diff --git a/roles/openvpn/defaults/main.yml b/roles/0-DEPRECATED-ROLES/openvpn/defaults/main.yml similarity index 100% rename from roles/openvpn/defaults/main.yml rename to roles/0-DEPRECATED-ROLES/openvpn/defaults/main.yml diff --git a/roles/openvpn/tasks/enable-or-disable.yml b/roles/0-DEPRECATED-ROLES/openvpn/tasks/enable-or-disable.yml similarity index 100% rename from roles/openvpn/tasks/enable-or-disable.yml rename to roles/0-DEPRECATED-ROLES/openvpn/tasks/enable-or-disable.yml diff --git a/roles/openvpn/tasks/install.yml b/roles/0-DEPRECATED-ROLES/openvpn/tasks/install.yml similarity index 100% rename from roles/openvpn/tasks/install.yml rename to roles/0-DEPRECATED-ROLES/openvpn/tasks/install.yml diff --git a/roles/openvpn/tasks/main.yml b/roles/0-DEPRECATED-ROLES/openvpn/tasks/main.yml similarity index 100% rename from roles/openvpn/tasks/main.yml rename to roles/0-DEPRECATED-ROLES/openvpn/tasks/main.yml diff --git a/roles/openvpn/templates/15-openvpn.unused b/roles/0-DEPRECATED-ROLES/openvpn/templates/15-openvpn.unused similarity index 100% rename from roles/openvpn/templates/15-openvpn.unused rename to roles/0-DEPRECATED-ROLES/openvpn/templates/15-openvpn.unused diff --git a/roles/openvpn/templates/announce b/roles/0-DEPRECATED-ROLES/openvpn/templates/announce similarity index 100% rename from roles/openvpn/templates/announce rename to roles/0-DEPRECATED-ROLES/openvpn/templates/announce diff --git a/roles/openvpn/templates/announcer b/roles/0-DEPRECATED-ROLES/openvpn/templates/announcer similarity index 100% rename from roles/openvpn/templates/announcer rename to roles/0-DEPRECATED-ROLES/openvpn/templates/announcer diff --git a/roles/openvpn/templates/ca.crt b/roles/0-DEPRECATED-ROLES/openvpn/templates/ca.crt similarity index 100% rename from roles/openvpn/templates/ca.crt rename to roles/0-DEPRECATED-ROLES/openvpn/templates/ca.crt diff --git a/roles/openvpn/templates/client1.crt b/roles/0-DEPRECATED-ROLES/openvpn/templates/client1.crt similarity index 100% rename from roles/openvpn/templates/client1.crt rename to roles/0-DEPRECATED-ROLES/openvpn/templates/client1.crt diff --git a/roles/openvpn/templates/client1.key b/roles/0-DEPRECATED-ROLES/openvpn/templates/client1.key similarity index 100% rename from roles/openvpn/templates/client1.key rename to roles/0-DEPRECATED-ROLES/openvpn/templates/client1.key diff --git a/roles/openvpn/templates/iiab-remote-off b/roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-remote-off similarity index 100% rename from roles/openvpn/templates/iiab-remote-off rename to roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-remote-off diff --git a/roles/openvpn/templates/iiab-remote-on.j2 b/roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-remote-on.j2 similarity index 100% rename from roles/openvpn/templates/iiab-remote-on.j2 rename to roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-remote-on.j2 diff --git a/roles/openvpn/templates/iiab-support b/roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-support similarity index 100% rename from roles/openvpn/templates/iiab-support rename to roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-support diff --git a/roles/openvpn/templates/iiab-support.older b/roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-support.older similarity index 100% rename from roles/openvpn/templates/iiab-support.older rename to roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-support.older diff --git a/roles/openvpn/templates/openvpn_handle.j2.unused b/roles/0-DEPRECATED-ROLES/openvpn/templates/openvpn_handle.j2.unused similarity index 100% rename from roles/openvpn/templates/openvpn_handle.j2.unused rename to roles/0-DEPRECATED-ROLES/openvpn/templates/openvpn_handle.j2.unused diff --git a/roles/openvpn/templates/silence b/roles/0-DEPRECATED-ROLES/openvpn/templates/silence similarity index 100% rename from roles/openvpn/templates/silence rename to roles/0-DEPRECATED-ROLES/openvpn/templates/silence diff --git a/roles/openvpn/templates/xscenet.conf.j2 b/roles/0-DEPRECATED-ROLES/openvpn/templates/xscenet.conf.j2 similarity index 100% rename from roles/openvpn/templates/xscenet.conf.j2 rename to roles/0-DEPRECATED-ROLES/openvpn/templates/xscenet.conf.j2 diff --git a/roles/0-init/tasks/validate_vars.yml b/roles/0-init/tasks/validate_vars.yml index 383f911a3f..dee75addd1 100644 --- a/roles/0-init/tasks/validate_vars.yml +++ b/roles/0-init/tasks/validate_vars.yml @@ -71,7 +71,8 @@ - dnsmasq - bluetooth - sshd - - openvpn + #- openvpn # Deprecated + - tailscale - remoteit - admin_console #- nginx # MANDATORY diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml index 929dd04da0..16cf5976e4 100644 --- a/roles/1-prep/tasks/main.yml +++ b/roles/1-prep/tasks/main.yml @@ -3,22 +3,22 @@ - name: ...IS BEGINNING ============================================ meta: noop -- name: SSHD -- required by OpenVPN below -- also run by roles/4-server-options/tasks/main.yml +- name: SSHD include_role: name: sshd when: sshd_install -- name: OPENVPN +- name: TAILSCALE (VPN) include_role: - name: openvpn - when: openvpn_install + name: tailscale + when: tailscale_install - name: REMOTE.IT include_role: name: remoteit when: remoteit_install -- name: IIAB-ADMIN -- includes roles/iiab-admin/tasks/access.yml +- name: IIAB-ADMIN -- includes {lynx, screen, sudo-prereqs.yml, admin-user.yml, pwd-warnings.yml} include_role: name: iiab-admin #when: iiab_admin_install # Flag might be created in future? diff --git a/roles/4-server-options/tasks/main.yml b/roles/4-server-options/tasks/main.yml index 9bed4e5e82..583cb763d9 100644 --- a/roles/4-server-options/tasks/main.yml +++ b/roles/4-server-options/tasks/main.yml @@ -19,11 +19,6 @@ #when: pylibs_installed is undefined #when: pylibs_install # Flag might be created in future? -- name: SSHD -- also run by roles/1-prep/tasks/main.yml as required by OpenVPN - include_role: - name: sshd - when: sshd_install - - name: Install Bluetooth - only on Raspberry Pi include_role: name: bluetooth diff --git a/roles/iiab-admin/README.rst b/roles/iiab-admin/README.rst index c7c4ec5fcf..2dbadaa62b 100644 --- a/roles/iiab-admin/README.rst +++ b/roles/iiab-admin/README.rst @@ -36,7 +36,7 @@ Security #. ``iiab-admin`` (specified by ``admin_console_group`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_ and `/opt/iiab/iiab-admin-console/vars/default_vars.yml `_) #. ``sudo`` * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md -* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <../openvpn/tasks/install.yml>`_ to facilitate remote community support. Feel free to remove this as mentioned here: https://wiki.iiab.io/go/Security +* If your IIAB includes Tailscale (VPN), ``/root/.ssh/authorized_keys`` should be installed by `roles/tailscale/tasks/install.yml <../tailscale/tasks/install.yml>`_ to facilitate remote community support. Feel free to remove this as mentioned here: https://wiki.iiab.io/go/Security * Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_) is implemented in `/etc/profile.d `_ (and `/etc/xdg/lxsession/LXDE-pi `_ when it exists, i.e. on Raspberry Pi OS with desktop). Example @@ -56,7 +56,7 @@ Historical Notes Remote Support Tools -------------------- -The `iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_ and `OpenVPN `_ options mentioned above can greatly help you empower your community, typically during the implementation phase of your project, even if Linux is new to you. +The `iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_ and `Tailscale (VPN) `_ options mentioned above can greatly help you empower your community, typically during the implementation phase of your project, even if Linux is new to you. Similarly, `tasks/main.yml `_ adds a couple text mode tools — extremely helpful over expensive / low-bandwidth connections: diff --git a/roles/iiab-admin/tasks/sudo-prereqs.yml b/roles/iiab-admin/tasks/sudo-prereqs.yml index 1b608fef1d..9370666b23 100644 --- a/roles/iiab-admin/tasks/sudo-prereqs.yml +++ b/roles/iiab-admin/tasks/sudo-prereqs.yml @@ -1,6 +1,6 @@ - name: 'Install package: sudo' package: - name: sudo # (1) Should be installed prior to installing IIAB, (2) Can also be installed by roles/1-prep's roles/openvpn/tasks/install.yml, (3) Is definitely installed by 1-prep here, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!) + name: sudo # (1) Should be installed prior to installing IIAB, (2) Can be installed by 1-prep's roles/tailscale/tasks/install.yml, (3) Can be installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml here, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!) - name: Temporarily make file /etc/sudoers editable (0640) file: diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index 5c9c5dc174..83a3cf36a8 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -1,4 +1,4 @@ -# sshd_install: True # Required by OpenVPN +# sshd_install: True # sshd_enabled: True # sshd_port: 22 # Not fully functional. SEE: roles/sshd/tasks/install.yml diff --git a/roles/tailscale/tasks/install.yml b/roles/tailscale/tasks/install.yml new file mode 100644 index 0000000000..0e3bee8c19 --- /dev/null +++ b/roles/tailscale/tasks/install.yml @@ -0,0 +1,113 @@ +- name: Record (initial) disk space used + shell: df -B1 --output=used / | tail -1 + register: df1 + + +- name: "Set up apt source (jammy) in /etc/apt/sources.list.d/tailscale.list and its key /usr/share/keyrings/tailscale-archive-keyring.gpg, to install Tailscale" + shell: | + curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/jammy.noarmor.gpg > /usr/share/keyrings/tailscale-archive-keyring.gpg + curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/jammy.tailscale-keyring.list > /etc/apt/sources.list.d/tailscale.list + +- name: "Install packages: jq, sudo, tailscale" + package: + name: + #- ncat # Newer versions of NMap do not include NCat, WAS needed to announce openvpn_handle (if Debian > 9 or Ubuntu > 18) + #- nmap + - jq # JSON parser used by /usr/bin/iiab-support == /usr/bin/iiab-vpn + - sudo # (1) Should be installed prior to installing IIAB, (2) Can also be installed by 1-prep here, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!) + - tailscale + update_cache: yes + +- name: Set up tab completion for 'tailscale' at the command-line + shell: tailscale completion bash > /etc/bash_completion.d/tailscale + +- name: "Install ssh public keys for remote support (only runs if 'tailscale_install: True')" + lineinfile: + line: "{{ item.pubkey }}" + regexp: "{{ item.regexp }}" + path: /root/.ssh/authorized_keys + with_items: + - regexp: "LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s=$" # Tim Moody + pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAhlQIh8ZPx4awdM0O6QNcPbx3qIZ39FHjF2YJ2SX3z7iLnYiz03Ek6Bux9P4HvaVAqlApiz2I68Vq8TfU2s/+LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s=" + - regexp: "tUM4hl009fbXY4Yy3bAadWL1CquVrZmKfBBWhyhz8zLD6TQ== ghunt@ip-192-168-123-123.ec2.internal$" + pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxAmjU7VojyK+0Pjp2p8CCGTNBtE565A/L8IVbAT8MIucRE9LN1g5LjGnOHUShFJpwuTR1JLX2r9EDRMsf9MmyTgUAnuyP005giWVHXLPtjyjTzbsJ1DEtXRytulmF+GlCOaqPWNde6EOmReqPHbmjIQpRZ/Sc8hziS4jVSQuBA9EhaBmZ62CPqK33mPJvnpwMtdd6nHXAcXsZhStd3NhVDm27+B3sHI6mr2w7ExdBXE5DKiZL2po8n2y4hJYZreJopbjcQmv4oWdDWvPu5I92xDgYCsqcE7zSrv1um+tUM4hl009fbXY4Yy3bAadWL1CquVrZmKfBBWhyhz8zLD6TQ== ghunt@ip-192-168-123-123.ec2.internal" + - regexp: "heOMXXNU6skxdPh2fcHh0bzQcaCSQ== holt@crank$" + pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApHPly+EA1M4bispl3AulTLjyYCjcJzh6s779K3epDkqh600a+fHsdIiddWCAfIonRq+9MJyOiaNQ+WYLOuajI1IiFZWFt45xDAiyCUnyuT+ytAX+IA3TgTwgTZPfzDOzI8rDRV9Sgl+LZLfPno7T3qxcGx2l51bRk+koRK+Txpph//M3jGvsFmTKhjvfxgEIUmMH9SkASxEdyqASr0+/+uLR92MnT+8CT1pOYYoJyZp9Lta5eGqJvbEmd3Dn7MXqD3vXE57o4rBJ0bR3q5LK59WVNxNQbulJ9z5V7aTJ4AbBFQWxm0fH0gBx+heOMXXNU6skxdPh2fcHh0bzQcaCSQ== holt@crank" + +# CLARIF: plus signs (+) in public keys cause duplicate key additions (above) +# and failure during removal (below) as "+" has a special meaning as +# interpreted in a Python regexp, as implemented by Ansible's lineinfile module: +# https://docs.python.org/2/library/re.html + +# WORKAROUND: the tail end of each public key (after the last plus sign) is +# being used (instead of the full key) as an abbreviated regexp for now. +# A backslash in front of each plus sign (+) would also work. + +# - name: Remove those ssh public keys, if not tailscale_enabled +# lineinfile: +# regexp: "{{ item }}" +# path: /root/.ssh/authorized_keys +# state: absent +# with_items: +# - "LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s=$" +# - "tUM4hl009fbXY4Yy3bAadWL1CquVrZmKfBBWhyhz8zLD6TQ== ghunt@ip-192-168-123-123.ec2.internal$" +# - "heOMXXNU6skxdPh2fcHh0bzQcaCSQ== holt@crank$" +# when: not tailscale_enabled + +- name: Install /usr/bin/iiab-vpn & /usr/bin/iiab-vpn-off (BACKS UP FILES IF CHANGED) + template: + src: "{{ item }}" + dest: /usr/bin/ + mode: '0755' + backup: yes + with_items: + - iiab-vpn + - iiab-vpn-off + +- name: Symlink /usr/bin/iiab-vpn-on -> /usr/bin/iiab-vpn + file: + src: /usr/bin/iiab-vpn + path: /usr/bin/iiab-vpn-on + state: link + +- name: Symlink /usr/bin/iiab-support -> /usr/bin/iiab-vpn + file: + src: /usr/bin/iiab-vpn + path: /usr/bin/iiab-support + state: link + +- name: Symlink /usr/bin/iiab-support-on -> /usr/bin/iiab-vpn + file: + src: /usr/bin/iiab-vpn + path: /usr/bin/iiab-support-on + state: link + +- name: Symlink /usr/bin/iiab-support-off -> /usr/bin/iiab-vpn-off + file: + src: /usr/bin/iiab-vpn-off + path: /usr/bin/iiab-support-off + state: link + + +# RECORD Tailscale AS INSTALLED + +- name: Record (final) disk space used + shell: df -B1 --output=used / | tail -1 + register: df2 + +- name: Add 'tailscale_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }} + ini_file: + path: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini + section: tailscale + option: tailscale_disk_usage + value: "{{ df2.stdout|int - df1.stdout|int }}" + +- name: "Set 'tailscale_installed: True'" + set_fact: + tailscale_installed: True + +- name: "Add 'tailscale_installed: True' to {{ iiab_state_file }}" + lineinfile: + path: "{{ iiab_state_file }}" # /etc/iiab/iiab_state.yml + regexp: '^tailscale_installed' + line: 'tailscale_installed: True' diff --git a/roles/tailscale/tasks/main.yml b/roles/tailscale/tasks/main.yml new file mode 100644 index 0000000000..fc8af13e51 --- /dev/null +++ b/roles/tailscale/tasks/main.yml @@ -0,0 +1,47 @@ +# http://FAQ.IIAB.IO -> "How can I remotely manage my Internet-in-a-Box?" + + +# "How do i fail a task in Ansible if the variable contains a boolean value? +# I want to perform input validation for Ansible playbooks" +# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499 + +# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need +# to re-check whether vars are defined here. As Ansible vars cannot be unset: +# https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible + +- name: Assert that "tailscale_install is sameas true" (boolean not string etc) + assert: + that: tailscale_install is sameas true + fail_msg: "PLEASE SET 'tailscale_install: True' e.g. IN: /etc/iiab/local_vars.yml" + quiet: yes + +- name: Assert that "tailscale_enabled | type_debug == 'bool'" (boolean not string etc) + assert: + that: tailscale_enabled | type_debug == 'bool' + fail_msg: "PLEASE GIVE VARIABLE 'tailscale_enabled' A PROPER (UNQUOTED) ANSIBLE BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml" + quiet: yes + + +- name: Install Tailscale if 'tailscale_installed' not defined, e.g. in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml + include_tasks: install.yml + when: tailscale_installed is undefined + + +#- include_tasks: enable-or-disable.yml + + +- name: Add 'tailscale' variable values to {{ iiab_ini_file }} + ini_file: + path: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini + section: tailscale + option: "{{ item.option }}" + value: "{{ item.value | string }}" + with_items: + - option: name + value: Tailscale (VPN) + - option: description + value: '"Tailscale enables live/remote support by connecting machines anywhere on the Internet, using a software-defined mesh virtual private network (VPN), and optional web-based management service."' + - option: tailscale_install + value: "{{ tailscale_install }}" + - option: tailscale_enabled + value: "{{ tailscale_enabled }}" diff --git a/roles/tailscale/templates/iiab-vpn b/roles/tailscale/templates/iiab-vpn new file mode 100755 index 0000000000..05ae623f36 --- /dev/null +++ b/roles/tailscale/templates/iiab-vpn @@ -0,0 +1,54 @@ +#!/bin/bash + +# USEFUL DOC: https://tailscale.com/kb/1080/cli#status + +VPN_URL=https://iiab.net +VPN_KEY="$1" + +# if tailscale status > /dev/null; then # MANY IMPERFECT TESTS OF TAILNET CONNECTIVITY: tailscale0 CAN lose its IP address, as shown by 'ip a' and 'hostname -I' (testing 'systemctl is-active tailscaled' is likely no better!) Unclear if 'tailscale status --json | jq -r .Self.Online' is much better? Maybe explore 'tailscale debug --help' and 'tailscale debug prefs' for a cleaner/authoritative verdict? Or use + display string output of 'systemctl show tailscaled --property=StatusText' e.g. 'StatusText=Connected; iiab; 100.64.0.4' ? (OR JUST DON'T WORRY ABOUT IT, AS THE ~3 'tailscale up' COMMANDS BELOW ARE MORE PROACTIVE... AND APPEAR FAST + SAFE!) +# echo -e "\n\e[1;33mAlready connected to VPN!?\e[0m" +# else +# [NEST ~20 LINES OF IF STATEMENTS FURTHER BELOW?] + +# Check that current profile key still exists in /var/lib/tailscale/tailscaled.state ? (As 'tailscale logout' wipes it!) In the end, these are 3 lousy tests... +# if [ -f /var/lib/tailscale/tailscaled.state ] && [[ $(grep -c $(jq -r '."_current-profile"' /var/lib/tailscale/tailscaled.state) /var/lib/tailscale/tailscaled.state) > 1 ]]; then +# if ! [[ $(tailscale status | tr '[:upper:]' '[:lower:]') =~ "logged out" ]]; then +# if [[ $(tailscale status --json | jq -r .CurrentTailnet.Name) = "iiab.community" ]]; then + +# UX Optimization: {iiab-vpn, iiab-support} can be run WITHOUT key *IF* .BackendState is "Stopped" or "Running" *AND* .ControlURL is $VPN_URL (avoid their default, https://controlplane.tailscale.com !) +if [[ $(tailscale status --json | jq -r .BackendState) != "NeedsLogin" && $(tailscale debug prefs | jq -r .ControlURL) = $VPN_URL ]]; then + if ! tailscale up --login-server "$VPN_URL" --timeout 8s; then # (Re-)passing $VPN_URL is overkill on this line, but can't hurt! + echo -e "\n\e[41;1mERROR $?: Failed to connect to VPN\e[0m\n" + exit 1 + fi +elif [ -z $VPN_KEY ]; then + echo -e "\n\e[1;33mVPN key required!\e[0m\n\nEmail holt@unleashkids.org to explain your need?\n" + exit 1 +else + if ! tailscale up --login-server "$VPN_URL" --auth-key "$VPN_KEY" --timeout 8s; then + echo -e "\n\e[41;1mERROR $?: Failed to connect to VPN, so let's try --force-reauth\e[0m\n" + # If 'tailscale up' just above fails w/ exit code 1 ~= "can't change --login-server without --force-reauth" (i.e. if switching login server, e.g. to/from their default (https://controlplane.tailscale.com) -- SEE ALSO: 'tailscale switch -h' and https://tailscale.com/blog/fast-user-switching) then more "brute force" is attempted below... + # https://github.com/tailscale/tailscale/issues/3849 "Please warn that --force-reauth immediately disconnects" (brute force, only as a last resort!) + # https://github.com/tailscale/tailscale/issues/4854 "Tailscale CLI has poor UX with expiring keys" (long-term node keys thankfully mitigate this!) + if ! tailscale up --login-server "$VPN_URL" --auth-key "$VPN_KEY" --force-reauth --timeout 8s; then + echo -e "\n\e[41;1mERROR $?: Failed to connect to VPN, even with --force-reauth\e[0m\n" + exit 1 + fi + fi +fi + +# jq 1.7 (2023-09-05) on new OS's also allows new syntax... jq -r .Node.Tags.[] +# Can also work: tailscale whois --json $(tailscale ip -1) | jq -r .Node.Tags[]) +echo -e "\n\e[44;1mCheck that VPN ($(tailscale status --json | jq -r .Self.Tags[])) is now live:\e[0m\n" +echo -e " hostname -I" +echo -e " tailscale ip" +echo -e " tailscale status" +echo -e " tailscale whois $(tailscale ip -1)" +echo -e " tailscale whois --json $(tailscale ip -1) | jq" +echo -e " tailscale ping [IP or HOSTNAME]" +echo -e " tailscale status --json | jq" +echo -e " systemctl status tailscaled\n" +echo -e "\e[4mTo disconnect from VPN:\e[0m\n" +echo -e " tailscale down\n" +echo -e "\e[4mTo permanently log out of VPN:\e[0m\n" +echo -e " tailscale logout\n" diff --git a/roles/tailscale/templates/iiab-vpn-off b/roles/tailscale/templates/iiab-vpn-off new file mode 100755 index 0000000000..75ea5c0f39 --- /dev/null +++ b/roles/tailscale/templates/iiab-vpn-off @@ -0,0 +1,7 @@ +#!/bin/bash + +tailscale down + +echo -e "\n\e[44;1mDisconnecting from VPN...\e[0m\n" +echo -e "\e[4mTo permanently log out of VPN:\e[0m\n" # Expires machine node key, from /var/lib/tailscale/tailscaled.state +echo -e " tailscale logout\n" # ...as seen by 'tailscale status --json' (related: 'tailscale debug prefs') diff --git a/scripts/iiab-summary b/scripts/iiab-summary index 7551aad08e..80b6e521fc 100755 --- a/scripts/iiab-summary +++ b/scripts/iiab-summary @@ -79,8 +79,13 @@ echo /opt/iiab/iiab/scripts/iiab-apps-to-be-installed > /dev/null echo "$(df -h /) ZIMs: $(ls /library/zims/content/ | wc -l) OER2Go: $(ls /library/www/html/modules/ | wc -l) Apps2B: $(cat /tmp/iiab-apps-to-be-installed | wc -l)" echo +#grep "^openvpn_handle:" /etc/iiab/local_vars.yml +#grep "^tailscale_installed:" /etc/iiab/iiab_state.yml +if [[ $(command -v /usr/bin/tailscale) ]]; then + #echo "VPN: $(tailscale ip) $(tailscale whois --json $(tailscale ip -1) | jq -r .Node.Tags[])" + echo "VPN: $(tailscale ip) $(tailscale status --json | jq -r .Self.Tags[])" +fi echo $(ip -o link show | awk -F': ' '{print $2}') # Better order than: ls -rt /sys/class/net -grep "^openvpn_enabled:" /etc/iiab/local_vars.yml -grep "^openvpn_handle:" /etc/iiab/local_vars.yml +echo $(echo $(hostname -A) $(hostname -a) | xargs -n1 | sort | uniq) hostname -I echo diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 13291b20d3..68a5209708 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml @@ -219,8 +219,8 @@ dns_jail_enabled: False # 1-PREP -# SSHD runs here & also below in 4-SERVER-OPTIONS -sshd_install: True # Required by OpenVPN +# OPENSSH-SERVER +sshd_install: True sshd_enabled: True sshd_port: 22 # Not fully functional. SEE: roles/sshd/tasks/install.yml @@ -232,17 +232,9 @@ remoteit_enabled: False # remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6 # SECURITY WARNING: https://wiki.iiab.io/go/Security -openvpn_install: True -openvpn_enabled: False -openvpn_handle: "" # Empty string on purpose since ~2016, for /etc/iiab/uuid -# SEE https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/main.yml#L5-L20 -# cron seemed necessary on CentOS: -openvpn_cron_enabled: False -# General OpenVPN settings -openvpn_server: xscenet.net -openvpn_server_real_ip: 3.89.148.185 -openvpn_server_virtual_ip: 10.8.0.1 -openvpn_server_port: 1194 +# New VPN replaced OpenVPN in Sept 2024: +tailscale_install: True +tailscale_enabled: False # Stub var, doesn't yet do anything! # IIAB-ADMIN runs here - see its vars near top of this file: # e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo, @@ -289,8 +281,6 @@ nginx_log_dir: /var/log/nginx # 4-SERVER-OPTIONS -# SSHD runs here & also above in 1-PREP - # DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above. # Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists) diff --git a/vars/local_vars_large.yml b/vars/local_vars_large.yml index 3903530ed1..7f0d398fed 100644 --- a/vars/local_vars_large.yml +++ b/vars/local_vars_large.yml @@ -132,8 +132,8 @@ dns_jail_enabled: False # 1-PREP -# SSHD runs here & also below in 4-SERVER-OPTIONS -sshd_install: True # Required by OpenVPN +# OPENSSH-SERVER +sshd_install: True sshd_enabled: True # https://remote.it can help you remotely maintain an IIAB. @@ -144,10 +144,9 @@ remoteit_enabled: False # remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6 # SECURITY WARNING: https://wiki.iiab.io/go/Security -openvpn_install: True -openvpn_enabled: False -# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle -openvpn_handle: LARGE - Put Your Name Here +# New VPN replaced OpenVPN in Sept 2024: +tailscale_install: True +tailscale_enabled: False # Stub var, doesn't yet do anything! # IIAB-ADMIN runs here - see its vars near top of this file: # e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo @@ -178,8 +177,6 @@ pi_swap_file_size: 1024 # 4-SERVER-OPTIONS -# SSHD runs here & also above in 1-PREP - # DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above. # Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists) diff --git a/vars/local_vars_medical.yml b/vars/local_vars_medical.yml index 66798cb054..5df26eb52c 100644 --- a/vars/local_vars_medical.yml +++ b/vars/local_vars_medical.yml @@ -12,7 +12,6 @@ munin_install: True munin_enabled: True vnstat_install: True vnstat_enabled: True -openvpn_handle: "MEDICAL - Put Your Name Here" usb_lib_umask0000_for_kolibri: False apache_allow_sudo: True # By default diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index 40b960608b..08afaab939 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml @@ -132,8 +132,8 @@ dns_jail_enabled: False # 1-PREP -# SSHD runs here & also below in 4-SERVER-OPTIONS -sshd_install: True # Required by OpenVPN +# OPENSSH-SERVER +sshd_install: True sshd_enabled: True # https://remote.it can help you remotely maintain an IIAB. @@ -144,10 +144,9 @@ remoteit_enabled: False # remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6 # SECURITY WARNING: https://wiki.iiab.io/go/Security -openvpn_install: True -openvpn_enabled: False -# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle -openvpn_handle: MEDIUM-sized - Put Your Name Here +# New VPN replaced OpenVPN in Sept 2024: +tailscale_install: True +tailscale_enabled: False # Stub var, doesn't yet do anything! # IIAB-ADMIN runs here - see its vars near top of this file: # e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo @@ -178,8 +177,6 @@ pi_swap_file_size: 1024 # 4-SERVER-OPTIONS -# SSHD runs here & also above in 1-PREP - # DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above. # Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists) diff --git a/vars/local_vars_none.yml b/vars/local_vars_none.yml index a13c825acb..1e5c03ead6 100644 --- a/vars/local_vars_none.yml +++ b/vars/local_vars_none.yml @@ -1,6 +1,6 @@ # turn off defaults remoteit_install: False -openvpn_install: False +tailscale_install: False kolibri_install: False kolibri_enabled: False kiwix_install: False diff --git a/vars/local_vars_small.yml b/vars/local_vars_small.yml index 288395d696..70206e9ecb 100644 --- a/vars/local_vars_small.yml +++ b/vars/local_vars_small.yml @@ -132,8 +132,8 @@ dns_jail_enabled: False # 1-PREP -# SSHD runs here & also below in 4-SERVER-OPTIONS -sshd_install: True # Required by OpenVPN +# OPENSSH-SERVER +sshd_install: True sshd_enabled: True # https://remote.it can help you remotely maintain an IIAB. @@ -144,10 +144,9 @@ remoteit_enabled: False # remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6 # SECURITY WARNING: https://wiki.iiab.io/go/Security -openvpn_install: True -openvpn_enabled: False -# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle -openvpn_handle: SMALL - Put Your Name Here +# New VPN replaced OpenVPN in Sept 2024: +tailscale_install: True +tailscale_enabled: False # Stub var, doesn't yet do anything! # IIAB-ADMIN runs here - see its vars near top of this file: # e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo @@ -178,8 +177,6 @@ pi_swap_file_size: 1024 # 4-SERVER-OPTIONS -# SSHD runs here & also above in 1-PREP - # DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above. # Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists) diff --git a/vars/local_vars_unittest.yml b/vars/local_vars_unittest.yml index 19c47ca741..0261870755 100644 --- a/vars/local_vars_unittest.yml +++ b/vars/local_vars_unittest.yml @@ -132,8 +132,8 @@ dns_jail_enabled: False # 1-PREP -# SSHD runs here & also below in 4-SERVER-OPTIONS -sshd_install: True # Required by OpenVPN +# OPENSSH-SERVER +sshd_install: True sshd_enabled: True # https://remote.it can help you remotely maintain an IIAB. @@ -144,10 +144,9 @@ remoteit_enabled: False # remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6 # SECURITY WARNING: https://wiki.iiab.io/go/Security -openvpn_install: True -openvpn_enabled: True -# 2021-08-18 SSOT: Please set it here, no longer in /etc/iiab/openvpn_handle -openvpn_handle: UNITTEST - Put Your Name Here +# New VPN replaced OpenVPN in Sept 2024: +tailscale_install: True +tailscale_enabled: False # Stub var, doesn't yet do anything! # IIAB-ADMIN runs here - see its vars near top of this file: # e.g. iiab_admin_user, iiab_admin_user_install, iiab_admin_can_sudo @@ -178,8 +177,6 @@ pi_swap_file_size: 1024 # 4-SERVER-OPTIONS -# SSHD runs here & also above in 1-PREP - # DNS prep (named &/or dhcpd) used to run here. See dnsmasq in 1-PREP above. # Proxy Cache & basic site blocking using /etc/squid allowlists: (whitelists)