Merge pull request #43 from iiab/master

sync from iiab/iiab

iiab-network

@@ -4,25 +4,34 @@
 CWD=`pwd`
 export ANSIBLE_LOG_PATH="$CWD/iiab-network.log"
 
-if [ ! -f iiab-network.yml ]
+if [ ! -f iiab-network.yml ]; then
-then
+    echo "IIAB Playbook not found."
- echo "IIAB Playbook not found."
+    echo "Please run this command from the top level of the git repo."
- echo "Please run this command from the top level of the git repo."
+    echo "Exiting."
- echo "Exiting."
+    exit 1
- exit
 fi
 
-if [ ! -f /etc/iiab/config_vars.yml ]
+if [ ! -f /etc/iiab/config_vars.yml ]; then
-then
+    mkdir -p /etc/iiab
-   touch /etc/iiab/config_vars.yml
+    echo "{}" > /etc/iiab/config_vars.yml
+fi
+
+if [ -f /etc/iiab/iiab.env ]; then
+    source /etc/iiab/iiab.env
+else
+    OS="unknown"
 fi
 
 Start=`date`
 ansible-playbook -i ansible_hosts iiab-network.yml --connection=local
 End=`date`
 echo "" >> iiab-network.log
-if [ ! "OS" == "debian" ]; then
+# redhat path
+if [ ! "OS" == "debian" ] && [ ! "OS" == "unknown" ]; then
    ls -la /etc/sys*/net*/ifcfg* >> iiab-network.log
+fi
+# ubuntu destop might be using NM - split out.
+if [ $(which nmcli) ]; then
    nmcli d >> iiab-network.log
    nmcli c >> iiab-network.log
 fi

roles/calibre/tasks/main.yml

@@ -11,6 +11,24 @@
   when: is_rpi or (is_debian and calibre_debs_on_debian)
   #when: is_rpi or is_debian     # (is_debian also covers & includes is_rpi)
 
+- name: Create calibre-serve.service and calibre.conf
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: "{{ item.mode }}"
+    backup: no
+  register: calibre_config
+  with_items:
+    - { src: 'calibre-serve.service.j2', dest: '/etc/systemd/system/calibre-serve.service', mode: '0644'}
+    - { src: 'calibre.conf', dest: '/etc/{{ apache_config_dir }}', mode: '0644'}
+
+- name: Forcing systemd to reread configs
+  systemd:
+    daemon_reload: yes
+  when: calibre_config.changed
+
 # 2. STOP CALIBRE SERVICE IF IT EXISTS (REQUIRED FOR DB ACTIVITY...AND IF not calibre_enabled)
 
 #- name: Check if Calibre systemd service exists
@@ -25,7 +43,7 @@
     state: stopped
     #enabled: no
 # register: command_result    # gist.github.com/tyrells/0a79681de339237cb04c
-  failed_when: false          # Never Fail during "systemctl stop calibre-serve" (even if service doesn't exist!)
+#  failed_when: false          # Never Fail during "systemctl stop calibre-serve" (even if service doesn't exist!)
 # when: calibre_svc.stat.exists
 
 # 3. CREATE DATABASE WITH A SAMPLE BOOK (REQUIRED AS OF CALIBRE 3.x)
@@ -39,20 +57,7 @@
   include_tasks: create-db.yml
   when: not calibre_db.stat.exists
 
-# 4. WRAP UP: CALIBRE SERVICE, http://box/books ETC
+# 4. WRAP UP: ENABLE CALIBRE SERVICE, http://box/books ETC
-
-- name: Create calibre-serve.service and calibre.conf
-  template:
-    backup: no
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: root
-    group: root
-    mode: "{{ item.mode }}"
-  with_items:
-    - { src: 'calibre-serve.service.j2', dest: '/etc/systemd/system/calibre-serve.service', mode: '0644'}
-    - { src: 'calibre.conf', dest: '/etc/{{ apache_config_dir }}', mode: '0644'}
-  when: calibre_enabled
 
 # http://box:8080 & http://box:8080/mobile WORK BUT OTHER URL'S LIKE http://box/books ARE A MESS (BOOKS RARELY DISPLAY)
 - name: Create calibre.conf link for UNTESTED http://box/books etc (debuntu)
@@ -77,6 +82,11 @@
   #async: 900
   #poll: 5
 
+- name: Forcing apache to reread configs
+  service:
+    name: "{{ apache_service }}"
+    state: reloaded
+
 - name: Add 'calibre' to list of services at /etc/iiab/iiab.ini
   ini_file:
     dest: "{{ service_filelist }}"

roles/iiab-admin/tasks/access.yml

@@ -1,8 +1,9 @@
 - name: Install textmode remote access packages
-  package: name={{ item }}
+  package:
-           state=present
+    name: "{{ item }}"
+    state: present
   with_items:
-        - screen
+    - screen
-        - lynx
+    - lynx
   tags:
     - download

roles/iiab-admin/tasks/admin-user.yml

@@ -1,57 +1,69 @@
 - name: Create iiab-admin user and password
-  user: name={{ iiab_admin_user }}
+  user:
-        password={{ iiab_admin_passw_hash }}
+    name: "{{ iiab_admin_user }}"
-        update_password=on_create
+    password: "{{ iiab_admin_passw_hash }}"
+    update_password: on_create
+    shell: /bin/bash
 
 - name: Create a wheel group
-  group: name=wheel
+  group:
-         state=present
+    name: wheel
+    state: present
 
-- name: Create a sudo group
+- name: Create a sudo group (redhat)
-  group: name=sudo
+  group:
-         state=present
+    name: sudo
+    state: present
   when: is_redhat
 
 - name: Add user to wheel group
-  user: name={{ iiab_admin_user }} groups=wheel,sudo
+  user:
+    name: "{{ iiab_admin_user }}"
+    groups: wheel,sudo
 
 - name: Create root .ssh
-  file: path=/root/.ssh
+  file:
-        mode=0700
+    path: /root/.ssh
-        owner=root
+    owner: root
-        group=root
+    group: root
-        state=directory
+    mode: 0700
+    state: directory
 
 - name: Install dummy root keys as placeholder
-  copy: src=dummy_authorized_keys
+  copy:
-        dest=/root/.ssh/authorized_keys
+    src: dummy_authorized_keys
-        force=no
+    dest: /root/.ssh/authorized_keys
-        owner=root
+    owner: root
-        group=root
+    group: root
-        mode=0600
+    mode: 0600
+    force: no
 
 #        backup=yes
 
 - name: Edit the sudoers file -- first make it editable
-  file: path=/etc/sudoers
+  file:
-        mode=0640
+    path: /etc/sudoers
+    mode: 0640
 
 - name: Have sudo log all commands it handles
-  lineinfile: regexp=logfile
+  lineinfile:
-              line='Defaults     logfile = /var/log/sudo.log'
+    regexp: logfile
-              state=present
+    line: "Defaults     logfile = /var/log/sudo.log"
-              dest=/etc/sudoers
+    dest: /etc/sudoers
+    state: present
 
 - name: Lets wheel sudo without password
   lineinfile:
-     line: "%wheel ALL= NOPASSWD: ALL"
+    line: "%wheel ALL= NOPASSWD: ALL"
-     dest: /etc/sudoers
+    dest: /etc/sudoers
 
 - name: Remove the line which requires tty
-  lineinfile: regexp=requiretty
+  lineinfile:
-              state=absent
+    regexp: requiretty
-              dest=/etc/sudoers
+    dest: /etc/sudoers
+    state: absent
 
 - name: End editing the sudoers file -- protect it again
-  file: path=/etc/sudoers
+  file:
-        mode=0440
+    path: /etc/sudoers
+    mode: 0440

roles/iiab-admin/tasks/main.yml

@@ -7,11 +7,12 @@
   tags:
     - base
 
-- name: Add iiab-admin parameters to ini file
+- name: Add 'iiab-admin' to list at /etc/iiab/iiab.ini
-  ini_file: dest='{{ service_filelist }}'
+  ini_file:
-            section=iiab-admin
+    dest: "{{ service_filelist }}"
-            option='{{ item.option }}'
+    section: iiab-admin
-            value='{{ item.value }}'
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
   with_items:
     - option: name
       value: iiab-admin
@@ -21,19 +22,23 @@
       value: "{{ iiab_admin_user }}"
 
 - name: Set up to issue warning if iiab-admin password is still default
-  template: src=profile_ssh_warn.sh
+  template:
-            dest=/etc/profile.d/
+    src: profile_ssh_warn.sh
+    dest: /etc/profile.d/
 
 - name: Is this LXDE?
-  stat: path=/home/pi/.config/lxsession
+  stat:
+    path: /home/pi/.config/lxsession
   register: lx
 
 - name: Do the same if running on Raspbian
-  template: src=lxde_ssh_warn.sh
+  template:
-            dest=/home/pi/.config/lxsession/LXDE-pi/
+    src: lxde_ssh_warn.sh
+    dest: /home/pi/.config/lxsession/LXDE-pi/
   when: lx.stat.isdir is defined and lx.stat.isdir and is_rpi and is_debuntu
 
-- name: Put an autostart line to check for default password in LXDE
+- name: Put an autostart line to check for default password in LXDE (raspbian)
-  lineinfile: line=@/home/pi/.config/lxsession/LXDE-pi/lxde_ssh_warn.sh
+  lineinfile:
-              dest=/home/pi/.config/lxsession/LXDE-pi/autostart
+    line: "@/home/pi/.config/lxsession/LXDE-pi/lxde_ssh_warn.sh"
+    dest: /home/pi/.config/lxsession/LXDE-pi/autostart
   when: lx.stat.isdir is defined and lx.stat.isdir and is_rpi and is_debuntu

roles/network/defaults/main.yml

@@ -4,7 +4,6 @@ wireless_lan_present: False
 strict_networking: False
 iiab_demo_mode: False
 gui_static_wan: False
-has_NM: False
 
 # Set defaults for discovery process as strings
 wifi1: "not found-1"
@@ -29,6 +28,8 @@ has_wifi_gw: "none"
 #Debian
 dhcpcd_result: ""
 wan_in_interfaces: False
+network_manager_active: False
+systemd_networkd_active: False
 
 # The values here are default local variables.
 gui_wan_iface: "unset"

roles/network/tasks/NM-debian.yml

@@ -0,0 +1,39 @@
+# NM-debian.yml
+- name: Stopping services
+  include_tasks: down-debian.yml
+
+# provide keyfile layout like the XO's used way back.
+- name: Create uuid for NM's keyfile store
+  shell: uuidgen
+  register: uuid_response
+
+- name: Put the uuid in place
+  set_fact:
+    gen_uuid: "{{ uuid_response.stdout_lines[0] }}"
+
+# NM might have a watcher on this path and we don't have to restart NM
+- name: Copy the bridge script for NetworkManager
+  template:
+    dest: /etc/NetworkManager/system-connections/
+    src: network/bridge-br0
+
+- name: Reload systemd
+  shell: systemctl daemon-reload
+
+- name: Restart the NetworkManager service
+  service:
+    name: network-manager
+    state: restarted
+  when: not nobridge is defined and not no_net_restart
+
+- name: Restart hostapd when WiFi is present
+  service:
+    name: hostapd
+    state: restarted
+  when: iiab_wireless_lan_iface is defined and hostapd_enabled and iiab_network_mode != "Appliance"
+
+- name: dhcp_server may be affected - starting - user choice
+  service:
+    name: "{{ dhcp_service2 }}"
+    state: started
+  when: iiab_network_mode != "Appliance"

roles/network/tasks/debian.yml

@@ -9,7 +9,7 @@
 #   4. In lan_controller: wan is off, eth0 and wlan0 under br0
 #   5. In gateway: eth0 is wan, and wlan0 is under br0 (only one adapter under br0)
 #   6. As a slight concess to auto config, if eth1 exists, make it wan, and force gateway
- 
+
 #- name: In upgrade from earlier IIAB 6.2, delete the resolvconf
 #  package: name=resolvconf
 #           state=absent
@@ -37,7 +37,7 @@
 - name: Copy the bridge script
   template: dest=/etc/network/interfaces.d/iiab
             src=network/systemd.j2
-  when: not is_rpi and not has_NM and (iiab_lan_iface == "br0" or wan_ip != "dhcp")
+  when: not is_rpi and (iiab_lan_iface == "br0" or wan_ip != "dhcp")
 
 - name: Copy the bridge script for RPi
   template: dest=/etc/network/interfaces.d/iiab
@@ -57,34 +57,6 @@
   service: name=dnsmasq state=stopped
   when: dnsmasq_install
 
-# do this
-#- name: Copy NetworkManager.conf for has_NM
-#  template: dest=/etc/NetworkManager/NetworkManager.conf
-#            src=network/NetworkManager.conf
-#  when: has_NM and iiab_lan_iface == "br0"
-
-#- name: Copy the bridge script for has_NM
-#  template: dest=/etc/network/interfaces
-#            src=network/systemd.j2
-#  when: has_NM and not wan_in_interfaces and iiab_lan_iface == "br0"
-
-# or provide keyfile layout like the XO's used way back.
-- name: Create uuid for NM
-  shell: uuidgen
-  register: uuid_response
-  when: has_NM and not wan_in_interfaces and iiab_lan_iface == "br0"
-
-- name: Put the uuid in place
-  set_fact:
-    gen_uuid: "{{ uuid_response.stdout_lines[0] }}"
-  when: has_NM and not wan_in_interfaces and iiab_lan_iface == "br0"
-
-# NM might have a watcher on this path and we don't have to restart NM
-- name: Copy the bridge script for has_NM
-  template: dest=/etc/NetworkManager/system-connections/
-            src=network/bridge-br0
-  when: has_NM and not wan_in_interfaces and iiab_lan_iface == "br0"
-
 - name: Reload systemd
   shell: systemctl daemon-reload
 
@@ -95,8 +67,8 @@
 
 - name: Restart the networking service
   service: name=networking  state=restarted
-  when: not nobridge is defined and not has_NM and not no_net_restart
+  when: not nobridge is defined and not no_net_restart
-  
+
 - name: Restart hostapd when WiFi is present
   service: name=hostapd state=restarted
   when: iiab_wireless_lan_iface is defined and hostapd_enabled and iiab_network_mode != "Appliance"

roles/network/tasks/detected_network.yml

@@ -21,7 +21,17 @@
 
 - name: Setting dhcpcd_test results
   set_fact:
-    dhcpcd_result: '{{ ansible_local.local_facts.dhcpcd }}'
+    dhcpcd_result: "{{ ansible_local.local_facts.dhcpcd }}"
+
+- name: Setting systemd_networkd results
+  set_fact:
+    systemd_networkd_active: True
+  when: 'ansible_local.local_facts.systemd_networkd == "enabled"'
+
+- name: Setting network_manager results
+  set_fact:
+    network_manager_active: True
+  when: 'ansible_local.local_facts.network_manager == "enabled"'
 
 - name: Check /etc/network/interfaces for gateway
   shell: grep {{ device_gw }} /etc/network/interfaces | wc -l
@@ -185,6 +195,10 @@
     value: '{{ device_gw2 }}'
   - option: 'dhcpcd_result'
     value: '{{ dhcpcd_result }}'
+  - option: 'network_manager_active'
+    value: '{{ network_manager_active }}'
+  - option: 'systemd_networkd_active'
+    value: '{{ systemd_networkd_active }}'
   - option: 'wan_in_interfaces'
     value: '{{ wan_in_interfaces }}'
   - option: 'wireless_list_1(wifi1)'

roles/network/tasks/down-debian.yml

@@ -0,0 +1,25 @@
+# down-debian.yml
+
+#- name: Supply resolvconf.conf
+#  template:
+#     dest: /etc/resolvconf.conf
+#    src: network/resolvconf.j2
+
+- name: bind may be affected
+  service:
+    name: "{{ dns_service }}"
+    state: stopped
+  when: named_install and dnsmasq_enabled
+
+# dhcpd_server release the interface
+- name: dhcpd_server may be affected - stopping dhcpd
+  service:
+    name: dhcpd
+    state: stopped
+  when: dhcpd_install
+
+- name: dhcpd_server may be affected - stopping dnsmasq
+  service:
+    name: dnsmasq
+    state: stopped
+  when: dnsmasq_install

roles/network/tasks/main.yml

@@ -84,23 +84,41 @@
 
 #### end services
 #### Start network layout
-
+- name: Redhat networking
-- include_tasks: ifcfg_mods.yml
+  include_tasks: ifcfg_mods.yml
   tags:
-    - network
+  - network
   when: is_redhat and not installing
 
-- include_tasks: debian.yml
+- name: NetworkManager in use
+  include_tasks: NM-debian.yml
   tags:
-    - network
+  - network
-  when: is_debuntu
+  when: is_debuntu and network_manager_active
-#and not is_rpi  and not installing
+#and not installing
 
-#- include_tasks: rpi_debian.yml
+- name: systemd-networkd in use
-#  tags:
+  include_tasks: sysd-netd-debian.yml
-#    - network
+  tags:
-#  when: is_debuntu and is_rpi  and not installing
+  - network
+  when: is_debuntu and systemd_networkd_active
+#and not installing
 
+- name: RPi's have dhcpcd in use
+  include_tasks: rpi_debian.yml
+  tags:
+  - network
+  when: is_debuntu and is_rpi
+#and not installing
+
+- name: Not RPi, Not NetworkManager, Not systemd-networkd in use
+  include_tasks: debian.yml
+  tags:
+  - network
+  when: not is_rpi and not network_manager_active and not systemd_networkd_active and is_debuntu
+#and not installing
+
+# this is moving
 - name: Record iiab_wan_device
   lineinfile: dest=/etc/iiab/iiab.env
               regexp='^IIAB_WAN_DEVICE=*'
@@ -108,7 +126,7 @@
               state=present
   when: not installing
   tags:
-    - network
+  - network
 
 - name: Record iiab_lan_device
   lineinfile: dest=/etc/iiab/iiab.env
@@ -117,15 +135,15 @@
               state=present
   when: not installing
   tags:
-    - network
+  - network
 
 #### end network layout
 - include_tasks: restart.yml
   when: not installing
   tags:
-    - network
+  - network
-    - named
+  - named
-    - dhcpd
+  - dhcpd
-    - dnsmasq
+  - dnsmasq
-    - squid
+  - squid
-    - AP
+  - AP

roles/network/tasks/restart.yml

@@ -4,7 +4,7 @@
 
 - name: Start named service
   service: name={{ dns_service }}
-           state=started
+           state=restarted
   when: named_enabled and named_install
 
 - name: Stop Squid service

roles/network/tasks/rpi_debian.yml

@@ -5,78 +5,53 @@
 #      a. gui_desired_network_role
 #      b. hostapd_enabled
 #      c. gui_static_wan_ip
-#   3. In appliance mode: wan (and wlan0) is either static or dhcp under br0, and hostapd off
+#   3. In appliance mode: wan is either wired dhcp/static or wlan0 and hostapd off
 #   4. In lan_controller: wan is off, eth0 and wlan0 under br0
-#   5. In gateway: eth0 is wan, and wlan0 is under br0 (only one adapter under br0)
+#   5. In gateway: user gateway is wan, and wlan0 under br0 if not acting as
-#   6. As a slight concess to auto config, if eth1 exists, make it wan, and force gateway
+#      the gateway
 
-- name: Raspbian stock has openresolv which is not available in Debian, off it
+- name: Supply resolvconf.conf
-  package: name=openresolv
+  template:
-           state=absent
+    dest: /etc/resolvconf.conf
+    src: network/resolvconf.j2
 
-- name: Get the stock resolv.conf manager
+- name: Supply dhcpcd.conf
-  package: name=resolvconf
+  template:
-           state=absent
+    dest: /etc/dhcpcd.conf
+    src: network/dhcpcd.conf.j2
 
-- name: On upgrade from earlier IIAB versions, remove /etc/network/interfaces.d/br0
+- name: Copy the bridge script for RPi
-  file: path=/etc/network/interfaces.d/br0
+  template:
-        state=absent
+    dest: /etc/network/interfaces.d/iiab
-  when: iiab_lan_iface != "br0" and wan_ip == "dhcp"
+    src: network/rpi.j2
+  when: iiab_lan_iface == "br0"
 
-- name: Default to 'LanController'
+- name: Stopping services
-  set_fact:
+  include_tasks: down-debian.yml
-      gui_desired_network_role: "LanController"
-  when: not gui_desired_network_role is defined
 
-- name: Rewrite the /etc/network/interfaces file which we corrupted
+- name: Reload systemd
-  template: dest=/etc/network/interfaces
+  shell: systemctl daemon-reload
-            src=network/interfaces.j2
-
-- name: Supply our own dhcpcd.conf
-  template: dest=/etc/dhcpcd.conf
-            src=network/dhcpcd.conf.j2
-  when: iiab_lan_iface == "br0" or wan_ip != "dhcp"
-
-- name: Copy the network config script
-  template: dest=/etc/network/interfaces.d/iiab
-            src=network/systemd.j2
-  register: interface
-  when: iiab_lan_iface == "br0" or wan_ip != "dhcp"
-
-- name: If this was a change, things need to shift
-  service: name=hostapd state=stopped
-  when: interface.changed
-
-- name: dhcpcd may be affected
-  service: name=dhcpcd state=stopped
-  when: interface.changed
-
-- name: Tear down any bridge and start fresh
-  command: ip link set br0 down
-  ignore_errors: True
-  when: interface.changed
-
-- name: And remove the device
-  command: brctl delbr br0
-  ignore_errors: True
-  when: interface.changed
-
-- name: Reset the eth0 interface
-  command: ifdown eth0
-  ignore_errors: True
-  when: interface.changed
-
-- name: Start up dhcpcd again
-  service: name=dhcpcd state=started
 
 # now pick up denyinterfaces
 - name: Restart dhcpcd
-  service: name=dhcpcd state=restarted
+  service:
+    name: dhcpcd
+    state: restarted
 
 - name: Restart the networking service
-  service: name=networking state=restarted
+  service:
+    name: networking
+    enabled: yes
+    state: restarted
+  when: not nobridge is defined and not no_net_restart
 
-#create lan br0 if lan_controller or gateway
+- name: Restart hostapd when WiFi is present
-#create wan br0 if appliance
+  service:
-#allocate wlan0 under br0 in all cases
+    name: hostapd
-#allocate eth0 under br0 if appliance, alone if gateway
+    enabled: yes
+    state: restarted
+  when: iiab_wireless_lan_iface is defined and hostapd_enabled and iiab_network_mode != "Appliance"
+
+#- name: dhcp_server may be affected - starting - user choice
+#  service: name={{ dhcp_service2 }} state=started
+#  when: iiab_network_mode != "Appliance"

roles/network/tasks/sysd-netd-debian.yml

@@ -0,0 +1,40 @@
+# sysd-netd-debian.yml
+- name: Copy the bridge script - Creates br0
+  template:
+    dest: /etc/systemd/network/IIAB-Bridge.netdev
+    src: network/systemd-br0.j2
+
+- name: Copy the bridge script - Assigns IP address
+  template:
+    dest: /etc/systemd/network/IIAB-Bridge.network
+    src: network/systemd-br0-network.j2
+
+- name: Copy the bridge script - Assigns br0 wired slaves
+  template:
+    dest: /etc/systemd/network/IIAB-Slave.network
+    src: network/systemd-br0-slave.j2
+  when: iiab_wired_lan_iface is defined
+
+- name: Stopping services
+  include_tasks: down-debian.yml
+
+- name: Reload systemd
+  shell: systemctl daemon-reload
+
+- name: Restart the systemd-networkd service
+  service:
+    name: systemd-networkd
+    enabled: yes
+    state: restarted
+  when: not nobridge is defined and not no_net_restart
+
+- name: Restart hostapd when WiFi is present
+  service:
+    name: hostapd
+    enabled: yes
+    state: restarted
+  when: iiab_wireless_lan_iface is defined and hostapd_enabled and iiab_network_mode != "Appliance"
+
+#- name: dhcp_server may be affected - starting - user choice
+#  service: name={{ dhcp_service2 }} state=started
+#  when: iiab_network_mode != "Appliance"

roles/network/templates/network/systemd-br0-network.j2

@@ -0,0 +1,15 @@
+# /etc/systemd/network/IIAB-Bridge.network
+[Match]
+Name=br0
+
+[Network]
+Bridge=br0
+LinkLocalAddressing=no
+DNS={{ lan_ip }}
+Domains={{ iiab_domain }}
+
+[Address]
+Address={{ lan_ip }}/19
+
+[Route]
+Gateway=""

roles/network/templates/network/systemd-br0-slave.j2

@@ -0,0 +1,5 @@
+# /etc/systemd/network/IIAB-Slave.network
+[Match]
+Name={{ iiab_wired_lan_iface }}
+[Network]
+Bridge=br0

roles/network/templates/network/systemd-br0.j2

@@ -0,0 +1,4 @@
+# /etc/systemd/network/IIAB-Bridge.netdev
+[NetDev]
+Name=br0
+Kind=bridge

roles/nodogsplash/defaults/main.yml

@@ -0,0 +1,3 @@
+nodogsplash_install : False
+nodogsplash_enabled : False
+nodogsplash_arm_deb : nodogsplash_2.0.0-1_armhf.deb

roles/nodogsplash/tasks/main.yml

@@ -0,0 +1,3 @@
+- name: Install nodogsplash (Raspbian only)
+  include_tasks: rpi.yml
+  when: is_rpi

roles/nodogsplash/tasks/rpi.yml

@@ -0,0 +1,68 @@
+- name: nodogsplash dependencies
+  package:
+    name: libmicrohttpd12
+    state: present
+
+- name: Get the nodogsplash software
+  get_url:
+     url: "{{ iiab_download_url }}/{{ nodogsplash_arm_deb }}"
+     dest: "{{ downloads_dir }}/{{ nodogsplash_arm_deb }}"
+  when: internet_available
+  async: 300
+  poll: 5
+
+- name: Install nodogsplash
+  apt:
+    deb="{{ downloads_dir }}/{{ nodogsplash_arm_deb }}"
+
+#- name: Create nodogsplash.service # deb file has one
+#  template:
+#    backup: no
+#    src: nodogsplash.service.j2
+#    dest: "/etc/systemd/system/nodogsplash.service"
+#    owner: root
+#    group: root
+#    mode: 0644
+
+- name: Install custom files
+  template:
+    backup: no
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: "{{ item.mode }}"
+  with_items:
+    - { src: 'nodogsplash.conf.j2', dest: '/etc/nodogsplash/nodogsplash.conf', mode: '0644'}
+    - { src: 'splash.html.j2', dest: '/etc/nodogsplash/htdocs/splash.html', mode: '0644'}
+
+# We should probably only start this service on next boot
+- name: Enable nodogsplash service
+  service:
+    name: nodogsplash
+    enabled: yes
+    state: started
+  when: nodogsplash_enabled
+
+- name: Disable nodogsplash service
+  service:
+    name: nodogsplash
+    enabled: no
+    state: stopped
+  when: not nodogsplash_enabled
+
+- name: Add 'nodogsplash' to list of services at /etc/iiab/iiab.ini
+  ini_file:
+    dest: "{{ service_filelist }}"
+    section: nodogsplash
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+  with_items:
+  - option: name
+    value: nodogsplash
+  - option: description
+    value: '"Nodogsplash is a lightweight Captive Portal."'
+  - option: source
+    value: "{{ nodogsplash_arm_deb }}"
+  - option: enabled
+    value: "{{ nodogsplash_enabled }}"

roles/nodogsplash/templates/nodogsplash.conf.j2

@@ -0,0 +1,413 @@
+#
+# Nodogsplash Configuration File
+#
+
+# Parameter: GatewayInterface
+# Default: NONE
+#
+# GatewayInterface is not autodetected, has no default, and must be set here.
+# Set GatewayInterface to the interface on your router
+# that is to be managed by Nodogsplash.
+# Typically br0 for the wired and wireless lan on OpenWrt White Russian.
+# May be br-lan on OpenWrt Kamikaze.
+#
+GatewayInterface br0
+
+# FirewallRuleSet: authenticated-users
+#
+# Control access for users after authentication.
+# These rules are inserted at the beginning of the
+# FORWARD chain of the router's filter table, and
+# apply to packets that have come in to the router
+# over the GatewayInterface from MAC addresses that
+# have authenticated with Nodogsplash, and that are
+# destined to be routed through the router.  The rules are
+# considered in order, and the first rule that matches
+# a packet applies to it.
+# If there are any rules in this ruleset, an authenticated
+# packet that does not match any rule is rejected.
+# N.B.: This ruleset is completely independent of
+# the preauthenticated-users ruleset.
+#
+FirewallRuleSet authenticated-users {
+
+ # You may want to open access to a machine on a local
+ # subnet that is otherwise blocked (for example, to
+ # serve a redirect page; see RedirectURL).  If so,
+ # allow that explicitly here, e.g:
+ #  FirewallRule allow tcp port 80 to 192.168.254.254
+
+ # Your router may have several interfaces, and you
+ # probably want to keep them private from the GatewayInterface.
+ # If so, you should block the entire subnets on those interfaces, e.g.:
+    FirewallRule block to 192.168.0.0/16
+    FirewallRule block to 10.0.0.0/8
+
+ # Typical ports you will probably want to open up include
+ # 53 udp and tcp for DNS,
+ # 80 for http,
+ # 443 for https,
+ # 22 for ssh:
+    FirewallRule allow tcp port 53
+    FirewallRule allow udp port 53
+    FirewallRule allow tcp port 80
+    FirewallRule allow tcp port 443
+    FirewallRule allow tcp port 22
+
+ # You might use ipset to easily allow/block range of ips, e.g.:
+ # FirewallRule allow ipset WHITELISTED_IPS
+ # FirewallRule allow tcp port 80 ipset WHITELISTED_IPS
+}
+# end FirewallRuleSet authenticated-users
+
+
+# FirewallRuleSet: preauthenticated-users
+#
+# Control access for users before authentication.
+# These rules are inserted in the PREROUTING chain
+# of the router's nat table, and in the
+# FORWARD chain of the router's filter table.
+# These rules apply to packets that have come in to the
+# router over the GatewayInterface from MAC addresses that
+# are not on the BlockedMACList or TrustedMACList,
+# are *not* authenticated with Nodogsplash.  The rules are
+# considered in order, and the first rule that matches
+# a packet applies to it. A packet that does not match
+# any rule here is rejected.
+# N.B.: This ruleset is completely independent of
+# the authenticated-users and users-to-router rulesets.
+#
+FirewallRuleSet preauthenticated-users {
+ # For preauthenticated users to resolve IP addresses in their initial
+ # request not using the router itself as a DNS server,
+ # you probably want to allow port 53 udp and tcp for DNS.
+    FirewallRule allow tcp port 53
+    FirewallRule allow udp port 53
+ # For splash page content not hosted on the router, you
+ # will want to allow port 80 tcp to the remote host here.
+ # Doing so circumvents the usual capture and redirect of
+ # any port 80 request to this remote host.
+ # Note that the remote host's numerical IP address must be known
+ # and used here.
+ #    FirewallRule allow tcp port 80 to 123.321.123.321
+}
+# end FirewallRuleSet preauthenticated-users
+
+
+# FirewallRuleSet: users-to-router
+#
+# Control access to the router itself from the GatewayInterface.
+# These rules are inserted at the beginning of the
+# INPUT chain of the router's filter table, and
+# apply to packets that have come in to the router
+# over the GatewayInterface from MAC addresses that
+# are not on the TrustedMACList, and are destined for
+# the router itself.  The rules are
+# considered in order, and the first rule that matches
+# a packet applies to it.
+# If there are any rules in this ruleset, a
+# packet that does not match any rule is rejected.
+#
+FirewallRuleSet users-to-router {
+ # Nodogsplash automatically allows tcp to GatewayPort,
+ # at GatewayAddress, to serve the splash page.
+ # However you may want to open up other ports, e.g.
+ # 53 for DNS and 67 for DHCP if the router itself is
+ # providing these services.
+    FirewallRule allow udp port 53
+    FirewallRule allow tcp port 53
+    FirewallRule allow udp port 67
+ # You may want to allow ssh, http, and https to the router
+ # for administration from the GatewayInterface.  If not,
+ # comment these out.
+    FirewallRule allow tcp port 22
+    FirewallRule allow tcp port 80
+    FirewallRule allow tcp port 443
+    # FirewallRule allow tcp port 3000
+}
+# end FirewallRuleSet users-to-router
+
+# EmptyRuleSetPolicy directives
+# The FirewallRuleSets that NoDogSplash permits are:
+#
+# authenticated-users
+# preauthenticated-users
+# users-to-router
+# trusted-users
+# trusted-users-to-router
+#
+# For each of these, an EmptyRuleSetPolicy can be specified.
+# An EmptyRuleSet policy applies to a FirewallRuleSet if the
+# FirewallRuleSet is missing from this configuration file,
+# or if it exists but contains no FirewallRules.
+#
+# The possible values of an EmptyRuleSetPolicy are:
+# allow  -- packets are accepted
+# block  -- packets are rejected
+# passthrough -- packets are passed through to pre-existing firewall rules
+#
+# Default EmptyRuleSetPolicies are set as follows:
+# EmptyRuleSetPolicy authenticated-users passthrough
+# EmptyRuleSetPolicy preauthenticated-users block
+EmptyRuleSetPolicy users-to-router allow
+# EmptyRuleSetPolicy trusted-users allow
+# EmptyRuleSetPolicy trusted-users-to-router allow
+
+
+# Parameter: GatewayName
+# Default: NoDogSplash
+#
+# Set  GatewayName to the name of your gateway.  This value
+# will be available as variable $gatewayname in the splash page source
+# and in status output from ndsctl, but otherwise doesn't matter.
+# If none is supplied, the value "NoDogSplash" is used.
+#
+# GatewayName NoDogSplash
+
+# Parameter: GatewayAddress
+# Default: Discovered from GatewayInterface
+#
+# This should be autodetected on an OpenWRT system, but if not:
+# Set GatewayAddress to the IP address of the router on
+# the GatewayInterface.  This is the address that the Nodogsplash
+# server listens on.
+#
+# GatewayAddress 192.168.1.1
+
+# Parameter: RedirectURL
+# Default: none
+#
+# After authentication, normally a user is redirected
+# to their initially requested page.
+# If RedirectURL is set, the user is redirected to this URL instead.
+#
+# RedirectURL http://www.ilesansfil.org/
+
+# Parameter: GatewayPort
+# Default: 2050
+#
+# Nodogsplash's own http server uses GatewayAddress as its IP address.
+# The port it listens to at that IP can be set here; default is 2050.
+#
+# GatewayPort 2050
+
+# Parameter: MaxClients
+# Default: 20
+#
+# Set MaxClients to the maximum number of users allowed to
+# connect at any time.  (Does not include users on the TrustedMACList,
+# who do not authenticate.)
+#
+# MaxClients 20
+
+# ClientIdleTimeout
+# Parameter: ClientIdleTimeout
+# Default: 10
+#
+# Set ClientIdleTimeout to the desired of number of minutes
+# of inactivity before a user is automatically 'deauthenticated'.
+#
+# ClientIdleTimeout 10
+
+# Parameter: ClientForceTimeout
+# Default: 360
+#
+# Set ClientForceTimeout to the desired number of minutes before
+# a user is automatically 'deauthenticated', whether active or not
+#
+# ClientForceTimeout 360
+
+# Parameter: AuthenticateImmediately
+# Default: no
+#
+# Set to yes (or true or 1), to immediately authenticate users
+# who make a http port 80 request on the GatewayInterface (that is,
+# do not serve a splash page, just redirect to the user's request,
+# or to RedirectURL if set).
+#
+# AuthenticateImmediately no
+
+# Parameter: MACMechanism
+# Default: block
+#
+# Either block or allow.
+# If 'block', MAC addresses on BlockedMACList are blocked from
+# authenticating, and all others are allowed.
+# If 'allow', MAC addresses on AllowedMACList are allowed to
+# authenticate, and all other (non-trusted) MAC's are blocked.
+#
+# MACMechanism block
+
+# Parameter: BlockedMACList
+# Default: none
+#
+# Comma-separated list of MAC addresses who will be completely blocked
+# from the GatewayInterface.  Ignored if MACMechanism is allow.
+# N.B.: weak security, since MAC addresses are easy to spoof.
+#
+# BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D
+
+# Parameter: AllowedMACList
+# Default: none
+#
+# Comma-separated list of MAC addresses who will not be completely
+# blocked from the GatewayInterface.  Ignored if MACMechanism is block.
+# N.B.: weak security, since MAC addresses are easy to spoof.
+#
+# AllowedMACList 00:00:12:34:56:78
+
+# Parameter: TrustedMACList
+# Default: none
+#
+# Comma-separated list of MAC addresses who are not subject to
+# authentication, and are not restricted by any FirewallRuleSet.
+# N.B.: weak security, since MAC addresses are easy to spoof.
+#
+# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D
+
+
+# Parameter: PasswordAuthentication
+# Default: no
+# Set to yes (or true or 1), to require a password matching
+# the Password parameter to be supplied when authenticating.
+#
+#
+# PasswordAuthentication no
+
+# Parameter: Password
+# Default: none
+# Whitespace delimited string that is compared to user-supplied
+# password when authenticating.
+#
+#
+# Password nodog
+
+# Parameter: UsernameAuthentication
+# Default: no
+# Set to yes (or true or 1), to require a username matching
+# the Username parameter to be supplied when authenticating.
+#
+#
+# UsernameAuthentication no
+
+# Parameter: Username
+# Default: none
+# Whitespace delimited string that is compared to user-supplied
+# username when authenticating.
+#
+#
+# Username guest
+
+# Parameter: PasswordAttempts
+# Default: 5
+# Integer number of failed password/username entries before
+# a user is forced to reauthenticate.
+#
+#
+# PasswordAttempts 5
+
+# Parameter: TrafficControl
+# Default: no
+#
+# Set to yes (or true or 1), to enable traffic control in Nodogsplash.
+#
+# TrafficControl no
+
+# Parameter: DownloadLimit
+# Default: 0
+#
+# If TrafficControl is enabled, this sets the maximum download
+# speed to the GatewayInterface, in kilobits per second.
+# For example if you have an ADSL connection with 768 kbit
+# download speed, and you want to allow about half of that
+# bandwidth for the GatewayInterface, set this to 384.
+# A value of 0 means no download limiting is done.
+#
+# DownloadLimit 384
+
+# Parameter: UploadLimit
+# Default: 0
+#
+# If TrafficControl is enabled, this sets the maximum upload
+# speed from the GatewayInterface, in kilobits per second.
+# For example if you have an ADSL connection with 128 kbit
+# upload speed, and you want to allow about half of that
+# bandwidth for the GatewayInterface, set this to 64.
+# A value of 0 means no upload limiting is done.
+#
+# UploadLimit 64
+
+# Parameter: GatewayIPRange
+# Default: 0.0.0.0/0
+#
+# By setting this parameter, you can specify a range of IP addresses
+# on the GatewayInterface that will be responded to and managed by
+# Nodogsplash.  Addresses outside this range do not have their packets
+# touched by Nodogsplash at all.
+# Defaults to 0.0.0.0/0, that is, all addresses.
+#
+# GatewayIPRange 0.0.0.0/0
+
+# Parameter: ImagesDir
+# Default: images
+#
+# Set the directory from which images are served.
+# Use $imagesdir in HTML files to reference this directory.
+#
+# ImagesDir images
+
+# Parameter: BinVoucher
+# Default: None
+#
+# Enable Voucher Support.
+# If set, an alphanumeric voucher HTTP parameter is accepted
+# and passed to a command line call along with the clients MAC:
+#
+# $<BinVoucher> auth_voucher <mac> <voucher>
+#
+# BinVoucher must point to a program that will be called as described above.
+# The call is expected to output the number of seconds the client
+# is to be authenticated. Zero or negative seconds will cause the
+# authentification request to be rejected.
+# The output may contain a user specific download and upload limit in KBit/s:
+# <seconds> <upload> <download>
+#
+# BinVoucher "/bin/myauth"
+
+# Parameter: ForceVoucher
+# Default: no
+#
+# Force the use of a voucher. Authentification is not possible without voucher.
+#
+# ForceVoucher no
+
+# Parameter: EnablePreAuth
+# Default: no
+#
+# Enable pre-authentication support.
+# Pass the MAC of a client to a command line call before the splash page
+# would be send:
+#
+# $<BinVoucher> auth_status <mac>
+#
+# The call is expected to output the number of seconds the client
+# is to be authenticated. Zero or negative seconds will cause the
+# splash page to be displayed.
+# The output may contain a user specific download and upload limit in KBit/s:
+# <seconds> <download> <upload>
+#
+# EnablePreAuth no
+
+
+# Parameter: FW_MARK_BLOCKED
+# Default: 0x100
+#
+# Parameter: FW_MARK_TRUSTED
+# Default: 0x200
+#
+# Parameter: FW_MARK_AUTHENTICATED
+# Default: 0x400
+#
+# Nodogsplash uses specific values to mark packet using iptables.
+# In rare cases these might conflict with other programs and need
+# to be changed.

roles/nodogsplash/templates/nodogsplash.service.j2

@@ -0,0 +1,12 @@
+[Unit]
+Description=NoDogSplash Captive Portal
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/nodogsplash -d 5 $OPTIONS
+ExecStop=/usr/bin/ndsctl stop
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

roles/nodogsplash/templates/splash.html.j2

@@ -0,0 +1,95 @@
+<!DOCTYPE html>
+<html>
+<head>
+<!--
+A client is authenticated by requesting the page $authtarget.
+	So, href to it here, with an img or link text the user can click on.
+	Alternatively submit an HTTP form method=get, passing $authaction, $tok and $redir
+	Also, note that any images you reference must reside in the
+	subdirectory that is the value of $imagesdir (default: "images").
+
+Available variables:
+	error_msg: $error_msg
+	gatewayname: $gatewayname
+	tok: $tok
+	redir: $redir
+	authaction: $authaction
+	denyaction: $denyaction
+	authtarget: $authtarget
+	clientip: $clientip
+	clientmac: $clientmac
+	gatewaymac: $gatewaymac
+	nclients: $nclients
+	maxclients: $maxclients
+	uptime: $uptime
+	imagesdir: $imagesdir
+	pagesdir: $pagesdir
+
+Additional Variables that can also be passed back via HTTP get.
+Or just append them to the authentication link:
+	nodoguser
+	nodogpass
+	info
+	voucher
+-->
+
+<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
+<meta http-equiv="Pragma" content="no-cache" />
+<meta http-equiv="Expires" content="0" />
+<meta charset="utf-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<link rel='shortcut icon' href='$imagesdir/splash.jpg' type='image/x-icon' />
+<title>$gatewayname Entry</title>
+
+<style>
+body
+{
+background-color:lightgrey;
+color:black;
+max-width: 500px;
+margin: auto;
+text-align: left;
+}
+
+img
+{
+width: 40%;
+max-width: 180px;
+margin-left: 0%;
+margin-right: 5%;
+}
+
+input[type=submit]
+{
+color:black;
+margin-left: 0%;
+margin-right: 5%;
+text-align:left;
+font-size: 1.0em;
+line-height: 2.5em;
+font-weight: bold;
+border: 1px solid;
+}
+</style>
+</head>
+
+<body>
+<br>
+<h3>Redirecting to Internet in a Box ...</h3>
+<h3>If not redirected automatically, <BR>Please click Continue Button.</h3>
+<br>
+<br>
+
+<form method='get' action='$authaction' name='redirectForm'>
+<input type='hidden' name='tok' value='$tok'>
+<input type='hidden' name='redir' value='http://{{ iiab_hostname }}.{{ iiab_domain }}{{ iiab_home_url }}'>
+<input type='submit' value='Continue to Internet in a Box'>
+</form>
+
+<script type="text/javascript">
+  setTimeout(function () {
+    document.forms["redirectForm"].submit();
+    }, 1000);
+</script>
+</body>
+</html>

scripts/ansible

@@ -1,135 +1,81 @@
 #!/bin/bash -e
 # required to start loading IIAB with ansible
+GOOD_VER="2.4.2"
 FOUND=""
+FAMILY=""
 VER=""
 # below are unused for future use
-GOOD_VER=""
 URL="NA"
-# TODO add check for version - to revese patching if upgrading
+export DEBIAN_FRONTEND=noninteractive
-if [ $(which ansible-playbook) ]; then
+if ! [ $(which ansible-playbook) ]; then
-    VER=`ansible --version|head -n 1|cut -f 2 -d " "`
+    echo "Installing --- Please Wait"
-    GOOD_VER=`echo $VER | grep ^2.4`
+    if [ -f /etc/centos-release ]; then
-# 2.2.0.0 -> 2.4.1+ patching was not applied -just upgrade via pip
+        yum -y install ca-certificates nss epel-release
-    if [ $GOOD_VER = "" ]; then
+        yum -y install git bzip2 file findutils gzip hg svn sudo tar which unzip xz zip libselinux-python
-        echo "Ansible $VER installed updating to 2.4.1"
+        yum -y install python-pip python-setuptools python-wheel patch
-        pip install --upgrade ansible==2.4.1 --disable-pip-version-check
+        yum -y install http://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.4.2.0-1.el7.ans.noarch.rpm
-        exit 0
+        FOUND="yes"
-    fi
+        FAMILY="redhat"
-# keep an eye out for 2.4.1.X in the future
+#    elif [ -f /etc/fedora-release ]; then
-    if [ $VER = "2.4.1.0" ]; then
+#        VER=`grep VERSION_ID /etc/*elease | cut -d= -f2`
-        echo "Ansible $VER installed exiting..."
+#        URL=https://github.com/jvonau/iiab/blob/ansible/vars/fedora-$VER.yml
-        exit 0
+#        dnf -y install ansible git bzip2 file findutils gzip hg svn sudo tar which unzip xz zip libselinux-python
-    fi
+#        dnf -y install python-pip python-setuptools python-wheel patch
-fi
+#        FOUND="yes"
-
+#        FAMILY="redhat"
-# TODO add check for version - to revese patching if upgrading
+    elif [ -f /etc/olpc-release ]; then
-#if [ $(which ansible-playbook) ]; then
+        yum -y install ca-certificates nss
-#    VER=`ansible --version|head -n 1|cut -f 2 -d " "`
+        yum -y install git bzip2 file findutils gzip hg svn sudo tar which unzip xz zip libselinux-python
-
+        yum -y install python-pip python-setuptools python-wheel patch
-echo "Installing --- Please Wait"
+        pip install --upgrade pip setuptools wheel #EOL just do it
-if [ -f /etc/fedora-release ]; then
+        pip install ansible==$GOOD_VER --disable-pip-version-check
-    VER=`grep VERSION_ID /etc/*elease | cut -d= -f2`
+        FOUND="yes"
-    URL=https://github.com/jvonau/iiab/blob/ansible/vars/fedora-$VER.yml
+        FAMILY="olpc"
-    dnf -y upgrade
+    elif [ -f /etc/debian_version ] || [ `grep -qi raspbian /etc/*elease` ]; then
-    dnf -y install ansible git bzip2 file findutils gzip hg svn sudo tar which unzip xz zip libselinux-python
+        if [ ! `grep -qi ansible /etc/apt/sources.list` ] && [ ! -f /etc/apt/sources.list.d/ansible ]; then
-    dnf -y install python-pip python-setuptools python-wheel patch
+            apt-get -y install dirmngr python-pip python-setuptools python-wheel patch
-    FOUND="yes"
+            echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu xenial main" \
-    FAMILY="redhat"
+            >> /etc/apt/sources.list.d/ansible.list
-fi
+            apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367
-# might have to revisit dependencies with a redhat dialect
+        fi
-# ansible python-kerberos python-selinux python-winrm python-xmltodict sshpass bzip2 file findutils gzip tar unzip zip python-keyczar python-boto python-dnspython python-pyrax python-sphere
+        FOUND="yes"
-
+        FAMILY="debian"
-if [ -f /etc/centos-release ]; then
+    elif [ `grep -qi ubuntu /etc/lsb-release` ] ||  [ `grep -qi ubuntu /etc/os-release` ]; then
-    yum -y upgrade
+        apt-get -y install python-pip python-setuptools python-wheel patch
-    yum -y install ca-certificates nss epel-release
-    yum -y install git bzip2 file findutils gzip hg svn sudo tar which unzip xz zip libselinux-python
-    yum -y install python-pip python-setuptools python-wheel patch
-    yum -y install http://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.4.1.0-1.el7.ans.noarch.rpm
-    FOUND="yes"
-    FAMILY="redhat"
-fi
-if [ -f /etc/olpc-release ]; then
-    yum -y upgrade
-    yum -y install ca-certificates nss
-    yum -y install git bzip2 file findutils gzip hg svn sudo tar which unzip xz zip libselinux-python
-    yum -y install python-pip python-setuptools python-wheel patch
-    pip install --upgrade pip setuptools wheel #EOL just do it
-    FOUND="yes"
-    FAMILY="olpc"
-fi
-
-if [ -f /etc/debian_version ]; then
-    echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu xenial main" >> /etc/apt/sources.list
-    apt-get -y install dirmngr
-    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367
-    apt-get -y update
-    apt-get -y install ansible git python-pip python-setuptools python-wheel patch
-#    apt-get install ansible python-kerberos python-selinux python-winrm python-xmltodict sshpass bzip2 file findutils gzip tar unzip zip python-keyczar python-boto python-dnspython python-pyrax python-sphere
-    FOUND="yes"
-    FAMILY="debian"
-fi
-# Has 2.2.1
-if [ `grep -qi raspbian /etc/*elease` ]; then
-    echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu xenial main" >> /etc/apt/sources.list
-    apt-get -y install dirmngr
-    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367
-    apt-get -y update
-    apt-get -y install ansible git python-pip python-setuptools python-wheel patch
-#    apt-get install ansible python-kerberos python-selinux python-winrm python-xmltodict sshpass bzip2 file findutils gzip tar unzip zip python-keyczar python-boto python-dnspython python-pyrax python-sphere
-    FOUND="yes"
-    FAMILY="debian"
-fi
-if [ ! $FOUND = "yes" ]; then
-    if [ `grep -qi ubuntu /etc/lsb-release` ] ||  [ `grep -qi ubuntu /etc/os-release` ]; then
         apt-add-repository -y ppa:ansible/ansible
-        apt-get -y update
-        apt-get -y install ansible git python-pip python-setuptools python-wheel patch
-#        apt-get install ansible python-kerberos python-selinux python-winrm python-xmltodict sshpass bzip2 file findutils gzip tar unzip zip python-keyczar python-boto python-dnspython python-pyrax python-sphere
         FOUND="yes"
         FAMILY="debian"
     fi
-fi
+    if [ ! $FOUND = "yes" ]; then
-if [ ! $FOUND = "yes" ]; then
+        echo 'WARN: Could not detect distro or distro unsupported'
-    echo 'WARN: Could not detect distro or distro unsupported'
+        exit 1
-    exit 1
+    fi
-fi
+else
-
-# latest pip 2.2 is 2.2.3.0 on 2017-07-07
-# ansible-2.3.1.0-1.el7.noarch.rpm from 2017-06-01
-
-### start ansible pip install TODO add venv location /opt/iiab/anisble
-if [ $FAMILY = "olpc" ]; then
-    pip install ansible==2.4.1 --disable-pip-version-check
     VER=`ansible --version|head -n 1|cut -f 2 -d " "`
-    echo "ansible version installed via pip $VER"
+    echo "Current ansible version installed is $VER"
-fi
+    if [ -f /etc/centos-release ] || [ -f /etc/fedora-release ]; then
-
+        echo "Please use your system's package manager to update ansible"
-#  handle 2.2.1 -> 2.4.1+ deb install undo patching
+        exit 0
-#  unsure if install above will upgrade or skip - cover that now
+    fi
-if [ $FAMILY = "debian" ]; then
+    if [ -f /etc/olpc-release ]; then
-    if [ ! $VER == "" ]; then
+        echo "Please use pip package manager to update ansible"
-        sed -i 's/LooseVersion/StrictVersion/g' /usr/lib/python2.7/dist-packages/ansible/modules/core/web_infrastructure/htpasswd.py
+        exit 0
-        apt-get -y upgrade ansible
+    fi
+    if [[ `grep -qi ansible /etc/apt/sources.list` ]] || [ -f /etc/apt/sources.list.d/ansible*.list ]; then
+        echo "repos found"
+    else
+        echo "Upstream ansible source repo not found, please uninstall ansible and re-run this script"
+        exit 1
     fi
 fi
-VER=`ansible --version|head -n 1|cut -f 2 -d " "`
-echo "Current ansible version installed is $VER"
 
-# sample only
+if [ ! -f /etc/centos-release ] && [ ! -f /etc/fedora-release ] && \
-#if [ $FAMILY = "debian" ]; then
+   [ ! -f /etc/olpc-release ]; then
-#   rpm -e ansible
+    echo "Using OS package manager to check for ansible updates"
-#   pip install ansible==2.2.1 --disable-pip-version-check
+    apt-get -y update
-#fi
+    apt-get -y install ansible
+fi
 
-#if [ $FAMILY = "debian" ]; then
+# needed?
-#    echo 'WARN: Trying to install ansible via pip without some dependencies'
-#    echo 'WARN: Not all functionality of ansible may be available'
-#    pip install ansible==2.3.1 --disable-pip-version-check
-#fi
 mkdir -p /etc/ansible/
 echo -e '[local]\nlocalhost\n' > /etc/ansible/hosts
-
-### end ansible routine
-###
-# other pip upgrades here if needed
-###

scripts/local_facts.fact

@@ -6,6 +6,7 @@ VERSION_ID=${VERSION_ID//\"/}
 VERSION_ID=${VERSION_ID%%.*}
 OS_VER=$OS-$VERSION_ID
 DHCPCD_PATH=`which dhcpcd`
+NM_PATH=`which NetworkManager`
 
 case $OS_VER in
 "fedora-18" | \
@@ -59,10 +60,20 @@ if [ ! x$DHCPCD_PATH = x ]
 then
   DHCPCD=`systemctl is-enabled dhcpcd`
 fi
+# the check is debian family only is_redhad would use NetworkManager as the
+# service name.
+if [ ! x$NM_PATH = x ]
+then
+  NM=`systemctl is-enabled network-manager`
+fi
+SYSD_NETD=`systemctl is-enabled systemd-networkd`
+
 cat <<EOF
 {"phplib_dir"             : "$PHPLIB_DIR",
 "stage"                   : "$STAGE",
 "dhcpcd"                  : "$DHCPCD",
+"network_manager"         : "$NM",
+"systemd_networkd"        : "$SYSD_NETD",
 "iiab_branch"             : "$BRANCH",
 "iiab_commit"             : "$COMMIT",
 "xo_model"                : "$XO_VERSION",

vars/ubuntu-17.yml

@@ -1,6 +1,5 @@
 is_debuntu: True
 is_ubuntu: True
-has_NM: True
 dns_service: bind9
 dns_user: bind
 dhcp_service: isc-dhcp-server

vars/ubuntu-18.yml

@@ -1,6 +1,5 @@
 is_debuntu: True
 is_ubuntu: True
-has_NM: True
 dns_service: bind9
 dns_user: bind
 dhcp_service: isc-dhcp-server