"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>A Small Institute</title>
-<div id="outline-container-org9fda08f" class="outline-2">
-<h2 id="org9fda08f"><span class="section-number-2">1.</span> Overview</h2>
+<div id="outline-container-orgefb6095" class="outline-2">
+<h2 id="orgefb6095"><span class="section-number-2">1.</span> Overview</h2>
<div class="outline-text-2" id="text-1">
<p>
This small institute has a public server on the Internet, Front, that
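Review bot: the only change in this hunk (and in every other heading hunk of this patch) is the regenerated random Org id, `org9fda08f` becoming `orgefb6095` on both the `outline-container-` div and the `h2`; no content on the page changed. These ids are not stable across exports, so every re-export produces a diff like this one and any external link or bookmark to `#org9fda08f` silently breaks. Suggest giving each heading a `:CUSTOM_ID:` property in the Org source so the exporter emits a fixed anchor (the `text-1` / `outline-text-2` ids already are stable), which keeps old links working and lets future diffs show only real content changes.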
-<div id="outline-container-orge4e418d" class="outline-2">
-<h2 id="orge4e418d"><span class="section-number-2">2.</span> Caveats</h2>
+<div id="outline-container-org422f876" class="outline-2">
+<h2 id="org422f876"><span class="section-number-2">2.</span> Caveats</h2>
<div class="outline-text-2" id="text-2">
<p>
This small institute prizes its privacy, so there is little or no
-<div id="outline-container-orga4bbd1a" class="outline-2">
-<h2 id="orga4bbd1a"><span class="section-number-2">3.</span> The Services</h2>
+<div id="outline-container-org3e07cdc" class="outline-2">
+<h2 id="org3e07cdc"><span class="section-number-2">3.</span> The Services</h2>
<div class="outline-text-2" id="text-3">
<p>
The small institute's network is designed to provide a number of
-<div id="outline-container-org2b275c5" class="outline-3">
-<h3 id="org2b275c5"><span class="section-number-3">3.1.</span> The Name Service</h3>
+<div id="outline-container-org4e0cff6" class="outline-3">
+<h3 id="org4e0cff6"><span class="section-number-3">3.1.</span> The Name Service</h3>
<div class="outline-text-3" id="text-3-1">
<p>
The institute has a public domain, e.g. <code>small.example.org</code>, and a
-<div id="outline-container-org5d18f36" class="outline-3">
-<h3 id="org5d18f36"><span class="section-number-3">3.2.</span> The Email Service</h3>
+<div id="outline-container-orgd68300a" class="outline-3">
+<h3 id="orgd68300a"><span class="section-number-3">3.2.</span> The Email Service</h3>
<div class="outline-text-3" id="text-3-2">
<p>
Front provides the public SMTP (Simple Mail Transfer Protocol) service
-<div id="outline-container-org975eb1d" class="outline-4">
-<h4 id="org975eb1d"><span class="section-number-4">3.2.1.</span> The Postfix Configurations</h4>
+<div id="outline-container-org77f1db7" class="outline-4">
+<h4 id="org77f1db7"><span class="section-number-4">3.2.1.</span> The Postfix Configurations</h4>
<div class="outline-text-4" id="text-3-2-1">
<p>
The institute aims to accommodate encrypted email containing short
- { p: maximal_queue_lifetime, v: 4h }
- { p: bounce_queue_lifetime, v: 4h }
</code></pre>
-<div id="outline-container-orgc26d78f" class="outline-4">
-<h4 id="orgc26d78f"><span class="section-number-4">3.2.2.</span> The Dovecot Configurations</h4>
+<div id="outline-container-org09a0593" class="outline-4">
+<h4 id="org09a0593"><span class="section-number-4">3.2.2.</span> The Dovecot Configurations</h4>
<div class="outline-text-4" id="text-3-2-2">
<p>
The Dovecot settings on both Front and Core disable POP and require
<span class="org-variable-name">mail_path</span> = ~/Maildir
<span class="org-variable-name">mail_inbox_path</span> = ~/Maildir
</code></pre>
-<div id="outline-container-org8799151" class="outline-3">
-<h3 id="org8799151"><span class="section-number-3">3.3.</span> The Web Services</h3>
+<div id="outline-container-orga25cdab" class="outline-3">
+<h3 id="orga25cdab"><span class="section-number-3">3.3.</span> The Web Services</h3>
<div class="outline-text-3" id="text-3-3">
<p>
Front provides the public HTTP service that serves institute web pages
at e.g. <code>https://small.example.org/</code>. The small institute initially
runs with a self-signed, "snake oil" server certificate, causing
browsers to warn of possible fraud, but this certificate is easily
-<div id="outline-container-org2230f09" class="outline-3">
-<h3 id="org2230f09"><span class="section-number-3">3.4.</span> The Cloud Service</h3>
+<div id="outline-container-org401990b" class="outline-3">
+<h3 id="org401990b"><span class="section-number-3">3.4.</span> The Cloud Service</h3>
<div class="outline-text-3" id="text-3-4">
<p>
Core runs Nextcloud to provide a private institute cloud at
<code>https://core.small.private/nextcloud/</code>. It is managed manually per
<a href="https://docs.nextcloud.com/server/stable/admin_manual/">The Nextcloud Server Administration Guide</a>. The code <i>and</i> data,
including especially database dumps, are stored in <q>/Nextcloud/</q> which
default Apache2 configuration expects to find the web scripts in
<q>/var/www/nextcloud/</q>, so the institute symbolically links this to
<q>/Nextcloud/nextcloud/</q>.
-<div id="outline-container-org0f10e5c" class="outline-3">
-<h3 id="org0f10e5c"><span class="section-number-3">3.5.</span> Accounts</h3>
+<div id="outline-container-orge68fa9b" class="outline-3">
+<h3 id="orge68fa9b"><span class="section-number-3">3.5.</span> Accounts</h3>
<div class="outline-text-3" id="text-3-5">
<p>
A small institute has just a handful of members. For simplicity (and
thus security) static configuration files are preferred over complex
account management systems, LDAP, Active Directory, and the like. The
Ansible scripts configure the same set of user accounts on Core and
processes of enrolling, modifying and retiring members of the
institute. They update the administrator's membership roll, and run
Ansible to create (and disable) accounts on Core, Front, Nextcloud,
-<div id="outline-container-org5b78891" class="outline-4">
-<h4 id="org5b78891"><span class="section-number-4">3.5.1.</span> The Administration Accounts</h4>
+<div id="outline-container-org575bba9" class="outline-4">
+<h4 id="org575bba9"><span class="section-number-4">3.5.1.</span> The Administration Accounts</h4>
<div class="outline-text-4" id="text-3-5-1">
<p>
The institute avoids the use of the <code>root</code> account (<code>uid 0</code>) because
and programs as <code>root</code>. When installation of a Debian OS leaves the
host with no user accounts, just the <code>root</code> account, the next step is
to create a system administrator's account named <code>sysadm</code> and to give
Front Machine</a>). When installation prompts for the name of an
initial, privileged user account the same name is given (e.g. as
still create an initial user account with a distribution specific name
(e.g. <code>pi</code>). Any name can be used as long as it is provided as the
value of <code>ansible_user</code> in <a href="hosts"><q>hosts</q></a>. Its password is specified by a
vault-encrypted variable in the <a href="Secret/become.yml"><q>Secret/become.yml</q></a> file. (The
-<div id="outline-container-org6717f03" class="outline-4">
-<h4 id="org6717f03"><span class="section-number-4">3.5.2.</span> The Monkey Accounts</h4>
+<div id="outline-container-org3a3610b" class="outline-4">
+<h4 id="org3a3610b"><span class="section-number-4">3.5.2.</span> The Monkey Accounts</h4>
<div class="outline-text-4" id="text-3-5-2">
<p>
The institute's Core uses a special account named <code>monkey</code> to run
-<div id="outline-container-org15ad531" class="outline-3">
-<h3 id="org15ad531"><span class="section-number-3">3.6.</span> Keys</h3>
+<div id="outline-container-orge1a9ef2" class="outline-3">
+<h3 id="orge1a9ef2"><span class="section-number-3">3.6.</span> Keys</h3>
-<div id="outline-container-orgabf55fd" class="outline-3">
-<h3 id="orgabf55fd"><span class="section-number-3">3.7.</span> Backups</h3>
+<div id="outline-container-org51316c9" class="outline-3">
+<h3 id="org51316c9"><span class="section-number-3">3.7.</span> Backups</h3>
<div class="outline-text-3" id="text-3-7">
<p>
The small institute backs up its data, but not so much so that nothing
</span><span class="org-comment-delimiter">#</span><span class="org-comment">
</span><span class="org-comment-delimiter"># </span><span class="org-comment">DO NOT EDIT.
</span><span class="org-comment-delimiter">#</span><span class="org-comment">
-<div id="outline-container-org0c396b4" class="outline-2">
-<h2 id="org0c396b4"><span class="section-number-2">4.</span> The Particulars</h2>
+<div id="outline-container-org967f39d" class="outline-2">
+<h2 id="org967f39d"><span class="section-number-2">4.</span> The Particulars</h2>
<div class="outline-text-2" id="text-4">
<p>
This chapter introduces Ansible variables intended to simplify
-<div id="outline-container-org8a9c532" class="outline-3">
-<h3 id="org8a9c532"><span class="section-number-3">4.1.</span> Generic Particulars</h3>
+<div id="outline-container-orgd52ac5a" class="outline-3">
+<h3 id="orgd52ac5a"><span class="section-number-3">4.1.</span> Generic Particulars</h3>
<div class="outline-text-3" id="text-4-1">
<p>
The small institute's domain name is used quite frequently in the
-<div id="outline-container-orga3d2821" class="outline-3">
-<h3 id="orga3d2821"><span class="section-number-3">4.2.</span> Subnets</h3>
+<div id="outline-container-org1f4bd95" class="outline-3">
+<h3 id="org1f4bd95"><span class="section-number-3">4.2.</span> Subnets</h3>
<div class="outline-text-3" id="text-4-2">
<p>
The small institute uses a private Ethernet, two VPNs, and a "wild",
sensitive information so again the code block below "tangles" into
<a href="private/vars.yml"><q>private/vars.yml</q></a> rather than <a href="public/vars.yml"><q>public/vars.yml</q></a>. Two of the
addresses are in <code>192.168</code> subnets because they are part of a test
<span class="org-string">"{{ private_net_cidr | ansible.utils.ipaddr('network') }}"</span>
private_net_mask:
<span class="org-string">"{{ private_net_cidr | ansible.utils.ipaddr('netmask') }}"</span>
core_addr_cidr: <span class="org-string">"{{ private_net_cidr | ansible.utils.ipaddr('1') }}"</span>
gate_addr_cidr: <span class="org-string">"{{ private_net_cidr | ansible.utils.ipaddr('2') }}"</span>
gate_wild_addr_cidr:
-<div id="outline-container-org1bbd95f" class="outline-2">
-<h2 id="org1bbd95f"><span class="section-number-2">5.</span> The Hardware</h2>
+<div id="outline-container-org612052e" class="outline-2">
+<h2 id="org612052e"><span class="section-number-2">5.</span> The Hardware</h2>
<div class="outline-text-2" id="text-5">
<p>
The small institute's network was built by its system administrator
using Ansible on a trusted notebook. The Ansible configuration and
scripts were generated by "tangling" the Ansible code included here.
-<div id="outline-container-orgee3e87d" class="outline-3">
-<h3 id="orgee3e87d"><span class="section-number-3">5.1.</span> The Front Machine</h3>
+<div id="outline-container-orge9845ca" class="outline-3">
+<h3 id="orge9845ca"><span class="section-number-3">5.1.</span> The Front Machine</h3>
<div class="outline-text-3" id="text-5-1">
<p>
Front is the small institute's public facing server, a virtual machine
-<div id="outline-container-org41b828c" class="outline-4">
-<h4 id="org41b828c"><span class="section-number-4">5.1.1.</span> A Digital Ocean Droplet</h4>
+<div id="outline-container-org6b216f0" class="outline-4">
+<h4 id="org6b216f0"><span class="section-number-4">5.1.1.</span> A Digital Ocean Droplet</h4>
<div class="outline-text-4" id="text-5-1-1">
<p>
The following example prepared a Digital Ocean droplet to be Front.
<p>
The freshly created Digital Ocean droplet came with just one account,
<code>root</code>, but the small institute avoids remote access to the "super
The password for the <code>sysadm</code> account was generated by <code>gpw</code>, saved in
the administrator's password keep, and added to <a href="Secret/become.yml"><q>Secret/become.yml</q></a> as
shown below. (Producing a working Ansible configuration with
<p>
After creating the <code>sysadm</code> account on the droplet, the administrator
concatenated a personal public ssh key and the key found in
file, copied it to the droplet, and installed it as the
<q>authorized_keys</q> for <code>sysadm</code>.
</p>
subsequent reboot gets ResolveD configured properly (else <code>resolvectl</code>
hangs, causing <code>wg-quick@wg0</code> to hang…). The rest are included just
to speed up (re)testing of "prepared" test machines, e.g. prepared as
</p>
<p>
The prospective IP address (<code>159.65.75.60</code>) is also pasted into
<a href="public/vars.yml"><q>public/vars.yml</q></a> as the value of <code>front_addr</code> (as in the example
-<div id="outline-container-org4dc7de0" class="outline-3">
-<h3 id="org4dc7de0"><span class="section-number-3">5.2.</span> The Core Machine</h3>
+<div id="outline-container-org764b20c" class="outline-3">
+<h3 id="org764b20c"><span class="section-number-3">5.2.</span> The Core Machine</h3>
<div class="outline-text-3" id="text-5-2">
<p>
Core is the small institute's private file, email, cloud and whatnot
freshly installed. During installation, the machine was named <code>core</code>,
no desktop or server software was installed, no root password was set,
and a privileged account named <code>sysadm</code> was created (per the policy in
The password was generated by <code>gpw</code>, saved in the administrator's
password keep, and later added to <a href="Secret/become.yml"><q>Secret/become.yml</q></a> as shown below.
(Producing a working Ansible configuration with <a href="Secret/become.yml"><q>Secret/become.yml</q></a>
<q>admin_keys</q> file, copied it to Core, and installed it as the
<q>authorized_keys</q> for <code>sysadm</code>.
</p>
<p>
In the example command lines below, the address <code>10.227.248.1</code> was
generated by the random subnet address picking procedure described in
address, <code>10.227.248.2</code>, is the corresponding address for Gate's
Ethernet interface, and is named <code>gate_addr</code> in the Ansible
code.
-<div id="outline-container-org34398a9" class="outline-3">
-<h3 id="org34398a9"><span class="section-number-3">5.3.</span> The Gate Machine</h3>
+<div id="outline-container-org6da11e2" class="outline-3">
+<h3 id="org6da11e2"><span class="section-number-3">5.3.</span> The Gate Machine</h3>
<div class="outline-text-3" id="text-5-3">
<p>
Gate is the small institute's route to the Internet, and the campus
-<div id="outline-container-org7615b8a" class="outline-4">
-<h4 id="org7615b8a"><span class="section-number-4">5.3.1.</span> Alternate Gate Topology</h4>
+<div id="outline-container-org4ac492a" class="outline-4">
+<h4 id="org4ac492a"><span class="section-number-4">5.3.1.</span> Alternate Gate Topology</h4>
<div class="outline-text-4" id="text-5-3-1">
<p>
While Gate and Core really need to be separate machines for security
-<div id="outline-container-org737eb06" class="outline-4">
-<h4 id="org737eb06"><span class="section-number-4">5.3.2.</span> Original Gate Topology</h4>
+<div id="outline-container-org63b27ee" class="outline-4">
+<h4 id="org63b27ee"><span class="section-number-4">5.3.2.</span> Original Gate Topology</h4>
<div class="outline-text-4" id="text-5-3-2">
<p>
The Ansible code in this document is somewhat dependent on the
freshly installed. During installation, the machine was named <code>gate</code>,
no desktop or server software was installed, no root password was set,
and a privileged account named <code>sysadm</code> was created (per the policy in
The password was generated by <code>gpw</code>, saved in the administrator's
password keep, and later added to <a href="Secret/become.yml"><q>Secret/become.yml</q></a> as shown below.
(Producing a working Ansible configuration with <a href="Secret/become.yml"><q>Secret/become.yml</q></a>
<q>admin_keys</q> file, copied it to Gate, and installed it as the
<q>authorized_keys</q> for <code>sysadm</code>.
</p>
<p>
In the example command lines below, the address <code>10.227.248.2</code> was
generated by the random subnet address picking procedure described in
campus Wi-Fi access point and the campus ISP and the values of three
variables (<code>gate_lan_mac</code>, <code>gate_wild_mac</code>, and <code>gate_isp_mac</code> in
<a href="private/vars.yml"><q>private/vars.yml</q></a>) match the actual hardware MAC addresses of the
-<div id="outline-container-org1fa732d" class="outline-2">
-<h2 id="org1fa732d"><span class="section-number-2">6.</span> The All Role</h2>
+<div id="outline-container-orgac6ebd5" class="outline-2">
+<h2 id="orgac6ebd5"><span class="section-number-2">6.</span> The All Role</h2>
<div class="outline-text-2" id="text-6">
<p>
The <code>all</code> role contains tasks that are executed on all of the
institute's servers. At the moment there is just the one.
</p>
</div>
-<div id="outline-container-org74c7242" class="outline-3">
-<h3 id="org74c7242"><span class="section-number-3">6.1.</span> Include Particulars</h3>
+<div id="outline-container-org5f981d7" class="outline-3">
+<h3 id="org5f981d7"><span class="section-number-3">6.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-6-1">
<p>
The <code>all</code> role's task contains a reference to a common institute
particular, the institute's <code>domain_name</code>, a variable found in the
<q>public/vars.yml</q> file. Thus the first task of the <code>all</code> role is to
Particulars</a>). The code block below is the first to tangle into
<a href="roles/all/tasks/main.yml"><q>roles/all/tasks/main.yml</q></a>.
</p>
-<div id="outline-container-org81e7c74" class="outline-3">
-<h3 id="org81e7c74"><span class="section-number-3">6.2.</span> Enable Systemd Resolved</h3>
+<div id="outline-container-org9761ed6" class="outline-3">
+<h3 id="org9761ed6"><span class="section-number-3">6.2.</span> Enable Systemd Resolved</h3>
<div class="outline-text-3" id="text-6-2">
<p>
The <code>systemd-networkd</code> and <code>systemd-resolved</code> service units are not
-<div id="outline-container-org2d0e4b9" class="outline-3">
-<h3 id="org2d0e4b9"><span class="section-number-3">6.3.</span> Trust Institute Certificate Authority</h3>
+<div id="outline-container-org489cf42" class="outline-3">
+<h3 id="org489cf42"><span class="section-number-3">6.3.</span> Trust Institute Certificate Authority</h3>
<div class="outline-text-3" id="text-6-3">
<p>
All servers should recognize the institute's Certificate Authority as
trustworthy, so its certificate is added to the set of trusted CAs on
each host. More information about how the small institute manages its
-<div id="outline-container-org1b75f5d" class="outline-2">
-<h2 id="org1b75f5d"><span class="section-number-2">7.</span> The Front Role</h2>
+<div id="outline-container-org7d542aa" class="outline-2">
+<h2 id="org7d542aa"><span class="section-number-2">7.</span> The Front Role</h2>
<div class="outline-text-2" id="text-7">
<p>
The <code>front</code> role installs and configures the services expected on the
institute's publicly accessible "front door": email, web, VPN. The
virtual machine is prepared with an Ubuntu Server install and remote
access to a privileged, administrator's account. (For details, see
-<div id="outline-container-org3ec7453" class="outline-3">
-<h3 id="org3ec7453"><span class="section-number-3">7.1.</span> Role Defaults</h3>
+<div id="outline-container-org7adc374" class="outline-3">
+<h3 id="org7adc374"><span class="section-number-3">7.1.</span> Role Defaults</h3>
<div class="outline-text-3" id="text-7-1">
<p>
The <code>front</code> role sets a number of variables to default values in its
<p>
The <code>membership-rolls</code> reference defines <code>membership_rolls</code> which is
used to select an empty membership roll if one has not been written
-<div id="outline-container-org7446efc" class="outline-3">
-<h3 id="org7446efc"><span class="section-number-3">7.2.</span> Include Particulars</h3>
+<div id="outline-container-org26771ce" class="outline-3">
+<h3 id="org26771ce"><span class="section-number-3">7.2.</span> Include Particulars</h3>
particulars. The <code>front</code> role refers to private variables and the
membership roll, so these are included was well.
</p>
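Review bot: the trailing context line `membership roll, so these are included was well.` carries a typo, `was` for `as`; since this hunk already touches the heading of section 7.2, the fix belongs in the same commit, made in the Org source rather than in the exported HTML so it survives the next export.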
-<div id="outline-container-org70f5d74" class="outline-3">
-<h3 id="org70f5d74"><span class="section-number-3">7.3.</span> Configure Hostname</h3>
+<div id="outline-container-org9e8314a" class="outline-3">
+<h3 id="org9e8314a"><span class="section-number-3">7.3.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-7-3">
<p>
This task ensures that Front's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
-<div id="outline-container-org83f7a08" class="outline-3">
-<h3 id="org83f7a08"><span class="section-number-3">7.4.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-orgb13272d" class="outline-3">
+<h3 id="orgb13272d"><span class="section-number-3">7.4.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-7-4">
<p>
The administrator often needs to read (directories of) log files owned
-<div id="outline-container-org1ca6e1c" class="outline-3">
-<h3 id="org1ca6e1c"><span class="section-number-3">7.5.</span> Configure Monkey</h3>
+<div id="outline-container-orgffe4240" class="outline-3">
+<h3 id="orgffe4240"><span class="section-number-3">7.5.</span> Configure Monkey</h3>
<div class="outline-text-3" id="text-7-5">
<p>
The small institute runs cron jobs and web scripts that generate
<div class="outline-text-3" id="text-7-5">
<p>
The small institute runs cron jobs and web scripts that generate
system account named <code>monkey</code>. One of Monkey's more important jobs on
Core is to run <code>rsync</code> to update the public web site on Front. Monkey
on Core will login as <code>monkey</code> on Front to synchronize the files (as
system account named <code>monkey</code>. One of Monkey's more important jobs on
Core is to run <code>rsync</code> to update the public web site on Front. Monkey
on Core will login as <code>monkey</code> on Front to synchronize the files (as
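Review bot: the six context lines after this hunk ("system account named monkey" through "synchronize the files (as", printed twice) belong to a second change inside section 7.5 whose "-" and "+" lines are not in the patch, and there are no "@@" or "diff --git" headers anywhere, so hunk boundaries and the scope of the non-heading edits cannot be verified from what is shown. Please regenerate with a standard unified diff (diff -u or git diff) so each hunk carries its header and a single copy of its context.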
-<div id="outline-container-orgdaa2f4d" class="outline-3">
-<h3 id="orgdaa2f4d"><span class="section-number-3">7.6.</span> Install Rsync</h3>
+<div id="outline-container-orgb638d29" class="outline-3">
+<h3 id="orgb638d29"><span class="section-number-3">7.6.</span> Install Rsync</h3>
<div class="outline-text-3" id="text-7-6">
<p>
Monkey uses Rsync to keep the institute's public web site up-to-date.
<div class="outline-text-3" id="text-7-6">
<p>
Monkey uses Rsync to keep the institute's public web site up-to-date.
-<div id="outline-container-org77459ac" class="outline-3">
-<h3 id="org77459ac"><span class="section-number-3">7.7.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org1aa2793" class="outline-3">
+<h3 id="org1aa2793"><span class="section-number-3">7.7.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-7-7">
<p>
The institute prefers to install security updates as soon as possible.
<div class="outline-text-3" id="text-7-7">
<p>
The institute prefers to install security updates as soon as possible.
-<div id="outline-container-org388cf78" class="outline-3">
-<h3 id="org388cf78"><span class="section-number-3">7.8.</span> Configure User Accounts</h3>
+<div id="outline-container-orge398e89" class="outline-3">
+<h3 id="orge398e89"><span class="section-number-3">7.8.</span> Configure User Accounts</h3>
<div class="outline-text-3" id="text-7-8">
<p>
User accounts are created immediately so that Postfix and Dovecot can
start delivering email immediately, <i>without</i> returning "no such
<div class="outline-text-3" id="text-7-8">
<p>
User accounts are created immediately so that Postfix and Dovecot can
start delivering email immediately, <i>without</i> returning "no such
-<div id="outline-container-org579723f" class="outline-3">
-<h3 id="org579723f"><span class="section-number-3">7.9.</span> Install Server Certificate</h3>
+<div id="outline-container-org802c293" class="outline-3">
+<h3 id="org802c293"><span class="section-number-3">7.9.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-7-9">
<p>
The servers on Front use the same certificate (and key) to
<div class="outline-text-3" id="text-7-9">
<p>
The servers on Front use the same certificate (and key) to
-<div id="outline-container-org30fd7fa" class="outline-3">
-<h3 id="org30fd7fa"><span class="section-number-3">7.10.</span> Configure Postfix on Front</h3>
+<div id="outline-container-orgb6a1762" class="outline-3">
+<h3 id="orgb6a1762"><span class="section-number-3">7.10.</span> Configure Postfix on Front</h3>
<div class="outline-text-3" id="text-7-10">
<p>
Front uses Postfix to provide the institute's public SMTP service, and
<div class="outline-text-3" id="text-7-10">
<p>
Front uses Postfix to provide the institute's public SMTP service, and
includes site-wide support for larger message sizes, shorter queue
times, the relaying configuration, and the common path to incoming
emails. These and a few Front-specific Postfix configurations
includes site-wide support for larger message sizes, shorter queue
times, the relaying configuration, and the common path to incoming
emails. These and a few Front-specific Postfix configurations
- { p: smtpd_tls_key_file, v: /etc/server.key }
<<postfix-front-networks>>
<<postfix-front-restrictions>>
- { p: smtpd_tls_key_file, v: /etc/server.key }
<<postfix-front-networks>>
<<postfix-front-restrictions>>
-<div id="outline-container-orga6b965a" class="outline-3">
-<h3 id="orga6b965a"><span class="section-number-3">7.11.</span> Configure Public Email Aliases</h3>
+<div id="outline-container-orgd72bc6a" class="outline-3">
+<h3 id="orgd72bc6a"><span class="section-number-3">7.11.</span> Configure Public Email Aliases</h3>
<div class="outline-text-3" id="text-7-11">
<p>
The institute's Front needs to deliver email addressed to a number of
<div class="outline-text-3" id="text-7-11">
<p>
The institute's Front needs to deliver email addressed to a number of
-<div id="outline-container-org1d6a275" class="outline-3">
-<h3 id="org1d6a275"><span class="section-number-3">7.12.</span> Configure OpenDKIM</h3>
+<div id="outline-container-org75f922e" class="outline-3">
+<h3 id="org75f922e"><span class="section-number-3">7.12.</span> Configure OpenDKIM</h3>
<div class="outline-text-3" id="text-7-12">
<p>
Front uses OpenDKIM to sign outgoing emails. It does not verify
<div class="outline-text-3" id="text-7-12">
<p>
Front uses OpenDKIM to sign outgoing emails. It does not verify
-<div id="outline-container-org7900b27" class="outline-3">
-<h3 id="org7900b27"><span class="section-number-3">7.13.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-org9d767ec" class="outline-3">
+<h3 id="org9d767ec"><span class="section-number-3">7.13.</span> Configure Dovecot IMAPd</h3>
<div class="outline-text-3" id="text-7-13">
<p>
Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to
<div class="outline-text-3" id="text-7-13">
<p>
Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to
bit "over the top" given that Core accesses Front via VPN, but helps
to ensure privacy even when members must, in extremis, access recent
email directly from their accounts on Front. For more information
bit "over the top" given that Core accesses Front via VPN, but helps
to ensure privacy even when members must, in extremis, access recent
email directly from their accounts on Front. For more information
-<div id="outline-container-orgf35f718" class="outline-3">
-<h3 id="orgf35f718"><span class="section-number-3">7.14.</span> Configure Apache2 <a id="org45d6521"></a></h3>
+<div id="outline-container-org230b0c3" class="outline-3">
+<h3 id="org230b0c3"><span class="section-number-3">7.14.</span> Configure Apache2 <a id="orgc0df403"></a></h3>
<div class="outline-text-3" id="text-7-14">
<p>
This is the small institute's public web site. It is simple, static,
<div class="outline-text-3" id="text-7-14">
<p>
This is the small institute's public web site. It is simple, static,
SSLHonorCipherOrder on
<span class="org-type">SSLCipherSuite {</span>{ [ <span class="org-string">'ECDHE-ECDSA-AES128-GCM-SHA256'</span>,
<span class="org-string">'ECDHE-ECDSA-AES256-GCM-SHA384'</span>,
SSLHonorCipherOrder on
<span class="org-type">SSLCipherSuite {</span>{ [ <span class="org-string">'ECDHE-ECDSA-AES128-GCM-SHA256'</span>,
<span class="org-string">'ECDHE-ECDSA-AES256-GCM-SHA384'</span>,
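Review bot: besides the heading id, the in-heading anchor org45d6521 becomes orgc0df403 here (and the same happens at the 8.18 Apache2 heading, orgad9a8c8 to org9ee6313); such anchors exist because something links to them, so the export must have rewritten every href that targeted the old ids in the same run. Confirm that the old ids survive nowhere in the exported file (a search for org45d6521 and orgad9a8c8 should return nothing) before merging, otherwise those cross-references silently dead-end.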
-<div id="outline-container-org1d204df" class="outline-3">
-<h3 id="org1d204df"><span class="section-number-3">7.15.</span> Configure Public WireGuard™ Subnet</h3>
+<div id="outline-container-org09a327c" class="outline-3">
+<h3 id="org09a327c"><span class="section-number-3">7.15.</span> Configure Public WireGuard™ Subnet</h3>
<div class="outline-text-3" id="text-7-15">
<p>
Front uses WireGuard™ to provide a public (Internet accessible) VPN
<div class="outline-text-3" id="text-7-15">
<p>
Front uses WireGuard™ to provide a public (Internet accessible) VPN
<a href="roles_t/front/tasks/main.yml"><q>roles_t/front/tasks/main.yml</q></a><pre class="src src-conf"><code>
- name: Enable IP forwarding.
become: yes
<a href="roles_t/front/tasks/main.yml"><q>roles_t/front/tasks/main.yml</q></a><pre class="src src-conf"><code>
- name: Enable IP forwarding.
become: yes
<div class="org-src-container">
<a href="roles_t/front/handlers/main.yml"><q>roles_t/front/handlers/main.yml</q></a><pre class="src src-conf"><code>
<div class="org-src-container">
<a href="roles_t/front/handlers/main.yml"><q>roles_t/front/handlers/main.yml</q></a><pre class="src src-conf"><code>
-<div id="outline-container-org56c35ca" class="outline-4">
-<h4 id="org56c35ca"><span class="section-number-4">7.15.1.</span> Example <q>private/front-wg0.conf</q></h4>
+<div id="outline-container-orga907b96" class="outline-4">
+<h4 id="orga907b96"><span class="section-number-4">7.15.1.</span> Example <q>private/front-wg0.conf</q></h4>
<div class="outline-text-4" id="text-7-15-1">
<p>
The example <q>private/front-wg0.conf</q> below recognizes Core by its
<div class="outline-text-4" id="text-7-15-1">
<p>
The example <q>private/front-wg0.conf</q> below recognizes Core by its
-<div id="outline-container-org4ae27af" class="outline-3">
-<h3 id="org4ae27af"><span class="section-number-3">7.16.</span> Configure Kamailio</h3>
+<div id="outline-container-orge558524" class="outline-3">
+<h3 id="orge558524"><span class="section-number-3">7.16.</span> Configure Kamailio</h3>
<div class="outline-text-3" id="text-7-16">
<p>
Front uses Kamailio to provide a SIP service on the public VPN so that
<div class="outline-text-3" id="text-7-16">
<p>
Front uses Kamailio to provide a SIP service on the public VPN so that
-<div id="outline-container-org5eb8a09" class="outline-2">
-<h2 id="org5eb8a09"><span class="section-number-2">8.</span> The Core Role</h2>
+<div id="outline-container-org5254b26" class="outline-2">
+<h2 id="org5254b26"><span class="section-number-2">8.</span> The Core Role</h2>
<div class="outline-text-2" id="text-8">
<p>
The <code>core</code> role configures many essential campus network services as
well as the institute's private cloud, so the core machine has
horsepower (CPUs and RAM) and large disks and is prepared with a
Debian install and remote access to a privileged, administrator's
<div class="outline-text-2" id="text-8">
<p>
The <code>core</code> role configures many essential campus network services as
well as the institute's private cloud, so the core machine has
horsepower (CPUs and RAM) and large disks and is prepared with a
Debian install and remote access to a privileged, administrator's
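Review bot: while the h2 id is regenerated (org5eb8a09 to org5254b26), the wrapper on the next context line keeps its id, text-8, and every section in this patch has such a text-N-M wrapper derived from the section number (it only shifts if sections are renumbered). Until stable CUSTOM_IDs are in place, links from the rest of the document should target those wrapper ids rather than the random heading ids, since only the former survive a re-export unchanged in this diff.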
-<div id="outline-container-orge71f9ca" class="outline-3">
-<h3 id="orge71f9ca"><span class="section-number-3">8.1.</span> Role Defaults</h3>
+<div id="outline-container-org5879ca0" class="outline-3">
+<h3 id="org5879ca0"><span class="section-number-3">8.1.</span> Role Defaults</h3>
-<div id="outline-container-orgdc3e067" class="outline-3">
-<h3 id="orgdc3e067"><span class="section-number-3">8.2.</span> Include Particulars</h3>
+<div id="outline-container-org96886b7" class="outline-3">
+<h3 id="org96886b7"><span class="section-number-3">8.2.</span> Include Particulars</h3>
-<div id="outline-container-orgb994161" class="outline-3">
-<h3 id="orgb994161"><span class="section-number-3">8.3.</span> Configure Hostname</h3>
+<div id="outline-container-org325596b" class="outline-3">
+<h3 id="org325596b"><span class="section-number-3">8.3.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-8-3">
<p>
This task ensures that Core's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
<div class="outline-text-3" id="text-8-3">
<p>
This task ensures that Core's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
-<div id="outline-container-orgd4a9d48" class="outline-3">
-<h3 id="orgd4a9d48"><span class="section-number-3">8.4.</span> Configure Systemd Resolved</h3>
+<div id="outline-container-org2e9a975" class="outline-3">
+<h3 id="org2e9a975"><span class="section-number-3">8.4.</span> Configure Systemd Resolved</h3>
<div class="outline-text-3" id="text-8-4">
<p>
Core runs the campus name server, so Resolved is configured to use it
<div class="outline-text-3" id="text-8-4">
<p>
Core runs the campus name server, so Resolved is configured to use it
-<div id="outline-container-orgf7142cb" class="outline-3">
-<h3 id="orgf7142cb"><span class="section-number-3">8.5.</span> Configure Core NetworkD</h3>
+<div id="outline-container-orgd413bcb" class="outline-3">
+<h3 id="orgd413bcb"><span class="section-number-3">8.5.</span> Configure Core NetworkD</h3>
<div class="outline-text-3" id="text-8-5">
<p>
Core's network interface is statically configured using the
<div class="outline-text-3" id="text-8-5">
<p>
Core's network interface is statically configured using the
-<div id="outline-container-org9e3dacf" class="outline-3">
-<h3 id="org9e3dacf"><span class="section-number-3">8.6.</span> Configure DHCP For the Private Ethernet</h3>
+<div id="outline-container-orgd06348f" class="outline-3">
+<h3 id="orgd06348f"><span class="section-number-3">8.6.</span> Configure DHCP For the Private Ethernet</h3>
<div class="outline-text-3" id="text-8-6">
<p>
Core speaks DHCP (Dynamic Host Configuration Protocol) using the
<div class="outline-text-3" id="text-8-6">
<p>
Core speaks DHCP (Dynamic Host Configuration Protocol) using the
-<div id="outline-container-orge1d141c" class="outline-3">
-<h3 id="orge1d141c"><span class="section-number-3">8.7.</span> Configure BIND9</h3>
+<div id="outline-container-org8519578" class="outline-3">
+<h3 id="org8519578"><span class="section-number-3">8.7.</span> Configure BIND9</h3>
<div class="outline-text-3" id="text-8-7">
<p>
Core uses BIND9 to provide name service for the institute as described
<div class="outline-text-3" id="text-8-7">
<p>
Core uses BIND9 to provide name service for the institute as described
-<div id="outline-container-org7179ece" class="outline-3">
-<h3 id="org7179ece"><span class="section-number-3">8.8.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-orgff849e7" class="outline-3">
+<h3 id="orgff849e7"><span class="section-number-3">8.8.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-8-8">
<p>
The administrator often needs to read (directories of) log files owned
<div class="outline-text-3" id="text-8-8">
<p>
The administrator often needs to read (directories of) log files owned
-<div id="outline-container-org02fdd2d" class="outline-3">
-<h3 id="org02fdd2d"><span class="section-number-3">8.9.</span> Configure Monkey</h3>
+<div id="outline-container-org0d2aa98" class="outline-3">
+<h3 id="org0d2aa98"><span class="section-number-3">8.9.</span> Configure Monkey</h3>
<div class="outline-text-3" id="text-8-9">
<p>
The small institute runs cron jobs and web scripts that generate
reports and perform checks. The un-privileged jobs are run by a
system account named <code>monkey</code>. One of Monkey's more important jobs on
Core is to run <code>rsync</code> to update the public web site on Front (as
<div class="outline-text-3" id="text-8-9">
<p>
The small institute runs cron jobs and web scripts that generate
reports and perform checks. The un-privileged jobs are run by a
system account named <code>monkey</code>. One of Monkey's more important jobs on
Core is to run <code>rsync</code> to update the public web site on Front (as
-<div id="outline-container-orgd59c0f0" class="outline-3">
-<h3 id="orgd59c0f0"><span class="section-number-3">8.10.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org79c507b" class="outline-3">
+<h3 id="org79c507b"><span class="section-number-3">8.10.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-8-10">
<p>
The institute prefers to install security updates as soon as possible.
<div class="outline-text-3" id="text-8-10">
<p>
The institute prefers to install security updates as soon as possible.
-<div id="outline-container-org6cd8bad" class="outline-3">
-<h3 id="org6cd8bad"><span class="section-number-3">8.11.</span> Configure User Accounts</h3>
+<div id="outline-container-orgb26abc6" class="outline-3">
+<h3 id="orgb26abc6"><span class="section-number-3">8.11.</span> Configure User Accounts</h3>
<div class="outline-text-3" id="text-8-11">
<p>
User accounts are created immediately so that backups can begin
<div class="outline-text-3" id="text-8-11">
<p>
User accounts are created immediately so that backups can begin
-<div id="outline-container-org7a39320" class="outline-3">
-<h3 id="org7a39320"><span class="section-number-3">8.12.</span> Install Server Certificate</h3>
+<div id="outline-container-org925deb8" class="outline-3">
+<h3 id="org925deb8"><span class="section-number-3">8.12.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-8-12">
<p>
The servers on Core use the same certificate (and key) to authenticate
<div class="outline-text-3" id="text-8-12">
<p>
The servers on Core use the same certificate (and key) to authenticate
-<div id="outline-container-org086b745" class="outline-3">
-<h3 id="org086b745"><span class="section-number-3">8.13.</span> Install Chrony</h3>
+<div id="outline-container-org3149dfc" class="outline-3">
+<h3 id="org3149dfc"><span class="section-number-3">8.13.</span> Install Chrony</h3>
<div class="outline-text-3" id="text-8-13">
<p>
Core uses Chrony to provide a time synchronization service to the campus.
<div class="outline-text-3" id="text-8-13">
<p>
Core uses Chrony to provide a time synchronization service to the campus.
-<div id="outline-container-org79b9663" class="outline-3">
-<h3 id="org79b9663"><span class="section-number-3">8.14.</span> Configure Postfix on Core</h3>
+<div id="outline-container-org322719a" class="outline-3">
+<h3 id="org322719a"><span class="section-number-3">8.14.</span> Configure Postfix on Core</h3>
<div class="outline-text-3" id="text-8-14">
<p>
Core uses Postfix to provide SMTP service to the campus. The default
<div class="outline-text-3" id="text-8-14">
<p>
Core uses Postfix to provide SMTP service to the campus. The default
to any internal domain name locally, and uses its smarthost Front to
relay the rest. Core is reachable only on institute networks, so
there is little benefit in enabling TLS, but it does need to handle
to any internal domain name locally, and uses its smarthost Front to
relay the rest. Core is reachable only on institute networks, so
there is little benefit in enabling TLS, but it does need to handle
- { p: smtpd_tls_security_level, v: none }
- { p: smtp_tls_security_level, v: none }
<<postfix-message-size>>
- { p: smtpd_tls_security_level, v: none }
- { p: smtp_tls_security_level, v: none }
<<postfix-message-size>>
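Review bot: no concern with the id change; the trailing context sets both smtpd_tls_security_level and smtp_tls_security_level to none, and the paragraph justifies this by Core being reachable only on institute networks, yet the same paragraph says Core relays everything else through its smarthost Front, a path the 7.13 context describes as Core reaching Front via VPN. It would help a reader to state in 8.14 that the cleartext relay is acceptable only because it rides the WireGuard tunnel, so nobody later points the smarthost at Front's public address with TLS still off.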
-<div id="outline-container-orgf520f02" class="outline-3">
-<h3 id="orgf520f02"><span class="section-number-3">8.15.</span> Configure Private Email Aliases</h3>
+<div id="outline-container-orgdc15429" class="outline-3">
+<h3 id="orgdc15429"><span class="section-number-3">8.15.</span> Configure Private Email Aliases</h3>
<div class="outline-text-3" id="text-8-15">
<p>
The institute's Core needs to deliver email addressed to institute
<div class="outline-text-3" id="text-8-15">
<p>
The institute's Core needs to deliver email addressed to institute
-<div id="outline-container-org15d1efe" class="outline-3">
-<h3 id="org15d1efe"><span class="section-number-3">8.16.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-orge1eb76c" class="outline-3">
+<h3 id="orge1eb76c"><span class="section-number-3">8.16.</span> Configure Dovecot IMAPd</h3>
<div class="outline-text-3" id="text-8-16">
<p>
Core uses Dovecot's IMAPd to store and serve member emails. As on
<div class="outline-text-3" id="text-8-16">
<p>
Core uses Dovecot's IMAPd to store and serve member emails. As on
networks, but helps to ensure privacy even when members accidentally
attempt connections from outside the private networks. For more
information about Core's role in the institute's email services, see
networks, but helps to ensure privacy even when members accidentally
attempt connections from outside the private networks. For more
information about Core's role in the institute's email services, see
<q>README.Debian</q> (in <q>/usr/share/dovecot-core/</q>) but replaces the
default "snake oil" certificate with another, signed by the institute.
(For more information about the institute's X.509 certificates, see
<q>README.Debian</q> (in <q>/usr/share/dovecot-core/</q>) but replaces the
default "snake oil" certificate with another, signed by the institute.
(For more information about the institute's X.509 certificates, see
-<div id="outline-container-org1ccd6a0" class="outline-3">
-<h3 id="org1ccd6a0"><span class="section-number-3">8.17.</span> Configure Fetchmail</h3>
+<div id="outline-container-org49154aa" class="outline-3">
+<h3 id="org49154aa"><span class="section-number-3">8.17.</span> Configure Fetchmail</h3>
<div class="outline-text-3" id="text-8-17">
<p>
Core runs a <code>fetchmail</code> for each member of the institute. Individual
<div class="outline-text-3" id="text-8-17">
<p>
Core runs a <code>fetchmail</code> for each member of the institute. Individual
<span class="org-variable-name">Description</span>=Fetchmail --idle task for {{ item }}.
<span class="org-variable-name">AssertPathExists</span>=/home/{{ item }}/.fetchmailrc
<span class="org-variable-name">After</span>=wg-quick@wg0.service
<span class="org-variable-name">Description</span>=Fetchmail --idle task for {{ item }}.
<span class="org-variable-name">AssertPathExists</span>=/home/{{ item }}/.fetchmailrc
<span class="org-variable-name">After</span>=wg-quick@wg0.service
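Review bot: the id change is fine; in the unit-file context after it, After=wg-quick@wg0.service only orders the fetchmail task after the tunnel at boot and does not make the task depend on it, so the task still starts when the tunnel is down or has been stopped. If the intent is that the task follow the tunnel, the unit also needs a Requires= or BindsTo=wg-quick@wg0.service line; that line may exist outside the shown context, in which case this is only a request to include it in the patch.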
-<div id="outline-container-org9d92b3b" class="outline-3">
-<h3 id="org9d92b3b"><span class="section-number-3">8.18.</span> Configure Apache2 <a id="orgad9a8c8"></a></h3>
+<div id="outline-container-org663059e" class="outline-3">
+<h3 id="org663059e"><span class="section-number-3">8.18.</span> Configure Apache2 <a id="org9ee6313"></a></h3>
<div class="outline-text-3" id="text-8-18">
<p>
This is the small institute's campus web server. It hosts several web
<div class="outline-text-3" id="text-8-18">
<p>
This is the small institute's campus web server. It hosts several web
-<div id="outline-container-orgf1ab332" class="outline-3">
-<h3 id="orgf1ab332"><span class="section-number-3">8.19.</span> Configure Website Updates</h3>
+<div id="outline-container-org31ea0cd" class="outline-3">
+<h3 id="org31ea0cd"><span class="section-number-3">8.19.</span> Configure Website Updates</h3>
<div class="outline-text-3" id="text-8-19">
<p>
Monkey on Core runs <q>/usr/local/sbin/webupdate</q> every 15 minutes via a
<div class="outline-text-3" id="text-8-19">
<p>
Monkey on Core runs <q>/usr/local/sbin/webupdate</q> every 15 minutes via a
</span><span class="org-comment-delimiter">#</span><span class="org-comment">
</span><span class="org-comment-delimiter"># </span><span class="org-comment">DO NOT EDIT.
</span><span class="org-comment-delimiter">#</span><span class="org-comment">
</span><span class="org-comment-delimiter">#</span><span class="org-comment">
</span><span class="org-comment-delimiter"># </span><span class="org-comment">DO NOT EDIT.
</span><span class="org-comment-delimiter">#</span><span class="org-comment">
<p>
The following tasks install the <q>webupdate</q> script from <a href="private/"><q>private/</q></a>,
and create Monkey's <code>cron</code> job. An example <q>webupdate</q> script is
<p>
The following tasks install the <q>webupdate</q> script from <a href="private/"><q>private/</q></a>,
and create Monkey's <code>cron</code> job. An example <q>webupdate</q> script is
-<div id="outline-container-org8b4f5c4" class="outline-3">
-<h3 id="org8b4f5c4"><span class="section-number-3">8.20.</span> Configure Core WireGuard™ Interface</h3>
+<div id="outline-container-orga73db31" class="outline-3">
+<h3 id="orga73db31"><span class="section-number-3">8.20.</span> Configure Core WireGuard™ Interface</h3>
<div class="outline-text-3" id="text-8-20">
<p>
Core connects to Front's WireGuard™ service to provide members abroad
<div class="outline-text-3" id="text-8-20">
<p>
Core connects to Front's WireGuard™ service to provide members abroad
<a href="roles_t/core/tasks/main.yml"><q>roles_t/core/tasks/main.yml</q></a><pre class="src src-conf"><code>
- name: Enable IP forwarding.
become: yes
<a href="roles_t/core/tasks/main.yml"><q>roles_t/core/tasks/main.yml</q></a><pre class="src src-conf"><code>
- name: Enable IP forwarding.
become: yes
<div class="org-src-container">
<a href="roles_t/core/handlers/main.yml"><q>roles_t/core/handlers/main.yml</q></a><pre class="src src-conf"><code>
<div class="org-src-container">
<a href="roles_t/core/handlers/main.yml"><q>roles_t/core/handlers/main.yml</q></a><pre class="src src-conf"><code>
-<div id="outline-container-org8bbdf0c" class="outline-3">
-<h3 id="org8bbdf0c"><span class="section-number-3">8.21.</span> Configure NAGIOS</h3>
+<div id="outline-container-orgfda5a2f" class="outline-3">
+<h3 id="orgfda5a2f"><span class="section-number-3">8.21.</span> Configure NAGIOS</h3>
<div class="outline-text-3" id="text-8-21">
<p>
Core runs a <code>nagios4</code> server to monitor "services" on institute hosts.
<div class="outline-text-3" id="text-8-21">
<p>
Core runs a <code>nagios4</code> server to monitor "services" on institute hosts.
-<div id="outline-container-org1a78222" class="outline-4">
-<h4 id="org1a78222"><span class="section-number-4">8.21.1.</span> Configure NAGIOS Monitors for Core</h4>
+<div id="outline-container-org0bc858c" class="outline-4">
+<h4 id="org0bc858c"><span class="section-number-4">8.21.1.</span> Configure NAGIOS Monitors for Core</h4>
<div class="outline-text-4" id="text-8-21-1">
<p>
The first block in <q>nagios.cfg</q> specifies monitors for services on
<div class="outline-text-4" id="text-8-21-1">
<p>
The first block in <q>nagios.cfg</q> specifies monitors for services on
-<div id="outline-container-org2bfef80" class="outline-4">
-<h4 id="org2bfef80"><span class="section-number-4">8.21.2.</span> Custom NAGIOS Monitor <code>inst_sensors</code></h4>
+<div id="outline-container-org2ef8474" class="outline-4">
+<h4 id="org2ef8474"><span class="section-number-4">8.21.2.</span> Custom NAGIOS Monitor <code>inst_sensors</code></h4>
<div class="outline-text-4" id="text-8-21-2">
<p>
The <code>check_sensors</code> plugin is included in the package
<div class="outline-text-4" id="text-8-21-2">
<p>
The <code>check_sensors</code> plugin is included in the package
-<div id="outline-container-org48ecec9" class="outline-4">
-<h4 id="org48ecec9"><span class="section-number-4">8.21.3.</span> Configure NAGIOS Monitors for Remote Hosts</h4>
+<div id="outline-container-org20f5369" class="outline-4">
+<h4 id="org20f5369"><span class="section-number-4">8.21.3.</span> Configure NAGIOS Monitors for Remote Hosts</h4>
<div class="outline-text-4" id="text-8-21-3">
<p>
The following sections contain code blocks specifying monitors for
<div class="outline-text-4" id="text-8-21-3">
<p>
The following sections contain code blocks specifying monitors for
commands are defined in code blocks interleaved with the blocks that
monitor them. The command blocks are appended to <q>nrpe.cfg</q> and the
monitoring blocks to <q>nagios.cfg</q>. The <q>nrpe.cfg</q> file is installed
commands are defined in code blocks interleaved with the blocks that
monitor them. The command blocks are appended to <q>nrpe.cfg</q> and the
monitoring blocks to <q>nagios.cfg</q>. The <q>nrpe.cfg</q> file is installed
-<div id="outline-container-orgbd4232b" class="outline-4">
-<h4 id="orgbd4232b"><span class="section-number-4">8.21.4.</span> Configure NAGIOS Monitors for Gate</h4>
+<div id="outline-container-orgbb4c911" class="outline-4">
+<h4 id="orgbb4c911"><span class="section-number-4">8.21.4.</span> Configure NAGIOS Monitors for Gate</h4>
<div class="outline-text-4" id="text-8-21-4">
<p>
Define the monitored host, <code>gate</code>. Monitor its response to network
<div class="outline-text-4" id="text-8-21-4">
<p>
Define the monitored host, <code>gate</code>. Monitor its response to network
-<div id="outline-container-orgd15fea3" class="outline-3">
-<h3 id="orgd15fea3"><span class="section-number-3">8.22.</span> Configure Backups</h3>
+<div id="outline-container-orga6a8f60" class="outline-3">
+<h3 id="orga6a8f60"><span class="section-number-3">8.22.</span> Configure Backups</h3>
<div class="outline-text-3" id="text-8-22">
<p>
The following task installs the <q>backup</q> script from <a href="private/"><q>private/</q></a>. An
<div class="outline-text-3" id="text-8-22">
<p>
The following task installs the <q>backup</q> script from <a href="private/"><q>private/</q></a>. An
-<div id="outline-container-orgfffdf5a" class="outline-3">
-<h3 id="orgfffdf5a"><span class="section-number-3">8.23.</span> Configure Nextcloud</h3>
+<div id="outline-container-org3c73064" class="outline-3">
+<h3 id="org3c73064"><span class="section-number-3">8.23.</span> Configure Nextcloud</h3>
<div class="outline-text-3" id="text-8-23">
<p>
Core runs Nextcloud to provide a private institute cloud, as described
<div class="outline-text-3" id="text-8-23">
<p>
Core runs Nextcloud to provide a private institute cloud, as described
upgrading Nextcloud are manual processes documented in <a href="https://docs.nextcloud.com/server/stable/admin_manual/maintenance/">The Nextcloud
Admin Manual, Maintenance</a>. However Ansible can help prepare Core
before an install or restore, and perform basic security checks
afterwards.
</p>
</div>
upgrading Nextcloud are manual processes documented in <a href="https://docs.nextcloud.com/server/stable/admin_manual/maintenance/">The Nextcloud
Admin Manual, Maintenance</a>. However Ansible can help prepare Core
before an install or restore, and perform basic security checks
afterwards.
</p>
</div>
-<div id="outline-container-orgb0cde02" class="outline-4">
-<h4 id="orgb0cde02"><span class="section-number-4">8.23.1.</span> Prepare Core For Nextcloud</h4>
+<div id="outline-container-orgf6d36e2" class="outline-4">
+<h4 id="orgf6d36e2"><span class="section-number-4">8.23.1.</span> Prepare Core For Nextcloud</h4>
<div class="outline-text-4" id="text-8-23-1">
<p>
The Ansible code contained herein prepares Core to run Nextcloud by
<div class="outline-text-4" id="text-8-23-1">
<p>
The Ansible code contained herein prepares Core to run Nextcloud by
-<div id="outline-container-orgf615fe8" class="outline-4">
-<h4 id="orgf615fe8"><span class="section-number-4">8.23.2.</span> Configure PHP</h4>
+<div id="outline-container-org13cdb80" class="outline-4">
+<h4 id="org13cdb80"><span class="section-number-4">8.23.2.</span> Configure PHP</h4>
<div class="outline-text-4" id="text-8-23-2">
<p>
The following tasks set a number of PHP parameters for better
<div class="outline-text-4" id="text-8-23-2">
<p>
The following tasks set a number of PHP parameters for better
-<div id="outline-container-orgd31c86c" class="outline-4">
-<h4 id="orgd31c86c"><span class="section-number-4">8.23.3.</span> Create <q>/Nextcloud/</q></h4>
+<div id="outline-container-org9f538c9" class="outline-4">
+<h4 id="org9f538c9"><span class="section-number-4">8.23.3.</span> Create <q>/Nextcloud/</q></h4>
<div class="outline-text-4" id="text-8-23-3">
<p>
The Ansible tasks up to this point have completed Core's LAMP stack
<div class="outline-text-4" id="text-8-23-3">
<p>
The Ansible tasks up to this point have completed Core's LAMP stack
-<div id="outline-container-org0fcce13" class="outline-4">
-<h4 id="org0fcce13"><span class="section-number-4">8.23.4.</span> Restore Nextcloud</h4>
+<div id="outline-container-org755e8f8" class="outline-4">
+<h4 id="org755e8f8"><span class="section-number-4">8.23.4.</span> Restore Nextcloud</h4>
<div class="outline-text-4" id="text-8-23-4">
<p>
Restoring Nextcloud in the newly created <q>/Nextcloud/</q> presumably
<div class="outline-text-4" id="text-8-23-4">
<p>
Restoring Nextcloud in the newly created <q>/Nextcloud/</q> presumably
-<div id="outline-container-org4a5a9ec" class="outline-4">
-<h4 id="org4a5a9ec"><span class="section-number-4">8.23.5.</span> Install Nextcloud</h4>
+<div id="outline-container-org765a566" class="outline-4">
+<h4 id="org765a566"><span class="section-number-4">8.23.5.</span> Install Nextcloud</h4>
<div class="outline-text-4" id="text-8-23-5">
<p>
Installing Nextcloud in the newly created <q>/Nextcloud/</q> starts with
<div class="outline-text-4" id="text-8-23-5">
<p>
Installing Nextcloud in the newly created <q>/Nextcloud/</q> starts with
-<div id="outline-container-org348c162" class="outline-4">
-<h4 id="org348c162"><span class="section-number-4">8.23.6.</span> Afterwards</h4>
+<div id="outline-container-org3e4c6ed" class="outline-4">
+<h4 id="org3e4c6ed"><span class="section-number-4">8.23.6.</span> Afterwards</h4>
<div class="outline-text-4" id="text-8-23-6">
<p>
Whether Nextcloud was restored or installed, there are a few things
<div class="outline-text-4" id="text-8-23-6">
<p>
Whether Nextcloud was restored or installed, there are a few things
-<div id="outline-container-orgc20d3a1" class="outline-2">
-<h2 id="orgc20d3a1"><span class="section-number-2">9.</span> The Gate Role</h2>
+<div id="outline-container-org4b52960" class="outline-2">
+<h2 id="org4b52960"><span class="section-number-2">9.</span> The Gate Role</h2>
<div class="outline-text-2" id="text-9">
<p>
The <code>gate</code> role configures the services expected at the campus gate:
access to the private Ethernet from the untrusted Ethernet (e.g. a
campus Wi-Fi AP) via VPN, and access to the Internet via NAT. The
<div class="outline-text-2" id="text-9">
<p>
The <code>gate</code> role configures the services expected at the campus gate:
access to the private Ethernet from the untrusted Ethernet (e.g. a
campus Wi-Fi AP) via VPN, and access to the Internet via NAT. The
-<div id="outline-container-org672f4d7" class="outline-3">
-<h3 id="org672f4d7"><span class="section-number-3">9.1.</span> Role Defaults</h3>
+<div id="outline-container-org3947934" class="outline-3">
+<h3 id="org3947934"><span class="section-number-3">9.1.</span> Role Defaults</h3>
-<div id="outline-container-org5f534ee" class="outline-3">
-<h3 id="org5f534ee"><span class="section-number-3">9.2.</span> Include Particulars</h3>
+<div id="outline-container-org80ce321" class="outline-3">
+<h3 id="org80ce321"><span class="section-number-3">9.2.</span> Include Particulars</h3>
-<div id="outline-container-org855a3c9" class="outline-3">
-<h3 id="org855a3c9"><span class="section-number-3">9.3.</span> Configure Gate NetworkD</h3>
+<div id="outline-container-org83aa08b" class="outline-3">
+<h3 id="org83aa08b"><span class="section-number-3">9.3.</span> Configure Gate NetworkD</h3>
<div class="outline-text-3" id="text-9-3">
<p>
Gate's network interfaces are configured using SystemD NetworkD
<div class="outline-text-3" id="text-9-3">
<p>
Gate's network interfaces are configured using SystemD NetworkD
-<div id="outline-container-orgf13c434" class="outline-4">
-<h4 id="orgf13c434"><span class="section-number-4">9.3.1.</span> Gate's <code>lan</code> Interface</h4>
+<div id="outline-container-org27bfefc" class="outline-4">
+<h4 id="org27bfefc"><span class="section-number-4">9.3.1.</span> Gate's <code>lan</code> Interface</h4>
<div class="outline-text-4" id="text-9-3-1">
<p>
The campus Ethernet interface is named <code>lan</code> and configured by
<div class="outline-text-4" id="text-9-3-1">
<p>
The campus Ethernet interface is named <code>lan</code> and configured by
-<div id="outline-container-orgc0e3cf1" class="outline-4">
-<h4 id="orgc0e3cf1"><span class="section-number-4">9.3.2.</span> Gate's <code>wild</code> Interface</h4>
+<div id="outline-container-org7bf5f70" class="outline-4">
+<h4 id="org7bf5f70"><span class="section-number-4">9.3.2.</span> Gate's <code>wild</code> Interface</h4>
<div class="outline-text-4" id="text-9-3-2">
<p>
The institute keeps the wild ones off the campus Ethernet. Its wild
<div class="outline-text-4" id="text-9-3-2">
<p>
The institute keeps the wild ones off the campus Ethernet. Its wild
-<div id="outline-container-orgad8e76f" class="outline-4">
-<h4 id="orgad8e76f"><span class="section-number-4">9.3.3.</span> Gate's <code>isp</code> Interface</h4>
+<div id="outline-container-orga3e4e2e" class="outline-4">
+<h4 id="orga3e4e2e"><span class="section-number-4">9.3.3.</span> Gate's <code>isp</code> Interface</h4>
<div class="outline-text-4" id="text-9-3-3">
<p>
The interface to the campus ISP is named <code>isp</code> and configured by
<div class="outline-text-4" id="text-9-3-3">
<p>
The interface to the campus ISP is named <code>isp</code> and configured by
-<div id="outline-container-org918b895" class="outline-3">
-<h3 id="org918b895"><span class="section-number-3">9.4.</span> Configure Gate ResolveD</h3>
+<div id="outline-container-org7dc91ca" class="outline-3">
+<h3 id="org7dc91ca"><span class="section-number-3">9.4.</span> Configure Gate ResolveD</h3>
<div class="outline-text-3" id="text-9-4">
<p>
Gate provides name service on the wild Ethernet by having its "stub
<div class="outline-text-3" id="text-9-4">
<p>
Gate provides name service on the wild Ethernet by having its "stub
-<div id="outline-container-org2d280de" class="outline-3">
-<h3 id="org2d280de"><span class="section-number-3">9.5.</span> UFW Rules</h3>
+<div id="outline-container-org1c59284" class="outline-3">
+<h3 id="org1c59284"><span class="section-number-3">9.5.</span> UFW Rules</h3>
<div class="outline-text-3" id="text-9-5">
<p>
Gate uses the Uncomplicated FireWall (UFW) to install its packet
<div class="outline-text-3" id="text-9-5">
<p>
Gate uses the Uncomplicated FireWall (UFW) to install its packet
<p>
NAT is enabled per the <code>ufw-framework(8)</code> manual page, by introducing
<code>nat</code> table rules in a block at the end of <q>/etc/ufw/before.rules</q>.
<p>
NAT is enabled per the <code>ufw-framework(8)</code> manual page, by introducing
<code>nat</code> table rules in a block at the end of <q>/etc/ufw/before.rules</q>.
-They translate packets going to the ISP. These can come from the
-private Ethernet or the untrusted Ethernet (campus IoT, including
-Wi-Fi APs). Hosts on the other institute networks (the two VPNs)
-should not be routing their Internet traffic through their VPN.
+The rules translate packets going to the ISP. These packets can come
+from the private Ethernet or the wild Ethernet. Hosts on the other
+institute networks (the two VPNs) should not be routing their Internet
+traffic through their WireGuard™ interface.
Forwarding rules are also needed. The <code>nat</code> table is a <i>post</i> routing
rule set, so the default routing policy (<code>DENY</code>) will drop packets
before NAT can translate them. The following rules are added to allow
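Review bot: the rewritten sentence drops the old text's explanation of what the wild Ethernet carries ("campus IoT, including Wi-Fi APs"); unless the wild Ethernet is defined nearby, keep that parenthetical so the reader knows which hosts are being NATed. The added closing sentence says VPN hosts "should not be routing their Internet traffic through their WireGuard™ interface" but not what happens if they do; since the text states the rules translate packets going to the ISP, say whether the `nat` block restricts the source to the two Ethernets or merely assumes it, because that is the difference between a policy and an enforced control.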
-packets to be forwarded from the campus Ethernet or its wild subnet to
-an ISP on the <code>isp</code> interface. A generic routing rule in UFW accepts
-any related or established packet (according to the kernel's
-connection tracking).
+packets to be forwarded from the campus or wild Ethernets to an ISP on
+the <code>isp</code> interface. A generic routing rule in UFW accepts any
+related or established packet (according to the kernel's connection
+tracking).
-A ufw-before-forward -i wild -o isp -j ACCEPT
</code></pre>
</div>
<p>
Forwarding rules are also needed to route packets from the campus VPN
-A ufw-before-forward -i wild -o isp -j ACCEPT
</code></pre>
</div>
<p>
Forwarding rules are also needed to route packets from the campus VPN
The public VPN on Front will also be included since its packets arrive
at Gate's <code>lan</code> interface, coming from Core. Thus forwarding between
public and campus VPNs is also allowed.
</p>
<div class="org-src-container">
The public VPN on Front will also be included since its packets arrive
at Gate's <code>lan</code> interface, coming from Core. Thus forwarding between
public and campus VPNs is also allowed.
</p>
<div class="org-src-container">
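Review bot: the reworded sentence still only says forwarding is allowed "to an ISP on the `isp` interface"; the visible rule `-A ufw-before-forward -i wild -o isp -j ACCEPT` accepts any new connection from the wild Ethernet toward the ISP, with only related or established traffic accepted back by the generic rule the paragraph mentions. Consider stating that plainly (wild hosts get unrestricted outbound Internet, nothing inbound) so readers understand the exposure of the IoT devices placed on `wild`; "an ISP" should also be "the ISP", matching the rest of the section.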
-the <code>wild</code> device to the <code>lan</code> device, just the <code>wg0</code> device.
+the <code>wild</code> device to the <code>lan</code> device, only from <code>wg0</code> device is
+forwarded to <code>lan</code>.
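Review bot: the new wording "only from `wg0` device is forwarded to `lan`" is ungrammatical and loses the contrast the old sentence made; suggest "not from the `wild` device to the `lan` device; only packets from the `wg0` device are forwarded to `lan`." Stating it as two clauses also makes the security point explicit: the wild Ethernet never reaches the campus Ethernet directly, only VPN clients do.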
-<div id="outline-container-orge61dbae" class="outline-3">
-<h3 id="orge61dbae"><span class="section-number-3">9.6.</span> Configure UFW</h3>
+<div id="outline-container-orgf03d906" class="outline-3">
+<h3 id="orgf03d906"><span class="section-number-3">9.6.</span> Configure UFW</h3>
<div class="outline-text-3" id="text-9-6">
<p>
The following tasks install the Uncomplicated Firewall (UFW), set its
<div class="outline-text-3" id="text-9-6">
<p>
The following tasks install the Uncomplicated Firewall (UFW), set its
-<div id="outline-container-orge9a8828" class="outline-3">
-<h3 id="orge9a8828"><span class="section-number-3">9.7.</span> Configure Campus WireGuard™ Subnet</h3>
+<div id="outline-container-orgeec3599" class="outline-3">
+<h3 id="orgeec3599"><span class="section-number-3">9.7.</span> Configure Campus WireGuard™ Subnet</h3>
<div class="outline-text-3" id="text-9-7">
<p>
Gate uses WireGuard™ to provide a campus VPN service. Gate's routes
<div class="outline-text-3" id="text-9-7">
<p>
Gate uses WireGuard™ to provide a campus VPN service. Gate's routes
<a href="roles_t/gate/tasks/main.yml"><q>roles_t/gate/tasks/main.yml</q></a><pre class="src src-conf"><code>
- name: Enable IP forwarding.
become: yes
<a href="roles_t/gate/tasks/main.yml"><q>roles_t/gate/tasks/main.yml</q></a><pre class="src src-conf"><code>
- name: Enable IP forwarding.
become: yes
<div class="org-src-container">
<a href="roles_t/gate/handlers/main.yml"><q>roles_t/gate/handlers/main.yml</q></a><pre class="src src-conf"><code>
<div class="org-src-container">
<a href="roles_t/gate/handlers/main.yml"><q>roles_t/gate/handlers/main.yml</q></a><pre class="src src-conf"><code>
-<div id="outline-container-org7f85baa" class="outline-4">
-<h4 id="org7f85baa"><span class="section-number-4">9.7.1.</span> Example <q>private/gate-wg0.conf</q></h4>
+<div id="outline-container-org832194b" class="outline-4">
+<h4 id="org832194b"><span class="section-number-4">9.7.1.</span> Example <q>private/gate-wg0.conf</q></h4>
<div class="outline-text-4" id="text-9-7-1">
<p>
The example <q>private/gate-wg0.conf</q> below recognizes a wired IoT
<div class="outline-text-4" id="text-9-7-1">
<p>
The example <q>private/gate-wg0.conf</q> below recognizes a wired IoT
-<div id="outline-container-org1db4cb2" class="outline-2">
-<h2 id="org1db4cb2"><span class="section-number-2">10.</span> The Campus Role</h2>
+<div id="outline-container-org2a84069" class="outline-2">
+<h2 id="org2a84069"><span class="section-number-2">10.</span> The Campus Role</h2>
<div class="outline-text-2" id="text-10">
<p>
The <code>campus</code> role configures generic campus server machines: network
<div class="outline-text-2" id="text-10">
<p>
The <code>campus</code> role configures generic campus server machines: network
-<div id="outline-container-org7eda8dd" class="outline-3">
-<h3 id="org7eda8dd"><span class="section-number-3">10.1.</span> Role Defaults</h3>
+<div id="outline-container-orga279c9d" class="outline-3">
+<h3 id="orga279c9d"><span class="section-number-3">10.1.</span> Role Defaults</h3>
-<div id="outline-container-org4b7e0aa" class="outline-3">
-<h3 id="org4b7e0aa"><span class="section-number-3">10.2.</span> Include Particulars</h3>
+<div id="outline-container-org3a0ddfc" class="outline-3">
+<h3 id="org3a0ddfc"><span class="section-number-3">10.2.</span> Include Particulars</h3>
-<div id="outline-container-orgf9c7a74" class="outline-3">
-<h3 id="orgf9c7a74"><span class="section-number-3">10.3.</span> Configure Hostname</h3>
+<div id="outline-container-orge6319fe" class="outline-3">
+<h3 id="orge6319fe"><span class="section-number-3">10.3.</span> Configure Hostname</h3>
-<div id="outline-container-org4ebb2ec" class="outline-3">
-<h3 id="org4ebb2ec"><span class="section-number-3">10.4.</span> Configure Systemd Timesyncd</h3>
+<div id="outline-container-org2157bb4" class="outline-3">
+<h3 id="org2157bb4"><span class="section-number-3">10.4.</span> Configure Systemd Timesyncd</h3>
<div class="outline-text-3" id="text-10-4">
<p>
The institute uses a common time reference throughout the campus.
<div class="outline-text-3" id="text-10-4">
<p>
The institute uses a common time reference throughout the campus.
<span class="org-variable-name">line: NTP</span>=ntp.{{ domain_priv }}
notify: Restart systemd-timesyncd.
-<div id="outline-container-org7d73154" class="outline-3">
-<h3 id="org7d73154"><span class="section-number-3">10.5.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org1df1d5c" class="outline-3">
+<h3 id="org1df1d5c"><span class="section-number-3">10.5.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-10-5">
<p>
The administrator often needs to read (directories of) log files owned
<div class="outline-text-3" id="text-10-5">
<p>
The administrator often needs to read (directories of) log files owned
-<div id="outline-container-orgfffc3c9" class="outline-3">
-<h3 id="orgfffc3c9"><span class="section-number-3">10.6.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org739a3ff" class="outline-3">
+<h3 id="org739a3ff"><span class="section-number-3">10.6.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-10-6">
<p>
The institute prefers to install security updates as soon as possible.
<div class="outline-text-3" id="text-10-6">
<p>
The institute prefers to install security updates as soon as possible.
-<div id="outline-container-org29a578d" class="outline-3">
-<h3 id="org29a578d"><span class="section-number-3">10.7.</span> Configure Postfix on Campus</h3>
+<div id="outline-container-org8bc6f75" class="outline-3">
+<h3 id="org8bc6f75"><span class="section-number-3">10.7.</span> Configure Postfix on Campus</h3>
<div class="outline-text-3" id="text-10-7">
<p>
The Postfix settings used by the campus include message size, queue
<div class="outline-text-3" id="text-10-7">
<p>
The Postfix settings used by the campus include message size, queue
-<div id="outline-container-org2acf0b2" class="outline-3">
-<h3 id="org2acf0b2"><span class="section-number-3">10.8.</span> Set Domain Name</h3>
+<div id="outline-container-org2a646f7" class="outline-3">
+<h3 id="org2a646f7"><span class="section-number-3">10.8.</span> Set Domain Name</h3>
<div class="outline-text-3" id="text-10-8">
<p>
The host's fully qualified (private) domain name (FQDN) is set by an
<div class="outline-text-3" id="text-10-8">
<p>
The host's fully qualified (private) domain name (FQDN) is set by an
-<div id="outline-container-orgd1cea9c" class="outline-3">
-<h3 id="orgd1cea9c"><span class="section-number-3">10.9.</span> Configure NRPE</h3>
+<div id="outline-container-orgadce02c" class="outline-3">
+<h3 id="orgadce02c"><span class="section-number-3">10.9.</span> Configure NRPE</h3>
<div class="outline-text-3" id="text-10-9">
<p>
Each campus host runs an NRPE (a NAGIOS Remote Plugin Executor)
server so that the NAGIOS4 server on Core can collect statistics. The
<div class="outline-text-3" id="text-10-9">
<p>
Each campus host runs an NRPE (a NAGIOS Remote Plugin Executor)
server so that the NAGIOS4 server on Core can collect statistics. The
-<div id="outline-container-orgbe73861" class="outline-2">
-<h2 id="orgbe73861"><span class="section-number-2">11.</span> The Ansible Configuration</h2>
+<div id="outline-container-orge0896ae" class="outline-2">
+<h2 id="orge0896ae"><span class="section-number-2">11.</span> The Ansible Configuration</h2>
<div class="outline-text-2" id="text-11">
<p>
The small institute uses Ansible to maintain the configuration of its
<div class="outline-text-2" id="text-11">
<p>
The small institute uses Ansible to maintain the configuration of its
role(s) to each host. Examples of these files are included here, and
are used to test the roles. The example configuration applies the
institutional roles to VirtualBox machines prepared according to
-<div id="outline-container-orgb32b7ad" class="outline-3">
-<h3 id="orgb32b7ad"><span class="section-number-3">11.1.</span> <q>ansible.cfg</q></h3>
+<div id="outline-container-org24cb4b1" class="outline-3">
+<h3 id="org24cb4b1"><span class="section-number-3">11.1.</span> <q>ansible.cfg</q></h3>
<div class="outline-text-3" id="text-11-1">
<p>
The Ansible configuration file <a href="ansible.cfg"><q>ansible.cfg</q></a> contains just a handful
of settings, some included just to create a test jig as described in
<div class="outline-text-3" id="text-11-1">
<p>
The Ansible configuration file <a href="ansible.cfg"><q>ansible.cfg</q></a> contains just a handful
of settings, some included just to create a test jig as described in
that Python 3 can be expected on all institute hosts.</li>
<li><code>vault_password_file</code> is set to suppress prompts for the vault
password. The institute keeps its vault password in <a href="Secret/"><q>Secret/</q></a> (as
that Python 3 can be expected on all institute hosts.</li>
<li><code>vault_password_file</code> is set to suppress prompts for the vault
password. The institute keeps its vault password in <a href="Secret/"><q>Secret/</q></a> (as
<a href="Secret/vault-password"><q>Secret/vault-password</q></a>.</li>
<li><code>inventory</code> is set to avoid specifying it on the command line.</li>
<li><code>roles_path</code> is set to the recently tangled roles files in
<a href="Secret/vault-password"><q>Secret/vault-password</q></a>.</li>
<li><code>inventory</code> is set to avoid specifying it on the command line.</li>
<li><code>roles_path</code> is set to the recently tangled roles files in
-<div id="outline-container-orgc5d31e6" class="outline-3">
-<h3 id="orgc5d31e6"><span class="section-number-3">11.2.</span> <q>hosts</q></h3>
+<div id="outline-container-orge4f8016" class="outline-3">
+<h3 id="orge4f8016"><span class="section-number-3">11.2.</span> <q>hosts</q></h3>
<div class="outline-text-3" id="text-11-2">
<p>
The Ansible inventory file <a href="hosts"><q>hosts</q></a> describes all of the institute's
<div class="outline-text-3" id="text-11-2">
<p>
The Ansible inventory file <a href="hosts"><q>hosts</q></a> describes all of the institute's
-<div id="outline-container-orgc9c629f" class="outline-3">
-<h3 id="orgc9c629f"><span class="section-number-3">11.3.</span> <q>playbooks/site.yml</q></h3>
+<div id="outline-container-org72dca4d" class="outline-3">
+<h3 id="org72dca4d"><span class="section-number-3">11.3.</span> <q>playbooks/site.yml</q></h3>
<div class="outline-text-3" id="text-11-3">
<p>
The example <a href="playbooks/site.yml"><q>playbooks/site.yml</q></a> playbook (below) applies the
<div class="outline-text-3" id="text-11-3">
<p>
The example <a href="playbooks/site.yml"><q>playbooks/site.yml</q></a> playbook (below) applies the
-<div id="outline-container-orgc6594c5" class="outline-3">
-<h3 id="orgc6594c5"><span class="section-number-3">11.4.</span> <q>Secret/vault-password</q></h3>
+<div id="outline-container-org44a8214" class="outline-3">
+<h3 id="org44a8214"><span class="section-number-3">11.4.</span> <q>Secret/vault-password</q></h3>
<div class="outline-text-3" id="text-11-4">
<p>
As already mentioned, the small institute keeps its Ansible vault
<div class="outline-text-3" id="text-11-4">
<p>
As already mentioned, the small institute keeps its Ansible vault
-<div id="outline-container-org894bb3d" class="outline-3">
-<h3 id="org894bb3d"><span class="section-number-3">11.5.</span> Creating A Working Ansible Configuration</h3>
+<div id="outline-container-org12e6cd9" class="outline-3">
+<h3 id="org12e6cd9"><span class="section-number-3">11.5.</span> Creating A Working Ansible Configuration</h3>
<div class="outline-text-3" id="text-11-5">
<p>
A working Ansible configuration can be "tangled" from this document to
<div class="outline-text-3" id="text-11-5">
<p>
A working Ansible configuration can be "tangled" from this document to
tangling is done by Emacs's <code>org-babel-tangle</code> function and has
already been performed with the resulting tangle included in the
distribution with this document.
<q>public/</q> and <q>private/</q>.</li>
<li><q>~/network/Secret</q> would be a symbolic link to the (auto-mounted?)
location of the administrator's encrypted USB drive, as described in
<q>public/</q> and <q>private/</q>.</li>
<li><q>~/network/Secret</q> would be a symbolic link to the (auto-mounted?)
location of the administrator's encrypted USB drive, as described in
-<div id="outline-container-orgedf57be" class="outline-3">
-<h3 id="orgedf57be"><span class="section-number-3">11.6.</span> Maintaining A Working Ansible Configuration</h3>
+<div id="outline-container-org130e5c0" class="outline-3">
+<h3 id="org130e5c0"><span class="section-number-3">11.6.</span> Maintaining A Working Ansible Configuration</h3>
<div class="outline-text-3" id="text-11-6">
<p>
The Ansible roles currently tangle into the <a href="roles_t/"><q>roles_t/</q></a> directory to
<div class="outline-text-3" id="text-11-6">
<p>
The Ansible roles currently tangle into the <a href="roles_t/"><q>roles_t/</q></a> directory to
-<div id="outline-container-org3b4ccaf" class="outline-2">
-<h2 id="org3b4ccaf"><span class="section-number-2">12.</span> The Institute Commands</h2>
+<div id="outline-container-org43f8955" class="outline-2">
+<h2 id="org43f8955"><span class="section-number-2">12.</span> The Institute Commands</h2>
<div class="outline-text-2" id="text-12">
<p>
The institute's administrator uses a convenience script to reliably
<div class="outline-text-2" id="text-12">
<p>
The institute's administrator uses a convenience script to reliably
-<div id="outline-container-orge144db1" class="outline-3">
-<h3 id="orge144db1"><span class="section-number-3">12.1.</span> Sub-command Blocks</h3>
+<div id="outline-container-orgf4494a3" class="outline-3">
+<h3 id="orgf4494a3"><span class="section-number-3">12.1.</span> Sub-command Blocks</h3>
<div class="outline-text-3" id="text-12-1">
<p>
The code blocks in this chapter tangle into the <a href="inst"><q>inst</q></a> script. Each
<div class="outline-text-3" id="text-12-1">
<p>
The code blocks in this chapter tangle into the <a href="inst"><q>inst</q></a> script. Each
-<div id="outline-container-org57b2ace" class="outline-3">
-<h3 id="org57b2ace"><span class="section-number-3">12.2.</span> Sanity Check</h3>
+<div id="outline-container-org0c983e7" class="outline-3">
+<h3 id="org0c983e7"><span class="section-number-3">12.2.</span> Sanity Check</h3>
<div class="outline-text-3" id="text-12-2">
<p>
The next code block does not implement a sub-command; it implements
<div class="outline-text-3" id="text-12-2">
<p>
The next code block does not implement a sub-command; it implements
-<div id="outline-container-orgad7ae99" class="outline-3">
-<h3 id="orgad7ae99"><span class="section-number-3">12.3.</span> Importing Ansible Variables</h3>
+<div id="outline-container-org21ab591" class="outline-3">
+<h3 id="org21ab591"><span class="section-number-3">12.3.</span> Importing Ansible Variables</h3>
<div class="outline-text-3" id="text-12-3">
<p>
To ensure that Ansible and <code>./inst</code> are sympatico vis-a-vi certain
<div class="outline-text-3" id="text-12-3">
<p>
To ensure that Ansible and <code>./inst</code> are sympatico vis-a-vi certain
-<div id="outline-container-orgce1d067" class="outline-3">
-<h3 id="orgce1d067"><span class="section-number-3">12.4.</span> The check-inst-vars Role</h3>
+<div id="outline-container-org8e3af24" class="outline-3">
+<h3 id="org8e3af24"><span class="section-number-3">12.4.</span> The check-inst-vars Role</h3>
<div class="outline-text-3" id="text-12-4">
<p>
This role is executed by <q>playbooks/check-inst-vars.yml</q> and is not
<div class="outline-text-3" id="text-12-4">
<p>
This role is executed by <q>playbooks/check-inst-vars.yml</q> and is not
-<div id="outline-container-orgc93805b" class="outline-3">
-<h3 id="orgc93805b"><span class="section-number-3">12.5.</span> The CA Command</h3>
+<div id="outline-container-org65c7b5a" class="outline-3">
+<h3 id="org65c7b5a"><span class="section-number-3">12.5.</span> The CA Command</h3>
<div class="outline-text-3" id="text-12-5">
<p>
The next code block implements the <code>CA</code> sub-command, which creates a
<div class="outline-text-3" id="text-12-5">
<p>
The next code block implements the <code>CA</code> sub-command, which creates a
-<div id="outline-container-org1cf99d1" class="outline-3">
-<h3 id="org1cf99d1"><span class="section-number-3">12.6.</span> The Config Command</h3>
+<div id="outline-container-orga8acaf4" class="outline-3">
+<h3 id="orga8acaf4"><span class="section-number-3">12.6.</span> The Config Command</h3>
<div class="outline-text-3" id="text-12-6">
<p>
The next code block implements the <code>config</code> sub-command, which
<div class="outline-text-3" id="text-12-6">
<p>
The next code block implements the <code>config</code> sub-command, which
-<div id="outline-container-org07823eb" class="outline-3">
-<h3 id="org07823eb"><span class="section-number-3">12.7.</span> Account Management</h3>
+<div id="outline-container-org38c0efd" class="outline-3">
+<h3 id="org38c0efd"><span class="section-number-3">12.7.</span> Account Management</h3>
<div class="outline-text-3" id="text-12-7">
<p>
For general information about members and their Unix accounts, see
<div class="outline-text-3" id="text-12-7">
<p>
For general information about members and their Unix accounts, see
associating member "usernames" (Unix account names) with their
records. The mapping is stored among other things in
<q>private/members.yml</q> as the value associated with the key <code>members</code>.
membership_rolls:
- <span class="org-string">"../private/members.yml"</span>
- <span class="org-string">"../private/members-empty.yml"</span>
-<div id="outline-container-org370f53d" class="outline-3">
-<h3 id="org370f53d"><span class="section-number-3">12.8.</span> The New Command</h3>
+<div id="outline-container-org203c192" class="outline-3">
+<h3 id="org203c192"><span class="section-number-3">12.8.</span> The New Command</h3>
<div class="outline-text-3" id="text-12-8">
<p>
The next code block implements the <code>new</code> sub-command. It adds a new
<div class="outline-text-3" id="text-12-8">
<p>
The next code block implements the <code>new</code> sub-command. It adds a new
-<div id="outline-container-orgcbb6ef6" class="outline-3">
-<h3 id="orgcbb6ef6"><span class="section-number-3">12.9.</span> The Pass Command</h3>
+<div id="outline-container-orgaed3cbb" class="outline-3">
+<h3 id="orgaed3cbb"><span class="section-number-3">12.9.</span> The Pass Command</h3>
<div class="outline-text-3" id="text-12-9">
<p>
The institute's <code>passwd</code> command on Core securely emails <code>root</code> with a
<div class="outline-text-3" id="text-12-9">
<p>
The institute's <code>passwd</code> command on Core securely emails <code>root</code> with a
-<div id="outline-container-orgaa25b82" class="outline-4">
-<h4 id="orgaa25b82"><span class="section-number-4">12.9.1.</span> Less Aggressive passwd.</h4>
+<div id="outline-container-org490d591" class="outline-4">
+<h4 id="org490d591"><span class="section-number-4">12.9.1.</span> Less Aggressive passwd.</h4>
<div class="outline-text-4" id="text-12-9-1">
<p>
The next code block implements the less aggressive <code>passwd</code> command.
<div class="outline-text-4" id="text-12-9-1">
<p>
The next code block implements the less aggressive <code>passwd</code> command.
-<div id="outline-container-org3118dd0" class="outline-4">
-<h4 id="org3118dd0"><span class="section-number-4">12.9.2.</span> Less Aggressive Pass Command</h4>
+<div id="outline-container-org53cb66d" class="outline-4">
+<h4 id="org53cb66d"><span class="section-number-4">12.9.2.</span> Less Aggressive Pass Command</h4>
<div class="outline-text-4" id="text-12-9-2">
<p>
The following code block implements the <code>./inst pass</code> command, used by
<div class="outline-text-4" id="text-12-9-2">
<p>
The following code block implements the <code>./inst pass</code> command, used by
-<div id="outline-container-org4a9db39" class="outline-4">
-<h4 id="org4a9db39"><span class="section-number-4">12.9.3.</span> Installing the Less Aggressive passwd</h4>
+<div id="outline-container-org78507bd" class="outline-4">
+<h4 id="org78507bd"><span class="section-number-4">12.9.3.</span> Installing the Less Aggressive passwd</h4>
<div class="outline-text-4" id="text-12-9-3">
<p>
The following Ansible tasks install the less aggressive <code>passwd</code>
<div class="outline-text-4" id="text-12-9-3">
<p>
The following Ansible tasks install the less aggressive <code>passwd</code>
-<div id="outline-container-orgb72d7eb" class="outline-3">
-<h3 id="orgb72d7eb"><span class="section-number-3">12.10.</span> The Old Command</h3>
+<div id="outline-container-org4dae799" class="outline-3">
+<h3 id="org4dae799"><span class="section-number-3">12.10.</span> The Old Command</h3>
<div class="outline-text-3" id="text-12-10">
<p>
The <code>old</code> command disables a member's account (and thus their clients).
<div class="outline-text-3" id="text-12-10">
<p>
The <code>old</code> command disables a member's account (and thus their clients).
-<div id="outline-container-orgc49707e" class="outline-3">
-<h3 id="orgc49707e"><span class="section-number-3">12.11.</span> The Client Command</h3>
+<div id="outline-container-org7efeef2" class="outline-3">
+<h3 id="org7efeef2"><span class="section-number-3">12.11.</span> The Client Command</h3>
<div class="outline-text-3" id="text-12-11">
<p>
The <code>client</code> command registers the public key of a client wishing to
<div class="outline-text-3" id="text-12-11">
<p>
The <code>client</code> command registers the public key of a client wishing to
-<div id="outline-container-org02cf5fc" class="outline-3">
-<h3 id="org02cf5fc"><span class="section-number-3">12.12.</span> Institute Command Help</h3>
+<div id="outline-container-orgb94f0ba" class="outline-3">
+<h3 id="orgb94f0ba"><span class="section-number-3">12.12.</span> Institute Command Help</h3>
<div class="outline-text-3" id="text-12-12">
<p>
This should be the last block tangled into the <a href="inst"><q>inst</q></a> script. It
<div class="outline-text-3" id="text-12-12">
<p>
This should be the last block tangled into the <a href="inst"><q>inst</q></a> script. It
-<div id="outline-container-orgc428202" class="outline-2">
-<h2 id="orgc428202"><span class="section-number-2">13.</span> Testing</h2>
+<div id="outline-container-orgfb808de" class="outline-2">
+<h2 id="orgfb808de"><span class="section-number-2">13.</span> Testing</h2>
<div class="outline-text-2" id="text-13">
<p>
The example files in this document, <a href="ansible.cfg"><q>ansible.cfg</q></a> and <a href="hosts"><q>hosts</q></a> as well
<div class="outline-text-2" id="text-13">
<p>
The example files in this document, <a href="ansible.cfg"><q>ansible.cfg</q></a> and <a href="hosts"><q>hosts</q></a> as well
<p>
The next two sections list the steps taken to create the simulated
Core, Gate and Front machines, and connect them to their networks.
<p>
The next two sections list the steps taken to create the simulated
Core, Gate and Front machines, and connect them to their networks.
is covered in detail here where the VirtualBox hypervisor can be
assumed and exact command lines can be given (and copied during
re-testing). The remaining sections describe the manual testing
is covered in detail here where the VirtualBox hypervisor can be
assumed and exact command lines can be given (and copied during
re-testing). The remaining sections describe the manual testing
-<div id="outline-container-org4bf7b32" class="outline-3">
-<h3 id="org4bf7b32"><span class="section-number-3">13.1.</span> The Test Networks</h3>
+<div id="outline-container-orgbb6941e" class="outline-3">
+<h3 id="orgbb6941e"><span class="section-number-3">13.1.</span> The Test Networks</h3>
-<div id="outline-container-org0198504" class="outline-3">
-<h3 id="org0198504"><span class="section-number-3">13.2.</span> The Test Machines</h3>
+<div id="outline-container-org4e299ab" class="outline-3">
+<h3 id="org4e299ab"><span class="section-number-3">13.2.</span> The Test Machines</h3>
<div class="outline-text-3" id="text-13-2">
<p>
The virtual machines are created by <code>VBoxManage</code> command lines in the
following sub-sections. They each start with a recent Debian release
(e.g. <q>debian-12.5.0-amd64-netinst.iso</q>) in their simulated DVD
<div class="outline-text-3" id="text-13-2">
<p>
The virtual machines are created by <code>VBoxManage</code> command lines in the
following sub-sections. They each start with a recent Debian release
(e.g. <q>debian-12.5.0-amd64-netinst.iso</q>) in their simulated DVD
packages and keys while the machines had Internet access. They were
then moved to the new campus network where Ansible completed the
configuration without Internet access.
packages and keys while the machines had Internet access. They were
then moved to the new campus network where Ansible completed the
configuration without Internet access.
-<div id="outline-container-org72e3f47" class="outline-4">
-<h4 id="org72e3f47"><span class="section-number-4">13.2.1.</span> The Test Wireguard™ Keys <a id="org92a466e"></a></h4>
+<div id="outline-container-orgfed28f6" class="outline-4">
+<h4 id="orgfed28f6"><span class="section-number-4">13.2.1.</span> The Test Wireguard™ Keys <a id="org394c4e9"></a></h4>
<div class="outline-text-4" id="text-13-2-1">
<p>
All of the private keys used in the example/test configuration are
<div class="outline-text-4" id="text-13-2-1">
<p>
All of the private keys used in the example/test configuration are
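Review bot: this hunk changes two ids at once, the heading's own `org72e3f47`/`orgfed28f6` and the inline `<a id="org92a466e">`/`<a id="org394c4e9">` anchor inside the heading text. That inline anchor is the target of cross-references to "The Test Wireguard™ Keys" elsewhere in the document, so any reference resolved against the old export now dangles; as with the other hunks, a `:CUSTOM_ID:` on the headline would keep this anchor fixed across exports.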
-<div id="outline-container-org250d1d6" class="outline-4">
-<h4 id="org250d1d6"><span class="section-number-4">13.2.2.</span> Ansible Test Authorization</h4>
+<div id="outline-container-org2cfc2f7" class="outline-4">
+<h4 id="org2cfc2f7"><span class="section-number-4">13.2.2.</span> Ansible Test Authorization</h4>
<div class="outline-text-4" id="text-13-2-2">
<p>
Part of each machine's preparation is to authorize password-less SSH
<div class="outline-text-4" id="text-13-2-2">
<p>
Part of each machine's preparation is to authorize password-less SSH
<span class="org-builtin">umask</span> 077
<span class="org-keyword">if</span> [ <span class="org-negation-char">!</span> -d .ssh ]; <span class="org-keyword">then</span> mkdir .ssh; <span class="org-keyword">fi</span>
( <span class="org-builtin">echo</span> -n <span class="org-string">"ssh-rsa"</span>
<span class="org-builtin">umask</span> 077
<span class="org-keyword">if</span> [ <span class="org-negation-char">!</span> -d .ssh ]; <span class="org-keyword">then</span> mkdir .ssh; <span class="org-keyword">fi</span>
( <span class="org-builtin">echo</span> -n <span class="org-string">"ssh-rsa"</span>
-<div id="outline-container-orga7acea5" class="outline-4">
-<h4 id="orga7acea5"><span class="section-number-4">13.2.3.</span> A Test Machine</h4>
+<div id="outline-container-orga3d353d" class="outline-4">
+<h4 id="orga3d353d"><span class="section-number-4">13.2.3.</span> A Test Machine</h4>
<div class="outline-text-4" id="text-13-2-3">
<p>
The following shell function contains most of the <code>VBoxManage</code>
<div class="outline-text-4" id="text-13-2-3">
<p>
The following shell function contains most of the <code>VBoxManage</code>
-<div id="outline-container-org0a4dfed" class="outline-4">
-<h4 id="org0a4dfed"><span class="section-number-4">13.2.4.</span> The Test Front Machine</h4>
+<div id="outline-container-orga994a42" class="outline-4">
+<h4 id="orga994a42"><span class="section-number-4">13.2.4.</span> The Test Front Machine</h4>
<div class="outline-text-4" id="text-13-2-4">
<p>
The <code>front</code> machine is created with 512MiB of RAM, 4GiB of disk, and
<div class="outline-text-4" id="text-13-2-4">
<p>
The <code>front</code> machine is created with 512MiB of RAM, 4GiB of disk, and
The following <code>VBoxManage</code> commands effect the move, connecting the
primary NIC to <code>public</code> and a second NIC to the host-only network
<code>vboxnet2</code> (making it directly accessible to the administrator's
The following <code>VBoxManage</code> commands effect the move, connecting the
primary NIC to <code>public</code> and a second NIC to the host-only network
<code>vboxnet2</code> (making it directly accessible to the administrator's
-<div id="outline-container-org6af122f" class="outline-4">
-<h4 id="org6af122f"><span class="section-number-4">13.2.5.</span> The Test Gate Machine</h4>
+<div id="outline-container-orgf23e266" class="outline-4">
+<h4 id="orgf23e266"><span class="section-number-4">13.2.5.</span> The Test Gate Machine</h4>
<div class="outline-text-4" id="text-13-2-5">
<p>
The <code>gate</code> machine is created with the same amount of RAM and disk as
<div class="outline-text-4" id="text-13-2-5">
<p>
The <code>gate</code> machine is created with the same amount of RAM and disk as
-<div id="outline-container-org5cb66a8" class="outline-4">
-<h4 id="org5cb66a8"><span class="section-number-4">13.2.6.</span> The Test Core Machine</h4>
+<div id="outline-container-org2a3caf7" class="outline-4">
+<h4 id="org2a3caf7"><span class="section-number-4">13.2.6.</span> The Test Core Machine</h4>
<div class="outline-text-4" id="text-13-2-6">
<p>
The <code>core</code> machine is created with 1GiB of RAM and 6GiB of disk.
<div class="outline-text-4" id="text-13-2-6">
<p>
The <code>core</code> machine is created with 1GiB of RAM and 6GiB of disk.
-<div id="outline-container-org18e33e6" class="outline-3">
-<h3 id="org18e33e6"><span class="section-number-3">13.3.</span> Configure Test Machines</h3>
+<div id="outline-container-orgcd26e2c" class="outline-3">
+<h3 id="orgcd26e2c"><span class="section-number-3">13.3.</span> Configure Test Machines</h3>
<div class="outline-text-3" id="text-13-3">
<p>
At this point the three test machines <code>core</code>, <code>gate</code>, and <code>front</code> are
<div class="outline-text-3" id="text-13-3">
<p>
At this point the three test machines <code>core</code>, <code>gate</code>, and <code>front</code> are
-<div id="outline-container-org4d49cec" class="outline-3">
-<h3 id="org4d49cec"><span class="section-number-3">13.4.</span> Test Basics</h3>
+<div id="outline-container-org83c00e6" class="outline-3">
+<h3 id="org83c00e6"><span class="section-number-3">13.4.</span> Test Basics</h3>
<div class="outline-text-3" id="text-13-4">
<p>
At this point the test institute is just <code>core</code>, <code>gate</code> and <code>front</code>,
<div class="outline-text-3" id="text-13-4">
<p>
At this point the test institute is just <code>core</code>, <code>gate</code> and <code>front</code>,
-<div id="outline-container-org5e4bed6" class="outline-3">
-<h3 id="org5e4bed6"><span class="section-number-3">13.5.</span> The Test Nextcloud</h3>
+<div id="outline-container-org31b0e2e" class="outline-3">
+<h3 id="org31b0e2e"><span class="section-number-3">13.5.</span> The Test Nextcloud</h3>
<div class="outline-text-3" id="text-13-5">
<p>
Further tests involve Nextcloud account management. Nextcloud is
<div class="outline-text-3" id="text-13-5">
<p>
Further tests involve Nextcloud account management. Nextcloud is
<q>/Nextcloud/</q> is created, <code>./inst config core</code> will validate
or update its configuration files.
</p>
<q>/Nextcloud/</q> is created, <code>./inst config core</code> will validate
or update its configuration files.
</p>
-<div id="outline-container-org24d956f" class="outline-3">
-<h3 id="org24d956f"><span class="section-number-3">13.6.</span> Test New Command</h3>
+<div id="outline-container-org8be29a8" class="outline-3">
+<h3 id="org8be29a8"><span class="section-number-3">13.6.</span> Test New Command</h3>
<div class="outline-text-3" id="text-13-6">
<p>
A member must be enrolled so that a member's client machine can be
<div class="outline-text-3" id="text-13-6">
<p>
A member must be enrolled so that a member's client machine can be
-<div id="outline-container-org371ae28" class="outline-3">
-<h3 id="org371ae28"><span class="section-number-3">13.7.</span> The Test Member Notebook</h3>
+<div id="outline-container-orgf840624" class="outline-3">
+<h3 id="orgf840624"><span class="section-number-3">13.7.</span> The Test Member Notebook</h3>
<div class="outline-text-3" id="text-13-7">
<p>
A test member's notebook is created next, much like the servers,
<div class="outline-text-3" id="text-13-7">
<p>
A test member's notebook is created next, much like the servers,
the SSH server option is <i>not</i> needed and the GNOME desktop option
<i>is</i>. When the machine reboots, the administrator logs into the
desktop and installs a couple additional software packages (which
the SSH server option is <i>not</i> needed and the GNOME desktop option
<i>is</i>. When the machine reboots, the administrator logs into the
desktop and installs a couple additional software packages (which
-<div id="outline-container-orgbe472d8" class="outline-3">
-<h3 id="orgbe472d8"><span class="section-number-3">13.8.</span> Test Client Command</h3>
+<div id="outline-container-org9b617de" class="outline-3">
+<h3 id="org9b617de"><span class="section-number-3">13.8.</span> Test Client Command</h3>
<div class="outline-text-3" id="text-13-8">
<p>
The <code>./inst client</code> command is used to register the public key of a
<div class="outline-text-3" id="text-13-8">
<p>
The <code>./inst client</code> command is used to register the public key of a
-<div id="outline-container-orge86b83f" class="outline-3">
-<h3 id="orge86b83f"><span class="section-number-3">13.9.</span> Test Campus WireGuard™ Subnet</h3>
+<div id="outline-container-orga591c73" class="outline-3">
+<h3 id="orga591c73"><span class="section-number-3">13.9.</span> Test Campus WireGuard™ Subnet</h3>
-<div id="outline-container-org398b9ae" class="outline-3">
-<h3 id="org398b9ae"><span class="section-number-3">13.10.</span> Test Web Pages</h3>
+<div id="outline-container-orgbb345dd" class="outline-3">
+<h3 id="orgbb345dd"><span class="section-number-3">13.10.</span> Test Web Pages</h3>
<div class="outline-text-3" id="text-13-10">
<p>
Next, the administrator copies <a href="Backup/WWW/"><q>Backup/WWW/</q></a> (included in the
<div class="outline-text-3" id="text-13-10">
<p>
Next, the administrator copies <a href="Backup/WWW/"><q>Backup/WWW/</q></a> (included in the
-<div id="outline-container-orgf5af713" class="outline-3">
-<h3 id="orgf5af713"><span class="section-number-3">13.11.</span> Test Nextcloud</h3>
+<div id="outline-container-org4d660de" class="outline-3">
+<h3 id="org4d660de"><span class="section-number-3">13.11.</span> Test Nextcloud</h3>
<div class="outline-text-3" id="text-13-11">
<p>
Using the browser on the simulated member notebook, the Nextcloud
<div class="outline-text-3" id="text-13-11">
<p>
Using the browser on the simulated member notebook, the Nextcloud
-<div id="outline-container-org4918454" class="outline-3">
-<h3 id="org4918454"><span class="section-number-3">13.12.</span> Test Email</h3>
+<div id="outline-container-org011d35c" class="outline-3">
+<h3 id="org011d35c"><span class="section-number-3">13.12.</span> Test Email</h3>
<div class="outline-text-3" id="text-13-12">
<p>
With Evolution running on the member notebook <code>dick</code>, one second email
<div class="outline-text-3" id="text-13-12">
<p>
With Evolution running on the member notebook <code>dick</code>, one second email
-<div id="outline-container-org6367018" class="outline-3">
-<h3 id="org6367018"><span class="section-number-3">13.13.</span> Test Public VPN</h3>
+<div id="outline-container-org774462c" class="outline-3">
+<h3 id="org774462c"><span class="section-number-3">13.13.</span> Test Public VPN</h3>
<div class="outline-text-3" id="text-13-13">
<p>
At this point, <code>dick</code> can move abroad, from the campus Wi-Fi
<div class="outline-text-3" id="text-13-13">
<p>
At this point, <code>dick</code> can move abroad, from the campus Wi-Fi
-<div id="outline-container-org42ab9c7" class="outline-3">
-<h3 id="org42ab9c7"><span class="section-number-3">13.14.</span> Test Pass Command</h3>
+<div id="outline-container-orgdc86273" class="outline-3">
+<h3 id="orgdc86273"><span class="section-number-3">13.14.</span> Test Pass Command</h3>
<div class="outline-text-3" id="text-13-14">
<p>
To test the <code>./inst pass</code> command, the administrator logs in to <code>core</code>
<div class="outline-text-3" id="text-13-14">
<p>
To test the <code>./inst pass</code> command, the administrator logs in to <code>core</code>
-<div id="outline-container-orga38ce71" class="outline-3">
-<h3 id="orga38ce71"><span class="section-number-3">13.15.</span> Test Old Command</h3>
+<div id="outline-container-org77c94ce" class="outline-3">
+<h3 id="org77c94ce"><span class="section-number-3">13.15.</span> Test Old Command</h3>
<div class="outline-text-3" id="text-13-15">
<p>
One more institute command is left to exercise. The administrator
<div class="outline-text-3" id="text-13-15">
<p>
One more institute command is left to exercise. The administrator
-<div id="outline-container-orgfc8e4b0" class="outline-2">
-<h2 id="orgfc8e4b0"><span class="section-number-2">14.</span> Future Work</h2>
+<div id="outline-container-orgb4993fc" class="outline-2">
+<h2 id="orgb4993fc"><span class="section-number-2">14.</span> Future Work</h2>
<div class="outline-text-2" id="text-14">
<p>
The small institute's network, as currently defined in this doocument,
is lacking in a number of respects.
</p>
</div>
<div class="outline-text-2" id="text-14">
<p>
The small institute's network, as currently defined in this doocument,
is lacking in a number of respects.
</p>
</div>
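Review bot: the unchanged context in this hunk carries a typo, "doocument" in "as currently defined in this doocument", which should read "document". It is not introduced by this change, but since the Org source is being re-exported anyway, fix the spelling there so it does not survive another round of id churn.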
-<div id="outline-container-org06c1c88" class="outline-3">
-<h3 id="org06c1c88"><span class="section-number-3">14.1.</span> Deficiencies</h3>
+<div id="outline-container-orgf22a258" class="outline-3">
+<h3 id="orgf22a258"><span class="section-number-3">14.1.</span> Deficiencies</h3>
<div class="outline-text-3" id="text-14-1">
<p>
The current network monitoring is rudimentary. It could use some
<div class="outline-text-3" id="text-14-1">
<p>
The current network monitoring is rudimentary. It could use some
<p>
The institute's reverse domains (e.g. <code>86.177.10.in-addr.arpa</code>) are
not available on Front, yet.
</p>
</div>
</div>
<p>
The institute's reverse domains (e.g. <code>86.177.10.in-addr.arpa</code>) are
not available on Front, yet.
</p>
</div>
</div>
-<div id="outline-container-org5511bd7" class="outline-3">
-<h3 id="org5511bd7"><span class="section-number-3">14.2.</span> More Tests</h3>
+<div id="outline-container-orgcb70f46" class="outline-3">
+<h3 id="orgcb70f46"><span class="section-number-3">14.2.</span> More Tests</h3>
<div class="outline-text-3" id="text-14-2">
<p>
The testing process described in the previous chapter is far from
complete. Additional tests are needed.
</p>
</div>
<div class="outline-text-3" id="text-14-2">
<p>
The testing process described in the previous chapter is far from
complete. Additional tests are needed.
</p>
</div>
-<div id="outline-container-org7cb1167" class="outline-4">
-<h4 id="org7cb1167"><span class="section-number-4">14.2.1.</span> Backup</h4>
+<div id="outline-container-org5b37567" class="outline-4">
+<h4 id="org5b37567"><span class="section-number-4">14.2.1.</span> Backup</h4>
<div class="outline-text-4" id="text-14-2-1">
<p>
The <code>backup</code> command has not been tested. It needs an encrypted
<div class="outline-text-4" id="text-14-2-1">
<p>
The <code>backup</code> command has not been tested. It needs an encrypted
-<div id="outline-container-orgac4ba95" class="outline-4">
-<h4 id="orgac4ba95"><span class="section-number-4">14.2.2.</span> Restore</h4>
+<div id="outline-container-orgf05b647" class="outline-4">
+<h4 id="orgf05b647"><span class="section-number-4">14.2.2.</span> Restore</h4>
<div class="outline-text-4" id="text-14-2-2">
<p>
The restore process has not been tested. It might just copy <a href="Backup/"><q>Backup/</q></a>
<div class="outline-text-4" id="text-14-2-2">
<p>
The restore process has not been tested. It might just copy <a href="Backup/"><q>Backup/</q></a>
-<div id="outline-container-org8d7474e" class="outline-4">
-<h4 id="org8d7474e"><span class="section-number-4">14.2.3.</span> Campus Disconnect</h4>
+<div id="outline-container-org4583d1e" class="outline-4">
+<h4 id="org4583d1e"><span class="section-number-4">14.2.3.</span> Campus Disconnect</h4>
<div class="outline-text-4" id="text-14-2-3">
<p>
Email access (IMAPS) on <code>front</code> is… difficult to test unless
<div class="outline-text-4" id="text-14-2-3">
<p>
Email access (IMAPS) on <code>front</code> is… difficult to test unless
-<div id="outline-container-org1248e00" class="outline-2">
-<h2 id="org1248e00"><span class="section-number-2">15.</span> Appendix: The Bootstrap</h2>
+<div id="outline-container-org37b11a6" class="outline-2">
+<h2 id="org37b11a6"><span class="section-number-2">15.</span> Appendix: The Bootstrap</h2>
<div class="outline-text-2" id="text-15">
<p>
Creating the private network from whole cloth (machines with recent
<div class="outline-text-2" id="text-15">
<p>
Creating the private network from whole cloth (machines with recent
-<div id="outline-container-org1f47753" class="outline-3">
-<h3 id="org1f47753"><span class="section-number-3">15.1.</span> The Current Strategy</h3>
+<div id="outline-container-orgf004893" class="outline-3">
+<h3 id="orgf004893"><span class="section-number-3">15.1.</span> The Current Strategy</h3>
on the Internet where additional packages are accessible, then connect
them to the campus facilities (the private Ethernet switch, Wi-Fi AP,
ISP), manually configure IP addresses (while the DHCP client silently
on the Internet where additional packages are accessible, then connect
them to the campus facilities (the private Ethernet switch, Wi-Fi AP,
ISP), manually configure IP addresses (while the DHCP client silently
-<div id="outline-container-org94d2f14" class="outline-3">
-<h3 id="org94d2f14"><span class="section-number-3">15.2.</span> Starting With Gate</h3>
+<div id="outline-container-org5cd9c2c" class="outline-3">
+<h3 id="org5cd9c2c"><span class="section-number-3">15.2.</span> Starting With Gate</h3>
<div class="outline-text-3" id="text-15-2">
<p>
The strategy of Starting With Gate concentrates on configuring Gate's
<div class="outline-text-3" id="text-15-2">
<p>
The strategy of Starting With Gate concentrates on configuring Gate's
-<div id="outline-container-org2b48ad7" class="outline-3">
-<h3 id="org2b48ad7"><span class="section-number-3">15.3.</span> Pre-provision With Ansible</h3>
+<div id="outline-container-org6fd0373" class="outline-3">
+<h3 id="org6fd0373"><span class="section-number-3">15.3.</span> Pre-provision With Ansible</h3>
<div class="outline-text-3" id="text-15-3">
<p>
A refinement of the current strategy might avoid the need to maintain
<div class="outline-text-3" id="text-15-3">
<p>
A refinement of the current strategy might avoid the need to maintain