"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
-<!-- 2025-06-15 Sun 19:03 -->
+<!-- 2025-06-28 Sat 10:50 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>A Small Institute</title>
secure and private campus that can function with or without the
Internet.
</p>
-<div id="outline-container-org73a9925" class="outline-2">
-<h2 id="org73a9925"><span class="section-number-2">1.</span> Overview</h2>
+<div id="outline-container-orga920549" class="outline-2">
+<h2 id="orga920549"><span class="section-number-2">1.</span> Overview</h2>
<div class="outline-text-2" id="text-1">
<p>
This small institute has a public server on the Internet, Front, that
members off campus.
</p>
-<pre class="example" id="orge628b95">
+<pre class="example" id="orgc355f2d">
=
_|||_
=-The-Institute-=
</p>
</div>
</div>
-<div id="outline-container-orgf89fbc8" class="outline-2">
-<h2 id="orgf89fbc8"><span class="section-number-2">2.</span> Caveats</h2>
+<div id="outline-container-org4df80f6" class="outline-2">
+<h2 id="org4df80f6"><span class="section-number-2">2.</span> Caveats</h2>
<div class="outline-text-2" id="text-2">
<p>
This small institute prizes its privacy, so there is little or no
</p>
</div>
</div>
-<div id="outline-container-org08c5f02" class="outline-2">
-<h2 id="org08c5f02"><span class="section-number-2">3.</span> The Services</h2>
+<div id="outline-container-org432674e" class="outline-2">
+<h2 id="org432674e"><span class="section-number-2">3.</span> The Services</h2>
<div class="outline-text-2" id="text-3">
<p>
The small institute's network is designed to provide a number of
reference particulars first introduced in the following chapter.
</p>
</div>
-<div id="outline-container-org4cb1e87" class="outline-3">
-<h3 id="org4cb1e87"><span class="section-number-3">3.1.</span> The Name Service</h3>
+<div id="outline-container-org9f742c5" class="outline-3">
+<h3 id="org9f742c5"><span class="section-number-3">3.1.</span> The Name Service</h3>
<div class="outline-text-3" id="text-3-1">
<p>
The institute has a public domain, e.g. <code>small.example.org</code>, and a
</p>
</div>
</div>
-<div id="outline-container-orgb774d4b" class="outline-3">
-<h3 id="orgb774d4b"><span class="section-number-3">3.2.</span> The Email Service</h3>
+<div id="outline-container-org4f09259" class="outline-3">
+<h3 id="org4f09259"><span class="section-number-3">3.2.</span> The Email Service</h3>
<div class="outline-text-3" id="text-3-2">
<p>
Front provides the public SMTP (Simple Mail Transfer Protocol) service
configurations wherever <code><<postfix-message-size>></code> appears.
</p>
</div>
-<div id="outline-container-org01ff465" class="outline-4">
-<h4 id="org01ff465"><span class="section-number-4">3.2.1.</span> The Postfix Configurations</h4>
+<div id="outline-container-orgb203103" class="outline-4">
+<h4 id="orgb203103"><span class="section-number-4">3.2.1.</span> The Postfix Configurations</h4>
<div class="outline-text-4" id="text-3-2-1">
<p>
The institute aims to accommodate encrypted email containing short
</p>
<div class="org-src-container">
-<code>postfix-message-size</code><pre class="src src-conf" id="org6aaa91d"><code>- { p: message_size_limit, v: 104857600 }
+<code>postfix-message-size</code><pre class="src src-conf" id="orgd167b59"><code>- { p: message_size_limit, v: 104857600 }
</code></pre>
</div>
</p>
<div class="org-src-container">
-<code>postfix-queue-times</code><pre class="src src-conf" id="org17a070e"><code>- { p: delay_warning_time, v: 1h }
+<code>postfix-queue-times</code><pre class="src src-conf" id="orge4e4b57"><code>- { p: delay_warning_time, v: 1h }
- { p: maximal_queue_lifetime, v: 4h }
- { p: bounce_queue_lifetime, v: 4h }
</code></pre>
</p>
<div class="org-src-container">
-<code>postfix-relaying</code><pre class="src src-conf" id="org7840440"><code>- p: smtpd_relay_restrictions
+<code>postfix-relaying</code><pre class="src src-conf" id="org8b12cc4"><code>- p: smtpd_relay_restrictions
v: permit_mynetworks reject_unauth_destination
</code></pre>
</div>
</p>
<div class="org-src-container">
-<code>postfix-maildir</code><pre class="src src-conf" id="orgb1dfa57"><code>- { p: home_mailbox, v: Maildir/ }
+<code>postfix-maildir</code><pre class="src src-conf" id="org00b2a78"><code>- { p: home_mailbox, v: Maildir/ }
</code></pre>
</div>
</p>
</div>
</div>
-<div id="outline-container-orgf690bd8" class="outline-4">
-<h4 id="orgf690bd8"><span class="section-number-4">3.2.2.</span> The Dovecot Configurations</h4>
+<div id="outline-container-org2a7fadf" class="outline-4">
+<h4 id="org2a7fadf"><span class="section-number-4">3.2.2.</span> The Dovecot Configurations</h4>
<div class="outline-text-4" id="text-3-2-2">
<p>
The Dovecot settings on both Front and Core disable POP and require
</p>
<div class="org-src-container">
-<code>dovecot-tls</code><pre class="src src-conf" id="orgde619f1"><code><span class="org-variable-name">protocols</span> = imap
+<code>dovecot-tls</code><pre class="src src-conf" id="orgb729cac"><code><span class="org-variable-name">protocols</span> = imap
<span class="org-variable-name">ssl</span> = required
</code></pre>
</div>
</p>
<div class="org-src-container">
-<code>dovecot-ports</code><pre class="src src-conf" id="org2876880"><code><span class="org-type">service imap-login</span> {
+<code>dovecot-ports</code><pre class="src src-conf" id="org2abd345"><code><span class="org-type">service imap-login</span> {
<span class="org-type">inet_listener imap</span> {
<span class="org-variable-name">port</span> = 0
}
</p>
<div class="org-src-container">
-<code>dovecot-maildir</code><pre class="src src-conf" id="orgfe38c8c"><code><span class="org-variable-name">mail_location</span> = maildir:~/Maildir
+<code>dovecot-maildir</code><pre class="src src-conf" id="org962a3f5"><code><span class="org-variable-name">mail_location</span> = maildir:~/Maildir
</code></pre>
</div>
</div>
</div>
</div>
-<div id="outline-container-orgc339acf" class="outline-3">
-<h3 id="orgc339acf"><span class="section-number-3">3.3.</span> The Web Services</h3>
+<div id="outline-container-org194fc48" class="outline-3">
+<h3 id="org194fc48"><span class="section-number-3">3.3.</span> The Web Services</h3>
<div class="outline-text-3" id="text-3-3">
<p>
Front provides the public HTTP service that serves institute web pages
at e.g. <code>https://small.example.org/</code>. The small institute initially
runs with a self-signed, "snake oil" server certificate, causing
browsers to warn of possible fraud, but this certificate is easily
-replaced by one signed by a recognized authority, as discussed in <a href="#org2af3aff">The
+replaced by one signed by a recognized authority, as discussed in <a href="#org46971ff">The
Front Role</a>.
</p>
</p>
</div>
</div>
-<div id="outline-container-orgd7b5f5f" class="outline-3">
-<h3 id="orgd7b5f5f"><span class="section-number-3">3.4.</span> The Cloud Service</h3>
+<div id="outline-container-orgc812cfe" class="outline-3">
+<h3 id="orgc812cfe"><span class="section-number-3">3.4.</span> The Cloud Service</h3>
<div class="outline-text-3" id="text-3-4">
<p>
Core runs Nextcloud to provide a private institute cloud at
<code>https://core.small.private/nextcloud/</code>. It is managed manually per
<a href="https://docs.nextcloud.com/server/latest/admin_manual/">The Nextcloud Server Administration Guide</a>. The code <i>and</i> data,
including especially database dumps, are stored in <q>/Nextcloud/</q> which
-is included in Core's backup procedure as described in <a href="#orga93fae6">Backups</a>. The
+is included in Core's backup procedure as described in <a href="#orgb290c57">Backups</a>. The
default Apache2 configuration expects to find the web scripts in
<q>/var/www/nextcloud/</q>, so the institute symbolically links this to
<q>/Nextcloud/nextcloud/</q>.
</p>
</div>
</div>
-<div id="outline-container-orga7b19de" class="outline-3">
-<h3 id="orga7b19de"><span class="section-number-3">3.5.</span> Accounts</h3>
+<div id="outline-container-orge444ccb" class="outline-3">
+<h3 id="orge444ccb"><span class="section-number-3">3.5.</span> Accounts</h3>
<div class="outline-text-3" id="text-3-5">
<p>
A small institute has just a handful of members. For simplicity (and
thus security) static configuration files are preferred over complex
account management systems, LDAP, Active Directory, and the like. The
Ansible scripts configure the same set of user accounts on Core and
-Front. <a href="#org2c02c67">The Institute Commands</a> (e.g. <code>./inst new dick</code>) capture the
+Front. <a href="#org935ef4b">The Institute Commands</a> (e.g. <code>./inst new dick</code>) capture the
processes of enrolling, modifying and retiring members of the
institute. They update the administrator's membership roll, and run
Ansible to create (and disable) accounts on Core, Front, Nextcloud,
all be private (readable and writable only by the owner) by default.
</p>
</div>
-<div id="outline-container-org5c8cbab" class="outline-4">
-<h4 id="org5c8cbab"><span class="section-number-4">3.5.1.</span> The Administration Accounts</h4>
+<div id="outline-container-orgdd9cd27" class="outline-4">
+<h4 id="orgdd9cd27"><span class="section-number-4">3.5.1.</span> The Administration Accounts</h4>
<div class="outline-text-4" id="text-3-5-1">
<p>
The institute avoids the use of the <code>root</code> account (<code>uid 0</code>) because
and programs as <code>root</code>. When installation of a Debian OS leaves the
host with no user accounts, just the <code>root</code> account, the next step is
to create a system administrator's account named <code>sysadm</code> and to give
-it permission to use the <code>sudo</code> command (e.g. as described in <a href="#orgae44253">The
+it permission to use the <code>sudo</code> command (e.g. as described in <a href="#orgcb1ac80">The
Front Machine</a>). When installation prompts for the name of an
initial, privileged user account the same name is given (e.g. as
-described in <a href="#org7d250e4">The Core Machine</a>). Installation may <i>not</i> prompt and
+described in <a href="#org2342218">The Core Machine</a>). Installation may <i>not</i> prompt and
still create an initial user account with a distribution specific name
(e.g. <code>pi</code>). Any name can be used as long as it is provided as the
value of <code>ansible_user</code> in <a href="hosts"><q>hosts</q></a>. Its password is specified by a
vault-encrypted variable in the <a href="Secret/become.yml"><q>Secret/become.yml</q></a> file. (The
-<a href="hosts"><q>hosts</q></a> and <a href="Secret/become.yml"><q>Secret/become.yml</q></a> files are described in <a href="#orgb160646">The Ansible
+<a href="hosts"><q>hosts</q></a> and <a href="Secret/become.yml"><q>Secret/become.yml</q></a> files are described in <a href="#orgafb80a0">The Ansible
Configuration</a>.)
</p>
</div>
</div>
-<div id="outline-container-org9e4fd32" class="outline-4">
-<h4 id="org9e4fd32"><span class="section-number-4">3.5.2.</span> The Monkey Accounts</h4>
+<div id="outline-container-org09187c0" class="outline-4">
+<h4 id="org09187c0"><span class="section-number-4">3.5.2.</span> The Monkey Accounts</h4>
<div class="outline-text-4" id="text-3-5-2">
<p>
The institute's Core uses a special account named <code>monkey</code> to run
</div>
</div>
</div>
-<div id="outline-container-org1667c05" class="outline-3">
-<h3 id="org1667c05"><span class="section-number-3">3.6.</span> Keys</h3>
+<div id="outline-container-orgbd49b65" class="outline-3">
+<h3 id="orgbd49b65"><span class="section-number-3">3.6.</span> Keys</h3>
<div class="outline-text-3" id="text-3-6">
<p>
The institute keeps its "master secrets" in an encrypted
</p>
</div>
</div>
-<div id="outline-container-orga93fae6" class="outline-3">
-<h3 id="orga93fae6"><span class="section-number-3">3.7.</span> Backups</h3>
+<div id="outline-container-orgb290c57" class="outline-3">
+<h3 id="orgb290c57"><span class="section-number-3">3.7.</span> Backups</h3>
<div class="outline-text-3" id="text-3-7">
<p>
The small institute backs up its data, but not so much so that nothing
</p>
<div class="org-src-container">
-<a href="private/backup"><q>private/backup</q></a><pre class="src src-sh" id="orgb1c185c"><code><span class="org-comment-delimiter">#</span><span class="org-comment">!/bin/</span><span class="org-keyword">bash</span><span class="org-comment"> -e</span>
+<a href="private/backup"><q>private/backup</q></a><pre class="src src-sh" id="org2146981"><code><span class="org-comment-delimiter">#</span><span class="org-comment">!/bin/</span><span class="org-keyword">bash</span><span class="org-comment"> -e</span>
<span class="org-comment-delimiter">#</span>
<span class="org-comment-delimiter"># </span><span class="org-comment">DO NOT EDIT. Maintained (will be replaced) by Ansible.</span>
<span class="org-comment-delimiter">#</span>
</div>
</div>
</div>
-<div id="outline-container-orgbd18255" class="outline-2">
-<h2 id="orgbd18255"><span class="section-number-2">4.</span> The Particulars</h2>
+<div id="outline-container-org72a1d7b" class="outline-2">
+<h2 id="org72a1d7b"><span class="section-number-2">4.</span> The Particulars</h2>
<div class="outline-text-2" id="text-4">
<p>
This chapter introduces Ansible variables intended to simplify
<p>
The example settings in this document configure VirtualBox VMs as
-described in the <a href="#orga8d5681">Testing</a> chapter. For more information about how a
+described in the <a href="#orgf67ef54">Testing</a> chapter. For more information about how a
small institute turns the example Ansible code into a working Ansible
-configuration, see chapter <a href="#orgb160646">The Ansible Configuration</a>.
+configuration, see chapter <a href="#orgafb80a0">The Ansible Configuration</a>.
</p>
</div>
-<div id="outline-container-org448e1ed" class="outline-3">
-<h3 id="org448e1ed"><span class="section-number-3">4.1.</span> Generic Particulars</h3>
+<div id="outline-container-orga0d17be" class="outline-3">
+<h3 id="orga0d17be"><span class="section-number-3">4.1.</span> Generic Particulars</h3>
<div class="outline-text-3" id="text-4-1">
<p>
The small institute's domain name is used quite frequently in the
</div>
</div>
</div>
-<div id="outline-container-org8539979" class="outline-3">
-<h3 id="org8539979"><span class="section-number-3">4.2.</span> Subnets</h3>
+<div id="outline-container-org97462d0" class="outline-3">
+<h3 id="org97462d0"><span class="section-number-3">4.2.</span> Subnets</h3>
<div class="outline-text-3" id="text-4-2">
<p>
The small institute uses a private Ethernet, two VPNs, and a "wild",
</code></pre>
</div>
-<div class="TEXT" id="org4a3420a">
+<div class="TEXT" id="org9bf0758">
<p>
=> 10.62.17.0/24
</p>
sensitive information so again the code block below "tangles" into
<a href="private/vars.yml"><q>private/vars.yml</q></a> rather than <a href="public/vars.yml"><q>public/vars.yml</q></a>. Two of the
addresses are in <code>192.168</code> subnets because they are part of a test
-configuration using mostly-default VirtualBoxes (described <a href="#orga8d5681">here</a>).
+configuration using mostly-default VirtualBoxes (described <a href="#orgf67ef54">here</a>).
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-org57d3ea9" class="outline-2">
-<h2 id="org57d3ea9"><span class="section-number-2">5.</span> The Hardware</h2>
+<div id="outline-container-org962f0d4" class="outline-2">
+<h2 id="org962f0d4"><span class="section-number-2">5.</span> The Hardware</h2>
<div class="outline-text-2" id="text-5">
<p>
The small institute's network was built by its system administrator
using Ansible on a trusted notebook. The Ansible configuration and
scripts were generated by "tangling" the Ansible code included here.
-(<a href="#orgb160646">The Ansible Configuration</a> describes how to do this.) The following
+(<a href="#orgafb80a0">The Ansible Configuration</a> describes how to do this.) The following
sections describe how Front, Gate and Core were prepared for Ansible.
</p>
</div>
-<div id="outline-container-orgae44253" class="outline-3">
-<h3 id="orgae44253"><span class="section-number-3">5.1.</span> The Front Machine</h3>
+<div id="outline-container-orgcb1ac80" class="outline-3">
+<h3 id="orgcb1ac80"><span class="section-number-3">5.1.</span> The Front Machine</h3>
<div class="outline-text-3" id="text-5-1">
<p>
Front is the small institute's public facing server, a virtual machine
Internet café using just the administrator's notebook.
</p>
</div>
-<div id="outline-container-orgb970202" class="outline-4">
-<h4 id="orgb970202"><span class="section-number-4">5.1.1.</span> A Digital Ocean Droplet</h4>
+<div id="outline-container-org6a5d84e" class="outline-4">
+<h4 id="org6a5d84e"><span class="section-number-4">5.1.1.</span> A Digital Ocean Droplet</h4>
<div class="outline-text-4" id="text-5-1-1">
<p>
The following example prepared a new front on a Digital Ocean droplet.
<p>
The freshly created Digital Ocean droplet came with just one account,
<code>root</code>, but the small institute avoids remote access to the "super
-user" account (per the policy in <a href="#org5c8cbab">The Administration Accounts</a>), so the
+user" account (per the policy in <a href="#orgdd9cd27">The Administration Accounts</a>), so the
administrator created a <code>sysadm</code> account with the ability to request
escalated privileges via the <code>sudo</code> command.
</p>
The password was generated by <code>gpw</code>, saved in the administrator's
password keep, and later added to <a href="Secret/become.yml"><q>Secret/become.yml</q></a> as shown below.
(Producing a working Ansible configuration with <a href="Secret/become.yml"><q>Secret/become.yml</q></a>
-file is described in <a href="#orgb160646">The Ansible Configuration</a>.)
+file is described in <a href="#orgafb80a0">The Ansible Configuration</a>.)
</p>
<pre class="example">
<p>
After creating the <code>sysadm</code> account on the droplet, the administrator
concatenated a personal public ssh key and the key found in
-<a href="Secret/ssh_admin/"><q>Secret/ssh_admin/</q></a> (created by <a href="#org6faffaf">The CA Command</a>) into an <q>admin_keys</q>
+<a href="Secret/ssh_admin/"><q>Secret/ssh_admin/</q></a> (created by <a href="#org2dc18d3">The CA Command</a>) into an <q>admin_keys</q>
file, copied it to the droplet, and installed it as the
<q>authorized_keys</q> for <code>sysadm</code>.
</p>
</div>
</div>
</div>
-<div id="outline-container-org7d250e4" class="outline-3">
-<h3 id="org7d250e4"><span class="section-number-3">5.2.</span> The Core Machine</h3>
+<div id="outline-container-org2342218" class="outline-3">
+<h3 id="org2342218"><span class="section-number-3">5.2.</span> The Core Machine</h3>
<div class="outline-text-3" id="text-5-2">
<p>
Core is the small institute's private file, email, cloud and whatnot
freshly installed. During installation, the machine was named <code>core</code>,
no desktop or server software was installed, no root password was set,
and a privileged account named <code>sysadm</code> was created (per the policy in
-<a href="#org5c8cbab">The Administration Accounts</a>).
+<a href="#orgdd9cd27">The Administration Accounts</a>).
</p>
<pre class="example">
The password was generated by <code>gpw</code>, saved in the administrator's
password keep, and later added to <a href="Secret/become.yml"><q>Secret/become.yml</q></a> as shown below.
(Producing a working Ansible configuration with <a href="Secret/become.yml"><q>Secret/become.yml</q></a>
-file is described in <a href="#orgb160646">The Ansible Configuration</a>.)
+file is described in <a href="#orgafb80a0">The Ansible Configuration</a>.)
</p>
<pre class="example">
<p>
Next, the administrator concatenated a personal public ssh key and the
-key found in <a href="Secret/ssh_admin/"><q>Secret/ssh_admin/</q></a> (created by <a href="#org6faffaf">The CA Command</a>) into an
+key found in <a href="Secret/ssh_admin/"><q>Secret/ssh_admin/</q></a> (created by <a href="#org2dc18d3">The CA Command</a>) into an
<q>admin_keys</q> file, copied it to Core, and installed it as the
<q>authorized_keys</q> for <code>sysadm</code>.
</p>
<p>
In the example command lines below, the address <code>10.227.248.1</code> was
generated by the random subnet address picking procedure described in
-<a href="#org8539979">Subnets</a>, and is named <code>core_addr</code> in the Ansible code. The second
+<a href="#org97462d0">Subnets</a>, and is named <code>core_addr</code> in the Ansible code. The second
address, <code>10.227.248.2</code>, is the corresponding address for Gate's
Ethernet interface, and is named <code>gate_addr</code> in the Ansible
code.
</p>
</div>
</div>
-<div id="outline-container-orgdd1ef39" class="outline-3">
-<h3 id="orgdd1ef39"><span class="section-number-3">5.3.</span> The Gate Machine</h3>
+<div id="outline-container-org2e49760" class="outline-3">
+<h3 id="org2e49760"><span class="section-number-3">5.3.</span> The Gate Machine</h3>
<div class="outline-text-3" id="text-5-3">
<p>
Gate is the small institute's route to the Internet, and the campus
campground Wi-Fi access point, etc.</li>
</ol>
-<pre class="example" id="org5f55bc3">
+<pre class="example" id="org330aa5a">
=============== | ==================================================
| Premises
(Campus ISP)
+----Ethernet switch
</pre>
</div>
-<div id="outline-container-org93c4171" class="outline-4">
-<h4 id="org93c4171"><span class="section-number-4">5.3.1.</span> Alternate Gate Topology</h4>
+<div id="outline-container-org49b2787" class="outline-4">
+<h4 id="org49b2787"><span class="section-number-4">5.3.1.</span> Alternate Gate Topology</h4>
<div class="outline-text-4" id="text-5-3-1">
<p>
While Gate and Core really need to be separate machines for security
following topology.
</p>
-<pre class="example" id="orga0179e9">
+<pre class="example" id="orgb4e97c9">
=============== | ==================================================
| Premises
(House ISP)
</p>
</div>
</div>
-<div id="outline-container-orgd5a9815" class="outline-4">
-<h4 id="orgd5a9815"><span class="section-number-4">5.3.2.</span> Original Gate Topology</h4>
+<div id="outline-container-org59a2ee8" class="outline-4">
+<h4 id="org59a2ee8"><span class="section-number-4">5.3.2.</span> Original Gate Topology</h4>
<div class="outline-text-4" id="text-5-3-2">
<p>
The Ansible code in this document is somewhat dependent on the
-physical network shown in the <a href="#org73a9925">Overview</a> wherein Gate has three network
+physical network shown in the <a href="#orga920549">Overview</a> wherein Gate has three network
interfaces.
</p>
freshly installed. During installation, the machine was named <code>gate</code>,
no desktop or server software was installed, no root password was set,
and a privileged account named <code>sysadm</code> was created (per the policy in
-<a href="#org5c8cbab">The Administration Accounts</a>).
+<a href="#orgdd9cd27">The Administration Accounts</a>).
</p>
<pre class="example">
The password was generated by <code>gpw</code>, saved in the administrator's
password keep, and later added to <a href="Secret/become.yml"><q>Secret/become.yml</q></a> as shown below.
(Producing a working Ansible configuration with <a href="Secret/become.yml"><q>Secret/become.yml</q></a>
-file is described in <a href="#orgb160646">The Ansible Configuration</a>.)
+file is described in <a href="#orgafb80a0">The Ansible Configuration</a>.)
</p>
<pre class="example">
<p>
Next, the administrator concatenated a personal public ssh key and the
-key found in <a href="Secret/ssh_admin/"><q>Secret/ssh_admin/</q></a> (created by <a href="#org6faffaf">The CA Command</a>) into an
+key found in <a href="Secret/ssh_admin/"><q>Secret/ssh_admin/</q></a> (created by <a href="#org2dc18d3">The CA Command</a>) into an
<q>admin_keys</q> file, copied it to Gate, and installed it as the
<q>authorized_keys</q> for <code>sysadm</code>.
</p>
<p>
In the example command lines below, the address <code>10.227.248.2</code> was
generated by the random subnet address picking procedure described in
-<a href="#org8539979">Subnets</a>, and is named <code>gate_addr</code> in the Ansible code.
+<a href="#org97462d0">Subnets</a>, and is named <code>gate_addr</code> in the Ansible code.
</p>
<pre class="example">
campus Wi-Fi access point and the campus ISP. The three network
adapters are known by their MAC addresses, the values of the variables
<code>gate_lan_mac</code>, <code>gate_wild_mac</code>, and <code>gate_isp_mac</code>. (For more
-information, see the Gate role's <a href="#org203b47a">Configure Netplan</a> task.)
+information, see the Gate role's <a href="#orga9ce231">Configure Netplan</a> task.)
</p>
<p>
</div>
</div>
</div>
-<div id="outline-container-org5f53f41" class="outline-2">
-<h2 id="org5f53f41"><span class="section-number-2">6.</span> The All Role</h2>
+<div id="outline-container-orgb7fbc87" class="outline-2">
+<h2 id="orgb7fbc87"><span class="section-number-2">6.</span> The All Role</h2>
<div class="outline-text-2" id="text-6">
<p>
The <code>all</code> role contains tasks that are executed on all of the
institute's servers. At the moment there is just the one.
</p>
</div>
-<div id="outline-container-org9bf34fa" class="outline-3">
-<h3 id="org9bf34fa"><span class="section-number-3">6.1.</span> Include Particulars</h3>
+<div id="outline-container-org29a209e" class="outline-3">
+<h3 id="org29a209e"><span class="section-number-3">6.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-6-1">
<p>
The <code>all</code> role's task contains a reference to a common institute
particular, the institute's <code>domain_name</code>, a variable found in the
<q>public/vars.yml</q> file. Thus the first task of the <code>all</code> role is to
-include the variables defined in this file (described in <a href="#orgbd18255">The
+include the variables defined in this file (described in <a href="#org72a1d7b">The
Particulars</a>). The code block below is the first to tangle into
<a href="roles/all/tasks/main.yml"><q>roles/all/tasks/main.yml</q></a>.
</p>
</div>
</div>
</div>
-<div id="outline-container-org86fafdf" class="outline-3">
-<h3 id="org86fafdf"><span class="section-number-3">6.2.</span> Enable Systemd Resolved</h3>
+<div id="outline-container-orgfb79aa0" class="outline-3">
+<h3 id="orgfb79aa0"><span class="section-number-3">6.2.</span> Enable Systemd Resolved</h3>
<div class="outline-text-3" id="text-6-2">
<p>
The <code>systemd-networkd</code> and <code>systemd-resolved</code> service units are not
</div>
</div>
</div>
-<div id="outline-container-org2932a31" class="outline-3">
-<h3 id="org2932a31"><span class="section-number-3">6.3.</span> Trust Institute Certificate Authority</h3>
+<div id="outline-container-org7fb1e55" class="outline-3">
+<h3 id="org7fb1e55"><span class="section-number-3">6.3.</span> Trust Institute Certificate Authority</h3>
<div class="outline-text-3" id="text-6-3">
<p>
All servers should recognize the institute's Certificate Authority as
trustworthy, so its certificate is added to the set of trusted CAs on
each host. More information about how the small institute manages its
-X.509 certificates is available in <a href="#org1667c05">Keys</a>.
+X.509 certificates is available in <a href="#orgbd49b65">Keys</a>.
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-org2af3aff" class="outline-2">
-<h2 id="org2af3aff"><span class="section-number-2">7.</span> The Front Role</h2>
+<div id="outline-container-org46971ff" class="outline-2">
+<h2 id="org46971ff"><span class="section-number-2">7.</span> The Front Role</h2>
<div class="outline-text-2" id="text-7">
<p>
The <code>front</code> role installs and configures the services expected on the
institute's publicly accessible "front door": email, web, VPN. The
virtual machine is prepared with an Ubuntu Server install and remote
access to a privileged, administrator's account. (For details, see
-<a href="#orgae44253">The Front Machine</a>.)
+<a href="#orgcb1ac80">The Front Machine</a>.)
</p>
<p>
<q>/etc/letsencrypt/live/small.example.org/fullchain.pem</q>.
</p>
</div>
-<div id="outline-container-orge88e0ae" class="outline-3">
-<h3 id="orge88e0ae"><span class="section-number-3">7.1.</span> Include Particulars</h3>
+<div id="outline-container-org3f0c727" class="outline-3">
+<h3 id="org3f0c727"><span class="section-number-3">7.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-7-1">
<p>
-The first task, as in <a href="#org5f53f41">The All Role</a>, is to include the institute
+The first task, as in <a href="#orgb7fbc87">The All Role</a>, is to include the institute
particulars. The <code>front</code> role refers to private variables and the
membership roll, so these are included was well.
</p>
</div>
</div>
</div>
-<div id="outline-container-orgdd32104" class="outline-3">
-<h3 id="orgdd32104"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
+<div id="outline-container-orga0da7f4" class="outline-3">
+<h3 id="orga0da7f4"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-7-2">
<p>
This task ensures that Front's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
</div>
</div>
</div>
-<div id="outline-container-org60f6774" class="outline-3">
-<h3 id="org60f6774"><span class="section-number-3">7.3.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org6e591a5" class="outline-3">
+<h3 id="org6e591a5"><span class="section-number-3">7.3.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-7-3">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-orgab79d5f" class="outline-3">
-<h3 id="orgab79d5f"><span class="section-number-3">7.4.</span> Configure SSH</h3>
+<div id="outline-container-org5251aab" class="outline-3">
+<h3 id="org5251aab"><span class="section-number-3">7.4.</span> Configure SSH</h3>
<div class="outline-text-3" id="text-7-4">
<p>
The SSH service on Front needs to be known to Monkey. The following
</div>
</div>
</div>
-<div id="outline-container-org21fcf33" class="outline-3">
-<h3 id="org21fcf33"><span class="section-number-3">7.5.</span> Configure Monkey</h3>
+<div id="outline-container-org198f59a" class="outline-3">
+<h3 id="org198f59a"><span class="section-number-3">7.5.</span> Configure Monkey</h3>
<div class="outline-text-3" id="text-7-5">
<p>
The small institute runs cron jobs and web scripts that generate
system account named <code>monkey</code>. One of Monkey's more important jobs on
Core is to run <code>rsync</code> to update the public web site on Front. Monkey
on Core will login as <code>monkey</code> on Front to synchronize the files (as
-described in <a href="#orga7965d0">*Configure Apache2</a>). To do that without needing a
+described in <a href="#org9489aab">*Configure Apache2</a>). To do that without needing a
password, the <code>monkey</code> account on Front should authorize Monkey's SSH
key on Core.
</p>
</div>
</div>
</div>
-<div id="outline-container-orge91ddd7" class="outline-3">
-<h3 id="orge91ddd7"><span class="section-number-3">7.6.</span> Install Rsync</h3>
+<div id="outline-container-orgad58dcb" class="outline-3">
+<h3 id="orgad58dcb"><span class="section-number-3">7.6.</span> Install Rsync</h3>
<div class="outline-text-3" id="text-7-6">
<p>
Monkey uses Rsync to keep the institute's public web site up-to-date.
</div>
</div>
</div>
-<div id="outline-container-orgfd8b044" class="outline-3">
-<h3 id="orgfd8b044"><span class="section-number-3">7.7.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org09c9d06" class="outline-3">
+<h3 id="org09c9d06"><span class="section-number-3">7.7.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-7-7">
<p>
The institute prefers to install security updates as soon as possible.
</div>
</div>
</div>
-<div id="outline-container-org4aec1e4" class="outline-3">
-<h3 id="org4aec1e4"><span class="section-number-3">7.8.</span> Configure User Accounts</h3>
+<div id="outline-container-org1b26949" class="outline-3">
+<h3 id="org1b26949"><span class="section-number-3">7.8.</span> Configure User Accounts</h3>
<div class="outline-text-3" id="text-7-8">
<p>
User accounts are created immediately so that Postfix and Dovecot can
start delivering email immediately, <i>without</i> returning "no such
-recipient" replies. The <a href="#org8caf547">Account Management</a> chapter describes the
+recipient" replies. The <a href="#org8ec1044">Account Management</a> chapter describes the
<code>members</code> and <code>usernames</code> variables used below.
</p>
</div>
</div>
</div>
-<div id="outline-container-orga1826b4" class="outline-3">
-<h3 id="orga1826b4"><span class="section-number-3">7.9.</span> Install Server Certificate</h3>
+<div id="outline-container-org6c317d3" class="outline-3">
+<h3 id="org6c317d3"><span class="section-number-3">7.9.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-7-9">
<p>
The servers on Front use the same certificate (and key) to
</div>
</div>
</div>
-<div id="outline-container-org397e34c" class="outline-3">
-<h3 id="org397e34c"><span class="section-number-3">7.10.</span> Configure Postfix on Front</h3>
+<div id="outline-container-org927cd17" class="outline-3">
+<h3 id="org927cd17"><span class="section-number-3">7.10.</span> Configure Postfix on Front</h3>
<div class="outline-text-3" id="text-7-10">
<p>
Front uses Postfix to provide the institute's public SMTP service, and
</ul>
<p>
-As discussed in <a href="#orgb774d4b">The Email Service</a> above, Front's Postfix configuration
+As discussed in <a href="#org4f09259">The Email Service</a> above, Front's Postfix configuration
includes site-wide support for larger message sizes, shorter queue
times, the relaying configuration, and the common path to incoming
emails. These and a few Front-specific Postfix configurations
</p>
<div class="org-src-container">
-<code>postfix-front-networks</code><pre class="src src-conf" id="org6f4d46a"><code>- p: mynetworks
+<code>postfix-front-networks</code><pre class="src src-conf" id="orga7a4c8d"><code>- p: mynetworks
v: >-
{{ public_wg_net_cidr }}
127.0.0.0/8
</p>
<div class="org-src-container">
-<code>postfix-front-restrictions</code><pre class="src src-conf" id="orgcee21d7"><code>- p: smtpd_recipient_restrictions
+<code>postfix-front-restrictions</code><pre class="src src-conf" id="org11445bc"><code>- p: smtpd_recipient_restrictions
v: >-
permit_mynetworks
reject_unauth_pipelining
</p>
<div class="org-src-container">
-<code>postfix-header-checks</code><pre class="src src-conf" id="org485e014"><code>- p: smtp_header_checks
+<code>postfix-header-checks</code><pre class="src src-conf" id="org596a497"><code>- p: smtp_header_checks
v: regexp:/etc/postfix/header_checks.cf
</code></pre>
</div>
<div class="org-src-container">
-<code>postfix-header-checks-content</code><pre class="src src-conf" id="org173a376"><code>/^Received:/ IGNORE
+<code>postfix-header-checks-content</code><pre class="src src-conf" id="org53f7b65"><code>/^Received:/ IGNORE
/^User-Agent:/ IGNORE
</code></pre>
</div>
</p>
<div class="org-src-container">
-<code>postfix-front</code><pre class="src src-conf" id="org57b8f75"><code>- { p: smtpd_tls_cert_file, v: /etc/server.crt }
+<code>postfix-front</code><pre class="src src-conf" id="org6ba4e17"><code>- { p: smtpd_tls_cert_file, v: /etc/server.crt }
- { p: smtpd_tls_key_file, v: /etc/server.key }
<<postfix-front-networks>>
<<postfix-front-restrictions>>
</div>
</div>
</div>
-<div id="outline-container-org5afc860" class="outline-3">
-<h3 id="org5afc860"><span class="section-number-3">7.11.</span> Configure Public Email Aliases</h3>
+<div id="outline-container-orge6123af" class="outline-3">
+<h3 id="orge6123af"><span class="section-number-3">7.11.</span> Configure Public Email Aliases</h3>
<div class="outline-text-3" id="text-7-11">
<p>
The institute's Front needs to deliver email addressed to a number of
</div>
</div>
</div>
-<div id="outline-container-org000d83a" class="outline-3">
-<h3 id="org000d83a"><span class="section-number-3">7.12.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-orgd8027bb" class="outline-3">
+<h3 id="orgd8027bb"><span class="section-number-3">7.12.</span> Configure Dovecot IMAPd</h3>
<div class="outline-text-3" id="text-7-12">
<p>
Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to
bit "over the top" given that Core accesses Front via VPN, but helps
to ensure privacy even when members must, in extremis, access recent
email directly from their accounts on Front. For more information
-about Front's role in the institute's email services, see <a href="#orgb774d4b">The Email
+about Front's role in the institute's email services, see <a href="#org4f09259">The Email
Service</a>.
</p>
</div>
</div>
</div>
-<div id="outline-container-orgdca5207" class="outline-3">
-<h3 id="orgdca5207"><span class="section-number-3">7.13.</span> Configure Apache2 <a id="orga7965d0"></a></h3>
+<div id="outline-container-org97c8980" class="outline-3">
+<h3 id="org97c8980"><span class="section-number-3">7.13.</span> Configure Apache2 <a id="org9489aab"></a></h3>
<div class="outline-text-3" id="text-7-13">
<p>
This is the small institute's public web site. It is simple, static,
</p>
<div class="org-src-container">
-<code>apache-ciphers</code><pre class="src src-conf" id="org4cc4545"><code>SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+<code>apache-ciphers</code><pre class="src src-conf" id="org47e0bee"><code>SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
<span class="org-type">SSLCipherSuite {</span>{ [ <span class="org-string">'ECDHE-ECDSA-AES128-GCM-SHA256'</span>,
<span class="org-string">'ECDHE-ECDSA-AES256-GCM-SHA384'</span>,
</p>
<div class="org-src-container">
-<code>apache-userdir-front</code><pre class="src src-conf" id="org138a33a"><code>UserDir /home/www-users
+<code>apache-userdir-front</code><pre class="src src-conf" id="org99be9b0"><code>UserDir /home/www-users
<Directory /home/www-users/>
Require all granted
AllowOverride None
</p>
<div class="org-src-container">
-<code>apache-redirect-front</code><pre class="src src-conf" id="org39ad63e"><code><VirtualHost *:80>
+<code>apache-redirect-front</code><pre class="src src-conf" id="org65d4300"><code><VirtualHost *:80>
Redirect permanent / https://{{ domain_name }}/
</VirtualHost>
</code></pre>
</p>
<div class="org-src-container">
-<code>apache-front</code><pre class="src src-conf" id="orgdb5e114"><code>ServerName {{ domain_name }}
+<code>apache-front</code><pre class="src src-conf" id="org160cca6"><code>ServerName {{ domain_name }}
ServerAdmin webmaster@{{ domain_name }}
DocumentRoot /home/www
</div>
</div>
</div>
-<div id="outline-container-org30a1249" class="outline-3">
-<h3 id="org30a1249"><span class="section-number-3">7.14.</span> Configure Public WireGuard™ Subnet</h3>
+<div id="outline-container-org44edb94" class="outline-3">
+<h3 id="org44edb94"><span class="section-number-3">7.14.</span> Configure Public WireGuard™ Subnet</h3>
<div class="outline-text-3" id="text-7-14">
<p>
Front uses WireGuard™ to provide a public (Internet accessible) VPN
</p>
<p>
-The following example <a href="#orgcb211c0"><q>private/front-wg0.conf</q></a> configuration recognizes
+The following example <a href="#orgd684cc6"><q>private/front-wg0.conf</q></a> configuration recognizes
Core by its public key and routes the institute's private networks to
it. It also recognizes Dick's notebook and his (replacement) phone,
assigning them host numbers 4 and 6 on the VPN.
</p>
<div class="org-src-container">
-<q>private/front-wg0.conf</q><pre class="src src-conf" id="orgcb211c0"><code>[<span class="org-type">Interface</span>]
+<q>private/front-wg0.conf</q><pre class="src src-conf" id="orgd684cc6"><code>[<span class="org-type">Interface</span>]
<span class="org-variable-name">Address</span> = 10.177.87.1/24
<span class="org-variable-name">ListenPort</span> = 39608
<span class="org-variable-name">PostUp</span> = wg set %i private-key /etc/wireguard/private-key
<span class="org-variable-name">PublicKey</span> = lGhC51IBgZtlq4H2bsYFuKvPtV0VAEwUvVIn5fW7D0c=
<span class="org-variable-name">AllowedIPs</span> = 10.177.87.2
<span class="org-variable-name">AllowedIPs</span> = 192.168.56.0/24
+<span class="org-variable-name">AllowedIPs</span> = 192.168.57.0/24
<span class="org-variable-name">AllowedIPs</span> = 10.84.139.0/24
<span class="org-comment-delimiter"># </span><span class="org-comment">dick</span>
<span class="org-variable-name">PostUp</span> = resolvectl dns %i 192.168.56.1
<span class="org-variable-name">PostUp</span> = resolvectl domain %i small.private
-<span class="org-comment-delimiter"># </span><span class="org-comment">Front</span>
[<span class="org-type">Peer</span>]
+<span class="org-variable-name">EndPoint</span> = 192.168.15.5:39608
<span class="org-variable-name">PublicKey</span> = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
<span class="org-variable-name">AllowedIPs</span> = 10.177.87.1
-<span class="org-variable-name">AllowedIPs</span> = 10.177.87.0/24
<span class="org-variable-name">AllowedIPs</span> = 192.168.56.0/24
+<span class="org-variable-name">AllowedIPs</span> = 192.168.57.0/24
+<span class="org-variable-name">AllowedIPs</span> = 10.177.87.0/24
<span class="org-variable-name">AllowedIPs</span> = 10.84.139.0/24
</code></pre>
</div>
<p>
The following tasks install WireGuard™, configure it with
-<a href="#orgcb211c0"><q>private/front-wg0.conf</q></a>, and enable the service.
+<a href="#orgd684cc6"><q>private/front-wg0.conf</q></a>, and enable the service.
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-org878d997" class="outline-3">
-<h3 id="org878d997"><span class="section-number-3">7.15.</span> Configure Kamailio</h3>
+<div id="outline-container-org057fa25" class="outline-3">
+<h3 id="org057fa25"><span class="section-number-3">7.15.</span> Configure Kamailio</h3>
<div class="outline-text-3" id="text-7-15">
<p>
Front uses Kamailio to provide a SIP service on the public VPN so that
</p>
<div class="org-src-container">
-<code>kamailio</code><pre class="src src-conf" id="orgfeea59e"><code><span class="org-variable-name">listen</span>=udp:{{ front_wg_addr }}:5060
+<code>kamailio</code><pre class="src src-conf" id="org4f56f44"><code><span class="org-variable-name">listen</span>=udp:{{ front_wg_addr }}:5060
</code></pre>
</div>
</div>
</div>
</div>
-<div id="outline-container-orgd70a659" class="outline-2">
-<h2 id="orgd70a659"><span class="section-number-2">8.</span> The Core Role</h2>
+<div id="outline-container-orgfb09fcf" class="outline-2">
+<h2 id="orgfb09fcf"><span class="section-number-2">8.</span> The Core Role</h2>
<div class="outline-text-2" id="text-8">
<p>
The <code>core</code> role configures many essential campus network services as
well as the institute's private cloud, so the core machine has
horsepower (CPUs and RAM) and large disks and is prepared with a
Debian install and remote access to a privileged, administrator's
-account. (For details, see <a href="#org7d250e4">The Core Machine</a>.)
+account. (For details, see <a href="#org2342218">The Core Machine</a>.)
</p>
</div>
-<div id="outline-container-orgc3055db" class="outline-3">
-<h3 id="orgc3055db"><span class="section-number-3">8.1.</span> Include Particulars</h3>
+<div id="outline-container-org1d54831" class="outline-3">
+<h3 id="org1d54831"><span class="section-number-3">8.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-8-1">
<p>
-The first task, as in <a href="#org2af3aff">The Front Role</a>, is to include the institute
+The first task, as in <a href="#org46971ff">The Front Role</a>, is to include the institute
particulars and membership roll.
</p>
</div>
</div>
</div>
-<div id="outline-container-orgd331aaf" class="outline-3">
-<h3 id="orgd331aaf"><span class="section-number-3">8.2.</span> Configure Hostname</h3>
+<div id="outline-container-org0705762" class="outline-3">
+<h3 id="org0705762"><span class="section-number-3">8.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-8-2">
<p>
This task ensures that Core's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
</div>
</div>
</div>
-<div id="outline-container-org6727a74" class="outline-3">
-<h3 id="org6727a74"><span class="section-number-3">8.3.</span> Configure Systemd Resolved</h3>
+<div id="outline-container-org282e2ea" class="outline-3">
+<h3 id="org282e2ea"><span class="section-number-3">8.3.</span> Configure Systemd Resolved</h3>
<div class="outline-text-3" id="text-8-3">
<p>
Core runs the campus name server, so Resolved is configured to use it
</div>
</div>
</div>
-<div id="outline-container-orge3b3278" class="outline-3">
-<h3 id="orge3b3278"><span class="section-number-3">8.4.</span> Configure Netplan</h3>
+<div id="outline-container-org8871f00" class="outline-3">
+<h3 id="org8871f00"><span class="section-number-3">8.4.</span> Configure Netplan</h3>
<div class="outline-text-3" id="text-8-4">
<p>
Core's network interface is statically configured using Netplan and an
</div>
</div>
</div>
-<div id="outline-container-org9f4c41a" class="outline-3">
-<h3 id="org9f4c41a"><span class="section-number-3">8.5.</span> Configure DHCP For the Private Ethernet</h3>
+<div id="outline-container-orgbd554c7" class="outline-3">
+<h3 id="orgbd554c7"><span class="section-number-3">8.5.</span> Configure DHCP For the Private Ethernet</h3>
<div class="outline-text-3" id="text-8-5">
<p>
Core speaks DHCP (Dynamic Host Configuration Protocol) using the
</div>
</div>
</div>
-<div id="outline-container-org3bbe588" class="outline-3">
-<h3 id="org3bbe588"><span class="section-number-3">8.6.</span> Configure BIND9</h3>
+<div id="outline-container-orgc91c899" class="outline-3">
+<h3 id="orgc91c899"><span class="section-number-3">8.6.</span> Configure BIND9</h3>
<div class="outline-text-3" id="text-8-6">
<p>
Core uses BIND9 to provide name service for the institute as described
-in <a href="#org4cb1e87">The Name Service</a>. The configuration supports reverse name lookups,
+in <a href="#org9f742c5">The Name Service</a>. The configuration supports reverse name lookups,
resolving many private network addresses to private domain names.
</p>
</p>
<div class="org-src-container">
-<code>bind-options</code><pre class="src src-conf" id="org3debd52"><code><span class="org-type">acl </span><span class="org-string"><span class="org-type">"trusted"</span></span> {
+<code>bind-options</code><pre class="src src-conf" id="org7b2ecfa"><code><span class="org-type">acl </span><span class="org-string"><span class="org-type">"trusted"</span></span> {
{{ private_net_cidr }};
{{ wild_net_cidr }};
{{ public_wg_net_cidr }};
</div>
<div class="org-src-container">
-<code>bind-local</code><pre class="src src-conf" id="orgb81ead6"><code>include <span class="org-string">"/etc/bind/zones.rfc1918"</span>;
+<code>bind-local</code><pre class="src src-conf" id="org6629fb3"><code>include <span class="org-string">"/etc/bind/zones.rfc1918"</span>;
<span class="org-type">zone </span><span class="org-string"><span class="org-type">"{{ domain_priv }}."</span></span> {
type master;
</div>
</div>
</div>
-<div id="outline-container-org47717dc" class="outline-3">
-<h3 id="org47717dc"><span class="section-number-3">8.7.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org17b7ca5" class="outline-3">
+<h3 id="org17b7ca5"><span class="section-number-3">8.7.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-8-7">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-org9be9d66" class="outline-3">
-<h3 id="org9be9d66"><span class="section-number-3">8.8.</span> Configure Monkey</h3>
+<div id="outline-container-org970f5a0" class="outline-3">
+<h3 id="org970f5a0"><span class="section-number-3">8.8.</span> Configure Monkey</h3>
<div class="outline-text-3" id="text-8-8">
<p>
The small institute runs cron jobs and web scripts that generate
reports and perform checks. The un-privileged jobs are run by a
system account named <code>monkey</code>. One of Monkey's more important jobs on
Core is to run <code>rsync</code> to update the public web site on Front (as
-described in <a href="#orgcc32964">*Configure Apache2</a>).
+described in <a href="#orgb0912df">*Configure Apache2</a>).
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-org38e9cf7" class="outline-3">
-<h3 id="org38e9cf7"><span class="section-number-3">8.9.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-orga84ea2e" class="outline-3">
+<h3 id="orga84ea2e"><span class="section-number-3">8.9.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-8-9">
<p>
The institute prefers to install security updates as soon as possible.
</div>
</div>
</div>
-<div id="outline-container-org231948e" class="outline-3">
-<h3 id="org231948e"><span class="section-number-3">8.10.</span> Install Expect</h3>
+<div id="outline-container-org354a73e" class="outline-3">
+<h3 id="org354a73e"><span class="section-number-3">8.10.</span> Install Expect</h3>
<div class="outline-text-3" id="text-8-10">
<p>
-The <code>expect</code> program is used by <a href="#org2c02c67">The Institute Commands</a> to interact
+The <code>expect</code> program is used by <a href="#org935ef4b">The Institute Commands</a> to interact
with Nextcloud on the command line.
</p>
</div>
</div>
</div>
-<div id="outline-container-org1601c03" class="outline-3">
-<h3 id="org1601c03"><span class="section-number-3">8.11.</span> Configure User Accounts</h3>
+<div id="outline-container-org88f4f96" class="outline-3">
+<h3 id="org88f4f96"><span class="section-number-3">8.11.</span> Configure User Accounts</h3>
<div class="outline-text-3" id="text-8-11">
<p>
User accounts are created immediately so that backups can begin
-restoring as soon as possible. The <a href="#org8caf547">Account Management</a> chapter
+restoring as soon as possible. The <a href="#org8ec1044">Account Management</a> chapter
describes the <code>members</code> and <code>usernames</code> variables.
</p>
</div>
</div>
</div>
-<div id="outline-container-org47084d6" class="outline-3">
-<h3 id="org47084d6"><span class="section-number-3">8.12.</span> Install Server Certificate</h3>
+<div id="outline-container-orgf7bc7b8" class="outline-3">
+<h3 id="orgf7bc7b8"><span class="section-number-3">8.12.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-8-12">
<p>
The servers on Core use the same certificate (and key) to authenticate
</div>
</div>
</div>
-<div id="outline-container-org7806475" class="outline-3">
-<h3 id="org7806475"><span class="section-number-3">8.13.</span> Install NTP</h3>
+<div id="outline-container-org9a8bb55" class="outline-3">
+<h3 id="org9a8bb55"><span class="section-number-3">8.13.</span> Install NTP</h3>
<div class="outline-text-3" id="text-8-13">
<p>
Core uses NTP to provide a time synchronization service to the campus.
</div>
</div>
</div>
-<div id="outline-container-orgd4cee02" class="outline-3">
-<h3 id="orgd4cee02"><span class="section-number-3">8.14.</span> Configure Postfix on Core</h3>
+<div id="outline-container-org9a49c5b" class="outline-3">
+<h3 id="org9a49c5b"><span class="section-number-3">8.14.</span> Configure Postfix on Core</h3>
<div class="outline-text-3" id="text-8-14">
<p>
Core uses Postfix to provide SMTP service to the campus. The default
</ul>
<p>
-As discussed in <a href="#orgb774d4b">The Email Service</a> above, Core delivers email addressed
+As discussed in <a href="#org4f09259">The Email Service</a> above, Core delivers email addressed
to any internal domain name locally, and uses its smarthost Front to
relay the rest. Core is reachable only on institute networks, so
there is little benefit in enabling TLS, but it does need to handle
</p>
<div class="org-src-container">
-<code>postfix-core-networks</code><pre class="src src-conf" id="org9fd705f"><code>- p: mynetworks
+<code>postfix-core-networks</code><pre class="src src-conf" id="org28352b1"><code>- p: mynetworks
v: >-
{{ private_net_cidr }}
{{ public_wg_net_cidr }}
</p>
<div class="org-src-container">
-<code>postfix-core-relayhost</code><pre class="src src-conf" id="org57d37e9"><code>- { p: relayhost, v: <span class="org-string">"[{{ front_wg_addr }}]"</span> }
+<code>postfix-core-relayhost</code><pre class="src src-conf" id="orge298c5a"><code>- { p: relayhost, v: <span class="org-string">"[{{ front_wg_addr }}]"</span> }
</code></pre>
</div>
</p>
<div class="org-src-container">
-<code>postfix-transport</code><pre class="src src-conf" id="org8470e32"><code>.{{ domain_name }} local:$myhostname
+<code>postfix-transport</code><pre class="src src-conf" id="orgd07a1d6"><code>.{{ domain_name }} local:$myhostname
.{{ domain_priv }} local:$myhostname
</code></pre>
</div>
</p>
<div class="org-src-container">
-<code>postfix-core</code><pre class="src src-conf" id="orgeb3e95e"><code><<postfix-relaying>>
+<code>postfix-core</code><pre class="src src-conf" id="orgfa67fbd"><code><<postfix-relaying>>
- { p: smtpd_tls_security_level, v: none }
- { p: smtp_tls_security_level, v: none }
<<postfix-message-size>>
</div>
</div>
</div>
-<div id="outline-container-orgf500f71" class="outline-3">
-<h3 id="orgf500f71"><span class="section-number-3">8.15.</span> Configure Private Email Aliases</h3>
+<div id="outline-container-org9d33516" class="outline-3">
+<h3 id="org9d33516"><span class="section-number-3">8.15.</span> Configure Private Email Aliases</h3>
<div class="outline-text-3" id="text-8-15">
<p>
The institute's Core needs to deliver email addressed to institute
</div>
</div>
</div>
-<div id="outline-container-orgee8d6ac" class="outline-3">
-<h3 id="orgee8d6ac"><span class="section-number-3">8.16.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-orgba6d47f" class="outline-3">
+<h3 id="orgba6d47f"><span class="section-number-3">8.16.</span> Configure Dovecot IMAPd</h3>
<div class="outline-text-3" id="text-8-16">
<p>
Core uses Dovecot's IMAPd to store and serve member emails. As on
networks, but helps to ensure privacy even when members accidentally
attempt connections from outside the private networks. For more
information about Core's role in the institute's email services, see
-<a href="#orgb774d4b">The Email Service</a>.
+<a href="#org4f09259">The Email Service</a>.
</p>
<p>
<q>README.Debian</q> (in <q>/usr/share/dovecot-core/</q>) but replaces the
default "snake oil" certificate with another, signed by the institute.
(For more information about the institute's X.509 certificates, see
-<a href="#org1667c05">Keys</a>.)
+<a href="#orgbd49b65">Keys</a>.)
</p>
<p>
</div>
</div>
</div>
-<div id="outline-container-org72974b3" class="outline-3">
-<h3 id="org72974b3"><span class="section-number-3">8.17.</span> Configure Fetchmail</h3>
+<div id="outline-container-orgfd6d1ed" class="outline-3">
+<h3 id="orgfd6d1ed"><span class="section-number-3">8.17.</span> Configure Fetchmail</h3>
<div class="outline-text-3" id="text-8-17">
<p>
Core runs a <code>fetchmail</code> for each member of the institute. Individual
</p>
<div class="org-src-container">
-<code>fetchmail-config</code><pre class="src src-conf" id="org2614790"><code><span class="org-comment-delimiter"># </span><span class="org-comment">Permissions on this file may be no greater than 0600.</span>
+<code>fetchmail-config</code><pre class="src src-conf" id="orgdba139a"><code><span class="org-comment-delimiter"># </span><span class="org-comment">Permissions on this file may be no greater than 0600.</span>
set no bouncemail
set no spambounce
</p>
<div class="org-src-container">
-<code>fetchmail-service</code><pre class="src src-conf" id="orga144c5b"><code>[<span class="org-type">Unit</span>]
+<code>fetchmail-service</code><pre class="src src-conf" id="org2fe43e7"><code>[<span class="org-type">Unit</span>]
<span class="org-variable-name">Description</span>=Fetchmail --idle task for {{ item }}.
<span class="org-variable-name">AssertPathExists</span>=/home/{{ item }}/.fetchmailrc
<span class="org-variable-name">After</span>=wg-quick@wg0.service
</div>
</div>
</div>
-<div id="outline-container-org9fae91d" class="outline-3">
-<h3 id="org9fae91d"><span class="section-number-3">8.18.</span> Configure Apache2 <a id="orgcc32964"></a></h3>
+<div id="outline-container-orgeadb684" class="outline-3">
+<h3 id="orgeadb684"><span class="section-number-3">8.18.</span> Configure Apache2 <a id="orgb0912df"></a></h3>
<div class="outline-text-3" id="text-8-18">
<p>
This is the small institute's campus web server. It hosts several web
-sites as described in <a href="#orgc339acf">The Web Services</a>.
+sites as described in <a href="#org194fc48">The Web Services</a>.
</p>
<table border="2" cellspacing="0" cellpadding="6" rules="groups" frame="hsides">
</p>
<div class="org-src-container">
-<code>apache-userdir-core</code><pre class="src src-conf" id="orgb386689"><code>UserDir Public/HTML
+<code>apache-userdir-core</code><pre class="src src-conf" id="org55d229f"><code>UserDir Public/HTML
<Directory /home/*/Public/HTML/>
Require all granted
AllowOverride None
</p>
<div class="org-src-container">
-<code>apache-live</code><pre class="src src-conf" id="org528a9bd"><code><VirtualHost *:80>
+<code>apache-live</code><pre class="src src-conf" id="org47e2a36"><code><VirtualHost *:80>
ServerName live
ServerAlias live.{{ domain_priv }}
ServerAdmin webmaster@core.{{ domain_priv }}
</p>
<div class="org-src-container">
-<code>apache-test</code><pre class="src src-conf" id="org691c9da"><code><VirtualHost *:80>
+<code>apache-test</code><pre class="src src-conf" id="org27d04d7"><code><VirtualHost *:80>
ServerName test
ServerAlias test.{{ domain_priv }}
ServerAdmin webmaster@core.{{ domain_priv }}
</p>
<div class="org-src-container">
-<code>apache-campus</code><pre class="src src-conf" id="orgc075498"><code><VirtualHost *:80>
+<code>apache-campus</code><pre class="src src-conf" id="org0ffca69"><code><VirtualHost *:80>
ServerName www
ServerAlias www.{{ domain_priv }}
ServerAdmin webmaster@core.{{ domain_priv }}
</div>
</div>
</div>
-<div id="outline-container-orgc1d1bef" class="outline-3">
-<h3 id="orgc1d1bef"><span class="section-number-3">8.19.</span> Configure Website Updates</h3>
+<div id="outline-container-org56357d8" class="outline-3">
+<h3 id="org56357d8"><span class="section-number-3">8.19.</span> Configure Website Updates</h3>
<div class="outline-text-3" id="text-8-19">
<p>
Monkey on Core runs <q>/usr/local/sbin/webupdate</q> every 15 minutes via a
</p>
<div class="org-src-container">
-<a href="private/webupdate"><q>private/webupdate</q></a><pre class="src src-sh" id="org0df602c"><code><span class="org-comment-delimiter">#</span><span class="org-comment">!/bin/</span><span class="org-keyword">bash</span><span class="org-comment"> -e</span>
+<a href="private/webupdate"><q>private/webupdate</q></a><pre class="src src-sh" id="orgbd0a740"><code><span class="org-comment-delimiter">#</span><span class="org-comment">!/bin/</span><span class="org-keyword">bash</span><span class="org-comment"> -e</span>
<span class="org-comment-delimiter">#</span>
<span class="org-comment-delimiter"># </span><span class="org-comment">DO NOT EDIT. This file was tangled from institute.org.</span>
<p>
The following tasks install the <q>webupdate</q> script from <a href="private/"><q>private/</q></a>,
and create Monkey's <code>cron</code> job. An example <q>webupdate</q> script is
-provided <a href="#org0df602c">here</a>.
+provided <a href="#orgbd0a740">here</a>.
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-org4e39ffd" class="outline-3">
-<h3 id="org4e39ffd"><span class="section-number-3">8.20.</span> Configure Core WireGuard™ Interface</h3>
+<div id="outline-container-org081b4be" class="outline-3">
+<h3 id="org081b4be"><span class="section-number-3">8.20.</span> Configure Core WireGuard™ Interface</h3>
<div class="outline-text-3" id="text-8-20">
<p>
Core connects to Front's WireGuard™ service to provide members abroad
-with a route to the campus networks. As described in <a href="#org30a1249">Configure Public
+with a route to the campus networks. As described in <a href="#org44edb94">Configure Public
WireGuard™ Subnet</a> for Front, Core is expected to forward packets from/to the
private networks.
</p>
</div>
</div>
</div>
-<div id="outline-container-org8d965f3" class="outline-3">
-<h3 id="org8d965f3"><span class="section-number-3">8.21.</span> Configure NAGIOS</h3>
+<div id="outline-container-org4d7fa4b" class="outline-3">
+<h3 id="org4d7fa4b"><span class="section-number-3">8.21.</span> Configure NAGIOS</h3>
<div class="outline-text-3" id="text-8-21">
<p>
Core runs a <code>nagios4</code> server to monitor "services" on institute hosts.
</code></pre>
</div>
</div>
-<div id="outline-container-org012a85b" class="outline-4">
-<h4 id="org012a85b"><span class="section-number-4">8.21.1.</span> Configure NAGIOS Monitors for Core</h4>
+<div id="outline-container-org03215b5" class="outline-4">
+<h4 id="org03215b5"><span class="section-number-4">8.21.1.</span> Configure NAGIOS Monitors for Core</h4>
<div class="outline-text-4" id="text-8-21-1">
<p>
The first block in <q>nagios.cfg</q> specifies monitors for services on
</div>
</div>
</div>
-<div id="outline-container-org73320e9" class="outline-4">
-<h4 id="org73320e9"><span class="section-number-4">8.21.2.</span> Custom NAGIOS Monitor <code>inst_sensors</code></h4>
+<div id="outline-container-orgce0fe2c" class="outline-4">
+<h4 id="orgce0fe2c"><span class="section-number-4">8.21.2.</span> Custom NAGIOS Monitor <code>inst_sensors</code></h4>
<div class="outline-text-4" id="text-8-21-2">
<p>
The <code>check_sensors</code> plugin is included in the package
</div>
</div>
</div>
-<div id="outline-container-org98528fc" class="outline-4">
-<h4 id="org98528fc"><span class="section-number-4">8.21.3.</span> Configure NAGIOS Monitors for Remote Hosts</h4>
+<div id="outline-container-orgce11bb4" class="outline-4">
+<h4 id="orgce11bb4"><span class="section-number-4">8.21.3.</span> Configure NAGIOS Monitors for Remote Hosts</h4>
<div class="outline-text-4" id="text-8-21-3">
<p>
The following sections contain code blocks specifying monitors for
commands are defined in code blocks interleaved with the blocks that
monitor them. The command blocks are appended to <q>nrpe.cfg</q> and the
monitoring blocks to <q>nagios.cfg</q>. The <q>nrpe.cfg</q> file is installed
-on each campus host by the campus role's <a href="#org83a4801">Configure NRPE</a> tasks.
+on each campus host by the campus role's <a href="#orgb8fd0fc">Configure NRPE</a> tasks.
</p>
</div>
</div>
-<div id="outline-container-org85178dd" class="outline-4">
-<h4 id="org85178dd"><span class="section-number-4">8.21.4.</span> Configure NAGIOS Monitors for Gate</h4>
+<div id="outline-container-orgd224290" class="outline-4">
+<h4 id="orgd224290"><span class="section-number-4">8.21.4.</span> Configure NAGIOS Monitors for Gate</h4>
<div class="outline-text-4" id="text-8-21-4">
<p>
Define the monitored host, <code>gate</code>. Monitor its response to network
</div>
</div>
</div>
-<div id="outline-container-org0d4829d" class="outline-3">
-<h3 id="org0d4829d"><span class="section-number-3">8.22.</span> Configure Backups</h3>
+<div id="outline-container-org2ae0e40" class="outline-3">
+<h3 id="org2ae0e40"><span class="section-number-3">8.22.</span> Configure Backups</h3>
<div class="outline-text-3" id="text-8-22">
<p>
The following task installs the <q>backup</q> script from <a href="private/"><q>private/</q></a>. An
-example script is provided in <a href="#orgb1c185c">here</a>.
+example script is provided in <a href="#org2146981">here</a>.
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-org3111e22" class="outline-3">
-<h3 id="org3111e22"><span class="section-number-3">8.23.</span> Configure Nextcloud</h3>
+<div id="outline-container-org7addaa6" class="outline-3">
+<h3 id="org7addaa6"><span class="section-number-3">8.23.</span> Configure Nextcloud</h3>
<div class="outline-text-3" id="text-8-23">
<p>
Core runs Nextcloud to provide a private institute cloud, as described
-in <a href="#orgd7b5f5f">The Cloud Service</a>. Installing, restoring (from backup), and
+in <a href="#orgc812cfe">The Cloud Service</a>. Installing, restoring (from backup), and
upgrading Nextcloud are manual processes documented in <a href="https://docs.nextcloud.com/server/latest/admin_manual/maintenance/">The Nextcloud
Admin Manual, Maintenance</a>. However Ansible can help prepare Core
before an install or restore, and perform basic security checks
afterwards.
</p>
</div>
-<div id="outline-container-org4bae533" class="outline-4">
-<h4 id="org4bae533"><span class="section-number-4">8.23.1.</span> Prepare Core For Nextcloud</h4>
+<div id="outline-container-orgb35e9d1" class="outline-4">
+<h4 id="orgb35e9d1"><span class="section-number-4">8.23.1.</span> Prepare Core For Nextcloud</h4>
<div class="outline-text-4" id="text-8-23-1">
<p>
The Ansible code contained herein prepares Core to run Nextcloud by
The following task would work (<code>mysql_user</code> supports
<code>check_implicit_admin</code>) <i>but</i> the <code>nextcloud</code> database was not created
above. Thus both database and user are created manually, with SQL
-given in the <a href="#org853444f">8.23.5</a> subsection below, before <code>occ
+given in the <a href="#org8f9d1d3">8.23.5</a> subsection below, before <code>occ
maintenance:install</code> can run.
</p>
</div>
</div>
</div>
-<div id="outline-container-org0be9380" class="outline-4">
-<h4 id="org0be9380"><span class="section-number-4">8.23.2.</span> Configure PHP</h4>
+<div id="outline-container-org5646e22" class="outline-4">
+<h4 id="org5646e22"><span class="section-number-4">8.23.2.</span> Configure PHP</h4>
<div class="outline-text-4" id="text-8-23-2">
<p>
The following tasks set a number of PHP parameters for better
</div>
</div>
</div>
-<div id="outline-container-org1719aaf" class="outline-4">
-<h4 id="org1719aaf"><span class="section-number-4">8.23.3.</span> Create <q>/Nextcloud/</q></h4>
+<div id="outline-container-orgcb7a84e" class="outline-4">
+<h4 id="orgcb7a84e"><span class="section-number-4">8.23.3.</span> Create <q>/Nextcloud/</q></h4>
<div class="outline-text-4" id="text-8-23-3">
<p>
The Ansible tasks up to this point have completed Core's LAMP stack
</div>
</div>
</div>
-<div id="outline-container-org8faa166" class="outline-4">
-<h4 id="org8faa166"><span class="section-number-4">8.23.4.</span> Restore Nextcloud</h4>
+<div id="outline-container-org5825d2f" class="outline-4">
+<h4 id="org5825d2f"><span class="section-number-4">8.23.4.</span> Restore Nextcloud</h4>
<div class="outline-text-4" id="text-8-23-4">
<p>
Restoring Nextcloud in the newly created <q>/Nextcloud/</q> presumably
last dump was made February 20th 2022 and thus was saved in
<q>/Nextcloud/20220220.bak</q>. The database will need to be
created first as when installing Nextcloud. The appropriate SQL are
-given in <a href="#org853444f">Install Nextcloud</a> below.
+given in <a href="#org8f9d1d3">Install Nextcloud</a> below.
</p>
<div class="org-src-container">
</p>
</div>
</div>
-<div id="outline-container-org853444f" class="outline-4">
-<h4 id="org853444f"><span class="section-number-4">8.23.5.</span> Install Nextcloud</h4>
+<div id="outline-container-org8f9d1d3" class="outline-4">
+<h4 id="org8f9d1d3"><span class="section-number-4">8.23.5.</span> Install Nextcloud</h4>
<div class="outline-text-4" id="text-8-23-5">
<p>
Installing Nextcloud in the newly created <q>/Nextcloud/</q> starts with
</p>
</div>
</div>
-<div id="outline-container-org13ad5d8" class="outline-4">
-<h4 id="org13ad5d8"><span class="section-number-4">8.23.6.</span> Afterwards</h4>
+<div id="outline-container-org7bf8385" class="outline-4">
+<h4 id="org7bf8385"><span class="section-number-4">8.23.6.</span> Afterwards</h4>
<div class="outline-text-4" id="text-8-23-6">
<p>
Whether Nextcloud was restored or installed, there are a few things
</div>
</div>
</div>
-<div id="outline-container-org10b80d8" class="outline-2">
-<h2 id="org10b80d8"><span class="section-number-2">9.</span> The Gate Role</h2>
+<div id="outline-container-orge255857" class="outline-2">
+<h2 id="orge255857"><span class="section-number-2">9.</span> The Gate Role</h2>
<div class="outline-text-2" id="text-9">
<p>
The <code>gate</code> role configures the services expected at the campus gate:
access to the private Ethernet from the untrusted Ethernet (e.g. a
campus Wi-Fi AP) via VPN, and access to the Internet via NAT. The
-gate machine uses three network interfaces (see <a href="#orgdd1ef39">The Gate Machine</a>)
+gate machine uses three network interfaces (see <a href="#org2e49760">The Gate Machine</a>)
configured with persistent names used in its firewall rules.
</p>
configurations, etc.
</p>
</div>
-<div id="outline-container-org824ce8a" class="outline-3">
-<h3 id="org824ce8a"><span class="section-number-3">9.1.</span> Include Particulars</h3>
+<div id="outline-container-orgda5416e" class="outline-3">
+<h3 id="orgda5416e"><span class="section-number-3">9.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-9-1">
<p>
The following should be familiar boilerplate by now.
</div>
</div>
</div>
-<div id="outline-container-org4f74500" class="outline-3">
-<h3 id="org4f74500"><span class="section-number-3">9.2.</span> Configure Netplan <a id="org203b47a"></a></h3>
+<div id="outline-container-orgc353634" class="outline-3">
+<h3 id="orgc353634"><span class="section-number-3">9.2.</span> Configure Netplan <a id="orga9ce231"></a></h3>
<div class="outline-text-3" id="text-9-2">
<p>
Gate's network interfaces are configured using Netplan and two files.
</p>
</div>
</div>
-<div id="outline-container-org680826e" class="outline-3">
-<h3 id="org680826e"><span class="section-number-3">9.3.</span> UFW Rules</h3>
+<div id="outline-container-orgde42811" class="outline-3">
+<h3 id="orgde42811"><span class="section-number-3">9.3.</span> UFW Rules</h3>
<div class="outline-text-3" id="text-9-3">
<p>
Gate uses the Uncomplicated FireWall (UFW) to install its packet
</p>
<div class="org-src-container">
-<code>ufw-nat</code><pre class="src src-conf" id="org3061f70"><code>-A POSTROUTING -s {{ private_net_cidr }} -o isp -j MASQUERADE
+<code>ufw-nat</code><pre class="src src-conf" id="orgbeaf2b7"><code>-A POSTROUTING -s {{ private_net_cidr }} -o isp -j MASQUERADE
-A POSTROUTING -s {{ wild_net_cidr }} -o isp -j MASQUERADE
</code></pre>
</div>
Forwarding rules are also needed. The <code>nat</code> table is a <i>post</i> routing
rule set, so the default routing policy (<code>DENY</code>) will drop packets
before NAT can translate them. The following rules are added to allow
-packets to be forwarded from the campus Ethernet or its wild subnet
-to an ISP on the <code>isp</code> interface, and back (if related to an outgoing
-packet).
+packets to be forwarded from the campus Ethernet or its wild subnet to
+an ISP on the <code>isp</code> interface. A generic routing rule in UFW accepts
+any related or established packet (according to the kernel's
+connection tracking).
</p>
<div class="org-src-container">
-<code>ufw-forward-nat</code><pre class="src src-conf" id="orgfb2de18"><code>-A FORWARD -i lan -o isp -j ACCEPT
--A FORWARD -i wild -o isp -j ACCEPT
--A FORWARD -i isp -o lan {{ ACCEPT_RELATED }}
--A FORWARD -i isp -o wild {{ ACCEPT_RELATED }}
+<code>ufw-forward-nat</code><pre class="src src-conf" id="org865d896"><code>-A ufw-user-forward -i lan -o isp -j ACCEPT
+-A ufw-user-forward -i wild -o isp -j ACCEPT
</code></pre>
</div>
-<p>
-To keep the above code lines short, the template references an
-<code>ACCEPT_RELATED</code> variable, provided by the task, whose value includes
-the following <code>iptables(8)</code> rule specification parameters.
-</p>
-
-<pre class="example">
--m state --state ESTABLISHED,RELATED -j ACCEPT
-</pre>
-
<p>
If "the standard <code>iptables-restore</code> syntax" as it is described in the
<code>ufw-framework</code> manual page, allows continuation lines, please let us
</p>
<div class="org-src-container">
-<code>ufw-forward-private</code><pre class="src src-conf" id="org11d8424"><code>-A FORWARD -i lan -o wg0 -j ACCEPT
--A FORWARD -i wg0 -o lan -j ACCEPT
+<code>ufw-forward-private</code><pre class="src src-conf" id="orgdd4db1f"><code>-A ufw-user-forward -i lan -o wg0 -j ACCEPT
+-A ufw-user-forward -i wg0 -o lan -j ACCEPT
+-A ufw-user-forward -i wg0 -o wg0 -j ACCEPT
</code></pre>
</div>
+<p>
+The third rule above may seem curious; it is. It short circuits
+filters in subsequent chains (e.g. <code>ufw-reject-forward</code>) that, by
+default, log and reject packets, even those from subnet to the same
+subnet (if it is a WireGuard™ subnet?).
+</p>
+
<p>
Note that there are no forwarding rules to allow packets to pass from
the <code>wild</code> device to the <code>lan</code> device, just the <code>wg0</code> device.
</p>
</div>
</div>
-<div id="outline-container-org50ccff5" class="outline-3">
-<h3 id="org50ccff5"><span class="section-number-3">9.4.</span> Install UFW</h3>
+<div id="outline-container-org98692b7" class="outline-3">
+<h3 id="org98692b7"><span class="section-number-3">9.4.</span> Configure UFW</h3>
<div class="outline-text-3" id="text-9-4">
<p>
The following tasks install the Uncomplicated Firewall (UFW), set its
-policy in <q>/etc/default/ufw</q>, and install the above rules in
-<q>/etc/ufw/before.rules</q>. When Gate is configured by <code>./abbey config
-gate</code> as in the example bootstrap, enabling the firewall should not be
-a problem. But when configuring a new gate with <code>./abbey config
-new-gate</code>, enabling the firewall could break Ansible's current and
-future ssh sessions. For this reason, Ansible <i>does not</i> enable the
-firewall. The administrator must login and execute the following
-command after Gate is configured or new gate is "in position"
-(connected to old Gate's <code>wild</code> and <code>isp</code> networks).
+policy in <q>/etc/default/ufw</q>, install the NAT rules in
+<q>/etc/ufw/before.rules</q>, and the Forward rules in
+<q>/etc/ufw/user.rules</q> (where the <code>ufw-user-forward</code> chain
+is… mentioned?).
+</p>
+
+<p>
+When Gate is configured by <code>./abbey config gate</code> as in the example
+bootstrap, enabling the firewall should not be a problem. But when
+configuring a new gate with <code>./abbey config new-gate</code>, enabling the
+firewall could break Ansible's current and future ssh sessions. For
+this reason, Ansible <i>does not</i> enable the firewall.
+</p>
+
+<p>
+The administrator must login and execute the following command after
+Gate is configured or new gate is "in position" (connected to old
+Gate's <code>wild</code> and <code>isp</code> networks).
</p>
<pre class="example">
<div class="org-src-container">
<a href="roles_t/gate/tasks/main.yml"><q>roles_t/gate/tasks/main.yml</q></a><pre class="src src-conf"><code>
- name: Install UFW.
- become:
+ become: yes
<span class="org-variable-name">apt: pkg</span>=ufw
- name: Configure UFW policy.
<span class="org-type">-</span> { line: <span class="org-string">"DEFAULT_FORWARD_POLICY=\"DROP\""</span>,
regexp: <span class="org-string">"^DEFAULT_FORWARD_POLICY="</span> }
-- name: Configure UFW rules.
+- name: Configure UFW NAT rules.
become: yes
- vars:
- ACCEPT_RELATED: -m state --state ESTABLISHED,RELATED -j ACCEPT
blockinfile:
- path: /etc/ufw/before.rules
block: |
*nat
:POSTROUTING ACCEPT [0:0]
<<ufw-nat>>
COMMIT
+ dest: /etc/ufw/before.rules
+ insertafter: EOF
+ prepend_newline: yes
+- name: Configure UFW FORWARD rules.
+ become: yes
+ blockinfile:
+ block: |
*filter
<<ufw-forward-nat>>
<<ufw-forward-private>>
COMMIT
+ dest: /etc/ufw/user.rules
insertafter: EOF
+ prepend_newline: yes
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-org00edfc2" class="outline-3">
-<h3 id="org00edfc2"><span class="section-number-3">9.5.</span> Configure DHCP For The Wild Ethernet</h3>
+<div id="outline-container-org3bc8c9a" class="outline-3">
+<h3 id="org3bc8c9a"><span class="section-number-3">9.5.</span> Configure DHCP For The Wild Ethernet</h3>
<div class="outline-text-3" id="text-9-5">
<p>
To accommodate commodity Wi-Fi access points, as well as wired IoT
</p>
</div>
</div>
-<div id="outline-container-org390a10a" class="outline-3">
-<h3 id="org390a10a"><span class="section-number-3">9.6.</span> Configure Campus WireGuard™ Subnet</h3>
+<div id="outline-container-orge0f6246" class="outline-3">
+<h3 id="orge0f6246"><span class="section-number-3">9.6.</span> Configure Campus WireGuard™ Subnet</h3>
<div class="outline-text-3" id="text-9-6">
<p>
Gate uses WireGuard™ to provide a campus VPN service. Gate's routes
</p>
<p>
-The following example <a href="#org1bce41a"><q>private/gate-wg0.conf</q></a> configuration recognizes
+The following example <a href="#org433e524"><q>private/gate-wg0.conf</q></a> configuration recognizes
a wired IoT appliance, Dick's notebook and his replacement phone,
assigning them the host numbers 3, 4 and 6 respectively.
</p>
<div class="org-src-container">
-<q>private/gate-wg0.conf</q><pre class="src src-conf" id="org1bce41a"><code>[<span class="org-type">Interface</span>]
+<q>private/gate-wg0.conf</q><pre class="src src-conf" id="org433e524"><code>[<span class="org-type">Interface</span>]
<span class="org-variable-name">Address</span> = 10.84.139.1/24
<span class="org-variable-name">ListenPort</span> = 51820
<span class="org-variable-name">PostUp</span> = wg set %i private-key /etc/wireguard/private-key
<div class="org-src-container">
WireGuard™ tunnel on an IoT appliance<pre class="src src-conf"><code>[<span class="org-type">Interface</span>]
<span class="org-variable-name">Address</span> = 10.84.139.2
-<span class="org-variable-name">PrivateKey</span> = KIwQT5eGOl9w1qOa5I+2xx5kJH3z4xdpmirS/eGdsXY=
+<span class="org-variable-name">PrivateKey</span> = <hidden>
+<span class="org-variable-name">PublicKey</span> = LdsCsgfjKCfd5+VKS+Q/dQhWO8NRNygByDO2VxbXlSQ=
+<span class="org-variable-name">DNS</span> = 192.168.56.1
+<span class="org-variable-name">Domain</span> = small.private
<span class="org-comment-delimiter"># </span><span class="org-comment">Gate</span>
[<span class="org-type">Peer</span>]
+<span class="org-variable-name">EndPoint</span> = 192.168.57.1:51820
<span class="org-variable-name">PublicKey</span> = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI=
<span class="org-variable-name">AllowedIPs</span> = 10.84.139.1
-<span class="org-variable-name">AllowedIPs</span> = 10.84.139.0/24
<span class="org-variable-name">AllowedIPs</span> = 192.168.56.0/24
<span class="org-variable-name">AllowedIPs</span> = 10.177.87.0/24
+<span class="org-variable-name">AllowedIPs</span> = 10.84.139.0/24
</code></pre>
</div>
<span class="org-comment-delimiter"># </span><span class="org-comment">Gate</span>
[<span class="org-type">Peer</span>]
+<span class="org-variable-name">EndPoint</span> = 192.168.57.1:51820
<span class="org-variable-name">PublicKey</span> = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI=
<span class="org-variable-name">AllowedIPs</span> = 10.84.139.1
-<span class="org-variable-name">AllowedIPs</span> = 10.84.139.0/24
<span class="org-variable-name">AllowedIPs</span> = 192.168.56.0/24
<span class="org-variable-name">AllowedIPs</span> = 10.177.87.0/24
+<span class="org-variable-name">AllowedIPs</span> = 10.84.139.0/24
</code></pre>
</div>
<p>
The following tasks install WireGuard™, configure it with
-<a href="#org1bce41a"><q>private/gate-wg0.conf</q></a>, and enable the service.
+<a href="#org433e524"><q>private/gate-wg0.conf</q></a>, and enable the service.
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-org536291a" class="outline-2">
-<h2 id="org536291a"><span class="section-number-2">10.</span> The Campus Role</h2>
+<div id="outline-container-org9e3146e" class="outline-2">
+<h2 id="org9e3146e"><span class="section-number-2">10.</span> The Campus Role</h2>
<div class="outline-text-2" id="text-10">
<p>
The <code>campus</code> role configures generic campus server machines: network
client</code> command which updates the WireGuard™ configuration on Gate.
</p>
</div>
-<div id="outline-container-org3b2731d" class="outline-3">
-<h3 id="org3b2731d"><span class="section-number-3">10.1.</span> Include Particulars</h3>
+<div id="outline-container-org327e633" class="outline-3">
+<h3 id="org327e633"><span class="section-number-3">10.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-10-1">
<p>
The following should be familiar boilerplate by now.
</div>
</div>
</div>
-<div id="outline-container-org7535828" class="outline-3">
-<h3 id="org7535828"><span class="section-number-3">10.2.</span> Configure Hostname</h3>
+<div id="outline-container-org10731bc" class="outline-3">
+<h3 id="org10731bc"><span class="section-number-3">10.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-10-2">
<p>
Clients should be using the expected host name.
</div>
</div>
</div>
-<div id="outline-container-orga2c231a" class="outline-3">
-<h3 id="orga2c231a"><span class="section-number-3">10.3.</span> Configure Systemd Timesyncd</h3>
+<div id="outline-container-org30b882e" class="outline-3">
+<h3 id="org30b882e"><span class="section-number-3">10.3.</span> Configure Systemd Timesyncd</h3>
<div class="outline-text-3" id="text-10-3">
<p>
The institute uses a common time reference throughout the campus.
</div>
</div>
</div>
-<div id="outline-container-org80ce144" class="outline-3">
-<h3 id="org80ce144"><span class="section-number-3">10.4.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org5189475" class="outline-3">
+<h3 id="org5189475"><span class="section-number-3">10.4.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-10-4">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-org91a0e53" class="outline-3">
-<h3 id="org91a0e53"><span class="section-number-3">10.5.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org15ed633" class="outline-3">
+<h3 id="org15ed633"><span class="section-number-3">10.5.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-10-5">
<p>
The institute prefers to install security updates as soon as possible.
</div>
</div>
</div>
-<div id="outline-container-org2500167" class="outline-3">
-<h3 id="org2500167"><span class="section-number-3">10.6.</span> Configure Postfix on Campus</h3>
+<div id="outline-container-orgf622be7" class="outline-3">
+<h3 id="orgf622be7"><span class="section-number-3">10.6.</span> Configure Postfix on Campus</h3>
<div class="outline-text-3" id="text-10-6">
<p>
The Postfix settings used by the campus include message size, queue
</div>
</div>
</div>
-<div id="outline-container-org0fb1201" class="outline-3">
-<h3 id="org0fb1201"><span class="section-number-3">10.7.</span> Set Domain Name</h3>
+<div id="outline-container-org1b69146" class="outline-3">
+<h3 id="org1b69146"><span class="section-number-3">10.7.</span> Set Domain Name</h3>
<div class="outline-text-3" id="text-10-7">
<p>
The host's fully qualified (private) domain name (FQDN) is set by an
</div>
</div>
</div>
-<div id="outline-container-org83a4801" class="outline-3">
-<h3 id="org83a4801"><span class="section-number-3">10.8.</span> Configure NRPE</h3>
+<div id="outline-container-orgb8fd0fc" class="outline-3">
+<h3 id="orgb8fd0fc"><span class="section-number-3">10.8.</span> Configure NRPE</h3>
<div class="outline-text-3" id="text-10-8">
<p>
Each campus host runs an NRPE (a NAGIOS Remote Plugin Executor)
server so that the NAGIOS4 server on Core can collect statistics. The
-NAGIOS service is discussed in the <a href="#org83a4801">Configure NRPE</a> section of <a href="#orgd70a659">The Core
+NAGIOS service is discussed in the <a href="#orgb8fd0fc">Configure NRPE</a> section of <a href="#orgfb09fcf">The Core
Role</a>.
</p>
</div>
</div>
</div>
-<div id="outline-container-orgb160646" class="outline-2">
-<h2 id="orgb160646"><span class="section-number-2">11.</span> The Ansible Configuration</h2>
+<div id="outline-container-orgafb80a0" class="outline-2">
+<h2 id="orgafb80a0"><span class="section-number-2">11.</span> The Ansible Configuration</h2>
<div class="outline-text-2" id="text-11">
<p>
The small institute uses Ansible to maintain the configuration of its
role(s) to each host. Examples of these files are included here, and
are used to test the roles. The example configuration applies the
institutional roles to VirtualBox machines prepared according to
-chapter <a href="#orga8d5681">Testing</a>.
+chapter <a href="#orgf67ef54">Testing</a>.
</p>
<p>
separate revision history.
</p>
</div>
-<div id="outline-container-orgf860543" class="outline-3">
-<h3 id="orgf860543"><span class="section-number-3">11.1.</span> <q>ansible.cfg</q></h3>
+<div id="outline-container-org7a6eff2" class="outline-3">
+<h3 id="org7a6eff2"><span class="section-number-3">11.1.</span> <q>ansible.cfg</q></h3>
<div class="outline-text-3" id="text-11-1">
<p>
The Ansible configuration file <a href="ansible.cfg"><q>ansible.cfg</q></a> contains just a handful
of settings, some included just to create a test jig as described in
-<a href="#orga8d5681">Testing</a>.
+<a href="#orgf67ef54">Testing</a>.
</p>
<ul class="org-ul">
that Python 3 can be expected on all institute hosts.</li>
<li><code>vault_password_file</code> is set to suppress prompts for the vault
password. The institute keeps its vault password in <a href="Secret/"><q>Secret/</q></a> (as
-described in <a href="#org1667c05">Keys</a>) and thus sets this parameter to
+described in <a href="#orgbd49b65">Keys</a>) and thus sets this parameter to
<a href="Secret/vault-password"><q>Secret/vault-password</q></a>.</li>
<li><code>inventory</code> is set to avoid specifying it on the command line.</li>
<li><code>roles_path</code> is set to the recently tangled roles files in
</div>
</div>
</div>
-<div id="outline-container-org96fb0a9" class="outline-3">
-<h3 id="org96fb0a9"><span class="section-number-3">11.2.</span> <q>hosts</q></h3>
+<div id="outline-container-orged29d65" class="outline-3">
+<h3 id="orged29d65"><span class="section-number-3">11.2.</span> <q>hosts</q></h3>
<div class="outline-text-3" id="text-11-2">
<p>
The Ansible inventory file <a href="hosts"><q>hosts</q></a> describes all of the institute's
</p>
<div class="org-src-container">
-<a href="hosts"><q>hosts</q></a><pre class="src src-conf" id="org440929a"><code>all:
+<a href="hosts"><q>hosts</q></a><pre class="src src-conf" id="org1906017"><code>all:
vars:
ansible_user: sysadm
ansible_ssh_extra_args: -i Secret/ssh_admin/id_rsa
</p>
</div>
</div>
-<div id="outline-container-org2b5ace0" class="outline-3">
-<h3 id="org2b5ace0"><span class="section-number-3">11.3.</span> <q>playbooks/site.yml</q></h3>
+<div id="outline-container-org11b7c97" class="outline-3">
+<h3 id="org11b7c97"><span class="section-number-3">11.3.</span> <q>playbooks/site.yml</q></h3>
<div class="outline-text-3" id="text-11-3">
<p>
The example <a href="playbooks/site.yml"><q>playbooks/site.yml</q></a> playbook (below) applies the
</div>
</div>
</div>
-<div id="outline-container-org321e0e4" class="outline-3">
-<h3 id="org321e0e4"><span class="section-number-3">11.4.</span> <q>Secret/vault-password</q></h3>
+<div id="outline-container-orge644910" class="outline-3">
+<h3 id="orge644910"><span class="section-number-3">11.4.</span> <q>Secret/vault-password</q></h3>
<div class="outline-text-3" id="text-11-4">
<p>
As already mentioned, the small institute keeps its Ansible vault
</p>
<div class="org-src-container">
-<a href="Secret/vault-password"><q>Secret/vault-password</q></a><pre class="src src-conf" id="org92e1929"><code>alitysortstagess
+<a href="Secret/vault-password"><q>Secret/vault-password</q></a><pre class="src src-conf" id="org9eaaa94"><code>alitysortstagess
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-orge69cba4" class="outline-3">
-<h3 id="orge69cba4"><span class="section-number-3">11.5.</span> Creating A Working Ansible Configuration</h3>
+<div id="outline-container-orgc683a90" class="outline-3">
+<h3 id="orgc683a90"><span class="section-number-3">11.5.</span> Creating A Working Ansible Configuration</h3>
<div class="outline-text-3" id="text-11-5">
<p>
A working Ansible configuration can be "tangled" from this document to
-produce the test configuration described in the <a href="#orga8d5681">Testing</a> chapter. The
+produce the test configuration described in the <a href="#orgf67ef54">Testing</a> chapter. The
tangling is done by Emacs's <code>org-babel-tangle</code> function and has
already been performed with the resulting tangle included in the
distribution with this document.
<q>public/</q> and <q>private/</q>.</li>
<li><q>~/net/Secret</q> would be a symbolic link to the (auto-mounted?)
location of the administrator's encrypted USB drive, as described in
-section <a href="#org1667c05">Keys</a>.</li>
+section <a href="#orgbd49b65">Keys</a>.</li>
</ul>
<p>
</div>
</div>
</div>
-<div id="outline-container-orgcbde294" class="outline-3">
-<h3 id="orgcbde294"><span class="section-number-3">11.6.</span> Maintaining A Working Ansible Configuration</h3>
+<div id="outline-container-org38c4a10" class="outline-3">
+<h3 id="org38c4a10"><span class="section-number-3">11.6.</span> Maintaining A Working Ansible Configuration</h3>
<div class="outline-text-3" id="text-11-6">
<p>
The Ansible roles currently tangle into the <a href="roles_t/"><q>roles_t/</q></a> directory to
</div>
</div>
</div>
-<div id="outline-container-org2c02c67" class="outline-2">
-<h2 id="org2c02c67"><span class="section-number-2">12.</span> The Institute Commands</h2>
+<div id="outline-container-org935ef4b" class="outline-2">
+<h2 id="org935ef4b"><span class="section-number-2">12.</span> The Institute Commands</h2>
<div class="outline-text-2" id="text-12">
<p>
The institute's administrator uses a convenience script to reliably
to get their defaults from <q>./ansible.cfg</q>.
</p>
</div>
-<div id="outline-container-orgba28285" class="outline-3">
-<h3 id="orgba28285"><span class="section-number-3">12.1.</span> Sub-command Blocks</h3>
+<div id="outline-container-org475c61d" class="outline-3">
+<h3 id="org475c61d"><span class="section-number-3">12.1.</span> Sub-command Blocks</h3>
<div class="outline-text-3" id="text-12-1">
<p>
The code blocks in this chapter tangle into the <a href="inst"><q>inst</q></a> script. Each
</div>
</div>
</div>
-<div id="outline-container-org8c8d956" class="outline-3">
-<h3 id="org8c8d956"><span class="section-number-3">12.2.</span> Sanity Check</h3>
+<div id="outline-container-org888b543" class="outline-3">
+<h3 id="org888b543"><span class="section-number-3">12.2.</span> Sanity Check</h3>
<div class="outline-text-3" id="text-12-2">
<p>
The next code block does not implement a sub-command; it implements
</div>
</div>
</div>
-<div id="outline-container-orga6f1c7a" class="outline-3">
-<h3 id="orga6f1c7a"><span class="section-number-3">12.3.</span> Importing Ansible Variables</h3>
+<div id="outline-container-org6873e12" class="outline-3">
+<h3 id="org6873e12"><span class="section-number-3">12.3.</span> Importing Ansible Variables</h3>
<div class="outline-text-3" id="text-12-3">
<p>
To ensure that Ansible and <code>./inst</code> are sympatico vis-a-vi certain
mysystem <span class="org-string">"ansible-playbook playbooks/check-inst-vars.yml >/dev/null"</span>;
-our ($domain_name, $domain_priv, $private_net_cidr,
+our ($domain_name, $domain_priv,
$front_addr, $front_wg_pubkey,
$public_wg_net_cidr, $public_wg_port,
+ $private_net_cidr, $wild_net_cidr,
$gate_wild_addr, $gate_wg_pubkey,
$campus_wg_net_cidr, $campus_wg_port,
$core_addr, $core_wg_pubkey);
content: |
<span class="org-variable-name">$domain_name</span> = <span class="org-string">"{{ domain_name }}"</span>;
<span class="org-variable-name">$domain_priv</span> = <span class="org-string">"{{ domain_priv }}"</span>;
- <span class="org-variable-name">$private_net_cidr</span> = <span class="org-string">"{{ private_net_cidr }}"</span>;
<span class="org-variable-name">$front_addr</span> = <span class="org-string">"{{ front_addr }}"</span>;
<span class="org-variable-name">$front_wg_pubkey</span> = <span class="org-string">"{{ front_wg_pubkey }}"</span>;
<span class="org-variable-name">$public_wg_net_cidr</span> = <span class="org-string">"{{ public_wg_net_cidr }}"</span>;
-
<span class="org-variable-name">$public_wg_port</span> = <span class="org-string">"{{ public_wg_port }}"</span>;
+ <span class="org-variable-name">$private_net_cidr</span> = <span class="org-string">"{{ private_net_cidr }}"</span>;
+ <span class="org-variable-name">$wild_net_cidr</span> = <span class="org-string">"{{ wild_net_cidr }}"</span>;
+
<span class="org-variable-name">$gate_wild_addr</span> = <span class="org-string">"{{ gate_wild_addr }}"</span>;
<span class="org-variable-name">$gate_wg_pubkey</span> = <span class="org-string">"{{ gate_wg_pubkey }}"</span>;
</table>
</div>
</div>
-<div id="outline-container-org6faffaf" class="outline-3">
-<h3 id="org6faffaf"><span class="section-number-3">12.4.</span> The CA Command</h3>
+<div id="outline-container-org2dc18d3" class="outline-3">
+<h3 id="org2dc18d3"><span class="section-number-3">12.4.</span> The CA Command</h3>
<div class="outline-text-3" id="text-12-4">
<p>
The next code block implements the <code>CA</code> sub-command, which creates a
</div>
</div>
</div>
-<div id="outline-container-orgb44148b" class="outline-3">
-<h3 id="orgb44148b"><span class="section-number-3">12.5.</span> The Config Command</h3>
+<div id="outline-container-org93205f9" class="outline-3">
+<h3 id="org93205f9"><span class="section-number-3">12.5.</span> The Config Command</h3>
<div class="outline-text-3" id="text-12-5">
<p>
The next code block implements the <code>config</code> sub-command, which
</div>
</div>
</div>
-<div id="outline-container-org8caf547" class="outline-3">
-<h3 id="org8caf547"><span class="section-number-3">12.6.</span> Account Management</h3>
+<div id="outline-container-org8ec1044" class="outline-3">
+<h3 id="org8ec1044"><span class="section-number-3">12.6.</span> Account Management</h3>
<div class="outline-text-3" id="text-12-6">
<p>
For general information about members and their Unix accounts, see
-<a href="#orga7b19de">Accounts</a>. The account management sub-commands maintain a mapping
+<a href="#orge444ccb">Accounts</a>. The account management sub-commands maintain a mapping
associating member "usernames" (Unix account names) with their
records. The mapping is stored among other things in
<q>private/members.yml</q> as the value associated with the key <code>members</code>.
</div>
</div>
</div>
-<div id="outline-container-org9afdb25" class="outline-3">
-<h3 id="org9afdb25"><span class="section-number-3">12.7.</span> The New Command</h3>
+<div id="outline-container-org87951a6" class="outline-3">
+<h3 id="org87951a6"><span class="section-number-3">12.7.</span> The New Command</h3>
<div class="outline-text-3" id="text-12-7">
<p>
The next code block implements the <code>new</code> sub-command. It adds a new
</div>
</div>
</div>
-<div id="outline-container-orge22b2b5" class="outline-3">
-<h3 id="orge22b2b5"><span class="section-number-3">12.8.</span> The Pass Command</h3>
+<div id="outline-container-org9d93ecc" class="outline-3">
+<h3 id="org9d93ecc"><span class="section-number-3">12.8.</span> The Pass Command</h3>
<div class="outline-text-3" id="text-12-8">
<p>
The institute's <code>passwd</code> command on Core securely emails <code>root</code> with a
message is sent to <code>member@core</code>.
</p>
</div>
-<div id="outline-container-org4178b76" class="outline-4">
-<h4 id="org4178b76"><span class="section-number-4">12.8.1.</span> Less Aggressive passwd.</h4>
+<div id="outline-container-orgaed955e" class="outline-4">
+<h4 id="orgaed955e"><span class="section-number-4">12.8.1.</span> Less Aggressive passwd.</h4>
<div class="outline-text-4" id="text-12-8-1">
<p>
The next code block implements the less aggressive <code>passwd</code> command.
</div>
</div>
</div>
-<div id="outline-container-org5e48680" class="outline-4">
-<h4 id="org5e48680"><span class="section-number-4">12.8.2.</span> Less Aggressive Pass Command</h4>
+<div id="outline-container-orgc9aa9a5" class="outline-4">
+<h4 id="orgc9aa9a5"><span class="section-number-4">12.8.2.</span> Less Aggressive Pass Command</h4>
<div class="outline-text-4" id="text-12-8-2">
<p>
The following code block implements the <code>./inst pass</code> command, used by
</div>
</div>
</div>
-<div id="outline-container-orgb2fc403" class="outline-4">
-<h4 id="orgb2fc403"><span class="section-number-4">12.8.3.</span> Installing the Less Aggressive passwd</h4>
+<div id="outline-container-org4c2403c" class="outline-4">
+<h4 id="org4c2403c"><span class="section-number-4">12.8.3.</span> Installing the Less Aggressive passwd</h4>
<div class="outline-text-4" id="text-12-8-3">
<p>
The following Ansible tasks install the less aggressive <code>passwd</code>
</div>
</div>
</div>
-<div id="outline-container-orgc4082ec" class="outline-3">
-<h3 id="orgc4082ec"><span class="section-number-3">12.9.</span> The Old Command</h3>
+<div id="outline-container-orgc5d5072" class="outline-3">
+<h3 id="orgc5d5072"><span class="section-number-3">12.9.</span> The Old Command</h3>
<div class="outline-text-3" id="text-12-9">
<p>
The <code>old</code> command disables a member's account (and thus their clients).
</div>
</div>
</div>
-<div id="outline-container-orgd063a1d" class="outline-3">
-<h3 id="orgd063a1d"><span class="section-number-3">12.10.</span> The Client Command</h3>
+<div id="outline-container-org394328e" class="outline-3">
+<h3 id="org394328e"><span class="section-number-3">12.10.</span> The Client Command</h3>
<div class="outline-text-3" id="text-12-10">
<p>
The <code>client</code> command registers the public key of a client wishing to
<span class="org-string">PublicKey = $core_wg_pubkey</span>
<span class="org-string">AllowedIPs = $core_wg_addr</span>
<span class="org-string">AllowedIPs = $private_net_cidr</span>
+<span class="org-string">AllowedIPs = $wild_net_cidr</span>
<span class="org-string">AllowedIPs = $campus_wg_net_cidr\n"</span>;
write_wg_server (<span class="org-string">"private/front-wg0.conf"</span>, \@<span class="org-perl-non-scalar-variable">member_peers</span>,
<span class="org-keyword">sub</span> <span class="org-function-name">write_wg_client</span> ($$$$$$) {
<span class="org-keyword">my</span> ($<span class="org-variable-name">file</span>, $<span class="org-variable-name">addr</span>, $<span class="org-variable-name">type</span>, $<span class="org-variable-name">pubkey</span>, $<span class="org-variable-name">endpt</span>, $<span class="org-variable-name">server_addr</span>) = @<span class="org-perl-non-scalar-variable">_</span>;
+
<span class="org-keyword">my</span> $<span class="org-variable-name">O</span> = new IO::File;
+ open ($<span class="org-variable-name">O</span>, <span class="org-string">">$file.tmp"</span>) or <span class="org-keyword">die</span> <span class="org-string">"Could not open $file.tmp: $!\n"</span>;
+
<span class="org-keyword">my</span> $<span class="org-variable-name">DNS</span> = ($<span class="org-variable-name">type</span> eq <span class="org-string">"android"</span>
? <span class="org-string">"</span>
-<span class="org-string">DNS=$core_addr\nDomain=$domain_priv"</span>
+<span class="org-string">DNS = $core_addr</span>
+<span class="org-string">Domain = $domain_priv"</span>
: <span class="org-string">"</span>
+<span class="org-string">PostUp = wg set %i private-key /etc/wireguard/private-key</span>
<span class="org-string">PostUp = resolvectl dns %i $core_addr</span>
<span class="org-string">PostUp = resolvectl domain %i $domain_priv"</span>);
- open ($<span class="org-variable-name">O</span>, <span class="org-string">">$file.tmp"</span>) or <span class="org-keyword">die</span> <span class="org-string">"Could not open $file.tmp: $!\n"</span>;
+
+ <span class="org-keyword">my</span> $<span class="org-variable-name">WILD</span> = ($<span class="org-variable-name">file</span> eq <span class="org-string">"public.conf"</span>
+ ? <span class="org-string">"</span>
+<span class="org-string">AllowedIPs = $wild_net_cidr"</span>
+ : <span class="org-string">""</span>);
+
print $<span class="org-variable-name">O</span> <span class="org-string">"[Interface]</span>
-<span class="org-string">Address = $addr</span>
-<span class="org-string">PostUp = wg set %i private-key /etc/wireguard/private-key$DNS</span>
+<span class="org-string">Address = $addr$DNS</span>
<span class="org-string">[Peer]</span>
<span class="org-string">PublicKey = $pubkey</span>
<span class="org-string">EndPoint = $endpt</span>
<span class="org-string">AllowedIPs = $server_addr</span>
-<span class="org-string">AllowedIPs = $private_net_cidr</span>
+<span class="org-string">AllowedIPs = $private_net_cidr$WILD</span>
<span class="org-string">AllowedIPs = $public_wg_net_cidr</span>
<span class="org-string">AllowedIPs = $campus_wg_net_cidr\n"</span>;
close $<span class="org-variable-name">O</span> or <span class="org-keyword">die</span> <span class="org-string">"Could not close $file.tmp: $!\n"</span>;
</div>
</div>
</div>
-<div id="outline-container-org7d2fe25" class="outline-3">
-<h3 id="org7d2fe25"><span class="section-number-3">12.11.</span> Institute Command Help</h3>
+<div id="outline-container-orga55b3de" class="outline-3">
+<h3 id="orga55b3de"><span class="section-number-3">12.11.</span> Institute Command Help</h3>
<div class="outline-text-3" id="text-12-11">
<p>
This should be the last block tangled into the <a href="inst"><q>inst</q></a> script. It
</div>
</div>
</div>
-<div id="outline-container-orga8d5681" class="outline-2">
-<h2 id="orga8d5681"><span class="section-number-2">13.</span> Testing</h2>
+<div id="outline-container-orgf67ef54" class="outline-2">
+<h2 id="orgf67ef54"><span class="section-number-2">13.</span> Testing</h2>
<div class="outline-text-2" id="text-13">
<p>
The example files in this document, <a href="ansible.cfg"><q>ansible.cfg</q></a> and <a href="hosts"><q>hosts</q></a> as well
<p>
The next two sections list the steps taken to create the simulated
Core, Gate and Front machines, and connect them to their networks.
-The process is similar to that described in <a href="#org57d3ea9">The (Actual) Hardware</a>, but
+The process is similar to that described in <a href="#org962f0d4">The (Actual) Hardware</a>, but
is covered in detail here where the VirtualBox hypervisor can be
assumed and exact command lines can be given (and copied during
re-testing). The remaining sections describe the manual testing
site at <a href="https://www.virtualbox.org/manual/UserManual.html">https://www.virtualbox.org/manual/UserManual.html</a>.
</p>
</div>
-<div id="outline-container-orgcfc3e8c" class="outline-3">
-<h3 id="orgcfc3e8c"><span class="section-number-3">13.1.</span> The Test Networks</h3>
+<div id="outline-container-org3772900" class="outline-3">
+<h3 id="org3772900"><span class="section-number-3">13.1.</span> The Test Networks</h3>
<div class="outline-text-3" id="text-13-1">
<p>
The networks used in the test:
</p>
</div>
</div>
-<div id="outline-container-org89cd729" class="outline-3">
-<h3 id="org89cd729"><span class="section-number-3">13.2.</span> The Test Machines</h3>
+<div id="outline-container-org004874d" class="outline-3">
+<h3 id="org004874d"><span class="section-number-3">13.2.</span> The Test Machines</h3>
<div class="outline-text-3" id="text-13-2">
<p>
The virtual machines are created by <code>VBoxManage</code> command lines in the
following sub-sections. They each start with a recent Debian release
(e.g. <q>debian-12.5.0-amd64-netinst.iso</q>) in their simulated DVD
-drives. As in <a href="#org57d3ea9">The Hardware</a> preparation process being simulated, a few
-additional software packages are installed. Unlike in <a href="#org57d3ea9">The Hardware</a>
+drives. As in <a href="#org962f0d4">The Hardware</a> preparation process being simulated, a few
+additional software packages are installed. Unlike in <a href="#org962f0d4">The Hardware</a>
preparation, machines are moved to their final networks and <i>then</i>
remote access is authorized. (They are not accessible via <code>ssh</code> on
the VirtualBox NAT network where they first boot.)
configuration by Ansible.
</p>
</div>
-<div id="outline-container-org30680da" class="outline-4">
-<h4 id="org30680da"><span class="section-number-4">13.2.1.</span> A Test Machine</h4>
+<div id="outline-container-orgdf176b5" class="outline-4">
+<h4 id="orgdf176b5"><span class="section-number-4">13.2.1.</span> A Test Machine</h4>
<div class="outline-text-4" id="text-13-2-1">
<p>
The following shell function contains most of the <code>VBoxManage</code>
</p>
</div>
</div>
-<div id="outline-container-orgf1a67a4" class="outline-4">
-<h4 id="orgf1a67a4"><span class="section-number-4">13.2.2.</span> The Test Front Machine</h4>
+<div id="outline-container-org184f145" class="outline-4">
+<h4 id="org184f145"><span class="section-number-4">13.2.2.</span> The Test Front Machine</h4>
<div class="outline-text-4" id="text-13-2-2">
<p>
The <code>front</code> machine is created with 512MiB of RAM, 4GiB of disk, and
its primary network interface moved to the simulated Internet, the NAT
network <code>premises</code>. <code>front</code> also gets a second network interface, on
the host-only network <code>vboxnet1</code>, to make it directly accessible to
-the administrator's notebook (as described in <a href="#orgcfc3e8c">The Test Networks</a>).
+the administrator's notebook (as described in <a href="#org3772900">The Test Networks</a>).
</p>
<div class="org-src-container">
deployed on a frontier, always in the cloud. Additional Debian
packages are assumed to be readily available. Thus Ansible installs
them as necessary, but first the administrator authorizes remote
-access by following the instructions in the final section: <a href="#org3e563d7">Ansible
+access by following the instructions in the final section: <a href="#orgc72a8cc">Ansible
Test Authorization</a>.
</p>
</div>
</div>
-<div id="outline-container-org6235f19" class="outline-4">
-<h4 id="org6235f19"><span class="section-number-4">13.2.3.</span> The Test Gate Machine</h4>
+<div id="outline-container-org14b4591" class="outline-4">
+<h4 id="org14b4591"><span class="section-number-4">13.2.3.</span> The Test Gate Machine</h4>
<div class="outline-text-4" id="text-13-2-3">
<p>
The <code>gate</code> machine is created with the same amount of RAM and disk as
</div>
<p>
-After Debian is installed (as detailed in <a href="#org30680da">A Test Machine</a>) and the
+After Debian is installed (as detailed in <a href="#orgdf176b5">A Test Machine</a>) and the
machine rebooted, the administrator logs in and installs several
additional software packages.
</p>
<p>
Finally, the administrator authorizes remote access by following the
-instructions in the final section: <a href="#org3e563d7">Ansible Test Authorization</a>.
+instructions in the final section: <a href="#orgc72a8cc">Ansible Test Authorization</a>.
</p>
</div>
</div>
-<div id="outline-container-org0e7ee6b" class="outline-4">
-<h4 id="org0e7ee6b"><span class="section-number-4">13.2.4.</span> The Test Core Machine</h4>
+<div id="outline-container-org4ce7a4d" class="outline-4">
+<h4 id="org4ce7a4d"><span class="section-number-4">13.2.4.</span> The Test Core Machine</h4>
<div class="outline-text-4" id="text-13-2-4">
<p>
The <code>core</code> machine is created with 1GiB of RAM and 6GiB of disk.
</div>
<p>
-After Debian is installed (as detailed in <a href="#org30680da">A Test Machine</a>) and the
+After Debian is installed (as detailed in <a href="#orgdf176b5">A Test Machine</a>) and the
machine rebooted, the administrator logs in and installs several
additional software packages.
</p>
<p>
Finally, the administrator authorizes remote access by following the
-instructions in the next section: <a href="#org3e563d7">Ansible Test Authorization</a>.
+instructions in the next section: <a href="#orgc72a8cc">Ansible Test Authorization</a>.
</p>
</div>
</div>
-<div id="outline-container-org3e563d7" class="outline-4">
-<h4 id="org3e563d7"><span class="section-number-4">13.2.5.</span> Ansible Test Authorization</h4>
+<div id="outline-container-orgc72a8cc" class="outline-4">
+<h4 id="orgc72a8cc"><span class="section-number-4">13.2.5.</span> Ansible Test Authorization</h4>
<div class="outline-text-4" id="text-13-2-5">
<p>
To authorize Ansible's access to the three test machines, they must
</div>
</div>
</div>
-<div id="outline-container-org4e86447" class="outline-3">
-<h3 id="org4e86447"><span class="section-number-3">13.3.</span> Configure Test Machines</h3>
+<div id="outline-container-org317a41d" class="outline-3">
+<h3 id="org317a41d"><span class="section-number-3">13.3.</span> Configure Test Machines</h3>
<div class="outline-text-3" id="text-13-3">
<p>
At this point the three test machines <code>core</code>, <code>gate</code>, and <code>front</code> are
</p>
</div>
</div>
-<div id="outline-container-orgcb89ffe" class="outline-3">
-<h3 id="orgcb89ffe"><span class="section-number-3">13.4.</span> Test Basics</h3>
+<div id="outline-container-orgafd4ed0" class="outline-3">
+<h3 id="orgafd4ed0"><span class="section-number-3">13.4.</span> Test Basics</h3>
<div class="outline-text-3" id="text-13-4">
<p>
At this point the test institute is just <code>core</code>, <code>gate</code> and <code>front</code>,
</p>
</div>
</div>
-<div id="outline-container-org3b8e997" class="outline-3">
-<h3 id="org3b8e997"><span class="section-number-3">13.5.</span> The Test Nextcloud</h3>
+<div id="outline-container-org7b9faa6" class="outline-3">
+<h3 id="org7b9faa6"><span class="section-number-3">13.5.</span> The Test Nextcloud</h3>
<div class="outline-text-3" id="text-13-5">
<p>
Further tests involve Nextcloud account management. Nextcloud is
-installed on <code>core</code> as described in <a href="#org3111e22">Configure Nextcloud</a>. Once
+installed on <code>core</code> as described in <a href="#org7addaa6">Configure Nextcloud</a>. Once
<q>/Nextcloud/</q> is created, <code>./inst config core</code> will validate
or update its configuration files.
</p>
</p>
</div>
</div>
-<div id="outline-container-org0e1ad1f" class="outline-3">
-<h3 id="org0e1ad1f"><span class="section-number-3">13.6.</span> Test New Command</h3>
+<div id="outline-container-org9f3a7d2" class="outline-3">
+<h3 id="org9f3a7d2"><span class="section-number-3">13.6.</span> Test New Command</h3>
<div class="outline-text-3" id="text-13-6">
<p>
A member must be enrolled so that a member's client machine can be
</p>
</div>
</div>
-<div id="outline-container-orgdda6ed3" class="outline-3">
-<h3 id="orgdda6ed3"><span class="section-number-3">13.7.</span> The Test Member Notebook</h3>
+<div id="outline-container-org59da489" class="outline-3">
+<h3 id="org59da489"><span class="section-number-3">13.7.</span> The Test Member Notebook</h3>
<div class="outline-text-3" id="text-13-7">
<p>
A test member's notebook is created next, much like the servers,
</p>
<p>
-Debian is installed much as detailed in <a href="#org30680da">A Test Machine</a> <i>except</i> that
+Debian is installed much as detailed in <a href="#orgdf176b5">A Test Machine</a> <i>except</i> that
the SSH server option is <i>not</i> needed and the GNOME desktop option
<i>is</i>. When the machine reboots, the administrator logs into the
desktop and installs a couple additional software packages (which
</div>
</div>
</div>
-<div id="outline-container-org8280fc9" class="outline-3">
-<h3 id="org8280fc9"><span class="section-number-3">13.8.</span> Test Client Command</h3>
+<div id="outline-container-org2e42cab" class="outline-3">
+<h3 id="org2e42cab"><span class="section-number-3">13.8.</span> Test Client Command</h3>
<div class="outline-text-3" id="text-13-8">
<p>
The <code>./inst client</code> command is used to register the public key of a
</div>
</div>
</div>
-<div id="outline-container-orgd875b15" class="outline-3">
-<h3 id="orgd875b15"><span class="section-number-3">13.9.</span> Test Campus WireGuard™ Subnet</h3>
+<div id="outline-container-org749b7ef" class="outline-3">
+<h3 id="org749b7ef"><span class="section-number-3">13.9.</span> Test Campus WireGuard™ Subnet</h3>
<div class="outline-text-3" id="text-13-9">
<p>
-The <q>campus.conf</q> WireGuard™ configuration file (generated in <a href="#org8280fc9">Test
+The <q>campus.conf</q> WireGuard™ configuration file (generated in <a href="#org2e42cab">Test
Client Command</a>) is transferred to <code>dick</code>, which is at the Wi-Fi access
point's IP address, host 2 on the wild Ethernet.
</p>
</div>
</div>
</div>
-<div id="outline-container-org2b00513" class="outline-3">
-<h3 id="org2b00513"><span class="section-number-3">13.10.</span> Test Web Pages</h3>
+<div id="outline-container-orga2f0d71" class="outline-3">
+<h3 id="orga2f0d71"><span class="section-number-3">13.10.</span> Test Web Pages</h3>
<div class="outline-text-3" id="text-13-10">
<p>
Next, the administrator copies <a href="Backup/WWW/"><q>Backup/WWW/</q></a> (included in the
</p>
</div>
</div>
-<div id="outline-container-orgbebf323" class="outline-3">
-<h3 id="orgbebf323"><span class="section-number-3">13.11.</span> Test Web Update</h3>
+<div id="outline-container-orgacf8e99" class="outline-3">
+<h3 id="orgacf8e99"><span class="section-number-3">13.11.</span> Test Web Update</h3>
<div class="outline-text-3" id="text-13-11">
<p>
Modify <q>/WWW/live/index.html</q> on <code>core</code> and wait 15 minutes for it to
</p>
</div>
</div>
-<div id="outline-container-org4eae141" class="outline-3">
-<h3 id="org4eae141"><span class="section-number-3">13.12.</span> Test Nextcloud</h3>
+<div id="outline-container-orgdb60804" class="outline-3">
+<h3 id="orgdb60804"><span class="section-number-3">13.12.</span> Test Nextcloud</h3>
<div class="outline-text-3" id="text-13-12">
<p>
Nextcloud is typically installed and configured <i>after</i> the first
installation directory <q>/Nextcloud/nextcloud/</q> appears, the Ansible
code skips parts of the Nextcloud configuration. The same
installation (or restoration) process used on Core is used on <code>core</code>
-to create <q>/Nextcloud/</q>. The process starts with <a href="#org1719aaf">Create
-<q>/Nextcloud/</q></a>, involves <a href="#org8faa166">Restore Nextcloud</a> or <a href="#org853444f">Install Nextcloud</a>,
-and runs <code>./inst config core</code> again <a href="#org13ad5d8">8.23.6</a>. When the <code>./inst
+to create <q>/Nextcloud/</q>. The process starts with <a href="#orgcb7a84e">Create
+<q>/Nextcloud/</q></a>, involves <a href="#org5825d2f">Restore Nextcloud</a> or <a href="#org8f9d1d3">Install Nextcloud</a>,
+and runs <code>./inst config core</code> again <a href="#org7bf8385">8.23.6</a>. When the <code>./inst
config core</code> command is happy with the Nextcloud configuration on
<code>core</code>, the administrator uses Dick's notebook to test it, performing
the following tests on <code>dick</code>'s desktop.
</ul>
</div>
</div>
-<div id="outline-container-org0a29b08" class="outline-3">
-<h3 id="org0a29b08"><span class="section-number-3">13.13.</span> Test Email</h3>
+<div id="outline-container-org19dd1f6" class="outline-3">
+<h3 id="org19dd1f6"><span class="section-number-3">13.13.</span> Test Email</h3>
<div class="outline-text-3" id="text-13-13">
<p>
With Evolution running on the member notebook <code>dick</code>, one second email
</p>
</div>
</div>
-<div id="outline-container-orge312d2d" class="outline-3">
-<h3 id="orge312d2d"><span class="section-number-3">13.14.</span> Test Public VPN</h3>
+<div id="outline-container-orgdea634f" class="outline-3">
+<h3 id="orgdea634f"><span class="section-number-3">13.14.</span> Test Public VPN</h3>
<div class="outline-text-3" id="text-13-14">
<p>
At this point, <code>dick</code> can move abroad, from the campus Wi-Fi
</p>
</div>
</div>
-<div id="outline-container-org5ac3f0f" class="outline-3">
-<h3 id="org5ac3f0f"><span class="section-number-3">13.15.</span> Test Pass Command</h3>
+<div id="outline-container-org0df30af" class="outline-3">
+<h3 id="org0df30af"><span class="section-number-3">13.15.</span> Test Pass Command</h3>
<div class="outline-text-3" id="text-13-15">
<p>
To test the <code>./inst pass</code> command, the administrator logs in to <code>core</code>
</p>
</div>
</div>
-<div id="outline-container-orgb6bc3db" class="outline-3">
-<h3 id="orgb6bc3db"><span class="section-number-3">13.16.</span> Test Old Command</h3>
+<div id="outline-container-orgcba4b86" class="outline-3">
+<h3 id="orgcba4b86"><span class="section-number-3">13.16.</span> Test Old Command</h3>
<div class="outline-text-3" id="text-13-16">
<p>
One more institute command is left to exercise. The administrator
</div>
</div>
</div>
-<div id="outline-container-org0616bfd" class="outline-2">
-<h2 id="org0616bfd"><span class="section-number-2">14.</span> Future Work</h2>
+<div id="outline-container-org7cfe8df" class="outline-2">
+<h2 id="org7cfe8df"><span class="section-number-2">14.</span> Future Work</h2>
<div class="outline-text-2" id="text-14">
<p>
The small institute's network, as currently defined in this doocument,
is lacking in a number of respects.
</p>
</div>
-<div id="outline-container-org4857845" class="outline-3">
-<h3 id="org4857845"><span class="section-number-3">14.1.</span> Deficiencies</h3>
+<div id="outline-container-org93afc94" class="outline-3">
+<h3 id="org93afc94"><span class="section-number-3">14.1.</span> Deficiencies</h3>
<div class="outline-text-3" id="text-14-1">
<p>
The current network monitoring is rudimentary. It could use some
</p>
</div>
</div>
-<div id="outline-container-orgc2fbf21" class="outline-3">
-<h3 id="orgc2fbf21"><span class="section-number-3">14.2.</span> More Tests</h3>
+<div id="outline-container-org7c83950" class="outline-3">
+<h3 id="org7c83950"><span class="section-number-3">14.2.</span> More Tests</h3>
<div class="outline-text-3" id="text-14-2">
<p>
The testing process described in the previous chapter is far from
complete. Additional tests are needed.
</p>
</div>
-<div id="outline-container-orgcaade5f" class="outline-4">
-<h4 id="orgcaade5f"><span class="section-number-4">14.2.1.</span> Backup</h4>
+<div id="outline-container-org0ddb484" class="outline-4">
+<h4 id="org0ddb484"><span class="section-number-4">14.2.1.</span> Backup</h4>
<div class="outline-text-4" id="text-14-2-1">
<p>
The <code>backup</code> command has not been tested. It needs an encrypted
</p>
</div>
</div>
-<div id="outline-container-orgc12a837" class="outline-4">
-<h4 id="orgc12a837"><span class="section-number-4">14.2.2.</span> Restore</h4>
+<div id="outline-container-org2771684" class="outline-4">
+<h4 id="org2771684"><span class="section-number-4">14.2.2.</span> Restore</h4>
<div class="outline-text-4" id="text-14-2-2">
<p>
The restore process has not been tested. It might just copy <a href="Backup/"><q>Backup/</q></a>
</p>
</div>
</div>
-<div id="outline-container-org42eec2e" class="outline-4">
-<h4 id="org42eec2e"><span class="section-number-4">14.2.3.</span> Campus Disconnect</h4>
+<div id="outline-container-orgc7e73d4" class="outline-4">
+<h4 id="orgc7e73d4"><span class="section-number-4">14.2.3.</span> Campus Disconnect</h4>
<div class="outline-text-4" id="text-14-2-3">
<p>
Email access (IMAPS) on <code>front</code> is… difficult to test unless
</div>
</div>
</div>
-<div id="outline-container-org5c83290" class="outline-2">
-<h2 id="org5c83290"><span class="section-number-2">15.</span> Appendix: The Bootstrap</h2>
+<div id="outline-container-orgf04e6a8" class="outline-2">
+<h2 id="orgf04e6a8"><span class="section-number-2">15.</span> Appendix: The Bootstrap</h2>
<div class="outline-text-2" id="text-15">
<p>
Creating the private network from whole cloth (machines with recent
get to the additional packages.
</p>
</div>
-<div id="outline-container-org0d972ae" class="outline-3">
-<h3 id="org0d972ae"><span class="section-number-3">15.1.</span> The Current Strategy</h3>
+<div id="outline-container-org0f6bea1" class="outline-3">
+<h3 id="org0f6bea1"><span class="section-number-3">15.1.</span> The Current Strategy</h3>
<div class="outline-text-3" id="text-15-1">
<p>
-The strategy pursued in <a href="#org57d3ea9">The Hardware</a> is two phase: prepare the servers
+The strategy pursued in <a href="#org962f0d4">The Hardware</a> is two phase: prepare the servers
on the Internet where additional packages are accessible, then connect
them to the campus facilities (the private Ethernet switch, Wi-Fi AP,
ISP), manually configure IP addresses (while the DHCP client silently
</p>
</div>
</div>
-<div id="outline-container-org24f51b4" class="outline-3">
-<h3 id="org24f51b4"><span class="section-number-3">15.2.</span> Starting With Gate</h3>
+<div id="outline-container-orgb02e215" class="outline-3">
+<h3 id="orgb02e215"><span class="section-number-3">15.2.</span> Starting With Gate</h3>
<div class="outline-text-3" id="text-15-2">
<p>
The strategy of Starting With Gate concentrates on configuring Gate's
</ul>
</div>
</div>
-<div id="outline-container-org5f6329f" class="outline-3">
-<h3 id="org5f6329f"><span class="section-number-3">15.3.</span> Pre-provision With Ansible</h3>
+<div id="outline-container-orgc037db8" class="outline-3">
+<h3 id="orgc037db8"><span class="section-number-3">15.3.</span> Pre-provision With Ansible</h3>
<div class="outline-text-3" id="text-15-3">
<p>
A refinement of the current strategy might avoid the need to maintain
</div></div>
<div id="postamble" class="status">
<p class="author">Author: Matt Birkholz</p>
-<p class="date">Created: 2025-06-15 Sun 19:03</p>
+<p class="date">Created: 2025-06-28 Sat 10:50</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>
projects / Institute / commitdiff