Merge branch 'master' into virtualenv-for-kalite

roles/0-init/defaults/main.yml

@@ -1,14 +1,21 @@
+# adm_cons_force_ssl: False
+
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 
 
 # SEE ALSO /opt/iiab/iiab/roles/1-prep/defaults/main.yml
 
+# 2021-07-30: Primarily for Admin Console: later change to 443 for #2811 HTTPS?
+gui_port: 80
+#is_F18: False                  # 2021-07-30: No longer used
+
 # (PRE-)release version number, for {{ iiab_env_file }} = /etc/iiab/iiab.env
 # iiab_base_ver: 8.0
 # iiab_revision: 0
 # ABOVE 3 LINES MOVED TO /opt/iiab/iiab/vars/default_vars.yml
 
+
 # These entries should never be changed in this file.
 # These are defaults for boolean routines.
 
@@ -27,10 +34,6 @@ gw_active: False
 internet_available: False
 discovered_wan_iface: none      # 2021-07-30: Very broadly used!
 
-# 2021-07-30: Primarily for Admin Console: later change to 443 for #2811 HTTPS?
-gui_port: 80
-#is_F18: False                  # 2021-07-30: No longer used
-
 # 2021-07-30: Barely used -- for {named, dhcpd, squid} in
 # roles/network/tasks/main.yml -- after being set in 0-init/tasks/network.yml
 FQDN_changed: False
@@ -46,6 +49,6 @@ FQDN_changed: False
 installing: False
 
 # 2021-07-30: Broadly used across roles/network/tasks/*.yml -- but things might
-# possibly change if roles/network becomes optional per #2876 ?
+# possibly change if roles/network becomes optional per PR #2876 ?
 no_net_restart: False
 #no_NM_reload: False    # 2021-07-30: Was used in roles/network/tasks/fedora/*

roles/0-init/tasks/main.yml

@@ -13,6 +13,11 @@
     #xo_model: "{{ ansible_local.local_facts.xo_model }}"
     iiab_stage: "{{ ansible_local.local_facts.stage }}"
 
+# 2020-10-29: Appears no longer nec (see 3 above ansible_local.local_facts.*)
+#- name: Re-read local_facts.facts from /etc/ansible/facts.d
+#  setup:
+#    filter: ansible_local
+
 # Initialize /etc/iiab/iiab.ini writing the 'location' and 'version' sections
 # once and only once, to preserve the install date and git hash.
 - name: Create {{ iiab_ini_file }}, if it doesn't exist
@@ -29,11 +34,6 @@
     first_run: True
   when: not iiab_ini_test.stat.exists
 
-# 2020-10-29: Appears no longer nec (see 3 above ansible_local.local_facts.*)
-#- name: Re-read local_facts.facts from /etc/ansible/facts.d
-#  setup:
-#    filter: ansible_local
-
 
 # Copies the latest/known version of iiab-diagnostics into /usr/bin (so it can
 # be run even if local source tree /opt/iiab/iiab is deleted to conserve disk).

roles/1-prep/README.rst

@@ -2,21 +2,24 @@
 1-prep README
 =============
 
-This 1st `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ (1-prep) is primarily hardware-focused, prior to OS
-additions/mods — but also includes critical pieces sometimes needed for
-remote support:
+This 1st `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ (1-prep) arranges low-level things like remote support infra, DNS prep, hardware, low-level OS quirks, and basic security:
 
-- dnsmasq
-- /etc/iiab/uuid
-- Customizing /var/log/* for Ubermix on each boot, using /etc/tmpfiles.d
-- SSH
-- `iiab-admin <https://github.com/iiab/iiab/tree/master/roles/iiab-admin>`_ username and group to log into Admin Console
-- OpenVPN software if/as needed later for remote support
-- `raspberry_pi.yml <tasks/raspberry_pi.yml>`_ including RTC, essential packages, and networking basics
+- SSHD
+- OpenVPN if/as needed later for remote support
+- `iiab-admin <https://github.com/iiab/iiab/tree/master/roles/iiab-admin#iiab-admin-readme>`_ username and group, to log into Admin Console
+- dnsmasq (install now, configure later!)
+- Universally unique identifier: /etc/iiab/uuid
+- Ubermix (distro) needs /etc/tmpfiles.d/iiab.conf to create essential /var/log subdirs on each boot
+- Hardware actions:
+   - `raspberry_pi.yml <tasks/raspberry_pi.yml>`_:
+      - RTC (real-time clock): install udev rule, configure, enable
+      - Install packages related to:
+         - growpart
+         - swapfile
+         - fake-hwclock (as RTC is often missing or dead!)
+         - Wi-Fi
+      - Increase swap file size
+      - `rootfs auto-resizing <https://github.com/iiab/iiab/blob/master/roles/1-prep/templates/iiab-rpi-max-rootfs.sh>`_
+   - NUC 6 Wi-Fi firmware
 
-Traditionally 1-prep also included preliminaries like hostname and
-hardware-oriented things specific to a particular platform (such as
-One Laptop Per Child's XO laptop) i.e. critical setup prior to the
-bulk of IIAB's software install.
-
-Recap: Similar to 0-init, 2-common, 3-base-server, 4 server-options and 5-xo-services ⁠— this 1st stage installs core server infra (that is not user-facing).
+Recap: Similar to 0-init, 2-common, 3-base-server, 4 server-options and 5-xo-services — this 1st stage installs core server infra (that is not user-facing).

roles/1-prep/tasks/hardware.yml

@@ -0,0 +1,17 @@
+##  DISCOVER PLATFORMS ######
+# Put conditional actions for hardware platforms here
+
+- include_tasks: raspberry_pi.yml
+  when: first_run and rpi_model != "none"
+
+- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
+  shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
+  register: usb_NUC6
+  ignore_errors: True
+
+- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6    # iiab_download_url is http://download.iiab.io/packages
+  get_url:
+    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"
+    dest: /lib/firmware
+    timeout: "{{ download_timeout }}"
+  when: internet_available and usb_NUC6.stdout|int > 0

roles/1-prep/tasks/main.yml

@@ -1,85 +1,31 @@
-# Preparations (Hardware Level)
+# Preparations (low-level e.g. remote support, DNS prep, HW/OS, basic security)
 
 - name: ...IS BEGINNING ============================================
   meta: noop
 
-- name: dnsmasq (install now, configure LATER in 'network', after Stage 9)
-  include_tasks: roles/network/tasks/dnsmasq.yml
-  #when: dnsmasq_install    # Flag might be used in future?
-
-
-- name: 'Install packages: sudo, uuid-runtime'
-  package:
-    name:
-      - sudo
-      - uuid-runtime
-    state: present
-
-- name: Does /etc/iiab/uuid exist?
-  stat:
-    path: /etc/iiab/uuid
-  register: uuid_file
-
-- name: If not, run 'uuidgen' to create a uuid, in register uuid_response
-  command: uuidgen
-  register: uuid_response
-  when: not uuid_file.stat.exists
-
-- name: Save it to /etc/iiab/uuid
-  shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid
-  when: not uuid_file.stat.exists
-
-- name: Load /etc/iiab/uuid, into register stored_uuid
-  command: cat /etc/iiab/uuid
-  register: stored_uuid
-
-- name: Store it in Ansible variable 'uuid'
-  set_fact:
-    uuid: "{{ stored_uuid.stdout_lines[0] }}"
-
-
-- name: Does 'ubermix' exist in /etc/lsb-release?
-  shell: grep -i ubermix /etc/lsb-release    # Pipe to cat to avoid red errors?
-  register: grep_ubermix
-  failed_when: False    # Universal way to hide alarmist red errors!
-  #ignore_errors: True
-  #check_mode: no
-
-- name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix
-  copy:
-    src: roles/1-prep/files/iiab.conf
-    dest: /etc/tmpfiles.d/
-    # owner: root
-    # group: root
-    # mode: '0644'
-    force: yes
-  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
-
-# 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml
-# This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-*
-# pkgs are not installed FWIW.  But it's included to safeguard us across all
-# OS's, in case others OS's like Ubermix later appear.  See #1382 for details.
-# Removing pkgs libgeos-3.6.2 & libgeos-c1v5 fixed the situation on Ubermix!
-- name: Remove libgeos-* pkgs, avoiding KA Lite Django failure on Ubermix
-  shell: apt -y remove "libgeos-*"
-  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
-
-
 - name: SSHD -- required by OpenVPN below -- also run by roles/4-server-options/tasks/main.yml
   include_role:
     name: sshd
   when: sshd_install
 
-- name: IIAB-ADMIN
-  include_role:
-    name: iiab-admin
-  #when: iiab_admin_install    # Flag might be created in future?
-
 - name: OPENVPN
   include_role:
     name: openvpn
   when: openvpn_install
 
+- name: IIAB-ADMIN -- includes roles/iiab-admin/tasks/access.yml
+  include_role:
+    name: iiab-admin
+  #when: iiab_admin_install    # Flag might be created in future?
+
+- name: Install dnsmasq -- configure LATER in 'network', after Stage 9
+  include_tasks: roles/network/tasks/dnsmasq.yml
+  #when: dnsmasq_install    # Flag might be used in future?
+
+- include_tasks: uuid.yml
+- include_tasks: ubermix.yml
+- include_tasks: hardware.yml    # Can run raspberry_pi.yml
+
 
 # Debian 10 "Buster" is apparently enabling AppArmor in 2019:
 # https://wiki.debian.org/AppArmor/Progress
@@ -109,25 +55,6 @@
 #  when: not is_debuntu and selinux_disabled is defined and selinux_disabled.changed
 
 
-##  DISCOVER PLATFORMS ######
-# Put conditional actions for hardware platforms here
-
-- include_tasks: raspberry_pi.yml
-  when: first_run and rpi_model != "none"
-
-- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
-  shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
-  register: usb_NUC6
-  ignore_errors: True
-
-- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6    # iiab_download_url is http://download.iiab.io/packages
-  get_url:
-    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"
-    dest: /lib/firmware
-    timeout: "{{ download_timeout }}"
-  when: internet_available and usb_NUC6.stdout|int > 0
-
-
 - name: Recording STAGE 1 HAS COMPLETED ============================
   template:
     src: roles/1-prep/templates/iiab.env.j2

roles/1-prep/tasks/raspberry_pi.yml

@@ -31,6 +31,7 @@
 #    line: 'include btcfg.txt'
 #  when: is_ubuntu
 
+
 - name: '2021-07-27: SEE ALSO ~4 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/packages.yml'
   meta: noop
 
@@ -55,6 +56,7 @@
       - wireless-tools    # 2021-07-27: RaspiOS installs this regardless -- manipulate Linux Wireless Extensions
     state: present
 
+
 - name: Increase swap file size (to CONF_SWAPSIZE={{ pi_swap_file_size }} in /etc/dphys-swapfile) as kalite pip download fails
   lineinfile:
     path: /etc/dphys-swapfile
@@ -67,6 +69,7 @@
     name: dphys-swapfile
     state: restarted
 
+
 - name: Install RPi rootfs resizing (/usr/sbin/iiab-rpi-max-rootfs.sh) and its systemd service (/etc/systemd/system/iiab-rpi-root-resize.service), from templates (root:root by default)
   template:
     src: "{{ item.src }}"

roles/1-prep/tasks/ubermix.yml

@@ -0,0 +1,25 @@
+- name: Does 'ubermix' exist in /etc/lsb-release?
+  shell: grep -i ubermix /etc/lsb-release    # Pipe to cat to avoid red errors?
+  register: grep_ubermix
+  failed_when: False    # Universal way to hide alarmist red errors!
+  #ignore_errors: True
+  #check_mode: no
+
+- name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix (root:root, 0644 by default)
+  copy:
+    src: roles/1-prep/files/iiab.conf
+    dest: /etc/tmpfiles.d/
+    # owner: root
+    # group: root
+    # mode: 0644
+    force: yes
+  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
+
+# 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml
+# This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-*
+# pkgs are not installed FWIW.  But it's included to safeguard us across all
+# OS's, in case others OS's like Ubermix later appear.  See #1382 for details.
+# Removing pkgs libgeos-3.6.2 & libgeos-c1v5 fixed the situation on Ubermix!
+- name: Remove libgeos-* pkgs, avoiding KA Lite Django failure on Ubermix
+  shell: apt -y remove "libgeos-*"
+  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist

roles/1-prep/tasks/uuid.yml

@@ -0,0 +1,26 @@
+- name: "Install packages: uuid-runtime"
+  package:
+    name: uuid-runtime
+    state: present
+
+- name: Does /etc/iiab/uuid exist?
+  stat:
+    path: /etc/iiab/uuid
+  register: uuid_file
+
+- name: If not, run 'uuidgen' to create a uuid, in register uuid_response
+  command: uuidgen
+  register: uuid_response
+  when: not uuid_file.stat.exists
+
+- name: Save it to /etc/iiab/uuid
+  shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid
+  when: not uuid_file.stat.exists
+
+- name: Load /etc/iiab/uuid, into register stored_uuid
+  command: cat /etc/iiab/uuid
+  register: stored_uuid
+
+- name: Store it in Ansible variable 'uuid'
+  set_fact:
+    uuid: "{{ stored_uuid.stdout_lines[0] }}"

roles/2-common/tasks/main.yml

@@ -8,11 +8,12 @@
 
 - include_tasks: packages.yml
 
-- name: 'Network prep, including partial setup of iptables (firewall) -- SEE ALSO: 1-prep/tasks/raspberry_pi.yml'
+- name: "Network prep, including partial setup of iptables (firewall) -- SEE ALSO: 1-prep/tasks/raspberry_pi.yml"
   include_tasks: network.yml
 
 - include_tasks: iiab-startup.yml
 
+
 # UNMAINTAINED
 #- include_tasks: centos.yml
 #  when: ansible_distribution == "CentOS"
@@ -39,6 +40,7 @@
 #    dest: /etc/profile.d/zzz_iiab.sh
 #    src: zzz_iiab.sh
 
+
 - name: Recording STAGE 2 HAS COMPLETED ==========================
   lineinfile:
     path: "{{ iiab_env_file }}"

roles/2-common/tasks/packages.yml

@@ -4,7 +4,7 @@
 - name: '2021-07-27: SEE ALSO 4-5 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/network.yml'
   meta: noop
 
-- name: "Install 21 common packages: acpid, avahi-daemon, bzip2, curl, gawk, htop, i2c-tools, libnss-mdns, logrotate, mlocate, net-tools, pandoc, pastebinit, python3-venv, rsync, sqlite3, tar, unzip, usbutils, wget, wpasupplicant"
+- name: "Install 21 common packages: acpid, avahi-daemon, bzip2, curl, gawk, htop, i2c-tools, libnss-mdns, logrotate, mlocate, net-tools, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget, wpasupplicant"
   package:
     name:
       - acpid              # Daemon for ACPI (power mgmt) events
@@ -26,7 +26,7 @@
       #- make              # 2021-07-27: Currently used by roles/pbx and no other roles
       - mlocate
       - net-tools          # 2021-04-26: @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output?
-      #- ntfs-3g           # 2021-07-27: RaspiOS installs this regardless -- but this should no longer be nec with 5.4+ kernels, similar to exfat packages above -- however, see also this symlink warning: https://superuser.com/questions/1050544/mount-with-kernel-ntfs-and-not-ntfs-3g
+      #- ntfs-3g           # 2021-07-31: RaspiOS installs this regardless -- but this should no longer be nec with 5.4+ kernels, similar to exfat packages above -- however, see also this symlink warning: https://superuser.com/questions/1050544/mount-with-kernel-ntfs-and-not-ntfs-3g -- and upcoming kernel 5.15 improvements: https://www.phoronix.com/scan.php?page=news_item&px=New-NTFS-Likely-For-Linux-5.15
       #- openssh-server    # ssh (Raspbian) or openssh-server (other OS's) already installed by 1-prep's roles/sshd/tasks/main.yml
       - pandoc             # For /usr/bin/iiab-refresh-wiki-docs
       - pastebinit         # For /usr/bin/iiab-diagnostics
@@ -35,7 +35,7 @@
       - rsync
       #- screen            # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
       - sqlite3
-      #- sudo              # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
+      - sudo
       - tar
       - unzip
       #- usbmount          # Moved to roles/usb_lib/tasks/install.yml

roles/4-server-options/tasks/main.yml

@@ -23,6 +23,7 @@
     name: sshd
   when: sshd_install
 
+
 # UNMAINTAINED
 - name: Install named / BIND
   include_tasks: roles/network/tasks/named.yml
@@ -38,6 +39,7 @@
   include_tasks: roles/network/tasks/squid.yml
   when: squid_install is defined and squid_install
 
+
 - name: Install Bluetooth - only on Raspberry Pi
   include_role:
     name: bluetooth
@@ -69,6 +71,7 @@
     name: www_options
   #when: www_options_install    # Flag might be created in future?
 
+
 - name: Recording STAGE 4 HAS COMPLETED ==================
   lineinfile:
     path: "{{ iiab_env_file }}"

roles/jupyterhub/tasks/enable-or-disable.yml

@@ -1,17 +1,14 @@
-- name: systemd daemon-reload
-  systemd:
-    daemon_reload: yes
-
-
 - name: Enable & Restart jupyterhub.service
   systemd:
+    daemon_reload: yes
     name: jupyterhub
     enabled: yes
     state: restarted
   when: jupyterhub_enabled
 
-- name: Disable jupyterhub.service
+- name: Disable & Stop jupyterhub.service
   systemd:
+    daemon_reload: yes
     name: jupyterhub
     enabled: no
     state: stopped

roles/nextcloud/README.md

@@ -1,4 +1,4 @@
-# Nextcloud
+# Nextcloud README
 
 Students and teachers can store their documents, calendars, contacts and photos locally within [Nextcloud](https://nextcloud.com), which is much like having a (local) version of Dropbox or Google Drive on your very own [Internet-in-a-Box](http://internet-in-a-box.org).
 

scripts/local_facts.fact

@@ -52,6 +52,7 @@ OS_VER=$OS-$VERSION_ID
     #"fedora-22"    | \
     #"debian-8"     | \
     #"debian-9"     | \
+    #"debian-10"    | \
     #"ubuntu-16"    | \
     #"ubuntu-17"    | \
     #"ubuntu-18"    | \
@@ -60,23 +61,23 @@ OS_VER=$OS-$VERSION_ID
     #"raspbian-8"   | \
     #"raspbian-9"   | \
 
-# 2020-10-21: Debian 11 (Bullseye) not yet supported but adding this line to
-# its /etc/os-release can help testing this unreleased OS: VERSION_ID="11"
-
 # 2021-06-19: Ubuntu 21.10 (Impish Indri) not yet supported but this
 # unreleased OS can help testing.  For now this means MANUALLY changing
 # php_version: 7.4 to 8.0 in /opt/iiab/iiab/vars/ubuntu-21.yml
 
+# 2020-07-31: Debian 12 (Bookworm) not yet supported but adding this line
+# to its /etc/os-release can help testing this upcoming OS: VERSION_ID="12"
+
 case $OS_VER in
-    "debian-10"    | \
     "debian-11"    | \
+    "debian-12"    | \
     "ubuntu-20"    | \
     "ubuntu-21"    | \
     "linuxmint-20" | \
     "raspbian-10"  | \
     "raspbian-11")
        ;;
-    *) OS_VER="OS_not_supported"
+    *) OS_VER="OS Not Supported -- Plz Read: https://github.com/iiab/iiab/wiki/IIAB-Platforms"
        ;;
 esac
 

vars/debian-12.yml

@@ -0,0 +1,29 @@
+# Every is_<OS> var is initially set to 'False' at the bottom of
+# /opt/iiab/iiab/vars/default_vars.yml -- these 'True' lines override that:
+is_debuntu: True
+is_debian: True    # Opposite of is_ubuntu for now
+is_debian_12: True
+
+# 2019-01-31: These apply if-only-if named_install and/or dhcpd_install are True
+# (This is quite rare now that vars/default_vars.yml sets dnsmasq_install: True)
+dns_service: bind9
+dhcp_service: isc-dhcp-server
+dns_user: bind
+
+proxy: squid
+proxy_user: proxy
+apache_service: apache2
+apache_conf_dir: apache2/sites-available
+apache_user: www-data
+apache_log_dir: /var/log/apache2
+smb_service: smbd
+nmb_service: nmbd
+systemctl_program: /bin/systemctl
+mysql_service: mariadb
+apache_log: /var/log/apache2/access.log
+sshd_package: openssh-server
+sshd_service: ssh
+php_version: 8.0
+postgresql_version: 13
+systemd_location: /lib/systemd/system
+python_ver: 3.9

vars/default_vars.yml

@@ -716,6 +716,7 @@ is_linuxmint: False    # Subset of is_ubuntu
 is_linuxmint_20: False
 
 is_debian: False    # Covers both: Debian, Raspberry Pi OS (Raspbian)
+is_debian_12: False
 is_debian_11: False
 is_debian_10: False
 is_debian_9: False