Merge pull request #2883 from holta/2-common_update

Modernize 2-common

roles/0-init/README.rst

@@ -2,8 +2,10 @@
 0-init README
 =============
 
-For a higher-level view, please see `IIAB Installation <https://github.com/iiab/iiab/wiki/IIAB-Installation>`_ and http://FAQ.IIAB.IO
+For a higher-level view of `Internet-in-a-Box (IIAB) <https://internet-in-a-box.org/>`_, please see http://FAQ.IIAB.IO and  `IIAB Installation <https://github.com/iiab/iiab/wiki/IIAB-Installation>`_.
 
-This 0th stage literally sets the stage for Internet-in-a-Box (IIAB) installation, prior to Ansible running `Stages 1-to-9 <.>`_ and then the `network <../network>`_ stage.
+This 0th `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ literally sets the stage for IIAB installation, prior to Ansible running Stages 1-to-9, which are typically then followed by the `network <../network>`_ stage.
 
-This serves to confirm low-level Ansible facts from the OS — e.g. for housekeeping tasks related to TZ (time zone), hostname, FQDN (fully-qualified domain name), unusual systemwide dependencies etc — and whether Internet is live so that IIAB installation can proceed.
+But first: This 0th stage (0-init) serves to confirm low-level Ansible facts from the OS — e.g. for housekeeping tasks related to TZ (time zone), hostname, FQDN (fully-qualified domain name), unusual systemwide dependencies etc (and whether Internet is live) — so that IIAB installation can get underway.
+
+Recap: Similar to 1-prep, 2-common, 3-base-server, 4-server-options and 5-xo-services ⁠— this 0th stage installs core server infra (that is not user-facing).

roles/1-prep/README.rst

@@ -2,15 +2,21 @@
 1-prep README
 =============
 
-This 1st stage (1-prep) is primarily hardware-focused, prior to OS
-additions/mods, but also includes critical pieces sometimes needed for
+This 1st `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ (1-prep) is primarily hardware-focused, prior to OS
+additions/mods — but also includes critical pieces sometimes needed for
 remote support:
 
+- dnsmasq
+- /etc/iiab/uuid
+- Customizing /var/log/* for Ubermix on each boot, using /etc/tmpfiles.d
 - SSH
 - `iiab-admin <https://github.com/iiab/iiab/tree/master/roles/iiab-admin>`_ username and group to log into Admin Console
 - OpenVPN software if/as needed later for remote support
+- `raspberry_pi.yml <tasks/raspberry_pi.yml>`_ including RTC, essential packages, and networking basics
 
 Traditionally 1-prep also included preliminaries like hostname and
 hardware-oriented things specific to a particular platform (such as
 One Laptop Per Child's XO laptop) i.e. critical setup prior to the
 bulk of IIAB's software install.
+
+Recap: Similar to 0-init, 2-common, 3-base-server, 4 server-options and 5-xo-services ⁠— this 1st stage installs core server infra (that is not user-facing).

roles/2-common/README.rst

@@ -2,7 +2,13 @@
 2-common README
 ===============
 
-This 2nd stage is for OS-level roles/packages/tasks *common* to all platforms,
-prerequisites to building up a functioning server.
+This 2nd `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ is for OS-level basics *common* to all platforms, i.e. core prerequisites to building up a functioning `Internet-in-a-Box (IIAB) <https://internet-in-a-box.org/>`_ server.
 
-As in the case of 3-base-server, 4-server-options and 5-xo-services: this stage installs core server infra, that is not user-facing.
+These are (partially) put in place:
+
+- IIAB directory structure (`file layout <tasks/fl.yml>`_)
+- Common `apt <https://en.wikipedia.org/wiki/APT_(software)>`_ software packages
+- Networking (including the `iptables <https://en.wikipedia.org/wiki/Iptables>`_ firewall)
+- `/usr/libexec/iiab-startup.sh <tasks/iiab-startup.yml>`_ similar to AUTOEXEC.BAT and /etc/rc.local, in order to run jobs on boot
+
+Recap: As with 0-init, 1-prep, 3-base-server, 4-server-options and 5-xo-services — this 2nd stage installs core server infra (that is not user-facing).

roles/2-common/tasks/main.yml

@@ -1,46 +1,37 @@
 # Common OS-Level Additions & Mods (that only need to be performed once)
 
 - name: ...IS BEGINNING ==========================================
-  command: echo
+  meta: noop
 
 - name: Create IIAB directory structure ("file layout")
   include_tasks: fl.yml
 
-# UNMAINTAINED
-- include_tasks: centos.yml
-  when: ansible_distribution == "CentOS"
-
-# UNMAINTAINED
-- include_tasks: fedora.yml
-  when: ansible_distribution == "Fedora"
-
-# UNMAINTAINED
-- include_tasks: prep.yml
-  when: not is_debuntu
-
-# UNMAINTAINED
-- include_tasks: xo.yml
-  when: xo_model != "none" or osbuilder is defined
-
 - include_tasks: packages.yml
-- include_tasks: network.yml
 
-# Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes:
-- name: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible
-  sysctl:    # Places these settings in /etc/sysctl.conf, to survive reboot
-    name: "{{ item.name }}"
-    value: "{{ item.value }}"
-  with_items:
-    - { name: 'net.ipv4.ip_forward', value: '1' }  # Masquerading LAN->Internet
-    - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
-    - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
-    #- { name: 'kernel.sysrq', value: '1' }             # OS values differ, Ok?
-    - { name: 'kernel.core_uses_pid', value: '1' }
-    #- { name: 'net.ipv4.tcp_syncookies', value: '1' }  # Very standard in 2020
-    #- { name: 'kernel.shmmax', value: '268435456' }    # OS values differ, Ok?
-    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }    # IPv6 disabled
-    #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }    # AUTO-SET
-    #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }         # BY ABOVE
+- name: 'Network prep, including partial setup of iptables (firewall) -- SEE ALSO: 1-prep/tasks/raspberry_pi.yml'
+  include_tasks: network.yml
+
+- include_tasks: iiab-startup.yml
+
+# UNMAINTAINED
+#- include_tasks: centos.yml
+#  when: ansible_distribution == "CentOS"
+
+# UNMAINTAINED
+#- include_tasks: fedora.yml
+#  when: ansible_distribution == "Fedora"
+
+# UNMAINTAINED
+#- include_tasks: prep.yml
+#  when: not is_debuntu
+
+# UNMAINTAINED
+#- include_tasks: xo.yml
+#  when: xo_model != "none" or osbuilder is defined
+
+# UNMAINTAINED
+#- include_tasks: net_mods.yml
+#  when: not is_debuntu and not is_F18
 
 # UNMAINTAINED
 #- name: Install /etc/profile.d/zzz_iiab.sh from template, to add sbin dirs to unprivileged users' $PATH
@@ -48,12 +39,6 @@
 #    dest: /etc/profile.d/zzz_iiab.sh
 #    src: zzz_iiab.sh
 
-# UNMAINTAINED
-- include_tasks: net_mods.yml
-  when: not is_debuntu and not is_F18
-
-- include_tasks: iiab-startup.yml
-
 - name: Recording STAGE 2 HAS COMPLETED ==========================
   lineinfile:
     path: "{{ iiab_env_file }}"

roles/2-common/tasks/network.yml

@@ -24,3 +24,20 @@
     src: iptables
     dest: /etc/network/if-pre-up.d/iptables
     mode: '0755'
+
+# Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes:
+- name: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible
+  sysctl:    # Places these settings in /etc/sysctl.conf, to survive reboot
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+  with_items:
+    - { name: 'net.ipv4.ip_forward', value: '1' }  # Masquerading LAN->Internet
+    - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
+    - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
+    #- { name: 'kernel.sysrq', value: '1' }             # OS values differ, Ok?
+    - { name: 'kernel.core_uses_pid', value: '1' }
+    #- { name: 'net.ipv4.tcp_syncookies', value: '1' }  # Very standard in 2020
+    #- { name: 'kernel.shmmax', value: '268435456' }    # OS values differ, Ok?
+    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }    # IPv6 disabled
+    #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }    # AUTO-SET
+    #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }         # BY ABOVE

roles/2-common/templates/iiab-extra.repo.unused

@@ -13,4 +13,3 @@ baseurl=http://download.iiab.io/repos/xsce-extra/
 enabled=1
 metadata_expire=1d
 gpgcheck=0
-

roles/2-common/templates/li.nux.ro.repo.unused

@@ -4,5 +4,3 @@ baseurl=http://li.nux.ro/download/nux/dextop/el7/x86_64/
 enabled=0
 gpgcheck=1
 gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
-
-

roles/2-common/templates/rpmfusion-free-updates.repo.unused

@@ -21,4 +21,3 @@ mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-updates-rele
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-$releasever
-

roles/3-base-server/README.rst

@@ -2,7 +2,7 @@
 3-base-server README
 ====================
 
-This 3rd stage installs base server infra that Internet-in-a-Box requires, including:
+This 3rd `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ installs base server infra that `Internet-in-a-Box (IIAB) <https://internet-in-a-box.org/>`_ requires, including:
 
 - `MySQL <https://github.com/iiab/iiab/blob/master/roles/mysql>`_ (database underlying many/most user-facing apps).  This IIAB role also installs apt package:
    - **php{{ php_version }}-mysql** — which forcibly installs **php{{ php_version }}-common**
@@ -10,6 +10,6 @@ This 3rd stage installs base server infra that Internet-in-a-Box requires, inclu
    - **php{{ php_version }}-fpm** — which forcibly installs **php{{ php_version }}-cli**, **php{{ php_version }}-common** and **libsodium23**
 - `www_base <https://github.com/iiab/iiab/blob/master/roles/www_base>`_ (similar to `www_options <https://github.com/iiab/iiab/blob/master/roles/www_options>`_ which runs later in 4-server-options)
 
-Recap: as with 2-common, 4-server-options and 5-xo-services, this 3rd stage installs core server infra (that is not user-facing).
+Recap: As with 0-init, 1-prep, 2-common, 4-server-options and 5-xo-services — this 3rd stage installs core server infra (that is not user-facing).
 
 The next stage (4-server-options) brings more diverse/optional server infra functionality.

roles/4-server-options/README.rst

@@ -2,8 +2,18 @@
 4-server-options README
 =======================
 
-Whereas 3-base-server installs critical packages needed by all, this 4th stage installs a broad array of *options* -- depending on which server apps will be installed in later stages -- as specified in /etc/iiab/local_vars.yml
+Whereas 3-base-server installs critical packages needed by all, this 4th `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ installs a broad array of *options* ⁠— depending on which server apps will be installed in later stages ⁠— as specified in `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_
 
-This includes some networking fundamentals, before they're configured later on.
+This includes more networking fundamentals, that may further be configured later on.
 
-As in the case of 2-common, 3-base-server and 5-xo-services: this stage installs core server infra, that is not user-facing.
+Specifically, these might be installed:
+
+- Python libraries
+- SSH daemon
+- Bluetooth for Raspberry Pi
+- Instant-sharing of `USB stick content <https://wiki.iiab.io/go/FAQ#Can_teachers_display_their_own_content.3F>`_
+- CUPS Printing
+- Samba for Windows filesystems
+- `www_options <https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml>`_
+
+Recap: As with 0-init, 1-prep, 2-common, 3-base-server and 5-xo-services ⁠— this 4th stage installs core server infra (that is not user-facing).

roles/5-xo-services/README.rst

@@ -2,6 +2,6 @@
 5-xo-services README
 ====================
 
-This 5th stage provides underlying services for One Laptop Per Child's XO laptops.
+This 5th `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ provides underlying services for One Laptop Per Child's XO laptops.
 
-As in the case of 2-common, 3-base-server and 4-server-options: this stage installs core server infra, that is not user-facing.
+Recap: As with 0-init, 1-prep, 2-common, 3-base-server and 4-server-options — this 5th stage installs core server infra (that is not user-facing).