external/iiab
1
0
Fork 0
mirror of https://github.com/iiab/iiab.git synced 2025-02-13 19:52:06 +00:00
Code Issues Releases Wiki Activity

Merge pull request #1226 from holta/iiab-admin-cleaner

Browse source 
(1) iiab-admin role variables (2) alerts of pi & iiab-admin published passwords (3) introduce iiab_env_file (4) service_filelist | iiab_config_file -> iiab_ini_file
This commit is contained in:
A Holt 2018-10-15 09:44:49 -04:00 committed by GitHub
commit c95a0d496d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
83 changed files with 356 additions and 306 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
roles/0-init/defaults/main.yml
View file

@ -1,4 +1,4 @@
# Use these to tag a release at a point in time, for /etc/iiab/iiab.env
# Use these to tag a release at a point in time, for {{ iiab_env_file }}
iiab_base_ver: 6.7
iiab_revision: 0

12
roles/0-init/tasks/iiab_ini.yml
View file

@ -1,12 +1,12 @@
# workaround for fact that auto create does not work on ini_file
- name: Create /etc/iiab/iiab.ini (iiab_config_file)
# workaround for fact that auto create does not work on iiab_ini_file (/etc/iiab/iiab.ini)
- name: Create {{ iiab_ini_file }}
file:
dest: "{{ iiab_config_file }}"
dest: "{{ iiab_ini_file }}"
state: touch
- name: Add location section to config file
ini_file:
dest: "{{ iiab_config_file }}"
dest: "{{ iiab_ini_file }}"
section: location
option: "{{ item.option }}"
value: "{{ item.value }}"
@ -16,9 +16,9 @@
- option: iiab_dir
value: "{{ iiab_dir }}"
- name: Add version section
- name: Add 'version' variable values to {{ iiab_ini_file }}
ini_file:
dest: "{{ iiab_config_file }}"
dest: "{{ iiab_ini_file }}"
section: version
option: "{{ item.option }}"
value: "{{ item.value }}"

17
roles/0-init/tasks/main.yml
View file

@ -2,7 +2,7 @@
- name: ...IS BEGINNING ============================================
stat:
path: /etc/iiab/iiab.env
path: "{{ iiab_env_file }}"
register: NewInstall
- name: Setting first run flag
@ -165,9 +165,9 @@
include_tasks: hostname.yml
when: FQDN_changed
- name: Add 'runtime' section alongside list of services at /etc/iiab/iiab.ini
- name: Add 'runtime' variable values to {{ iiab_ini_file }}
ini_file:
dest: "{{ iiab_config_file }}"
dest: "{{ iiab_ini_file }}"
section: runtime
option: "{{ item.option }}"
value: "{{ item.value }}"
@ -209,13 +209,9 @@
- option: FQDN_changed
value: "{{ FQDN_changed }}"
#- name: Now changing FQDN
# include_tasks: hostname.yml
# when: FQDN_changed
- name: STAGE 0 HAS COMPLETED ======================================
- name: Add 'runtime' variable 'is_VM' value if defined, to {{ iiab_ini_file }}
ini_file:
dest: "{{ iiab_config_file }}"
dest: "{{ iiab_ini_file }}"
section: runtime
option: "{{ item.option }}"
value: "{{ item.value }}"
@ -223,3 +219,6 @@
- option: is_VM
value: "yes"
when: is_VM is defined
- name: STAGE 0 HAS COMPLETED ======================================
meta: noop

2
roles/1-prep/tasks/main.yml
View file

@ -111,7 +111,7 @@
- name: Recording STAGE 1 HAS COMPLETED ============================
template:
src: roles/1-prep/templates/iiab.env.j2
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
owner: root
group: root
mode: 0644

4
roles/1-prep/templates/iiab-network-reset
View file

@ -38,8 +38,8 @@ echo "/etc/resolv.conf"
cat /etc/resolv.conf
echo
echo "=========================================================="
echo "cat /etc/iiab/iiab.ini"
cat /etc/iiab/iiab.ini
echo "cat {{ iiab_ini_file }}"
cat {{ iiab_ini_file }}
echo
echo "=========================================================="
echo "routing table"

2
roles/1-prep/templates/iiab_env.py.j2
View file

@ -4,7 +4,7 @@
def get_iiab_env(name):
""" read iiab.env file for a value, return "" if does not exist"""
try:
fd = open("/etc/iiab/iiab.env","r")
fd = open("{{ iiab_env_file }}","r")
for line in fd:
line = line.lstrip()
line = line.rstrip('\n')

2
roles/2-common/tasks/main.yml
View file

@ -89,7 +89,7 @@
- name: Recording STAGE 2 HAS COMPLETED ==========================
lineinfile:
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
regexp: '^STAGE=*'
line: 'STAGE=2'
state: present

2
roles/2-common/templates/iiab-startup.sh
View file

@ -15,7 +15,7 @@ fi
if [[ $(grep -i raspbian /etc/*release) &&
#($(grep "hostapd_enabled = False" /etc/iiab/config_vars.yml) ||
#((! $(grep "hostapd_enabled = True" /etc/iiab/config_vars.yml)) &&
! $(grep "^HOSTAPD_ENABLED=True" /etc/iiab/iiab.env) ]];
! $(grep "^HOSTAPD_ENABLED=True" {{ iiab_env_file }}) ]];
# NEGATED LOGIC HELPS FORCE PROMISCUOUS MODE EARLY IN INSTALL
# (when network/tasks/main.yml hasn't yet populated iiab.env)

4
roles/3-base-server/tasks/main.yml
View file

@ -3,7 +3,7 @@
- name: ...IS BEGINNING =====================================
command: echo
- name: HTTPD
- name: HTTPD (APACHE)
include_role:
name: httpd
# has no "when: XXXXX_install" flag
@ -23,7 +23,7 @@
- name: Recording STAGE 3 HAS COMPLETED =====================
lineinfile:
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
regexp: '^STAGE=*'
line: 'STAGE=3'
state: present

2
roles/4-server-options/tasks/main.yml
View file

@ -78,7 +78,7 @@
- name: Recording STAGE 4 HAS COMPLETED ==================
lineinfile:
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
regexp: '^STAGE=*'
line: 'STAGE=4'
state: present

2
roles/5-xo-services/tasks/main.yml
View file

@ -23,7 +23,7 @@
- name: Recording STAGE 5 HAS COMPLETED =====================
lineinfile:
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
regexp: '^STAGE=*'
line: 'STAGE=5'
state: present

2
roles/6-generic-apps/tasks/main.yml
View file

@ -47,7 +47,7 @@
- name: Recording STAGE 6 HAS COMPLETED ====================
lineinfile:
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
regexp: '^STAGE=*'
line: 'STAGE=6'
state: present

2
roles/7-edu-apps/tasks/main.yml
View file

@ -47,7 +47,7 @@
- name: Recording STAGE 7 HAS COMPLETED ========================
lineinfile:
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
regexp: '^STAGE=*'
line: 'STAGE=7'
state: present

2
roles/8-mgmt-tools/tasks/main.yml
View file

@ -59,7 +59,7 @@
- name: Recording STAGE 8 HAS COMPLETED ======================
lineinfile:
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
regexp: '^STAGE=*'
line: 'STAGE=8'
state: present

2
roles/9-local-addons/tasks/main.yml
View file

@ -17,7 +17,7 @@
- name: Recording STAGE 9 HAS COMPLETED ====================
lineinfile:
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
regexp: '^STAGE=*'
line: 'STAGE=9'
state: present

2
roles/activity-server/tasks/main.yml
View file

@ -117,7 +117,7 @@
state=restarted
- name: add xs-activity-server to service list
ini_file: dest='{{ service_filelist }}'
ini_file: dest='{{ iiab_ini_file }}'
section=activity-server
option='{{ item.option }}'
value='{{ item.value }}'

2
roles/ajenti/tasks/main.yml
View file

@ -48,7 +48,7 @@
when: ajenti_enabled
- name: Add ajenti to service list
ini_file: dest='{{ service_filelist }}'
ini_file: dest='{{ iiab_ini_file }}'
section=ajenti
option='{{ item.option }}'
value='{{ item.value }}'

2
roles/authserver/tasks/main.yml
View file

@ -51,7 +51,7 @@
when: authserver_enabled
- name: add xs-authserver to service list
ini_file: dest='{{ service_filelist }}'
ini_file: dest='{{ iiab_ini_file }}'
section=xs-authserver
option='{{ item.option }}'
value='{{ item.value }}'

4
roles/awstats/tasks/main.yml
View file

@ -1,9 +1,9 @@
- include_tasks: install.yml
when: awstats_install
- name: Add 'awstats' to list of services at /etc/iiab/iiab.ini
- name: Add 'awstats' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: awstats
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/calibre-web/tasks/main.yml
View file

@ -122,9 +122,9 @@
name: "{{ apache_service }}" # httpd or apache2
state: restarted
- name: Add 'calibre-web' to list of services at /etc/iiab/iiab.ini
- name: Add 'calibre-web' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: calibre-web
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/calibre/tasks/main.yml
View file

@ -132,9 +132,9 @@
name: "{{ apache_service }}"
state: reloaded
- name: Add 'calibre' to list of services at /etc/iiab/iiab.ini
- name: Add 'calibre' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: calibre
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/cups/tasks/main.yml
View file

@ -64,9 +64,9 @@
enabled: no
when: not cups_enabled and is_F18
- name: Add 'cups' to list of services at /etc/iiab/iiab.ini
- name: Add 'cups' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: cups
option: "{{ item.option }}"
value: "{{ item.value }}"

2
roles/docker/tasks/main.yml
View file

@ -41,7 +41,7 @@
when: not docker_enabled
- name: add docker to service list
ini_file: dest='{{ service_filelist }}'
ini_file: dest='{{ iiab_ini_file }}'
section=docker
option='{{ item.option }}'
value='{{ item.value }}'

4
roles/dokuwiki/tasks/main.yml
View file

@ -2,9 +2,9 @@
include_tasks: install.yml
when: dokuwiki_install
- name: Add 'dokuwiki' to list of services at /etc/iiab/iiab.ini
- name: Add 'dokuwiki' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: dokuwiki
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/elgg/tasks/main.yml
View file

@ -138,9 +138,9 @@
state: absent
when: not elgg_enabled and is_redhat
- name: Add 'elgg' to list of services at /etc/iiab/iiab.ini
- name: Add 'elgg' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: elgg
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/httpd/tasks/html.yml
View file

@ -59,9 +59,9 @@
with_fileglob:
- html/services/*
- name: Create symlink from assets to /etc/iiab/iiab.ini
- name: Create symlink from assets to {{ iiab_ini_file }}
file:
src: "/etc/iiab/iiab.ini"
src: "{{ iiab_ini_file }}"
dest: "{{ doc_root }}/common/assets/iiab.ini"
owner: root
group: root

2
roles/httpd/templates/refresh-wiki-docs.sh
View file

@ -3,7 +3,7 @@
# Pull down repo's entire wiki (and similar) to create offline docs
set -e
source /etc/iiab/iiab.env
source {{ iiab_env_file }}
INPUT=/tmp/iiab-wiki
OUTPUT=/tmp/iiab-wiki.out
DESTPATH=/library/www/html/info

2
roles/idmgr/tasks/main.yml
View file

@ -80,7 +80,7 @@
line=allowsftp
- name: Add idmgr to service list
ini_file: dest='{{ service_filelist }}'
ini_file: dest='{{ iiab_ini_file }}'
section=idmgr
option='{{ item.option }}'
value='{{ item.value }}'

22
roles/iiab-admin/defaults/main.yml
View file

@ -1,5 +1,21 @@
---
# must keep roles/0-once/defaults/main.yml sync'd
# The values here are defaults.
# Must keep roles/0-init/defaults/main.yml sync'd ? (Seems no longer true as of 2018-10-15)
# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
iiab_admin_user_install: True
# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
# Linux user that has sudo access, for login to Admin Console http://box/admin
# ODDLY THIS IS ALSO USED BY roles/usb-lib/tasks/main.yml TO SET GROUP PERM FOR /library/www/html/local_content (ISN'T {{ apache_user }} MORE APPROPRIATE?)
iiab_admin_user: iiab-admin
# For live checks/alerts of published pwds
iiab_admin_published_pwd: g0adm1n
# Password hash to override above, if Ansible creates above user:
iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
# Obtain a password hash - NEW MORE SECURE WAY:
# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
# Obtain a password hash - OLD WAY:
# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'

6
roles/iiab-admin/tasks/admin-user.yml
View file

@ -1,7 +1,7 @@
- name: Create iiab-admin user and password
- name: Create user {{ iiab_admin_user }} for Admin Console; set password from hardcoded hash if newly creating account
user:
name: "{{ iiab_admin_user }}"
password: "{{ iiab_admin_passw_hash }}"
password: "{{ iiab_admin_pwd_hash }}"
update_password: on_create
shell: /bin/bash
@ -16,7 +16,7 @@
state: present
when: is_redhat
- name: Add user to wheel group
- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo'
user:
name: "{{ iiab_admin_user }}"
groups: wheel,sudo

6
roles/iiab-admin/tasks/main.yml
View file

@ -1,15 +1,15 @@
- include_tasks: admin-user.yml
tags:
- base
when: admin_install
when: iiab_admin_user_install
- include_tasks: access.yml
tags:
- base
- name: Add 'iiab-admin' to list at /etc/iiab/iiab.ini
- name: Add 'iiab-admin' to list at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: iiab-admin
option: "{{ item.option }}"
value: "{{ item.value }}"

38
roles/iiab-admin/templates/lxde_ssh_warn.sh
View file

@ -1,22 +1,32 @@
#!/bin/bash
function check_user_pwd() {
# $meth (hashing method) is typically '6' which implies 5000 rounds
# of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
[ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
}
# credit to the folks at raspberry pi foundatioon
check_hash ()
{
check_hash () {
if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
test -x /usr/bin/mkpasswd || return 0
SHADOW="$(sudo -n grep -E '^iiab-admin:' /etc/shadow 2>/dev/null)"
test -n "${SHADOW}" || return 0
if echo $SHADOW | grep -q "iiab-admin:!" ; then return 0 ; fi
SHADOW_PW=$(echo $SHADOW | cut -d: -f2)
if [ "$SHADOW_PW" != "\$6\$iiab51\$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop." ]; then return 0 ; fi
if echo "${SHADOW}" | grep -q "${HASH}"; then
zenity --warning --text="SSH is enabled and the default password for the 'iiab-admin' user has not been changed.\nThis is a security risk - please go to the iiab-console and use utilities-> change password to set a new password."
#test -x /usr/bin/mkpasswd || return 0
#SHADOW="$(sudo -n grep -E '^iiab-admin:' /etc/shadow 2>/dev/null)"
#test -n "${SHADOW}" || return 0
#if echo $SHADOW | grep -q "iiab-admin:!" ; then return 0 ; fi
#SHADOW_PW=$(echo $SHADOW | cut -d: -f2)
#if [ "$SHADOW_PW" != "\$6\$iiab51\$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop." ]; then return 0 ; fi
#if echo "${SHADOW}" | grep -q "${HASH}"; then
if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then
zenity --warning --text="SSH is enabled and the published password for user 'iiab-admin' is in use.\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box/admin) -> Utilities -> Change Password."
fi
}
if service ssh status | grep -q running; then
check_hash
fi
#if service ssh status | grep -q running; then
# check_hash
#fi
systemctl is-active {{ sshd_service }} > /dev/null && check_hash
unset check_hash

37
roles/iiab-admin/templates/profile_ssh_warn.sh
View file

@ -1,19 +1,28 @@
#!/bin/bash
# credit to the folks at raspberry pi foundatioon
check_hash ()
{
if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
SHADOW="$(sudo -n grep -E '^iiab-admin:' /etc/shadow 2>/dev/null)"
test -n "${SHADOW}" || return 0
if echo $SHADOW | grep -q "iiab-admin:!" ; then return 0 ; fi
SHADOW_PW=$(echo $SHADOW | cut -d: -f2)
if [ "$SHADOW_PW" != '{{ iiab_admin_passw_hash }}' ]; then return 0 ; fi
echo
echo "SSH is enabled and the default password for the 'iiab-admin' user is unchanged."
echo "This is a security risk - please login as the 'iiab-admin' user and type 'passwd' to change password."
echo
function check_user_pwd() {
# $meth (hashing method) is typically '6' which implies 5000 rounds
# of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
[ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
}
# credit to the folks at raspberry pi foundatioon
check_hash () {
if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
#SHADOW="$(sudo -n grep -E '^iiab-admin:' /etc/shadow 2>/dev/null)"
#test -n "${SHADOW}" || return 0
#if echo $SHADOW | grep -q "iiab-admin:!" ; then return 0 ; fi
#SHADOW_PW=$(echo $SHADOW | cut -d: -f2)
#if [ "$SHADOW_PW" != '{{ iiab_admin_pwd_hash }}' ]; then return 0 ; fi
if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then
echo -e "\nSSH is enabled and the published password for user 'iiab-admin' is in use."
echo -e "THIS IS A SECURITY RISK - please log in as user 'iiab-admin' and run 'passwd'"
echo -e "to change its password.\n"
fi
}
systemctl is-active {{ sshd_service }} > /dev/null && check_hash

4
roles/kalite/tasks/main.yml
View file

@ -36,9 +36,9 @@
- include_tasks: enable.yml
- name: Add 'kalite' to list of services at /etc/iiab/iiab.ini
- name: Add 'kalite' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: kalite
option: "{{ item.option }}"
value: "{{ item.value }}"

0
roles/kalite/templates/settings.py.j2 → roles/kalite/templates/settings.py.j2.deprecated
View file

4
roles/kiwix/tasks/kiwix_install.yml
View file

@ -149,9 +149,9 @@
# 5. FINALIZE
- name: Add 'kiwix' to list of services at /etc/iiab/iiab.ini
- name: Add 'kiwix' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: kiwix
option: "{{ item.option }}"
value: "{{ item.value }}"

10
roles/kiwix/templates/iiab-make-kiwix-lib.py
View file

@ -29,13 +29,13 @@ if not IIAB_PATH in sys.path:
from iiab_env import get_iiab_env
# Config Files
# iiab_config_file should be in /etc/iiab/iiab.env
iiab_config_file = "{{ iiab_config_file }}" # nominally /etc/iiab/iiab.ini
# iiab_config_file = "/etc/iiab/iiab.ini" # comment out after testing
# iiab_ini_file should be in {{ iiab_env_file }} (/etc/iiab/iiab.env) ?
iiab_ini_file = "{{ iiab_ini_file }}" # nominally /etc/iiab/iiab.ini
# iiab_ini_file = "/etc/iiab/iiab.ini" # comment out after testing
IIAB_INI = get_iiab_env('IIAB_INI') # future
if IIAB_INI:
iiab_config_file = IIAB_INI
iiab_ini_file = IIAB_INI
# Variables that should be read from config file
# All of these variables will be read from config files and recomputed in init()
@ -187,7 +187,7 @@ def init():
global kiwix_manage
config = ConfigParser.SafeConfigParser()
config.read(iiab_config_file)
config.read(iiab_ini_file)
iiab_base_path = config.get('location','iiab_base')
zim_path = config.get('kiwix','iiab_zim_path')
kiwix_library_xml = config.get('kiwix','kiwix_library_xml')

4
roles/kolibri/tasks/main.yml
View file

@ -80,9 +80,9 @@
state: stopped
when: not kolibri_enabled
- name: Add 'kolibri' to list of services at /etc/iiab/iiab.ini
- name: Add 'kolibri' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: kolibri
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/mediawiki/tasks/install.yml
View file

@ -85,9 +85,9 @@
name: "{{ apache_service }}"
state: restarted
- name: Add 'mediawiki' to list of services at /etc/iiab/iiab.ini
- name: Add 'mediawiki' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: mediawiki
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/mongodb/tasks/main.yml
View file

@ -60,9 +60,9 @@
# state: stopped
# when: not mongodb_enabled
- name: Add 'mongodb' to list of services at /etc/iiab/iiab.ini
- name: Add 'mongodb' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: mongodb
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/monit/tasks/main.yml
View file

@ -45,9 +45,9 @@
#- name: Restart monit service
# command: service monit restart
- name: Add 'monit' to list of services at /etc/iiab/iiab.ini
- name: Add 'monit' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: monit
option: "{{ item.option }}"
value: "{{ item.value }}"

2
roles/moodle-1.9/moodle/tasks/main.yml
View file

@ -76,7 +76,7 @@
register: moodlepw
- name: add moodle to service list
ini_file: dest='{{ service_filelist }}'
ini_file: dest='{{ iiab_ini_file }}'
section=moodle
option='{{ item.option }}'
value='{{ item.value }}'

4
roles/moodle/tasks/main.yml
View file

@ -155,9 +155,9 @@
path: "{{ moodle_base }}/config.php"
mode: 0644
- name: Add 'moodle' to list of services at /etc/iiab/iiab.ini
- name: Add 'moodle' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: moodle
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/munin/tasks/main.yml
View file

@ -84,9 +84,9 @@
- /usr/share/munin/plugins/mysql_threads
when: mysql_enabled
- name: Add 'munin' to list of services at /etc/iiab/iiab.ini
- name: Add 'munin' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: munin
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/mysql/tasks/main.yml
View file

@ -133,9 +133,9 @@
state: stopped
when: not mysql_enabled
- name: Add 'mysql' to list of services at /etc/iiab/iiab.ini
- name: Add 'mysql' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: mysql
option: "{{ item.option }}"
value: "{{ item.value }}"

12
roles/network/tasks/computed_network.yml
View file

@ -172,9 +172,9 @@
iiab_wan_iface: "none"
when: adapter_count.stdout|int >= "5" and device_gw == "none" and gui_wan_iface == "unset" and gui_static_wan is defined
- name: Record IIAB_WAN_DEVICE to /etc/iiab/iiab.env
- name: Record IIAB_WAN_DEVICE to {{ iiab_env_file }}
lineinfile:
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
regexp: '^IIAB_WAN_DEVICE=*'
line: 'IIAB_WAN_DEVICE="{{ iiab_wan_iface }}"'
state: present
@ -182,9 +182,9 @@
tags:
- network
- name: Record IIAB_LAN_DEVICE to /etc/iiab/iiab.env
- name: Record IIAB_LAN_DEVICE to {{ iiab_env_file }}
lineinfile:
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
regexp: '^IIAB_LAN_DEVICE=*'
line: 'IIAB_LAN_DEVICE="{{ iiab_lan_iface }}"'
state: present
@ -192,9 +192,9 @@
tags:
- network
- name: Add 'computed_network' variable values to /etc/iiab/iiab.ini
- name: Add 'computed_network' variable values to {{ iiab_ini_file }}
ini_file:
dest: "{{ iiab_config_file }}"
dest: "{{ iiab_ini_file }}"
section: computed_network
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/network/tasks/computed_services.yml
View file

@ -49,9 +49,9 @@
dhcp_service2: "dnsmasq disabled"
when: dnsmasq_install and iiab_network_mode == "Appliance"
- name: Add 'network' variable values (from computed_services.yml) to /etc/iiab/iiab.ini
- name: Add 'network' variable values (from computed_services.yml) to {{ iiab_ini_file }}
ini_file:
dest: "{{ iiab_config_file }}"
dest: "{{ iiab_ini_file }}"
section: network
option: "{{ item.option }}"
value: "{{ item.value }}"

6
roles/network/tasks/detected_network.yml
View file

@ -1,5 +1,5 @@
- name: iiab_wan_device
shell: grep IIAB_WAN_DEVICE /etc/iiab/iiab.env | awk -F "=" '{print $2}'
shell: grep IIAB_WAN_DEVICE {{ iiab_env_file }} | awk -F "=" '{print $2}'
when: iiab_stage|int > 4
register: prior_gw
@ -188,9 +188,9 @@
gui_wan_iface: "{{ device_gw }}"
when: user_wan_iface == "auto" and device_gw != "none" and discovered_wan_iface == "none"
- name: Add 'detected_network' variable values to /etc/iiab/iiab.ini
- name: Add 'detected_network' variable values to {{ iiab_ini_file }}
ini_file:
dest: "{{ iiab_config_file }}"
dest: "{{ iiab_ini_file }}"
section: detected_network
option: "{{ item.option }}"
value: "{{ item.value }}"

16
roles/network/tasks/enable_services.yml
View file

@ -79,7 +79,7 @@
- name: Create xs_httpcache flag
lineinfile:
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
regexp: '^HTTPCACHE_ON=*'
line: 'HTTPCACHE_ON=True'
state: present
@ -121,7 +121,7 @@
- name: Remove xs_httpcache flag
lineinfile:
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
regexp: '^HTTPCACHE_ON=*'
line: 'HTTPCACHE_ON=False'
state: present
@ -150,9 +150,9 @@
with_items:
- { 0: 'gateway/iiab-gen-iptables', 1: '/usr/bin/iiab-gen-iptables' }
- name: Add 'squid' to list of services at /etc/iiab/iiab.ini
- name: Add 'squid' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: squid
option: "{{ item.option }}"
value: "{{ item.value }}"
@ -160,9 +160,9 @@
- option: enabled
value: "{{ squid_enabled }}"
- name: Add 'dansguardian' to list of services at /etc/iiab/iiab.ini
- name: Add 'dansguardian' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: dansguardian
option: "{{ item.option }}"
value: "{{ item.value }}"
@ -170,9 +170,9 @@
- option: enabled
value: "{{ dansguardian_enabled }}"
- name: Add 'wondershaper' to list of services at /etc/iiab/iiab.ini
- name: Add 'wondershaper' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: wondershaper
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/network/tasks/hostapd.yml
View file

@ -55,9 +55,9 @@
enabled: yes
when: hostapd_enabled and iiab_wireless_lan_iface is defined and iiab_network_mode != "Appliance"
- name: Record HOSTAPD_ENABLED to /etc/iiab/iiab.env
- name: Record HOSTAPD_ENABLED to {{ iiab_env_file }}
lineinfile:
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
regexp: '^HOSTAPD_ENABLED=*'
line: 'HOSTAPD_ENABLED={{ hostapd_enabled }}'
state: present

2
roles/network/tasks/main.yml
View file

@ -11,7 +11,7 @@
no_net_restart: True # used below in (1) sysd-netd-debian.yml,
# (2) debian.yml, (3) rpi_debian.yml
when: discovered_wireless_iface == iiab_wan_iface and not reboot_to_AP
# EITHER WAY: hostapd_enabled's state is RECORDED into /etc/iiab/iiab.env
# EITHER WAY: hostapd_enabled's state is RECORDED into {{ iiab_env_file }}
# in hostapd.yml for later use by...
# /usr/libexec/iiab-startup.sh, iiab-hotspot-off & iiab-hotspot-on
#

8
roles/network/tasks/squid.yml
View file

@ -83,9 +83,9 @@
when: dansguardian_install
# {{ proxy }} is normally "squid", but is "squid3" on raspbian-8 & debian-8
- name: Add '{{ proxy }}' to list of services at /etc/iiab/iiab.ini
- name: Add '{{ proxy }}' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: "{{ proxy }}"
option: "{{ item.option }}"
value: "{{ item.value }}"
@ -97,9 +97,9 @@
- option: enabled
value: "{{ squid_enabled }}"
- name: Add 'dansguardian' variable values to /etc/iiab/iiab.ini
- name: Add 'dansguardian' variable values to {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: dansguardian
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/network/tasks/wondershaper.yml
View file

@ -38,9 +38,9 @@
group: root
state: link
- name: Add 'wondershaper' variable values to /etc/iiab/iiab.ini
- name: Add 'wondershaper' variable values to {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: wondershaper
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/network/templates/gateway/iiab-gen-iptables
View file

@ -1,5 +1,5 @@
#!/bin/bash -x
source /etc/iiab/iiab.env
source {{ iiab_env_file }}
{% if is_debuntu %}
IPTABLES=/sbin/iptables
IPTABLES_DATA=/etc/iptables.up.rules
@ -9,7 +9,7 @@ IPTABLES_DATA=/etc/sysconfig/iptables
{% endif %}
LANIF=$IIAB_LAN_DEVICE
WANIF=$IIAB_WAN_DEVICE
MODE=`grep iiab_network_mode_applied /etc/iiab/iiab.ini | gawk '{print $3}'`
MODE=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
clear_fw() {
$IPTABLES -F

2
roles/network/templates/network/iiab-hotspot-off
View file

@ -16,4 +16,4 @@ if grep -qi raspbian /etc/*release; then
ip link set dev wlan0 promisc on
fi
sed -i -e "s/^HOSTAPD_ENABLED.*/HOSTAPD_ENABLED=False/" /etc/iiab/iiab.env
sed -i -e "s/^HOSTAPD_ENABLED.*/HOSTAPD_ENABLED=False/" {{ iiab_env_file }}

2
roles/network/templates/network/iiab-hotspot-on
View file

@ -17,6 +17,6 @@ if grep -qi raspbian /etc/*release; then
ip link set dev wlan0 promisc off
fi
sed -i -e "s/^HOSTAPD_ENABLED.*/HOSTAPD_ENABLED=True/" /etc/iiab/iiab.env
sed -i -e "s/^HOSTAPD_ENABLED.*/HOSTAPD_ENABLED=True/" {{ iiab_env_file }}
echo -e "\nPlease consider rebooting now.\n"

4
roles/nextcloud/tasks/main.yml
View file

@ -162,9 +162,9 @@
# following enables and disables
- include_tasks: nextcloud_enabled.yml
- name: Add 'nextcloud' to list of services at /etc/iiab/iiab.ini
- name: Add 'nextcloud' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: Nextcloud
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/nodogsplash/tasks/rpi.yml
View file

@ -52,9 +52,9 @@
state: stopped
when: not nodogsplash_enabled
- name: Add 'nodogsplash' to list of services at /etc/iiab/iiab.ini
- name: Add 'nodogsplash' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: nodogsplash
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/openvpn/tasks/main.yml
View file

@ -206,9 +206,9 @@
# when: not openvpn_enabled and not installing
- name: Add 'openvpn' to list of services at /etc/iiab/iiab.ini
- name: Add 'openvpn' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: openvpn
option: "{{ item.option }}"
value: "{{ item.value }}"

6
roles/openvpn/templates/announcer.j2
View file

@ -19,10 +19,10 @@ if [ -f /etc/iiab/openvpn_handle ]; then
#else
# # Option #3: Dangerous to invoke hypothetical variables :(
# source /etc/iiab/iiab.env
# # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from /etc/iiab/iiab.ini, but safer now that relegated to #4 ?
# source {{ iiab_env_file }}
# # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from {{ iiab_ini_file }}, but safer now that relegated to #4 ?
# if [ -z "$HANDLE" ]; then
# HANDLE=`cat /etc/iiab/iiab.ini | gawk \
# HANDLE=`cat {{ iiab_ini_file }} | gawk \
# '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'`
# fi
fi

4
roles/osm/tasks/main.yml
View file

@ -174,9 +174,9 @@
name: "{{ apache_service }}"
state: restarted
- name: Add 'osm' to list of services at /etc/iiab/iiab.ini
- name: Add 'osm' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: osm
option: "{{ item.option }}"
value: "{{ item.value }}"

2
roles/owncloud/tasks/main.yml
View file

@ -106,7 +106,7 @@
when: owncloud_enabled
- name: Add owncloud to service list
ini_file: dest='{{ service_filelist }}'
ini_file: dest='{{ iiab_ini_file }}'
section=owncloud
option='{{ item.option }}'
value='{{ item.value }}'

4
roles/pathagar/tasks/main.yml
View file

@ -193,9 +193,9 @@
name: "{{ apache_service }}"
state: reloaded
- name: Add 'pathagar' to list of services at /etc/iiab/iiab.ini
- name: Add 'pathagar' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: pathagar
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/phpmyadmin/tasks/main.yml
View file

@ -65,9 +65,9 @@
state: absent
when: not phpmyadmin_enabled and is_debuntu
- name: Add 'phpmyadmin' to list of services at /etc/iiab/iiab.ini
- name: Add 'phpmyadmin' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: phpmyadmin
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/postgresql/tasks/main.yml
View file

@ -93,9 +93,9 @@
enabled: no
when: not postgresql_enabled
- name: Add 'postgresql' to list of services at /etc/iiab/iiab.ini
- name: Add 'postgresql' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: postgresql
option: "{{ item.option }}"
value: "{{ item.value }}"

2
roles/rachel/tasks/main.yml
View file

@ -24,7 +24,7 @@
when: rachel_enabled and rachel_content_found
- name: Add rachel to service list
ini_file: dest='{{ service_filelist }}'
ini_file: dest='{{ iiab_ini_file }}'
section=rachel
option='{{ item.option }}'
value='{{ item.value }}'

4
roles/samba/tasks/main.yml
View file

@ -71,9 +71,9 @@
- samba
when : not samba_enabled
- name: Add 'samba' to list of services at /etc/iiab/iiab.ini
- name: Add 'samba' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: samba
option: "{{ item.option }}"
value: "{{ item.value }}"

2
roles/schooltool/tasks/main.yml
View file

@ -56,7 +56,7 @@
when: not schooltool_enabled
- name: add schooltool to service list
ini_file: dest='{{ service_filelist }}'
ini_file: dest='{{ iiab_ini_file }}'
section=schooltool
option='{{ item.option }}'
value='{{ item.value }}'

2
roles/sugar-stats/tasks/main.yml
View file

@ -41,7 +41,7 @@
- include_tasks: statistics-consolidation.yml
- name: Add sugar-stats to service list
ini_file: dest='{{ service_filelist }}'
ini_file: dest='{{ iiab_ini_file }}'
section=sugar_stats
option='{{ item.option }}'
value='{{ item.value }}'

4
roles/sugarizer/tasks/main.yml
View file

@ -228,9 +228,9 @@
# state: stopped
# when: not sugarizer_enabled
- name: Add 'sugarizer' to list of services at /etc/iiab/iiab.ini
- name: Add 'sugarizer' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: sugarizer
option: "{{ item.option }}"
value: "{{ item.value }}"

2
roles/teamviewer/tasks/main.yml
View file

@ -9,7 +9,7 @@
when: teamviewer_install
- name: Add teamviewer to service list
ini_file: dest='{{ service_filelist }}'
ini_file: dest='{{ iiab_ini_file }}'
section=teamviewer
option='{{ item.option }}'
value='{{ item.value }}'

4
roles/transmission/tasks/main.yml
View file

@ -54,9 +54,9 @@
state: stopped
when: not transmission_enabled
- name: Add transmission to list of services at /etc/iiab/iiab.ini
- name: Add transmission to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: transmission
option: "{{ item.option }}"
value: "{{ item.value }}"

6
roles/usb-lib/tasks/main.yml
View file

@ -3,7 +3,7 @@
dest: "{{ doc_root }}/local_content"
state: directory
owner: "{{ apache_user }}"
group: "{{ iiab_admin_user }}"
group: "{{ iiab_admin_user }}" # ISN'T "{{ apache_user }}" MORE APPROPRIATE?
mode: 0775
- name: Copy mount file to usbmount when enabled
@ -55,7 +55,7 @@
- name: Put variable in iiab.env that enables display of content at root of USB
lineinfile:
dest: /etc/iiab/iiab.env
dest: "{{ iiab_env_file }}"
regexp: "^IIAB_USB_LIB_SHOW_ALL.*"
line: "IIAB_USB_LIB_SHOW_ALL={{ iiab_usb_lib_show_all }}"
@ -87,7 +87,7 @@
- name: Add usb-lib to service list
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: usb-lib
option: "{{ item.option }}"
value: "{{ item.value }}"

2
roles/usb-lib/templates/iiab-usb-lib-show-all-off
View file

@ -1,5 +1,5 @@
#!/bin/bash
# turn on the flag which registers new USB sticks at root directory
sed -i -e's/^IIAB_USB_LIB_SHOW_ALL.*/IIAB_USB_LIB_SHOW_ALL=False/' /etc/iiab/iiab.env
sed -i -e's/^IIAB_USB_LIB_SHOW_ALL.*/IIAB_USB_LIB_SHOW_ALL=False/' {{ iiab_env_file }}

2
roles/usb-lib/templates/iiab-usb-lib-show-all-on
View file

@ -1,5 +1,5 @@
#!/bin/bash
# turn on the flag which registers new USB sticks at root directory
sed -i -e's/^IIAB_USB_LIB_SHOW_ALL.*/IIAB_USB_LIB_SHOW_ALL=True/' /etc/iiab/iiab.env
sed -i -e's/^IIAB_USB_LIB_SHOW_ALL.*/IIAB_USB_LIB_SHOW_ALL=True/' {{ iiab_env_file }}

2
roles/usb-lib/templates/mount.d/70-usb-library
View file

@ -9,7 +9,7 @@
#
# by Tim Moody tim@timmoody.com
source /etc/iiab/iiab.env
source {{ iiab_env_file }}
case $IIAB_USB_LIB_SHOW_ALL in
'True'|'true'|'TRUE')
logger -p user.notice -t "70-usb-library" -- "Displaying root directory on $UM_MOUNTPOINT."

4
roles/vnstat/tasks/main.yml
View file

@ -29,9 +29,9 @@
enabled: yes
state: started
- name: Add 'vnstat' to list of services at /etc/iiab/iiab.ini
- name: Add 'vnstat' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: vnstat
option: "{{ item.option }}"
value: "{{ item.value }}"

4
roles/wordpress/tasks/install.yml
View file

@ -135,9 +135,9 @@
name: "{{ apache_service }}"
state: restarted
- name: Add 'wordpress' to list of services at /etc/iiab/iiab.ini
- name: Add 'wordpress' to list of services at {{ iiab_ini_file }}
ini_file:
dest: "{{ service_filelist }}"
dest: "{{ iiab_ini_file }}"
section: wordpress
option: "{{ item.option }}"
value: "{{ item.value }}"

2
roles/xovis/tasks/main.yml
View file

@ -82,7 +82,7 @@
when: xovis_enabled
- name: Add xovis to service list
ini_file: dest='{{ service_filelist }}'
ini_file: dest='{{ iiab_ini_file }}'
section=xovis
option='{{ item.option }}'
value='{{ item.value }}'

111
vars/default_vars.yml
View file

@ -5,11 +5,12 @@
# By convention we use True/False to indicate boolean constants.
# Installation Constants
content_base: "/library"
#doc_base: "/var"
doc_base: "{{ content_base }}/www"
doc_root: "{{ doc_base }}/html"
# Configuration Files
iiab_local_vars_file: /etc/iiab/local_vars.yml
iiab_env_file: /etc/iiab/iiab.env
iiab_ini_file: /etc/iiab/iiab.ini
#iiab_config_file: "{{ iiab_ini_file }}" # Legacy support / let's phase this out eventually
#service_filelist: "{{ iiab_ini_file }}" # Legacy support / let's phase this out eventually
iiab_base: /opt/iiab
iiab_dir: "{{ iiab_base }}/iiab"
@ -17,35 +18,32 @@ pip_packages_dir: "{{ iiab_base }}/pip-packages"
yum_packages_dir: "{{ iiab_base }}/yum-packages"
downloads_dir: "{{ iiab_base }}/downloads"
iiab_download_url: http://download.iiab.io/packages
content_base: "/library"
doc_base: "{{ content_base }}/www"
doc_root: "{{ doc_base }}/html"
# Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
download_timeout: 200
# Configuration File(s)
iiab_config_file: /etc/iiab/iiab.ini
iiab_local_vars_file: /etc/iiab/local_vars.yml
service_filelist: "{{ iiab_config_file }}"
# The following variable may be useful in debugging
disregard_network: False # use cache or error out if cache does not exist
# Users and Passwords
iiab_admin_user: iiab-admin
# Obtain a password hash with:
# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
iiab_admin_passw_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
admin_install: True
# Set admin_install: False if you don't want iiab_admin_user & wheel group
# auto-created in roles/iiab-admin/tasks/main.yml, thereby disabling sudo-based
# warnings on use of published passwords like pi/raspberry & iiab-admin/g0adm1n
# If admin_install: False, set iiab_admin_user (above) to an existing Linux
# user that has sudo access, so you can login to Admin Console http://box/admin
# Languages
# Languages (for Apache)
default_language: en
language_priority: en es
language_priority: en es fr
# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
iiab_admin_user_install: True
# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
# Linux user that has sudo access, for login to Admin Console http://box/admin
iiab_admin_user: iiab-admin
iiab_admin_published_pwd: g0adm1n # For live checks/alerts of published pwds
# Password hash to override above, if Ansible creates above user:
iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
# Obtain a password hash - NEW MORE SECURE WAY:
# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
# Obtain a password hash - OLD WAY:
# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
# Time Zone (php needs timezone to be set)
local_tz: "{{ ansible_date_time.tz }}"
@ -53,10 +51,13 @@ local_tz: "{{ ansible_date_time.tz }}"
# Read https://github.com/iiab/iiab/wiki/IIAB-Networking
# Also readable offline @ http://box/info/IIAB-Networking.html
# NETWORK PARAMETERS FOLLOW ACROSS THE NEXT 65 LINES, as enabled by Ansible's
# NETWORK PARAMETERS FOLLOW ACROSS THE NEXT 100 LINES, as enabled by Ansible's
# NETWORK role (/opt/iiab/iiab/roles/network/*) in 4-SERVER-OPTIONS below.
# SEE ALSO: /opt/iiab/iiab/roles/network/defaults/main.yml
# The following variable may be useful in debugging
disregard_network: False # use cache or error out if cache does not exist
iiab_hostname: box
iiab_domain: lan
lan_ip: 172.18.96.1
@ -149,17 +150,36 @@ wan_nameserver:
# exFAT is auto-enabled for all "debuntu" OS's as of Nov 2017, in roles/2-common/tasks/packages.yml#L35-L36
# exFAT_enabled: True
# Parameters by Aggregate Roles
# Each Role must have the following variables which are either True or False:
# Parameters for Aggregate Roles
# Each Role should have the following variables which are either True or False:
# <role-name>_install
# <role-name>_enabled
# Our past convention was to install everything in all aggregates
# Past convention had been to install everything in all aggregate roles (stages)
# And to enable everything in 1-PREP, 2-COMMON, and 3-BASE-SERVER
# 1-PREP
# sshd
sshd_enabled: True
# roles/iiab-admin runs here
# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE: e.g. iiab_admin_user_install,
# iiab_admin_user, iiab_admin_published_pwd, iiab_admin_pwd_hash
# OpenVPN
openvpn_install: True
openvpn_enabled: False
# For /etc/iiab/openvpn_handle
openvpn_handle: ""
# cron seems necessary on CentOS:
openvpn_cron_enabled: False
# General OpenVPN settings
openvpn_server: xscenet.net
openvpn_server_virtual_ip: 10.8.0.1
openvpn_server_port: 1194
# 2-COMMON
# 3-BASE-SERVER
@ -168,12 +188,10 @@ wan_nameserver:
# Make this False to disable http://box/common/services/power_off.php button:
apache_allow_sudo: True
# For schools that use WordPress and/or Moodle intensively. See iiab/iiab #1147
# For schools that use WordPress and/or Moodle intensively, see iiab/iiab #1147
# WARNING: Enabling this (might) cause excess use of RAM or other resources?
apache_high_php_limits: False
# roles/iiab-admin runs here
# SEE ALSO VARIABLES NEAR TOP OF THIS FILE: default_language, language_priority
# MySQL MANDATORY - THESE SETTINGS HAVE NO EFFECT - SEE roles/1-prep/tasks/computed_vars.yml, roles/mysql/tasks/main.yml
mysql_install: True
@ -184,23 +202,6 @@ mysql_root_password: fixmysql
# 4-SERVER-OPTIONS
# sshd
sshd_enabled: True
# OpenVPN
openvpn_install: True
openvpn_enabled: False
# For /etc/iiab/openvpn_handle
openvpn_handle: ""
# cron seems necessary on CentOS:
openvpn_cron_enabled: False
openvpn_server: xscenet.net
openvpn_server_virtual_ip: 10.8.0.1
openvpn_server_port: 1194
# roles/network runs here (MANY SETTINGS ABOVE)
# Homepage

51
vars/local_vars_big.yml
View file

@ -8,20 +8,23 @@
# Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
download_timeout: 200
# Users and Passwords
# Languages (for Apache)
default_language: en
language_priority: en es fr
# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
iiab_admin_user_install: True
# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
# Linux user that has sudo access, for login to Admin Console http://box/admin
iiab_admin_user: iiab-admin
# Obtain a password hash with:
# Password hash to be used if Ansible creates the above user:
iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
# Obtain a password hash - NEW MORE SECURE WAY:
# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
# Obtain a password hash - OLD WAY:
# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
# iiab_admin_passw_hash:
admin_install: True
# Set admin_install: False if you don't want iiab_admin_user & wheel group
# auto-created in roles/iiab-admin/tasks/main.yml, thereby disabling sudo-based
# warnings on use of published passwords like pi/raspberry & iiab-admin/g0adm1n
# If admin_install: False, set iiab_admin_user (above) to an existing Linux
# user that has sudo access, so you can login to Admin Console http://box/admin
iiab_hostname: box
iiab_domain: lan
@ -73,32 +76,34 @@ dansguardian_enabled: True
# 1-PREP
# roles/sshd & roles/iiab-admin run here
# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE:
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
openvpn_install: True
openvpn_enabled: False
# Set /etc/iiab/openvpn_handle in advance here:
openvpn_handle: ""
# The following seems necessary on CentOS:
# openvpn_cron_enabled: True
# 2-COMMON
# 3-BASE-SERVER
# Make this False to disable http://box/common/services/power_off.php button:
apache_allow_sudo: True
# For schools that use WordPress and/or Moodle intensively. See iiab/iiab #1147
# For schools that use WordPress and/or Moodle intensively, see iiab/iiab #1147
# WARNING: Enabling this (might) cause excess use of RAM or other resources?
apache_high_php_limits: False
# SEE ALSO VARIABLES NEAR TOP OF THIS FILE: default_language, language_priority
# roles/mysql runs here (mandatory)
# 4-SERVER-OPTIONS
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
openvpn_install: True
openvpn_enabled: False
# Set /etc/iiab/openvpn_handle in advance here:
openvpn_handle: ""
# The following seems necessary on CentOS:
# openvpn_cron_enabled: True
# roles/network runs here (MANY SETTINGS ABOVE)
# PostgreSQL - auto-installed by Moodle and/or Pathagar - no need to touch!

51
vars/local_vars_medium.yml
View file

@ -8,20 +8,23 @@
# Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
download_timeout: 200
# Users and Passwords
# Languages (for Apache)
default_language: en
language_priority: en es fr
# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
iiab_admin_user_install: True
# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
# Linux user that has sudo access, for login to Admin Console http://box/admin
iiab_admin_user: iiab-admin
# Obtain a password hash with:
# Password hash to be used if Ansible creates the above user:
iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
# Obtain a password hash - NEW MORE SECURE WAY:
# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
# Obtain a password hash - OLD WAY:
# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
# iiab_admin_passw_hash:
admin_install: True
# Set admin_install: False if you don't want iiab_admin_user & wheel group
# auto-created in roles/iiab-admin/tasks/main.yml, thereby disabling sudo-based
# warnings on use of published passwords like pi/raspberry & iiab-admin/g0adm1n
# If admin_install: False, set iiab_admin_user (above) to an existing Linux
# user that has sudo access, so you can login to Admin Console http://box/admin
iiab_hostname: box
iiab_domain: lan
@ -73,32 +76,34 @@ dansguardian_enabled: False
# 1-PREP
# roles/sshd & roles/iiab-admin run here
# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE:
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
openvpn_install: True
openvpn_enabled: False
# Set /etc/iiab/openvpn_handle in advance here:
openvpn_handle: ""
# The following seems necessary on CentOS:
# openvpn_cron_enabled: True
# 2-COMMON
# 3-BASE-SERVER
# Make this False to disable http://box/common/services/power_off.php button:
apache_allow_sudo: True
# For schools that use WordPress and/or Moodle intensively. See iiab/iiab #1147
# For schools that use WordPress and/or Moodle intensively, see iiab/iiab #1147
# WARNING: Enabling this (might) cause excess use of RAM or other resources?
apache_high_php_limits: False
# SEE ALSO VARIABLES NEAR TOP OF THIS FILE: default_language, language_priority
# roles/mysql runs here (mandatory)
# 4-SERVER-OPTIONS
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
openvpn_install: True
openvpn_enabled: False
# Set /etc/iiab/openvpn_handle in advance here:
openvpn_handle: ""
# The following seems necessary on CentOS:
# openvpn_cron_enabled: True
# roles/network runs here (MANY SETTINGS ABOVE)
# PostgreSQL - auto-installed by Moodle and/or Pathagar - no need to touch!

51
vars/local_vars_min.yml
View file

@ -8,20 +8,23 @@
# Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
download_timeout: 200
# Users and Passwords
# Languages (for Apache)
default_language: en
language_priority: en es fr
# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
iiab_admin_user_install: True
# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
# Linux user that has sudo access, for login to Admin Console http://box/admin
iiab_admin_user: iiab-admin
# Obtain a password hash with:
# Password hash to be used if Ansible creates the above user:
iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
# Obtain a password hash - NEW MORE SECURE WAY:
# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
# Obtain a password hash - OLD WAY:
# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
# iiab_admin_passw_hash:
admin_install: True
# Set admin_install: False if you don't want iiab_admin_user & wheel group
# auto-created in roles/iiab-admin/tasks/main.yml, thereby disabling sudo-based
# warnings on use of published passwords like pi/raspberry & iiab-admin/g0adm1n
# If admin_install: False, set iiab_admin_user (above) to an existing Linux
# user that has sudo access, so you can login to Admin Console http://box/admin
iiab_hostname: box
iiab_domain: lan
@ -73,32 +76,34 @@ dansguardian_enabled: False
# 1-PREP
# roles/sshd & roles/iiab-admin run here
# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE:
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
openvpn_install: True
openvpn_enabled: False
# Set /etc/iiab/openvpn_handle in advance here:
openvpn_handle: ""
# The following seems necessary on CentOS:
# openvpn_cron_enabled: True
# 2-COMMON
# 3-BASE-SERVER
# Make this False to disable http://box/common/services/power_off.php button:
apache_allow_sudo: True
# For schools that use WordPress and/or Moodle intensively. See iiab/iiab #1147
# For schools that use WordPress and/or Moodle intensively, see iiab/iiab #1147
# WARNING: Enabling this (might) cause excess use of RAM or other resources?
apache_high_php_limits: False
# SEE ALSO VARIABLES NEAR TOP OF THIS FILE: default_language, language_priority
# roles/mysql runs here (mandatory)
# 4-SERVER-OPTIONS
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
openvpn_install: True
openvpn_enabled: False
# Set /etc/iiab/openvpn_handle in advance here:
openvpn_handle: ""
# The following seems necessary on CentOS:
# openvpn_cron_enabled: True
# roles/network runs here (MANY SETTINGS ABOVE)
# PostgreSQL - auto-installed by Moodle and/or Pathagar - no need to touch!