diff --git a/install-support.yml b/install-support.yml
index 0a6dafe33..f8e6802f6 100644
--- a/install-support.yml
+++ b/install-support.yml
@@ -9,5 +9,4 @@
roles:
- { role: 0-init }
- { role: sshd }
- - { role: iiab-admin }
- { role: openvpn }
diff --git a/roles/elgg/README.rst b/roles/0-DEPRECATED-ROLES/elgg/README.rst
similarity index 100%
rename from roles/elgg/README.rst
rename to roles/0-DEPRECATED-ROLES/elgg/README.rst
diff --git a/roles/elgg/defaults/main.yml b/roles/0-DEPRECATED-ROLES/elgg/defaults/main.yml
similarity index 92%
rename from roles/elgg/defaults/main.yml
rename to roles/0-DEPRECATED-ROLES/elgg/defaults/main.yml
index 24d621f6f..2bfcb6bd8 100644
--- a/roles/elgg/defaults/main.yml
+++ b/roles/0-DEPRECATED-ROLES/elgg/defaults/main.yml
@@ -21,7 +21,7 @@
dbname: elggdb
dbhost: localhost
dbprefix: elgg_
-# The following variables must be in sync with template/elggdb.sql.j2
+# The following variables must be in sync with templates/elggdb.sql.j2
# If you change them, you will probably have to rebuild the database.
# They can be changed from the administrative interface once Elgg is installed.
diff --git a/roles/elgg/tasks/apache.yml b/roles/0-DEPRECATED-ROLES/elgg/tasks/apache.yml.unused
similarity index 100%
rename from roles/elgg/tasks/apache.yml
rename to roles/0-DEPRECATED-ROLES/elgg/tasks/apache.yml.unused
diff --git a/roles/elgg/tasks/install.yml b/roles/0-DEPRECATED-ROLES/elgg/tasks/install.yml
similarity index 81%
rename from roles/elgg/tasks/install.yml
rename to roles/0-DEPRECATED-ROLES/elgg/tasks/install.yml
index 8098501a6..6ab07d2e2 100644
--- a/roles/elgg/tasks/install.yml
+++ b/roles/0-DEPRECATED-ROLES/elgg/tasks/install.yml
@@ -1,11 +1,12 @@
-- name: "Set 'apache_install: True' and 'apache_enabled: True'"
- set_fact:
- apache_install: True
- apache_enabled: True
+# - name: "Set 'apache_install: True' and 'apache_enabled: True'"
+# set_fact:
+# apache_install: True
+# apache_enabled: True
+#
+# - name: APACHE - run 'httpd' role
+# include_role:
+# name: httpd
-- name: APACHE - run 'httpd' role
- include_role:
- name: httpd
# 2020-06-15: roles/httpd/tasks/install.yml now takes care of this.
#
# 2020-05-21: Required now that mysql/tasks/install.yml installs
@@ -32,7 +33,7 @@
# creates: "{{ downloads_dir }}/elgg-{{ elgg_version }}.zip"
get_url:
url: "{{ iiab_download_url }}/elgg-{{ elgg_version }}.zip"
- dest: "{{ downloads_dir }}"
+ dest: "{{ downloads_dir }}" # /opt/iiab/downloads
timeout: "{{ download_timeout }}"
when: internet_available
@@ -41,7 +42,7 @@
path: "/opt/elgg-{{ elgg_version }}/index.php"
register: elgg
-- name: Unpack (unarchive) .zip to /opt, if above index.php doesn't exist
+- name: Unpack (unarchive) .zip to /opt, if above index.php doesn't exist ({{ apache_user }}:{{ apache_user }})
#shell: "/usr/bin/unzip -o {{ downloads_dir }}/elgg-{{ elgg_version }}.zip -d /opt"
unarchive:
#remote_src: yes
@@ -52,7 +53,7 @@
group: "{{ apache_user }}"
when: elgg.stat.exists is defined and not elgg.stat.exists
-- name: Create softlink from /opt/elgg to /opt/elgg-{{ elgg_version }}
+- name: Symlink /opt/elgg -> /opt/elgg-{{ elgg_version }}
file:
src: "./elgg-{{ elgg_version }}"
path: /opt/elgg
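Review bot: With the `include_role: name: httpd` task commented out at the top of install.yml, nothing visible in this diff still defines `apache_user`, yet the tasks in the following hunks keep `owner: "{{ apache_user }}"` / `group: "{{ apache_user }}"` and the new task name in the `@@ -41` hunk even interpolates it. If that variable was supplied by the httpd role's defaults, running this role would now stop on an undefined variable; roles/elgg/defaults is only partly visible here, so this is inferred. The role is being parked under roles/0-DEPRECATED-ROLES, so it is inert today, but a comment such as `# NOTE: apache_user is no longer supplied by the (removed) httpd include -- the caller must define it` above the commented block would record the new dependency for whoever revives it.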
@@ -69,13 +70,13 @@
group: "{{ apache_user }}"
# The name of this file changed from 1.9 to 1.10.
-- name: Copy default .htaccess into /opt/{{ elgg_xx }}, root of Elgg tree
+- name: Copy default .htaccess into /opt/{{ elgg_xx }}, root of Elgg tree (0644)
copy:
src: "/opt/{{ elgg_xx }}/vendor/elgg/elgg/install/config/htaccess.dist"
dest: "/opt/{{ elgg_xx }}/.htaccess"
owner: "{{ apache_user }}"
group: "{{ apache_user }}"
- mode: '0644'
+ mode: 0644
#regexp='^#RewriteBase'
- name: Change .htaccess to include RewriteBase for http://box{{ elgg_url }} # http://box/elgg
@@ -86,12 +87,12 @@
insertafter: '^#RewriteBase'
line: "RewriteBase {{ elgg_url }}/"
-- name: Set /opt/elgg/engine directory permissions to 0755 so Apache can write there
+- name: Set /opt/elgg/engine directory permissions to 0755 (owner {{ apache_user }}) so Apache can write there
file:
state: directory
path: /opt/elgg/engine/
owner: "{{ apache_user }}"
- mode: '0755'
+ mode: 0755
- name: Change /opt/elgg-{{ elgg_version }} ownership to {{ apache_user }}:{{ apache_user }} (likely not nec, as unarchive & all do this above)
file:
@@ -103,14 +104,14 @@
- name: Create upload directory {{ elgg_upload_path }} that Apache (and Elgg) can write to
file:
- path: "{{ elgg_upload_path }}"
+ path: "{{ elgg_upload_path }}" # /library/elgg
state: directory
owner: "{{ apache_user }}"
-- name: Install /etc/{{ apache_conf_dir }}/elgg.conf from template, for http://box{{ elgg_url }} # http://box/elgg
- template:
- src: elgg.conf
- dest: "/etc/{{ apache_conf_dir }}/elgg.conf"
+# - name: Install /etc/{{ apache_conf_dir }}/elgg.conf from template, for http://box{{ elgg_url }} # http://box/elgg
+# template:
+# src: elgg.conf
+# dest: "/etc/{{ apache_conf_dir }}/elgg.conf"
- name: Set up Elgg's MySQL database
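Review bot: `mode: 0644` in this hunk, and `mode: 0755` in the `@@ -86` hunk, drop the quotes the file already had; an unquoted leading-zero literal is turned into an integer by the YAML loader (YAML 1.1 octal: 420 and 493) before Ansible ever sees it, which works only because the file modules special-case integer modes, and ansible-lint's `risky-octal` rule rejects it. The quoted `mode: '0644'` / `mode: '0755'` was the safer form and I'd keep it; the `(0644)` added to the task name is fine as documentation of the intended permissions.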
diff --git a/roles/elgg/tasks/main.yml b/roles/0-DEPRECATED-ROLES/elgg/tasks/main.yml
similarity index 91%
rename from roles/elgg/tasks/main.yml
rename to roles/0-DEPRECATED-ROLES/elgg/tasks/main.yml
index b0fb38239..f8cb53fa6 100644
--- a/roles/elgg/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/elgg/tasks/main.yml
@@ -24,14 +24,13 @@
when: elgg_installed is undefined
-#- name: Enable/Disable/Restart Apache if primary
-- name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache
- include_tasks: apache.yml
- #when: not nginx_enabled
+# #- name: Enable/Disable/Restart Apache if primary
+# - name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache
+# include_tasks: apache.yml
+# #when: not nginx_enabled
- name: Enable/Disable/Restart NGINX if primary
include_tasks: nginx.yml
- when: nginx_enabled
- name: Add 'elgg' variable values to {{ iiab_ini_file }}
diff --git a/roles/elgg/tasks/nginx.yml b/roles/0-DEPRECATED-ROLES/elgg/tasks/nginx.yml
similarity index 100%
rename from roles/elgg/tasks/nginx.yml
rename to roles/0-DEPRECATED-ROLES/elgg/tasks/nginx.yml
diff --git a/roles/elgg/tasks/setup.yml b/roles/0-DEPRECATED-ROLES/elgg/tasks/setup.yml
similarity index 100%
rename from roles/elgg/tasks/setup.yml
rename to roles/0-DEPRECATED-ROLES/elgg/tasks/setup.yml
diff --git a/roles/elgg/templates/elgg-nginx.conf.j2 b/roles/0-DEPRECATED-ROLES/elgg/templates/elgg-nginx.conf.j2
similarity index 100%
rename from roles/elgg/templates/elgg-nginx.conf.j2
rename to roles/0-DEPRECATED-ROLES/elgg/templates/elgg-nginx.conf.j2
diff --git a/roles/elgg/templates/elgg.conf b/roles/0-DEPRECATED-ROLES/elgg/templates/elgg.conf.unused
similarity index 100%
rename from roles/elgg/templates/elgg.conf
rename to roles/0-DEPRECATED-ROLES/elgg/templates/elgg.conf.unused
diff --git a/roles/elgg/templates/elggdb.sql.j2 b/roles/0-DEPRECATED-ROLES/elgg/templates/elggdb.sql.j2
similarity index 100%
rename from roles/elgg/templates/elggdb.sql.j2
rename to roles/0-DEPRECATED-ROLES/elgg/templates/elggdb.sql.j2
diff --git a/roles/elgg/templates/settings.php.j2 b/roles/0-DEPRECATED-ROLES/elgg/templates/settings.php.j2
similarity index 100%
rename from roles/elgg/templates/settings.php.j2
rename to roles/0-DEPRECATED-ROLES/elgg/templates/settings.php.j2
diff --git a/roles/httpd/README.md b/roles/0-DEPRECATED-ROLES/httpd/README.md
similarity index 100%
rename from roles/httpd/README.md
rename to roles/0-DEPRECATED-ROLES/httpd/README.md
diff --git a/roles/httpd/defaults/main.yml b/roles/0-DEPRECATED-ROLES/httpd/defaults/main.yml
similarity index 100%
rename from roles/httpd/defaults/main.yml
rename to roles/0-DEPRECATED-ROLES/httpd/defaults/main.yml
diff --git a/roles/httpd/tasks/homepage.yml b/roles/0-DEPRECATED-ROLES/httpd/tasks/homepage.yml
similarity index 100%
rename from roles/httpd/tasks/homepage.yml
rename to roles/0-DEPRECATED-ROLES/httpd/tasks/homepage.yml
diff --git a/roles/httpd/tasks/install.yml b/roles/0-DEPRECATED-ROLES/httpd/tasks/install.yml
similarity index 94%
rename from roles/httpd/tasks/install.yml
rename to roles/0-DEPRECATED-ROLES/httpd/tasks/install.yml
index a23a1dc7b..074d64746 100644
--- a/roles/httpd/tasks/install.yml
+++ b/roles/0-DEPRECATED-ROLES/httpd/tasks/install.yml
@@ -4,7 +4,7 @@
#name: ['apache2', 'php{{ php_version }}', 'php{{ php_version }}-curl'] # WORKS?
name:
- "{{ apache_service }}" # apache2 on Debuntu
- - libapache2-mod-php{{ php_version }} # 2020-06-15: Required (e.g. for Elgg, Moodle & possibly others) now that mysql/tasks/install.yml installs "php{{ php_version }}-common" rather than the full "php{{ php_version }}" -- 2021-06-28 FYI: this also drags in libsodium23 (likewise installed via nginx/tasks/install.yml AND moodle/tasks/install.yml)
+ - libapache2-mod-php{{ php_version }} # 2020-06-15: Required (e.g. for Elgg, Moodle, roles/pbx's FreePBX & possibly others) now that mysql/tasks/install.yml installs "php{{ php_version }}-common" rather than the full "php{{ php_version }}" -- 2021-06-28 FYI: this also drags in libsodium23 (likewise installed via nginx/tasks/install.yml AND moodle/tasks/install.yml)
#- "php{{ php_version }}"
#- "php{{ php_version }}-curl"
state: present
diff --git a/roles/httpd/tasks/main.yml b/roles/0-DEPRECATED-ROLES/httpd/tasks/main.yml
similarity index 100%
rename from roles/httpd/tasks/main.yml
rename to roles/0-DEPRECATED-ROLES/httpd/tasks/main.yml
diff --git a/roles/httpd/templates/010-iiab.conf.j2 b/roles/0-DEPRECATED-ROLES/httpd/templates/010-iiab.conf.j2
similarity index 100%
rename from roles/httpd/templates/010-iiab.conf.j2
rename to roles/0-DEPRECATED-ROLES/httpd/templates/010-iiab.conf.j2
diff --git a/roles/httpd/templates/iiab-homepage.conf b/roles/0-DEPRECATED-ROLES/httpd/templates/iiab-homepage.conf
similarity index 100%
rename from roles/httpd/templates/iiab-homepage.conf
rename to roles/0-DEPRECATED-ROLES/httpd/templates/iiab-homepage.conf
diff --git a/roles/httpd/templates/proxy_ajp.conf.j2 b/roles/0-DEPRECATED-ROLES/httpd/templates/proxy_ajp.conf.j2
similarity index 100%
rename from roles/httpd/templates/proxy_ajp.conf.j2
rename to roles/0-DEPRECATED-ROLES/httpd/templates/proxy_ajp.conf.j2
diff --git a/roles/0-init/README.rst b/roles/0-init/README.rst
index acceaff33..a206b7d09 100644
--- a/roles/0-init/README.rst
+++ b/roles/0-init/README.rst
@@ -2,8 +2,10 @@
0-init README
=============
-For a higher-level view, please see `IIAB Installation `_ and http://FAQ.IIAB.IO
+For a higher-level view of `Internet-in-a-Box (IIAB) `_, please see http://FAQ.IIAB.IO and `IIAB Installation `_.
-This 0th stage literally sets the stage for Internet-in-a-Box (IIAB) installation, prior to Ansible running `Stages 1-to-9 <.>`_ and then the `network <../network>`_ stage.
+This 0th `stage `_ literally sets the stage for IIAB installation, prior to Ansible running Stages 1-to-9, which are typically then followed by the `network <../network>`_ stage.
-This serves to confirm low-level Ansible facts from the OS — e.g. for housekeeping tasks related to TZ (time zone), hostname, FQDN (fully-qualified domain name), unusual systemwide dependencies etc — and whether Internet is live so that IIAB installation can proceed.
+But first: This 0th stage (0-init) serves to confirm low-level Ansible facts from the OS — e.g. for housekeeping tasks related to TZ (time zone), hostname, FQDN (fully-qualified domain name), unusual systemwide dependencies etc (and whether Internet is live) — so that IIAB installation can get underway.
+
+Recap: Similar to 1-prep, 2-common, 3-base-server, 4-server-options and 5-xo-services ⁠— this 0th stage installs core server infra (that is not user-facing).
diff --git a/roles/0-init/defaults/main.yml b/roles/0-init/defaults/main.yml
index 4a9b1e4c1..95cca916b 100644
--- a/roles/0-init/defaults/main.yml
+++ b/roles/0-init/defaults/main.yml
@@ -1,31 +1,52 @@
+# gui_port: 80 # 2021-08-17: For iptables. And #2811 dreams of HTTPS/443 ?
+
+# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
+# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
+
+
+# SEE ALSO /opt/iiab/iiab/roles/1-prep/defaults/main.yml
+
+#is_F18: False # 2021-07-30: No longer used
+
# (PRE-)release version number, for {{ iiab_env_file }} = /etc/iiab/iiab.env
-# iiab_base_ver: 7.1
+# iiab_base_ver: 8.0
# iiab_revision: 0
-# ABOVE MOVED TO /opt/iiab/iiab/vars/default_vars.yml
+# ABOVE 3 LINES MOVED TO /opt/iiab/iiab/vars/default_vars.yml
+
# These entries should never be changed in this file.
# These are defaults for boolean routines.
+
+# 2021-07-30: This variable (first_run) is still used in 2 places:
+# (1) roles/1-prep/tasks/main.yml for raspberry_pi.yml
+# (2) roles/network/tasks/named.yml
+# ...after it is set in 0-init/tasks/main.yml
first_run: False
-rpi_model: none
-xo_model: none
+rpi_model: none # 2021-07-30: Broadly used!
+#xo_model: none # 2021-07-30: No longer used
+# 2021-07-30: Recorded to /etc/iiab/iiab.ini but not used programmatically:
gw_active: False
+# 2021-07-30: Broadly used, but not in an organized way -- most all IIAB
+# outfitting/provisioning happens online -- in situations where connectivity
+# failures should be reported to the operator, rather than papered over:
internet_available: False
-discovered_wan_iface: none
+discovered_wan_iface: none # 2021-07-30: Very broadly used!
-# Old defs
-gui_port: 80
-is_F18: False
+# 2021-07-30: Barely used -- for {named, dhcpd, squid} in
+# roles/network/tasks/main.yml -- after being set in 0-init/tasks/network.yml
+FQDN_changed: False
-# Set default 1-prep discovered hardware
-rtc_id: none
-NUC6_firmware_needed: False
+#rtc_id: none # 2021-07-30: Moved to 1-prep/defaults/main.yml
+#NUC6_firmware_needed: False # 2021-07-30: Apparently never used
-# Used in 2-common/tasks/xo.yml
-wifi_id: none
+#wifi_id: none # 2021-07-30: Had been used in 2-common/tasks/xo.yml
-# Used in 2-common, 3-base-server and roles/network
-installing: False
+# 2021-08-16: roles/network/tasks/squid.yml#L16 to stop Squid
+# ("when: not installing") was the only non-Fedora use of this var.
+# Earlier, this var HAD also been used in 2-common and 3-base-server.
+# installing: False
-# Network
+# 2021-07-30: Broadly used across roles/network/tasks/*.yml -- but things might
+# possibly change if roles/network becomes optional per PR #2876 ?
no_net_restart: False
-no_NM_reload: False
+#no_NM_reload: False # 2021-07-30: Was used in roles/network/tasks/fedora/*
diff --git a/roles/0-init/tasks/iiab_ini.yml b/roles/0-init/tasks/create_iiab_ini.yml
similarity index 95%
rename from roles/0-init/tasks/iiab_ini.yml
rename to roles/0-init/tasks/create_iiab_ini.yml
index b5c3b29d3..0f2357d07 100644
--- a/roles/0-init/tasks/iiab_ini.yml
+++ b/roles/0-init/tasks/create_iiab_ini.yml
@@ -35,7 +35,7 @@
value: "{{ ansible_local.local_facts.iiab_commit }}"
- option: install_date
value: "{{ ansible_date_time.iso8601 }}"
- - option: xo_model
- value: "{{ xo_model }}"
+ #- option: xo_model
+ # value: "{{ xo_model }}"
- option: rpi_model
value: "{{ rpi_model }}"
diff --git a/roles/0-init/tasks/first_run.yml b/roles/0-init/tasks/first_run.yml
deleted file mode 100644
index 332da85b7..000000000
--- a/roles/0-init/tasks/first_run.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: Create {{ iiab_ini_file }}
- include_tasks: iiab_ini.yml
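Review bot: `# installing: False` removes the default for a variable that the comment directly above it says roles/network/tasks/squid.yml still evaluates via `when: not installing`; if that condition is still present, a missing default makes the task error on an undefined variable instead of being skipped. Either keep `installing: False` here until squid.yml is changed, or drop the condition in the same commit -- squid.yml is not in this diff, so I can't confirm which. The same question applies to `# gui_port: 80`: the new header comment asserts it now lives in vars/default_vars.yml, which this diff does not show, and network.yml (later in this diff) stops setting it too.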
diff --git a/roles/0-init/tasks/hostname.yml b/roles/0-init/tasks/hostname.yml
index b7bc0e965..024e6244b 100644
--- a/roles/0-init/tasks/hostname.yml
+++ b/roles/0-init/tasks/hostname.yml
@@ -1,28 +1,27 @@
-- name: Does /etc/cloud/cloud.cfg exist i.e. is this ubuntu-18 server?
+- name: Does /etc/cloud/cloud.cfg exist e.g. is this Ubuntu Server 18+ ?
stat:
path: /etc/cloud/cloud.cfg
- register: U18_server
+ register: cloudcfg_test
-- name: 'Put "preserve_hostname: true" in /etc/cloud/cloud.cfg (ubuntu-18 server)'
+- name: "If so, ensure 'preserve_hostname: true' is in /etc/cloud/cloud.cfg"
lineinfile:
path: /etc/cloud/cloud.cfg
regexp: '^preserve_hostname*'
line: 'preserve_hostname: true'
state: present
- when: U18_server is defined and U18_server.stat.exists
+ when: cloudcfg_test.stat.exists
-- name: 'Turn the crank for systemd: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}" (debuntu)'
- shell: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}"
- when: is_debuntu
+- name: 'Turn the crank for systemd: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}"'
+ command: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}"
-- name: Install /etc/sysconfig/network from template (redhat)
- template:
- src: roles/network/templates/network/sysconfig.network.j2
- dest: /etc/sysconfig/network
- owner: root
- group: root
- mode: 0644
- when: is_redhat
+#- name: Install /etc/sysconfig/network from template (redhat)
+# template:
+# src: roles/network/templates/network/sysconfig.network.j2
+# dest: /etc/sysconfig/network
+# owner: root
+# group: root
+# mode: 0644
+# when: is_redhat
# roles/network/tasks/hosts.yml [no longer in use] ALSO did this:
- name: 'Put FQDN & hostnames in /etc/hosts: "127.0.0.1 {{ iiab_hostname }}.{{ iiab_domain }} localhost.localdomain localhost {{ iiab_hostname }} box box.lan"'
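Review bot: The cloud.cfg task keeps `regexp: '^preserve_hostname*'`, where the `*` quantifies only the trailing `e`, so the pattern is effectively `^preserve_hostnam` and would also match any other key sharing that prefix; since this task's `when:` is being rewritten anyway, `regexp: '^preserve_hostname:'` pins it to the key the `line:` sets. Separately, `command: hostnamectl set-hostname ...` is a good swap from `shell:`; it will report changed on every run in which hostname.yml is included, which is acceptable because network.yml (later in this diff) only includes it when iiab_fqdn != ansible_fqdn.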
@@ -30,9 +29,9 @@
path: /etc/hosts
regexp: '^127\.0\.0\.1'
line: '127.0.0.1 {{ iiab_hostname }}.{{ iiab_domain }} localhost.localdomain localhost {{ iiab_hostname }} box box.lan'
- owner: root
- group: root
- mode: 0644
+ #owner: root
+ #group: root
+ #mode: 0644
#- name: Re-configuring httpd - not initial install
# include_tasks: roles/httpd/tasks/main.yml
diff --git a/roles/0-init/tasks/main.yml b/roles/0-init/tasks/main.yml
index 0a212c215..a532bc8ac 100644
--- a/roles/0-init/tasks/main.yml
+++ b/roles/0-init/tasks/main.yml
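Review bot: Commenting out `owner: root`, `group: root` and `mode: 0644` on the /etc/hosts lineinfile task means the task no longer enforces the file's ownership and permissions -- lineinfile leaves whatever mode the file already has. That is harmless on a freshly-installed system, but it removes a cheap correction for an /etc/hosts left group- or world-writable, which would let a non-root local user alter name resolution for every service on the box. If the motivation was only to avoid spurious 'changed' reports, keeping `owner: root`, `group: root` and `mode: '0644'` (quoted, to avoid the octal-literal trap) costs nothing; if there was another reason, a one-line comment stating it would help.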
@@ -1,25 +1,39 @@
# Initialize
+
- name: ...IS BEGINNING ============================================
stat:
- path: "{{ iiab_env_file }}"
- register: NewInstall
+ path: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini
+ register: iiab_ini_test
+# Higher-level purpose explained at the bottom of:
+# https://github.com/iiab/iiab/blob/master/vars/default_vars.yml
+- name: "Ansible just ran /etc/ansible/facts.d/local_facts.fact to set 10 vars -- here we extract 2 of those -- rpi_model: {{ ansible_local.local_facts.rpi_model }}, iiab_stage: {{ ansible_local.local_facts.stage }}"
+ set_fact:
+ rpi_model: "{{ ansible_local.local_facts.rpi_model }}"
+ #xo_model: "{{ ansible_local.local_facts.xo_model }}"
+ iiab_stage: "{{ ansible_local.local_facts.stage }}"
+
+# 2020-10-29: Appears no longer nec (see 3 above ansible_local.local_facts.*)
+#- name: Re-read local_facts.facts from /etc/ansible/facts.d
+# setup:
+# filter: ansible_local
+
+# Initialize /etc/iiab/iiab.ini writing the 'location' and 'version' sections
+# once and only once, to preserve the install date and git hash.
+- name: Create {{ iiab_ini_file }}, if it doesn't exist
+ include_tasks: create_iiab_ini.yml
+ when: not iiab_ini_test.stat.exists
+
+# 2021-07-30: The 'first_run' flag isn't much used anymore. In theory it's
+# still used in these 2 places:
+# (1) roles/1-prep/tasks/main.yml for raspberry_pi.yml
+# (2) roles/network/tasks/named.yml for "Stop named before copying files"
+# In practice however, it's no longer important, and might be reconsidered?
- name: Set first_run flag
set_fact:
first_run: True
- when: not NewInstall.stat.exists
+ when: not iiab_ini_test.stat.exists
-- name: Set top-level variables from local_facts for convenience
- set_fact:
- rpi_model: "{{ ansible_local.local_facts.rpi_model }}"
- xo_model: "{{ ansible_local.local_facts.xo_model }}"
- iiab_stage: "{{ ansible_local.local_facts.stage }}"
-
-# We need to inialize the ini file and only write the location and version
-# sections once and only once to preserve the install date and git hash.
-- name: Create IIAB tools and {{ iiab_ini_file }}, if first_run
- include_tasks: first_run.yml
- when: first_run
# Copies the latest/known version of iiab-diagnostics into /usr/bin (so it can
# be run even if local source tree /opt/iiab/iiab is deleted to conserve disk).
@@ -29,90 +43,26 @@
dest: /usr/bin/
mode: '0755'
-- name: Create globally-writable directory /etc/iiab/diag so non-root users can run iiab-diagnostics
+- name: Create globally-writable directory /etc/iiab/diag (0777) so non-root users can run 'iiab-diagnostics'
file:
state: directory
path: /etc/iiab/diag
mode: '0777'
-# 2020-10-29: Appears no longer nec (see 3 above ansible_local.local_facts.*)
-#- name: Re-read local_facts.facts from /etc/ansible/facts.d
-# setup:
-# filter: ansible_local
- name: Pre-check that IIAB's "XYZ_install" + "XYZ_enabled" vars (1) are defined, (2) are boolean-not-string variables, and (3) contain plausible values. Also checks that "XYZ_install" is True when "XYZ_installed" is defined.
include_tasks: validate_vars.yml
-# Discover: do we have a gateway?
-# If Ansible detects gateway, becomes WAN candidate.
-- name: "Do we have a gateway? If so set discovered_wan_iface: {{ ansible_default_ipv4.alias }}"
- set_fact:
- discovered_wan_iface: "{{ ansible_default_ipv4.alias }}"
- when: ansible_default_ipv4.gateway is defined
-
-- name: "Verify gateway active: ping -c4 {{ ansible_default_ipv4.gateway }}"
- shell: ping -c4 "{{ ansible_default_ipv4.gateway }}" | grep icmp_seq=4 | wc -l
- when: discovered_wan_iface != "none"
- register: gw_active_test
-
-- name: If so, set gw_active, iiab_wan_iface to {{ discovered_wan_iface }}
- set_fact:
- iiab_wan_iface: "{{ discovered_wan_iface }}"
- gw_active: True
- when: discovered_wan_iface != "none" and gw_active_test.stdout == "1"
-
-- name: Test with {{ iiab_wan_iface }} for Internet access ({{ iiab_download_url }}/heart-beat.txt)
- get_url:
- url: "{{ iiab_download_url }}/heart-beat.txt"
- dest: /tmp/heart-beat.txt
- #timeout: "{{ download_timeout }}"
- # @jvonau recommends: 100sec is too much (keep 10sec default)
- ignore_errors: True
- #async: 10
- #poll: 2
- register: internet_access_test
-
-- name: Set internet_available if download succeeded and not disregard_network
- set_fact:
- internet_available:
True
- when: not internet_access_test.failed and not disregard_network
-
-- name: Remove downloaded Internet test file /tmp/heart-beat.txt
- file:
- path: /tmp/heart-beat.txt
- state: absent
-
-# Put all computed vars here so derive properly from any prior var file.
-- name: If the TZ is not set in env, set it to UTC
+- name: "Time Zone / TZ: Set symlink /etc/localtime to UTC if it doesn't exist?"
include_tasks: tz.yml
-- name: Set port 80 for Admin Console if not adm_cons_force_ssl
- set_fact:
- gui_port: 80
- when: not adm_cons_force_ssl
+- name: Test Gateway + Test Internet + Set new hostname/domain (hostname.yml) if nec + Set 'gui_port' to 80 or 443 for Admin Console
+ include_tasks: network.yml
-- name: Set port 443 for Admin Console if adm_cons_force_ssl
- set_fact:
- gui_port: 443
- when: adm_cons_force_ssl
-
-- name: "Set iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}"
- set_fact:
- iiab_fqdn: "{{ iiab_hostname }}.{{ iiab_domain }}"
- FQDN_changed: False
-
-- name: Set FQDN_changed when iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }})
- set_fact:
- FQDN_changed: True
- when: iiab_fqdn != ansible_fqdn
-
-- name: Set hostname if FQDN_changed
- include_tasks: hostname.yml
- when: FQDN_changed
- name: Add 'runtime' variable values to {{ iiab_ini_file }}
ini_file:
- dest: "{{ iiab_ini_file }}"
+ path: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini
section: runtime
option: "{{ item.option }}"
value: "{{ item.value | string }}"
@@ -137,9 +87,6 @@
value: "{{ ansible_memtotal_mb }}"
- option: swap_mb
value: "{{ ansible_swaptotal_mb }}"
- # 2021-01-28: Non-existent var, so fails with ansible-base 2.10.5 (#2669)
- #- option: product_id
- # value: "{{ ansible_product_uuid }}"
- option: gw_active
value: "{{ gw_active }}"
- option: internet_available
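Review bot: The task name now advertises /etc/iiab/diag as 0777, but `mode: '0777'` without the sticky bit lets any local user delete or rename another user's (or root's) diagnostics output placed there; `mode: '1777'` keeps the "non-root users can run iiab-diagnostics" property while restricting deletion to the file's owner, the same protection /tmp relies on. How iiab-diagnostics writes into this directory isn't visible in the diff, so whether a root-owned directory plus a setgid group would be a better fit is for the script's author to judge. The `dest:` → `path:` rename on the ini_file task at the end of this hunk is fine, and the move of the gateway/Internet/FQDN logic into network.yml is reviewed there.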
@@ -148,18 +95,20 @@
value: "{{ rpi_model }}"
- option: first_run
value: "{{ first_run }}"
- - option: local_tz
+ - option: local_tz # e.g. 'EDT' (summer) or 'EST' (winter) after Ansible interprets symlink /etc/localtime -- or 'UTC' if /etc/localtime doesn't exist
value: "{{ local_tz }}"
- - option: no_NM_reload
- value: "{{ no_NM_reload }}"
- - option: is_F18
- value: "{{ is_F18 }}"
+ - option: etc_localtime.stdout # e.g. 'America/New_York' direct from symlink /etc/localtime -- or '' if /etc/localtime doesn't exist
+ value: "{{ etc_localtime.stdout }}"
+ #- option: no_NM_reload
+ # value: "{{ no_NM_reload }}"
+ #- option: is_F18
+ # value: "{{ is_F18 }}"
- option: FQDN_changed
value: "{{ FQDN_changed }}"
- name: Add 'runtime' variable 'is_VM' value if defined, to {{ iiab_ini_file }}
ini_file:
- dest: "{{ iiab_ini_file }}"
+ path: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini
section: runtime
option: "{{ item.option }}"
value: "{{ item.value | string }}"
@@ -169,4 +118,4 @@
when: is_VM is defined
- name: STAGE 0 HAS COMPLETED ======================================
- command: echo # "name: XYZ" fails to appear with "meta: noop"
+ meta: noop # Or use "command: echo" to force instantiation of vars e.g. "name: {{ var }}"
diff --git a/roles/0-init/tasks/network.yml b/roles/0-init/tasks/network.yml
new file mode 100644
index 000000000..c0d52ba68
--- /dev/null
+++ b/roles/0-init/tasks/network.yml
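Review bot: `- option: etc_localtime.stdout` writes an ini key literally named `etc_localtime.stdout` into the runtime section of /etc/iiab/iiab.ini, which looks like a copy of the Jinja expression on the next line rather than an intended key name; every sibling entry (`local_tz`, `first_run`, `FQDN_changed`) uses a plain identifier. I'd change it to `- option: etc_localtime` and leave `value: "{{ etc_localtime.stdout }}"` as is. `etc_localtime` is registered unconditionally in tz.yml in this same diff, so the value will exist whenever main.yml reaches this task.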
@@ -0,0 +1,74 @@
+- name: Do we have a gateway? If 'ip route' specifies a default route, Ansible parses details here...
+ debug:
+ var: ansible_default_ipv4
+
+- name: "If above ansible_default_ipv4.gateway is defined, set WAN candidate 'discovered_wan_iface: {{ ansible_default_ipv4.alias }}' -- using ansible_default_ipv4.alias"
+ set_fact:
+ discovered_wan_iface: "{{ ansible_default_ipv4.alias }}"
+ when: ansible_default_ipv4.gateway is defined
+
+- name: "Verify gateway active: ping -c4 {{ ansible_default_ipv4.gateway }} -- using ansible_default_ipv4.gateway"
+ shell: ping -c4 "{{ ansible_default_ipv4.gateway }}" | grep icmp_seq=4 | wc -l
+ register: gw_active_test
+ when: discovered_wan_iface != "none"
+
+- name: "If gateway responded, set 'gw_active: True' and 'iiab_wan_iface: {{ discovered_wan_iface }}' -- using discovered_wan_iface"
+ set_fact:
+ iiab_wan_iface: "{{ discovered_wan_iface }}"
+ gw_active: True
+ when: discovered_wan_iface != "none" and gw_active_test.stdout == "1"
+
+
+- name: 'Test for Internet access, using: {{ iiab_download_url }}/heart-beat.txt'
+ get_url:
+ url: "{{ iiab_download_url }}/heart-beat.txt"
+ dest: /tmp/heart-beat.txt
+ #timeout: "{{ download_timeout }}"
+ # @jvonau recommends: 100sec is too much (keep 10sec default)
+ ignore_errors: True
+ #async: 10
+ #poll: 2
+ register: internet_access_test
+
+- name: "Set 'internet_available: True' if above download succeeded AND not disregard_network"
+ set_fact:
+ internet_available: True # Initialized to 'False' in 0-init/defaults/main.yml
+ when: not internet_access_test.failed and not disregard_network
+
+- name: Remove downloaded Internet test file /tmp/heart-beat.txt
+ file:
+ path: /tmp/heart-beat.txt
+ state: absent
+
+
+- name: "Set 'iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}'"
+ set_fact:
+ iiab_fqdn: "{{ iiab_hostname }}.{{ iiab_domain }}"
+ FQDN_changed: False
+
+- name: Set hostname / domain (etc) in various places -- if iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }}) +
include_tasks: hostname.yml
+ when: iiab_fqdn != ansible_fqdn
+
+# 2021-07-30: FQDN_changed isn't used as in the past -- its remaining use is
+# for {named, dhcpd, squid} in roles/network/tasks/main.yml -- possibly it
+# should be reconsidered? See PR #2876: roles/network might become optional?
+- name: "Also set 'FQDN_changed: True' -- if iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }})"
+ set_fact:
+ FQDN_changed: True
+ when: iiab_fqdn != ansible_fqdn
+
+
+# 2021-08-17: (1) iiab-gen-iptables works better if gui_port is set directly in
+# default_vars.yml and/or local_vars.yml (2) Admin Console's iiab-admin.yml
+# and js-menu.yml set 'adm_cons_force_ssl: False'
+
+# - name: "Set 'gui_port: 80' for Admin Console if not adm_cons_force_ssl"
+# set_fact:
+# gui_port: 80
+# when: not adm_cons_force_ssl
+
+# - name: "Set 'gui_port: 443' for Admin Console if adm_cons_force_ssl"
+# set_fact:
+# gui_port: 443
+# when: adm_cons_force_ssl
diff --git a/roles/0-init/tasks/tz.yml b/roles/0-init/tasks/tz.yml
index 6dfd2e624..017947a05 100644
--- a/roles/0-init/tasks/tz.yml
+++ b/roles/0-init/tasks/tz.yml
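Review bot: The Internet probe downloads to the fixed path `dest: /tmp/heart-beat.txt` (as root, presumably -- the play's privilege escalation isn't visible here) and then deletes it; a predictable filename in a world-writable directory is exactly what the kernel's protected_symlinks setting exists to mitigate, and relying on that default is weaker than not writing there at all. Creating the destination with the `tempfile` module (`tempfile: state: file`, `suffix: heart-beat`, registered as e.g. `hb_tmp`) and using `"{{ hb_tmp.path }}"` for both `dest:` and the cleanup task's `path:` avoids the issue with three changed lines. The rest of the file is a straight move from main.yml; `gw_active_test.stdout == "1"` is safe even when the ping task was skipped, because the `and` short-circuits on `discovered_wan_iface != "none"` first.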
@@ -1,32 +1,70 @@
-- name: Check if the TZ is not already set via /etc/localtime - Can Fail
- shell: readlink /etc/localtime | awk -F "zoneinfo/" '{print $2}'
- register: TZ_set
- ignore_errors: True
+- name: "'local_tz: {{ local_tz }}' was set by ansible_date_time.tz in /opt/iiab/iiab/vars/default_vars.yml -- e.g. if Ansible finds symlink /etc/localtime -> ../usr/share/zoneinfo/America/New_York -- it will simplify that to 'EDT' (in the summer) or 'EST' (in the winter)"
+ command: echo
-- name: Set local and iiab TZ to UTC if /etc/localtime is not set
- set_fact:
- local_tz: "UTC"
- iiab_TZ: "UTC"
- when: TZ_set.stdout == ""
+- name: "Create symlink /etc/localtime if it doesn't exist, by running 'timedatectl set-timezone UTC' -- THIS ALL MIGHT NO LONGER BE NEC IN 2021, AS ANSIBLE CORRECTLY NOW INTERPRETS THE ABSENCE OF /etc/localtime AS 'UTC' -- PER https://www.freedesktop.org/software/systemd/man/localtime.html"
+ command: timedatectl set-timezone UTC
+ args:
+ creates: /etc/localtime
-- name: Override ansible on timezone if TZ set
- set_fact:
- local_tz: "{{ TZ_set.stdout }}"
- when: TZ_set.stdout != ""
+- name: Symlink /etc/localtime points to which TZ?
+ shell: readlink /etc/localtime | awk -F "zoneinfo/" '{print $2}' # Overall shell command always completes (return code 0) even when /etc/localtime is missing -- due to the '|' pipe
+ register: etc_localtime
-- name: Using iiab TZ for local TZ
- set_fact:
- local_tz: "{{ iiab_TZ }}"
- when: iiab_TZ is defined and iiab_TZ != "" and iiab_TZ != "TZ_set.stdout"
+- name: "/etc/localtime now specifies: {{ etc_localtime.stdout }}"
+ command: echo # 'meta: noop' is not enough to force instantiation of 'name: {{ var }}' just above
-- name: Set default Timezone from iiab TZ (debuntu)
- shell: timedatectl set-timezone {{ iiab_TZ }}
- when: is_debuntu and iiab_TZ is defined and iiab_TZ != "" and iiab_TZ != "TZ_set.stdout"
-- name: Set default Timezone from iiab TZ (redhat)
- file:
- path: /etc/localtime
- src: "/usr/share/zoneinfo/{{ iiab_TZ }}"
- force: yes
- state: link
- when: is_redhat and iiab_TZ is defined and iiab_TZ != "" and iiab_TZ != "TZ_set.stdout"
+#- name: Check for a /etc/localtime symlink to TZ - NEVER FAILS DUE TO PIPE
+# shell: readlink /etc/localtime | awk -F "zoneinfo/" '{print $2}'
+# register: tz_set
+
+#- debug:
+# var: tz_set
+
+#- name: "If /etc/localtime specified TZ, set 'local_tz: {{ tz_set.stdout }}' overriding the value Ansible set via /etc/iiab/default_vars.yml"
+# set_fact:
+# local_tz: "{{ tz_set.stdout }}"
+# when: tz_set.stdout != ""
+
+#- name: "If not, run 'timedatectl set-timezone UTC' and..."
+# command: timedatectl set-timezone UTC
+# when: tz_set.stdout == ""
+
+#- name: "...also set 'local_tz: UTC'"
+# set_fact:
+# local_tz: UTC
+# when: tz_set.stdout == ""
+
+
+#- name: Check if the TZ is not already set via /etc/localtime - Can Fail
+# shell: readlink /etc/localtime | awk -F "zoneinfo/" '{print $2}'
+# register: TZ_set
+# ignore_errors: True
+
+#- name: Set local and iiab TZ to UTC if /etc/localtime is not set
+# set_fact:
+# local_tz: "UTC"
+# iiab_TZ: "UTC"
+# when: TZ_set.stdout == ""
+
+#- name: Override ansible on timezone if TZ set
+# set_fact:
+# local_tz: "{{ TZ_set.stdout }}"
+# when: TZ_set.stdout != ""
+
+#- name: Using iiab TZ for local TZ
+# set_fact:
+# local_tz: "{{ iiab_TZ }}"
+# when: iiab_TZ is defined and iiab_TZ != "" and iiab_TZ != "TZ_set.stdout"
+
+#- name: Set default Timezone from iiab TZ (debuntu)
+# shell: timedatectl set-timezone {{ iiab_TZ }}
+# when: is_debuntu and iiab_TZ is defined and iiab_TZ != "" and iiab_TZ != "TZ_set.stdout"
+
+#- name: Set default Timezone from iiab TZ (redhat)
+# file:
+# path: /etc/localtime
+# src: "/usr/share/zoneinfo/{{ iiab_TZ }}"
+# force: yes
+# state: link
+# when: is_redhat and iiab_TZ is defined and iiab_TZ != "" and iiab_TZ != "TZ_set.stdout"
diff --git a/roles/0-init/tasks/validate_vars.yml b/roles/0-init/tasks/validate_vars.yml
index 44fac82b8..e42bcacdf 100644
--- a/roles/0-init/tasks/validate_vars.yml
+++ b/roles/0-init/tasks/validate_vars.yml
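Review bot: `command: echo` is used twice in the new tz.yml (the first and fourth tasks) purely so that a templated `name:` gets displayed; a `debug: msg: "..."` task renders the same text without forking a process and without reporting 'changed' on every run, which is also the cleaner answer to the `meta: noop` limitation the inline comment on the fourth task describes. The roughly 45 lines of earlier logic kept below as `#` comments (two generations of the old TZ handling) are already preserved in git history and make the 15 live lines harder to read, so I'd delete them. The `creates: /etc/localtime` guard on `timedatectl set-timezone UTC` is the right idempotence check for that task.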
@@ -61,9 +61,9 @@ # https://github.com/iiab/iiab/blob/master/tests/test.yml # https://github.com/iiab/iiab/blob/master/roles/0-init/tasks/validate_vars.yml # -# 2020-11-04: Fix validation of 5 core dependencies, for ./runrole etc +# 2020-11-04: Fix validation of 5 [now 4] core dependencies, for ./runrole etc -- name: Set vars_checklist for 46 + 46 + 41 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked +- name: Set vars_checklist for 43 + 43 + 39 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked set_fact: vars_checklist: - hostapd @@ -76,10 +76,10 @@ - openvpn - admin_console #- nginx # MANDATORY - - apache # Dependency - excluded from _installed check below + #- apache # Unmaintained - former dependency #- mysql # MANDATORY - squid - - dansguardian + #- dansguardian # Unmaintained - cups - samba - usb_lib @@ -90,7 +90,7 @@ - azuracast #- dokuwiki # Unmaintained #- ejabberd # Unmaintained - - elgg + #- elgg # Unmaintained - gitea - jupyterhub - lokole @@ -99,7 +99,6 @@ - nodejs # Dependency - excluded from _installed check below - nodered - nextcloud - - pbx - wordpress - kalite - kolibri @@ -116,11 +115,12 @@ - phpmyadmin - vnstat - yarn # Dependency - excluded from _installed check below - - internetarchive - captiveportal + - internetarchive - minetest - - calibre - calibreweb + - calibre + - pbx - name: Assert that {{ vars_checklist | length }} "XYZ_install" vars are all... defined assert: 
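Review bot: The task name hard-codes the tallies `43 + 43 + 39`, which have to be re-counted by hand every time an entry in the list below is added or commented out — this very hunk had to bump them from `46 + 46 + 41`. The assert further down already derives its count with `{{ vars_checklist | length }}`, so the name could simply drop the numbers: `- name: Set vars_checklist of "XYZ_install" + "XYZ_enabled" + "XYZ_installed" vars to be checked below`. The `_installed` tally additionally depends on the exclusion list in the final assert's `when:`, which lives in a separate hunk and can drift independently of this name.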
@@ -162,5 +162,5 @@ that: "{{ item }}_install or {{ item }}_installed is undefined" fail_msg: "DISALLOWED: '{{ item }}_install: False' (e.g. in /etc/iiab/local_vars.yml) WHEN '{{ item }}_installed' is defined (e.g. in /etc/iiab/iiab_state.yml) -- IIAB DOES NOT SUPPORT UNINSTALLS -- please verify those 2 files especially, and other places variables are defined?" quiet: yes - when: item != 'apache' and item != 'nodejs' and item != 'postgresql' and item != 'mongodb' and item != 'yarn' # Exclude auto-installed dependencies + when: item != 'nodejs' and item != 'postgresql' and item != 'mongodb' and item != 'yarn' # Exclude auto-installed dependencies loop: "{{ vars_checklist }}" diff --git a/roles/1-prep/README.rst b/roles/1-prep/README.rst index b8fe2d884..171263f5b 100644 --- a/roles/1-prep/README.rst +++ b/roles/1-prep/README.rst 
@@ -2,15 +2,24 @@ 1-prep README ============= -This 1st stage (1-prep) is primarily hardware-focused, prior to OS -additions/mods, but also includes critical pieces sometimes needed for -remote support: +This 1st `stage `_ (1-prep) arranges low-level things like remote support infra, DNS prep, hardware, low-level OS quirks, and basic security: -- SSH -- `iiab-admin `_ username and group to log into Admin Console -- OpenVPN software if/as needed later for remote support +- SSHD +- OpenVPN if/as needed later for remote support +- `iiab-admin `_ username and group, to log into Admin Console +- dnsmasq (install now, configure later!) +- Universally unique identifier: /etc/iiab/uuid +- Ubermix (distro) needs /etc/tmpfiles.d/iiab.conf to create essential /var/log subdirs on each boot +- Hardware actions: + - `raspberry_pi.yml `_: + - RTC (real-time clock): install udev rule, configure, enable + - Install packages related to: + - growpart + - swapfile + - fake-hwclock (as RTC is often missing or dead!) + - Wi-Fi + - Increase swap file size + - `rootfs auto-resizing `_ + - NUC 6 Wi-Fi firmware -Traditionally 1-prep also included preliminaries like hostname and -hardware-oriented things specific to a particular platform (such as -One Laptop Per Child's XO laptop) i.e. critical setup prior to the -bulk of IIAB's software install. +Recap: Similar to 0-init, 2-common, 3-base-server, 4 server-options and 5-xo-services — this 1st stage installs core server infra (that is not user-facing). diff --git a/roles/1-prep/defaults/main.yml b/roles/1-prep/defaults/main.yml new file mode 100644 index 000000000..c4a59810e --- /dev/null +++ b/roles/1-prep/defaults/main.yml 
@@ -0,0 +1,11 @@
+# Real-time clock: RTC chip family. Future auto-detection plausible?
+
+# rtc_id: none # Or ds3231 ? Used in 1-prep/tasks/raspberry_pi.yml
+
+# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
+# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
+
+
+# SEE ALSO /opt/iiab/iiab/roles/0-init/defaults/main.yml
+
+#NUC6_firmware_needed: False # 2021-07-30: Apparently never used
diff --git a/roles/1-prep/tasks/hardware.yml b/roles/1-prep/tasks/hardware.yml
new file mode 100644
index 000000000..2a5c5c2ba
--- /dev/null
+++ b/roles/1-prep/tasks/hardware.yml
@@ -0,0 +1,17 @@
+## DISCOVER PLATFORMS ######
+# Put conditional actions for hardware platforms here
+
+- include_tasks: raspberry_pi.yml
+ when: first_run and rpi_model != "none"
+
+- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
+ shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
+ register: usb_NUC6
+ ignore_errors: True
+
+- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6 # iiab_download_url is http://download.iiab.io/packages
+ get_url:
+ url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"
+ dest: /lib/firmware
+ timeout: "{{ download_timeout }}"
+ when: internet_available and usb_NUC6.stdout|int > 0
diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml
index 273aedc94..5366f7d97 100644
--- a/roles/1-prep/tasks/main.yml
+++ b/roles/1-prep/tasks/main.yml
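Review bot: The `get_url` task drops a kernel firmware blob into /lib/firmware with no `checksum:`, and its own inline comment says `iiab_download_url` is a plain `http://` URL, so anyone on the network path during install can substitute the file the kernel will later load. Pin it with `checksum: "sha256:<digest>"` (keeping the digest next to `iiab_download_url` in defaults) and set `mode: '0644'` instead of inheriting the remote umask; serving the URL over HTTPS would be a further improvement if the download host supports it. Separately, `ignore_errors: True` on the `lsusb | grep` probe makes the task show as failed-then-ignored on every machine that is not a NUC6 (grep exits 1 on no match); the `failed_when: False` idiom used in ubermix.yml in this same commit is the quieter equivalent.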
@@ -1,87 +1,31 @@ -# Preparations (Hardware Level) +# Preparations (low-level e.g. remote support, DNS prep, HW/OS, basic security) - name: ...IS BEGINNING ============================================ - command: echo + meta: noop -- name: dnsmasq (install now, configure LATER in 'network', after Stage 9) - include_tasks: roles/network/tasks/dnsmasq.yml - #when: dnsmasq_install # Flag might be used in future? - - -- name: Install uuid-runtime package (debuntu) - package: - name: - - uuid-runtime - - sudo - state: present - when: is_debuntu - -- name: Does /etc/iiab/uuid file exist? - stat: - path: /etc/iiab/uuid - register: uuid_file - -- name: If no uuid exists, create one - shell: uuidgen - register: uuid_response - when: not uuid_file.stat.exists - -- name: Put uuid in place at /etc/iiab/uuid - shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid - when: not uuid_file.stat.exists - -- name: Grab the uuid from /etc/iiab/uuid, into register stored_uuid - command: cat /etc/iiab/uuid - register: stored_uuid - -- name: Place the uuid from register into variable/fact "uuid" - set_fact: - uuid: "{{ stored_uuid.stdout_lines[0] }}" - - -- name: Does 'ubermix' exist in /etc/lsb-release? - shell: grep -i ubermix /etc/lsb-release # Pipe to cat to avoid red errors? - register: grep_ubermix - failed_when: False # Universal way to hide alarmist red errors! - #ignore_errors: True - #check_mode: no - -- name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix - copy: - src: roles/1-prep/files/iiab.conf - dest: /etc/tmpfiles.d/ - # owner: root - # group: root - # mode: '0644' - force: yes - when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist - -# 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml -# This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-* -# pkgs are not installed FWIW. 
But it's included to safeguard us across all -# OS's, in case others OS's like Ubermix later appear. See #1382 for details. -# Removing pkgs libgeos-3.6.2 & libgeos-c1v5 fixed the situation on Ubermix! -- name: Remove libgeos-* pkgs, avoiding KA Lite Django failure on Ubermix - shell: apt -y remove "libgeos-*" - when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist - - -# Required by OpenVPN below. Also run by roles/4-server-options/tasks/main.yml -- name: SSHD +- name: SSHD -- required by OpenVPN below -- also run by roles/4-server-options/tasks/main.yml include_role: name: sshd when: sshd_install -- name: IIAB-ADMIN - include_role: - name: iiab-admin - #when: iiab_admin_install # Flag might be created in future? - - name: OPENVPN include_role: name: openvpn when: openvpn_install +- name: IIAB-ADMIN -- includes roles/iiab-admin/tasks/access.yml + include_role: + name: iiab-admin + #when: iiab_admin_install # Flag might be created in future? + +- name: Install dnsmasq -- configure LATER in 'network', after Stage 9 + include_tasks: roles/network/tasks/dnsmasq.yml + #when: dnsmasq_install # Flag might be used in future? + +- include_tasks: uuid.yml +- include_tasks: ubermix.yml +- include_tasks: hardware.yml # Can run raspberry_pi.yml + # Debian 10 "Buster" is apparently enabling AppArmor in 2019: # https://wiki.debian.org/AppArmor/Progress 
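Review bot: The three new `include_tasks` lines (`uuid.yml`, `ubermix.yml`, `hardware.yml`) carry no `name:`, while every sibling task in this file is named, so the play output shows only a bare file path for those steps. A one-line name per include keeps the log readable, e.g. `- name: UUID -- create /etc/iiab/uuid if absent, then load it into var 'uuid'` and `- name: HARDWARE -- RPi prep (raspberry_pi.yml) and NUC6 Wi-Fi firmware`. The `# Can run raspberry_pi.yml` trailing comment could then move into that name.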
@@ -111,27 +55,7 @@ # when: not is_debuntu and selinux_disabled is defined and selinux_disabled.changed -## DISCOVER PLATFORMS ###### -# Put conditional actions for hardware platforms here - -- include_tasks: raspberry_pi.yml - when: first_run and rpi_model != "none" - -- name: Check if the identifier for Intel's NUC6 built-in WiFi is present - shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'" - register: usb_NUC6 - ignore_errors: True - -- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6 # iiab_download_url is http://download.iiab.io/packages - get_url: - url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode" - dest: /lib/firmware - timeout: "{{ download_timeout }}" - when: internet_available and usb_NUC6.stdout|int > 0 - - -# This script can be sourced to get IIAB path/location - name: Recording STAGE 1 HAS COMPLETED ============================ template: src: roles/1-prep/templates/iiab.env.j2 - dest: "{{ iiab_env_file }}" + dest: "{{ iiab_env_file }}" # Can also be run as a script if absolutely nec, e.g. 'source /etc/iiab/iiab.env && echo $WWWROOT' diff --git a/roles/1-prep/tasks/raspberry_pi.yml b/roles/1-prep/tasks/raspberry_pi.yml index 3c9ed54ad..bc54f58af 100644 --- a/roles/1-prep/tasks/raspberry_pi.yml +++ b/roles/1-prep/tasks/raspberry_pi.yml 
@@ -1,12 +1,12 @@ # Specific to Raspberry Pi -- name: Install udev rule /etc/udev/rules.d/92-rtc-i2c.rules from template, to transfer hwclock to system clock at dev creation, if rtc_id is defined and rtc_id != "none" +- name: Install udev rule /etc/udev/rules.d/92-rtc-i2c.rules from template, to transfer hwclock to system clock at dev creation, if rtc_id is defined and rtc_id != "none" (root:root, 0644 by default) template: src: 92-rtc-i2c.rules dest: /etc/udev/rules.d/92-rtc-i2c.rules - owner: root - group: root - mode: 0644 + #owner: root + #group: root + #mode: 0644 when: rtc_id is defined and rtc_id != "none" # RTC requires a change to the device tree (and reboot) @@ -22,7 +22,7 @@ path: /boot/firmware/usercfg.txt line: "dtoverlay=i2c-rtc,{{ rtc_id }}=on" state: present - when: rtc_id is defined and rtc_id != "none" and is_ubuntu + when: rtc_id is defined and rtc_id != "none" and is_ubuntu # CLARIF: Ubuntu runs increasingly well on RPi hardware, starting in 2020 especially #- name: Enable bluetooth in /boot/firmware/syscfg.txt on Ubuntu (needs reboot) # lineinfile: 
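Review bot: Commenting out `owner`/`group`/`mode` and asserting "(root:root, 0644 by default)" in the task name is not something Ansible guarantees: for a file that `template` creates, the mode comes from the remote umask, and ownership is whatever the become user is. Under `become` with a 022 umask the result matches, but a hardened 027/077 umask silently yields a root-only udev rule and the name then documents the wrong thing. Keeping an explicit, quoted `mode: '0644'` costs one line and also avoids the integer-vs-octal ambiguity of the bare `0644` the old line had. The same reasoning applies to the rootfs-resize template and the ubermix.yml `copy` touched elsewhere in this commit.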
@@ -31,17 +31,32 @@ # line: 'include btcfg.txt' # when: is_ubuntu -- name: 'Ensure packages are installed: dphys-swapfile, fake-hwclock, iw, rfkill, wireless-tools' + +- name: '2021-07-27: SEE ALSO ~4 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/packages.yml' + meta: noop + +- name: '2021-07-27: SEE ALSO 4-5 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/network.yml' + meta: noop + +# 2021-07-27 explanation from @jvonau: The 3 BELOW (iw, rfkill, wireless-tools) +# are provided by RaspiOS. Ubuntu|Debian on the other hand are hit or miss: +# desktops might have some/all 3 preinstalled, while servers tend not to have +# these present at all, but are needed to be installed if you want to take full +# advantage of WiFi on Ubuntu and friends -- but it's only enforced on RPi +# hardware where we know in advance of the likelihood of WiFi being present. + +- name: 'Install packages: cloud-guest-utils, dphys-swapfile, fake-hwclock, iw, rfkill, wireless-tools' package: name: - - dphys-swapfile - - fake-hwclock - - iw - - rfkill - - wireless-tools - - cloud-guest-utils + - cloud-guest-utils # Contains 'growpart' for resizing a partition during boot, which is normally done with the aid of cloud-init + - dphys-swapfile # 2021-07-27: RaspiOS installs this regardless -- autogenerate and use a swap file + - fake-hwclock # 2021-07-27: RaspiOS installs this regardless -- save/restore system clock on machines without working RTC hardware + - iw # 2021-07-27: RaspiOS installs this regardless -- configure Linux wireless devices -- hard dependence for ap0 creation, SEE https://github.com/iiab/iiab/blob/master/roles/network/templates/hostapd/iiab-clone-wifi.service.j2 + - rfkill # 2021-07-27: RaspiOS installs this regardless -- enable & disable wireless devices + - wireless-tools # 2021-07-27: RaspiOS installs this regardless -- manipulate Linux Wireless Extensions state: present 
+ - name: Increase swap file size (to CONF_SWAPSIZE={{ pi_swap_file_size }} in /etc/dphys-swapfile) as kalite pip download fails lineinfile: path: /etc/dphys-swapfile @@ -50,20 +65,21 @@ - name: Restart swap service "dphys-swapfile" #command: /etc/init.d/dphys-swapfile restart - service: # A rare/legacy service that is NOT systemd + systemd: # Had been...a rare/legacy service that was NOT systemd name: dphys-swapfile state: restarted -- name: Install RPi rootfs resizing (iiab-rpi-max-rootfs.sh) and its systemd service (iiab-rpi-root-resize.service), from templates + +- name: Install RPi rootfs resizing (/usr/sbin/iiab-rpi-max-rootfs.sh) and its systemd service (/etc/systemd/system/iiab-rpi-root-resize.service), from templates (root:root by default) template: src: "{{ item.src }}" dest: "{{ item.dest }}" - owner: root - group: root + #owner: root + #group: root mode: "{{ item.mode }}" with_items: - - { src: 'iiab-rpi-max-rootfs.sh', dest: '/usr/sbin/iiab-rpi-max-rootfs.sh', mode: '0755'} - - { src: 'iiab-rpi-root-resize.service', dest: '/etc/systemd/system/iiab-rpi-root-resize.service', mode: '0644'} + - { src: 'iiab-rpi-max-rootfs.sh', dest: '/usr/sbin/', mode: '0755' } + - { src: 'iiab-rpi-root-resize.service', dest: '/etc/systemd/system/', mode: '0644' } - name: Enable RPi rootfs resizing (systemd service iiab-rpi-root-resize.service) systemd: diff --git a/roles/1-prep/tasks/ubermix.yml b/roles/1-prep/tasks/ubermix.yml new file mode 100644 index 000000000..fa9e1c891 --- /dev/null +++ b/roles/1-prep/tasks/ubermix.yml 
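Review bot: `state: restarted` on dphys-swapfile runs on every play, not only when `CONF_SWAPSIZE` actually changed, so each re-run of the playbook tears down and rebuilds the swap file. Add `register: swap_conf` to the `Increase swap file size` lineinfile task (it sits between this hunk and the previous one) and gate this task with `when: swap_conf.changed`, or move the restart into a handler notified by that task. The switch from `service:` to `systemd:` itself is consistent with the inline comment that the unit is now systemd-managed.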
@@ -0,0 +1,25 @@ +- name: Does 'ubermix' exist in /etc/lsb-release? + shell: grep -i ubermix /etc/lsb-release # Pipe to cat to avoid red errors? + register: grep_ubermix + failed_when: False # Universal way to hide alarmist red errors! + #ignore_errors: True + #check_mode: no + +- name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix (root:root, 0644 by default) + copy: + src: roles/1-prep/files/iiab.conf + dest: /etc/tmpfiles.d/ + # owner: root + # group: root + # mode: 0644 + force: yes + when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist + +# 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml +# This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-* +# pkgs are not installed FWIW. But it's included to safeguard us across all +# OS's, in case others OS's like Ubermix later appear. See #1382 for details. +# Removing pkgs libgeos-3.6.2 & libgeos-c1v5 fixed the situation on Ubermix! +- name: Remove libgeos-* pkgs, avoiding KA Lite Django failure on Ubermix + shell: apt -y remove "libgeos-*" + when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist diff --git a/roles/1-prep/tasks/uuid.yml b/roles/1-prep/tasks/uuid.yml new file mode 100644 index 000000000..28ab30340 --- /dev/null +++ b/roles/1-prep/tasks/uuid.yml 
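Review bot: `shell: apt -y remove "libgeos-*"` shells out to the `apt` CLI, which itself warns that it has no stable scripting interface, and the task reports `changed` on every Ubermix run even when nothing is removed. The `apt` module handles the same glob idempotently: `apt:` / `name: 'libgeos-*'` / `state: absent`. The `copy` task above it likewise leaves the mode of `/etc/tmpfiles.d/iiab.conf` to the remote umask despite the "(root:root, 0644 by default)" wording in its name, so restoring an explicit `mode: '0644'` there is a cheap guarantee.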
@@ -0,0 +1,26 @@
+- name: "Install packages: uuid-runtime"
+ package:
+ name: uuid-runtime
+ state: present
+
+- name: Does /etc/iiab/uuid exist?
+ stat:
+ path: /etc/iiab/uuid
+ register: uuid_file
+
+- name: If not, run 'uuidgen' to create a uuid, in register uuid_response
+ command: uuidgen
+ register: uuid_response
+ when: not uuid_file.stat.exists
+
+- name: Save it to /etc/iiab/uuid
+ shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid
+ when: not uuid_file.stat.exists
+
+- name: Load /etc/iiab/uuid, into register stored_uuid
+ command: cat /etc/iiab/uuid
+ register: stored_uuid
+
+- name: Store it in Ansible variable 'uuid'
+ set_fact:
+ uuid: "{{ stored_uuid.stdout_lines[0] }}"
diff --git a/roles/1-prep/templates/chrony.conf.j2 b/roles/1-prep/templates/chrony.conf.j2.unused
similarity index 100%
rename from roles/1-prep/templates/chrony.conf.j2
rename to roles/1-prep/templates/chrony.conf.j2.unused
diff --git a/roles/2-common/README.rst b/roles/2-common/README.rst
index 90bee5c7e..be1ccd5c9 100644
--- a/roles/2-common/README.rst
+++ b/roles/2-common/README.rst
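Review bot: Writing the identifier with `shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid` interpolates an unquoted value into a shell command line and leaves the file's mode to the remote umask, and the follow-up `command: cat` reports `changed` on every run. The `copy` module with `content:` writes the file in one step with an explicit mode, and `slurp` reads it back without a spurious change; both keep the same `uuid` fact for downstream roles. Rewritten tail of the file below; the `uuid-runtime`, `stat` and `uuidgen` tasks are unchanged.

```yaml
# … unchanged: uuid-runtime install, stat of /etc/iiab/uuid, uuidgen …

- name: Save it to /etc/iiab/uuid (root:root, 0644)
  copy:
    content: "{{ uuid_response.stdout | trim }}\n"
    dest: /etc/iiab/uuid
    mode: '0644'
  when: not uuid_file.stat.exists

- name: Load /etc/iiab/uuid, into register stored_uuid
  slurp:
    src: /etc/iiab/uuid
  register: stored_uuid

- name: Store it in Ansible variable 'uuid'
  set_fact:
    uuid: "{{ stored_uuid.content | b64decode | trim }}"
```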
@@ -2,7 +2,13 @@ 2-common README =============== -This 2nd stage is for OS-level roles/packages/tasks *common* to all platforms, -prerequisites to building up a functioning server. +This 2nd `stage `_ is for OS-level basics *common* to all platforms, i.e. core prerequisites to building up a functioning `Internet-in-a-Box (IIAB) `_ server. -As in the case of 3-base-server, 4-server-options and 5-xo-services: this stage installs core server infra, that is not user-facing. +These are (partially) put in place: + +- IIAB directory structure (`file layout `_) +- Common `apt `_ software packages +- Networking (including the `iptables `_ firewall) +- `/usr/libexec/iiab-startup.sh `_ similar to AUTOEXEC.BAT and /etc/rc.local, in order to run jobs on boot + +Recap: As with 0-init, 1-prep, 3-base-server, 4-server-options and 5-xo-services — this 2nd stage installs core server infra (that is not user-facing). diff --git a/roles/2-common/tasks/centos.yml b/roles/2-common/tasks/centos.yml.unused similarity index 100% rename from roles/2-common/tasks/centos.yml rename to roles/2-common/tasks/centos.yml.unused diff --git a/roles/2-common/tasks/fedora.yml b/roles/2-common/tasks/fedora.yml.unused similarity index 100% rename from roles/2-common/tasks/fedora.yml rename to roles/2-common/tasks/fedora.yml.unused diff --git a/roles/2-common/tasks/main.yml b/roles/2-common/tasks/main.yml index e55d12c05..a89928992 100644 --- a/roles/2-common/tasks/main.yml +++ b/roles/2-common/tasks/main.yml 
@@ -1,53 +1,46 @@ # Common OS-Level Additions & Mods (that only need to be performed once) - name: ...IS BEGINNING ========================================== - command: echo + meta: noop - name: Create IIAB directory structure ("file layout") include_tasks: fl.yml -- include_tasks: centos.yml - when: ansible_distribution == "CentOS" - -- include_tasks: fedora.yml - when: ansible_distribution == "Fedora" - -- include_tasks: prep.yml - when: not is_debuntu - -- include_tasks: xo.yml - when: xo_model != "none" or osbuilder is defined - - include_tasks: packages.yml -- include_tasks: network.yml -# Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes: -- name: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible - sysctl: # Places these settings in /etc/sysctl.conf, to survive reboot - name: "{{ item.name }}" - value: "{{ item.value }}" - with_items: - - { name: 'net.ipv4.ip_forward', value: '1' } # Masquerading LAN->Internet - - { name: 'net.ipv4.conf.default.rp_filter', value: '1' } - - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' } - #- { name: 'kernel.sysrq', value: '1' } # OS values differ, Ok? - - { name: 'kernel.core_uses_pid', value: '1' } - #- { name: 'net.ipv4.tcp_syncookies', value: '1' } # Very standard in 2020 - #- { name: 'kernel.shmmax', value: '268435456' } # OS values differ, Ok? 
- - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' } # IPv6 disabled - #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' } # AUTO-SET - #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' } # BY ABOVE - -- name: Install /etc/profile.d/zzz_iiab.sh from template, to add sbin dirs to unprivileged users' $PATH - template: - dest: /etc/profile.d/zzz_iiab.sh - src: zzz_iiab.sh - -- include_tasks: net_mods.yml - when: not is_debuntu and not is_F18 +- name: "Network prep, including partial setup of iptables (firewall) -- SEE ALSO: 1-prep/tasks/raspberry_pi.yml" + include_tasks: network.yml - include_tasks: iiab-startup.yml + +# UNMAINTAINED +#- include_tasks: centos.yml +# when: ansible_distribution == "CentOS" + +# UNMAINTAINED +#- include_tasks: fedora.yml +# when: ansible_distribution == "Fedora" + +# UNMAINTAINED +#- include_tasks: prep.yml +# when: not is_debuntu + +# UNMAINTAINED +#- include_tasks: xo.yml +# when: xo_model != "none" or osbuilder is defined + +# UNMAINTAINED +#- include_tasks: net_mods.yml +# when: not is_debuntu and not is_F18 + +# UNMAINTAINED +#- name: Install /etc/profile.d/zzz_iiab.sh from template, to add sbin dirs to unprivileged users' $PATH +# template: +# dest: /etc/profile.d/zzz_iiab.sh +# src: zzz_iiab.sh + + - name: Recording STAGE 2 HAS COMPLETED ========================== lineinfile: path: "{{ iiab_env_file }}" diff --git a/roles/2-common/tasks/net_mods.yml b/roles/2-common/tasks/net_mods.yml.unused similarity index 100% rename from roles/2-common/tasks/net_mods.yml rename to roles/2-common/tasks/net_mods.yml.unused diff --git a/roles/2-common/tasks/network.yml b/roles/2-common/tasks/network.yml index dc71f4a13..435c0bb1f 100644 --- a/roles/2-common/tasks/network.yml +++ b/roles/2-common/tasks/network.yml 
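Review bot: Roughly 25 lines of the new side are commented-out `include_tasks` blocks for files this same commit renames to `*.unused`, so the dead code now exists twice — once as the `.unused` file and once as a comment here. Since git history keeps both, a single pointer comment such as `# 2021-08: CentOS/Fedora/XO/net_mods/zzz_iiab.sh support is UNMAINTAINED -- see roles/2-common/tasks/*.unused and templates/*.unused` would keep main.yml to its seven live tasks. If the commented blocks are meant as a to-do list for resurrecting those platforms, say so in one line rather than leaving readers to guess.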
@@ -1,23 +1,45 @@ +- name: '2021-07-27: SEE ALSO ~3 networking packages EARLIER installed by https://github.com/iiab/iiab/blob/master/roles/1-prep/tasks/raspberry_pi.yml' + meta: noop + +- name: '2021-07-27: SEE ALSO ~4 networking packages EARLIER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/packages.yml' + meta: noop + - name: Install package networkd-dispatcher (OS's other than RaspiOS) package: - name: networkd-dispatcher + name: networkd-dispatcher # Dispatcher service for systemd-networkd connection status changes state: present when: not is_raspbian -# used in the network role -- name: 'Install network packages: hostapd, iproute2, iptables-persistent, netmask (debuntu)' +- name: 'Install network packages: hostapd, iproute2, iptables-persistent, netmask -- later used by https://github.com/iiab/iiab/tree/master/roles/network' package: name: - - iproute2 - - iptables-persistent - - hostapd - - netmask + - hostapd # IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator -- has its service masked out of the box, and only used when IIAB's network roles detects the presence of WiFi and an AP is desired + - iproute2 # 2021-07-27: RaspiOS installs this regardless -- the new networking and traffic control tools, meant to replace net-tools + - iptables-persistent # Boot-time loader for netfilter rules, iptables (firewall) plugin -- however Netfilter / nftables is ever moving forward so keep an eye on it! 
+ - netmask # Handy utility -- helps determine network masks state: present - when: is_debuntu -- name: Install /etc/network/if-pre-up.d/iptables from template (0755, debuntu) - template: - src: iptables - dest: /etc/network/if-pre-up.d/iptables - mode: '0755' - when: is_debuntu +# 2021-08-17: Debian ignores this, according to 2013 post: +# https://serverfault.com/questions/511099/debian-ignores-etc-network-if-pre-up-d-iptables +# - name: Install /etc/network/if-pre-up.d/iptables from template (0755) +# template: +# src: iptables +# dest: /etc/network/if-pre-up.d/iptables +# mode: '0755' + +# Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes: +- name: "Use 'sysctl' to set 'kernel.core_uses_pid: 1' + 4 network settings in /etc/sysctl.conf -- e.g. disabling IPv6 (this might be overkill, as IPv6 should really only be disabled on the LAN side, i.e. br0)" + sysctl: # Places these settings in /etc/sysctl.conf, to survive reboot + name: "{{ item.name }}" + value: "{{ item.value }}" + with_items: + - { name: 'net.ipv4.ip_forward', value: '1' } # Masquerading LAN->Internet + - { name: 'net.ipv4.conf.default.rp_filter', value: '1' } + - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' } + #- { name: 'kernel.sysrq', value: '1' } # OS values differ, Ok? + - { name: 'kernel.core_uses_pid', value: '1' } + #- { name: 'net.ipv4.tcp_syncookies', value: '1' } # Very standard in 2020 + #- { name: 'kernel.shmmax', value: '268435456' } # OS values differ, Ok? + - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' } # IPv6 disabled + #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' } # AUTO-SET + #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' } # BY ABOVE diff --git a/roles/2-common/tasks/packages.yml b/roles/2-common/tasks/packages.yml index 22ba624af..81bc35c94 100644 --- a/roles/2-common/tasks/packages.yml +++ b/roles/2-common/tasks/packages.yml 
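Review bot: The sysctl list persists `net.ipv4.ip_forward: 1` in stage 2, while the calling task's name says iptables is only partially set up here and the filter rules arrive later in the `network` role, so from this point on (and across reboots, if the install aborts in between) the box forwards between its interfaces with no filtering in place. Consider setting `ip_forward` from the same task that installs the iptables rules, so forwarding and filtering come up together. Also, the `net.ipv4.conf.default.*` keys only seed interfaces created after the write; an interface that is already up (e.g. the install-time ethernet link) keeps its existing values, so add the `all` counterparts alongside: `- { name: 'net.ipv4.conf.all.rp_filter', value: '1' }` and `- { name: 'net.ipv4.conf.all.accept_source_route', value: '0' }`. `disable_ipv6` is already set on `all`, as the trailing comments note.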
@@ -1,59 +1,61 @@ -- name: "Install 10 yum/dnf packages: avahi, avahi-tools, createrepo, linux-firmware, nss-mdns, openssl, syslog, wpa_supplicant, xml-common, yum-utils (redhat)" - package: - name: - - avahi - - avahi-tools - - createrepo - - linux-firmware - - nss-mdns - - openssl # FC 18 does not supply, but pear requires - - syslog - - wpa_supplicant - - xml-common - - yum-utils - state: present - when: is_redhat +- name: '2021-07-27: SEE ALSO ~3 networking packages EARLIER installed by https://github.com/iiab/iiab/blob/master/roles/1-prep/tasks/raspberry_pi.yml' + meta: noop -- name: "Install 6 deb/apt packages: avahi-daemon, exfat-fuse, exfat-utils, inetutils-syslogd, libnss-mdns, wpasupplicant (debuntu)" - package: - name: - #- avahi-discover - - avahi-daemon - - exfat-fuse # Should no longer be nec with 5.4+ kernels - - exfat-utils # Likewise! - - inetutils-syslogd # Error logging facility - - libnss-mdns # Provides name resolution via mDNS (Multicast DNS) using Zeroconf/Bonjour e.g. Avahi - - wpasupplicant - state: present - when: is_debuntu +- name: '2021-07-27: SEE ALSO 4-5 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/network.yml' + meta: noop -- name: "Install 20 common packages: acpid, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, tar, unzip, usbutils, wget" +- name: "Install 20 common packages: acpid, avahi-daemon, bzip2, curl, gawk, htop, i2c-tools, libnss-mdns, logrotate, mlocate, net-tools, pandoc, pastebinit, rsync, sqlite3, tar, unzip, usbutils, wget, wpasupplicant" package: name: - - acpid # Daemon for ACPI (power mgmt) events - - bzip2 # 2021-04-26: Prob not used, but can't hurt? 
- - curl # Used to install roles/nodejs and roles/nodered - #- etckeeper # "nobody is really using etckeeper and it's bloating the filesystem every time apt runs" per @jvonau at https://github.com/iiab/iiab/issues/1146 + - acpid # Daemon for ACPI (power mgmt) events + - avahi-daemon # 2021-07-27: RaspiOS (and package libnss-mnds, below) install this regardless -- holdover from the XO days and used to advertise ssh/admin-console being available via avahi-daemon -- used with https://github.com/iiab/iiab/blob/master/roles/network/tasks/avahi.yml + #- avahi-discover # 2021-07-27: Commented out long ago + - bzip2 # 2021-04-26: Prob not used, but can't hurt? + - curl # Used to install roles/nodejs and roles/nodered + #- etckeeper # "nobody is really using etckeeper and it's bloating the filesystem every time apt runs" per @jvonau at https://github.com/iiab/iiab/issues/1146 + #- exfat-fuse # 2021-07-27: Should no longer be nec with 5.4+ kernels, so let's try commenting it out + #- exfat-utils # Ditto! See also 'ntfs-3g' below - gawk - htop - - i2c-tools # Low-level bus/chip/register/EEPROM tools e.g. for RTC - - iproute2 + - i2c-tools # Low-level bus/chip/register/EEPROM tools e.g. for RTC + #- inetutils-syslogd # 2021-07-27: Error logging facility -- holdover from the XO days, journalctl has replaced this in newer distros + #- iproute2 # Installed by roles/2-common/tasks/network.yml - logrotate - #- lynx # Installed by 1-prep's roles/iiab-admin/tasks/access.yml - - make # 2021-04-26: What roles (if any) truly still use this? + - libnss-mdns # 2021-07-27: RaspiOS (and package avahi-daemon, above) install this regardless -- client-side library -- provides name resolution via mDNS (Multicast DNS) using Zeroconf/Bonjour e.g. 
Avahi + #- lynx # Installed by 1-prep's roles/iiab-admin/tasks/access.yml + #- make # 2021-07-27: Currently used by roles/pbx and no other roles - mlocate - - net-tools # 2021-04-26: @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output? - - ntfs-3g # Possibly no longer nec, similar to exfat packages above? + - net-tools # 2021-04-26: @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output? + #- ntfs-3g # 2021-07-31: RaspiOS installs this regardless -- but this should no longer be nec with 5.4+ kernels, similar to exfat packages above -- however, see also this symlink warning: https://superuser.com/questions/1050544/mount-with-kernel-ntfs-and-not-ntfs-3g -- and upcoming kernel 5.15 improvements: https://www.phoronix.com/scan.php?page=news_item&px=New-NTFS-Likely-For-Linux-5.15 #- openssh-server # ssh (Raspbian) or openssh-server (other OS's) already installed by 1-prep's roles/sshd/tasks/main.yml - - pandoc # For /usr/bin/iiab-refresh-wiki-docs - - pastebinit # For /usr/bin/iiab-diagnostics + - pandoc # For /usr/bin/iiab-refresh-wiki-docs + - pastebinit # For /usr/bin/iiab-diagnostics + #- python3-pip # 2021-07-29: Already installed by /opt/iiab/iiab/scripts/ansible -- this auto-installs 'python3-setuptools' and 'python3' etc + #- python3-venv # 2021-07-30: For Ansible module 'pip' used in roles like {calibre-web, jupyterhub, lokole} -- whereas roles/kalite uses (virtual) package 'virtualenv' for Python 2 -- all these 3+1 IIAB roles install 'python3-venv' for themselves. FYI: Debian 11 auto-installs 'python3-venv' when you install 'python3' -- whereas Ubuntu (e.g. 20.04 & 21.10) and RaspiOS 10 do not. 
- rsync - #- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml + #- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml - sqlite3 - #- sudo # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml + #- sudo # (1) Should be installed prior to installing IIAB, (2) Can also be installed by roles/1-prep's roles/openvpn/tasks/install.yml, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml - tar - unzip - #- usbmount # Moved to roles/usb_lib/tasks/install.yml - - usbutils # 2021-04-26: Also move to roles/usb_lib/tasks/install.yml ? + #- usbmount # Moved to roles/usb_lib/tasks/install.yml + - usbutils # 2021-07-27: RaspiOS installs this regardless -- move to roles/usb_lib/tasks/install.yml ? - wget + - wpasupplicant # 2021-07-27: RaspiOS installs this regardless -- client library for connections to a WiFi AP state: present + +#- name: "Install 10 yum/dnf packages: avahi, avahi-tools, createrepo, linux-firmware, nss-mdns, openssl, syslog, wpa_supplicant, xml-common, yum-utils (redhat)" +# package: +# name: +# - avahi +# - avahi-tools +# - createrepo +# - linux-firmware +# - nss-mdns +# - openssl # FC 18 does not supply, but pear requires +# - syslog +# - wpa_supplicant +# - xml-common +# - yum-utils +# state: present +# when: is_redhat diff --git a/roles/2-common/tasks/prep.yml b/roles/2-common/tasks/prep.yml.unused similarity index 100% rename from roles/2-common/tasks/prep.yml rename to roles/2-common/tasks/prep.yml.unused diff --git a/roles/2-common/tasks/xo.yml b/roles/2-common/tasks/xo.yml.unused similarity index 100% rename from roles/2-common/tasks/xo.yml rename to roles/2-common/tasks/xo.yml.unused diff --git a/roles/2-common/tasks/yum-historical.yml b/roles/2-common/tasks/yum-historical.yml.unused similarity index 100% rename from roles/2-common/tasks/yum-historical.yml rename to roles/2-common/tasks/yum-historical.yml.unused 
diff --git a/roles/2-common/templates/ansible.repo b/roles/2-common/templates/ansible.repo.unused similarity index 100% rename from roles/2-common/templates/ansible.repo rename to roles/2-common/templates/ansible.repo.unused diff --git a/roles/2-common/templates/iiab-centos.repo b/roles/2-common/templates/iiab-centos.repo.unused similarity index 100% rename from roles/2-common/templates/iiab-centos.repo rename to roles/2-common/templates/iiab-centos.repo.unused diff --git a/roles/2-common/templates/iiab-extra.repo b/roles/2-common/templates/iiab-extra.repo.unused similarity index 99% rename from roles/2-common/templates/iiab-extra.repo rename to roles/2-common/templates/iiab-extra.repo.unused index d8977bb36..8218e57a8 100644 --- a/roles/2-common/templates/iiab-extra.repo +++ b/roles/2-common/templates/iiab-extra.repo.unused @@ -13,4 +13,3 @@ baseurl=http://download.iiab.io/repos/xsce-extra/ enabled=1 metadata_expire=1d gpgcheck=0 - diff --git a/roles/2-common/templates/iiab-testing.repo b/roles/2-common/templates/iiab-testing.repo.unused similarity index 100% rename from roles/2-common/templates/iiab-testing.repo rename to roles/2-common/templates/iiab-testing.repo.unused diff --git a/roles/2-common/templates/iptables-config b/roles/2-common/templates/iptables-config.unused similarity index 100% rename from roles/2-common/templates/iptables-config rename to roles/2-common/templates/iptables-config.unused diff --git a/roles/2-common/templates/iptables b/roles/2-common/templates/iptables.unused similarity index 100% rename from roles/2-common/templates/iptables rename to roles/2-common/templates/iptables.unused diff --git a/roles/2-common/templates/li.nux.ro.repo b/roles/2-common/templates/li.nux.ro.repo.unused similarity index 98% rename from roles/2-common/templates/li.nux.ro.repo rename to roles/2-common/templates/li.nux.ro.repo.unused index 299d01fe5..2e0a28112 100644 --- a/roles/2-common/templates/li.nux.ro.repo 
+++ b/roles/2-common/templates/li.nux.ro.repo.unused @@ -4,5 +4,3 @@ baseurl=http://li.nux.ro/download/nux/dextop/el7/x86_64/ enabled=0 gpgcheck=1 gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro - - diff --git a/roles/2-common/templates/local.repo b/roles/2-common/templates/local.repo.unused similarity index 100% rename from roles/2-common/templates/local.repo rename to roles/2-common/templates/local.repo.unused diff --git a/roles/2-common/templates/rpmfusion-free-updates.repo b/roles/2-common/templates/rpmfusion-free-updates.repo.unused similarity index 99% rename from roles/2-common/templates/rpmfusion-free-updates.repo rename to roles/2-common/templates/rpmfusion-free-updates.repo.unused index 9ac901387..e10a34ab6 100644 --- a/roles/2-common/templates/rpmfusion-free-updates.repo +++ b/roles/2-common/templates/rpmfusion-free-updates.repo.unused @@ -21,4 +21,3 @@ mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-updates-rele enabled=0 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-$releasever - diff --git a/roles/2-common/templates/zzz_iiab.sh b/roles/2-common/templates/zzz_iiab.sh.unused similarity index 100% rename from roles/2-common/templates/zzz_iiab.sh rename to roles/2-common/templates/zzz_iiab.sh.unused diff --git a/roles/3-base-server/README.rst b/roles/3-base-server/README.rst index 2711231eb..e458d7be0 100644 --- a/roles/3-base-server/README.rst +++ b/roles/3-base-server/README.rst @@ -2,7 +2,7 @@ 3-base-server README ==================== -This 3rd stage installs base server infra that Internet-in-a-Box requires, including: +This 3rd `stage `_ installs base server infra that `Internet-in-a-Box (IIAB) `_ requires, including: - `MySQL `_ (database underlying many/most user-facing apps). This IIAB role also installs apt package: - **php{{ php_version }}-mysql** — which forcibly installs **php{{ php_version }}-common** 
@@ -10,6 +10,6 @@ This 3rd stage installs base server infra that Internet-in-a-Box requires, inclu - **php{{ php_version }}-fpm** — which forcibly installs **php{{ php_version }}-cli**, **php{{ php_version }}-common** and **libsodium23** - `www_base `_ (similar to `www_options `_ which runs later in 4-server-options) -Recap: as with 2-common, 4-server-options and 5-xo-services: this 3rd stage installs core server infra, that is not user-facing. +Recap: As with 0-init, 1-prep, 2-common, 4-server-options and 5-xo-services — this 3rd stage installs core server infra (that is not user-facing). The next stage (4-server-options) brings more diverse/optional server infra functionality. diff --git a/roles/3-base-server/tasks/main.yml b/roles/3-base-server/tasks/main.yml index c364ef6b3..5e2e7355d 100644 --- a/roles/3-base-server/tasks/main.yml +++ b/roles/3-base-server/tasks/main.yml @@ -1,7 +1,7 @@ # Base Server - name: ...IS BEGINNING ===================================== - command: echo + meta: noop - name: MYSQL + CORE PHP include_role: diff --git a/roles/4-server-options/README.rst b/roles/4-server-options/README.rst index 61d79f77e..6355f85e7 100644 --- a/roles/4-server-options/README.rst +++ b/roles/4-server-options/README.rst 
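Review bot: Replacing the `...IS BEGINNING` banner task's `command: echo` with `meta: noop` may make the banner disappear from normal runs — the meta module's own documentation describes `noop` as mainly for internal use, and as far as I recall the default callback only prints meta-task results at higher verbosity. If the goal is a visible stage marker without spawning a process, `debug:` is the idiomatic replacement and keeps the output, e.g. `- name: ...IS BEGINNING =====` / `  debug:` / `    msg: 3-base-server`. Worth confirming on a test run, since the same substitution is made in several other stage playbooks in this diff.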
@@ -2,8 +2,18 @@ 4-server-options README ======================= -Whereas 3-base-server installs critical packages needed by all, this 4th stage installs a broad array of *options* -- depending on which server apps will be installed in later stages -- as specified in /etc/iiab/local_vars.yml +Whereas 3-base-server installs critical packages needed by all, this 4th `stage `_ installs a broad array of *options* ⁠— depending on which server apps will be installed in later stages ⁠— as specified in `/etc/iiab/local_vars.yml `_ -This includes some networking fundamentals, before they're configured later on. +This includes more networking fundamentals, that may further be configured later on. -As in the case of 2-common, 3-base-server and 5-xo-services: this stage installs core server infra, that is not user-facing. +Specifically, these might be installed: + +- Python libraries +- SSH daemon +- Bluetooth for Raspberry Pi +- Instant-sharing of `USB stick content `_ +- CUPS Printing +- Samba for Windows filesystems +- `www_options `_ + +Recap: As with 0-init, 1-prep, 2-common, 3-base-server and 5-xo-services ⁠— this 4th stage installs core server infra (that is not user-facing). diff --git a/roles/4-server-options/tasks/main.yml b/roles/4-server-options/tasks/main.yml index fd977cc02..f5bc2f269 100644 --- a/roles/4-server-options/tasks/main.yml +++ b/roles/4-server-options/tasks/main.yml 
@@ -18,23 +18,27 @@ name: pylibs #when: pylibs_install # Flag might be created in future? -# Also run by roles/1-prep/tasks/main.yml as required by OpenVPN. -- name: SSHD +- name: SSHD -- also run by roles/1-prep/tasks/main.yml as required by OpenVPN include_role: name: sshd when: sshd_install + +# UNMAINTAINED - name: Install named / BIND include_tasks: roles/network/tasks/named.yml - when: named_install + when: named_install is defined and named_install +# UNMAINTAINED - name: Install dhcpd include_tasks: roles/network/tasks/dhcpd.yml - when: dhcpd_install + when: dhcpd_install is defined and dhcpd_install -- name: Install Squid (and DansGuardian if dansguardian_install) +# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879 +- name: Install Squid include_tasks: roles/network/tasks/squid.yml - when: squid_install + when: squid_install is defined and squid_install + - name: Install Bluetooth - only on Raspberry Pi include_role: @@ -67,6 +71,7 @@ name: www_options #when: www_options_install # Flag might be created in future? + - name: Recording STAGE 4 HAS COMPLETED ================== lineinfile: path: "{{ iiab_env_file }}" diff --git a/roles/5-xo-services/README.rst b/roles/5-xo-services/README.rst index 1cb725bf7..42c73832c 100644 --- a/roles/5-xo-services/README.rst +++ b/roles/5-xo-services/README.rst @@ -2,6 +2,6 @@ 5-xo-services README ==================== -This 5th stage provides underlying services for One Laptop Per Child's XO laptops. +This 5th `stage `_ provides underlying services for One Laptop Per Child's XO laptops. -As in the case of 2-common, 3-base-server and 4-server-options: this stage installs core server infra, that is not user-facing. +Recap: As with 0-init, 1-prep, 2-common, 3-base-server and 4-server-options — this 5th stage installs core server infra (that is not user-facing). diff --git a/roles/5-xo-services/tasks/main.yml b/roles/5-xo-services/tasks/main.yml index 40f9d2d6e..7ede42d65 100644 
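Review bot: The SSHD include still uses the bare `when: sshd_install` while the named, dhcpd and Squid includes in the same hunk were changed to `when: X is defined and X`; if `sshd_install` is not guaranteed by default_vars.yml, a local_vars.yml that omits it makes this task error instead of skip. For consistency use `when: sshd_install is defined and sshd_install`, or add a one-line comment stating that the flag is always defined by default_vars.yml so the guard is unnecessary. The rest of the stage play lies outside this hunk.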
--- a/roles/5-xo-services/tasks/main.yml +++ b/roles/5-xo-services/tasks/main.yml @@ -1,7 +1,7 @@ # XO Services - name: ...IS BEGINNING ===================================== - command: echo + meta: noop # UNMAINTAINED - name: ACTIVITY-SERVER diff --git a/roles/6-generic-apps/tasks/main.yml b/roles/6-generic-apps/tasks/main.yml index d1bdc56a1..f241095f6 100644 --- a/roles/6-generic-apps/tasks/main.yml +++ b/roles/6-generic-apps/tasks/main.yml @@ -1,9 +1,8 @@ # Generic Apps - name: ...IS BEGINNING ==================================== - command: echo + meta: noop -# UNMAINTAINED - name: AZURACAST include_role: name: azuracast @@ -21,10 +20,11 @@ name: ejabberd when: ejabberd_install is defined and ejabberd_install +# UNMAINTAINED - name: ELGG include_role: name: elgg - when: elgg_install + when: elgg_install is defined and elgg_install - name: GITEA include_role: @@ -61,11 +61,6 @@ name: nextcloud when: nextcloud_install -- name: PBX - include_role: - name: pbx - when: pbx_install - - name: WORDPRESS include_role: name: wordpress diff --git a/roles/7-edu-apps/tasks/main.yml b/roles/7-edu-apps/tasks/main.yml index 726b86447..8f223b1fd 100644 --- a/roles/7-edu-apps/tasks/main.yml +++ b/roles/7-edu-apps/tasks/main.yml @@ -1,7 +1,7 @@ # Educational Apps - name: ...IS BEGINNING ======================================== - command: echo + meta: noop - name: KALITE include_role: diff --git a/roles/8-mgmt-tools/tasks/main.yml b/roles/8-mgmt-tools/tasks/main.yml index 6a9e6d6a4..e75f97e23 100644 --- a/roles/8-mgmt-tools/tasks/main.yml +++ b/roles/8-mgmt-tools/tasks/main.yml @@ -1,7 +1,7 @@ # Administration and Monitoring/Assessment Tools - name: ...IS BEGINNING ====================================== - command: echo + meta: noop - name: TRANSMISSION include_role: diff --git a/roles/9-local-addons/tasks/main.yml b/roles/9-local-addons/tasks/main.yml index 7922c4dac..54420a743 100644 --- a/roles/9-local-addons/tasks/main.yml +++ b/roles/9-local-addons/tasks/main.yml 
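Review bot: Guarding the now-UNMAINTAINED ELGG include with `elgg_install is defined and elgg_install` only skips the role when the flag is absent or false; a deployment that still carries `elgg_install: True` in /etc/iiab/local_vars.yml reaches `include_role: name: elgg`, and if the role has been moved out of the roles/ search path as part of its deprecation, the play stops with a missing-role error rather than a deprecation message. Consider forcing the skip (`when: false`) or replacing the include with a notice, e.g. `- name: ELGG is deprecated` / `  debug: msg: "elgg_install is set but the Elgg role is no longer supported"` / `  when: elgg_install is defined and elgg_install`. The PBX block removed in the last hunk of this file is fine on its own provided it is re-added elsewhere.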
@@ -1,12 +1,7 @@ # Local Add-ons - name: ...IS BEGINNING ==================================== - command: echo - -- name: INTERNETARCHIVE - include_role: - name: internetarchive - when: internetarchive_install + meta: noop # Is porting to Python 3 complete, and if so does this belong elsewhere? - name: CAPTIVE PORTAL @@ -14,21 +9,33 @@ name: captiveportal when: captiveportal_install +- name: INTERNETARCHIVE + include_role: + name: internetarchive + when: internetarchive_install + - name: MINETEST include_role: name: minetest when: minetest_install -# KEEP AT THE END as this installs dependencies from Debian's 'testing' branch! +- name: CALIBRE-WEB + include_role: + name: calibre-web + when: calibreweb_install + +# KEEP NEAR THE VERY END as this installs dependencies from Debian's 'testing' branch! - name: CALIBRE include_role: name: calibre when: calibre_install -- name: CALIBRE-WEB +# Pulls in a large number of devel packages, via asterisk.yml -> 'install_prereq install' +# https://github.com/asterisk/asterisk/blob/master/contrib/scripts/install_prereq#L21-L35 +- name: PBX - Asterisk & FreePBX include_role: - name: calibre-web - when: calibreweb_install + name: pbx + when: pbx_install - name: "2021-06-27 TEMPORARY CODE TO INSTALL 'php-pear' UNTIL ADMIN CONSOLE DECLARES ITS OWN DEPENDENCY FOR: https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19" package: diff --git a/roles/calibre-web/tasks/install.yml b/roles/calibre-web/tasks/install.yml index 7fc422397..0e8a88122 100644 --- a/roles/calibre-web/tasks/install.yml +++ b/roles/calibre-web/tasks/install.yml @@ -1,4 +1,4 @@ -- name: "Install ImageMagick package: imagemagick" +- name: "Install packages: imagemagick, python3-venv" package: name: - imagemagick diff --git a/roles/calibre/tasks/install.yml b/roles/calibre/tasks/install.yml index 764515763..840440583 100644 --- a/roles/calibre/tasks/install.yml +++ b/roles/calibre/tasks/install.yml 
@@ -37,13 +37,13 @@ # 2. SYSTEMD SERVICES -- name: Create /etc/systemd/system/calibre-serve.service and /etc/{{ apache_conf_dir }}/calibre.conf +- name: 'Install from template: /etc/systemd/system/calibre-serve.service' template: src: "{{ item.src }}" dest: "{{ item.dest }}" with_items: - { src: 'calibre-serve.service.j2', dest: '/etc/systemd/system/calibre-serve.service' } - - { src: 'calibre.conf', dest: '/etc/{{ apache_conf_dir }}' } # apache2/sites-available (this doesn't work, see #529: let's try to create /etc/nginx/conf.d/calibre-nginx.conf in future!) + #- { src: 'calibre.conf', dest: '/etc/{{ apache_conf_dir }}' } # apache2/sites-available (this doesn't work, see #529: let's try to create /etc/nginx/conf.d/calibre-nginx.conf in future!) - name: Stop service 'calibre-serve' (/usr/bin/calibre-server by Kovid Goyal) systemd: diff --git a/roles/calibre/templates/calibre.conf b/roles/calibre/templates/calibre.conf.unused similarity index 100% rename from roles/calibre/templates/calibre.conf rename to roles/calibre/templates/calibre.conf.unused diff --git a/roles/captiveportal/tasks/enable-or-disable.yml b/roles/captiveportal/tasks/enable-or-disable.yml index c1b390a6d..0abb05c8a 100644 --- a/roles/captiveportal/tasks/enable-or-disable.yml +++ b/roles/captiveportal/tasks/enable-or-disable.yml @@ -36,8 +36,8 @@ state: absent when: not captiveportal_enabled -- name: Run iiab-divert-to-nginx to generate diversion lists for NGINX - shell: /usr/sbin/iiab-divert-to-nginx +- name: Run /usr/sbin/iiab-divert-to-nginx to generate diversion lists for NGINX + command: /usr/sbin/iiab-divert-to-nginx when: captiveportal_enabled - name: Delete /etc/dnsmasq.d/capture to make sure dnsmasq is not diverting (if not captiveportal_enabled) diff --git a/roles/captiveportal/tasks/install.yml b/roles/captiveportal/tasks/install.yml index 01c1d932a..af022f0e9 100644 --- a/roles/captiveportal/tasks/install.yml +++ b/roles/captiveportal/tasks/install.yml 
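Review bot: Moving /usr/sbin/iiab-divert-to-nginx from `shell:` to `command:` is the right call (no shell interpretation of the invocation), but the task still has no `changed_when` or `creates`, so every run reports `changed` whether or not the diversion lists were actually rewritten. If the script is idempotent, add `changed_when: false`; if it is not, a `creates:` pointing at the list file it generates would make the task idempotent and the change report honest. The enable-or-disable task file continues outside this hunk.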
@@ -43,7 +43,7 @@ - simple.template - mac.template -- name: Run iiab-make-cp-servers.py to generate NGINX servers from /opt/iiab/captiveportal/checkurls input list (creates /etc/nginx/sites-available/capture.conf) +- name: Run /usr/sbin/iiab-make-cp-servers.py to generate NGINX servers from /opt/iiab/captiveportal/checkurls input list (creates /etc/nginx/sites-available/capture.conf) command: /usr/sbin/iiab-make-cp-servers.py args: creates: /etc/nginx/sites-available/capture.conf diff --git a/roles/firmware/tasks/install.yml b/roles/firmware/tasks/install.yml index 94c219d5c..ce7004ea2 100644 --- a/roles/firmware/tasks/install.yml +++ b/roles/firmware/tasks/install.yml @@ -2,19 +2,19 @@ include_tasks: download.yml when: firmware_downloaded is undefined # SEE ALSO firmware_installed below -- name: 'Install from template: check-firmware.service, iiab-check-firmware & fw_warn.sh' +- name: 'Install from template: /usr/bin/iiab-check-firmware, /etc/systemd/system/iiab-check-firmware.service & /etc/profile.d/iiab-firmware-warn.sh' template: src: "{{ item.src }}" dest: "{{ item.dest }}" mode: "{{ item.mode }}" with_items: - - { src: 'check-firmware.service', dest: '/etc/systemd/system/', mode: '0644' } - - { src: 'iiab-check-firmware', dest: '/usr/sbin/', mode: '0755' } - - { src: 'fw_warn.sh', dest: '/etc/profile.d/', mode: '0644' } + - { src: 'iiab-check-firmware', dest: '/usr/bin/', mode: '0755' } + - { src: 'iiab-check-firmware.service', dest: '/etc/systemd/system/', mode: '0644' } + - { src: 'iiab-firmware-warn.sh', dest: '/etc/profile.d/', mode: '0644' } -- name: Enable & (Re)Start check-firmware.service (also runs on each boot) +- name: Enable & (Re)Start iiab-check-firmware.service (also runs on each boot) systemd: - name: check-firmware.service + name: iiab-check-firmware.service daemon_reload: yes state: restarted enabled: yes 
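Review bot: The three templates set `mode` but no `owner`/`group`: /etc/profile.d/iiab-firmware-warn.sh is sourced by every login shell and /usr/bin/iiab-check-firmware is executed by the oneshot unit, so both should be explicitly root-owned rather than inheriting the identity of whoever ran the playbook. Adding `owner: root` and `group: root` beside `mode: "{{ item.mode }}"` enforces and documents that. Note also that `state: restarted` re-runs the firmware check on every Ansible run; if that is intended, a short comment saying so would help, since the unit already runs at each boot.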
diff --git a/roles/firmware/templates/iiab-check-firmware b/roles/firmware/templates/iiab-check-firmware index 951d143e6..94c690314 100644 --- a/roles/firmware/templates/iiab-check-firmware +++ b/roles/firmware/templates/iiab-check-firmware @@ -3,7 +3,14 @@ WARN=0 DATE=$(date +%F-%T) -if grep -q '^wifi_hotspot_capacity_rpi_fix: False' /etc/iiab/local_vars.yml ; then +# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml +# https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97 +# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L13 +# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52 +# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34 +# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN + +if grep -q '^wifi_hotspot_capacity_rpi_fix:\s\+[fF]alse\b' /etc/iiab/local_vars.yml ; then echo "'wifi_hotspot_capacity_rpi_fix: False' found in /etc/iiab/local_vars.yml" echo "...so WiFi firmware will NOT be checked or replaced." diff --git a/roles/firmware/templates/check-firmware.service b/roles/firmware/templates/iiab-check-firmware.service similarity index 59% rename from roles/firmware/templates/check-firmware.service rename to roles/firmware/templates/iiab-check-firmware.service index 43c7adf8c..bebf5a43d 100644 --- a/roles/firmware/templates/check-firmware.service +++ b/roles/firmware/templates/iiab-check-firmware.service @@ -1,11 +1,10 @@ [Unit] Description=Check Firmware service -Before=clone-wifi.service +Before=iiab-clone-wifi.service [Service] Type=oneshot -ExecStart=/usr/sbin/iiab-check-firmware +ExecStart=/usr/bin/iiab-check-firmware [Install] WantedBy=multi-user.target - 
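Review bot: The new pattern `'^wifi_hotspot_capacity_rpi_fix:\s\+[fF]alse\b'` accepts `False`/`false` but still misses other spellings Ansible's YAML loader treats as false — `FALSE`, `no`, `No`, `off`, `Off` — so a local_vars.yml using any of those is silently ignored by this script and the firmware is still replaced. A case-insensitive alternation such as `grep -qiE '^wifi_hotspot_capacity_rpi_fix:\s+(false|no|off)\s*(#.*)?$'` covers the YAML 1.1 booleans; the echo on the following line should then stop asserting that the literal `False` was found. The `\s`, `\+` and `\b` escapes are GNU grep extensions, fine on the targeted distros but worth a one-line comment for anyone porting the script.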
diff --git a/roles/firmware/templates/fw_warn.sh b/roles/firmware/templates/iiab-firmware-warn.sh similarity index 100% rename from roles/firmware/templates/fw_warn.sh rename to roles/firmware/templates/iiab-firmware-warn.sh diff --git a/roles/gitea/tasks/install.yml b/roles/gitea/tasks/install.yml index e5bfc9b1e..fb0c5966a 100644 --- a/roles/gitea/tasks/install.yml +++ b/roles/gitea/tasks/install.yml @@ -6,12 +6,12 @@ state: stopped ignore_errors: yes -- name: Ensure group gitea exists +- name: Ensure group 'gitea' exists group: name: gitea state: present -- name: Create user gitea +- name: Create user 'gitea' user: name: gitea comment: Gitea daemon account @@ -26,7 +26,7 @@ group: gitea with_items: "{{ gitea_subdirectories }}" -- name: Make directories data, indexers, and log writable +- name: Make directories data, indexers, and log writable (0750) file: path: "{{ gitea_root_directory }}/{{ item }}" # /library/gitea mode: '0750' @@ -98,7 +98,7 @@ # 4. Create systemd service & prepare NGINX for http://box/gitea -- name: "Install from template: /etc/systemd/system/gitea.service" +- name: "Install from template: /etc/systemd/system/gitea.service (by default 0644)" template: src: gitea.service.j2 dest: /etc/systemd/system/gitea.service diff --git a/roles/iiab-admin/tasks/admin-user.yml b/roles/iiab-admin/tasks/admin-user.yml index e19ea8e7d..c61ca57c5 100644 --- a/roles/iiab-admin/tasks/admin-user.yml +++ b/roles/iiab-admin/tasks/admin-user.yml 
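Review bot: The task name now promises `(by default 0644)` for /etc/systemd/system/gitea.service, but the template task sets no `mode`, so the resulting permissions come from the umask of the Ansible process on the target and are not guaranteed. If 0644 is the contract, enforce it with `mode: '0644'` (quoted, to avoid the YAML octal trap) instead of documenting an assumption in the task name. The directory task earlier in this file does set `mode: '0750'` explicitly, so this would also make the two consistent.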
@@ -14,7 +14,7 @@ name: "{{ admin_console_group }}" state: present -- name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-* and /usr/sbin/iiab-*) at the command-line +- name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-*) at the command-line user: name: "{{ iiab_admin_user }}" #group: "{{ iiab_admin_user }}" # Not nec. Anyway this happens during account creation b/c 'USERGROUPS_ENAB yes' is set in any modern /etc/login.defs @@ -34,7 +34,7 @@ # sudo-prereqs.yml needs to have been run! -- name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo +- name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands in /usr/bin like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo #command: "gpasswd -a {{ iiab_admin_user | quote }} sudo" user: name: "{{ iiab_admin_user }}" diff --git a/roles/iiab-admin/tasks/sudo-prereqs.yml b/roles/iiab-admin/tasks/sudo-prereqs.yml index 66c790d0a..1b608fef1 100644 --- a/roles/iiab-admin/tasks/sudo-prereqs.yml +++ b/roles/iiab-admin/tasks/sudo-prereqs.yml @@ -1,7 +1,6 @@ -# roles/2-common/tasks/packages.yml also installed sudo, but that's too late - name: 'Install package: sudo' package: - name: sudo + name: sudo # (1) Should be installed prior to installing IIAB, (2) Can also be installed by roles/1-prep's roles/openvpn/tasks/install.yml, (3) Is definitely installed by 1-prep here, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!) - name: Temporarily make file /etc/sudoers editable (0640) file: 
diff --git a/roles/internetarchive/tasks/apache.yml b/roles/internetarchive/tasks/apache.yml.unused similarity index 100% rename from roles/internetarchive/tasks/apache.yml rename to roles/internetarchive/tasks/apache.yml.unused diff --git a/roles/internetarchive/tasks/install.yml b/roles/internetarchive/tasks/install.yml index 689851636..c7df0e689 100644 --- a/roles/internetarchive/tasks/install.yml +++ b/roles/internetarchive/tasks/install.yml @@ -62,12 +62,6 @@ src: internetarchive.service.j2 dest: /etc/systemd/system/internetarchive.service -- name: "Install from template: /etc/{{ apache_conf_dir }}/internetarchive.conf" - template: - src: internetarchive.conf - dest: "/etc/{{ apache_conf_dir }}/internetarchive.conf" # apache2/sites-available - when: apache_installed is defined - # 4. RECORD Internet Archive AS INSTALLED diff --git a/roles/internetarchive/tasks/main.yml b/roles/internetarchive/tasks/main.yml index 9bd1c6ae2..830211ddd 100644 --- a/roles/internetarchive/tasks/main.yml +++ b/roles/internetarchive/tasks/main.yml @@ -68,13 +68,13 @@ state: stopped when: not internetarchive_enabled -- name: Enable/Disable/Restart Apache if primary - include_tasks: apache.yml - when: apache_installed is defined and not nginx_enabled +# - name: Enable/Disable/Restart Apache if primary +# include_tasks: apache.yml +# when: apache_installed is defined and not nginx_enabled - name: Enable/Disable/Restart NGINX if primary include_tasks: nginx.yml - when: nginx_enabled + #when: nginx_enabled - name: Add 'internetarchive' variable values to {{ iiab_ini_file }} diff --git a/roles/internetarchive/templates/internetarchive.conf b/roles/internetarchive/templates/internetarchive.conf.unused similarity index 100% rename from roles/internetarchive/templates/internetarchive.conf rename to roles/internetarchive/templates/internetarchive.conf.unused diff --git a/roles/jupyterhub/README.md b/roles/jupyterhub/README.md index 357d4a156..8294671b6 100644 --- a/roles/jupyterhub/README.md 
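Review bot: Commenting out `when: nginx_enabled` makes `include_tasks: nginx.yml` unconditional while the task is still named "Enable/Disable/Restart NGINX if primary"; on a box where NGINX is disabled or absent the included tasks will presumably try to write and reload NGINX configuration and fail. If NGINX is now mandatory in IIAB, rename the task and delete the dead Apache block rather than leaving both as comments; otherwise restore a guard, e.g. `when: nginx_enabled | default(true)`. The role's main task file continues outside this hunk.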
+++ b/roles/jupyterhub/README.md 
@@ -1,10 +1,38 @@ ## JupyterHub programming environment with student Notebooks -#### High Schools may want to consider JupyterHub to integrate coding with dynamic interactive graphing — A New Way to Think About Programming — allowing students to integrate science experiment results and program output within their notebook/document/blog: +#### Secondary schools may want to consider JupyterHub to integrate coding with dynamic interactive graphing — A New Way to Think About Programming — allowing students to integrate science experiment results and program output within their own blog-like "Jupyter Notebooks." -* Jupyter Notebooks are widely used in the scientific community. -* This IIAB package permits individual users to start using their own notebook on the server (http://box.lan/jupyterhub) without needing an individual server account. -* Once a user signs in with a username and password, these credentials are stored, and are used thereafter to gain access to the user's files. -* Individual folders are created for all student work in the path `/var/lib/protected/` — individual students will only be able to see their own work in that directory. -* Students will not have any privileges outside of their own folder. -* They may upload Jupyter Notebooks from a local machine, and download the current state of their work via a normal browser download. +* Jupyter Notebooks are widely used in the scientific community: + * [Intitutional FAQ](https://jupyterhub.readthedocs.io/en/stable/getting-started/institutional-faq.html) + * [Getting Started](https://jupyterhub.readthedocs.io/en/stable/getting-started/) +* Students create their own accounts on first use — e.g. at http://box.lan/jupyterhub — just as if they're logging in regularly (unfortunately the login screen doesn't make that clear, but the teacher _does not_ need to be involved!) + * A student can then sign in with their username and password, to gain access to their files (Jupyter Notebooks). 
+ * The teacher should set and protect JupyterHub's overall ``Admin`` password, just in case. As with student accounts, the login screen doesn't make that clear — so just log in with username `Admin` using any password that you want to become permanent. +* Individual student folders are created in ``/var/lib/private/`` on the Internet-in-a-Box (IIAB) server: + * A student will only be able to see their own work — they do not have privileges outside of their own folder. + * Students may upload Jupyter Notebooks to the IIAB server, and download the current state of their work via a normal browser. + +### Settings + +Linux administrators please see `/opt/iiab/jupyterhub/etc/jupyterhub/jupyterhub_config.py` which originates from: + +https://github.com/iiab/iiab/blob/master/roles/jupyterhub/templates/jupyterhub_config.py + +Note that `/opt/iiab/jupyterhub` is a Python 3 virtual environment, that can be activated with the usual formula: + +``` +source /opt/iiab/jupyterhub/bin/activate +``` + +### PAWS/Jupyter Notebooks for Python Beginners + +While PAWS is a little bit off topic, if you have an interest in Wikipedia, please do see this 23m 42s video ["Intro to PAWS/Jupyter notebooks for Python beginners"](https://www.youtube.com/watch?v=AUZkioRI-aA&list=PLeoTcBlDanyNQXBqI1rVXUqUTSSiuSIXN&index=8) by Chico Venancio, from 2021-06-01. + +He explains PAWS as a "powerful Python execution environment http://paws.wmcloud.org [allowing] ordinary folks to write interactive scripts to work with Wikimedia content." + +### Known Issues + +* 2021-08-07: The page that allows you to reset/change your own password is not accessible. Likewise Admin users cannot reset/change the password of any _individual_ user at this time. [#2918](https://github.com/iiab/iiab/pull/2918) + * If necessary, a Linux administrator can delete the `/passwords.dbm.db` file at the very top of your Linux filesystem, allowing all JupyterHub users to (re)create new passwords. 
This does work, but is very heavy-handed. [PR #2892](https://github.com/iiab/iiab/pull/2892#issuecomment-890551682) +* 2021-08-07: Teachers (i.e. Admin users) cannot currently access the very helpful "administrator's page" discussed at [JupyterHub FAQ >> "How do I manage users?"](https://jupyterhub.readthedocs.io/en/stable/getting-started/institutional-faq.html#how-do-i-manage-users) and [roles/jupyterhub/templates/jupyterhub_config.py#L1049-L1054 >> "Admin users have extra privileges"](https://github.com/iiab/iiab/blob/d0e8e048347bf46c02a2cdb0da9c5cd0c489fe40/roles/jupyterhub/templates/jupyterhub_config.py#L1049-L1054). [#2919](https://github.com/iiab/iiab/pull/2919) +* 2021-08-08: Password [dbm file](https://github.com/jupyterhub/firstuseauthenticator#firstuseauthenticatordbm_path) `/passwords.dbm.db` should be moved from the top of the filesystem to a better place — e.g. to `/opt/iiab/jupyterhub/etc/` ? [PR #2892](https://github.com/iiab/iiab/pull/2892#issuecomment-890579789) diff --git a/roles/jupyterhub/tasks/enable-or-disable.yml b/roles/jupyterhub/tasks/enable-or-disable.yml index 8aa7c0e57..b8a504589 100644 --- a/roles/jupyterhub/tasks/enable-or-disable.yml +++ b/roles/jupyterhub/tasks/enable-or-disable.yml @@ -1,17 +1,14 @@ -- name: systemd daemon-reload - systemd: - daemon_reload: yes - - - name: Enable & Restart jupyterhub.service systemd: + daemon_reload: yes name: jupyterhub enabled: yes state: restarted when: jupyterhub_enabled -- name: Disable jupyterhub.service +- name: Disable & Stop jupyterhub.service systemd: + daemon_reload: yes name: jupyterhub enabled: no state: stopped diff --git a/roles/jupyterhub/tasks/install.yml b/roles/jupyterhub/tasks/install.yml index 948c5f453..1f71ba454 100644 --- a/roles/jupyterhub/tasks/install.yml +++ b/roles/jupyterhub/tasks/install.yml 
@@ -13,22 +13,27 @@ when: nodejs_installed is undefined -- name: Make the directories to hold JupyterHub config +- name: "Install package: python3-venv" + package: + name: python3-venv + state: present + +- name: Make 3 directories to hold JupyterHub config file: state: directory path: "{{ item }}" with_items: - - "{{ jupyterhub_venv }}/etc/jupyter" + - "{{ jupyterhub_venv }}/etc/jupyter" # /opt/iiab/jupyterhub - "{{ jupyterhub_venv }}/etc/jupyterhub" - "{{ jupyterhub_venv }}/etc/systemd" -- name: Use npm to install configurable-http-proxy +- name: Use npm to install 'configurable-http-proxy' npm: name: configurable-http-proxy global: yes state: latest -- name: "Use pip to install into a virtual environment: {{ jupyterhub_venv }} (~229 MB)" +- name: "pip install 7 packages into virtual environment: {{ jupyterhub_venv }} (~229 MB)" pip: name: - pip @@ -40,8 +45,8 @@ - jupyterhub-systemdspawner virtualenv: "{{ jupyterhub_venv }}" # /opt/iiab/jupyterhub virtualenv_site_packages: no - virtualenv_command: /usr/bin/virtualenv - virtualenv_python: python3 + virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}" # 2021-07-29: This works on RaspiOS 10, Debian 11, Ubuntu 20.04 and Mint 20 -- however if you absolutely must use the older Debian 10 -- you can work around errors "can't find Rust compiler" and "This package requires Rust >=1.41.0" if you (1) revert this line to 'virtualenv_command: virtualenv' AND (2) uncomment the line just below + #virtualenv_python: python3 # 2021-07-29: Was needed when above line was 'virtualenv_command: virtualenv' (generally for Python 2) extra_args: "--no-cache-dir" when: internet_available diff --git a/roles/jupyterhub/templates/jupyterhub_config.py b/roles/jupyterhub/templates/jupyterhub_config.py index d78f82f80..ee9a6a3f6 100644 --- a/roles/jupyterhub/templates/jupyterhub_config.py +++ b/roles/jupyterhub/templates/jupyterhub_config.py 
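Review bot: `virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"` bakes the target directory into the command, but as far as I recall the pip module already appends the `virtualenv:` path to `virtualenv_command`, so the directory ends up passed twice (`python3 -m venv /opt/iiab/jupyterhub /opt/iiab/jupyterhub`); it works only because venv accepts several targets, and `virtualenv_command: python3 -m venv` is the intended form. Separately, `npm ... state: latest` and the unpinned pip list in this file mean the installed versions differ from run to run, which makes the deployment hard to audit; pinning configurable-http-proxy and the pip packages would make the install reproducible.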
@@ -64,7 +64,7 @@ # # Users should be properly informed if this is enabled. # Default: False -# c.JupyterHub.admin_access = False +c.JupyterHub.admin_access = True ## DEPRECATED since version 0.7.2, use Authenticator.admin_users instead. # Default: set() @@ -1057,7 +1057,7 @@ c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner' # # Defaults to an empty set, in which case no user has admin access. # Default: set() -c.Authenticator.admin_users = set('iiab-admin') +c.Authenticator.admin_users = set('Admin') ## Set of usernames that are allowed to log in. # diff --git a/roles/kalite/tasks/install.yml b/roles/kalite/tasks/install.yml index a03208fd2..df85a2140 100644 --- a/roles/kalite/tasks/install.yml +++ b/roles/kalite/tasks/install.yml @@ -11,13 +11,14 @@ # ignore_errors: yes # when: is_raspbian -- name: Install python2, if Raspbian/Debian > 10 or Ubuntu > 19 +- name: 'Install packages: python2, python-setuptools, virtualenv (for Python 2)' package: name: - python2 - - python-setuptools # provides setuptools-44 last version compatible with python2 + - python-setuptools # Provides setuptools-44 on recent OS's (last version compatible with python2) + - virtualenv # For Ansible module 'pip' when used with 'virtualenv_command: /usr/bin/virtualenv' and 'virtualenv_python: python2.7' -- compare package 'python3-venv' used by roles {calibre-web, jupyterhub, lokole} state: present - when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19) + #when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19) # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already. - name: Use pip to pin setuptools to 44 in {{ kalite_venv }} if Raspbian/Debian > 10 or Ubuntu > 19 
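Review bot: `c.Authenticator.admin_users = set('Admin')` does not yield `{'Admin'}` — `set()` over a string gives the set of its characters, `{'A', 'd', 'm', 'i', 'n'}` — so the `Admin` account is not an admin, while single-letter usernames such as `a`, `d`, `i`, `m`, `n` could be (JupyterHub lowercases usernames by default; whether that normalisation is applied to this set I have not confirmed); the replaced `set('iiab-admin')` had the same bug, which plausibly explains the admin page being unreachable. Fix: `c.Authenticator.admin_users = {'Admin'}`. Be aware that with `c.JupyterHub.admin_access = True` an admin can open every student's server, and because the first-use authenticator this deployment relies on sets a password at first login, whoever logs in as `Admin` first claims that access — the admin password should be set at install time (or the account pre-created) rather than left to the first visitor.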
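Review bot: Dropping the OS guard makes the `python2` / `python-setuptools` / `virtualenv` install unconditional, yet the commented-out `when:` shows it existed because older releases (Debian 9/10, Ubuntu 16–19) may lack a `python2` package or ship a different setuptools, so on such hosts the package task now fails hard instead of being skipped. If those releases are no longer supported, say so in a one-line comment and delete the stale commented condition; otherwise keep the guard. The setuptools-pin task that follows still says "if Raspbian/Debian > 10 or Ubuntu > 19" in its name, which no longer matches an unconditional install.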
@@ -53,11 +54,11 @@ # Useless stanza, for 2 reasons: (1) http://box/kalite was never made to work # (2) /etc/apache2/sites-available does not exist on many IIAB's w/o Apache -- name: "Install from template: /etc/{{ apache_conf_dir }}/kalite.conf (useless, as http://box/kalite was never made to work)" - template: - src: kalite.conf - dest: "/etc/{{ apache_conf_dir }}" # apache2/sites-available on debuntu - when: apache_installed is defined +# - name: "Install from template: /etc/{{ apache_conf_dir }}/kalite.conf (useless, as http://box/kalite was never made to work)" +# template: +# src: kalite.conf +# dest: "/etc/{{ apache_conf_dir }}" # apache2/sites-available on debuntu +# when: apache_installed is defined - name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes, if Raspbian/Debian > 10 or Ubuntu > 19 replace: @@ -89,6 +90,8 @@ poll: 10 +# RECORD KA Lite AS INSTALLED + - name: "Set 'kalite_installed: True'" set_fact: kalite_installed: True diff --git a/roles/moodle/tasks/install.yml b/roles/moodle/tasks/install.yml index 66dd5cb74..8e4f7c584 100644 --- a/roles/moodle/tasks/install.yml +++ b/roles/moodle/tasks/install.yml 
@@ -106,7 +106,7 @@ dest: "{{ moodle_base }}" mode: 0755 -- name: Execute {{ moodle_base }}/moodle_installer IF {{ moodle_base }}/config.php doesn't yet exist -- REQUIRES 'max_input_vars = 5000' (or higher) in /etc/php/{{ php_version }}/cli/php.ini with PHP 8+ (as set up by www_options/tasks/main.yml) -- WHEREAS LATER Moodle uses /etc/php/{{ php_version }}/fpm/php.ini during regular operation +- name: Execute {{ moodle_base }}/moodle_installer IF {{ moodle_base }}/config.php doesn't yet exist -- REQUIRES 'max_input_vars = 5000' (or higher) in /etc/php/{{ php_version }}/cli/php.ini IF PHP 8+ (as set up by www_options/tasks/main.yml) -- WHEREAS LATER Moodle uses /etc/php/{{ php_version }}/fpm/php.ini during regular operation shell: "{{ moodle_base }}/moodle_installer" args: creates: "{{ moodle_base }}/config.php" diff --git a/roles/munin/tasks/install.yml b/roles/munin/tasks/install.yml index c04aa97b4..7d439ff5a 100644 --- a/roles/munin/tasks/install.yml +++ b/roles/munin/tasks/install.yml @@ -1,21 +1,14 @@ -- name: "Install 5 packages: munin, munin-node, munin-plugins-extra, libcgi-fast-perl" +- name: "Install 5 packages: libcgi-fast-perl, munin, munin-node, munin-plugins-extra, python3-passlib" package: name: + #- libapache2-mod-fcgid + - libcgi-fast-perl - munin - munin-node - munin-plugins-extra - - libcgi-fast-perl - #- libapache2-mod-fcgid + - python3-passlib # For Ansible module 'htpasswd' in Ansible collection community.general -- used just below state: present -# - name: "Install 2 packages: munin, munin-node (OS's other than debuntu)" -# package: -# name: -# - munin -# - munin-node -# state: present -# when: not is_debuntu - - name: Establish username/password Admin/changeme in /etc/munin/munin-htpasswd htpasswd: path: /etc/munin/munin-htpasswd diff --git a/roles/mysql/tasks/centos.yml b/roles/mysql/tasks/centos.yml.unused similarity index 100% rename from roles/mysql/tasks/centos.yml rename to roles/mysql/tasks/centos.yml.unused 
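Review bot: The task that follows this hunk still seeds `/etc/munin/munin-htpasswd` with the well-known `Admin/changeme` pair, and adding `python3-passlib` makes that default credential install more reliably, not less. The htpasswd stanza continues past the end of the hunk, so I cannot see whether it sets a password variable or a file mode; at minimum the name should steer operators to change it, e.g. `# CHANGE THIS: Admin/changeme is public knowledge -- override via a variable, or run 'htpasswd /etc/munin/munin-htpasswd Admin' after install`. Give the file `mode: '0640'`, owned by root and the web-server group, so the hash is not world-readable, and consider `crypt_scheme: bcrypt` if a bcrypt backend is available, since the module's default is apr_md5_crypt as far as I recall.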
diff --git a/roles/mysql/tasks/fedora.yml b/roles/mysql/tasks/fedora.yml.unused
similarity index 100%
rename from roles/mysql/tasks/fedora.yml
rename to roles/mysql/tasks/fedora.yml.unused
diff --git a/roles/mysql/tasks/install.yml b/roles/mysql/tasks/install.yml
index 30ed53f54..ceff65c66 100644
--- a/roles/mysql/tasks/install.yml
+++ b/roles/mysql/tasks/install.yml
@@ -1,113 +1,31 @@ -# Stanzas as of 2020-05-21: -# -# - 1 base install -# - 6 double timeout for slow CPUs -# - 7 DB config -# - 2 record as installed - -- name: 'Install MySQL packages: mariadb-server, mariadb-client, php{{ php_version }}-mysql' +- name: 'Install MySQL packages: mariadb-server, mariadb-client, php{{ php_version }}-mysql, python3-pymysql' package: name: - mariadb-server - mariadb-client #- php{{ php_version }}-common # Auto-installed as an apt dependency. REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml - - php{{ php_version }}-mysql # Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml + - php{{ php_version }}-mysql # Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx.yml, wordpress/tasks/install.yml + - python3-pymysql # For Ansible modules {mysql_db, mysql_user} in Ansible collection community.mysql -- used in MySQL roles {mediawiki, nextcloud, wordpress} and possibly {elgg, pbx} state: present -# 2020-07-11: -# 10 PHP package installs moved to roles/www_base/tasks/main.yml +# 2020-07-11: 10 PHP package installs moved to roles/www_base/tasks/main.yml # php{{ php_version }}-sqlite3 install moved to roles/osm-vector-maps/tasks/install.yml -# - name: "Install packages: mysql, MySQL-python and 9 php packages (OS's other than debuntu)" -# package: -# name: -# - MySQL-python -# - mysql -# - php -# - php-mysql -# - php-pear -# - php-gd -# - php-imap -# - php-ldap -# - php-odbc -# - php-xml -# - php-xmlrpc -# state: present -# when: not is_debuntu -# -# - include_tasks: centos.yml -# when: ansible_distribution == "CentOS" -# -# - include_tasks: fedora.yml -# when: ansible_distribution == "Fedora" - - -# 2019-07-03 @jvonau @holta: the next 50 lines (6 stanzas) double MariaDB's -# default boot timeout (90s to 180s) for slow CPUs like this Ubuntu 18.04.2 VM: -# 
https://github.com/iiab/iiab/issues/1802 +# 2021-08-11: 50 lines (6 stanzas) removed, that had been doubling MariaDB's +# default boot timeout (90s to 180s) since 2019-07-03, for slow CPUs like this +# Ubuntu 18.04.2 VM: https://github.com/iiab/iiab/issues/1802 -> PR #1813 # https://mariadb.com/kb/en/library/what-to-do-if-mariadb-doesnt-start/#systemd - -- name: Check if /lib/systemd/system/mariadb.service exists - stat: - path: /lib/systemd/system/mariadb.service - register: mariadb_unit_file - -- name: Copy pkg's /lib/systemd/system/mariadb.service to /etc/systemd/system/ to be customized (CREATES TIMESTAMPED BACKUPS OF /etc/systemd/system/mariadb.service e.g. IF OPERATOR CUSTOMIZED IT, EVEN DESPITE WARNING BELOW!) - copy: - force: yes - backup: yes - src: /lib/systemd/system/mariadb.service - dest: /etc/systemd/system/ - when: mariadb_unit_file.stat.exists - -- name: Symlink /etc/systemd/system/mysql.service -> /etc/systemd/system/mariadb.service - file: - state: link - force: yes - src: /etc/systemd/system/mariadb.service - path: /etc/systemd/system/mysql.service - when: mariadb_unit_file.stat.exists - -- name: Symlink /etc/systemd/system/mysqld.service -> /etc/systemd/system/mariadb.service - file: - state: link - force: yes - src: /etc/systemd/system/mariadb.service - path: /etc/systemd/system/mysqld.service - when: mariadb_unit_file.stat.exists - -- name: "WARN OPERATOR: Changes made to /etc/systemd/system/mariadb.service WILL BE LOST whenever 'mysql' playbook is run" - lineinfile: - path: /etc/systemd/system/mariadb.service - insertbefore: BOF # Beginning of file - line: "# WARNING: CHANGES TO THIS FILE WILL BE REGULARLY *OVERWRITTEN* BY:\n# /opt/iiab/iiab/roles/mysql/tasks/main.yml\n" - when: mariadb_unit_file.stat.exists - -- name: Set systemd boot timeout to 180 seconds for slow machines, in /etc/systemd/system/mariadb.service - lineinfile: - path: /etc/systemd/system/mariadb.service - insertafter: '^\[Service\]$' - regexp: "^TimeoutStartSec=" - line: 
"\n# 2019-07-03: @jvonau @holta doubled MariaDB's default boot timeout, from\n# 90 seconds to 180 seconds, for slow machines like this Ubuntu 18.04.2 VM:\n# https://github.com/iiab/iiab/issues/1802\n# https://mariadb.com/kb/en/library/what-to-do-if-mariadb-doesnt-start/#systemd\nTimeoutStartSec=180\n" - # If the line above were to be run repeatedly (never happens here!) Ansible - # would pollute MariaDB's systemd unit file. As multi-line regexp's are - # not allowed (both regexp's should match, for idempotency). If nec, use - # the 1-liner below, or Ansible's 'blockinfile' which pollutes config files - # in its own way...surrounding blocks with marker lines. - # line: "TimeoutStartSec=180" - when: mariadb_unit_file.stat.exists - - -# 7 STANZAS BELOW...could later be put into setup.yml or config.yml or or provision.yml ? +# OS's have finally caught up - default timeout is now 900 seconds: +# https://github.com/iiab/iiab/pull/2936 # Name of MySQL service varies by OS, so hardcoded in /opt/iiab/iiab/vars/.yml (formerly in roles/0-init/tasks/main.yml) -- name: Start MySQL systemd service ({{ mysql_service }}) to permit configuration +- name: Restart MySQL systemd service ({{ mysql_service }}) to permit configuration systemd: - name: "{{ mysql_service }}" daemon_reload: yes + name: "{{ mysql_service }}" state: restarted -- name: Install /root/.my.cnf file from template, with root password credentials +- name: "Install /root/.my.cnf file from template -- used to contain root password credential, prior to 2020-08-24: https://github.com/iiab/iiab/pull/2488" template: src: my.cnf.j2 dest: /root/.my.cnf diff --git a/roles/network/README.rst b/roles/network/README.rst index 89b446b89..cbe01f450 100644 --- a/roles/network/README.rst +++ b/roles/network/README.rst 
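Review bot: The renamed task says `/root/.my.cnf` no longer carries the root password, yet the file is still rendered into root's home and the hunk shows no `mode:` — the stanza continues past the hunk, so it may be set there; if it is not, add `mode: '0600'` so whatever `my.cnf.j2` renders, and any credential an operator later pastes in by hand, is never readable by other local accounts. The comment on `python3-pymysql` names the roles that use `mysql_db`/`mysql_user`; since those modules fall back to this file for root authentication, a one-line note on how root auth now works (unix socket, presumably) would save the next reader a trip to PR #2488. Also, `state: restarted` with `daemon_reload: yes` bounces MariaDB on every play run even when nothing changed — pre-existing, but a `notify`/handler would avoid the outage window.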
@@ -2,13 +2,13 @@ Network README ============== -This is run by `Ansible `_ after it has installed the core (`Stages 0-to-9 `_) of `Internet-in-a-Box (IIAB) `_ and its apps/services. +This is run by `Ansible `_ after it has installed the core (`Stages 0-to-9 `_) of `Internet-in-a-Box (IIAB) `_ and its apps/services. Specifically, this 'network' role is run... - ...automatically during IIAB installation, after `/opt/iiab/iiab/iiab-install <../../iiab-install>`_ has run `Stages 0-to-9 <..>`_ (thanks to `iiab-stages.yml <../../iiab-stages.yml>`_). -- ...automatically by IIAB's Admin Console (http://box/admin) if you click ``Configure`` menu -> ``Install Configured Options`` — this is similar to the above, but only runs Stage 0, then Stage 4-to-9, and then finally this 'network' role/stage (thanks to `iiab-from-console.yml <../../iiab-from-console.yml>`_). -- ...or manually, if you run ``cd /opt/iiab/iiab`` then `./iiab-network <../../iiab-network>`_ (which is much the same as running ``./runrole network``). +- ...automatically by IIAB's **Admin Console** (http://box/admin) if you click **Configure** -> **Install Configured Options** — this is similar to the above, but only runs Stage 0, then Stage 4-to-9, and then finally this 'network' role/stage (thanks to `iiab-from-console.yml <../../iiab-from-console.yml>`_). +- ...or manually, if you run ``cd /opt/iiab/iiab`` then `sudo ./iiab-network <../../iiab-network>`_ (which is much the same as running ``sudo ./runrole network``). Many IIAB networking questions can be answered in these 2 documents: diff --git a/roles/network/defaults/main.yml b/roles/network/defaults/main.yml index 93e416cad..f647af6ec 100644 --- a/roles/network/defaults/main.yml +++ b/roles/network/defaults/main.yml 
@@ -85,8 +85,8 @@ systemd_networkd_active: False # The values here are default local variables gui_wan_iface: unset gui_static_wan_ip: unset -wondershaper_dspeed: 4096 -wondershaper_upspeed: 1024 +# wondershaper_dspeed: 4096 +# wondershaper_upspeed: 1024 # netplan fix_dispatcher: True diff --git a/roles/network/tasks/computed_network.yml b/roles/network/tasks/computed_network.yml index 94f70833b..730274380 100644 --- a/roles/network/tasks/computed_network.yml +++ b/roles/network/tasks/computed_network.yml @@ -1,15 +1,18 @@ # just lie about active gateway present on XOs to suppress ifcfg-WAN # auto-creation/moving with XOs using NM/system-connections/ via keyfile. # ifcfg-rh acts on /etc/sys*/net*/ifcfg-* where we search for devices. -- name: Setting XO has WiFi gateway - set_fact: - user_wan_iface: "{{ discovered_wan_iface }}" - when: not (discovered_wan_iface == "none") and not (xo_model == "none") and has_ifcfg_gw == "none" -- name: XO laptop wants USB WiFi interface as AP mode - set_fact: - iiab_wireless_lan_iface: "{{ discovered_lan_iface }}" - when: num_wifi_interfaces >= "2" and not (xo_model == "none") and not (discovered_wan_iface == "none") and discovered_wireless_iface == "eth0" +# 2021-07-30: Var 'xo_model' is being deprecated +#- name: Setting XO has WiFi gateway +# set_fact: +# user_wan_iface: "{{ discovered_wan_iface }}" +# when: not (discovered_wan_iface == "none") and not (xo_model == "none") and has_ifcfg_gw == "none" + +# 2021-07-30: Var 'xo_model' is being deprecated +#- name: XO laptop wants USB WiFi interface as AP mode +# set_fact: +# iiab_wireless_lan_iface: "{{ discovered_lan_iface }}" +# when: num_wifi_interfaces >= "2" and not (xo_model == "none") and not (discovered_wan_iface == "none") and discovered_wireless_iface == "eth0" # static backout suppy new template file - name: gui-static-wan 
@@ -150,7 +153,7 @@ - name: Add 'computed_network' variable values to {{ iiab_ini_file }} ini_file: - dest: "{{ iiab_ini_file }}" + dest: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini section: computed_network option: "{{ item.option }}" value: "{{ item.value | string }}" diff --git a/roles/network/tasks/computed_services.yml b/roles/network/tasks/computed_services.yml index b056e7c04..47c3cd7cc 100644 --- a/roles/network/tasks/computed_services.yml +++ b/roles/network/tasks/computed_services.yml @@ -1,17 +1,17 @@ - name: No LAN configured - 'Appliance' mode set_fact: - dansguardian_enabled: False + # dansguardian_enabled: False squid_enabled: False - wondershaper_enabled: False + # wondershaper_enabled: False hostapd_enabled: False iiab_network_mode: "Appliance" when: iiab_lan_iface == "none" or user_lan_iface == "none" - name: LAN configured - 'LanController' mode set_fact: - dansguardian_enabled: False + # dansguardian_enabled: False squid_enabled: False - wondershaper_enabled: False + # wondershaper_enabled: False iiab_network_mode: "LanController" when: iiab_lan_iface != "none" and iiab_wan_iface == "none" @@ -52,7 +52,7 @@ - name: Add 'network' variable values (from computed_services.yml) to {{ iiab_ini_file }} ini_file: - dest: "{{ iiab_ini_file }}" + dest: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini section: network option: "{{ item.option }}" value: "{{ item.value | string }}" diff --git a/roles/network/tasks/dansguardian.yml b/roles/network/tasks/dansguardian.yml.unused similarity index 100% rename from roles/network/tasks/dansguardian.yml rename to roles/network/tasks/dansguardian.yml.unused diff --git a/roles/network/tasks/enable_services.yml b/roles/network/tasks/enable_services.yml index 71bd1798e..d87f9ab36 100644 --- a/roles/network/tasks/enable_services.yml +++ b/roles/network/tasks/enable_services.yml 
@@ -11,29 +11,29 @@ enabled: yes when: dhcpd_install and dhcpd_enabled -- name: Install /etc/sysconfig/dhcpd, /etc/dhcpd-iiab.conf from templates +- name: Install /etc/sysconfig/dhcpd, /etc/dhcpd-iiab.conf from templates (root:root, 0644 by default) template: src: "{{ item.src }}" dest: "{{ item.dest }}" - owner: root - group: root - mode: "{{ item.mode }}" + # owner: root + # group: root + # mode: "{{ item.mode }}" with_items: - - { src: 'dhcp/dhcpd-env.j2', dest: '/etc/sysconfig/dhcpd', mode: '0644' } - - { src: 'dhcp/dhcpd-iiab.conf.j2', dest: '/etc/dhcpd-iiab.conf', mode: '0644' } + - { src: 'dhcp/dhcpd-env.j2', dest: '/etc/sysconfig/dhcpd' } + - { src: 'dhcp/dhcpd-iiab.conf.j2', dest: '/etc/dhcpd-iiab.conf' } when: dhcpd_install and dhcpd_enabled -- name: Install /etc/named-iiab.conf and two *.zone.db files into /var/named-iiab +- name: Install /etc/named-iiab.conf and two *.zone.db files into /var/named-iiab (root:root, 0644 by default) template: src: "{{ item.src }}" dest: "{{ item.dest }}" - owner: root - group: root - mode: "{{ item.mode }}" + # owner: root + # group: root + # mode: "{{ item.mode }}" with_items: - - { src: 'named/named-iiab.conf.j2', dest: '/etc/named-iiab.conf', mode: '0644' } - - { src: 'named/school.local.zone.db', dest: '/var/named-iiab/', mode: '0644' } - - { src: 'named/school.internal.zone.db', dest: '/var/named-iiab/', mode: '0644' } + - { src: 'named/named-iiab.conf.j2', dest: '/etc/named-iiab.conf' } + - { src: 'named/school.local.zone.db', dest: '/var/named-iiab/' } + - { src: 'named/school.internal.zone.db', dest: '/var/named-iiab/' } when: named_install and named_enabled - name: Enable named service ({{ dns_service }}) if named_enabled 
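Review bot: The new task names claim `root:root, 0644 by default`, but the `template` module has no built-in 0644: with `mode:` omitted a newly created file takes the remote umask's result (and an existing file keeps whatever mode it has), and owner/group default to the connecting user — `root` only because the play escalates. On a host hardened with `umask 077`, `/etc/dhcpd-iiab.conf` and `/var/named-iiab/*.zone.db` would land as 0600, which the unprivileged `dhcpd`/`named` account the distro packages run the daemons as cannot read — a silent outage, not a hardening win. Keep the explicit `mode: '0644'` (quoted, since a bare `0644` relies on YAML 1.1 octal parsing) and reword the name to say the mode is set, not defaulted.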
@@ -93,13 +93,13 @@ #- debug: # var: nd_dir -- name: To restart dnsmasq whenever br0 comes up, install /etc/networkd-dispatcher/routable.d/dnsmasq.sh from template (if isn't Appliance, and directory /etc/networkd-dispatcher/routable.d exists, i.e. OS's like Ubuntu 18.04 or later) +- name: To restart dnsmasq whenever br0 comes up, install /etc/networkd-dispatcher/routable.d/dnsmasq.sh from template (if isn't Appliance, and directory /etc/networkd-dispatcher/routable.d exists, i.e. OS's like Ubuntu 18.04 or later) (root:root by default) template: src: roles/network/templates/network/dnsmasq.sh.j2 dest: /etc/networkd-dispatcher/routable.d/dnsmasq.sh mode: 0755 - owner: root - group: root + # owner: root + # group: root when: dnsmasq_install and dnsmasq_enabled and nd_dir.stat.exists and nd_dir.stat.isdir and (iiab_network_mode != "Appliance") #when: dnsmasq_install and dnsmasq_enabled and nd_enabled is defined and nd_enabled.stdout == "enabled" and nd_dir.stat.exists and nd_dir.stat.isdir and (iiab_network_mode != "Appliance") #when: dnsmasq_install and dnsmasq_enabled and systemd_out.status.UnitFileState == "enabled" and networkd_dir.stat.exists and networkd_dir.stat.isdir and (iiab_network_mode != "Appliance") 
@@ -122,104 +122,96 @@ enabled: no when: dnsmasq_install and not dnsmasq_enabled -- name: Enable DansGuardian systemd service, if dansguardian_enabled - systemd: - name: dansguardian - enabled: yes - when: dansguardian_install and dansguardian_enabled +# - name: Enable DansGuardian systemd service, if dansguardian_enabled +# systemd: +# name: dansguardian +# enabled: yes +# when: dansguardian_install and dansguardian_enabled -- name: Disable DansGuardian, if not dansguardian_enabled - systemd: - name: dansguardian - enabled: no - when: (dansguardian_install or dansguardian_installed is defined) and not dansguardian_enabled +# - name: Disable DansGuardian, if not dansguardian_enabled +# systemd: +# name: dansguardian +# enabled: no +# when: (dansguardian_install or dansguardian_installed is defined) and not dansguardian_enabled -- name: Mandate 'HTTPCACHE_ON=True' in {{ iiab_env_file }}, if squid_enabled +- name: Mandate 'HTTPCACHE_ON=True' in {{ iiab_env_file }} - if squid_install [{{ squid_install }}] and squid_enabled [{{ squid_enabled }}] lineinfile: path: "{{ iiab_env_file }}" regexp: '^HTTPCACHE_ON=*' line: 'HTTPCACHE_ON=True' - state: present when: squid_install and squid_enabled -- name: Enable Squid systemd service ({{ proxy }}) if squid_enabled +- name: Enable systemd service '{{ proxy }}' - if squid_install and squid_enabled systemd: - name: "{{ proxy }}" + name: "{{ proxy }}" # squid (or 'squid3' on vars/debian-8.yml, vars/raspbian-8.yml) enabled: yes when: squid_install and squid_enabled -- name: Install /etc/{{ proxy }}/squid-iiab.conf from template, owned by {{ proxy_user }}:{{ proxy_user }} +- name: Install /etc/{{ proxy }}/squid.conf from template (root:root, 0644 by default) - and create a timestamped backup of the original - if squid_install and squid_enabled template: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: "{{ item.owner }}" - group: "{{ item.group }}" - mode: "{{ item.mode }}" - with_items: - - src: squid/squid-iiab.conf.j2 - 
dest: "/etc/{{ proxy }}/squid-iiab.conf" - owner: "{{ proxy_user }}" - group: "{{ proxy_user }}" - mode: 0644 + src: squid/squid.conf.j2 + dest: /etc/{{ proxy }}/squid.conf + # owner: "{{ proxy_user }}" # proxy (or 'squid' on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml) + # group: "{{ proxy_user }}" + backup: yes when: squid_install and squid_enabled -- name: Point to Squid config file from startup file, if squid_enabled (debuntu) - lineinfile: - regexp: '^CONFIG' - line: "CONFIG=/etc/{{ proxy }}/squid-iiab.conf" - path: "/etc/init.d/{{ proxy }}" - when: squid_install and squid_enabled and is_debuntu +# - name: Point /etc/init.d/{{ proxy }} to /etc/{{ proxy }}/squid-iiab.conf - if squid_install and squid_enabled +# lineinfile: +# regexp: '^CONFIG' +# line: "CONFIG=/etc/{{ proxy }}/squid-iiab.conf" +# path: "/etc/init.d/{{ proxy }}" +# when: squid_install and squid_enabled -- name: Disable Squid service, if not squid_enabled +- name: Disable systemd service '{{ proxy }}' - if (squid_install or squid_installed [{{ squid_installed }}] is defined) and not squid_enabled systemd: name: "{{ proxy }}" enabled: no when: (squid_install or squid_installed is defined) and not squid_enabled -- name: Revert to 'HTTPCACHE_ON=False' if not squid_enabled +- name: Revert {{ iiab_env_file }} to 'HTTPCACHE_ON=False' - if squid_install and not squid_enabled lineinfile: path: "{{ iiab_env_file }}" regexp: '^HTTPCACHE_ON=*' line: 'HTTPCACHE_ON=False' - state: present when: squid_install and not squid_enabled -- name: Enable Wondershaper service, if wondershaper_enabled - systemd: - name: wondershaper - enabled: yes - when: wondershaper_install and wondershaper_enabled +# - name: Enable Wondershaper service, if wondershaper_enabled +# systemd: +# name: wondershaper +# enabled: yes +# when: wondershaper_install and wondershaper_enabled -- name: Disable Wondershaper service, if not wondershaper_enabled - systemd: - name: wondershaper - enabled: no - when: (wondershaper_install 
or wondershaper_installed is defined) and not wondershaper_enabled +# - name: Disable Wondershaper service, if not wondershaper_enabled +# systemd: +# name: wondershaper +# enabled: no +# when: (wondershaper_install or wondershaper_installed is defined) and not wondershaper_enabled # check-LAN should be iptables.yml remove later -- name: Install clean copy of /usr/bin/iiab-gen-iptables from template +- name: Install clean copy of /usr/bin/iiab-gen-iptables from template (root:root by default) template: src: gateway/iiab-gen-iptables dest: /usr/bin/iiab-gen-iptables - owner: root - group: root + # owner: root + # group: root mode: 0755 -- name: Install iiab-internet-on|off +- name: Install /usr/bin/iiab-internet-on|off from template (root:root by default) template: src: "{{ item }}" dest: /usr/bin/ - owner: root - group: root + # owner: root + # group: root mode: 0755 with_items: - gateway/iiab-internet-on - gateway/iiab-internet-off -- name: Add 'squid' variable values to {{ iiab_ini_file }} +- name: Add 'squid' variable values to {{ iiab_ini_file }} - if squid_installed is defined ini_file: - path: "{{ iiab_ini_file }}" + path: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini section: squid option: "{{ item.option }}" value: "{{ item.value | string }}" 
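Review bot: The disable-Squid task name interpolates `{{ squid_installed }}` while its own `when:` exists precisely to handle `squid_installed` being undefined; in the Ansible versions I have used an undefined variable in `name:` does not fail the task, but it leaves the placeholder unrendered and logs a warning on every first-install run, which is the common case. Drop the value from the name, `- name: Disable systemd service '{{ proxy }}' - if not squid_enabled (and squid was installed)`, or guard it with `{{ squid_installed | default('undefined') }}`. The `HTTPCACHE_ON` task name templates `squid_install`/`squid_enabled` the same way; those appear to be defaults-backed and so render, but the pattern is worth keeping consistent.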
@@ -230,28 +222,28 @@ value: "{{ squid_enabled }}" when: squid_installed is defined -- name: Add 'dansguardian' variable values to {{ iiab_ini_file }} - ini_file: - path: "{{ iiab_ini_file }}" - section: dansguardian - option: "{{ item.option }}" - value: "{{ item.value | string }}" - with_items: - - option: dansguardian_install - value: "{{ dansguardian_install }}" - - option: dansguardian_enabled - value: "{{ dansguardian_enabled }}" - when: dansguardian_installed is defined +# - name: Add 'dansguardian' variable values to {{ iiab_ini_file }} +# ini_file: +# path: "{{ iiab_ini_file }}" +# section: dansguardian +# option: "{{ item.option }}" +# value: "{{ item.value | string }}" +# with_items: +# - option: dansguardian_install +# value: "{{ dansguardian_install }}" +# - option: dansguardian_enabled +# value: "{{ dansguardian_enabled }}" +# when: dansguardian_installed is defined -- name: Add 'wondershaper' variable values to {{ iiab_ini_file }} - ini_file: - path: "{{ iiab_ini_file }}" - section: wondershaper - option: "{{ item.option }}" - value: "{{ item.value | string }}" - with_items: - - option: wondershaper_install - value: "{{ wondershaper_install }}" - - option: wondershaper_enabled - value: "{{ wondershaper_enabled }}" - when: wondershaper_installed is defined +# - name: Add 'wondershaper' variable values to {{ iiab_ini_file }} +# ini_file: +# path: "{{ iiab_ini_file }}" +# section: wondershaper +# option: "{{ item.option }}" +# value: "{{ item.value | string }}" +# with_items: +# - option: wondershaper_install +# value: "{{ wondershaper_install }}" +# - option: wondershaper_enabled +# value: "{{ wondershaper_enabled }}" +# when: wondershaper_installed is defined diff --git a/roles/network/tasks/hostapd.yml b/roles/network/tasks/hostapd.yml index b34b32c11..33e0a6468 100644 --- a/roles/network/tasks/hostapd.yml +++ b/roles/network/tasks/hostapd.yml 
@@ -39,7 +39,7 @@ set_fact: ap0_mac_addr: "{{ ap0_mac.stdout }}" -- name: Use custom 'hostapd' systemd service unit file using ap0 +- name: "Use custom 'hostapd' systemd service unit file using ap0 -- install from template: /etc/systemd/system/hostapd.service, /etc/systemd/system/iiab-clone-wifi.service, /etc/systemd/system/iiab-wifi-test.service, /usr/sbin/iiab-test-wifi" template: owner: root group: root @@ -48,9 +48,9 @@ mode: "{{ item.mode }}" with_items: - { src: 'hostapd/hostapd.service.j2', dest: '/etc/systemd/system/hostapd.service', mode: '0644' } - - { src: 'hostapd/clone-wifi.service.j2', dest: '/etc/systemd/system/clone-wifi.service', mode: '0644' } - - { src: 'hostapd/wifi-test.service.j2', dest: '/etc/systemd/system/wifi-test.service', mode: '0644'} - - { src: 'hostapd/test-wifi', dest: '/sbin/test-wifi', mode: '0755' } + - { src: 'hostapd/iiab-clone-wifi.service.j2', dest: '/etc/systemd/system/iiab-clone-wifi.service', mode: '0644' } + - { src: 'hostapd/iiab-wifi-test.service.j2', dest: '/etc/systemd/system/iiab-wifi-test.service', mode: '0644'} + - { src: 'hostapd/iiab-test-wifi.j2', dest: '/usr/sbin/iiab-test-wifi', mode: '0755' } when: discovered_wireless_iface != "none" - name: Use custom 'hostapd' systemd service unit file for {{ discovered_wireless_iface }} when not wifi_up_down @@ -145,8 +145,8 @@ enabled: no daemon_reload: yes with_items: - - clone-wifi.service - - wifi-test.service + - iiab-clone-wifi.service + - iiab-wifi-test.service when: not wifi_up_down - name: Enable the Access Point 'hostapd' and ap0 related services @@ -156,8 +156,8 @@ daemon_reload: yes with_items: - hostapd.service - - clone-wifi.service - - wifi-test.service + - iiab-clone-wifi.service + - iiab-wifi-test.service when: hostapd_enabled and wifi_up_down - name: Record HOSTAPD_ENABLED to {{ iiab_env_file }} diff --git a/roles/network/tasks/main.yml b/roles/network/tasks/main.yml index 17164c417..d849cebaf 100644 --- a/roles/network/tasks/main.yml 
+++ b/roles/network/tasks/main.yml @@ -21,9 +21,9 @@ - name: computed_network include_tasks: computed_network.yml -- name: Configure wondershaper - include_tasks: wondershaper.yml - when: wondershaper_install or wondershaper_installed is defined +# - name: Configure wondershaper +# include_tasks: wondershaper.yml +# when: wondershaper_install or wondershaper_installed is defined - name: (Re)Install named include_tasks: named.yml diff --git a/roles/network/tasks/restart.yml b/roles/network/tasks/restart.yml index d1573dd5e..d286e987c 100644 --- a/roles/network/tasks/restart.yml +++ b/roles/network/tasks/restart.yml @@ -23,17 +23,17 @@ async: 120 when: squid_install or squid_installed is defined -- name: Stop DansGuardian - systemd: - name: dansguardian - state: stopped - when: dansguardian_install or dansguardian_installed is defined +# - name: Stop DansGuardian +# systemd: +# name: dansguardian +# state: stopped +# when: dansguardian_install or dansguardian_installed is defined -- name: Restart DansGuardian service (dansguardian) except Ubuntu which needs reboot to activate - systemd: - name: dansguardian - state: restarted - when: dansguardian_enabled and dansguardian_install and ( not is_ubuntu and iiab_stage|int < 4 ) +# - name: Restart DansGuardian service (dansguardian) except Ubuntu which needs reboot to activate +# systemd: +# name: dansguardian +# state: restarted +# when: dansguardian_enabled and dansguardian_install and ( not is_ubuntu and iiab_stage|int < 4 ) # Squid get re-loaded with dispatcher.d - name: Restart Squid service ({{ proxy }}) @@ -42,11 +42,11 @@ state: restarted when: squid_enabled and squid_install -- name: Restart Wondershaper service (wondershaper) - systemd: - name: wondershaper - state: restarted - when: wondershaper_enabled +# - name: Restart Wondershaper service (wondershaper) +# systemd: +# name: wondershaper +# state: restarted +# when: wondershaper_enabled - name: Restart Avahi service (avahi-daemon) systemd: 
diff --git a/roles/network/tasks/rpi_debian.yml b/roles/network/tasks/rpi_debian.yml index dea080d0c..1887a7d15 100644 --- a/roles/network/tasks/rpi_debian.yml +++ b/roles/network/tasks/rpi_debian.yml @@ -58,7 +58,7 @@ - name: Clone wifi if needed systemd: - name: clone-wifi + name: iiab-clone-wifi state: started when: discovered_wireless_iface != "none" # Whereas sysd-netd-debian.yml uses... diff --git a/roles/network/tasks/squid.yml b/roles/network/tasks/squid.yml index 586e0a5be..e959d43de 100644 --- a/roles/network/tasks/squid.yml +++ b/roles/network/tasks/squid.yml 
@@ -1,85 +1,108 @@ -- name: "Install 2 packages: {{ proxy }}, cadaver" +- name: "Install package: {{ proxy }}" package: - name: - - "{{ proxy }}" - - cadaver + name: "{{ proxy }}" # squid (or 'squid3' on vars/debian-8.yml, vars/raspbian-8.yml) + # - cadaver state: present -- name: "Bigger hammer for Ubuntu, run: /etc/init.d/squid stop" - command: /etc/init.d/squid stop - when: is_ubuntu +# - name: "Bigger hammer for Ubuntu, run: /etc/init.d/squid stop" +# command: /etc/init.d/squid stop +# when: is_ubuntu -- name: Stop Squid - service: +- name: Stop systemd service '{{ proxy }}' + systemd: name: "{{ proxy }}" state: stopped - when: not installing + when: squid_installed is undefined -- name: "Create the Squid user: {{ proxy_user }}" +# 2021-08-17: This stanza is gratuitous on most distros, where the user 'proxy' +# or 'squid' is preinstalled (typically with UID and GID 13 in /etc/passwd) but +# let's be sure, as distro internals / favorite distros change without warning. +- name: Ensure Linux user:group '{{ proxy_user }}:{{ proxy_user }}' exists, to own /library/cache -- and for recent versions of /usr/lib/systemd/system/squid.service that use 'Group=proxy' user: - name: "{{ proxy_user }}" - createhome: False - shell: /bin/false + name: "{{ proxy_user }}" # proxy (or 'squid' on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml) + group: "{{ proxy_user }}" + create_home: False + shell: /bin/false # UNIX norm should work across all distros, overriding Debian/Ubuntu norm /usr/sbin/nologin -- name: "Install from template: /usr/bin/iiab-httpcache, /etc/sysconfig/squid, /etc/{{ proxy }}/sites.whitelist.txt and 3 .rules files" - template: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: "{{ item.owner }}" - group: "{{ item.group }}" - mode: "{{ item.mode }}" - force: no - with_items: - - src: 'roles/network/templates/squid/squid.sysconfig' - dest: '/etc/sysconfig/squid' - owner: 'root' - group: 'root' - mode: '0755' - - src: 
'roles/network/templates/squid/sites.whitelist.txt' - dest: '/etc/{{ proxy }}/sites.whitelist.txt' - owner: '{{ proxy_user }}' - group: '{{ proxy_user }}' - mode: '0644' - - src: 'roles/network/templates/squid/allowregex.rules' - dest: '/etc/{{ proxy }}/allowregex.rules' - owner: '{{ proxy_user }}' - group: '{{ proxy_user }}' - mode: '0644' - - src: 'roles/network/templates/squid/denyregex.rules' - dest: '/etc/{{ proxy }}/denyregex.rules' - owner: '{{ proxy_user }}' - group: '{{ proxy_user }}' - mode: '0644' - - src: 'roles/network/templates/squid/dstaddress.rules' - dest: '/etc/{{ proxy }}/dstaddress.rules' - owner: '{{ proxy_user }}' - group: '{{ proxy_user }}' - mode: '0644' - - src: 'roles/network/templates/squid/iiab-httpcache.j2' - dest: '/usr/bin/iiab-httpcache' - owner: 'root' - group: 'root' - mode: '0755' +# 2021-08-16: Squid runs as 'nobody' when started as root: +# http://www.squid-cache.org/Doc/config/cache_effective_user/ +# Much more detail here, but neither directive is recommended: +# http://www.squid-cache.org/Doc/config/cache_effective_group/ +# +# So nobody:root or root:root ownership don't work for cache_dir /library/cache +# +# Squid auto-creation of cache_dir (or the old way, 'squid -z') both fail: +# "FATAL: Failed to make swap directory /library/cache: (13) Permission denied" +# +# SEE ALSO: https://github.com/iiab/iiab/blob/master/roles/network/templates/squid/squid.conf.j2#L10-L30 -- name: Create Squid directory /library/cache +- name: Create Squid directory /library/cache ({{ proxy_user }}:{{ proxy_user }}, 0750) file: + state: directory path: /library/cache owner: "{{ proxy_user }}" group: "{{ proxy_user }}" - mode: '0750' - state: directory + mode: 0750 -- name: Create Squid directory /var/log/{{ proxy }} - file: - path: "/var/log/{{ proxy }}" - owner: "{{ proxy_user }}" - group: "{{ proxy_user }}" - mode: '0750' - state: directory +- name: Install site allowlists/whitelists /etc/{{ proxy }}/allow_dst_domains, /etc/{{ proxy 
}}/allow_url_regexs from template (root:root, 0644 by default) + template: + src: "{{ item }}" + dest: /etc/{{ proxy }}/ + backup: yes + with_items: + - roles/network/templates/squid/allow_dst_domains + - roles/network/templates/squid/allow_url_regexs +# - name: "Install from template: /usr/bin/iiab-httpcache, /etc/sysconfig/squid, /etc/{{ proxy }}/sites.whitelist.txt and 3 .rules files" +# template: +# src: "{{ item.src }}" +# dest: "{{ item.dest }}" +# owner: "{{ item.owner }}" +# group: "{{ item.group }}" +# mode: "{{ item.mode }}" +# force: no +# with_items: +# - src: 'roles/network/templates/squid/squid.sysconfig' +# dest: '/etc/sysconfig/squid' +# owner: 'root' +# group: 'root' +# mode: '0755' +# - src: 'roles/network/templates/squid/sites.whitelist.txt' +# dest: '/etc/{{ proxy }}/sites.whitelist.txt' +# owner: '{{ proxy_user }}' +# group: '{{ proxy_user }}' +# mode: '0644' +# - src: 'roles/network/templates/squid/allowregex.rules' +# dest: '/etc/{{ proxy }}/allowregex.rules' +# owner: '{{ proxy_user }}' +# group: '{{ proxy_user }}' +# mode: '0644' +# - src: 'roles/network/templates/squid/denyregex.rules' +# dest: '/etc/{{ proxy }}/denyregex.rules' +# owner: '{{ proxy_user }}' +# group: '{{ proxy_user }}' +# mode: '0644' +# - src: 'roles/network/templates/squid/dstaddress.rules' +# dest: '/etc/{{ proxy }}/dstaddress.rules' +# owner: '{{ proxy_user }}' +# group: '{{ proxy_user }}' +# mode: '0644' +# - src: 'roles/network/templates/squid/iiab-httpcache.j2' +# dest: '/usr/bin/iiab-httpcache' +# owner: 'root' +# group: 'root' +# mode: '0755' -- include_tasks: roles/network/tasks/dansguardian.yml - when: dansguardian_install +# - name: Create Squid directory /var/log/{{ proxy }} +# file: +# path: "/var/log/{{ proxy }}" +# owner: "{{ proxy_user }}" +# group: "{{ proxy_user }}" +# mode: '0750' +# state: directory + +# - include_tasks: roles/network/tasks/dansguardian.yml +# when: dansguardian_install # RECORD Squid AS INSTALLED 
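Review bot: The `user:` task sets `group: "{{ proxy_user }}"`, but the user module only assigns a primary group that already exists — it never creates one — so on any distro where the `proxy`/`squid` group is missing (exactly the case the preceding comment says this stanza is there to cover) the play fails instead of creating the account. Add a `group:` task ahead of it and pass `system: yes` to both so a freshly created account lands in the system UID/GID range. Two smaller points: `mode: '0750'` was deliberately quoted in the old line and is now a bare `0750`, which works only because PyYAML reads it as YAML 1.1 octal — keep the quotes; and `create_home: False` should be a lowercase boolean (the file already uses `yes` for `backup:`, so at least be consistent).
```yaml
- name: Ensure Linux group '{{ proxy_user }}' exists (user module will not create it)
  group:
    name: "{{ proxy_user }}"
    system: yes

- name: Ensure Linux user:group '{{ proxy_user }}:{{ proxy_user }}' exists, to own /library/cache -- and for recent versions of /usr/lib/systemd/system/squid.service that use 'Group=proxy'
  user:
    name: "{{ proxy_user }}"
    group: "{{ proxy_user }}"
    system: yes
    create_home: false
    shell: /bin/false
# … unchanged: cache_effective_user commentary, /library/cache directory, allowlist templates …
```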
@@ -98,7 +121,7 @@ # {{ proxy }} is normally "squid", but is "squid3" on raspbian-8 & debian-8 - name: Add '{{ proxy }}' variable values to {{ iiab_ini_file }} ini_file: - dest: "{{ iiab_ini_file }}" + dest: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini section: "{{ proxy }}" option: "{{ item.option }}" value: "{{ item.value | string }}" @@ -112,18 +135,18 @@ - option: squid_enabled value: "{{ squid_enabled }}" -- name: Add 'dansguardian' variable values to {{ iiab_ini_file }} - ini_file: - dest: "{{ iiab_ini_file }}" - section: dansguardian - option: "{{ item.option }}" - value: "{{ item.value | string }}" - with_items: - - option: name - value: DansGuardian - - option: description - value: '"DansGuardian searches web content for objectionable references and denies access when found."' - - option: dansguardian_install - value: "{{ dansguardian_install }}" - - option: dansguardian_enabled - value: "{{ dansguardian_enabled }}" +# - name: Add 'dansguardian' variable values to {{ iiab_ini_file }} +# ini_file: +# dest: "{{ iiab_ini_file }}" +# section: dansguardian +# option: "{{ item.option }}" +# value: "{{ item.value | string }}" +# with_items: +# - option: name +# value: DansGuardian +# - option: description +# value: '"DansGuardian searches web content for objectionable references and denies access when found."' +# - option: dansguardian_install +# value: "{{ dansguardian_install }}" +# - option: dansguardian_enabled +# value: "{{ dansguardian_enabled }}" diff --git a/roles/network/tasks/sysd-netd-debian.yml b/roles/network/tasks/sysd-netd-debian.yml index 622663462..4b3048256 100644 --- a/roles/network/tasks/sysd-netd-debian.yml +++ b/roles/network/tasks/sysd-netd-debian.yml @@ -53,7 +53,7 @@ - name: Clone wifi if needed systemd: - name: clone-wifi + name: iiab-clone-wifi state: started when: wifi_up_down and discovered_wireless_iface != "none" 
diff --git a/roles/network/tasks/wondershaper.yml b/roles/network/tasks/wondershaper.yml.unused similarity index 100% rename from roles/network/tasks/wondershaper.yml rename to roles/network/tasks/wondershaper.yml.unused diff --git a/roles/network/templates/gateway/iiab-gen-iptables b/roles/network/templates/gateway/iiab-gen-iptables index 8380304fa..1d196ccb7 100755 --- a/roles/network/templates/gateway/iiab-gen-iptables +++ b/roles/network/templates/gateway/iiab-gen-iptables 
@@ -34,48 +34,74 @@ IPTABLES=/usr/sbin/iptables IPTABLES_DATA=/etc/sysconfig/iptables {% endif %} -source {{ iiab_env_file }} +# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml +# https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97 +# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L13 +# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52 +# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34 +# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN + +# "awk '{print $2}'" almost works, but: (1) Fails to remove outer quotes, and +# (2) Chops up Ansible vars containing multiple words w/o surrounding quotes. +# So: sed is used instead, to emulate Ansible's parsing of vars from .yml + +iiab_var_value() { + v1=$(grep "^$1:\s" /opt/iiab/iiab/vars/default_vars.yml | tail -1 | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") + v2=$(grep "^$1:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") + [ "$v2" != "" ] && echo $v2 || echo $v1 # [ "$v2" ] ALSO WORKS +} + +source /etc/iiab/iiab.env lan=$IIAB_LAN_DEVICE wan=$IIAB_WAN_DEVICE iiab_gateway_enabled=$IIAB_GATEWAY_ENABLED -echo -e "\nLAN: $lan" -echo -e "WAN: $wan\n" -#network_mode=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'` +echo +echo "Extracted 3 network vars from /etc/iiab/iiab.env :" +echo +echo "lan: $lan" +echo "wan: $wan" +echo "iiab_gateway_enabled: $iiab_gateway_enabled" +echo +#network_mode=`grep iiab_network_mode_applied /etc/iiab/iiab.ini | gawk '{print $3}'` #echo -e "Network Mode: $network_mode\n" +lan_ip=$(iiab_var_value lan_ip) # 172.18.96.1 -# "Good thing we replace this file; should be treated like Squid below" ? 
-ports_externally_visible={{ ports_externally_visible }}
-gw_block_https={{ gw_block_https }}
-sshd_port={{ sshd_port }}
+ports_externally_visible=$(iiab_var_value ports_externally_visible)
+gw_block_https=$(iiab_var_value gw_block_https)
+sshd_port=$(iiab_var_value sshd_port)
 #gui_wan= [no longer needed]
-gui_port={{ gui_port }}
-block_DNS={{ block_DNS }}
+gui_port=$(iiab_var_value gui_port)
+block_DNS=$(iiab_var_value block_DNS)
-azuracast_ports="{{ azuracast_port_range_prefix }}000:{{ azuracast_port_range_prefix }}100"
-azuracast_https_port={{ azuracast_https_port }}
-azuracast_http_port={{ azuracast_http_port }}
-calibre_port={{ calibre_port }}
-calibreweb_port={{ calibreweb_port }}
-cups_port={{ cups_port }}
-internetarchive_port={{ internetarchive_port }}
-kalite_server_port={{ kalite_server_port }}
-kiwix_port={{ kiwix_port }}
-kolibri_http_port={{ kolibri_http_port }}
-minetest_port={{ minetest_port }}
-mosquitto_port={{ mosquitto_port }}
-nodered_port={{ nodered_port }}
-pbx_enabled={{ pbx_enabled }}
-pbx_http_port={{ pbx_http_port }}
-pbx_signaling_ports_chan_sip={{ pbx_signaling_ports_chan_sip }}
-pbx_signaling_ports_chan_pjsip={{ pbx_signaling_ports_chan_pjsip }}
-pbx_data_ports={{ pbx_data_ports }}
-sugarizer_port={{ sugarizer_port }}
-transmission_http_port={{ transmission_http_port }}
-transmission_peer_port={{ transmission_peer_port }}
-jupyterhub_port={{ jupyterhub_port }}
+azuracast_ports=$(iiab_var_value azuracast_port_range_prefix)000:$(iiab_var_value azuracast_port_range_prefix)100
+azuracast_https_port=$(iiab_var_value azuracast_https_port)
+azuracast_http_port=$(iiab_var_value azuracast_http_port)
+calibre_port=$(iiab_var_value calibre_port)
+calibreweb_port=$(iiab_var_value calibreweb_port)
+cups_port=$(iiab_var_value cups_port)
+internetarchive_port=$(iiab_var_value internetarchive_port)
+jupyterhub_port=$(iiab_var_value jupyterhub_port)
+kalite_server_port=$(iiab_var_value kalite_server_port)
+kiwix_port=$(iiab_var_value kiwix_port)
+kolibri_http_port=$(iiab_var_value kolibri_http_port) +minetest_port=$(iiab_var_value minetest_port) +mosquitto_port=$(iiab_var_value mosquitto_port) +nodered_port=$(iiab_var_value nodered_port) -samba_udp_ports={{ samba_udp_ports }} -samba_tcp_mports={{ samba_tcp_mports }} +pbx_enabled=$(iiab_var_value pbx_enabled) +pbx_http_port=$(iiab_var_value pbx_http_port) +pbx_signaling_ports_chan_sip=$(iiab_var_value pbx_signaling_ports_chan_sip) +pbx_signaling_ports_chan_pjsip=$(iiab_var_value pbx_signaling_ports_chan_pjsip) +pbx_data_ports=$(iiab_var_value pbx_data_ports) + +sugarizer_port=$(iiab_var_value sugarizer_port) +transmission_http_port=$(iiab_var_value transmission_http_port) +transmission_peer_port=$(iiab_var_value transmission_peer_port) + +samba_udp_ports=$(iiab_var_value samba_udp_ports) +samba_tcp_mports=$(iiab_var_value samba_tcp_mports) + +squid_enabled=$(iiab_var_value squid_enabled) echo -e "\nports_externally_visible: "$ports_externally_visible"\n" if ! [ "$ports_externally_visible" -eq "$ports_externally_visible" ] 2> /dev/null; then @@ -143,6 +169,7 @@ if [ "$wan" != "none" ]; then $IPTABLES -A INPUT -p tcp --dport $calibreweb_port -m state --state NEW -i $wan -j ACCEPT $IPTABLES -A INPUT -p tcp --dport $cups_port -m state --state NEW -i $wan -j ACCEPT $IPTABLES -A INPUT -p tcp --dport $internetarchive_port -m state --state NEW -i $wan -j ACCEPT + $IPTABLES -A INPUT -p tcp --dport $jupyterhub_port -m state --state NEW -i $wan -j ACCEPT $IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT $IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT $IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT 
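Review bot: iiab_var_value hands back the literal text after `key:`, so the `== "True"` tests later in this script only match the exact spelling `True`; an admin who writes `gw_block_https: true`, `block_DNS: yes` or `squid_enabled: on` in /etc/iiab/local_vars.yml (all of which Ansible treats as True) now gets the HTTPS block, DNS redirect and Squid DNAT rules silently skipped, whereas the old `{{ var }}` rendering always emitted `True`. Canonicalize booleans inside the helper before echoing, e.g. replace the last line with `v=$([ "$v2" != "" ] && echo "$v2" || echo "$v1")` followed by `case "${v,,}" in true|yes|on) echo True;; false|no|off) echo False;; *) echo "$v";; esac`. The unquoted `echo $v2` / `echo $v1` also lets a value containing `*` or runs of spaces be glob-expanded or word-split by bash; quote them. It is worth a comment on the function that this grep/sed parse is a heuristic: a value that is itself a Jinja expression (`{{ ... }}`) comes back unexpanded, which the previous template-time rendering resolved.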
@@ -160,7 +187,6 @@ if [ "$wan" != "none" ]; then $IPTABLES -A INPUT -p tcp --dport $sugarizer_port -m state --state NEW -i $wan -j ACCEPT $IPTABLES -A INPUT -p tcp --dport $transmission_http_port -m state --state NEW -i $wan -j ACCEPT $IPTABLES -A INPUT -p tcp --dport $transmission_peer_port -m state --state NEW -i $wan -j ACCEPT - $IPTABLES -A INPUT -p tcp --dport $jupyterhub_port -m state --state NEW -i $wan -j ACCEPT fi # 4 = ssh + http-or-https + common IIAB services + Samba @@ -179,7 +205,7 @@ if [ "$wan" != "none" ]; then $IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT # Block https traffic except if directed at server if [ "$gw_block_https" == "True" ]; then - $IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP + $IPTABLES -A FORWARD -p tcp ! -d $lan_ip --dport 443 -j DROP fi # Allow outgoing connections from the LAN side $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT @@ -198,13 +224,13 @@ fi # TCP & UDP block of DNS port 53 if truly nec if [ "$block_DNS" == "True" ]; then - $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53 - $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53 + $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d $lan_ip -j DNAT --to $lan_ip:53 + $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d $lan_ip -j DNAT --to $lan_ip:53 fi -# If Squid enabled, as indicated by "HTTPCACHE_ON=True" in /etc/iiab/iiab.env -if [ "$HTTPCACHE_ON" == "True" ]; then - $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128 +# if [ "$HTTPCACHE_ON" == "True" ]; then # Via /etc/iiab/iiab.env +if [ "$squid_enabled" == "True" ]; then # Direct from default_vars.yml and local_vars.yml + $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d $lan_ip -j DNAT --to $lan_ip:3128 fi # Save the whole rule set 
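Review bot: If `lan_ip` resolves to an empty string (name absent from both vars files, or set to a Jinja expression the grep/sed helper cannot expand), the new DNAT lines become `! -d -j DNAT --to :53`, iptables rejects them, and because the script has no `set -e` it carries on and saves a rule set in which the DNS interception, the Squid redirect and the HTTPS block in the hunk above are simply absent — the gateway fails open. Abort right after the value is extracted instead, e.g. `[ -n "$lan_ip" ] || { echo "ERROR: lan_ip not found in default_vars.yml/local_vars.yml"; exit 1; }`, and ideally check it looks like a dotted-quad before it is spliced into rules. The same emptiness guard is cheap to apply to each `*_port` value before it reaches `--dport`. The `if` blocks here close inside the hunk, but the script continues past it.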
diff --git a/roles/network/templates/hostapd/README.ap0 b/roles/network/templates/hostapd/README.ap0 index ea53ec1da..0d44b9df1 100644 --- a/roles/network/templates/hostapd/README.ap0 +++ b/roles/network/templates/hostapd/README.ap0 @@ -1,8 +1,8 @@ start up order # network-pre bridge is created -clone-wifi +iiab-clone-wifi wpa_supplicant #--dbus version does not start the interface directly -test-wifi # uses dbus to scan the network grabbing the channel alters hostapd.conf if needed +iiab-test-wifi # uses dbus to scan the network grabbing the channel alters hostapd.conf if needed hostapd # network diff --git a/roles/network/templates/hostapd/hostapd.service.j2 b/roles/network/templates/hostapd/hostapd.service.j2 index 3c19dfcf8..78ed478d0 100644 --- a/roles/network/templates/hostapd/hostapd.service.j2 +++ b/roles/network/templates/hostapd/hostapd.service.j2 @@ -2,8 +2,8 @@ Description=Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator Wants=network-pre.target After=network-pre.target -After=clone-wifi.service -Requires=clone-wifi.service +After=iiab-clone-wifi.service +Requires=iiab-clone-wifi.service Before=dhcpcd.service Before=wpa_supplicant@{{ discovered_wireless_iface }}.service Before=NetworkManager.service diff --git a/roles/network/templates/hostapd/clone-wifi.service.j2 b/roles/network/templates/hostapd/iiab-clone-wifi.service.j2 similarity index 100% rename from roles/network/templates/hostapd/clone-wifi.service.j2 rename to roles/network/templates/hostapd/iiab-clone-wifi.service.j2 diff --git a/roles/network/templates/hostapd/test-wifi b/roles/network/templates/hostapd/iiab-test-wifi.j2 similarity index 98% rename from roles/network/templates/hostapd/test-wifi rename to roles/network/templates/hostapd/iiab-test-wifi.j2 index b2ed7c971..be13af4c6 100755 --- a/roles/network/templates/hostapd/test-wifi +++ b/roles/network/templates/hostapd/iiab-test-wifi.j2 
@@ -5,7 +5,7 @@ NETPLAN=0 SSID="NA" # when we get here br0 should be available and dbus wpa_supplicant was started if enabled. None # of the backends that use wpa_supplicant should be active yet based on the Before= After= lines -# in the wifi-test.service unit file. +# in the iiab-wifi-test.service unit file. # covers systemd-networkd if [ -f /etc/wpa_supplicant/wpa_supplicant-$IFACE.conf ]; then diff --git a/roles/network/templates/hostapd/wifi-test.service.j2 b/roles/network/templates/hostapd/iiab-wifi-test.service.j2 similarity index 92% rename from roles/network/templates/hostapd/wifi-test.service.j2 rename to roles/network/templates/hostapd/iiab-wifi-test.service.j2 index 875a12f50..682680a07 100644 --- a/roles/network/templates/hostapd/wifi-test.service.j2 +++ b/roles/network/templates/hostapd/iiab-wifi-test.service.j2 @@ -12,7 +12,7 @@ Before=network.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/sbin/test-wifi +ExecStart=/usr/sbin/iiab-test-wifi [Install] WantedBy=multi-user.target diff --git a/roles/network/templates/network/iiab-hotspot-off b/roles/network/templates/network/iiab-hotspot-off index d3f811365..78d86cdd1 100755 --- a/roles/network/templates/network/iiab-hotspot-off +++ b/roles/network/templates/network/iiab-hotspot-off @@ -3,9 +3,9 @@ sed -i -e "s/^HOSTAPD_ENABLED.*/HOSTAPD_ENABLED=False/" {{ iiab_env_file }} systemctl disable hostapd systemctl stop hostapd {% if wifi_up_down %} -systemctl disable clone-wifi.service -systemctl disable wifi-test.service -systemctl stop clone-wifi.service +systemctl disable iiab-clone-wifi.service +systemctl disable iiab-wifi-test.service +systemctl stop iiab-clone-wifi.service echo " IIAB hotspot access point Disabled" exit 0 {% else %} diff --git a/roles/network/templates/network/iiab-hotspot-on b/roles/network/templates/network/iiab-hotspot-on index 34d1cda46..d92cb5f21 100755 --- a/roles/network/templates/network/iiab-hotspot-on +++ b/roles/network/templates/network/iiab-hotspot-on 
@@ -1,9 +1,9 @@ #!/bin/bash sed -i -e "s/^HOSTAPD_ENABLED.*/HOSTAPD_ENABLED=True/" {{ iiab_env_file }} {% if wifi_up_down %} -systemctl enable clone-wifi.service +systemctl enable iiab-clone-wifi.service systemctl enable hostapd -systemctl enable wifi-test.service +systemctl enable iiab-wifi-test.service echo -e "\nPlease reboot to activate hostapd feature.\n" exit 0 {% else %} diff --git a/roles/network/templates/squid/allow_dst_domains b/roles/network/templates/squid/allow_dst_domains new file mode 100644 index 000000000..f16722ed1 --- /dev/null +++ b/roles/network/templates/squid/allow_dst_domains @@ -0,0 +1,17 @@ +# SEE ALSO /etc/squid/allow_url_regexs +# the leading dot matches anything preceding +# don't remove the .lan line +# change this to your domain if necessary +.lan +.laptop.org +.olpcMAP.net +.mapmeld.appspot.com +.googlecode.com +.googleapis.com +.gstatic.com +.unleashkids.org +.iiab.io +.hopeforhaitischildren.org +.lenouvelliste.com +.voanouvel.com +.sugarlabs.org diff --git a/roles/network/templates/squid/allow_url_regexs b/roles/network/templates/squid/allow_url_regexs new file mode 100644 index 000000000..21a003f59 --- /dev/null +++ b/roles/network/templates/squid/allow_url_regexs @@ -0,0 +1,4 @@ +# SEE ALSO /etc/squid/allow_url_regexs +# put regular expressions that match desired urls +translator +translate diff --git a/roles/network/templates/squid/allowregex.rules b/roles/network/templates/squid/allowregex.rules.unused similarity index 100% rename from roles/network/templates/squid/allowregex.rules rename to roles/network/templates/squid/allowregex.rules.unused diff --git a/roles/network/templates/squid/dansguardian.conf.centos.j2 b/roles/network/templates/squid/dansguardian.conf.centos.j2.unused similarity index 100% rename from roles/network/templates/squid/dansguardian.conf.centos.j2 rename to roles/network/templates/squid/dansguardian.conf.centos.j2.unused 
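Review bot: The two patterns `translator` and `translate` are unanchored substrings matched case-insensitively against the whole URL (`acl allow_url_regexs url_regex -i` in squid.conf.j2), so any request whose URL merely contains that word — e.g. `http://anyhost.example/translate` — passes the allowlist, which defeats the domain allowlist in whitelist mode. Anchor them to the intended hosts, e.g. `^https?://translate\.google\.com/`, or drop them and add `.translate.google.com` to allow_dst_domains (the .unused sites.whitelist.txt still lists it). The header comment also points at this file itself (`# SEE ALSO /etc/squid/allow_url_regexs`); it presumably meant `/etc/squid/allow_dst_domains`.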
diff --git a/roles/network/templates/squid/dansguardian.conf.debian.j2 b/roles/network/templates/squid/dansguardian.conf.debian.j2.unused similarity index 100% rename from roles/network/templates/squid/dansguardian.conf.debian.j2 rename to roles/network/templates/squid/dansguardian.conf.debian.j2.unused diff --git a/roles/network/templates/squid/dansguardian.conf.j2 b/roles/network/templates/squid/dansguardian.conf.j2.unused similarity index 100% rename from roles/network/templates/squid/dansguardian.conf.j2 rename to roles/network/templates/squid/dansguardian.conf.j2.unused diff --git a/roles/network/templates/squid/denyregex.rules b/roles/network/templates/squid/denyregex.rules.unused similarity index 100% rename from roles/network/templates/squid/denyregex.rules rename to roles/network/templates/squid/denyregex.rules.unused diff --git a/roles/network/templates/squid/dstaddress.rules b/roles/network/templates/squid/dstaddress.rules.unused similarity index 100% rename from roles/network/templates/squid/dstaddress.rules rename to roles/network/templates/squid/dstaddress.rules.unused diff --git a/roles/network/templates/squid/iiab-httpcache.j2 b/roles/network/templates/squid/iiab-httpcache.j2.unused similarity index 100% rename from roles/network/templates/squid/iiab-httpcache.j2 rename to roles/network/templates/squid/iiab-httpcache.j2.unused diff --git a/roles/network/templates/squid/sites.whitelist.txt b/roles/network/templates/squid/sites.whitelist.txt.unused similarity index 96% rename from roles/network/templates/squid/sites.whitelist.txt rename to roles/network/templates/squid/sites.whitelist.txt.unused index da2b29330..e03fc419d 100644 --- a/roles/network/templates/squid/sites.whitelist.txt +++ b/roles/network/templates/squid/sites.whitelist.txt.unused @@ -10,7 +10,7 @@ .translate.google.com .gstatic.com .unleashkids.org -.iiab.io.org +.iiab.io .hopeforhaitischildren.org .lenouvelliste.com .voanouvel.com 
diff --git a/roles/network/templates/squid/squid-iiab.conf.j2 b/roles/network/templates/squid/squid-iiab.conf.j2.unused similarity index 98% rename from roles/network/templates/squid/squid-iiab.conf.j2 rename to roles/network/templates/squid/squid-iiab.conf.j2.unused index 1bce0547d..f3d610715 100644 --- a/roles/network/templates/squid/squid-iiab.conf.j2 +++ b/roles/network/templates/squid/squid-iiab.conf.j2.unused @@ -4,11 +4,11 @@ ############################### # Network Interface -{% if dansguardian_enabled %} -http_port 127.0.0.1:3130 -{% else %} +# ## if dansguardian_enabled ## +# http_port 127.0.0.1:3130 +# ## else ## http_port 0.0.0.0:3128 transparent -{% endif %} +# ## endif ## icp_port 0 diff --git a/roles/network/templates/squid/squid.conf.j2 b/roles/network/templates/squid/squid.conf.j2 new file mode 100644 index 000000000..666a6a677 --- /dev/null +++ b/roles/network/templates/squid/squid.conf.j2 
@@ -0,0 +1,52 @@ +# 2021-08-16 IIAB PR #2948 - April 2007 OLPC School Server legacy moved to: +# https://github.com/iiab/iiab/blob/master/roles/network/templates/squid/squid-iiab.conf.j2.unused + +http_port 3129 +http_port 3128 intercept + +# Some measure of privacy: mask off the lowest byte of logged IP addresses +client_netmask 255.255.255.0 + +# https://wiki.squid-cache.org/Features/CacheManager +# https://wiki.squid-cache.org/SquidFaq/SecurityPitfalls#The_manager_ACLs +http_access allow localhost manager +http_access deny manager + +# 2021-08-16: Squid's auto-creation of cache_dir (or the old way, 'squid -z') +# don't work well in recent years. So we do it manually, as explained here: +# https://github.com/iiab/iiab/blob/master/roles/network/tasks/squid.yml#L17-L45 + +# Where is the cache stored on disk? http://www.squid-cache.org/Doc/config/cache_dir/ +# +# Type (ufs, aufs, or COSS) +# | Where +# | | Size (in MB) +# | | | +# | | | L1 (directories) +# | | | | L2 (directories) +# | | | | | +#cache_dir aufs /library/cache 20000 32 256 +cache_dir ufs /library/cache 200 16 128 +# Remove the line above IF YOU WANT SQUID'S CACHE IN MEMORY INSTEAD OF DISK! + +{% if gw_squid_whitelist %} +#acl allow_src_ips src "/etc/squid/allow_src_ips" +acl allow_dst_domains dstdomain "/etc/squid/allow_dst_domains" +acl allow_url_regexs url_regex -i "/etc/squid/allow_url_regexs" +#acl allow_dst_ips dst "/etc/squid/allow_dst_ips" +#acl deny_url_regexs url_regex -i "/etc/squid/deny_url_regexs" +#acl deny_dst_ips src "/etc/squid/deny_dst_ips" + +#http_access allow allow_src_ips +http_access allow allow_dst_domains +http_access allow allow_url_regexs +#http_access allow allow_dst_ips +#http_access deny deny_url_regexs +#http_access deny deny_dst_ips +{% endif %} + +# 2021-08-16: DEFAULTS HAPPEN ANYWAY +# http_access deny all +# access_log /var/log/squid/access.log +# cache_log /var/log/squid/cache.log +# pid_filename /var/run/squid.pid 
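Review bot: With `gw_squid_whitelist` off, the last http_access line in this file is `http_access deny manager`, and Squid's rule for an unmatched request is the opposite of the last line, so every other request is allowed; combined with `http_port 3129` bound on all interfaces and no `src` ACL, that is an open forward proxy for any host that can reach port 3129 — the closing `# 2021-08-16: DEFAULTS HAPPEN ANYWAY` / `# http_access deny all` describes the distro's shipped squid.conf, not Squid's built-in behaviour. This holds if the template is installed as the whole /etc/squid/squid.conf rather than included by a distro config that still ends in `deny all`; the task that installs it is not in this hunk, nor is whether iptables blocks 3128/3129 on the WAN side. Add a terminal `http_access deny all` after the allow block (outside the `{% if %}`), and restrict the non-intercept port, e.g. `http_port 127.0.0.1:3129` or an `acl localnet src <LAN subnet>` plus `http_access deny !localnet` ahead of the allow lines.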
diff --git a/roles/network/templates/squid/squid.sysconfig b/roles/network/templates/squid/squid.sysconfig.unused similarity index 100% rename from roles/network/templates/squid/squid.sysconfig rename to roles/network/templates/squid/squid.sysconfig.unused diff --git a/roles/network/templates/wondershaper/wondershaper.conf b/roles/network/templates/wondershaper.unused/wondershaper.conf similarity index 100% rename from roles/network/templates/wondershaper/wondershaper.conf rename to roles/network/templates/wondershaper.unused/wondershaper.conf diff --git a/roles/network/templates/wondershaper/wondershaper.j2 b/roles/network/templates/wondershaper.unused/wondershaper.j2 similarity index 100% rename from roles/network/templates/wondershaper/wondershaper.j2 rename to roles/network/templates/wondershaper.unused/wondershaper.j2 diff --git a/roles/network/templates/wondershaper/wondershaper.service b/roles/network/templates/wondershaper.unused/wondershaper.service similarity index 100% rename from roles/network/templates/wondershaper/wondershaper.service rename to roles/network/templates/wondershaper.unused/wondershaper.service diff --git a/roles/nextcloud/README.md b/roles/nextcloud/README.md index 06dd8beb7..da5ab374f 100644 --- a/roles/nextcloud/README.md +++ b/roles/nextcloud/README.md @@ -1,4 +1,4 @@ -# Nextcloud +# Nextcloud README Students and teachers can store their documents, calendars, contacts and photos locally within [Nextcloud](https://nextcloud.com), which is much like having a (local) version of Dropbox or Google Drive on your very own [Internet-in-a-Box](http://internet-in-a-box.org). diff --git a/roles/nginx/README.md b/roles/nginx/README.md index b38a46862..422704f9c 100644 --- a/roles/nginx/README.md +++ b/roles/nginx/README.md 
@@ -2,15 +2,15 @@ 1. Initial testing strategy (December 2019 - February 2020) was to move NGINX to [port 80](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services), and proxy everything to Apache on [port 8090](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) — creating "Shims" for each IIAB App/Service in *Section iii.* below. - Until "Native" NGINX is later implemented for each such IIAB App/Service — allowing each to move up to *Section ii.* below. + Until "Native" NGINX was later implemented for each such IIAB App/Service — allowing each to move up to *Section ii.* below. - And potentially later moving each up to *Section i.* if its Apache support is dropped! + And progressively later moving each up to *Section i.* when its Apache support was dropped. (Background: IIAB Apps/Services are generally [Ansible roles](https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible) that live in [/opt/iiab/iiab/roles](https://github.com/iiab/iiab/tree/master/roles)) -2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX. +2. Without PHP available via FastCGI, any function at all for PHP-based applications validated NGINX. -3. Current state of IIAB App/Service migrations as of 2021-07-16: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))* +3. Current state of IIAB App/Service migrations as of 2021-08-08: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))* 1. These support "Native" NGINX but ***NOT*** Apache 
@@ -37,27 +37,27 @@ 2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!) Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service: - * NONE: Apache support is being fully removed starting 2021-07-06 ([PR #2850](https://github.com/iiab/iiab/pull/2850)) + * **NONE: Apache support is now fully REMOVED as of 2021-08-08** ([PR #2850](https://github.com/iiab/iiab/pull/2850)) 3. These support Apache but ***NOT*** "Native" NGINX. They use a "Shim" to [proxy_pass](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) from NGINX to Apache on port 8090. See [roles/3-base-server/tasks/main.yml#L11](../3-base-server/tasks/main.yml#L11) for a list of ~6 IIAB Apps/Services that auto-enable Apache. - * elgg [*, should be deprecated, or considered for a complete overhaul from ancient Elgg 2.x to 4.x?] + * elgg [deprecated -- consider assisting with a complete overhaul from Elgg 2.x to 4.x ?] 4. These each run their own web server or non-web / backend services, e.g. off of their own [unique port(s)](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) (IIAB home pages link directly to these destinations). In future we'd like mnemonic URL's for all of these: (e.g. 
http://box/calibre, http://box/archive, http://box/kalite) * bluetooth * calibre (menu goes directly to port 8080) - * cups (NGINX redirects http://box/print to port 631, changing hostname as appropriate, per [PR #2858](https://github.com/iiab/iiab/pull/2858)) + * cups (NGINX redirects http://box/print to port 631, changing URL hostname to localhost when necessary, per [PR #2858](https://github.com/iiab/iiab/pull/2858)) * internetarchive (menu goes directly to port 4244) [*, [PR #2120](https://github.com/iiab/iiab/pull/2120)] * kalite (menu goes directly to ports 8006-8008) * minetest * mosquitto * openvpn - * pbx [*, requires Apache for now, as in Section iii., [#2856](https://github.com/iiab/iiab/issues/2856)] + * pbx [*, recommends Apache for now, as in Section iii., [#2914](https://github.com/iiab/iiab/issues/2914)] * phpmyadmin [*, requires Apache for now, as in Section iii.] - * samba + * samba [*, [PR #2923](https://github.com/iiab/iiab/pull/2923)] * sshd * transmission * vnstat -[*] The 4 above starred roles could use improvement, as of 2021-07-16. +[*] The 4 above starred roles could use improvement, as of 2021-08-08. diff --git a/roles/nginx/tasks/enable-or-disable.yml b/roles/nginx/tasks/enable-or-disable.yml index 510203110..0ef223866 100644 --- a/roles/nginx/tasks/enable-or-disable.yml +++ b/roles/nginx/tasks/enable-or-disable.yml 
@@ -1,29 +1,29 @@ -- name: Ensure that Apache ({{ apache_service }}) is not running -- we may need port swap - systemd: - name: "{{ apache_service }}" # apache2 or httpd, per /opt/iiab/iiab/vars/.yml - state: stopped - ignore_errors: yes - # 'when: apache_installed is defined' might also work, as mysql's php no longer installs apache2 (but 'ignore_errors: yes' remains safer!) +# - name: Ensure that Apache ({{ apache_service }}) is not running -- we may need port swap +# systemd: +# name: "{{ apache_service }}" # apache2 or httpd, per /opt/iiab/iiab/vars/.yml +# state: stopped +# ignore_errors: yes +# # 'when: apache_installed is defined' might also work, as mysql's php no longer installs apache2 (but 'ignore_errors: yes' remains safer!) -- name: Install /etc/{{ apache_service }}/ports.conf from template 1 of 2 (ports.conf.j2) if nginx_enabled, to enable Apache port {{ apache_port }} localhost only - template: - src: ports.conf.j2 - dest: "/etc/{{ apache_service }}/ports.conf" - when: nginx_enabled +# - name: Install /etc/{{ apache_service }}/ports.conf from template 1 of 2 (ports.conf.j2) if nginx_enabled, to enable Apache port {{ apache_port }} localhost only +# template: +# src: ports.conf.j2 +# dest: "/etc/{{ apache_service }}/ports.conf" +# when: nginx_enabled -- name: Install /etc/{{ apache_service }}/ports.conf from template 2 of 2 (stock-apache-ports.conf) if not nginx_enabled, to disable Apache port {{ apache_port }} localhost only - template: - src: stock-apache-ports.conf - dest: "/etc/{{ apache_service }}/ports.conf" - when: not nginx_enabled +# - name: Install /etc/{{ apache_service }}/ports.conf from template 2 of 2 (stock-apache-ports.conf) if not nginx_enabled, to disable Apache port {{ apache_port }} localhost only +# template: +# src: stock-apache-ports.conf +# dest: "/etc/{{ apache_service }}/ports.conf" +# when: not nginx_enabled -- name: Enable & Restart '{{ apache_service }}' if Apache is installed and enabled, since we stopped it - systemd: - 
name: "{{ apache_service }}" # apache2 or httpd, per /opt/iiab/iiab/vars/.yml - daemon_reload: yes - state: restarted - enabled: true - when: apache_installed is defined and apache_enabled # or not nginx_enabled +# - name: Enable & Restart '{{ apache_service }}' if Apache is installed and enabled, since we stopped it +# systemd: +# name: "{{ apache_service }}" # apache2 or httpd, per /opt/iiab/iiab/vars/.yml +# daemon_reload: yes +# state: restarted +# enabled: true +# when: apache_installed is defined and apache_enabled # or not nginx_enabled - name: Enable & (Re)Start 'nginx' systemd service, if nginx_enabled diff --git a/roles/nginx/tasks/install.yml b/roles/nginx/tasks/install.yml index 3516825c1..d9f3c4dda 100644 --- a/roles/nginx/tasks/install.yml +++ b/roles/nginx/tasks/install.yml 
@@ -1,25 +1,42 @@ -- name: Stop '{{ apache_service }}' systemd service +- name: Stop & Disable '{{ apache_service }}' systemd service, in case it exists systemd: name: "{{ apache_service }}" # apache2 or httpd, per /opt/iiab/iiab/vars/.yml state: stopped + enabled: no ignore_errors: yes - # 'when: apache_installed is defined' insuff b/c mysql's php installs apache2 + # 'when: apache_installed is defined' insuff b/c mysql's php (etc) can install apache2 - name: 'Install 5 packages for NGINX: libnginx-mod-http-subs-filter, nginx-extras, php{{ php_version }}-fpm, uwsgi, uwsgi-plugin-python3' package: name: - libnginx-mod-http-subs-filter - nginx-extras - - php{{ php_version }}-fpm # Drags in [1] php{{ php_version }}-cli (superset of php{{ php_version }}-common) [2] libsodium23 (likewise installed in moodle/tasks/install.yml AND wordpress/tasks/install.yml) [3] php{{ php_version }}-json if PHP < 8.0 (NEEDED FOR nextcloud/tasks/install.yml AND pbx/tasks/freepbx_dependencies.yml AND wordpress/tasks/install.yml) + - php{{ php_version }}-fpm # INSTALLS [0] /etc/apache2/conf-available/php{{ php_version }}-fpm.conf AND DRAGS IN [1] php{{ php_version }}-cli (superset of php{{ php_version }}-common) [2] libsodium23 (likewise installed in moodle/tasks/install.yml AND wordpress/tasks/install.yml) [3] php{{ php_version }}-json if PHP < 8.0 (NEEDED FOR nextcloud/tasks/install.yml AND pbx/tasks/freepbx_dependencies.yml AND wordpress/tasks/install.yml) - uwsgi # Admin Console & roles/captiveportal should really install - uwsgi-plugin-python3 # these 2 packages on demand (not every IIAB needs these). 
state: present + +# 2021-08-07: Legacy from roles/httpd/tasks/install.yml + +# - name: 'Create group: admin' +# group: +# name: admin + # 2020-10-16: Removed per #2560 -#- name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console -# user: -# name: "{{ apache_user }}" # www-data or apache, per /opt/iiab/iiab/vars/.yml -# groups: shadow +# - name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console +# user: +# name: "{{ apache_user }}" # www-data or apache, per /opt/iiab/iiab/vars/.yml +# groups: shadow + +# - name: Add user {{ apache_user }} (from variable apache_user) to groups admin, shadow +# user: +# name: "{{ apache_user }}" # www-data on Debuntu +# #groups: admin,shadow +# groups: shadow # 2020-06-04: shadow nec for Admin Console login (this line had been clobbering user www-data's membership in group shadow, as set earlier by nginx/tasks/install.yml, SEE #2431) +# createhome: no +# append: yes + - name: Remove NGINX default config /etc/nginx/sites-enabled/default file: @@ -34,8 +51,8 @@ - { src: 'server.conf.j2', dest: '/etc/nginx/server.conf' } - { src: 'nginx.conf.j2', dest: '/etc/nginx/nginx.conf' } - { src: 'mime.types.j2', dest: '/etc/nginx/mime.types' } - #- { src: 'ports.conf.j2', dest: '/etc/{{ apache_service }}/ports.conf' } # Moved to enable-or-disable.yml - #- { src: 'iiab.conf.j2', dest: "{{ nginx_conf_dir }}/iiab.conf" } # Moved into homepage.yml below + # - { src: 'ports.conf', dest: '/etc/{{ apache_service }}/ports.conf' } # 2021-08-09: Restored from enable-or-disable.yml then moved to roles/pbx/tasks/apache.yml + # - { src: 'iiab.conf.j2', dest: "{{ nginx_conf_dir }}/iiab.conf" } # Moved into homepage.yml, invoked later by roles/www_options/tasks/main.yml (see below!) - debug: msg: roles/nginx/tasks/homepage.yml will run LATER (invoked by roles/www_options/tasks/main.yml) SO THAT NGINX CAN REDIRECT http://box TO http://box{{ iiab_home_url }} (based on var iiab_home_url) 
@@ -45,7 +62,6 @@ systemd: name: "php{{ php_version }}-fpm" state: restarted - #when: nginx_enabled # RECORD NGINX AS INSTALLED diff --git a/roles/nginx/templates/server.conf.j2 b/roles/nginx/templates/server.conf.j2 index 0272a27f8..6e996c4bb 100644 --- a/roles/nginx/templates/server.conf.j2 +++ b/roles/nginx/templates/server.conf.j2 @@ -1,6 +1,8 @@ server { root {{ doc_root }}; - server_name {{ iiab_hostname }}; + server_name $hostname; # e.g. box.lan, set dynamically when NGINX starts + #server_name {{ iiab_hostname }}.{{ iiab_domain }}; + #server_name {{ iiab_hostname }}; listen 80; index index.php index.html index.htm; @@ -20,9 +22,10 @@ server { include fastcgi_params; } - location /cgi-bin { - root /usr/lib; - } + # 2021-07-30: Security risk identified by @tim-moody + #location /cgi-bin { + # root /usr/lib; + #} # if you don't like seeing all the errors for missing favicon.ico in root location = /favicon.ico { access_log off; log_not_found off; } diff --git a/roles/nginx/templates/stock-apache-ports.conf b/roles/nginx/templates/stock-apache-ports.conf.unused similarity index 100% rename from roles/nginx/templates/stock-apache-ports.conf rename to roles/nginx/templates/stock-apache-ports.conf.unused diff --git a/roles/nodejs/tasks/install.yml b/roles/nodejs/tasks/install.yml index ba3536c96..f2843bc47 100644 --- a/roles/nodejs/tasks/install.yml +++ b/roles/nodejs/tasks/install.yml 
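Review bot: The `/cgi-bin` block in the second hunk is neutralised by commenting it out, but the reason is recorded as a name and date rather than an explanation, so nothing stops it being restored later. nginx serves a `root` location as static files, so `location /cgi-bin { root /usr/lib; }` would have handed out the contents of /usr/lib/cgi-bin, script source included, to any client; I would delete the three lines and keep a comment such as `# No /cgi-bin location: nginx has no CGI support, so a root-based location here only exposes /usr/lib/cgi-bin as static files (2021-07-30, @tim-moody)`. The new comment on `server_name $hostname;` in the first hunk says when the value is resolved but not that it comes from the OS hostname, which is what a reader will wonder.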
@@ -7,11 +7,12 @@ # 2019-07-04: FOR A SOMEWHAT MORE MODERN "VERSION DETECTOR" SEE: # github.com/iiab/iiab/blob/master/roles/nextcloud/tasks/install.yml#L1-L40 -- name: Try to run 'nodejs -v' to get Node.js version - # 'node -v' doesn't work with older versions e.g. Ubuntu 16.04's nodejs 4.2.6 +- name: Try to run 'node -v' to get Node.js version + # 'node -v' doesn't work with older versions e.g. Ubuntu 16.04's Node.js 4.2.6 + # 'nodejs -v' doesn't work with newer versions e.g. Node.js 16.x # Both below convert v10.15.1 to 10.x, but this is safer: (removes non-digits) - shell: nodejs -v | sed 's/[^0-9]*//' | sed 's/[^0-9].*/.x/' - #shell: nodejs -v | sed 's/^[vV]//' | sed 's/\..*/.x/' + shell: node -v | sed 's/[^0-9]*//' | sed 's/[^0-9].*/.x/' + #shell: node -v | sed 's/^[vV]//' | sed 's/\..*/.x/' register: nodejs_version_installed #- debug: 
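Review bot: The pipeline in `shell: node -v | sed ... | sed ...` returns the last sed's exit status, so a host without `node` yields rc 0 with empty stdout rather than a failed task; the later `when:` conditions on `nodejs_version_installed.stdout` in this file depend on exactly that, but the new comment only explains why `node` replaced `nodejs`. Worth stating next to the shell line, e.g. `# Pipeline deliberately hides a missing 'node' (rc 0, stdout ""); later tasks test stdout, not rc`. Any `failed_when`/`ignore_errors` on this task lies outside the hunk, so I cannot tell whether a non-zero rc is otherwise handled.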
@@ -32,22 +33,23 @@ # /etc/iiab/local_vars.yml -- then re-run this IIAB installer. # when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stderr == "" +# 2021-08-04: Regardless, nodesource.com (below) overwrites /etc/apt/sources.list.d/nodesource.list # Forces < 16.x or > 16.x to be removed, ignored if file is absent -- name: Remove /etc/apt/sources.list.d/nodesource.list if nodejs_version_installed.stdout is not {{ nodejs_version }} - file: - state: absent - path: /etc/apt/sources.list.d/nodesource.list - when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != "" +#- name: Remove /etc/apt/sources.list.d/nodesource.list if nodejs_version_installed.stdout is not {{ nodejs_version }} +# file: +# state: absent +# path: /etc/apt/sources.list.d/nodesource.list +# when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != "" # BRUTAL but ensures consistency across OS's / distros like Raspbian Desktop & Ubermix that often include an older version of Node.js # Forces < 16.x or > 16.x to be uninstalled -- name: ASK apt/yum/dnf TO REMOVE PRE-EXISTING Node.js {{ nodejs_version_installed.stdout }} (IF IT'S NOT {{ nodejs_version }}) +- name: ASK apt/yum/dnf TO REMOVE PRE-EXISTING Node.js "{{ nodejs_version_installed.stdout }}" (IF IT'S NOT {{ nodejs_version }}) package: name: nodejs state: absent - when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != "" + when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version + #when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != "" -# Forces == 16.x - name: Warn if Node.js {{ nodejs_version}} already installed & might 
be updated debug: msg: "WARN: YOUR Node.js {{ nodejs_version }} MIGHT NOW BE UPDATED USING nodesource.com" @@ -65,12 +67,12 @@ # state: absent # when: internet_available and is_debuntu -- name: Set up Node.js {{ nodejs_version }} apt sources (debuntu) +- name: Run 'curl -sL https://deb.nodesource.com/setup_{{ nodejs_version }} | bash -' to overwrite /etc/apt/sources.list.d/nodesource.list shell: curl -sL https://deb.nodesource.com/setup_{{ nodejs_version }} | bash - - args: - warn: no - creates: /etc/apt/sources.list.d/nodesource.list - when: internet_available and is_debuntu + #args: + # warn: no + # creates: /etc/apt/sources.list.d/nodesource.list + #when: internet_available # 2021-08-04: Better to fail & notify implementer! #when: internet_available and (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17) # NOT NEC TO TEST FOR is_raspbian_8 OR is_raspbian_9 AS /opt/iiab/iiab/vars/.yml # DEFINES THESE AS SUBSETS OF is_debian_8 OR is_debian_9 (FOR NOW!) @@ -80,21 +82,15 @@ # "npm install -g npm@latest" (all *SHOULD* be magically fixed by 2019-04-18 ?) # Forces update -- name: Install latest Node.js {{ nodejs_version }} which includes /usr/bin/npm (debuntu) +- name: Install latest Node.js {{ nodejs_version }} which includes /usr/bin/npm package: #name: nodejs={{ nodejs_version }} name: nodejs state: latest #state: present - when: internet_available and is_debuntu + #when: internet_available # 2021-08-04: Better to fail & notify implementer! #when: internet_available and (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17) -- name: Set up & install Node.js {{ nodejs_version }} which includes /usr/bin/npm (redhat) - shell: curl -sL https://rpm.nodesource.com/setup_{{ nodejs_version }} | bash - - args: - warn: no - when: internet_available and is_redhat - # 2018-07-14: BOTH STEPS ABOVE TAKE TIME, but Raspbian (apt offers npm # 1.4.21) & Debian 9 (apt offers no npm!) STILL NEED the above 
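Review bot: The new `when:` on the package-removal task drops the `stdout != ""` guard, so a host where `node -v` produced no output (no Node.js installed) now also runs `package: name: nodejs state: absent`; that is a no-op on apt, but the task name then prints `PRE-EXISTING Node.js ""`, and the old condition is left directly beneath as a comment, which reads as undecided. Either keep the guard or say why it was dropped, e.g. `# 2021-08-04: stdout == "" (no Node.js) is fine here: removing an absent package is a no-op`. The same keep-the-old-line-as-a-comment pattern recurs in the two following hunks (`#args:`, `#when:`).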
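Review bot: With `creates:` and the `when:` both commented out, `shell: curl -sL https://deb.nodesource.com/setup_{{ nodejs_version }} | bash -` now runs on every play, fetching a script over the network and executing it as root with no integrity check, and the task can never report `ok`; the 2021-08-04 comment explains the wish to fail loudly when offline but not the repeated remote execution. Better to replace it with `apt_key`/`apt_repository` tasks that pin the NodeSource repository and its signing key, so no downloaded script is executed at all; if the `curl | bash` form must stay, at least add `changed_when: false` with a comment that the setup script rewrites nodesource.list on every run. The next hunk (`Install latest Node.js`) drops `is_debuntu` from its `when:` at the same time as the redhat task is deleted, so the role now silently assumes apt-based hosts; one comment stating that assumption would help.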
diff --git a/roles/openvpn/tasks/install.yml b/roles/openvpn/tasks/install.yml index 025f3b9c4..cbe2e36af 100644 --- a/roles/openvpn/tasks/install.yml +++ b/roles/openvpn/tasks/install.yml @@ -1,17 +1,12 @@ -- name: Install OpenVPN and Nmap packages +- name: "Install packages: ncat, nmap, openvpn, sudo" package: name: - - openvpn + - ncat # Newer versions of NMap do not include NCat, needed to announce openvpn_handle (if Debian > 9 or Ubuntu > 18) - nmap + - openvpn + - sudo # (1) Should be installed prior to installing IIAB, (2) Can also be installed by 1-prep here, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!) state: present -# Newer versions of NMap do not include NCat, needed to announce /etc/iiab/openvpn_handle -- name: Install Ncat package (if Debian > 9 or Ubuntu > 18) - package: - name: ncat - state: present - when: is_debuntu and not (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18) - - name: Install ssh public keys for remote support (if openvpn_install) lineinfile: line: "{{ item.pubkey }}" 
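Review bot: `ncat` is now installed unconditionally, whereas the removed task only installed it where `is_debuntu and not (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18)` held, and its comment said those older releases do not ship a separate ncat package; if any of them is still a target, the single `package` task now fails there instead of skipping. A `when:` cannot be applied per item of one package list, so either keep ncat as its own task with the old condition or state in the inline comment that Debian 9 / Ubuntu 18.04 and earlier are no longer supported by this role. The inline comment on `sudo` lists four places it might be installed; naming only the one this role relies on would be easier to keep accurate.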
@@ -60,22 +55,23 @@ mode: "{{ item.mode }}" backup: yes with_items: - - { src: 'ca.crt', dest: '/etc/openvpn/keys/ca.crt', mode: '0644' } - - { src: 'client1.crt', dest: '/etc/openvpn/keys/client1.crt', mode: '0644' } - - { src: 'client1.key', dest: '/etc/openvpn/keys/client1.key', mode: '0600' } - - { src: 'announce', dest: '/etc/openvpn/scripts/announce', mode: '0755' } - - { src: 'announcer.j2', dest: '/etc/openvpn/scripts/announcer', mode: '0755' } - - { src: 'silence', dest: '/etc/openvpn/scripts/silence', mode: '0755' } + - { src: 'ca.crt', dest: '/etc/openvpn/keys/', mode: '0644' } + - { src: 'client1.crt', dest: '/etc/openvpn/keys/', mode: '0644' } + - { src: 'client1.key', dest: '/etc/openvpn/keys/', mode: '0600' } + - { src: 'announce', dest: '/etc/openvpn/scripts/', mode: '0755' } + - { src: 'announcer', dest: '/etc/openvpn/scripts/', mode: '0755' } + - { src: 'silence', dest: '/etc/openvpn/scripts/', mode: '0755' } - { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' } - - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' } + # - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' } # 2021-08-18 SSOT: Please instead set it in /etc/iiab/local_vars.yml + - { src: 'iiab-support', dest: '/usr/bin/', mode: '0755' } - { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' } - - { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' } + - { src: 'iiab-remote-off', dest: '/usr/bin/', mode: '0755' } -- name: Copy /opt/iiab/iiab/iiab-support to /usr/bin/iiab-support, in case git tree deleted e.g. on a smaller IIAB install - copy: - src: "{{ iiab_dir }}/iiab-support" - dest: /usr/bin/ - mode: '0755' +# - name: Copy /opt/iiab/iiab/iiab-support to /usr/bin/iiab-support, in case git tree deleted e.g. 
on a smaller IIAB install +# copy: +# src: "{{ iiab_dir }}/iiab-support" +# dest: /usr/bin/ +# mode: '0755' - name: Symlink /usr/bin/iiab-support-on -> /usr/bin/iiab-support file: diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml index 576ce225a..8c8577767 100644 --- a/roles/openvpn/tasks/main.yml +++ b/roles/openvpn/tasks/main.yml @@ -2,6 +2,24 @@ # http://FAQ.IIAB.IO -> "How can I remotely manage my Internet-in-a-Box?" +# AUGUST 2018 - AUGUST 2021 + +# (1) openvpn_handle could no longer be left undefined OR null +# (two different concepts in Ansible, see /opt/iiab/iiab/test.yml) + +# 2021-08-19 UPDATE: the /usr/bin/iiab-support command can now handle almost +# any /etc/iiab/local_vars.yml (PR #2957) making it all much more resilient! + +# (2) openvpn_handle: "" (EMPTY STRING) IS HOWEVER TOLERATED -- in which case +# the OpenVPN server instead tries to use the 1st 6 chars of /etc/iiab/uuid + +# (3) Finally if there's no client UUID (/etc/iiab/uuid) -- the OpenVPN server +# falls back to labelling that machine as generic: "client1's certificate" + +# SEE ALSO /etc/openvpn/scripts/announcer & /usr/bin/iiab-support from: +# https://github.com/iiab/iiab/tree/master/roles/openvpn/templates + + # "How do i fail a task in Ansible if the variable contains a boolean value? # I want to perform input validation for Ansible playbooks" # https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499 
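Review bot: `client1.key` is still deployed with `mode: '0600'` from the role's own files; if that file is a static key kept in the repository rather than generated per host, every IIAB shares one OpenVPN client identity and the server can tell boxes apart only by the handle/UUID the announcer reports. That predates this hunk, but since the list is being reworked here it is the moment to either document that design decision above `with_items` or move to per-device credentials. Minor: the `.j2` suffix is dropped for `announcer` while `xscenet.conf.j2` and `iiab-remote-on.j2` keep it in the same list, so a reader should be told that the module (outside the hunk, presumably `template`) renders every entry regardless of suffix, e.g. `# Every src is rendered as a template, .j2 or not`.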
@@ -42,7 +60,6 @@ value: OpenVPN - option: description value: '"OpenVPN enables live/remote support by connecting machines anywhere on the Internet, via a middleman server, using Virtual Private Network (VPN) techniques to create secure connections."' -# openvpn_handle variable can no longer be left completely undefined of August 2018 (EMPTY STRING "" IS TOLERATED, in which case OpenVPN server should use /etc/iiab/uuid in lieu of the handle) - option: openvpn_install value: "{{ openvpn_install }}" - option: openvpn_enabled diff --git a/roles/openvpn/templates/15-openvpn.deprecated b/roles/openvpn/templates/15-openvpn.unused similarity index 100% rename from roles/openvpn/templates/15-openvpn.deprecated rename to roles/openvpn/templates/15-openvpn.unused diff --git a/roles/openvpn/templates/announcer b/roles/openvpn/templates/announcer new file mode 100755 index 000000000..824a43ba4 --- /dev/null +++ b/roles/openvpn/templates/announcer 
@@ -0,0 +1,74 @@ +#!/bin/bash -x +# Small daemon to identify this machine to the OpenVPN server + +# SEE /usr/bin/iiab-support for local_vars.yml var extraction explanation + +# EMULATE ANSIBLE: but additionally Force Empty String Where Nec, e.g. whether +# local_vars.yml sets openvpn_handle to "" (or worst case null, or not at all!) +HANDLE=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") + +# ALSO GO 1 STEP FURTHER THAN ANSIBLE: convert remaining spaces to underscores, +# for OpenVPN server. iiab-support emulates this, to help folks understand. +HANDLE=${HANDLE// /_} # Same as "s/ /_/g" + +# Likewise empty string is the worst case, e.g. if file doesn't exist. +# If $HANDLE is "", OpenVPN server tries to use the 1st 6 chars of UUID, +# e.g. e1a3d4 from e1a3d4e2-2d1a-4f37-9ba0-e836d7c8e3ca +# SEE "AUGUST 2018 - AUGUST 2021" RECAP ON TOP OF: roles/openvpn/tasks/main.yml +UUID=$(cat /etc/iiab/uuid) + +/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" & + + + +# 2021-08-18: Let's finally do it 3 years lster, simplifying from 4 places to 1 +# at long last. Per SSOT (single source of truth). + +# #HANDLE= +# #UUID= +# #if [ -f /etc/iiab/openvpn_handle ]; then +# # Option #1: Source directly from /etc/iiab/local_vars.yml in future? +# # Option #2 +# HANDLE=$(cat /etc/iiab/openvpn_handle) # Sets to "" if file doesn't exist (error is ok!) + +# # Sourcing a variable from ~4 different places is a recipe for total confusion +# # (or worse!) Far better to make variable openvpn_handle and file +# # /etc/iiab/openvpn_handle "obligatory" (EMPTY STRING "" IS TOLERATED, IN WHICH +# # CASE OPENVPN SERVER TRIES TO USE /etc/iiab/uuid BELOW, IN LIEU OF HANDLE...) + +# # CLARIF: "systemctl restart openvpn" still works tolerably even if the above +# # is defied, auto-starting child service openvpn@xscenet per usual +# # (e.g. 
if /etc/iiab/openvpn_handle is deleted by accident!) + +# #else +# # # Option #3: Dangerous to invoke hypothetical variables :( +# # source {{ iiab_env_file }} +# # # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from {{ iiab_ini_file }}, but safer now that relegated to #4 ? +# # if [ -z "$HANDLE" ]; then +# # HANDLE=`cat {{ iiab_ini_file }} | gawk \ +# # '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'` +# # fi +# #fi +# HANDLE=${HANDLE// /_} # Change all spaces to underscores +# #if [ -f /etc/iiab/uuid ]; then +# UUID=$(cat /etc/iiab/uuid) # Sets to "" if file doesn't exist (error is ok!) +# #fi + +# SERVER=/usr/bin/ncat +# #ID=$(printf "HANDLE = %s|UUID = %s" $HANDLE $UUID) +# #ID=$(echo "HANDLE = ${HANDLE}|UUID = ${UUID}") +# ID=$(echo "HANDLE = $HANDLE|UUID = $UUID") +# # August 2018: Removal of trailing '|' tested on Raspbian, Ubuntu 18.04 & Ubuntu 16.04 +# #ID=`printf "HANDLE = %s|UUID = %s|" $HANDLE $UUID` + +# # Start the daemon which will serve the handle on demand +# {% if is_debuntu %} +# $SERVER -l -k -p1705 --exec "/bin/echo $ID" & +# # 2020-11-23: USE 1 LINE INSTEAD OF 9 LINES, IF WE MANDATE debuntu: +# #/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" & +# {% else %} +# source /etc/init.d/functions +# PID_FILE=/var/run/openvpn/announce.pid +# daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $ID\"" & +# #daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $(printf 'HANDLE = %s|UUID = %s' $HANDLE $UUID)\"" & +# {% endif %} diff --git a/roles/openvpn/templates/announcer.j2 b/roles/openvpn/templates/announcer.j2 deleted file mode 100755 index 7d55d305b..000000000 --- a/roles/openvpn/templates/announcer.j2 +++ /dev/null 
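Review bot: `/usr/bin/ncat -l -k -p1705 --exec ...` listens on every interface, so the HANDLE/UUID string is served to any client on the LAN as well as to the OpenVPN server over tun0, and nothing in this file restricts it. If only the VPN side needs it, bind the listener to the tun0 address (ncat takes a bind address before the port with `-l`) or filter port 1705 on the LAN interfaces, and say which in a comment. `#!/bin/bash -x` also traces every line, including the grep/sed pipeline that extracts `openvpn_handle`, into whatever captures the daemon's stderr; drop `-x` or make it conditional now that the script is settled. The fifty-odd commented-out lines below the `ncat` call duplicate the deleted `announcer.j2` and could be a one-line reference to git history instead.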
@@ -1,51 +0,0 @@ -#!/bin/bash -x -# Small daemon to identify this machine to the OpenVPN server - -#HANDLE= -#UUID= -#if [ -f /etc/iiab/openvpn_handle ]; then - # Option #1: Source directly from /etc/iiab/local_vars.yml in future? - # Option #2 - HANDLE=$(cat /etc/iiab/openvpn_handle) # Sets to "" if file doesn't exist (error is ok!) - -# Sourcing a variable from ~4 different places is a recipe for total confusion -# (or worse!) Far better to make variable openvpn_handle and file -# /etc/iiab/openvpn_handle "obligatory" (EMPTY STRING "" IS TOLERATED, IN WHICH -# CASE OPENVPN SERVER TRIES TO USE /etc/iiab/uuid BELOW, IN LIEU OF HANDLE...) - -# CLARIF: "systemctl restart openvpn" still works tolerably even if the above -# is defied, auto-starting child service openvpn@xscenet per usual -# (e.g. if /etc/iiab/openvpn_handle is deleted by accident!) - -#else -# # Option #3: Dangerous to invoke hypothetical variables :( -# source {{ iiab_env_file }} -# # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from {{ iiab_ini_file }}, but safer now that relegated to #4 ? -# if [ -z "$HANDLE" ]; then -# HANDLE=`cat {{ iiab_ini_file }} | gawk \ -# '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'` -# fi -#fi -HANDLE=${HANDLE// /_} # Change all spaces to underscores -#if [ -f /etc/iiab/uuid ]; then - UUID=$(cat /etc/iiab/uuid) # Sets to "" if file doesn't exist (error is ok!) 
-#fi - -SERVER=/usr/bin/ncat -#ID=$(printf "HANDLE = %s|UUID = %s" $HANDLE $UUID) -#ID=$(echo "HANDLE = ${HANDLE}|UUID = ${UUID}") -ID=$(echo "HANDLE = $HANDLE|UUID = $UUID") -# August 2018: Removal of trailing '|' tested on Raspbian, Ubuntu 18.04 & Ubuntu 16.04 -#ID=`printf "HANDLE = %s|UUID = %s|" $HANDLE $UUID` - -# Start the daemon which will serve the handle on demand -{% if is_debuntu %} -$SERVER -l -k -p1705 --exec "/bin/echo $ID" & -# 2020-11-23: USE 1 LINE INSTEAD OF 9 LINES, IF WE MANDATE debuntu: -#/usr/bin/ncat -l -k -p1705 --exec "/bin/echo HANDLE = $HANDLE|UUID = $UUID" & -{% else %} -source /etc/init.d/functions -PID_FILE=/var/run/openvpn/announce.pid -daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $ID\"" & -#daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $(printf 'HANDLE = %s|UUID = %s' $HANDLE $UUID)\"" & -{% endif %} diff --git a/roles/openvpn/templates/iiab-remote-off b/roles/openvpn/templates/iiab-remote-off old mode 100644 new mode 100755 diff --git a/roles/openvpn/templates/iiab-support b/roles/openvpn/templates/iiab-support new file mode 100755 index 000000000..784327d31 --- /dev/null +++ b/roles/openvpn/templates/iiab-support 
@@ -0,0 +1,184 @@ +#!/bin/bash + +# Run 'sudo iiab-support' to turn on OpenVPN without hassle. GENERAL TIPS: +# http://FAQ.IIAB.IO -> "How can I remotely manage my Internet-in-a-Box?" + +# "AUGUST 2018 - AUGUST 2021" Technical Recap at the top of: +# https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/main.yml + +DEBUG=false # Using /usr/bin/true or /usr/bin/false +PLAYBOOK="install-support.yml" +INVENTORY="ansible_hosts" + +# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml +# https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97 +# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L13 +# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52 +# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34 +# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN + +# PARSE local_vars.yml JUST AS Ansible & /etc/openvpn/scripts/announcer DO: +# (1) In case var's defined multiple times, 'tail 1' takes the last assignment. +# (2) sed: Strip 'varname:\s' on left. +# (3) sed: Strip '#comment' on right. +# (4) sed: Strip any outer spacing. +# (5) sed: Strip up-to-1 pair of matching outer quotes. + +# 'announcer' (from openvpn/templates) ALSO GOES ONE STEP FURTHER THAN ANSIBLE: +# (6) Convert remaining spaces to underscores. + +# Steps (1) and (2) are Not Applicable with live/keyboard input. +# Steps (3), (4) and (5) are Optional with live/keyboard input (here we do it!) +# Step (6) is always required for OpenVPN here (file input or live/keyboard!) + +# NOTE Ansible vars can have non-string value null. This is different from +# undefined -- from Ansible's perspective -- SEE /opt/iiab/iiab/test.yml +# BUT HERE IN BASH, we focus only on string values e.g. "" empty string if nec: +# (a) WITH INPUT, we choose to ignore lines like "^var:$" that lack whitespace. 
+# Ansible would have assigned the null value. We do not. We force "" +# (b) INPUT LINES "^var:\s\+$" (trailing whitespace) we force to empty string. +# Ansible would have assigned the null value. We do not. We force "" +# (c) WITH *OUTPUT* we aggressively overwrite null var lines, including both +# "^var:$" (no trailing whitespace) and "^var:\s\+$" (trailing whitespace). + +echo -e "\e[0m" # Turn off all ANSI/VT100 colors + +if [ -f /etc/iiab/openvpn_handle ]; then + echo -e "\n \e[41mFYI /etc/iiab/openvpn_handle is no longer supported.\e[0m\n" + echo -e " \e[41m/etc/iiab/local_vars.yml is now used instead (SSOT).\e[0m\n\n" +fi + +# (1), (2), (3) and (4) for now -- then (5) and (6) further below +handle=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | tail -1 | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//") + +if $($DEBUG); then + echo -e "/etc/iiab/local_vars.yml shows:\n" + grep "^openvpn_" /etc/iiab/local_vars.yml + echo + echo "Your OpenVPN machine name -- source: $handle" +fi + +# Preview of steps (5) and (6) +echo -ne "\e[1mYour OpenVPN machine name is set to: \e[100m" +echo -n "$handle" | sed "s/^\(['\"]\)\(.*\)\1$/\2/; s/ /_/g" # Avoid '-e' interpreting backlash escapes, to show var accurately! Double quote var to prevent field splitting (eats spaces) +echo -e "\e[0m\n" # Separate line also for trailing backslash in var + +echo -e "\e[1mPlease type a descriptive OpenVPN machine name (openvpn_handle) such as:\n" + +echo -e " cape-town-school-36-rpi-2019-05-31\n" + +echo -en "Or hit [Enter] to keep the existing name:\e[0m " +read ans < /dev/tty # Strips outer whitespace, whether we like it or not! + +if [ "$ans" = "" ]; then # (A) Simple! Writes to local_vars.yml a bit more often than nec. +# if [ "$ans" = "" ] || [ "$ans" = "$handle" ]; then # (B) Only write when nec? Also works. +# if ( [ "$ans" = "" ] || [ "$ans" = "$handle" ] ) && [ "$handle" != "" ]; then # (C) Overkill. 
+ echo -e "\n \e[100mopenvpn_handle REMAINS UNCHANGED IN /etc/iiab/local_vars.yml\e[0m\n" +else + if grep -q '^openvpn_handle:' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml + else + echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml + fi + + echo -e "\n \e[7mSAVED TO: /etc/iiab/local_vars.yml\e[0m\n" + + if $($DEBUG); then + echo -e "/etc/iiab/local_vars.yml shows:\n" + grep "^openvpn_" /etc/iiab/local_vars.yml + echo + fi + + # NEXT 4 LINES AREN'T ESSENTIAL: but they allow user to type in a '# comment' for the right side of /etc/iiab/local_vars.yml + + # (3) sed: Strip '# comment' on right, as Ansible would do. + ans=$(echo "$ans" | sed "s/#.*//") # Double quote var to prevent field splitting (eats spaces) + # (4) sed: Strip any outer spacing, as Ansible would do. + ans=$(echo "$ans" | sed "s/^\s*//; s/\s*$//") # Code Safety: lstrip not nec, given "read" command above, but one day $ans might arise from elsewhere + + handle=$ans; # For display at bottom +fi + +if $($DEBUG); then + echo '$handle after (1)-(4), prior to (5)-(6):' "$handle" + echo +fi + +# (5) sed: Strip up-to-1 pair of matching outer quotes, as Ansible would do. 
+handle=$(echo "$handle" | sed "s/^\(['\"]\)\(.*\)\1$/\2/") +# (6) Convert remaining spaces to underscores, just as /etc/openvpn/scripts/announcer does -- same as "s/ /_/g" +handle=${handle// /_} + +if grep -q '^openvpn_installed:\s\+[tT]rue\b' /etc/iiab/iiab_state.yml; then + echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n" +else + echo -e "Plz wait a few minutes as sshd & OpenVPN are confirmed/installed...\n" + if grep -q '^openvpn_install:' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml + else + echo "openvpn_install: True" >> /etc/iiab/local_vars.yml + fi + + if [ -d /opt/iiab/iiab ]; then + cd /opt/iiab/iiab + export ANSIBLE_LOG_PATH="/opt/iiab/iiab/iiab-install.log" + ansible -m setup -i $INVENTORY localhost --connection=local | grep python + ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local + # 2 roles (sshd & openvpn) faster than running all of "./runrole 1-prep" + echo + else + echo -e " \e[41m Directory /opt/iiab/iiab does not exist: CANNOT INSTALL OPENVPN! \e[0m\n" + exit 1 + fi +fi + +echo -e "Now let's (re)enable OpenVPN...\n" +if grep -q '^openvpn_enabled:' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml +else + echo "openvpn_enabled: True" >> /etc/iiab/local_vars.yml +fi +systemctl enable openvpn + +echo -e "\nNow let's restart OpenVPN..." +#systemctl start openvpn +systemctl restart openvpn + +echo -en "\n " +for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done +echo -en " OpenVPN TIPS " +for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done + +echo -e "\n\n 1. Check your Internet connection: run 'ping 8.8.8.8' and 'ping mit.edu'" +echo -e " 2. Check your OpenVPN connection: run 'ping 10.8.0.1'" +echo -e " 3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x" +echo -e " 4. 
If necessary, run 'systemctl restart openvpn' which should" +echo -e " run 'systemctl restart openvpn@xscenet' for you." +echo -e " 5. SOMETIMES WAITING A MINUTE HELPS -- retry steps 2 and 3 to monitor." +echo -e " 6. If in future you want to disable OpenVPN connections to-and-from your" +echo -e " Internet-in-a-Box (IIAB) please run 'iiab-support-off' at that time." +echo -e " 7. Read 'How can I remotely manage my Internet-in-a-Box?' at" +echo -e " http://FAQ.IIAB.IO to learn about DIY remote support alternatives" +echo -e " like ngrok, serveo, remot3.it and TeamViewer.\n" + +echo -en " " +for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done +echo -en " OpenVPN TIPS " +for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done + +echo -e "\n\nNow let's wait 15 seconds, as OpenVPN handshake sometimes needs that (or more!)" +sleep 15 + +# echo -ne "\nYour OpenVPN machine name, per openpvn_handle: \e[32m" +# echo -ne "\nYour OpenVPN machine name is set to..........: \e[32m" +echo -ne "\nYour OpenVPN machine name (openvpn_handle) is: \e[32m" # Actually step (6) above took it just beyond Ansible's (1)-(5) interpretation of openvpn_handle -- i.e. this line just provides a hint to users -- as to how /etc/openvpn/scripts/announcer converts their spaces to underscores when starting OpenVPN. +echo -n "$handle" # Avoid '-e' interpreting backlash escapes, to show var accurately! Double quote var to prevent field splitting (eats spaces) +echo -e "\e[0m" + +vpnip=$(ip a | grep tun0$ | awk '{print $2}') +if [ "$vpnip" != "" ]; then + echo -e "Your OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n" +else + echo -e "\n \e[41m ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS \e[0m\n" + exit 1 +fi diff --git a/iiab-support b/roles/openvpn/templates/iiab-support.older similarity index 79% rename from iiab-support rename to roles/openvpn/templates/iiab-support.older index 91ec00a7d..7896579eb 100755 --- a/iiab-support 
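Review bot: The operator's answer is spliced unescaped into a sed replacement, `sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml`, so a `/` in the name terminates the expression and sed aborts, `&` re-inserts the matched text, and a backslash is interpreted, while the `echo ... >>` fallback branch writes the raw value, so the two branches disagree. Escape once before the write with bash expansions, `ans_sed=${ans//\\/\\\\}; ans_sed=${ans_sed//\//\\/}; ans_sed=${ans_sed//&/\\&}`, and use `$ans_sed` in the `s///` replacement; the same unescaped pattern is in the `openvpn_handle` hunk of `iiab-support.older` further down. The value is also written as a bare YAML scalar, so an answer such as `yes` or `1.10` is re-typed when Ansible reads it back; either quote it on write or note the limitation in the comment above the prompt. Minor style: `if $($DEBUG); then` relies on the exit status of an empty command substitution; `if $DEBUG; then` says the same thing directly.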
+++ b/roles/openvpn/templates/iiab-support.older @@ -6,7 +6,13 @@ INVENTORY="ansible_hosts" # openvpn_handle is stored in 2 files on disk, one slightly stripped down (from # the other) due to Ansible. So we emulate Ansible's behavior, when reading from # (and later writing to) disk, removing outer cruft as explained on Lines 31-33: -handle1=$(grep "^openvpn_handle:" /etc/iiab/local_vars.yml | sed -e "s/^openvpn_handle://; s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") +handle1=$(grep "^openvpn_handle:\s" /etc/iiab/local_vars.yml | sed "s/^openvpn_handle:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") +# 2021-08-17: bash scripts using default_vars.yml &/or local_vars.yml +# https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97 +# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L12 +# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L47-L51 +# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34 +# https://github.com/iiab/iiab/blob/master/iiab-support READS AND WRITES, INCL NON-BOOLEAN (openvpn_handle) echo -e "\n/etc/iiab/local_vars.yml source/master copy: $handle1" if [ -f /etc/iiab/openvpn_handle ]; then handle2=$(cat /etc/iiab/openvpn_handle) @@ -25,8 +31,8 @@ read ans < /dev/tty #if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -f /etc/iiab/openvpn_handle ] ); then # -v (below) checks if var's defined: equivalent to file existence test above if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -v handle2 ] ); then - if grep -q '^openvpn_handle:' /etc/iiab/local_vars.yml; then - sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml + if grep -q '^openvpn_handle:\s' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_handle:\s.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml else echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml fi 
@@ -34,7 +40,7 @@ if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -v handle2 ] ); then # BEHAVIOR JUST LIKE ANSIBLE'S: create /etc/iiab/openvpn_handle from the # "^openvpn_handle:" line in /etc/iiab/local_vars.yml by (1) removing outer # spacing IF NEC, then (2) removing 1 pair of matching outer quotes IF NEC: - ans=$(echo $ans | sed -e "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") + ans=$(echo $ans | sed "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/") echo $ans > /etc/iiab/openvpn_handle echo -e "\n\e[1mSAVED: openvpn_handle recorded into both above files.\e[0m\n" elif [ "$handle1" != "$handle2" ]; then # Sloppily, but conveniently here, @@ -46,12 +52,12 @@ else echo -e "\n\e[1mWARNING: openvpn_handle remains unchanged in both above files.\e[0m\n" fi -if grep -q '^openvpn_installed: True\b' /etc/iiab/iiab_state.yml; then +if grep -q '^openvpn_installed:\s\+[tT]rue\b' /etc/iiab/iiab_state.yml; then echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n" else echo -e "Plz wait a few minutes as sshd, iiab-admin & OpenVPN are confirmed/installed...\n" - if grep -q '^openvpn_install:' /etc/iiab/local_vars.yml; then - sed -i "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml + if grep -q '^openvpn_install:\s' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_install:\s.*/openvpn_install: True/" /etc/iiab/local_vars.yml else echo "openvpn_install: True" >> /etc/iiab/local_vars.yml fi @@ -70,8 +76,8 @@ else fi echo -e "Now let's (re)enable OpenVPN...\n" -if grep -q '^openvpn_enabled:' /etc/iiab/local_vars.yml; then - sed -i "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml +if grep -q '^openvpn_enabled:\s' /etc/iiab/local_vars.yml; then + sed -i "s/^openvpn_enabled:\s.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml else echo "openvpn_enabled: True" >> /etc/iiab/local_vars.yml fi 
diff --git a/roles/openvpn/templates/openvpn_handle.j2 b/roles/openvpn/templates/openvpn_handle.j2.unused similarity index 100% rename from roles/openvpn/templates/openvpn_handle.j2 rename to roles/openvpn/templates/openvpn_handle.j2.unused diff --git a/roles/pbx/README.adoc b/roles/pbx/README.adoc new file mode 100644 index 000000000..7a0d62f5b --- /dev/null +++ b/roles/pbx/README.adoc 
@@ -0,0 +1,318 @@ += PBX README +:toc: preamble +:toc-title: + +https://internet-in-a-box.org[Internet-in-a-Box (IIAB)] can install https://asterisk.org/[Asterisk] and https://freepbx.org/[FreePBX] for Voice over IP (VoIP) calls using regular Android and iPhone softphone (SIP) apps — e.g. for low-cost and rural telephony. + +As of August 2021, IIAB installs https://wiki.asterisk.org/wiki/display/AST/Asterisk+18+Documentation[Asterisk 18] and https://www.freepbx.org/freepbx-16-beta-is-here/[FreePBX 16 Beta], as required by the latest PHP 7.4 Linux OS's (https://github.com/iiab/iiab/pull/2899[PR #2899]). Please consider installing this on https://github.com/iiab/iiab/wiki/IIAB-Platforms#operating-systems[Ubuntu 20.04+, Debian 11 — or the imminent Raspberry Pi OS 11 "Bullseye"]. + +_PLEASE UNDERSTAND THIS MEANS THAT: IIAB no longer supports FreePBX 15 (Linux with PHP < 7.4, e.g. Raspberry Pi OS 10 "Buster"). Thank you for your understanding, as we look to the future together!_ + +_Upcoming:_ IIAB will consider supporting Asterisk 19, on or around its 2021-09-28 expected release date (https://github.com/iiab/iiab/issues/2934[#2934]). + +_Historical:_ Back in February 2019, IIAB had installed Asterisk 16 and FreePBX 15, e.g. for Ubuntu 18.04, Debian 9 "Stretch" and experimentally, Raspberry Pi (https://github.com/iiab/iiab/issues/1467[#1467]). + + + +== What Asterisk & FreePBX do + +https://en.wikipedia.org/wiki/Asterisk_(PBX)[Asterisk] is a software implementation of a private branch exchange (PBX). In conjunction with suitable telephony hardware interfaces and network applications, Asterisk is used to establish and control telephone calls between telecommunication endpoints, such as customary telephone sets, destinations on the public switched telephone network (PSTN), and devices or services on Voice over Internet Protocol (VoIP) networks. Its name comes from the asterisk (*) symbol for a signal used in dual-tone multi-frequency (DTMF) dialing. 
+ +https://en.wikipedia.org/wiki/FreePBX[FreePBX] is a web-based open source GUI (graphical user interface) that controls and manages Asterisk (PBX), the open source communications server. + + +== Install it + +. As you begin installing Internet-in-a-Box (IIAB) from http://download.iiab.io[download.iiab.io], it will prompt you: ++ +---- +Edit /etc/iiab/local_vars.yml to customize your Internet-in-a-Box? [Y/n] +---- ++ +Accept the challenge! Make sure your IIAB configuration file (http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F[/etc/iiab/local_vars.yml]) contains: ++ +---- +pbx_install: True +pbx_enabled: True +---- ++ +FreePBX can be used with either or both web servers, NGINX on port 80 (as is new) and/or Apache on port 83 (as is traditional). ++ +If you don't want Apache installed on your IIAB, and you prefer NGINX's shorter URL (http://box/freepbx), optionally set this line in your http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F[/etc/iiab/local_vars.yml] prior to installing IIAB: ++ +---- +pbx_use_apache: False +---- ++ +Or, if you want to use FreePBX with Apache alone (http://box:83/freepbx), optionally set this line in your /etc/iiab/local_vars.yml: ++ +---- +pbx_use_nginx: False +---- ++ +If using PBX intensively, please adjust `/etc/php/X.Y/apache2/php.ini`, `/etc/php/X.Y/cli/php.ini` and/or `/etc/php/X.Y/nginx/php.ini` (where `X.Y` is typically 7.4) as outlined within https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L88-L131[/opt/iiab/iiab/roles/www_options/tasks/main.yml] — some of which happens automatically if you also set: ++ +---- +nginx_high_php_limits: True +---- ++ +Optionally, you may want to enable https://github.com/wdoekes/asterisk-chan-dongle[chan_dongle], which is a channel driver for Huawei UMTS cards (e.g. 3G USB dongles) allowing regular voice calls over GSM mobile networks. 
You will need to configure a dongle post-install, for it to be recognized properly: ++ +---- +asterisk_chan_dongle: True +---- + +. _Complete the installation,_ proceeding with the regular instructions (e.g. run `sudo iiab`, repeatedly if necessary). +// of IIAB and this https://github.com/iiab/iiab/tree/master/roles/pbx[roles/pbx] Ansible playbook + +. _After IIAB is installed with Asterisk and FreePBX,_ verify that the FreePBX service is running, by running this at the command-line: ++ +---- +systemctl status freepbx +---- ++ +If FreePBX is not running well, check the long-form output of `journalctl -u freepbx` and the <> section further below. + +// After installing PBX as part of IIAB, please visit http://box.lan/freepbx (NGINX) or http://box.lan:83/freepbx (Apache) and proceed with initial configuration (no login/password is required initially — you will be asked to set this up!) + + +== Try it out with an Android or iPhone softphone (SIP) app +// SIP Set up a basic working FreePBX configuration with a PJSIP extension + +. Log in to FreePBX ++ +// After installing PBX as part of IIAB, please +Browse to http://box/freepbx (NGINX) or http://box:83/freepbx (Apache), and proceed with initial configuration (no login/password is required initially — you will be asked to set this up!) +// You will be asked to set up your username and password the first time you login, which will be used in future to log in for FreePBX configuration. ++ +To log in, click the first option: *FreePBX Administration* ++ +If you forgot your FreePBX password, see <<#Password_Recovery,further below>>. + +. Change your Asterisk password, if you choose + +* Click *Settings* > *Advanced Settings* +** In section *Asterisk Manager*, change your *Asterisk Manager Password* +* Click *Submit* (bottom of page), then *Apply Config* (top of page) ++ +image::files/advanced_settings.jpg[] + +. 
Set Network NAT Settings + +* Go to *Settings* > *Asterisk SIP settings* + +** In section *NAT Settings*, click *Detect Network Settings* to populate your *External Address* and *Local Networks*. +** Under *Local Networks*, you can also manually set an IP/CIDR (e.g. `192.168.0.0/24`) or an IP/NETMASK (e.g. `192.168.0.0/255.255.255.0`). + +* Click *Submit* (bottom of page), then *Apply Config* (top of page) ++ +image::files/asterisk_sip_settings.jpg[] + +. Create SIP phone extensions, so you can make calls + +* Go to *Applications* > *Extensions* > *Add Extension* > *Add New SIP [chan_pjsip] Extension*, and create a phone extension (local phone number) such as the following: + +** *User Extension*: _301_ +** *Display Name*: _John Doe_ +** *Secret*: _y0ur 0wn $tr0ng p4ssw0rd_ + +* Click *Submit* (bottom of page), then *Apply Config* (top of page) +* Using the same steps, create extensions for every user! ++ +image::files/add_extn_01_top.jpg[] ++ +image::files/add_extn_02.jpg[] + +. [[Register_Extension]]Register the extension, on your smartphone or laptop ++ +You can now register the extension using a softphone (SIP) app on your smartphone or laptop. In this example we will use the https://en.wikipedia.org/wiki/Linphone[Linphone] app, on an Android phone. 
After you open the app, follow these steps: + +* Connect your smartphone or laptop to the *Internet in a Box* WiFi hotspot +* Select *USE SIP ACCOUNT* +* Enter those same details that you entered above into the FreePBX administration website: + +** *Username* is the same as above *User Extension* +** *Password* is the same as above *Secret* +** *Domain* is your IIAB server's IP address + +* Select *UDP* under *Transport* +* Select *LOGIN* ++ +image::files/linphone_setup.jpg[width='33%'] + +* If the connection is successful, you will see a green circle next to *Connected* on this next screen: ++ +image::files/linphone_connected.jpg[width='33%'] + +* _If you've created more than one extension, make a call to another extension!_ If you've not yet made more than one extension, try calling an arbitrary extension, or try calling your own extension (your own phone number). + +** You should see activity in the *FreePBX Statistics* applet at http://box/freebx (or http://box:83/freebx) > *Dashboard* +** Connection details may also be seen in the Asterisk logs at: `/var/logs/asterisk/full` +** Please create a https://en.wikipedia.org/wiki/Privacy_policy[Privacy Policy] against abusive surveillance, and explain it to the people in your community. Strongly consider giving them access to their own statistics with the <<#UCP,User Control Panel>> summarized further below. + + +== Automatically create extensions, automated test call + +. Try the script link:templates/iiab-asterisk-test[*iiab-asterisk-test*] to: + +* Create two extensions *301* and *302*, and configure a dialplan for routing calls (as specified in link:templates/pjsip_custom.conf[pjsip_custom.conf] and link:templates/extensions_custom.conf[extensions_custom.conf], located within `/opt/iiab/iiab/roles/pbx/templates`). +* Make a test call to extension 1000 (that has no physical device associated with it) that plays some sound files. 
+* After the script completes, it deletes the extensions and reverts file changes to restore asterisk to its original state. If you'd like your changes to persist, read the options below. + +. Usage: + +* `sudo ./iiab-asterisk-test` ++ +Default option - Executes the complete script and reverts file changes done during the test. + +* `sudo ./iiab-asterisk-test retain` ++ +Extensions created during the test are retained. Files are not reverted after the test. ++ +You may try making calls to extension 302 or 1000 after registering your softphone as <<#Register_Extension,mentioned above>>. The password for the extension is present in pjsip_custom.conf, feel free to change it before executing the script. + +* `sudo ./iiab-asterisk-test revert` ++ +Use this option if you executed the script using the *retain* option, but would like to have the changes reverted now. This will only revert the changes to the files and restart asterisk, no other actions are performed. + +* `sudo ./iiab-asterisk-test restart` ++ +Restarts asterisk, no other actions are performed + +* `sudo ./iiab-asterisk-test testcall` ++ +Makes a test call from Asterisk's console to extension 1000, and confirms from the logs if the call was successful. ++ +_Note: This will only work if you've created extension 1000 manually, or using FreePBX or using the *retain* option of this script_ + +. Read more about creating https://wiki.asterisk.org/wiki/display/AST/Creating+SIP+Accounts[*extensions and dialplans*] if you want to extend this script. + + +== Troubleshooting + +. Check if Asterisk is up and running: + +* Run Linux command: `sudo asterisk -rvvv` +* The number of v's denotes the verbosity level. In this case, it is 3. +* If Asterisk is running, it'll take you to the Asterisk CLI (command-line interface). + +. If you see _Asterisk is not connected_ in red within FreePBX's web interface, check that Asterisk is running using Linux command `sudo pgrep asterisk`. 
You should see at least 2 different process numbers. If not, please restart Asterisk using Linux command: `sudo fwconsole restart` + +. Check all log files carefully, within this directory: ++ +---- +/var/log/asterisk/ +---- + +. If you see an _fwconsole read_ error when you save FreePBX settings, try to run these Linux commands: ++ +---- +sudo fwconsole chown +sudo fwconsole reload +---- + + +== Some useful Asterisk commands + +. To reach Asterisk's own CLI (command-line interface) + +* Run Linux command: `sudo asterisk -rvvvv` +* Note: The number of v's denotes the verbosity level. In this case, it is 4. + +. To see all available Asterisk commands: + +* Run Asterix command: `core show help` + +. To see all commands that start with `pjsip show`: + +* Run Asterix command: `pjsip show [tab]` or `pjsip show ?` +* Try this with any command! + +. To run an Asterisk command outside of Asterisk's CLI, e.g. for use in a script: + +* Exit the Asterisk CLI, and try Linux commands like: ++ +---- +asterisk -rx "pjsip show endpoints" +asterisk -rx "cdr show status" +---- + + +== Additional FreePBX info + +. `/etc/freepbx.conf` allows you to override FreePBX's stored settings if necessary. ++ +A better way however, is to use http://box/freepbx or http://box:83/freepbx > *Settings* > *Advanced Settings* to modify those stored settings — or equivalently, run Linux commands like: ++ +---- +sudo fwconsole set -l # Show all FreePBX settings' raw values +sudo fwconsole set CHECKREFERER # Show setting's value, in human-readable form +sudo fwconsole set CHECKREFERER 0 # 0 means false (or set it to 1, to re-enable FreePBX's default) +---- + +. Also try FreePBX commands like the following, at the Linux command-line: ++ +---- +sudo fwconsole list # List commands +sudo fwconsole -h +sudo fwconsole restart +sudo fwconsole ma list # ma = Module Administration (e.g. 
shows ~16 default modules, of ~70 total) +sudo fwconsole ma -h +sudo fwconsole ma showupgrades +sudo fwconsole ma upgradeall # Upgrade your FreePBX modules (as normally happens Saturday 4-8AM) +---- + +. [[UCP]]*User Control Panel* + +* If you'd like to allow users more control over their own settings, and the ability to review their own statistics, install the https://wiki.freepbx.org/pages/viewpage.action?pageId=28180526[User Control Panel] FreePBX module from http://box/freepbx or http://box:83/freepbx > *Admin* > *Module Admin* > *Check Online*. + +. [[Password_Recovery]]If you forget your FreePBX password, you can bypass it using Linux command `sudo fwconsole unlock ` and then refresh your FreePBX web page: ++ +* To get the Session ID, press `Ctrl + a` which will highlight all the text on the page. The text highlighted in the middle of the page, is the Session ID: ++ +image::files/pwdless_login.jpg[] ++ +* Once you've logged in, change your password under *Admin* > *Administrators*. On the right side, you will see the list of available users. You can select the appropriate user and change the password: ++ +image::files/password_change.jpg[] + + +== Known Issues + +Please also check the "Known Issues" at the bottom of https://github.com/iiab/iiab/wiki#our-evolution[IIAB's latest release notes]. + +_If there's a bug or serious problem with IIAB, please do https://internet-in-a-box.org/pages/contributing.html[make contact] and post an issue here: https://github.com/iiab/iiab/issues_ + +. Apache's `/var/lib/php/asterisk_sessions/` directory might also be needed for NGINX? ++ +If not, the https://github.com/iiab/iiab/blob/master/roles/pbx/tasks/freepbx.yml#L151-L163[configuration of /var/lib/php/asterisk_sessions/] might be made conditional upon `when: not pbx_use_apache` + +. 
The https://github.com/iiab/iiab/blob/master/roles/pbx/tasks/freepbx.yml#L208-L211[installation of /etc/odbc.ini] for CDR (Call Detail Records) database `asteriskcdrdb` might benefit from compiling the ODBC driver for aarch64, per http://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html ? ++ +See the output of `asterisk -rx "cdr show status"` as mentioned at https://github.com/iiab/iiab/pull/2938#issuecomment-898693126[#2938] and https://github.com/iiab/iiab/pull/2942[PR #2942]. + +. Raspberry Pi Zero W Warning ++ +Node.js applications like Asterisk/FreePBX, Node-RED and Sugarizer won't work on Raspberry Pi Zero W (ARMv6) if you installed Node.js while on RPi 3, 3 B+ (ARMv7) or RPi 4 (ARMv8). If necessary, run `apt remove nodejs` or `apt purge nodejs` then `rm /etc/apt/sources.list.d/nodesource.list; apt update` then (https://nodered.org/docs/hardware/raspberrypi#swapping-sd-cards[attempt!]) to https://github.com/iiab/iiab/blob/master/roles/nodejs/tasks/main.yml[install Node.js] _on the Raspberry Pi Zero W itself_ (a better approach than "cd /opt/iiab/iiab; ./runrole nodejs" is to try `apt install nodejs` or try installing the tar file mentioned at https://github.com/iiab/iiab/issues/2082#issuecomment-569344617[#2082]). You might also need `apt install npm`. Whatever versions of Node.js and npm you install, make sure `/etc/iiab/iiab_state.yml` contains the line `nodejs_installed: True` (add it if nec!) Finally, proceed to install Asterisk/FreePBX, Node-RED and/or Sugarizer. https://github.com/iiab/iiab/issues/1799[#1799] + + +//// +== Raspberry Pi Known Issues + +As of 2019-02-14, "systemctl restart freepbx" failed more than 50% of the time when run on a http://wiki.laptop.org/go/IIAB/FAQ#What_services_.28IIAB_apps.29_are_suggested_during_installation.3F[BIG-sized] install of IIAB 6.7 on RPi 3 or RPi 3 B+. + +It is possible that FreePBX restarts much more reliably when run on a MIN-sized install of IIAB? 
Please http://wiki.laptop.org/go/IIAB/FAQ#What_are_the_best_places_for_community_support.3F[contact us] if you can assist here in any way: https://github.com/iiab/iiab/issues/1493[#1493] +//// + + +== Attribution + +In February 2019, this https://github.com/iiab/iiab/tree/master/roles/pbx[roles/pbx] IIAB https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible[Ansible playbook] was originally inspired by Yannik Sembritzki's https://github.com/Yannik/ansible-role-asterisk[Asterisk] and https://github.com/Yannik/ansible-role-freepbx[FreePBX] Ansible work from 2017-2019. + +In August 2021 it was overhauled, with thanks to these 3 sources especially: + +* "Official" recipe: https://wiki.freepbx.org/display/FOP/Installing+FreePBX+16+on+Debian+10.9 +* Comprehensive & recent recipe for Raspberry Pi: http://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html +* Popular but dated recipe: https://computingforgeeks.com/how-to-install-asterisk-16-with-freepbx-15-on-ubuntu-debian/ + +Thank you to _ALL_ who've contributed — including Lemuel D'Souza, Jerry Vonau, Adam Holt and Anish Mangal! diff --git a/roles/pbx/README.rst b/roles/pbx/README.rst deleted file mode 100644 index 22d83d4d6..000000000 --- a/roles/pbx/README.rst +++ /dev/null 
@@ -1,49 +0,0 @@ -========== -PBX README -========== - -This 'pbx' playbook adds `Asterisk `_ and `FreePBX `_ to Internet-in-a-Box (IIAB) for VoIP and SIP functionality e.g. for rural telephony. - -This initial release (for IIAB 6.7 in February 2019) supports Ubuntu 18.04, Debian 9 "Stretch" — and experimentally supports Raspberry Pi: `#1467 `_ - -What Asterisk & FreePBX Do --------------------------- - -Asterisk is a software implementation of a private branch exchange (PBX). In conjunction with suitable telephony hardware interfaces and network applications, Asterisk is used to establish and control telephone calls between telecommunication endpoints, such as customary telephone sets, destinations on the public switched telephone network (PSTN), and devices or services on Voice over Internet Protocol (VoIP) networks. Its name comes from the asterisk (*) symbol for a signal used in dual-tone multi-frequency (DTMF) dialing. - -FreePBX is a web-based open source GUI (graphical user interface) that controls and manages Asterisk (PBX), the open source communication server. - -Using It --------- - -Prior to installing IIAB, make sure your `/etc/iiab/local_vars.yml `_ contains:: - - pbx_install: True - pbx_enabled: True - -Optionally, you may want to enable `chan_dongle `_, which is a channel driver for Huawei UMTS cards allowing regular voice calls over GSM. You will need to configure a dongle post-install, for it to be recognized properly:: - - asterisk_chan_dongle: True - -After installing PBX as part of IIAB, please visit http://box.lan:83/freepbx and proceed with initial configuration (no login/password is required initially — you will be asked to set this up). - -You can monitor the FreePBX service with command:: - - systemctl status freepbx - -Raspberry Pi Known Issue ------------------------- - -As of 2019-02-14, "systemctl restart freepbx" fails more than 50% of the time when run on a `BIG-sized `_ install of IIAB 6.7 on RPi 3 or RPi 3 B+. 
- -It is possible that FreePBX restarts much more reliably when run on a MIN-sized install of IIAB? Please `contact us `_ if you can assist here in any way: `#1493 `_ - -Raspberry Pi Zero W Warning ---------------------------- - -Node.js applications like Asterisk/FreePBX, Node-RED and Sugarizer won't work on Raspberry Pi Zero W (ARMv6) if you installed Node.js while on RPi 3, 3 B+ (ARMv7) or RPi 4 (ARMv8). If necessary, run ``apt remove nodejs`` or ``apt purge nodejs`` then ``rm /etc/apt/sources.list.d/nodesource.list; apt update`` then (`attempt! `_) to `install Node.js `_ *on the Raspberry Pi Zero W itself* (a better approach than "cd /opt/iiab/iiab; ./runrole nodejs" is to try ``apt install nodejs`` or try installing the tar file mentioned at `#2082 `_). You might also need ``apt install npm``. Whatever versions of Node.js and npm you install, make sure ``/etc/iiab/iiab_state.yml`` contains the line ``nodejs_installed: True`` (add it if nec!) Finally, proceed to install Asterisk/FreePBX, Node-RED and/or Sugarizer. `#1799 `_ - -Attribution ------------ - -This 'pbx' playbook was heavily inspired by Yannik Sembritzki's `Asterisk `_ and `FreePBX `_ Ansible work, Thank You! diff --git a/roles/pbx/README.rst.unused b/roles/pbx/README.rst.unused new file mode 100644 index 000000000..19371b11e --- /dev/null +++ b/roles/pbx/README.rst.unused 
@@ -0,0 +1,176 @@ +.. |ss| raw:: html + + + +.. |se| raw:: html + + + +.. |nbsp| unicode:: 0xA0 + :trim: + +========== +PBX README +========== + +This "pbx" playbook adds `Asterisk `_ and `FreePBX `_ to Internet-in-a-Box (IIAB) for VoIP and SIP functionality e.g. for rural telephony. + +The initial release (for IIAB 6.7 in February 2019) supported Ubuntu 18.04, Debian 9 "Stretch" — and experimentally, Raspberry Pi: `#1467 `_ + +*2021-08-02 GOOD NEWS: IIAB has upgraded from Asterisk 16.x (released 2018-10-09) to 18.x (released 2020-10-20*, `docs `_): `PR #2896 `_ + +*2021-08-02 WORK IN PROGRESS: The latest versions of Ubuntu (20.04, 20.10, 21.04), Debian 11 "Bullseye" and the imminent Raspberry Pi OS 11 "Bullseye" all include PHP 7.4 — which does not work with FreePBX 15 — so IIAB is making the transition to* `FreePBX 16 Beta `_ *which emerged on 2021-06-21:* `PR #2899 `_ + +*PLEASE UNDERSTAND THIS MEANS THAT: IIAB no longer supports FreePBX 15 (i.e. Linux distros with PHP <= 7.3, e.g. on Raspberry Pi OS 10 "Buster"). Thank you for your understanding, as we look to the future together!* + +What Asterisk & FreePBX Do +-------------------------- + +Asterisk is a software implementation of a private branch exchange (PBX). In conjunction with suitable telephony hardware interfaces and network applications, Asterisk is used to establish and control telephone calls between telecommunication endpoints, such as customary telephone sets, destinations on the public switched telephone network (PSTN), and devices or services on Voice over Internet Protocol (VoIP) networks. Its name comes from the asterisk (*) symbol for a signal used in dual-tone multi-frequency (DTMF) dialing. + +FreePBX is a web-based open source GUI (graphical user interface) that controls and manages Asterisk (PBX), the open source communication server. 
+ +Using It +-------- + +Prior to installing IIAB, make sure your `/etc/iiab/local_vars.yml `_ contains:: + + pbx_install: True + pbx_enabled: True + +Optionally, you may want to enable `chan_dongle `_, which is a channel driver for Huawei UMTS cards allowing regular voice calls over GSM. You will need to configure a dongle post-install, for it to be recognized properly:: + + asterisk_chan_dongle: True + +If using PBX intensively, please adjust ``/etc/php/7.4/apache2/php.ini`` as outlined within `/opt/iiab/iiab/roles/www_options/tasks/main.yml `_ — much like other IIAB Apps that use:: + + nginx_high_php_limits: True + +After installing PBX as part of IIAB, please visit http://box.lan:83/freepbx and proceed with initial configuration (no login/password is required initially — you will be asked to set this up). + +You can monitor the FreePBX service with command:: + + systemctl status freepbx + + +Steps to setup a basic FreePBX configuration with a SIP extension +------------------------------------------------------------------ +1. After installing PBX as part of IIAB, please visit http://box.lan:83/freepbx and proceed with initial configuration. You will be asked to setup your username and password the first time you login which will be used in future to login to the FreePBX configuration screen. Once you login, select the first option 'FreePBX Administrator'. + +2. Change the default asterisk password + + Go to Settings >> Asterisk settings. Click on 'Submit' button below and then clic'Apply config' that'll appear on the top right side of the web page. + + +3. 
Change asterisk SIP settings + + Go to Settings >> Asterisk SIP settings >> Under NAT settings, clicking "Detect Network Settings" will populate your external IP + Under Local networks, enter your local IP settings in the form of IP/CIDR or IP/NETMASK such as, “192.168.0.0/24" or “192.168.0.0/255.255.255.0” + + Click on 'Submit' button below and then click 'Apply config' that'll appear on the top right side of the web page. + + Refer - https://wiki.freepbx.org/display/FPG/Asterisk+SIP+Settings+User+Guide + + +4. Create SIP phone extensions to enable you to make calls within your network + Go to Applications >> Extensions >> Add Extension >> New chan_pjsip extension + + **Extension** - <> + + **Display name** - <> + + **Secret** - <> + + Click on 'Submit' button below and then click 'Apply config' that'll appear on the top right side of the web page. + + Using the same steps, you could create more extensions for other users. + +5. Register the extension on your softphone app + + You can now register these extensions using a softphone app on your smartphone. For this example we will use the Linphone app on an Android phone + + Once you open the app, follow these steps + + 1. Select option "USE SIP ACCOUNT" + + 2. Enter the following details that you set in the FreePBX console + Username - 101 + + Password - Password you set for your extension + + Domain - Asterisk server IP address (To find this out, on the system where you've installed FreePBX, go to Terminal and run 'ifconfig' to find your IP address) + + 3. Select "UDP" option under TRANSPORT + 4. Click on login. + 5. If connection is successful, you will see 'connected' with a green cirle on the next screen + 6. Make a call to a random number or another extension you've created. You should be able to see activity on the applet at the right side of your FreePBX Dashboard + + Refer - https://wiki.freepbx.org/display/FPG/Extensions+Module+-+PJSIP+Extension + +Troubleshooting +---------------- +1. 
Check if asterisk is up and running + Execute the command on your terminal and an asterisk console should open + + sudo asterisk -rvvv + +2. If you see a "Asterisk not connected" in red on the FreePBX web console, check if asterisk is 'running' using this command on your terminal + systemctl status asterisk + + If asterisk is not running (status does not show 'running'), restart asterisk + + sudo systemctl restart asterisk (confirm status shows up as running after executing this command) + +3. If you see a "fwconsole read error" when you save settings, execute these commands on your terminal + sudo fwconsole chown + + sudo fwconsole reload + + +4. Radcli error + In files /etc/asterisk/cdr.conf and /etc/asterisk/cel.conf, this line sometimes needs to be added: (possibly this manual step is no longer necessary with Asterisk 18.x now!) + + radiuscfg => /etc/radcli/radiusclient.conf + + In any case, make 100% sure the file /etc/radcli/radiusclient.conf is non-empty. You can end up with a zero-length file here, if IIAB's roles/pbx install was interrupted (it should be about 2-to-3 kBytes initially). Probably best to start over with a clean OS in such situations! + + Also make sure any older lines including radiuscfg => /usr/local/etc/radiusclient-ng/radiusclient.conf are commented out within cdr.conf and cel.conf + + +Some useful asterisk commands and information +---------------------------------------------- +1. pjsip show endpoints + This shows you the list of extensions along created on your FreePBX server along with its details + +2. Asterisk log file is at /var/log/asterisk/full + +3. If you do not see any activity on your asterisk console, you may need to increase the verbosity by executing either of these commands + core set verbose 3, OR + + core set debug 3 + +4. To see all asterisk commands available + core show help + +5. 
To see all commands that start with core show + ``core show [tab]`` or ``core show?`` + + +Raspberry Pi Known Issues +------------------------- + +|ss| As of 2019-02-14, "systemctl restart freepbx" failed more than 50% of the time when run on a `BIG-sized `_ install of IIAB 6.7 on RPi 3 or RPi 3 B+. + +It is possible that FreePBX restarts much more reliably when run on a MIN-sized install of IIAB? Please `contact us `_ if you can assist here in any way: `#1493 `_ |se| + +Raspberry Pi Zero W Warning +--------------------------- + +Node.js applications like Asterisk/FreePBX, Node-RED and Sugarizer won't work on Raspberry Pi Zero W (ARMv6) if you installed Node.js while on RPi 3, 3 B+ (ARMv7) or RPi 4 (ARMv8). If necessary, run ``apt remove nodejs`` or ``apt purge nodejs`` then ``rm /etc/apt/sources.list.d/nodesource.list; apt update`` then (`attempt! `_) to `install Node.js `_ *on the Raspberry Pi Zero W itself* (a better approach than "cd /opt/iiab/iiab; ./runrole nodejs" is to try ``apt install nodejs`` or try installing the tar file mentioned at `#2082 `_). You might also need ``apt install npm``. Whatever versions of Node.js and npm you install, make sure ``/etc/iiab/iiab_state.yml`` contains the line ``nodejs_installed: True`` (add it if nec!) Finally, proceed to install Asterisk/FreePBX, Node-RED and/or Sugarizer. `#1799 `_ + +Please also check the "Known Issues" at the bottom of `IIAB's latest release notes `_. + +Attribution +----------- + +This "pbx" playbook was heavily inspired by Yannik Sembritzki's `Asterisk `_ and `FreePBX `_ Ansible work, Thank You! diff --git a/roles/pbx/defaults/main.yml b/roles/pbx/defaults/main.yml index 200e9384f..ea5d2d5ae 100644 --- a/roles/pbx/defaults/main.yml +++ b/roles/pbx/defaults/main.yml 
@@ -1,28 +1,30 @@ # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX. -# Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi 3. +# 2019: Worked on Ubuntu 18.04, Debian 9 w/ Node.js 10.x, and seemingly RPi 3+. +# 2021-08-03: Attempts FreePBX 16 Beta -- as required w/ PHP 7.4 OS's for #2897 # pbx_install: False # pbx_enabled: False +# pbx_use_apache: True # 2021-08-17: Set either to 'False' if nec -- please +# pbx_use_nginx: True # read github.com/iiab/iiab/issues/2914 & #2916, THX! + # asterisk_chan_dongle: False # pbx_signaling_ports_chan_sip: 5160:5161 # pbx_signaling_ports_chan_pjsip: 5060 # pbx_data_ports: 10000:20000 # pbx_http_port: 83 -# + # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! -#pbx_installed: False +asterisk_url: http://downloads.asterisk.org/pub/telephony/asterisk +asterisk_src_file: asterisk-18-current.tar.gz +asterisk_src_dir: "{{ iiab_base }}/asterisk" # /opt/iiab -asterisk_url: http://downloads.asterisk.org/pub/telephony/asterisk/ -asterisk_src_file: asterisk-16-current.tar.gz -asterisk_src_dir: /opt/iiab/asterisk - -freepbx_url: http://mirror.freepbx.org/modules/packages/freepbx/ -freepbx_src_file: freepbx-15.0-latest.tgz -freepbx_src_dir: /opt/iiab/freepbx +freepbx_url: http://mirror.freepbx.org/modules/packages/freepbx/7.4 +freepbx_src_file: freepbx-16.0-latest.tgz # Beta as of 2021-06-21 but looking great! Does NOT support PHP < 7.4 (you've been warned!) Please review https://github.com/iiab/iiab/blob/master/roles/pbx/README.rst +freepbx_src_dir: "{{ iiab_base }}/freepbx" freepbx_install_dir: /var/www/html/freepbx asterisk_db_host: localhost 
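Review bot: The new `asterisk_url` and `freepbx_url` values fetch source tarballs over plain `http://`, and `asterisk-18-current.tar.gz` / `freepbx-16.0-latest.tgz` are moving targets, so the role will compile and run whatever an on-path network or a compromised mirror returns, with no pinned version or checksum visible in this file. Both projects appear to publish over HTTPS, so `asterisk_url: https://downloads.asterisk.org/pub/telephony/asterisk` and `freepbx_url: https://mirror.freepbx.org/modules/packages/freepbx/7.4` are low-cost changes; pinning an explicit release and adding a `checksum:` to the `get_url` task that presumably consumes these (outside this file) would close the rest. The inline comment on `freepbx_src_file` sends readers to `roles/pbx/README.rst`, but this same commit deletes that file in favour of `README.adoc`, so the reference should become `https://github.com/iiab/iiab/blob/master/roles/pbx/README.adoc`. The hunk's trailing context `asterisk_db_host: localhost` leads into the DB settings covered by the next hunk.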
@@ -31,6 +33,6 @@ asterisk_db_dbname: asterisk asterisk_db_password: asterisk asterisk_db_cdrdbname: asteriskcdrdb -chan_dongle_url: https://github.com/wdoekes/asterisk-chan-dongle/archive/ +chan_dongle_url: https://github.com/wdoekes/asterisk-chan-dongle/archive chan_dongle_src_file: master.zip -chan_dongle_src_dir: /opt/iiab/chan_dongle +chan_dongle_src_dir: "{{ iiab_base }}/chan_dongle" diff --git a/roles/pbx/files/add_extn_01_top.jpg b/roles/pbx/files/add_extn_01_top.jpg new file mode 100644 index 000000000..f64f2b3a3 Binary files /dev/null and b/roles/pbx/files/add_extn_01_top.jpg differ diff --git a/roles/pbx/files/add_extn_02.jpg b/roles/pbx/files/add_extn_02.jpg new file mode 100644 index 000000000..83583b1e5 Binary files /dev/null and b/roles/pbx/files/add_extn_02.jpg differ diff --git a/roles/pbx/files/advanced_settings.jpg b/roles/pbx/files/advanced_settings.jpg new file mode 100644 index 000000000..e3aacd300 Binary files /dev/null and b/roles/pbx/files/advanced_settings.jpg differ diff --git a/roles/pbx/files/asterisk_sip_settings.jpg b/roles/pbx/files/asterisk_sip_settings.jpg new file mode 100644 index 000000000..cea344400 Binary files /dev/null and b/roles/pbx/files/asterisk_sip_settings.jpg differ diff --git a/roles/pbx/files/linphone_connected.jpg b/roles/pbx/files/linphone_connected.jpg new file mode 100644 index 000000000..ae7169771 Binary files /dev/null and b/roles/pbx/files/linphone_connected.jpg differ diff --git a/roles/pbx/files/linphone_setup.jpg b/roles/pbx/files/linphone_setup.jpg new file mode 100644 index 000000000..b41854325 Binary files /dev/null and b/roles/pbx/files/linphone_setup.jpg differ diff --git a/roles/pbx/files/password_change.jpg b/roles/pbx/files/password_change.jpg new file mode 100644 index 000000000..403b43192 Binary files /dev/null and b/roles/pbx/files/password_change.jpg differ 
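Review bot: `chan_dongle_url` now points at the GitHub `archive` endpoint, but together with `chan_dongle_src_file: master.zip` it still fetches the moving head of the `master` branch, so the code built into `/usr/lib/asterisk/modules/chan_dongle.so` is whatever upstream holds on install day and cannot be verified after the fact. Pinning to a commit or tag archive (`chan_dongle_src_file: <commit-or-tag>.zip`, placeholder) would let the `get_url` in chan_dongle.yml carry a `checksum:`; the `rsync ... asterisk-chan-dongle-master/` source path in that file would need to follow the new extracted directory name. The context lines here also show `asterisk_db_password: asterisk`, a well-known default that the mysql tasks and the FreePBX `./install --dbpass` step use; the README or a comment next to it should make clear it must be overridden in /etc/iiab/local_vars.yml.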
diff --git a/roles/pbx/files/pwdless_login.jpg b/roles/pbx/files/pwdless_login.jpg new file mode 100644 index 000000000..bb3800f92 Binary files /dev/null and b/roles/pbx/files/pwdless_login.jpg differ diff --git a/roles/pbx/tasks/apache.yml b/roles/pbx/tasks/apache.yml new file mode 100644 index 000000000..5462a5ca5 --- /dev/null +++ b/roles/pbx/tasks/apache.yml 
@@ -0,0 +1,41 @@ +# Must happen before install of Apache, or it'll collide with NGINX port 80. +# 2021-08-09: Used to be done by roles/nginx/tasks/install.yml +- name: "FreePBX - Install from template: /etc/{{ apache_service }}/ports.conf containing 'Listen {{ pbx_http_port }}'" # i.e. port 83 + template: + src: ports.conf + dest: /etc/{{ apache_service }}/ + +- name: "FreePBX - Install Apache packages: {{ apache_service }}, libapache2-mod-php, libapache2-mpm-itk" + package: + name: + - "{{ apache_service }}" # 2021-08-07: Install apache2 directly, as we prepare to deprecate roles/httpd + - libapache2-mod-php # NOTE duplication: roles/httpd/tasks.install.yml installed libapache2-mod-php{{ php_version }} ostensibly for "Elgg, Moodle, etc" + - libapache2-mpm-itk # To serve FreePBX through a VirtualHost as asterisk user (#2914: Is this possible via NGINX?) + +- name: 'FreePBX - Enable Apache module, as with "a2enmod" command: rewrite' + apache2_module: + name: rewrite + +# Legacy code from roles/httpd/tasks/install.yml +# - name: 'Enable 5 Apache modules, as with "a2enmod" command: headers, proxy, proxy_html, proxy_http, rewrite (for http://box/kiwix, http://box/kolibri, http://box/nodered, etc)' +# apache2_module: +# name: "{{ item }}" +# with_items: +# - headers +# - proxy +# - proxy_html +# - proxy_http +# - rewrite + +# 2021-08-08: Security risks? 
But official install doc recommends this: +# https://wiki.freepbx.org/display/FOP/Installing+FreePBX+16+on+Debian+10.9 +# (lineinfile doesn't quite do the job, as all instances are replaced) +- name: FreePBX - Run "sed -i 's/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf" + command: sed -i 's/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf + +- name: FreePBX - Install /etc/{{ apache_service }}/sites-available/freepbx.conf from template ({{ apache_user }}:{{ apache_user }}, 0644 by default) + template: + src: freepbx.conf.j2 + dest: /etc/{{ apache_service }}/sites-available/freepbx.conf # apache2 + owner: "{{ apache_user }}" # www-data + group: "{{ apache_user }}" diff --git a/roles/pbx/tasks/asterisk.yml b/roles/pbx/tasks/asterisk.yml index 032a2f9bf..29dc22279 100644 --- a/roles/pbx/tasks/asterisk.yml +++ b/roles/pbx/tasks/asterisk.yml 
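Review bot: The `sed -i 's/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf` task rewrites every `AllowOverride None` in the global config, which on Debian-family apache2.conf includes the `<Directory />`, `<Directory /usr/share>` and `<Directory /var/www/>` stanzas, so it turns on .htaccess processing for every site Apache serves on the box, not only FreePBX, and it re-runs and reports changed on each play. Since freepbx.conf.j2 is installed by the task immediately below, the narrower fix is to put `AllowOverride All` inside that template's own `<Directory {{ freepbx_install_dir }}>` block and drop the sed task; if the global edit has to stay, at least use `/etc/{{ apache_service }}/apache2.conf` like the rest of this file and add a `changed_when`/guard so it is not a permanent changed task. The `# 2021-08-08: Security risks?` comment above already anticipates this concern.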
@@ -1,121 +1,158 @@ -- name: Asterisk - Install dependencies - include: asterisk_dependencies.yml +# 2021-08-16 README.adoc, with screenshots: +# https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme -- name: Asterisk - Download software to /opt/iiab/downloads + +# 2021-08-05: Asterisk's own install_prereq (below) handles essentially all of these +# - name: Asterisk - Install dependencies +# include_tasks: asterisk_dependencies.yml + +# BEWARE: 'systemctl is-active asterix' falsely reports 'inactive' even when systemd +# is compiled in below! FWIW: /opt/iiab/asterisk/contrib/systemd/asterisk.service +# https://github.com/asterisk/asterisk/blob/master/contrib/systemd/asterisk.service + +- name: Asterisk - Install package 'libsystemd-dev' so Asterisk compiles in imperfect-but-improving systemd support -- if ./configure below places '#define HAVE_SYSTEMD 1' in /opt/iiab/asterisk/include/asterisk/autoconfig.h -- please later confirm with 'ldd /usr/sbin/asterisk | grep systemd' -- per https://community.asterisk.org/t/systemctl-start-asterisk-is-fail-with-timeout/81123/3 + package: + name: libsystemd-dev + state: present + +- name: Asterisk - Download {{ asterisk_url }}/{{ asterisk_src_file }} to {{ downloads_dir }} get_url: url: "{{ asterisk_url }}/{{ asterisk_src_file }}" - dest: "{{ downloads_dir }}/{{ asterisk_src_file }}" + dest: "{{ downloads_dir }}" # e.g. 
/opt/iiab/downloads/asterisk-18-current.tar.gz timeout: "{{ download_timeout }}" when: internet_available -- name: Asterisk - Check for /opt/iiab/downloads/{{ asterisk_src_file }} +- name: Asterisk - Check for {{ downloads_dir }}/{{ asterisk_src_file }} stat: path: "{{ downloads_dir }}/{{ asterisk_src_file }}" register: asterisk_src -- name: Asterisk - FAIL (force Ansible to exit) IF /opt/iiab/downloads/{{ asterisk_src_file }} doesn't exist +- name: Asterisk - FAIL (force Ansible to exit) IF {{ downloads_dir }}/{{ asterisk_src_file }} doesn't exist fail: - msg: "{ downloads_dir }}/{{ asterisk_src_file }} is REQUIRED in order to install." + msg: "{{ downloads_dir }}/{{ asterisk_src_file }} is REQUIRED to install Asterisk." when: not asterisk_src.stat.exists -- name: Asterisk - Create install source directory - file: - path: "{{ asterisk_src_dir }}" +- name: Asterisk - Create source dir {{ asterisk_src_dir }} + file: + path: "{{ asterisk_src_dir }}" # /opt/iiab/asterisk state: directory -- name: Asterisk - Extract source - unarchive: +- name: Asterisk - Extract to source dir (root:root by default) + unarchive: src: "{{ downloads_dir }}/{{ asterisk_src_file }}" dest: "{{ asterisk_src_dir }}" - owner: root - group: root + # owner: root + # group: root extra_opts: [--strip-components=1] creates: "{{ asterisk_src_dir }}/Makefile" -- name: Asterisk - Download mp3 decoder library into source tree - command: "./contrib/scripts/get_mp3_source.sh" - args: - chdir: "{{ asterisk_src_dir }}" - creates: "addons/mp3/mpg123.h" -- name: Asterisk - Install aptitude (otherwise install_prereq fails?) - package: - name: aptitude - state: latest +# 2021-08-03: Asterisk's install_prereq script (stanza just below) installs +# 'aptitude' regardless, within handle_debian() here: +# https://github.com/asterisk/asterisk/blob/master/contrib/scripts/install_prereq#L262-L271 +# +# - name: Asterisk - Install aptitude (otherwise install_prereq fails?) 
+# package: +# name: aptitude +# state: latest -- name: Asterisk - Ensure all dependencies are resolved - CAN TAKE 5 MIN OR LONGER! - shell: export DEBIAN_FRONTEND=noninteractive && ./contrib/scripts/install_prereq install +- name: Asterisk - Run 'install_prereq install' for dependencies - CAN TAKE 5 MIN OR LONGER! + shell: export DEBIAN_FRONTEND=noninteractive && ./contrib/scripts/install_prereq install args: chdir: "{{ asterisk_src_dir }}" -- name: Asterisk - Run the configure script - command: "./configure --with-jansson-bundled" +- name: Asterisk - Download mp3 decoder library into source tree - requires 'subversion' installed just above + command: ./contrib/scripts/get_mp3_source.sh + args: + chdir: "{{ asterisk_src_dir }}" + creates: addons/mp3/mpg123.h + +- name: Asterisk - Run './configure --with-pjproject-bundled --with-jansson-bundled' + command: ./configure --with-pjproject-bundled --with-jansson-bundled args: chdir: "{{ asterisk_src_dir }}" -- name: Asterisk - Run make menuselect.makeopts - command: "make menuselect.makeopts" +- name: Asterisk - Run 'make menuselect.makeopts' + command: make menuselect.makeopts args: chdir: "{{ asterisk_src_dir }}" - creates: "menuselect.makeopts" + creates: menuselect.makeopts - name: Asterisk - Do a bit of menuselect configuration - command: > - menuselect/menuselect --enable app_macro --enable format_mp3 - --enable CORE-SOUNDS-EN-WAV --enable CORE-SOUNDS-EN-G722 - --enable EXTRA-SOUNDS-EN-WAV --enable EXTRA-SOUNDS-EN-G722 --enable EXTRA-SOUNDS-EN-GSM - --disable-category MENUSELECT_MOH + command: menuselect/menuselect --enable app_macro --enable format_mp3 menuselect.makeopts + # 2021-08-06: Let's standardize (ABOVE) if 6 others (BELOW) aren't needed? 
+ # command: > + # menuselect/menuselect --enable app_macro --enable format_mp3 + # --enable CORE-SOUNDS-EN-WAV --enable CORE-SOUNDS-EN-G722 + # --enable EXTRA-SOUNDS-EN-WAV --enable EXTRA-SOUNDS-EN-G722 --enable EXTRA-SOUNDS-EN-GSM + # --disable-category MENUSELECT_MOH args: chdir: "{{ asterisk_src_dir }}" -- name: Asterisk - Run 'make' - CAN TAKE 30 MIN OR LONGER! - command: make +- name: Asterisk - Run 'make' - CAN TAKE 8-30 MIN OR LONGER! + command: make args: chdir: "{{ asterisk_src_dir }}" - creates: "defaults.h" + creates: defaults.h - name: Asterisk - Run 'make install' - CAN TAKE 2 MIN OR LONGER! command: make install args: chdir: "{{ asterisk_src_dir }}" - creates: "/usr/sbin/asterisk" + creates: /usr/sbin/asterisk - name: Asterisk - Run 'make config' command: make config args: chdir: "{{ asterisk_src_dir }}" -- name: Asterisk - Run 'make samples' +- name: Asterisk - Run 'make samples' - this creates /etc/asterisk/asterisk.conf used below command: make samples args: chdir: "{{ asterisk_src_dir }}" - name: Asterisk - Run 'ldconfig' - shell: ldconfig + command: ldconfig args: chdir: "{{ asterisk_src_dir }}" -- name: Asterisk - Ensure group 'asterisk' exists - group: - name: asterisk - state: present +# 2021-08-06: Most install recipes do 'update-rc.d -f asterisk remove' here. +# Can't hurt but we do that a bit later in freepbx.yml -- name: Asterisk - Ensure user 'asterisk' exists, and belongs to the required groups + +# 2021-08-06: Taken care of just below +# - name: Asterisk - Ensure group 'asterisk' exists +# group: +# name: asterisk +# state: present + +#- name: Asterisk - Ensure system user 'asterisk' has primary group 'asterisk', groups 'audio,dialout', home '/var/lib/asterisk' +- name: Asterisk - Create Linux user 'asterisk' user: name: asterisk - group: asterisk - groups: audio,dialout - home: "/var/lib/asterisk" - system: yes - append: yes + # group: asterisk # 2021-08-06: Implicit + groups: audio,dialout # 2021-08-08: Plausibly might help? 
+ home: /var/lib/asterisk # 2021-08-07: /home/asterisk (default) ok too + system: yes # 2021-08-08: No evidence this is needed. Hopefully it doesn't cause harm? (FYI Ansible doesn't change pre-existing users) + append: yes # 2021-08-08: Not essential. So Ansible adds groups w/o deleting existing group memberships. -- name: 'Asterisk - Set ownership of 5 directories: /etc/asterisk, /var/lib/asterisk, /var/log/asterisk, /var/spool/asterisk, /usr/lib/asterisk' - file: - dest: "{{ item }}" - owner: asterisk +# 2021-08-17: Moved to enable-or-disable.yml +# - name: Asterisk - Add user 'www-data' to group 'asterisk' - if pbx_use_nginx +# user: +# name: www-data +# groups: asterisk +# # system: yes # 2021-08-06: Ansible doesn't change pre-existing users +# append: yes +# when: pbx_use_nginx + +- name: Asterisk - Set ownership for 6 directories (asterisk:asterisk, recurse) + file: + dest: "{{ item }}" + owner: asterisk group: asterisk recurse: yes with_items: + - /var/run/asterisk - /etc/asterisk - /var/lib/asterisk - /var/log/asterisk diff --git a/roles/pbx/tasks/asterisk_dependencies.yml b/roles/pbx/tasks/asterisk_dependencies.yml.unused similarity index 53% rename from roles/pbx/tasks/asterisk_dependencies.yml rename to roles/pbx/tasks/asterisk_dependencies.yml.unused index 0738ddfe4..a3f26a5c3 100644 --- a/roles/pbx/tasks/asterisk_dependencies.yml +++ b/roles/pbx/tasks/asterisk_dependencies.yml.unused @@ -1,12 +1,12 @@ - name: Asterisk - Install dependencies package: name: - - git - - curl + - git # 2021-08-05: Not in Asterisk's install_prereq + - curl # 2021-08-05: Not in Asterisk's install_prereq - wget - libnewt-dev - libssl-dev - - libncurses5-dev + - libncurses5-dev # 2021-08-05: Not in Asterisk's install_prereq - subversion - libsqlite3-dev - build-essential diff --git a/roles/pbx/tasks/chan_dongle.yml b/roles/pbx/tasks/chan_dongle.yml index 5cef9861f..119b552fd 100644 --- a/roles/pbx/tasks/chan_dongle.yml +++ b/roles/pbx/tasks/chan_dongle.yml 
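Review bot: The `install_prereq` task still uses `shell:` with an inline `export DEBIAN_FRONTEND=noninteractive &&`, where `command: ./contrib/scripts/install_prereq install` plus `environment: {DEBIAN_FRONTEND: noninteractive}` expresses the same without spawning a shell. Several of the rewritten command tasks (`install_prereq install`, `./configure ...`, `menuselect/menuselect ...`, `make config`, `make samples`, `ldconfig`) have no `creates:` or `changed_when`, so every rerun of the role repeats the network-reaching prereq and configure steps; `make samples` in particular regenerates the sample configs under /etc/asterisk, which as far as I recall it does by renaming existing files to `.old`, so locally edited configs would be displaced on each run - worth confirming and guarding with `creates: /etc/asterisk/asterisk.conf`. Note also that the new `--with-pjproject-bundled` makes the build download pjproject at compile time, another unpinned fetch in addition to the source tarball itself.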
@@ -1,49 +1,52 @@ -- name: chan_dongle - Download software to /opt/iiab/downloads +# RPi: http://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html + +- name: chan_dongle - Download {{ chan_dongle_url }}/{{ chan_dongle_src_file }} to {{ downloads_dir }} get_url: - url: "{{ chan_dongle_url }}/{{ chan_dongle_src_file }}" - dest: "{{ downloads_dir }}/{{ chan_dongle_src_file }}" + url: "{{ chan_dongle_url }}/{{ chan_dongle_src_file }}" # /opt/iiab/downloads/master.zip + dest: "{{ downloads_dir }}/{{ chan_dongle_src_file }}" # Keep name as "master.zip" whereas browsers rename it to asterisk-chan-dongle-master.zip timeout: "{{ download_timeout }}" when: internet_available -- name: chan_dongle - Check for /opt/iiab/downloads/{{ chan_dongle_src_file }} +- name: chan_dongle - Check for {{ downloads_dir }}/{{ chan_dongle_src_file }} stat: path: "{{ downloads_dir }}/{{ chan_dongle_src_file }}" register: chan_dongle_src - name: chan_dongle - FAIL (force Ansible to exit) IF /opt/iiab/downloads/{{ chan_dongle_src_file }} doesn't exist fail: - msg: "{ downloads_dir }}/{{ chan_dongle_src_file }} is REQUIRED in order to install." + msg: "{ downloads_dir }}/{{ chan_dongle_src_file }} is REQUIRED to install chan_dongle." 
when: not chan_dongle_src.stat.exists -- name: chan_dongle - Create install source directory +- name: chan_dongle - Create source dir {{ chan_dongle_src_dir }} file: - path: "{{ chan_dongle_src_dir }}" + path: "{{ chan_dongle_src_dir }}" # /opt/iiab/chan_dongle state: directory -- name: chan_dongle - Extract source +- name: chan_dongle - Extract to {{ downloads_dir }} (root:root) unarchive: src: "{{ downloads_dir }}/{{ chan_dongle_src_file }}" dest: "{{ downloads_dir }}" owner: root group: root -- name: chan_dongle - move to {{ chan_dongle_src_dir }} +- name: chan_dongle - Run 'rsync -av {{ downloads_dir }}/asterisk-chan-dongle-master/ {{ chan_dongle_src_dir }}' command: rsync -av {{ downloads_dir }}/asterisk-chan-dongle-master/ {{ chan_dongle_src_dir }} args: chdir: "{{ downloads_dir }}" -- name: chan_dongle - Run the bootstrap script - command: "./bootstrap" + +- name: chan_dongle - Run './bootstrap' + command: ./bootstrap args: chdir: "{{ chan_dongle_src_dir }}" creates: "{{ chan_dongle_src_dir }}/configure" -- name: chan_dongle - Find out asterisk version - shell: asterisk -V |cut -d " " -f 2 +- name: chan_dongle - Run 'asterisk -V | cut -d " " -f 2' for asterisk_ver + shell: asterisk -V | cut -d " " -f 2 register: asterisk_ver -- name: chan_dongle - Run the configure script - command: "./configure --with-astversion={{asterisk_ver.stdout}}" +- name: chan_dongle - Run './configure --with-astversion={{ asterisk_ver.stdout }}' + command: ./configure --with-astversion={{ asterisk_ver.stdout }} args: chdir: "{{ chan_dongle_src_dir }}" creates: "{{ chan_dongle_src_dir }}/Makefile" @@ -60,9 +63,8 @@ chdir: "{{ chan_dongle_src_dir }}" creates: "/usr/lib/asterisk/modules/chan_dongle.so" -- name: chan_dongle - Copy dongle.conf over +- name: chan_dongle - Run 'cp {{ chan_dongle_src_dir }}/etc/dongle.conf /etc/asterisk/' command: cp {{ chan_dongle_src_dir }}/etc/dongle.conf /etc/asterisk/ args: chdir: "{{ chan_dongle_src_dir }}" creates: "/etc/asterisk/dongle.conf" - 
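Review bot: The rewritten `fail:` message on the new side keeps the broken Jinja opener `msg: "{ downloads_dir }}/{{ chan_dongle_src_file }} ..."` (a single `{`), so when the download is missing the operator sees the literal text `{ downloads_dir }}` instead of the path; the equivalent lines in asterisk.yml and freepbx.yml were corrected to `{{ downloads_dir }}` in this same commit, so this one appears overlooked: `msg: "{{ downloads_dir }}/{{ chan_dongle_src_file }} is REQUIRED to install chan_dongle."`. The task's `name:` also still hard-codes `/opt/iiab/downloads/` while the Check task just above now uses `{{ downloads_dir }}`. Separately, the new comment `# /opt/iiab/downloads/master.zip` sits on the `url:` line but describes `dest:`.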
diff --git a/roles/pbx/tasks/enable-or-disable.yml b/roles/pbx/tasks/enable-or-disable.yml new file mode 100644 index 000000000..2abc11405 --- /dev/null +++ b/roles/pbx/tasks/enable-or-disable.yml 
@@ -0,0 +1,122 @@ +- name: JUST 1 SETTING TO TURN ON/OFF FOR APACHE - whereas NGINX below has 4... + meta: noop + +- name: EITHER - Create symlink /etc/{{ apache_service }}/sites-enabled/freepbx.conf to enable Apache's http://box:{{ pbx_http_port }}/freepbx - if pbx_use_apache and pbx_enabled # http://box:83/freepbx + command: a2ensite freepbx.conf + when: pbx_use_apache and pbx_enabled + +- name: OR ELSE - Delete symlink /etc/{{ apache_service }}/sites-enabled/freepbx.conf to disable Apache's http://box:{{ pbx_http_port }}/freepbx - if not (pbx_use_apache and pbx_enabled) + file: # As 'a2dissite freepbx.conf' might not be installed + path: /etc/{{ apache_service }}/sites-enabled/freepbx.conf # apache2 + state: absent + when: not (pbx_use_apache and pbx_enabled) + + +- name: "ENACT ABOVE SETTING FOR APACHE - 'pbx_use_apache: False' might arise later, so best ALWAYS run..." + meta: noop + +- name: EITHER - Restart & Enable '{{ apache_service }}' systemd service - if pbx_use_apache and pbx_enabled + systemd: + daemon_reload: yes + name: "{{ apache_service }}" # apache2 + state: restarted + enabled: yes + when: pbx_use_apache and pbx_enabled + ignore_errors: yes # In case Apache not installed + +- name: OR ELSE - Stop & Disable '{{ apache_service }}' systemd service - if not (pbx_use_apache and pbx_enabled) + systemd: + daemon_reload: yes + name: "{{ apache_service }}" + state: stopped + enabled: no + when: not (pbx_use_apache and pbx_enabled) + ignore_errors: yes # In case Apache not installed + +- name: Open-or-Close Asterix ports (including Apache port {{ pbx_http_port }}) in iptables firewall, depending on pbx_enabled [{{ pbx_enabled }}] in local_vars.yml - in support of './runrole pbx' + command: /usr/bin/iiab-gen-iptables + ignore_errors: yes # iptables installed in 2-common, but iiab-gen-tables may not be set up until roles/network runs later + + + + +- block: + + - name: EITHER - TURN ON 4 SETTINGS FOR NGINX - if pbx_use_nginx and pbx_enabled + meta: noop + + 
- name: "Add user 'www-data' to group 'asterisk' BEFORE restarting Asterisk (via FreePBX, below) -- Ansible doesn't support removing a single non-primary group, so if you later change to 'pbx_use_nginx: False' please manually edit /etc/group to revert this" + user: + name: www-data + groups: asterisk + append: yes + + - name: Run 'fwconsole set CHECKREFERER 0' (0 means false) so 'Submit' button definitively works with NGINX at http://box/freepbx >> Settings >> Advanced Settings -- FYI you can run 'fwconsole set -l' or 'fwconsole set CHECKREFERER' to view FreePBX settings -- FYI /etc/freepbx.conf can completely override FreePBX's stored settings if nec + command: fwconsole set CHECKREFERER 0 # Or/later try to run 'fwconsole set CHECKREFERER 1' (1 means true) to restore FreePBX's default strict checking! + + - name: Install /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf converted from www.conf for user 'asterisk' + copy: + src: roles/pbx/templates/asterisk.conf + dest: /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf + + - name: Enable http://box/freepbx via NGINX, by installing {{ nginx_conf_dir }}/freepbx-nginx.conf from template + template: + src: freepbx-nginx.conf.j2 + dest: "{{ nginx_conf_dir }}/freepbx-nginx.conf" # /etc/nginx/conf.d + + when: pbx_use_nginx and pbx_enabled + +- block: + + - name: OR ELSE - TURN OFF 3 SETTINGS FOR NGINX (1st of 4 above settings too hard!) 
- if not (pbx_use_nginx and pbx_enabled) + meta: noop + + - name: Restore FreePBX default by running 'fwconsole set CHECKREFERER 1' (1 means true) as works with Apache -- FYI you can run 'fwconsole set -l' or 'fwconsole set CHECKREFERER' to view FreePBX settings -- FYI /etc/freepbx.conf can completely override FreePBX's stored settings if nec + command: fwconsole set CHECKREFERER 1 + + - name: Remove /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf + file: + path: /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf + state: absent + + - name: Disable http://box/freepbx via NGINX, by removing {{ nginx_conf_dir }}/freepbx-nginx.conf + file: + path: "{{ nginx_conf_dir }}/freepbx-nginx.conf" + state: absent + + when: not (pbx_use_nginx and pbx_enabled) + + +- name: "ENACT ABOVE 3-4 SETTINGS FOR NGINX - 'pbx_use_nginx: False' might arise later, so best ALWAYS run these 2..." + meta: noop + +- name: Enable & Restart 'php{{ php_version }}-fpm' systemd service + systemd: + name: php{{ php_version }}-fpm + state: restarted + enabled: yes + +- name: Restart 'nginx' systemd service + systemd: + name: nginx + state: restarted + + + + +- name: WRAP UP - Asterisk VIA FreePBX systemd service... + meta: noop + +- name: EITHER - Enable & (Re)start 'freepbx' systemd service, if pbx_enabled + systemd: + name: freepbx + enabled: yes + state: restarted + when: pbx_enabled + +- name: OR ELSE - Disable & Stop 'freepbx' systemd service, if not pbx_enabled + systemd: + name: freepbx + enabled: no + state: stopped + when: not pbx_enabled diff --git a/roles/pbx/tasks/freepbx.yml b/roles/pbx/tasks/freepbx.yml index 7f07b8d0f..307d26266 100644 --- a/roles/pbx/tasks/freepbx.yml +++ b/roles/pbx/tasks/freepbx.yml 
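Review bot: `fwconsole set CHECKREFERER 0` in the NGINX block switches off FreePBX's referer validation for the admin UI, which is the application's own mitigation against cross-site request forgery on state-changing requests, and it stays off for as long as pbx_use_nginx is true. The usual reason the check fails behind NGINX and PHP-FPM is that the Host or forwarded headers reaching PHP do not match what FreePBX expects; if freepbx-nginx.conf.j2 can be made to pass `fastcgi_param HTTP_HOST $host;` (or whichever header the template currently drops), the check could stay enabled, and if it genuinely cannot, the task name should state the consequence rather than only the UI symptom. Also, `ignore_errors: yes` on the two `{{ apache_service }}` systemd tasks hides every failure, not just the "Apache not installed" case; a narrower `failed_when:` that excludes only the "Could not find the requested service" message, or a `when:` on a `stat` of the unit, would keep real restart failures visible.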
@@ -1,10 +1,75 @@ -- name: FreePBX - Install dependencies - include: freepbx_dependencies.yml +# 2021-08-16 README.adoc, with screenshots: +# https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme -- name: FreePBX - Download software to /opt/iiab/downloads + +# 2021-08-04: Non-native systemd service 'asterisk.service' (redirects via +# systemd-sysv-install, to '/etc/init.d/asterisk status' etc) is Enabled but +# Not Active at this point. +# 2021-08-05: Asterisk's systemd / systemctl support is getting there but Very +# Imperfect (even when compiled in, as a result of package 'libsystemd-dev' at +# the top of asterisk.yml). +# 2021-08-12: Let's try to track the "official" init.d / update-rc.d +# instructions ('update-rc.d -f asterisk remove') but using systemd instead, +# to be more future-proof? +- name: "FreePBX - Disable 'asterisk' systemd service, giving FreePBX full control during boot - similar to officially recommended 'update-rc.d -f asterisk remove' at: https://wiki.freepbx.org/display/FOP/Installing+FreePBX+16+on+Debian+10.9" + systemd: + daemon_reload: yes + name: asterisk + #state: stopped + enabled: no + + +- name: FreePBX - Install 24 packages = 7 (wget, git, unixodbc, sudo, net-tools, cron, sox) + 12 PHP dependencies (run 'php -m' or 'php -i' to verify PHP modules) + 5 for CDR ODBC (cmake, make, gcc, libssl-dev, unixodbc-dev) + package: + name: + - wget + - git + - unixodbc # For Asterisk CDR (Call Detail Records) + - sudo # Required by FreePBX install script + - net-tools # Required by FWConsole (command-line utility, that controls FreePBX) + - cron # Required by FreePBX UCP package (User Control Panel) + - sox # Required for CDR web-playback + # - php{{ php_version }} # Basically drags in phpX.Y-cgi (already below!) + - php{{ php_version }}-bcmath # Likewise installed in nextcloud/tasks/install.yml, wordpress/tasks/install.yml + - php{{ php_version }}-cgi + # - php{{ php_version }}-common # Auto-installed as an apt dependency. 
REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml + - php{{ php_version }}-curl # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml + - php{{ php_version }}-fpm # Likewise installed in nginx/tasks/install.yml + # - php{{ php_version }}-gettext + - php{{ php_version }}-gd # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml + - php{{ php_version }}-imap + # - php{{ php_version }}-json # See stanza just below + - php{{ php_version }}-mbstring # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml + # - python-mysqldb # https://github.com/Yannik/ansible-role-freepbx/blob/master/tasks/freepbx.yml#L33 + - php{{ php_version }}-mysql # Likewise installed in mysql/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml + - php-pear # Likewise installed for ADMIN CONSOLE https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19 + - php{{ php_version }}-snmp + - php{{ php_version }}-xml # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml -- AND REGARDLESS dragged in later by Admin Console's use of php-pear for roles/cmdsrv/tasks/main.yml -- run 'php -m | grep -i xml' which in the end shows {libxml, SimpleXML, xml, xmlreader, xmlwriter} + - php{{ php_version }}-zip # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml + - cmake + - make + - gcc + - libssl-dev + - unixodbc-dev + state: latest + +# For PHP >= 8.0: phpX.Y-json is baked into PHP itself. 
+# For PHP < 8.0: phpX.Y-json auto-installed by phpX.Y-fpm AND phpX.Y-cli in 3-base-server's nginx/tasks/install.yml, as confirmed by: apt rdepends phpX.Y-json +# +# - name: Install php{{ php_version }}-json if PHP < 8.0 +# package: +# name: php{{ php_version }}-json +# state: present +# when: php_version is version('8.0', '<') + +- name: FreePBX - Install and configure Apache - if pbx_use_apache + include_tasks: apache.yml + when: pbx_use_apache + +- name: FreePBX - Download {{ freepbx_url }}/{{ freepbx_src_file }} to {{ downloads_dir }} get_url: url: "{{ freepbx_url }}/{{ freepbx_src_file }}" - dest: "{{ downloads_dir }}/{{ freepbx_src_file }}" + dest: "{{ downloads_dir }}" # e.g. /opt/iiab/downloads/freepbx-16.0-latest.tgz timeout: "{{ download_timeout }}" when: internet_available @@ -15,16 +80,16 @@ - name: FreePBX - FAIL (force Ansible to exit) IF {{ downloads_dir }}/{{ freepbx_src_file }} doesn't exist fail: - msg: "{ downloads_dir }}/{{ freepbx_src_file }} is REQUIRED in order to install." + msg: "{{ downloads_dir }}/{{ freepbx_src_file }} is REQUIRED to install FreePBX." when: not freepbx_src.stat.exists -- name: FreePBX - Create install source directory - file: - path: "{{ freepbx_src_dir }}" +- name: FreePBX - Create source dir {{ freepbx_src_dir }} + file: + path: "{{ freepbx_src_dir }}" # /opt/iiab/freepbx state: directory -- name: FreePBX - Extract source - unarchive: +- name: FreePBX - Extract to source dir (root:root) + unarchive: src: "{{ downloads_dir }}/{{ freepbx_src_file }}" dest: "{{ freepbx_src_dir }}" owner: root 
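Review bot: The new 24-package `package:` task uses `state: latest`, so every run of the role upgrades wget, git, gcc, the whole php{{ php_version }}-* set and their dependencies to whatever the mirrors hold at that moment, which makes the play non-idempotent, slow, and able to alter unrelated services (the inline comments note these PHP packages are shared with nginx, nextcloud, moodle and wordpress). `state: present` installs what is missing and leaves upgrades to a deliberate update step. The `get_url` for `{{ freepbx_url }}/{{ freepbx_src_file }}` at the end of this hunk inherits the plain-HTTP, no-`checksum:` point raised on defaults/main.yml.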
@@ -32,53 +97,72 @@ extra_opts: [--strip-components=1] creates: "{{ freepbx_src_dir }}/install" -- name: FreePBX - Patch FreePBX source - IIAB Bug 1685 - patch: - src: "roles/pbx/templates/71-freepbx-framework.patch" - dest: "{{ freepbx_src_dir }}/amp_conf/htdocs/admin/libraries/BMO/Framework.class.php" +# 2021-08-04: FreePBX 16 no longer needs this FreePBX 15 patch +# - name: FreePBX - Patch FreePBX source - IIAB Bug 1685 +# patch: +# src: roles/pbx/templates/71-freepbx-framework.patch +# dest: "{{ freepbx_src_dir }}/amp_conf/htdocs/admin/libraries/BMO/Framework.class.php" -- name: FreePBX - Patch FreePBX source - wants [] not {} - patch: - src: "roles/pbx/templates/pbx.patch" - dest: "{{ freepbx_src_dir }}/amp_conf/htdocs/admin/libraries/Composer/vendor/neitanod/forceutf8/src/ForceUTF8/Encoding.php" +# 2021-08-04: FreePBX 16 no longer needs this FreePBX 15 patch +# - name: FreePBX - Patch FreePBX source - wants [] not {} +# patch: +# src: roles/pbx/templates/pbx.patch +# dest: "{{ freepbx_src_dir }}/amp_conf/htdocs/admin/libraries/Composer/vendor/neitanod/forceutf8/src/ForceUTF8/Encoding.php" -- name: FreePBX - Disable & Stop asterisk service - systemd: - daemon_reload: yes - name: asterisk - enabled: no - state: stopped +# 2021-08-04: FreePBX 16 no longer needs this FreePBX 15 patch +# - name: FreePBX - Patch FreePBX source - disable get_magic_quotes_gpc() +# patch: +# src: roles/pbx/templates/pbx2.patch +# dest: "{{ freepbx_install_dir }}/admin/libraries/view.functions.php" -- name: FreePBX - Add mysql user + +- name: FreePBX - Add MySQL user ({{ asterisk_db_user }}) mysql_user: - name: "{{ asterisk_db_user }}" - password: "{{ asterisk_db_password }}" + name: "{{ asterisk_db_user }}" # asterisk + password: "{{ asterisk_db_password }}" # asterisk priv: "{{ asterisk_db_dbname }}.*:ALL/{{ asterisk_db_cdrdbname }}.*:ALL" -# login_host: "{{ asterisk_db_host }}" -# login_user: "root" -# login_password: "{{ mysql_root_password }}" + # login_host: "{{ asterisk_db_host 
}}" + # login_user: root + # login_password: "{{ mysql_root_password }}" host: "{{ (asterisk_db_host == 'localhost') | ternary('localhost', ansible_default_ipv4.address) }}" state: present -- name: FreePBX - Add mysql db +- name: FreePBX - Add MySQL db ({{ asterisk_db_dbname }}) mysql_db: - name: "{{ asterisk_db_dbname }}" - encoding: utf8 - collation: utf8_general_ci -# login_host: "{{ asterisk_db_host }}" -# login_user: "root" -# login_password: "{{ mysql_root_password }}" - state: present - -- name: FreePBX - Add cdr mysql db - mysql_db: - name: "{{ asterisk_db_cdrdbname }}" + name: "{{ asterisk_db_dbname }}" # asterisk encoding: utf8 collation: utf8_general_ci login_host: "{{ asterisk_db_host }}" + login_user: "{{ asterisk_db_user }}" + login_password: "{{ asterisk_db_password }}" state: present -- name: FreePBX - Don't let freepbx take over the php sessions dir +- name: FreePBX - Add CDR MySQL db ({{ asterisk_db_cdrdbname }}) + mysql_db: + name: "{{ asterisk_db_cdrdbname }}" # asteriskcdrdb + encoding: utf8 + collation: utf8_general_ci + login_host: "{{ asterisk_db_host }}" + login_user: "{{ asterisk_db_user }}" + login_password: "{{ asterisk_db_password }}" + state: present + + +# 2021-08-16: DOES NGINX NEED THE NEXT 2 STANZAS? (If not, should 'when: pbx_use_apache' be added?) + +- name: FreePBX - Create new php sessions dir /var/lib/php/asterisk_sessions/ - SEE 'php_value session.save_path /var/lib/php/asterisk_sessions/' IN pbx/templates/freepbx.conf.j2 + file: + path: /var/lib/php/asterisk_sessions/ + state: directory + +- name: FreePBX - Set ownership for new php sessions dir (asterisk:asterisk) + file: + dest: /var/lib/php/asterisk_sessions/ + owner: asterisk + group: asterisk + recurse: yes + +- name: "FreePBX - Populate /etc/asterisk/freepbx_chown.conf to prevent 'fwconsole chown' takeover of /var/lib/php/sessions" # And possibly later /etc/freepbx.conf, /var/log/asterisk/freepbx.log, /var/spool/asterisk/cache blockinfile: content: | [blacklist] 
@@ -89,59 +173,122 @@ group: asterisk create: yes -- name: FreePBX - Create php sessions directory - file: - path: "/var/lib/php/asterisk_sessions/" - state: directory -- name: FreePBX - Set ownership for php sessions directory - file: - dest: "/var/lib/php/asterisk_sessions/" - owner: asterisk - group: asterisk - recurse: yes - -- name: FreePBX - Install (just run once) - CAN TAKE 12 MIN OR LONGER! - command: ./start_asterisk start +- name: FreePBX - git clone https://github.com/mariadb-corporation/mariadb-connector-odbc to /usr/src/mariadb-connector-odbc + git: + repo: https://github.com/mariadb-corporation/mariadb-connector-odbc + dest: /usr/src/mariadb-connector-odbc + version: master + force: yes + depth: 1 + +- name: FreePBX - Run scripts/mk-odbc-connector to build mariadb-connector-odbc, creating /usr/local/lib/mariadb/libmaodbc.so + command: "{{ iiab_dir }}/scripts/mk-odbc-connector" + args: + creates: /usr/local/lib/mariadb/libmaodbc.so + +# http://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html +- name: FreePBX - Install /etc/odbc.ini, /etc/odbcinst.ini from template (root:root, 0644 by default) + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - { src: odbc.ini.j2, dest: /etc/odbc.ini } + - { src: odbcinst.ini, dest: /etc/odbcinst.ini } + +- name: FreePBX - Install /etc/asterisk/cdr_mysql.conf from template (root:root, 0644 by default) + template: + src: cdr_mysql.conf.j2 + dest: /etc/asterisk/cdr_mysql.conf + + +- name: FreePBX - 2-step install - won't run if {{ freepbx_install_dir }} already exists - CAN TAKE 3-12 MIN OR LONGER! 
+ command: "{{ item }}" args: chdir: "{{ freepbx_src_dir }}" - creates: "{{ freepbx_install_dir }}" + creates: "{{ freepbx_install_dir }}" # /var/www/html/freepbx + with_items: + - ./start_asterisk start + - ./install -n --webroot {{ freepbx_install_dir }} --dbuser {{ asterisk_db_user }} --dbpass {{ asterisk_db_password }} + # - ./install -n --webroot {{ freepbx_install_dir }} --dbuser {{ asterisk_db_user }} --dbpass {{ asterisk_db_password }} --dbname {{ asterisk_db_dbname }} --cdrdbname {{ asterisk_db_cdrdbname }} -- name: FreePBX - Install (just run once) - CAN TAKE 12 MIN OR LONGER! - command: ./install -n --webroot {{ freepbx_install_dir }} --dbuser {{ asterisk_db_user }} --dbpass {{ asterisk_db_password }} --dbname {{ asterisk_db_dbname }} --cdrdbname {{ asterisk_db_cdrdbname }} - args: - chdir: "{{ freepbx_src_dir }}" - creates: "{{ freepbx_install_dir }}" +- name: FreePBX - Run 'fwconsole stop', 'killall -9 safe_asterisk' to stop both main Asterisk processes - this avoids "Unable to run Pre-Asterisk hooks, because Asterisk is already running" in 'journalctl -u freepbx' logs + command: "{{ item }}" + with_items: + - fwconsole stop + - killall -9 safe_asterisk # 2021-08-08: Stronger medicine needed for 64-bit Ubuntu Server 21.04 on RPi 4. Originally from @jvonau's PR #2912. + # - killall -9 asterisk # 2021-08-05: Also from @jvonau's PR #2912, to brute force this. In the end, above 'fwconsole stop' works more gracefully. + # - ./start_asterisk stop # Buggy! + # - /usr/sbin/asterisk -rx "core stop gracefully" + # - fwconsole reload + # - fwconsole restart + # - fwconsole ma disablerepo commercial + # - fwconsole ma installall + # - fwconsole ma delete firewall + # - fwconsole reload + # - fwconsole restart + ignore_errors: yes # 2021-08-08: As 'killall -9 safe_asterisk' will fail when process doesn't exist (on many OS's!) 
-- name: FreePBX - Patch FreePBX source - disable get_magic_quotes_gpc() - patch: - src: "roles/pbx/templates/pbx2.patch" - dest: "{{ freepbx_install_dir }}/admin/libraries/view.functions.php" +- name: "FreePBX - Run 'killall -9 \"PM2 v4.5.0: God\"' for good measure" + command: 'killall -9 "PM2 v4.5.0: God"' # 2021-08-09: Missed by above 'fwconsole stop' (does this matter?) + ignore_errors: yes # 2021-08-16: As 'killall -9 "PM2 v4.5.0: God"' will fail if process doesn't exist (e.g. if version number changes, etc) -- name: FreePBX - Create /etc/odbc.ini +# 2021-08-06: This stanza works, but above is more graceful. (FYI PRs #2908, +# #2912, #2913 didn't quite work -- whereas this PR #2915 at least worked!) +# - name: FreePBX - Run 'systemctl restart freepbx' TWICE (THIS IS 1 OF 2) to get past 'systemctl status freepbx' glitch "Unable to run Pre-Asterisk hooks, because Asterisk is already running" +# systemd: +# daemon_reload: yes +# name: freepbx +# enabled: yes +# state: restarted + + +- name: FreePBX - Install /etc/systemd/system/freepbx.service from template (root:root, 0644 by default) template: - src: odbc.ini.j2 - dest: /etc/odbc.ini - # owner: root - # group: root - # mode: '0644' + src: freepbx.service + dest: /etc/systemd/system/ -- name: FreePBX - Install Apache's sites-available/freepbx.conf from template - template: - src: freepbx.conf.j2 - dest: /etc/apache2/sites-available/freepbx.conf - owner: "{{ apache_user }}" - group: "{{ apache_user }}" - mode: '0644' +# Default module list https://github.com/iiab/iiab/pull/2916#issuecomment-894601522 +- name: FreePBX - Run 'fwconsole ma upgradeall' on installed FreePBX modules, e.g. 16 default modules (of about 70 total) - CAN TAKE 1 MIN OR LONGER! 
+ command: fwconsole ma upgradeall -- name: FreePBX - Add {{ pbx_http_port }} as a Listen directive to apache ports.conf - lineinfile: - path: /etc/apache2/ports.conf - line: "Listen {{ pbx_http_port }}" - insertafter: Listen 80 +# - name: FreePBX - Add "$amp_conf['CHECKREFERER'] = false;" to /etc/freepbx.conf #2931 - if pbx_use_nginx" +# lineinfile: +# path: /etc/freepbx.conf +# insertbefore: '^\?>$' # Match exact line '?>' -- BOTTOM OF FILE NEC! +# line: "$amp_conf['CHECKREFERER'] = false;" +# when: pbx_use_nginx -- name: FreePBX - Install /etc/systemd/system/freepbx.service systemd unit file from template - template: - src: freepbx.service.j2 - dest: /etc/systemd/system/freepbx.service - # mode: '0755' # Let's go with '0644' per unit file norms +# - name: 'FreePBX - fix file permissions for NGINX: /etc/freepbx.conf (0644), /var/log/asterisk/freepbx.log (0666)' +# file: +# #state: file +# path: "{{ item.path }}" +# mode: "{{ item.mode }}" +# with_items: +# - { path: '/etc/freepbx.conf', mode: u=rw,g=r,o=r } # 2021-08-04: LATER ENDS UP AS 0660 +# - { path: '/var/log/asterisk/freepbx.log', mode: u=rw,g=rw,o=rw } # 2021-08-04: LATER ENDS UP AS 0664 +# when: pbx_use_nginx + +# - name: 'FreePBX - fix dir permissions for NGINX: /var/spool/asterisk/cache (0777)' +# file: +# state: directory +# path: "{{ item }}" +# mode: u=rwx,g=rwx,o=rwx # 2021-08-04: MOST CONTENT THEREIN ENDS UP AS asterisk:asterisk 664 (files) & 775 (dirs) +# # recurse: yes # Probably Doesn't Help? 
+# with_items: +# # - /var/www/html/freepbx/admin/assets/less/cache +# - /var/spool/asterisk/cache +# when: pbx_use_nginx + +# For 'pbx_use_nginx: True' -- FreePBX's initial page (Admin user registration) +# tries to set up a cron job but fails: +# "Exception: Trying to edit user asterisk, when I'm running as www-data" +# 2021-08-10: Hacking /etc/freepbx.conf WAS NOT TESTED PROPERLY -- some vars MAY +# need to be NEAR BOTTOM: github.com/iiab/iiab/pull/2916#issuecomment-894585322 +# - name: "2021-08-06: Try \"$amp_conf['AMPASTERISKWEBUSER'] = 'www-data';\" in /etc/freepbx.conf for #2916 registration cron fix ?'" +# lineinfile: +# path: /etc/freepbx.conf +# #insertafter: '^<\?php$' # Match exact line '$' # Match exact line '?>' -- BOTTOM OF FILE NECESSARY :) +# line: "$amp_conf['AMPASTERISKWEBUSER'] = 'www-data';" +# when: pbx_use_nginx diff --git a/roles/pbx/tasks/freepbx_dependencies.yml b/roles/pbx/tasks/freepbx_dependencies.yml deleted file mode 100644 index 379236fa0..000000000 --- a/roles/pbx/tasks/freepbx_dependencies.yml +++ /dev/null 
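Review bot: The 2-step install task passes `--dbpass {{ asterisk_db_password }}` as a `with_items` entry, and Ansible prints each loop item label in the play output, so the database password lands in console output and in any saved run logs; `no_log: true` on that task (or a `loop_control: label:` that omits the arguments) keeps it out. The `git` task fetches `version: master` with `force: yes` and the next task compiles and installs that checkout as `/usr/local/lib/mariadb/libmaodbc.so`, so every fresh install builds whatever the upstream branch holds at that moment; pinning `version:` to a release tag or commit makes the build reproducible and reviewable. `ignore_errors: yes` on the stop-Asterisk loop also hides a failing `fwconsole stop`, since it covers both items; a `failed_when` scoped to the `killall` item would keep the first command's failure visible.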
@@ -1,39 +0,0 @@ -- name: FreePBX - Install dependencies (run 'php -m' or 'php -i' to verify PHP modules) - package: - name: - - wget - - git - - unixodbc # for Asterisk CDR (Call Detail Records) - - sudo # required by FreePBX install script - - net-tools # required by FWConsole (command-line utility, that controls FreePBX) - - cron # required by FreePBX UCP package (User Control Panel) - - sox # required for CDR web-playback - #- php{{ php_version }} # Basically drags in phpX.Y-cgi (already below!) - - php{{ php_version }}-bcmath # Likewise installed in nextcloud/tasks/install.yml, wordpress/tasks/install.yml - - php{{ php_version }}-cgi - #- php{{ php_version }}-common # Auto-installed as an apt dependency. REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml - - php{{ php_version }}-curl # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml - - php{{ php_version }}-fpm # Likewise installed in nginx/tasks/install.yml - #- php{{ php_version }}-gettext - - php{{ php_version }}-gd # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml - - php{{ php_version }}-imap - #- php{{ php_version }}-json # See stanza just below - - php{{ php_version }}-mbstring # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml - - php{{ php_version }}-mysql # Likewise installed in mysql/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml - - php-pear # Likewise installed for ADMIN CONSOLE https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19 - - php{{ php_version }}-snmp - - php{{ php_version }}-xml # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml -- AND REGARDLESS dragged in later by Admin Console's 
use of php-pear for roles/cmdsrv/tasks/main.yml -- run 'php -m | grep -i xml' which in the end shows {libxml, SimpleXML, xml, xmlreader, xmlwriter} - - php{{ php_version }}-zip # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml - - libapache2-mod-php - #- python-mysqldb # https://github.com/Yannik/ansible-role-freepbx/blob/master/tasks/freepbx.yml#L33 - - libapache2-mpm-itk # To serve FreePBX through a VirtualHost as asterisk user - state: latest - -# For PHP >= 8.0: phpX.Y-json is baked into PHP itself. -# For PHP < 8.0: phpX.Y-json auto-installed by phpX.Y-fpm AND phpX.Y-cli in 3-base-server's nginx/tasks/install.yml, as confirmed by: apt rdepends phpX.Y-json -# -#- name: Install php{{ php_version }}-json if PHP < 8.0 -# package: -# name: php{{ php_version }}-json -# state: present -# when: php_version is version('8.0', '<') diff --git a/roles/pbx/tasks/freepbx_dependencies.yml.unused b/roles/pbx/tasks/freepbx_dependencies.yml.unused new file mode 100644 index 000000000..49d002ac4 --- /dev/null +++ b/roles/pbx/tasks/freepbx_dependencies.yml.unused 
@@ -0,0 +1,37 @@ +- name: FreePBX - Install wget, git, unixodbc, sudo, net-tools, cron, sox + ~12 PHP dependencies (run 'php -m' or 'php -i' to verify PHP modules) + package: + name: + - wget + - git + - unixodbc # For Asterisk CDR (Call Detail Records) + - sudo # Required by FreePBX install script + - net-tools # Required by FWConsole (command-line utility, that controls FreePBX) + - cron # Required by FreePBX UCP package (User Control Panel) + - sox # Required for CDR web-playback + # - php{{ php_version }} # Basically drags in phpX.Y-cgi (already below!) + - php{{ php_version }}-bcmath # Likewise installed in nextcloud/tasks/install.yml, wordpress/tasks/install.yml + - php{{ php_version }}-cgi + # - php{{ php_version }}-common # Auto-installed as an apt dependency. REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml + - php{{ php_version }}-curl # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml + - php{{ php_version }}-fpm # Likewise installed in nginx/tasks/install.yml + # - php{{ php_version }}-gettext + - php{{ php_version }}-gd # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml + - php{{ php_version }}-imap + # - php{{ php_version }}-json # See stanza just below + - php{{ php_version }}-mbstring # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml + # - python-mysqldb # https://github.com/Yannik/ansible-role-freepbx/blob/master/tasks/freepbx.yml#L33 + - php{{ php_version }}-mysql # Likewise installed in mysql/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml + - php-pear # Likewise installed for ADMIN CONSOLE https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19 + - php{{ php_version }}-snmp + - php{{ php_version }}-xml # Likewise installed in 
mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml -- AND REGARDLESS dragged in later by Admin Console's use of php-pear for roles/cmdsrv/tasks/main.yml -- run 'php -m | grep -i xml' which in the end shows {libxml, SimpleXML, xml, xmlreader, xmlwriter} + - php{{ php_version }}-zip # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml + state: latest + +# For PHP >= 8.0: phpX.Y-json is baked into PHP itself. +# For PHP < 8.0: phpX.Y-json auto-installed by phpX.Y-fpm AND phpX.Y-cli in 3-base-server's nginx/tasks/install.yml, as confirmed by: apt rdepends phpX.Y-json +# +# - name: Install php{{ php_version }}-json if PHP < 8.0 +# package: +# name: php{{ php_version }}-json +# state: present +# when: php_version is version('8.0', '<') diff --git a/roles/pbx/tasks/freepbx_enable.yml b/roles/pbx/tasks/freepbx_enable.yml deleted file mode 100644 index 2f3f1976b..000000000 --- a/roles/pbx/tasks/freepbx_enable.yml +++ /dev/null @@ -1,28 +0,0 @@ -- name: FreePBX - Enable & (Re)start 'freepbx' systemd service (if pbx_enabled) - systemd: - daemon_reload: yes - name: freepbx - enabled: yes - state: restarted - when: pbx_enabled - -- name: FreePBX - Disable & Stop 'freepbx' systemd service (if not pbx_enabled) - systemd: - daemon_reload: yes - name: freepbx - enabled: no - state: stopped - when: not pbx_enabled - -- name: FreePBX - Enable http://box:{{ pbx_http_port }} via Apache, if pbx_enabled # http://box:83 - command: a2ensite freepbx.conf - when: pbx_enabled - -- name: FreePBX - Disable http://box:{{ pbx_http_port }} via Apache, if not pbx_enabled # http://box:83 - command: a2dissite freepbx.conf - when: not pbx_enabled - -- name: FreePBX - Restart Apache service ({{ apache_service }}) - systemd: - name: "{{ apache_service }}" # httpd or apache2 - state: restarted 
diff --git a/roles/pbx/tasks/install.yml b/roles/pbx/tasks/install.yml index 7a6c41364..eb3163fe4 100644 --- a/roles/pbx/tasks/install.yml +++ b/roles/pbx/tasks/install.yml @@ -1,3 +1,7 @@ +- name: "ONLY PHP 7.4 IS SUPPORTED AS OF AUG 2021 -- PLEASE READ: https://github.com/iiab/iiab/tree/master/roles/pbx/#pbx-readme" + meta: noop + + - name: "Set 'nodejs_install: True' and 'nodejs_enabled: True'" set_fact: nodejs_install: True 
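Review bot: The new `meta: noop` task only displays its name; it does not stop the play when the PHP version is unsupported, which the name presents as a hard requirement. If `php_version` is in scope for this role (it is referenced as `php{{ php_version }}` elsewhere in this diff), an `assert:` with `that: php_version is version('7.4', '==')` and a `fail_msg:` carrying the same README link enforces it instead of merely announcing it. If it is meant purely as a banner, a comment above the first real task conveys the same without adding a task to the play output.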
@@ -12,49 +16,29 @@ msg: "PBX install cannot proceed, as Node.js is not installed." when: nodejs_installed is undefined -#- name: FAIL (STOP THE INSTALL) IF 'nodejs_version != "12.x"' -# fail: -# msg: "PBX install cannot proceed, as it currently requires Node.js 12.x, whereas nodejs_version is set to {{ nodejs_version }}. Please check the value of nodejs_version in /opt/iiab/iiab/vars/default_vars.yml, /etc/iiab/local_vars.yml, /opt/iiab/iiab/roles/nodejs, etc." -# when: nodejs_version != "12.x" +# - name: FAIL (STOP THE INSTALL) IF 'nodejs_version != "12.x"' +# fail: +# msg: "PBX install cannot proceed, as it currently requires Node.js 12.x, whereas nodejs_version is set to {{ nodejs_version }}. Please check the value of nodejs_version in /opt/iiab/iiab/vars/default_vars.yml, /etc/iiab/local_vars.yml, /opt/iiab/iiab/roles/nodejs, etc." +# when: nodejs_version != "12.x" -- name: "Set 'apache_install: True' and 'apache_enabled: True'" - set_fact: - apache_install: True - apache_enabled: True -- name: APACHE - run 'httpd' role - include_role: - name: httpd +# 2021-08-09: Moved to roles/pbx/tasks/apache.yml -#- name: TODO: Check if asterisk and freepbx are already installed +# - name: "Set 'apache_install: True' and 'apache_enabled: True'" +# set_fact: +# apache_install: True +# apache_enabled: True -- debug: # Crazy spacing below is tuned for 80-column screens - msg: >- - ####################################################################WARNING: - ONLY UBUNTU 18.04, DEBIAN 9 & RASPBIAN ARE SUPPORTED AS OF FEB 2019. Please - assist Internet-in-a-Box communities worldwide if you can make - Asterisk and FreePBX work on other OS's / distros, Thank - You! 
http://FAQ.IIAB.IO ############################################################################### +# - name: APACHE - run 'httpd' role +# include_role: +# name: httpd -- name: Check if /etc/systemd/system/freepbx.service is already installed - stat: - path: /etc/systemd/system/freepbx.service - register: freepbx_installed -- debug: - msg: >- - FreePBX already installed. Reinstall shall be skipped - when: freepbx_installed.stat.exists - -- name: Install Asterisk (debuntu) +- name: Install Asterisk include_tasks: asterisk.yml - when: internet_available and pbx_install and (pbx_installed is undefined) and is_debuntu and (not freepbx_installed.stat.exists) - #when: internet_available and pbx_install and (not pbx_installed) and ((is_debian and ansible_distribution_major_version == "9") or is_ubuntu_18) -- name: Install FreePBX (debuntu) +- name: Install FreePBX include_tasks: freepbx.yml - when: internet_available and pbx_install and (pbx_installed is undefined) and is_debuntu and (not freepbx_installed.stat.exists) - #when: internet_available and pbx_install and (not pbx_installed) and ((is_debian and ansible_distribution_major_version == "9") or is_ubuntu_18) # RECORD PBX AS INSTALLED diff --git a/roles/pbx/tasks/main.yml b/roles/pbx/tasks/main.yml index fc7d29442..ea98e9161 100644 --- a/roles/pbx/tasks/main.yml +++ b/roles/pbx/tasks/main.yml @@ -23,14 +23,13 @@ include_tasks: install.yml when: pbx_installed is undefined -- name: Enable FreePBX (debuntu) - include_tasks: freepbx_enable.yml - when: pbx_installed is defined - -- name: Asterisk - Install chan_dongle +- name: Install & Enable chan_dongle for Huawei USB modems - if asterisk_chan_dongle include: chan_dongle.yml when: asterisk_chan_dongle +- include_tasks: enable-or-disable.yml + + - name: Add 'pbx' variable values to {{ iiab_ini_file }} ini_file: path: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini 
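Review bot: The `include_tasks: asterisk.yml` and `include_tasks: freepbx.yml` lines now carry no `when:` at all, so the `internet_available` check disappears along with the `pbx_installed` and `freepbx_installed` ones; `main.yml` still gates `install.yml` on `pbx_installed is undefined` (visible in the next hunk), but nothing prevents the clone and download steps in `freepbx.yml` from starting offline and failing part-way. Re-adding `when: internet_available` to both includes, or a `fail:` task above them, preserves that guard without the removed stat check. The removed `freepbx_installed` stat also covered a box where `/etc/systemd/system/freepbx.service` exists but `pbx_installed` was never recorded; whether that case still matters is not visible here.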
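Review bot: `- include_tasks: enable-or-disable.yml` is the only unnamed task in this file section, so it shows in play output as just the file name; a `name:` in the style of its siblings, e.g. `- name: Enable or disable FreePBX services - see enable-or-disable.yml`, keeps the output consistent. The neighbouring chan_dongle task, whose name this hunk rewrites, still uses the older `include:` keyword while the new line uses `include_tasks:`; aligning the two would make the file consistent, though the `include:` line itself is unchanged by this commit.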
diff --git a/roles/pbx/templates/71-freepbx-framework.patch b/roles/pbx/templates/71-freepbx-framework.patch.unused similarity index 100% rename from roles/pbx/templates/71-freepbx-framework.patch rename to roles/pbx/templates/71-freepbx-framework.patch.unused diff --git a/roles/pbx/templates/asterisk.conf b/roles/pbx/templates/asterisk.conf new file mode 100644 index 000000000..1b1792e63 --- /dev/null +++ b/roles/pbx/templates/asterisk.conf 
@@ -0,0 +1,467 @@ +; 2021-08-10: @jvonau derived this from /etc/php/7.4/fpm/pool.d/www.conf (apt +; package php7.4-fpm) with just 4 changes: (github.com/iiab/iiab/pull/2930) +; +; 1. [www] -> [asterisk] +; 2. user = www-data -> user = asterisk +; 3. listen = /run/php/php7.4-fpm.sock -> listen = /run/php/php-asterisk.sock +; 4. listen.owner = www-data -> listen.owner = asterisk +; +; See also the top of asterisk.conf.patch and asterisk.conf.diff here: +; https://github.com/iiab/iiab/tree/master/roles/pbx/templates +; +; "One set of workers is running as www-data and the other set of workers is +; running as asterisk but on different sockets." +; +; This should resolve both iiab/iiab#2914 -> iiab/iiab#2916 "NGINX" issues: +; (1) As you tried to register at http://box/freepbx, cron setup failed with +; exception "Trying to edit user asterisk, when I'm running as www-data" +; https://github.com/iiab/iiab/pull/2916#issuecomment-894585322 +; (2) When you clicked Settings >> Advanced Settings >> Submit >> Apply Config, +; it failed with "Unknown Error. Please Run: fwconsole reload --verbose" +; https://github.com/iiab/iiab/pull/2916#issuecomment-894604982 + +; Start a new pool named 'www'. +; the variable $pool can be used in any directive and will be replaced by the +; pool name ('www' here) +[asterisk] + +; Per pool prefix +; It only applies on the following directives: +; - 'access.log' +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or /usr) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +;prefix = /path/to/pools/$pool + +; Unix user/group of processes +; Note: The user is mandatory. If the group is not set, the default user's group +; will be used. +user = asterisk +group = www-data + +; The address on which to accept FastCGI requests. 
+; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = /run/php/php-asterisk.sock + +; Set listen(2) backlog. +; Default Value: 511 (-1 on FreeBSD and OpenBSD) +;listen.backlog = 511 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. Many +; BSD-derived systems allow connections regardless of permissions. The owner +; and group can be specified either by name or by their numeric IDs. +; Default Values: user and group are set as the running user +; mode is set to 0660 +listen.owner = asterisk +listen.group = www-data +;listen.mode = 0660 +; When POSIX Access Control Lists are supported you can set them using +; these options, value is a comma separated list of user/group names. +; When set, listen.owner and listen.group are ignored +;listen.acl_users = +;listen.acl_groups = + +; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. 
+; Default Value: any +;listen.allowed_clients = 127.0.0.1 + +; Specify the nice(2) priority to apply to the pool processes (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool processes will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; process.priority = -19 + +; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user +; or group is differrent than the master process user. It allows to create process +; core dump and ptrace the process for the pool user. +; Default Value: no +; process.dumpable = yes + +; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; ondemand - no children are created at startup. Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. 
+pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +;pm.max_children = 5 +pm.max_children=120 + +; The number of child processes created on startup. +; Note: Used only when pm is set to 'dynamic' +; Default Value: (min_spare_servers + max_spare_servers) / 2 +;pm.start_servers = 2 +pm.start_servers=12 + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +;pm.min_spare_servers = 1 +pm.min_spare_servers=6 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +;pm.max_spare_servers = 3 +pm.max_spare_servers=18 + +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +;pm.process_idle_timeout = 10s; + +; The number of requests each child process should execute before respawning. +; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +;pm.max_requests = 500 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. 
It shows the following informations: +; pool - the name of the pool; +; process manager - static, dynamic or ondemand; +; start time - the date and time FPM has started; +; start since - number of seconds since FPM has started; +; accepted conn - the number of request accepted by the pool; +; listen queue - the number of request in the queue of pending +; connections (see backlog in listen(2)); +; max listen queue - the maximum number of requests in the queue +; of pending connections since FPM has started; +; listen queue len - the size of the socket queue of pending connections; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes; +; max active processes - the maximum number of active processes since FPM +; has started; +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic' and 'ondemand'); +; Value are updated in real time. +; Example output: +; pool: www +; process manager: static +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 62636 +; accepted conn: 190460 +; listen queue: 0 +; max listen queue: 1 +; listen queue len: 42 +; idle processes: 4 +; active processes: 11 +; total processes: 15 +; max active processes: 12 +; max children reached: 0 +; +; By default the status page output is formatted as text/plain. Passing either +; 'html', 'xml' or 'json' in the query string will return the corresponding +; output syntax. Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; http://www.foo.bar/status?xml +; +; By default the status page only outputs short status. Passing 'full' in the +; query string will also return status for each pool process. 
+; Example: +; http://www.foo.bar/status?full +; http://www.foo.bar/status?json&full +; http://www.foo.bar/status?html&full +; http://www.foo.bar/status?xml&full +; The Full status returns for each process: +; pid - the PID of the process; +; state - the state of the process (Idle, Running, ...); +; start time - the date and time the process has started; +; start since - the number of seconds since the process has started; +; requests - the number of requests the process has served; +; request duration - the duration in µs of the requests; +; request method - the request method (GET, POST, ...); +; request URI - the request URI with the query string; +; content length - the content length of the request (only with POST); +; user - the user (PHP_AUTH_USER) (or '-' if not set); +; script - the main script called (or '-' if not set); +; last request cpu - the %cpu the last request consumed +; it's always 0 if the process is not in Idle state +; because CPU calculation is done when the request +; processing has terminated; +; last request memory - the max amount of memory the last request consumed +; it's always 0 if the process is not in Idle state +; because memory calculation is done when the request +; processing has terminated; +; If the process is in Idle state, then informations are related to the +; last request the process has served. Otherwise informations are related to +; the current request being served. 
+; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: /usr/share/php/7.4/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong + +; The access log file +; Default: not set +;access.log = log/$pool.access.log + +; The access log format. 
+; The following syntax is allowed +; %%: the '%' character +; %C: %CPU used by the request +; it can accept the following format: +; - %{user}C for user CPU only +; - %{system}C for system CPU only +; - %{total}C for user + system CPU (default) +; %d: time taken to serve the request +; it can accept the following format: +; - %{seconds}d (default) +; - %{miliseconds}d +; - %{mili}d +; - %{microseconds}d +; - %{micro}d +; %e: an environment variable (same as $_ENV or $_SERVER) +; it must be associated with embraces to specify the name of the env +; variable. Some exemples: +; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e +; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e +; %f: script filename +; %l: content-length of the request (for POST request only) +; %m: request method +; %M: peak of memory allocated by PHP +; it can accept the following format: +; - %{bytes}M (default) +; - %{kilobytes}M +; - %{kilo}M +; - %{megabytes}M +; - %{mega}M +; %n: pool name +; %o: output header +; it must be associated with embraces to specify the name of the header: +; - %{Content-Type}o +; - %{X-Powered-By}o +; - %{Transfert-Encoding}o +; - .... +; %p: PID of the child that serviced the request +; %P: PID of the parent of the child that serviced the request +; %q: the query string +; %Q: the '?' character if query string exists +; %r: the request URI (without the query string, see %q and %Q) +; %R: remote IP address +; %s: status (response code) +; %t: server time the request was received +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsuled in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsuled in a %{}t tag +; e.g. 
for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %u: remote user +; +; Default: "%R - %u %t \"%m %r\" %s" +;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +;slowlog = log/$pool.log.slow + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; Depth of slow log stack trace. +; Default Value: 20 +;request_slowlog_trace_depth = 20 + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; The timeout set by 'request_terminate_timeout' ini option is not engaged after +; application calls 'fastcgi_finish_request' or when application has finished and +; shutdown functions are being called (registered via register_shutdown_function). +; This option will enable timeout limit to be applied unconditionally +; even in such cases. +; Default Value: no +;request_terminate_timeout_track_finished = no + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. 
If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. +; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. +; Note: on highloaded environement, this can cause some delay in the page +; process time (several ms). +; Default Value: no +;catch_workers_output = yes + +; Decorate worker output with prefix and suffix containing information about +; the child that writes to the log and if stdout or stderr is used as well as +; log level and time. This options is used only if catch_workers_output is yes. +; Settings to "no" will output data as written to the stdout or stderr. +; Default value: yes +;decorate_workers_output = no + +; Clear environment in FPM workers +; Prevents arbitrary environment variables from reaching FPM worker processes +; by clearing the environment in workers before env vars specified in this +; pool configuration are added. +; Setting to "no" will make all environment variables available to PHP code +; via getenv(), $_ENV and $_SERVER. +; Default Value: yes +;clear_env = no +clear_env = no + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; execute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 .php7 + +; Pass environment variables like LD_LIBRARY_PATH. 
All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +env[PATH]=/usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. +; php_admin_value/php_admin_flag - these directives won't be overwritten by +; PHP call 'ini_set' +; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. + +; Defining 'extension' will load the corresponding shared extension from +; extension_dir. Defining 'disable_functions' or 'disable_classes' will not +; overwrite previously defined php.ini values, but will append the new value +; instead. + +; Note: path INI options can be relative and will be expanded with the prefix +; (pool, global or /usr) + +; Default Value: nothing is defined by default except the values in php.ini and +; specified at startup with the -d argument +;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com +;php_flag[display_errors] = off +;php_admin_value[error_log] = /var/log/fpm-php.www.log +;php_admin_flag[log_errors] = on +;php_admin_value[memory_limit] = 32M diff --git a/roles/pbx/templates/asterisk.conf.diff b/roles/pbx/templates/asterisk.conf.diff new file mode 100644 index 000000000..d1d90aa30 --- /dev/null +++ b/roles/pbx/templates/asterisk.conf.diff 
@@ -0,0 +1,40 @@
+4c4
+< [www]
+---
+> [asterisk]
+23c23
+< user = www-data
+---
+> user = asterisk
+36c36
+< listen = /run/php/php7.4-fpm.sock
+---
+> listen = /run/php/php-asterisk.sock
+48c48
+< listen.owner = www-data
+---
+> listen.owner = asterisk
+114c114,115
+< pm.max_children = 5
+---
+> ;pm.max_children = 5
+> pm.max_children=120
+119c120,121
+< pm.start_servers = 2
+---
+> ;pm.start_servers = 2
+> pm.start_servers=12
+124c126,127
+< pm.min_spare_servers = 1
+---
+> ;pm.min_spare_servers = 1
+> pm.min_spare_servers=6
+129c132,133
+< pm.max_spare_servers = 3
+---
+> ;pm.max_spare_servers = 3
+> pm.max_spare_servers=18
+397a402
+> clear_env = no
+411a417
+> env[PATH]=/usr/local/bin:/usr/bin:/bin
diff --git a/roles/pbx/templates/asterisk.conf.patch b/roles/pbx/templates/asterisk.conf.patch
new file mode 100644
index 000000000..bc4932d0a
--- /dev/null
+++ b/roles/pbx/templates/asterisk.conf.patch
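Review bot: This normal-format diff keys every edit on absolute line numbers of the stock www.conf (`4c4`, `23c23`, `397a402`, `411a417`), so it only applies cleanly to the exact php7.4-fpm package revision it was generated from; on any other revision `patch` will reject or mis-place hunks, and unless the task that applies it checks the exit status the pool ends up silently half-configured. The same edits also live in asterisk.conf.patch in this commit, so the two copies can drift apart. A Jinja template for the whole `[asterisk]` pool (or one `ini_file` task per directive) would be version-independent; at minimum the apply step should fail the play on non-zero exit and the role should document which php-fpm version the diff was generated against.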
@@ -0,0 +1,85 @@ +--- /etc/php/7.4/fpm/pool.d/www.conf 2021-07-01 23:59:48.000000000 -0400 ++++ /etc/php/7.4/fpm/pool.d/asterisk.conf 2021-08-10 05:25:09.808067373 -0400 +@@ -1,7 +1,7 @@ + ; Start a new pool named 'www'. + ; the variable $pool can be used in any directive and will be replaced by the + ; pool name ('www' here) +-[www] ++[asterisk] + + ; Per pool prefix + ; It only applies on the following directives: +@@ -20,7 +20,7 @@ + ; Unix user/group of processes + ; Note: The user is mandatory. If the group is not set, the default user's group + ; will be used. +-user = www-data ++user = asterisk + group = www-data + + ; The address on which to accept FastCGI requests. +@@ -33,7 +33,7 @@ + ; (IPv6 and IPv4-mapped) on a specific port; + ; '/path/to/unix/socket' - to listen on a unix socket. + ; Note: This value is mandatory. +-listen = /run/php/php7.4-fpm.sock ++listen = /run/php/php-asterisk.sock + + ; Set listen(2) backlog. + ; Default Value: 511 (-1 on FreeBSD and OpenBSD) +@@ -45,7 +45,7 @@ + ; and group can be specified either by name or by their numeric IDs. + ; Default Values: user and group are set as the running user + ; mode is set to 0660 +-listen.owner = www-data ++listen.owner = asterisk + listen.group = www-data + ;listen.mode = 0660 + ; When POSIX Access Control Lists are supported you can set them using +@@ -111,22 +111,26 @@ + ; forget to tweak pm.* to fit your needs. + ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' + ; Note: This value is mandatory. +-pm.max_children = 5 ++;pm.max_children = 5 ++pm.max_children=120 + + ; The number of child processes created on startup. + ; Note: Used only when pm is set to 'dynamic' + ; Default Value: (min_spare_servers + max_spare_servers) / 2 +-pm.start_servers = 2 ++;pm.start_servers = 2 ++pm.start_servers=12 + + ; The desired minimum number of idle server processes. 
+ ; Note: Used only when pm is set to 'dynamic'
+ ; Note: Mandatory when pm is set to 'dynamic'
+-pm.min_spare_servers = 1
++;pm.min_spare_servers = 1
++pm.min_spare_servers=6
+ 
+ ; The desired maximum number of idle server processes.
+ ; Note: Used only when pm is set to 'dynamic'
+ ; Note: Mandatory when pm is set to 'dynamic'
+-pm.max_spare_servers = 3
++;pm.max_spare_servers = 3
++pm.max_spare_servers=18
+ 
+ ; The number of seconds after which an idle process will be killed.
+ ; Note: Used only when pm is set to 'ondemand'
+@@ -395,6 +399,7 @@
+ ; via getenv(), $_ENV and $_SERVER.
+ ; Default Value: yes
+ ;clear_env = no
++clear_env = no
+ 
+ ; Limits the extensions of the main script FPM will allow to parse. This can
+ ; prevent configuration mistakes on the web server side. You should only limit
+@@ -409,6 +414,7 @@
+ ; Default Value: clean env
+ ;env[HOSTNAME] = $HOSTNAME
+ ;env[PATH] = /usr/local/bin:/usr/bin:/bin
++env[PATH]=/usr/local/bin:/usr/bin:/bin
+ ;env[TMP] = /tmp
+ ;env[TMPDIR] = /tmp
+ ;env[TEMP] = /tmp
diff --git a/roles/pbx/templates/cdr_mysql.conf.j2 b/roles/pbx/templates/cdr_mysql.conf.j2
new file mode 100644
index 000000000..5935118f9
--- /dev/null
+++ b/roles/pbx/templates/cdr_mysql.conf.j2
@@ -0,0 +1,6 @@
+[global]
+hostname = localhost
+dbname = {{ asterisk_db_cdrdbname }}
+user = {{ asterisk_db_password }}
+password = {{ asterisk_db_password }}
+userfield = 1
diff --git a/roles/pbx/templates/extensions_custom.conf b/roles/pbx/templates/extensions_custom.conf
new file mode 100644
index 000000000..cc36d5551
--- /dev/null
+++ b/roles/pbx/templates/extensions_custom.conf
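Review bot: `clear_env = no` in the `@@ -395,6 +399,7 @@` hunk hands the entire environment of the php-fpm master process to every PHP script in this pool via getenv()/$_ENV/$_SERVER, which the comment block right above it in the file describes the default (`yes`) as preventing. The only variable the patch appears to need is PATH, and the `env[PATH]=...` line added in the following hunk already passes that through with clear_env left at its default. Unless the FreePBX hooks run by fwconsole need something else from the master environment, drop the `clear_env = no` line; if a specific variable is needed, pass it explicitly with `env[NAME]=value` rather than opening the whole environment.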
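Review bot: `user = {{ asterisk_db_password }}` sets the CDR MySQL username to the password variable, which reads like a copy-paste from the `password =` line below it; the hunk does not show which variable holds the CDR database user, so the correct name has to come from the role's defaults rather than be guessed here. Because the rendered file carries a database password in clear text, the task that installs it should also set a restrictive owner and mode (e.g. `owner: asterisk`, `mode: '0640'`) instead of the template module's 0644 default — this hunk cannot confirm what that task does.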
@@ -0,0 +1,19 @@
+;
+; Added for IIAB's FreePBX test
+; Refer asterisk documentation to for more details - https://wiki.asterisk.org/wiki/display/AST/Creating+Dialplan+Extensions
+;
+[general]
+[iiab-test]
+exten => 301,1,Dial(PJSIP/301)
+
+exten => 302,1,Dial(PJSIP/302)
+
+exten => 1000,1,Answer()
+same => n,Wait(1)
+same => n,Playback(sorry)
+same => n,Playback(you-have-reached-a-test-number)
+same => n,Playback(thanks-for-calling-today)
+same => n,Wait(1)
+same => n,Playback(goodbye)
+same => n,Hangup()
+
diff --git a/roles/pbx/templates/freepbx-nginx.conf.j2 b/roles/pbx/templates/freepbx-nginx.conf.j2
new file mode 100644
index 000000000..1399a11a4
--- /dev/null
+++ b/roles/pbx/templates/freepbx-nginx.conf.j2
@@ -0,0 +1,31 @@
+location ~ ^/freepbx(|/.*)$ { # '~' -> '~*' for case-insensitive regex
+
+ root /var/www/html;
+ # root {{ freepbx_install_dir }}; # /var/www/html/freepbx
+ # root {{ doc_root }}; # /library/www/html
+
+ # location ~ ^/freepbx {
+ # root {{ doc_root }};
+ # }
+
+ location ~ ^/freepbx(.*)\.php(.*)$ {
+ alias {{ freepbx_install_dir }}$1.php$2;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+ fastcgi_pass unix:/run/php/php-asterisk.sock;
+
+ include fastcgi_params;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+ #fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
+ fastcgi_param HTACCESS on; # disables FreePBX htaccess warning
+ }
+
+ # disallows the things that the FreePBX .htaccess files disallow
+ location ~ /freepbx(/\.ht|/\.git|\.ini$|/libraries|/helpers|/i18n|/node|/views/.+php$) {
+ deny all;
+ }
+
+ # from the api module .htaccess file
+ rewrite ^/freepbx/admin/api/([^/]*)/([^/]*)/?(.*)?$ /freepbx/admin/api/api.php?module=$1&command=$2&route=$3 last;
+}
diff --git a/roles/pbx/templates/freepbx.service b/roles/pbx/templates/freepbx.service
new file mode 100644
index 000000000..289b1ec9d
--- /dev/null
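Review bot: The `deny all` location that is meant to mirror FreePBX's .htaccess rules is unreachable for any PHP file under the listed paths, because nginx selects the first regex location that matches in file order and `location ~ ^/freepbx(.*)\.php(.*)$` is listed before it inside the outer block; a request for `/freepbx/admin/libraries/x.php` or `/freepbx/admin/views/x.php` is therefore handed to php-fpm instead of refused, and the `/views/.+php$` alternative in the deny pattern can never fire. Move the three-line `location ~ /freepbx(/\.ht|...) { deny all; }` block above the PHP location so the deny wins, and add a comment saying the order is load-bearing. Separately, `SCRIPT_FILENAME $document_root/$fastcgi_script_name` combined with `alias` inside a regex location is an unusual pairing (with `alias` in effect `$document_root` is already the aliased path); presumably it works here because of the outer `root`, but it is worth confirming in the php-fpm access log that the resolved script path is a single, non-doubled path.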
+++ b/roles/pbx/templates/freepbx.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=FreePBX VoIP Server
+After=mysql.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/fwconsole start
+ExecStop=/usr/sbin/fwconsole stop
+ExecStopPost=killall -9 "PM2 v4.5.0: God"
+# 2021-08-10: Asterisk stuff doesn't stop reliably, right after freepbx.yml
+# 'install -n' completes -- hence "Unable to run Pre-Asterisk hooks, because
+# Asterisk is already running" issue when freepbx.service next tries to start
+# it. See pbx/tasks/freepbx.yml workarounds e.g. github.com/iiab/iiab/pull/2915
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/pbx/templates/freepbx.service.j2 b/roles/pbx/templates/freepbx.service.j2
deleted file mode 100644
index 50a23eea8..000000000
--- a/roles/pbx/templates/freepbx.service.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=FreePBX VoIP Server
-After=mysql.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/sbin/fwconsole start
-ExecStop=/usr/sbin/fwconsole stop
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/pbx/templates/iiab-asterisk-test b/roles/pbx/templates/iiab-asterisk-test
new file mode 100755
index 000000000..9406c1339
--- /dev/null
+++ b/roles/pbx/templates/iiab-asterisk-test
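Review bot: `ExecStopPost=killall -9 "PM2 v4.5.0: God"` matches on a process title that embeds one specific PM2 version, so after any PM2 upgrade the line silently kills nothing and the stop-ordering problem described in the comment comes back; it also sends SIGKILL as root to every process carrying that title, with no graceful stop attempted first. If the PM2 daemon really has to be terminated here, match it without the version string and try TERM first, e.g. `ExecStopPost=-/usr/bin/pkill -TERM -f '^PM2 v[0-9.]+: God$'`, and prefer PM2's own shutdown command run as the `asterisk` user if one is available. The existing comment explains the Asterisk hook race but not why PM2 is involved, so a one-line comment on the ExecStopPost line stating what leaves PM2 running would help the next maintainer.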
@@ -0,0 +1,245 @@ +#!/bin/bash + +# +# This script creates two extensions (301 and 302) +# Credentials can be found in pjsip_custom.conf +# For regular implementation, you are requested to create extensions using the FreePBX webpage to avoid any issues +# +# Usage: +# sudo ./iiab-asterisk-test +# Default option +# Reverts file changes done during the test and restarts asterisk towards the end +# +# sudo ./iiab-asterisk-test retain +# Files not reverted after the test. Extensions created remain active +# +# sudo ./iiab-asterisk-test revert +# This option exists in case you selected retain earlier, but now like to revert the changes +# This only reverts the changes to the files and restarts asterisk, no other actions are performed +# +# sudo ./iiab-asterisk-test restart +# Restarts asterisk, no other actions are performed +# +# sudo ./iiab-asterisk-test testcall +# Makes a test call from asterisk console to extension 1000 which just responds with some audio +# +# Algo: +# Please run the script as root +# +# 1. First check that asterisk -rx "pjsip show endpoints" returns no extensions as we haven't created any yet +# +# 2. Take a backup of existing files +# * Rename existing pjsip_custom.conf at /etc/asterisk/ to pjsip_custom.freepbx.conf +# * Rename existing extensions_custom.conf at /etc/asterisk/ to extensions_custom.freepbx.conf +# +# 3. Copy files pjsip_custom.conf and extensions_custom.conf provided with this script to /etc/asterisk +# +# 4. Change file permissions to asterisk:asterisk +# +# 5. Run fwconsole restart so that it picks up the new confs +# +# 6. asterisk -rx "pjsip show endpoints" should now show the extensions created +# +# 7. Make a call from asterisk console to the internal extension 1000. This extension is only used to respond +# with an audio message, no need to register this extension. 
+# * Check asterisk logs at /var/log/asterisk/full to see if you can see information about calls to +# extension 1000 or to context iiab-test or check if the any of the playback files are executed +# * If found, test is successful +# +# 8. Once done with the experiment, delete the two newly created files and +# * rename pjsip_custom.freepbx.conf to pjsip_custom.conf and +# * rename extensions_custom.freepbx.conf to extensions_custom.conf +# +# 9. A better test would be to register the extension using your softphone app (using Linphone android app for this example) +# * Register the created extension on a softphone with the help of PBX README (check the credentials in pjsip_custom.conf) +# * Dial '1000' and hear the automated response +# * Or Dial the other extension that you created if you have registered two extensions +# + + +ROOT_UID=0 +E_NOTROOT=67 +AST_DIR=/etc/asterisk +AST_LOG_FILE=/var/log/asterisk/full +PJSIP_CUST_CONF=pjsip_custom.conf +PJSIP_CUST_CONF_BKUP=pjsip_custom.freepbx.conf +EXT_CUST_CONF=extensions_custom.conf +EXT_CUST_CONF_BKUP=extensions_custom.freepbx.conf +SCRIPT_ARG=$1 + +# +# Check if extensions that you created exist +# +function check_if_extensions_exist() { + echo -e "\n${FUNCNAME[0]}(): Checking if test extension exists..." + extn_exists=`asterisk -rx 'pjsip show endpoints'|grep '301'` + if [ -z "$extn_exists" ] + then + echo -e "${FUNCNAME[0]}(): Test extension does not exist" + else + echo -e "${FUNCNAME[0]}(): Test extension exists" + fi +} + +# +# Copy files to AST_DIR for testing +# +function copy_files_for_test() { + echo -e "\n${FUNCNAME[0]}(): Copying files for testing..." 
+ + # Proceed if source files exist in pwd + if [[ -f "${PJSIP_CUST_CONF}" && -f "${EXT_CUST_CONF}" ]] + then + # Rename original files + mv ${AST_DIR}/${PJSIP_CUST_CONF} ${AST_DIR}/${PJSIP_CUST_CONF_BKUP} + mv ${AST_DIR}/${EXT_CUST_CONF} ${AST_DIR}/${EXT_CUST_CONF_BKUP} + + # Copy files supplied with the script to destination and change their owner and permissions + cp ${PJSIP_CUST_CONF} ${EXT_CUST_CONF} ${AST_DIR} + chown asterisk:asterisk ${AST_DIR}/${PJSIP_CUST_CONF} ${AST_DIR}/${EXT_CUST_CONF} + chmod ug=rw,o=r ${AST_DIR}/${PJSIP_CUST_CONF} ${AST_DIR}/${EXT_CUST_CONF} + else + echo -e "\n${FUNCNAME[0]}(): Files ${PJSIP_CUST_CONF} and ${EXT_CUST_CONF} do not exist in pwd. Exiting!!!" + exit 1 + fi +} + +# +# Check if test call was successful +# +function check_call_success() { + echo -e "\n${FUNCNAME[0]}(): Making a test call to extension 1000..." + + # Make a call from asterisk to extension 1000 to receive automated response + asterisk -rx 'console dial 1000@iiab-test' + + # This may not be the best way in case you plan to run the script multiple times + # or if the script is run at the end of the hour, but since this will be run + # as a basic test after first time freepbx install, this should work. + # Feel free to try a better search or add minute check - $(date +"%Y-%m-%d %H:%M") + # if you find that better + test_run=`grep "$(date +'%Y-%m-%d %H')" ${AST_LOG_FILE}|grep "Playing 'goodbye"` + + if [ -z "$test_run" ] + then + echo -e "${FUNCNAME[0]}(): Test call to extension 1000 not successful" + else + echo -e "${FUNCNAME[0]}(): Test call to extension 1000 successful" + fi +} + +# +# Restart asterisk and make sure it's running +# +function restart_asterisk() { + echo -e "\n${FUNCNAME[0]}(): Restarting asterisk..." 
+ + # There should be a better way than a fwconsole restart, but for now this works + # If you haven't installed FreePBX, use systemctl restart asterisk + # It doesn't work so well, so you may have to execute it twice + fwconsole restart + + sleep 5 + + # Occasionally displays 3 or 4 during tests, the old process takes time to exit + no_of_astersisk_procs=`pgrep -c asterisk` + echo -e "${FUNCNAME[0]}(): No of asterisk procs: ${no_of_astersisk_procs}" +} + +# +# Revert file changes +# +function revert_file_changes() { + + # Do this only if extensions_custom.freepbx.conf and pjsip_custom.freepbx.conf exist + if [[ -f "${AST_DIR}/${PJSIP_CUST_CONF_BKUP}" && -f "${AST_DIR}/${EXT_CUST_CONF_BKUP}" ]] + then + echo -e "\n${FUNCNAME[0]}(): Reverting file changes" + rm ${AST_DIR}/${PJSIP_CUST_CONF} ${AST_DIR}/${EXT_CUST_CONF} + mv ${AST_DIR}/${EXT_CUST_CONF_BKUP} ${AST_DIR}/${EXT_CUST_CONF} + mv ${AST_DIR}/${PJSIP_CUST_CONF_BKUP} ${AST_DIR}/${PJSIP_CUST_CONF} + else + echo -e "\n${FUNCNAME[0]}(): Nothing to revert - Files ${PJSIP_CUST_CONF_BKUP} and ${EXT_CUST_CONF_BKUP} do not exist in ${AST_DIR} Exiting!!!" + exit 1 + fi +} + +# +# Revert file changes and restart asterisk +# +function revert_changes_and_restart_asterisk() { + if [ "$SCRIPT_ARG" == "retain" ] + then + echo -e "\n${FUNCNAME[0]}(): User decided to retain changes done during the test..." + else + # Default - revert changes + echo -e "\n${FUNCNAME[0]}(): Reverting file changes done during the test and restarting asterisk to get back to original state..." + + revert_file_changes + restart_asterisk + fi +} + +# +# Script usage +# +function script_usage() { + echo -e "sudo ./iiab-asterisk-test" + echo -e "\tDefault - Reverts file changes done during the test and restarts asterisk" + echo -e "sudo ./iiab-asterisk-test retain" + echo -e "\tFiles not reverted after the test. 
Extensions created remain active" + echo -e "sudo ./iiab-asterisk-test revert" + echo -e "\tIn case you selected retain earlier, but now like to revert the changes" + echo -e "\tThis only reverts the changes to the files and restarts asterisk, no other actions are performed" + echo -e "sudo ./iiab-asterisk-test restart" + echo -e "\tRestarts asterisk, no other actions are performed" + echo -e "sudo ./iiab-asterisk-test testcall" + echo -e "\tMakes a test call to extension 1000" + exit 1 +} + +# +# Main function that runs the script +# +function runscript() { + echo -e "\n--------- Asterisk extension setup script - START --------------" + + check_if_extensions_exist + copy_files_for_test + restart_asterisk + check_if_extensions_exist + + check_call_success + revert_changes_and_restart_asterisk + + echo -e "\n-------- Asterisk extension setup script - COMPLETE -------------" + exit 0 +} + + + +if [ "$UID" -ne "$ROOT_UID" ] +then + echo -e "\nSorry, you must be root to run this script." + exit $E_NOTROOT +fi + + +case "$SCRIPT_ARG" in + retain|"") + runscript + ;; + revert) + revert_changes_and_restart_asterisk + ;; + restart) + restart_asterisk + ;; + testcall) + check_call_success + ;; + *) + script_usage + exit 2 + ;; +esac diff --git a/roles/pbx/templates/odbc.ini.j2 b/roles/pbx/templates/odbc.ini.j2 index 9ed77609a..f13bfde2b 100644 --- a/roles/pbx/templates/odbc.ini.j2 +++ b/roles/pbx/templates/odbc.ini.j2 @@ -1,8 +1,8 @@ [MySQL-asteriskcdrdb] -Description=MySQL connection to 'asteriskcdrdb' database -driver=MySQL -server=localhost -database=asteriskcdrdb -Port=3306 -Socket=/var/run/mysqld/mysqld.sock -option=3 +Description = MySQL connection to 'asteriskcdrdb' database +driver = MySQL +server = localhost +database = {{ asterisk_db_cdrdbname }} +Port = 3306 +Socket = /var/run/mysqld/mysqld.sock +option = 3 diff --git a/roles/pbx/templates/odbcinst.ini b/roles/pbx/templates/odbcinst.ini new file mode 100644 index 000000000..74c6ca0e8 --- /dev/null 
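Review bot: `copy_files_for_test` renames the live `/etc/asterisk/pjsip_custom.conf` and `extensions_custom.conf` to their `.freepbx.conf` backup names unconditionally, so if an earlier run used `retain` (backups already present) a second run overwrites those backups with the test copies and the original FreePBX configuration can no longer be recovered by `revert`. Guard the rename, e.g. `if [[ -e "${AST_DIR}/${PJSIP_CUST_CONF_BKUP}" || -e "${AST_DIR}/${EXT_CUST_CONF_BKUP}" ]]; then echo "Backups already exist - run 'revert' first"; exit 1; fi`, before the two `mv` calls. The same function applies `chmod ug=rw,o=r` to the copied `pjsip_custom.conf`, which carries SIP passwords in clear text; `ug=rw,o=` keeps them readable only by asterisk and its group, and the mode should match whatever FreePBX itself uses for files in `/etc/asterisk`, which the script cannot tell us. The script also runs without `set -e`, so a failed `mv` or `cp` is followed by `fwconsole restart` against a partially modified directory.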
+++ b/roles/pbx/templates/odbcinst.ini
@@ -0,0 +1,4 @@
+[MySQL]
+Description = ODBC for MySQL (MariaDB)
+Driver = /usr/local/lib/mariadb/libmaodbc.so
+FileUsage = 1
diff --git a/roles/pbx/templates/pbx.patch b/roles/pbx/templates/pbx.patch.unused
similarity index 100%
rename from roles/pbx/templates/pbx.patch
rename to roles/pbx/templates/pbx.patch.unused
diff --git a/roles/pbx/templates/pbx2.patch b/roles/pbx/templates/pbx2.patch.unused
similarity index 100%
rename from roles/pbx/templates/pbx2.patch
rename to roles/pbx/templates/pbx2.patch.unused
diff --git a/roles/pbx/templates/pjsip_custom.conf b/roles/pbx/templates/pjsip_custom.conf
new file mode 100644
index 000000000..a5fdee46a
--- /dev/null
+++ b/roles/pbx/templates/pjsip_custom.conf
@@ -0,0 +1,44 @@
+;
+; Added for IIAB's FreePBX test
+; Refer asterisk documentation to for more details - https://wiki.asterisk.org/wiki/display/AST/Creating+SIP+Accounts
+;
+[transport-udp]
+type=transport
+protocol=udp
+bind=0.0.0.0
+
+[301]
+type=endpoint
+context=iiab-test
+disallow=all
+allow=ulaw
+auth=301-auth
+aors=301
+
+[301-auth]
+type=auth
+auth_type=userpass
+username=301
+password=iiabtest
+
+[301]
+type=aor
+max_contacts=1
+
+[302]
+type=endpoint
+context=iiab-test
+disallow=all
+allow=ulaw
+auth=302-auth
+aors=302
+
+[302-auth]
+type=auth
+auth_type=userpass
+username=302
+password=iiabtest
+
+[302]
+type=aor
+max_contacts=1
diff --git a/roles/nginx/templates/ports.conf.j2 b/roles/pbx/templates/ports.conf
similarity index 64%
rename from roles/nginx/templates/ports.conf.j2
rename to roles/pbx/templates/ports.conf
index 5591d27be..724f76be8
--- a/roles/nginx/templates/ports.conf.j2
+++ b/roles/pbx/templates/ports.conf
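Review bot: Both test endpoints use the same fixed, now-published password `iiabtest`, and `[transport-udp]` binds on `0.0.0.0`, so whenever the test script is run with `retain` (or a run is interrupted before its revert step) the PBX is left with two registrable extensions reachable on every interface and protected by a guessable secret — the standard setup for SIP registration brute-forcing and toll fraud. This file is copied verbatim by the test script rather than rendered, so at minimum bind the transport to the PBX's LAN address instead of `0.0.0.0` and put a warning in the header: `; WARNING: throw-away test credentials on all interfaces - revert after testing, never retain on a network-reachable PBX`. Better, generate per-install passwords from the role rather than shipping a constant one.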
@@ -2,7 +2,14 @@ # have to change the VirtualHost statement in # /etc/apache2/sites-enabled/000-default.conf -Listen 127.0.0.1:{{ apache_port }} +# Apache's stock default +#Listen 80 + +# IIAB NGINX proxying to legacy svcs (Dec 2019 - Aug 2021) +#Listen 127.0.0.1:8090 + +# IIAB FreePBX for Asterisk +Listen {{ pbx_http_port }} # # Listen 443 diff --git a/roles/phpmyadmin/tasks/enable-or-disable.yml b/roles/phpmyadmin/tasks/enable-or-disable.yml index 31faa2de3..76dfae4e2 100644 --- a/roles/phpmyadmin/tasks/enable-or-disable.yml +++ b/roles/phpmyadmin/tasks/enable-or-disable.yml @@ -1,9 +1,9 @@ -- name: Enable phpMyAdmin via Apache, if phpmyadmin_enabled - command: a2ensite phpmyadmin.conf - when: phpmyadmin_enabled - #when: apache_installed is defined and phpmyadmin_enabled +# - name: Enable phpMyAdmin via Apache, if phpmyadmin_enabled +# command: a2ensite phpmyadmin.conf +# when: phpmyadmin_enabled +# #when: apache_installed is defined and phpmyadmin_enabled -- name: Disable phpMyAdmin via Apache, if not phpmyadmin_enabled - command: a2dissite phpmyadmin.conf - when: not phpmyadmin_enabled - #when: apache_installed is defined and not phpmyadmin_enabled +# - name: Disable phpMyAdmin via Apache, if not phpmyadmin_enabled +# command: a2dissite phpmyadmin.conf +# when: not phpmyadmin_enabled +# #when: apache_installed is defined and not phpmyadmin_enabled diff --git a/roles/phpmyadmin/tasks/install.yml b/roles/phpmyadmin/tasks/install.yml index 9b8cf357c..75fd05adb 100644 --- a/roles/phpmyadmin/tasks/install.yml +++ b/roles/phpmyadmin/tasks/install.yml 
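Review bot: `Listen {{ pbx_http_port }}` drops the loopback bind that the replaced `Listen 127.0.0.1:{{ apache_port }}` had, so Apache now accepts connections on that port on every interface rather than only from a local front end; the commented-out `#Listen 127.0.0.1:8090` line preserved in the hunk shows that loopback-only was the previous design. If direct LAN access to the FreePBX admin login over plain HTTP is intended, say so in the comment above the directive and make sure nothing else is served by this Apache instance; if nginx is still meant to be the sole entry point, keep the bind, `Listen 127.0.0.1:{{ pbx_http_port }}`. The new nginx snippet elsewhere in this commit talks to php-fpm directly, so which of the two is the supported path is not clear from the hunk.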
@@ -1,17 +1,17 @@ -- name: "Set 'apache_install: True' and 'apache_enabled: True'" - set_fact: - apache_install: True - apache_enabled: True - -- name: APACHE - run 'httpd' role - include_role: - name: httpd +# - name: "Set 'apache_install: True' and 'apache_enabled: True'" +# set_fact: +# apache_install: True +# apache_enabled: True +# +# - name: APACHE - run 'httpd' role +# include_role: +# name: httpd - name: Unarchive {{ phpmyadmin_dl_url }} (7+ MB) to /opt (60+ MB) unarchive: remote_src: yes # Overwrite even if "already exists on the target" - src: "{{ phpmyadmin_dl_url }}" # e.g. https://files.phpmyadmin.net/phpMyAdmin/5.1.0/phpMyAdmin-5.1.0-all-languages.tar.xv + src: "{{ phpmyadmin_dl_url }}" # e.g. https://files.phpmyadmin.net/phpMyAdmin/5.1.1/phpMyAdmin-5.1.1-all-languages.tar.xv dest: /opt owner: "{{ apache_user }}" # www-data on debuntu group: "{{ apache_user }}" @@ -33,11 +33,11 @@ owner: "{{ apache_user }}" group: "{{ apache_user }}" -- name: Install /etc/{{ apache_conf_dir }}/phpmyadmin.conf from template - template: - src: phpmyadmin.j2 - dest: "/etc/{{ apache_conf_dir }}/phpmyadmin.conf" - #when: apache_installed is defined +# - name: Install /etc/{{ apache_conf_dir }}/phpmyadmin.conf from template +# template: +# src: phpmyadmin.j2 +# dest: "/etc/{{ apache_conf_dir }}/phpmyadmin.conf" +# #when: apache_installed is defined # RECORD phpMyAdmin AS INSTALLED diff --git a/roles/phpmyadmin/tasks/main.yml b/roles/phpmyadmin/tasks/main.yml index 5df581694..55339f268 100644 --- a/roles/phpmyadmin/tasks/main.yml +++ b/roles/phpmyadmin/tasks/main.yml 
@@ -19,12 +19,13 @@ quiet: yes -- name: Install phpMyAdmin if 'phpmyadmin_installed' not defined, e.g. in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml +- name: "INCOMPLETE WITHOUT APACHE AS OF 2021-07-06: Install phpMyAdmin if 'phpmyadmin_installed' not defined, e.g. in {{ iiab_state_file }}" # /etc/iiab/iiab_state.yml include_tasks: install.yml when: phpmyadmin_installed is undefined -- include_tasks: enable-or-disable.yml +- name: INCOMPLETE WITHOUT APACHE AS OF 2021-07-06 + include_tasks: enable-or-disable.yml - name: Add 'phpmyadmin' variable values to {{ iiab_ini_file }} diff --git a/roles/phpmyadmin/templates/phpmyadmin.j2 b/roles/phpmyadmin/templates/phpmyadmin.j2.unused similarity index 100% rename from roles/phpmyadmin/templates/phpmyadmin.j2 rename to roles/phpmyadmin/templates/phpmyadmin.j2.unused diff --git a/roles/postgresql/tasks/install.yml b/roles/postgresql/tasks/install.yml index fc78589af..3fa1a95d0 100644 --- a/roles/postgresql/tasks/install.yml +++ b/roles/postgresql/tasks/install.yml @@ -1,21 +1,12 @@ -- name: Install 'postgresql' package +- name: 'Install packages: postgresql, postgresql-client' package: - name: postgresql + name: + - postgresql + - postgresql-client + - python3-psycopg2 # For Ansible modules {postgresql_db, postgresql_user} in Ansible collection community.postgresql -- used in moodle/tasks/install.yml state: present -- name: Install 'postgresql-client' package (debuntu) - package: - name: postgresql-client - state: present - when: is_debuntu - -- name: Install 'postgresql-server' package (OS's other than debuntu) - package: - name: postgresql-server - state: present - when: not is_debuntu - -- name: Install /etc/systemd/system/postgresql-iiab.service from template +- name: Install /etc/systemd/system/postgresql-iiab.service from template (0644 by default) template: src: postgresql-iiab.service dest: /etc/systemd/system/postgresql-iiab.service 
@@ -23,50 +14,47 @@ # group: root # mode: '0644' -- name: Create PostgreSQL data dir /library/pgsql-iiab, owned by postgres:postgres +- name: Create PostgreSQL data dir /library/pgsql-iiab, owned by postgres:postgres (0700) file: + state: directory path: /library/pgsql-iiab owner: postgres group: postgres - mode: '0700' - state: directory + mode: 0700 -- name: Make sure locale {{ postgresql_locale }} is enabled (debuntu) # en_US.UTF-8 +- name: Make sure locale {{ postgresql_locale }} is enabled # en_US.UTF-8 lineinfile: dest: /etc/locale.gen line: "{{ postgresql_locale }} UTF-8" - when: is_debuntu -- name: Generate locales (debuntu) +- name: Generate locales command: /usr/sbin/locale-gen - when: is_debuntu -- name: Initialize the PostgreSQL db, creating /library/pgsql-iiab/pg_hba.conf (debuntu) +- name: Initialize the PostgreSQL db, creating /library/pgsql-iiab/pg_hba.conf #command: su - postgres -c "/usr/lib/postgresql/{{ postgresql_version }}/bin/initdb -E 'UTF-8' --locale={{ postgresql_locale }} -D /library/pgsql-iiab" command: /usr/lib/postgresql/{{ postgresql_version }}/bin/initdb -E 'UTF-8' --locale={{ postgresql_locale }} -D /library/pgsql-iiab args: creates: /library/pgsql-iiab/pg_hba.conf become: yes become_user: postgres - when: is_debuntu -- name: Initialize the PostgreSQL db, creating /library/pgsql-iiab/pg_hba.conf (OS's other than debuntu) - #command: su - postgres -c "/usr/bin/initdb -E 'UTF-8' --lc-collate={{ postgresql_locale }} --lc-ctype={{ postgresql_locale }} -D /library/pgsql-iiab" - command: /usr/bin/initdb -E 'UTF-8' --lc-collate={{ postgresql_locale }} --lc-ctype={{ postgresql_locale }} -D /library/pgsql-iiab - args: - creates: /library/pgsql-iiab/pg_hba.conf - become: yes - become_user: postgres - when: not is_debuntu +# - name: Initialize the PostgreSQL db, creating /library/pgsql-iiab/pg_hba.conf (OS's other than debuntu) +# #command: su - postgres -c "/usr/bin/initdb -E 'UTF-8' --lc-collate={{ postgresql_locale }} --lc-ctype={{ 
postgresql_locale }} -D /library/pgsql-iiab" +# command: /usr/bin/initdb -E 'UTF-8' --lc-collate={{ postgresql_locale }} --lc-ctype={{ postgresql_locale }} -D /library/pgsql-iiab +# args: +# creates: /library/pgsql-iiab/pg_hba.conf +# become: yes +# become_user: postgres +# when: not is_debuntu -- name: Install /library/pgsql-iiab/postgresql.conf owned by postgres:postgres, from template +- name: Install /library/pgsql-iiab/postgresql.conf from template (postgres:postgres, 0640) template: backup: yes src: postgresql.conf.j2 dest: /library/pgsql-iiab/postgresql.conf owner: postgres group: postgres - mode: '0640' + mode: 0640 - name: Disable & Stop stock 'postgresql' (parent) systemd service systemd: diff --git a/roles/usb_lib/tasks/apache.yml b/roles/usb_lib/tasks/apache.yml.unused similarity index 100% rename from roles/usb_lib/tasks/apache.yml rename to roles/usb_lib/tasks/apache.yml.unused diff --git a/roles/usb_lib/tasks/install.yml b/roles/usb_lib/tasks/install.yml index 3304a0f16..c34042781 100644 --- a/roles/usb_lib/tasks/install.yml +++ b/roles/usb_lib/tasks/install.yml 
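Review bot: The hunk turns the quoted `'0700'` and `'0640'` modes into bare `0700` and `0640`; a YAML 1.1 parser reads a leading-zero integer as octal so this still produces the right bits today, but it depends on the loader (YAML 1.2 semantics read `0700` as decimal 700, i.e. a nonsense mode) and on nobody later dropping the leading zero, which is why Ansible's own documentation and yamllint's `octal-values` rule ask for the quoted form. Restore `mode: '0700'` on the data-dir task and `mode: '0640'` on the postgresql.conf template, or use symbolic modes such as `u=rwx,g=,o=`, and keep the permission in the task name as the hunk already does so the intent is visible in the play output.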
@@ -47,22 +47,22 @@ state: present when: is_ubuntu -- name: Add dir {{ doc_root }}/local_content, where USB drive links can appear +- name: Add dir {{ doc_root }}/local_content, where USB drive links can appear (0775) file: state: directory path: "{{ doc_root }}/local_content" owner: "{{ apache_user }}" group: "{{ apache_user }}" # 2020-02-13: changed from iiab_admin_user, after discussion on weekly call (#1228, #2222) - mode: '0775' + mode: 0775 -- name: 'Install from template: /etc/udev/rules.d/usbmount.rules, /etc/systemd/system/usbmount@.service, /usr/bin/iiab-usb_lib-show-all-on, /usr/bin/iiab-usb_lib-show-all-off' +- name: 'Install from template: /etc/udev/rules.d/usbmount.rules, /etc/systemd/system/usbmount@.service, /usr/bin/iiab-usb_lib-show-all-on, /usr/bin/iiab-usb_lib-show-all-off, /usr/sbin/iiab-clean-usb.sh' template: src: "{{ item.src }}" dest: "{{ item.dest }}" mode: "{{ item.mode }}" with_items: - - { src: 'usbmount@.service.j2', dest: '/etc/systemd/system/usbmount@.service', mode: '0644' } - { src: 'usbmount.rules.j2', dest: '/etc/udev/rules.d/usbmount.rules', mode: '0644' } + - { src: 'usbmount@.service.j2', dest: '/etc/systemd/system/usbmount@.service', mode: '0644' } - { src: 'iiab-usb_lib-show-all-on', dest: '/usr/bin/', mode: '0755' } - { src: 'iiab-usb_lib-show-all-off', dest: '/usr/bin/', mode: '0755' } - { src: 'iiab-clean-usb.sh', dest: '/usr/sbin/', mode: '0755' } @@ -81,13 +81,6 @@ path: /etc/usbmount/mount.d/00_create_model_symlink state: absent -# 2021-03-25: Consider removing this stanza & all of this role's Apache logic! -- name: Install /etc/{{ apache_conf_dir }}/content_dir.conf from template - template: - src: content_dir.conf - dest: "/etc/{{ apache_conf_dir }}" # apache2/sites-available on debuntu - when: apache_installed is defined - # RECORD 'USB_LIB' AS INSTALLED diff --git a/roles/usb_lib/tasks/main.yml b/roles/usb_lib/tasks/main.yml index 75cd8e4e7..7836f2d3a 100644 --- a/roles/usb_lib/tasks/main.yml 
+++ b/roles/usb_lib/tasks/main.yml @@ -56,13 +56,9 @@ when: not usb_lib_umask0000_for_kolibri -- name: Enable/Disable/Restart Apache if primary - include_tasks: apache.yml - when: not nginx_enabled - -- name: Enable/Disable/Restart NGINX if primary +- name: Enable/Disable/Restart NGINX include_tasks: nginx.yml - when: nginx_enabled + # 2021-04-29: Clean up here to catch the already installed users, remove for the next release (PR #2760) - name: Remove /etc/usbmount/mount.d/00_create_model_symlink diff --git a/roles/www_options/tasks/main.yml b/roles/www_options/tasks/main.yml index 99889b480..b2c1afbc5 100644 --- a/roles/www_options/tasks/main.yml +++ b/roles/www_options/tasks/main.yml 
@@ -85,18 +85,18 @@ - { regexp: '^max_input_vars', line: 'max_input_vars = 1000 ; default is 1000 / Moodle 3.11+ requires 5000+ with PHP 8+' } when: not nginx_high_php_limits and not moodle_install # REMINDER: THIS ENTIRE 5-STANZA BLOCK IS ONLY INVOKED... when: moodle_install or nextcloud_install or pbx_install or wordpress_install + # WARNING: This might cause excess use of RAM/disk or other resources! + # The first 5 values below were chosen by @ericnitschke and @kananigit on + # 2018-09-19: https://github.com/iiab/iiab/issues/1147 + # 2020-03-08: IIAB DOES NOT SUPPORT UNINSTALLING APPS, so additional # clauses (to reset/restore PHP's defaults) are not necessary at this time. # 2021-06-28: WITH PHP 8, MOODLE'S CLI INSTALLER UNFORTUNATELY *REQUIRES* - # editing /etc/php/{{ php_version }}/cli/php.ini (below) -- even though during - # regular operation it instead uses .../apache2/php.ini or .../fpm/php.ini - # - # SEE ALSO roles/moodle/tasks/install.yml WHERE SIMILAR SURGERY'S DONE TO - # /etc/php/{{ php_version }}/apache2/php.ini UNTIL MOODLE'S PORTED TO NGINX! + # editing /etc/php/{{ php_version }}/cli/php.ini (below) -- though during + # regular operation it uses: .../fpm/php.ini + # And in the past it used: .../apache2/php.ini - # WARNING: This might cause excess use of RAM/disk or other resources! - # The 5 first values below were chosen by @ericnitschke and @kananigit in ~2018. - name: "Enact 'nginx_high_php_limits: True' in /etc/php/{{ php_version }}/fpm/php.ini for schools that use WordPress/Moodle/Nextcloud/PBX intensively (allow photos/docs up to 500MB, 300s timeouts, memory_limit = 512M for Nextcloud, max_input_vars = 5000 for Moodle)" lineinfile: path: /etc/php/{{ php_version }}/fpm/php.ini # COMPARE /etc/php/{{ php_version }}/cli/php.ini AND /etc/php/{{ php_version }}/apache2/php.ini diff --git a/scripts/ansible b/scripts/ansible index b76c888ed..11186b51f 100755 --- a/scripts/ansible +++ b/scripts/ansible 
@@ -4,12 +4,11 @@ # https://stackoverflow.com/questions/9952177/whats-the-meaning-of-the-parameter-e-for-bash-shell-command-line/9952249 # PLZ SEE http://FAQ.IIAB.IO > "What is Ansible and what version should I use?" -# https://github.com/iiab/iiab/tree/master/scripts/ansible.md # https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible APT_PATH=/usr/bin # Avoids problematic /usr/local/bin/apt on Linux Mint CURR_VER=undefined # Ansible version you currently have installed -GOOD_VER=2.11.3 # Orig for 'yum install [rpm]' & XO laptops (pip install) +GOOD_VER=2.11.4 # Orig for 'yum install [rpm]' & XO laptops (pip install) # 2021-06-22: The apt approach (with PPA source in /etc/apt/sources.list.d/ and # .gpg key etc) are commented out with ### below. Associated guidance/comments @@ -59,13 +58,13 @@ GOOD_VER=2.11.3 # Orig for 'yum install [rpm]' & XO laptops (pip install) #pip3 install --upgrade ansible-core # Then start a new shell, so /usr/local/bin works #ansible-galaxy collection install -r collections.yml -# TEMPORARILY USE ansible-base 2.10.12 (REMOVE W/ "pip3 uninstall ansible-base") +# TEMPORARILY USE ansible-base 2.10.13 (REMOVE W/ "pip3 uninstall ansible-base") #apt install python3-pip -#pip3 install ansible-base==2.10.12 # Start new shell, so /usr/local/bin works +#pip3 install ansible-base==2.10.13 # Start new shell, so /usr/local/bin works -# TEMPORARILY USE ANSIBLE 2.9.24 (REMOVE IT WITH "pip3 uninstall ansible") +# TEMPORARILY USE ANSIBLE 2.9.25 (REMOVE IT WITH "pip3 uninstall ansible") #apt install python3-pip -#pip3 install ansible==2.9.24 +#pip3 install ansible==2.9.25 # TEMPORARILY USE ANSIBLE 2.4.2 DUE TO 2.4.3 MEMORY BUG. Details: iiab/iiab#669 #echo "Install http://download.iiab.io/packages/ansible_2.4.2.0-1ppa~xenial_all.deb" 
@@ -149,13 +148,24 @@ fi ###echo -e 'ENSURE ANSIBLE UPDATES CLEANLY: (then re-run this script to be sure!)\n' ###grep '^deb .*ansible' /etc/apt/sources.list /etc/apt/sources.list.d/*.list | grep -v '^/etc/apt/sources.list.d/iiab-ansible.list:' || true # Override bash -e (instead of aborting at 1st error) -echo -e "\napt update; apt install of python3-* / virtualenv packages explained at:" -echo -e "https://github.com/iiab/iiab/blob/master/scripts/ansible.md\n" +echo -e "\napt update; apt install python3-pip # Also installs 'python3-setuptools' and 'python3' etc" +#echo -e "https://github.com/iiab/iiab/blob/master/scripts/ansible.md\n" $APT_PATH/apt update +$APT_PATH/apt -y install python3-pip + +# 2021-07-29: +# 'python3-packaging' dropped for now +# 'python3-pymysql' (drags in 'python3' which drags in 'python3-venv' on Debian 11 but not on Ubuntu 20.04) -- moved to roles/mysql/tasks/install.yml +# 'python3-psycopg2' moved to roles/postgresql/tasks/install.yml +# 'python3-passlib' moved to roles/munin/tasks/install.yml +# 'python3-venv' moved to roles/2-common/tasks/packages.yml +# 'virtualenv' for Python 2 moved to roles/kalite/tasks/install.yml +# +#$APT_PATH/apt -y install \ +# python3-pymysql python3-psycopg2 python3-passlib python3-pip \ +# python3-setuptools python3-packaging python3-venv virtualenv + #$APT_PATH/apt -y --allow-downgrades install ansible-core \ -$APT_PATH/apt -y install \ - python3-pymysql python3-psycopg2 python3-passlib python3-pip \ - python3-setuptools python3-packaging python3-venv virtualenv echo -e "\n\n'pip3 install --upgrade ansible-core' will now run:\n" pip3 install --upgrade ansible-core diff --git a/scripts/ansible.md b/scripts/ansible.md.unused similarity index 100% rename from scripts/ansible.md rename to scripts/ansible.md.unused diff --git a/scripts/iiab-diagnostics b/scripts/iiab-diagnostics index 35b4965b2..3e8edfcd5 100755 --- a/scripts/iiab-diagnostics +++ b/scripts/iiab-diagnostics 
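Review bot: The new `$APT_PATH/apt -y install python3-pip` line leads straight into `pip3 install --upgrade ansible-core` (context, two lines below), which remains unpinned and runs as root, so the version actually installed is whatever PyPI serves at run time rather than the `GOOD_VER=2.11.4` the earlier hunk bumps. If GOOD_VER is the intended target (its other uses are outside this hunk), `pip3 install --upgrade ansible-core==$GOOD_VER` would make reruns reproducible and keep any comparison against CURR_VER from drifting; if the unpinned upgrade is deliberate, a comment on the `echo -e` line saying so would save the next reader the same question. The commented-out list explaining where each removed python3-* package moved is helpful and worth keeping.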
@@ -19,7 +19,7 @@ echo -e " sudo iiab-diagnostics PATH/FILE1 PATH/FILE2 ... # COMPLETE RESU echo echo -ne "Can you provide a \e[1mshort public nickname:\e[0m (no spaces!) " read nickname < /dev/tty -if [ -z "$nickname" ]; then +if [ "$nickname" = "" ]; then nickname="NONAME" fi @@ -87,9 +87,13 @@ function cat_cmd() { # $1 = command + params, $2 = explan echo "=IIAB==========================================================================" >> $outfile cmd=$(echo "$1" | sed 's/\s.*$//') # Keep command on left; Drop params on right pth=$(which $cmd | sed 's/[^/]*$//') # Keep only path on left; Drop command on right - echo "COMMAND: $pth$1 # $2" >> $outfile + if [ "$2" = "" ]; then + echo "COMMAND: $pth$1" >> $outfile + else + echo "COMMAND: $pth$1 # $2" >> $outfile + fi echo >> $outfile - if [ -z "$pth" ]; then + if [ "$pth" = "" ]; then echo "COMMAND NOT FOUND: $1" >> $outfile else $(echo "eval $1") >> $outfile # eval is nec within backticks, so | (pipes) work: https://stackoverflow.com/a/7184782 @@ -131,6 +135,9 @@ fi echo >> $outfile cat_file /etc/issue.net cat_file /etc/debian_version +cat_cmd 'dpkg --print-architecture' 'RaspiOS-on-PC shows: i386' +cat_cmd 'dpkg --print-foreign-architectures' 'RaspiOS-on-PC shows: amd64' +cat_cmd 'grep "^openvpn_" /etc/iiab/local_vars.yml' echo -e '\n\n 1. Files Specially Requested: (from "iiab-diagnostics PATH/FILE1 PATH/FILE2")\n' echo -e '\n\n\n\n1. FILES SPECIALLY REQUESTED (FROM "iiab-diagnostics PATH/FILE1 PATH/FILE2")\n' >> $outfile @@ -149,7 +156,6 @@ echo -e "\n\n\n\n2. REGULAR FILES\n" >> $outfile #cat_file /opt/iiab/iiab # Directory test #cat_file /tmp/empty-file # Empty file test #cat_file /usr/bin/iiab-support-on # Symlink test -cat_file /etc/iiab/openvpn_handle cat_file /.iiab-image cat_file /etc/iiab/iiab.env cat_file /etc/iiab/iiab.ini diff --git a/scripts/iiab-diagnostics.README.md b/scripts/iiab-diagnostics.README.md index 00ae4ddc7..70c627429 100644 --- a/scripts/iiab-diagnostics.README.md 
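Review bot: `cat_cmd 'grep "^openvpn_" /etc/iiab/local_vars.yml'` copies every line of local_vars.yml beginning with `openvpn_` into the diagnostics report, and the README changed in this same commit describes that report as auto-uploaded with pastebinit. The removed `cat_file /etc/iiab/openvpn_handle` exposed only the handle, whereas the grep also captures any site-specific `openvpn_*` value an operator may have added to local_vars.yml (I cannot see that file, so treat this as a caution); consider narrowing to the keys the report needs, e.g. `grep -E "^openvpn_(install|enabled)" /etc/iiab/local_vars.yml` extended with whichever other openvpn_ keys troubleshooting requires. In the `cat_cmd` hunk the new `if [ "$2" = "" ]` branch is fine; that function opens and closes outside the hunk.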
+++ b/scripts/iiab-diagnostics.README.md @@ -8,7 +8,7 @@ The ``pastebinit`` command can then be used to auto-upload this file, creating a But first off, the file is compiled by harvesting 1 + 6 kinds of things: -0. Filename Header + Git Hashes + Raspberry Pi Model + OS +0. Filename Header + Git Hashes + Raspberry Pi Model + OS + CPU Architecture(s) 1. Files specially requested (if you run ``sudo iiab-diagnostics PATH/FILE1 PATH/FILE2``) @@ -62,4 +62,4 @@ But first off, the file is compiled by harvesting 1 + 6 kinds of things: ## Source Code -Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 106-222 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible. +Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 110-228 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible. diff --git a/scripts/local_facts.fact b/scripts/local_facts.fact index ae58c28c9..e31078caf 100755 --- a/scripts/local_facts.fact +++ b/scripts/local_facts.fact @@ -1,6 +1,9 @@ #!/bin/bash -# 2020-10-27: Most of the 11 variables require a command[*] to be run to +# Higher-level purpose explained at the bottom of: +# https://github.com/iiab/iiab/blob/master/vars/default_vars.yml + +# 2020-10-27: Most of the 10 variables require a command[*] to be run to # establish the var's value. WE DISPLAY ALL ERRORS / DIAGNOSTICS AND CONTINUE. # # [*] DOESN'T MATTER WHAT COMMAND: so long as it fails with Return Code != 0 @@ -11,7 +14,7 @@ OS="none" VERSION_ID="none" # This var's combined with the above, before being output IIAB_BRANCH="none" IIAB_COMMIT="none" -XO_MODEL="none" +#XO_MODEL="none" RPI_MODEL="none" ANSIBLE_VERSION="none" DHCPCD="none" # The last 3 conditioned on string output not RC. SEE BELOW. 
@@ -49,6 +52,7 @@ OS_VER=$OS-$VERSION_ID #"fedora-22" | \ #"debian-8" | \ #"debian-9" | \ + #"debian-10" | \ #"ubuntu-16" | \ #"ubuntu-17" | \ #"ubuntu-18" | \ @@ -57,23 +61,23 @@ OS_VER=$OS-$VERSION_ID #"raspbian-8" | \ #"raspbian-9" | \ -# 2020-10-21: Debian 11 (Bullseye) not yet supported but adding this line to -# its /etc/os-release can help testing this unreleased OS: VERSION_ID="11" - # 2021-06-19: Ubuntu 21.10 (Impish Indri) not yet supported but this # unreleased OS can help testing. For now this means MANUALLY changing # php_version: 7.4 to 8.0 in /opt/iiab/iiab/vars/ubuntu-21.yml +# 2020-07-31: Debian 12 (Bookworm) not yet supported but adding this line +# to its /etc/os-release can help testing this upcoming OS: VERSION_ID="12" + case $OS_VER in - "debian-10" | \ "debian-11" | \ + "debian-12" | \ "ubuntu-20" | \ "ubuntu-21" | \ "linuxmint-20" | \ "raspbian-10" | \ "raspbian-11") ;; - *) OS_VER="OS_not_supported" + *) OS_VER="OS Not Supported -- Plz Read: https://github.com/iiab/iiab/wiki/IIAB-Platforms" ;; esac @@ -84,8 +88,8 @@ tmp=$(git rev-parse --abbrev-ref HEAD) && tmp=$(git rev-parse --verify HEAD) && IIAB_COMMIT=$tmp -tmp=$(cat /proc/device-tree/mfg-data/MN) && - XO_MODEL=$tmp +#tmp=$(cat /proc/device-tree/mfg-data/MN) && +# XO_MODEL=$tmp tmp=$(cat /proc/device-tree/model) && RPI_MODEL=$tmp @@ -125,9 +129,10 @@ cat < /etc/ld.so.conf.d/99-iiab.conf +/usr/local/lib/mariadb/ +EOF + +ldconfig diff --git a/test.yml b/test.yml index be808dc92..ac372d43a 100644 --- a/test.yml +++ b/test.yml @@ -21,6 +21,7 @@ - debug: msg: "{{ 'changeme' | password_hash('sha512') }}" + # msg: "{{ 'changeme' | password_hash('yescrypt') }}" # crypt.crypt STILL doesn't support 'yescrypt' algorithm ? #- pause: 
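Review bot: The fallback `OS_VER="OS Not Supported -- Plz Read: https://github.com/iiab/iiab/wiki/IIAB-Platforms"` turns a machine-readable sentinel into a sentence containing spaces, a colon and slashes, and this script's output is consumed as an Ansible local fact (the header comment points to vars/default_vars.yml for how the variables are used). Any consumer that compares against the old `OS_not_supported` value, or builds a `vars/<OS_VER>.yml` path from it, will now behave differently — those consumers are not visible here, so please check them. A safer shape keeps the sentinel and sends the human text to diagnostics, in line with the header's "display all errors and continue" convention: `*) OS_VER="OS_not_supported"; echo "OS Not Supported -- Plz Read: https://github.com/iiab/iiab/wiki/IIAB-Platforms" >&2`. The `case` statement is fully inside the hunk.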
@@ -32,4 +33,26 @@ debug: msg: "'\"'" # FAILS: "'""'" + - name: a shows "VARIABLE IS NOT DEFINED!" -- whereas b (w/o whitespace) AND c (with space) AND d (with tab) show null (without quotes!) -- whereas d (singlequotes) and e (doublequotes) show "" empty string + set_fact: + #a: + b: + c: # Space + d: # Tab + e: '' + f: "" + + - debug: + var: a + - debug: + var: b + - debug: + var: c + - debug: + var: d + - debug: + var: e + - debug: + var: f + # TEST ANSIBLE COMMANDS/MODULES HERE! diff --git a/tests/test.yml b/tests/test.yml index b429180f7..b604fbc11 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -14,6 +14,7 @@ - { role: 9-local-addons } #- { role: activity-server #- { role: ajenti } + - { role: all-vars } #- { role: authserver } - { role: awstats } - { role: azuracast } @@ -28,11 +29,11 @@ #- { role: dokuwiki } #- { role: ejabberd } #- { role: ejabberd_xs } - - { role: elgg } + #- { role: elgg } - { role: firmware } - { role: gitea } #- { role: homepage } - - { role: httpd } + #- { role: httpd } #- { role: idmgr } - { role: iiab-admin } - { role: internetarchive } @@ -80,9 +81,10 @@ - { role: yarn } #- { roles: xovis } -# Let's try to keep these 9 aligned: +# Let's try to keep these 10 aligned: # # http://FAQ.IIAB.IO > "What services (IIAB apps) are suggested during installation?" +# https://github.com/iiab/iiab/blob/master/vars/local_vars_unittest.yml # https://github.com/iiab/iiab/blob/master/vars/local_vars_min.yml # https://github.com/iiab/iiab/blob/master/vars/local_vars_medium.yml # https://github.com/iiab/iiab/blob/master/vars/local_vars_big.yml diff --git a/unmaintained-roles.txt b/unmaintained-roles.txt index bb6253dd3..c30178fbc 100644 --- a/unmaintained-roles.txt +++ b/unmaintained-roles.txt @@ -6,7 +6,9 @@ docker dokuwiki ejabberd ejabberd_xs +elgg homepage +httpd httpd-enable idmgr moodle-1.9 diff --git a/vars/debian-12.yml b/vars/debian-12.yml new file mode 100644 index 000000000..4ac59c25d --- /dev/null +++ b/vars/debian-12.yml 
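Review bot: The task name says `d (singlequotes) and e (doublequotes) show ""`, but the mapping defines `e: ''` and `f: ""`, and `d:` is the tab-suffixed null case, so the description names the wrong keys for the six debug outputs that follow. Suggest `-- whereas e (singlequotes) and f (doublequotes) show "" empty string` so each `debug: var:` can be matched back to the note. Also `c: # Space` and `d: # Tab` depend on trailing whitespace that editors and formatters routinely strip; a comment stating that the whitespace is intentional test input would prevent an accidental clean-up from silently changing what the test exercises.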
@@ -0,0 +1,29 @@ +# Every is_ var is initially set to 'False' at the bottom of +# /opt/iiab/iiab/vars/default_vars.yml -- these 'True' lines override that: +is_debuntu: True +is_debian: True # Opposite of is_ubuntu for now +is_debian_12: True + +# 2019-01-31: These apply if-only-if named_install and/or dhcpd_install are True +# (This is quite rare now that vars/default_vars.yml sets dnsmasq_install: True) +dns_service: bind9 +dhcp_service: isc-dhcp-server +dns_user: bind + +proxy: squid +proxy_user: proxy +apache_service: apache2 +apache_conf_dir: apache2/sites-available +apache_user: www-data +apache_log_dir: /var/log/apache2 +smb_service: smbd +nmb_service: nmbd +systemctl_program: /bin/systemctl +mysql_service: mariadb +apache_log: /var/log/apache2/access.log +sshd_package: openssh-server +sshd_service: ssh +php_version: 8.0 +postgresql_version: 13 +systemd_location: /lib/systemd/system +python_ver: 3.9 diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 3fcc88be7..e07d7bb46 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml @@ -43,12 +43,8 @@ py3_dist_path: /usr/lib/python3/dist-packages # Ansible's default timeout for "get_url:" downloads (10 seconds) often fails download_timeout: 200 -# Languages (for Apache) -default_language: en -language_priority: en es fr - -# Real-time clock: set RTC chip family here. Future auto-detection plausible? -# rtc_id: ds3231 +# Real-time clock: RTC chip family. Future auto-detection plausible? +rtc_id: none # Or ds3231 ? Used in 1-prep/tasks/raspberry_pi.yml # Please read more about the 'iiab-admin' Linux user, for login to IIAB's # Admin Console (http://box.lan/admin) AND to help you at the command-line: 
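Review bot: `php_version: 8.0`, `postgresql_version: 13` and `python_ver: 3.9` in the new vars/debian-12.yml are unquoted and load as numbers; `8.0` and `3.9` happen to round-trip to the same text, but the pattern breaks silently the first time a value has a trailing zero (`3.10` becomes `3.1`), and these values are spliced into paths such as `/etc/php/{{ php_version }}/fpm/php.ini` elsewhere in this diff. Since this is a fresh file, quoting them — `php_version: "8.0"`, `python_ver: "3.9"` — costs nothing and renders identically in Jinja; if the sibling vars/*.yml files keep the unquoted convention (not visible here), a one-line comment warning about the trap is the minimum. `is_debian_12: True` here matches the `is_debian_12: False` default added in the later vars/default_vars.yml hunk, so the new platform is consistently wired.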
@@ -70,13 +66,17 @@ admin_console_group: iiab-admin # This group & sudo log in to Admin Console. # Obtain a password hash - OLD WAY: # python -c 'import crypt; print crypt.crypt("", "$6$<salt>")' -# Time Zone (php needs timezone to be set) +# Time Zone (php used to need timezone set). SEE: roles/0-init/tasks/tz.yml local_tz: "{{ ansible_date_time.tz }}" # Set these to False if you do not want to install/enable IIAB Admin Console admin_console_install: True admin_console_enabled: True # +# Homepage: set to /home or /wordpress or /wiki (for MediaWiki) +iiab_home_url: /home +# You might also want to set captiveportal_splash_page (below!) +# # Set to "False" if you do not want to use the latest js-menus, either because # you use WordPress or another home page, or if you prefer the older # https://github.com/iiab/iiab-menu (no longer maintained) @@ -99,10 +99,6 @@ iiab_domain: lan lan_ip: 172.18.96.1 lan_netmask: 255.255.224.0 -# Homepage: set to /home or /wordpress or /wiki (for MediaWiki) -iiab_home_url: /home -# You might also want to set captiveportal_splash_page (below!) - # Internal Wi-Fi Access Point # Values are used if there is an internal Wi-Fi adapter and hostapd is enabled. # 
@@ -124,15 +120,34 @@ wifi_hotspot_capacity_rpi_fix: True # Restores the ability of RPi internal # https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472. wifi_up_down: True # Creates a 2nd virtual WiFi adapter for upstream WiFi # (e.g. to Internet) in addition to downstream WiFi (e.g. classroom hotspot). -# You can set iiab_gateway_enabled below, to enable "passthrough" to Internet. + +# Set True if client machines should have "passthrough" access to WAN/Internet: +iiab_gateway_enabled: False # Gateway mode iiab_lan_enabled: True iiab_wan_enabled: True -# Ties in what the user populated in the GUI for static WAN IP address info: -gui_wan: True -adm_cons_force_ssl: False -adm_cons_allow_downloads: False + +# Intended for developers: ONLY CHANGE THESE IF YOU KNOW WHAT YOU ARE DOING +# The following 2 override the detection when not "auto" +user_wan_iface: auto +user_lan_iface: auto + +# See "How do I set a static IP address?" for Ethernet, in http://FAQ.IIAB.IO +wan_ip: dhcp # wan_ip: 192.168.1.99 +wan_netmask: # wan_netmask: 255.255.255.0 +wan_gateway: # wan_gateway: 192.168.1.254 +# If nec wan_nameserver can override ISP-provided DNS servers via dnsmasq: +# /etc/resolv.conf dictates which backend is used for the machine itself, so +# 127.0.0.1 means you get dnsmasq (so it works right away on RaspiOS) while +# 127.0.0.53 gives you systemd-networkd (so Ubuntu itself does NOT use this +# dnsmasq-specified upstream DNS [e.g. wan_nameserver] but its LAN clients do!) +wan_nameserver: # wan_nameserver: 192.168.1.254 or 8.8.8.8 or 1.1.1.1 +wan_try_dhcp_before_static_ip: True # Facilitate field updates w/ cablemodems +# Details @ roles/network/templates/network/dhcpcd.conf.j2 for /etc/dhcpcd.conf + +gui_port: 80 # 2021-08-17: For iptables. And #2811 dreams of HTTPS/443 ? +# adm_cons_force_ssl: False # Likewise: iiab-admin.yml & js-menu.yml set it. 
# Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite # (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server. 
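Review bot: `wan_netmask:`, `wan_gateway:` and `wan_nameserver:` arrive in this block as bare keys, which the YAML loader turns into null rather than an empty string; they were defined the same way in the block this hunk moves them out of, so behaviour is unchanged today, but a relocation is a cheap moment to make the intent explicit with `wan_netmask: ""` (or `null`) so readers and linters do not have to guess. `gui_port: 80 # 2021-08-17: For iptables.` is a new variable documented only by that fragment; naming the template that reads it (the gateway iptables generator referenced further down in this file) would help the next maintainer. The `adm_cons_force_ssl` and `adm_cons_allow_downloads` defaults are removed and only mentioned in a comment; if any role still references them it will now see an undefined variable, which I cannot verify from here.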
@@ -149,63 +164,26 @@ ports_externally_visible: 3 # ssh + http-or-https + common IIAB services # /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables # And then run: cd /opt/iiab/iiab; ./iiab-network -# Set True if client machines should have "passthrough" access to WAN/Internet: -iiab_gateway_enabled: False -gw_squid_whitelist: False -gw_block_https: False +# dnsmasq - handles DHCP and DNS +dnsmasq_install: True +dnsmasq_enabled: True +# UNMAINTAINED as of July 2021 dhcpd_install: False dhcpd_enabled: False +# UNMAINTAINED as of July 2021 # named (BIND) named_install: False named_enabled: False block_DNS: False -# dnsmasq - handles DHCP and DNS -dnsmasq_install: True -dnsmasq_enabled: True - # Enable in local_vars.yml AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network" dns_jail_enabled: False -# Python-based Captive Portal, that @m-anish & @jvonau experimented with in -# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt -# extensively later refined (PRs #1179, #1300, #1327, #2070). -captiveportal_install: True -captiveportal_enabled: False -captiveportal_port: 9090 -captiveportal_splash_page: / -# You might also want to set iiab_home_url (above!) -# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO - -# Bluetooth PAN access to IIAB server -bluetooth_install: True -bluetooth_enabled: False -bluetooth_term_enabled: False - # UNMAINTAINED as of October 2017: https://github.com/iiab/iiab/pull/382 -wondershaper_install: False -wondershaper_enabled: False - -# Intended for developers: ONLY CHANGE THESE IF YOU KNOW WHAT YOU ARE DOING -# The following 2 override the detection when not "auto" -user_wan_iface: auto -user_lan_iface: auto - -# See "How do I set a static IP address?" 
for Ethernet, in http://FAQ.IIAB.IO -# Ethernet - IF NECESSARY, CUSTOMIZE THESE 4+1 VARS IN /etc/iiab/local_vars.yml -wan_ip: dhcp # wan_ip: 192.168.1.99 -wan_netmask: # wan_netmask: 255.255.255.0 -wan_gateway: # wan_gateway: 192.168.1.254 -# If nec wan_nameserver can override ISP-provided DNS servers via dnsmasq: -# /etc/resolv.conf dictates which backend is used for the machine itself, so -# 127.0.0.1 means you get dnsmasq (so it works right away on RaspiOS) while -# 127.0.0.53 gives you systemd-networkd (so Ubuntu itself does NOT use this -# dnsmasq-specified upstream DNS [e.g. wan_nameserver] but its LAN clients do!) -wan_nameserver: # wan_nameserver: 192.168.1.254 or 8.8.8.8 or 1.1.1.1 -wan_try_dhcp_before_static_ip: True # Facilitate field updates w/ cablemodems -# Details @ roles/network/templates/network/dhcpcd.conf.j2 for /etc/dhcpcd.conf +# wondershaper_install: False +# wondershaper_enabled: False # 1-PREP @@ -215,9 +193,6 @@ sshd_install: True # Required by OpenVPN sshd_enabled: True sshd_port: 22 # Not fully functional. SEE: roles/sshd/tasks/install.yml -# IIAB-ADMIN runs here - see its vars near top of this file: -# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash - openvpn_install: True openvpn_enabled: False # For /etc/iiab/openvpn_handle @@ -231,6 +206,14 @@ openvpn_server_real_ip: 3.89.148.185 openvpn_server_virtual_ip: 10.8.0.1 openvpn_server_port: 1194 +# IIAB-ADMIN runs here - see its vars near top of this file: +# e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo, +# iiab_admin_published_pwd, admin_console_group + +# dnsmasq is installed here -- configure LATER in 'network', after Stage 9. +# (The full network stage runs after 9-LOCAL-ADDONS. Or manually run +# "cd /opt/iiab/iiab; sudo ./iiab-network"). Design under discussion: #2876 + # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4. # Please see recommendations at: https://itsfoss.com/swap-size/ pi_swap_file_size: 1024 
@@ -253,7 +236,6 @@ mysql_enabled: True # 2020-09-24: NGINX is MANDATORY but still evolving - please see: # https://github.com/iiab/iiab/blob/master/roles/nginx/README.md -# https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml # THESE 2 LEGACY VARS ARE PRESERVED BUT HAVE NO EFFECT: nginx_install: True nginx_enabled: True 
@@ -261,44 +243,44 @@ nginx_port: 80 nginx_interface: 0.0.0.0 nginx_conf_dir: /etc/nginx/conf.d nginx_log_dir: /var/log/nginx -# -# For schools that use WordPress/Nextcloud/Moodle/PBX intensively: -nginx_high_php_limits: False -# WARNING: Enabling this might cause excess use of RAM/disk or other resources! -# roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True' -# REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS... -# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133 -# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini +# SEE BELOW: nginx_high_php_limits, apache_allow_sudo -# Make this False to disable http://box/common/services/power_off.php button: -apache_allow_sudo: True - -# See also Apache vars {default_language, language_priority} @ top of this file -# -# 2020-09-24: BOTH VALUES BELOW ARE IGNORED as Apache is installed on demand as -# a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED, PBX &/or phpMyAdmin -apache_install: False -apache_enabled: False -# -# NGINX proxies to Apache for legacy IIAB services, using: -apache_port: 8090 -apache_interface: 127.0.0.1 # 2020-01-13: Var unused +# roles/www_base runs here (mandatory) # 4-SERVER-OPTIONS # SSHD runs here & also above in 1-PREP -# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs -# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network") +# DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above. +# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists) +# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains +# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs squid_install: False -squid_enabled: False +squid_enabled: False # SET 'iiab_gateway_enabled' FURTHER ABOVE ? +gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites ! 
+gw_block_https: False +# UNMAINTAINED as of July 2021 # DansGuardian REQUIRES Squid (above) be installed & enabled. # DansGuardian is NO LONGER AVAILABLE in Debian Buster i.e. since June 2019. -dansguardian_install: False -dansguardian_enabled: False +# dansguardian_install: False +# dansguardian_enabled: False + +# Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS +bluetooth_install: True +bluetooth_enabled: False +bluetooth_term_enabled: False + +# USB_LIB +usb_lib_install: True +usb_lib_enabled: True +# Show entire contents of USB sticks/drives (at http://box/usb) +iiab_usb_lib_show_all: True +# Set umask=0000 for VFAT, NTFS and exFAT in /etc/usbmount/usbmount.conf so +# Kolibri can export & import channels to USB sticks/drive: +usb_lib_umask0000_for_kolibri: True # Common UNIX Printing System (CUPS) cups_install: False 
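Review bot: This hunk drops the `apache_install`, `apache_enabled`, `apache_port: 8090` and `apache_interface` defaults entirely, while the later vars/default_vars.yml hunk at `@@ -616,18 +622,19 @@` introduces `pbx_use_apache: True` and this same commit lists `httpd` in unmaintained-roles.txt, so at least one role is still expected to run Apache; any template or task that references `apache_port` or `apache_interface` will now fail with an undefined variable unless the role defines them itself (not visible here). If the intent is that the httpd role owns these values, a comment on the `# SEE BELOW: nginx_high_php_limits, apache_allow_sudo` line such as `# apache_port/apache_interface: see <location where the httpd role now defines them>` would make the removal deliberate. `gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites !` is a valuable caveat; stating it as an explicit limitation of the allowlist (HTTPS traffic is not filtered by it) would keep operators from assuming otherwise.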
@@ -312,14 +294,18 @@ samba_udp_ports: 137:138 samba_tcp_mports: 139,445 shared_dir : "{{ content_base }}/public" # /library/public -# USB_LIB -usb_lib_install: True -usb_lib_enabled: True -# Show entire contents of USB sticks/drives (at http://box/usb) -iiab_usb_lib_show_all: True -# Set umask=0000 for VFAT, NTFS and exFAT in /etc/usbmount/usbmount.conf so -# Kolibri can export & import channels to USB sticks/drive: -usb_lib_umask0000_for_kolibri: True +# roles/www_options HANDLES THE 3 VARS BELOW: + +# For schools that use WordPress/Nextcloud/Moodle/PBX intensively: +nginx_high_php_limits: False +# WARNING: Enabling this might cause excess use of RAM/disk or other resources! +# roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True' +# REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS... +# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133 +# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini + +# Make this False to disable http://box/common/services/power_off.php button: +apache_allow_sudo: True # Toggle iiab-refresh-wiki-docs scraping for offline docs (http://box/info) nodocs: False @@ -349,7 +335,7 @@ idmgr_enabled: False # 2020-01-23: UNUSED # 6-GENERIC-APPS -# UNMAINTAINED as of September 2020 +# Simple, Self-Hosted Web Radio - from AzuraCast.com azuracast_install: False azuracast_enabled: False # This var is currently IGNORED azuracast_http_port: 10080 @@ -370,6 +356,7 @@ dokuwiki_url: /dokuwiki ejabberd_install: False ejabberd_enabled: False +# UNMAINTAINED as of July 2021 elgg_install: False elgg_enabled: False # elgg_mysql_password: $6$iiab51$jeTwnATcbaa92xo0QBTgjLBU.5aVDDrbKeNyyC99R/TAWz6pvfzj.L7lfnOVVjD78nxqT.gkNn6XZmuRV0W3o1 @@ -395,6 +382,7 @@ lokole_enabled: False lokole_sim_type: LocalOnly lokole_client_id: None +# Wikipedia's community editing platform - from MediaWiki.org mediawiki_install: False mediawiki_enabled: False 
@@ -432,17 +420,6 @@ nextcloud_enabled: False # Uncomment the following line to end that: (might install an older Nextcloud!) # nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2 -# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX. -# Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi. -# If using PBX intensively, set nginx_high_php_limits further above. -pbx_install: False -pbx_enabled: False -asterisk_chan_dongle: False -pbx_signaling_ports_chan_sip: 5160:5161 -pbx_signaling_ports_chan_pjsip: 5060 -pbx_data_ports: 10000:20000 -pbx_http_port: 83 - # If using WordPress intensively, set nginx_high_php_limits further above. wordpress_install: False wordpress_enabled: False @@ -456,6 +433,7 @@ kalite_enabled: True kalite_server_port: 8008 kalite_root: "{{ content_base }}/ka-lite" # /library/ka-lite +# Successor to KA Lite, for offline-first teaching and learning - from learningequality.org kolibri_install: False kolibri_enabled: False kolibri_language: en # See KOLIBRI_SUPPORTED_LANGUAGES at the bottom of https://github.com/learningequality/kolibri/blob/develop/kolibri/utils/i18n.py 
@@ -552,33 +530,48 @@ transmission_kalite_languages: # then click "Scan content folder for videos" (can take many minutes!) # E. READ "KA Lite Administration: What tips & tricks exist?" AT http://FAQ.IIAB.IO +# AWStats, originally known as Advanced Web Statistics - from https://awstats.sourceforge.io awstats_install: True awstats_enabled: True +# Process supervision tool - from https://mmonit.com/monit/ # 2020-09-22 WARNING: both vars are IGNORED on Debian 10 due to: iiab/iiab#1849 monit_install: False monit_enabled: False watchdog: - sshd - - idmgr - - ejabberd - - httpd + #- idmgr + #- ejabberd + #- httpd - postgresql - - squid + #- squid +# Networked resource monitoring/graphing tool - from munin-monitoring.org munin_install: False munin_enabled: False +# UNMAINTAINED as of July 2021 # Handy for maintaining tables, but DANGEROUS if not locked down phpmyadmin_install: False phpmyadmin_enabled: False +# Network traffic monitor - from https://humdi.net/vnstat/ vnstat_install: False vnstat_enabled: False # 9-LOCAL-ADDONS +# Python-based Captive Portal, that @m-anish & @jvonau experimented with in +# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt +# extensively later refined (PRs #1179, #1300, #1327, #2070). +captiveportal_install: True +captiveportal_enabled: False +captiveportal_port: 9090 +captiveportal_splash_page: / +# You might also want to set iiab_home_url (above!) +# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO + # 2020-09-24: BOTH VALUES BELOW ARE IGNORED as Yarn is installed on demand as a # dependency -- by Internet Archive yarn_install: False 
@@ -599,7 +592,20 @@ minetest_server_admin: Admin
 minetest_default_game: carbone-ng # only carbone-ng and minetest are supported
 minetest_flat_world: False
-# Calibre E-Book Library
+# Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX
+calibreweb_install: False
+calibreweb_enabled: False
+calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
+# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
+calibreweb_url1: /books # For SHORT URL http://box/books (English)
+calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
+calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
+calibreweb_home: "{{ content_base }}/calibre-web" # /library/calibre-web
+
+# SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so
+# ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!)
+
+# Calibre E-Book Library -- https://calibre-ebook.com
 # WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL
 # ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED.
 calibre_install: False
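Review bot: `calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)` relocates a knob that, by its own annotation, has been dead for over two years; either the annotation is stale and should go, or the variable should, because a port setting that silently does nothing lets an operator believe they have moved the service off 8083 when they have not. If it must stay for compatibility, say why: `# NOTE: kept for backward compatibility only; the service still listens on 8083 — TODO confirm against the calibre-web role`. The same lines recur in the vars/local_vars_big.yml and vars/local_vars_medium.yml `@@ -386,7 +348,20 @@` hunks.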
@@ -616,18 +622,19 @@ calibre_port: 8080
 calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529
 # Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below!
-# WARNING: Calibre-Web (below) depends on Calibre's own /usr/bin/ebook-convert
-# program, so we recommend you also install Calibre (above!)
-
-# Calibre-Web alternative to Calibre, offers a clean/modern UX
-calibreweb_install: False
-calibreweb_enabled: False
-calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
-# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
-calibreweb_url1: /books # For SHORT URL http://box/books (English)
-calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
-calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
-calibreweb_home: "{{ content_base }}/calibre-web" # /library/calibre-web
+# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
+# REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work.
+# INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme
+# If using PBX intensively, investigate nginx_high_php_limits further above.
+pbx_install: False
+pbx_enabled: False
+pbx_use_apache: True # 2021-08-17: Set either to 'False' if nec -- please
+pbx_use_nginx: True # read github.com/iiab/iiab/issues/2914 & #2916, THX!
+asterisk_chan_dongle: False
+pbx_signaling_ports_chan_sip: 5160:5161
+pbx_signaling_ports_chan_pjsip: 5060
+pbx_data_ports: 10000:20000
+pbx_http_port: 83
 # =============================================================================
@@ -716,6 +723,7 @@ is_linuxmint: False # Subset of is_ubuntu
 is_linuxmint_20: False
 is_debian: False # Covers both: Debian, Raspberry Pi OS (Raspbian)
+is_debian_12: False
 is_debian_11: False
 is_debian_10: False
 is_debian_9: False
diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml
index a97ecda83..68be9319e 100644
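Review bot: `pbx_use_apache: True` and `pbx_use_nginx: True` are both on by default, and the comment split across their two inline tails (`# 2021-08-17: Set either to 'False' if nec -- please` / `# read github.com/iiab/iiab/issues/2914 & #2916, THX!`) says when to switch one off but never what both-True means, so a reader cannot tell whether nginx fronts Apache, both listen, or one silently wins. One comment above the pair stating the intended topology (presumably nginx proxying to Apache on `pbx_http_port: 83`, but that is an inference from the names) would make this default reviewable without opening two issues. Separately, `pbx_signaling_ports_chan_sip: 5160:5161` and `pbx_data_ports: 10000:20000` parse as strings under YAML 1.1 only because the segment after the colon has more than two digits; quoting them, `'5160:5161'` and `'10000:20000'`, states the intent and survives a future edit to a smaller range. The same PBX block (without the port lines) is added in the vars/local_vars_big.yml and vars/local_vars_medium.yml `@@ -397,15 +372,12 @@` hunks.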
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@@ -15,12 +15,8 @@
 # Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
 download_timeout: 200
-# Languages (for Apache)
-default_language: en
-language_priority: en es fr
-
 # Real-time clock: set RTC chip family here. Future auto-detection plausible?
-# rtc_id: ds3231
+rtc_id: none # Or ds3231 ?
 # Please read more about the 'iiab-admin' Linux user, for login to IIAB's
 # Admin Console (http://box.lan/admin) AND to help you at the command-line:
@@ -37,6 +33,10 @@ iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional.
 admin_console_install: True
 admin_console_enabled: True
 #
+# Homepage: set to /home or /wordpress or /wiki (for MediaWiki)
+iiab_home_url: /home
+# You might also want to set captiveportal_splash_page (below!)
+#
 # Set to "False" if you do not want to use the latest js-menus, either because
 # you use WordPress or another home page, or if you prefer the older
 # https://github.com/iiab/iiab-menu (no longer maintained)
@@ -50,10 +50,6 @@ js_menu_install: True
 iiab_hostname: box
 iiab_domain: lan
-# Homepage: set to /home or /wordpress or /wiki (for MediaWiki)
-iiab_home_url: /home
-# You might also want to set captiveportal_splash_page (below!)
-
 # WARNING: IF YOU CONNECT YOUR IIAB'S INTERNAL WIFI TO THE INTERNET OVER 5 GHz,
 # YOU'LL PREVENT OLDER LAPTOPS/PHONES/TABLETS (WHICH REQUIRE 2.4 GHz) FROM
 # CONNECTING TO YOUR IIAB'S INTERNAL HOTSPOT. See "wifi_up_down: True" below.
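Review bot: `rtc_id: none # Or ds3231 ?` turns a commented-out example into a live value, but `none` is a plain YAML string, not null, so whatever consumes rtc_id now receives the literal text "none" and must compare against it rather than test for an unset variable; if the role only checks `is defined` (an inference, the role is outside this diff), this line makes it try to configure an RTC named "none". Quoting the value and documenting the sentinel, `rtc_id: 'none' # 'none' = no RTC module; otherwise the chip family, e.g. ds3231 — TODO confirm how the role tests this`, removes the ambiguity. The identical line lands in the first hunk of vars/local_vars_medium.yml and vars/local_vars_min.yml.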
@@ -70,7 +66,9 @@ wifi_hotspot_capacity_rpi_fix: True # Restores the ability of RPi internal
 # https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472.
 wifi_up_down: True # Creates a 2nd virtual WiFi adapter for upstream WiFi
 # (e.g. to Internet) in addition to downstream WiFi (e.g. classroom hotspot).
-# You can set iiab_gateway_enabled below, to enable "passthrough" to Internet.
+
+# Set True if client machines should have "passthrough" access to WAN/Internet:
+iiab_gateway_enabled: False
 # See "How do I set a static IP address?" for Ethernet, in http://FAQ.IIAB.IO
 wan_ip: dhcp # wan_ip: 192.168.1.99
@@ -83,6 +81,7 @@ wan_gateway: # wan_gateway: 192.168.1.254
 # dnsmasq-specified upstream DNS [e.g. wan_nameserver] but its LAN clients do!)
 wan_nameserver: # wan_nameserver: 192.168.1.254 or 8.8.8.8 or 1.1.1.1
 wan_try_dhcp_before_static_ip: True # Facilitate field updates w/ cablemodems
+# Details @ roles/network/templates/network/dhcpcd.conf.j2 for /etc/dhcpcd.conf
 # Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite
 # (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server.
@@ -99,41 +98,9 @@ ports_externally_visible: 3 # ssh + http-or-https + common IIAB services
 # /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
 # And then run: cd /opt/iiab/iiab; ./iiab-network
-# Set True if client machines should have "passthrough" access to WAN/Internet:
-iiab_gateway_enabled: False
-
-dhcpd_install: False
-dhcpd_enabled: False
-
-# named (BIND)
-named_install: False
-named_enabled: False
-
-# dnsmasq - handles DHCP and DNS
-dnsmasq_install: True
-dnsmasq_enabled: True
-
 # Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
 dns_jail_enabled: False
-# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
-# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
-# extensively later refined (PRs #1179, #1300, #1327, #2070).
-captiveportal_install: True
-captiveportal_enabled: False
-captiveportal_splash_page: /
-# You might also want to set iiab_home_url (above!)
-# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
-
-# Bluetooth PAN access to IIAB server
-bluetooth_install: True
-bluetooth_enabled: False
-bluetooth_term_enabled: False
-
-# UNMAINTAINED as of October 2017: https://github.com/iiab/iiab/pull/382
-# wondershaper_install: False
-# wondershaper_enabled: False
-
 # 1-PREP
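Review bot: This hunk deletes the `dnsmasq_install`/`dnsmasq_enabled`, `named_*` and `dhcpd_*` toggles from the big template but leaves no pointer to where those services are now controlled; the 1-PREP comment added in the next hunk says dnsmasq "is installed here" without naming the variable that would stop that. If the toggles still exist in vars/default_vars.yml (outside this diff), a one-liner at this spot, `# dnsmasq / named / dhcpd install toggles now live only in vars/default_vars.yml`, keeps operators from concluding DNS/DHCP can no longer be switched off from local_vars. The same removal is made in the vars/local_vars_medium.yml `@@ -99,41 +98,9 @@` hunk.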
@@ -141,15 +108,19 @@ bluetooth_term_enabled: False
 sshd_install: True # Required by OpenVPN
 sshd_enabled: True
-# IIAB-ADMIN runs here - see its vars near top of this file:
-# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
-
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: False
-# Set /etc/iiab/openvpn_handle in advance here:
+# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle
 openvpn_handle: BIG-sized - Put Your Name Here
+# IIAB-ADMIN runs here - see its vars near top of this file:
+# e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo
+
+# dnsmasq is installed here -- configure LATER in 'network', after Stage 9.
+# (The full network stage runs after 9-LOCAL-ADDONS. Or manually run
+# "cd /opt/iiab/iiab; sudo ./iiab-network"). Design under discussion: #2876
+
 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
 pi_swap_file_size: 1024
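Review bot: The relocated pointer `# e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo` drops `iiab_admin_pwd_hash`, which the removed line listed and which is the one variable an operator most needs to change from its shipped value before the box is reachable by anyone; if that variable still exists near the top of this file, it should stay in the example list. The new `# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle` is clearer with "it" named: `# 2021-08-18 SSOT: set openvpn_handle here, no longer in /etc/iiab/openvpn_handle`. The vars/local_vars_medium.yml `@@ -141,15 +108,19 @@` hunk has the same two lines.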
@@ -164,35 +135,36 @@ pi_swap_file_size: 1024
 # 3-BASE-SERVER
 # roles/mysql runs here (mandatory)
+# roles/nginx runs here (mandatory)
+# roles/www_base runs here (mandatory)
-# For schools that use WordPress/Nextcloud/Moodle/PBX intensively:
-nginx_high_php_limits: False
-# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
-# roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True'
-# REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS...
-# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
-# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
-
-# See also Apache vars {default_language, language_priority} @ top of this file
-#
-# Make this False to disable http://box/common/services/power_off.php button:
-apache_allow_sudo: True
+# SEE BELOW: nginx_high_php_limits, apache_allow_sudo
 # 4-SERVER-OPTIONS
 # SSHD runs here & also above in 1-PREP
-# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
-# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
+# DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above.
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
 squid_install: False
-squid_enabled: False
+squid_enabled: False # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
+gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites !
+gw_block_https: False
-# DansGuardian REQUIRES Squid (above) be installed & enabled.
-# DansGuardian is NO LONGER AVAILABLE in Debian Buster i.e. since June 2019.
-dansguardian_install: False
-dansguardian_enabled: False
+# Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
+bluetooth_install: True
+bluetooth_enabled: False
+bluetooth_term_enabled: False
+
+# Show entire contents of USB sticks/drives (at http://box/usb)
+iiab_usb_lib_show_all: True
+# Set umask=0000 for VFAT, NTFS and exFAT in /etc/usbmount/usbmount.conf so
+# Kolibri can export & import channels to USB sticks/drive:
+usb_lib_umask0000_for_kolibri: True
 # Common UNIX Printing System (CUPS)
 cups_install: True
@@ -202,11 +174,21 @@ cups_enabled: True
 samba_install: True
 samba_enabled: False
-# Show entire contents of USB sticks/drives (at http://box/usb)
-iiab_usb_lib_show_all: True
-# Set umask=0000 for VFAT, NTFS and exFAT in /etc/usbmount/usbmount.conf so
-# Kolibri can export & import channels to USB sticks/drive:
-usb_lib_umask0000_for_kolibri: True
+# roles/www_options HANDLES THE 3 VARS BELOW:
+
+# For schools that use WordPress/Nextcloud/Moodle/PBX intensively:
+nginx_high_php_limits: False
+# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
+# roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True'
+# REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS...
+# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
+# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
+
+# Make this False to disable http://box/common/services/power_off.php button:
+apache_allow_sudo: True
+
+# Toggle iiab-refresh-wiki-docs scraping for offline docs (http://box/info)
+nodocs: False
 # 5-XO-SERVICES
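Review bot: `gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites !` and `gw_block_https: False` are introduced as two independent knobs, yet the comment itself says they are coupled: an allowlist that only constrains plain HTTP is not an access control unless HTTPS is blocked too, so an operator who sets the first True and leaves the second False gets a filter that every HTTPS site walks straight past. One comment above the pair should say so: `# If the squid allowlist is meant as an access control, also set gw_block_https: True — otherwise HTTPS traffic bypasses it entirely.` The trailing `?` in `squid_enabled: False # SET 'iiab_gateway_enabled' FURTHER ABOVE ?` reads as an open question rather than guidance; if squid only does anything when the gateway is on, say `# needs iiab_gateway_enabled: True (further above)`. This hunk starts on the previous line; the vars/local_vars_medium.yml `@@ -164,35 +135,36 @@` hunk is identical.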
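Review bot: `apache_allow_sudo: True` is moved under a header that only says `# roles/www_options HANDLES THE 3 VARS BELOW:`, and its own comment describes just the UI effect (`# Make this False to disable http://box/common/services/power_off.php button:`); a variable whose name says the web server gets sudo deserves a comment stating the privilege it confers and why True is the shipped default, along the lines of `# Lets the web server account run a privileged shutdown via sudo (see roles/www_options) so the power_off.php button works; set False if that is not acceptable on your network` — assuming the name is accurate, which roles/www_options would confirm. `nodocs: False` is a negated boolean, so True means "skip the scrape"; `# True = do NOT run iiab-refresh-wiki-docs` beside it avoids the double negative. The vars/local_vars_medium.yml `@@ -202,11 +174,21 @@` hunk carries the same lines.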
@@ -214,42 +196,13 @@ usb_lib_umask0000_for_kolibri: True
 # Lesser-supported XO services need additional testing. Please contact
 # http://lists.laptop.org/pipermail/server-devel/ if you're able to help test.
-# UNMAINTAINED
-# xo_services_install: False
-# xo_services_enabled: False
-
-# UNMAINTAINED
-# activity_server_install: False
-# activity_server_enabled: False
-
-# UNMAINTAINED
-# Please instead consider 'ejabberd' in Stage 6-GENERIC-APPS below
-# ejabberd_xs_install: False
-# ejabberd_xs_enabled: False
-
-# UNMAINTAINED
-# Change calibre_port from 8080 to 8010 below, if you enable idmgr
-# idmgr_install: False
-# idmgr_enabled: False
-
 # 6-GENERIC-APPS
-# UNMAINTAINED as of September 2020
+# Simple, Self-Hosted Web Radio - from AzuraCast.com
 azuracast_install: False
 azuracast_enabled: False # This var is currently IGNORED.
-# UNMAINTAINED as of January 2020: https://github.com/iiab/iiab/issues/2056
-# dokuwiki_install: False
-# dokuwiki_enabled: False
-
-# UNMAINTAINED as of November 2019
-# ejabberd_install: False
-# ejabberd_enabled: False
-
-elgg_install: True
-elgg_enabled: True
-
 # Gitea (lightweight self-hosted "GitHub") from https://gitea.io
 gitea_install: True
 gitea_enabled: True
@@ -262,6 +215,7 @@ jupyterhub_enabled: True
 lokole_install: True
 lokole_enabled: True
+# Wikipedia's community editing platform - from MediaWiki.org
 mediawiki_install: True
 mediawiki_enabled: True
@@ -289,13 +243,6 @@ nextcloud_enabled: True
 # Uncomment the following line to end that: (might install an older Nextcloud!)
 # nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
-# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
-# Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi.
-# If using PBX intensively, set nginx_high_php_limits further above.
-pbx_install: False
-pbx_enabled: False
-asterisk_chan_dongle: False
-
 # If using WordPress intensively, set nginx_high_php_limits further above.
 wordpress_install: True
 wordpress_enabled: True
@@ -307,6 +254,7 @@ wordpress_enabled: True
 kalite_install: True
 kalite_enabled: True
+# Successor to KA Lite, for offline-first teaching and learning - from learningequality.org
 kolibri_install: True
 kolibri_enabled: True
 kolibri_language: en # ar,bg-bg,bn-bd,de,en,es-es,es-419,fa,fr-fr,ff-cm,gu-in,hi-in,it,km,ko,mr,my,nyn,pt-br,sw-tz,te,ur-pk,vi,yo,zh-hans
@@ -357,26 +305,40 @@ transmission_kalite_languages:
 # then click "Scan content folder for videos" (can take many minutes!)
 # E. READ "KA Lite Administration: What tips & tricks exist?" AT http://FAQ.IIAB.IO
+# AWStats, originally known as Advanced Web Statistics - from https://awstats.sourceforge.io
 awstats_install: True
 awstats_enabled: True
+# Process supervision tool - from https://mmonit.com/monit/
 # 2020-09-22 WARNING: both vars are IGNORED on Debian 10 due to: iiab/iiab#1849
 monit_install: False
 monit_enabled: False
+# Networked resource monitoring/graphing tool - from munin-monitoring.org
 munin_install: True
 munin_enabled: True
+# UNMAINTAINED as of July 2021
 # Handy for maintaining tables, but DANGEROUS if not locked down
-phpmyadmin_install: True
+phpmyadmin_install: False
 phpmyadmin_enabled: False
+# Network traffic monitor - from https://humdi.net/vnstat/
 vnstat_install: True
 vnstat_enabled: True
 # 9-LOCAL-ADDONS
+# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
+# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
+# extensively later refined (PRs #1179, #1300, #1327, #2070).
+captiveportal_install: True
+captiveportal_enabled: False
+captiveportal_splash_page: /
+# You might also want to set iiab_home_url (above!)
+# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
+
 # Internet Archive Decentralized Web - create your own offline version box:4244
 # (or http://box/archive) arising from digital library https://dweb.archive.org
 internetarchive_install: True
@@ -386,7 +348,20 @@ internetarchive_enabled: True
 minetest_install: True
 minetest_enabled: True
-# Calibre E-Book Library
+# Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX
+calibreweb_install: True
+calibreweb_enabled: True
+calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
+# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
+calibreweb_url1: /books # For SHORT URL http://box/books (English)
+calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
+calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
+calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web"
+
+# SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so
+# ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!)
+
+# Calibre E-Book Library -- https://calibre-ebook.com
 # WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL
 # ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED.
 calibre_install: False
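Review bot: `calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web"` pins a literal path in this template while its own comment admits the default is derived from content_base; anyone who changes content_base in this file will have Calibre-Web's library land outside the content tree with no warning, because this override silently wins. Unless the literal is deliberate, write it the way the default_vars hunk does, `calibreweb_home: "{{ content_base }}/calibre-web" # /library/calibre-web`, or drop the line so the default applies. The vars/local_vars_medium.yml `@@ -386,7 +348,20 @@` hunk carries the same line.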
@@ -397,15 +372,12 @@ calibre_port: 8080
 calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529
 # Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below!
-# WARNING: Calibre-Web (below) depends on Calibre's own /usr/bin/ebook-convert
-# program, so we recommend you also install Calibre (above!)
-
-# Calibre-Web alternative to Calibre, offers a clean/modern UX
-calibreweb_install: True
-calibreweb_enabled: True
-calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
-# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
-calibreweb_url1: /books # For SHORT URL http://box/books (English)
-calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
-calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
-calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web"
+# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
+# REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work.
+# INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme
+# If using PBX intensively, investigate nginx_high_php_limits further above.
+pbx_install: False
+pbx_enabled: False
+pbx_use_apache: True # 2021-08-17: Set either to 'False' if nec -- please
+pbx_use_nginx: True # read github.com/iiab/iiab/issues/2914 & #2916, THX!
+asterisk_chan_dongle: False
diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml
index 54bec6639..6ede6593b 100644
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@@ -15,12 +15,8 @@
 # Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
 download_timeout: 200
-# Languages (for Apache)
-default_language: en
-language_priority: en es fr
-
 # Real-time clock: set RTC chip family here. Future auto-detection plausible?
-# rtc_id: ds3231
+rtc_id: none # Or ds3231 ?
 # Please read more about the 'iiab-admin' Linux user, for login to IIAB's
 # Admin Console (http://box.lan/admin) AND to help you at the command-line:
@@ -37,6 +33,10 @@ iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional.
 admin_console_install: True
 admin_console_enabled: True
 #
+# Homepage: set to /home or /wordpress or /wiki (for MediaWiki)
+iiab_home_url: /home
+# You might also want to set captiveportal_splash_page (below!)
+#
 # Set to "False" if you do not want to use the latest js-menus, either because
 # you use WordPress or another home page, or if you prefer the older
 # https://github.com/iiab/iiab-menu (no longer maintained)
@@ -50,10 +50,6 @@ js_menu_install: True
 iiab_hostname: box
 iiab_domain: lan
-# Homepage: set to /home or /wordpress or /wiki (for MediaWiki)
-iiab_home_url: /home
-# You might also want to set captiveportal_splash_page (below!)
-
 # WARNING: IF YOU CONNECT YOUR IIAB'S INTERNAL WIFI TO THE INTERNET OVER 5 GHz,
 # YOU'LL PREVENT OLDER LAPTOPS/PHONES/TABLETS (WHICH REQUIRE 2.4 GHz) FROM
 # CONNECTING TO YOUR IIAB'S INTERNAL HOTSPOT. See "wifi_up_down: True" below.
@@ -70,7 +66,9 @@ wifi_hotspot_capacity_rpi_fix: True # Restores the ability of RPi internal
 # https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472.
 wifi_up_down: True # Creates a 2nd virtual WiFi adapter for upstream WiFi
 # (e.g. to Internet) in addition to downstream WiFi (e.g. classroom hotspot).
-# You can set iiab_gateway_enabled below, to enable "passthrough" to Internet.
+
+# Set True if client machines should have "passthrough" access to WAN/Internet:
+iiab_gateway_enabled: False
 # See "How do I set a static IP address?" for Ethernet, in http://FAQ.IIAB.IO
 wan_ip: dhcp # wan_ip: 192.168.1.99
@@ -83,6 +81,7 @@ wan_gateway: # wan_gateway: 192.168.1.254
 # dnsmasq-specified upstream DNS [e.g. wan_nameserver] but its LAN clients do!)
 wan_nameserver: # wan_nameserver: 192.168.1.254 or 8.8.8.8 or 1.1.1.1
 wan_try_dhcp_before_static_ip: True # Facilitate field updates w/ cablemodems
+# Details @ roles/network/templates/network/dhcpcd.conf.j2 for /etc/dhcpcd.conf
 # Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite
 # (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server.
@@ -99,41 +98,9 @@ ports_externally_visible: 3 # ssh + http-or-https + common IIAB services
 # /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
 # And then run: cd /opt/iiab/iiab; ./iiab-network
-# Set True if client machines should have "passthrough" access to WAN/Internet:
-iiab_gateway_enabled: False
-
-dhcpd_install: False
-dhcpd_enabled: False
-
-# named (BIND)
-named_install: False
-named_enabled: False
-
-# dnsmasq - handles DHCP and DNS
-dnsmasq_install: True
-dnsmasq_enabled: True
-
 # Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network"
 dns_jail_enabled: False
-# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
-# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
-# extensively later refined (PRs #1179, #1300, #1327, #2070).
-captiveportal_install: True
-captiveportal_enabled: False
-captiveportal_splash_page: /
-# You might also want to set iiab_home_url (above!)
-# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
-
-# Bluetooth PAN access to IIAB server
-bluetooth_install: True
-bluetooth_enabled: False
-bluetooth_term_enabled: False
-
-# UNMAINTAINED as of October 2017: https://github.com/iiab/iiab/pull/382
-# wondershaper_install: False
-# wondershaper_enabled: False
-
 # 1-PREP
@@ -141,15 +108,19 @@ bluetooth_term_enabled: False
 sshd_install: True # Required by OpenVPN
 sshd_enabled: True
-# IIAB-ADMIN runs here - see its vars near top of this file:
-# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
-
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: False
-# Set /etc/iiab/openvpn_handle in advance here:
+# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle
 openvpn_handle: MEDIUM-sized - Put Your Name Here
+# IIAB-ADMIN runs here - see its vars near top of this file:
+# e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo
+
+# dnsmasq is installed here -- configure LATER in 'network', after Stage 9.
+# (The full network stage runs after 9-LOCAL-ADDONS. Or manually run
+# "cd /opt/iiab/iiab; sudo ./iiab-network"). Design under discussion: #2876
+
 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
 pi_swap_file_size: 1024
@@ -164,35 +135,36 @@ pi_swap_file_size: 1024
 # 3-BASE-SERVER
 # roles/mysql runs here (mandatory)
+# roles/nginx runs here (mandatory)
+# roles/www_base runs here (mandatory)
-# For schools that use WordPress/Nextcloud/Moodle/PBX intensively:
-nginx_high_php_limits: False
-# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
-# roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True'
-# REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS...
-# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
-# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
-
-# See also Apache vars {default_language, language_priority} @ top of this file
-#
-# Make this False to disable http://box/common/services/power_off.php button:
-apache_allow_sudo: True
+# SEE BELOW: nginx_high_php_limits, apache_allow_sudo
 # 4-SERVER-OPTIONS
 # SSHD runs here & also above in 1-PREP
-# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs
-# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
+# DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above.
+# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains
+# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs
 squid_install: False
-squid_enabled: False
+squid_enabled: False # SET 'iiab_gateway_enabled' FURTHER ABOVE ?
+gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites !
+gw_block_https: False
-# DansGuardian REQUIRES Squid (above) be installed & enabled.
-# DansGuardian is NO LONGER AVAILABLE in Debian Buster i.e. since June 2019.
-dansguardian_install: False
-dansguardian_enabled: False
+# Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
+bluetooth_install: True
+bluetooth_enabled: False
+bluetooth_term_enabled: False
+
+# Show entire contents of USB sticks/drives (at http://box/usb)
+iiab_usb_lib_show_all: True
+# Set umask=0000 for VFAT, NTFS and exFAT in /etc/usbmount/usbmount.conf so
+# Kolibri can export & import channels to USB sticks/drive:
+usb_lib_umask0000_for_kolibri: True
 # Common UNIX Printing System (CUPS)
 cups_install: False
@@ -202,11 +174,21 @@ cups_enabled: False
 samba_install: False
 samba_enabled: False
-# Show entire contents of USB sticks/drives (at http://box/usb)
-iiab_usb_lib_show_all: True
-# Set umask=0000 for VFAT, NTFS and exFAT in /etc/usbmount/usbmount.conf so
-# Kolibri can export & import channels to USB sticks/drive:
-usb_lib_umask0000_for_kolibri: True
+# roles/www_options HANDLES THE 3 VARS BELOW:
+
+# For schools that use WordPress/Nextcloud/Moodle/PBX intensively:
+nginx_high_php_limits: False
+# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
+# roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True'
+# REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS...
+# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
+# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
+
+# Make this False to disable http://box/common/services/power_off.php button:
+apache_allow_sudo: True
+
+# Toggle iiab-refresh-wiki-docs scraping for offline docs (http://box/info)
+nodocs: False
 # 5-XO-SERVICES
@@ -214,42 +196,13 @@ usb_lib_umask0000_for_kolibri: True
 # Lesser-supported XO services need additional testing. Please contact
 # http://lists.laptop.org/pipermail/server-devel/ if you're able to help test.
-# UNMAINTAINED
-# xo_services_install: False
-# xo_services_enabled: False
-
-# UNMAINTAINED
-# activity_server_install: False
-# activity_server_enabled: False
-
-# UNMAINTAINED
-# Please instead consider 'ejabberd' in Stage 6-GENERIC-APPS below
-# ejabberd_xs_install: False
-# ejabberd_xs_enabled: False
-
-# UNMAINTAINED
-# Change calibre_port from 8080 to 8010 below, if you enable idmgr
-# idmgr_install: False
-# idmgr_enabled: False
-
 # 6-GENERIC-APPS
-# UNMAINTAINED as of September 2020
+# Simple, Self-Hosted Web Radio - from AzuraCast.com
 azuracast_install: False
 azuracast_enabled: False # This var is currently IGNORED.
-# UNMAINTAINED as of January 2020: https://github.com/iiab/iiab/issues/2056
-# dokuwiki_install: False
-# dokuwiki_enabled: False
-
-# UNMAINTAINED as of November 2019
-# ejabberd_install: False
-# ejabberd_enabled: False
-
-elgg_install: False
-elgg_enabled: False
-
 # Gitea (lightweight self-hosted "GitHub") from https://gitea.io
 gitea_install: False
 gitea_enabled: False
@@ -262,6 +215,7 @@ jupyterhub_enabled: False
 lokole_install: False
 lokole_enabled: False
+# Wikipedia's community editing platform - from MediaWiki.org
 mediawiki_install: False
 mediawiki_enabled: False
@@ -289,13 +243,6 @@ nextcloud_enabled: True
 # Uncomment the following line to end that: (might install an older Nextcloud!)
 # nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
-# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
-# Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi.
-# If using PBX intensively, set nginx_high_php_limits further above.
-pbx_install: False
-pbx_enabled: False
-asterisk_chan_dongle: False
-
 # If using WordPress intensively, set nginx_high_php_limits further above.
 wordpress_install: True
 wordpress_enabled: True
@@ -307,6 +254,7 @@ wordpress_enabled: True
 kalite_install: True
 kalite_enabled: True
+# Successor to KA Lite, for offline-first teaching and learning - from learningequality.org
 kolibri_install: False
 kolibri_enabled: False
 kolibri_language: en # ar,bg-bg,bn-bd,de,en,es-es,es-419,fa,fr-fr,ff-cm,gu-in,hi-in,it,km,ko,mr,my,nyn,pt-br,sw-tz,te,ur-pk,vi,yo,zh-hans
@@ -357,26 +305,40 @@ transmission_kalite_languages:
 # then click "Scan content folder for videos" (can take many minutes!)
 # E. READ "KA Lite Administration: What tips & tricks exist?" AT http://FAQ.IIAB.IO
+# AWStats, originally known as Advanced Web Statistics - from https://awstats.sourceforge.io
 awstats_install: True
 awstats_enabled: True
+# Process supervision tool - from https://mmonit.com/monit/
 # 2020-09-22 WARNING: both vars are IGNORED on Debian 10 due to: iiab/iiab#1849
 monit_install: False
 monit_enabled: False
+# Networked resource monitoring/graphing tool - from munin-monitoring.org
 munin_install: False
 munin_enabled: False
+# UNMAINTAINED as of July 2021
 # Handy for maintaining tables, but DANGEROUS if not locked down
 phpmyadmin_install: False
 phpmyadmin_enabled: False
+# Network traffic monitor - from https://humdi.net/vnstat/
 vnstat_install: False
 vnstat_enabled: False
 # 9-LOCAL-ADDONS
+# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
+# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
+# extensively later refined (PRs #1179, #1300, #1327, #2070).
+captiveportal_install: True
+captiveportal_enabled: False
+captiveportal_splash_page: /
+# You might also want to set iiab_home_url (above!)
+# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
+
 # Internet Archive Decentralized Web - create your own offline version box:4244
 # (or http://box/archive) arising from digital library https://dweb.archive.org
 internetarchive_install: False
@@ -386,7 +348,20 @@ internetarchive_enabled: False
 minetest_install: False
 minetest_enabled: False
-# Calibre E-Book Library
+# Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX
+calibreweb_install: True
+calibreweb_enabled: True
+calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
+# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
+calibreweb_url1: /books # For SHORT URL http://box/books (English)
+calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
+calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
+calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web"
+
+# SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so
+# ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!)
+
+# Calibre E-Book Library -- https://calibre-ebook.com
 # WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL
 # ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED.
 calibre_install: False
@@ -397,15 +372,12 @@ calibre_port: 8080
 calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529
 # Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below!
-# WARNING: Calibre-Web (below) depends on Calibre's own /usr/bin/ebook-convert
-# program, so we recommend you also install Calibre (above!)
-
-# Calibre-Web alternative to Calibre, offers a clean/modern UX
-calibreweb_install: True
-calibreweb_enabled: True
-calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019)
-# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc?
-calibreweb_url1: /books # For SHORT URL http://box/books (English)
-calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish)
-calibreweb_url3: /livres # For SHORT URL http://box/livres (French)
-calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web"
+# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
+# REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work.
+# INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme
+# If using PBX intensively, investigate nginx_high_php_limits further above.
+pbx_install: False
+pbx_enabled: False
+pbx_use_apache: True # 2021-08-17: Set either to 'False' if nec -- please
+pbx_use_nginx: True # read github.com/iiab/iiab/issues/2914 & #2916, THX!
+asterisk_chan_dongle: False
diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml
index afee5a6b3..464b00890 100644
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@@ -15,12 +15,8 @@ # Ansible's default timeout for "get_url:" downloads (10 seconds) often fails download_timeout: 200 -# Languages (for Apache) -default_language: en -language_priority: en es fr - # Real-time clock: set RTC chip family here. Future auto-detection plausible? -# rtc_id: ds3231 +rtc_id: none # Or ds3231 ? # Please read more about the 'iiab-admin' Linux user, for login to IIAB's # Admin Console (http://box.lan/admin) AND to help you at the command-line: @@ -37,6 +33,10 @@ iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. admin_console_install: True admin_console_enabled: True # +# Homepage: set to /home or /wordpress or /wiki (for MediaWiki) +iiab_home_url: /home +# You might also want to set captiveportal_splash_page (below!) +# # Set to "False" if you do not want to use the latest js-menus, either because # you use WordPress or another home page, or if you prefer the older # https://github.com/iiab/iiab-menu (no longer maintained) @@ -50,10 +50,6 @@ js_menu_install: True iiab_hostname: box iiab_domain: lan -# Homepage: set to /home or /wordpress or /wiki (for MediaWiki) -iiab_home_url: /home -# You might also want to set captiveportal_splash_page (below!) - # WARNING: IF YOU CONNECT YOUR IIAB'S INTERNAL WIFI TO THE INTERNET OVER 5 GHz, # YOU'LL PREVENT OLDER LAPTOPS/PHONES/TABLETS (WHICH REQUIRE 2.4 GHz) FROM # CONNECTING TO YOUR IIAB'S INTERNAL HOTSPOT. See "wifi_up_down: True" below. 
@@ -70,7 +66,9 @@ wifi_hotspot_capacity_rpi_fix: True # Restores the ability of RPi internal # https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472. wifi_up_down: True # Creates a 2nd virtual WiFi adapter for upstream WiFi # (e.g. to Internet) in addition to downstream WiFi (e.g. classroom hotspot). -# You can set iiab_gateway_enabled below, to enable "passthrough" to Internet. + +# Set True if client machines should have "passthrough" access to WAN/Internet: +iiab_gateway_enabled: False # See "How do I set a static IP address?" for Ethernet, in http://FAQ.IIAB.IO wan_ip: dhcp # wan_ip: 192.168.1.99 @@ -83,6 +81,7 @@ wan_gateway: # wan_gateway: 192.168.1.254 # dnsmasq-specified upstream DNS [e.g. wan_nameserver] but its LAN clients do!) wan_nameserver: # wan_nameserver: 192.168.1.254 or 8.8.8.8 or 1.1.1.1 wan_try_dhcp_before_static_ip: True # Facilitate field updates w/ cablemodems +# Details @ roles/network/templates/network/dhcpcd.conf.j2 for /etc/dhcpcd.conf # Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite # (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server. 
@@ -99,41 +98,9 @@ ports_externally_visible: 3 # ssh + http-or-https + common IIAB services # /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables # And then run: cd /opt/iiab/iiab; ./iiab-network -# Set True if client machines should have "passthrough" access to WAN/Internet: -iiab_gateway_enabled: False - -dhcpd_install: False -dhcpd_enabled: False - -# named (BIND) -named_install: False -named_enabled: False - -# dnsmasq - handles DHCP and DNS -dnsmasq_install: True -dnsmasq_enabled: True - # Enable AFTER installing IIAB! Then run "cd /opt/iiab/iiab; ./iiab-network" dns_jail_enabled: False -# Python-based Captive Portal, that @m-anish & @jvonau experimented with in -# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt -# extensively later refined (PRs #1179, #1300, #1327, #2070). -captiveportal_install: True -captiveportal_enabled: False -captiveportal_splash_page: / -# You might also want to set iiab_home_url (above!) -# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO - -# Bluetooth PAN access to IIAB server -bluetooth_install: True -bluetooth_enabled: False -bluetooth_term_enabled: False - -# UNMAINTAINED as of October 2017: https://github.com/iiab/iiab/pull/382 -# wondershaper_install: False -# wondershaper_enabled: False - # 1-PREP 
@@ -141,15 +108,19 @@ bluetooth_term_enabled: False sshd_install: True # Required by OpenVPN sshd_enabled: True -# IIAB-ADMIN runs here - see its vars near top of this file: -# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash - # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security openvpn_install: True openvpn_enabled: False -# Set /etc/iiab/openvpn_handle in advance here: +# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle openvpn_handle: MIN-sized - Put Your Name Here +# IIAB-ADMIN runs here - see its vars near top of this file: +# e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo + +# dnsmasq is installed here -- configure LATER in 'network', after Stage 9. +# (The full network stage runs after 9-LOCAL-ADDONS. Or manually run +# "cd /opt/iiab/iiab; sudo ./iiab-network"). Design under discussion: #2876 + # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4. # Please see recommendations at: https://itsfoss.com/swap-size/ pi_swap_file_size: 1024 
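Review bot: `# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle` says where the handle now lives but not what happens on an upgraded box that still has the old file, whether it is ignored, still wins, or causes an error, and since the handle is what identifies this machine to the remote VPN endpoint a silent precedence rule matters. Whichever behaviour roles/openvpn implements (not visible here) should be stated on that line, e.g. `# 2021-08-18 SSOT: set it here. A leftover /etc/iiab/openvpn_handle is ignored -- delete it on upgraded boxes` (or "overrides this value", if that is the case). The context value `openvpn_handle: MIN-sized - Put Your Name Here` is presumably sent as-is when nobody edits it, so a short `# must be unique per box` caveat next to it would also help.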
@@ -164,35 +135,36 @@ pi_swap_file_size: 1024 # 3-BASE-SERVER # roles/mysql runs here (mandatory) +# roles/nginx runs here (mandatory) +# roles/www_base runs here (mandatory) -# For schools that use WordPress/Nextcloud/Moodle/PBX intensively: -nginx_high_php_limits: False -# WARNING: Enabling this might cause excess use of RAM/disk or other resources! -# roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True' -# REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS... -# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133 -# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini - -# See also Apache vars {default_language, language_priority} @ top of this file -# -# Make this False to disable http://box/common/services/power_off.php button: -apache_allow_sudo: True +# SEE BELOW: nginx_high_php_limits, apache_allow_sudo # 4-SERVER-OPTIONS # SSHD runs here & also above in 1-PREP -# DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs -# after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network") +# DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above. +# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists) +# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains +# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs squid_install: False -squid_enabled: False +squid_enabled: False # SET 'iiab_gateway_enabled' FURTHER ABOVE ? +gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites ! +gw_block_https: False -# DansGuardian REQUIRES Squid (above) be installed & enabled. -# DansGuardian is NO LONGER AVAILABLE in Debian Buster i.e. since June 2019. 
-dansguardian_install: False -dansguardian_enabled: False +# Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS +bluetooth_install: True +bluetooth_enabled: False +bluetooth_term_enabled: False + +# Show entire contents of USB sticks/drives (at http://box/usb) +iiab_usb_lib_show_all: True +# Set umask=0000 for VFAT, NTFS and exFAT in /etc/usbmount/usbmount.conf so +# Kolibri can export & import channels to USB sticks/drive: +usb_lib_umask0000_for_kolibri: True # Common UNIX Printing System (CUPS) cups_install: False @@ -202,11 +174,21 @@ cups_enabled: False samba_install: False samba_enabled: False -# Show entire contents of USB sticks/drives (at http://box/usb) -iiab_usb_lib_show_all: True -# Set umask=0000 for VFAT, NTFS and exFAT in /etc/usbmount/usbmount.conf so -# Kolibri can export & import channels to USB sticks/drive: -usb_lib_umask0000_for_kolibri: True +# roles/www_options HANDLES THE 3 VARS BELOW: + +# For schools that use WordPress/Nextcloud/Moodle/PBX intensively: +nginx_high_php_limits: False +# WARNING: Enabling this might cause excess use of RAM/disk or other resources! +# roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True' +# REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS... +# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133 +# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini + +# Make this False to disable http://box/common/services/power_off.php button: +apache_allow_sudo: True + +# Toggle iiab-refresh-wiki-docs scraping for offline docs (http://box/info) +nodocs: False # 5-XO-SERVICES 
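Review bot: `gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites !` and `gw_block_https: False` are introduced together, but nothing says how they interact: with the allowlist on and `gw_block_https` left False, HTTPS destinations presumably pass the gateway unfiltered, so the allowlist alone is not a usable content control for today's web. That deserves a direct statement on the second line, e.g. `gw_block_https: False # Set True when using gw_squid_whitelist, otherwise HTTPS sites bypass the allowlist entirely`. The trailing `# SET 'iiab_gateway_enabled' FURTHER ABOVE ?` on `squid_enabled` is unclear as written; if Squid only does anything with the gateway on, say so: `# Only useful with iiab_gateway_enabled: True (above)`. I cannot see roles/network's squid handling, so both wordings need confirming against it.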
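Review bot: `apache_allow_sudo: True` moves here under `# roles/www_options HANDLES THE 3 VARS BELOW:` with only `# Make this False to disable http://box/common/services/power_off.php button:` as explanation, which describes the UI effect but not the privilege: the name implies a sudo rule for the web server account, and a power-off endpoint reachable by any hotspot client is a denial-of-service lever for a shared classroom box. A sample vars file should show that trade-off on the line itself, e.g. `apache_allow_sudo: True # Grants the web server sudo for power-off; anyone who can reach http://box can shut the box down. Set False on exposed deployments`. The actual sudoers rule lives in roles/www_options, which is outside this diff, so the wording should be checked against what that role writes. `nodocs: False` under `# Toggle iiab-refresh-wiki-docs scraping` is also a negative-named toggle; `# True skips the scrape` would spare the double negative.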
@@ -214,42 +196,13 @@ usb_lib_umask0000_for_kolibri: True # Lesser-supported XO services need additional testing. Please contact # http://lists.laptop.org/pipermail/server-devel/ if you're able to help test. -# UNMAINTAINED -# xo_services_install: False -# xo_services_enabled: False - -# UNMAINTAINED -# activity_server_install: False -# activity_server_enabled: False - -# UNMAINTAINED -# Please instead consider 'ejabberd' in Stage 6-GENERIC-APPS below -# ejabberd_xs_install: False -# ejabberd_xs_enabled: False - -# UNMAINTAINED -# Change calibre_port from 8080 to 8010 below, if you enable idmgr -# idmgr_install: False -# idmgr_enabled: False - # 6-GENERIC-APPS -# UNMAINTAINED as of September 2020 +# Simple, Self-Hosted Web Radio - from AzuraCast.com azuracast_install: False azuracast_enabled: False # This var is currently IGNORED. -# UNMAINTAINED as of January 2020: https://github.com/iiab/iiab/issues/2056 -# dokuwiki_install: False -# dokuwiki_enabled: False - -# UNMAINTAINED as of November 2019 -# ejabberd_install: False -# ejabberd_enabled: False - -elgg_install: False -elgg_enabled: False - # Gitea (lightweight self-hosted "GitHub") from https://gitea.io gitea_install: False gitea_enabled: False @@ -262,6 +215,7 @@ jupyterhub_enabled: False lokole_install: False lokole_enabled: False +# Wikipedia's community editing platform - from MediaWiki.org mediawiki_install: False mediawiki_enabled: False 
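Review bot: the hunk replaces `# UNMAINTAINED as of September 2020` above `azuracast_install` with `# Simple, Self-Hosted Web Radio - from AzuraCast.com`, dropping the maintenance caveat while the next line still says `azuracast_enabled: False # This var is currently IGNORED.`, which suggests the role is still only half wired. Unless it has genuinely been picked up again, the warning should survive alongside the blurb, the way `# UNMAINTAINED as of July 2021` is kept for phpMyAdmin later in this diff: `# UNMAINTAINED as of September 2020 -- Simple, Self-Hosted Web Radio - from AzuraCast.com`. Removing `elgg_install: False` / `elgg_enabled: False` from the sample also means those values now come only from default_vars.yml; if the role is being deprecated rather than deleted, a one-line note saying so would keep the sample honest.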
@@ -289,13 +243,6 @@ nextcloud_enabled: False # Uncomment the following line to end that: (might install an older Nextcloud!) # nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2 -# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX. -# Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x. Experimental on RPi. -# If using PBX intensively, set nginx_high_php_limits further above. -pbx_install: False -pbx_enabled: False -asterisk_chan_dongle: False - # If using WordPress intensively, set nginx_high_php_limits further above. wordpress_install: False wordpress_enabled: False @@ -307,6 +254,7 @@ wordpress_enabled: False kalite_install: True kalite_enabled: True +# Successor to KA Lite, for offline-first teaching and learning - from learningequality.org kolibri_install: False kolibri_enabled: False kolibri_language: en # ar,bg-bg,bn-bd,de,en,es-es,es-419,fa,fr-fr,ff-cm,gu-in,hi-in,it,km,ko,mr,my,nyn,pt-br,sw-tz,te,ur-pk,vi,yo,zh-hans 
@@ -357,26 +305,40 @@ transmission_kalite_languages: # then click "Scan content folder for videos" (can take many minutes!) # E. READ "KA Lite Administration: What tips & tricks exist?" AT http://FAQ.IIAB.IO +# AWStats, originally known as Advanced Web Statistics - from https://awstats.sourceforge.io awstats_install: True awstats_enabled: True +# Process supervision tool - from https://mmonit.com/monit/ # 2020-09-22 WARNING: both vars are IGNORED on Debian 10 due to: iiab/iiab#1849 monit_install: False monit_enabled: False +# Networked resource monitoring/graphing tool - from munin-monitoring.org munin_install: False munin_enabled: False +# UNMAINTAINED as of July 2021 # Handy for maintaining tables, but DANGEROUS if not locked down phpmyadmin_install: False phpmyadmin_enabled: False +# Network traffic monitor - from https://humdi.net/vnstat/ vnstat_install: False vnstat_enabled: False # 9-LOCAL-ADDONS +# Python-based Captive Portal, that @m-anish & @jvonau experimented with in +# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt +# extensively later refined (PRs #1179, #1300, #1327, #2070). +captiveportal_install: True +captiveportal_enabled: False +captiveportal_splash_page: / +# You might also want to set iiab_home_url (above!) +# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO + # Internet Archive Decentralized Web - create your own offline version box:4244 # (or http://box/archive) arising from digital library https://dweb.archive.org internetarchive_install: False 
@@ -386,7 +348,20 @@ internetarchive_enabled: False minetest_install: False minetest_enabled: False -# Calibre E-Book Library +# Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX +calibreweb_install: False +calibreweb_enabled: False +calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019) +# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc? +calibreweb_url1: /books # For SHORT URL http://box/books (English) +calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish) +calibreweb_url3: /livres # For SHORT URL http://box/livres (French) +calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web" + +# SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so +# ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!) + +# Calibre E-Book Library -- https://calibre-ebook.com # WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL # ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED. calibre_install: False 
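Review bot: the moved Calibre-Web block turns the old `# WARNING: Calibre-Web (below) depends on Calibre's own /usr/bin/ebook-convert` (removed in the next hunk) into `# SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program`, which downgrades a stated hard dependency to an optional nicety without anything in the diff showing that the dependency became optional. If ebook-convert is still required, a deployer following this sample with `calibre_install: False` gets a broken feature and a reassuring comment; if it really is optional now, say what is lost, e.g. `# Calibre-Web runs without it, but e-book format conversion needs Calibre's /usr/bin/ebook-convert`. Which case holds needs checking in roles/calibre-web, which is outside this diff.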
@@ -397,15 +372,12 @@ calibre_port: 8080 calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529 # Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below! -# WARNING: Calibre-Web (below) depends on Calibre's own /usr/bin/ebook-convert -# program, so we recommend you also install Calibre (above!) - -# Calibre-Web alternative to Calibre, offers a clean/modern UX -calibreweb_install: False -calibreweb_enabled: False -calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019) -# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc? -calibreweb_url1: /books # For SHORT URL http://box/books (English) -calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish) -calibreweb_url3: /livres # For SHORT URL http://box/livres (French) -calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web" +# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX. +# REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work. +# INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme +# If using PBX intensively, investigate nginx_high_php_limits further above. +pbx_install: False +pbx_enabled: False +pbx_use_apache: True # 2021-08-17: Set either to 'False' if nec -- please +pbx_use_nginx: True # read github.com/iiab/iiab/issues/2914 & #2916, THX! +asterisk_chan_dongle: False diff --git a/vars/local_vars_olpc.yml b/vars/local_vars_olpc.yml.unused similarity index 100% rename from vars/local_vars_olpc.yml rename to vars/local_vars_olpc.yml.unused diff --git a/vars/local_vars_unittest.yml b/vars/local_vars_unittest.yml new file mode 100644 index 000000000..e3e1dd866 --- /dev/null +++ b/vars/local_vars_unittest.yml 
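Review bot: `pbx_use_apache: True` and `pbx_use_nginx: True` both default to True with only `# 2021-08-17: Set either to 'False' if nec -- please read github.com/iiab/iiab/issues/2914 & #2916` to explain them, so a file meant to be copied to /etc/iiab/local_vars.yml ships FreePBX fronted by two web servers at once (assuming the names mean what they say) and the reader must leave the file to learn why. A PBX admin interface is a high-value target, so doubling its listeners by default deserves an in-file reason, e.g. `pbx_use_apache: True # FreePBX's own web UI (Apache); set False only if nginx alone is confirmed to work, see #2914/#2916` and `pbx_use_nginx: True # Also reverse-proxy FreePBX through IIAB's nginx`. The proxy wording is my guess and should be checked against roles/pbx. The `# Avoid URL collisions ... below!` context line at the top of the hunk also now points the wrong way, since Calibre-Web precedes Calibre after this change.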
@@ -0,0 +1,383 @@ +# This is local_vars_unittest.yml -- copy it to /etc/iiab/local_vars.yml then... +# modify variables below, to override /opt/iiab/iiab/vars/default_vars.yml + +# PLZ READ http://wiki.laptop.org/go/IIAB/local_vars.yml AND http://FAQ.IIAB.IO +# Orig Idea: branch github.com/xsce/xsce-local for your deployment/community + +# IIAB does NOT currently support uninstalling apps! So: if any IIAB app is +# installed with 'APP_XYZ_install: True' below, do NOT later change that. + +# WARNING: IF YOU CONNECT YOUR IIAB'S INTERNAL WIFI TO THE INTERNET OVER 5 GHz, +# YOU'LL PREVENT OLDER LAPTOPS/PHONES/TABLETS (WHICH REQUIRE 2.4 GHz) FROM +# CONNECTING TO YOUR IIAB'S INTERNAL HOTSPOT. See "wifi_up_down: True" below. + + +# Ansible's default timeout for "get_url:" downloads (10 seconds) often fails +download_timeout: 200 + +# Real-time clock: set RTC chip family here. Future auto-detection plausible? +rtc_id: none # Or ds3231 ? + +# Please read more about the 'iiab-admin' Linux user, for login to IIAB's +# Admin Console (http://box.lan/admin) AND to help you at the command-line: +# https://github.com/iiab/iiab/tree/master/roles/iiab-admin +# https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md +# +iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. +# Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- +# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml +iiab_admin_user_install: True # If False, THE SETTING BELOW WILL BE IGNORED. +iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. + +# Set these to False if you do not want to install/enable IIAB Admin Console +admin_console_install: False +admin_console_enabled: False +# +# Homepage: set to /home or /wordpress or /wiki (for MediaWiki) +iiab_home_url: /home +# You might also want to set captiveportal_splash_page (below!) 
+# +# Set to "False" if you do not want to use the latest js-menus, either because +# you use WordPress or another home page, or if you prefer the older +# https://github.com/iiab/iiab-menu (no longer maintained) +js_menu_install: True + + +# IIAB Networking README: https://github.com/iiab/iiab/tree/master/roles/network +# IIAB Networking Doc: https://github.com/iiab/iiab/wiki/IIAB-Networking +# Read it offline too: http://box/info > "IIAB Networking" + +iiab_hostname: box +iiab_domain: lan + +# WARNING: IF YOU CONNECT YOUR IIAB'S INTERNAL WIFI TO THE INTERNET OVER 5 GHz, +# YOU'LL PREVENT OLDER LAPTOPS/PHONES/TABLETS (WHICH REQUIRE 2.4 GHz) FROM +# CONNECTING TO YOUR IIAB'S INTERNAL HOTSPOT. See "wifi_up_down: True" below. +# +# Raspberry Pi OS requires Wi-Fi country since March 2018. Please set it here: +host_country_code: US +host_ssid: unittest +host_wifi_mode: g +host_channel: 6 +hostapd_secure: False # 2021-03-02 #2696 WiFi EAPOL fails if hotspot passwords, +hostapd_password: changeme # eg if firmware wifi_hotspot_capacity_rpi_fix: True +wifi_hotspot_capacity_rpi_fix: True # Restores the ability of RPi internal +# WiFi hotspots to service 30-to-32 client devices. Background explanation: +# https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472. +wifi_up_down: True # Creates a 2nd virtual WiFi adapter for upstream WiFi +# (e.g. to Internet) in addition to downstream WiFi (e.g. classroom hotspot). + +# Set True if client machines should have "passthrough" access to WAN/Internet: +iiab_gateway_enabled: False + +# See "How do I set a static IP address?" 
for Ethernet, in http://FAQ.IIAB.IO +wan_ip: dhcp # wan_ip: 192.168.1.99 +wan_netmask: # wan_netmask: 255.255.255.0 +wan_gateway: # wan_gateway: 192.168.1.254 +# If nec wan_nameserver can override ISP-provided DNS servers via dnsmasq: +# /etc/resolv.conf dictates which backend is used for the machine itself, so +# 127.0.0.1 means you get dnsmasq (so it works right away on RaspiOS) while +# 127.0.0.53 gives you systemd-networkd (so Ubuntu itself does NOT use this +# dnsmasq-specified upstream DNS [e.g. wan_nameserver] but its LAN clients do!) +wan_nameserver: # wan_nameserver: 192.168.1.254 or 8.8.8.8 or 1.1.1.1 +wan_try_dhcp_before_static_ip: True # Facilitate field updates w/ cablemodems +# Details @ roles/network/templates/network/dhcpcd.conf.j2 for /etc/dhcpcd.conf + +# Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite +# (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server. +# Only 1 of the 6 lines below should be uncommented: +# +#ports_externally_visible: 0 # none +#ports_externally_visible: 1 # ssh only +#ports_externally_visible: 2 # ssh + http-or-https (for Admin Console's box.lan/admin too) +ports_externally_visible: 3 # ssh + http-or-https + common IIAB services +#ports_externally_visible: 4 # ssh + http-or-https + common IIAB services + Samba +#ports_externally_visible: 5 # all but databases +# +# Or further customize your iptables firewall by editing: +# /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables +# And then run: cd /opt/iiab/iiab; ./iiab-network + +# Enable AFTER installing IIAB! 
Then run "cd /opt/iiab/iiab; ./iiab-network" +dns_jail_enabled: False + + +# 1-PREP + +# SSHD runs here & also below in 4-SERVER-OPTIONS +sshd_install: True # Required by OpenVPN +sshd_enabled: True + +# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security +openvpn_install: True +openvpn_enabled: True +# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle +openvpn_handle: unittest - Put Your Name Here + +# IIAB-ADMIN runs here - see its vars near top of this file: +# e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo + +# dnsmasq is installed here -- configure LATER in 'network', after Stage 9. +# (The full network stage runs after 9-LOCAL-ADDONS. Or manually run +# "cd /opt/iiab/iiab; sudo ./iiab-network"). Design under discussion: #2876 + +# Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4. +# Please see recommendations at: https://itsfoss.com/swap-size/ +pi_swap_file_size: 1024 + + +# 2-COMMON + +# /usr/libexec/iiab-startup.sh is much like autoexec.bat & /etc/rc.local +# It's put in place by 2-common/tasks/iiab-startup.yml at the end of Stage 2. + + +# 3-BASE-SERVER + +# roles/mysql runs here (mandatory) +# roles/nginx runs here (mandatory) +# roles/www_base runs here (mandatory) + +# SEE BELOW: nginx_high_php_limits, apache_allow_sudo + + +# 4-SERVER-OPTIONS + +# SSHD runs here & also above in 1-PREP + +# DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above. + +# Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists) +# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_dst_domains +# e.g. /opt/iiab/iiab/roles/network/templates/squid/allow_url_regexs +squid_install: False +squid_enabled: False # SET 'iiab_gateway_enabled' FURTHER ABOVE ? +gw_squid_whitelist: False # Works with HTTP sites, not HTTPS sites ! 
+gw_block_https: False + +# Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS +bluetooth_install: False +bluetooth_enabled: False +bluetooth_term_enabled: False + +# Show entire contents of USB sticks/drives (at http://box/usb) +iiab_usb_lib_show_all: True +# Set umask=0000 for VFAT, NTFS and exFAT in /etc/usbmount/usbmount.conf so +# Kolibri can export & import channels to USB sticks/drive: +usb_lib_umask0000_for_kolibri: True + +# Common UNIX Printing System (CUPS) +cups_install: False +cups_enabled: False + +# At Your Own Risk: take a security audit seriously before deploying this +samba_install: False +samba_enabled: False + +# roles/www_options HANDLES THE 3 VARS BELOW: + +# For schools that use WordPress/Nextcloud/Moodle/PBX intensively: +nginx_high_php_limits: False +# WARNING: Enabling this might cause excess use of RAM/disk or other resources! +# roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True' +# REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS... +# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133 +# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini + +# Make this False to disable http://box/common/services/power_off.php button: +apache_allow_sudo: True + +# Toggle iiab-refresh-wiki-docs scraping for offline docs (http://box/info) +nodocs: False + + +# 5-XO-SERVICES + +# Lesser-supported XO services need additional testing. Please contact +# http://lists.laptop.org/pipermail/server-devel/ if you're able to help test. + + +# 6-GENERIC-APPS + +# Simple, Self-Hosted Web Radio - from AzuraCast.com +azuracast_install: False +azuracast_enabled: False # This var is currently IGNORED. 
+ +# Gitea (lightweight self-hosted "GitHub") from https://gitea.io +gitea_install: False +gitea_enabled: False + +# JupyterHub programming environment with student Notebooks +jupyterhub_install: False +jupyterhub_enabled: False + +# Lokole (email for rural communities) from https://ascoderu.ca +lokole_install: False +lokole_enabled: False + +# Wikipedia's community editing platform - from MediaWiki.org +mediawiki_install: False +mediawiki_enabled: False + +# MQTT pub-sub broker for IoT on Raspberry Pi etc +mosquitto_install: False +mosquitto_enabled: False + +# Flow-based visual programming for wiring together IoT hardware devices etc +nodered_install: False +nodered_enabled: False + +# Store your docs, calendar, contacts & photos on your local server not cloud! +# If using Nextcloud intensively, set nginx_high_php_limits further above. +nextcloud_install: False +nextcloud_enabled: False +# +# 2020-02-15: UNUSED at this time. Legacy remains from Apache: +# nextcloud_allow_public_ips: True +# +# Configuration tips for IPv4 access controls and tuning RAM/resources: +# https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md +# +# 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle +# you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112). +# Uncomment the following line to end that: (might install an older Nextcloud!) +# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2 + +# If using WordPress intensively, set nginx_high_php_limits further above. 
+wordpress_install: False +wordpress_enabled: False + + +# 7-EDU-APPS + +# KA Lite - SEE THE "Transmission" BITTORRENT DOWNLOADER FURTHER BELOW, TO INSTALL THOUSANDS OF VIDEOS +kalite_install: False +kalite_enabled: False + +# Successor to KA Lite, for offline-first teaching and learning - from learningequality.org +kolibri_install: False +kolibri_enabled: False +kolibri_language: en # ar,bg-bg,bn-bd,de,en,es-es,es-419,fa,fr-fr,ff-cm,gu-in,hi-in,it,km,ko,mr,my,nyn,pt-br,sw-tz,te,ur-pk,vi,yo,zh-hans + +# kiwix_install: True is REQUIRED, if you install IIAB's Admin Console +kiwix_install: False +kiwix_enabled: False + +# Warning: Moodle is a serious LMS, that takes a while to install. +moodle_install: False +moodle_enabled: False +# If using Moodle intensively, set nginx_high_php_limits further above. + +# Regional OSM vector maps use far less disk space than bitmap/raster versions. +# Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps +osm_vector_maps_install: False +osm_vector_maps_enabled: False +# Set to "True" to download .mbtiles files from Archive.org (might be slow!) +maps_from_internet_archive: False + +# Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879 +# Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957 +# 2020-09-22: Both vars WERE IGNORED on Deb 10 (MongoDB) but no longer? #1437 +sugarizer_install: False +sugarizer_enabled: False + + +# 8-MGMT-TOOLS + +# BitTorrent downloader for large Content Packs etc +transmission_install: False +transmission_enabled: False +# A. UNCOMMENT LANGUAGE(S) TO DOWNLOAD KA Lite VIDEOS TO /library/transmission +# using http://pantry.learningequality.org/downloads/ka-lite/0.17/content/ +transmission_kalite_languages: + #- english + #- french + #- hindi + #- portugal-portuguese + #- brazilian-portuguese + #- spanish + #- swahili +# B. Monitor BitTorrent downloads at http://box:9091 using Admin/changeme +# until the download is confirmed complete (can take hours if not days!) +# C. 
Carefully move all videos/thumbnails into /library/ka-lite/content +# (DO NOT OVERWRITE SUBFOLDERS assessment, locale, srt !) +# D. Log in to KA Lite at http://box:8008/updates/videos/ using Admin/changeme +# then click "Scan content folder for videos" (can take many minutes!) +# E. READ "KA Lite Administration: What tips & tricks exist?" AT http://FAQ.IIAB.IO + +# AWStats, originally known as Advanced Web Statistics - from https://awstats.sourceforge.io +awstats_install: False +awstats_enabled: False + +# Process supervision tool - from https://mmonit.com/monit/ +# 2020-09-22 WARNING: both vars are IGNORED on Debian 10 due to: iiab/iiab#1849 +monit_install: False +monit_enabled: False + +# Networked resource monitoring/graphing tool - from munin-monitoring.org +munin_install: False +munin_enabled: False + +# UNMAINTAINED as of July 2021 +# Handy for maintaining tables, but DANGEROUS if not locked down +phpmyadmin_install: False +phpmyadmin_enabled: False + +# Network traffic monitor - from https://humdi.net/vnstat/ +vnstat_install: False +vnstat_enabled: False + + +# 9-LOCAL-ADDONS + +# Python-based Captive Portal, that @m-anish & @jvonau experimented with in +# July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt +# extensively later refined (PRs #1179, #1300, #1327, #2070). +captiveportal_install: False +captiveportal_enabled: False +captiveportal_splash_page: / +# You might also want to set iiab_home_url (above!) 
+# In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO + +# Internet Archive Decentralized Web - create your own offline version box:4244 +# (or http://box/archive) arising from digital library https://dweb.archive.org +internetarchive_install: False +internetarchive_enabled: False + +# Minetest is an open source clone of the Minecraft building blocks game +minetest_install: False +minetest_enabled: False + +# Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX +calibreweb_install: False +calibreweb_enabled: False +calibreweb_port: 8083 # PORT VARIABLE HAS NO EFFECT (as of January 2019) +# http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc? +calibreweb_url1: /books # For SHORT URL http://box/books (English) +calibreweb_url2: /libros # For SHORT URL http://box/libros (Spanish) +calibreweb_url3: /livres # For SHORT URL http://box/livres (French) +calibreweb_home: /library/calibre-web # default_vars.yml uses: "{{ content_base }}/calibre-web" + +# SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so +# ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!) + +# Calibre E-Book Library -- https://calibre-ebook.com +# WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL +# ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED. +calibre_install: False +calibre_enabled: False +# Change calibre_port to 8010 if you're using XO laptops needing above idmgr ? +calibre_port: 8080 +# Change calibre to XYZ to add your own mnemonic URL like: http://box/XYZ +calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529 +# Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below! + +# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX. +# REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work. 
+# INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme +# If using PBX intensively, investigate nginx_high_php_limits further above. +pbx_install: False +pbx_enabled: False +pbx_use_apache: True # 2021-08-17: Set either to 'False' if nec -- please +pbx_use_nginx: True # read github.com/iiab/iiab/issues/2914 & #2916, THX! +asterisk_chan_dongle: False
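Review bot: the new `vars/local_vars_unittest.yml` sets `openvpn_enabled: True` (the only sample in this diff that does) together with the placeholder `openvpn_handle: unittest - Put Your Name Here`, so every test box built from it will presumably dial out to the IIAB VPN endpoint under one shared identity. Unless the unit tests specifically exercise the tunnel, a test profile should default to `openvpn_enabled: False` like `local_vars_min.yml`, or carry a comment stating that the outbound VPN is deliberate and where these tests are expected to run. The same file also keeps `hostapd_secure: False` with `hostapd_password: changeme` and `apache_allow_sudo: True`, acceptable on throwaway hardware but easy to reuse as a template; a header line such as `# TEST PROFILE: open hotspot, outbound VPN and web power-off are enabled -- do NOT use for real deployments` would prevent that.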