"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
-<!-- 2024-04-21 Sun 14:40 -->
+<!-- 2024-05-03 Fri 10:44 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>A Small Institute</title>
members off campus.
</p>
-<pre class="example" id="org9c367ba">
+<pre class="example" id="org54e48fc">
=
_|||_
=-The-Institute-=
</pre>
</div>
-<div class="TEXT" id="org10a0f5d">
+<div class="TEXT" id="orgba5292c">
<p>
=> 10.62.17.0/24
</p>
campground Wi-Fi access point, etc.</li>
</ol>
-<pre class="example" id="org68b3f43">
+<pre class="example" id="org7ce76e5">
=============== | ==================================================
| Premises
(Campus ISP)
following topology.
</p>
-<pre class="example" id="orgb83deda">
+<pre class="example" id="org10903d3">
=============== | ==================================================
| Premises
(House ISP)
institute's servers. At the moment there is just the one.
</p>
</div>
-<div id="outline-container-org0fcff87" class="outline-3">
-<h3 id="org0fcff87"><span class="section-number-3">6.1.</span> Include Particulars</h3>
+<div id="outline-container-org4e74a72" class="outline-3">
+<h3 id="org4e74a72"><span class="section-number-3">6.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-6-1">
<p>
The <code>all</code> role's task contains a reference to a common institute
certificates signed by the institute CA.
</p>
</div>
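Review bot: almost every hunk in this diff is an Org export regenerating section ids (`outline-container-org0fcff87` becomes `outline-container-org4e74a72`, with the matching `h3` id changing in step), which buries the three substantive changes and also moves the targets of intra-document links such as `<a href="#orgd60dcd1">The All Role</a>`; setting `:CUSTOM_ID:` properties on the headings in the Org source would keep the exported ids stable across builds and make future diffs reviewable.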
-<div id="outline-container-orgcbd54ab" class="outline-3">
-<h3 id="orgcbd54ab"><span class="section-number-3">7.1.</span> Include Particulars</h3>
+<div id="outline-container-org46c277d" class="outline-3">
+<h3 id="org46c277d"><span class="section-number-3">7.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-7-1">
<p>
The first task, as in <a href="#orgd60dcd1">The All Role</a>, is to include the institute
</div>
</div>
</div>
-<div id="outline-container-orgef26e47" class="outline-3">
-<h3 id="orgef26e47"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
+<div id="outline-container-org6f97126" class="outline-3">
+<h3 id="org6f97126"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-7-2">
<p>
This task ensures that Front's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
</div>
</div>
</div>
-<div id="outline-container-org1d7831c" class="outline-3">
-<h3 id="org1d7831c"><span class="section-number-3">7.3.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-orgc133751" class="outline-3">
+<h3 id="orgc133751"><span class="section-number-3">7.3.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-7-3">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-orgf602306" class="outline-3">
-<h3 id="orgf602306"><span class="section-number-3">7.5.</span> Configure Monkey</h3>
+<div id="outline-container-org7915c60" class="outline-3">
+<h3 id="org7915c60"><span class="section-number-3">7.5.</span> Configure Monkey</h3>
<div class="outline-text-3" id="text-7-5">
<p>
The small institute runs cron jobs and web scripts that generate
</div>
</div>
</div>
-<div id="outline-container-orgfb6d583" class="outline-3">
-<h3 id="orgfb6d583"><span class="section-number-3">7.7.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org09cd0a8" class="outline-3">
+<h3 id="org09cd0a8"><span class="section-number-3">7.7.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-7-7">
<p>
The institute prefers to install security updates as soon as possible.
</div>
</div>
</div>
-<div id="outline-container-org9d61acb" class="outline-3">
-<h3 id="org9d61acb"><span class="section-number-3">7.8.</span> Configure User Accounts</h3>
+<div id="outline-container-org257e089" class="outline-3">
+<h3 id="org257e089"><span class="section-number-3">7.8.</span> Configure User Accounts</h3>
<div class="outline-text-3" id="text-7-8">
<p>
User accounts are created immediately so that Postfix and Dovecot can
</div>
</div>
</div>
-<div id="outline-container-orgc30c758" class="outline-3">
-<h3 id="orgc30c758"><span class="section-number-3">7.9.</span> Install Server Certificate</h3>
+<div id="outline-container-org5259a7b" class="outline-3">
+<h3 id="org5259a7b"><span class="section-number-3">7.9.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-7-9">
<p>
The servers on Front use the same certificate (and key) to
</div>
</div>
</div>
-<div id="outline-container-orgf01b935" class="outline-3">
-<h3 id="orgf01b935"><span class="section-number-3">7.12.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-org8c230d4" class="outline-3">
+<h3 id="org8c230d4"><span class="section-number-3">7.12.</span> Configure Dovecot IMAPd</h3>
<div class="outline-text-3" id="text-7-12">
<p>
Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to
</div>
</div>
</div>
-<div id="outline-container-orgb967873" class="outline-3">
-<h3 id="orgb967873"><span class="section-number-3">7.14.</span> Configure OpenVPN</h3>
+<div id="outline-container-org19cf6c6" class="outline-3">
+<h3 id="org19cf6c6"><span class="section-number-3">7.14.</span> Configure OpenVPN</h3>
<div class="outline-text-3" id="text-7-14">
<p>
Front uses OpenVPN to provide the institute's public VPN service. The
account. (For details, see <a href="#org8d60b7b">The Core Machine</a>.)
</p>
</div>
-<div id="outline-container-org3b3706b" class="outline-3">
-<h3 id="org3b3706b"><span class="section-number-3">8.1.</span> Include Particulars</h3>
+<div id="outline-container-org813bdbd" class="outline-3">
+<h3 id="org813bdbd"><span class="section-number-3">8.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-8-1">
<p>
The first task, as in <a href="#org9240129">The Front Role</a>, is to include the institute
</div>
</div>
</div>
-<div id="outline-container-orgecf0c60" class="outline-3">
-<h3 id="orgecf0c60"><span class="section-number-3">8.2.</span> Configure Hostname</h3>
+<div id="outline-container-org9e33869" class="outline-3">
+<h3 id="org9e33869"><span class="section-number-3">8.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-8-2">
<p>
This task ensures that Core's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
</div>
</div>
</div>
-<div id="outline-container-org64e4c11" class="outline-3">
-<h3 id="org64e4c11"><span class="section-number-3">8.3.</span> Configure Systemd Resolved</h3>
+<div id="outline-container-org1fe8eef" class="outline-3">
+<h3 id="org1fe8eef"><span class="section-number-3">8.3.</span> Configure Systemd Resolved</h3>
<div class="outline-text-3" id="text-8-3">
<p>
Core runs the campus name server, so Resolved is configured to use it
</div>
</div>
</div>
-<div id="outline-container-org5ed8d7b" class="outline-3">
-<h3 id="org5ed8d7b"><span class="section-number-3">8.7.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org9cd1752" class="outline-3">
+<h3 id="org9cd1752"><span class="section-number-3">8.7.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-8-7">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-org7915c60" class="outline-3">
-<h3 id="org7915c60"><span class="section-number-3">8.8.</span> Configure Monkey</h3>
+<div id="outline-container-org6be797b" class="outline-3">
+<h3 id="org6be797b"><span class="section-number-3">8.8.</span> Configure Monkey</h3>
<div class="outline-text-3" id="text-8-8">
<p>
The small institute runs cron jobs and web scripts that generate
pubkeyfile: <span class="org-string">"{{ pubkeypath }}/ssh_host_ecdsa_key.pub"</span>
pubkey: <span class="org-string">"{{ lookup('file', pubkeyfile) }}"</span>
lineinfile:
- regexp: <span class="org-string">"^{{ domain_name }}"</span>
+ regexp: <span class="org-string">"^{{ domain_name }},{{ front_addr }} ecdsa-sha2-nistp256 "</span>
line: <span class="org-string">"{{ domain_name }},{{ front_addr }} {{ pubkey }}"</span>
path: /home/monkey/.ssh/known_hosts
create: yes
owner: monkey
group: monkey
- mode: <span class="org-string">"u=rw,g=r,o="</span>
+ mode: <span class="org-string">"u=rw,g=,o="</span>
</pre>
</div>
</div>
</div>
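Review bot: the new `regexp` keys the known_hosts entry on `{{ domain_name }},{{ front_addr }} ecdsa-sha2-nistp256 `, so an existing line for that host and key type is replaced rather than left beside the new one, but both interpolated values are dropped raw into a regular expression: the dots in `domain_name` and `front_addr` match any character, so pass them through `regex_escape` (`^{{ domain_name | regex_escape }},{{ front_addr | regex_escape }} ecdsa-sha2-nistp256 `). The key type is also stated twice, once in `pubkeyfile` (`ssh_host_ecdsa_key.pub`) and once as the literal `ecdsa-sha2-nistp256` in the regexp; if the host key type ever changes, both must be updated together or the stale entry survives. The tightened `mode: "u=rw,g=,o="` is appropriate for a file owned by the unprivileged `monkey` account.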
-<div id="outline-container-org15f2e66" class="outline-3">
-<h3 id="org15f2e66"><span class="section-number-3">8.9.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-orgedf22e5" class="outline-3">
+<h3 id="orgedf22e5"><span class="section-number-3">8.9.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-8-9">
<p>
The institute prefers to install security updates as soon as possible.
</div>
</div>
</div>
-<div id="outline-container-org257e089" class="outline-3">
-<h3 id="org257e089"><span class="section-number-3">8.11.</span> Configure User Accounts</h3>
+<div id="outline-container-org24a298d" class="outline-3">
+<h3 id="org24a298d"><span class="section-number-3">8.11.</span> Configure User Accounts</h3>
<div class="outline-text-3" id="text-8-11">
<p>
User accounts are created immediately so that backups can begin
</div>
</div>
</div>
-<div id="outline-container-org76dff78" class="outline-3">
-<h3 id="org76dff78"><span class="section-number-3">8.12.</span> Install Server Certificate</h3>
+<div id="outline-container-org7bba6c0" class="outline-3">
+<h3 id="org7bba6c0"><span class="section-number-3">8.12.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-8-12">
<p>
The servers on Core use the same certificate (and key) to authenticate
</div>
</div>
</div>
-<div id="outline-container-org8c230d4" class="outline-3">
-<h3 id="org8c230d4"><span class="section-number-3">8.16.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-org191f07f" class="outline-3">
+<h3 id="org191f07f"><span class="section-number-3">8.16.</span> Configure Dovecot IMAPd</h3>
<div class="outline-text-3" id="text-8-16">
<p>
Core uses Dovecot's IMAPd to store and serve member emails. As on
become: yes
command:
cmd: phpenmod {{ item }}
- creates: /etc/php/7.4/apache2/conf.d/20-{{ item }}.ini
+ creates: /etc/php/8.2/apache2/conf.d/20-{{ item }}.ini
loop: [ nextcloud, apcu ]
notify: Restart Apache2.
</pre>
configurations, etc.
</p>
</div>
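Review bot: the `creates:` guard now hard-codes `/etc/php/8.2/...`, which repeats the problem the `7.4` path had; whenever the installed PHP version differs from the literal, the ini file is never found at that path, so `phpenmod {{ item }}` runs and notifies `Restart Apache2.` on every play. Consider registering the installed version once (for example from `ls /etc/php`) into a variable such as `php_version` and using `/etc/php/{{ php_version }}/apache2/conf.d/20-{{ item }}.ini` in `creates`. Moving off the end-of-life 7.4 series is welcome in itself.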
-<div id="outline-container-org665e760" class="outline-3">
-<h3 id="org665e760"><span class="section-number-3">9.1.</span> Include Particulars</h3>
+<div id="outline-container-org085ec93" class="outline-3">
+<h3 id="org085ec93"><span class="section-number-3">9.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-9-1">
<p>
The following should be familiar boilerplate by now.
</div>
</div>
</div>
-<div id="outline-container-org5259a7b" class="outline-3">
-<h3 id="org5259a7b"><span class="section-number-3">9.6.</span> Install Server Certificate</h3>
+<div id="outline-container-orgedcf028" class="outline-3">
+<h3 id="orgedcf028"><span class="section-number-3">9.6.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-9-6">
<p>
The (OpenVPN) server on Gate uses an institute certificate (and key)
</div>
</div>
</div>
-<div id="outline-container-org19cf6c6" class="outline-3">
-<h3 id="org19cf6c6"><span class="section-number-3">9.7.</span> Configure OpenVPN</h3>
+<div id="outline-container-org7d0940f" class="outline-3">
+<h3 id="org7d0940f"><span class="section-number-3">9.7.</span> Configure OpenVPN</h3>
<div class="outline-text-3" id="text-9-7">
<p>
Gate uses OpenVPN to provide the institute's campus VPN service. Its
configured manually.
</p>
</div>
-<div id="outline-container-org4e74a72" class="outline-3">
-<h3 id="org4e74a72"><span class="section-number-3">10.1.</span> Include Particulars</h3>
+<div id="outline-container-orgdb99136" class="outline-3">
+<h3 id="orgdb99136"><span class="section-number-3">10.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-10-1">
<p>
The following should be familiar boilerplate by now.
</div>
</div>
</div>
-<div id="outline-container-org6f97126" class="outline-3">
-<h3 id="org6f97126"><span class="section-number-3">10.2.</span> Configure Hostname</h3>
+<div id="outline-container-org873736d" class="outline-3">
+<h3 id="org873736d"><span class="section-number-3">10.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-10-2">
<p>
Clients should be using the expected host name.
</div>
</div>
</div>
-<div id="outline-container-org1fe8eef" class="outline-3">
-<h3 id="org1fe8eef"><span class="section-number-3">10.3.</span> Configure Systemd Resolved</h3>
+<div id="outline-container-org8d7a075" class="outline-3">
+<h3 id="org8d7a075"><span class="section-number-3">10.3.</span> Configure Systemd Resolved</h3>
<div class="outline-text-3" id="text-10-3">
<p>
Campus machines use the campus name server on Core (or <code>dns.google</code>),
</div>
</div>
</div>
-<div id="outline-container-orgc133751" class="outline-3">
-<h3 id="orgc133751"><span class="section-number-3">10.5.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org65ae49f" class="outline-3">
+<h3 id="org65ae49f"><span class="section-number-3">10.5.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-10-5">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-org09cd0a8" class="outline-3">
-<h3 id="org09cd0a8"><span class="section-number-3">10.6.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-orgbd8ac82" class="outline-3">
+<h3 id="orgbd8ac82"><span class="section-number-3">10.6.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-10-6">
<p>
The institute prefers to install security updates as soon as possible.
</div></div>
<div id="postamble" class="status">
<p class="author">Author: Matt Birkholz</p>
-<p class="date">Created: 2024-04-21 Sun 14:40</p>
+<p class="date">Created: 2024-05-03 Fri 10:44</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>