tags: accounts
#+END_SRC
+** Enable Systemd Resolved
+
+The ~systemd-networkd~ and ~systemd-resolved~ service units are not
+enabled by default in Debian, but /are/ the default in Ubuntu. The
+institute attempts to make use of their link-local name resolution, so
+they are enabled on all institute hosts.
+
+The =/usr/share/doc/systemd/README.Debian.gz= file recommends both
+services be enabled /and/ =/etc/resolv.conf= be replaced with a
+symbolic link to =/run/systemd/resolve/resolv.conf=. The institute
+follows these recommendations (and /not/ the suggestion to enable
+"persistent logging", yet). In Debian 12 there is a
+~systemd-resolved~ package that symbolically links =/etc/resolv.conf=
+(and provides =/lib/systemd/systemd-resolved=, formerly part of the
+~systemd~ package).
+
+#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/all/tasks/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/all/tasks/main.yml :noweb yes
+
+- name: Install systemd-resolved.
+ become: yes
+ apt: pkg=systemd-resolved
+ when:
+ - ansible_distribution == 'Debian'
+ - 11 < ansible_distribution_major_version|int
+
+- name: Enable/Start systemd-networkd.
+ become: yes
+ systemd:
+ service: systemd-networkd
+ enabled: yes
+ state: started
+
+- name: Enable/Start systemd-resolved.
+ become: yes
+ systemd:
+ service: systemd-resolved
+ enabled: yes
+ state: started
+
+- name: Link /etc/resolv.conf.
+ become: yes
+ file:
+ path: /etc/resolv.conf
+ src: /run/systemd/resolve/resolv.conf
+ state: link
+ force: yes
+ when:
+ - ansible_distribution == 'Debian'
+ - 12 > ansible_distribution_major_version|int
+#+END_SRC
+
** Trust Institute Certificate Authority
All servers should recognize the institute's Certificate Authority as
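Review bot: the caption on the new block links to the wrong file: `[[file:roles_t/front/tasks/main.yml][=roles_t/all/tasks/main.yml=]]` displays `roles_t/all/tasks/main.yml` but its target is `roles_t/front/tasks/main.yml`, while the `:tangle roles_t/all/tasks/main.yml` header directly below names the file the block actually produces; the link target should match it. Two smaller points on the same hunk: the prose says the README recommendation to symlink `/etc/resolv.conf` is followed, but the `Link /etc/resolv.conf.` task is conditioned on `ansible_distribution == 'Debian'` and a major version below 12, so on Ubuntu hosts and on Debian 12+ nothing in this block touches `/etc/resolv.conf` and whatever the distribution (or the `systemd-resolved` package) already put there is left in place; a sentence saying so would stop a reader expecting the link to be enforced everywhere. And the two version tests are complementary but written in opposite styles (`11 < ...|int` versus `12 > ...|int`); writing both as `ansible_distribution_major_version|int >= 12` and `< 12` makes the split at Debian 12 obvious at a glance.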
command: hostname -F /etc/hostname
#+END_SRC
-** Enable Systemd Resolved <<resolved-front>>
-
-The ~systemd-networkd~ and ~systemd-resolved~ service units are not
-enabled by default in Debian, but /are/ the default in Ubuntu, and
-work with Netplan. The =/usr/share/doc/systemd/README.Debian.gz= file
-recommends both services be enabled /and/ =/etc/resolv.conf= be
-replaced with a symbolic link to =/run/systemd/resolve/resolv.conf=.
-The institute follows these recommendations (and /not/ the suggestion
-to enable "persistent logging", yet). In Debian 12 there is a
-~systemd-resolved~ package that symbolically links =/etc/resolv.conf=
-(and provides =/lib/systemd/systemd-resolved=, formerly part of the
-~systemd~ package).
-
-These tasks are included in all of the roles, and so are given in a
-separate code block named ~enable-resolved~.[fn:2]
-
-#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml :noweb yes
-<<enable-resolved>>
-#+END_SRC
-
-#+NAME: enable-resolved
-#+CAPTION: ~enable-resolved~
-#+BEGIN_SRC conf
-
-- name: Install systemd-resolved.
- become: yes
- apt: pkg=systemd-resolved
- when:
- - ansible_distribution == 'Debian'
- - 11 < ansible_distribution_major_version|int
-
-- name: Enable/Start systemd-networkd.
- become: yes
- systemd:
- service: systemd-networkd
- enabled: yes
- state: started
-
-- name: Enable/Start systemd-resolved.
- become: yes
- systemd:
- service: systemd-resolved
- enabled: yes
- state: started
-
-- name: Link /etc/resolv.conf.
- become: yes
- file:
- path: /etc/resolv.conf
- src: /run/systemd/resolve/resolv.conf
- state: link
- force: yes
- when:
- - ansible_distribution == 'Debian'
- - 12 > ansible_distribution_major_version|int
-#+END_SRC
-
** Add Administrator to System Groups
The administrator often needs to read (directories of) log files owned
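Review bot: this hunk deletes the `#+NAME: enable-resolved` noweb definition and the `<<resolved-front>>` heading target. The `<<enable-resolved>>` references in the core and campus roles and the `[[resolved-front][...]]` links are removed elsewhere in this patch, but any block or section outside the lines shown here that still expands `<<enable-resolved>>` or links to `resolved-front` will break at tangle or export time; grep the whole document for both names before merging. The deleted text also said the enable tasks "are included in all of the roles", so every role's tangle block is a candidate.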
The ~apache-ciphers~ block below is included last in the Apache2
configuration, so that its ~SSLCipherSuite~ directive can override
(narrow) any list of ciphers set earlier (e.g. by Let's
-Encrypt![fn:3]). The protocols and cipher suites specified here were
+Encrypt![fn:2]). The protocols and cipher suites specified here were
taken from [[https://www.ssllabs.com/projects/best-practices]] in 2022.
#+NAME: apache-ciphers
command: hostname -F /etc/hostname
#+END_SRC
-** Enable Systemd Resolved
-
-Core starts the ~systemd-networkd~ and ~systemd-resolved~ service
-units on boot. See [[resolved-front][Enable Systemd Resolved]].
-
-#+CAPTION: [[file:roles_t/core/tasks/main.yml][=roles_t/core/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/core/tasks/main.yml :noweb yes
-<<enable-resolved>>
-#+END_SRC
-
** Configure Systemd Resolved
Core runs the campus name server, so Resolved is configured to use it
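Review bot: with the enable tasks dropped from the core role, the `Configure Systemd Resolved` section that follows assumes `systemd-resolved` is already installed (on Debian 12), enabled and started by `roles_t/all/tasks/main.yml`; that holds only if the playbook applies the `all` role before `core`. Worth stating that ordering requirement here (the same dependency applies to the campus role, whose enable tasks are removed further down), since nothing in the core tasks themselves now guarantees the unit exists before it is configured.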
when: inventory_hostname != ansible_hostname
#+END_SRC
-** Enable Systemd Resolved
-
-Campus machines start the ~systemd-networkd~ and ~systemd-resolved~
-service units on boot. See [[resolved-front][Enable Systemd Resolved]].
-
-#+CAPTION: [[file:roles_t/campus/tasks/main.yml][=roles_t/campus/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/campus/tasks/main.yml :noweb yes
-<<enable-resolved>>
-#+END_SRC
-
** Configure Systemd Resolved
Campus machines use the campus name server on Core (or ~dns.google~),
A new member's record in the ~members~ mapping will have the ~status~
key value ~current~. That key gets value ~former~ when the member
-leaves.[fn:4] Access by former members is revoked by invalidating the
+leaves.[fn:3] Access by former members is revoked by invalidating the
Unix account passwords, removing any authorized SSH keys from Front
and Core, and disabling their VPN certificates.
not accessible to the administrator's notebook (the host). To work
around this restriction, ~front~ gets a second network interface
connected to the ~vboxnet1~ network and used only for ssh access from
-the host.[fn:5]
+the host.[fn:4]
The networks described above are created and "started" with the
following ~VBoxManage~ commands.
"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast
DNS). [[https://www.rfc-editor.org/rfc/rfc6762#appendix-G]]
-[fn:2] Why not create a role named ~all~ and put these tasks that are
-the same on all machines in that role? If there were more than a
-stable handful, and no tangling mechanism to do the duplication, a
-catch-all role would be a higher priority.
-
-[fn:3] The cipher set specified by Let's Encrypt is large enough to
+[fn:2] The cipher set specified by Let's Encrypt is large enough to
turn orange many parts of an SSL Report from Qualys SSL Labs.
-[fn:4] Presumably, eventually, a former member's home directories are
+[fn:3] Presumably, eventually, a former member's home directories are
archived to external storage, their other files are given new
ownerships, and their Unix accounts are deleted. This has never been
done, and is left as a manual exercise.
-[fn:5] Front is accessible via Gate but routing from the host address
+[fn:4] Front is accessible via Gate but routing from the host address
on ~vboxnet0~ through Gate requires extensive interference with the
routes on Front and Gate, making the simulation less... similar.
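Review bot: deleting the old `[fn:2]` and shifting `[fn:3]`, `[fn:4]` and `[fn:5]` down by one touches three definition/reference pairs spread across the document; any `[fn:N]` reference outside the hunks shown here that was not renumbered now points at the wrong note or at none. Org also accepts labelled footnotes (for example `[fn:ciphers]`), which would let the next deletion avoid this churn entirely. The removal itself is consistent with the rest of the patch: the deleted footnote argued against creating an `all` role, which the patch now introduces with `roles_t/all/tasks/main.yml`.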