"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
-<!-- 2024-02-26 Mon 19:42 -->
+<!-- 2024-02-26 Mon 21:58 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>A Small Institute</title>
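Review bot: most of this diff is churn from regenerated Org export ids (for example `org984133a` becoming `org08ed86c` and `orga1f8b11` becoming `orga320cc8`) plus the export timestamp, which hides the substantive change (moving the systemd-resolved tasks into the `all` role) and also means any external link to an old `#orgXXXXXXX` fragment silently breaks on each export. Consider giving the headings that are linked from elsewhere a fixed `CUSTOM_ID` so their ids survive re-export, or committing the generated HTML separately from the content change.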
members off campus.
</p>
-<pre class="example" id="org984133a">
+<pre class="example" id="org08ed86c">
=
_|||_
=-The-Institute-=
</pre>
</div>
-<div class="TEXT" id="org65edca1">
+<div class="TEXT" id="org6d1f744">
<p>
=> 10.62.17.0/24
</p>
campground Wi-Fi access point, etc.</li>
</ol>
-<pre class="example" id="orgba151ee">
+<pre class="example" id="org9575410">
=============== | ==================================================
| Premises
(Campus ISP)
following topology.
</p>
-<pre class="example" id="org20945a6">
+<pre class="example" id="org1a67bf1">
=============== | ==================================================
| Premises
(House ISP)
institute's servers. At the moment there is just the one.
</p>
</div>
-<div id="outline-container-orga1f8b11" class="outline-3">
-<h3 id="orga1f8b11"><span class="section-number-3">6.1.</span> Include Particulars</h3>
+<div id="outline-container-orga320cc8" class="outline-3">
+<h3 id="orga320cc8"><span class="section-number-3">6.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-6-1">
<p>
The <code>all</code> role's task contains a reference to a common institute
</div>
</div>
</div>
-<div id="outline-container-orgd3cb8ca" class="outline-3">
-<h3 id="orgd3cb8ca"><span class="section-number-3">6.2.</span> Trust Institute Certificate Authority</h3>
+<div id="outline-container-orgf85cc27" class="outline-3">
+<h3 id="orgf85cc27"><span class="section-number-3">6.2.</span> Enable Systemd Resolved</h3>
<div class="outline-text-3" id="text-6-2">
<p>
+The <code>systemd-networkd</code> and <code>systemd-resolved</code> service units are not
+enabled by default in Debian, but <i>are</i> the default in Ubuntu. The
+institute attempts to make use of their link-local name resolution, so
+they are enabled on all institute hosts.
+</p>
+
+<p>
+The <q>/usr/share/doc/systemd/README.Debian.gz</q> file recommends both
+services be enabled <i>and</i> <q>/etc/resolv.conf</q> be replaced with a
+symbolic link to <q>/run/systemd/resolve/resolv.conf</q>. The institute
+follows these recommendations (and <i>not</i> the suggestion to enable
+"persistent logging", yet). In Debian 12 there is a
+<code>systemd-resolved</code> package that symbolically links <q>/etc/resolv.conf</q>
+(and provides <q>/lib/systemd/systemd-resolved</q>, formerly part of the
+<code>systemd</code> package).
+</p>
+
+<div class="org-src-container">
+<a href="roles_t/front/tasks/main.yml"><q>roles_t/all/tasks/main.yml</q></a><pre class="src src-conf">
+- name: Install systemd-resolved.
+ become: yes
+ <span class="org-variable-name">apt: pkg</span>=systemd-resolved
+ when:
+ <span class="org-variable-name">- ansible_distribution</span> == <span class="org-string">'Debian'</span>
+ - 11 < ansible_distribution_major_version|int
+
+- name: Enable/Start systemd-networkd.
+ become: yes
+ systemd:
+ service: systemd-networkd
+ enabled: yes
+ state: started
+
+- name: Enable/Start systemd-resolved.
+ become: yes
+ systemd:
+ service: systemd-resolved
+ enabled: yes
+ state: started
+
+- name: Link /etc/resolv.conf.
+ become: yes
+ file:
+ path: /etc/resolv.conf
+ src: /run/systemd/resolve/resolv.conf
+ state: link
+ force: yes
+ when:
+ <span class="org-variable-name">- ansible_distribution</span> == <span class="org-string">'Debian'</span>
+ - 12 > ansible_distribution_major_version|int
+</pre>
+</div>
+</div>
+</div>
+<div id="outline-container-orgd3cb8ca" class="outline-3">
+<h3 id="orgd3cb8ca"><span class="section-number-3">6.3.</span> Trust Institute Certificate Authority</h3>
+<div class="outline-text-3" id="text-6-3">
+<p>
All servers should recognize the institute's Certificate Authority as
trustworthy, so its certificate is added to the set of trusted CAs on
each host. More information about how the small institute manages its
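Review bot: the caption link for the new 6.2 code block points at the wrong file: `<a href="roles_t/front/tasks/main.yml"><q>roles_t/all/tasks/main.yml</q></a>` displays the `all` role path but its `href` still targets the `front` role, whose copy of these tasks this change removes. Change the `href` to `roles_t/all/tasks/main.yml` so the link and its label agree. While here, the block is marked `src-conf` although its content is Ansible YAML; `src-yaml` would give correct highlighting for keys such as `when:` and `state: link`.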
certificates signed by the institute CA.
</p>
</div>
-<div id="outline-container-orgc8a61a6" class="outline-3">
-<h3 id="orgc8a61a6"><span class="section-number-3">7.1.</span> Include Particulars</h3>
+<div id="outline-container-orga652c4f" class="outline-3">
+<h3 id="orga652c4f"><span class="section-number-3">7.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-7-1">
<p>
The first task, as in <a href="#orgd60dcd1">The All Role</a>, is to include the institute
</div>
</div>
</div>
-<div id="outline-container-orge2015ee" class="outline-3">
-<h3 id="orge2015ee"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
+<div id="outline-container-orgd3bbfbb" class="outline-3">
+<h3 id="orgd3bbfbb"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-7-2">
<p>
This task ensures that Front's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
</div>
</div>
</div>
-<div id="outline-container-org6267a25" class="outline-3">
-<h3 id="org6267a25"><span class="section-number-3">7.3.</span> Enable Systemd Resolved <a id="org5738867"></a></h3>
+<div id="outline-container-org41f6c57" class="outline-3">
+<h3 id="org41f6c57"><span class="section-number-3">7.3.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-7-3">
<p>
-The <code>systemd-networkd</code> and <code>systemd-resolved</code> service units are not
-enabled by default in Debian, but <i>are</i> the default in Ubuntu, and
-work with Netplan. The <q>/usr/share/doc/systemd/README.Debian.gz</q> file
-recommends both services be enabled <i>and</i> <q>/etc/resolv.conf</q> be
-replaced with a symbolic link to <q>/run/systemd/resolve/resolv.conf</q>.
-The institute follows these recommendations (and <i>not</i> the suggestion
-to enable "persistent logging", yet). In Debian 12 there is a
-<code>systemd-resolved</code> package that symbolically links <q>/etc/resolv.conf</q>
-(and provides <q>/lib/systemd/systemd-resolved</q>, formerly part of the
-<code>systemd</code> package).
-</p>
-
-<p>
-These tasks are included in all of the roles, and so are given in a
-separate code block named <code>enable-resolved</code>.<sup><a id="fnr.2" class="footref" href="#fn.2" role="doc-backlink">2</a></sup>
-</p>
-
-<div class="org-src-container">
-<a href="roles_t/front/tasks/main.yml"><q>roles_t/front/tasks/main.yml</q></a><pre class="src src-conf">
-- name: Install systemd-resolved.
- become: yes
- <span class="org-variable-name">apt: pkg</span>=systemd-resolved
- when:
- <span class="org-variable-name">- ansible_distribution</span> == <span class="org-string">'Debian'</span>
- - 11 < ansible_distribution_major_version|int
-
-- name: Enable/Start systemd-networkd.
- become: yes
- systemd:
- service: systemd-networkd
- enabled: yes
- state: started
-
-- name: Enable/Start systemd-resolved.
- become: yes
- systemd:
- service: systemd-resolved
- enabled: yes
- state: started
-
-- name: Link /etc/resolv.conf.
- become: yes
- file:
- path: /etc/resolv.conf
- src: /run/systemd/resolve/resolv.conf
- state: link
- force: yes
- when:
- <span class="org-variable-name">- ansible_distribution</span> == <span class="org-string">'Debian'</span>
- - 12 > ansible_distribution_major_version|int
-</pre>
-</div>
-
-<div class="org-src-container">
-<code>enable-resolved</code><pre class="src src-conf" id="orgd8bbfb0">
-- name: Install systemd-resolved.
- become: yes
- <span class="org-variable-name">apt: pkg</span>=systemd-resolved
- when:
- <span class="org-variable-name">- ansible_distribution</span> == <span class="org-string">'Debian'</span>
- - 11 < ansible_distribution_major_version|int
-
-- name: Enable/Start systemd-networkd.
- become: yes
- systemd:
- service: systemd-networkd
- enabled: yes
- state: started
-
-- name: Enable/Start systemd-resolved.
- become: yes
- systemd:
- service: systemd-resolved
- enabled: yes
- state: started
-
-- name: Link /etc/resolv.conf.
- become: yes
- file:
- path: /etc/resolv.conf
- src: /run/systemd/resolve/resolv.conf
- state: link
- force: yes
- when:
- <span class="org-variable-name">- ansible_distribution</span> == <span class="org-string">'Debian'</span>
- - 12 > ansible_distribution_major_version|int
-</pre>
-</div>
-</div>
-</div>
-<div id="outline-container-orga3ab592" class="outline-3">
-<h3 id="orga3ab592"><span class="section-number-3">7.4.</span> Add Administrator to System Groups</h3>
-<div class="outline-text-3" id="text-7-4">
-<p>
The administrator often needs to read (directories of) log files owned
by groups <code>root</code> and <code>adm</code>. Adding the administrator's account to
these groups speeds up debugging.
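Review bot: removing the old 7.3 heading also removes its stable anchor `<a id="org5738867"></a>`, which was the target of the "Enable Systemd Resolved" link in the old 8.3 section. That link is deleted in the same change, but the new 6.2 heading (`orgf85cc27`) carries no equivalent anchor, so any other `href="#org5738867"` in parts of the document not shown here will now dangle; grep the export for `org5738867` and, if anything still refers to it, add the anchor to the new 6.2 heading. The removed paragraph that described the shared `enable-resolved` code block was the only visible reference to footnote 2 (`href="#fn.2"`), so the footnote definition itself needs to go as well, otherwise it becomes an orphan.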
</div>
</div>
<div id="outline-container-org633cf3e" class="outline-3">
-<h3 id="org633cf3e"><span class="section-number-3">7.5.</span> Configure SSH</h3>
-<div class="outline-text-3" id="text-7-5">
+<h3 id="org633cf3e"><span class="section-number-3">7.4.</span> Configure SSH</h3>
+<div class="outline-text-3" id="text-7-4">
<p>
The SSH service on Front needs to be known to Monkey. The following
tasks ensure this by replacing the automatically generated keys with
</div>
</div>
</div>
-<div id="outline-container-orgc8386a2" class="outline-3">
-<h3 id="orgc8386a2"><span class="section-number-3">7.6.</span> Configure Monkey</h3>
-<div class="outline-text-3" id="text-7-6">
+<div id="outline-container-org14610e1" class="outline-3">
+<h3 id="org14610e1"><span class="section-number-3">7.5.</span> Configure Monkey</h3>
+<div class="outline-text-3" id="text-7-5">
<p>
The small institute runs cron jobs and web scripts that generate
reports and perform checks. The un-privileged jobs are run by a
</div>
</div>
<div id="outline-container-orgd1c69a2" class="outline-3">
-<h3 id="orgd1c69a2"><span class="section-number-3">7.7.</span> Install Rsync</h3>
-<div class="outline-text-3" id="text-7-7">
+<h3 id="orgd1c69a2"><span class="section-number-3">7.6.</span> Install Rsync</h3>
+<div class="outline-text-3" id="text-7-6">
<p>
Monkey uses Rsync to keep the institute's public web site up-to-date.
</p>
</div>
</div>
</div>
-<div id="outline-container-orge530d98" class="outline-3">
-<h3 id="orge530d98"><span class="section-number-3">7.8.</span> Install Unattended Upgrades</h3>
-<div class="outline-text-3" id="text-7-8">
+<div id="outline-container-org8cd2060" class="outline-3">
+<h3 id="org8cd2060"><span class="section-number-3">7.7.</span> Install Unattended Upgrades</h3>
+<div class="outline-text-3" id="text-7-7">
<p>
The institute prefers to install security updates as soon as possible.
</p>
</div>
</div>
</div>
-<div id="outline-container-org0f197d7" class="outline-3">
-<h3 id="org0f197d7"><span class="section-number-3">7.9.</span> Configure User Accounts</h3>
-<div class="outline-text-3" id="text-7-9">
+<div id="outline-container-org4c79c93" class="outline-3">
+<h3 id="org4c79c93"><span class="section-number-3">7.8.</span> Configure User Accounts</h3>
+<div class="outline-text-3" id="text-7-8">
<p>
User accounts are created immediately so that Postfix and Dovecot can
start delivering email immediately, <i>without</i> returning "no such
</div>
</div>
</div>
-<div id="outline-container-org357b596" class="outline-3">
-<h3 id="org357b596"><span class="section-number-3">7.10.</span> Install Server Certificate</h3>
-<div class="outline-text-3" id="text-7-10">
+<div id="outline-container-orge91063f" class="outline-3">
+<h3 id="orge91063f"><span class="section-number-3">7.9.</span> Install Server Certificate</h3>
+<div class="outline-text-3" id="text-7-9">
<p>
The servers on Front use the same certificate (and key) to
authenticate themselves to institute clients. They share the
</div>
</div>
<div id="outline-container-orgba341a6" class="outline-3">
-<h3 id="orgba341a6"><span class="section-number-3">7.11.</span> Configure Postfix on Front</h3>
-<div class="outline-text-3" id="text-7-11">
+<h3 id="orgba341a6"><span class="section-number-3">7.10.</span> Configure Postfix on Front</h3>
+<div class="outline-text-3" id="text-7-10">
<p>
Front uses Postfix to provide the institute's public SMTP service, and
uses the institute's domain name for its host name. The default
</div>
</div>
<div id="outline-container-orge52533b" class="outline-3">
-<h3 id="orge52533b"><span class="section-number-3">7.12.</span> Configure Public Email Aliases</h3>
-<div class="outline-text-3" id="text-7-12">
+<h3 id="orge52533b"><span class="section-number-3">7.11.</span> Configure Public Email Aliases</h3>
+<div class="outline-text-3" id="text-7-11">
<p>
The institute's Front needs to deliver email addressed to a number of
common aliases as well as those advertised on the web site. System
</div>
</div>
</div>
-<div id="outline-container-org62ed00b" class="outline-3">
-<h3 id="org62ed00b"><span class="section-number-3">7.13.</span> Configure Dovecot IMAPd</h3>
-<div class="outline-text-3" id="text-7-13">
+<div id="outline-container-org0b2a149" class="outline-3">
+<h3 id="org0b2a149"><span class="section-number-3">7.12.</span> Configure Dovecot IMAPd</h3>
+<div class="outline-text-3" id="text-7-12">
<p>
Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to
pick up messages. Front's Dovecot configuration is largely the Debian
</div>
</div>
<div id="outline-container-orgae570f4" class="outline-3">
-<h3 id="orgae570f4"><span class="section-number-3">7.14.</span> Configure Apache2 <a id="orgf59dafb"></a></h3>
-<div class="outline-text-3" id="text-7-14">
+<h3 id="orgae570f4"><span class="section-number-3">7.13.</span> Configure Apache2 <a id="orgf59dafb"></a></h3>
+<div class="outline-text-3" id="text-7-13">
<p>
This is the small institute's public web site. It is simple, static,
and thus (hopefully) difficult to subvert. There are no server-side
The <code>apache-ciphers</code> block below is included last in the Apache2
configuration, so that its <code>SSLCipherSuite</code> directive can override
(narrow) any list of ciphers set earlier (e.g. by Let's
-Encrypt!<sup><a id="fnr.3" class="footref" href="#fn.3" role="doc-backlink">3</a></sup>). The protocols and cipher suites specified here were
+Encrypt!<sup><a id="fnr.2" class="footref" href="#fn.2" role="doc-backlink">2</a></sup>). The protocols and cipher suites specified here were
taken from <a href="https://www.ssllabs.com/projects/best-practices">https://www.ssllabs.com/projects/best-practices</a> in 2022.
</p>
</div>
</div>
</div>
-<div id="outline-container-org9f6de30" class="outline-3">
-<h3 id="org9f6de30"><span class="section-number-3">7.15.</span> Configure OpenVPN</h3>
-<div class="outline-text-3" id="text-7-15">
+<div id="outline-container-org0fb006b" class="outline-3">
+<h3 id="org0fb006b"><span class="section-number-3">7.14.</span> Configure OpenVPN</h3>
+<div class="outline-text-3" id="text-7-14">
<p>
Front uses OpenVPN to provide the institute's public VPN service. The
configuration is straightforward with one complication. OpenVPN needs
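Review bot: the Let's Encrypt footnote backlink in the Apache2 section is renumbered from `fn.3`/`fnr.3` to `fn.2`/`fnr.2`, which is only correct if the footnote definitions (not part of this diff) were renumbered to match and the former footnote 2 was deleted; if the definitions list still has the old numbering, this backlink now lands on the wrong note. Please confirm the `fn.2` definition in the footnotes block is the Let's Encrypt text.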
</div>
</div>
<div id="outline-container-orgc93df1f" class="outline-3">
-<h3 id="orgc93df1f"><span class="section-number-3">7.16.</span> Configure Kamailio</h3>
-<div class="outline-text-3" id="text-7-16">
+<h3 id="orgc93df1f"><span class="section-number-3">7.15.</span> Configure Kamailio</h3>
+<div class="outline-text-3" id="text-7-15">
<p>
Front uses Kamailio to provide a SIP service on the public VPN so that
members abroad can chat privately. This is a connection-less UDP
account. (For details, see <a href="#org8d60b7b">The Core Machine</a>.)
</p>
</div>
-<div id="outline-container-orgabb953b" class="outline-3">
-<h3 id="orgabb953b"><span class="section-number-3">8.1.</span> Include Particulars</h3>
+<div id="outline-container-org27e3dcb" class="outline-3">
+<h3 id="org27e3dcb"><span class="section-number-3">8.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-8-1">
<p>
The first task, as in <a href="#org9240129">The Front Role</a>, is to include the institute
</div>
</div>
</div>
-<div id="outline-container-org7ee9fb1" class="outline-3">
-<h3 id="org7ee9fb1"><span class="section-number-3">8.2.</span> Configure Hostname</h3>
+<div id="outline-container-org410e0b9" class="outline-3">
+<h3 id="org410e0b9"><span class="section-number-3">8.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-8-2">
<p>
This task ensures that Core's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
</div>
</div>
</div>
-<div id="outline-container-orgdcf7bec" class="outline-3">
-<h3 id="orgdcf7bec"><span class="section-number-3">8.3.</span> Enable Systemd Resolved</h3>
+<div id="outline-container-org2ba83cb" class="outline-3">
+<h3 id="org2ba83cb"><span class="section-number-3">8.3.</span> Configure Systemd Resolved</h3>
<div class="outline-text-3" id="text-8-3">
<p>
-Core starts the <code>systemd-networkd</code> and <code>systemd-resolved</code> service
-units on boot. See <a href="#org5738867">Enable Systemd Resolved</a>.
-</p>
-
-<div class="org-src-container">
-<a href="roles_t/core/tasks/main.yml"><q>roles_t/core/tasks/main.yml</q></a><pre class="src src-conf">
-- name: Install systemd-resolved.
- become: yes
- <span class="org-variable-name">apt: pkg</span>=systemd-resolved
- when:
- <span class="org-variable-name">- ansible_distribution</span> == <span class="org-string">'Debian'</span>
- - 11 < ansible_distribution_major_version|int
-
-- name: Enable/Start systemd-networkd.
- become: yes
- systemd:
- service: systemd-networkd
- enabled: yes
- state: started
-
-- name: Enable/Start systemd-resolved.
- become: yes
- systemd:
- service: systemd-resolved
- enabled: yes
- state: started
-
-- name: Link /etc/resolv.conf.
- become: yes
- file:
- path: /etc/resolv.conf
- src: /run/systemd/resolve/resolv.conf
- state: link
- force: yes
- when:
- <span class="org-variable-name">- ansible_distribution</span> == <span class="org-string">'Debian'</span>
- - 12 > ansible_distribution_major_version|int
-</pre>
-</div>
-</div>
-</div>
-<div id="outline-container-orgecf0743" class="outline-3">
-<h3 id="orgecf0743"><span class="section-number-3">8.4.</span> Configure Systemd Resolved</h3>
-<div class="outline-text-3" id="text-8-4">
-<p>
Core runs the campus name server, so Resolved is configured to use it
(or <code>dns.google</code>), to include the institute's domain in its search
list, and to disable its cache and stub listener.
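Review bot: with the "Enable Systemd Resolved" tasks deleted from `roles_t/core/tasks/main.yml`, the remaining 8.3 "Configure Systemd Resolved" tasks (which point Resolved at the campus name server and disable its stub listener) now assume the `all` role has already installed and started `systemd-resolved`; this works only if the playbook applies `all` before `core` on every host, so that ordering should be stated here or in the role's dependencies rather than left implicit. Note also that the old 8.4 container id `orgecf0743` is dropped and the merged section gets a fresh id (`org2ba83cb`), so any existing link to `#orgecf0743` will dangle.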
</div>
</div>
<div id="outline-container-org2dec986" class="outline-3">
-<h3 id="org2dec986"><span class="section-number-3">8.5.</span> Configure Netplan</h3>
-<div class="outline-text-3" id="text-8-5">
+<h3 id="org2dec986"><span class="section-number-3">8.4.</span> Configure Netplan</h3>
+<div class="outline-text-3" id="text-8-4">
<p>
Core's network interface is statically configured using Netplan and an
<q>/etc/netplan/60-core.yaml</q> file. That file provides Core's address
</div>
</div>
<div id="outline-container-org404665f" class="outline-3">
-<h3 id="org404665f"><span class="section-number-3">8.6.</span> Configure DHCP For the Private Ethernet</h3>
-<div class="outline-text-3" id="text-8-6">
+<h3 id="org404665f"><span class="section-number-3">8.5.</span> Configure DHCP For the Private Ethernet</h3>
+<div class="outline-text-3" id="text-8-5">
<p>
Core speaks DHCP (Dynamic Host Configuration Protocol) using the
Internet Software Consortium's DHCP server. The server assigns unique
</div>
</div>
<div id="outline-container-org2134214" class="outline-3">
-<h3 id="org2134214"><span class="section-number-3">8.7.</span> Configure BIND9</h3>
-<div class="outline-text-3" id="text-8-7">
+<h3 id="org2134214"><span class="section-number-3">8.6.</span> Configure BIND9</h3>
+<div class="outline-text-3" id="text-8-6">
<p>
Core uses BIND9 to provide a private-view name service for the
institute as described in <a href="#org12ea1d0">The Name Service</a>. The configuration
</div>
</div>
</div>
-<div id="outline-container-orgef1243d" class="outline-3">
-<h3 id="orgef1243d"><span class="section-number-3">8.8.</span> Add Administrator to System Groups</h3>
-<div class="outline-text-3" id="text-8-8">
+<div id="outline-container-org31f8f68" class="outline-3">
+<h3 id="org31f8f68"><span class="section-number-3">8.7.</span> Add Administrator to System Groups</h3>
+<div class="outline-text-3" id="text-8-7">
<p>
The administrator often needs to read (directories of) log files owned
by groups <code>root</code> and <code>adm</code>. Adding the administrator's account to
</div>
</div>
</div>
-<div id="outline-container-org14610e1" class="outline-3">
-<h3 id="org14610e1"><span class="section-number-3">8.9.</span> Configure Monkey</h3>
-<div class="outline-text-3" id="text-8-9">
+<div id="outline-container-org4690ba9" class="outline-3">
+<h3 id="org4690ba9"><span class="section-number-3">8.8.</span> Configure Monkey</h3>
+<div class="outline-text-3" id="text-8-8">
<p>
The small institute runs cron jobs and web scripts that generate
reports and perform checks. The un-privileged jobs are run by a
</div>
</div>
</div>
-<div id="outline-container-org61d58b8" class="outline-3">
-<h3 id="org61d58b8"><span class="section-number-3">8.10.</span> Install Unattended Upgrades</h3>
-<div class="outline-text-3" id="text-8-10">
+<div id="outline-container-org51e48da" class="outline-3">
+<h3 id="org51e48da"><span class="section-number-3">8.9.</span> Install Unattended Upgrades</h3>
+<div class="outline-text-3" id="text-8-9">
<p>
The institute prefers to install security updates as soon as possible.
</p>
</div>
</div>
<div id="outline-container-orgd919e4d" class="outline-3">
-<h3 id="orgd919e4d"><span class="section-number-3">8.11.</span> Install Expect</h3>
-<div class="outline-text-3" id="text-8-11">
+<h3 id="orgd919e4d"><span class="section-number-3">8.10.</span> Install Expect</h3>
+<div class="outline-text-3" id="text-8-10">
<p>
The <code>expect</code> program is used by <a href="#org1c6f4a8">The Institute Commands</a> to interact
with Nextcloud on the command line.
</div>
</div>
</div>
-<div id="outline-container-org4c79c93" class="outline-3">
-<h3 id="org4c79c93"><span class="section-number-3">8.12.</span> Configure User Accounts</h3>
-<div class="outline-text-3" id="text-8-12">
+<div id="outline-container-org3914dca" class="outline-3">
+<h3 id="org3914dca"><span class="section-number-3">8.11.</span> Configure User Accounts</h3>
+<div class="outline-text-3" id="text-8-11">
<p>
User accounts are created immediately so that backups can begin
restoring as soon as possible. The <a href="#orge7fe793">Account Management</a> chapter
</div>
</div>
</div>
-<div id="outline-container-org0bff045" class="outline-3">
-<h3 id="org0bff045"><span class="section-number-3">8.13.</span> Install Server Certificate</h3>
-<div class="outline-text-3" id="text-8-13">
+<div id="outline-container-org1d9e0cd" class="outline-3">
+<h3 id="org1d9e0cd"><span class="section-number-3">8.12.</span> Install Server Certificate</h3>
+<div class="outline-text-3" id="text-8-12">
<p>
The servers on Core use the same certificate (and key) to authenticate
themselves to institute clients. They share the <q>/etc/server.crt</q> and
</div>
</div>
<div id="outline-container-org1a74046" class="outline-3">
-<h3 id="org1a74046"><span class="section-number-3">8.14.</span> Install NTP</h3>
-<div class="outline-text-3" id="text-8-14">
+<h3 id="org1a74046"><span class="section-number-3">8.13.</span> Install NTP</h3>
+<div class="outline-text-3" id="text-8-13">
<p>
Core uses NTP to provide a time synchronization service to the campus.
The default daemon's default configuration is fine.
</div>
</div>
<div id="outline-container-org948efaa" class="outline-3">
-<h3 id="org948efaa"><span class="section-number-3">8.15.</span> Configure Postfix on Core</h3>
-<div class="outline-text-3" id="text-8-15">
+<h3 id="org948efaa"><span class="section-number-3">8.14.</span> Configure Postfix on Core</h3>
+<div class="outline-text-3" id="text-8-14">
<p>
Core uses Postfix to provide SMTP service to the campus. The default
Debian configuration (for an "Internet Site") is nearly sufficient.
</div>
</div>
<div id="outline-container-orgaf844fe" class="outline-3">
-<h3 id="orgaf844fe"><span class="section-number-3">8.16.</span> Configure Private Email Aliases</h3>
-<div class="outline-text-3" id="text-8-16">
+<h3 id="orgaf844fe"><span class="section-number-3">8.15.</span> Configure Private Email Aliases</h3>
+<div class="outline-text-3" id="text-8-15">
<p>
The institute's Core needs to deliver email addressed to institute
aliases including those advertised on the campus web site, in VPN
</div>
</div>
</div>
-<div id="outline-container-org0b2a149" class="outline-3">
-<h3 id="org0b2a149"><span class="section-number-3">8.17.</span> Configure Dovecot IMAPd</h3>
-<div class="outline-text-3" id="text-8-17">
+<div id="outline-container-org1e54e7f" class="outline-3">
+<h3 id="org1e54e7f"><span class="section-number-3">8.16.</span> Configure Dovecot IMAPd</h3>
+<div class="outline-text-3" id="text-8-16">
<p>
Core uses Dovecot's IMAPd to store and serve member emails. As on
Front, Core's Dovecot configuration is largely the Debian default with
</div>
</div>
<div id="outline-container-org5a3cd75" class="outline-3">
-<h3 id="org5a3cd75"><span class="section-number-3">8.18.</span> Configure Fetchmail</h3>
-<div class="outline-text-3" id="text-8-18">
+<h3 id="org5a3cd75"><span class="section-number-3">8.17.</span> Configure Fetchmail</h3>
+<div class="outline-text-3" id="text-8-17">
<p>
Core runs a <code>fetchmail</code> for each member of the institute. Individual
<code>fetchmail</code> jobs can run with the <code>--idle</code> option and thus can
</div>
</div>
<div id="outline-container-org14de2c2" class="outline-3">
-<h3 id="org14de2c2"><span class="section-number-3">8.19.</span> Configure Apache2 <a id="org1ac6235"></a></h3>
-<div class="outline-text-3" id="text-8-19">
+<h3 id="org14de2c2"><span class="section-number-3">8.18.</span> Configure Apache2 <a id="org1ac6235"></a></h3>
+<div class="outline-text-3" id="text-8-18">
<p>
This is the small institute's campus web server. It hosts several web
sites as described in <a href="#org43cbe17">The Web Services</a>.
</div>
</div>
<div id="outline-container-org5eefe23" class="outline-3">
-<h3 id="org5eefe23"><span class="section-number-3">8.20.</span> Configure Website Updates</h3>
-<div class="outline-text-3" id="text-8-20">
+<h3 id="org5eefe23"><span class="section-number-3">8.19.</span> Configure Website Updates</h3>
+<div class="outline-text-3" id="text-8-19">
<p>
Monkey on Core runs <q>/usr/local/sbin/webupdate</q> every 15 minutes via a
<code>cron</code> job. The example script mirrors <q>/WWW/live/</q> on Core to
</div>
</div>
<div id="outline-container-org0eac7f7" class="outline-3">
-<h3 id="org0eac7f7"><span class="section-number-3">8.21.</span> Configure OpenVPN Connection to Front</h3>
-<div class="outline-text-3" id="text-8-21">
+<h3 id="org0eac7f7"><span class="section-number-3">8.20.</span> Configure OpenVPN Connection to Front</h3>
+<div class="outline-text-3" id="text-8-20">
<p>
Core connects to Front's public VPN to provide members abroad with a
route to the campus networks. As described in the configuration of
</div>
</div>
<div id="outline-container-org517dee3" class="outline-3">
-<h3 id="org517dee3"><span class="section-number-3">8.22.</span> Configure NAGIOS</h3>
-<div class="outline-text-3" id="text-8-22">
+<h3 id="org517dee3"><span class="section-number-3">8.21.</span> Configure NAGIOS</h3>
+<div class="outline-text-3" id="text-8-21">
<p>
Core runs a <code>nagios4</code> server to monitor "services" on institute hosts.
The following tasks install the necessary packages and configure the
</div>
</div>
<div id="outline-container-orgda831f7" class="outline-4">
-<h4 id="orgda831f7"><span class="section-number-4">8.22.1.</span> Configure NAGIOS Monitors for Core</h4>
-<div class="outline-text-4" id="text-8-22-1">
+<h4 id="orgda831f7"><span class="section-number-4">8.21.1.</span> Configure NAGIOS Monitors for Core</h4>
+<div class="outline-text-4" id="text-8-21-1">
<p>
The first block in <q>nagios.cfg</q> specifies monitors for services on
Core. The monitors are simple, local plugins, and the block is very
</div>
</div>
<div id="outline-container-org447bb4c" class="outline-4">
-<h4 id="org447bb4c"><span class="section-number-4">8.22.2.</span> Custom NAGIOS Monitor <code>inst_sensors</code></h4>
-<div class="outline-text-4" id="text-8-22-2">
+<h4 id="org447bb4c"><span class="section-number-4">8.21.2.</span> Custom NAGIOS Monitor <code>inst_sensors</code></h4>
+<div class="outline-text-4" id="text-8-21-2">
<p>
The <code>check_sensors</code> plugin is included in the package
<code>monitoring-plugins-basic</code>, but it does not report any readings. The
</div>
</div>
<div id="outline-container-orge20967c" class="outline-4">
-<h4 id="orge20967c"><span class="section-number-4">8.22.3.</span> Configure NAGIOS Monitors for Remote Hosts</h4>
-<div class="outline-text-4" id="text-8-22-3">
+<h4 id="orge20967c"><span class="section-number-4">8.21.3.</span> Configure NAGIOS Monitors for Remote Hosts</h4>
+<div class="outline-text-4" id="text-8-21-3">
<p>
The following sections contain code blocks specifying monitors for
services on other campus hosts. The NAGIOS server on Core will
</div>
</div>
<div id="outline-container-orgfe68c96" class="outline-4">
-<h4 id="orgfe68c96"><span class="section-number-4">8.22.4.</span> Configure NAGIOS Monitors for Gate</h4>
-<div class="outline-text-4" id="text-8-22-4">
+<h4 id="orgfe68c96"><span class="section-number-4">8.21.4.</span> Configure NAGIOS Monitors for Gate</h4>
+<div class="outline-text-4" id="text-8-21-4">
<p>
Define the monitored host, <code>gate</code>. Monitor its response to network
pings.
</div>
</div>
<div id="outline-container-org04cc272" class="outline-3">
-<h3 id="org04cc272"><span class="section-number-3">8.23.</span> Configure Backups</h3>
-<div class="outline-text-3" id="text-8-23">
+<h3 id="org04cc272"><span class="section-number-3">8.22.</span> Configure Backups</h3>
+<div class="outline-text-3" id="text-8-22">
<p>
The following task installs the <q>backup</q> script from <a href="private/"><q>private/</q></a>. An
example script is provided in <a href="#org9d5954c">here</a>.
</div>
</div>
<div id="outline-container-orgd97190a" class="outline-3">
-<h3 id="orgd97190a"><span class="section-number-3">8.24.</span> Configure Nextcloud</h3>
-<div class="outline-text-3" id="text-8-24">
+<h3 id="orgd97190a"><span class="section-number-3">8.23.</span> Configure Nextcloud</h3>
+<div class="outline-text-3" id="text-8-23">
<p>
Core runs Nextcloud to provide a private institute cloud, as described
in <a href="#org71fc0ac">The Cloud Service</a>. Installing, restoring (from backup), and
</p>
</div>
<div id="outline-container-orga7bf888" class="outline-4">
-<h4 id="orga7bf888"><span class="section-number-4">8.24.1.</span> Prepare Core For Nextcloud</h4>
-<div class="outline-text-4" id="text-8-24-1">
+<h4 id="orga7bf888"><span class="section-number-4">8.23.1.</span> Prepare Core For Nextcloud</h4>
+<div class="outline-text-4" id="text-8-23-1">
<p>
The Ansible code contained herein prepares Core to run Nextcloud by
installing required software packages, configuring the web server, and
The following task would work (<code>mysql_user</code> supports
<code>check_implicit_admin</code>) <i>but</i> the <code>nextcloud</code> database was not created
above. Thus both database and user are created manually, with SQL
-given in the <a href="#orga610911">8.24.5</a> subsection below, before <code>occ
+given in the <a href="#orga610911">8.23.5</a> subsection below, before <code>occ
maintenance:install</code> can run.
</p>
</div>
</div>
<div id="outline-container-org06f8ed1" class="outline-4">
-<h4 id="org06f8ed1"><span class="section-number-4">8.24.2.</span> Configure PHP</h4>
-<div class="outline-text-4" id="text-8-24-2">
+<h4 id="org06f8ed1"><span class="section-number-4">8.23.2.</span> Configure PHP</h4>
+<div class="outline-text-4" id="text-8-23-2">
<p>
The following tasks set a number of PHP parameters for better
performance, as recommended by Nextcloud.
</div>
</div>
<div id="outline-container-org45a4a2a" class="outline-4">
-<h4 id="org45a4a2a"><span class="section-number-4">8.24.3.</span> Create <q>/Nextcloud/</q></h4>
-<div class="outline-text-4" id="text-8-24-3">
+<h4 id="org45a4a2a"><span class="section-number-4">8.23.3.</span> Create <q>/Nextcloud/</q></h4>
+<div class="outline-text-4" id="text-8-23-3">
<p>
The Ansible tasks up to this point have completed Core's LAMP stack
and made Core ready to run Nextcloud, but they have <i>not</i> installed
</div>
</div>
<div id="outline-container-org0568172" class="outline-4">
-<h4 id="org0568172"><span class="section-number-4">8.24.4.</span> Restore Nextcloud</h4>
-<div class="outline-text-4" id="text-8-24-4">
+<h4 id="org0568172"><span class="section-number-4">8.23.4.</span> Restore Nextcloud</h4>
+<div class="outline-text-4" id="text-8-23-4">
<p>
Restoring Nextcloud in the newly created <q>/Nextcloud/</q> presumably
starts with plugging in the portable backup drive and unlocking it so
</div>
</div>
<div id="outline-container-orga610911" class="outline-4">
-<h4 id="orga610911"><span class="section-number-4">8.24.5.</span> Install Nextcloud</h4>
-<div class="outline-text-4" id="text-8-24-5">
+<h4 id="orga610911"><span class="section-number-4">8.23.5.</span> Install Nextcloud</h4>
+<div class="outline-text-4" id="text-8-23-5">
<p>
Installing Nextcloud in the newly created <q>/Nextcloud/</q> starts with
downloading and verifying a recent release tarball. The following
</div>
</div>
<div id="outline-container-org380598a" class="outline-4">
-<h4 id="org380598a"><span class="section-number-4">8.24.6.</span> Afterwards</h4>
-<div class="outline-text-4" id="text-8-24-6">
+<h4 id="org380598a"><span class="section-number-4">8.23.6.</span> Afterwards</h4>
+<div class="outline-text-4" id="text-8-23-6">
<p>
Whether Nextcloud was restored or installed, there are a few things
Ansible can do to bolster reliability and security (aka privacy).
configurations, etc.
</p>
</div>
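Review bot: the 8.24→8.23 renumbering is carried into both cross-references visible in this hunk (`8.23.5` in the Prepare Core paragraph and `8.23.6` in the Nextcloud testing paragraph), and the org ids (org04cc272, orgd97190a, orga610911, org380598a) are untouched so the anchors still resolve; the table of contents and any other "8.24" mention lie outside this diff and need the same regeneration pass. While here, the unchanged "An example script is provided in here" reads better as "provided here".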
-<div id="outline-container-orgb5d8866" class="outline-3">
-<h3 id="orgb5d8866"><span class="section-number-3">9.1.</span> Include Particulars</h3>
+<div id="outline-container-org50cbfd6" class="outline-3">
+<h3 id="org50cbfd6"><span class="section-number-3">9.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-9-1">
<p>
The following should be familiar boilerplate by now.
</div>
</div>
</div>
-<div id="outline-container-orge91063f" class="outline-3">
-<h3 id="orge91063f"><span class="section-number-3">9.6.</span> Install Server Certificate</h3>
+<div id="outline-container-org4e379f9" class="outline-3">
+<h3 id="org4e379f9"><span class="section-number-3">9.6.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-9-6">
<p>
The (OpenVPN) server on Gate uses an institute certificate (and key)
</div>
</div>
</div>
-<div id="outline-container-org0fb006b" class="outline-3">
-<h3 id="org0fb006b"><span class="section-number-3">9.7.</span> Configure OpenVPN</h3>
+<div id="outline-container-orgf00aa15" class="outline-3">
+<h3 id="orgf00aa15"><span class="section-number-3">9.7.</span> Configure OpenVPN</h3>
<div class="outline-text-3" id="text-9-7">
<p>
Gate uses OpenVPN to provide the institute's campus VPN service. Its
configured manually.
</p>
</div>
-<div id="outline-container-orga320cc8" class="outline-3">
-<h3 id="orga320cc8"><span class="section-number-3">10.1.</span> Include Particulars</h3>
+<div id="outline-container-org8108a78" class="outline-3">
+<h3 id="org8108a78"><span class="section-number-3">10.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-10-1">
<p>
The following should be familiar boilerplate by now.
</div>
</div>
</div>
-<div id="outline-container-orgd3bbfbb" class="outline-3">
-<h3 id="orgd3bbfbb"><span class="section-number-3">10.2.</span> Configure Hostname</h3>
+<div id="outline-container-org2e7e75f" class="outline-3">
+<h3 id="org2e7e75f"><span class="section-number-3">10.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-10-2">
<p>
Clients should be using the expected host name.
</div>
</div>
</div>
-<div id="outline-container-orgf85cc27" class="outline-3">
-<h3 id="orgf85cc27"><span class="section-number-3">10.3.</span> Enable Systemd Resolved</h3>
+<div id="outline-container-org89c7cf2" class="outline-3">
+<h3 id="org89c7cf2"><span class="section-number-3">10.3.</span> Configure Systemd Resolved</h3>
<div class="outline-text-3" id="text-10-3">
<p>
-Campus machines start the <code>systemd-networkd</code> and <code>systemd-resolved</code>
-service units on boot. See <a href="#org5738867">Enable Systemd Resolved</a>.
-</p>
-
-<div class="org-src-container">
-<a href="roles_t/campus/tasks/main.yml"><q>roles_t/campus/tasks/main.yml</q></a><pre class="src src-conf">
-- name: Install systemd-resolved.
- become: yes
- <span class="org-variable-name">apt: pkg</span>=systemd-resolved
- when:
- <span class="org-variable-name">- ansible_distribution</span> == <span class="org-string">'Debian'</span>
- - 11 < ansible_distribution_major_version|int
-
-- name: Enable/Start systemd-networkd.
- become: yes
- systemd:
- service: systemd-networkd
- enabled: yes
- state: started
-
-- name: Enable/Start systemd-resolved.
- become: yes
- systemd:
- service: systemd-resolved
- enabled: yes
- state: started
-
-- name: Link /etc/resolv.conf.
- become: yes
- file:
- path: /etc/resolv.conf
- src: /run/systemd/resolve/resolv.conf
- state: link
- force: yes
- when:
- <span class="org-variable-name">- ansible_distribution</span> == <span class="org-string">'Debian'</span>
- - 12 > ansible_distribution_major_version|int
-</pre>
-</div>
-</div>
-</div>
-<div id="outline-container-org2ba83cb" class="outline-3">
-<h3 id="org2ba83cb"><span class="section-number-3">10.4.</span> Configure Systemd Resolved</h3>
-<div class="outline-text-3" id="text-10-4">
-<p>
Campus machines use the campus name server on Core (or <code>dns.google</code>),
and include the institute's private domain in their search lists.
</p>
</div>
</div>
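Review bot: removing the campus "Enable Systemd Resolved" section takes away not only the four tasks (install systemd-resolved on Debian > 11, enable/start systemd-networkd and systemd-resolved, force-link /etc/resolv.conf on Debian < 12) but also the only pointer that told the reader where they went; the surviving 10.3 prose ("Campus machines use the campus name server on Core...") no longer says that enabling now happens in the all role. Suggest keeping a one-line cross-reference in 10.3, like the removed "See Enable Systemd Resolved" link retargeted at the new 6.2 section, and confirming that both Debian-version guards survived the move: without the `12 > ansible_distribution_major_version|int` guard, the `force: yes` symlink task would overwrite the /etc/resolv.conf that the systemd-resolved package itself manages on Debian 12.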
<div id="outline-container-orge768e1b" class="outline-3">
-<h3 id="orge768e1b"><span class="section-number-3">10.5.</span> Configure Systemd Timesyncd</h3>
-<div class="outline-text-3" id="text-10-5">
+<h3 id="orge768e1b"><span class="section-number-3">10.4.</span> Configure Systemd Timesyncd</h3>
+<div class="outline-text-3" id="text-10-4">
<p>
The institute uses a common time reference throughout the campus.
This is essential to campus security, improving the accuracy of log
</div>
</div>
</div>
-<div id="outline-container-org41f6c57" class="outline-3">
-<h3 id="org41f6c57"><span class="section-number-3">10.6.</span> Add Administrator to System Groups</h3>
-<div class="outline-text-3" id="text-10-6">
+<div id="outline-container-org9767066" class="outline-3">
+<h3 id="org9767066"><span class="section-number-3">10.5.</span> Add Administrator to System Groups</h3>
+<div class="outline-text-3" id="text-10-5">
<p>
The administrator often needs to read (directories of) log files owned
by groups <code>root</code> and <code>adm</code>. Adding the administrator's account to
</div>
</div>
</div>
-<div id="outline-container-org8cd2060" class="outline-3">
-<h3 id="org8cd2060"><span class="section-number-3">10.7.</span> Install Unattended Upgrades</h3>
-<div class="outline-text-3" id="text-10-7">
+<div id="outline-container-org1c243d8" class="outline-3">
+<h3 id="org1c243d8"><span class="section-number-3">10.6.</span> Install Unattended Upgrades</h3>
+<div class="outline-text-3" id="text-10-6">
<p>
The institute prefers to install security updates as soon as possible.
</p>
</div>
</div>
<div id="outline-container-orgb964f6c" class="outline-3">
-<h3 id="orgb964f6c"><span class="section-number-3">10.8.</span> Configure Postfix on Campus</h3>
-<div class="outline-text-3" id="text-10-8">
+<h3 id="orgb964f6c"><span class="section-number-3">10.7.</span> Configure Postfix on Campus</h3>
+<div class="outline-text-3" id="text-10-7">
<p>
The Postfix settings used by the campus include message size, queue
times, and the <code>relayhost</code> Core. The default Debian configuration
</div>
</div>
<div id="outline-container-org546611a" class="outline-3">
-<h3 id="org546611a"><span class="section-number-3">10.9.</span> Hard-wire Important IP Addresses</h3>
-<div class="outline-text-3" id="text-10-9">
+<h3 id="org546611a"><span class="section-number-3">10.8.</span> Hard-wire Important IP Addresses</h3>
+<div class="outline-text-3" id="text-10-8">
<p>
For the edification of programs consulting the <q>/etc/hosts</q> file, the
institute's domain name and public IP address are added. The Debian
</div>
</div>
<div id="outline-container-orgbd0ce38" class="outline-3">
-<h3 id="orgbd0ce38"><span class="section-number-3">10.10.</span> Configure NRPE</h3>
-<div class="outline-text-3" id="text-10-10">
+<h3 id="orgbd0ce38"><span class="section-number-3">10.9.</span> Configure NRPE</h3>
+<div class="outline-text-3" id="text-10-9">
<p>
Each campus host runs an NRPE (a NAGIOS Remote Plugin Executor)
server so that the NAGIOS4 server on Core can collect statistics. The
<p>
A new member's record in the <code>members</code> mapping will have the <code>status</code>
key value <code>current</code>. That key gets value <code>former</code> when the member
-leaves.<sup><a id="fnr.4" class="footref" href="#fn.4" role="doc-backlink">4</a></sup> Access by former members is revoked by invalidating the
+leaves.<sup><a id="fnr.3" class="footref" href="#fn.3" role="doc-backlink">3</a></sup> Access by former members is revoked by invalidating the
Unix account passwords, removing any authorized SSH keys from Front
and Core, and disabling their VPN certificates.
</p>
not accessible to the administrator's notebook (the host). To work
around this restriction, <code>front</code> gets a second network interface
connected to the <code>vboxnet1</code> network and used only for ssh access from
-the host.<sup><a id="fnr.5" class="footref" href="#fn.5" role="doc-backlink">5</a></sup>
+the host.<sup><a id="fnr.4" class="footref" href="#fn.4" role="doc-backlink">4</a></sup>
</p>
<p>
installation (or restoration) process used on Core is used on <code>core</code>
to create <q>/Nextcloud/</q>. The process starts with <a href="#org45a4a2a">Create
<q>/Nextcloud/</q></a>, involves <a href="#org0568172">Restore Nextcloud</a> or <a href="#orga610911">Install Nextcloud</a>,
-and runs <code>./inst config core</code> again <a href="#org380598a">8.24.6</a>. When the <code>./inst
+and runs <code>./inst config core</code> again <a href="#org380598a">8.23.6</a>. When the <code>./inst
config core</code> command is happy with the Nextcloud configuration on
<code>core</code>, the administrator uses Dick's notebook to test it, performing
the following tests on <code>dick</code>'s desktop.
</p></div></div>
<div class="footdef"><sup><a id="fn.2" class="footnum" href="#fnr.2" role="doc-backlink">2</a></sup> <div class="footpara" role="doc-footnote"><p class="footpara">
-Why not create a role named <code>all</code> and put these tasks that are
-the same on all machines in that role? If there were more than a
-stable handful, and no tangling mechanism to do the duplication, a
-catch-all role would be a higher priority.
-</p></div></div>
-
-<div class="footdef"><sup><a id="fn.3" class="footnum" href="#fnr.3" role="doc-backlink">3</a></sup> <div class="footpara" role="doc-footnote"><p class="footpara">
The cipher set specified by Let's Encrypt is large enough to
turn orange many parts of an SSL Report from Qualys SSL Labs.
</p></div></div>
-<div class="footdef"><sup><a id="fn.4" class="footnum" href="#fnr.4" role="doc-backlink">4</a></sup> <div class="footpara" role="doc-footnote"><p class="footpara">
+<div class="footdef"><sup><a id="fn.3" class="footnum" href="#fnr.3" role="doc-backlink">3</a></sup> <div class="footpara" role="doc-footnote"><p class="footpara">
Presumably, eventually, a former member's home directories are
archived to external storage, their other files are given new
ownerships, and their Unix accounts are deleted. This has never been
done, and is left as a manual exercise.
</p></div></div>
-<div class="footdef"><sup><a id="fn.5" class="footnum" href="#fnr.5" role="doc-backlink">5</a></sup> <div class="footpara" role="doc-footnote"><p class="footpara">
+<div class="footdef"><sup><a id="fn.4" class="footnum" href="#fnr.4" role="doc-backlink">4</a></sup> <div class="footpara" role="doc-footnote"><p class="footpara">
Front is accessible via Gate but routing from the host address
on <code>vboxnet0</code> through Gate requires extensive interference with the
routes on Front and Gate, making the simulation less… similar.
</div></div>
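Review bot: dropping footnote 2 ("Why not create a role named all...") shifts every later definition down by one, and the two body references visible here follow (fnr.3 for former members, fnr.4 for the vboxnet1 interface), but the body reference for the Let's Encrypt cipher-set note, whose definition now sits under fn.2, is not in this diff; if it still reads fnr.3 it will land on the former-member footnote instead. Separately, the last footdef (fn.4) appears to close with `</div></div>` and no `</p>`, unlike the other footnotes, which the postamble's validator link will flag under XHTML strict.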
<div id="postamble" class="status">
<p class="author">Author: Matt Birkholz</p>
-<p class="date">Created: 2024-02-26 Mon 19:42</p>
+<p class="date">Created: 2024-02-26 Mon 21:58</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>