commit
d486e5f9ba
20 changed files with 205 additions and 172 deletions
|
@ -96,46 +96,6 @@
|
||||||
gui_port: 443
|
gui_port: 443
|
||||||
when: adm_cons_force_ssl | bool
|
when: adm_cons_force_ssl | bool
|
||||||
|
|
||||||
- name: Turn on both vars for MySQL (mandatory in Stage 3!)
|
|
||||||
set_fact:
|
|
||||||
mysql_install: True
|
|
||||||
mysql_enabled: True
|
|
||||||
|
|
||||||
# We decided to enable mysql unconditionally.
|
|
||||||
# when: elgg_enabled or rachel_enabled or owncloud_enabled or phpmyadmin_enabled or wordpress_enabled or iiab_menu_install
|
|
||||||
|
|
||||||
- name: "Set python_path: /lib/python2.7/site-packages/ (redhat)"
|
|
||||||
set_fact:
|
|
||||||
python_path: /lib/python2.7/site-packages/
|
|
||||||
when: is_redhat | bool
|
|
||||||
|
|
||||||
- name: "Set python_path: /usr/local/lib/python2.7/dist-packages/ (debuntu)"
|
|
||||||
set_fact:
|
|
||||||
python_path: /usr/local/lib/python2.7/dist-packages/
|
|
||||||
when: is_debuntu | bool
|
|
||||||
|
|
||||||
# For various reasons the mysql service cannot be enabled on Fedora 20, but
|
|
||||||
# 'mariadb', which is its real name can. On Fedora 18 we need to use 'mysqld'.
|
|
||||||
|
|
||||||
# BETTER TO USE /opt/iiab/iiab/vars/<OS>.yml
|
|
||||||
#- name: "Set mysql_service: mariadb by default"
|
|
||||||
# set_fact:
|
|
||||||
# mysql_service: mariadb
|
|
||||||
|
|
||||||
- name: "Set mysql_service: mysqld etc (Fedora 18)"
|
|
||||||
set_fact:
|
|
||||||
# BETTER TO USE /opt/iiab/iiab/vars/<OS>.yml
|
|
||||||
#mysql_service: mysqld
|
|
||||||
no_NM_reload: True
|
|
||||||
is_F18: True
|
|
||||||
when: (ansible_distribution_release == "based on Fedora 18" or ansible_distribution_version == "18") and ansible_distribution == "Fedora"
|
|
||||||
|
|
||||||
# BETTER TO USE /opt/iiab/iiab/vars/<OS>.yml
|
|
||||||
#- name: "Set mysql_service: mysql (debuntu)"
|
|
||||||
# set_fact:
|
|
||||||
# mysql_service: mysql
|
|
||||||
# when: is_debuntu | bool
|
|
||||||
|
|
||||||
- name: "Set iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}"
|
- name: "Set iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}"
|
||||||
set_fact:
|
set_fact:
|
||||||
iiab_fqdn: "{{ iiab_hostname }}.{{ iiab_domain }}"
|
iiab_fqdn: "{{ iiab_hostname }}.{{ iiab_domain }}"
|
||||||
|
|
|
@ -42,7 +42,7 @@
|
||||||
# are officially now UNMAINTAINED in default_vars.yml and
|
# are officially now UNMAINTAINED in default_vars.yml and
|
||||||
# https://github.com/iiab/iiab/blob/master/unmaintained-roles.txt etc?
|
# https://github.com/iiab/iiab/blob/master/unmaintained-roles.txt etc?
|
||||||
|
|
||||||
- name: Set vars_checklist for 53 + 53 + up-to-53 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
|
- name: Set vars_checklist for 47 + 47 + up-to-47 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
|
||||||
set_fact:
|
set_fact:
|
||||||
vars_checklist:
|
vars_checklist:
|
||||||
- hostapd
|
- hostapd
|
||||||
|
@ -55,12 +55,11 @@
|
||||||
- sshd
|
- sshd
|
||||||
- openvpn
|
- openvpn
|
||||||
- admin_console
|
- admin_console
|
||||||
- nginx
|
#- nginx # MANDATORY
|
||||||
- apache
|
#- apache # Dependency installed on demand, by other apps/services
|
||||||
- mysql
|
#- mysql # MANDATORY
|
||||||
- squid
|
- squid
|
||||||
- dansguardian
|
- dansguardian
|
||||||
- postgresql
|
|
||||||
- cups
|
- cups
|
||||||
- samba
|
- samba
|
||||||
- usb_lib
|
- usb_lib
|
||||||
|
@ -76,7 +75,7 @@
|
||||||
- lokole
|
- lokole
|
||||||
- mediawiki
|
- mediawiki
|
||||||
- mosquitto
|
- mosquitto
|
||||||
- nodejs
|
#- nodejs # Dependency installed on demand, by other apps/services
|
||||||
- nodered
|
- nodered
|
||||||
- nextcloud
|
- nextcloud
|
||||||
- pbx
|
- pbx
|
||||||
|
@ -84,8 +83,9 @@
|
||||||
- kalite
|
- kalite
|
||||||
- kolibri
|
- kolibri
|
||||||
- kiwix
|
- kiwix
|
||||||
|
#- postgresql # Dependency installed on demand, by other apps/services
|
||||||
- moodle
|
- moodle
|
||||||
- mongodb
|
#- mongodb # Dependency installed on demand, by other apps/services
|
||||||
- sugarizer
|
- sugarizer
|
||||||
- osm_vector_maps
|
- osm_vector_maps
|
||||||
- transmission
|
- transmission
|
||||||
|
@ -94,6 +94,7 @@
|
||||||
- munin
|
- munin
|
||||||
- phpmyadmin
|
- phpmyadmin
|
||||||
- vnstat
|
- vnstat
|
||||||
|
#- yarn # Dependency installed on demand, by other apps/services
|
||||||
- internetarchive
|
- internetarchive
|
||||||
- minetest
|
- minetest
|
||||||
- calibre
|
- calibre
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
- name: dnsmasq (install now, configure LATER in 'network', after Stage 9)
|
- name: dnsmasq (install now, configure LATER in 'network', after Stage 9)
|
||||||
include_tasks: roles/network/tasks/dnsmasq.yml
|
include_tasks: roles/network/tasks/dnsmasq.yml
|
||||||
#when: dnsmasq_install | bool
|
#when: dnsmasq_install | bool # Flag might be used in future?
|
||||||
|
|
||||||
- name: Install uuid-runtime package (debuntu)
|
- name: Install uuid-runtime package (debuntu)
|
||||||
package:
|
package:
|
||||||
|
@ -75,10 +75,11 @@
|
||||||
shell: apt -y remove "libgeos-*"
|
shell: apt -y remove "libgeos-*"
|
||||||
when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist
|
when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist
|
||||||
|
|
||||||
|
# Required by OpenVPN below. Also run by roles/4-server-options/tasks/main.yml
|
||||||
- name: SSHD
|
- name: SSHD
|
||||||
include_role:
|
include_role:
|
||||||
name: sshd
|
name: sshd
|
||||||
#when: sshd_install | bool # Flag might be created in future?
|
when: sshd_install | bool
|
||||||
|
|
||||||
- name: IIAB-ADMIN
|
- name: IIAB-ADMIN
|
||||||
include_role:
|
include_role:
|
||||||
|
|
|
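Review bot: In the SSHD task of the second hunk, the newly active `when: sshd_install | bool` lets a host with `sshd_install: False` skip the role silently, although the comment added just above says sshd is required by OpenVPN and roles/sshd/tasks/main.yml in this same commit asserts `sshd_install is sameas true`. The `when` is evaluated before the role is entered, so that assert can never report the False case; it only catches truthy non-boolean values such as a quoted string. If sshd is meant to be mandatory, drop the condition here so the assert fails loudly. Otherwise extend the comment, e.g. `# Required by OpenVPN below; skipped entirely if sshd_install is False`. The task list continues outside the hunk.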
@ -40,7 +40,7 @@
|
||||||
- htop
|
- htop
|
||||||
- i2c-tools
|
- i2c-tools
|
||||||
- logrotate
|
- logrotate
|
||||||
#- lynx # Already installed by 1-prep's roles/iiab-admin/tasks/access.yml
|
#- lynx # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
|
||||||
- make
|
- make
|
||||||
- mlocate
|
- mlocate
|
||||||
- netmask
|
- netmask
|
||||||
|
@ -50,6 +50,7 @@
|
||||||
- pandoc
|
- pandoc
|
||||||
- pastebinit
|
- pastebinit
|
||||||
- rsync
|
- rsync
|
||||||
|
#- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
|
||||||
- sqlite3
|
- sqlite3
|
||||||
- sudo
|
- sudo
|
||||||
- tar
|
- tar
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
- name: MYSQL
|
- name: MYSQL
|
||||||
include_role:
|
include_role:
|
||||||
name: mysql
|
name: mysql
|
||||||
when: mysql_install | bool
|
#when: mysql_install | bool
|
||||||
|
|
||||||
# 2020-05-21: Apache role 'httpd' is installed as nec by any of these 7 roles:
|
# 2020-05-21: Apache role 'httpd' is installed as nec by any of these 7 roles:
|
||||||
#
|
#
|
||||||
|
@ -22,7 +22,7 @@
|
||||||
- name: NGINX
|
- name: NGINX
|
||||||
include_role:
|
include_role:
|
||||||
name: nginx
|
name: nginx
|
||||||
when: nginx_install | bool
|
#when: nginx_install | bool
|
||||||
|
|
||||||
- name: WWW_BASE (WWW_OPTIONS should be installed later)
|
- name: WWW_BASE (WWW_OPTIONS should be installed later)
|
||||||
include_role:
|
include_role:
|
||||||
|
|
|
@ -18,6 +18,12 @@
|
||||||
name: pylibs
|
name: pylibs
|
||||||
#when: pylibs_install | bool # Flag might be created in future?
|
#when: pylibs_install | bool # Flag might be created in future?
|
||||||
|
|
||||||
|
# Also run by roles/1-prep/tasks/main.yml as required by OpenVPN.
|
||||||
|
- name: SSHD
|
||||||
|
include_role:
|
||||||
|
name: sshd
|
||||||
|
when: sshd_install | bool
|
||||||
|
|
||||||
- name: Install named / BIND
|
- name: Install named / BIND
|
||||||
include_tasks: roles/network/tasks/named.yml
|
include_tasks: roles/network/tasks/named.yml
|
||||||
when: named_install | bool
|
when: named_install | bool
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
|
# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
|
||||||
|
|
||||||
mediawiki_major_version: 1.34 # "1.34" also works
|
mediawiki_major_version: 1.34 # "1.34" also works
|
||||||
mediawiki_minor_version: 3
|
mediawiki_minor_version: 4
|
||||||
mediawiki_version: "{{ mediawiki_major_version }}.{{ mediawiki_minor_version }}"
|
mediawiki_version: "{{ mediawiki_major_version }}.{{ mediawiki_minor_version }}"
|
||||||
|
|
||||||
mediawiki_download_base_url: "https://releases.wikimedia.org/mediawiki/{{ mediawiki_major_version }}"
|
mediawiki_download_base_url: "https://releases.wikimedia.org/mediawiki/{{ mediawiki_major_version }}"
|
||||||
|
|
|
@ -40,8 +40,9 @@
|
||||||
# enabled: no
|
# enabled: no
|
||||||
# when: not moodle_enabled and not (pathagar_enabled is defined and pathagar_enabled)
|
# when: not moodle_enabled and not (pathagar_enabled is defined and pathagar_enabled)
|
||||||
|
|
||||||
- name: "Set 'postgresql_enabled: True' if moodle_enabled"
|
- name: "Set 'postgresql_install: True' and 'postgresql_enabled: True' if moodle_enabled"
|
||||||
set_fact:
|
set_fact:
|
||||||
|
postgresql_install: True
|
||||||
postgresql_enabled: True
|
postgresql_enabled: True
|
||||||
when: moodle_enabled | bool
|
when: moodle_enabled | bool
|
||||||
|
|
||||||
|
|
|
@ -43,7 +43,7 @@
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/avahi/services/ssh.service
|
dest: /etc/avahi/services/ssh.service
|
||||||
regexp: '</port>$'
|
regexp: '</port>$'
|
||||||
line: ' <port>{{ ssh_port }}</port>'
|
line: ' <port>{{ sshd_port }}</port>'
|
||||||
state: present
|
state: present
|
||||||
backrefs: yes
|
backrefs: yes
|
||||||
|
|
||||||
|
|
|
@ -46,7 +46,7 @@ echo -e "WAN: $wan\n"
|
||||||
ports_externally_visible={{ ports_externally_visible }}
|
ports_externally_visible={{ ports_externally_visible }}
|
||||||
#services_externally_visible= [deprecated]
|
#services_externally_visible= [deprecated]
|
||||||
gw_block_https={{ gw_block_https }}
|
gw_block_https={{ gw_block_https }}
|
||||||
ssh_port={{ ssh_port }}
|
sshd_port={{ sshd_port }}
|
||||||
#gui_wan= [no longer needed]
|
#gui_wan= [no longer needed]
|
||||||
gui_port={{ gui_port }}
|
gui_port={{ gui_port }}
|
||||||
iiab_gateway_enabled={{ iiab_gateway_enabled }}
|
iiab_gateway_enabled={{ iiab_gateway_enabled }}
|
||||||
|
@ -132,7 +132,7 @@ if [ "$wan" != "none" ]; then
|
||||||
|
|
||||||
# 1 = ssh only
|
# 1 = ssh only
|
||||||
if [ "$ports_externally_visible" -ge 1 ]; then
|
if [ "$ports_externally_visible" -ge 1 ]; then
|
||||||
$IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
|
$IPTABLES -A INPUT -p tcp --dport $sshd_port -m state --state NEW -i $wan -j ACCEPT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# 2 = ssh + http-or-https (for Admin Console's box.lan/admin too)
|
# 2 = ssh + http-or-https (for Admin Console's box.lan/admin too)
|
||||||
|
|
|
@ -10,7 +10,7 @@
|
||||||
|
|
||||||
2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX.
|
2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX.
|
||||||
|
|
||||||
3. Current state of IIAB App/Service migrations as of 2020-09-22:
|
3. Current state of IIAB App/Service migrations as of 2020-09-24:
|
||||||
|
|
||||||
1. These support "Native" NGINX but ***NOT*** Apache
|
1. These support "Native" NGINX but ***NOT*** Apache
|
||||||
* Admin Console
|
* Admin Console
|
||||||
|
@ -20,7 +20,7 @@
|
||||||
* OER2Go/RACHEL modules
|
* OER2Go/RACHEL modules
|
||||||
* usb_lib
|
* usb_lib
|
||||||
|
|
||||||
2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!) Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service. But if you want to attempt their "Shim" proxying legacy testing mode, try setting your *primary web server* to Apache using `apache_install: True` and `apache_enabled: True` (and `nginx_enabled: False` to disable NGINX) in [/etc/iiab/local_vars.yml](http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F) before you install IIAB. You may also need to run `cd /opt/iiab/iiab; ./runrole httpd` since this has been removed from [roles/3-base-server/tasks/main.yml](https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml)
|
2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!) Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service:<!--But if you want to attempt their "Shim" proxying legacy testing mode, try setting your *primary web server* to Apache using `apache_install: True` and `apache_enabled: True` (and `nginx_enabled: False` to disable NGINX) in [/etc/iiab/local_vars.yml](http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F) before you install IIAB. You may also need to run `cd /opt/iiab/iiab; ./runrole httpd` since this has been removed from [roles/3-base-server/tasks/main.yml](https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml)-->
|
||||||
* awstats
|
* awstats
|
||||||
* calibre-web
|
* calibre-web
|
||||||
* gitea
|
* gitea
|
||||||
|
@ -48,9 +48,10 @@
|
||||||
* mosquitto
|
* mosquitto
|
||||||
* openvpn
|
* openvpn
|
||||||
* pbx [*, requires Apache for now, as in Section iii.]
|
* pbx [*, requires Apache for now, as in Section iii.]
|
||||||
* phpmyadmin [requires Apache for now, as in Section iii.]
|
* phpmyadmin [*, requires Apache for now, as in Section iii.]
|
||||||
* samba
|
* samba
|
||||||
|
* sshd
|
||||||
* transmission
|
* transmission
|
||||||
* vnstat
|
* vnstat
|
||||||
|
|
||||||
[*] The 3 above starred roles could use improvement, as of 2020-09-22.
|
[*] The 4 above starred roles could use improvement, as of 2020-09-24.
|
||||||
|
|
15
roles/sshd/tasks/enable-or-disable.yml
Normal file
15
roles/sshd/tasks/enable-or-disable.yml
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
- name: Enable & (Re)Start ssh daemon ({{ sshd_service }}) if sshd_enabled
|
||||||
|
systemd:
|
||||||
|
daemon_reload: yes
|
||||||
|
name: "{{ sshd_service }}"
|
||||||
|
enabled: yes
|
||||||
|
state: restarted
|
||||||
|
when: sshd_enabled | bool
|
||||||
|
|
||||||
|
- name: Disable & Stop ssh daemon ({{ sshd_service }}) if not sshd_enabled
|
||||||
|
systemd:
|
||||||
|
daemon_reload: yes
|
||||||
|
name: "{{ sshd_service }}"
|
||||||
|
enabled: no
|
||||||
|
state: stopped
|
||||||
|
when: not sshd_enabled
|
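Review bot: The disable task's `when: not sshd_enabled` lacks the `| bool` filter that the enable task uses, so the two conditions are not exact opposites when the value is not a real boolean. With the quoted string 'False' both evaluate to false and the daemon is left in whatever state it was in; main.yml asserts the type first, but this file can also be included on its own. Write `when: not (sshd_enabled | bool)`. Separately, `state: restarted` restarts sshd on every run, and this commit includes the role from both 1-prep and 4-server-options. A handler notified by the sshd_config edit (already listed in the install.yml TODO) would restart it only when the configuration changed.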
55
roles/sshd/tasks/install.yml
Normal file
55
roles/sshd/tasks/install.yml
Normal file
|
@ -0,0 +1,55 @@
|
||||||
|
# TODO:
|
||||||
|
#
|
||||||
|
# 1) Implement sshd_port IF it's truly needed? Mentioned here as of 2020-09-24:
|
||||||
|
#
|
||||||
|
# vars/default_vars.yml Line 212
|
||||||
|
# roles/sshd/tasks/main.yml Lines 41-42
|
||||||
|
# roles/network/tasks/avahi.yml Line 46
|
||||||
|
# roles/network/templates/gateway/iiab-gen-iptables Line 49 & 135
|
||||||
|
#
|
||||||
|
# 2) Use Ansible handler to reload ssh?
|
||||||
|
|
||||||
|
- name: "Install ssh daemon using package: {{ sshd_package }}"
|
||||||
|
package:
|
||||||
|
name: "{{ sshd_package }}"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Disable password-based logins to root
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
regexp: '^PermitRootLogin'
|
||||||
|
line: 'PermitRootLogin without-password'
|
||||||
|
state: present
|
||||||
|
#when: sshd_enabled | bool
|
||||||
|
|
||||||
|
- name: mkdir /root/.ssh
|
||||||
|
file:
|
||||||
|
state: directory
|
||||||
|
path: /root/.ssh
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0700'
|
||||||
|
#when: sshd_enabled | bool
|
||||||
|
|
||||||
|
- name: Install dummy root keys as placeholder
|
||||||
|
copy:
|
||||||
|
src: dummy_authorized_keys
|
||||||
|
dest: /root/.ssh/authorized_keys
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0600'
|
||||||
|
force: no
|
||||||
|
#when: sshd_enabled | bool
|
||||||
|
|
||||||
|
|
||||||
|
# RECORD sshd AS INSTALLED
|
||||||
|
|
||||||
|
- name: "Set 'sshd_installed: True'"
|
||||||
|
set_fact:
|
||||||
|
sshd_installed: True
|
||||||
|
|
||||||
|
- name: "Add 'sshd_installed: True' to {{ iiab_state_file }}"
|
||||||
|
lineinfile:
|
||||||
|
path: "{{ iiab_state_file }}" # /etc/iiab/iiab_state.yml
|
||||||
|
regexp: '^sshd_installed'
|
||||||
|
line: 'sshd_installed: True'
|
|
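Review bot: The `Disable password-based logins to root` task edits /etc/ssh/sshd_config without validating the result, and it writes `PermitRootLogin without-password`, which OpenSSH 7.0 and later keep only as a deprecated alias. Add `validate: '/usr/sbin/sshd -t -f %s'` to the lineinfile so a config that does not parse is never put in place, and use `line: 'PermitRootLogin prohibit-password'` if every supported OS ships OpenSSH 7.0 or newer. The `Install dummy root keys as placeholder` task should carry a comment stating what `dummy_authorized_keys` contains. Its content is not visible here, and if it held a usable public key, every install would trust that key for root logins.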
@ -1,61 +1,44 @@
|
||||||
- name: "Install ssh daemon using package: {{ sshd_package }}"
|
# "How do i fail a task in Ansible if the variable contains a boolean value?
|
||||||
package:
|
# I want to perform input validation for Ansible playbooks"
|
||||||
name: "{{ sshd_package }}"
|
# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Disable password-based logins to root
|
# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
|
||||||
lineinfile:
|
# to re-check whether vars are defined here. As Ansible vars cannot be unset:
|
||||||
dest: /etc/ssh/sshd_config
|
# https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible
|
||||||
regexp: '^PermitRootLogin'
|
|
||||||
line: 'PermitRootLogin without-password'
|
|
||||||
state: present
|
|
||||||
#when: sshd_enabled | bool
|
|
||||||
#TODO: use handler to reload ssh
|
|
||||||
|
|
||||||
- name: mkdir /root/.ssh
|
- name: Assert that "sshd_install is sameas true" (boolean not string etc)
|
||||||
file:
|
assert:
|
||||||
state: directory
|
that: sshd_install is sameas true
|
||||||
path: /root/.ssh
|
fail_msg: "PLEASE SET 'sshd_install: True' e.g. IN: /etc/iiab/local_vars.yml"
|
||||||
owner: root
|
quiet: yes
|
||||||
group: root
|
|
||||||
mode: '0700'
|
|
||||||
#when: sshd_enabled | bool
|
|
||||||
|
|
||||||
- name: Install dummy root keys as placeholder
|
- name: Assert that "sshd_enabled | type_debug == 'bool'" (boolean not string etc)
|
||||||
copy:
|
assert:
|
||||||
src: dummy_authorized_keys
|
that: sshd_enabled | type_debug == 'bool'
|
||||||
dest: /root/.ssh/authorized_keys
|
fail_msg: "PLEASE GIVE VARIABLE 'sshd_enabled' A PROPER (UNQUOTED) ANSIBLE BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
|
||||||
owner: root
|
quiet: yes
|
||||||
group: root
|
|
||||||
mode: '0600'
|
|
||||||
force: no
|
|
||||||
#when: sshd_enabled | bool
|
|
||||||
|
|
||||||
|
|
||||||
# RECORD sshd AS INSTALLED
|
- name: Install sshd if 'sshd_installed' not defined, e.g. in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml
|
||||||
|
include_tasks: install.yml
|
||||||
- name: "Set 'sshd_installed: True'"
|
when: sshd_installed is undefined
|
||||||
set_fact:
|
|
||||||
sshd_installed: True
|
|
||||||
|
|
||||||
- name: "Add 'sshd_installed: True' to {{ iiab_state_file }}"
|
|
||||||
lineinfile:
|
|
||||||
path: "{{ iiab_state_file }}" # /etc/iiab/iiab_state.yml
|
|
||||||
regexp: '^sshd_installed'
|
|
||||||
line: 'sshd_installed: True'
|
|
||||||
|
|
||||||
|
|
||||||
- name: Enable & Start ssh daemon ({{ sshd_service }}) if sshd_enabled
|
- include_tasks: enable-or-disable.yml
|
||||||
systemd:
|
|
||||||
name: "{{ sshd_service }}"
|
|
||||||
daemon_reload: yes
|
|
||||||
enabled: yes
|
|
||||||
state: started
|
|
||||||
when: sshd_enabled | bool
|
|
||||||
|
|
||||||
- name: Disable & Stop ssh daemon ({{ sshd_service }}) if not sshd_enabled
|
|
||||||
systemd:
|
- name: Add 'sshd' variable values to {{ iiab_ini_file }}
|
||||||
name: "{{ sshd_service }}"
|
ini_file:
|
||||||
enabled: no
|
path: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini
|
||||||
state: stopped
|
section: sshd
|
||||||
when: not sshd_enabled
|
option: "{{ item.option }}"
|
||||||
|
value: "{{ item.value | string }}"
|
||||||
|
with_items:
|
||||||
|
- option: name
|
||||||
|
value: sshd
|
||||||
|
- option: description
|
||||||
|
value: '"Secure Shell daemon (typically implemented by openssh-server) for remote login using the ''ssh'' low-level protocol."'
|
||||||
|
- option: sshd_port
|
||||||
|
value: "{{ sshd_port }}"
|
||||||
|
- option: sshd_enabled
|
||||||
|
value: "{{ sshd_enabled }}"
|
||||||
|
|
|
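Review bot: Moving the `PermitRootLogin` edit and the /root/.ssh owner and mode tasks into install.yml, which is gated by `when: sshd_installed is undefined`, means they are applied once and never enforced again; before this change they ran on every pass of the role. If sshd_config is later replaced (for example during a package upgrade) or the permissions on /root/.ssh drift, re-running the role no longer restores them. Keep those idempotent hardening tasks in main.yml or enable-or-disable.yml, and leave only the package install and the `sshd_installed` bookkeeping behind the one-time gate. The bare `- include_tasks: enable-or-disable.yml` could also get a `name:` like the other tasks in the file.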
@ -211,8 +211,9 @@ cat_cmd 'sudo iptables-save' 'Firewall rules'
|
||||||
echo -e "\n 6. Log Files: (last 100 lines of each)\n"
|
echo -e "\n 6. Log Files: (last 100 lines of each)\n"
|
||||||
echo -e "\n\n\n\n6. LOG FILES (LAST 100 LINES OF EACH)\n" >> $outfile
|
echo -e "\n\n\n\n6. LOG FILES (LAST 100 LINES OF EACH)\n" >> $outfile
|
||||||
cat_tail /opt/iiab/iiab/iiab-install.log 100
|
cat_tail /opt/iiab/iiab/iiab-install.log 100
|
||||||
cat_tail /opt/iiab/iiab/iiab-network.log 100
|
cat_tail /opt/iiab/iiab/iiab-configure.log 100
|
||||||
cat_tail /opt/iiab/iiab/iiab-debug.log 100
|
cat_tail /opt/iiab/iiab/iiab-debug.log 100
|
||||||
|
cat_tail /opt/iiab/iiab/iiab-network.log 100
|
||||||
cat_tail /opt/iiab/iiab-admin-console/admin-install.log 100
|
cat_tail /opt/iiab/iiab-admin-console/admin-install.log 100
|
||||||
cat_tail /var/log/messages 100
|
cat_tail /var/log/messages 100
|
||||||
cat_tail /var/log/syslog 100
|
cat_tail /var/log/syslog 100
|
||||||
|
|
|
@ -62,4 +62,4 @@ But first off, the file is compiled by harvesting 1 + 6 kinds of things:
|
||||||
|
|
||||||
## Source Code
|
## Source Code
|
||||||
|
|
||||||
Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 106-218 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible.
|
Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 106-219 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible.
|
||||||
|
|
|
@ -113,7 +113,6 @@ wifi_up_down: True # Creates a 2nd virtual WiFi adapter for upstream WiFi
|
||||||
# Gateway mode
|
# Gateway mode
|
||||||
iiab_lan_enabled: True
|
iiab_lan_enabled: True
|
||||||
iiab_wan_enabled: True
|
iiab_wan_enabled: True
|
||||||
ssh_port: 22 # SEE sshd_* vars below.
|
|
||||||
# Ties in what the user populated in the GUI for static WAN IP address info:
|
# Ties in what the user populated in the GUI for static WAN IP address info:
|
||||||
gui_wan: True
|
gui_wan: True
|
||||||
adm_cons_force_ssl: False
|
adm_cons_force_ssl: False
|
||||||
|
@ -207,13 +206,13 @@ wan_try_dhcp_before_static_ip: True # Facilitate field updates w/ cablemodems
|
||||||
|
|
||||||
# 1-PREP
|
# 1-PREP
|
||||||
|
|
||||||
# SEE ssh_port var above.
|
# SSHD runs here & also below in 4-SERVER-OPTIONS
|
||||||
sshd_install: True # 2020-01-21: do not rely on this var for now (might be implemented in future)
|
sshd_install: True # Required by OpenVPN
|
||||||
sshd_enabled: True
|
sshd_enabled: True
|
||||||
|
sshd_port: 22 # Not fully functional. SEE: roles/sshd/tasks/install.yml
|
||||||
|
|
||||||
# roles/iiab-admin runs here
|
# IIAB-ADMIN runs here - see its vars near top of this file:
|
||||||
# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE: e.g. iiab_admin_user_install,
|
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
|
||||||
# iiab_admin_user, iiab_admin_published_pwd, iiab_admin_pwd_hash
|
|
||||||
|
|
||||||
openvpn_install: True
|
openvpn_install: True
|
||||||
openvpn_enabled: False
|
openvpn_enabled: False
|
||||||
|
@ -244,12 +243,17 @@ pi_swap_file_size: 1024
|
||||||
admin_console_install: True
|
admin_console_install: True
|
||||||
admin_console_enabled: True
|
admin_console_enabled: True
|
||||||
|
|
||||||
# MySQL MANDATORY - THESE 2 VARS HAVE NO EFFECT - SEE roles/0-init/tasks/main.yml & roles/mysql/tasks/main.yml
|
# 2020-09-24: MySQL / MariaDB is MANDATORY but still evolving - please see:
|
||||||
|
# https://github.com/iiab/iiab/blob/master/roles/mysql/tasks/install.yml
|
||||||
|
# https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml
|
||||||
|
# THESE 2 LEGACY VARS ARE PRESERVED BUT HAVE NO EFFECT:
|
||||||
mysql_install: True
|
mysql_install: True
|
||||||
mysql_enabled: True
|
mysql_enabled: True
|
||||||
|
|
||||||
# 2019-01-13: IIAB's use of NGINX is still evolving -- please review this
|
# 2020-09-24: NGINX is MANDATORY but still evolving - please see:
|
||||||
# evolving doc: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
|
# https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
|
||||||
|
# https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml
|
||||||
|
# THESE 2 LEGACY VARS ARE PRESERVED BUT HAVE NO EFFECT:
|
||||||
nginx_install: True
|
nginx_install: True
|
||||||
nginx_enabled: True
|
nginx_enabled: True
|
||||||
nginx_port: 80
|
nginx_port: 80
|
||||||
|
@ -269,12 +273,9 @@ apache_allow_sudo: True
|
||||||
|
|
||||||
# See also Apache vars {default_language, language_priority} @ top of this file
|
# See also Apache vars {default_language, language_priority} @ top of this file
|
||||||
#
|
#
|
||||||
# 2020-05-21: apache_install is completely ignored as Apache is installed on
|
# 2020-09-24: BOTH VALUES BELOW ARE IGNORED as Apache is installed on demand as
|
||||||
# demand as a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED and/or
|
# a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED, PBX &/or phpMyAdmin
|
||||||
# phpMyAdmin -- but for now we set fake value 'apache_install: True' so that
|
apache_install: False
|
||||||
# 'apache_installed is defined' input validation works, e.g. in
|
|
||||||
# 0-init/tasks/validate_vars.yml
|
|
||||||
apache_install: True
|
|
||||||
apache_enabled: False
|
apache_enabled: False
|
||||||
#
|
#
|
||||||
# NGINX proxies to Apache for legacy IIAB services, using:
|
# NGINX proxies to Apache for legacy IIAB services, using:
|
||||||
|
@ -284,6 +285,8 @@ apache_interface: 127.0.0.1 # 2020-01-13: Var unused
|
||||||
|
|
||||||
# 4-SERVER-OPTIONS
|
# 4-SERVER-OPTIONS
|
||||||
|
|
||||||
|
# SSHD runs here & also above in 1-PREP
|
||||||
|
|
||||||
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
|
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
|
||||||
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
|
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
|
||||||
|
|
||||||
|
@ -295,14 +298,6 @@ squid_enabled: False
|
||||||
dansguardian_install: False
|
dansguardian_install: False
|
||||||
dansguardian_enabled: False
|
dansguardian_enabled: False
|
||||||
|
|
||||||
# 2020-02-04: postgresql_install is completely ignored as PostgreSQL is
|
|
||||||
# installed on demand as a dependency -- by Moodle &/or Pathagar -- but for now
|
|
||||||
# we set fake value 'postgresql_install: True' so that
|
|
||||||
# 'postgresql_installed is defined' input validation works, e.g. in
|
|
||||||
# 0-init/tasks/validate_vars.yml
|
|
||||||
postgresql_install: True
|
|
||||||
postgresql_enabled: False
|
|
||||||
|
|
||||||
# Common UNIX Printing System (CUPS)
|
# Common UNIX Printing System (CUPS)
|
||||||
cups_install: False
|
cups_install: False
|
||||||
cups_enabled: False
|
cups_enabled: False
|
||||||
|
@ -351,7 +346,7 @@ idmgr_enabled: False # 2020-01-23: UNUSED
|
||||||
|
|
||||||
# UNMAINTAINED as of September 2020
|
# UNMAINTAINED as of September 2020
|
||||||
azuracast_install: False
|
azuracast_install: False
|
||||||
azuracast_enabled: False # This var is currently IGNORED.
|
azuracast_enabled: False # This var is currently IGNORED
|
||||||
azuracast_http_port: 10080
|
azuracast_http_port: 10080
|
||||||
azuracast_https_port: 10443
|
azuracast_https_port: 10443
|
||||||
#
|
#
|
||||||
|
@ -393,12 +388,9 @@ mosquitto_install: False
|
||||||
mosquitto_enabled: False
|
mosquitto_enabled: False
|
||||||
mosquitto_port: 1883
|
mosquitto_port: 1883
|
||||||
|
|
||||||
# 2020-02-04: nodejs_install is completely ignored as Node.js is installed on
|
# 2020-09-24: BOTH VALUES BELOW ARE IGNORED as Node.js is installed on demand
|
||||||
# demand as a dependency -- by Node-RED, Sugarizer and/or Internet Archive --
|
# as a dependency -- by Node-RED, Sugarizer &/or Internet Archive
|
||||||
# but for now we set fake value 'nodejs_install: True' so that
|
nodejs_install: False
|
||||||
# 'nodejs_installed is defined' input validation works, e.g. in
|
|
||||||
# 0-init/tasks/validate_vars.yml
|
|
||||||
nodejs_install: True
|
|
||||||
nodejs_enabled: False
|
nodejs_enabled: False
|
||||||
# Node.js version used by roles/nodejs/tasks/main.yml for 3 roles:
|
# Node.js version used by roles/nodejs/tasks/main.yml for 3 roles:
|
||||||
# nodered (Node-RED), pbx (Asterix, FreePBX) & sugarizer (Sugarizer)
|
# nodered (Node-RED), pbx (Asterix, FreePBX) & sugarizer (Sugarizer)
|
||||||
|
@ -463,25 +455,15 @@ kiwix_incl_apk: False
|
||||||
kiwix_apk_url: /software/kiwix
|
kiwix_apk_url: /software/kiwix
|
||||||
kiwix_apk_src: https://download.kiwix.org/release/kiwix-android/kiwix.apk
|
kiwix_apk_src: https://download.kiwix.org/release/kiwix-android/kiwix.apk
|
||||||
|
|
||||||
|
# 2020-09-24: BOTH VALUES BELOW ARE IGNORED as PostgreSQL is installed on
|
||||||
|
# demand as a dependency -- by Moodle &/or Pathagar
|
||||||
|
postgresql_install: False
|
||||||
|
postgresql_enabled: False
|
||||||
|
|
||||||
moodle_install: False
|
moodle_install: False
|
||||||
moodle_enabled: False
|
moodle_enabled: False
|
||||||
# If using Moodle intensively, set nginx_high_php_limits further above.
|
# If using Moodle intensively, set nginx_high_php_limits further above.
|
||||||
|
|
||||||
# MongoDB (/library/dbdata/mongodb) greatly enhances the Sugarizer experience.
|
|
||||||
# This role was formerly installed by roles/sugarizer/meta/main.yml
|
|
||||||
#
|
|
||||||
# 2020-02-04: mongodb_install is completely ignored as MongoDB is installed on
|
|
||||||
# demand as a dependency -- by Sugarizer -- but for now we set fake value
|
|
||||||
# 'mongodb_install: True' so that 'mongodb_installed is defined' input
|
|
||||||
# validation works, e.g. in 0-init/tasks/validate_vars.yml
|
|
||||||
mongodb_install: True
|
|
||||||
# FYI 'mongodb_enabled: False' works when Sugarizer is disabled. Required by
|
|
||||||
# mongodb/tasks/enable.yml to shut down the service and log status, but that is
|
|
||||||
# misleading as Sugarizer starts mongodb's systemd service on its own, due to
|
|
||||||
# 'Requires=mongodb.service' within /etc/systemd/system/sugarizer.service
|
|
||||||
mongodb_enabled: False
|
|
||||||
mongodb_port: 27018
|
|
||||||
|
|
||||||
# Regional OSM vector maps use far less disk space than bitmap/raster versions.
|
# Regional OSM vector maps use far less disk space than bitmap/raster versions.
|
||||||
# Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps
|
# Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps
|
||||||
osm_vector_maps_install: True
|
osm_vector_maps_install: True
|
||||||
|
@ -489,6 +471,19 @@ osm_vector_maps_enabled: False
|
||||||
iiab_map_url : http://download.iiab.io/content/OSM/vector-tiles/maplist/hidden
|
iiab_map_url : http://download.iiab.io/content/OSM/vector-tiles/maplist/hidden
|
||||||
vector_map_path: "{{ content_base }}/www/osm-vector-maps" # /library/www/osm-vector-maps
|
vector_map_path: "{{ content_base }}/www/osm-vector-maps" # /library/www/osm-vector-maps
|
||||||
|
|
||||||
|
# MongoDB (/library/dbdata/mongodb) greatly enhances the Sugarizer experience.
|
||||||
|
# This role was formerly installed by roles/sugarizer/meta/main.yml
|
||||||
|
#
|
||||||
|
# 2020-09-24: BOTH VALUES BELOW ARE IGNORED as MongoDB is installed on demand
|
||||||
|
# as a dependency -- by Sugarizer
|
||||||
|
mongodb_install: False
|
||||||
|
# 'mongodb_enabled: False' MAY work when Sugarizer is disabled. Required by
|
||||||
|
# mongodb/tasks/enable.yml to shut down the service and log status, but that is
|
||||||
|
# misleading as Sugarizer starts mongodb's systemd service on its own, due to
|
||||||
|
# 'Requires=mongodb.service' within /etc/systemd/system/sugarizer.service
|
||||||
|
mongodb_enabled: False
|
||||||
|
mongodb_port: 27018
|
||||||
|
|
||||||
# roles/sugarizer/meta/main.yml auto-invokes 2 above prereqs: mongodb & nodejs
|
# roles/sugarizer/meta/main.yml auto-invokes 2 above prereqs: mongodb & nodejs
|
||||||
# Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879
|
# Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879
|
||||||
# Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957
|
# Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957
|
||||||
|
@ -564,11 +559,9 @@ vnstat_enabled: False
|
||||||
|
|
||||||
# 9-LOCAL-ADDONS
|
# 9-LOCAL-ADDONS
|
||||||
|
|
||||||
# 2020-02-04: yarn_install is completely ignored as the Yarn package manager is
|
# 2020-09-24: BOTH VALUES BELOW ARE IGNORED as Yarn is installed on demand as a
|
||||||
# installed on demand as a dependency -- by Internet Archive -- but for now we
|
# dependency -- by Internet Archive
|
||||||
# set fake value 'yarn_install: True' so that 'yarn_installed is defined' input
|
yarn_install: False
|
||||||
# validation works, e.g. in 0-init/tasks/validate_vars.yml
|
|
||||||
yarn_install: True
|
|
||||||
yarn_enabled: False
|
yarn_enabled: False
|
||||||
|
|
||||||
# Internet Archive Offline / Decentralized Web - create your own offline
|
# Internet Archive Offline / Decentralized Web - create your own offline
|
||||||
|
|
|
@ -130,8 +130,11 @@ js_menu_install: True
|
||||||
|
|
||||||
# 1-PREP
|
# 1-PREP
|
||||||
|
|
||||||
# roles/sshd & roles/iiab-admin run here
|
# SSHD runs here & also below in 4-SERVER-OPTIONS
|
||||||
# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE:
|
sshd_install: True # Required by OpenVPN
|
||||||
|
sshd_enabled: True
|
||||||
|
|
||||||
|
# IIAB-ADMIN runs here - see its vars near top of this file:
|
||||||
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
|
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
|
||||||
|
|
||||||
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
|
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
|
||||||
|
@ -170,6 +173,8 @@ apache_allow_sudo: True
|
||||||
|
|
||||||
# 4-SERVER-OPTIONS
|
# 4-SERVER-OPTIONS
|
||||||
|
|
||||||
|
# SSHD runs here & also above in 1-PREP
|
||||||
|
|
||||||
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
|
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
|
||||||
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
|
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
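Review bot: The added `sshd_enabled: True` in the 1-PREP hunk has no comment of its own, and the only rationale nearby is `# Required by OpenVPN` on `sshd_install`, so an operator cannot tell whether the daemon may be turned off on a box that never uses OpenVPN. The old comment suggests roles/sshd already ran in this stage, so the default is probably not new, but now that the toggle is exposed it should be tied to the existing security note a few lines below. I would add a line such as `# Set sshd_enabled: False if remote login is not needed (see SECURITY WARNING below)` directly above `sshd_enabled`. The same hunk is repeated in the next two file sections on this page (their file names are not shown here), and the comment applies there too.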
|
||||||
|
|
||||||
|
|
|
@ -130,8 +130,11 @@ js_menu_install: True
|
||||||
|
|
||||||
# 1-PREP
|
# 1-PREP
|
||||||
|
|
||||||
# roles/sshd & roles/iiab-admin run here
|
# SSHD runs here & also below in 4-SERVER-OPTIONS
|
||||||
# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE:
|
sshd_install: True # Required by OpenVPN
|
||||||
|
sshd_enabled: True
|
||||||
|
|
||||||
|
# IIAB-ADMIN runs here - see its vars near top of this file:
|
||||||
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
|
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
|
||||||
|
|
||||||
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
|
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
|
||||||
|
@ -170,6 +173,8 @@ apache_allow_sudo: True
|
||||||
|
|
||||||
# 4-SERVER-OPTIONS
|
# 4-SERVER-OPTIONS
|
||||||
|
|
||||||
|
# SSHD runs here & also above in 1-PREP
|
||||||
|
|
||||||
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
|
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
|
||||||
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
|
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
|
||||||
|
|
||||||
|
|
|
@ -130,8 +130,11 @@ js_menu_install: True
|
||||||
|
|
||||||
# 1-PREP
|
# 1-PREP
|
||||||
|
|
||||||
# roles/sshd & roles/iiab-admin run here
|
# SSHD runs here & also below in 4-SERVER-OPTIONS
|
||||||
# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE:
|
sshd_install: True # Required by OpenVPN
|
||||||
|
sshd_enabled: True
|
||||||
|
|
||||||
|
# IIAB-ADMIN runs here - see its vars near top of this file:
|
||||||
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
|
# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
|
||||||
|
|
||||||
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
|
# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
|
||||||
|
@ -170,6 +173,8 @@ apache_allow_sudo: True
|
||||||
|
|
||||||
# 4-SERVER-OPTIONS
|
# 4-SERVER-OPTIONS
|
||||||
|
|
||||||
|
# SSHD runs here & also above in 1-PREP
|
||||||
|
|
||||||
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
|
# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
|
||||||
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
|
# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
|
||||||
|
|
||||||
|
|