the member's username, keeping a list of the member's clients (in case
all authorizations need to be revoked quickly). The list of client
certificates that have been revoked is stored along with the
-membership roll (in =private/members.yml= as the value of ~revoked~).
+membership roll (in [[file:private/members.yml][=private/members.yml=]] as the value of ~revoked~).
Finally, the institute uses an OpenPGP key to secure sensitive emails
(containing passwords or private keys) to Core.
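Review bot: the new `[[file:private/members.yml][=private/members.yml=]]` link turns a plain file name into a hyperlink to a file that, by this same paragraph, holds the membership roll and the list of revoked client certificates. If this Org document is exported to a published HTML manual, each such link becomes a relative URL into `private/`, which is either a dead link or, if that directory happens to be served, a direct pointer at sensitive data. Unless `private/` is deliberately kept out of the export, consider leaving it as the plain verbatim `=private/members.yml=` that the `-` line had, here and in the later hunks that make the same substitution.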
=public/vars.yml= file. Thus the first task of the ~all~ role is to
include the variables defined in this file (described in [[*The Particulars][The
Particulars]]). The code block below is the first to tangle into
-[[file:roles/front/tasks/main.yml][=roles/all/tasks/main.yml=]].
+[[file:roles/all/tasks/main.yml][=roles/all/tasks/main.yml=]].
-#+CAPTION: [[file:roles/front/tasks/main.yml][=roles/all/tasks/main.yml=]]
+#+CAPTION: [[file:roles/all/tasks/main.yml][=roles/all/tasks/main.yml=]]
#+BEGIN_SRC conf :tangle roles_t/all/tasks/main.yml :mkdirp yes
---
- name: Include public variables.
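Review bot: the caption and prose links are corrected from `roles/front/...` to `roles/all/tasks/main.yml`, but the block tangles to `roles_t/all/tasks/main.yml`, and the next two captions fixed in this patch (the `systemd-resolved` and `Trust the institute CA` blocks, which tangle to the same file) link to `roles_t/all/tasks/main.yml` instead. If the `roles/` vs `roles_t/` distinction is intentional (tangled copy versus the checked-in copy), the prose should say which one is being linked; otherwise this caption and link should also point at `roles_t/all/tasks/main.yml` so all three agree.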
(and provides =/lib/systemd/systemd-resolved=, formerly part of the
~systemd~ package).
-#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/all/tasks/main.yml=]]
+#+CAPTION: [[file:roles_t/all/tasks/main.yml][=roles_t/all/tasks/main.yml=]]
#+BEGIN_SRC conf :tangle roles_t/all/tasks/main.yml :noweb no-export
- name: Install systemd-resolved.
each host. More information about how the small institute manages its
X.509 certificates is available in [[*Keys][Keys]].
-#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/all/tasks/main.yml=]]
+#+CAPTION: [[file:roles_t/all/tasks/main.yml][=roles_t/all/tasks/main.yml=]]
#+BEGIN_SRC conf :tangle roles_t/all/tasks/main.yml :mkdirp yes
- name: Trust the institute CA.
notify: Update CAs.
#+END_SRC
-#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/all/handlers/main.yml=]]
+#+CAPTION: [[file:roles_t/all/handlers/main.yml][=roles_t/all/handlers/main.yml=]]
#+BEGIN_SRC conf :tangle roles_t/all/handlers/main.yml :mkdirp yes
- name: Update CAs.
#+END_SRC
Now the configuration drop concerns the network device on which
-Kamailio will be listening, the ~tun~ device created by OpenVPN. The
+Kamailio will be listening, the ~ovpn~ device created by OpenVPN. The
added configuration settings inform Systemd that Kamailio should not
-be started before the ~tun~ device has appeared.
+be started before the ~ovpn~ device has appeared.
#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]]
#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml
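Review bot: renaming the device from `tun` to `ovpn` in the prose is only correct if the OpenVPN server configuration actually creates a device by that name and the systemd drop-in in the block that follows waits on that same device unit; the block body is not part of this hunk, so confirm both sides use `ovpn`. A mismatch would defeat the ordering described here and let Kamailio start before the VPN interface exists, so it would fail to bind to the intended address (or bind to whatever is available) rather than wait.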
The next code block implements the ~config~ sub-command, which
provisions network services by running the =site.yml= playbook
-described in [[*=playbooks/site.yml=][=playbooks/site.yml=]]. It recognizes an optional ~-n~
+described in [[file:playbooks/site.yml][=playbooks/site.yml=]]. It recognizes an optional ~-n~
flag indicating that the service configurations should just be
checked. Given an optional host name, it provisions (or checks) just
the named host.
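Review bot: "described in" now points at the tangled file `playbooks/site.yml` rather than at the `*=playbooks/site.yml=` section of this document. A reader following "described in" expects the explanatory section, and the file link loses that; the section link was also the form other cross-references may rely on. Suggest keeping the `*` section link for this sentence and reserving `[[file:playbooks/site.yml][=playbooks/site.yml=]]` for places where the file itself is meant, as in the pass-command paragraph later in this patch.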
[[*Accounts][Accounts]]. The account management sub-commands maintain a mapping
associating member "usernames" (Unix account names) with their
records. The mapping is stored among other things in
-=private/members.yml= as the value associated with the key ~members~.
+[[file:private/members.yml][=private/members.yml=]] as the value associated with the key ~members~.
A new member's record in the ~members~ mapping will have the ~status~
key value ~current~. That key gets value ~former~ when the member
The next code block implements the ~new~ sub-command. It adds a new
member to the institute's membership roll. It runs an Ansible
playbook to create the member's Nextcloud user, updates
-=private/members.yml=, and runs the [[file:playbooks/site.yml][=site.yml=]] playbook. The site
+[[file:private/members.yml][=private/members.yml=]], and runs the [[file:playbooks/site.yml][=site.yml=]] playbook. The site
playbook (re)creates the member's accounts on Core and Front,
(re)installs the member's personal homepage on Front, and the member's
Fetchmail service on Core. All services are configured with an
pass~ command. In either case, the administrator needs to update the
membership roll, and so receives an encrypted email, which gets piped
into ~./inst pass~. This command decrypts the message, parses the
-(YAML) content, updates =private/members.yml=, and runs the full
+(YAML) content, updates [[file:private/members.yml][=private/members.yml=]], and runs the full
Ansible [[file:playbooks/site.yml][=site.yml=]] playbook to update the servers. If all goes well a
message is sent to ~member@core~.
*** Less Aggressive Pass Command
The following code block implements the ~./inst pass~ command, used by
-the administrator to update =private/members.yml= before running
+the administrator to update [[file:private/members.yml][=private/members.yml=]] before running
[[file:playbooks/site.yml][=playbooks/site.yml=]] and emailing the concerned member.
#+CAPTION: [[file:inst][=inst=]]