"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
-<!-- 2024-01-01 Mon 10:48 -->
+<!-- 2024-02-26 Mon 20:06 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Birchwood Abbey Networks</title>
philosophy, attitude.
</p>
-<pre class="example" id="org5eb02a9">
+<pre class="example" id="orgd483448">
|
=
_|||_
Dovecot-IMAPd, and hosting a VPN with OpenVPN.
</p>
</div>
-<div id="outline-container-org4777a67" class="outline-3">
-<h3 id="org4777a67"><span class="section-number-3">3.1.</span> Install Emacs</h3>
+<div id="outline-container-org6aa9431" class="outline-3">
+<h3 id="org6aa9431"><span class="section-number-3">3.1.</span> Install Emacs</h3>
<div class="outline-text-3" id="text-3-1">
<p>
The monks of the abbey are masters of the staff (bo) and Emacs.
entered as shown below).
</p>
-<pre class="example" id="orge6cf15b">
+<pre class="example" id="org22fb3c8">
$ sudo apt install python3-certbot-apache
$ sudo certbot --apache -d birchwood-abbey.net
...
NTP, DNS and DHCP.
</p>
</div>
-<div id="outline-container-org001474c" class="outline-3">
-<h3 id="org001474c"><span class="section-number-3">4.1.</span> Install Additional Packages</h3>
+<div id="outline-container-orgf97678f" class="outline-3">
+<h3 id="orgf97678f"><span class="section-number-3">4.1.</span> Include Abbey Variables</h3>
<div class="outline-text-3" id="text-4-1">
<p>
+In this abbey specific document, most abbey particulars are not
+replaced with variables, but specified in-line. Some, however, are
+private (e.g. database passwords), not to be published in this
+document, and so replaced with variables set in
+<q>private/vars-abbey.yml</q>. The file path is relative to the playbook's
+directory, <q>playbooks/</q>.
+</p>
+
+<div class="org-src-container">
+<q>roles_t/abbey-core/tasks/main.yml</q><pre class="src src-conf">---
+- name: Include private abbey variables.
+ include_vars: ../private/vars-abbey.yml
+</pre>
+</div>
+</div>
+</div>
+<div id="outline-container-org001474c" class="outline-3">
+<h3 id="org001474c"><span class="section-number-3">4.2.</span> Install Additional Packages</h3>
+<div class="outline-text-3" id="text-4-2">
+<p>
The scripts that maintain the abbey's web site and run the Weather
project use a number of additional software packages. The
<q>/WWW/live/Private/make-top-index</q> script uses <code>HTML::TreeBuilder</code> in
</p>
<div class="org-src-container">
-<q>roles_t/abbey-core/tasks/main.yml</q><pre class="src src-conf">---
+<q>roles_t/abbey-core/tasks/main.yml</q><pre class="src src-conf">
- name: Install additional packages.
apt:
pkg: [ libhtml-tree-perl, libjs-jquery, mit-scheme, gnuplot ]
</div>
</div>
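Review bot: The new 4.1 task loads database passwords with include_vars from a plaintext file, so they become ordinary host variables that show up in -v/debug output and in any task that echoes its arguments; encrypt private/vars-abbey.yml with ansible-vault (include_vars reads vault-encrypted files transparently) and put `no_log: true` on the tasks that consume those variables. The path explanation also needs one more sentence: a relative include_vars path is searched in the role's vars/ and role directory before the playbook directory, so `../private/vars-abbey.yml` only lands on playbooks/../private/ because no roles_t/private/ exists; the sentence deleted from 8.4 ("The relative filename should be found only in the playbook's directory") said exactly that and should survive here. Minor: the 4.2 block now opens `<pre class="src src-conf">` followed by a newline, which renders as a blank first line.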
<div id="outline-container-orgd7a5da4" class="outline-3">
-<h3 id="orgd7a5da4"><span class="section-number-3">4.2.</span> Configure Private Email Aliases</h3>
-<div class="outline-text-3" id="text-4-2">
+<h3 id="orgd7a5da4"><span class="section-number-3">4.3.</span> Configure Private Email Aliases</h3>
+<div class="outline-text-3" id="text-4-3">
<p>
The abbey uses several additional email aliases. These are the campus
mailboxes <code>@*.birchwood-abbey.net</code>. The institute already includes
</div>
</div>
<div id="outline-container-org6cfc8e7" class="outline-3">
-<h3 id="org6cfc8e7"><span class="section-number-3">4.3.</span> Configure Git Daemon on Core</h3>
-<div class="outline-text-3" id="text-4-3">
+<h3 id="org6cfc8e7"><span class="section-number-3">4.4.</span> Configure Git Daemon on Core</h3>
+<div class="outline-text-3" id="text-4-4">
<p>
These tasks are identical to those executed on Front, for similar Git
services on Front and Core. See <a href="#org31d6bbb">3.3</a> and
</div>
</div>
<div id="outline-container-orged71937" class="outline-3">
-<h3 id="orged71937"><span class="section-number-3">4.4.</span> Configure Apache on Core</h3>
-<div class="outline-text-3" id="text-4-4">
+<h3 id="orged71937"><span class="section-number-3">4.5.</span> Configure Apache on Core</h3>
+<div class="outline-text-3" id="text-4-5">
<p>
The Apache2 configuration on Core specifies three web sites (live,
test, and campus). The live and test sites must operate just like the
</div>
</div>
<div id="outline-container-org7cfc2f1" class="outline-3">
-<h3 id="org7cfc2f1"><span class="section-number-3">4.5.</span> Configure Documentation URLs</h3>
-<div class="outline-text-3" id="text-4-5">
+<h3 id="org7cfc2f1"><span class="section-number-3">4.6.</span> Configure Documentation URLs</h3>
+<div class="outline-text-3" id="text-4-6">
<p>
The institute serves its <q>/usr/share/doc/</q> on the house (campus) web
site. This is a debugging convenience, making some HTML documentation
</div>
</div>
<div id="outline-container-org1ad313a" class="outline-3">
-<h3 id="org1ad313a"><span class="section-number-3">4.6.</span> Install Apt Cacher</h3>
-<div class="outline-text-3" id="text-4-6">
+<h3 id="org1ad313a"><span class="section-number-3">4.7.</span> Install Apt Cacher</h3>
+<div class="outline-text-3" id="text-4-7">
<p>
The abbey uses the Apt-Cacher:TNG package cache on Core. The
<code>apt-cacher</code> domain name is defined in <q>private/db.domain</q>.
</div>
</div>
</div>
-<div id="outline-container-org1626d5e" class="outline-3">
-<h3 id="org1626d5e"><span class="section-number-3">4.7.</span> Use Cloister Apt Cache</h3>
-<div class="outline-text-3" id="text-4-7">
+<div id="outline-container-org4353e7c" class="outline-3">
+<h3 id="org4353e7c"><span class="section-number-3">4.8.</span> Use Cloister Apt Cache</h3>
+<div class="outline-text-3" id="text-4-8">
<p>
Core itself will benefit from using the package cache.
</p>
</div>
</div>
<div id="outline-container-org30c2703" class="outline-3">
-<h3 id="org30c2703"><span class="section-number-3">4.8.</span> Configure NAGIOS</h3>
-<div class="outline-text-3" id="text-4-8">
+<h3 id="org30c2703"><span class="section-number-3">4.9.</span> Configure NAGIOS</h3>
+<div class="outline-text-3" id="text-4-9">
<p>
A small institute uses <code>nagios4</code> to monitor the health of its network,
with an initial smattering of monitors adopted from the Debian
</div>
</div>
<div id="outline-container-org5b67d8f" class="outline-3">
-<h3 id="org5b67d8f"><span class="section-number-3">4.9.</span> Monitoring The Home Disk</h3>
-<div class="outline-text-3" id="text-4-9">
+<h3 id="org5b67d8f"><span class="section-number-3">4.10.</span> Monitoring The Home Disk</h3>
+<div class="outline-text-3" id="text-4-10">
<p>
The abbey adds monitoring of the space remaining on the volume at
<q>/home/</q> on Core. (The small institute only monitors the space
</div>
</div>
<div id="outline-container-org154a00c" class="outline-3">
-<h3 id="org154a00c"><span class="section-number-3">4.10.</span> Custom NAGIOS Monitor <code>abbey_pisensors</code></h3>
-<div class="outline-text-3" id="text-4-10">
+<h3 id="org154a00c"><span class="section-number-3">4.11.</span> Custom NAGIOS Monitor <code>abbey_pisensors</code></h3>
+<div class="outline-text-3" id="text-4-11">
<p>
The <code>check_sensors</code> plugin is included in the package
<code>monitoring-plugins-basic</code>, but it does not report any readings. The
</div>
</div>
<div id="outline-container-org362dff5" class="outline-3">
-<h3 id="org362dff5"><span class="section-number-3">4.11.</span> Monitoring The Cloister</h3>
-<div class="outline-text-3" id="text-4-11">
+<h3 id="org362dff5"><span class="section-number-3">4.12.</span> Monitoring The Cloister</h3>
+<div class="outline-text-3" id="text-4-12">
<p>
The abbey adds monitoring for more servers: Kamino, Kessel and
Devaron. They are <code>abbey-cloister</code> servers, so they are configured as
Kessel is a wireless host while Kamino is wired. Devaron, the
Raspberry Pi OS (ARM64) machine, uses the <code>abbey_pisensors</code> monitor.
</p>
+</div>
+<div id="outline-container-org668580c" class="outline-4">
+<h4 id="org668580c"><span class="section-number-4">4.12.1.</span> Cloister Network Addresses</h4>
+<div class="outline-text-4" id="text-4-12-1">
+<p>
+The IP addresses of all three hosts are nice to use in the NAGIOS
+configuration (to avoid depending on name service) and so are
+included in <q>private/vars-abbey.yml</q>.
+</p>
+<div class="org-src-container">
+<q>private/vars-abbey.yml</q><pre class="src src-conf">devaron_addr: 10.84.138.10
+kamino_addr: 192.168.56.14
+kessel_addr: 10.84.138.8
+</pre>
+</div>
+</div>
+</div>
+<div id="outline-container-org5225aac" class="outline-4">
+<h4 id="org5225aac"><span class="section-number-4">4.12.2.</span> Installing NAGIOS Configurations</h4>
+<div class="outline-text-4" id="text-4-12-2">
<p>
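Review bot: 4.12.1 puts three addresses into private/vars-abbey.yml, the file 4.1 describes as holding values "not to be published in this document", and then prints them; either say that these are example values (the sentence "Example values are given in this document" is removed from 8.4 and 9.3 in this same change) or keep the real addresses out of the page. Two more things the text should state: why kamino_addr (192.168.56.14) is on a different network from devaron_addr and kessel_addr (10.84.138.x), presumably wired cloister Ethernet versus VPN-assigned addresses given that 4.12 says Kamino is wired and Kessel wireless; and, if the 10.84.138.x addresses are handed out by the cloister VPN, how they are kept stable (for example a per-client ifconfig-push entry under client-config-dir), because NAGIOS checks pinned to a fixed address go stale silently when the VPN assigns a different one.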
-Kamino is currently unmonitored as it is now rarely powered up.
+The following task installs each host's NAGIOS configuration. Note
+that Kamino is not included. It is currently unmonitored as it is now
+rarely powered up.
</p>
<div class="org-src-container">
notify: Reload NAGIOS4.
</pre>
</div>
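Review bot: Kamino is dropped from the install task here, but its template still gets its own subsection (4.12.4) with no hint that the file is never installed; add "currently unused" to 4.12.4 or remove the template until Kamino is monitored again, otherwise the next reader will take the missing loop item for a bug.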
-
+</div>
+</div>
+<div id="outline-container-org2e4fb52" class="outline-4">
+<h4 id="org2e4fb52"><span class="section-number-4">4.12.3.</span> NAGIOS Monitoring of Devaron</h4>
+<div class="outline-text-4" id="text-4-12-3">
<div class="org-src-container">
<q>roles_t/abbey-core/templates/nagios-devaron.cfg</q><pre class="src src-conf"><span class="org-type">define host</span> {
use linux-server
}
</pre>
</div>
-
+</div>
+</div>
+<div id="outline-container-orge8ccd3b" class="outline-4">
+<h4 id="orge8ccd3b"><span class="section-number-4">4.12.4.</span> NAGIOS Monitoring of Kamino</h4>
+<div class="outline-text-4" id="text-4-12-4">
<div class="org-src-container">
<q>roles_t/abbey-core/templates/nagios-kamino.cfg</q><pre class="src src-conf"><span class="org-type">define host</span> {
use linux-server
}
</pre>
</div>
-
+</div>
+</div>
+<div id="outline-container-org4f9ed4f" class="outline-4">
+<h4 id="org4f9ed4f"><span class="section-number-4">4.12.5.</span> NAGIOS Monitoring of Kessel</h4>
+<div class="outline-text-4" id="text-4-12-5">
<div class="org-src-container">
<q>roles_t/abbey-core/templates/nagios-kessel.cfg</q><pre class="src src-conf"><span class="org-type">define host</span> {
use linux-server
</div>
</div>
</div>
+</div>
<div id="outline-container-orga9351cb" class="outline-3">
-<h3 id="orga9351cb"><span class="section-number-3">4.12.</span> Install Analog</h3>
-<div class="outline-text-3" id="text-4-12">
+<h3 id="orga9351cb"><span class="section-number-3">4.13.</span> Install Analog</h3>
+<div class="outline-text-3" id="text-4-13">
<p>
The abbey's public web site's access and error logs are emailed
regularly to <code>webmaster</code>, who saves them in <q>/Logs/apache2-public/</q>
</div>
</div>
<div id="outline-container-org4cc42f5" class="outline-3">
-<h3 id="org4cc42f5"><span class="section-number-3">4.13.</span> Add Monkey to Web Server Group</h3>
-<div class="outline-text-3" id="text-4-13">
+<h3 id="org4cc42f5"><span class="section-number-3">4.14.</span> Add Monkey to Web Server Group</h3>
+<div class="outline-text-3" id="text-4-14">
<p>
Monkey needs to be in <code>www-data</code> so that it can run
<q>/WWW/live/Photos/Private/cronjob</q> to publish photos from multiple
</div>
</div>
<div id="outline-container-orgb69761e" class="outline-3">
-<h3 id="orgb69761e"><span class="section-number-3">4.14.</span> Install netpbm For Photo Processing</h3>
-<div class="outline-text-3" id="text-4-14">
+<h3 id="orgb69761e"><span class="section-number-3">4.15.</span> Install netpbm For Photo Processing</h3>
+<div class="outline-text-3" id="text-4-15">
<p>
Monkey's photo processing scripts use <code>netpbm</code> commands like
<code>jpegtopnm</code>.
</div>
</div>
<div id="outline-container-org9a9dc68" class="outline-3">
-<h3 id="org9a9dc68"><span class="section-number-3">4.15.</span> Configure Weather Updates</h3>
-<div class="outline-text-3" id="text-4-15">
+<h3 id="org9a9dc68"><span class="section-number-3">4.16.</span> Configure Weather Updates</h3>
+<div class="outline-text-3" id="text-4-16">
<p>
Monkey on Core runs <q>/WWW/campus/Weather/Private/cronjob</q> every 5
minutes and <q>cronjob-midnight</q> at midnight.
</p>
<p>
-The abbey could have avoided buying a separate campus Wi-Fi access
+The abbey could have avoided buying a separate cloister Wi-Fi access
point, and used Starlink's Wi-Fi instead, with or without its add-on
Ethernet interface. Instead, the abbey invested in a 2.4GHz-only
Think Penguin access point, and connected it to a third Ethernet
-interface on Gate.
+interface on Gate. This was preferred for a number of reasons.
+</p>
+
+<p>
+The abbey uses ISPs other than Starlink, tethering to a cellphone when
+under trees, or even limping along on campground Wi-Fi where the land
+of woven trees has cut off even cell service.
+</p>
+
+<p>
+The abbey uses long and complex passwords, especially on public
+facing services like Wi-Fi. Such a password has been laboriously
+entered into several household IoT devices. Connecting them to a
+dedicated, ISP-independent cloister Wi-Fi access point ensures a
+reliable IoT with zero re-configuration.
</p>
<p>
-This was preferred for a number of reasons. Using the add-on Ethernet
-interface allowed Starlink's Wi-Fi to be disabled, reducing the Wi-Fi
-clutter in the campground ether. Starlink is not always available.
-(It does not work well under trees.) A dedicated campus Wi-Fi is
-always available. The password to the campus Wi-Fi is long and
-complex and has been laboriously entered into several household IoT
-devices. The Think Penguin access point is transparent, trustworthy
-hardware that has earned a Respects Your Freedom certification (see
-<a href="https://ryf.fsf.org/">https://ryf.fsf.org/</a>). And most importantly, a campus Wi-Fi keeps
-campus network traffic out of the hands of the abbey's ISPs.
+Using Starlink's add-on Ethernet interface allowed its Wi-Fi to be
+disabled, reducing the Wi-Fi clutter in the campground ether.
+</p>
+
+<p>
+The Think Penguin access point is transparent, trustworthy hardware
+that has earned a Respects Your Freedom certification (see
+<a href="https://ryf.fsf.org/">https://ryf.fsf.org/</a>).
+</p>
+
+<p>
+And most importantly, a dedicated and trustworthy cloister Wi-Fi keeps
+at least our local network traffic out of view of our ISPs.
</p>
</div>
</div>
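Review bot: Splitting the reasons into one paragraph each loses the conclusion of the second one: the paragraph on tethering and campground Wi-Fi never says what the dedicated access point buys in those situations. The removed text had it ("A dedicated campus Wi-Fi is always available"); close that paragraph with something like "A dedicated cloister Wi-Fi stays up whichever uplink is in use." The IoT paragraph would likewise read better if it said that the devices keep working across ISP changes because the SSID and password never change, which is the point being made.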
Birchwood Abbey's cloister is a small institute campus. The <code>campus</code>
role configures all campus machines to trust the institute's CA, sync
with the campus time server, and forward email to Core. The
-<code>cloister</code> role additionally configures cloistered machines to use the
-cloister Apt cache, respond to Core's NAGIOS network monitor, and to
-install Emacs. There are also a few OS specific tasks, namely
+<code>abbey-cloister</code> role additionally configures cloistered machines to
+use the cloister Apt cache, respond to Core's NAGIOS network monitor,
+and to install Emacs. There are also a few OS specific tasks, namely
configuration required on Raspberry Pi OS machines.
</p>
is not associated with a member of the small institute.
</p>
</div>
-<div id="outline-container-orgf272ac0" class="outline-3">
-<h3 id="orgf272ac0"><span class="section-number-3">6.1.</span> Use Cloister Apt Cache</h3>
+<div id="outline-container-org5b2da2f" class="outline-3">
+<h3 id="org5b2da2f"><span class="section-number-3">6.1.</span> Use Cloister Apt Cache</h3>
<div class="outline-text-3" id="text-6-1">
<p>
The Apt-Cacher:TNG program does not work well on the frontier, so is
</div>
</div>
</div>
-<div id="outline-container-orgce301be" class="outline-3">
-<h3 id="orgce301be"><span class="section-number-3">6.3.</span> Install Emacs</h3>
+<div id="outline-container-org94f285e" class="outline-3">
+<h3 id="org94f285e"><span class="section-number-3">6.3.</span> Install Emacs</h3>
<div class="outline-text-3" id="text-6-3">
<p>
The monks of the abbey are masters of the staff and Emacs.
below. A test session is shown below.
</p>
-<pre class="example" id="orgd78ab99">
+<pre class="example" id="org5a977fb">
monkey@new$ owdir
...
/26.2153B6000000/
</p>
</div>
</div>
-<div id="outline-container-org2965e55" class="outline-3">
-<h3 id="org2965e55"><span class="section-number-3">8.4.</span> Include Abbey Variables</h3>
+<div id="outline-container-org8d4ee62" class="outline-3">
+<h3 id="org8d4ee62"><span class="section-number-3">8.4.</span> Include Abbey Variables</h3>
<div class="outline-text-3" id="text-8-4">
<p>
-In this abbey specific document, most abbey particulars are not
-replaced with variables, but specified in-line. Some, however, are
-not published (e.g. database passwords). The variables that replace
-them are included from <q>private/vars-abbey.yml</q>. Example values are
-given in this document.
+Private variables in <q>private/vars-abbey.yml</q> are needed, and included
+here, as in the <code>abbey-core</code> role. The file path is relative to the
+playbook's directory, <q>playbooks/</q>.
</p>
<div class="org-src-container">
include_vars: ../private/vars-abbey.yml
</pre>
</div>
-
-<p>
-The relative filename should be found only in the playbook's
-directory, <q>playbooks/</q>.
-</p>
</div>
</div>
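Review bot: The rewrite of 8.4 drops "Example values are given in this document", which was the only statement telling readers that values printed for private/vars-abbey.yml variables elsewhere in the page (the addresses in 4.12.1, for instance) are placeholders; restore it here or in 4.1, where the file is now introduced.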
<div id="outline-container-orgccc0d2c" class="outline-3">
</p>
</div>
</div>
-<div id="outline-container-org569a9d4" class="outline-3">
-<h3 id="org569a9d4"><span class="section-number-3">9.3.</span> Include Abbey Variables</h3>
+<div id="outline-container-org71e3f52" class="outline-3">
+<h3 id="org71e3f52"><span class="section-number-3">9.3.</span> Include Abbey Variables</h3>
<div class="outline-text-3" id="text-9-3">
<p>
-In this abbey specific document, most abbey particulars are not
-replaced with variables, but specified in-line. Some, however, are
-not published (e.g. database passwords). The variables that replace
-them are included from <q>private/vars-abbey.yml</q>. Example values are
-given in this document.
+Private variables in <q>private/vars-abbey.yml</q> are needed, as in the
+<code>abbey-core</code> role. The file path is relative to the playbook's
+directory, <q>playbooks/</q>.
</p>
<div class="org-src-container">
include_vars: ../private/vars-abbey.yml
</pre>
</div>
-
-<p>
-The relative filename should be found only in the playbook's
-directory, <q>playbooks/</q>.
-</p>
</div>
</div>
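Review bot: 9.3 now says the private variables "are needed" while the parallel sentence in 8.4 says "are needed, and included here"; this section shows the same include_vars task, so use the same wording, and a clause naming which private variables this role actually consumes would justify the include.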
<div id="outline-container-org004060a" class="outline-3">
the OTA (over the air) broadcasts.
</p>
-<pre class="example" id="org6b26992">
+<pre class="example" id="orga3162a1">
$ tv_grab_zz_sdjson --configure --config-file .mythtv/Mr.Antenna.xmltv
Cache file for lineups, schedules and programs.
Cache file: [/home/mythtv/.xmltv/tv_grab_zz_sdjson.cache]
hosts: gate
roles: [ gate ]
-- name: Configure Campus
+- name: Configure Cloister
hosts: campus
roles: [ campus, abbey-cloister ]
<p>
Wireless IoT devices are manually configured with the cloister Wi-Fi
-password and may be given a private domain name as described here.
+password and may be given a private domain name as described in the
+last step:
</p>
<ul class="org-ul">
<h3 id="org390d48b"><span class="section-number-3">12.2.</span> Raspberry Pis</h3>
<div class="outline-text-3" id="text-12-2">
<p>
-The abbey's Raspberry Pis run Raspberry Pi OS, either the desktop
-(PIXEL) or the Lite version (for headless servers). The following was
-the installation process with a wireless desktop Raspberry Pi OS
-Bookworm (12) machine.
+The abbey's Raspberry Pi runs the Raspberry Pi OS desktop off an
+external, USB3.0 SSD. A fresh install should go something like this:
</p>
<ul class="org-ul">
-<li>Write the disk image, <q>2023-10-10-raspios-bookworm-arm64.img.xz</q>, to
-a fast (U3 and/or A1) µSD card and insert it in the Pi.</li>
+<li>Write the disk image, <q>2023-12-05-raspios-bookworm-arm64.img.xz</q>, to
+the SSD and plug it into the Pi. Leave the µSD card socket empty.</li>
<li>Attach an HDMI monitor, a USB keyboard/mouse, and the cloister
Ethernet, and power up.</li>
<li>Answer first-boot installation questions:
<p>
With the new device's Ethernet MAC in hand, a stanza like the
following is added to the bottom of <q>private/core-dhcpd.conf</q>. The IP
-address must be unique. Typically the next host number after the
-last entry is chosen.
+address must be unique. Typically the next host number after the last
+entry is chosen.
</p>
<div class="org-src-container">
</div>
<p>
-The DHCP service is then <i>restarted</i>.
+The DHCP service is then restarted (not reloaded).
</p>
<div class="org-src-container">
<pre class="example">
D=apt-cacher.small.private.
echo "Acquire::http::Proxy \"http://$D:3142\";" \
-> | sudo tee /etc/apt/apt.conf.d/01proxy
+| sudo tee /etc/apt/apt.conf.d/01proxy
</pre></li>
<li><p>
Update the system and reboot.
<h3 id="org0929940"><span class="section-number-3">12.10.</span> Connect to Cloister VPN</h3>
<div class="outline-text-3" id="text-12-10">
<p>
-Wireless devices connected to the cloister Wi-Fi will get an IP
-address on the access point's local network and a default route to the
-Internet, per the default configuration of a commodity cable modem
-with Wi-Fi access point included. Access to further abbey resources,
-however, is possible only via the cloister VPN.
+Wireless devices (with the cloister Wi-Fi password) can get an IP
+address and a default route to the Internet with no special
+configuration. Neither said devices <i>nor</i> the access point require
+special configuration. Any Wi-Fi access point, e.g. as found in a
+cable modem, will work with zero configuration. The abbey's networks,
+however, are <i>not</i> accessible except via the cloister VPN.
</p>
<p>
<ul class="org-ul">
<li>Create a new client certificate and OpenVPN configuration for the
-new campus server.</li>
-<li>Copy the <q>campus.ovpn</q> file to <q>/etc/openvpn/cloister.conf</q>.</li>
-<li>In a secure shell session on the new machine as <code>sysadm</code>:</li>
-<li>Install the <code>openvpn</code> and <code>openvpn-systemd-resolved</code> software
-packages.</li>
-<li>Start the SystemD service unit.</li>
-<li>Test the connection (and name resolution).</li>
-<li>Enable the SystemD service unit.</li>
-<li>Clean up secrets on the new machine.</li>
-<li>Clean up secrets on the administrator's machine.</li>
+new abbey server.</li>
+<li>Copy the <q>campus.ovpn</q> file to the new machine.</li>
+<li>On the new machine:</li>
+<li>Install the <code>openvpn-systemd-resolved</code> package.</li>
+<li>Copy <q>campus.ovpn</q> to <q>/etc/openvpn/cloister.conf</q>.</li>
+<li>Start the OpenVPN service.</li>
+<li>Check that the cloister VPN was connected.</li>
+<li>Logout and unplug the cloister Ethernet.</li>
+<li>Test the cloister VPN connection (and private name resolution)
+with <code>ping -c1 core</code>.</li>
</ul>
<p>
-And these are the commands.
+And these are the commands:
</p>
<div class="org-src-container">
<pre class="src src-sh">./abbey client campus new
scp campus.ovpn sysadm@new-w:
ssh sysadm@new-w
-sudo apt install openvpn openvpn-systemd-resolved
-( <span class="org-builtin">cd</span>; <span class="org-builtin">umask</span> 077; sudo cp campus.ovpn /etc/openvpn/cloister.conf )
+sudo apt install openvpn-systemd-resolved
+sudo cp campus.ovpn /etc/openvpn/cloister.conf
sudo systemctl start openvpn@cloister
+systemctl status openvpn@cloister
ping -c1 core
sudo systemctl enable openvpn@cloister
rm campus.ovpn
rm campus.ovpn
</pre>
</div>
+
+<p>
+It may be necessary to reboot before the final tests.
+</p>
</div>
</div>
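Review bot: Replacing `( cd; umask 077; sudo cp campus.ovpn /etc/openvpn/cloister.conf )` with a plain `sudo cp` drops the umask, so /etc/openvpn/cloister.conf is created with the default 0644 and, if the .ovpn embeds the client key, that key becomes readable by every local account; use `sudo install -m 600 campus.ovpn /etc/openvpn/cloister.conf` or keep the umask. The listing also ends with two consecutive `rm campus.ovpn` and no `logout` between them, whereas the step list and the desktop listing in 12.10.2 both log out before removing the administrator's copy; insert `logout` between the two. Finally, `systemctl status openvpn@cloister` only shows that the unit is running, not that the tunnel is up; the `ping -c1 core` that follows is the real check, and the text should say it has to succeed after the cloister Ethernet is unplugged, as the step list requires.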
<div id="outline-container-org110b3d7" class="outline-4">
<h4 id="org110b3d7"><span class="section-number-4">12.10.2.</span> Debian Desktops</h4>
<div class="outline-text-4" id="text-12-10-2">
<p>
-Wireless Debian desktop machines (both PCs and Pis, running
-NetworkManager) and are connected to the cloister VPN via the
-following process. Note that they do not appear in the set of
-<code>campus</code> hosts and are not configured by Ansible. They do not appear
-in Ansible's host inventory at all unless the desktop owner is willing
-to provide the password to a privileged account on their machine.
+Wireless Debian desktops (with NetworkManager) include our 8GB Core i3
+NUC (Intel®'s Next Unit of Computing) and our 8GB Raspberry Pi 4.
+They run the Pop!<sub>OS</sub> and Raspberry Pi OS desktops respectively. They
+are connected to the cloister VPN via the following process.
</p>
<ul class="org-ul">
-<li>Create a new client certificate and campus/public OpenVPN
-configurations for the new abbey desktop.</li>
-<li>Copy the <q>campus.ovpn</q> and <q>public.ovpn</q> files to the new desktop.</li>
-<li>Install the <code>openvpn</code>, <code>openvpn-systemd-resolved</code> and
-<code>network-manager-openvpn-gnome</code> packages on the new desktop.</li>
+<li>Create a new client certificate and OpenVPN configuration for the
+new abbey desktop, a <q>campus.ovpn</q> file.</li>
+<li><p>
+Create a <q>wifi</q> file that looks like this (assuming the wireless
+network device is named <code>wlan0</code>).
+</p>
+
+<pre class="example">
+auto wlan0
+iface wlan0 inet dhcp
+ wpa-ssid "Birchwood Abbey"
+ wpa-psk "PASSWORD"
+</pre></li>
+
+<li>Copy the <q>wifi</q> and <q>campus.ovpn</q> files to the new machine.</li>
+<li>On the new machine:</li>
+<li>Install the <code>openvpn-systemd-resolved</code> package.</li>
+<li>Copy <q>wifi</q> to <q>/etc/network/interfaces.d/</q>.</li>
+<li>Bring up the Wi-Fi interface.</li>
+<li>Copy <q>campus.ovpn</q> to <q>/etc/openvpn/cloister.conf</q>.</li>
+<li>Start the OpenVPN service.</li>
+<li>Check that the cloister VPN was connected.</li>
+<li>Logout and unplug the cloister Ethernet.</li>
+<li>Test the cloister VPN connection (and private name resolution)
+with <code>ping -c1 core</code>.</li>
+</ul>
+
+<p>
+And these are the commands:
+</p>
+
+<div class="org-src-container">
+<pre class="src src-sh">./abbey client campus new
+scp wifi campus.ovpn sysadm@new-w:
+ssh sysadm@new-w
+sudo apt install openvpn-systemd-resolved
+sudo cp wifi /etc/network/interfaces.d/
+sudo ifup wlan0
+sudo cp campus.ovpn /etc/openvpn/cloister.conf
+sudo systemctl start openvpn@cloister
+systemctl status openvpn@cloister
+ping -c1 core
+sudo systemctl enable openvpn@cloister
+rm wifi campus.ovpn
+<span class="org-keyword">logout</span>
+rm wifi campus.ovpn
+</pre>
+</div>
+
+<p>
+It may be necessary to reboot before the final tests.
+</p>
+
+<p>
+As configured above, the wireless Debian desktops make automatic,
+persistent connections to the cloister Wi-Fi and VPN, and so can be
+used much like a wired desktop machine. They are typically connected
+to a large TV and auto-login to an unprivileged account named <code>house</code>,
+i.e. anyone in the house.
+</p>
+</div>
+</div>
+<div id="outline-container-org23ebe84" class="outline-4">
+<h4 id="org23ebe84"><span class="section-number-4">12.10.3.</span> Private Desktops</h4>
+<div class="outline-text-4" id="text-12-10-3">
+<p>
+Member notebooks are private machines not remotely administered by the
+abbey. These machines roam, and so are authorized to connect to the
+cloister VPN or the public VPN. This is how they are connected to the
+VPNs:
+</p>
+
+<ul class="org-ul">
+<li>Create a new client certificate and OpenVPN configurations for the
+new abbey desktop, <q>campus.ovpn</q> and <q>public.ovnp</q> files.</li>
+<li>Copy the <q>campus.ovpn</q> and <q>public.ovpn</q> files to the new machine.</li>
+<li>On the new machine:</li>
+<li>Install the <code>openvpn-systemd-resolved</code> and
+<code>network-manager-openvpn-gnome</code> packages.</li>
<li>Open the desktop Settings > Network > VPN + > Import from
file… and choose <q>~/campus.ovpn</q>.</li>
<li>Open the Routes dialogues for both IPv4 and IPv6 and choose
"Use this connection only for resources on its network.".</li>
<li>Save the new VPN.</li>
<li>Do the same with the <q>~/public.ovpn</q> file.</li>
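Review bot: `sudo cp wifi /etc/network/interfaces.d/` writes the WPA passphrase (`wpa-psk "PASSWORD"`) into a file that gets the default 0644 mode, readable by every local account including the shared `house` auto-login described at the end of 12.10.2; use `sudo install -m 600 wifi /etc/network/interfaces.d/wifi`, and the same for cloister.conf. The section says these desktops run NetworkManager, yet the wifi file configures wlan0 through ifupdown; on Debian, NetworkManager leaves interfaces declared under /etc/network/interfaces* unmanaged (its ifupdown plugin defaults to managed=false), which is why the two coexist, and one sentence saying so will stop the next reader from "fixing" it. Typo in the first step of 12.10.3: `public.ovnp` should be `public.ovpn`.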
-<li>Connected the cloister VPN and test it with <code>ping -c1 core</code>.</li>
-<li>Expunge the <q>~/campus.ovpn</q> and <q>~/public.ovpn</q> just as the system
-administrator will have already done.</li>
+<li>Connect the appropriate VPN and test it (and private name
+resolution) with <code>ping -c1 core</code>.</li>
+<li>Expunge (delete <i>and</i> empty the trash) the <q>~/campus.ovpn</q> and
+<q>~/public.ovpn</q> files.</li>
</ul>
<p>
-And these are the commands, assuming there is a privileged <code>sysadm</code>
-account available on the new desktop machine.
+We assume the desktop is running NetworkManager, which is the case in
+all our Debian desktops from Pop!<sub>OS</sub> and Ubuntu to Mint and Raspberry
+Pi OS.
</p>
-<div class="org-src-container">
-<pre class="src src-sh">./abbey client debian dicks-notebook dick
-scp campus.ovpn public.ovpn sysadm@dicks-notebook.lan:
-rm campus.ovpn public.ovpn
-ssh sysadm@dicks-notebook.lan
-sudo apt install openvpn openvpn-systemd-resolved <span class="org-sh-escaped-newline">\</span>
- network-manager-openvpn-gnome
-ping -c1 core.small.private.
-</pre>
-</div>
+<p>
+Note that a new member's notebook does not need to be patched to the
+cloister Ethernet nor connected to the cloister Wi-Fi. It can be
+authorized "remotely" simply by copying the <q>.ovpn</q> files securely,
+e.g. using <code>ssh</code> to any "known host" on the Internet.
+</p>
<p>
-Note that Dick's notebook does not need to connect to the cloister
-Ethernet. It is authorized simply by copying the <q>.ovpn</q> files
-securely (e.g. using <code>ssh</code>) to a local domain name provided by the
-Wi-Fi AP (<code>dicks-notebook.lan</code>). If the AP does not provide a local
-domain name, the machine's Wi-Fi IP address,
-e.g. <code>sysadm@192.168.10.225</code>, can be used instead. (This IP address
-is often revealed in the desktop network settings.)
+The members of <a href="Institute/README.html">A Small Institute</a> are peers, and enjoy complete,
+individual privacy. The administrator does <i>not</i> expect to have "root
+access" to members' machines, their desktops, personal diaries and
+photos. The monks of the abbey are brothers, and tolerate a little
+less than complete individual privacy (still expecting all necessary
+and appropriate privacy, being in a position to punish deviants).
+</p>
+
+<p>
+Our private notebooks are included in the Ansible inventory, mainly so
+they can be included in the weekly (or more frequent!) network
+upgrades. The <code>campus</code> and <code>abbey-cloister</code> roles are not applied
+though their Postfix and other configurations are recommended. Remote
+access by the administrator is authorized and the privileged account's
+password is included in <q>Secret/become.yml</q>.
</p>
</div>
</div>
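Review bot: The last paragraph states that the privileged account's password for each member notebook is kept in Secret/become.yml but not whether that file is ansible-vault encrypted; a cleartext become password for every private machine in one file is a single high-value secret on the administrator's host, so say how it is protected. The same paragraph says the `campus` and `abbey-cloister` roles are not applied to these notebooks "though their Postfix and other configurations are recommended", which leaves unstated what the weekly upgrade run does apply; name the play or tasks that do run against them.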
<div id="outline-container-org4faba4c" class="outline-4">
-<h4 id="org4faba4c"><span class="section-number-4">12.10.3.</span> Android</h4>
-<div class="outline-text-4" id="text-12-10-3">
+<h4 id="org4faba4c"><span class="section-number-4">12.10.4.</span> Android</h4>
+<div class="outline-text-4" id="text-12-10-4">
<p>
Android phones and tablets are connected to the cloister VPN via the
following process. Note that they do not appear in the set of
</div>
<div id="postamble" class="status">
<p class="author">Author: Matt Birkholz</p>
-<p class="date">Created: 2024-01-01 Mon 10:48</p>
+<p class="date">Created: 2024-02-26 Mon 20:06</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>