From c4d6597d7434b0e2126c0f0bfdda3539549f1a4c Mon Sep 17 00:00:00 2001 From: George Hunt Date: Mon, 25 Oct 2021 19:59:16 +0100 Subject: [PATCH] initial checkin --- roles/remoteit/defaults/main.yml | 4 ++ roles/remoteit/tasks/enable-or-disable.yml | 80 ++++++++++++++++++++++ roles/remoteit/tasks/install.yml | 22 ++++++ roles/remoteit/tasks/main.yml | 37 ++++++++++ vars/local_vars_big.yml | 4 ++ vars/local_vars_medium.yml | 4 ++ vars/local_vars_min.yml | 4 ++ vars/local_vars_unittest.yml | 4 ++ 8 files changed, 159 insertions(+) create mode 100644 roles/remoteit/defaults/main.yml create mode 100644 roles/remoteit/tasks/enable-or-disable.yml create mode 100644 roles/remoteit/tasks/install.yml create mode 100644 roles/remoteit/tasks/main.yml
diff --git a/roles/remoteit/defaults/main.yml b/roles/remoteit/defaults/main.yml
new file mode 100644
index 000000000..1f5449dc8
--- /dev/null
+++ b/roles/remoteit/defaults/main.yml
@@ -0,0 +1,4 @@
+# Remote.it allows you to make secure remote connections between two computers.
+# See https://docs.remote.it/cli/overview for possible values for remoteit_url
+remoteit_cli_url: https://downloads.remote.it/cli/latest/remoteit_linux_armv7
+remoteit_device_url: https://downloads.remote.it/remoteit/v4.13.5/remoteit-4.13.5.armhf.rpi.deb
diff --git a/roles/remoteit/tasks/enable-or-disable.yml b/roles/remoteit/tasks/enable-or-disable.yml
new file mode 100644
index 000000000..78e717e05
--- /dev/null
+++ b/roles/remoteit/tasks/enable-or-disable.yml
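Review bot: `remoteit_cli_url` in roles/remoteit/defaults/main.yml points at a moving `latest` artifact, so the binary that gets installed changes whenever the vendor republishes, while `remoteit_device_url` is pinned to v4.13.5; pinning the CLI to a fixed release path as well would make installs reproducible and allow a digest to be stored next to the URL. Both defaults are hard-coded to ARM builds (`armv7`, `armhf.rpi`), so on other architectures the role would presumably fail or install an unusable binary unless the URLs are derived from the host architecture. The header comment refers to `remoteit_url`, which this file does not define; it should name `remoteit_cli_url` and `remoteit_device_url`.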
@@ -0,0 +1,80 @@
+# FIXED SOMETIME PRIOR TO AUGUST 2018: earlier versions of Ansible had not
+# been working with systemd service names that contained the "@" character.
+
+#- name: Enable the OpenVPN tunnel at boot time (debuntu)
+# shell: systemctl enable openvpn@xscenet.service
+# when: openvpn_enabled and not stat.exists is defined and is_debuntu
+
+#- name: Enable the OpenVPN tunnel at boot time (debuntu)
+# shell: update-rc.d openvpn enable
+# when: openvpn_enabled and not stat.exists is defined and is_debuntu
+
+#- name: Start the OpenVPN tunnel now
+# shell: systemctl start openvpn@xscenet.service
+# when: openvpn_enabled and not stat.exists is defined and not installing
+
+# AUGUST 2018: Unexplainably, stanza below had to be placed underneath ANY
+# "lineinfile: ... state: absent" stanza to make openvpn_handle propagate
+# properly to xscenet.net (monitoring ncat's erroneous handle parameter by
+# observing "systemctl status openvpn@xscenet" helped trace the [primary?]
+# bug to roles/openvpn/templates/announcer [far better now if not perfect?])
+# Earlier "./runrole openvpn" had to be run twice to transmit
+# /etc/iiab/openvpn_handle to xscenet.net -- and
+# "systemctl restart openvpn@xscenet" was failing completely (no matter how
+# many times it was run) to transmit /etc/iiab/openvpn_handle to xscenet.net
+
+# 2018-09-02: OpenVPN had been starting tunnels by accident after reboot,
+# with new IIAB installs. Fix below (https://github.com/iiab/iiab/pull/1079)
+# changes most all instances below from CHILD service "openvpn@xscenet" to
+# PARENT service "openpvn". See these critical files to understand why:
+#
+# /etc/default/openvpn implies AUTOSTART="all"
+# /etc/init.d/openvpn has AUTOSTART="all"
+# /etc/openvpn/xscenet.conf our VPN connection
+# /etc/network/if-up.d/openvpn appears to auto-start xscenet.conf
+# /lib/systemd/systemd-sysv-install sets /etc/rc*.d/S|K01openvpn
+# e.g. when "systemctl enable openvpn"
+
+- name: Enable & (Re)Start PARENT 'openvpn' system service, which (re)starts CHILD service 'openvpn@xscenet' (& actual tunnel)
+ systemd:
+ name: openvpn
+ daemon_reload: yes
+ enabled: yes
+ state: restarted # 2018-09-02: Should we be concerned that "systemctl status openvpn" often shows "active (exited)" ? If so we might consider "state: started" or "state: reloaded" instead?
+ when: openvpn_enabled
+
+- name: Enable hourly cron job for OpenVPN (starts CHILD service openvpn@xscenet, typically for CentOS only?)
+ lineinfile:
+ path: /etc/crontab
+ # CONSIDER "restart" not just "start" if something stronger is confirmed needed?
+ line: "25 * * * * root (/usr/bin/systemctl start openvpn@xscenet.service) > /dev/null"
+ when: openvpn_enabled and openvpn_cron_enabled
+
+- name: Remove hourly cron job for OpenVPN (typically for CentOS only?)
+ lineinfile:
+ path: /etc/crontab
+ regexp: "openvpn@xscenet"
+ # Potentially DANGEROUS as others use systemctl too:
+ #regexp: ".*/usr/bin/systemctl*"
+ state: absent
+ when: not openvpn_enabled or not openvpn_cron_enabled
+
+- name: Disable & Stop PARENT 'openvpn' system service, which stops CHILD service 'openvpn@xscenet' (& actual tunnel)
+ systemd:
+ name: openvpn
+ enabled: no
+ state: stopped
+ when: not openvpn_enabled
+
+#- name: Stop starting the OpenVPN tunnel at boot time (not debuntu)
+# shell: systemctl disable openvpn@xscenet.service
+# when: not openvpn_enabled and not is_debuntu
+
+#- name: Stop starting the OpenVPN tunnel at boot time (debuntu)
+# shell: update-rc.d openvpn disable
+# when: not openvpn_enabled and is_debuntu
+
+#- name: Stop OpenVPN tunnel immediately
+# shell: systemctl stop openvpn@xscenet.service
+# ignore_errors: True
+# when: not openvpn_enabled and not installing
diff --git a/roles/remoteit/tasks/install.yml b/roles/remoteit/tasks/install.yml
new file mode 100644
index 000000000..b48f276ca
--- /dev/null
+++ b/roles/remoteit/tasks/install.yml
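Review bot: Every task in the new roles/remoteit/tasks/enable-or-disable.yml manages the `openvpn` unit or the `openvpn@xscenet` crontab line and is gated on `openvpn_enabled` / `openvpn_cron_enabled`; nothing in the file reads `remoteit_enabled`. Since roles/remoteit/tasks/main.yml includes this file unconditionally, running the remoteit role restarts or stops the OpenVPN tunnel as a side effect. `remoteit_enabled: False` also does nothing to keep the remote.it agent off if the installed package starts a service of its own (not visible here, but common for a .deb that ships one). The file should be reduced to a pair of tasks keyed on `remoteit_enabled`, with the OpenVPN history comments dropped; the unit name below is a labelled placeholder to be filled in from the package.

```yaml
# Placeholder: replace REMOTEIT_UNIT_PLACEHOLDER with the unit the .deb installs.
- name: Enable & start the remote.it service
  systemd:
    name: REMOTEIT_UNIT_PLACEHOLDER
    daemon_reload: yes
    enabled: yes
    state: started
  when: remoteit_enabled

- name: Disable & stop the remote.it service
  systemd:
    name: REMOTEIT_UNIT_PLACEHOLDER
    enabled: no
    state: stopped
  when: not remoteit_enabled
```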
@@ -0,0 +1,22 @@
+- name: Download the command line interface for this device
+ get_url:
+ url: '{{ remoteit_cli_url }}'
+ dest: /usr/bin/
+ mode: 0755
+
+- name: Install the device package
+ apt:
+ deb: '{{ remoteit_device_url }}'
+ state: present
+
+# RECORD remoteit AS INSTALLED
+
+- name: "Set 'openvpn_installed: True'"
+ set_fact:
+ remoteit_installed: True
+
+- name: "Add 'remoteit_installed: True' to {{ iiab_state_file }}"
+ lineinfile:
+ path: "{{ iiab_state_file }}" # /etc/iiab/iiab_state.yml
+ regexp: '^remoteit_installed'
+ line: 'remoteit_installed: True'
diff --git a/roles/remoteit/tasks/main.yml b/roles/remoteit/tasks/main.yml
new file mode 100644
index 000000000..5d1443d35
--- /dev/null
+++ b/roles/remoteit/tasks/main.yml
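Review bot: The `get_url` task writes an unverified download into /usr/bin with mode 0755, and the `apt: deb:` task installs a package straight from a URL, so the integrity of both rests on TLS to the vendor host alone. Adding `checksum: "sha256:{{ remoteit_cli_sha256 }}"` to `get_url` (a new variable holding the published digest), and fetching the .deb with `get_url` plus a checksum before handing the local path to `apt: deb:`, would close that gap. Because `dest: /usr/bin/` is a directory, the file keeps the URL's basename (`remoteit_linux_armv7`); a full path such as `dest: /usr/bin/remoteit` and a quoted `mode: '0755'` would be clearer. The task named "Set 'openvpn_installed: True'" actually sets `remoteit_installed` and should be renamed to match.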
@@ -0,0 +1,37 @@
+- name: Assert that "remoteit_install is sameas true" (boolean not string etc)
+ assert:
+ that: remoteit_install is sameas true
+ fail_msg: "PLEASE SET 'remoteit_install: True' e.g. IN: /etc/iiab/local_vars.yml"
+ quiet: yes
+
+- name: Assert that "remoteit_enabled | type_debug == 'bool'" (boolean not string etc)
+ assert:
+ that: remoteit_enabled | type_debug == 'bool'
+ fail_msg: "PLEASE GIVE VARIABLE 'remoteit_enabled' A PROPER (UNQUOTED) ANSIBLE BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
+ quiet: yes
+
+
+- name: Install remoteit if 'remoteit_installed' not defined, e.g. in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml
+ include_tasks: install.yml
+ when: remoteit_installed is undefined
+
+
+- include_tasks: enable-or-disable.yml
+
+
+- name: Add 'remoteit' variable values to {{ iiab_ini_file }}
+ ini_file:
+ path: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini
+ section: remoteit
+ option: "{{ item.option }}"
+ value: "{{ item.value | string }}"
+ with_items:
+ - option: name
+ value: Remote It
+ - option: description
+ value: '"remote.it allows you to make secure remote connections between two computers. Some of the benefits include:
+Crossing multiple NATs/firewallsUsing a single TCP portportforwardless: without requiring port forwarding in the router, significantly reducing your network''s vulnerability."'
+ - option: remoteit_install
+ value: "{{ remoteit_install }}"
+ - option: remoteit_enabled
+ value: "{{ remoteit_enabled }}"
diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml
index 613adeb3e..73f208f4f 100644
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@@ -109,6 +109,10 @@ dns_jail_enabled: False sshd_install: True # Required by OpenVPN sshd_enabled: True +# Remote.it allows you to make secure remote connections between two computers. +remoteit_install: True +remoteit_enabled: False + # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security openvpn_install: True openvpn_enabled: False
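Review bot: The `description` item under `with_items` in roles/remoteit/tasks/main.yml is a single-quoted scalar wrapping a second, double-quoted string, and it continues on a line that starts at column 0 (`Crossing multiple ...`) with pasted words run together ("firewallsUsing", "portportforwardless"). Whether it loads depends on the YAML parser tolerating the unindented continuation, and the literal double quotes would be written into the ini file as part of the value. A folded scalar, `value: >-` followed by one indented sentence without the inner quotes, would be unambiguous. The `- include_tasks: enable-or-disable.yml` entry is the only task in this hunk without a `name:`.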
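Review bot: `remoteit_install: True` in vars/local_vars_big.yml makes every build from this file download and install a third-party remote-access agent by default, and the same default is added in local_vars_medium.yml, local_vars_min.yml and local_vars_unittest.yml. No task in this commit's remoteit role acts on `remoteit_enabled`, so `remoteit_enabled: False` does not show that the agent stays off after installation; defaulting to `remoteit_install: False` until the role can enforce the disabled state is the safer choice. The new comment could also carry the same `# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security` pointer that the OpenVPN stanza directly below it has.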
diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml
index b387932a0..9fccd8f3d 100644
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@@ -109,6 +109,10 @@ dns_jail_enabled: False sshd_install: True # Required by OpenVPN sshd_enabled: True +# Remote.it allows you to make secure remote connections between two computers. +remoteit_install: True +remoteit_enabled: False + # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security openvpn_install: True openvpn_enabled: False
diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml
index c731654ec..ca887495d 100644
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@@ -109,6 +109,10 @@ dns_jail_enabled: False sshd_install: True # Required by OpenVPN sshd_enabled: True +# Remote.it allows you to make secure remote connections between two computers. +remoteit_install: True +remoteit_enabled: False + # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security openvpn_install: True openvpn_enabled: False
diff --git a/vars/local_vars_unittest.yml b/vars/local_vars_unittest.yml
index 2be5f8aae..1ba2fb4bb 100644
--- a/vars/local_vars_unittest.yml
+++ b/vars/local_vars_unittest.yml
@@ -109,6 +109,10 @@ dns_jail_enabled: False sshd_install: True # Required by OpenVPN sshd_enabled: True +# Remote.it allows you to make secure remote connections between two computers. +remoteit_install: True +remoteit_enabled: False + # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security openvpn_install: True openvpn_enabled: True