+        echo -e " \e[41m       Directory /opt/iiab/iiab does not exist: CANNOT INSTALL OPENVPN!       \e[0m\n"
+        exit 1
+    fi
+fi
+
+echo -e "Now let's (re)enable OpenVPN...\n"
+if grep -q '^openvpn_enabled:' /etc/iiab/local_vars.yml; then
+    sed -i "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml
+else
+    echo "openvpn_enabled: True" >> /etc/iiab/local_vars.yml
+fi
+systemctl enable openvpn
+
+echo -e "\nNow let's restart OpenVPN..."
+#systemctl start openvpn
+systemctl restart openvpn
+
+echo -en "\n      "
+for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+echo -en " OpenVPN TIPS "
+for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+
+echo -e "\n\n    1. Check your Internet connection: run 'ping 8.8.8.8' and 'ping mit.edu'"
+echo -e "    2. Check your OpenVPN connection: run 'ping 10.8.0.1'"
+echo -e "    3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x"
+echo -e "    4. If necessary, run 'systemctl restart openvpn' which should"
+echo -e "       run 'systemctl restart openvpn@xscenet' for you."
+echo -e "    5. SOMETIMES WAITING A MINUTE HELPS -- retry steps 2 and 3 to monitor."
+echo -e "    6. If in future you want to disable OpenVPN connections to-and-from your"
+echo -e "       Internet-in-a-Box (IIAB) please run 'iiab-support-off' at that time."
+echo -e "    7. Read 'How can I remotely manage my Internet-in-a-Box?' at"
+echo -e "       http://FAQ.IIAB.IO to learn about DIY remote support alternatives"
+echo -e "       like ngrok, serveo, remot3.it and TeamViewer.\n"
+
+echo -en "      "
+for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+echo -en " OpenVPN TIPS "
+for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+
+echo -e "\n\nNow let's wait 15 seconds, as OpenVPN handshake sometimes needs that (or more!)"
+sleep 15
+
+# echo -ne "\nYour OpenVPN machine name, per openpvn_handle: \e[32m"
+# echo -ne "\nYour OpenVPN machine name is set to..........: \e[32m"
+echo -ne "\nYour OpenVPN machine name (openvpn_handle) is: \e[32m"    # Actually step (6) above took it just beyond Ansible's (1)-(5) interpretation of openvpn_handle -- i.e. this line just provides a hint to users -- as to how /etc/openvpn/scripts/announcer converts their spaces to underscores when starting OpenVPN.
+echo -n "$handle"    # Avoid '-e' interpreting backlash escapes, to show var accurately!  Double quote var to prevent field splitting (eats spaces)
+echo -e "\e[0m"
+
+vpnip=$(ip a | grep tun0$ | awk '{print $2}')
+if [ "$vpnip" != "" ]; then
+    echo -e "Your OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n"
+else
+    echo -e "\n \e[41m       ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS        \e[0m\n"
+    exit 1
+fi

scripts/iiab-diagnostics

@@ -19,7 +19,7 @@ echo -e "   sudo iiab-diagnostics PATH/FILE1 PATH/FILE2 ...      # COMPLETE RESU
 echo
 echo -ne "Can you provide a \e[1mshort public nickname:\e[0m (no spaces!) "
 read nickname < /dev/tty
-if [ -z "$nickname" ]; then
+if [ "$nickname" = "" ]; then
     nickname="NONAME"
 fi
 
@@ -87,9 +87,13 @@ function cat_cmd() {                        # $1 = command + params, $2 = explan
     echo "=IIAB==========================================================================" >> $outfile
     cmd=$(echo "$1" | sed 's/\s.*$//')        # Keep command on left; Drop params on right
     pth=$(which $cmd | sed 's/[^/]*$//')    # Keep only path on left; Drop command on right
-    echo "COMMAND: $pth$1    # $2" >> $outfile
+    if [ "$2" = "" ]; then
+	echo "COMMAND: $pth$1" >> $outfile
+    else
+	echo "COMMAND: $pth$1    # $2" >> $outfile
+    fi
     echo >> $outfile
-    if [ -z "$pth" ]; then
+    if [ "$pth" = "" ]; then
         echo "COMMAND NOT FOUND: $1" >> $outfile
     else
         $(echo "eval $1") >> $outfile    # eval is nec within backticks, so | (pipes) work: https://stackoverflow.com/a/7184782
@@ -133,6 +137,7 @@ cat_file /etc/issue.net
 cat_file /etc/debian_version
 cat_cmd 'dpkg --print-architecture' 'RaspiOS-on-PC shows: i386'
 cat_cmd 'dpkg --print-foreign-architectures' 'RaspiOS-on-PC shows: amd64'
+cat_cmd 'grep "^openvpn_" /etc/iiab/local_vars.yml'
 
 echo -e '\n\n  1. Files Specially Requested: (from "iiab-diagnostics PATH/FILE1 PATH/FILE2")\n'
 echo -e '\n\n\n\n1. FILES SPECIALLY REQUESTED (FROM "iiab-diagnostics PATH/FILE1 PATH/FILE2")\n' >> $outfile
@@ -151,7 +156,6 @@ echo -e "\n\n\n\n2. REGULAR FILES\n" >> $outfile
 #cat_file /opt/iiab/iiab              # Directory test
 #cat_file /tmp/empty-file             # Empty file test
 #cat_file /usr/bin/iiab-support-on    # Symlink test
-cat_file /etc/iiab/openvpn_handle
 cat_file /.iiab-image
 cat_file /etc/iiab/iiab.env
 cat_file /etc/iiab/iiab.ini

scripts/iiab-diagnostics.README.md

@@ -62,4 +62,4 @@ But first off, the file is compiled by harvesting 1 + 6 kinds of things:
 
 ## Source Code
 
-Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 106-224 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible.
+Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 110-228 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible.

test.yml

@@ -21,6 +21,7 @@
 
   - debug:
       msg: "{{ 'changeme' | password_hash('sha512') }}"
+      # msg: "{{ 'changeme' | password_hash('yescrypt') }}"    # crypt.crypt STILL doesn't support 'yescrypt' algorithm ?
 
   #- pause:
 
@@ -32,4 +33,26 @@
     debug:
       msg: "'\"'"    # FAILS: "'""'"
 
+  - name: a shows "VARIABLE IS NOT DEFINED!" -- whereas b (w/o whitespace) AND c (with space) AND d (with tab) show null (without quotes!) -- whereas d (singlequotes) and e (doublequotes) show "" empty string
+    set_fact:
+      #a:
+      b:
+      c: # Space
+      d:	# Tab
+      e: ''
+      f: ""
+
+  - debug:
+      var: a
+  - debug:
+      var: b
+  - debug:
+      var: c
+  - debug:
+      var: d
+  - debug:
+      var: e
+  - debug:
+      var: f
+
   # TEST ANSIBLE COMMANDS/MODULES HERE!

vars/local_vars_big.yml

@@ -111,7 +111,7 @@ sshd_enabled: True
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: False
-# Set /etc/iiab/openvpn_handle in advance here:
+# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle
 openvpn_handle: BIG-sized - Put Your Name Here
 
 # IIAB-ADMIN runs here - see its vars near top of this file:

vars/local_vars_medium.yml

@@ -111,7 +111,7 @@ sshd_enabled: True
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: False
-# Set /etc/iiab/openvpn_handle in advance here:
+# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle
 openvpn_handle: MEDIUM-sized - Put Your Name Here
 
 # IIAB-ADMIN runs here - see its vars near top of this file:

vars/local_vars_min.yml

@@ -111,7 +111,7 @@ sshd_enabled: True
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: False
-# Set /etc/iiab/openvpn_handle in advance here:
+# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle
 openvpn_handle: MIN-sized - Put Your Name Here
 
 # IIAB-ADMIN runs here - see its vars near top of this file:

vars/local_vars_unittest.yml

@@ -111,7 +111,7 @@ sshd_enabled: True
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: True
-# Set /etc/iiab/openvpn_handle in advance here:
+# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle
 openvpn_handle: unittest - Put Your Name Here
 
 # IIAB-ADMIN runs here - see its vars near top of this file: