
Merge pull request #300 from iiab/master

sync from iiab/iiab
This commit is contained in:
A Holt 2019-10-12 14:53:33 -04:00 committed by GitHub
commit bc57581a22
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 40 additions and 231 deletions

roles/openvpn/templates/iiab-support → iiab-support Normal file → Executable file

@ -1,5 +1,8 @@
#!/bin/bash #!/bin/bash
PLAYBOOK="install-support.yml"
INVENTORY="ansible_hosts"
# openvpn_handle is stored in 2 files on disk, one slightly stripped down (from # openvpn_handle is stored in 2 files on disk, one slightly stripped down (from
# the other) due to Ansible. So we emulate Ansible's behavior, when reading from # the other) due to Ansible. So we emulate Ansible's behavior, when reading from
# (and later writing to) disk, removing outer cruft as explained on Lines 31-33: # (and later writing to) disk, removing outer cruft as explained on Lines 31-33:
@ -46,15 +49,25 @@ fi
if grep -q '^openvpn_install: True' /etc/iiab/local_vars.yml; then if grep -q '^openvpn_install: True' /etc/iiab/local_vars.yml; then
echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n" echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n"
else else
echo -e "Please wait a few minutes as IIAB Stage 1 (1-prep) & OpenVPN are installed...\n" echo -e "Plz wait a few minutes as sshd, iiab-admin & OpenVPN are confirmed/installed...\n"
if grep -q '^openvpn_install:' /etc/iiab/local_vars.yml; then if grep -q '^openvpn_install:' /etc/iiab/local_vars.yml; then
sed -i "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml sed -i "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml
else else
echo "openvpn_install: True" >> /etc/iiab/local_vars.yml echo "openvpn_install: True" >> /etc/iiab/local_vars.yml
fi fi
cd /opt/iiab/iiab
./runrole 1-prep if [ -d /opt/iiab/iiab ]; then
echo cd /opt/iiab/iiab
#CWD=`pwd`
#export ANSIBLE_LOG_PATH="$CWD/iiab-install.log"
export ANSIBLE_LOG_PATH="/opt/iiab/iiab/iiab-install.log"
ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local
# Above is tighter/better than running all of "./runrole 1-prep"
echo
else
echo -e " \e[41m Directory /opt/iiab/iiab does not exist: CANNOT INSTALL OPENVPN! \e[0m\n"
exit 1
fi
fi fi
echo -e "Now let's (re)enable OpenVPN...\n" echo -e "Now let's (re)enable OpenVPN...\n"
@ -79,7 +92,7 @@ echo -e " 2. Check your OpenVPN connection: run 'ping 10.8.0.1'"
echo -e " 3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x" echo -e " 3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x"
echo -e " 4. If necessary, run 'systemctl restart openvpn' which should" echo -e " 4. If necessary, run 'systemctl restart openvpn' which should"
echo -e " run 'systemctl restart openvpn@xscenet' for you." echo -e " run 'systemctl restart openvpn@xscenet' for you."
echo -e " 5. Sometimes waiting a minute helps -- retry steps 2 and 3 to monitor." echo -e " 5. SOMETIMES WAITING A MINUTE HELPS -- retry steps 2 and 3 to monitor."
echo -e " 6. If in future you want to disable OpenVPN connections to-and-from your" echo -e " 6. If in future you want to disable OpenVPN connections to-and-from your"
echo -e " Internet-in-a-Box (IIAB) please run 'iiab-support-off' at that time." echo -e " Internet-in-a-Box (IIAB) please run 'iiab-support-off' at that time."
echo -e " 7. Read 'How can I remotely manage my Internet-in-a-Box?' at" echo -e " 7. Read 'How can I remotely manage my Internet-in-a-Box?' at"
@ -103,4 +116,5 @@ if [ "$vpnip" != "" ]; then
echo -e "\nYour OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n" echo -e "\nYour OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n"
else else
echo -e "\n \e[41m ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS \e[0m\n" echo -e "\n \e[41m ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS \e[0m\n"
exit 1
fi fi
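Review bot: Neither `cd /opt/iiab/iiab` nor the `ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local` call in the second hunk checks its exit status, and no `set -e` is visible in the hunks shown, so a failed or partial playbook run falls straight through to "Now let's (re)enable OpenVPN..." and the later "Your OpenVPN IP address" branch, the same way the old `./runrole 1-prep` line did. Since this playbook is what confirms sshd and iiab-admin before remote access is enabled, the failure should stop the script: `cd /opt/iiab/iiab || exit 1` and `ansible-playbook -i "$INVENTORY" "$PLAYBOOK" --connection=local || { echo -e " \e[41m ERROR: $PLAYBOOK failed - see $ANSIBLE_LOG_PATH \e[0m\n"; exit 1; }`. Quoting the two variables also keeps the existing behaviour while matching the `"$vpnip"` quoting used later in the same file. The enclosing `if grep -q '^openvpn_install: True' ...` / `else` / `fi` sits wholly inside the hunk, but the script itself continues past it.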


@ -1,26 +0,0 @@
#!/bin/bash
echo -e "\n\n\e[41m DEPRECATED PLEASE RUN 'iiab-support' INSTEAD \e[0m\n\n"
read -p "Continue? [y/N] " ans
if [ "$ans" != "y" ]; then
echo
exit
fi
PLAYBOOK="install-support.yml"
INVENTORY="ansible_hosts"
CWD=`pwd`
export ANSIBLE_LOG_PATH="$CWD/iiab-install.log"
if [ ! -f $PLAYBOOK ]; then
echo -e "\nEXITING: $PLAYBOOK not found.\n"
echo -e "Please run this command from /opt/iiab/iiab (top of git repo).\n"
exit 1
fi
sed -i -e "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml
sed -i -e "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml
ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local


@ -8,7 +8,6 @@
roles: roles:
- { role: 0-init, tags: ['0-init'] } - { role: 0-init, tags: ['0-init'] }
#- { role: 1-prep, tags: ['1-prep', 'platform', 'base'] } - { role: sshd, tags: ['sshd'] }
- { role: 1-prep, tags: ['1-prep'] } - { role: iiab-admin, tags: ['iiab-admin'] }
#- { role: openvpn, tags: ['openvpn'] } # FASTER ALTERNATIVE THAN 1-prep (if 1-prep was already run!) - { role: openvpn, tags: ['openvpn'] }
# BETTER YET, SEE: /usr/bin/iiab-support for a much friendlier UX, that only runs 1-prep when necessary.
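Review bot: The rendering drops the +/- marker on the `# BETTER YET, SEE: /usr/bin/iiab-support ... only runs 1-prep when necessary.` line, so it is unclear whether it survives on the new side; if it does, it is stale, because 1-prep is no longer in this role list and iiab-support now runs this playbook directly rather than 1-prep. Either way the playbook would benefit from a one-line header stating who invokes it, e.g. `# Run by /usr/bin/iiab-support as: ansible-playbook -i ansible_hosts install-support.yml --connection=local`, so the sshd / iiab-admin / openvpn role order is understood as a deliberate minimal subset rather than an accidental one. The `roles:` list starts inside the hunk but the play header precedes it outside the hunk.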


@ -2,7 +2,7 @@
Network README Network README
============== ==============
This is run by Ansible after it has installed the core of Internet-in-a-Box (IIAB) and its apps/services. This is run by Ansible after it has installed the core (`Stages 0-to-9 <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_) of Internet-in-a-Box (IIAB) and its apps/services.
Specifically, this 'network' role is run: Specifically, this 'network' role is run:


@ -4,17 +4,18 @@
- openvpn - openvpn
- nmap - nmap
state: present state: present
tags: #tags:
- download # - download
- name: Install Ncat package # Newer versions of NMap do not include NCat, needed to announce /etc/iiab/openvpn_handle
- name: Install Ncat package (if Debian > 9 or Ubuntu > 18)
package: package:
name: name: ncat
- ncat
state: present state: present
when: need_ncat | bool when: is_debuntu and not (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18)
tags: #when: need_ncat | bool
- download #tags:
# - download
- name: Install ssh public keys for remote support (if openvpn_install) - name: Install ssh public keys for remote support (if openvpn_install)
lineinfile: lineinfile:
@ -62,8 +63,6 @@
with_items: with_items:
- /etc/openvpn/keys - /etc/openvpn/keys
- /etc/openvpn/scripts - /etc/openvpn/scripts
# Obsolete & unused for ~2 years as of August 2018:
#- /usr/lib/iiab
- name: Configure OpenVPN (BACKS UP FILES IF CHANGED) - name: Configure OpenVPN (BACKS UP FILES IF CHANGED)
template: template:
@ -82,19 +81,16 @@
- { src: 'silence', dest: '/etc/openvpn/scripts/silence', mode: '0755' } - { src: 'silence', dest: '/etc/openvpn/scripts/silence', mode: '0755' }
- { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' } - { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' }
- { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' } - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }
- { src: 'iiab-support', dest: '/usr/bin/iiab-support', mode: '0755' }
- { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' } - { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' }
- { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' } - { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' }
# Comment out in future? Not recommended as of August 2018: # 2019-10-09: Not recommended for over a year & no longer in use
- { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' } # - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
# Obsolete & unused for ~2 years as of August 2018:
# - { src: 'up_wan', dest: '/usr/lib/iiab/up_wan', mode: '0755' } - name: Copy /opt/iiab/iiab/iiab-support to /usr/bin/iiab-support, in case git tree deleted e.g. on a smaller IIAB install
# Obsolete & unused for ~2 years as of August 2018: copy:
#- { src: 'start.j2', dest: '/usr/lib/iiab/start', mode: '0755' } src: "{{ iiab_dir }}/iiab-support"
# Obsolete & unused for ~2 years as of August 2018: dest: /usr/bin/
#- { src: 'iiab-vpn.conf.in', dest: '/etc/openvpn/iiab-vpn.conf.in', mode: '0644' } mode: 0755
# Obsolete & unused for ~2 years as of August 2018:
#- { src: 'iiab-vpn.j2', dest: '/usr/bin/iiab-vpn', mode: '0755' }
- name: Create iiab-support-on (symlink to iiab-support for now) - name: Create iiab-support-on (symlink to iiab-support for now)
file: file:
@ -120,29 +116,6 @@
path: /usr/bin/iiab-vpn-off path: /usr/bin/iiab-vpn-off
state: link state: link
# up_wan was being installed twice (also above) and was unused for ~2 years
# as of August 2018: (see 15-openvpn below)
#- name: Put up_wan in place (debuntu)
# template:
# src: up_wan
# dest: /usr/lib/iiab/up_wan
# when: is_debuntu | bool
# Contained serious bug (15-openvpn called up-wan instead of up_wan in
# /usr/lib/iiab/ as of August 2018) so evidently unused for ~2 years:
#- name: Install NM dispatcher.d (for older OS's only, where OpenVPN doesn't auto-start openvpn@xscenet)
# template:
# src: 15-openvpn
# dest: /etc/NetworkManager/dispatcher.d/
# #when: not is_debuntu # CONDITION APPEARS TOO BROAD
# when: False # ADD/ITEMIZE ANY OS'S HERE, WHERE TRULY NEC (e.g. older CentOS, if running older OpenVPN?)
# Was obsolete/unused for ~2 years as of August 2018: (replaced by /etc/openvpn/xscenet.conf)
#- name: Check for manually configured OpenVPN tunnel
# stat:
# path: /etc/openvpn/iiab-vpn.conf
# register: stat
# FIXED SOMETIME PRIOR TO AUGUST 2018: earlier versions of Ansible had not # FIXED SOMETIME PRIOR TO AUGUST 2018: earlier versions of Ansible had not
# been working with systemd service names that contained the "@" character. # been working with systemd service names that contained the "@" character.
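Review bot: The new copy task in the third hunk writes `mode: 0755` unquoted, while every other entry in this file's template list uses the quoted form `mode: '0755'`; Ansible's own docs recommend the quoted string because an unquoted leading-zero literal is an octal integer under YAML 1.1 but decimal 755 under YAML 1.2 parsers, and this is the file that installs an executable into /usr/bin, so the safe spelling is worth keeping consistent: `mode: '0755'`. The same task's `src: "{{ iiab_dir }}/iiab-support"` will presumably fail on a re-run once the git tree has been deleted (the situation its name anticipates), so a short comment noting that this task is expected to succeed only while the tree is present, or a `when:` guarded by a `stat` of the source, would make that intent explicit. In the first hunk, the ncat task's `when: is_debuntu and not (is_debian_8 or ...)` list is the inverse of its name ("if Debian > 9 or Ubuntu > 18"); a comment such as `# Releases listed here ship ncat inside the nmap package; newer releases need the separate ncat package` would explain why the list enumerates exclusions and how to extend it.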


@ -1,6 +0,0 @@
# this file allows changing the world accessable vpn server and its ip address
#
# copy this template file to /etc/openvpn/iiab-vpn.conf, and set properly
# VPNCONFIG=< put the name of the config file in /etc/openvpn you want to use>
# VPNIP=<put the ip address of server, pinged to test for existence of vpn tunnel>


@ -1,92 +0,0 @@
#!/bin/bash
# script to manage openvpn
if [ ! -f "/etc/openvpn/iiab-vpn.conf" ]; then
VPNCONFIG='xscenet.conf' # WAS BUGGY (set to non-existent "party-line.conf", but thankfully unused) as of August 2018
VPNIP={{ openvpn_server_virtual_ip }}
else
# expect the sourced file to set the above variables
source /etc/openvpn/iiab-vpn.conf
fi
# we'd like the user of this script to have root privilege
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
case $1 in
"stop" | "no" | "off")
killall openvpn
exit 0
;;
"status")
pid=`ps -e|grep openvpn`
if [ -z "$pid" ]; then
echo "The OpenVPN process is not running"
else
echo "OpenVPN is running with id $pid"
ip=`ifconfig tun | gawk '(/netmask /) {print( $2);}'`
echo "Local vpn tunnel address is $ip"
fi
exit 0
;;
esac
# we'd like for password authentication to be turned off
grep -e^PasswordAuthentication.*[Yy]es /etc/ssh/sshd_config
PASSWORDS_ENABLED=$?
if [ $PASSWORDS_ENABLED -eq 0 ];then
case $1 in
"test" | "unsafe") ;;
*)
echo "OpenVPN is only safe when public/private keys are used"
echo " And when passwords are turned off in /etc/ssh/sshd_conf"
exit 1
esac
fi
# openvpn config file directory
dir=/etc/openvpn
if [ $# -eq 0 ]; then
cmd="test"
else
cmd=$1
fi
case $cmd in
"test" | "unsafe" )
# load TUN/TAP kernel module
modprobe tun
# make sure the wan is functioning
# 8.8.8.8 is one of google's dns servers
ping -c 3 -i 3 8.8.8.8
if [ $? -ne 0 ]; then
echo "internet is not available, tunnel not possible"
exit 1
fi
# check the vpn tunnel
ping -c 5 -i 5 "$VPNIP"
# a zero return means the tunnel is up
if [ $? -ne "0" ]; then
echo "Stopping any openvpn instance"
killall openvpn
sleep 10
echo "Starting OpenVPN and waiting 10 seconds for daemon to become ready"
openvpn --cd $dir --daemon --config $VPNCONFIG
fi
sleep 10
echo "Testing VPN connection"
ping -c 4 -i 4 "$VPNIP"
if [ $? -eq 0 ]; then
echo "vpn tunnel established"
else
echo "vpn connection failed"
fi
;;
esac


@ -1,41 +0,0 @@
# REPLACED BY xscenet.conf.j2 -> /etc/openvpn/xscenet.conf
#########################################
# Sample client-side OpenVPN config file
# for connecting to multi-client server.
#
# Adapted from http://openvpn.sourceforge.net/20notes.html
#
# The server can be pinged at 10.8.0.1.
#
# This configuration can be used by multiple
# clients, however each client should have
# its own cert and key files.
#
# tun-style tunnel
port {{ openvpn_server_port }}
dev tun
remote {{ openvpn_server }}
# TLS parms
tls-client
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
# This parm is required for connecting
# to a multi-client server. It tells
# the client to accept options which
# the server pushes to us.
pull
# Scripts can be used to do various
# things (change nameservers, for
# example.
#up scripts/ifup-post
#down scripts/ifdown-post
verb 4
comp-lzo yes


@ -1,6 +0,0 @@
# this file allows changing the world accessable vpn server and its ip address
#
# copy this template file to /etc/openvpn/xsce-vpn.conf, and set properly
# VPNCONFIG=< put the name of the config file in /etc/openvpn you want to use>
# VPNIP=<put the ip address of server, pinged to test for existence of vpn tunnel>


@ -27,4 +27,3 @@ systemd_location: /lib/systemd/system
# Upgrade OS's own Calibre to very latest: # Upgrade OS's own Calibre to very latest:
calibre_via_debs: True calibre_via_debs: True
calibre_via_python: False calibre_via_python: False
need_ncat: True


@ -199,9 +199,6 @@ openvpn_server: xscenet.net
openvpn_server_real_ip: 3.89.148.185 openvpn_server_real_ip: 3.89.148.185
openvpn_server_virtual_ip: 10.8.0.1 openvpn_server_virtual_ip: 10.8.0.1
openvpn_server_port: 1194 openvpn_server_port: 1194
# Newer versions of NMap do not include NCat which is used to announce handle
# need_ncat is turned true by os-#.yml files that don't have ncat in nmap
need_ncat: False
# Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4. # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
# Please see recommendations at: https://itsfoss.com/swap-size/ # Please see recommendations at: https://itsfoss.com/swap-size/


@ -40,4 +40,3 @@ minetest_working_dir: /library/games/minetest
minetest_game_dir: /library/games/minetest/games/minetest_game minetest_game_dir: /library/games/minetest/games/minetest_game
minetest_rpi_src_url: http://www.nathansalapat.com/downloads/0.4.17.1.tar.gz minetest_rpi_src_url: http://www.nathansalapat.com/downloads/0.4.17.1.tar.gz
minetest_rpi_src: minetest-0.4.17.1.tar.gz minetest_rpi_src: minetest-0.4.17.1.tar.gz
need_ncat: True


@ -29,4 +29,3 @@ systemd_location: /lib/systemd/system
# Upgrade Ubuntu 19.x's Calibre 3.39.1+ to very latest # Upgrade Ubuntu 19.x's Calibre 3.39.1+ to very latest
calibre_via_debs: False calibre_via_debs: False
calibre_via_python: True calibre_via_python: True
need_ncat: True