"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
-<!-- 2024-09-20 Fri 13:28 -->
+<!-- 2024-10-22 Tue 10:04 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Birchwood Abbey Networks</title>
philosophy, attitude.
</p>
-<pre class="example" id="orgff81049">
+<pre class="example" id="org988225d">
|
=
_|||_
Dovecot-IMAPd, and hosting a VPN with OpenVPN.
</p>
</div>
-<div id="outline-container-org5cff3f5" class="outline-3">
-<h3 id="org5cff3f5"><span class="section-number-3">3.1.</span> Install Emacs</h3>
+<div id="outline-container-org832124f" class="outline-3">
+<h3 id="org832124f"><span class="section-number-3">3.1.</span> Install Emacs</h3>
<div class="outline-text-3" id="text-3-1">
<p>
The monks of the abbey are masters of the staff (bo) and Emacs.
entered as shown below).
</p>
-<pre class="example" id="orgc807cc9">
+<pre class="example" id="org39bc53f">
$ sudo apt install python3-certbot-apache
$ sudo certbot --apache -d birchwood-abbey.net
...
NTP, DNS and DHCP.
</p>
</div>
-<div id="outline-container-orge3238f6" class="outline-3">
-<h3 id="orge3238f6"><span class="section-number-3">4.1.</span> Include Abbey Variables</h3>
+<div id="outline-container-org3e1f87c" class="outline-3">
+<h3 id="org3e1f87c"><span class="section-number-3">4.1.</span> Include Abbey Variables</h3>
<div class="outline-text-3" id="text-4-1">
<p>
In this abbey specific document, most abbey particulars are not
</div>
</div>
</div>
-<div id="outline-container-orga5b3bf9" class="outline-3">
-<h3 id="orga5b3bf9"><span class="section-number-3">4.8.</span> Use Cloister Apt Cache</h3>
+<div id="outline-container-orgedd1215" class="outline-3">
+<h3 id="orgedd1215"><span class="section-number-3">4.8.</span> Use Cloister Apt Cache</h3>
<div class="outline-text-3" id="text-4-8">
<p>
Core itself will benefit from using the package cache, but should
./abbey client campus new-host-name
</pre>
</div>
-<div id="outline-container-orgedd1215" class="outline-3">
-<h3 id="orgedd1215"><span class="section-number-3">6.1.</span> Use Cloister Apt Cache</h3>
+<div id="outline-container-org28d77ae" class="outline-3">
+<h3 id="org28d77ae"><span class="section-number-3">6.1.</span> Use Cloister Apt Cache</h3>
<div class="outline-text-3" id="text-6-1">
<p>
The Apt-Cacher:TNG program does not work well on the frontier, so is
</div>
</div>
</div>
-<div id="outline-container-org832124f" class="outline-3">
-<h3 id="org832124f"><span class="section-number-3">6.4.</span> Install Emacs</h3>
+<div id="outline-container-orgc296167" class="outline-3">
+<h3 id="orgc296167"><span class="section-number-3">6.4.</span> Install Emacs</h3>
<div class="outline-text-3" id="text-6-4">
<p>
The monks of the abbey are masters of the staff and Emacs.
<div class="outline-text-2" id="text-8">
<p>
The abbey uses AgentDVR to record video from PoE IP HD security
-cameras. The "download" button on iSpy's Download page
+cameras. It is installed and configured as described here.
+</p>
+</div>
+<div id="outline-container-org1485bcd" class="outline-3">
+<h3 id="org1485bcd"><span class="section-number-3">8.1.</span> AgentDVR Installation</h3>
+<div class="outline-text-3" id="text-8-1">
+<p>
+AgentDVR is installed at the abbey according to the iSpy web site's
+latest(?) instructions. The "download" button on iSpy's Download page
(<a href="https://www.ispyconnect.com/download">https://www.ispyconnect.com/download</a>), when "Agent DVR - Linux/
macOS/ RPi" is chosen, suggests the following command lines (the
second of which is broken across three lines).
</div>
<p>
-Ansible assists by creating the system user <code>agentdvr</code> and granting it
-enough <code>sudo</code> latitude to run the installer as instructed above.
-Though a system user, the account gets a home directory,
-<q>/home/agentdvr/</q> in which to do the installation. The rest of the
-DVR role, "phase two", waits until AgentDVR is installed.
+<i>Before</i> executing these commands, Ansible is enlisted to make certain
+preparations.
+</p>
+</div>
+<div id="outline-container-orge3711be" class="outline-4">
+<h4 id="orge3711be"><span class="section-number-4">8.1.1.</span> AgentDVR Installation Preparation</h4>
+<div class="outline-text-4" id="text-8-1-1">
+<p>
+AgentDVR runs in the abbey as a system user, <code>agentdvr</code>, which
+installs and runs the service. Though a system user, the account gets
+a home directory, <q>/home/agentdvr/</q> in which to install AgentDVR, and
+a login shell, <q>/bin/bash</q>. This much Ansible can do in preparation.
+</p>
+
+<pre class="example">
+./abbey config dvrs
+</pre>
+
+
+<p>
+After the <code>agentdvr</code> account is created, it is temporarily authorized
+to run a handful of system commands (as <code>root</code>!). This small set is
+sufficient <i>if</i> the offer to create the system service is declined.
+The following commands create this authorization in <q>~/01agentdvr</q>,
+validate and install it in <q>/etc/sudoers.d/01agentdvr</q>. Such caution
+is taken because a syntax error anywhere in <q>/etc/sudoers.d/</q> can make
+the <code>sudo</code> command inoperative, cutting off access to all elevated
+privileges until a "rescue" (involving a reboot) is performed.
</p>
+<div class="org-src-container">
+<pre class="src src-sh"><span class="org-builtin">echo</span> <span class="org-string">"ALL ALL=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\</span>
+<span class="org-string"> /sbin/adduser,/sbin/usermod"</span> >~/01agentdvr
+sudo chown root:root ~/01agentdvr
+sudo chmod 440 ~/01agentdvr
+visudo --check --owner --perms ~/01agentdvr
+sudo mv ~/01agentdvr /etc/sudoers.d/
+</pre>
+</div>
+</div>
+</div>
+<div id="outline-container-org53fe590" class="outline-4">
+<h4 id="org53fe590"><span class="section-number-4">8.1.2.</span> AgentDVR Installation Execution</h4>
+<div class="outline-text-4" id="text-8-1-2">
+<p>
+With the above preparations, the system administrator can get a shell
+session under the <code>agentdvr</code> account to run iSpy's installation script
+in the empty <q>/home/agentdvr/</q> directory.
+</p>
+
+<div class="org-src-container">
+<pre class="src src-sh">sudo apt-get install curl
+sudo -u agentdvr <(curl -s <span class="org-string">"https:.../install.sh"</span>)
+</pre>
+</div>
+
+<p>
+The script creates the <q>/home/agentdvr/AgentDVR/</q> directory, and
+offers to install a system service. The offer is declined. Instead,
+Ansible is run again.
+</p>
+</div>
+</div>
+<div id="outline-container-org27ee283" class="outline-4">
+<h4 id="org27ee283"><span class="section-number-4">8.1.3.</span> AgentDVR Installation Completion</h4>
+<div class="outline-text-4" id="text-8-1-3">
<p>
-AgentDVR is installed, after Ansible has set things up, by running the
-command lines prescribed by iSpy while logged in as <code>agentdvr</code> with
-the current default directory <q>/home/agentdvr/</q>. The installer should
-create the <q>/home/agentdvr/AgentDVR/</q> directory. Its offer to install
-a system service is declined.
+When Ansible is run a second time, after the installation script, it
+sees the new <q>/home/agentdvr/AgentDVR/</q> directory and creates (and
+starts) the new system service.
</p>
+<pre class="example">
+./abbey config dvrs
+</pre>
+
+
<p>
-After AgentDVR is installed, when the <q>/home/agentdvr/AgentDVR/</q>
-directory exists, Ansible is run again to install the system service.
+Also after the installation, the system administrator revokes the
+<code>agentdvr</code> account's authorizations to modify packages and accounts.
</p>
+
+<pre class="example">
+sudo rm /etc/sudoers.d/01agentdvr
+</pre>
+</div>
+</div>
</div>
<div id="outline-container-orgb219961" class="outline-3">
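Review bot: the sudoers rule written by the <code>echo "ALL ALL=(agentdvr) NOPASSWD: ...</code> line in 8.1.1 grants every user the right to run systemctl, apt-get, adduser and usermod <i>as agentdvr</i>; it does not grant agentdvr the right to run them as root, which is what the paragraph above it ("as root!") describes. In the <code>User Host=(Runas) Commands</code> syntax the intended rule is <code>agentdvr ALL=(root) NOPASSWD: /bin/systemctl,/bin/apt-get,/sbin/adduser,/sbin/usermod</code>. Two smaller points in the same block: <code>visudo --check --owner --perms ~/01agentdvr</code> runs after the file has already been made root:root 0440, so an unprivileged shell cannot open it and the check fails before it can report anything; run it under <code>sudo</code>. And <code>sudo -u agentdvr &lt;(curl -s "https:.../install.sh")</code> asks sudo to execute a /dev/fd path backed by a pipe, which sudo closes (it closes inherited descriptors above 2) and which the kernel would refuse to execute anyway; feed the script to an interpreter instead, e.g. <code>cd /home/agentdvr &amp;&amp; curl -s "https:.../install.sh" | sudo -u agentdvr bash</code>, noting that <code>sudo -u</code> keeps the caller's working directory, so the <code>cd</code> (or <code>sudo -iu agentdvr</code>) is what actually puts the install into the empty home directory as 8.1.2 intends. Because the four commands are allowed with unrestricted arguments, the grant is root-equivalent for as long as it exists, so the revocation step in 8.1.3 is the right mitigation and should be called out as mandatory rather than "also".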
-<h3 id="orgb219961"><span class="section-number-3">8.1.</span> Create User <code>agentdvr</code></h3>
-<div class="outline-text-3" id="text-8-1">
+<h3 id="orgb219961"><span class="section-number-3">8.2.</span> Create User <code>agentdvr</code></h3>
+<div class="outline-text-3" id="text-8-2">
<p>
AgentDVR runs as the system user <code>agentdvr</code>, which is created here.
</p>
</div>
</div>
</div>
-<div id="outline-container-org9c7e794" class="outline-3">
-<h3 id="org9c7e794"><span class="section-number-3">8.2.</span> Authorize User <code>agentdvr</code></h3>
-<div class="outline-text-3" id="text-8-2">
-<p>
-The AgentDVR installer is also run by <code>agentdvr</code>, which is authorized
-to run a handful of system commands. This small set is sufficient
-<i>if</i> the offer to create the system service is declined. In that
-case, the installer will run the program in the terminal.
-</p>
-
-<div class="org-src-container">
-<a href="roles_t/abbey-dvr/tasks/main.yml"><q>roles_t/abbey-dvr/tasks/main.yml</q></a><pre class="src src-conf">
-- name: Authorize agentdvr.
- copy:
- content: |
- <span class="org-variable-name">ALL ALL</span>=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\
- /sbin/adduser,/sbin/usermod
- dest: /etc/sudoers.d/agentdvr
-</pre>
-</div>
-</div>
-</div>
<div id="outline-container-org0f20387" class="outline-3">
<h3 id="org0f20387"><span class="section-number-3">8.3.</span> Test For <q>AgentDVR/</q></h3>
<div class="outline-text-3" id="text-8-3">
</p>
</div>
</div>
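Review bot: deleting the <code>Authorize agentdvr.</code> task removes the source of <q>/etc/sudoers.d/agentdvr</q> but not the file itself on DVR hosts already configured by the old role (Ansible does not remove files it merely stops mentioning), and the hand-installed replacement is named <q>/etc/sudoers.d/01agentdvr</q>, so the <code>sudo rm /etc/sudoers.d/01agentdvr</code> in 8.1.3 leaves the older, permanent grant in place on those hosts. Add a task to <q>roles_t/abbey-dvr/tasks/main.yml</q> with <code>file:</code>, <code>path: /etc/sudoers.d/agentdvr</code>, <code>state: absent</code> so the standing rule is purged on the next <code>./abbey config dvrs</code>. The removed content carries the same <code>ALL ALL=(agentdvr)</code> rule as the new manual line, which lets any local user run those four commands as agentdvr rather than letting agentdvr run them as root, one more reason to clean it up explicitly.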
-<div id="outline-container-org3e1f87c" class="outline-3">
-<h3 id="org3e1f87c"><span class="section-number-3">9.3.</span> Include Abbey Variables</h3>
+<div id="outline-container-orgb645c48" class="outline-3">
+<h3 id="orgb645c48"><span class="section-number-3">9.3.</span> Include Abbey Variables</h3>
<div class="outline-text-3" id="text-9-3">
<p>
Private variables in <q>private/vars-abbey.yml</q> are needed, as in the
the OTA (over the air) broadcasts.
</p>
-<pre class="example" id="orgd6730f4">
+<pre class="example" id="org7599441">
$ tv_grab_zz_sdjson --configure --config-file .mythtv/Mr.Antenna.xml
Cache file for lineups, schedules and programs.
Cache file: [/home/mythtv/.xmltv/tv_grab_zz_sdjson.cache]
<span class="org-comment-delimiter"># </span><span class="org-comment">Notebooks</span>
endor:
ansible_become_password: <span class="org-string">"{{ become_endor }}"</span>
- geonosis:
+ sullust:
ansible_host: 127.0.0.1
- ansible_user: matt
- ansible_become_password: <span class="org-string">"{{ become_geonosis }}"</span>
+ ansible_become_password: <span class="org-string">"{{ become_sullust }}"</span>
postfix_mydestination: >-
- geonosis.birchwood.private
- geonosis
- geonosis.localdomain
+ sullust.birchwood.private
+ sullust
+ sullust.localdomain
localhost.localdomain
localhost
children:
notebooks:
hosts:
endor:
- geonosis:
+ sullust:
builders:
hosts:
- geonosis:
+ sullust:
kamino:
</pre>
</div>
</div>
<div id="postamble" class="status">
<p class="author">Author: Matt Birkholz</p>
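Review bot: renaming <code>geonosis</code> to <code>sullust</code> in the inventory also drops the <code>ansible_user: matt</code> line, so the 127.0.0.1 connection now runs as whatever account invokes <code>./abbey</code>; if that is intended it should be stated, since the entry still sets <code>ansible_become_password: "{{ become_sullust }}"</code> and that variable must be defined wherever <code>become_geonosis</code> was (presumably the private variables file this section names, <q>private/vars-abbey.yml</q>), or the play fails on a host that otherwise looks unchanged. The three <code>postfix_mydestination</code> names and the <code>notebooks</code>/<code>builders</code> group memberships are updated consistently.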
-<p class="date">Created: 2024-09-20 Fri 13:28</p>
+<p class="date">Created: 2024-10-22 Tue 10:04</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>