reliable operation is Front's public IP address known to the world by
the institute's Internet domain name.
+#+NAME: front-addr
#+CAPTION: [[file:public/vars.yml][=public/vars.yml=]]
#+BEGIN_SRC conf :tangle public/vars.yml
front_addr: 192.168.15.4
on the Internets. It needs only as much disk as required by the
institute's public web site. Often the cheapest offering (4GB RAM, 1
core, 20GB disk) is sufficient. The provider should make it easy and
-fast to (re)initialize the machine to a factory fresh Debian Server,
+fast to (re)initialize the machine to a factory fresh Debian Server
and install additional Debian software packages. Indeed it should be
possible to quickly re-provision a new Front machine from a frontier
Internet café using just the administrator's notebook.
*** A Digital Ocean Droplet
-The following example prepared a new front on a Digital Ocean droplet.
+The following example prepared a Digital Ocean droplet to be Front.
The institute administrator opened an account at Digital Ocean,
registered an ssh key, and used a Digital Ocean control panel to
create a new machine (again, one of the cheapest, smallest available)
-with Ubuntu Server 20.04LTS installed. Once created, the machine and
-its IP address (~159.65.75.60~) appeared on the panel. Using that
+with Debian 13 installed. Once created, the machine and its IP
+address (~159.65.75.60~) appeared on the panel. Using that
address, the administrator logged into the new machine with ~ssh~.
-On the administrator's notebook (in a terminal):
-
-: notebook$ ssh root@159.65.75.60
-: root@ubuntu#
-
The freshly created Digital Ocean droplet came with just one account,
~root~, but the small institute avoids remote access to the "super
user" account (per the policy in [[*The Administration Accounts][The Administration Accounts]]), so the
-administrator created a ~sysadm~ account with the ability to request
-escalated privileges via the ~sudo~ command.
+first thing the administrator did was to create a ~sysadm~ account.
+
+The password for the ~sysadm~ account was generated by ~gpw~, saved in
+the administrator's password keep, and added to [[file:Secret/become.yml][=Secret/become.yml=]] as
+shown below. (Producing a working Ansible configuration with
+[[file:Secret/become.yml][=Secret/become.yml=]] file is described in [[*The Ansible Configuration][The Ansible Configuration]].)
+
+: notebook$ gpw 1 16
+: givitysticangout
+: notebook$ echo -n "become_front: " >>Secret/become.yml
+: notebook$ ansible-vault encrypt_string givitysticangout \
+: notebook_ >>Secret/become.yml
+: notebook$
+
+With the new ~sysadm~ password saved, the administrator logged in as
+~root~, created the ~sysadm~ account, and authorized it to request
+elevated privileges via the ~sudo~ command.
-: root@ubuntu# adduser sysadm
+On the administrator's notebook (in a terminal):
+: notebook$ H=159.65.75.60
+: notebook$ ssh root@$H
+: The authenticity of host '159.65.75.60' can't be established.
+: ....
+: Are you sure you want to continue connecting (...)? yes
+: root@front# adduser sysadm
: ...
: New password: givitysticangout
: Retype new password: givitysticangout
: Full Name []: System Administrator
: ...
: Is the information correct? [Y/n]
-: root@ubuntu# adduser sysadm sudo
-: root@ubuntu# logout
+: root@front# adduser sysadm sudo
+: root@front# logout
: notebook$
-The password was generated by ~gpw~, saved in the administrator's
-password keep, and later added to [[file:Secret/become.yml][=Secret/become.yml=]] as shown below.
-(Producing a working Ansible configuration with [[file:Secret/become.yml][=Secret/become.yml=]]
-file is described in [[*The Ansible Configuration][The Ansible Configuration]].)
-
-: notebook$ gpw 1 16
-: givitysticangout
-: notebook$ echo -n "become_front: " >>Secret/become.yml
-: notebook$ ansible-vault encrypt_string givitysticangout \
-: notebook_ >>Secret/become.yml
-
After creating the ~sysadm~ account on the droplet, the administrator
concatenated a personal public ssh key and the key found in
[[file:Secret/ssh_admin/][=Secret/ssh_admin/=]] (created by [[*The CA Command][The CA Command]]) into an =admin_keys=
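Review bot: in the relocated password step, ~ansible-vault encrypt_string givitysticangout~ passes the new ~sysadm~ password as a command-line argument, so it is recorded in the notebook's shell history and is visible in the process list while the command runs, which defeats the point of vaulting it a moment later. ~ansible-vault encrypt_string --prompt~ reads the variable name and the string interactively without echo, or ~--stdin-name become_front~ takes the string from standard input; either form also emits the ~become_front: !vault |~ key itself, making the ~echo -n "become_front: " >>Secret/become.yml~ line unnecessary (with the stdin form, feed the value without a trailing newline, as ~gpw~ prints one). A second point in the same hunk: the first ~ssh root@$H~ answers the "authenticity of host" prompt with a bare ~yes~, and the host key accepted here is the same one the section later saves as =private/front_ed25519_key.pub=, so a wrong answer here is carried into the Ansible configuration; on a fresh droplet the fingerprint can be compared against ~ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub~ run in the provider's out-of-band console before typing ~yes~, and a sentence saying so would fit right after the prompt.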
: notebook$ cat ~/.ssh/id_ed25519.pub \
: notebook_ Secret/ssh_admin/id_ed25519.pub \
: notebook_ > admin_keys
-: notebook$ scp admin_keys sysadm@159.65.75.60:
-: The authenticity of host '159.65.75.60' can't be established.
-: ....
-: Are you sure you want to continue connecting (...)? yes
-: ...
-: sysadm@159.65.75.60's password: givitysticangout
-: notebook$ ssh sysadm@159.65.75.60
-: sysadm@159.65.75.60's password: givitysticangout
-: sysadm@ubuntu$ ( umask 077; mkdir .ssh; \
-: sysadm@ubuntu_ cp admin_keys .ssh/authorized_keys; \
-: sysadm@ubuntu_ rm admin_keys )
-: sysadm@ubuntu$ logout
+: notebook$ scp admin_keys root@$H:
+: notebook$ ssh root@$H
+: root@front# mkdir ~sysadm/.ssh
+: root@front# mv admin_keys ~sysadm/.ssh/authorized_keys
+: root@front# chmod -R g=,o= ~sysadm/.ssh
+: root@front# chown -R sysadm:sysadm ~sysadm/.ssh
+: root@front# logout
: notebook$ rm admin_keys
: notebook$
+After installing authorized keys, the administrator verified that
+password-less ssh logins work, then disabled root logins and tested
+that they were indeed denied.
+
+: notebook$ ssh sysadm@$H
+: sysadm@front$ sudo rm -r /root/.ssh
+: sysadm@front$ logout
+: notebook$ ssh root@$H
+: root@159.65.75.60: Permission denied (publickey).
+: notebook$
The Droplet needed a couple additional software packages immediately.
The ~wireguard~ package was needed to generate the Droplet's private
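Review bot: the new root-lockout step, ~sudo rm -r /root/.ssh~, only removes root's authorized key; the ~Permission denied (publickey)~ result that follows depends on sshd refusing password authentication for root, which Debian's stock =sshd_config= does through its ~PermitRootLogin prohibit-password~ default (a provider image may ship its own sshd configuration, so this is worth stating rather than assuming). Setting ~PermitRootLogin no~ explicitly and checking the effective value with ~sudo sshd -T | grep -i permitrootlogin~ makes the lockout independent of defaults and of a key being re-added to =/root/.ssh= later; the Ansible role may well do this, in which case a pointer to it here would close the gap. On the positive side, moving the =admin_keys= installation to a root session means the ~sysadm~ password is never sent over ssh at all (the removed ~scp~/~ssh~ password prompts are gone), and the ~chmod -R g=,o=~ after ~mkdir~ and ~mv~ correctly undoes root's default umask on both the directory and the file before ~chown~ hands them over.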
# A similar list of packages is installed on "The Test Front Machine".
# That list should be kept in sync with this list!
-: notebook$ ssh sysadm@159.65.75.60
-: sysadm@ubuntu$ sudo apt install wireguard systemd-resolved \
+: notebook$ ssh sysadm@$H
+: sysadm@front$ sudo apt update
+: sysadm@front$ sudo apt full-upgrade --autoremove
+: sysadm@front$ sudo apt install wireguard systemd-resolved \
: unattended-upgrades postfix dovecot-imapd rsync apache2 kamailio
+: sysadm@front$
+
+Manual installation of Postfix prompted for configuration type and
+mail name. The answers given are listed here.
+
+- General type of mail configuration: 2 (Internet Site)
+- System mail name: small.example.org (i.e. ~domain_name~)
With WireGuard™ installed, the following commands generated a new
private key, and displayed its public key.
-: sysadm@ubuntu$ umask 077
-: susadm@ubuntu$ wg genkey \
-: sysadm@ubuntu_ | sudo tee /etc/wireguard/private-key \
-: sysadm@ubuntu_ | wg pubkey
+: sysadm@front$ umask 077
+: susadm@front$ wg genkey \
+: sysadm@front_ | sudo tee /etc/wireguard/private-key \
+: sysadm@front_ | wg pubkey
: S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
+: sysadm@front$ logout
+: notebook$
The public key is copied and pasted into [[file:private/vars.yml][=private/vars.yml=]] as the
value of ~front_wg_pubkey~ (as in the example [[pubkeys][here]]).
-/After/ collecting Front's public key, the administrator disabled root
-logins on the droplet. The last command below tested that root logins
-were indeed denied.
+The prospective IP address (~159.65.75.60~) is also pasted into
+[[file:public/vars.yml][=public/vars.yml=]] as the value of ~front_addr~ (as in the example
+[[front-addr][here]]).
-: sysadm@ubuntu$ sudo rm -r /root/.ssh
-: sysadm@ubuntu# logout
-: notebook$ ssh root@159.65.75.60
-: root@159.65.75.60: Permission denied (publickey).
-: notebook$
Finally, the new machine's ssh public host is copied to
=private/front_ed25519_key.pub=.
: notebook_ private/front_ed25519_key.pub
: notebook$
-At this point the droplet was ready for configuration by Ansible.
-Later, provisioned with all of Front's services /and/ tested, the
-institute's domain name was changed, making ~159.65.75.60~ its new
-address.
+At this point Front was prepared for provisioning with Ansible (and
+Ansible prepared for the droplet!).
** The Core Machine
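Review bot: the removed closing paragraph ("Later, provisioned with all of Front's services /and/ tested, the institute's domain name was changed, making ~159.65.75.60~ its new address.") was the only place that said when the institute's DNS record is cut over to the new droplet; the replacement sentence drops that, and the new ~front_addr~ paragraph only says the address is pasted into =public/vars.yml=. Suggest keeping that sentence, after the ~front_addr~ paragraph, since the ordering (provision and test first, then repoint the name) is the whole reason a prospective address exists. Two smaller things in the same hunk: the ~susadm@front$~ prompt in the ~wg genkey~ transcript keeps the ~susadm~ typo from the old line; and ~umask 077~ is set in the ~sysadm~ shell while the key is written by ~sudo tee~, which only yields a 0600 file because sudo ORs the caller's umask with its own default (0022) instead of replacing it, so an ~ls -l /etc/wireguard/private-key~ line after the pipeline would let the transcript show the mode rather than rely on that sudoers default.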
: sysadm@core$ sudo ip address add 10.227.248.1 dev enp82s0
: sysadm@core$ sudo ip route add default via 10.227.248.2 dev enp82s0
-At this point Core was ready for provisioning with Ansible.
+At this point Core was prepared for provisioning with Ansible.
** The Gate Machine
dongles. (For more information, see the tasks in section [[Configure
Gate NetworkD]].)
-At this point Gate was ready for provisioning with Ansible.
+At this point Gate was prepared for provisioning with Ansible.
* The All Role
line.
#+CAPTION: [[file:Secret/become.yml][=Secret/become.yml=]]
-#+BEGIN_SRC conf :tangle Secret/become.yml :tangle-mode u=rw,g=,o=
+#+BEGIN_SRC conf :tangle Secret/become.yml :mkdirp yes :tangle-mode u=rw,g=,o=
become_front: !vault |
$ANSIBLE_VAULT;1.1;AES256
3563626131333733666466393166323135383838666338666131336335326
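Review bot: moving ~:mkdirp yes~ onto the =Secret/become.yml= block is correct only because this block is tangled before =Secret/vault-password= in document order (Org creates the directory when it tangles the first file that needs it); keeping ~:mkdirp yes~ on both blocks costs nothing and survives a reordering. More important for a directory holding the vault password: ~:tangle-mode u=rw,g=,o=~ makes the two files 0600, but the directory that ~:mkdirp~ creates gets the Emacs process's default mode (normally 0755), so other local users can list =Secret/= and see that =become.yml= and =vault-password= exist even though they cannot read them. A ~chmod 700 Secret~ after the first tangle, or a sentence telling the administrator to do it, would close that.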
#+NAME: vault-password
#+CAPTION: [[file:Secret/vault-password][=Secret/vault-password=]]
-#+BEGIN_SRC conf :tangle Secret/vault-password :mkdirp yes :tangle-mode u=rw,g=,o=
+#+BEGIN_SRC conf :tangle Secret/vault-password :tangle-mode u=rw,g=,o=
alitysortstagess
#+END_SRC
Example command lines:
: ./inst config
: ./inst config -n
-: ./inst config HOST
-: ./inst config -n HOST
+: ./inst config LIMIT
+: ./inst config -n LIMIT
#+CAPTION: [[file:inst][=inst=]]
#+BEGIN_SRC perl :tangle inst