Merge branch 'master' of https://github.com/iiab/iiab

roles/openvpn/defaults/main.yml

@@ -1,7 +1,9 @@
 openvpn_install: True
 openvpn_enable: False
 
-openvpn_handle: UNNAMED
+# For /etc/iiab/openvpn_handle
+openvpn_handle: ""
+
 # cron seems necessary on CentOS:
 openvpn_cron_enabled: False
 

roles/openvpn/tasks/main.yml

@@ -24,18 +24,20 @@
     group: root
     mode: 0755
 
-- name: Create a folder for iiab executable not on path
+# Comment out in future?  Might still be relevant for CentOS but unused for ~2 years as of August 2018:
+- name: Create folder /usr/lib/iiab (not on path) for iiab executable up_wan
   file:
     path: /usr/lib/iiab
     state: directory
 
-- name: Configure OpenVPN
+- name: Configure OpenVPN (BACKS UP FILES IF CHANGED)
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
     owner: root
     group: root
     mode: "{{ item.mode }}"
+    backup: yes
   with_items:
     - { src: 'ca.crt', dest: '/etc/openvpn/keys/ca.crt', mode: '0644' }
     - { src: 'client1.crt', dest: '/etc/openvpn/keys/client1.crt', mode: '0644' }
@@ -44,39 +46,52 @@
     - { src: 'announcer.j2', dest: '/etc/openvpn/scripts/announcer', mode: '0755' }
     - { src: 'silence', dest: '/etc/openvpn/scripts/silence', mode: '0755' }
     - { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' }
-    - { src: 'iiab-vpn.conf.in', dest: '/etc/openvpn/iiab-vpn.conf.in', mode: '0644' }
-    - { src: 'iiab-vpn.j2', dest: '/usr/bin/iiab-vpn', mode: '0755' }
-    - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
-    - { src: 'up_wan', dest: '/usr/lib/iiab/up_wan', mode: '0755' }
-    - { src: 'start.j2', dest: '/usr/lib/iiab/start', mode: '0755' }
-    - { src: 'iiab-remote-on', dest: '/usr/bin/iiab-remote-on', mode: '0755' }
+    - { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' }
     - { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' }
+    - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }
+    # Comment out in future?  Not recommended as of August 2018:
+    - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
+    # Comment out in future?  Might still be relevant for CentOS but unused for ~2 years as of August 2018:
+    - { src: 'up_wan', dest: '/usr/lib/iiab/up_wan', mode: '0755' }
+    # Unused for ~2 years as of August 2018:
+    #- { src: 'start.j2', dest: '/usr/lib/iiab/start', mode: '0755' }
+    # Buggy & rarely used as of August 2018:
+    #- { src: 'iiab-vpn.conf.in', dest: '/etc/openvpn/iiab-vpn.conf.in', mode: '0644' }
+    # Buggy & rarely used as of August 2018:
+    #- { src: 'iiab-vpn.j2', dest: '/usr/bin/iiab-vpn', mode: '0755' }
 
-- name: Save openvpn_handle variable into /etc/iiab/openvpn_handle (BACKS UP FILE IF CHANGED)
-  template:
-    src: openvpn_handle.j2
-    dest: /etc/iiab/openvpn_handle
-    owner: root
-    group: root
-    mode: 0644
-    backup: yes
+#- name: Save openvpn_handle variable into /etc/iiab/openvpn_handle (BACKS UP FILE IF CHANGED)
+#  template:
+#    src: openvpn_handle.j2
+#    dest: /etc/iiab/openvpn_handle
+#    owner: root
+#    group: root
+#    mode: 0644
+#    backup: yes
+#  when: openvpn_handle is defined
 
-- name: Put up_wan in place (debuntu)
-  template:
-    src: up_wan
-    dest: /usr/lib/iiab/up_wan
-  when: is_debuntu
+# Comment out in future?  up_wan was being installed twice (also above) and
+# was unused for ~2 years as of August 2018: (see 15-openvpn below)
+#- name: Put up_wan in place (debuntu)
+#  template:
+#    src: up_wan
+#    dest: /usr/lib/iiab/up_wan
+#  when: is_debuntu
 
+# Comment out in future?  Contained serious bug (15-openvpn called
+# up-wan instead of up_wan in /usr/lib/iiab/) so evidently unused
+# for ~2 years, as of Aug 2018:
 - name: Put dispatcher up for NM (not debuntu)
   template:
     src: 15-openvpn
     dest: /etc/NetworkManager/dispatcher.d/
   when: not is_debuntu
 
-- name: Check for manually configured OpenVPN tunnel
-  stat:
-    path: /etc/openvpn/iiab-vpn.conf
-  register: stat
+# Was buggy & unused for ~2 years as of August 2018:
+#- name: Check for manually configured OpenVPN tunnel
+#  stat:
+#    path: /etc/openvpn/iiab-vpn.conf
+#  register: stat
 
 
 # FIXED SOMETIME PRIOR TO AUGUST 2018: earlier versions of Ansible had not
@@ -108,13 +123,13 @@
     name: openvpn@xscenet.service
     enabled: yes
     state: restarted
-  when: openvpn_enabled and not stat.exists is defined
+  when: openvpn_enabled
 
 - name: Enable hourly cron job for OpenVPN
   lineinfile:
     path: /etc/crontab
     line: "25 *  *  *  * root (/usr/bin/systemctl start openvpn@xscenet.service) > /dev/null"
-  when: openvpn_enabled and openvpn_cron_enabled and not stat.exists is defined
+  when: openvpn_enabled and openvpn_cron_enabled
 
 - name: Remove hourly cron job for OpenVPN
   lineinfile:
@@ -159,6 +174,7 @@
     value: "OpenVPN is a means of connecting to other machines anywhere on the internet, via a middleman server, using Virtual Private Network techniques to create secure connections."
   - option: enabled
     value: "{{ openvpn_enabled }}"
+# Uncommented as openvpn_handle variable is now mandatory: (if set to "", /etc/iiab/uuid will be used instead)
   - option: handle
     value: "{{ openvpn_handle }}"
   - option: cron_enabled

roles/openvpn/templates/15-openvpn

@@ -13,7 +13,7 @@ if [ "$2" = "up" ]; then
     sleep 2
     /sbin/ip route list dev "$1" | grep -q '^default' &&
     # restart the services
-    systemctl -q is-enabled openvpn@xscenet.service && /usr/lib/iiab/up-wan
+    systemctl -q is-enabled openvpn@xscenet.service && /usr/lib/iiab/up_wan
 fi
 
 # we added this to prevent logs from filling with openvpn errors

roles/openvpn/templates/announcer.j2

@@ -4,17 +4,19 @@
 HANDLE=
 UUID=
 if [ -f /etc/iiab/openvpn_handle ]; then
-    # Option #0: Might source directly from /etc/iiab/local_vars.yml in future
+    # Option #0: Source directly from /etc/iiab/local_vars.yml in future?
     # Option #1
     HANDLE=`cat /etc/iiab/openvpn_handle`
-else
-    # Option #2: Dangerous to invoke hypothetical variables :(
-    source /etc/iiab/iiab.env
-    # Option #3: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from /etc/iiab/iiab.ini, but safer now that relegated to #3 ?
-    if [ -z "$HANDLE" ]; then
-        HANDLE=`cat /etc/iiab/iiab.ini | gawk \
-        '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'`
-    fi
+    # Option #2: UUID is later used, if openvpn_handle is not set
+# Sourcing a variable from ~4 different places is a recipe for total confusion (or worse!)
+#else
+#    # Option #3: Dangerous to invoke hypothetical variables :(
+#    source /etc/iiab/iiab.env
+#    # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from /etc/iiab/iiab.ini, but safer now that relegated to #4 ?
+#    if [ -z "$HANDLE" ]; then
+#        HANDLE=`cat /etc/iiab/iiab.ini | gawk \
+#        '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'`
+#    fi
 fi
 HANDLE=${HANDLE// /_}
 if [ -f /etc/iiab/uuid ]; then

roles/openvpn/templates/iiab-handle.j2

@@ -1,13 +1,18 @@
 #!/bin/bash
-# script to write a handle file that identifies the openvpn client to server
+# Interactive script (over)writes /etc/iiab/openvpn_handle file, identifying client to server
+
+echo -e '\nCORRECT METHOD: CHANGE VARIABLE openvpn_handle IN /etc/iiab/local_vars.yml'
+echo -e 'THEN RUN "cd /opt/iiab/iiab" THEN "./runrole openvpn"\n'
+
+echo -e "Or, for a temporary solution until the next time Ansible is run,"
+read -p "what OpenVPN handle do you want to use? " ans
 echo
-echo
-read -p "what identifying handle would you like to use? " ans
+
 if [ "$ans" == "" ]; then
-  if [ -f /etc/iiab/openvpn_handle ]; then
-    rm -f /etc/iiab/openvpn_handle
-  fi
+    if [ -f /etc/iiab/openvpn_handle ]; then
+        rm -f /etc/iiab/openvpn_handle
+    fi
 else
-  echo $ans > /etc/iiab/openvpn_handle
+    echo $ans > /etc/iiab/openvpn_handle
 fi
 {{ systemctl_program }} restart openvpn@xscenet

roles/openvpn/templates/iiab-remote-on.j2

@@ -11,7 +11,7 @@ systemctl enable openvpn@xscenet.service
 systemctl start openvpn@xscenet.service
 
 sleep 5
-ping -c 2 10.8.0.1
+ping -c 2 {{ openvpn_server_virtual_ip }}    # 10.8.0.1
 if [ $? -eq 0 ]; then
     echo OpenVPN successfully started.
 else

roles/openvpn/templates/iiab-vpn.j2.deprecated

@@ -2,7 +2,7 @@
 # script to manage openvpn
 
 if [ ! -f "/etc/openvpn/iiab-vpn.conf" ]; then
-    VPNCONFIG='party-line.conf'
+    VPNCONFIG='xscenet.conf'    # WAS BUGGY (set to non-existent "party-line.conf", but thankfully unused) as of August 2018
     VPNIP={{ openvpn_server_virtual_ip }}
 else
     # expect the sourced file to set the above variables

roles/openvpn/templates/party-line.conf.j2.deprecated

@@ -1,3 +1,5 @@
+# REPLACED BY xscenet.conf.j2 -> /etc/openvpn/xscenet.conf
+
 #########################################
 # Sample client-side OpenVPN config file
 # for connecting to multi-client server.

roles/openvpn/templates/start.j2

@@ -1,27 +0,0 @@
-$!/bin/bash
-$ start the openvpn tunnel if the service is enabled
-
-enabled={{ openvpn_enabled }}
-VPNIP-{{ openvpn_server_port }}
-
-if [ "$enabled" = 'True' ]; then
-	# make sure the wan is functioning
-	# 8.8.8.8 is one of google's dns servers
-	ping -c 3 -i 3 8.8.8.8
-	if [ $? -ne 0 ]; then
-		#echo "internet is not available, tunnel not possible"
-		exit 1
-	fi
-	
-	# check the vpn tunnel
-	ping -c 5 -i 5 "$VPNIP"
-	# a zero return means the tunnel is up
-	if [ $? -eq 0 ]; then
-                exit 0
-        else
-		killall openvpn
-		sleep 10
-		#echo "Starting openvpn and waiting 10 seconds for daemon to become ready"
-                systemctl start openvpn@xscenet
-	fi
-fi

roles/openvpn/templates/start.j2.deprecated

@@ -0,0 +1,27 @@
+$!/bin/bash
+$ start the openvpn tunnel if the service is enabled
+
+enabled={{ openvpn_enabled }}
+VPNIP={{ openvpn_server_port }}
+
+if [ "$enabled" = 'True' ]; then
+    # make sure the wan is functioning
+    # 8.8.8.8 is one of google's dns servers
+    ping -c 3 -i 3 8.8.8.8
+    if [ $? -ne 0 ]; then
+        #echo "internet is not available, tunnel not possible"
+        exit 1
+    fi
+
+    # check the vpn tunnel
+    ping -c 5 -i 5 "$VPNIP"
+    # a zero return means the tunnel is up
+    if [ $? -eq 0 ]; then
+        exit 0
+    else
+        killall openvpn
+        sleep 10
+        #echo "Starting openvpn and waiting 10 seconds for daemon to become ready"
+        systemctl start openvpn@xscenet
+    fi
+fi

roles/openvpn/templates/up_wan

@@ -2,8 +2,8 @@
 # if the wan has recently come up, see if we need to start openvpn
 systemctl is-enabled openvpn
 if [ $? -eq 0 ]; then
-   pgrep openvpn
-   if [ $? -ne 0 ]; then
-      systemctl start openvpn@xscenet
-   fi
+    pgrep openvpn
+    if [ $? -ne 0 ]; then
+        systemctl start openvpn@xscenet
+    fi
 fi

vars/default_vars.yml

@@ -190,7 +190,7 @@ openvpn_install: True
 openvpn_enabled: False
 
 # For /etc/iiab/openvpn_handle
-openvpn_handle: UNNAMED
+openvpn_handle: ""
 
 # cron seems necessary on CentOS:
 openvpn_cron_enabled: False

vars/local_vars_big.yml

@@ -87,7 +87,7 @@ openvpn_install: True
 openvpn_enabled: False
 
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: UNNAMED
+openvpn_handle: ""
 
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True

vars/local_vars_big_vpn.yml

@@ -87,7 +87,7 @@ openvpn_install: True
 openvpn_enabled: True
 
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: UNNAMED
+openvpn_handle: ""
 
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True

vars/local_vars_medium.yml

@@ -87,7 +87,7 @@ openvpn_install: True
 openvpn_enabled: False
 
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: UNNAMED
+openvpn_handle: ""
 
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True

vars/local_vars_medium_vpn.yml

@@ -87,7 +87,7 @@ openvpn_install: True
 openvpn_enabled: True
 
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: UNNAMED
+openvpn_handle: ""
 
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True

vars/local_vars_min.yml

@@ -87,7 +87,7 @@ openvpn_install: True
 openvpn_enabled: False
 
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: UNNAMED
+openvpn_handle: ""
 
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True

vars/local_vars_min_vpn.yml

@@ -87,7 +87,7 @@ openvpn_install: True
 openvpn_enabled: True
 
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: UNNAMED
+openvpn_handle: ""
 
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True