Merge pull request #192 from iiab/master

sync from iiab/iiab

roles/0-init/tasks/main.yml

@@ -135,21 +135,24 @@
 # For various reasons the mysql service cannot be enabled on Fedora 20, but
 # 'mariadb', which is its real name can.  On Fedora 18 we need to use 'mysqld'.
 
-- name: "Set mysql_service: mariadb by default"
-  set_fact:
-    mysql_service: mariadb
+# BETTER TO USE /opt/iiab/iiab/vars/<OS>.yml
+#- name: "Set mysql_service: mariadb by default"
+#  set_fact:
+#    mysql_service: mariadb
 
 - name: "Set mysql_service: mysqld etc (Fedora 18)"
   set_fact:
-    mysql_service: mysqld
+    # BETTER TO USE /opt/iiab/iiab/vars/<OS>.yml
+    #mysql_service: mysqld
     no_NM_reload: True
     is_F18: True
   when: (ansible_distribution_release == "based on Fedora 18" or ansible_distribution_version == "18") and ansible_distribution == "Fedora"
 
-- name: "Set mysql_service: mysql (debuntu)"
-  set_fact:
-    mysql_service: mysql
-  when: is_debuntu
+# BETTER TO USE /opt/iiab/iiab/vars/<OS>.yml
+#- name: "Set mysql_service: mysql (debuntu)"
+#  set_fact:
+#    mysql_service: mysql
+#  when: is_debuntu
 
 - name: "Set iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}"
   set_fact:
@@ -206,6 +209,10 @@
       value:  "{{ first_run }}"
     - option: local_tz
       value:  "{{ local_tz }}"
+    - option: no_NM_reload
+      value: "{{ no_NM_reload }}"
+    - option: is_F18
+      value: "{{ is_F18 }}"
     - option: FQDN_changed
       value:  "{{ FQDN_changed }}"
 

roles/2-common/tasks/packages.yml

@@ -33,7 +33,7 @@
     state: present
   when: is_debuntu
 
-- name: "Install 23 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, openssh-server, pandoc, rsync, sudo, tar, unzip, usbmount, usbutils, wget"
+- name: "Install 22 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, rsync, sudo, tar, unzip, usbmount, usbutils, wget"
   package:
     name:
       - acpid
@@ -52,7 +52,7 @@
       - netmask
       - net-tools
       - ntfs-3g
-      - openssh-server
+      #- openssh-server    # ssh (Raspbian) or openssh-server (other OS's) already installed by 1-prep's roles/sshd/tasks/main.yml
       - pandoc
       - rsync
       - sudo

roles/network/tasks/dnsmasq.yml

@@ -3,30 +3,18 @@
     name: dnsmasq
     state: present
 
-- name: Install /etc/dnsmasq.d/dnsmasq-iiab, allowing systemd-resolved AND dnsmasq to work (#1306)
+- name: Install /etc/dnsmasq.d/dnsmasq-iiab, allowing systemd-resolved AND dnsmasq to work (#1306) and custom unit file
   template:
-    src: roles/network/templates/network/dnsmasq-iiab
-    dest: /etc/dnsmasq.d/dnsmasq-iiab
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: "{{ item.mode }}"
+  with_items:
+   - { src: 'roles/network/templates/network/dnsmasq.service.u18', dest: '/etc/systemd/system/iiab-dnsmasq.service', mode: '0644' }
+   - { src: 'roles/network/templates/network/dnsmasq-iiab', dest: '/etc/dnsmasq.d/dnsmasq-iiab', mode: '644' }
 
-#- name: Stop dnsmasq
-#  service:
-#    name: dnsmasq
-#    state: stopped
-
-#- name: Configure dnsmasq
-#  template:
-#    src: "{{ item.src }}"
-#    dest: "{{ item.dest }}"
-#    owner: root
-#    group: root
-#    mode: "{{ item.mode }}"
-#  with_items:
-##   - { src: 'network/dnsmasq.service.rh', dest: '/etc/systemd/system/dnsmasq.service', mode: '0644' }
-#   - { src: 'roles/network/templates/network/dnsmasq.conf.j2', dest: '/etc/dnsmasq.conf', mode: '644' }
-
-#- name: Start dnsmasq
-#  systemd:
-#    name: dnsmasq
-#    state: restarted
-#    enabled: yes
-#    daemon_reload: yes
+- name: Don't use stock dnsmasq systemd unit file during boot
+  systemd:
+    name: dnsmasq
+    enabled: no

roles/network/tasks/enable_services.yml

@@ -47,24 +47,24 @@
     enabled: no
   when: not named_enabled and named_install
 
-- name: Disable dnsmasq, if not dnsmasq_enabled
-  systemd:
-    name: dnsmasq
-    enabled: no
-  when: not dnsmasq_enabled and dnsmasq_install
-
 - name: Install /etc/dnsmasq.conf from template, if dnsmasq_enabled
   template:
     src: network/dnsmasq.conf.j2
     dest: /etc/dnsmasq.conf
   when: dnsmasq_enabled and dnsmasq_install
 
-- name: Enable dnsmasq systemd service, if dnsmasq_enabled
+- name: Enable iiab-dnsmasq systemd service, if dnsmasq_enabled
   systemd:
-    name: dnsmasq
+    name: iiab-dnsmasq
     enabled: yes
   when: dnsmasq_enabled and dnsmasq_install
 
+- name: Disable iiab-dnsmasq, if not dnsmasq_enabled
+  systemd:
+    name: iiab-dnsmasq
+    enabled: no
+  when: not dnsmasq_enabled and dnsmasq_install
+
 - name: Enable DansGuardian systemd service, if dansguardian_enabled
   systemd:
     name: dansguardian

roles/network/tasks/main.yml

@@ -104,9 +104,16 @@
   tags:
     - network
 
-- name: NetworkManager in use (if ubuntu-18 and network_manager_active)
+- name: Netplan in use on ubuntu 18
+  include_tasks: netplan.yml
+  when: is_ubuntu_18
+#and not installing
+  tags:
+    - network
+
+- name: NetworkManager in use
   include_tasks: NM-debian.yml
-  when: is_ubuntu_18 and network_manager_active
+  when: is_debuntu and network_manager_active
 #and not installing
   tags:
     - network

roles/network/tasks/netplan.yml

@@ -0,0 +1,70 @@
+# netplan.yml
+- name: Figure out netplan file name on Ubuntu 18
+  shell: ls /etc/netplan
+  register: netplan
+
+- name: Disable cloud-init the easy way
+  shell: touch /etc/cloud/cloud-init.disabled
+  when: ("item" == "50-cloud-init.yaml")
+  with_items:
+    - "{{ netplan.stdout_lines }}"
+
+- name: Remove stock netplan template
+  file:
+    state: absent
+    dest: /etc/netplan/{{ item }}
+  with_items:
+    - "{{ netplan.stdout_lines }}"
+  when: netplan.stdout.find("yaml") != -1
+
+- name: Cheap way to do systemd unmask
+  file:
+    state: absent
+    dest: /etc/systemd/system/systemd-networkd-wait-online.service
+
+- name: Ensure systemd-networkd-wait-online is enabled
+  systemd:
+    name: "{{ item }}"
+    enabled: yes
+  with_items:
+    - systemd-networkd-wait-online
+  when: systemd_networkd_active
+
+# ICO will always set gui_static_wan_ip away from the default of 'unset' while
+# gui_static_wan turns dhcp on/off through wan_ip in computed_network and
+# overrides gui_static_wan_ip that is present. Changing wan_ip in local_vars
+# is a oneway street to static.
+- name: Static IP computing CIDR
+  shell: netmask {{ wan_ip }}/{{ wan_netmask }} | awk -F "/" '{print $2}'
+  register: CIDR
+  when: wan_ip != "dhcp"
+
+- name: Static IP setting CIDR
+  set_fact:
+    wan_cidr: "{{ CIDR.stdout }}"
+  when: wan_ip != "dhcp"
+
+- name: Supply netplan template
+  template:
+    dest: /etc/netplan/01-iiab-config.yaml
+    src: network/netplan.j2
+    backup: no
+
+# should blow up here if we messed up the yml file
+#- name: Generate netplan config
+#  shell: netplan generate --debug
+
+#- name: Stopping services
+#  include_tasks: down-debian.yml
+
+# wants a controlling terminal for the ENTER key, so it fails
+#- name: Test netplan config
+#  shell: netplan try --debug --timeout=2
+#  register: test-netplan
+#  ignore_errors: True
+
+# and does not apply the generated config until rebooted
+# or ignore the above test - on the fence atm...
+#- name: Reload netplan
+#  shell: netplan apply
+#  when: not no_net_restart and test-netplan == "Configuration accepted"

roles/network/tasks/sysd-netd-debian.yml

@@ -17,16 +17,11 @@
     src: network/systemd-br0-slave.j2
   when: iiab_wired_lan_iface is defined and iiab_lan_iface == "br0"
 
-- name: Stopping services
-  include_tasks: down-debian.yml
-
-- name: Disable and mask systemd-networkd-wait-online
-  systemd:
-    name: systemd-networkd-wait-online
-    enabled: no
-    masked: yes
-    state: stopped
-  when: is_ubuntu_18
+- name: Remove static WAN template
+  file:
+    state: absent
+    dest: /etc/systemd/network/IIAB-Static.network
+  when: wan_ip == "dhcp"
 
 - name: Static IP computing CIDR
   shell: netmask {{ wan_ip }}/{{ wan_netmask }} | awk -F "/" '{print $2}'
@@ -38,34 +33,15 @@
     wan_cidr: "{{ CIDR.stdout }}"
   when: wan_ip != "dhcp"
 
-- name: Figure out netplan file name on Ubuntu 18
-  shell: ls /etc/netplan
-  register: netplan
-  when: is_ubuntu_18
-
-# ICO will always set gui_static_wan_ip away from the default of 'unset' while
-# gui_static_wan turns dhcp on/off through wan_ip in computed_network and
-# overrides gui_static_wan_ip that is present. Changing wan_ip in local_vars
-# is a oneway street to static.
-- name: Supply static template
-  template:
-    dest:  /etc/netplan/{{ netplan.stdout }}
-    src: network/cloud-init.j2
-    backup: no
-  when: (wan_ip != "dhcp" or gui_static_wan_ip == "undefined") and is_ubuntu_18
-
-- name: Remove static WAN template
-  file:
-    state: absent
-    dest: /etc/systemd/network/IIAB-Static.network
-  when: wan_ip == "dhcp" and not is_ubuntu_18
-
 - name: Supply static WAN template
   template:
     dest: /etc/systemd/network/IIAB-Static.network
     src: network/systemd-static-net.j2
   when: wan_ip != "dhcp" and not is_ubuntu_18
 
+- name: Stopping services
+  include_tasks: down-debian.yml
+
 - name: Reload systemd
   systemd:
     daemon_reload: yes

roles/network/templates/hostapd/hostapd.service.j2

@@ -1,6 +1,7 @@
 [Unit]
 Description=Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
-After=network-online.target
+Before=network.target
+Wants=network-pre.target
 
 [Service]
 Type=idle

roles/network/templates/network/cloud-init.j2

@@ -1,23 +0,0 @@
-{% if wan_ip != "dhcp" %}
-network:
-    ethernets:
-        {{ iiab_wan_iface }}:
-            addresses:
-            - {{ wan_ip }}/{{ wan_cidr }}
-            gateway4: {{ wan_gateway }}
-            nameservers:
-               addresses:
-               - {{ wan_nameserver }}
-               search:
-               - {{ iiab_domain }}
-            optional: true
-    version: 2
-{% else %}
-network:
-    ethernets:
-        {{ iiab_wan_iface }}:
-            addresses: []
-            dhcp4: true
-            optional: true
-    version: 2
-{% endif %}

roles/network/templates/network/dnsmasq.service.u18

@@ -0,0 +1,11 @@
+[Unit]
+Description=Network iiab-dnsmasq
+After=network-online.target
+Requires=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/systemctl start dnsmasq
+
+[Install]
+WantedBy=multi-user.target

roles/network/templates/network/iiab-hotspot-off

@@ -2,8 +2,8 @@
 sed -i -e "s/^denyinterfaces/#denyinterfaces/" /etc/dhcpcd.conf
 systemctl disable hostapd
 systemctl stop hostapd
-systemctl disable dhcpd
-systemctl stop dhcpd
+systemctl disable dnsmasq
+systemctl stop dnsmasq
 systemctl daemon-reload
 systemctl restart dhcpcd
 systemctl restart networking

roles/network/templates/network/iiab-hotspot-on

@@ -2,12 +2,12 @@
 cp -f /etc/hostapd/hostapd.conf.iiab /etc/hostapd/hostapd.conf
 sed -i -e "s/^#denyinterfaces/denyinterfaces/" /etc/dhcpcd.conf
 systemctl enable hostapd
-systemctl enable dhcpd
+systemctl enable dnsmasq
 systemctl daemon-reload
 systemctl restart dhcpcd
 systemctl restart networking
 systemctl start hostapd
-systemctl start dhcpd
+systemctl start dnsmasq
 
 # Temporary promiscuous-mode workaround for RPi's WiFi "10SEC disease"
 # Disable "promiscuous" on wlan0 when AP (i.e. no WiFi gateway)

roles/network/templates/network/netplan.j2

@@ -0,0 +1,37 @@
+network:
+  version: 2
+{% if network_manager_active %}
+  renderer: NetworkManager
+{% else  %}
+  renderer: networkd
+{% endif %}
+  ethernets:
+    {{ iiab_wan_iface }}:
+{% if wan_ip != "dhcp" %}
+      addresses:
+      - {{ wan_ip }}/{{ wan_cidr }}
+      gateway4: {{ wan_gateway }}
+      nameservers:
+        addresses:
+        - {{ wan_nameserver }}
+      search:
+      - {{ iiab_domain }}
+{% else %}
+      dhcp4: yes
+{% endif %}
+#{% if iiab_lan_iface == "br0" %}
+#    bridges:
+#      # the key name is the name for virtual (created) interfaces
+#        br0:
+#        # IDs of the components; switchports expands into multiple interfaces
+#        # interfaces: [switchports]
+#            # should really compute the netmask like the wan side
+#            addresses: [ {{ lan_ip }}/19]
+#            # there should really not be a gateway present testing to prove
+#            gateway4: {{ lan_ip }}
+#            nameservers:
+#                addresses: [{{ lan_ip }}]
+#            parameters:
+#                forward-delay: 0
+#                stp: false
+#{% endif %}

roles/sshd/tasks/main.yml

@@ -1,9 +1,16 @@
+- name: Install ssh daemon
+  package:
+    name: "{{ sshd_package }}"
+    state: present
+  when: sshd_enabled
+
 - name: Disable root login with password
   lineinfile:
     dest: /etc/ssh/sshd_config
     regexp: '^PermitRootLogin'
     line: 'PermitRootLogin without-password'
     state: present
+  when: sshd_enabled
 #TODO: use handler to reload ssh
 
 - name: Create root .ssh
@@ -25,14 +32,14 @@
     force: no
   when: sshd_enabled
 
-- name: Enable & start sshd
+- name: Enable & start ssh daemon
   service:
     name: "{{ sshd_service }}"
     enabled: yes
     state: started
   when: sshd_enabled
 
-- name: Disable sshd
+- name: Disable ssh daemon
   service:
     name: "{{ sshd_service }}"
     enabled: no

vars/centos-7.yml

@@ -14,6 +14,7 @@ systemctl_program: /usr/bin/systemctl
 mysql_service: mariadb
 dhcp_service: dhcpd
 apache_log: /var/log/httpd/access_log
+sshd_package: openssh-server
 sshd_service: sshd
 php_version: 7.0
 postgresql_version: 9.5

vars/debian-10.yml

@@ -15,6 +15,7 @@ nmb_service: nmbd
 systemctl_program: /bin/systemctl
 mysql_service: mariadb
 apache_log: /var/log/apache2/access.log
+sshd_package: openssh-server
 sshd_service: ssh
 php_version: 7.1
 postgresql_version: 10

vars/debian-8.yml

@@ -14,6 +14,7 @@ nmb_service: nmbd
 systemctl_program: /bin/systemctl
 mysql_service: mysql
 apache_log: /var/log/apache2/access.log
+sshd_package: openssh-server
 sshd_service: ssh
 php_version: 5
 postgresql_version: 9.4

vars/debian-9.yml

@@ -13,8 +13,9 @@ apache_log_dir: /var/log/apache2
 smb_service: smbd
 nmb_service: nmbd
 systemctl_program: /bin/systemctl
-mysql_service: mysql
+mysql_service: mariadb
 apache_log: /var/log/apache2/access.log
+sshd_package: openssh-server
 sshd_service: ssh
 php_version: 7.0
 postgresql_version: 9.6

vars/fedora-18.yml

@@ -10,10 +10,11 @@ apache_log_dir: /var/log/httpd
 smb_service: smb
 nmb_service: nmb
 systemctl_program: /usr/bin/systemctl
-mysql_service: mariadb
+mysql_service: mysqld
 apache_log: /var/log/httpd/access_log
 apache_log_dir: /var/log/httpd
 php_version: 5
+sshd_package: openssh-server
 sshd_service: sshd
 nextcloud_install: False
 nextcloud_enabled: False

vars/fedora-22.yml

@@ -12,6 +12,7 @@ nmb_service: nmb
 systemctl_program: /usr/bin/systemctl
 mysql_service: mariadb
 apache_log: /var/log/httpd/access_log
+sshd_package: openssh-server
 sshd_service: sshd
 systemd_location: /usr/lib/systemd/system
 # Upgrade OS's own Calibre to very latest:

vars/raspbian-8.yml

@@ -16,6 +16,7 @@ nmb_service: nmbd
 systemctl_program: /bin/systemctl
 mysql_service: mysql
 apache_log: /var/log/apache2/access.log
+sshd_package: ssh
 sshd_service: ssh
 php_version: 5
 postgresql_version: 9.4

vars/raspbian-9.yml

@@ -15,8 +15,9 @@ apache_log_dir: /var/log/apache2
 smb_service: smbd
 nmb_service: nmbd
 systemctl_program: /bin/systemctl
-mysql_service: mysql
+mysql_service: mariadb
 apache_log: /var/log/apache2/access.log
+sshd_package: ssh
 sshd_service: ssh
 php_version: 7.0
 postgresql_version: 9.6

vars/ubuntu-16.yml

@@ -15,6 +15,7 @@ nmb_service: nmbd
 systemctl_program: /bin/systemctl
 mysql_service: mysql
 apache_log: /var/log/apache2/access.log
+sshd_package: openssh-server
 sshd_service: ssh
 php_version: 7.0
 postgresql_version: 9.5

vars/ubuntu-17.yml

@@ -15,6 +15,7 @@ systemctl_program: /bin/systemctl
 # issue raised 
 mysql_service: mysql
 apache_log: /var/log/apache2/access.log
+sshd_package: openssh-server
 sshd_service: ssh
 php_version: 7.1
 postgresql_version: 9.6

vars/ubuntu-18.yml

@@ -14,8 +14,9 @@ smb_service: smbd
 nmb_service: nmbd
 systemctl_program: /bin/systemctl
 # issue raised 
-mysql_service: mysql
+mysql_service: mariadb
 apache_log: /var/log/apache2/access.log
+sshd_package: openssh-server
 sshd_service: ssh
 php_version: 7.2
 # "postgresql_version: 10.3" fails (too detailed for /etc/systemd/system/postgresql-iiab.service on Ubuntu 18.04)