
Merge branch 'iiab:master' into usr-sbin_security-norm

This commit is contained in:
A Holt 2021-07-27 18:55:26 -04:00 committed by GitHub
commit d6205c7204
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 119 additions and 124 deletions


@ -22,7 +22,7 @@
path: /boot/firmware/usercfg.txt
line: "dtoverlay=i2c-rtc,{{ rtc_id }}=on"
state: present
when: rtc_id is defined and rtc_id != "none" and is_ubuntu
when: rtc_id is defined and rtc_id != "none" and is_ubuntu # CLARIF: Ubuntu runs increasingly well on RPi hardware, starting in 2020 especially
#- name: Enable bluetooth in /boot/firmware/syscfg.txt on Ubuntu (needs reboot)
# lineinfile:
@ -31,15 +31,28 @@
# line: 'include btcfg.txt'
# when: is_ubuntu
- name: 'Ensure packages are installed: dphys-swapfile, fake-hwclock, iw, rfkill, wireless-tools'
- name: '2021-07-27: SEE ALSO ~4 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/packages.yml'
meta: noop
- name: '2021-07-27: SEE ALSO 4-5 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/network.yml'
meta: noop
# 2021-07-27 explanation from @jvonau: The 3 BELOW (iw, rfkill, wireless-tools)
# are provided by RaspiOS. Ubuntu|Debian on the other hand are hit or miss:
# desktops might have some/all 3 preinstalled, while servers tend not to have
# these present at all, but are needed to be installed if you want to take full
# advantage of WiFi on Ubuntu and friends -- but it's only enforced on RPi
# hardware where we know in advance of the likelihood of WiFi being present.
- name: 'Install packages: cloud-guest-utils, dphys-swapfile, fake-hwclock, iw, rfkill, wireless-tools'
package:
name:
- dphys-swapfile
- fake-hwclock
- iw
- rfkill
- wireless-tools
- cloud-guest-utils
- cloud-guest-utils # Contains 'growpart' for resizing a partition during boot, which is normally done with the aid of cloud-init
- dphys-swapfile # 2021-07-27: RaspiOS installs this regardless -- autogenerate and use a swap file
- fake-hwclock # 2021-07-27: RaspiOS installs this regardless -- save/restore system clock on machines without working RTC hardware
- iw # 2021-07-27: RaspiOS installs this regardless -- configure Linux wireless devices -- hard dependence for ap0 creation, SEE https://github.com/iiab/iiab/blob/master/roles/network/templates/hostapd/clone-wifi.service.j2
- rfkill # 2021-07-27: RaspiOS installs this regardless -- enable & disable wireless devices
- wireless-tools # 2021-07-27: RaspiOS installs this regardless -- manipulate Linux Wireless Extensions
state: present
- name: Increase swap file size (to CONF_SWAPSIZE={{ pi_swap_file_size }} in /etc/dphys-swapfile) as kalite pip download fails
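Review bot: The two `meta: noop` tasks at the top of the second hunk exist only to carry cross-reference text in their `name:`; as far as I recall `meta: noop` is documented as internal-use, and these pseudo-tasks show up in every play run and in `--list-tasks`. A plain `# 2021-07-27: SEE ALSO ~4 networking packages LATER installed by roles/2-common/tasks/packages.yml` comment above the `package:` task conveys the same pointer without adding tasks to the play, and matches how the @jvonau explanation just below is already written. Keeping the cross-references as comments also avoids them drifting into the task count that `iiab-diagnostics` and similar tooling may report.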


@ -1,23 +1,26 @@
- name: '2021-07-27: SEE ALSO ~3 networking packages EARLIER installed by https://github.com/iiab/iiab/blob/master/roles/1-prep/tasks/raspberry_pi.yml'
meta: noop
- name: '2021-07-27: SEE ALSO ~4 networking packages EARLIER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/packages.yml'
meta: noop
- name: Install package networkd-dispatcher (OS's other than RaspiOS)
package:
name: networkd-dispatcher
name: networkd-dispatcher # Dispatcher service for systemd-networkd connection status changes
state: present
when: not is_raspbian
# used in the network role
- name: 'Install network packages: hostapd, iproute2, iptables-persistent, netmask (debuntu)'
- name: 'Install network packages: hostapd, iproute2, iptables-persistent, netmask -- later used by https://github.com/iiab/iiab/tree/master/roles/network'
package:
name:
- iproute2
- iptables-persistent
- hostapd
- netmask
- hostapd # IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator -- has its service masked out of the box, and only used when IIAB's network roles detects the presence of WiFi and an AP is desired
- iproute2 # 2021-07-27: RaspiOS installs this regardless -- the new networking and traffic control tools, meant to replace net-tools
- iptables-persistent # Boot-time loader for netfilter rules, iptables (firewall) plugin -- however 'netfilter' is ever moving forward so keep an eye on it!
- netmask # Handy utility -- helps determine network masks
state: present
when: is_debuntu
- name: Install /etc/network/if-pre-up.d/iptables from template (0755, debuntu)
template:
src: iptables
dest: /etc/network/if-pre-up.d/iptables
mode: '0755'
when: is_debuntu
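Review bot: The `/etc/network/if-pre-up.d/iptables` hook installed by the last task only runs on hosts where ifupdown brings the interface up; on hosts using systemd-networkd -- the very ones this file installs `networkd-dispatcher` for -- the hook is never invoked and boot-time rules come back only through `iptables-persistent`/netfilter-persistent, which the new comment on that package already flags as a moving target. I'd record that in a comment above the template task, e.g. `# ifupdown-only hook -- on systemd-networkd hosts boot-time rules depend on netfilter-persistent.service (iptables-persistent above)`, so nobody assumes the pre-up script is what restores the firewall everywhere. The "keep an eye on it" note on `iptables-persistent` would also be more useful if it named the concrete hazard, which as I recall is the legacy vs nft backend split on Debian 10+ (rule dumps saved by one backend are not loaded by the other).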


@ -1,59 +1,59 @@
- name: "Install 10 yum/dnf packages: avahi, avahi-tools, createrepo, linux-firmware, nss-mdns, openssl, syslog, wpa_supplicant, xml-common, yum-utils (redhat)"
package:
name:
- avahi
- avahi-tools
- createrepo
- linux-firmware
- nss-mdns
- openssl # FC 18 does not supply, but pear requires
- syslog
- wpa_supplicant
- xml-common
- yum-utils
state: present
when: is_redhat
#- name: "Install 10 yum/dnf packages: avahi, avahi-tools, createrepo, linux-firmware, nss-mdns, openssl, syslog, wpa_supplicant, xml-common, yum-utils (redhat)"
# package:
# name:
# - avahi
# - avahi-tools
# - createrepo
# - linux-firmware
# - nss-mdns
# - openssl # FC 18 does not supply, but pear requires
# - syslog
# - wpa_supplicant
# - xml-common
# - yum-utils
# state: present
# when: is_redhat
- name: "Install 6 deb/apt packages: avahi-daemon, exfat-fuse, exfat-utils, inetutils-syslogd, libnss-mdns, wpasupplicant (debuntu)"
package:
name:
#- avahi-discover
- avahi-daemon
- exfat-fuse # Should no longer be nec with 5.4+ kernels
- exfat-utils # Likewise!
- inetutils-syslogd # Error logging facility
- libnss-mdns # Provides name resolution via mDNS (Multicast DNS) using Zeroconf/Bonjour e.g. Avahi
- wpasupplicant
state: present
when: is_debuntu
- name: '2021-07-27: SEE ALSO ~3 networking packages EARLIER installed by https://github.com/iiab/iiab/blob/master/roles/1-prep/tasks/raspberry_pi.yml'
meta: noop
- name: "Install 18 common packages: acpid, bzip2, curl, gawk, htop, i2c-tools, logrotate, mlocate, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, tar, unzip, usbutils, wget"
- name: '2021-07-27: SEE ALSO 4-5 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/network.yml'
meta: noop
- name: "Install 20 common packages: acpid, avahi-daemon, bzip2, curl, gawk, htop, i2c-tools, libnss-mdns, logrotate, mlocate, net-tools, pandoc, pastebinit, rsync, sqlite3, tar, unzip, usbutils, wget, wpasupplicant"
package:
name:
- acpid # Daemon for ACPI (power mgmt) events
- bzip2 # 2021-04-26: Prob not used, but can't hurt?
- curl # Used to install roles/nodejs and roles/nodered
#- etckeeper # "nobody is really using etckeeper and it's bloating the filesystem every time apt runs" per @jvonau at https://github.com/iiab/iiab/issues/1146
- acpid # Daemon for ACPI (power mgmt) events
- avahi-daemon # 2021-07-27: RaspiOS (and package libnss-mnds, below) install this regardless -- holdover from the XO days and used to advertise ssh/admin-console being available via avahi-daemon -- used with https://github.com/iiab/iiab/blob/master/roles/network/tasks/avahi.yml
#- avahi-discover # 2021-07-27: Commented out long ago
- bzip2 # 2021-04-26: Prob not used, but can't hurt?
- curl # Used to install roles/nodejs and roles/nodered
#- etckeeper # "nobody is really using etckeeper and it's bloating the filesystem every time apt runs" per @jvonau at https://github.com/iiab/iiab/issues/1146
#- exfat-fuse # 2021-07-27: Should no longer be nec with 5.4+ kernels, so let's try commenting it out
#- exfat-utils # Ditto! See also 'ntfs-3g' below
- gawk
- htop
- i2c-tools # Low-level bus/chip/register/EEPROM tools e.g. for RTC
#- iproute2 # Installed by roles/2-common/tasks/network.yml
- i2c-tools # Low-level bus/chip/register/EEPROM tools e.g. for RTC
#- inetutils-syslogd # 2021-07-27: Error logging facility -- holdover from the XO days, journalctl has replaced this in newer distros
#- iproute2 # Installed by roles/2-common/tasks/network.yml
- logrotate
#- lynx # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
#- make # 2021-07-27: Currently used by roles/pbx and no other roles
- libnss-mdns # 2021-07-27: RaspiOS (and package avahi-daemon, above) install this regardless -- client-side library -- provides name resolution via mDNS (Multicast DNS) using Zeroconf/Bonjour e.g. Avahi
#- lynx # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
#- make # 2021-07-27: Currently used by roles/pbx and no other roles
- mlocate
- net-tools # 2021-04-26: @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output?
- ntfs-3g # Possibly no longer nec, similar to exfat packages above?
- net-tools # 2021-04-26: @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output?
#- ntfs-3g # 2021-07-27: RaspiOS installs this regardless -- but this should no longer be nec, similar to exfat packages above -- however, see also this symlink warning: https://superuser.com/questions/1050544/mount-with-kernel-ntfs-and-not-ntfs-3g
#- openssh-server # ssh (Raspbian) or openssh-server (other OS's) already installed by 1-prep's roles/sshd/tasks/main.yml
- pandoc # For /usr/bin/iiab-refresh-wiki-docs
- pastebinit # For /usr/bin/iiab-diagnostics
- pandoc # For /usr/bin/iiab-refresh-wiki-docs
- pastebinit # For /usr/bin/iiab-diagnostics
- rsync
#- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
#- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
- sqlite3
#- sudo # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
#- sudo # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
- tar
- unzip
#- usbmount # Moved to roles/usb_lib/tasks/install.yml
- usbutils # 2021-04-26: Also move to roles/usb_lib/tasks/install.yml ?
#- usbmount # Moved to roles/usb_lib/tasks/install.yml
- usbutils # 2021-07-27: RaspiOS installs this regardless -- move to roles/usb_lib/tasks/install.yml ?
- wget
- wpasupplicant # 2021-07-27: RaspiOS installs this regardless -- client library for connections to a WiFi AP
state: present
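Review bot: `avahi-daemon` and `libnss-mdns` have moved into the common 20-package list, and the new comment on `avahi-daemon` says it is used to advertise ssh/admin-console availability; that is a deliberate LAN convenience, but avahi-daemon answers on every interface (UDP 5353) unless `allow-interfaces`/`deny-interfaces` is set, so the comment should say where that is constrained, e.g. `# listens on all interfaces unless roles/network/tasks/avahi.yml restricts it -- confirm it is not reachable on the upstream/WAN side`. Separately, the redhat package task is now fully commented out while Debian-specific names (`libnss-mdns`, `wpasupplicant`) sit in a task with no OS guard visible in this hunk; if the role can still be run on a RedHat-family host the `package:` call will fail on the first unknown name, so either keep a `when: is_debuntu` on the 20-package task or state in a comment that this file is now debuntu-only. The 20-package task's `when:`, if it has one, is past the end of the hunk.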


@ -18,7 +18,7 @@
name: pylibs
#when: pylibs_install # Flag might be created in future?
- name: SSHD - also run by roles/1-prep/tasks/main.yml as required by OpenVPN
- name: SSHD -- also run by roles/1-prep/tasks/main.yml as required by OpenVPN
include_role:
name: sshd
when: sshd_install


@ -21,7 +21,7 @@ dbname: elggdb
dbhost: localhost
dbprefix: elgg_
# The following variables must be in sync with template/elggdb.sql.j2
# The following variables must be in sync with templates/elggdb.sql.j2
# If you change them, you will probably have to rebuild the database.
# They can be changed from the administrative interface once Elgg is installed.


@ -6,12 +6,12 @@
state: stopped
ignore_errors: yes
- name: Ensure group gitea exists
- name: Ensure group 'gitea' exists
group:
name: gitea
state: present
- name: Create user gitea
- name: Create user 'gitea'
user:
name: gitea
comment: Gitea daemon account
@ -26,7 +26,7 @@
group: gitea
with_items: "{{ gitea_subdirectories }}"
- name: Make directories data, indexers, and log writable
- name: Make directories data, indexers, and log writable (0750)
file:
path: "{{ gitea_root_directory }}/{{ item }}" # /library/gitea
mode: '0750'
@ -98,7 +98,7 @@
# 4. Create systemd service & prepare NGINX for http://box/gitea
- name: "Install from template: /etc/systemd/system/gitea.service"
- name: "Install from template: /etc/systemd/system/gitea.service (by default 0644)"
template:
src: gitea.service.j2
dest: /etc/systemd/system/gitea.service
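Review bot: The renamed task `Install from template: /etc/systemd/system/gitea.service (by default 0644)` documents a permission the task does not set: without an explicit `mode:`, the template module creates the file with permissions derived from the remote umask, so the 0644 in the name is an assumption rather than a guarantee. Since the name now makes the claim, pin it by adding `mode: '0644'` under `dest:`, which also matches the style of the directory task earlier in this section that sets `mode: '0750'` explicitly. The template task's body continues past the end of the hunk, so if `mode` is already set on a later line this is moot.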


@ -13,22 +13,22 @@
when: nodejs_installed is undefined
- name: Make the directories to hold JupyterHub config
- name: Make 3 directories to hold JupyterHub config
file:
state: directory
path: "{{ item }}"
with_items:
- "{{ jupyterhub_venv }}/etc/jupyter"
- "{{ jupyterhub_venv }}/etc/jupyter" # /opt/iiab/jupyterhub
- "{{ jupyterhub_venv }}/etc/jupyterhub"
- "{{ jupyterhub_venv }}/etc/systemd"
- name: Use npm to install configurable-http-proxy
- name: Use npm to install 'configurable-http-proxy'
npm:
name: configurable-http-proxy
global: yes
state: latest
- name: "Use pip to install into a virtual environment: {{ jupyterhub_venv }} (~229 MB)"
- name: "pip install 7 packages into virtual environment: {{ jupyterhub_venv }} (~229 MB)"
pip:
name:
- pip
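Review bot: The task now named `Use npm to install 'configurable-http-proxy'` keeps `global: yes` with `state: latest`, so every run resolves whatever version the npm registry serves at that moment and installs it root-owned and on PATH; the pip task below it starts its `name:` list with `pip` and continues past the hunk, so I cannot tell whether it is pinned either. For a reproducible and auditable install, pin the proxy, e.g. `name: configurable-http-proxy@4.5.0` (or a `version:` key) with `state: present`, and if floating to latest is intentional say why in a comment above the task. Pinning is also what lets a later supply-chain advisory be matched against what an IIAB box actually has installed.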


@ -106,7 +106,7 @@
dest: "{{ moodle_base }}"
mode: 0755
- name: Execute {{ moodle_base }}/moodle_installer IF {{ moodle_base }}/config.php doesn't yet exist -- REQUIRES 'max_input_vars = 5000' (or higher) in /etc/php/{{ php_version }}/cli/php.ini with PHP 8+ (as set up by www_options/tasks/main.yml) -- WHEREAS LATER Moodle uses /etc/php/{{ php_version }}/fpm/php.ini during regular operation
- name: Execute {{ moodle_base }}/moodle_installer IF {{ moodle_base }}/config.php doesn't yet exist -- REQUIRES 'max_input_vars = 5000' (or higher) in /etc/php/{{ php_version }}/cli/php.ini IF PHP 8+ (as set up by www_options/tasks/main.yml) -- WHEREAS LATER Moodle uses /etc/php/{{ php_version }}/fpm/php.ini during regular operation
shell: "{{ moodle_base }}/moodle_installer"
args:
creates: "{{ moodle_base }}/config.php"


@ -1,4 +1,4 @@
- name: "Install 5 packages: munin, munin-node, munin-plugins-extra, libcgi-fast-perl"
- name: "Install 4 packages: munin, munin-node, munin-plugins-extra, libcgi-fast-perl"
package:
name:
- munin
@ -8,14 +8,6 @@
#- libapache2-mod-fcgid
state: present
# - name: "Install 2 packages: munin, munin-node (OS's other than debuntu)"
# package:
# name:
# - munin
# - munin-node
# state: present
# when: not is_debuntu
- name: Establish username/password Admin/changeme in /etc/munin/munin-htpasswd
htpasswd:
path: /etc/munin/munin-htpasswd
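Review bot: The htpasswd task that follows the deleted block is named `Establish username/password Admin/changeme in /etc/munin/munin-htpasswd`, i.e. a fixed, publicly documented credential for the Munin web UI; the password value itself is past the end of the hunk, so I can only go by the name. If it is a literal, consider reading it from a role variable with this as the documented default and adding a comment such as `# Default credential -- override the variable before exposing Munin beyond the LAN`, so the default is at least greppable and overridable per deployment. The count fix in the first task name (4 packages) matches the four package names in the title.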


@ -65,12 +65,12 @@
# state: absent
# when: internet_available and is_debuntu
- name: Set up Node.js {{ nodejs_version }} apt sources (debuntu)
- name: Set up Node.js {{ nodejs_version }} apt sources
shell: curl -sL https://deb.nodesource.com/setup_{{ nodejs_version }} | bash -
args:
warn: no
creates: /etc/apt/sources.list.d/nodesource.list
when: internet_available and is_debuntu
when: internet_available
#when: internet_available and (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17)
# NOT NEC TO TEST FOR is_raspbian_8 OR is_raspbian_9 AS /opt/iiab/iiab/vars/<OS>.yml
# DEFINES THESE AS SUBSETS OF is_debian_8 OR is_debian_9 (FOR NOW!)
@ -80,20 +80,20 @@
# "npm install -g npm@latest" (all *SHOULD* be magically fixed by 2019-04-18 ?)
# Forces update
- name: Install latest Node.js {{ nodejs_version }} which includes /usr/bin/npm (debuntu)
- name: Install latest Node.js {{ nodejs_version }} which includes /usr/bin/npm
package:
#name: nodejs={{ nodejs_version }}
name: nodejs
state: latest
#state: present
when: internet_available and is_debuntu
when: internet_available
#when: internet_available and (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17)
- name: Set up & install Node.js {{ nodejs_version }} which includes /usr/bin/npm (redhat)
shell: curl -sL https://rpm.nodesource.com/setup_{{ nodejs_version }} | bash -
args:
warn: no
when: internet_available and is_redhat
# - name: Set up & install Node.js {{ nodejs_version }} which includes /usr/bin/npm (redhat)
# shell: curl -sL https://rpm.nodesource.com/setup_{{ nodejs_version }} | bash -
# args:
# warn: no
# when: internet_available and is_redhat
# 2018-07-14: BOTH STEPS ABOVE TAKE TIME, but Raspbian (apt offers npm
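Review bot: Widening the `when:` on the NodeSource setup task from `internet_available and is_debuntu` to `internet_available` leaves `curl -sL https://deb.nodesource.com/setup_{{ nodejs_version }} | bash -` running as root with no integrity check and no failure handling: `-s` without `-f` means an HTTP error body is piped into bash, and the pipeline's exit status is bash's, not curl's, so `creates:` can mark a half-applied setup as done. At minimum change it to `shell: bash -o pipefail -c 'curl -fsSL https://deb.nodesource.com/setup_{{ nodejs_version }} | bash -'`, or better, fetch the script to a file, verify it (hash or NodeSource signing key) and execute that file. With the redhat variant now commented out, this apt-only task is also the one that would run on any non-Debian host with internet; if the role is meant to be debuntu-only, say so in a comment or keep `is_debuntu` in the condition.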


@ -1,21 +1,11 @@
- name: Install 'postgresql' package
- name: 'Install packages: postgresql, postgresql-client'
package:
name: postgresql
name:
- postgresql
- postgresql-client
state: present
- name: Install 'postgresql-client' package (debuntu)
package:
name: postgresql-client
state: present
when: is_debuntu
- name: Install 'postgresql-server' package (OS's other than debuntu)
package:
name: postgresql-server
state: present
when: not is_debuntu
- name: Install /etc/systemd/system/postgresql-iiab.service from template
- name: Install /etc/systemd/system/postgresql-iiab.service from template (0644 by default)
template:
src: postgresql-iiab.service
dest: /etc/systemd/system/postgresql-iiab.service
@ -23,50 +13,47 @@
# group: root
# mode: '0644'
- name: Create PostgreSQL data dir /library/pgsql-iiab, owned by postgres:postgres
- name: Create PostgreSQL data dir /library/pgsql-iiab, owned by postgres:postgres (0700)
file:
state: directory
path: /library/pgsql-iiab
owner: postgres
group: postgres
mode: '0700'
state: directory
mode: 0700
- name: Make sure locale {{ postgresql_locale }} is enabled (debuntu) # en_US.UTF-8
- name: Make sure locale {{ postgresql_locale }} is enabled # en_US.UTF-8
lineinfile:
dest: /etc/locale.gen
line: "{{ postgresql_locale }} UTF-8"
when: is_debuntu
- name: Generate locales (debuntu)
- name: Generate locales
command: /usr/sbin/locale-gen
when: is_debuntu
- name: Initialize the PostgreSQL db, creating /library/pgsql-iiab/pg_hba.conf (debuntu)
- name: Initialize the PostgreSQL db, creating /library/pgsql-iiab/pg_hba.conf
#command: su - postgres -c "/usr/lib/postgresql/{{ postgresql_version }}/bin/initdb -E 'UTF-8' --locale={{ postgresql_locale }} -D /library/pgsql-iiab"
command: /usr/lib/postgresql/{{ postgresql_version }}/bin/initdb -E 'UTF-8' --locale={{ postgresql_locale }} -D /library/pgsql-iiab
args:
creates: /library/pgsql-iiab/pg_hba.conf
become: yes
become_user: postgres
when: is_debuntu
- name: Initialize the PostgreSQL db, creating /library/pgsql-iiab/pg_hba.conf (OS's other than debuntu)
#command: su - postgres -c "/usr/bin/initdb -E 'UTF-8' --lc-collate={{ postgresql_locale }} --lc-ctype={{ postgresql_locale }} -D /library/pgsql-iiab"
command: /usr/bin/initdb -E 'UTF-8' --lc-collate={{ postgresql_locale }} --lc-ctype={{ postgresql_locale }} -D /library/pgsql-iiab
args:
creates: /library/pgsql-iiab/pg_hba.conf
become: yes
become_user: postgres
when: not is_debuntu
# - name: Initialize the PostgreSQL db, creating /library/pgsql-iiab/pg_hba.conf (OS's other than debuntu)
# #command: su - postgres -c "/usr/bin/initdb -E 'UTF-8' --lc-collate={{ postgresql_locale }} --lc-ctype={{ postgresql_locale }} -D /library/pgsql-iiab"
# command: /usr/bin/initdb -E 'UTF-8' --lc-collate={{ postgresql_locale }} --lc-ctype={{ postgresql_locale }} -D /library/pgsql-iiab
# args:
# creates: /library/pgsql-iiab/pg_hba.conf
# become: yes
# become_user: postgres
# when: not is_debuntu
- name: Install /library/pgsql-iiab/postgresql.conf owned by postgres:postgres, from template
- name: Install /library/pgsql-iiab/postgresql.conf from template (postgres:postgres, 0640)
template:
backup: yes
src: postgresql.conf.j2
dest: /library/pgsql-iiab/postgresql.conf
owner: postgres
group: postgres
mode: '0640'
mode: 0640
- name: Disable & Stop stock 'postgresql' (parent) systemd service
systemd: