Introduce roles/tailscale w/ /usr/bin/iiab-vpn etc

roles/0-DEPRECATED-ROLES/openvpn/defaults/main.yml

@@ -0,0 +1,19 @@
+# SECURITY WARNING: https://wiki.iiab.io/go/Security
+
+# openvpn_install: True
+# openvpn_enabled: False
+
+# Empty string on purpose since ~2016, for /etc/iiab/uuid
+# SEE https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/main.yml#L5-L20
+# openvpn_handle: ""
+
+# cron seems necessary on CentOS:
+# openvpn_cron_enabled: False
+
+# openvpn_server: xscenet.net
+# openvpn_server_real_ip: 3.89.148.185
+# openvpn_server_virtual_ip: 10.8.0.1
+# openvpn_server_port: 1194
+
+# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
+# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!

roles/0-DEPRECATED-ROLES/openvpn/tasks/enable-or-disable.yml

@@ -0,0 +1,80 @@
+# FIXED SOMETIME PRIOR TO AUGUST 2018: earlier versions of Ansible had not
+# been working with systemd service names that contained the "@" character.
+
+#- name: Enable the OpenVPN tunnel at boot time (debuntu)
+#  shell: systemctl enable openvpn@xscenet.service
+#  when: openvpn_enabled and not stat.exists is defined and is_debuntu
+
+#- name: Enable the OpenVPN tunnel at boot time (debuntu)
+#  shell: update-rc.d openvpn enable
+#  when: openvpn_enabled and not stat.exists is defined and is_debuntu
+
+#- name: Start the OpenVPN tunnel now
+#  shell: systemctl start openvpn@xscenet.service
+#  when: openvpn_enabled and not stat.exists is defined and not installing
+
+# AUGUST 2018: Unexplainably, stanza below had to be placed underneath ANY
+# "lineinfile: ... state: absent" stanza to make openvpn_handle propagate
+# properly to xscenet.net (monitoring ncat's erroneous handle parameter by
+# observing "systemctl status openvpn@xscenet" helped trace the [primary?]
+# bug to roles/openvpn/templates/announcer [far better now if not perfect?])
+# Earlier "./runrole openvpn" had to be run twice to transmit
+# /etc/iiab/openvpn_handle to xscenet.net -- and
+# "systemctl restart openvpn@xscenet" was failing completely (no matter how
+# many times it was run) to transmit /etc/iiab/openvpn_handle to xscenet.net
+
+# 2018-09-02: OpenVPN had been starting tunnels by accident after reboot,
+# with new IIAB installs.  Fix below (https://github.com/iiab/iiab/pull/1079)
+# changes most all instances below from CHILD service "openvpn@xscenet" to
+# PARENT service "openpvn".  See these critical files to understand why:
+#
+#    /etc/default/openvpn               implies AUTOSTART="all"
+#    /etc/init.d/openvpn                has AUTOSTART="all"
+#    /etc/openvpn/xscenet.conf          our VPN connection
+#    /etc/network/if-up.d/openvpn       appears to auto-start xscenet.conf
+#    /lib/systemd/systemd-sysv-install  sets /etc/rc*.d/S|K01openvpn
+#                                       e.g. when "systemctl enable openvpn"
+
+- name: Enable & (Re)Start PARENT 'openvpn' system service, which (re)starts CHILD service 'openvpn@xscenet' (& actual tunnel)
+  systemd:
+    name: openvpn
+    daemon_reload: yes
+    enabled: yes
+    state: restarted    # 2018-09-02: Should we be concerned that "systemctl status openvpn" often shows "active (exited)" ?  If so we might consider "state: started" or "state: reloaded" instead?
+  when: openvpn_enabled
+
+- name: Enable hourly cron job for OpenVPN (starts CHILD service openvpn@xscenet, typically for CentOS only?)
+  lineinfile:
+    path: /etc/crontab
+    # CONSIDER "restart" not just "start" if something stronger is confirmed needed?
+    line: "25 *  *  *  * root (/usr/bin/systemctl start openvpn@xscenet.service) > /dev/null"
+  when: openvpn_enabled and openvpn_cron_enabled
+
+- name: Remove hourly cron job for OpenVPN (typically for CentOS only?)
+  lineinfile:
+    path: /etc/crontab
+    regexp: "openvpn@xscenet"
+    # Potentially DANGEROUS as others use systemctl too:
+    #regexp: ".*/usr/bin/systemctl*"
+    state: absent
+  when: not openvpn_enabled or not openvpn_cron_enabled
+
+- name: Disable & Stop PARENT 'openvpn' system service, which stops CHILD service 'openvpn@xscenet' (& actual tunnel)
+  systemd:
+    name: openvpn
+    enabled: no
+    state: stopped
+  when: not openvpn_enabled
+
+#- name: Stop starting the OpenVPN tunnel at boot time (not debuntu)    
+#  shell: systemctl disable openvpn@xscenet.service
+#  when: not openvpn_enabled and not is_debuntu
+
+#- name: Stop starting the OpenVPN tunnel at boot time (debuntu)
+#  shell: update-rc.d openvpn disable
+#  when: not openvpn_enabled and is_debuntu
+
+#- name: Stop OpenVPN tunnel immediately
+#  shell: systemctl stop openvpn@xscenet.service
+#  ignore_errors: True
+#  when: not openvpn_enabled and not installing

roles/0-DEPRECATED-ROLES/openvpn/tasks/install.yml

@@ -0,0 +1,127 @@
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
+- name: "Install packages: ncat, nmap, openvpn, sudo"
+  package:
+    name:
+      - ncat    # Newer versions of NMap do not include NCat, needed to announce openvpn_handle (if Debian > 9 or Ubuntu > 18)
+      - nmap
+      - openvpn
+      - sudo    # (1) Should be installed prior to installing IIAB, (2) Can also be installed by 1-prep here, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)
+    state: present
+
+- name: Install ssh public keys for remote support (if openvpn_install)
+  lineinfile:
+    line: "{{ item.pubkey }}"
+    regexp: "{{ item.regexp }}"
+    path: /root/.ssh/authorized_keys
+  with_items:
+    - regexp: "LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s=$" # Tim Moody
+      pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAhlQIh8ZPx4awdM0O6QNcPbx3qIZ39FHjF2YJ2SX3z7iLnYiz03Ek6Bux9P4HvaVAqlApiz2I68Vq8TfU2s/+LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s="
+    - regexp: "tUM4hl009fbXY4Yy3bAadWL1CquVrZmKfBBWhyhz8zLD6TQ== ghunt@ip-192-168-123-123.ec2.internal$"
+      pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxAmjU7VojyK+0Pjp2p8CCGTNBtE565A/L8IVbAT8MIucRE9LN1g5LjGnOHUShFJpwuTR1JLX2r9EDRMsf9MmyTgUAnuyP005giWVHXLPtjyjTzbsJ1DEtXRytulmF+GlCOaqPWNde6EOmReqPHbmjIQpRZ/Sc8hziS4jVSQuBA9EhaBmZ62CPqK33mPJvnpwMtdd6nHXAcXsZhStd3NhVDm27+B3sHI6mr2w7ExdBXE5DKiZL2po8n2y4hJYZreJopbjcQmv4oWdDWvPu5I92xDgYCsqcE7zSrv1um+tUM4hl009fbXY4Yy3bAadWL1CquVrZmKfBBWhyhz8zLD6TQ== ghunt@ip-192-168-123-123.ec2.internal"
+    - regexp: "heOMXXNU6skxdPh2fcHh0bzQcaCSQ== holt@crank$"
+      pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApHPly+EA1M4bispl3AulTLjyYCjcJzh6s779K3epDkqh600a+fHsdIiddWCAfIonRq+9MJyOiaNQ+WYLOuajI1IiFZWFt45xDAiyCUnyuT+ytAX+IA3TgTwgTZPfzDOzI8rDRV9Sgl+LZLfPno7T3qxcGx2l51bRk+koRK+Txpph//M3jGvsFmTKhjvfxgEIUmMH9SkASxEdyqASr0+/+uLR92MnT+8CT1pOYYoJyZp9Lta5eGqJvbEmd3Dn7MXqD3vXE57o4rBJ0bR3q5LK59WVNxNQbulJ9z5V7aTJ4AbBFQWxm0fH0gBx+heOMXXNU6skxdPh2fcHh0bzQcaCSQ== holt@crank"
+
+# CLARIF: plus signs (+) in public keys cause duplicate key additions (above)
+# and failure during removal (below) as "+" has a special meaning as
+# interpreted in a Python regexp, as implemented by Ansible's lineinfile module:
+# https://docs.python.org/2/library/re.html
+
+# WORKAROUND: the tail end of each public key (after the last plus sign) is
+# being used (instead of the full key) as an abbreviated regexp for now.
+# A backslash in front of each plus sign (+) would also work.
+
+# - name: Remove those ssh public keys, if not openvpn_enabled
+#   lineinfile:
+#     regexp: "{{ item }}"
+#     path: /root/.ssh/authorized_keys
+#     state: absent
+#   with_items:
+#     - "LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s=$"
+#     - "tUM4hl009fbXY4Yy3bAadWL1CquVrZmKfBBWhyhz8zLD6TQ== ghunt@ip-192-168-123-123.ec2.internal$"
+#     - "heOMXXNU6skxdPh2fcHh0bzQcaCSQ== holt@crank$"
+#   when: not openvpn_enabled
+
+- name: 'Create dirs: /etc/openvpn/keys, /etc/openvpn/scripts'
+  file:
+    path: "{{ item }}"
+    state: directory
+  with_items:
+    - /etc/openvpn/keys
+    - /etc/openvpn/scripts
+
+- name: Configure OpenVPN (BACKS UP FILES IF CHANGED)
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode }}"
+    backup: yes
+  with_items:
+    - { src: 'ca.crt', dest: '/etc/openvpn/keys/', mode: '0644' }
+    - { src: 'client1.crt', dest: '/etc/openvpn/keys/', mode: '0644' }
+    - { src: 'client1.key', dest: '/etc/openvpn/keys/', mode: '0600' }
+    - { src: 'announce', dest: '/etc/openvpn/scripts/', mode: '0755' }
+    - { src: 'announcer', dest: '/etc/openvpn/scripts/', mode: '0755' }
+    - { src: 'silence', dest: '/etc/openvpn/scripts/', mode: '0755' }
+    - { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' }
+    # - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }    # 2021-08-18 SSOT: Please instead set it in /etc/iiab/local_vars.yml
+    - { src: 'iiab-support', dest: '/usr/bin/', mode: '0755' }
+    - { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' }
+    - { src: 'iiab-remote-off', dest: '/usr/bin/', mode: '0755' }
+
+# - name: Copy /opt/iiab/iiab/iiab-support to /usr/bin/iiab-support, in case git tree deleted e.g. on a smaller IIAB install
+#   copy:
+#     src: "{{ iiab_dir }}/iiab-support"
+#     dest: /usr/bin/
+#     mode: '0755'
+
+- name: Symlink /usr/bin/iiab-support-on -> /usr/bin/iiab-support
+  file:
+    src: /usr/bin/iiab-support
+    path: /usr/bin/iiab-support-on
+    state: link
+
+- name: Symlink /usr/bin/iiab-support-off -> /usr/bin/iiab-remote-off
+  file:
+    src: /usr/bin/iiab-remote-off
+    path: /usr/bin/iiab-support-off
+    state: link
+
+- name: Symlink /usr/bin/iiab-vpn-on -> /usr/bin/iiab-remote-on
+  file:
+    src: /usr/bin/iiab-remote-on
+    path: /usr/bin/iiab-vpn-on
+    state: link
+
+- name: Symlink /usr/bin/iiab-vpn-off -> /usr/bin/iiab-remote-off
+  file:
+    src: /usr/bin/iiab-remote-off
+    path: /usr/bin/iiab-vpn-off
+    state: link
+
+
+# RECORD OpenVPN AS INSTALLED
+
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'openvpn_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: openvpn
+    option: openvpn_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
+- name: "Set 'openvpn_installed: True'"
+  set_fact:
+    openvpn_installed: True
+
+- name: "Add 'openvpn_installed: True' to {{ iiab_state_file }}"
+  lineinfile:
+    path: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
+    regexp: '^openvpn_installed'
+    line: 'openvpn_installed: True'

roles/0-DEPRECATED-ROLES/openvpn/tasks/main.yml

@@ -0,0 +1,76 @@
+# Run 'sudo iiab-support' to turn on OpenVPN without hassle.  GENERAL TIPS:
+# http://FAQ.IIAB.IO -> "How can I remotely manage my Internet-in-a-Box?"
+
+
+# AUGUST 2018 - AUGUST 2021
+
+# (1) openvpn_handle could no longer be left undefined OR null
+# (two different concepts in Ansible, see /opt/iiab/iiab/test.yml)
+
+# 2021-08-19 UPDATE: the /usr/bin/iiab-support command can now handle almost
+# any /etc/iiab/local_vars.yml (PR #2957) making it all much more resilient!
+
+# (2) openvpn_handle: "" (EMPTY STRING) IS HOWEVER TOLERATED -- in which case
+# the OpenVPN server instead tries to use the 1st 6 chars of /etc/iiab/uuid
+
+# (3) Finally if there's no client UUID (/etc/iiab/uuid) -- the OpenVPN server
+# falls back to labelling that machine as generic: "client1's certificate"
+
+# SEE ALSO /etc/openvpn/scripts/announcer & /usr/bin/iiab-support from:
+# https://github.com/iiab/iiab/tree/master/roles/openvpn/templates
+
+
+# "How do i fail a task in Ansible if the variable contains a boolean value?
+# I want to perform input validation for Ansible playbooks"
+# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499
+
+# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
+# to re-check whether vars are defined here.  As Ansible vars cannot be unset:
+# https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible
+
+- name: Assert that "openvpn_install is sameas true" (boolean not string etc)
+  assert:
+    that: openvpn_install is sameas true
+    fail_msg: "PLEASE SET 'openvpn_install: True' e.g. IN: /etc/iiab/local_vars.yml"
+    quiet: yes
+
+- name: Assert that "openvpn_enabled | type_debug == 'bool'" (boolean not string etc)
+  assert:
+    that: openvpn_enabled | type_debug == 'bool'
+    fail_msg: "PLEASE GIVE VARIABLE 'openvpn_enabled' A PROPER (UNQUOTED) ANSIBLE BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
+    quiet: yes
+
+
+- name: Install OpenVPN if 'openvpn_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+  include_tasks: install.yml
+  when: openvpn_installed is undefined
+
+
+- include_tasks: enable-or-disable.yml
+
+
+- name: Add 'openvpn' variable values to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: openvpn
+    option: "{{ item.option }}"
+    value: "{{ item.value | string }}"
+  with_items:
+    - option: name
+      value: OpenVPN
+    - option: description
+      value: '"OpenVPN enables live/remote support by connecting machines anywhere on the Internet, via a middleman server, using Virtual Private Network (VPN) techniques to create secure connections."'
+    - option: openvpn_install
+      value: "{{ openvpn_install }}"
+    - option: openvpn_enabled
+      value: "{{ openvpn_enabled }}"
+    - option: openvpn_handle
+      value: "{{ openvpn_handle }}"
+    - option: openvpn_cron_enabled
+      value: "{{ openvpn_cron_enabled }}"
+    - option: openvpn_server
+      value: "{{ openvpn_server }}"
+    - option: openvpn_server_virtual_ip
+      value: "{{ openvpn_server_virtual_ip }}"
+    - option: openvpn_server_port
+      value: "{{ openvpn_server_port }}"

roles/0-DEPRECATED-ROLES/openvpn/templates/15-openvpn.unused

@@ -0,0 +1,34 @@
+#!/bin/bash
+# Not used as of August 2018: parent service "openvpn" reliably auto-starts child service "openpn@xscenet" on OS's in common use
+# But could be revived for older CentOS etc?
+
+export LC_ALL=C
+
+#INTERFACE=$1 # The interface which is brought up or down
+#STATUS=$2 # The new state of the interface
+
+# whenever interface is brought up by NM (rhbz #565921)
+if [ "$2" = "up" ]; then
+    # wait a few seconds to allow interface startup to complete
+    # (important at boot time without this the service still fails
+    # time-out for dispatcher script is 3s (rhbz#1003695#8)
+    sleep 2
+    /sbin/ip route list dev "$1" | grep -q '^default' &&
+    # restart the services
+    #systemctl -q is-enabled openvpn@xscenet.service && /usr/lib/iiab/up_wan
+    # EQUIVALENTLY:
+    systemctl is-enabled openvpn && pgrep openvpn && systemctl start openvpn@xscenet
+    # OR EQUIVALENTLY:
+    # systemctl is-enabled openvpn && systemctl is-active openvpn && systemctl start openvpn@xscenet
+fi
+
+# we added this to prevent logs from filling with openvpn errors
+#  but we do not expect openvpn to be on in that case
+#if [ "$2" = "down" ]; then
+#    sleep 2
+#    /sbin/ip route list dev "$1" | grep -q '^default' ||
+    # stop the services
+#    systemctl -q is-enabled openvpn@xscenet.service && systemctl stop openvpn@xscenet.service
+#fi
+
+exit 0

roles/0-DEPRECATED-ROLES/openvpn/templates/announce

@@ -0,0 +1,5 @@
+#!/bin/bash
+# Disconnect our worker from everything
+
+DIR=$(dirname $0)
+nohup $DIR/announcer 0<&- &>/dev/null & 

roles/0-DEPRECATED-ROLES/openvpn/templates/announcer

@@ -0,0 +1,74 @@
+#!/bin/bash -x
+# Small daemon to identify this machine to the OpenVPN server
+
+# SEE /usr/bin/iiab-support for local_vars.yml var extraction explanation
+
+# EMULATE ANSIBLE: but additionally Force Empty String Where Nec, e.g. whether
+# local_vars.yml sets openvpn_handle to "" (or worst case null, or not at all!)
+HANDLE=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
+
+# ALSO GO 1 STEP FURTHER THAN ANSIBLE: convert remaining spaces to underscores,
+# for OpenVPN server.  iiab-support emulates this, to help folks understand.
+HANDLE=${HANDLE// /_}    # Same as "s/ /_/g"
+
+# Likewise empty string is the worst case, e.g. if file doesn't exist.
+# If $HANDLE is "", OpenVPN server tries to use the 1st 6 chars of UUID,
+# e.g. e1a3d4 from e1a3d4e2-2d1a-4f37-9ba0-e836d7c8e3ca
+# SEE "AUGUST 2018 - AUGUST 2021" RECAP ON TOP OF: roles/openvpn/tasks/main.yml
+UUID=$(cat /etc/iiab/uuid)
+
+/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" &
+
+
+
+# 2021-08-18: Let's finally do it 3 years lster, simplifying from 4 places to 1
+# at long last.  Per SSOT (single source of truth).
+
+# #HANDLE=
+# #UUID=
+# #if [ -f /etc/iiab/openvpn_handle ]; then
+#     # Option #1: Source directly from /etc/iiab/local_vars.yml in future?
+#     # Option #2
+#     HANDLE=$(cat /etc/iiab/openvpn_handle)    # Sets to "" if file doesn't exist (error is ok!)
+
+# # Sourcing a variable from ~4 different places is a recipe for total confusion
+# # (or worse!)  Far better to make variable openvpn_handle and file
+# # /etc/iiab/openvpn_handle "obligatory" (EMPTY STRING "" IS TOLERATED, IN WHICH
+# # CASE OPENVPN SERVER TRIES TO USE /etc/iiab/uuid BELOW, IN LIEU OF HANDLE...)
+
+# # CLARIF: "systemctl restart openvpn" still works tolerably even if the above
+# # is defied, auto-starting child service openvpn@xscenet per usual
+# # (e.g. if /etc/iiab/openvpn_handle is deleted by accident!)
+
+# #else
+# #    # Option #3: Dangerous to invoke hypothetical variables :(
+# #    source {{ iiab_env_file }}
+# #    # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from {{ iiab_ini_file }}, but safer now that relegated to #4 ?
+# #    if [ -z "$HANDLE" ]; then
+# #        HANDLE=`cat {{ iiab_ini_file }} | gawk \
+# #        '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'`
+# #    fi
+# #fi
+# HANDLE=${HANDLE// /_}    # Change all spaces to underscores
+# #if [ -f /etc/iiab/uuid ]; then
+#     UUID=$(cat /etc/iiab/uuid)    # Sets to "" if file doesn't exist (error is ok!)
+# #fi
+
+# SERVER=/usr/bin/ncat
+# #ID=$(printf "HANDLE = %s|UUID = %s" $HANDLE $UUID)
+# #ID=$(echo "HANDLE = ${HANDLE}|UUID = ${UUID}")
+# ID=$(echo "HANDLE = $HANDLE|UUID = $UUID")
+# # August 2018: Removal of trailing '|' tested on Raspbian, Ubuntu 18.04 & Ubuntu 16.04
+# #ID=`printf "HANDLE = %s|UUID = %s|" $HANDLE $UUID`
+
+# # Start the daemon which will serve the handle on demand
+# {% if is_debuntu %}
+# $SERVER -l -k -p1705 --exec "/bin/echo $ID" &
+# # 2020-11-23: USE 1 LINE INSTEAD OF 9 LINES, IF WE MANDATE debuntu:
+# #/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" &
+# {% else %}
+# source /etc/init.d/functions
+# PID_FILE=/var/run/openvpn/announce.pid
+# daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $ID\"" &
+# #daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $(printf 'HANDLE = %s|UUID = %s' $HANDLE $UUID)\"" &
+# {% endif %}

roles/0-DEPRECATED-ROLES/openvpn/templates/ca.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE+jCCA+KgAwIBAgIJANTpdrUZJByXMA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCTlkxFDASBgNVBAcTC05ld1lvcmtDaXR5MRQwEgYD
+VQQKEwtVbmxlYXNoS2lkczEVMBMGA1UECxMMU2Nob29sU2VydmVyMRcwFQYDVQQD
+Ew5VbmxlYXNoS2lkcyBDQTEQMA4GA1UEKRMHRWFzeVJTQTEkMCIGCSqGSIb3DQEJ
+ARYVZ2Vvcmdlamh1bnRAZ21haWwuY29tMB4XDTE0MDYxMjA2NTMyNloXDTI0MDYw
+OTA2NTMyNlowga4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTEUMBIGA1UEBxML
+TmV3WW9ya0NpdHkxFDASBgNVBAoTC1VubGVhc2hLaWRzMRUwEwYDVQQLEwxTY2hv
+b2xTZXJ2ZXIxFzAVBgNVBAMTDlVubGVhc2hLaWRzIENBMRAwDgYDVQQpEwdFYXN5
+UlNBMSQwIgYJKoZIhvcNAQkBFhVnZW9yZ2VqaHVudEBnbWFpbC5jb20wggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0uD76v+a7kKtwF08tTpA52Pc+NFsF
+aErL3tcb3uQy27eB4naT/IV3YRCeIBmP5Wsx5znM9R7TpjITjfB/BVBGkF2/ffBl
+M6iOukCi1YFypQn33ygwzLDyfjy7iO4g6xvDwPI/gPzO6rLoOohaE77wolfUvMWQ
+bI1aEqh8k/M/WJqCeq8SgmtCh28zoc6aWIcgcX9+YLdhSHELxn0eMo8fKi17Wz/v
+7yupyLmks2M4+LZfCmY1wU9id8KrhEbXmoMcU2PoZYJxnml+gbQJbBCYwZ7lq1wY
+2e6XjssMFeecQoTyiA1osqoSlKx76deYn0cQw4rDAOEGyk8WFHZjsrZ5AgMBAAGj
+ggEXMIIBEzAdBgNVHQ4EFgQUvQz5dfEcqP4Wcvvkp7MswZGK9E0wgeMGA1UdIwSB
+2zCB2IAUvQz5dfEcqP4Wcvvkp7MswZGK9E2hgbSkgbEwga4xCzAJBgNVBAYTAlVT
+MQswCQYDVQQIEwJOWTEUMBIGA1UEBxMLTmV3WW9ya0NpdHkxFDASBgNVBAoTC1Vu
+bGVhc2hLaWRzMRUwEwYDVQQLEwxTY2hvb2xTZXJ2ZXIxFzAVBgNVBAMTDlVubGVh
+c2hLaWRzIENBMRAwDgYDVQQpEwdFYXN5UlNBMSQwIgYJKoZIhvcNAQkBFhVnZW9y
+Z2VqaHVudEBnbWFpbC5jb22CCQDU6Xa1GSQclzAMBgNVHRMEBTADAQH/MA0GCSqG
+SIb3DQEBCwUAA4IBAQChBTaO3RPfk67LJpF1NhG4DQSb6dZxvNin+0CiYluJkUN8
+AfHKqg1T7GuzxdDxA6J8F6Kk3ORLm90qNg1XjpUl++1PtgHaY8zboCmdLlqqboDE
+WBGBM4muQ7Hr7dorzRe7eYqydHA8tEeg5/6c9TU3Yl4YaHPIn0XJrrUKHYPvmEMv
+f11ip0PqzA6CYUfsYkozN1PShckOcs/Dk+r4o9cheVasEHVUott7ya5FFlNcP//I
+RYAfqbygPCQ3TbYrXri+fXkAljsywIVshM/HWyMWVBulXyF+Ko1UyTCyk+MZfNpq
+vPhW9Y+9BMGjd1j/9PO5JQU1hm/BSh/VayW63q1k
+-----END CERTIFICATE-----

roles/0-DEPRECATED-ROLES/openvpn/templates/client1.crt

@@ -0,0 +1,95 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=NY, L=NewYorkCity, O=UnleashKids, OU=SchoolServer, CN=UnleashKids CA/name=EasyRSA/emailAddress=georgejhunt@gmail.com
+        Validity
+            Not Before: Jun 12 06:56:55 2014 GMT
+            Not After : Jun  9 06:56:55 2024 GMT
+        Subject: C=US, ST=NY, L=NewYorkCity, O=UnleashKids, OU=SchoolServer, CN=client1/name=EasyRSA/emailAddress=georgejhunt@gmail.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ac:5e:07:83:14:aa:2e:c6:db:65:9b:28:f2:50:
+                    67:95:2e:6f:25:85:c8:52:87:03:7e:5a:5d:31:f3:
+                    9e:95:8b:41:bc:72:01:67:6a:56:34:ab:c9:e0:cc:
+                    e5:14:f1:ad:34:56:89:b7:5d:c3:5c:2f:31:46:e1:
+                    0f:fd:da:5e:8b:0c:6e:9b:28:40:9d:aa:fd:d9:05:
+                    d6:2a:62:db:d3:03:a8:76:ac:d9:78:03:c8:71:a9:
+                    7e:1e:fd:8b:9b:81:cd:cd:ea:3c:30:19:a1:76:ba:
+                    bd:1e:08:0f:95:73:7b:ba:30:28:af:37:f0:99:f0:
+                    e5:8e:e9:c1:dd:10:4d:56:f9:5c:38:12:5f:90:63:
+                    5e:19:a0:c1:4d:b6:4e:86:0d:93:6a:ff:40:1b:4e:
+                    fa:51:f2:b0:71:c0:c7:ed:b1:fb:eb:b9:85:01:17:
+                    67:c5:bb:9d:2c:f3:9c:12:99:f6:74:5a:57:c6:a3:
+                    4a:df:0f:cf:5d:09:0c:84:ac:86:1e:82:50:f3:6d:
+                    28:f0:b7:0f:d6:53:41:7a:c8:94:82:c1:a3:56:4f:
+                    eb:08:76:ee:ca:91:52:05:9d:d3:1e:d6:0d:ec:3f:
+                    66:de:ab:0b:a3:03:c2:60:14:b0:83:42:ec:08:dd:
+                    94:7a:ac:13:f9:ac:88:57:be:66:3d:5b:b6:f7:24:
+                    52:79
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                38:23:D3:DB:02:EE:7B:B4:C7:C3:87:AF:5C:C0:19:99:99:0D:BF:58
+            X509v3 Authority Key Identifier: 
+                keyid:BD:0C:F9:75:F1:1C:A8:FE:16:72:FB:E4:A7:B3:2C:C1:91:8A:F4:4D
+                DirName:/C=US/ST=NY/L=NewYorkCity/O=UnleashKids/OU=SchoolServer/CN=UnleashKids CA/name=EasyRSA/emailAddress=georgejhunt@gmail.com
+                serial:D4:E9:76:B5:19:24:1C:97
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha256WithRSAEncryption
+         23:00:c2:e2:a3:89:be:c4:34:ed:cf:33:0e:c4:42:de:49:be:
+         21:e1:4b:49:8f:ad:ed:e8:bd:e2:b9:94:79:9f:ec:0b:a1:f7:
+         66:2d:fe:c1:33:f0:be:ad:04:2a:cf:f4:e5:d1:ef:0b:e1:12:
+         e4:1b:e3:9f:6c:a3:5c:d3:76:8b:14:bf:b2:ff:c0:a1:26:df:
+         36:cf:44:54:51:8a:a5:bf:5e:12:5a:78:ab:2a:72:42:d1:3d:
+         d4:c4:e5:65:9f:b3:eb:47:90:55:9f:e4:00:28:46:69:f8:37:
+         5f:7c:35:b1:b0:2b:c0:d6:a7:98:3b:c7:4a:96:1d:22:a5:79:
+         c8:91:4e:2f:37:d5:58:52:07:4f:e1:e5:c2:7a:42:4f:f3:3b:
+         94:ee:08:84:4c:81:34:9a:c4:b5:27:59:12:48:92:5f:79:57:
+         b5:e3:35:f6:64:ee:9c:e6:3d:61:c4:06:5a:cf:4b:18:33:33:
+         78:d5:0b:15:e7:cd:cd:c4:07:f0:33:f1:78:54:c1:45:d3:4c:
+         fd:fb:a1:5b:f3:d1:ab:89:39:48:b7:aa:75:36:3c:89:1e:bc:
+         f1:40:84:4b:81:15:47:30:6d:ad:5a:b3:a2:4a:db:97:b0:d3:
+         59:99:8a:1b:79:49:e3:eb:32:90:65:9f:c3:ce:18:1b:7d:36:
+         8d:8b:0f:5b
+-----BEGIN CERTIFICATE-----
+MIIFOTCCBCGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBrjELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAk5ZMRQwEgYDVQQHEwtOZXdZb3JrQ2l0eTEUMBIGA1UEChMLVW5s
+ZWFzaEtpZHMxFTATBgNVBAsTDFNjaG9vbFNlcnZlcjEXMBUGA1UEAxMOVW5sZWFz
+aEtpZHMgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJDAiBgkqhkiG9w0BCQEWFWdlb3Jn
+ZWpodW50QGdtYWlsLmNvbTAeFw0xNDA2MTIwNjU2NTVaFw0yNDA2MDkwNjU2NTVa
+MIGnMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTlkxFDASBgNVBAcTC05ld1lvcmtD
+aXR5MRQwEgYDVQQKEwtVbmxlYXNoS2lkczEVMBMGA1UECxMMU2Nob29sU2VydmVy
+MRAwDgYDVQQDEwdjbGllbnQxMRAwDgYDVQQpEwdFYXN5UlNBMSQwIgYJKoZIhvcN
+AQkBFhVnZW9yZ2VqaHVudEBnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQCsXgeDFKouxttlmyjyUGeVLm8lhchShwN+Wl0x856Vi0G8cgFn
+alY0q8ngzOUU8a00Vom3XcNcLzFG4Q/92l6LDG6bKECdqv3ZBdYqYtvTA6h2rNl4
+A8hxqX4e/Yubgc3N6jwwGaF2ur0eCA+Vc3u6MCivN/CZ8OWO6cHdEE1W+Vw4El+Q
+Y14ZoMFNtk6GDZNq/0AbTvpR8rBxwMftsfvruYUBF2fFu50s85wSmfZ0WlfGo0rf
+D89dCQyErIYeglDzbSjwtw/WU0F6yJSCwaNWT+sIdu7KkVIFndMe1g3sP2beqwuj
+A8JgFLCDQuwI3ZR6rBP5rIhXvmY9W7b3JFJ5AgMBAAGjggFlMIIBYTAJBgNVHRME
+AjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNh
+dGUwHQYDVR0OBBYEFDgj09sC7nu0x8OHr1zAGZmZDb9YMIHjBgNVHSMEgdswgdiA
+FL0M+XXxHKj+FnL75KezLMGRivRNoYG0pIGxMIGuMQswCQYDVQQGEwJVUzELMAkG
+A1UECBMCTlkxFDASBgNVBAcTC05ld1lvcmtDaXR5MRQwEgYDVQQKEwtVbmxlYXNo
+S2lkczEVMBMGA1UECxMMU2Nob29sU2VydmVyMRcwFQYDVQQDEw5VbmxlYXNoS2lk
+cyBDQTEQMA4GA1UEKRMHRWFzeVJTQTEkMCIGCSqGSIb3DQEJARYVZ2Vvcmdlamh1
+bnRAZ21haWwuY29tggkA1Ol2tRkkHJcwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYD
+VR0PBAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQAjAMLio4m+xDTtzzMOxELeSb4h
+4UtJj63t6L3iuZR5n+wLofdmLf7BM/C+rQQqz/Tl0e8L4RLkG+OfbKNc03aLFL+y
+/8ChJt82z0RUUYqlv14SWnirKnJC0T3UxOVln7PrR5BVn+QAKEZp+DdffDWxsCvA
+1qeYO8dKlh0ipXnIkU4vN9VYUgdP4eXCekJP8zuU7giETIE0msS1J1kSSJJfeVe1
+4zX2ZO6c5j1hxAZaz0sYMzN41QsV583NxAfwM/F4VMFF00z9+6Fb89GriTlIt6p1
+NjyJHrzxQIRLgRVHMG2tWrOiStuXsNNZmYobeUnj6zKQZZ/DzhgbfTaNiw9b
+-----END CERTIFICATE-----

roles/0-DEPRECATED-ROLES/openvpn/templates/client1.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCsXgeDFKouxttl
+myjyUGeVLm8lhchShwN+Wl0x856Vi0G8cgFnalY0q8ngzOUU8a00Vom3XcNcLzFG
+4Q/92l6LDG6bKECdqv3ZBdYqYtvTA6h2rNl4A8hxqX4e/Yubgc3N6jwwGaF2ur0e
+CA+Vc3u6MCivN/CZ8OWO6cHdEE1W+Vw4El+QY14ZoMFNtk6GDZNq/0AbTvpR8rBx
+wMftsfvruYUBF2fFu50s85wSmfZ0WlfGo0rfD89dCQyErIYeglDzbSjwtw/WU0F6
+yJSCwaNWT+sIdu7KkVIFndMe1g3sP2beqwujA8JgFLCDQuwI3ZR6rBP5rIhXvmY9
+W7b3JFJ5AgMBAAECggEAQNF3V7a8rKyBMrtfcYgE+9ejWmPtygMVsD1BEJjBiRD+
+HmRs3LvjQRlc6FmEyBR+AtGMJlVvMspYaIQYJGkq5nU9XsGLUv9LSIJmYDge3EJi
+5oXnnbcmeH+5euPzzP3KK+YqzhfFXUWp+pIjchskawbTNdj+dJVfbhe/nGcV/l9X
+DZ/HupnOMzHbHdrYRlykjS49GQuyY7xNRwQUjSYqZXDCpz/7NGks6W+Wly5SEi9e
+E2PT5ww2GuH7EjWrJXkMdTkad24uhHozQduaAWPfjk51WF/NEAHQiRz0L/I9CGM7
+oNOvqrLdKUwGMq52JwS/oQ+kyhuEglltR13JUu74xQKBgQDhGwceYKEzWxra4JMQ
+oAgRBGh0e41jCmzaC1s2lrmAje/d0GA/QXfQ7LcbOvNOveiUacgdlGgFHxb7snIv
++yp4knpFWKyKZ6Eb4M1Z6zt7V38dwl1dwcJTILuM7usVkprHZmaIFkekv55eIQf0
+0U49caSWCc7axQzbAsSjG15Y5wKBgQDEBhGLuStPs/VYKX6hM24XdpaFvo6quGWI
+QGKZ9X9LrnHt/cy6d6aEb45918F7wgWbEnY9D6c6PTJgDhqpSd5NQY1Kxx70N/o6
+gCODVe2gb8TpalHPccvdCBUA7KIyC9aA6L2AmyhVjSuxXr5hNMRHQjWqey4PfKw1
+Y4F+3PGtnwKBgQDNsvQDV0uW8UaOAi+BPquAWWXWI1zkxw8HBN+Z94uVpJ4vNI3u
+37VMTjNYh7r0FmfkzvEVzpprK6jF4Z+kpsB9o2Rl4AzzAJVhM0CTTXhyUlcPa6AD
+393iNoQL2fsqIGidk75X1vwq2QsvesGZfnYfgaxjipzinrQLofDsF0NUuwKBgFkB
+HGRhzl2hK2w9YwbUsE8tBElz7ZlsooVMHrkjNApsCcTy8UtVWqFVedB/75U+0obH
+yjINcnPKJ55fqRFmve48LmheoxpmdFKtrfJLSNsJBNKq+LyFQfh5W/gQedDZeSsN
+AkZrrNOzhrxBdZXzfI+Sa4Wd6psTk6mmJb0xmvanAoGBAM85Vrohbtr5tbpXSY7O
+SM24Ue76E1x8loYKPKfCROJZyDaHPeIKwLznNeEhwQUGOZnw8dWUHfMWK+JG41ju
+4Hx8Af7RemWqMxunRlhHNONj94aDKCT9I4ZKTLk/PiS9JxBTDNNkGvHZzTBOvkLm
+k1yt5jfvk9Fa5Qtsp2Vbo5vb
+-----END PRIVATE KEY-----

roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-remote-off

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# /usr/bin/iiab-remote-off should fully turn off multiple remote support
+# services like OpenVPN and others, to reduce risk of remote attacks.
+
+# echo -e '\nWARNING: To disable OpenVPN long-term, it'"'"'s recommended you:\n'
+#
+# echo -e '1) Set this variable in /etc/iiab/local_vars.yml'
+# echo -e '   openvpn_enabled: False\n'
+#
+# echo -e '2) Run:'
+# echo -e '   cd /opt/iiab/iiab'
+# echo -e '   sudo ./runrole openvpn\n'
+
+# Do nothing if OpenVPN not installed
+which openvpn
+if [ $? -ne 0 ]; then
+    echo 'Cannot find the OpenVPN program (openvpn).'
+    exit 1
+fi
+
+if grep -q '^openvpn_enabled:' /etc/iiab/local_vars.yml; then
+    sed -i "s/^openvpn_enabled:.*/openvpn_enabled: False/" /etc/iiab/local_vars.yml
+else
+    echo "openvpn_enabled: False" >> /etc/iiab/local_vars.yml
+fi
+
+systemctl disable openvpn
+systemctl stop openvpn
+
+sleep 5
+ps -e | grep openvpn    # 2018-09-05: "ps -e | grep vpn" no longer works (nor would "pgrep vpn") when invoked from iiab-vpn-off (as filename itself causes [multiple] "vpn" instances to appear in process list!)
+if [ $? -eq 0 ]; then
+    echo "OpenVPN failed to stop."
+else
+    echo "OpenVPN's systemd service was successfully stopped and disabled."
+    echo
+    echo "Also, 'openvpn_enabled: False' was set in /etc/iiab/local_vars.yml"
+fi

roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-remote-on.j2

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# /usr/bin/iiab-remote-on should turn on multiple remote support services like
+# OpenVPN and others, for remote support, so they work even after reboot.
+
+echo -e "\n\n\e[44m                    CONSIDER RUNNING 'iiab-support' INSTEAD                     \e[0m\n\n"
+
+echo -e 'WARNING: To enable OpenVPN long-term, it'"'"'s recommended you:\n'
+
+echo -e '1) Set these variables in /etc/local/local_vars.yml'
+echo -e '   openvpn_install: True'
+echo -e '   openvpn_enabled: True'
+echo -e '   openvpn_handle: <descriptive-name-for-your-machine>\n'
+
+echo -e '2) Run:'
+echo -e '   cd /opt/iiab/iiab'
+echo -e '   sudo ./runrole openvpn\n'
+
+# Do nothing if OpenVPN not installed
+which openvpn
+if [ $? -ne 0 ]; then
+    echo 'Cannot find the OpenVPN program (openvpn).'
+    exit 1
+fi
+
+systemctl enable openvpn
+systemctl start openvpn
+
+sleep 5
+ping -c 2 {{ openvpn_server_virtual_ip }}    # 10.8.0.1
+if [ $? -eq 0 ]; then
+    echo OpenVPN successfully started.
+else
+    echo OpenVPN failed to contact remote server.
+fi

roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-support

@@ -0,0 +1,186 @@
+#!/bin/bash
+
+# Run 'sudo iiab-support' to turn on OpenVPN without hassle.  GENERAL TIPS:
+# http://FAQ.IIAB.IO -> "How can I remotely manage my Internet-in-a-Box?"
+
+# "AUGUST 2018 - AUGUST 2021" Technical Recap at the top of:
+# https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/main.yml
+
+DEBUG=false    # Using /usr/bin/true or /usr/bin/false
+PLAYBOOK="install-support.yml"
+INVENTORY="ansible_hosts"
+
+# 2023-02-25: bash scripts using default_vars.yml &/or local_vars.yml
+# https://github.com/iiab/iiab-factory/blob/master/iiab
+# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L10-14
+# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52
+# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L23-L39
+# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN
+
+# PARSE local_vars.yml JUST AS Ansible & /etc/openvpn/scripts/announcer DO:
+# (1) In case var's defined multiple times, 'tail 1' takes the last assignment.
+# (2) sed: Strip 'varname:\s' on left.
+# (3) sed: Strip '#comment' on right.
+# (4) sed: Strip any outer spacing.
+# (5) sed: Strip up-to-1 pair of matching outer quotes.
+
+# 'announcer' (from openvpn/templates) ALSO GOES ONE STEP FURTHER THAN ANSIBLE:
+# (6) Convert remaining spaces to underscores.
+
+# Steps (1) and (2) are Not Applicable with live/keyboard input.
+# Steps (3), (4) and (5) are Optional with live/keyboard input (here we do it!)
+# Step (6) is always required for OpenVPN here (file input or live/keyboard!)
+
+# NOTE Ansible vars can have non-string value null.  This is different from
+# undefined -- from Ansible's perspective -- SEE /opt/iiab/iiab/test.yml
+# BUT HERE IN BASH, we focus only on string values e.g. "" empty string if nec:
+# (a) WITH INPUT, we choose to ignore lines like "^var:$" that lack whitespace.
+#     Ansible would have assigned the null value.  We do not.  We force ""
+# (b) INPUT LINES "^var:\s\+$" (trailing whitespace) we force to empty string.
+#     Ansible would have assigned the null value.  We do not.  We force ""
+# (c) WITH *OUTPUT* we aggressively overwrite null var lines, including both
+#     "^var:$" (no trailing whitespace) and "^var:\s\+$" (trailing whitespace).
+
+echo -e "\e[0m"    # Turn off all ANSI/VT100 colors
+
+if [ -f /etc/iiab/openvpn_handle ]; then
+    echo -e "\n             \e[41;1mFYI /etc/iiab/openvpn_handle is no longer supported.\e[0m\n"
+    echo -e "             \e[41;1m/etc/iiab/local_vars.yml is now used instead (SSOT).\e[0m\n\n"
+fi
+
+# (1), (2), (3) and (4) for now -- then (5) and (6) further below
+handle=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//")
+
+if $($DEBUG); then
+    echo -e "/etc/iiab/local_vars.yml shows:\n"
+    grep "^openvpn_" /etc/iiab/local_vars.yml
+    echo
+    echo "Your OpenVPN machine name--direct from source: $handle"
+fi
+
+# Preview of steps (5) and (6)
+# echo -ne "\e[1mYour OpenVPN machine name is set to: \e[100m"
+echo -ne "Your OpenVPN machine name (openvpn_handle) is: \e[32m"
+echo -n "$handle" | sed "s/^\(['\"]\)\(.*\)\1$/\2/; s/ /_/g"    # Avoid '-e' interpreting backlash escapes, to show var accurately!  Double quote var to prevent field splitting (eats spaces)
+vpnip=$(ip a | grep tun0$ | awk '{print $2}')
+echo -e "\e[0m\nYour OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n"    # Separate line from above, also in case of trailing backslash in $handle
+
+echo -e "\e[1mPlease type a descriptive OpenVPN machine name (openvpn_handle) such as:\n"
+
+echo -e "                     cape-town-school-36-rpi-2021-09-01\n"
+
+echo -en "Or hit [Enter] to keep the existing name:\e[0m "
+read ans < /dev/tty    # Strips outer whitespace, whether we like it or not!
+
+if [ "$ans" = "" ]; then    # (A) Simple!  Writes to local_vars.yml a bit more often than nec.
+# if [ "$ans" = "" ] || [ "$ans" = "$handle" ]; then    # (B) Only write when nec?  Also works.
+# if ( [ "$ans" = "" ] || [ "$ans" = "$handle" ] ) && [ "$handle" != "" ]; then    # (C) Overkill.
+    echo -e "\n        \e[100mopenvpn_handle REMAINS UNCHANGED IN /etc/iiab/local_vars.yml\e[0m\n"
+else
+    if grep -q '^openvpn_handle:' /etc/iiab/local_vars.yml; then
+        sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml    # Beware if user insists on input "\\", error is "sed: -e expression #1, char 39: unterminated `s' command"
+    else
+        echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml
+    fi
+
+    echo -e "\n                     \e[7mSAVED TO: /etc/iiab/local_vars.yml\e[0m\n"
+
+    if $($DEBUG); then
+	echo -e "/etc/iiab/local_vars.yml shows:\n"
+	grep "^openvpn_" /etc/iiab/local_vars.yml
+	echo
+    fi
+
+    # NEXT 4 LINES AREN'T ESSENTIAL: but they allow user to type in a '# comment' for the right side of /etc/iiab/local_vars.yml
+
+    # (3) sed: Strip '# comment' on right, as Ansible would do.
+    ans=$(echo "$ans" | sed "s/#.*//")    # Double quote var to prevent field splitting (eats spaces)
+    # (4) sed: Strip any outer spacing, as Ansible would do.
+    ans=$(echo "$ans" | sed "s/^\s*//; s/\s*$//")    # Code Safety: lstrip not nec, given "read" command above, but one day $ans might arise from elsewhere
+
+    handle=$ans;    # For display at bottom
+fi
+
+if $($DEBUG); then
+    echo '$handle after (1)-(4), prior to (5)-(6):' "$handle"
+    echo
+fi
+
+# (5) sed: Strip up-to-1 pair of matching outer quotes, as Ansible would do.
+handle=$(echo "$handle" | sed "s/^\(['\"]\)\(.*\)\1$/\2/")
+# (6) Convert remaining spaces to underscores, just as /etc/openvpn/scripts/announcer does -- same as "s/ /_/g"
+handle=${handle// /_}
+
+if grep -q '^openvpn_installed:\s\+[tT]rue\b' /etc/iiab/iiab_state.yml; then
+    echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n"
+else
+    echo -e "Plz wait a few minutes as sshd & OpenVPN are confirmed/installed...\n"
+    if grep -q '^openvpn_install:' /etc/iiab/local_vars.yml; then
+        sed -i "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml
+    else
+        echo "openvpn_install: True" >> /etc/iiab/local_vars.yml
+    fi
+
+    if [ -d /opt/iiab/iiab ]; then
+        cd /opt/iiab/iiab
+        export ANSIBLE_LOG_PATH="/opt/iiab/iiab/iiab-install.log"
+        ansible -m setup -i $INVENTORY localhost --connection=local | grep python
+        ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local
+        # 2 roles (sshd & openvpn) faster than running all of "./runrole 1-prep"
+        echo
+    else
+        echo -e " \e[41;1m       Directory /opt/iiab/iiab does not exist: CANNOT INSTALL OPENVPN!       \e[0m\n"
+        exit 1
+    fi
+fi
+
+echo -e "Now let's (re)enable OpenVPN...\n"
+if grep -q '^openvpn_enabled:' /etc/iiab/local_vars.yml; then
+    sed -i "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml
+else
+    echo "openvpn_enabled: True" >> /etc/iiab/local_vars.yml
+fi
+systemctl enable openvpn
+
+echo -e "\nNow let's restart OpenVPN..."
+#systemctl start openvpn
+systemctl restart openvpn
+
+echo -en "\n      "
+for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+echo -en " OpenVPN TIPS "
+for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+
+echo -e "\n\n    1. Check your Internet connection: run 'ping 8.8.8.8' and 'ping mit.edu'"
+echo -e "    2. Check your OpenVPN connection: run 'ping 10.8.0.1'"
+echo -e "    3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x"
+echo -e "    4. If necessary, run 'systemctl restart openvpn' which should"
+echo -e "       run 'systemctl restart openvpn@xscenet' for you."
+echo -e "    5. SOMETIMES WAITING A MINUTE HELPS -- retry steps 2 and 3 to monitor."
+echo -e "    6. If in future you want to disable OpenVPN connections to-and-from your"
+echo -e "       Internet-in-a-Box (IIAB) please run 'iiab-support-off' at that time."
+echo -e "    7. Read 'How can I remotely manage my Internet-in-a-Box?' at"
+echo -e "       http://FAQ.IIAB.IO to learn about DIY remote support alternatives"
+echo -e "       like ngrok, remote.it, Dataplicity, WireGuard/Tailscale, TeamViewer.\n"
+
+echo -en "      "
+for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+echo -en " OpenVPN TIPS "
+for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+
+echo -e "\n\nNow let's wait 15 seconds, as OpenVPN handshake sometimes needs that (or more!)"
+sleep 15
+
+# echo -ne "\nYour OpenVPN machine name, per openpvn_handle: \e[32m"
+# echo -ne "\nYour OpenVPN machine name is set to..........: \e[32m"
+echo -ne "\nYour OpenVPN machine name (openvpn_handle) is: \e[32m"    # Actually step (6) above took it just beyond Ansible's (1)-(5) interpretation of openvpn_handle -- i.e. this line just provides a hint to users -- as to how /etc/openvpn/scripts/announcer converts their spaces to underscores when starting OpenVPN.
+echo -n "$handle"    # Avoid '-e' interpreting backlash escapes, to show var accurately!  Double quote var to prevent field splitting (eats spaces)
+echo -e "\e[0m"
+
+vpnip=$(ip a | grep tun0$ | awk '{print $2}')
+if [ "$vpnip" != "" ]; then
+    echo -e "Your OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n"
+else
+    echo -e "\n \e[41;1m       ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS        \e[0m\n"
+    exit 1
+fi

roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-support.older

@@ -0,0 +1,125 @@
+#!/bin/bash
+
+PLAYBOOK="install-support.yml"
+INVENTORY="ansible_hosts"
+
+# openvpn_handle is stored in 2 files on disk, one slightly stripped down (from
+# the other) due to Ansible.  So we emulate Ansible's behavior, when reading from
+# (and later writing to) disk, removing outer cruft as explained on Lines 31-33:
+handle1=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
+# 2021-08-17: bash scripts using default_vars.yml &/or local_vars.yml
+# https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97
+# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L12
+# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L47-L51
+# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34
+# https://github.com/iiab/iiab/blob/master/iiab-support READS AND WRITES, INCL NON-BOOLEAN (openvpn_handle)
+echo -e "\n/etc/iiab/local_vars.yml source/master copy: $handle1"
+if [ -f /etc/iiab/openvpn_handle ]; then
+    handle2=$(cat /etc/iiab/openvpn_handle)
+    echo -e "/etc/iiab/openvpn_handle for openvpn daemon: $handle2\n"
+else
+    echo -e "/etc/iiab/openvpn_handle for openvpn daemon: [FILE DOESN'T YET EXIST]\n"
+fi
+
+echo -e "\e[1mPlease type a descriptive OpenVPN machine name (openvpn_handle) such as:\n"
+
+echo -e "                     cape-town-school-36-rpi-2019-05-31\n"
+
+echo -en "Or hit [Enter] to keep the existing name:\e[0m "
+read ans < /dev/tty
+
+#if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -f /etc/iiab/openvpn_handle ] ); then
+# -v (below) checks if var's defined: equivalent to file existence test above
+if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -v handle2 ] ); then
+    if grep -q '^openvpn_handle:\s' /etc/iiab/local_vars.yml; then
+        sed -i "s/^openvpn_handle:\s.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml
+    else
+        echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml
+    fi
+
+    # BEHAVIOR JUST LIKE ANSIBLE'S: create /etc/iiab/openvpn_handle from the
+    # "^openvpn_handle:" line in /etc/iiab/local_vars.yml by (1) removing outer
+    # spacing IF NEC, then (2) removing 1 pair of matching outer quotes IF NEC:
+    ans=$(echo $ans | sed "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
+    echo $ans > /etc/iiab/openvpn_handle
+    echo -e "\n\e[1mSAVED: openvpn_handle recorded into both above files.\e[0m\n"
+elif [ "$handle1" != "$handle2" ]; then    # Sloppily, but conveniently here,
+    # bash treats "$handle2" as "" when var undefined, catching all conflicts!
+    echo -e "\n\e[41mYou MUST specify an OpenVPN machine name (openvpn_handle) to resolve the above\e[0m"
+    echo -e "\e[41mnaming conflict. Please rerun to proceed.\e[0m\n"
+    exit 1
+else
+    echo -e "\n\e[1mWARNING: openvpn_handle remains unchanged in both above files.\e[0m\n"
+fi
+
+if grep -q '^openvpn_installed:\s\+[tT]rue\b' /etc/iiab/iiab_state.yml; then
+    echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n"
+else
+    echo -e "Plz wait a few minutes as sshd, iiab-admin & OpenVPN are confirmed/installed...\n"
+    if grep -q '^openvpn_install:\s' /etc/iiab/local_vars.yml; then
+        sed -i "s/^openvpn_install:\s.*/openvpn_install: True/" /etc/iiab/local_vars.yml
+    else
+        echo "openvpn_install: True" >> /etc/iiab/local_vars.yml
+    fi
+
+    if [ -d /opt/iiab/iiab ]; then
+        cd /opt/iiab/iiab
+        export ANSIBLE_LOG_PATH="/opt/iiab/iiab/iiab-install.log"
+        ansible -m setup -i $INVENTORY localhost --connection=local | grep python
+        ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local
+        # Above is tighter/better than running all of "./runrole 1-prep"
+        echo
+    else
+        echo -e " \e[41m       Directory /opt/iiab/iiab does not exist: CANNOT INSTALL OPENVPN!       \e[0m\n"
+        exit 1
+    fi
+fi
+
+echo -e "Now let's (re)enable OpenVPN...\n"
+if grep -q '^openvpn_enabled:\s' /etc/iiab/local_vars.yml; then
+    sed -i "s/^openvpn_enabled:\s.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml
+else
+    echo "openvpn_enabled: True" >> /etc/iiab/local_vars.yml
+fi
+systemctl enable openvpn
+
+echo -e "\nNow let's restart OpenVPN..."
+#systemctl start openvpn
+systemctl restart openvpn
+
+echo -en "\n    "
+for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+echo -en " OpenVPN TIPS "
+for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+
+echo -e "\n\n  1. Check your Internet connection: run 'ping 8.8.8.8' and 'ping mit.edu'"
+echo -e "  2. Check your OpenVPN connection: run 'ping 10.8.0.1'"
+echo -e "  3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x"
+echo -e "  4. If necessary, run 'systemctl restart openvpn' which should"
+echo -e "     run 'systemctl restart openvpn@xscenet' for you."
+echo -e "  5. SOMETIMES WAITING A MINUTE HELPS -- retry steps 2 and 3 to monitor."
+echo -e "  6. If in future you want to disable OpenVPN connections to-and-from your"
+echo -e "     Internet-in-a-Box (IIAB) please run 'iiab-support-off' at that time."
+echo -e "  7. Read 'How can I remotely manage my Internet-in-a-Box?' at"
+echo -e "     http://FAQ.IIAB.IO to learn about DIY remote support alternatives"
+echo -e "     like ngrok, serveo, remot3.it and TeamViewer.\n"
+
+echo -en "    "
+for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+echo -en " OpenVPN TIPS "
+for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+
+echo -e "\n\nNow let's wait 15 seconds, as OpenVPN handshake sometimes needs that (or more!)"
+sleep 15
+
+echo -en "\nYour OpenVPN machine name (openvpn_handle) is: \e[32m"
+cat /etc/iiab/openvpn_handle
+echo -en "\e[0m"
+
+vpnip=$(ip a | grep tun0$ | awk '{print $2}')
+if [ "$vpnip" != "" ]; then
+    echo -e "\nYour OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n"
+else
+    echo -e "\n \e[41m       ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS        \e[0m\n"
+    exit 1
+fi

roles/0-DEPRECATED-ROLES/openvpn/templates/openvpn_handle.j2.unused

@@ -0,0 +1 @@
+{{ openvpn_handle }}

roles/0-DEPRECATED-ROLES/openvpn/templates/silence

@@ -0,0 +1,5 @@
+#!/bin/bash
+# if pid file for announce exists kill the process
+
+kill `pgrep ncat`
+

roles/0-DEPRECATED-ROLES/openvpn/templates/xscenet.conf.j2

@@ -0,0 +1,30 @@
+# Sample client-side OpenVPN config file for connecting to multi-client server
+#
+# Adapted from http://openvpn.sourceforge.net/20notes.html
+#
+# The server can be pinged at {{ openvpn_server_virtual_ip }}
+
+port {{ openvpn_server_port }}
+dev tun
+remote {{ openvpn_server }}
+remote {{ openvpn_server_real_ip }}
+
+# TLS parameters
+tls-client
+ca keys/ca.crt
+cert keys/client1.crt
+key keys/client1.key
+
+# This parameter is required for connecting to a multi-client server.
+# It tells the client to accept options which the server pushes to us.
+pull
+
+# Scripts can be used to do various things (change nameservers, for example).
+script-security 2
+up scripts/announce
+down scripts/silence
+log /var/log/openvpn.log
+
+verb 3
+comp-lzo yes
+keepalive 5 30