#+BEGIN_SRC sh :tangle private/backup :mkdirp yes :tangle-mode u=rw
#!/bin/bash -e
#
-# DO NOT EDIT. Maintained (will be replaced) by Ansible.
+# DO NOT EDIT.
+#
+# Maintained (will be replaced) by Ansible.
#
# sudo backup [-n]
The institute's private domain name should end with one of the
top-level domains set aside for this purpose: ~.intranet~,
~.internal~, ~.private~, ~.corp~, ~.home~ or ~.lan~.[fn:1] It is
-hoped that doing so will increase that chances that some abomination
+hoped that doing so will increase the chances that some abomination
like DNS-over-HTTPS will pass us by.
#+CAPTION: [[file:private/vars.yml][=private/vars.yml=]]
modem and installed them as shown below.
: $ sudo apt install netplan.io systemd-resolved unattended-upgrades \
-: _ ntp isc-dhcp-server bind9 apache2 wireguard \
+: _ chrony isc-dhcp-server bind9 apache2 wireguard \
: _ postfix dovecot-imapd fetchmail expect rsync \
: _ gnupg openssh-server
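Review bot: the ntp to chrony switch in this package list is not reflected anywhere else in the patch; if the Core role installs, configures or restarts the time service by package or unit name (ntp vs. chrony, /etc/ntp.conf vs. /etc/chrony/chrony.conf), those tasks need the same change, otherwise the documented manual install and the automated one diverge.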
-The Nextcloud configuration requires Apache2, MariaDB and a number of
+Manual installation of Postfix prompted for configuration type and
+mail name. The answers given are listed here.
+
+- General type of mail configuration: Internet Site
+- System mail name: core.small.private
+
+The host then needed to be rebooted to get its name service working
+again after ~systemd-resolved~ was installed. (Any help with this
+will be welcome!) After rebooting and re-logging in, yet more
+software packages were installed.
+
+The Nextcloud configuration required Apache2, MariaDB and a number of
PHP modules. Installing them while Core was on a cable modem sped up
final configuration "in position" (on a frontier).
: _ php-{json,mysql,mbstring,intl,imagick,xml,zip} \
: _ libapache2-mod-php
-Similarly, the NAGIOS configuration requires a handful of packages
+Similarly, the NAGIOS configuration required a handful of packages
that were pre-loaded via cable modem (to test a frontier deployment).
: $ sudo apt install nagios4 monitoring-plugins-basic lm-sensors \
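Review bot: the new paragraph says Postfix was installed "manually", but postfix is already in the apt install list a few lines up, so it reads as a separate step; say that the two prompts appear during that apt run, and that the mail name given (core.small.private) has to agree with the host's name in the private domain chosen above. The reboot note about systemd-resolved ("Any help with this will be welcome!") is repeated almost verbatim for Gate later in this patch; a single footnote referenced from both places would keep the two copies from drifting.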
Note that the name ~core.lan~ should be known to the cable modem's DNS
service. An IP address might be used instead, discovered with an ~ip
-a~ on Core.
+-4 a~ command on Core.
Now Core no longer needed the Internets so it was disconnected from
the cable modem and connected to the campus Ethernet switch. Its
point(s).
3. ~isp~ is its third network interface, connected to the campus
ISP. This could be an Ethernet device connected to a cable
- modem. It could be a USB port tethered to a phone, a
- USB-Ethernet adapter, or a wireless adapter connected to a
- campground Wi-Fi access point, etc.
+ modem, a USB port tethered to a phone, a wireless adapter
+ connected to a campground Wi-Fi access point, etc.
#+BEGIN_EXAMPLE
=============== | ==================================================
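Review bot: the tightened list of examples for the isp interface drops the USB-Ethernet adapter case, yet later in this patch Gate is described as connected to the campus ISP through a USB Ethernet dongle; keep that example (e.g. "a USB-Ethernet adapter cabled to a modem") since it is the configuration actually deployed.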
: _ ufw isc-dhcp-server postfix wireguard \
: _ openssh-server
+The host then needed to be rebooted to get its name service working
+again after ~systemd-resolved~ was installed. (Any help with this will
+be welcome!) After rebooting and re-logging in, the administrator was
+ready to proceed.
+
Next, the administrator concatenated a personal public ssh key and the
key found in [[file:Secret/ssh_admin/][=Secret/ssh_admin/=]] (created by [[*The CA Command][The CA Command]]) into an
=admin_keys= file, copied it to Gate, and installed it as the
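Review bot: this paragraph is a near copy of the one added for Core earlier in the patch, and its new closing sentence ("the administrator was ready to proceed") is immediately followed by "Next, the administrator concatenated ...", which reads doubled. A short "as with Core, the host needed a reboot after installing systemd-resolved" with a cross-reference would say the same thing without the duplication.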
: $ sudo ip address add 10.227.248.2 dev eth0
Gate was also connected to the USB Ethernet dongles cabled to the
-campus Wi-Fi access point and the campus ISP. The three network
-adapters are known by their MAC addresses, the values of the variables
-~gate_lan_mac~, ~gate_wild_mac~, and ~gate_isp_mac~. (For more
-information, see the Gate role's [[netplan-gate][Configure Netplan]] task.)
+campus Wi-Fi access point and the campus ISP and the values of three
+variables (~gate_lan_mac~, ~gate_wild_mac~, and ~gate_isp_mac~ in
+[[file:private/vars.yml][=private/vars.yml=]]) match the actual hardware MAC addresses of the
+dongles. (For more information, see the Gate role's [[netplan-gate][Configure Netplan]]
+task.)
At this point Gate was ready for provisioning with Ansible.
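Review bot: the rewritten sentence runs Gate's cabling and the MAC variables together and states that the variables "match" the hardware as though it were a fact, whereas it is a precondition the administrator has to satisfy before provisioning. Suggest splitting it: "Gate was also connected to the USB Ethernet dongles cabled to the campus Wi-Fi access point and the campus ISP. The values of three variables (~gate_lan_mac~, ~gate_wild_mac~, and ~gate_isp_mac~ in private/vars.yml) must match the actual hardware MAC addresses of the dongles."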
#+BEGIN_SRC sh
#!/bin/bash -e
#
-# DO NOT EDIT. This file was tangled from institute.org.
+# DO NOT EDIT.
+#
+# This file was tangled from a small institute's README.org.
cd /WWW/live/
such a user, the ~nextcloud~ database and ~nextclouduser~ user are
created manually.
-The following task would work (~mysql_user~ supports
-~check_implicit_admin~) /but/ the ~nextcloud~ database was not created
-above. Thus both database and user are created manually, with SQL
-given in the [[Install Nextcloud]] subsection below, before ~occ
-maintenance:install~ can run.
-
#+BEGIN_SRC conf
- name: Create Nextcloud DB user.
priv: 'nextcloud.*:all'
#+END_SRC
+The task above would work (~mysql_user~ supports
+~check_implicit_admin~) /but/ the ~nextcloud~ database was not created
+first. Thus both database and user are created manually, with the
+following SQL, before ~occ maintenance:install~ can run.
+
+#+BEGIN_SRC sql
+create database nextcloud
+ character set utf8mb4
+ collate utf8mb4_general_ci;
+grant all on nextcloud.*
+ to 'nextclouduser'@'localhost'
+ identified by 'ippAgmaygyobwyt5';
+flush privileges;
+#+END_SRC
+
Finally, a symbolic link positions =/Nextcloud/nextcloud/= at
=/var/www/nextcloud/= as expected by the Apache2 configuration above.
Nextcloud itself should always believe that =/var/www/nextcloud/= is
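Review bot: the new SQL block writes a literal database password into the README, and the same literal is repeated in the restore section later in this patch; the Ansible task above is presumably parameterized, so three copies of the secret now have to be kept in step and one of them lives in committed documentation. Use the variable's name or an obviously fake placeholder in the prose and keep the real value only in the (vaulted) vars file. Also worth stating next to the SQL that creating the user implicitly with "grant all on nextcloud.* ... identified by" is MariaDB behaviour (MySQL 8 removed it), since the text mentions MariaDB but the statements are labelled generically as SQL.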
The database is restored with the following commands, which assume the
last dump was made February 20th 2022 and thus was saved in
=/Nextcloud/20220220.bak=. The database will need to be
-created first as when installing Nextcloud. The appropriate SQL are
-given in [[*Install Nextcloud][Install Nextcloud]] below.
+created first as when installing Nextcloud.
#+BEGIN_SRC sh
cd /Nextcloud/
+sudo mysql
+create database nextcloud
+ character set utf8mb4
+ collate utf8mb4_general_ci;
+grant all on nextcloud.*
+ to 'nextclouduser'@'localhost'
+ identified by 'ippAgmaygyobwyt5';
+flush privileges;
+exit;
sudo mysql --defaults-file=dbbackup.cnf nextcloud < 20220220.bak
cd nextcloud/
sudo -u www-data php occ maintenance:data-fingerprint
#+END_SRC
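Review bot: the sh block now interleaves an interactive mysql session (`sudo mysql`, the SQL statements, `exit;`) with shell commands; pasted as a script, the shell would try to execute "create", "grant" and "flush" as commands. Either mark the block as a transcript or feed the SQL through a heredoc, e.g. `sudo mysql <<'EOF'` ... `EOF`, so it runs as written. The SQL also duplicates the block in the Nextcloud install section (password included); a reference to that block would avoid maintaining it twice.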
Note that the =60-isp.yaml= file is only updated (created) if it does
-not already exists, so that it can be easily modified to debug a new
+not already exist so that it can be easily modified to debug a new
campus ISP without interference from Ansible.
** UFW Rules
#+BEGIN_SRC perl :tangle inst :tangle-mode u=rwx,g=rx
#!/usr/bin/perl -w
#
-# DO NOT EDIT. This file was tangled from an institute.org file.
+# DO NOT EDIT.
+#
+# This file was tangled from a small institute's README.org.
use strict;
use IO::File;