Upgrade to openhab 2

letsencrypt

.gitignore

@@ -0,0 +1 @@
+vault_password

.project

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>openhab-ansible</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+	</buildSpec>
+	<natures>
+	</natures>
+</projectDescription>

fix_nfs.yml

@@ -1,8 +1,8 @@
 ---
 
-- hosts: controller
+- hosts: raspis
   become: true
   tasks:
     - service: name=rpcbind state=restarted
     - service: name=nfs-kernel-server state=restarted
-    - shell: chmod -R ugo+w /etc/openhab
+    - shell: chmod -R ugo+w /etc/openhab*

group_vars/all/defaults

@@ -8,7 +8,7 @@ apt_config:
   cache_valid_time: 7200
 
 jdk:
-    - oracle-java7-jdk
+    - oracle-java8-jdk
     #- oracle-java7-installer
     #- oracle-java7-set-default
 
@@ -20,5 +20,5 @@ ntp:
     #- "3.ch.pool.ntp.org"
     
 
-
+letsencrypt_email: "{{vault_letsencrypt_email}}"
 

group_vars/all/vault.sample

@@ -5,6 +5,14 @@
 #vault_graphite_server: 
 #vault_openhab_config_repo:
 
-
+#vault_nginx_user: user
+#vault_nginx_password: passwd
+
+#vault_dynv6_name: "myhost.dynv6.net"
+#vault_dynv6_device: ""
+#vault_dynv6_token: 'mytoken'
+
+#vault_letsencrypt_email: myname@domain.com
+#vault_fqdn: "example.com"
 
 

group_vars/controller

@@ -1,17 +1,24 @@
 ---
 
-bindings:
+#bindings:
-    - astro
+#    - astro
-    - ntp
+#    - ntp
-    - rfxcom
+#    - rfxcom
-    - weather
+#    - weather
-    - mqtt
+#    - mqtt
+#    - zwave
 
-persistence:
+#persistence:
-    - mqtt
+#    - mqtt
+#    - mysql
 
 graphite_server: "{{vault_graphite_server}}"
 
+nginx_user: "{{vault_nginx_user}}"
+nginx_password: "{{vault_nginx_password}}"
 
+dynv6_name: "{{vault_dynv6_name}}"
+dynv6_device: "{{vault_dynv6_device}}"
+dynv6_token: "{{vault_dynv6_token}}"
 
-
+fqdn: "{{vault_fqdn}}"

inventory

@@ -1,3 +1,7 @@
 [controller]
-192.168.1.5 ansible_ssh_user=pi
+192.168.1.7 ansible_ssh_user=pi
+
+[raspis]
+192.168.1.5 ansible_ssh_user=pi
+192.168.1.7 ansible_ssh_user=pi
 

manual.txt

@@ -0,0 +1,16 @@
+http://192.168.1.7:8080/
+ -> select standard (recommeded)
+
+-> paper UI
+    -> extensions
+
+        bindings:
+            - astro
+            - ntp
+            - rfxcom
+            - weather
+            - mqtt
+            - zwave
+        persistence:
+            - mqtt
+            - mysql

raspi.yml

@@ -2,9 +2,10 @@
 
 - hosts: controller
   become: true
+  gather_facts: no
   roles:
     - raspberry
     - mqttwarn
-    - openhab
+    - openhab2
 
 

roles/openhab2/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+
+- name: restart nginx
+  service: name=nginx state=restarted
+

roles/openhab2/tasks/backup.yml

@@ -0,0 +1,11 @@
+---
+
+- name: create backup script
+  template:
+     src: backup.sh.j2
+     dest: "/root/backup"
+     owner: root
+     group: root
+     mode: "u=rwx,g=r,o=r"
+  tags:
+    - backup

roles/openhab2/tasks/dynv6.yml

@@ -0,0 +1,11 @@
+---
+
+- name: install dynv6 update script
+  template:
+     src: dynv6.sh.j2
+     dest: "/root/dynv6.sh"
+     owner: root
+     group: root
+     mode: "u=rwx,g=r,o=r"
+  tags:
+    - dynv6

roles/openhab2/tasks/habmin.yml

@@ -0,0 +1,32 @@
+---
+
+
+- name: download HABmin
+  get_url:
+    url: https://github.com/cdjackson/HABmin/archive/master.zip
+    dest: /root/habmin_master.zip
+    mode: 0444
+  tags:
+    - habmin
+
+
+- name: unzip
+  unarchive:
+    remote_src: yes
+    src: /root/habmin_master.zip
+    dest: /usr/share/openhab/webapps/
+    creates: "/usr/share/openhab/webapps/habmin"
+  tags:
+    - habmin
+
+- name: rename
+  command: creates="/usr/share/openhab/webapps/habmin" mv "/usr/share/openhab/webapps/HABmin-master" "/usr/share/openhab/webapps/habmin"
+  tags:
+    - habmin
+
+- name: install addon
+  command: creates="/usr/share/openhab/addons/org.openhab.io.habmin-1.8.0.jar" mv "/usr/share/openhab/webapps/habmin/addons/org.openhab.io.habmin-1.7.0-SNAPSHOT.jar" "/usr/share/openhab/addons/org.openhab.io.habmin-1.8.0.jar"
+  tags:
+    - habmin
+
+

roles/openhab2/tasks/letsencrypt.yml

@@ -0,0 +1,27 @@
+---
+
+- name: download certbot
+  get_url:
+    url: https://dl.eff.org/certbot-auto
+    dest: /root/certbot-auto
+    mode: 0540
+  tags: 
+    - letsencrypt
+
+- name: get certificate
+  #shell: '/root/certbot-auto -n run --test-cert --nginx --agree-tos --email {{letsencrypt_email}} --cert-path /etc/nginx/ssl/cert.pem --key-path /etc/nginx/ssl/cert.key --fullchain-path /etc/nginx/ssl/chain.pem -d {{fqdn}}'
+  shell: '/root/certbot-auto -n run --nginx --agree-tos --email {{letsencrypt_email}} -d {{fqdn}}'
+  tags: 
+    - letsencrypt
+
+
+- name: cron job
+  cron: 
+    name: "get new certificate"
+    minute: "0"
+    hour: "5"
+    day: "11"
+    job: '/root/certbot-auto -n certonly --nginx --agree-tos --email {{letsencrypt_email}} -d {{fqdn}}'
+  tags: 
+    - letsencrypt
+

roles/openhab2/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+
+- include: repo.yml
+- include: packages.yml
+- include: openhab.yml
+#- include: habmin.yml
+- include: nfs.yml
+- include: mysql.yml
+- include: backup.yml
+- include: nginx.yml
+- include: dynv6.yml
+- include: letsencrypt.yml
+
+
+

roles/openhab2/tasks/mysql.yml

@@ -0,0 +1,29 @@
+---
+
+- name: install mysql packages
+  apt: 
+    pkg: "{{item}}"
+    update_cache: "{{apt_config.update_cache}}"
+    cache_valid_time: "{{apt_config.cache_valid_time}}"
+  with_items:
+     - mysql-server
+     - python-mysqldb
+  tags:
+     - mysql
+
+- name: Create openhab database
+  mysql_db:
+    name: openhab2
+    state: present
+  tags:
+     - mysql
+
+- mysql_user:
+    name: openhab2
+    password: openhab2
+    priv: '*.*:ALL'
+    state: present
+  tags:
+     - mysql
+
+

roles/openhab2/tasks/nfs.yml

@@ -0,0 +1,31 @@
+---
+
+- name: ensure packages are installed
+  apt: 
+    pkg: "{{item}}"
+    update_cache: "{{apt_config.update_cache}}"
+    cache_valid_time: "{{apt_config.cache_valid_time}}"
+  with_items:
+     - nfs-common
+     - nfs-kernel-server
+  tags:
+     - packages
+     - nfs
+     - openhab2
+
+- name: update /etc/exports
+  lineinfile:
+    dest=/etc/exports
+    regexp="^{{item.mount_point}}\s.*"
+    line="{{item.mount_point}} {{item.options}}"
+  notify: update exportfs
+  with_items:
+    - { mount_point: "/etc/openhab2", options: "*(rw,sync,no_subtree_check,all_squash)" }
+    - { mount_point: "/var/lib/openhab2", options: "*(rw,sync,no_subtree_check,all_squash)" }
+  tags:
+    - nfs
+    - nfsconfig
+    - openhab2
+
+
+

roles/openhab2/tasks/nginx.yml

@@ -0,0 +1,83 @@
+---
+
+- name: create nginx config
+  template:
+     src: nginx.conf.j2
+     dest: "/etc/nginx/sites-available/openhab.conf"
+     owner: root
+     group: root
+     mode: "u=rwx,g=r,o=r"
+  notify: restart nginx
+  tags:
+    - nginx
+
+- stat: path=/etc/letsencrypt/live/schnidrig.dynv6.net/fullchain.pem
+  register: letsencrypt_cert
+  tags:
+    - nginx
+  
+- name: overwrite nginx config for letsencrypt initialisation
+  template:
+     src: nginx.init.conf.j2
+     dest: "/etc/nginx/sites-available/openhab.conf"
+     owner: root
+     group: root
+     mode: "u=rwx,g=r,o=r"
+  notify: restart nginx
+  when: letsencrypt_cert.stat.exists == false
+  tags:
+    - nginx
+
+- name: create nginx passwd file
+  htpasswd:
+     name: "{{nginx_user}}"
+     password: "{{nginx_password}}"
+     path: "/etc/nginx/htpasswd"
+     owner: root
+     group: root
+     mode: "u=rw"
+  notify: restart nginx
+  tags:
+    - nginx
+
+- name: remove default site
+  file: 
+    dest: /etc/nginx/sites-enabled/default
+    state: absent
+  notify: restart nginx
+  tags:
+    - nginx
+
+- name: enable openhab site
+  file: 
+    src: /etc/nginx/sites-available/openhab.conf
+    dest: /etc/nginx/sites-enabled/openhab.conf
+    state: link
+  notify: restart nginx
+  tags:
+    - nginx
+    
+
+- name: ssl dir
+  file: 
+    dest: /etc/nginx/ssl
+    state: directory
+  tags:
+    - nginx
+
+- name: create self singed certificate
+  command: 'openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt -subj "/C=CH/ST=AG/L=Niederlenz/O=none/OU=none/CN=schnidrig.dynv6.net"'
+  args: 
+    creates: "/etc/nginx/ssl/nginx.crt"
+  tags:
+    - nginx
+
+- name: gen dhparam
+  command: 'openssl dhparam -outform PEM -out /etc/nginx/ssl/dhparam2048.pem 2048'
+  args: 
+    creates: "/etc/nginx/ssl/dhparam2048.pem"
+  notify: restart nginx
+  tags: 
+    - nginx
+
+

roles/openhab2/tasks/openhab.yml

@@ -0,0 +1,20 @@
+---
+
+- name:
+  user: 
+    name: openhab
+    groups: "dialout"
+    append: yes
+  tags:
+    - openhab2
+    - user
+
+- name: "configure systemd"
+  systemd:
+    name: openhab2
+    daemon_reload: yes
+    enabled: true
+    state: started 
+  tags:
+    - openhab2
+

roles/openhab2/tasks/packages.yml

@@ -0,0 +1,20 @@
+---
+
+- name: install openhab packages
+  apt: 
+    pkg: "{{item}}"
+    update_cache: "{{apt_config.update_cache}}"
+    cache_valid_time: "{{apt_config.cache_valid_time}}"
+  with_items:
+     - "{{jdk}}"
+     - openhab2
+     - openhab2-addons
+     - openhab2-addons-legacy
+     - sysstat
+     - nginx
+     - python-passlib
+  tags:
+     - packages
+     - openhab2
+
+

roles/openhab2/tasks/repo.old.yml

@@ -0,0 +1,22 @@
+---
+
+# http://docs.openhab.org/installation/linux.html#package-repository-installation
+
+- name: install ppa key
+  apt_key: 
+    url: "http://www.openhab.org/keys/public-key-snapshots.asc"
+    state: present
+  tags:
+     - repo
+     - openhab2
+
+- name: install openhab2 repo
+  apt_repository:
+    repo: 'deb https://openhab.ci.cloudbees.com/job/openHAB-Distribution/ws/distributions/openhab-offline/target/apt-repo/ /'
+    state: present
+    update_cache: yes
+    filename: openhab2
+  tags:
+     - repo
+     - openhab2
+

roles/openhab2/tasks/repo.yml

@@ -0,0 +1,22 @@
+---
+
+# http://docs.openhab.org/installation/linux.html#package-repository-installation
+
+- name: install ppa key
+  apt_key: 
+    url: "https://bintray.com/user/downloadSubjectPublicKey?username=openhab"
+    state: present
+  tags:
+     - repo
+     - openhab2
+
+- name: install openhab2 repo
+  apt_repository:
+    repo: 'deb http://dl.bintray.com/openhab/apt-repo2 testing main'
+    state: present
+    update_cache: yes
+    filename: openhab2
+  tags:
+     - repo
+     - openhab2
+

roles/openhab2/templates/backup.sh.j2

@@ -0,0 +1,11 @@
+# stop openhab instance (here: systemd service)
+sudo systemctl stop openhab2.service
+
+# backup current installation with settings
+TIMESTAMP=`date +%Y%m%d_%H%M%S`;
+mkdir  ~/openhab2-backup-$TIMESTAMP
+cp -arv /etc/openhab2 ~/openhab2-backup-$TIMESTAMP/conf
+cp -arv /var/lib/openhab2 ~/openhab2-backup-$TIMESTAMP/userdata
+
+# restart openhab instance
+sudo systemctl start openhab2.service

roles/openhab2/templates/dynv6.sh.j2

@@ -0,0 +1,49 @@
+#!/bin/sh -e
+hostname="{{dynv6_name}}"
+device="{{dynv6_device}}"
+token="{{dynv6_token}}"
+file=$HOME/.dynv6.addr6
+[ -e $file ] && old=`cat $file`
+
+if [ -z "$hostname" -o -z "$token" ]; then
+  echo "Usage: token=<your-authentication-token> [netmask=64] $0 your-name.dynv6.net [device]"
+  exit 1
+fi
+
+if [ -z "$netmask" ]; then
+  netmask=128
+fi
+
+if [ -n "$device" ]; then
+  device="dev $device"
+fi
+address=$(ip -6 addr list scope global $device | grep -v " fd" | sed -n 's/.*inet6 \([0-9a-f:]\+\).*/\1/p' | head -n 1)
+
+if [ -e /usr/bin/curl ]; then
+  bin="curl -fsS"
+elif [ -e /usr/bin/wget ]; then
+  bin="wget -O-"
+else
+  echo "neither curl nor wget found"
+  exit 1
+fi
+
+if [ -z "$address" ]; then
+  echo "no IPv6 address found"
+  exit 1
+fi
+
+# address with netmask
+current=$address/$netmask
+
+if [ "$old" = "$current" ]; then
+  echo "IPv6 address unchanged"
+  exit
+fi
+
+# send addresses to dynv6
+$bin "http://dynv6.com/api/update?hostname=$hostname&ipv6=$current&token=$token"
+#$bin "http://ipv4.dynv6.com/api/update?hostname=$hostname&ipv4=auto&token=$token"
+
+# save current address
+echo $current > $file

roles/openhab2/templates/nginx.conf.j2

@@ -0,0 +1,30 @@
+server {
+    listen                          80;
+    listen                          [::]:443 ssl;
+    server_name                     {{fqdn}};
+
+    ssl_certificate                 /etc/letsencrypt/live/schnidrig.dynv6.net/fullchain.pem;
+    ssl_certificate_key             /etc/letsencrypt/live/schnidrig.dynv6.net/privkey.pem;
+    ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers                     EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
+    ssl_prefer_server_ciphers on;
+    ssl_dhparam                     /etc/nginx/ssl/dhparam2048.pem;
+    ssl_ecdh_curve secp384r1;
+    # check settings with: https://www.ssllabs.com/ssltest/analyze.html?d={{fqdn}}
+
+    location / {
+        proxy_pass                              http://localhost:8080/;
+        proxy_buffering                         off;  # openHAB supports non-buffering specifically for SSEs now
+        proxy_set_header Host                   $http_host;
+        proxy_set_header X-Real-IP              $remote_addr;
+        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto      $scheme;
+
+        auth_basic                              "Openhab";
+        auth_basic_user_file                    /etc/nginx/htpasswd;
+     }
+    location /.well-known/acme-challenge/ {
+        root                                    /var/www/html;
+    }
+
+}

roles/openhab2/templates/nginx.init.conf.j2

@@ -0,0 +1,24 @@
+server {
+    listen                          [::]:80;
+    listen                          [::]:443 ssl;
+    server_name                     schnidrig.dynv6.net;
+
+    ssl_certificate                 /etc/nginx/ssl/nginx.crt;
+    ssl_certificate_key             /etc/nginx/ssl/nginx.key;
+
+    location / {
+        proxy_pass                              http://localhost:8080/;
+        proxy_buffering                         off;  # openHAB supports non-buffering specifically for SSEs now
+        proxy_set_header Host                   $http_host;
+        proxy_set_header X-Real-IP              $remote_addr;
+        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto      $scheme;
+
+        auth_basic                              "Openhab";
+        auth_basic_user_file                    /etc/nginx/htpasswd;
+     }
+    location /.well-known/acme-challenge/ {
+        root                                    /var/www/html;
+    }
+
+}

roles/raspberry/files/alias

@@ -0,0 +1,5 @@
+alias openhablog='tail -n 100 -f /var/log/openhab2/openhab.log -f /var/log/openhab2/events.log'
+alias openhablog2='multitail /var/log/openhab2/openhab.log /var/log/openhab2/events.log'
+alias openhablog3='multitail /var/log/openhab2/openhab.log -ci yellow -I /var/log/openhab2/events.log'
+alias ls='/bin/ls -aF --color=auto'
+alias karafshell="sudo su -s /bin/bash -c '/usr/share/openhab2/runtime/bin/client' openhab"

roles/raspberry/tasks/main.yml

@@ -4,6 +4,8 @@
 - include: ntp.yml
 - include: timezone.yml
 - include: locale.yml
+- include: skeleton.yml
+
 
 
 

roles/raspberry/tasks/packages.yml

@@ -11,6 +11,7 @@
      - tmux
      - python-pip
      - git
+     - multitail
   tags:
      - packages
 

roles/raspberry/tasks/skeleton.yml

@@ -0,0 +1,19 @@
+---
+
+- name: alias
+  copy:
+     src: alias
+     dest: "/home/pi/.alias"
+     owner: pi
+     group: pi
+     mode: "u=rw,g=r,o=r"
+  tags:
+    - alias
+
+- name: update bashrc
+  lineinfile:
+    dest=/home/pi/.bashrc
+    line="test -s ~/.alias && . ~/.alias"
+  tags:
+    - alias
+