* The Abbey DVR Role
The abbey uses AgentDVR to record video from PoE IP HD security
-cameras. The "download" button on iSpy's Download page
+cameras. It is installed and configured as described here.
+
+** AgentDVR Installation
+
+AgentDVR is installed at the abbey according to the iSpy web site's
+latest(?) instructions. The "download" button on iSpy's Download page
([[https://www.ispyconnect.com/download]]), when "Agent DVR - Linux/
macOS/ RPi" is chosen, suggests the following command lines (the
second of which is broken across three lines).
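Review bot: "latest(?)" in the new AgentDVR Installation paragraph leaves the reader unable to tell which revision of iSpy's instructions this procedure follows. Consider replacing it with the date the Download page was consulted, so a later change to the vendor's script can be recognised.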
install.sh")
#+END_SRC
-Ansible assists by creating the system user ~agentdvr~ and granting it
-enough ~sudo~ latitude to run the installer as instructed above.
-Though a system user, the account gets a home directory,
-=/home/agentdvr/= in which to do the installation. The rest of the
-DVR role, "phase two", waits until AgentDVR is installed.
+/Before/ executing these commands, Ansible is enlisted to make certain
+preparations.
+
+*** AgentDVR Installation Preparation
+
+AgentDVR runs in the abbey as a system user, ~agentdvr~, which
+installs and runs the service. Though a system user, the account gets
+a home directory, =/home/agentdvr/= in which to install AgentDVR, and
+a login shell, =/bin/bash=. This much Ansible can do in preparation.
+
+: ./abbey config dvrs
+
+After the ~agentdvr~ account is created, it is temporarily authorized
+to run a handful of system commands (as ~root~!). This small set is
+sufficient /if/ the offer to create the system service is declined.
+The following commands create this authorization in =~/01agentdvr=,
+validate and install it in =/etc/sudoers.d/01agentdvr=. Such caution
+is taken because a syntax error anywhere in =/etc/sudoers.d/= can make
+the ~sudo~ command inoperative, cutting off access to all elevated
+privileges until a "rescue" (involving a reboot) is performed.
+
+#+BEGIN_SRC sh
+echo "ALL ALL=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\
+ /sbin/adduser,/sbin/usermod" >~/01agentdvr
+sudo chown root:root ~/01agentdvr
+sudo chmod 440 ~/01agentdvr
+visudo --check --owner --perms ~/01agentdvr
+sudo mv ~/01agentdvr /etc/sudoers.d/
+#+END_SRC
+
+*** AgentDVR Installation Execution
+
+With the above preparations, the system administrator can get a shell
+session under the ~agentdvr~ account to run iSpy's installation script
+in the empty =/home/agentdvr/= directory.
+
+#+BEGIN_SRC sh
+sudo apt-get install curl
+sudo -u agentdvr <(curl -s "https:.../install.sh")
+#+END_SRC
+
+The script creates the =/home/agentdvr/AgentDVR/= directory, and
+offers to install a system service. The offer is declined. Instead,
+Ansible is run again.
+
+*** AgentDVR Installation Completion
+
+When Ansible is run a second time, after the installation script, it
+sees the new =/home/agentdvr/AgentDVR/= directory and creates (and
+starts) the new system service.
-AgentDVR is installed, after Ansible has set things up, by running the
-command lines prescribed by iSpy while logged in as ~agentdvr~ with
-the current default directory =/home/agentdvr/=. The installer should
-create the =/home/agentdvr/AgentDVR/= directory. Its offer to install
-a system service is declined.
+: ./abbey config dvrs
-After AgentDVR is installed, when the =/home/agentdvr/AgentDVR/=
-directory exists, Ansible is run again to install the system service.
+Also after the installation, the system administrator revokes the
+~agentdvr~ account's authorizations to modify packages and accounts.
+
+: sudo rm /etc/sudoers.d/01agentdvr
** Create User ~agentdvr~
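Review bot: The sudoers rule written to =~/01agentdvr= does not match the paragraph that introduces it. ~ALL ALL=(agentdvr) NOPASSWD:~ lets every user run the listed commands as ~agentdvr~, whereas the text says ~agentdvr~ is authorized to run them as ~root~; a rule for that would begin ~agentdvr ALL=(root) NOPASSWD:~. In the same block, ~visudo --check~ runs without ~sudo~ on a file that was just made root:root with mode 440, which the invoking user normally cannot read, and the ~sudo mv~ follows unconditionally. Running the check under ~sudo~ and chaining the move with ~&&~ would keep a file that fails validation out of =/etc/sudoers.d/=, which is the outcome the paragraph warns about.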
mode: u=rwx,g=rwxs,o=rx
#+END_SRC
-** Authorize User ~agentdvr~
-
-The AgentDVR installer is also run by ~agentdvr~, which is authorized
-to run a handful of system commands. This small set is sufficient
-/if/ the offer to create the system service is declined. In that
-case, the installer will run the program in the terminal.
-
-#+CAPTION: [[file:roles_t/abbey-dvr/tasks/main.yml][=roles_t/abbey-dvr/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/abbey-dvr/tasks/main.yml
-
-- name: Authorize agentdvr.
- copy:
- content: |
- ALL ALL=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\
- /sbin/adduser,/sbin/usermod
- dest: /etc/sudoers.d/agentdvr
-#+END_SRC
-
** Test For =AgentDVR/=
The following task probes for the =/home/agentdvr/AgentDVR/=
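Review bot: The removed "Authorize agentdvr." task wrote its rule to =/etc/sudoers.d/agentdvr=, but the new manual procedure only creates and later removes =/etc/sudoers.d/01agentdvr=. On any host where the old role has already run, the passwordless rule stays in place after this change. Consider replacing the deleted task with one that removes the old file (a ~file:~ task with ~state: absent~ on that path) rather than dropping it outright.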