diff --git a/install-support b/install-support
index 2df198cb1..aad78fe93 100755
--- a/install-support
+++ b/install-support
@@ -1,6 +1,14 @@
 #!/bin/bash
-PLAYBOOK="iiab-support.yml"
+echo -e "\n\n\e[41m DEPRECATED PLEASE RUN 'iiab-support' INSTEAD \e[0m\n\n"
+
+read -p "Continue? [y/N] " ans
+if [ "$ans" != "y" ]; then
+ echo
+ exit
+fi
+
+PLAYBOOK="install-support.yml"
 INVENTORY="ansible_hosts"
 CWD=`pwd`
@@ -12,22 +20,7 @@ if [ ! -f $PLAYBOOK ]; then
 exit 1
 fi
-echo -en "\n\nWhat OpenVPN machine name (openvpn_handle) do you want? "
-read ans < /dev/tty
-if [ "$ans" != "" ]; then
- sed -i -e "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml
- echo -e "\nYour machine's openvpn_handle is now set, in /etc/iiab/local_vars.yml\n"
-else
- echo -e "\nWARNING: openvpn_handle remains unchanged in /etc/iiab/local_vars.yml\n"
-fi
-
 sed -i -e "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml
 sed -i -e "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml
-echo -e "Now let's (re)install and (re)start OpenVPN...\n"
-
 ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local
-
-echo -en "\nYour OpenVPN handle is....... "
-cat /etc/iiab/openvpn_handle
-echo -e "\nYour OpenVPN IP address is... $(ip a | grep tun0$ | awk '{print $2}')\n\n"
diff --git a/iiab-support.yml b/install-support.yml
similarity index 50%
rename from iiab-support.yml
rename to install-support.yml
index 15f2500bb..b7a9faf75 100644
--- a/iiab-support.yml
+++ b/install-support.yml
@@ -9,5 +9,6 @@ roles:
 - { role: 0-init, tags: ['0-init'] }
 #- { role: 1-prep, tags: ['1-prep', 'platform', 'base'] }
- #- { role: 1-prep, tags: ['1-prep'] }
- - { role: openvpn, tags: ['openvpn'] }
+ - { role: 1-prep, tags: ['1-prep'] }
+ #- { role: openvpn, tags: ['openvpn'] } # FASTER ALTERNATIVE THAN 1-prep (if 1-prep was already run!)
+ # BETTER YET, SEE: /usr/bin/iiab-support for a much friendlier UX, that only runs 1-prep when necessary.
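Review bot: The abort branch of the new confirmation prompt (`read -p "Continue? [y/N] " ans` / `if [ "$ans" != "y" ]`) exits with status 0 and accepts only a lower-case `y`, so a wrapper or `&&` chain cannot tell a declined run from a completed one, and `read` without `-r` mangles backslashes in the answer. Suggest `read -rp "Continue? [y/N] " ans` followed by `case "$ans" in [yY]) ;; *) echo; exit 1 ;; esac`. The prompt this file used to have read from `/dev/tty`, while the new one reads stdin, so a piped or non-interactive invocation now silently declines; that may be intended for a deprecated script, but a one-line comment saying so would help.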
diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml
index e518689c4..635112ac0 100644
--- a/roles/1-prep/tasks/main.yml
+++ b/roles/1-prep/tasks/main.yml
@@ -100,7 +100,7 @@
 # https://wiki.debian.org/AppArmor/HowToUse
 # https://packages.debian.org/buster/apparmor
 # Curiously this has NOT stopped IIAB 7.0/master from working on Debian 10
-# pre-releases, during @floydianslips' March 2019 testing anyway!
+# pre-releases, during @floydianslips' March 2019 testing anyway! SEE #1387
 - name: Disable AppArmor -- override OS default (ubuntu)
 service:
 name: apparmor
diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml
index c3b2ed683..d2ff224ec 100644
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@@ -11,7 +11,7 @@ nextcloud_url: /nextcloud
 nextcloud_prefix: /opt
 nextcloud_data_dir: "{{ content_base }}/nextcloud/data"
 nextcloud_dl_url: https://download.nextcloud.com/server/releases
-nextcloud_orig_src_file: latest-15.tar.bz2 # 2019-04-25: nextcloud-16.0.0.tar.bz2 requires PHP 7.1+ and so fails on current Raspbian and Debian 9 "Stretch". 2019-09-27 aside: latest-16.tar.bz2 oddly still not yet published at https://download.nextcloud.com/server/releases/
+nextcloud_orig_src_file: latest-15.tar.bz2 # 2019-04-24: nextcloud-16.0.0.tar.bz2 requires PHP 7.1+ and so fails on current Raspbian 9 and Debian 9 "Stretch". 2019-05-11: latest-16.tar.bz2 finally published to https://download.nextcloud.com/server/releases/ (nextcloud/server#15502) e.g. for Ubuntu 18.04+
 nextcloud_src_file: nextcloud_{{ nextcloud_orig_src_file }}
 # we install on mysql with these setting or those from default_vars, etc.
diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml
index 6d6b51e6e..70e943bbe 100644
--- a/roles/openvpn/tasks/main.yml
+++ b/roles/openvpn/tasks/main.yml
@@ -72,9 +72,10 @@
 - { src: 'announcer.j2', dest: '/etc/openvpn/scripts/announcer', mode: '0755' }
 - { src: 'silence', dest: '/etc/openvpn/scripts/silence', mode: '0755' }
 - { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' }
+ - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }
+ - { src: 'iiab-support', dest: '/usr/bin/iiab-support', mode: '0755' }
 - { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' }
 - { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' }
- - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }
 # Comment out in future? Not recommended as of August 2018:
 - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
 # Obsolete & unused for ~2 years as of August 2018:
@@ -86,6 +87,18 @@
 # Obsolete & unused for ~2 years as of August 2018:
 #- { src: 'iiab-vpn.j2', dest: '/usr/bin/iiab-vpn', mode: '0755' }
+- name: Create iiab-support-on (symlink to iiab-support for now)
+ file:
+ src: /usr/bin/iiab-support
+ path: /usr/bin/iiab-support-on
+ state: link
+
+- name: Create iiab-support-off (symlink to iiab-remote-off for now)
+ file:
+ src: /usr/bin/iiab-remote-off
+ path: /usr/bin/iiab-support-off
+ state: link
+
 - name: Create iiab-vpn-on (symlink to iiab-remote-on for now)
 file:
 src: /usr/bin/iiab-remote-on
@@ -106,15 +119,14 @@
 # dest: /usr/lib/iiab/up_wan
 # when: is_debuntu
-# Comment out in future? Contained serious bug (15-openvpn called
-# up-wan instead of up_wan in /usr/lib/iiab/ as of August 2018) so
-# evidently unused for ~2 years:
-- name: Install NM dispatcher.d (for older OS's only, where OpenVPN doesn't auto-start openvpn@xscenet)
- template:
- src: 15-openvpn
- dest: /etc/NetworkManager/dispatcher.d/
- #when: not is_debuntu # CONDITION APPEARS TOO BROAD
- when: False # ADD/ITEMIZE ANY OS'S HERE, WHERE TRULY NEC (e.g. older CentOS, if running older OpenVPN?)
+# Contained serious bug (15-openvpn called up-wan instead of up_wan in
+# /usr/lib/iiab/ as of August 2018) so evidently unused for ~2 years:
+#- name: Install NM dispatcher.d (for older OS's only, where OpenVPN doesn't auto-start openvpn@xscenet)
+# template:
+# src: 15-openvpn
+# dest: /etc/NetworkManager/dispatcher.d/
+# #when: not is_debuntu # CONDITION APPEARS TOO BROAD
+# when: False # ADD/ITEMIZE ANY OS'S HERE, WHERE TRULY NEC (e.g. older CentOS, if running older OpenVPN?)
 # Was obsolete/unused for ~2 years as of August 2018: (replaced by /etc/openvpn/xscenet.conf)
 #- name: Check for manually configured OpenVPN tunnel
diff --git a/roles/openvpn/templates/iiab-handle.j2 b/roles/openvpn/templates/iiab-handle.j2
index d3a29e91b..157d653e5 100755
--- a/roles/openvpn/templates/iiab-handle.j2
+++ b/roles/openvpn/templates/iiab-handle.j2
@@ -1,17 +1,9 @@
 #!/bin/bash
+echo -e "\n\n\e[41m DEPRECATED PLEASE RUN 'iiab-support' INSTEAD \e[0m\n\n"
-echo -e '\n\nDEPRECATED:\n'
-
-echo -e 'This interactive script TEMPORARILY (over)writes /etc/iiab/openvpn_handle'
-echo -e 'to identify IIAB to the upstream OpenVPN server, until Ansible next runs.\n\n'
-
-
-echo -e 'PLEASE USE THIS NEW METHOD INSTEAD:\n'
-
-echo -e 'cd /opt/iiab/iiab'
-echo -e 'sudo ./install-support\n\n'
-
+echo -e 'This older script TEMPORARILY (over)writes /etc/iiab/openvpn_handle to'
+echo -e 'identify IIAB to the upstream OpenVPN server, until Ansible next runs.\n'
 #echo -e 'CORRECT METHOD: CHANGE VARIABLE openvpn_handle IN /etc/iiab/local_vars.yml'
 #echo -e 'THEN RUN "cd /opt/iiab/iiab" THEN "./runrole openvpn"\n'
@@ -20,7 +12,6 @@ echo -e 'PLEASE NOW TYPE CTRL-C TO QUIT. Or, if you really want it temporary un
 read -p 'next time Ansible is run, what OpenVPN handle do you want? ' ans
 echo
-
 if [ "$ans" != "" ]; then
 echo $ans > /etc/iiab/openvpn_handle
 echo -e "\nYour machine's openvpn_handle is TEMPORARILY now set... \n"
@@ -28,7 +19,7 @@ else
 echo -e "\nWARNING: your machine's openvpn_handle remains unchanged...\n"
 fi
-echo -e "Restarting OpenVPN daemon...\n\n"
+echo -e "Restarting OpenVPN daemon...\n"
 # 2019-05-09: removing /etc/iiab/openvpn_handle (or setting it to "") are both very bad practices
 #if [ "$ans" == "" ]; then
@@ -39,7 +30,6 @@ echo -e "Restarting OpenVPN daemon...\n\n"
 # echo $ans > /etc/iiab/openvpn_handle
 #fi
-
 {{ systemctl_program }} restart openvpn@xscenet
 # This would also work: (but would bounce all VPN connections, if others exist, causing unnec disruption if so)
 #{{ systemctl_program }} restart openvpn
diff --git a/roles/openvpn/templates/iiab-remote-on.j2 b/roles/openvpn/templates/iiab-remote-on.j2
index 8771cb94f..d9702ef8e 100644
--- a/roles/openvpn/templates/iiab-remote-on.j2
+++ b/roles/openvpn/templates/iiab-remote-on.j2
@@ -3,11 +3,14 @@
 # /usr/bin/iiab-remote-on should turn on multiple remote support services like
 # OpenVPN and others, for remote support, so they work even after reboot.
-echo -e '\nWARNING: To enable OpenVPN long-term, it'"'"'s recommended you:\n'
+echo -e "\n\n\e[44m CONSIDER RUNNING 'iiab-support' INSTEAD \e[0m\n\n"
+
+echo -e 'WARNING: To enable OpenVPN long-term, it'"'"'s recommended you:\n'
 echo -e '1) Set these variables in /etc/local/local_vars.yml'
 echo -e ' openvpn_install: True'
-echo -e ' openvpn_enabled: True\n'
+echo -e ' openvpn_enabled: True'
+echo -e ' openvpn_handle: \n'
 echo -e '2) Run:'
 echo -e ' cd /opt/iiab/iiab'
diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support
new file mode 100644
index 000000000..35a5ae4f9
--- /dev/null
+++ b/roles/openvpn/templates/iiab-support
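Review bot: The new `echo -e ' openvpn_handle: \n'` instruction is inserted beneath the existing context line that sends users to `/etc/local/local_vars.yml`, while every other file touched by this commit (install-support, iiab-support, iiab-handle.j2) edits `/etc/iiab/local_vars.yml`; if that path is a typo, this hunk is the natural place to correct it to `echo -e '1) Set these variables in /etc/iiab/local_vars.yml'`. The added line also shows `openvpn_handle:` with nothing after the colon, which in YAML reads as a null value rather than a name; a placeholder such as the example iiab-support prints would stop users copying an empty key. I am inferring the intended path from the other files in this diff, so confirm before changing the context line.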
@@ -0,0 +1,101 @@
+#!/bin/bash
+
+# openvpn_handle is stored in 2 files on disk, one slightly stripped down (from
+# the other) due to Ansible. So we emulate Ansible's behavior, when reading from
+# (and later writing to) disk, removing outer cruft as explained on Lines 27-29
+handle1=$(grep "^openvpn_handle:" /etc/iiab/local_vars.yml | sed -e "s/^openvpn_handle://; s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
+echo -e "\n/etc/iiab/local_vars.yml source/master copy: $handle1"
+if [ -f /etc/iiab/openvpn_handle ]; then
+ handle2=$(cat /etc/iiab/openvpn_handle)
+ echo -e "/etc/iiab/openvpn_handle for openvpn daemon: $handle2\n"
+else
+ echo -e "/etc/iiab/openvpn_handle for openvpn daemon: [FILE DOESN'T YET EXIST]\n"
+fi
+
+echo -en "\e[1mPlease type a descriptive OpenVPN machine name (openvpn_handle) such as:\n\n cape-town-school-36-rpi-2019-05-31\n\nOr hit [Enter] to keep the existing name:\e[0m "
+read ans < /dev/tty
+
+#if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -f /etc/iiab/openvpn_handle ] ); then
+# -v (below) checks if var's defined: equivalent to file existence test above
+if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -v handle2 ] ); then
+ if grep -q '^openvpn_handle:' /etc/iiab/local_vars.yml; then
+ sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml
+ else
+ echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml
+ fi
+
+ # BEHAVIOR JUST LIKE ANSIBLE'S: create /etc/iiab/openvpn_handle from the
+ # "^openvpn_handle:" line in /etc/iiab/local_vars.yml by (1) removing outer
+ # spacing IF NEC, then (2) removing 1 pair of matching outer quotes IF NEC.
+ ans=$(echo $ans | sed -e "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
+ echo $ans > /etc/iiab/openvpn_handle
+ echo -e "\n\e[1mSAVED: openvpn_handle recorded into both above files.\e[0m\n"
+elif [ "$handle1" != "$handle2" ]; then # Sloppily, but conveniently here,
+ # bash treats "$handle2" as "" when var undefined, catching all conflicts!
+ echo -e "\n\e[41mYou MUST specify an OpenVPN machine name (openvpn_handle) to resolve the above\e[0m"
+ echo -e "\e[41mnaming conflict. Please rerun to proceed.\e[0m\n"
+ exit 1
+else
+ echo -e "\n\e[1mWARNING: openvpn_handle remains unchanged in both above files.\e[0m\n"
+fi
+
+if grep -q '^openvpn_install: True' /etc/iiab/local_vars.yml; then
+ echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n"
+else
+ echo -e "Please wait a few minutes as IIAB Stage 1 (1-prep) & OpenVPN are installed...\n"
+ if grep -q '^openvpn_install:' /etc/iiab/local_vars.yml; then
+ sed -i "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml
+ else
+ echo "openvpn_install: True" >> /etc/iiab/local_vars.yml
+ fi
+ cd /opt/iiab/iiab
+ ./runrole 1-prep
+ echo
+fi
+
+echo -e "Now let's (re)enable OpenVPN...\n"
+if grep -q '^openvpn_enabled:' /etc/iiab/local_vars.yml; then
+ sed -i "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml
+else
+ echo "openvpn_enabled: True" >> /etc/iiab/local_vars.yml
+fi
+systemctl enable openvpn
+
+echo -e "\nNow let's restart OpenVPN..."
+#systemctl start openvpn
+systemctl restart openvpn
+
+echo -en "\n "
+for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+echo -en " OpenVPN TIPS "
+for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+
+echo -e "\n\n 1. Check your Internet connection: run 'ping 8.8.8.8' and 'ping mit.edu'"
+echo -e " 2. Check your OpenVPN connection: run 'ping 10.8.0.1'"
+echo -e " 3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x"
+echo -e " 4. If necessary, run 'systemctl restart openvpn' which will"
+echo -e " effectively run 'systemctl restart openvpn@xscenet' for you."
+echo -e " 5. Sometimes waiting a minute helps -- retry steps 2 and 3 to monitor."
+echo -e " 6. Read 'How can I remotely manage my Internet-in-a-Box?' at"
+echo -e " http://FAQ.IIAB.IO to learn about DIY remote support alternatives"
+echo -e " like ngrok, serveo, remot3.it and TeamViewer.\n"
+
+echo -en " "
+for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+echo -en " OpenVPN TIPS "
+for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+
+echo -e "\n\nNow let's wait 15 seconds, as OpenVPN handshake sometimes needs that (or more!)"
+
+sleep 15
+
+echo -en "\nYour OpenVPN machine name (openvpn_handle) is: \e[32m"
+cat /etc/iiab/openvpn_handle
+echo -en "\e[0m"
+
+vpnip=$(ip a | grep tun0$ | awk '{print $2}')
+if [ "$vpnip" != "" ]; then
+ echo -e "\nYour OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n"
+else
+ echo -e "\n \e[41m ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS \e[0m\n"
+fi
diff --git a/vars/default_vars.yml b/vars/default_vars.yml
index a9edac146..1a1d150ca 100644
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@@ -165,7 +165,7 @@ sshd_enabled: True
 openvpn_install: True
 openvpn_enabled: False
 # For /etc/iiab/openvpn_handle
-openvpn_handle: ""
+openvpn_handle:
 # cron seems necessary on CentOS:
 openvpn_cron_enabled: False
 # General OpenVPN settings
diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml
index 016feb675..844dfb909 100644
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@@ -88,7 +88,7 @@ js_menu_install: True
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: ""
+openvpn_handle:
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True
diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml
index 42ce9030d..ee49de897 100644
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@@ -88,7 +88,7 @@ js_menu_install: True
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: ""
+openvpn_handle:
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True
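Review bot: The name typed at `read ans < /dev/tty` goes unescaped into the sed replacement `s/^openvpn_handle:.*/openvpn_handle: $ans/` and unquoted into `echo $ans > /etc/iiab/openvpn_handle`, so a value containing `/`, `&`, `\` or glob characters either makes sed fail (leaving /etc/iiab/local_vars.yml and /etc/iiab/openvpn_handle out of step, which the `elif` conflict branch then refuses to resolve without a rerun) or records something other than what was typed. Since the handle is a hostname-like label (the prompt's own example is `cape-town-school-36-rpi-2019-05-31`), validate it right after the read, e.g. `[[ "$ans" =~ ^[A-Za-z0-9._-]*$ ]] || { echo "Use only letters, digits, '.', '_' and '-'"; exit 1; }`, and quote the later uses as `echo "$ans"`. `cd /opt/iiab/iiab` is not checked before `./runrole 1-prep`, so a failed cd runs runrole from whatever directory the user started in; `cd /opt/iiab/iiab || exit 1` closes that. When the user hits Enter with `handle1` empty and `handle2` unset, the first branch still writes `openvpn_handle: ` and an empty /etc/iiab/openvpn_handle, which the sibling iiab-handle.j2 comments call a bad practice, so that path presumably deserves an explicit message or refusal. The script also calls `systemctl` directly where iiab-handle.j2 uses `{{ systemctl_program }}`, although both are deployed from the same templates list; aligning them or commenting why this one is hard-coded would avoid the inconsistency.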
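Review bot: Replacing `openvpn_handle: ""` with a bare `openvpn_handle:` changes the default from an empty string to a YAML null, and the same edit is made in local_vars_big.yml, local_vars_medium.yml and local_vars_min.yml. Anything that templates `{{ openvpn_handle }}` or compares it with `""` may now see a null rather than an empty string; openvpn_handle.j2 is not in this diff, so confirm it still renders the same empty line as before. A one-line comment on the new line, such as `# left empty on purpose: /usr/bin/iiab-support prompts for and fills in the value`, would record the intent for the next reader.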
diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml
index 66384a974..05f0b0ce6 100644
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@@ -88,7 +88,7 @@ js_menu_install: True
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: ""
+openvpn_handle:
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True