external/iiab
1
0
Fork 0
mirror of https://github.com/iiab/iiab.git synced 2025-03-09 15:40:17 +00:00
Code Issues Releases Wiki Activity

Merge pull request #163 from iiab/master

Browse source 
sync from iiab/iiab
This commit is contained in:
A Holt 2018-10-08 20:24:21 -04:00 committed by GitHub
commit d8ebe7c333
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
38 changed files with 1255 additions and 359 deletions
Download patch file Download diff file Expand all files Collapse all files

BIN
roles/1-prep/templates/.iiab.env.j2.un~ Normal file
View file

Binary file not shown.

3
roles/1-prep/templates/iiab.env.j2
View file

@ -4,7 +4,10 @@ IIAB_BASE_PATH={{ iiab_base }}
IIAB_DIR={{ iiab_dir }} IIAB_DIR={{ iiab_dir }}
IIAB_RELEASE={{ iiab_base_ver }} IIAB_RELEASE={{ iiab_base_ver }}
IIAB_REVISION={{ iiab_revision }} IIAB_REVISION={{ iiab_revision }}
IIAB_GATEWAY_ENABLED={{ iiab_gateway_enabled }}
LAN_IP={{ lan_ip }}
OS={{ ansible_local.local_facts.os }} OS={{ ansible_local.local_facts.os }}
OS_VER={{ ansible_local.local_facts.os_ver }} OS_VER={{ ansible_local.local_facts.os_ver }}
WWWROOT={{ doc_root }} WWWROOT={{ doc_root }}
STAGE=1 STAGE=1
FQDN={{ iiab_fqdn }}

19
roles/httpd/templates/010-iiab.conf.j2
View file

@ -159,8 +159,6 @@ UseCanonicalName Off
# so it doesn't move in some future version. # so it doesn't move in some future version.
# #
DocumentRoot "{{ doc_root }}" DocumentRoot "{{ doc_root }}"
ErrorLog {{ apache_log_dir }}/error.log
CustomLog {{ apache_log_dir }}/access.log combined
# #
# Each directory to which Apache has access can be configured with respect # Each directory to which Apache has access can be configured with respect
@ -175,12 +173,17 @@ CustomLog {{ apache_log_dir }}/access.log combined
AllowOverride None AllowOverride None
</Directory> </Directory>
<Directory "{{ doc_root }}"> <VirtualHost *:80>
Options Indexes FollowSymLinks ErrorLog /var/log/apache2/error.log
AllowOverride None CustomLog /var/log/apache2/access.log combined
Require all granted ServerName {{ iiab_hostname }}
</Directory> ServerAlias iiab-server.lan
<Directory "{{ doc_root }}">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
# #
# UserDir: The name of the directory that is appended onto a user's home # UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received. # directory if a ~user request is received.

23
roles/network/defaults/main.yml
View file

@ -62,20 +62,27 @@ network_config_dir: /etc/network/interfaces.d
dns_jail_enabled: False dns_jail_enabled: False
services_externally_visible: False services_externally_visible: False
# Following variables set for old Apache, dhcpd, named usage # DNS / name resolution
dhcpd_install: True dhcpd_install: True
dhcpd_enabled: True dhcpd_enabled: True
#dhcp_service: ???? # Appears nec for roles/network/tasks/dhcpd.yml ?
dhcp_service2: disabled # Proposed by @jvonau to solve #1184 -> PR #1185 as required by roles/network/tasks/computed_services.yml ?
named_install: True named_install: True
named_enabled: True named_enabled: False
dnsmasq_enabled: False dnsmasq_enabled: True
dnsmasq_install: False dnsmasq_install: True
# For @tim-moody's Nodogsplash approach to Captive Portal? High experimental as of June 2018: github.com/iiab/iiab/issues/608 # Python-based Captive Portal, that @m-anish & @jvonau experimented with in
captive_portal_enabled: False # July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
# extensively refined in Sept 2018 (https://github.com/iiab/iiab/pull/1179)
# Simple python Captive Portal, that @m-anish & @jvonau are experimenting with in July 2018: github.com/iiab/iiab/pull/870
py_captive_portal_install: True py_captive_portal_install: True
py_captive_portal_enabled: True py_captive_portal_enabled: True
py_captive_portal_port: "9090" py_captive_portal_port: "9090"
py_captive_portal_username: "Admin" py_captive_portal_username: "Admin"
py_captive_portal_password: "changeme" py_captive_portal_password: "changeme"
# In a pinch, disable it by running: systemctl disable py-captive-portal
# For @tim-moody's Nodogsplash approach to Captive Portal?
# Highly experimental as of June 2018: https://github.com/iiab/iiab/issues/608
# captive_portal_install: False
# captive_portal_enabled: False

54
roles/network/files/mac.template Normal file
View file

@ -0,0 +1,54 @@
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=.75">
<title>Success</title>
<style type="text/css">
@media (min-width: 501px){
#header {
display: block;
height: 120px;
width:1024px;
background: #000 url('iiab_banner6.png') no-repeat 0 0;
border-radius: 5px;
margin: 5px;
}
body {
background-color: #CBFFAA;
font-family: sans-serif;
font-size: 100%;
width: 1024px;
margin: 3px;
}
}
.button {
font: bold 14px Arial;
text-decoration: none;
background-color: #EEEEEE;
color: #333333;
padding: 2px 6px 2px 6px;
border-top: 1px solid #CCCCCC;
border-right: 1px solid #333333;
border-bottom: 1px solid #333333;
border-left: 1px solid #CCCCCC;
radius: 5px;
}
</style>
</head>
<body>
Success
<br>
<div align="center">
<div id="header"></div>
<H1>Welcome to IIAB</H1>
<br><br>
{{ message }}
<div id="choices">
<br><br>
<br><br>
<br><br>
<br><br>
<a class="button" href="http://iiab-server.lan/home">{{ btn1 }}</a>
</div>
</body>
</html>

100
roles/network/files/simple.template Normal file
View file

@ -0,0 +1,100 @@
<!DOCTYPE html>
<html>
<head>
<title>Success</title>
<meta name="viewport" content="width=device-width, initial-scale=.75">
<script src="/jquery.min.js"></script>
<!-- <link rel="stylesheet" href="/bootstrap.min.css"/>
<script src="/bootstrap.min.js"></script> -->
<style type="text/css">
@media (max-width: 500px){
#header {
display: block;
height: 120px;
width:350px;
background: #000 url('iiab_banner6.png') no-repeat 0 0;
border-radius: 5px;
margin: 5px;
}
body {
background-color: #CBFFAA;
font-family: sans-serif;
font-size: 100%;
width: 350px;
margin: 3px;
}
}
@media (min-width: 501px){
#header {
display: block;
height: 120px;
width:1024px;
background: #000 url('iiab_banner6.png') no-repeat 0 0;
border-radius: 5px;
margin: 5px;
}
body {
background-color: #CBFFAA;
font-family: sans-serif;
font-size: 100%;
width: 1024px;
margin: 3px;
}
}
a {
color: #249;
text-decoration: none;
outline: none; /* don't outline image links (ff) */
}
.content-item {
padding: 10px 0 10px 0;
border: 1px solid #aaa;
border-radius: 5px;
margin-bottom: 2px;
background-color: #fff;
}
.button {
font: bold 14px Arial;
text-decoration: none;
background-color: #EEEEEE;
color: #333333;
padding: 2px 6px 2px 6px;
border-top: 1px solid #CCCCCC;
border-right: 1px solid #333333;
border-bottom: 1px solid #333333;
border-left: 1px solid #CCCCCC;
radius: 5px;
}
</style>
<script>
var w = window.innerWidth;
function homeclick(){
window.open("http://iiab-server.lan/home","_system");
$.ajax("/home_selected");
}
</script>
</head>
<body>
{% if success_token is defined %}
Success
{% endif %}
<br>
<div align="center">
<div id="header"></div>
<H1>Welcome to IIAB</H1>
<br><br>
{{ message }}
<div id="choices">
{% if btn2 is defined %}
<a class="button" href="https://captive.lan/android_splash">{{ btn2 }}</a>
{% endif %}
<br><br>
<br><br>
<br><br>
<br><br>
<!-- <a class="button" href="http://box.lan/home">{{ btn1 }}</a> -->
<a class="button" onclick="homeclick()">{{ btn1 }}</a>
</div>
</body>
</html>

51
roles/network/tasks/NM.yml
View file

@ -1,20 +1,33 @@
- name: Restart NetworkManager services - name: Restart NetworkManager services
service: name=NetworkManager service:
enabled=yes name: NetworkManager
state=stopped enabled: yes
- service: name=NetworkManager-dispatcher state: stopped
enabled=yes
state=stopped - service:
- wait_for: path=/etc/passwd name: NetworkManager-dispatcher
delay=4 enabled: yes
timeout=5 state: stopped
- service: name=NetworkManager
enabled=yes - wait_for:
state=started path: /etc/passwd
- wait_for: path=/etc/passwd delay: 4
delay=4 timeout: 5
timeout=5
- service: name=NetworkManager-dispatcher - service:
enabled=yes name: NetworkManager
state=started enabled: yes
- debug: msg="hopefully now NM is restarted" state: started
- wait_for:
path: /etc/passwd
delay: 4
timeout: 5
- service:
name: NetworkManager-dispatcher
enabled: yes
state: started
- debug:
msg: "hopefully now NM is restarted"

57
roles/network/tasks/avahi.yml
View file

@ -1,40 +1,47 @@
- name: Create a user for avahi - name: Create a user for avahi (debuntu)
user: name=avahi user:
createhome=no name: avahi
shell=/bin/false createhome: no
shell: /bin/false
when: is_debuntu when: is_debuntu
- name: Install avahi announce config files - name: Install avahi announce config file /etc/avahi/services/schoolserver.service
template: src=avahi/schoolserver.service template:
dest=/etc/avahi/services/schoolserver.service src: avahi/schoolserver.service
owner=avahi dest: /etc/avahi/services/schoolserver.service
group=avahi owner: avahi
mode=0640 group: avahi
mode: 0640
when: 'gui_wan == True' when: 'gui_wan == True'
- name: Find a clean copy of ssh.service - name: Find avahi_ver for clean copy of ssh.service (not debuntu)
shell: "ls /usr/share/doc/ |grep avahi | head -n1" shell: "ls /usr/share/doc/ | grep avahi | head -n1"
register: avahi_ver register: avahi_ver
ignore_errors: True ignore_errors: True
changed_when: false changed_when: false
# when: not is_debuntu # would cause failures 6 lines below
- name: Grab a clean copy of ssh.service - name: Grab a clean copy of ssh.service (not debuntu)
copy: src='/usr/share/doc/{{ avahi_ver.stdout }}/ssh.service' copy:
dest='/etc/avahi/services/' src: '/usr/share/doc/{{ avahi_ver.stdout }}/ssh.service'
dest: /etc/avahi/services/
when: avahi_ver.stdout != "" and not is_debuntu when: avahi_ver.stdout != "" and not is_debuntu
- name: Grab a clean copy of ssh.service - name: Grab a clean copy of ssh.service (debuntu)
copy: src='/usr/share/doc/avahi-daemon/examples/ssh.service' copy:
dest='/etc/avahi/services/' src: /usr/share/doc/avahi-daemon/examples/ssh.service
dest: /etc/avahi/services/
when: is_debuntu when: is_debuntu
- name: Set ssh port for avahi - name: Set ssh port for avahi
lineinfile: dest=/etc/avahi/services/ssh.service lineinfile:
regexp='</port>$' dest: /etc/avahi/services/ssh.service
line=' <port>{{ ssh_port }}</port>' regexp: '</port>$'
state=present line: ' <port>{{ ssh_port }}</port>'
backrefs=yes state: present
backrefs: yes
- name: Enable avahi service - name: Enable avahi service
service: name=avahi-daemon service:
enabled=yes name: avahi-daemon
enabled: yes

118
roles/network/tasks/captive_portal.yml
View file

@ -1,47 +1,107 @@
- name: Create directory for Captive Portal script - name: Download & install python-dateutil, sqlite3
package:
name: "{{ item }}"
state: present
with_items:
- python-dateutil
- sqlite3 # @georgehunt hopes to move this to 2-common (or more like stage 3-base-server, alongside MySQL) in October 2018
- name: Create directory /opt/iiab/captive-portal for scripts & templates
file: file:
path: /opt/iiab/captive-portal path: /opt/iiab/captive-portal
state: directory state: directory
when: py_captive_portal_install
- name: Copy Captive Portal script - name: 'Copy scripts: checkurls, capture-wsgi.py'
template: template:
src: roles/network/templates/captive_portal/captive_portal.py.j2 src: "{{ item.src }}"
dest: /opt/iiab/captive-portal/captive_portal.py dest: /opt/iiab/captive-portal/
mode: "{{ item.mode }}"
with_items:
- { src: roles/network/templates/captive-portal/checkurls, mode: '0644' }
- { src: roles/network/templates/captive-portal/capture-wsgi.py, mode: '0755' }
- name: 'Copy templates: simple.template, mac.template'
copy:
src: "{{ item }}"
dest: /opt/iiab/captive-portal/
with_items:
- roles/network/files/simple.template
- roles/network/files/mac.template
- name: Copy iiab-catch & iiab-uncatch into /usr/bin/
template:
src: "{{ item }}"
dest: /usr/bin/
owner: root owner: root
group: root group: root
mode: 0740 mode: 0755
when: py_captive_portal_install with_items:
- roles/network/templates/captive-portal/iiab-catch
- roles/network/templates/captive-portal/iiab-uncatch
- name: Copy Captive Portal service file - name: Run iiab-uncatch to generate diversion lists for dnsmasq and apache2
shell: /usr/bin/iiab-uncatch
- name: Install systemd unit file py-captive-portal.service from template
template: template:
src: roles/network/templates/captive_portal/captive_portal.service.j2 src: roles/network/templates/captive-portal/py-captive-portal.service.j2
dest: /etc/systemd/system/captive_portal.service dest: /etc/systemd/system/py-captive-portal.service
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
when: py_captive_portal_install
- name: Enable captive_portal after copying files - name: Install Apache's captive-portal.conf from template if py_captive_portal_enabled
service: template:
name: captive_portal.service src: roles/network/templates/captive-portal/captive-portal.conf
dest: /etc/{{ apache_config_dir }}/captive-portal.conf
owner: root
group: root
mode: 0740
when: py_captive_portal_enabled
- name: Enable Apache's captive-portal.conf if py_captive_portal_enabled (debuntu)
file:
src: /etc/apache2/sites-available/captive-portal.conf
path: /etc/apache2/sites-enabled/captive-portal.conf
state: link
when: py_captive_portal_enabled and is_debuntu
- name: Enable Apache's default-ssl.conf if py_captive_portal_enabled (debuntu)
file:
src: /etc/apache2/sites-available/default-ssl.conf
path: /etc/apache2/sites-enabled/default-ssl.conf
state: link
when: py_captive_portal_enabled and is_debuntu
- name: Enable & Start systemd service py-captive-portal.service if py_captive_portal_enabled
systemd:
name: py-captive-portal.service
daemon-reload: yes
enabled: yes enabled: yes
when: py_captive_portal_install and py_captive_portal_enabled
- name: Start captive_portal after copying files
service:
name: captive_portal.service
state: started state: started
when: py_captive_portal_install and py_captive_portal_enabled when: py_captive_portal_enabled
- name: Disable captive_portal after copying files - name: Disable & Stop py-captive-portal.service if not py_captive_portal_enabled
service: systemd:
name: captive_portal.service name: py-captive-portal.service
enabled: no enabled: no
when: py_captive_portal_install and py_captive_portal_enabled state: stopped
when: not py_captive_portal_enabled
- name: Stop captive_portal after copying files - name: Disable Apache's captive-portal.conf if not py_captive_portal_enabled (debuntu)
service: file:
name: captive_portal.service path: /etc/apache2/sites-enabled/captive-portal.conf
state: started state: absent
when: py_captive_portal_install and py_captive_portal_enabled when: not py_captive_portal_enabled and is_debuntu
- name: Disable Apache's default-ssl.conf if not py_captive_portal_enabled (debuntu)
file:
path: /etc/apache2/sites-enabled/default-ssl.conf
state: absent
when: not py_captive_portal_enabled and is_debuntu
- name: Make sure dnsmasq is not diverting if not py_captive_portal_enabled
file:
path: /etc/dnsmasq.d/capture
state: absent
when: not py_captive_portal_enabled

2
roles/network/tasks/computed_network.yml
View file

@ -192,7 +192,7 @@
tags: tags:
- network - network
- name: Add location section to config file - name: Add 'computed_network' variable values to /etc/iiab/iiab.ini
ini_file: ini_file:
dest: "{{ iiab_config_file }}" dest: "{{ iiab_config_file }}"
section: computed_network section: computed_network

27
roles/network/tasks/computed_services.yml
View file

@ -40,17 +40,18 @@
dhcp_service2: "dnsmasq" dhcp_service2: "dnsmasq"
when: dnsmasq_install and dnsmasq_enabled and iiab_network_mode != "Appliance" when: dnsmasq_install and dnsmasq_enabled and iiab_network_mode != "Appliance"
- name: Add location section to config file - name: Add 'network' variable values (from computed_services.yml) to /etc/iiab/iiab.ini
ini_file: dest='{{ iiab_config_file }}' ini_file:
section=network dest: "{{ iiab_config_file }}"
option='{{ item.option }}' section: network
value='{{ item.value }}' option: "{{ item.option }}"
value: "{{ item.value }}"
with_items: with_items:
- option: 'iiab_network_mode_applied' - option: iiab_network_mode_applied
value: '{{ iiab_network_mode }}' value: "{{ iiab_network_mode }}"
- option: 'dhcp_service2' - option: dhcp_service2
value: '{{ dhcp_service2 }}' value: "{{ dhcp_service2 }}"
- option: 'dnsmasq_enabled' - option: dnsmasq_enabled
value: '{{ dnsmasq_enabled }}' value: "{{ dnsmasq_enabled }}"
- option: 'no_net_restart' - option: no_net_restart
value: '{{ no_net_restart }}' value: "{{ no_net_restart }}"

0
roles/network/tasks/create_ifcfg.yml → roles/network/tasks/create_ifcfg.yml.deprecated
View file

125
roles/network/tasks/detected_network.yml
View file

@ -5,14 +5,14 @@
- name: Checking for old device gateway interface for device test - name: Checking for old device gateway interface for device test
set_fact: set_fact:
device_gw: "{{ prior_gw.stdout }}" device_gw: "{{ prior_gw.stdout }}"
device_gw2: "{{ prior_gw.stdout }}" device_gw2: "{{ prior_gw.stdout }}"
when: iiab_stage|int > 4 and prior_gw is defined and prior_gw.stdout != "" when: iiab_stage|int > 4 and prior_gw is defined and prior_gw.stdout != ""
- name: Setting WAN if detected - name: Setting WAN if detected
set_fact: set_fact:
iiab_wan_iface: "{{ discovered_wan_iface }}" iiab_wan_iface: "{{ discovered_wan_iface }}"
device_gw: "{{ discovered_wan_iface }}" device_gw: "{{ discovered_wan_iface }}"
when: ansible_default_ipv4.gateway is defined when: ansible_default_ipv4.gateway is defined
- name: Red Hat network detection (redhat) - name: Red Hat network detection (redhat)
@ -57,11 +57,11 @@
- name: Set the discovered wireless, if found - name: Set the discovered wireless, if found
set_fact: set_fact:
wifi1: "{{ item|trim }}" wifi1: "{{ item|trim }}"
discovered_wireless_iface: "{{ item|trim }}" discovered_wireless_iface: "{{ item|trim }}"
when: item|trim != "" and item|trim != discovered_wan_iface when: item|trim != "" and item|trim != discovered_wan_iface
with_items: with_items:
- "{{ wireless_list1.stdout_lines }}" - "{{ wireless_list1.stdout_lines }}"
# WIRELESS -- Sigh... Not all drivers update /proc/net/wireless correctly # WIRELESS -- Sigh... Not all drivers update /proc/net/wireless correctly
- name: Look for any wireless interfaces (take 2) - name: Look for any wireless interfaces (take 2)
@ -73,11 +73,11 @@
# Last device is used # Last device is used
- name: Set the discovered wireless, if found (take 2) - name: Set the discovered wireless, if found (take 2)
set_fact: set_fact:
wifi2: "{{ item|trim }}" wifi2: "{{ item|trim }}"
discovered_wireless_iface: "{{ item|trim }}" discovered_wireless_iface: "{{ item|trim }}"
when: wireless_list2.stdout is defined when: wireless_list2.stdout is defined
with_items: with_items:
- "{{ wireless_list2.stdout_lines }}" - "{{ wireless_list2.stdout_lines }}"
#item|trim != discovered_wan_iface #item|trim != discovered_wan_iface
- name: Count WiFi ifaces - name: Count WiFi ifaces
@ -87,19 +87,19 @@
# facts are apparently all stored as text, so do text comparisons from here on # facts are apparently all stored as text, so do text comparisons from here on
- name: Remember number of WiFi devices - name: Remember number of WiFi devices
set_fact: set_fact:
num_wifi_interfaces: "{{ count_wifi_interfaces.stdout|int }}" num_wifi_interfaces: "{{ count_wifi_interfaces.stdout|int }}"
# XO hack here ap_device would not be active therefore not set with # XO hack here ap_device would not be active therefore not set with
# wired as gw use ap_device to exclude eth0 from network calulations # wired as gw use ap_device to exclude eth0 from network calulations
- name: XO laptop override 2 WiFi on LAN - name: XO laptop override 2 WiFi on LAN
set_fact: set_fact:
ap_device: "eth0" ap_device: "eth0"
when: iiab_wan_iface != "eth0" and discovered_wireless_iface != "none" and xo_model == "XO-1.5" when: iiab_wan_iface != "eth0" and discovered_wireless_iface != "none" and xo_model == "XO-1.5"
- name: Exclude reserved WiFi adapter if defined - takes adapter name - name: Exclude reserved WiFi adapter if defined - takes adapter name
set_fact: set_fact:
ap_device: "{{ reserved_wifi }}" ap_device: "{{ reserved_wifi }}"
when: reserved_wifi is defined and discovered_wireless_iface != iiab_wan_iface and num_wifi_interfaces >= "2" when: reserved_wifi is defined and discovered_wireless_iface != iiab_wan_iface and num_wifi_interfaces >= "2"
- name: Count LAN ifaces - name: Count LAN ifaces
@ -108,7 +108,7 @@
- name: Calculate number of LAN interfaces including WiFi - name: Calculate number of LAN interfaces including WiFi
set_fact: set_fact:
num_lan_interfaces: "{{ num_lan_interfaces_result.stdout|int }}" num_lan_interfaces: "{{ num_lan_interfaces_result.stdout|int }}"
# LAN - pick non WAN's # LAN - pick non WAN's
- name: Create list of LAN (non WAN) ifaces - name: Create list of LAN (non WAN) ifaces
@ -128,19 +128,19 @@
# if there is more than one the last one wins # if there is more than one the last one wins
- name: Set discovered_wired_iface if present - name: Set discovered_wired_iface if present
set_fact: set_fact:
discovered_wired_iface: "{{ item|trim }}" discovered_wired_iface: "{{ item|trim }}"
when: lan_list_result.stdout_lines is defined and item|trim != discovered_wireless_iface when: lan_list_result.stdout_lines is defined and item|trim != discovered_wireless_iface
with_items: with_items:
- "{{ lan_list_result.stdout_lines }}" - "{{ lan_list_result.stdout_lines }}"
- name: Set iiab_wireless_lan_iface if present - name: Set iiab_wireless_lan_iface if present
set_fact: set_fact:
iiab_wireless_lan_iface: "{{ discovered_wireless_iface }}" iiab_wireless_lan_iface: "{{ discovered_wireless_iface }}"
when: discovered_wireless_iface is defined and discovered_wireless_iface != "none" and discovered_wireless_iface != iiab_wan_iface when: discovered_wireless_iface is defined and discovered_wireless_iface != "none" and discovered_wireless_iface != iiab_wan_iface
- name: Set iiab_wired_lan_iface if present - name: Set iiab_wired_lan_iface if present
set_fact: set_fact:
iiab_wired_lan_iface: "{{ discovered_wired_iface }}" iiab_wired_lan_iface: "{{ discovered_wired_iface }}"
when: discovered_wired_iface is defined and discovered_wired_iface != "none" and discovered_wired_iface != iiab_wan_iface when: discovered_wired_iface is defined and discovered_wired_iface != "none" and discovered_wired_iface != iiab_wan_iface
#unused #unused
@ -150,33 +150,33 @@
# use value only if present # use value only if present
- name: 2 or more devices on the LAN - use bridging - name: 2 or more devices on the LAN - use bridging
set_fact: set_fact:
iiab_lan_iface: br0 iiab_lan_iface: br0
when: num_lan_interfaces|int >= 2 and not is_rpi when: num_lan_interfaces|int >= 2 and not is_rpi
- name: For Debian, always use bridging - except RPi - name: For Debian, always use bridging - except RPi
set_fact: set_fact:
iiab_lan_iface: br0 iiab_lan_iface: br0
when: num_lan_interfaces|int >= 1 and is_debuntu and not is_rpi when: num_lan_interfaces|int >= 1 and is_debuntu and not is_rpi
- name: WiFi is on the LAN - use bridging - except RPi - name: WiFi is on the LAN - use bridging - except RPi
set_fact: set_fact:
iiab_lan_iface: br0 iiab_lan_iface: br0
when: iiab_wireless_lan_iface is defined and not nobridge is defined when: iiab_wireless_lan_iface is defined and not nobridge is defined
- name: Setting wired LAN as only interface - RPi - name: Setting wired LAN as only interface - RPi
set_fact: set_fact:
iiab_lan_iface: "{{ iiab_wired_lan_iface }}" iiab_lan_iface: "{{ iiab_wired_lan_iface }}"
when: iiab_wired_lan_iface is defined and nobridge is defined when: iiab_wired_lan_iface is defined and nobridge is defined
- name: Setting wireless LAN as only interface - RPi - name: Setting wireless LAN as only interface - RPi
set_fact: set_fact:
iiab_lan_iface: "{{ iiab_wireless_lan_iface }}" iiab_lan_iface: "{{ iiab_wireless_lan_iface }}"
when: iiab_wireless_lan_iface is defined and nobridge is defined when: iiab_wireless_lan_iface is defined and nobridge is defined
- name: In VM disable LAN - needs local_vars entry to activate - name: In VM disable LAN - needs local_vars entry to activate
set_fact: set_fact:
iiab_lan_iface: none iiab_lan_iface: none
no_net_restart: True no_net_restart: True
when: is_VM is defined when: is_VM is defined
# OK try old gw this is a best guess based on what's in # OK try old gw this is a best guess based on what's in
@ -188,41 +188,42 @@
gui_wan_iface: "{{ device_gw }}" gui_wan_iface: "{{ device_gw }}"
when: user_wan_iface == "auto" and device_gw != "none" and discovered_wan_iface == "none" when: user_wan_iface == "auto" and device_gw != "none" and discovered_wan_iface == "none"
- name: Add location section to config file - name: Add 'detected_network' variable values to /etc/iiab/iiab.ini
ini_file: dest='{{ iiab_config_file }}' ini_file:
section=detected_network dest: "{{ iiab_config_file }}"
option='{{ item.option }}' section: detected_network
value='{{ item.value }}' option: "{{ item.option }}"
value: "{{ item.value }}"
with_items: with_items:
- option: 'has_ifcfg_gw' - option: has_ifcfg_gw
value: '{{ has_ifcfg_gw }}' value: "{{ has_ifcfg_gw }}"
- option: 'prior_gateway_(device_gw2)' - option: prior_gateway_(device_gw2)
value: '{{ device_gw2 }}' value: "{{ device_gw2 }}"
- option: 'dhcpcd_result' - option: dhcpcd_result
value: '{{ dhcpcd_result }}' value: "{{ dhcpcd_result }}"
- option: 'network_manager_active' - option: network_manager_active
value: '{{ network_manager_active }}' value: "{{ network_manager_active }}"
- option: 'systemd_networkd_active' - option: systemd_networkd_active
value: '{{ systemd_networkd_active }}' value: "{{ systemd_networkd_active }}"
- option: 'wan_in_interfaces' - option: wan_in_interfaces
value: '{{ wan_in_interfaces }}' value: "{{ wan_in_interfaces }}"
- option: 'wireless_list_1(wifi1)' - option: wireless_list_1(wifi1)
value: '{{ wifi1 }}' value: "{{ wifi1 }}"
- option: 'wireless_list_2(wifi2)' - option: wireless_list_2(wifi2)
value: '{{ wifi2 }}' value: "{{ wifi2 }}"
- option: 'num_wifi_interfaces' - option: num_wifi_interfaces
value: '{{ num_wifi_interfaces }}' value: "{{ num_wifi_interfaces }}"
- option: 'discovered_wireless_iface' - option: discovered_wireless_iface
value: '{{ discovered_wireless_iface }}' value: "{{ discovered_wireless_iface }}"
- option: 'discovered_wired_iface' - option: discovered_wired_iface
value: '{{ discovered_wired_iface }}' value: "{{ discovered_wired_iface }}"
# - option: 'iiab_wireless_lan_iface' # - option: 'iiab_wireless_lan_iface
# value: '{{ iiab_wireless_lan_iface }}' # value: '{{ iiab_wireless_lan_iface }}"
- option: 'num_lan_interfaces' - option: num_lan_interfaces
value: '{{ num_lan_interfaces }}' value: "{{ num_lan_interfaces }}"
- option: 'gui_static_wan' - option: gui_static_wan
value: '{{ gui_static_wan }}' value: "{{ gui_static_wan }}"
- option: 'iiab_lan_iface' - option: iiab_lan_iface
value: '{{ iiab_lan_iface }}' value: "{{ iiab_lan_iface }}"
- option: 'iiab_wan_iface' - option: iiab_wan_iface
value: '{{ iiab_wan_iface }}' value: "{{ iiab_wan_iface }}"

7
roles/network/tasks/detected_redhat.yml
View file

@ -1,5 +1,6 @@
- name: Checking for ifcfg-WAN file - Can Fail - name: Checking for ifcfg-WAN file - Can Fail
stat: path=/etc/sysconfig/network-scripts/ifcfg-WAN stat:
path: /etc/sysconfig/network-scripts/ifcfg-WAN
when: not first_run when: not first_run
register: has_ifcfg_WAN register: has_ifcfg_WAN
ignore_errors: True ignore_errors: True
@ -31,7 +32,7 @@
has_ifcfg_gw: "{{ item|trim }}" has_ifcfg_gw: "{{ item|trim }}"
when: ifcfg_gw_device.stdout_lines is defined and item|trim != "" and item|trim != "/etc/sysconfig/network-scripts/ifcfg-LAN" when: ifcfg_gw_device.stdout_lines is defined and item|trim != "" and item|trim != "/etc/sysconfig/network-scripts/ifcfg-LAN"
with_items: with_items:
- "{{ ifcfg_gw_device.stdout_lines }}" - "{{ ifcfg_gw_device.stdout_lines }}"
ignore_errors: True ignore_errors: True
# returns path # returns path
@ -59,7 +60,7 @@
has_wifi_gw: "{{ item|trim }}" has_wifi_gw: "{{ item|trim }}"
when: ifcfg_WAN_wifi.changed and item|trim != "" when: ifcfg_WAN_wifi.changed and item|trim != ""
with_items: with_items:
- "{{ ifcfg_WAN_wifi.stdout_lines }}" - "{{ ifcfg_WAN_wifi.stdout_lines }}"
- name: Finding device for WiFi AP gateway - Can Fail - name: Finding device for WiFi AP gateway - Can Fail
shell: egrep -rn DEVICE /etc/sysconfig/network-scripts/{{ has_wifi_gw }} | gawk -F '=' '{print $2}' shell: egrep -rn DEVICE /etc/sysconfig/network-scripts/{{ has_wifi_gw }} | gawk -F '=' '{print $2}'

68
roles/network/tasks/dhcpd.yml
View file

@ -1,52 +1,60 @@
- name: Install dhcp package - name: Install dhcp package (debuntu)
package: name=isc-dhcp-server package:
state=present name: isc-dhcp-server
state: present
when: is_debuntu when: is_debuntu
tags: tags:
- download - download
- name: Install dhcp package - name: Install dhcp package (not debuntu)
package: name=dhcp package:
state=present name: dhcp
state: present
when: not is_debuntu when: not is_debuntu
tags: tags:
- download - download
- name: Create non-privileged user - name: Create non-privileged user 'dhcpd' (debuntu)
user: name=dhcpd user:
createhome=no name: dhcpd
createhome: no
when: is_debuntu when: is_debuntu
- name: Disable stock dhcp_service - name: Disable stock dhcp_service (debuntu)
service: name={{ dhcp_service }} service:
enabled=no name: "{{ dhcp_service }}"
state=stopped enabled: no
state: stopped
when: is_debuntu when: is_debuntu
- name: Disable stock dhcp_service ipv6 - name: Disable stock dhcp_service ipv6 (ubuntu-18)
service: name={{ dhcp_service }}6 service:
enabled=no name: "{{ dhcp_service }}6"
state=stopped enabled: no
state: stopped
when: is_ubuntu_18 when: is_ubuntu_18
- name: Install systemd unit file to /etc/systemd/system/dhcpd.service - name: Install systemd unit file to /etc/systemd/system/dhcpd.service
template: src={{ item.src }} template:
dest={{ item.dest }} src: "{{ item.src }}"
owner=root dest: "{{ item.dest }}"
group=root owner: root
mode={{ item.mode }} group: root
mode: "{{ item.mode }}"
with_items: with_items:
- { src: 'roles/network/templates/dhcp/dhcpd.service', dest: '/etc/systemd/system/dhcpd.service', mode: '0644' } - { src: 'roles/network/templates/dhcp/dhcpd.service', dest: '/etc/systemd/system/dhcpd.service', mode: '0644' }
- name: Create dhcpd needed files - name: Create file /var/lib/dhcpd/dhcpd.leases (redhat)
command: touch /var/lib/dhcpd/dhcpd.leases command: touch /var/lib/dhcpd/dhcpd.leases
creates=/var/lib/dhcpd/dhcpd.leases args:
creates: /var/lib/dhcpd/dhcpd.leases
when: is_redhat when: is_redhat
- name: Check lease's permissions - name: Set dhcpd.leases permissions/ownership (redhat)
file: path=/var/lib/dhcpd/dhcpd.leases file:
owner=dhcpd path: /var/lib/dhcpd/dhcpd.leases
group=dhcpd owner: dhcpd
mode=0644 group: dhcpd
state=file mode: 0644
state: file
when: is_redhat when: is_redhat

54
roles/network/tasks/edit_ifcfg.yml
View file

@ -1,43 +1,49 @@
- name: Turn off ISP nameservers - name: Turn off ISP nameservers
lineinfile: state=present lineinfile:
backrefs=yes state: present
regexp='^PEERDNS' backrefs: yes
line='PEERDNS="no"' regexp: '^PEERDNS'
dest={{ has_ifcfg_gw }} line: 'PEERDNS="no"'
dest: "{{ has_ifcfg_gw }}"
- name: Turn on local nameserver - name: Turn on local nameserver
lineinfile: state=present lineinfile:
line='DNS1="127.0.0.1"' state: present
dest={{ has_ifcfg_gw }} line: 'DNS1="127.0.0.1"'
dest: "{{ has_ifcfg_gw }}"
- name: Remove the UUID - name: Remove the UUID
lineinfile: state=absent lineinfile:
regexp='^UUID' state: absent
dest={{ has_ifcfg_gw }} regexp: '^UUID'
dest: "{{ has_ifcfg_gw }}"
# Leave wifi as is NAME=<AP> needs to match keyring name. # Leave wifi as is NAME=<AP> needs to match keyring name.
- name: Fix the NM name - name: Fix the NM name
lineinfile: state=present lineinfile:
backrefs=yes state: present
regexp='^NAME' backrefs: yes
line='NAME="iiab-WAN"' regexp: '^NAME'
dest={{ has_ifcfg_gw }} line: 'NAME="iiab-WAN"'
dest: "{{ has_ifcfg_gw }}"
when: has_wifi_gw == "none" when: has_wifi_gw == "none"
# testpoint - quoting and present # testpoint - quoting and present
# note DEVICE can change what is displayed via "ip and friends" # note DEVICE can change what is displayed via "ip and friends"
- name: Fix the DEVICE - name: Fix the DEVICE
lineinfile: state=present lineinfile:
backrefs=yes state: present
regexp='^DEVICE' backrefs: yes
line='DEVICE="{{ iiab_wan_iface }}"' regexp: '^DEVICE'
dest={{ has_ifcfg_gw }} line: 'DEVICE="{{ iiab_wan_iface }}"'
dest: "{{ has_ifcfg_gw }}"
when: iiab_wan_iface != "none" and has_wifi_gw == "none" when: iiab_wan_iface != "none" and has_wifi_gw == "none"
- name: Add marker - name: Add marker
lineinfile: state=present lineinfile:
line="# Modified by IIAB" state: present
dest={{ has_ifcfg_gw }} line: "# Modified by IIAB"
dest: "{{ has_ifcfg_gw }}"
- name: Rename supplied gateway ifcfg file to WAN if present - name: Rename supplied gateway ifcfg file to WAN if present
shell: mv "{{ has_ifcfg_gw }}" /etc/sysconfig/network-scripts/ifcfg-WAN shell: mv "{{ has_ifcfg_gw }}" /etc/sysconfig/network-scripts/ifcfg-WAN

44
roles/network/tasks/enable_wan.yml
View file

@ -1,32 +1,36 @@
- name: Turn off ONBOOT for WAN on reboot if disabled - name: Turn off ONBOOT for WAN on reboot if disabled
lineinfile: state=present lineinfile:
backrefs=yes state: present
regexp='^ONBOOT' backrefs: yes
line='ONBOOT="no"' regexp: '^ONBOOT'
dest=/etc/sysconfig/network-scripts/ifcfg-WAN line: 'ONBOOT="no"'
dest: /etc/sysconfig/network-scripts/ifcfg-WAN
when: has_WAN and iiab_wan_iface == "none" when: has_WAN and iiab_wan_iface == "none"
#testpoint Need to ensure we have only one entry #testpoint Need to ensure we have only one entry
- name: Ensure macaddress is correct - name: Ensure macaddress is correct
lineinfile: state=present lineinfile:
backrefs=yes state: present
regexp='^HWADDR' backrefs: yes
line='HWADDR="{{ hostvars[inventory_hostname]['ansible_' + iiab_wan_iface]['macaddress'] }}"' regexp: '^HWADDR'
dest=/etc/sysconfig/network-scripts/ifcfg-WAN line: 'HWADDR="{{ hostvars[inventory_hostname]['ansible_' + iiab_wan_iface]['macaddress'] }}"'
dest: /etc/sysconfig/network-scripts/ifcfg-WAN
when: has_WAN and iiab_wan_iface != "none" when: has_WAN and iiab_wan_iface != "none"
- name: Fix the DEVICE - name: Fix the DEVICE
lineinfile: state=present lineinfile:
backrefs=yes state: present
regexp='^NAME' backrefs: yes
line='NAME="iiab-WAN"' regexp: '^NAME'
dest=/etc/sysconfig/network-scripts/ifcfg-WAN line: 'NAME="iiab-WAN"'
dest: /etc/sysconfig/network-scripts/ifcfg-WAN
when: has_WAN and iiab_wan_iface != "none" when: has_WAN and iiab_wan_iface != "none"
- name: Turn on ONBOOT for WAN on reboot if enabled - name: Turn on ONBOOT for WAN on reboot if enabled
lineinfile: state=present lineinfile:
backrefs=yes state: present
regexp="^ONBOOT" backrefs: yes
line="ONBOOT=yes" regexp: "^ONBOOT"
dest=/etc/sysconfig/network-scripts/ifcfg-WAN line: "ONBOOT=yes"
dest: /etc/sysconfig/network-scripts/ifcfg-WAN
when: has_WAN and iiab_wan_iface != "none" when: has_WAN and iiab_wan_iface != "none"

36
roles/network/tasks/hosts.yml
View file

@ -1,23 +1,25 @@
#TODO: Use vars instead of hardcoded values #TODO: Use vars instead of hardcoded values
- name: Remove fqdn in /etc/hosts without LAN - name: Remove FQDN with 172.18.96.1 in /etc/hosts without LAN (if iiab_lan_iface == "none" and not installing)
lineinfile: dest=/etc/hosts lineinfile:
regexp='^172\.18\.96\.1' path: /etc/hosts
state=absent regexp: '^172\.18\.96\.1'
state: absent
when: iiab_lan_iface == "none" and not installing when: iiab_lan_iface == "none" and not installing
- name: Configure fqdn in /etc/hosts with LAN - name: Configure FQDN with 172.18.96.1 in /etc/hosts with LAN (if iiab_lan_iface != "none" and not installing)
lineinfile: dest=/etc/hosts lineinfile:
regexp='^172\.18\.96\.1' path: /etc/hosts
line='172.18.96.1 {{ iiab_hostname }}.{{ iiab_domain }} {{ iiab_hostname }} box' regexp: '^172\.18\.96\.1'
state=present line: '172.18.96.1 {{ iiab_hostname }}.{{ iiab_domain }} {{ iiab_hostname }} box iiab-server.lan'
state: present
when: iiab_lan_iface != "none" and not installing when: iiab_lan_iface != "none" and not installing
- name: Configure fqdn in /etc/hosts appliance mode - name: Configure FQDN with 127.0.0.1 in /etc/hosts appliance mode (if iiab_lan_iface == "none" and not installing)
lineinfile: dest=/etc/hosts lineinfile:
regexp='^127\.0\.0\.1' path: /etc/hosts
line='127.0.0.1 localhost.localdomain localhost {{ iiab_hostname }}.{{ iiab_domain }} {{ iiab_hostname }} box ' regexp: '^127\.0\.0\.1'
owner=root line: '127.0.0.1 localhost.localdomain localhost {{ iiab_hostname }}.{{ iiab_domain }} {{ iiab_hostname }} box iiab-server.lan'
group=root owner: root
mode=0644 group: root
mode: 0644
when: iiab_lan_iface == "none" and not installing when: iiab_lan_iface == "none" and not installing

2
roles/network/tasks/main.yml
View file

@ -112,7 +112,7 @@
tags: tags:
- network - network
- name: NetworkManager in use - name: NetworkManager in use (if ubuntu-18 and network_manager_active)
include_tasks: NM-debian.yml include_tasks: NM-debian.yml
when: is_ubuntu_18 and network_manager_active when: is_ubuntu_18 and network_manager_active
#and not installing #and not installing

14
roles/network/tasks/named.yml
View file

@ -1,4 +1,4 @@
- name: Install named packages (debuntu) - name: Install named packages (if debuntu)
package: package:
name: "{{ item }}" name: "{{ item }}"
state: present state: present
@ -9,7 +9,7 @@
tags: tags:
- download - download
- name: Install named packages (OS's that are not debuntu) - name: Install named packages (if not debuntu)
package: package:
name: "{{ item }}" name: "{{ item }}"
state: present state: present
@ -21,7 +21,7 @@
- download - download
# or we have to change the serial number in the config files. # or we have to change the serial number in the config files.
- name: Stop named before copying files - name: Stop named before copying files (if first_run and debuntu)
service: service:
name: "{{ dns_service }}" name: "{{ dns_service }}"
state: stopped state: stopped
@ -76,27 +76,27 @@
dest: "/etc/systemd/system/{{ dns_service }}.service" dest: "/etc/systemd/system/{{ dns_service }}.service"
mode: 0644 mode: 0644
- name: The dns-jail redirect requires the named.blackhole, disabling recursion - name: The dns-jail redirect requires the named.blackhole, disabling recursion (if dns_jail_enabled)
# in named-iiab.conf, and the redirection of 404 error documents to / # in named-iiab.conf, and the redirection of 404 error documents to /
template: template:
src: roles/network/templates/named/dns-jail.conf src: roles/network/templates/named/dns-jail.conf
dest: "/etc/{{ apache_config_dir }}/" dest: "/etc/{{ apache_config_dir }}/"
when: dns_jail_enabled when: dns_jail_enabled
- name: Separate enabling required (debuntu) - name: Separate enabling required (if debuntu and dns_jail_enabled)
file: file:
src: "/etc/{{ apache_config_dir }}/dns-jail.conf" src: "/etc/{{ apache_config_dir }}/dns-jail.conf"
path: "/etc/{{ apache_service }}/sites-enabled/dns-jail.conf" path: "/etc/{{ apache_service }}/sites-enabled/dns-jail.conf"
state: link state: link
when: is_debuntu and dns_jail_enabled when: is_debuntu and dns_jail_enabled
- name: Separate disabling required (debuntu) - name: Separate disabling required (if debuntu and not dns_jail_enabled)
file: file:
path: "/etc/{{ apache_service }}/sites-enabled/dns-jail.conf" path: "/etc/{{ apache_service }}/sites-enabled/dns-jail.conf"
state: absent state: absent
when: is_debuntu and not dns_jail_enabled when: is_debuntu and not dns_jail_enabled
- name: Separate enabling/disabling required (OS's that are not debuntu) - name: Separate enabling/disabling required (if not debuntu and not dns_jail_enabled)
file: file:
path: "/etc/{{ apache_config_dir }}/dns-jail.conf" path: "/etc/{{ apache_config_dir }}/dns-jail.conf"
state: absent state: absent

34
roles/network/tasks/redetect.yml
View file

@ -17,14 +17,17 @@
dhcp_good: False dhcp_good: False
# don't shoot ourselves in the foot.... # don't shoot ourselves in the foot....
- name: Disable dhcp server just because - name: Disable dhcpd server just because
service: name=dhcpd state=stopped service:
name: dhcpd
state: stopped
### clear all connections first ### clear all connections first
# We should have the LAN torndown at this point. # We should have the LAN torndown at this point.
- name: No ifcfg-WAN known - name: No ifcfg-WAN known
debug: msg="NO WAN known" debug:
msg: "NO WAN known"
when: not has_WAN when: not has_WAN
- name: Finding connection name for WiFi AP gateway first - name: Finding connection name for WiFi AP gateway first
@ -46,8 +49,8 @@
# We have the DEVICE? # We have the DEVICE?
- name: Now setting iiab_wan_iface based on WiFi - name: Now setting iiab_wan_iface based on WiFi
set_fact: set_fact:
iiab_wan_iface: "{{ dhcp_wifi_results.stdout }}" iiab_wan_iface: "{{ dhcp_wifi_results.stdout }}"
dhcp_good: True dhcp_good: True
when: dhcp_wifi_results.stdout is defined and dhcp_wifi_results.stdout != "" when: dhcp_wifi_results.stdout is defined and dhcp_wifi_results.stdout != ""
- name: Trying ifcfg-WAN second - name: Trying ifcfg-WAN second
@ -57,7 +60,8 @@
when: has_WAN when: has_WAN
- name: BAD ifcfg-WAN - name: BAD ifcfg-WAN
debug: msg="BAD WAN" debug:
msg: "BAD WAN"
when: dhcp_WAN is defined and dhcp_WAN|failed when: dhcp_WAN is defined and dhcp_WAN|failed
- name: Delete ifcfg-WAN - name: Delete ifcfg-WAN
@ -66,7 +70,7 @@
- name: Setting no ifcfg-WAN - name: Setting no ifcfg-WAN
set_fact: set_fact:
has_WAN: False has_WAN: False
when: dhcp_WAN is defined and dhcp_WAN|failed and wan_ip == "dhcp" when: dhcp_WAN is defined and dhcp_WAN|failed and wan_ip == "dhcp"
- name: Interface list - name: Interface list
@ -79,7 +83,7 @@
ignore_errors: True ignore_errors: True
when: item|trim != iiab_wireless_lan_iface and not dhcp_good and wan_ip == "dhcp" when: item|trim != iiab_wireless_lan_iface and not dhcp_good and wan_ip == "dhcp"
with_items: with_items:
- "{{ adapter_list.stdout_lines }}" - "{{ adapter_list.stdout_lines }}"
# monitor-connection-files defaults to no with F21, F18-F20 defaults to yes # monitor-connection-files defaults to no with F21, F18-F20 defaults to yes
- name: Reloading nmcli for deleted files - name: Reloading nmcli for deleted files
@ -93,7 +97,7 @@
ignore_errors: True ignore_errors: True
when: item|trim != discovered_wireless_iface and item|trim != iiab_wireless_lan_iface and not dhcp_good and wan_ip == "dhcp" when: item|trim != discovered_wireless_iface and item|trim != iiab_wireless_lan_iface and not dhcp_good and wan_ip == "dhcp"
with_items: with_items:
- "{{ adapter_list.stdout_lines }}" - "{{ adapter_list.stdout_lines }}"
# This should be neat on a VM with 2 bridged interfaces. # This should be neat on a VM with 2 bridged interfaces.
- name: Checking for gateway - name: Checking for gateway
@ -104,8 +108,8 @@
# We have the DEVICE? # We have the DEVICE?
- name: Now setting iiab_wan_iface via nmcli - name: Now setting iiab_wan_iface via nmcli
set_fact: set_fact:
iiab_wan_iface: "{{ dhcp_1BY1_results.stdout }}" iiab_wan_iface: "{{ dhcp_1BY1_results.stdout }}"
dhcp_good: True dhcp_good: True
when: dhcp_1BY1_results.stdout is defined and dhcp_1BY1_results.stdout != "" and not has_WAN when: dhcp_1BY1_results.stdout is defined and dhcp_1BY1_results.stdout != "" and not has_WAN
- name: Find gateway config based on device - name: Find gateway config based on device
@ -120,7 +124,7 @@
has_ifcfg_gw: "{{ item|trim }}" has_ifcfg_gw: "{{ item|trim }}"
when: dhcp_good and ifcfg_dhcp_device is defined and item|trim != "" when: dhcp_good and ifcfg_dhcp_device is defined and item|trim != ""
with_items: with_items:
- "{{ ifcfg_dhcp_device.stdout_lines }}" - "{{ ifcfg_dhcp_device.stdout_lines }}"
ignore_errors: True ignore_errors: True
# wired devices with no wire plugged in fail here # wired devices with no wire plugged in fail here
@ -129,12 +133,12 @@
ignore_errors: True ignore_errors: True
when: item|trim != iiab_wireless_lan_iface and item|trim != iiab_wan_iface and wan_ip == "dhcp" when: item|trim != iiab_wireless_lan_iface and item|trim != iiab_wan_iface and wan_ip == "dhcp"
with_items: with_items:
- "{{ adapter_list.stdout_lines }}" - "{{ adapter_list.stdout_lines }}"
### keep at end. ### keep at end.
### If dhcp fails the single interface will become LAN again because we didn't prevent the creation ### If dhcp fails the single interface will become LAN again because we didn't prevent the creation
# Now disable LAN if single interface # Now disable LAN if single interface
- name: DHCP found on Single interface forcing LAN disabled - name: DHCP found on Single interface forcing LAN disabled
set_fact: set_fact:
iiab_lan_iface: "none" iiab_lan_iface: "none"
when: dhcp_good and adapter_count.stdout|int == "1" when: dhcp_good and adapter_count.stdout|int == "1"

2
roles/network/tasks/squid.yml
View file

@ -97,7 +97,7 @@
- option: enabled - option: enabled
value: "{{ squid_enabled }}" value: "{{ squid_enabled }}"
- name: Add 'dansguardian' to list of services at /etc/iiab/iiab.ini - name: Add 'dansguardian' variable values to /etc/iiab/iiab.ini
ini_file: ini_file:
dest: "{{ service_filelist }}" dest: "{{ service_filelist }}"
section: dansguardian section: dansguardian

18
roles/network/tasks/static.yml
View file

@ -1,8 +1,9 @@
# supply an ifcfg if no gateway detected but wan_ip is set # supply an ifcfg if no gateway detected but wan_ip is set
# set user_wan_iface: <device> and use wan_* for static info # set user_wan_iface: <device> and use wan_* for static info
- name: Supply WAN interface file - name: Install WAN interface file /etc/sysconfig/network-scripts/ifcfg-WAN from template
template: src=network/ifcfg-WAN.j2 template:
dest=/etc/sysconfig/network-scripts/ifcfg-WAN src: network/ifcfg-WAN.j2
dest: /etc/sysconfig/network-scripts/ifcfg-WAN
- include_tasks: NM.yml - include_tasks: NM.yml
when: 'ansible_distribution_version <= "20" and wan_ip != "dhcp"' when: 'ansible_distribution_version <= "20" and wan_ip != "dhcp"'
@ -12,8 +13,9 @@
ignore_errors: yes ignore_errors: yes
when: 'ansible_distribution_version >= "21" and wan_ip != "dhcp"' when: 'ansible_distribution_version >= "21" and wan_ip != "dhcp"'
- name: Use upstream nameserver until named is installed - name: Use upstream nameserver until named (etc) is installed
lineinfile: dest=/etc/resolv.conf lineinfile:
line='nameserver {{ wan_nameserver }}' dest: /etc/resolv.conf
create=yes line: "nameserver {{ wan_nameserver }}"
state=present create: yes
state: present

74
roles/network/tasks/wondershaper.yml
View file

@ -1,43 +1,49 @@
- name: Copy Wondershaper service script - name: Install Wondershaper systemd unit file from template
template: backup=yes template:
src=roles/network/templates/wondershaper/wondershaper.service backup: yes
dest=/etc/systemd/system/wondershaper.service src: roles/network/templates/wondershaper/wondershaper.service
mode=0644 dest: /etc/systemd/system/wondershaper.service
mode: 0644
- name: Copy Wondershaper script - name: Install /usr/bin/wondershaper from template
template: backup=yes template:
src=roles/network/templates/wondershaper/wondershaper.j2 backup: yes
dest=/usr/bin/wondershaper src: roles/network/templates/wondershaper/wondershaper.j2
owner=root dest: /usr/bin/wondershaper
group=root owner: root
mode=0744 group: root
mode: 0744
- name: Create conf.d directory - name: Create conf.d directory
file: path=/etc/conf.d file:
owner=root path: /etc/conf.d
group=root owner: root
mode=0755 group: root
state=directory mode: 0755
state: directory
- name: Copy Wondershaper config script - name: Install /etc/conf.d/wondershaper.conf from template
template: src=roles/network/templates/wondershaper/wondershaper.conf template:
dest=/etc/conf.d/wondershaper.conf src: roles/network/templates/wondershaper/wondershaper.conf
owner=root dest: /etc/conf.d/wondershaper.conf
group=root owner: root
mode=0600 group: root
mode: 0600
- name: Create fact for Wondershaper config file - name: Create fact (link) for /etc/conf.d/wondershaper.conf
file: src=/etc/conf.d/wondershaper.conf file:
dest=/etc/ansible/facts.d/wondershaper.fact src: /etc/conf.d/wondershaper.conf
owner=root dest: /etc/ansible/facts.d/wondershaper.fact
group=root owner: root
state=link group: root
state: link
- name: Add 'wondershaper' to service list - name: Add 'wondershaper' variable values to /etc/iiab/iiab.ini
ini_file: dest='{{ service_filelist }}' ini_file:
section=wondershaper dest: "{{ service_filelist }}"
option='{{ item.option }}' section: wondershaper
value='{{ item.value }}' option: "{{ item.option }}"
value: "{{ item.value }}"
with_items: with_items:
- option: name - option: name
value: wondershaper value: wondershaper

14
roles/network/templates/captive-portal/captive-portal.conf Normal file
View file

@ -0,0 +1,14 @@
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName iiab.io
Include /etc/apache2/capture
ProxyPreserveHost On
ProxyPass / http://box.lan:{{ py_captive_portal_port }}/
ProxyPassReverse / http://box.lan:{{ py_captive_portal_port }}/
</VirtualHost>

0
roles/network/templates/captive_portal/captive_portal.py.j2 → roles/network/templates/captive-portal/captive-portal.py.j2
View file

550
roles/network/templates/captive-portal/capture-wsgi.py Executable file
View file

@ -0,0 +1,550 @@
#! /usr/bin/env python
# -*- coding: utf-8 -*-
# using Python's bundled WSGI server
from wsgiref.simple_server import make_server
import subprocess
from dateutil.tz import *
import datetime
import logging
from logging.handlers import RotatingFileHandler
import os
import sys
from jinja2 import Environment, FileSystemLoader
import sqlite3
import re
# Notes on timeout strategy
# every client timestamp is recorded into current_ts
# When splash page is clicked , return 204 timeout starts (via ajax call),
# Return 204 is android (may be different for different versions)
# captive portal redirect is triggered after inactivity timeout,
# which needs to be longer than period of normal connecetivity checks by OS
#
# Create the jinja2 environment.
CAPTIVE_PORTAL_BASE = "/opt/iiab/captive-portal"
j2_env = Environment(loader=FileSystemLoader(CAPTIVE_PORTAL_BASE),trim_blocks=True)
# Define time outs
INACTIVITY_TO = 30
PORTAL_TO = 0 # delay after triggered by ajax upon click of link to home page
# I had hoped that returning 204 status after some delay
# would dispense with android's "sign-in to network" (no work)
# Get the IIAB variables
sys.path.append('/etc/iiab/')
from iiab_env import get_iiab_env
doc_root = get_iiab_env("WWWROOT")
# make a way to find new URLs queried by new clients
# CATCH substitues this server for apache at port 80
CATCH = False
if len(sys.argv) > 1 and sys.argv[1] == '-d':
CATCH = True
PORT=80
else:
PORT=9090
# set up some logging -- selectable for diagnostics
# Create dummy iostream to capture stderr and stdout
class StreamToLogger(object):
"""
Fake file-like stream object that redirects writes to a logger instance.
"""
def __init__(self, logger, log_level=logging.INFO):
self.logger = logger
self.log_level = log_level
self.linebuf = ''
def write(self, buf):
for line in buf.rstrip().splitlines():
self.logger.log(self.log_level, line.rstrip())
if len(sys.argv) > 1 and sys.argv[1] == '-l':
loggingLevel = logging.DEBUG
else:
loggingLevel = logging.ERROR
logging.basicConfig(filename='/var/log/apache2/portal.log',format='%(asctime)s.%(msecs)03d:%(name)s:%(message)s', datefmt='%M:%S',level=loggingLevel)
logger = logging.getLogger('/var/log/apache2/portal.log')
handler = RotatingFileHandler("/var/log/apache2/portal.log", maxBytes=100000, backupCount=2)
logger.addHandler(handler)
# divert stdout and stderr to logger
stdout_logger = logging.getLogger('STDOUT')
sl = StreamToLogger(stdout_logger, logging.ERROR)
#sys.stdout = sl
stderr_logger = logging.getLogger('STDERR')
sl = StreamToLogger(stderr_logger, logging.ERROR)
sys.stderr = sl
# Define globals
MAC_SUCCESS=False
ANDROID_TRIGGERED=False
logger.debug("")
logger.debug('##########################################')
# what language are we speaking?
lang = os.environ['LANG'][0:2]
logger.debug('speaking: %s'%lang)
def tstamp(dtime):
'''return a UNIX style seconds since 1970 for datetime input'''
epoch = datetime.datetime(1970, 1, 1,tzinfo=tzutc())
newdtime = dtime.astimezone(tzutc())
since_epoch_delta = newdtime - epoch
return since_epoch_delta.total_seconds()
# ##########database operations ##############
# Use a sqlite database to store per client information
user_db = os.path.join(CAPTIVE_PORTAL_BASE,"users.sqlite")
conn = sqlite3.connect(user_db)
if not os.path.exists(user_db):
conn.close()
conn = sqlite3.connect(user_db)
c = conn.cursor()
c.row_factory = sqlite3.Row
c.execute( """create table IF NOT EXISTS users
(ip text PRIMARY KEY, mac text, current_ts integer,
lasttimestamp integer, send204after integer,
os text, os_version text,
ymd text)""")
def update_user(ip, mac, system, system_version, ymd):
sql = "SELECT * FROM users WHERE ip = ?"
c.execute(sql,(ip,))
row = c.fetchone()
if row == None:
sql = "INSERT INTO users (ip,mac,os,os_version,ymd) VALUES (?,?,?,?,?)"
c.execute(sql,(ip, mac, system, system_version, ymd ))
else:
sql = "UPDATE users SET (mac,os,os_version,ymd) = ( ?, ?, ?, ? ) WHERE ip = ?"
c.execute(sql,(mac, system, system_version, ymd, ip,))
conn.commit()
def platform_info(ip):
sql = "select * FROM users WHERE ip = ?"
c.execute(sql,(ip,))
row = c.fetchone()
if row is None: return ('','',)
return (row['os'],row['os_version'])
def timeout_info(ip):
sql = "select * FROM users WHERE ip = ?"
c.execute(sql,(ip,))
row = c.fetchone()
if row is None: return (0,0,0,)
return [row['current_ts'],row['lasttimestamp'],row['send204after']]
def is_inactive(ip):
ts=tstamp(datetime.datetime.now(tzutc()))
current_ts, last_ts, send204after = timeout_info(ip)
if not last_ts:
return True
if ts - int(last_ts) > INACTIVITY_TO:
return True
else:
return False
def is_after204_timeout(ip):
ts=tstamp(datetime.datetime.now(tzutc()))
current_ts, last_ts, send204after = timeout_info(ip)
if send204after == 0: return False
logger.debug("function: is_after204_timeout send204after:%s current: %s"%(send204after,ts,))
if not send204after:
return False
if ts - int(send204after) > 0:
return True
else:
return False
def set_204after(ip,value):
global ANDROID_TRIGGERED
ts=tstamp(datetime.datetime.now(tzutc()))
sql = 'UPDATE users SET send204after = ? where ip = ?'
c.execute(sql,(ts + value,ip,))
conn.commit()
ANDROID_TRIGGERED = False
def set_lasttimestamp(ip):
ts=tstamp(datetime.datetime.now(tzutc()))
sql = 'UPDATE users SET lasttimestamp = ? where ip = ?'
c.execute(sql,(ts,ip,))
conn.commit()
# ################### Action routines based on OS ################3
def microsoft(environ,start_response):
#logger.debug("sending microsoft response")
en_txt={ 'message':"Click on the button to go to the IIAB home page",\
'btn1':"GO TO IIAB HOME PAGE",'doc_root':get_iiab_env("WWWROOT")}
es_txt={ 'message':"Haga clic en el botón para ir a la página de inicio de IIAB",\
'btn1':"IIAB",'doc_root':get_iiab_env("WWWROOT")}
if lang == "en":
txt = en_txt
elif lang == "es":
txt = es_txt
response_body = str(j2_env.get_template("simple.template").render(**txt))
status = '200 OK'
response_headers = [('Content-type','text/html'),
('Content-Length',str(len(response_body)))]
start_response(status, response_headers)
return [response_body]
def android(environ, start_response):
global ANDROID_TRIGGERED
ip = environ['HTTP_X_FORWARDED_FOR'].strip()
system,system_version = platform_info(ip)
if system_version[0:1] < '6':
logger.debug("system < 6:%s"%system_version)
location = '/android_splash'
set_204after(ip,0)
else:
set_204after(ip,20)
location = '/android_https'
agent = environ['HTTP_USER_AGENT']
response_body = "hello"
status = '302 Moved Temporarily'
response_headers = [('Location',location)]
start_response(status, response_headers)
return [response_body]
def android_splash(environ, start_response):
en_txt={ 'message':"Click on the button to go to the IIAB home page",\
'btn1':"GO TO IIAB HOME PAGE", \
'doc_root':get_iiab_env("WWWROOT") }
es_txt={ 'message':"Haga clic en el botón para ir a la página de inicio de IIAB",\
'btn1':"IIAB",'doc_root':get_iiab_env("WWWROOT")}
if lang == "en":
txt = en_txt
elif lang == "es":
txt = es_txt
response_body = str(j2_env.get_template("simple.template").render(**txt))
status = '200 OK'
response_headers = [('Content-type','text/html'),
('Content-Length',str(len(response_body)))]
start_response(status, response_headers)
return [response_body]
def android_https(environ, start_response):
en_txt={ 'message':"""Please ignore the SECURITY warning which appears after clicking the first button""",\
'btn2':'Click this first Go to the browser we need',\
'btn1':'Then click this to go to IIAB home page',\
'doc_root':get_iiab_env("WWWROOT") }
es_txt={ 'message':"Haga clic en el botón para ir a la página de inicio de IIAB",\
'btn1':"IIAB",'doc_root':get_iiab_env("WWWROOT")}
if lang == "en":
txt = en_txt
elif lang == "es":
txt = es_txt
response_body = str(j2_env.get_template("simple.template").render(**txt))
status = '200 OK'
response_headers = [('Content-type','text/html'),
('Content-Length',str(len(response_body)))]
start_response(status, response_headers)
return [response_body]
def mac_splash(environ,start_response):
logger.debug("in function mac_splash")
en_txt={ 'message':"Click on the button to go to the IIAB home page",\
'btn1':"GO TO IIAB HOME PAGE",'success_token': 'Success',
'doc_root':get_iiab_env("WWWROOT")}
es_txt={ 'message':"Haga clic en el botón para ir a la página de inicio de IIAB",\
'btn1':"IIAB",'doc_root':get_iiab_env("WWWROOT")}
if lang == "en":
txt = en_txt
elif lang == "es":
txt = es_txt
set_lasttimestamp(ip)
response_body = str(j2_env.get_template("mac.template").render(**txt))
status = '200 Success'
response_headers = [('Content-type','text/html'),
('Content-Length',str(len(response_body)))]
start_response(status, response_headers)
return [response_body]
def macintosh(environ, start_response):
global ip
logger.debug("in function mcintosh")
if not is_inactive(ip):
set_lasttimestamp(ip)
return success(environ,start_response)
# determine if it is time to redirect again
if is_after204_timeout(ip):
set_204after(ip,10)
response_body = """<html><head><script>
window.location.reload(true)
</script></body></html>"""
status = '302 Moved Temporarily'
response_headers = [('content','text/html')]
start_response(status, response_headers)
return [response_body]
else:
return mac_splash(environ,start_response)
def microsoft_connect(environ,start_response):
status = '200 ok'
headers = [('Content-type', 'text/html')]
start_response(status, headers)
return ["Microsoft Connect Test"]
# ============= Return html pages ============================
def banner(environ, start_response):
status = '200 OK'
headers = [('Content-type', 'image/png')]
start_response(status, headers)
image = open("%s/iiab-menu/menu-files/images/iiab_banner6.png"%doc_root, "rb").read()
return [image]
def bootstrap(environ, start_response):
logger.debug("in bootstrap")
status = '200 OK'
headers = [('Content-type', 'text/javascript')]
start_response(status, headers)
boot = open("%s/common/js/bootstrap.min.js"%doc_root, "rb").read()
return [boot]
def jquery(environ, start_response):
logger.debug("in jquery")
status = '200 OK'
headers = [('Content-type', 'text/javascript')]
start_response(status, headers)
boot = open("%s/common/js/jquery.min.js"%doc_root, "rb").read()
return [boot]
def bootstrap_css(environ, start_response):
logger.debug("in bootstrap_css")
status = '200 OK'
headers = [('Content-type', 'text/css')]
start_response(status, headers)
boot = open("%s/common/css/bootstrap.min.css"%doc_root, "rb").read()
return [boot]
def null(environ, start_response):
status = '200 ok'
headers = [('Content-type', 'text/html')]
start_response(status, headers)
return [""]
def success(environ, start_response):
status = '200 ok'
html = '<html><head><title>Success</title></head><body>Success</body></html>'
headers = [('Content-type', 'text/html')]
start_response(status, headers)
return [html]
def put_204(environ, start_response):
status = '204 No Data'
response_body = ''
response_headers = [('Content-type','text/html'),
('Content-Length',str(len(response_body)))]
start_response(status, response_headers)
logger.debug("in function put_204: sending 204 html response")
return [response_body]
def parse_agent(agent):
system = ''
system_version = ''
match = re.search(r"(Android)\s([.\d]*)",agent)
if match:
system = match.group(1)
system_version = match.group(2)
match = re.search(r"(OS X)\s([\d_]*)",agent)
if match:
system = match.group(1)
system_version = match.group(2)
match = re.search(r"(iPhone OS)\s([\d_]*)",agent)
if match:
system = match.group(1)
system_version = match.group(2)
match = re.search(r"(Windows NT)\s([\d.]*)",agent)
if match:
system = match.group(1)
system_version = match.group(2)
return (system, system_version)
#
# ================== Start serving the wsgi application =================
def application (environ, start_response):
global ip
global CATCH
global LIST
global INACTIVITY_TO
global ANDROID_TRIGGERED
# Log the URLs that are not in checkurls
# This "CATCH" mode substitutes this server for apache at port 80
# CATCH mode is started by "iiab-catch" and turned off by "iiab-uncath".
if CATCH:
logger.debug("Checking for url %s. USER_AGENT:%s"%(environ['HTTP_HOST'],\
environ['HTTP_USER_AGENT'],))
if environ['HTTP_HOST'] == '/box.lan':
return
if 'HTTP_X_FORWARDED_FOR' in environ:
ip = environ['HTTP_X_FORWARDED_FOR'].strip()
else:
ip = environ['HTTP_HOST'].strip()
cmd="arp -an %s|gawk \'{print $4}\'" % ip
mac = subprocess.check_output(cmd, shell=True)
data = []
data.append("host: %s\n"%environ['HTTP_HOST'])
data.append("path: %s\n"%environ['PATH_INFO'])
data.append("query: %s\n"%environ['QUERY_STRING'])
data.append("ip: %s\n"%ip)
agent = environ['HTTP_USER_AGENT']
data.append("AGENT: %s\n"%agent)
#print(data)
found = False
url_list = os.path.join(CAPTIVE_PORTAL_BASE,"checkurls")
if os.path.exists(url_list):
with open(url_list,"r") as checkers:
for line in checkers:
if line.find(environ['HTTP_HOST']) > -1:
found = True
break
if not found:
with open(url_list,"a") as checkers:
outstr ="%s\n" % (environ['HTTP_HOST'])
checkers.write(outstr)
data = ['%s: %s\n' % (key, value) for key, value in sorted(environ.items()) ]
logger.debug("This url was missing from checkurls:%s"%data)
# Normal query for captive portal
else:
if 'HTTP_X_FORWARDED_FOR' in environ:
ip = environ['HTTP_X_FORWARDED_FOR'].strip()
else:
data = ['%s: %s\n' % (key, value) for key, value in sorted(environ.items()) ]
#logger.debug("need the correct ip:%s"%data)
ip = environ['REMOTE_ADDR'].strip()
cmd="arp -an %s|gawk \'{print $4}\'" % ip
mac = subprocess.check_output(cmd, shell=True)
data = []
data.append("host: %s\n"%environ['HTTP_HOST'])
data.append("path: %s\n"%environ['PATH_INFO'])
data.append("query: %s\n"%environ['QUERY_STRING'])
data.append("ip: %s\n"%ip)
agent = environ['HTTP_USER_AGENT']
data.append("AGENT: %s\n"%agent)
logger.debug(data)
#print(data)
found = False
return_204_flag = "False"
# record the activity with this ip
ts=tstamp(datetime.datetime.now(tzutc()))
sql = "INSERT or IGNORE INTO users (current_ts,ip) VALUES (?,?)"
c.execute(sql,(ts,ip,))
sql = "UPDATE users SET current_ts = ? where ip = ?"
c.execute(sql,(ts,ip,))
if c.rowcount == 0:
logger.debug("failed UPDATE users SET current_ts = %s WHERE ip = %s"%(ts,ip,))
conn.commit()
ymd=datetime.datetime.today().strftime("%y%m%d-%H%M")
system,system_version = parse_agent(agent)
if system != '':
update_user(ip, mac, system, system_version, ymd)
####### Return pages based upon PATH ###############
# do more specific stuff first
if environ['PATH_INFO'] == "/iiab_banner6.png":
return banner(environ, start_response)
if environ['PATH_INFO'] == "/bootstrap.min.js":
return bootstrap(environ, start_response)
if environ['PATH_INFO'] == "/bootstrap.min.css":
return bootstrap_css(environ, start_response)
if environ['PATH_INFO'] == "/jquery.min.js":
return jquery(environ, start_response)
if environ['PATH_INFO'] == "/favicon.ico":
return null(environ, start_response)
if environ['PATH_INFO'] == "/home_selected":
# the js link to home page triggers this ajax url
# mark the sign-in conversation completed, return 204 or Success or Success
ANDROID_TRIGGERED = True
#data = ['%s: %s\n' % (key, value) for key, value in sorted(environ.items()) ]
#logger.debug("need the correct ip:%s"%data)
logger.debug("function: home_selected. Setting flag to return_204")
#print("setting flag to return_204")
set_204after(ip,PORTAL_TO)
set_lasttimestamp(ip)
status = '200 OK'
headers = [('Content-type', 'text/html')]
start_response(status, headers)
return [""]
#### parse OS platform based upon URL ##################
# mac
if environ['PATH_INFO'] == "/mac_splash":
return mac_splash(environ, start_response)
if environ['PATH_INFO'] == "/step2":
return step2(environ, start_response)
if environ['HTTP_HOST'] == "captive.apple.com" or\
environ['HTTP_HOST'] == "appleiphonecell.com" or\
environ['HTTP_HOST'] == "detectportal.firefox.com" or\
environ['HTTP_HOST'] == "*.apple.com.edgekey.net" or\
environ['HTTP_HOST'] == "gsp1.apple.com" or\
environ['HTTP_HOST'] == "apple.com" or\
environ['HTTP_HOST'] == "www.apple.com":
current_ts, last_ts, send204after = timeout_info(ip)
if not send204after:
# take care of uninitialized state
set_204after(ip,0)
return macintosh(environ, start_response)
# android
if environ['PATH_INFO'] == "/android_splash":
return android_splash(environ, start_response)
if environ['PATH_INFO'] == "/android_https":
return android_https(environ, start_response)
if environ['HTTP_HOST'] == "clients3.google.com" or\
environ['HTTP_HOST'] == "mtalk.google.com" or\
environ['HTTP_HOST'] == "alt7-mtalk.google.com" or\
environ['HTTP_HOST'] == "alt6-mtalk.google.com" or\
environ['HTTP_HOST'] == "connectivitycheck.android.com" or\
environ['HTTP_HOST'] == "connectivitycheck.gstatic.com":
current_ts, last_ts, send204after = timeout_info(ip)
logger.debug("current_ts: %s laat_ts: %s send204after: %s"%(current_ts, last_ts, send204after,))
if not last_ts or (ts - int(last_ts) > INACTIVITY_TO):
return android(environ, start_response)
elif is_after204_timeout(ip):
return put_204(environ,start_response)
return null(environ,start_response) #return without doing anything
# microsoft
if environ['PATH_INFO'] == "/connecttest.txt" and not is_inactive(ip):
return microsoft_connect(environ, start_response)
if environ['HTTP_HOST'] == "ipv6.msftncsi.com" or\
environ['HTTP_HOST'] == "ipv6.msftncsi.com.edgesuite.net" or\
environ['HTTP_HOST'] == "www.msftncsi.com" or\
environ['HTTP_HOST'] == "www.msftncsi.com.edgesuite.net" or\
environ['HTTP_HOST'] == "www.msftconnecttest.com" or\
environ['HTTP_HOST'] == "teredo.ipv6.microsoft.com" or\
environ['HTTP_HOST'] == "teredo.ipv6.microsoft.com.nsatc.net":
return microsoft(environ, start_response)
logger.debug("executing the defaut 204 response. [%s"%data)
return put_204(environ,start_response)
# Instantiate the server
httpd = make_server (
"", # The host name
PORT, # A port number where to wait for the request
application # The application object name, in this case a function
)
httpd.serve_forever()
#vim: tabstop=3 expandtab shiftwidth=3 softtabstop=3 background=dark

21
roles/network/templates/captive-portal/checkurls Executable file
View file

@ -0,0 +1,21 @@
clients3.google.com
connectivitycheck.gstatic.com
detectportal.firefox.com
*.akamaitechnologies.com
appleiphonecell.com
thinkdifferent.us
*.apple.com.edgekey.net
ipv6.msftncsi.com
ipv6.msftncsi.com.edgesuite.net
www.msftncsi.com
www.msftncsi.com.edgesuite.net
www.msftconnecttest.com
teredo.ipv6.microsoft.com
teredo.ipv6.microsoft.com.nsatc.net
captive.apple.com
init-p01st.push.apple.com
mtalk.google.com
connectivitycheck.android.com
alt7-mtalk.google.com
alt6-mtalk.google.com
captive.lan

9
roles/network/templates/captive-portal/iiab-catch Executable file
View file

@ -0,0 +1,9 @@
#!/bin/bash -x
# substitute our own server to catch OS connectivity checking URL's
systemctl stop apache2
systemctl stop py-captive-portal
echo address=/#/172.18.96.1 > /etc/dnsmasq.d/capture
/opt/iiab/captive-portal/capture-wsgi.py -d &
# write the pid just started
echo $! > /opt/iiab/captive-portal/pid

13
roles/network/templates/captive-portal/iiab-uncatch Executable file
View file

@ -0,0 +1,13 @@
#!/bin/bash -x
# Turn off URL recording mode, and return to serving with apache2
kill $(cat /opt/iiab/captive-portal/pid)
# during testing, I start capture by hand -- recorded pid may be stale
pid=$(ps aux | grep "capture-wsgi.py -d" | grep -v grep | awk '{print $2}')
if [ -n "$pid" ]; then
kill $pid
fi
awk '{print("address=/" $1 "/172.18.96.1")}' /opt/iiab/captive-portal/checkurls > /etc/dnsmasq.d/capture
awk '{print("ServerAlias ",$1)}' /opt/iiab/captive-portal/checkurls > /etc/apache2/capture
systemctl start py-captive-portal
systemctl start apache2

2
roles/network/templates/captive_portal/captive_portal.service.j2 → roles/network/templates/captive-portal/py-captive-portal.service.j2
View file

@ -7,7 +7,7 @@ Type=simple
User=root User=root
Group=root Group=root
WorkingDirectory=/opt/iiab/captive-portal WorkingDirectory=/opt/iiab/captive-portal
ExecStart=/opt/iiab/captive-portal/captive_portal.py ExecStart=/opt/iiab/captive-portal/capture-wsgi.py
StandardOutput=syslog StandardOutput=syslog
StandardError=syslog StandardError=syslog

22
roles/network/templates/gateway/iiab-gen-iptables
View file

@ -9,7 +9,7 @@ IPTABLES_DATA=/etc/sysconfig/iptables
{% endif %} {% endif %}
LANIF=$IIAB_LAN_DEVICE LANIF=$IIAB_LAN_DEVICE
WANIF=$IIAB_WAN_DEVICE WANIF=$IIAB_WAN_DEVICE
MODE=`grep iiab_network_mode_applied /etc/iiab/iiab.ini | gawk '{print $3}'` MODE=`grep iiab_network_mode_applied /etc/iiab/iiab.ini | gawk '{print $3}'`
clear_fw() { clear_fw() {
$IPTABLES -F $IPTABLES -F
@ -26,7 +26,7 @@ $IPTABLES -A INPUT -p udp --dport 111 -j DROP
# mysql # mysql
$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP $IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
$IPTABLES -A INPUT -p udp --dport 3306 -j DROP $IPTABLES -A INPUT -p udp --dport 3306 -j DROP
# postgre - not needed listens on lo only # postgres - not needed listens on lo only
$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP $IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
$IPTABLES -A INPUT -p udp --dport 5432 -j DROP $IPTABLES -A INPUT -p udp --dport 5432 -j DROP
# couchdb # couchdb
@ -34,7 +34,7 @@ $IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
$IPTABLES -A INPUT -p udp --dport 5984 -j DROP $IPTABLES -A INPUT -p udp --dport 5984 -j DROP
} }
if [ "x$WANIF" == "xnone" ] || [ "$MODE" == 'Appliance' ]; then if [ "x$WANIF" == "xnone" ] || [ "$MODE" == "Appliance" ]; then
clear_fw clear_fw
# save the rule set # save the rule set
{% if is_debuntu %} {% if is_debuntu %}
@ -62,7 +62,6 @@ transmission_http_port={{ transmission_http_port }}
transmission_peer_port={{ transmission_peer_port }} transmission_peer_port={{ transmission_peer_port }}
sugarizer_port={{ sugarizer_port }} sugarizer_port={{ sugarizer_port }}
block_DNS={{ block_DNS }} block_DNS={{ block_DNS }}
captive_portal_enabled={{ captive_portal_enabled }}
py_captive_portal_enabled={{ py_captive_portal_enabled }} py_captive_portal_enabled={{ py_captive_portal_enabled }}
echo "LAN is $lan and WAN is $wan" echo "LAN is $lan and WAN is $wan"
@ -112,28 +111,23 @@ if [ "$gw_block_https" == "True" ]; then
fi fi
# Allow outgoing connections from the LAN side. # Allow outgoing connections from the LAN side.
if ! [ "$py_captive_portal_enabled" == "True" ];then if ! [ "$py_captive_portal_enabled" == "True" ]; then
$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
fi fi
# Don't forward from the outside to the inside. # Don't forward from the outside to the inside.
$IPTABLES -A FORWARD -i $wan -o $lan -j DROP $IPTABLES -A FORWARD -i $wan -o $lan -j DROP
$IPTABLES -A INPUT -i $wan -j DROP $IPTABLES -A INPUT -i $wan -j DROP
if [ "$block_DNS" == "True" ];then if [ "$block_DNS" == "True" ]; then
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53 $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
$IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53 $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
fi fi
if [ "$captive_portal_enabled" == "True" ];then if [ "$py_captive_portal_enabled" == "True" ]; then
$IPTABLES -t mangle -N internet
$IPTABLES -t mangle -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m tcp --dport 80 -j internet
$IPTABLES -t mangle -A internet -j MARK --set-mark 99
$IPTABLES -t nat -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m mark --mark 99 -m tcp --dport 80 -j DNAT --to-destination {{ lan_ip }}
elif [ "py_$captive_portal_enabled" == "True" ];then
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:{{ py_captive_portal_port }} $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:{{ py_captive_portal_port }}
fi
elif [ "$HTTPCACHE_ON" == "True" ]; then if [ "$HTTPCACHE_ON" == "True" ]; then
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128 $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
fi fi

2
scripts/ansible
View file

@ -1,7 +1,7 @@
#!/bin/bash -e #!/bin/bash -e
CURR_VER="undefined" # Ansible version you currently have installed CURR_VER="undefined" # Ansible version you currently have installed
GOOD_VER="2.6.5" # For XO laptops (pip install) & CentOS (yum install rpm) GOOD_VER="2.7.0" # For XO laptops (pip install) & CentOS (yum install rpm)
# On other OS's we attempt the latest from PPA, which might be more recent # On other OS's we attempt the latest from PPA, which might be more recent
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive

2
scripts/ansible-2.6.x
View file

@ -1,7 +1,7 @@
#!/bin/bash -e #!/bin/bash -e
CURR_VER="undefined" # Ansible version you currently have installed CURR_VER="undefined" # Ansible version you currently have installed
GOOD_VER="2.6.5" # For XO laptops (pip install) & CentOS (yum install rpm) GOOD_VER="2.7.0" # For XO laptops (pip install) & CentOS (yum install rpm)
# On other OS's we attempt the latest from PPA, which might be more recent # On other OS's we attempt the latest from PPA, which might be more recent
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive

20
vars/default_vars.yml
View file

@ -103,23 +103,27 @@ dhcpd_enabled: False
# named # named
named_install: True named_install: True
named_enabled: True named_enabled: False
block_DNS: False block_DNS: False
# dnsmasq # dnsmasq
dnsmasq_install: True dnsmasq_install: True
dnsmasq_enabled: False dnsmasq_enabled: True
# Enable in local_vars.yml AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network" # Enable in local_vars.yml AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
dns_jail_enabled: False dns_jail_enabled: False
# For @tim-moody's Nodogsplash approach to Captive Portal? High experimental as of June 2018: github.com/iiab/iiab/issues/608 # Python-based Captive Portal, that @m-anish & @jvonau experimented with in
captive_portal_install: False # July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
captive_portal_enabled: False # extensively refined in Sept 2018 (https://github.com/iiab/iiab/pull/1179)
# Simple python Captive Portal, that @m-anish & @jvonau are experimenting with in July 2018: github.com/iiab/iiab/pull/870
py_captive_portal_install: True py_captive_portal_install: True
py_captive_portal_enabled: False py_captive_portal_enabled: True
# In a pinch, disable it by running: systemctl disable py-captive-portal
# For @tim-moody's Nodogsplash approach to Captive Portal?
# Highly experimental as of June 2018: https://github.com/iiab/iiab/issues/608
# captive_portal_install: False
# captive_portal_enabled: False
# Squid # Squid
squid_install: False squid_install: False

9
vars/local_vars_big.yml
View file

@ -47,14 +47,17 @@ iiab_gateway_enabled: False
# dnsmasq # dnsmasq
dnsmasq_install: True dnsmasq_install: True
dnsmasq_enabled: False dnsmasq_enabled: True
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network" # Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
dns_jail_enabled: False dns_jail_enabled: False
# Simple python Captive Portal, that @m-anish & @jvonau are experimenting with in July 2018: github.com/iiab/iiab/pull/870 # Python-based Captive Portal, that @m-anish & @jvonau experimented with in
# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
# extensively refined in Sept 2018 (https://github.com/iiab/iiab/pull/1179)
py_captive_portal_install: True py_captive_portal_install: True
py_captive_portal_enabled: False py_captive_portal_enabled: True
# In a pinch, disable it by running: systemctl disable py-captive-portal
# Stages 3 & 4 must be run (using iiab-install or runrole) if changing these: # Stages 3 & 4 must be run (using iiab-install or runrole) if changing these:
squid_install: True squid_install: True

9
vars/local_vars_medium.yml
View file

@ -47,14 +47,17 @@ iiab_gateway_enabled: False
# dnsmasq # dnsmasq
dnsmasq_install: True dnsmasq_install: True
dnsmasq_enabled: False dnsmasq_enabled: True
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network" # Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
dns_jail_enabled: False dns_jail_enabled: False
# Simple python Captive Portal, that @m-anish & @jvonau are experimenting with in July 2018: github.com/iiab/iiab/pull/870 # Python-based Captive Portal, that @m-anish & @jvonau experimented with in
# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
# extensively refined in Sept 2018 (https://github.com/iiab/iiab/pull/1179)
py_captive_portal_install: True py_captive_portal_install: True
py_captive_portal_enabled: False py_captive_portal_enabled: True
# In a pinch, disable it by running: systemctl disable py-captive-portal
# Stages 3 & 4 must be run (using iiab-install or runrole) if changing these: # Stages 3 & 4 must be run (using iiab-install or runrole) if changing these:
squid_install: False squid_install: False

9
vars/local_vars_min.yml
View file

@ -47,14 +47,17 @@ iiab_gateway_enabled: False
# dnsmasq # dnsmasq
dnsmasq_install: True dnsmasq_install: True
dnsmasq_enabled: False dnsmasq_enabled: True
# Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network" # Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
dns_jail_enabled: False dns_jail_enabled: False
# Simple python Captive Portal, that @m-anish & @jvonau are experimenting with in July 2018: github.com/iiab/iiab/pull/870 # Python-based Captive Portal, that @m-anish & @jvonau experimented with in
# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
# extensively refined in Sept 2018 (https://github.com/iiab/iiab/pull/1179)
py_captive_portal_install: True py_captive_portal_install: True
py_captive_portal_enabled: False py_captive_portal_enabled: True
# In a pinch, disable it by running: systemctl disable py-captive-portal
# Stages 3 & 4 must be run (using iiab-install or runrole) if changing these: # Stages 3 & 4 must be run (using iiab-install or runrole) if changing these:
squid_install: False squid_install: False