* The Services
The small institute's network is designed to provide a number of
-services. An understanding of how institute hosts co-operate is
-essential to understanding the configuration of specific hosts. This
-chapter covers institute services from a network wide perspective, and
-gets right down in its subsections to the Ansible code that enforces
-its policies. On first reading, those subsections should be skipped;
-they reference particulars first introduced in the following chapter.
+services. Understanding how institute hosts co-operate is essential
+to understanding the configuration of specific hosts. This chapter
+covers institute services from a network wide perspective, and gets
+right down in its subsections to the Ansible code that enforces its
+policies. On first reading, those subsections should be skipped; they
+reference particulars first introduced in the following chapter.
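Review bot: "network wide perspective" in the rewritten sentence should be hyphenated as "network-wide perspective", since it is a compound modifier; the rewrite carries the unhyphenated form over from the old text. Otherwise the tightening ("Understanding how institute hosts co-operate") reads well.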
** The Name Service
to be the only legitimate sender of institute emails. Thus the
Internet sees the institute's outgoing email coming from a server at
an address matching the domain's SPF record. The institute does /not/
-sign outgoing emails per DKIM (Domain Keys Identified Mail), yet.
+sign outgoing emails per DKIM (Domain Keys Identified Mail) yet.
#+CAPTION: Example Small Institute SPF Record
#+BEGIN_SRC conf
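Review bot: while touching this sentence, fix the expansion of the acronym: the specification (RFC 6376) names it "DomainKeys Identified Mail" (one word), not "Domain Keys Identified Mail". Dropping the comma before "yet" is correct.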
volume is mounted (unlocked) at =Secret/=, none of the ~./inst~
commands will work.
-Chief among the institute's master secrets is the SSH key to the
-privileged accounts on /all/ of the institute servers. It is stored
-in =Secret/ssh_admin/id_rsa=. The institute uses several more SSH
-keys listed here:
+Chief among the institute's master secrets is the SSH key authorized
+to access privileged accounts on /all/ of the institute servers. It
+is stored in =Secret/ssh_admin/id_rsa=. The complete list of the
+institute's SSH keys:
- =Secret/ssh_admin/= :: The SSH key pair for A Small Institute
Administrator.
- =Secret/ssh_monkey/= :: The key pair used by Monkey to update the
website on Front (and other unprivileged tasks).
- =Secret/ssh_front/= :: The host key pair used by Front to
- authenticate itself.
+ authenticate itself. The automatically generated key pair is
+ /not/ used. (Thus Core's configuration does not depend on
+ Front's.)
The institute uses a number of X.509 certificates to authenticate VPN
clients and servers. They are created by the EasyRSA Certificate
Authority stored in =Secret/CA/=.
- - =Secret/CA/pki/ca.crt= :: The institute CA (certificate
- authority).
+ - =Secret/CA/pki/ca.crt= :: The institute CA certificate, used to
+ sign the other certificates.
- =Secret/CA/pki/issued/small.example.org.crt= :: The public Apache,
Postfix, and OpenVPN servers on Front.
- =Secret/CA/pki/issued/core.small.private.crt= :: The campus
Apache (thus Nextcloud), and Dovecot-IMAPd servers.
- - =Secret/CA/pki/issued/core.crt= :: Core's client certificate by
+ - =Secret/CA/pki/issued/core.crt= :: Core's client certificate, by
which it authenticates to Front.
The ~./inst client~ command creates client certificates and keys, and
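Review bot: the new wording for =Secret/CA/pki/ca.crt= ("used to sign the other certificates") is inaccurate, because a certificate does not sign anything; the CA's private key issues the other certificates, and =ca.crt= is what servers and clients trust in order to verify them. Suggest: "The institute CA certificate, which servers and clients trust to verify the other certificates (issued with the CA's private key)." Also, "The complete list of the institute's SSH keys:" is a sentence fragment; "Here is the complete list of the institute's SSH keys:" or "The institute's SSH keys are:" reads better. The added explanation that Front's automatically generated host key is not used, so Core's configuration does not depend on Front's, is a useful addition.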
#+END_SRC
The private version of the institute's domain name should end with one
-of the top-level domains expected for this purpose: =.intranet=,
-=.internal=, =.private=, =.corp=, =.home= or =.lan=.[fn:5]
+of the top-level domains expected for this purpose: ~.intranet~,
+~.internal~, ~.private~, ~.corp~, ~.home~ or ~.lan~.[fn:5]
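Review bot: "expected for this purpose" overstates the status of most of these names. The list matches RFC 6762 Appendix G, which records names observed in private use rather than names reserved for it; of the six, only =.internal= has since been formally reserved by ICANN for private use. A name that is merely customary can later be delegated publicly, with the usual name-collision consequences (queries leaking to public resolvers, external certificates for the same names). Suggest saying so, and noting =.internal= as the safe choice, where footnote fn:5 is cited. The switch from = to ~ markup for the TLDs is fine if domain names are consistently marked as code while file paths keep = (as in the other hunks); the commit message should state that convention.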
** Subnets
copies the =campus.ovpn= file to =/etc/openvpn/campus.conf=.
The OpenVPN configurations generated for Debian hosts specify an ~up~
-script, =update-systemd-resolved=, installed in =/etc/openvpn/= by the
+script, ~update-systemd-resolved~, installed in =/etc/openvpn/= by the
~openvpn-systemd-resolved~ package. The following configuration lines
instruct the OpenVPN clients to run this script whenever the
connection is restarted.
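Review bot: the markup change is questionable here, because =update-systemd-resolved= is referred to as a file installed in =/etc/openvpn/=, and file paths elsewhere in this diff keep = (verbatim) markup while ~ is reserved for commands and package names. Either leave it as =update-systemd-resolved= or write the full path, =/etc/openvpn/update-systemd-resolved=, so the same line does not mix conventions for one object.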
The administrator will need a desktop system in the test campus
networks (using the campus name server). The test Nextcloud
configuration requires that it be accessed with the domain name
-=core.small.private=. The following sections describe how a client
+~core.small.private~. The following sections describe how a client
desktop is simulated and connected to the test VPNs (and test campus
-name server). Its browser can then connect to =core.small.private= to
+name server). Its browser can then connect to ~core.small.private~ to
exercise the test Nextcloud.
The process starts with enrolling the first member of the institute
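Review bot: the markup change to ~core.small.private~ is consistent with the domain-name hunk above, but the sentence still does not say why the test Nextcloud "requires" that exact name. Both the campus server certificate issued by the CA (=Secret/CA/pki/issued/core.small.private.crt=, listed earlier in this diff) and Nextcloud's own trusted-domains check key on that host name, so a short clause such as "because the campus certificate and Nextcloud's trusted domains are issued for that name" would make the requirement understandable rather than arbitrary.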