"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
-<!-- 2025-06-15 Sun 19:03 -->
+<!-- 2025-06-28 Sat 10:20 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Birchwood Abbey Networks</title>
the <code>abbey-</code> prefix on their names. These roles are applied <i>after</i>
the generic institutional roles (again, documented <a href="Institute/README.html">here</a>).
</p>
-<div id="outline-container-orga6df532" class="outline-2">
-<h2 id="orga6df532"><span class="section-number-2">1.</span> Overview</h2>
+<div id="outline-container-org72f2a81" class="outline-2">
+<h2 id="org72f2a81"><span class="section-number-2">1.</span> Overview</h2>
<div class="outline-text-2" id="text-1">
<p>
A Small Institute makes security and privacy top priorities but
philosophy, attitude.
</p>
-<pre class="example" id="org7d85411">
+<pre class="example" id="orgb282f17">
|
=
_|||_
</pre>
</div>
</div>
-<div id="outline-container-org79594b3" class="outline-2">
-<h2 id="org79594b3"><span class="section-number-2">2.</span> The Abbey Particulars</h2>
+<div id="outline-container-orgdb9bfe4" class="outline-2">
+<h2 id="orgdb9bfe4"><span class="section-number-2">2.</span> The Abbey Particulars</h2>
<div class="outline-text-2" id="text-2">
<p>
The abbey's public particulars are included below. They are the
</p>
</div>
</div>
-<div id="outline-container-orgcc08dbd" class="outline-2">
-<h2 id="orgcc08dbd"><span class="section-number-2">3.</span> The Abbey Front Role</h2>
+<div id="outline-container-org9beb2ff" class="outline-2">
+<h2 id="org9beb2ff"><span class="section-number-2">3.</span> The Abbey Front Role</h2>
<div class="outline-text-2" id="text-3">
<p>
Birchwood Abbey's front door is a Digital Ocean Droplet configured as
Dovecot-IMAPd, and hosting a VPN with WireGuard™.
</p>
</div>
-<div id="outline-container-orgd6430fd" class="outline-3">
-<h3 id="orgd6430fd"><span class="section-number-3">3.1.</span> Install Emacs</h3>
+<div id="outline-container-org6908bc1" class="outline-3">
+<h3 id="org6908bc1"><span class="section-number-3">3.1.</span> Install Emacs</h3>
<div class="outline-text-3" id="text-3-1">
<p>
The monks of the abbey are masters of the staff (bo) and Emacs.
</div>
</div>
</div>
-<div id="outline-container-org66bcea1" class="outline-3">
-<h3 id="org66bcea1"><span class="section-number-3">3.2.</span> Configure Public Email Aliases</h3>
+<div id="outline-container-org20003f9" class="outline-3">
+<h3 id="org20003f9"><span class="section-number-3">3.2.</span> Configure Public Email Aliases</h3>
<div class="outline-text-3" id="text-3-2">
<p>
The abbey uses several additional email aliases. These are the public
</div>
</div>
</div>
-<div id="outline-container-orgeda97e9" class="outline-3">
-<h3 id="orgeda97e9"><span class="section-number-3">3.3.</span> Configure Git Daemon on Front</h3>
+<div id="outline-container-orgf31d164" class="outline-3">
+<h3 id="orgf31d164"><span class="section-number-3">3.3.</span> Configure Git Daemon on Front</h3>
<div class="outline-text-3" id="text-3-3">
<p>
The abbey publishes member Git repositories with <code>git-daemon</code>. If
</div>
<div class="org-src-container">
-<code>git-tasks</code><pre class="src src-conf" id="org9fbb6b9"><code>- name: Install git daemon.
+<code>git-tasks</code><pre class="src src-conf" id="orgb6bf8d6"><code>- name: Install git daemon.
become: yes
<span class="org-variable-name">apt: pkg</span>=git-daemon-sysvinit
</div>
<div class="org-src-container">
-<code>git-handlers</code><pre class="src src-conf" id="org5bfdb88"><code>
+<code>git-handlers</code><pre class="src src-conf" id="orgedf9619"><code>
- name: Restart git daemon.
become: yes
command: systemctl restart git-daemon
</div>
</div>
</div>
-<div id="outline-container-orgd473c7b" class="outline-3">
-<h3 id="orgd473c7b"><span class="section-number-3">3.4.</span> Configure Gitweb on Front</h3>
+<div id="outline-container-org3676eb0" class="outline-3">
+<h3 id="org3676eb0"><span class="section-number-3">3.4.</span> Configure Gitweb on Front</h3>
<div class="outline-text-3" id="text-3-4">
<p>
The abbey provides an HTML interface to members' public Git
</p>
<div class="org-src-container">
-<code>apache-gitweb</code><pre class="src src-conf" id="orgba5d06a"><code>
+<code>apache-gitweb</code><pre class="src src-conf" id="org25b7a17"><code>
Alias /gitweb-static/ /usr/share/gitweb/static/
<Directory <span class="org-string">"/usr/share/gitweb/static/"</span>>
Options MultiViews
</p>
<div class="org-src-container">
-<code>apache-gitweb-tasks</code><pre class="src src-conf" id="orgb0b9652"><code>- name: Enable Apache2 rewrite module for Gitweb.
+<code>apache-gitweb-tasks</code><pre class="src src-conf" id="org2cd63c6"><code>- name: Enable Apache2 rewrite module for Gitweb.
become: yes
<span class="org-variable-name">apache2_module: name</span>=rewrite
notify: Restart Apache2.
</div>
<div class="org-src-container">
-<code>apache-gitweb-handlers</code><pre class="src src-conf" id="orgaa60cf9"><code>- name: Restart Apache2.
+<code>apache-gitweb-handlers</code><pre class="src src-conf" id="org3c5b536"><code>- name: Restart Apache2.
become: yes
systemd:
service: apache2
</div>
</div>
</div>
-<div id="outline-container-orgedf57d5" class="outline-3">
-<h3 id="orgedf57d5"><span class="section-number-3">3.5.</span> Configure Apache for Abbey Documentation</h3>
+<div id="outline-container-org96d5438" class="outline-3">
+<h3 id="org96d5438"><span class="section-number-3">3.5.</span> Configure Apache for Abbey Documentation</h3>
<div class="outline-text-3" id="text-3-5">
<p>
Some of the directives added to the <q>-vhost.conf</q> file are needed by
</p>
<div class="org-src-container">
-<code>apache-abbey</code><pre class="src src-conf" id="org9b93181"><code><Directory {{ docroot }}/Abbey/>
+<code>apache-abbey</code><pre class="src src-conf" id="org3a64015"><code><Directory {{ docroot }}/Abbey/>
AllowOverride Indexes FileInfo
Options +Indexes +FollowSymLinks
</Directory>
</div>
</div>
</div>
-<div id="outline-container-orgfb00830" class="outline-3">
-<h3 id="orgfb00830"><span class="section-number-3">3.6.</span> Configure Photos URLs on Front</h3>
+<div id="outline-container-orgd31779a" class="outline-3">
+<h3 id="orgd31779a"><span class="section-number-3">3.6.</span> Configure Photos URLs on Front</h3>
<div class="outline-text-3" id="text-3-6">
<p>
Some of the directives added to the <q>-vhost.conf</q> file map the abbey's
</p>
<div class="org-src-container">
-<code>apache-photos</code><pre class="src src-conf" id="orge3ab136"><code>
+<code>apache-photos</code><pre class="src src-conf" id="org5e8bcd5"><code>
RedirectMatch /Photos$ /Photos/
RedirectMatch /Photos/(20[0-9][0-9])_([0-9][0-9])_([0-9][0-9])$ \
/Photos/$1_$2_$3/
</div>
</div>
</div>
-<div id="outline-container-org68934ac" class="outline-3">
-<h3 id="org68934ac"><span class="section-number-3">3.7.</span> Configure Apache on Front</h3>
+<div id="outline-container-orge3def31" class="outline-3">
+<h3 id="orge3def31"><span class="section-number-3">3.7.</span> Configure Apache on Front</h3>
<div class="outline-text-3" id="text-3-7">
<p>
The abbey needs to add some Apache2 configuration directives to the
</p>
<p>
-The following task adds the <a href="#org9b93181"><code>apache-abbey</code></a>, <a href="#orge3ab136"><code>apache-photos</code></a>, and
-<a href="#orgba5d06a"><code>apache-gitweb</code></a> directives described above to the <q>-vhost.conf</q> file,
+The following task adds the <a href="#org3a64015"><code>apache-abbey</code></a>, <a href="#org5e8bcd5"><code>apache-photos</code></a>, and
+<a href="#org25b7a17"><code>apache-gitweb</code></a> directives described above to the <q>-vhost.conf</q> file,
and includes <q>options-ssl-apache.conf</q> from <q>/etc/letsencrypt/</q>. The
rest of the Let's Encrypt configuration is discussed in the following
-<a href="#org53412cf">Install Let's Encrypt</a> section.
+<a href="#org9321d16">Install Let's Encrypt</a> section.
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-org09125a0" class="outline-3">
-<h3 id="org09125a0"><span class="section-number-3">3.8.</span> Configure Apache Log Archival</h3>
+<div id="outline-container-orgbe9af35" class="outline-3">
+<h3 id="orgbe9af35"><span class="section-number-3">3.8.</span> Configure Apache Log Archival</h3>
<div class="outline-text-3" id="text-3-8">
<p>
These tasks hack Apache's <code>logrotate(8)</code> configuration to rotate
</div>
</div>
</div>
-<div id="outline-container-org53412cf" class="outline-3">
-<h3 id="org53412cf"><span class="section-number-3">3.9.</span> Install Let's Encrypt</h3>
+<div id="outline-container-org9321d16" class="outline-3">
+<h3 id="org9321d16"><span class="section-number-3">3.9.</span> Install Let's Encrypt</h3>
<div class="outline-text-3" id="text-3-9">
<p>
The abbey uses a Let's Encrypt certificate to authenticate its public
entered as shown below).
</p>
-<pre class="example" id="org0401ab6">
+<pre class="example" id="org1e14258">
$ sudo apt install python3-certbot-apache
$ sudo certbot --apache -d birchwood-abbey.net
...
</div>
</div>
</div>
-<div id="outline-container-org68bbd4b" class="outline-3">
-<h3 id="org68bbd4b"><span class="section-number-3">3.10.</span> Rotate Let's Encrypt Log</h3>
+<div id="outline-container-org03732f1" class="outline-3">
+<h3 id="org03732f1"><span class="section-number-3">3.10.</span> Rotate Let's Encrypt Log</h3>
<div class="outline-text-3" id="text-3-10">
<p>
The following task arranges to rotate Certbot's logs files.
</div>
</div>
</div>
-<div id="outline-container-orgaee4bf6" class="outline-3">
-<h3 id="orgaee4bf6"><span class="section-number-3">3.11.</span> Archive Let's Encrypt Data</h3>
+<div id="outline-container-org050dd82" class="outline-3">
+<h3 id="org050dd82"><span class="section-number-3">3.11.</span> Archive Let's Encrypt Data</h3>
<div class="outline-text-3" id="text-3-11">
<p>
A backup copy of Let's Encrypt's data (<q>/etc/letsencrypt/</q>) is sent to
</div>
</div>
</div>
-<div id="outline-container-org8fe73e2" class="outline-2">
-<h2 id="org8fe73e2"><span class="section-number-2">4.</span> The Abbey Core Role</h2>
+<div id="outline-container-orga42d8f6" class="outline-2">
+<h2 id="orga42d8f6"><span class="section-number-2">4.</span> The Abbey Core Role</h2>
<div class="outline-text-2" id="text-4">
<p>
Birchwood Abbey's core is a mini-PC (System76 Meerkat) configured as A
NTP, DNS and DHCP.
</p>
</div>
-<div id="outline-container-orge341d62" class="outline-3">
-<h3 id="orge341d62"><span class="section-number-3">4.1.</span> Include Abbey Variables</h3>
+<div id="outline-container-org7b811a3" class="outline-3">
+<h3 id="org7b811a3"><span class="section-number-3">4.1.</span> Include Abbey Variables</h3>
<div class="outline-text-3" id="text-4-1">
<p>
In this abbey specific document, most abbey particulars are not
</div>
</div>
</div>
-<div id="outline-container-org2531fd3" class="outline-3">
-<h3 id="org2531fd3"><span class="section-number-3">4.2.</span> Install Additional Packages</h3>
+<div id="outline-container-org473d23f" class="outline-3">
+<h3 id="org473d23f"><span class="section-number-3">4.2.</span> Install Additional Packages</h3>
<div class="outline-text-3" id="text-4-2">
<p>
The scripts that maintain the abbey's web site use a number of
</div>
</div>
</div>
-<div id="outline-container-org8570a37" class="outline-3">
-<h3 id="org8570a37"><span class="section-number-3">4.3.</span> Configure Private Email Aliases</h3>
+<div id="outline-container-orgc7ba6be" class="outline-3">
+<h3 id="orgc7ba6be"><span class="section-number-3">4.3.</span> Configure Private Email Aliases</h3>
<div class="outline-text-3" id="text-4-3">
<p>
The abbey uses several additional email aliases. These are the campus
</div>
</div>
</div>
-<div id="outline-container-org3db8645" class="outline-3">
-<h3 id="org3db8645"><span class="section-number-3">4.4.</span> Configure Git Daemon on Core</h3>
+<div id="outline-container-orgd429101" class="outline-3">
+<h3 id="orgd429101"><span class="section-number-3">4.4.</span> Configure Git Daemon on Core</h3>
<div class="outline-text-3" id="text-4-4">
<p>
These tasks are identical to those executed on Front, for similar Git
-services on Front and Core. See <a href="#orgeda97e9">3.3</a> and
-<a href="#orgd473c7b">Configure Gitweb on Front</a> for more information.
+services on Front and Core. See <a href="#orgf31d164">3.3</a> and
+<a href="#org3676eb0">Configure Gitweb on Front</a> for more information.
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-org5d8b13e" class="outline-3">
-<h3 id="org5d8b13e"><span class="section-number-3">4.5.</span> Configure Apache on Core</h3>
+<div id="outline-container-org410f9f6" class="outline-3">
+<h3 id="org410f9f6"><span class="section-number-3">4.5.</span> Configure Apache on Core</h3>
<div class="outline-text-3" id="text-4-5">
<p>
The Apache2 configuration on Core specifies three web sites (live,
test, and campus). The live and test sites must operate just like the
-site on Front. Their configurations include the same <a href="#org9b93181"><code>apache-abbey</code></a>,
-<a href="#orge3ab136"><code>apache-photos</code></a>, and <a href="#orgba5d06a"><code>apache-gitweb</code></a> used on Front.
+site on Front. Their configurations include the same <a href="#org3a64015"><code>apache-abbey</code></a>,
+<a href="#org5e8bcd5"><code>apache-photos</code></a>, and <a href="#org25b7a17"><code>apache-gitweb</code></a> used on Front.
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-org9eb5aff" class="outline-3">
-<h3 id="org9eb5aff"><span class="section-number-3">4.6.</span> Configure Documentation URLs</h3>
+<div id="outline-container-orgca2be09" class="outline-3">
+<h3 id="orgca2be09"><span class="section-number-3">4.6.</span> Configure Documentation URLs</h3>
<div class="outline-text-3" id="text-4-6">
<p>
The institute serves its <q>/usr/share/doc/</q> on the house (campus) web
site. This is a debugging convenience, making some HTML documentation
more accessible, especially the documentation of software installed on
Core and not on typical desktop clients. Also included: the Apache2
-directives that enable user Git publishing with Gitweb (defined <a href="#orgba5d06a">here</a>).
+directives that enable user Git publishing with Gitweb (defined <a href="#org25b7a17">here</a>).
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-org528d61f" class="outline-3">
-<h3 id="org528d61f"><span class="section-number-3">4.7.</span> Install Apt Cacher</h3>
+<div id="outline-container-orgd60b480" class="outline-3">
+<h3 id="orgd60b480"><span class="section-number-3">4.7.</span> Install Apt Cacher</h3>
<div class="outline-text-3" id="text-4-7">
<p>
The abbey uses the Apt-Cacher:TNG package cache on Core. The
</div>
</div>
</div>
-<div id="outline-container-org58e2e8c" class="outline-3">
-<h3 id="org58e2e8c"><span class="section-number-3">4.8.</span> Use Cloister Apt Cache</h3>
+<div id="outline-container-orgfa610b7" class="outline-3">
+<h3 id="orgfa610b7"><span class="section-number-3">4.8.</span> Use Cloister Apt Cache</h3>
<div class="outline-text-3" id="text-4-8">
<p>
Core itself will benefit from using the package cache, but should
</div>
</div>
</div>
-<div id="outline-container-org34a50b0" class="outline-3">
-<h3 id="org34a50b0"><span class="section-number-3">4.9.</span> Configure NAGIOS</h3>
+<div id="outline-container-orgdf4eb24" class="outline-3">
+<h3 id="orgdf4eb24"><span class="section-number-3">4.9.</span> Configure NAGIOS</h3>
<div class="outline-text-3" id="text-4-9">
<p>
A small institute uses <code>nagios4</code> to monitor the health of its network,
</p>
</div>
</div>
-<div id="outline-container-orgb2990be" class="outline-3">
-<h3 id="orgb2990be"><span class="section-number-3">4.10.</span> Monitoring The Home Disk</h3>
+<div id="outline-container-org146dc9e" class="outline-3">
+<h3 id="org146dc9e"><span class="section-number-3">4.10.</span> Monitoring The Home Disk</h3>
<div class="outline-text-3" id="text-4-10">
<p>
The abbey adds monitoring of the space remaining on the volume at
</div>
</div>
</div>
-<div id="outline-container-orgc2b9051" class="outline-3">
-<h3 id="orgc2b9051"><span class="section-number-3">4.11.</span> Custom NAGIOS Monitor <code>abbey_pisensors</code></h3>
+<div id="outline-container-org5e1a346" class="outline-3">
+<h3 id="org5e1a346"><span class="section-number-3">4.11.</span> Custom NAGIOS Monitor <code>abbey_pisensors</code></h3>
<div class="outline-text-3" id="text-4-11">
<p>
The <code>check_sensors</code> plugin is included in the package
</div>
</div>
</div>
-<div id="outline-container-org642d0e3" class="outline-3">
-<h3 id="org642d0e3"><span class="section-number-3">4.12.</span> Monitoring The Cloister</h3>
+<div id="outline-container-org2c09b2a" class="outline-3">
+<h3 id="org2c09b2a"><span class="section-number-3">4.12.</span> Monitoring The Cloister</h3>
<div class="outline-text-3" id="text-4-12">
<p>
-The abbey adds monitoring for more servers: Kamino, Kessel, and Ord
-Mantell. They are <code>abbey-cloister</code> servers, so they are configured as
-small institute <code>campus</code> servers, like Gate, with an NRPE (a NAGIOS
-Remote Plugin Executor) server and an <code>inst_sensors</code> command.
+The abbey adds monitoring for more servers: Kessel, and Ord Mantell.
+They are <code>abbey-cloister</code> servers, so they are configured as small
+institute <code>campus</code> servers, like Gate, with an NRPE (a NAGIOS Remote
+Plugin Executor) server and an <code>inst_sensors</code> command.
</p>
<p>
The configurations for the servers are very similar to Gate's, but are
-idiosyncratically in flux. In particular, Kamino does not irritate
-<code>check_total_procs</code>, yet Kessel does. Both are Pop!_OS 22.04, but
-Kessel is a wireless host while Kamino is wired. Ord Mantell, the
-Raspberry Pi OS (ARM64) machine, uses the <code>abbey_pisensors</code> monitor.
+idiosyncratically in flux. For example Ord Mantell, the Raspberry Pi
+OS (ARM64) machine, uses the <code>abbey_pisensors</code> monitor.
</p>
</div>
-<div id="outline-container-org6795d73" class="outline-4">
-<h4 id="org6795d73"><span class="section-number-4">4.12.1.</span> Cloister Network Addresses</h4>
+<div id="outline-container-org63753cf" class="outline-4">
+<h4 id="org63753cf"><span class="section-number-4">4.12.1.</span> Cloister Network Addresses</h4>
<div class="outline-text-4" id="text-4-12-1">
<p>
The IP addresses of all three hosts are nice to use in the NAGIOS
<div class="org-src-container">
<a href="private_ex/vars-abbey.yml"><q>private_ex/vars-abbey.yml</q></a><pre class="src src-conf"><code>---
-kamino_addr: 192.168.56.14
kessel_addr: 10.84.138.8
ord_mantell_addr: 10.84.138.10
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-org6668a38" class="outline-4">
-<h4 id="org6668a38"><span class="section-number-4">4.12.2.</span> Installing NAGIOS Configurations</h4>
+<div id="outline-container-org35e5ab4" class="outline-4">
+<h4 id="org35e5ab4"><span class="section-number-4">4.12.2.</span> Installing NAGIOS Configurations</h4>
<div class="outline-text-4" id="text-4-12-2">
<p>
-The following task installs each host's NAGIOS configuration. Note
-that Kamino is not included. It is currently unmonitored as it is now
-rarely powered up.
+The following task installs each host's NAGIOS configuration.
</p>
<div class="org-src-container">
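Review bot: The unchanged sentence under 4.12.1, "The IP addresses of all three hosts are nice to use in the NAGIOS", looks stale now that `kamino_addr` is dropped from private_ex/vars-abbey.yml and only Kessel and Ord Mantell remain; it should be updated to match the two remaining hosts. In the rewritten 4.12 paragraph, "Kessel, and Ord Mantell" no longer needs the comma, since the list is down to two items.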
</div>
</div>
</div>
-<div id="outline-container-org295bf62" class="outline-4">
-<h4 id="org295bf62"><span class="section-number-4">4.12.3.</span> NAGIOS Monitoring of Ord-Mantell</h4>
+<div id="outline-container-org40c5228" class="outline-4">
+<h4 id="org40c5228"><span class="section-number-4">4.12.3.</span> NAGIOS Monitoring of Ord-Mantell</h4>
<div class="outline-text-4" id="text-4-12-3">
<div class="org-src-container">
<a href="roles_t/abbey-core/templates/nagios-ord-mantell.cfg"><q>roles_t/abbey-core/templates/nagios-ord-mantell.cfg</q></a><pre class="src src-conf"><code><span class="org-type">define host</span> {
</div>
</div>
</div>
-<div id="outline-container-org90c4b01" class="outline-4">
-<h4 id="org90c4b01"><span class="section-number-4">4.12.4.</span> NAGIOS Monitoring of Kamino</h4>
+<div id="outline-container-orgeba04d3" class="outline-4">
+<h4 id="orgeba04d3"><span class="section-number-4">4.12.4.</span> NAGIOS Monitoring of Kessel</h4>
<div class="outline-text-4" id="text-4-12-4">
<div class="org-src-container">
-<a href="roles_t/abbey-core/templates/nagios-kamino.cfg"><q>roles_t/abbey-core/templates/nagios-kamino.cfg</q></a><pre class="src src-conf"><code><span class="org-type">define host</span> {
- use linux-server
- host_name kamino
- address {{ kamino_addr }}
-}
-
-<span class="org-type">define service</span> {
- use generic-service
- host_name kamino
- service_description Root Partition
- check_command check_nrpe!inst_root
-}
-
-<span class="org-type">define service</span> {
- use generic-service
- host_name kamino
- service_description Current Load
- check_command check_nrpe!check_load
-}
-
-<span class="org-type">define service</span> {
- use generic-service
- host_name kamino
- service_description Zombie Processes
- check_command check_nrpe!check_zombie_procs
-}
-
-<span class="org-comment-delimiter"># </span><span class="org-comment">define service {</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">use generic-service</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">host_name kamino</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">service_description Total Processes</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">check_command check_nrpe!check_total_procs</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">}</span>
-
-<span class="org-type">define service</span> {
- use generic-service
- host_name kamino
- service_description Swap Usage
- check_command check_nrpe!inst_swap
-}
-
-<span class="org-type">define service</span> {
- use generic-service
- host_name kamino
- service_description Temperature Sensors
- check_command check_nrpe!inst_sensors
-}
-</code></pre>
-</div>
-</div>
-</div>
-<div id="outline-container-orga2e0dec" class="outline-4">
-<h4 id="orga2e0dec"><span class="section-number-4">4.12.5.</span> NAGIOS Monitoring of Kessel</h4>
-<div class="outline-text-4" id="text-4-12-5">
-<div class="org-src-container">
<a href="roles_t/abbey-core/templates/nagios-kessel.cfg"><q>roles_t/abbey-core/templates/nagios-kessel.cfg</q></a><pre class="src src-conf"><code><span class="org-type">define host</span> {
use linux-server
host_name kessel
</div>
</div>
</div>
-<div id="outline-container-org1df2352" class="outline-3">
-<h3 id="org1df2352"><span class="section-number-3">4.13.</span> Install Munin</h3>
+<div id="outline-container-orga125fd0" class="outline-3">
+<h3 id="orga125fd0"><span class="section-number-3">4.13.</span> Install Munin</h3>
<div class="outline-text-3" id="text-4-13">
<p>
The abbey is experimenting with Munin. NAGIOS is all about notifying
</div>
</div>
</div>
-<div id="outline-container-orgda2a76d" class="outline-3">
-<h3 id="orgda2a76d"><span class="section-number-3">4.14.</span> Install Analog</h3>
+<div id="outline-container-orgfd23d24" class="outline-3">
+<h3 id="orgfd23d24"><span class="section-number-3">4.14.</span> Install Analog</h3>
<div class="outline-text-3" id="text-4-14">
<p>
The abbey's public web site's access and error logs are emailed
</div>
</div>
</div>
-<div id="outline-container-orge08fc0f" class="outline-3">
-<h3 id="orge08fc0f"><span class="section-number-3">4.15.</span> Add Monkey to Web Server Group</h3>
+<div id="outline-container-org78c7f49" class="outline-3">
+<h3 id="org78c7f49"><span class="section-number-3">4.15.</span> Add Monkey to Web Server Group</h3>
<div class="outline-text-3" id="text-4-15">
<p>
Monkey needs to be in <code>www-data</code> so that it can run
</div>
</div>
</div>
-<div id="outline-container-org7b13124" class="outline-3">
-<h3 id="org7b13124"><span class="section-number-3">4.16.</span> Install netpbm For Photo Processing</h3>
+<div id="outline-container-org7db29f5" class="outline-3">
+<h3 id="org7db29f5"><span class="section-number-3">4.16.</span> Install netpbm For Photo Processing</h3>
<div class="outline-text-3" id="text-4-16">
<p>
Monkey's photo processing scripts use <code>netpbm</code> commands like
</div>
</div>
</div>
-<div id="outline-container-org5e89497" class="outline-3">
-<h3 id="org5e89497"><span class="section-number-3">4.17.</span> Install Samba</h3>
-<div class="outline-text-3" id="text-4-17">
-<p>
-The abbey core provides NAS (Network Attached Storage) service to the
-cloister network. It also provides writable shares for a Home
-Assistant appliance (Raspberry Pi).
-</p>
-
-<ul class="org-ul">
-<li>Install <code>samba</code>.</li>
-<li>Create system user <code>hass</code>.</li>
-<li>Create <q>/home/hass/{media,backup,share}/</q> with appropriate
-permissions.</li>
-</ul>
-
-<div class="org-src-container">
-<a href="roles_t/abbey-core/tasks/main.yml"><q>roles_t/abbey-core/tasks/main.yml</q></a><pre class="src src-conf"><code>
-- name: Install Samba.
- become: yes
- <span class="org-variable-name">apt: pkg</span>=samba
-
-- name: Add system user hass.
- become: yes
- user:
- name: hass
- system: yes
-
-- name: Add {{ ansible_user }} to hass group.
- become: yes
- user:
- name: <span class="org-string">"{{ ansible_user }}"</span>
- append: yes
- groups: hass
-
-- name: Configure shares.
- become: yes
- blockinfile:
- block: |
- [<span class="org-type">Shared</span>]
- <span class="org-variable-name">path</span> = /Shared
- <span class="org-variable-name">guest ok</span> = yes
- <span class="org-variable-name">read only</span> = yes
-
- [<span class="org-type">HASS-backup</span>]
- <span class="org-variable-name">comment</span> = Home Assistant backup
- <span class="org-variable-name">path</span> = /home/hass/backup
- <span class="org-variable-name">valid users</span> = hass
- <span class="org-variable-name">read only</span> = no
-
- [<span class="org-type">HASS-media</span>]
- <span class="org-variable-name">comment</span> = Home Assistant media
- <span class="org-variable-name">path</span> = /home/hass/media
- <span class="org-variable-name">valid users</span> = hass
- <span class="org-variable-name">read only</span> = yes
-
- [<span class="org-type">HASS-share</span>]
- <span class="org-variable-name">comment</span> = Home Assistant share
- <span class="org-variable-name">path</span> = /home/hass/share
- <span class="org-variable-name">valid users</span> = hass
- <span class="org-variable-name">read only</span> = no
- dest: /etc/samba/smb.conf
- marker: <span class="org-string">"# {mark} ABBEY MANAGED BLOCK"</span>
- notify: New shares.
-</code></pre>
-</div>
-
-<div class="org-src-container">
-<a href="roles_t/abbey-core/handlers/main.yml"><q>roles_t/abbey-core/handlers/main.yml</q></a><pre class="src src-conf"><code>
-- name: New shares.
- become: yes
- systemd:
- service: smbd
- state: reloaded
-</code></pre>
-</div>
-</div>
</div>
-</div>
-<div id="outline-container-orgf05d620" class="outline-2">
-<h2 id="orgf05d620"><span class="section-number-2">5.</span> The Abbey Gate Role</h2>
+<div id="outline-container-orgd9b3314" class="outline-2">
+<h2 id="orgd9b3314"><span class="section-number-2">5.</span> The Abbey Gate Role</h2>
<div class="outline-text-2" id="text-5">
<p>
Birchwood Abbey's gate is a $110 µPC configured as A Small Institute
Gate, thus providing a campus VPN on a campus Wi-Fi access point. It
routes network traffic from its <code>wild</code> and <code>lan</code> interfaces to its
-<code>isp</code> interface (and back) with NAT. That is all the abbey requires
-of its gate, so there is no additional Ansible configuration in this
-chapter (yet).
+<code>isp</code> interface (and back) with NAT. The abbey adds masquerading
+between its private interfaces (<code>lan</code> and <code>wg0</code>) and <code>wild</code>. This
+allows access to the Abbey's IoT appliances: a HomeAssistant and an
+Ecowitt hub.
</p>
</div>
-<div id="outline-container-orgf1ff6da" class="outline-3">
-<h3 id="orgf1ff6da"><span class="section-number-3">5.1.</span> The Abbey Gate's Network Interfaces</h3>
+<div id="outline-container-org7f68c5d" class="outline-3">
+<h3 id="org7f68c5d"><span class="section-number-3">5.1.</span> The Abbey Gate's Network Interfaces</h3>
<div class="outline-text-3" id="text-5-1">
<p>
The abbey gate's <code>lan</code> interface is the PC's built-in Ethernet
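Review bot: Deleting the 4.17 Install Samba tasks and the "New shares." handler only stops Ansible from managing Samba. On a Core that was already provisioned, the samba package, the hass user and the "# {mark} ABBEY MANAGED BLOCK" in /etc/samba/smb.conf all stay in place, including the [Shared] share with "guest ok = yes". If the service is being retired, replace the removed tasks with cleanup tasks (blockinfile with state: absent on /etc/samba/smb.conf, followed by stopping or removing smbd), or state in the text that the cleanup is done by hand.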
</p>
</div>
</div>
-<div id="outline-container-orgb6abbb1" class="outline-3">
-<h3 id="orgb6abbb1"><span class="section-number-3">5.2.</span> The Abbey's Starlink Configuration</h3>
+<div id="outline-container-orgba0daab" class="outline-3">
+<h3 id="orgba0daab"><span class="section-number-3">5.2.</span> The Abbey's IoT Network</h3>
<div class="outline-text-3" id="text-5-2">
<p>
+To allow masquerading between the private subnets and <code>wild</code>, the
+following <code>iptables(8)</code> rules are added. They are very similar to the
+<code>nat</code> and <code>filter</code> table rules used by a small institute to masquerade
+its <code>lan</code> to its <code>isp</code> (see the <a href="Institute/README.html#org3c354d1">UFW Rules</a> of a Small Institute).
+</p>
+
+<div class="org-src-container">
+<code>iot-nat</code><pre class="src src-conf" id="org01b3093"><code>-A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE
+-A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE
+-A POSTROUTING -s {{ campus_wg_net_cidr }} -o wild -j MASQUERADE
+</code></pre>
+</div>
+
+<div class="org-src-container">
+<code>iot-forward</code><pre class="src src-conf" id="org7629ee5"><code>-A ufw-user-forward -i lan -o wild -j ACCEPT
+-A ufw-user-forward -i wg0 -o wild -j ACCEPT
+</code></pre>
+</div>
+
+<p>
+The <code>lan</code> interface encompasses the private LAN and the public VPN.
+The second rule includes the campus VPN.
+</p>
+</div>
+</div>
+<div id="outline-container-org266e6c0" class="outline-3">
+<h3 id="org266e6c0"><span class="section-number-3">5.3.</span> Configure UFW for IoT</h3>
+<div class="outline-text-3" id="text-5-3">
+<p>
+The following tasks install the additional rules in <q>before.rules</q>
+and <q>user.rules</q> (as in <a href="Institute/README.html#org2517da7">Configure UFW</a>).
+</p>
+
+<div class="org-src-container">
+<a href="roles_t/abbey-gate/tasks/main.yml"><q>roles_t/abbey-gate/tasks/main.yml</q></a><pre class="src src-conf"><code>---
+- name: Configure UFW NAT rules for IoT.
+ become: yes
+ blockinfile:
+ block: |
+ *nat
+ <<iot-nat>>
+ COMMIT
+ dest: /etc/ufw/before.rules
+ marker: <span class="org-string">"# {mark} ABBEY MANAGED BLOCK"</span>
+ insertafter: EOF
+ prepend_newline: yes
+
+- name: Configure UFW FORWARD rules for IoT.
+ become: yes
+ blockinfile:
+ block: |
+ *filter
+ <<iot-forward>>
+ COMMIT
+ dest: /etc/ufw/user.rules
+ marker: <span class="org-string">"# {mark} ABBEY MANAGED BLOCK"</span>
+ insertafter: EOF
+ prepend_newline: yes
+</code></pre>
+</div>
+</div>
+</div>
+<div id="outline-container-org5adf523" class="outline-3">
+<h3 id="org5adf523"><span class="section-number-3">5.4.</span> The Abbey's Starlink Configuration</h3>
+<div class="outline-text-3" id="text-5-4">
+<p>
The abbey connects to Starlink via Ethernet, and disables Starlink's
Wi-Fi access point. An Ethernet adapter add-on (ordered separately)
was installed on the Starlink cable, and a second USB-Ethernet dongle
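Review bot: The two iot-forward rules accept every packet forwarded from lan or wg0 to wild, while the purpose given in section 5 is reaching two appliances (a HomeAssistant and an Ecowitt hub). Consider adding a destination match (-d with the appliances' addresses, held in the private variables) so the forwarding exception is no wider than the stated need. In roles_t/abbey-gate/tasks/main.yml neither blockinfile task has a notify, so unless a handler elsewhere covers it, the edited before.rules and user.rules are not loaded until UFW is next reloaded; a handler that reloads UFW would close that gap. The closing paragraph explains the two forward rules but not why iot-nat needs three source CIDRs; a sentence mapping each CIDR to its interface would help.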
</p>
</div>
</div>
-<div id="outline-container-org6994b9d" class="outline-3">
-<h3 id="org6994b9d"><span class="section-number-3">5.3.</span> Alternate ISPs</h3>
-<div class="outline-text-3" id="text-5-3">
+<div id="outline-container-orgd870162" class="outline-3">
+<h3 id="orgd870162"><span class="section-number-3">5.5.</span> Alternate ISPs</h3>
+<div class="outline-text-3" id="text-5-5">
<p>
The abbey used to use a cell phone on a USB tether to get Internet
service. At that time, Gate's <q>/etc/netplan/60-isp.yaml</q> file was the
</div>
</div>
</div>
-<div id="outline-container-org77dc2b3" class="outline-2">
-<h2 id="org77dc2b3"><span class="section-number-2">6.</span> The Abbey Cloister Role</h2>
+<div id="outline-container-org56e9c8b" class="outline-2">
+<h2 id="org56e9c8b"><span class="section-number-2">6.</span> The Abbey Cloister Role</h2>
<div class="outline-text-2" id="text-6">
<p>
Birchwood Abbey's cloister is a small institute campus. The <code>campus</code>
<p>
Wireless clients are issued keys for the cloister VPN by the <code>./abbey
client</code> command which is currently identical to the <code>./inst client</code>
-command (described in <a href="Institute/README.html#orgd063a1d">The Client Command</a>). The wireless, cloistered
+command (described in <a href="Institute/README.html#org5635191">The Client Command</a>). The wireless, cloistered
hosts never roam, are not associated with a member, and so are
"campus" clients, issued keys with commands like this:
</p>
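Review bot: the only change in this hunk is the regenerated anchor `Institute/README.html#orgd063a1d` becoming `#org5635191`, and the same `org…` id churn accounts for most of the other hunks in this patch. Because the ids change on every export, any saved or external deep link into these pages breaks, and the substantive changes (the IoT sections and the `hosts` edits) are hard to find among the noise. Giving the linked headings a fixed `CUSTOM_ID` in the Org source would keep the anchors stable and reduce the patch to the changes that need review.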
./abbey client campus new-host-name
</pre>
</div>
-<div id="outline-container-org77767d4" class="outline-3">
-<h3 id="org77767d4"><span class="section-number-3">6.1.</span> Use Cloister Apt Cache</h3>
+<div id="outline-container-org08d8be3" class="outline-3">
+<h3 id="org08d8be3"><span class="section-number-3">6.1.</span> Use Cloister Apt Cache</h3>
<div class="outline-text-3" id="text-6-1">
<p>
The Apt-Cacher:TNG program does not work well on the frontier, so is
</div>
</div>
</div>
-<div id="outline-container-org7df80e3" class="outline-3">
-<h3 id="org7df80e3"><span class="section-number-3">6.2.</span> Configure Cloister NRPE</h3>
+<div id="outline-container-orgcd5b300" class="outline-3">
+<h3 id="orgcd5b300"><span class="section-number-3">6.2.</span> Configure Cloister NRPE</h3>
<div class="outline-text-3" id="text-6-2">
<p>
Each cloistered host is a small institute campus host and thus is
already running an NRPE server (a NAGIOS Remote Plugin Executor
-server) with a custom <code>inst_sensors</code> monitor (described in <a href="Institute/README.html#org83a4801">Configure
+server) with a custom <code>inst_sensors</code> monitor (described in <a href="Institute/README.html#orgad950b0">Configure
NRPE</a> of <a href="Institute/README.html">A Small Institute</a>). The abbey adds one complication: yet
another <code>check_sensors</code> variant, <code>abbey_pisensors</code>, installed on
Raspberry Pis (architecture <code>aarch64</code>) only.
</div>
</div>
</div>
-<div id="outline-container-org76e6ceb" class="outline-3">
-<h3 id="org76e6ceb"><span class="section-number-3">6.3.</span> Install Munin Node</h3>
+<div id="outline-container-org545b965" class="outline-3">
+<h3 id="org545b965"><span class="section-number-3">6.3.</span> Install Munin Node</h3>
<div class="outline-text-3" id="text-6-3">
<p>
Each cloistered host is a Munin node.
</div>
</div>
</div>
-<div id="outline-container-org63c8ca2" class="outline-3">
-<h3 id="org63c8ca2"><span class="section-number-3">6.4.</span> Install Emacs</h3>
+<div id="outline-container-orgf9a549d" class="outline-3">
+<h3 id="orgf9a549d"><span class="section-number-3">6.4.</span> Install Emacs</h3>
<div class="outline-text-3" id="text-6-4">
<p>
The monks of the abbey are masters of the staff and Emacs.
</div>
</div>
</div>
-<div id="outline-container-org00bce0a" class="outline-2">
-<h2 id="org00bce0a"><span class="section-number-2">7.</span> The Abbey Weather Role</h2>
+<div id="outline-container-org726d888" class="outline-2">
+<h2 id="org726d888"><span class="section-number-2">7.</span> The Abbey Weather Role</h2>
<div class="outline-text-2" id="text-7">
<p>
Birchwood Abbey now uses Home Assistant to record and display weather
</p>
</div>
</div>
-<div id="outline-container-org0863125" class="outline-2">
-<h2 id="org0863125"><span class="section-number-2">8.</span> The Abbey DVR Role</h2>
+<div id="outline-container-org402b1f9" class="outline-2">
+<h2 id="org402b1f9"><span class="section-number-2">8.</span> The Abbey DVR Role</h2>
<div class="outline-text-2" id="text-8">
<p>
The abbey uses AgentDVR to record video from PoE IP HD security
cameras. It is installed and configured as described here.
</p>
</div>
-<div id="outline-container-orgc100380" class="outline-3">
-<h3 id="orgc100380"><span class="section-number-3">8.1.</span> AgentDVR Installation</h3>
+<div id="outline-container-org798fa96" class="outline-3">
+<h3 id="org798fa96"><span class="section-number-3">8.1.</span> AgentDVR Installation</h3>
<div class="outline-text-3" id="text-8-1">
<p>
AgentDVR is installed at the abbey according to the iSpy web site's
preparations.
</p>
</div>
-<div id="outline-container-org8d95cf0" class="outline-4">
-<h4 id="org8d95cf0"><span class="section-number-4">8.1.1.</span> AgentDVR Installation Preparation</h4>
+<div id="outline-container-orgcd9f462" class="outline-4">
+<h4 id="orgcd9f462"><span class="section-number-4">8.1.1.</span> AgentDVR Installation Preparation</h4>
<div class="outline-text-4" id="text-8-1-1">
<p>
AgentDVR runs in the abbey as a system user, <code>agentdvr</code>, which
</div>
</div>
</div>
-<div id="outline-container-org85f33a0" class="outline-4">
-<h4 id="org85f33a0"><span class="section-number-4">8.1.2.</span> AgentDVR Installation Execution</h4>
+<div id="outline-container-orgfd81e48" class="outline-4">
+<h4 id="orgfd81e48"><span class="section-number-4">8.1.2.</span> AgentDVR Installation Execution</h4>
<div class="outline-text-4" id="text-8-1-2">
<p>
With the above preparations, the system administrator can get a shell
</p>
</div>
</div>
-<div id="outline-container-org710e104" class="outline-4">
-<h4 id="org710e104"><span class="section-number-4">8.1.3.</span> AgentDVR Installation Completion</h4>
+<div id="outline-container-org63989cb" class="outline-4">
+<h4 id="org63989cb"><span class="section-number-4">8.1.3.</span> AgentDVR Installation Completion</h4>
<div class="outline-text-4" id="text-8-1-3">
<p>
When Ansible is run a second time, after the installation script, it
</div>
</div>
</div>
-<div id="outline-container-org79332d5" class="outline-3">
-<h3 id="org79332d5"><span class="section-number-3">8.2.</span> Create User <code>agentdvr</code></h3>
+<div id="outline-container-org767decb" class="outline-3">
+<h3 id="org767decb"><span class="section-number-3">8.2.</span> Create User <code>agentdvr</code></h3>
<div class="outline-text-3" id="text-8-2">
<p>
AgentDVR runs as the system user <code>agentdvr</code>, which is created here.
</div>
</div>
</div>
-<div id="outline-container-orgee91eeb" class="outline-3">
-<h3 id="orgee91eeb"><span class="section-number-3">8.3.</span> Test For <q>AgentDVR/</q></h3>
+<div id="outline-container-org9375a62" class="outline-3">
+<h3 id="org9375a62"><span class="section-number-3">8.3.</span> Test For <q>AgentDVR/</q></h3>
<div class="outline-text-3" id="text-8-3">
<p>
The following task probes for the <q>/home/agentdvr/AgentDVR/</q>
</div>
</div>
</div>
-<div id="outline-container-org167a4f4" class="outline-3">
-<h3 id="org167a4f4"><span class="section-number-3">8.4.</span> Create AgentDVR Service</h3>
+<div id="outline-container-orgbd4633b" class="outline-3">
+<h3 id="orgbd4633b"><span class="section-number-3">8.4.</span> Create AgentDVR Service</h3>
<div class="outline-text-3" id="text-8-4">
<p>
This service definition came from the template downloaded (from <a href="https://raw.githubusercontent.com/ispysoftware/agent-install-scripts/main/v2/AgentDVR.service">here</a>)
</div>
</div>
</div>
-<div id="outline-container-orga2a3821" class="outline-3">
-<h3 id="orga2a3821"><span class="section-number-3">8.5.</span> Create AgentDVR Storage</h3>
+<div id="outline-container-orgd7a5628" class="outline-3">
+<h3 id="orgd7a5628"><span class="section-number-3">8.5.</span> Create AgentDVR Storage</h3>
<div class="outline-text-3" id="text-8-5">
<p>
The abbey uses a separate volume to store surveillance recordings,
</div>
</div>
</div>
-<div id="outline-container-orgaf6ac6d" class="outline-3">
-<h3 id="orgaf6ac6d"><span class="section-number-3">8.6.</span> Configure IP Cameras</h3>
+<div id="outline-container-org735770d" class="outline-3">
+<h3 id="org735770d"><span class="section-number-3">8.6.</span> Configure IP Cameras</h3>
<div class="outline-text-3" id="text-8-6">
<p>
-A new security camera is setup as described in <a href="#orge54fc33">Cloistering</a>, after
+A new security camera is setup as described in <a href="#orgaf8047d">Cloistering</a>, after
which the camera should be accessible by name on the abbey networks.
Assuming <code>ping -c1 new</code> works, the camera's web interface will be
accessible at <code>http://new/</code>.
</ul>
</div>
</div>
-<div id="outline-container-org53206ec" class="outline-3">
-<h3 id="org53206ec"><span class="section-number-3">8.7.</span> Configure AgentDVR's Cameras</h3>
+<div id="outline-container-orgb4b339b" class="outline-3">
+<h3 id="orgb4b339b"><span class="section-number-3">8.7.</span> Configure AgentDVR's Cameras</h3>
<div class="outline-text-3" id="text-8-7">
<p>
After Ansible has configured and started the AgentDVR service, its web
</p>
</div>
</div>
-<div id="outline-container-org7115391" class="outline-3">
-<h3 id="org7115391"><span class="section-number-3">8.8.</span> Configure AgentDVR's Default Storage</h3>
+<div id="outline-container-org6e6ab7d" class="outline-3">
+<h3 id="org6e6ab7d"><span class="section-number-3">8.8.</span> Configure AgentDVR's Default Storage</h3>
<div class="outline-text-3" id="text-8-8">
<p>
AgentDVR's web interface is also used to configure a default storage
</p>
</div>
</div>
-<div id="outline-container-orgf7d79ab" class="outline-3">
-<h3 id="orgf7d79ab"><span class="section-number-3">8.9.</span> Configure AgentDVR's Recordings</h3>
+<div id="outline-container-orge18b44c" class="outline-3">
+<h3 id="orge18b44c"><span class="section-number-3">8.9.</span> Configure AgentDVR's Recordings</h3>
<div class="outline-text-3" id="text-8-9">
<p>
After a default storage location has been configured, AgentDVR's
</div>
</div>
</div>
-<div id="outline-container-orga2af172" class="outline-2">
-<h2 id="orga2af172"><span class="section-number-2">9.</span> The Abbey TVR Role</h2>
+<div id="outline-container-orgbfcfb39" class="outline-2">
+<h2 id="orgbfcfb39"><span class="section-number-2">9.</span> The Abbey TVR Role</h2>
<div class="outline-text-2" id="text-9">
<p>
The abbey has a few TV tuners and a subscription to <a href="https://schedulesdirect.org/">Schedules Direct</a>
to serve MythWeb pages at e.g. <code>http://new/mythweb/</code>.
</p>
</div>
-<div id="outline-container-org2fb4ef8" class="outline-3">
-<h3 id="org2fb4ef8"><span class="section-number-3">9.1.</span> Building MythTV and MythWeb</h3>
+<div id="outline-container-orgdb30ee3" class="outline-3">
+<h3 id="orgdb30ee3"><span class="section-number-3">9.1.</span> Building MythTV and MythWeb</h3>
<div class="outline-text-3" id="text-9-1">
<p>
Neither Debian nor the MythTV project provide binary packages of
</p>
</div>
</div>
-<div id="outline-container-org726b88a" class="outline-3">
-<h3 id="org726b88a"><span class="section-number-3">9.2.</span> TVR Machine Setup</h3>
+<div id="outline-container-org4478cd6" class="outline-3">
+<h3 id="org4478cd6"><span class="section-number-3">9.2.</span> TVR Machine Setup</h3>
<div class="outline-text-3" id="text-9-2">
<p>
-A new TVR machine needs only <a href="#orge54fc33">Cloistering</a> to prepare it for
+A new TVR machine needs only <a href="#orgaf8047d">Cloistering</a> to prepare it for
Ansible. As part of that process, it should be added to the <code>tvrs</code>
group in the <q>hosts</q> file. An existing server can become a TVR
machine simply by adding it to the <code>tvrs</code> group.
</p>
</div>
</div>
-<div id="outline-container-orgc39c4ca" class="outline-3">
-<h3 id="orgc39c4ca"><span class="section-number-3">9.3.</span> Include Abbey Variables</h3>
+<div id="outline-container-org675e85b" class="outline-3">
+<h3 id="org675e85b"><span class="section-number-3">9.3.</span> Include Abbey Variables</h3>
<div class="outline-text-3" id="text-9-3">
<p>
Private variables in <q>private/vars-abbey.yml</q> are needed, as in the
</div>
</div>
</div>
-<div id="outline-container-org7354ae1" class="outline-3">
-<h3 id="org7354ae1"><span class="section-number-3">9.4.</span> Install MythTV Build Requisites</h3>
+<div id="outline-container-org05c5301" class="outline-3">
+<h3 id="org05c5301"><span class="section-number-3">9.4.</span> Install MythTV Build Requisites</h3>
<div class="outline-text-3" id="text-9-4">
<p>
A number of developer packages are needed to build MythTV. The wiki
</p>
</div>
</div>
-<div id="outline-container-orgf6b80dc" class="outline-3">
-<h3 id="orgf6b80dc"><span class="section-number-3">9.5.</span> Build and Install MythTV</h3>
+<div id="outline-container-org7f1bbd3" class="outline-3">
+<h3 id="org7f1bbd3"><span class="section-number-3">9.5.</span> Build and Install MythTV</h3>
<div class="outline-text-3" id="text-9-5">
<p>
After a successful "first" run of e.g. <code>./abbey config new</code>, the
</div>
</div>
</div>
-<div id="outline-container-org81a33f9" class="outline-3">
-<h3 id="org81a33f9"><span class="section-number-3">9.6.</span> Create MythTV User</h3>
+<div id="outline-container-orga4363cd" class="outline-3">
+<h3 id="orga4363cd"><span class="section-number-3">9.6.</span> Create MythTV User</h3>
<div class="outline-text-3" id="text-9-6">
<p>
MythTV Backend needs to run as its own user: <code>mythtv</code>.
</div>
</div>
</div>
-<div id="outline-container-orgf93ec30" class="outline-3">
-<h3 id="orgf93ec30"><span class="section-number-3">9.7.</span> Create MythTV DB</h3>
+<div id="outline-container-org17c0560" class="outline-3">
+<h3 id="org17c0560"><span class="section-number-3">9.7.</span> Create MythTV DB</h3>
<div class="outline-text-3" id="text-9-7">
<p>
MythTV's MariaDB database is created by the following task, when the
</p>
</div>
</div>
-<div id="outline-container-org7a9cd2e" class="outline-3">
-<h3 id="org7a9cd2e"><span class="section-number-3">9.8.</span> Create MythTV DB User</h3>
+<div id="outline-container-orgc33913a" class="outline-3">
+<h3 id="orgc33913a"><span class="section-number-3">9.8.</span> Create MythTV DB User</h3>
<div class="outline-text-3" id="text-9-8">
<p>
The DB user's password is taken from the <code>mythtv_dbpass</code> variable,
</div>
</div>
</div>
-<div id="outline-container-orga39e48a" class="outline-3">
-<h3 id="orga39e48a"><span class="section-number-3">9.9.</span> Manually Create MythTV DB and DB User</h3>
+<div id="outline-container-orgce1c9e7" class="outline-3">
+<h3 id="orgce1c9e7"><span class="section-number-3">9.9.</span> Manually Create MythTV DB and DB User</h3>
<div class="outline-text-3" id="text-9-9">
<p>
The MythTV database and database user are created manually with the
</div>
</div>
</div>
-<div id="outline-container-org9302b33" class="outline-3">
-<h3 id="org9302b33"><span class="section-number-3">9.10.</span> Load DB Timezone Info</h3>
+<div id="outline-container-org5e07621" class="outline-3">
+<h3 id="org5e07621"><span class="section-number-3">9.10.</span> Load DB Timezone Info</h3>
<div class="outline-text-3" id="text-9-10">
<p>
Starting with MythTV version 0.26, the time zone tables must be loaded
</div>
</div>
</div>
-<div id="outline-container-orgccbba96" class="outline-3">
-<h3 id="orgccbba96"><span class="section-number-3">9.11.</span> Create MythTV Backend Service</h3>
+<div id="outline-container-org08a6438" class="outline-3">
+<h3 id="org08a6438"><span class="section-number-3">9.11.</span> Create MythTV Backend Service</h3>
<div class="outline-text-3" id="text-9-11">
<p>
This task installs the <q>mythtv-backend.service</q> file.
</div>
</div>
</div>
-<div id="outline-container-org3307131" class="outline-3">
-<h3 id="org3307131"><span class="section-number-3">9.12.</span> Set PHP Timezone</h3>
+<div id="outline-container-org13b216f" class="outline-3">
+<h3 id="org13b216f"><span class="section-number-3">9.12.</span> Set PHP Timezone</h3>
<div class="outline-text-3" id="text-9-12">
<p>
This task checks PHP's timezone. If unset, MythTV's backend logs
</div>
</div>
</div>
-<div id="outline-container-org0d2eb5a" class="outline-3">
-<h3 id="org0d2eb5a"><span class="section-number-3">9.13.</span> Create MythTV Storage Area</h3>
+<div id="outline-container-orgd893d33" class="outline-3">
+<h3 id="orgd893d33"><span class="section-number-3">9.13.</span> Create MythTV Storage Area</h3>
<div class="outline-text-3" id="text-9-13">
<p>
The backend does not have a default storage area for its recordings.
</div>
</div>
</div>
-<div id="outline-container-org0fba7a6" class="outline-3">
-<h3 id="org0fba7a6"><span class="section-number-3">9.14.</span> Configure MythTV Backend</h3>
+<div id="outline-container-org8d853e0" class="outline-3">
+<h3 id="org8d853e0"><span class="section-number-3">9.14.</span> Configure MythTV Backend</h3>
<div class="outline-text-3" id="text-9-14">
<p>
With MythTV built and installed, and the post-installation tasks
</ul>
</div>
</div>
-<div id="outline-container-orgfe735ba" class="outline-3">
-<h3 id="orgfe735ba"><span class="section-number-3">9.15.</span> Configure Tuner</h3>
+<div id="outline-container-orgc447ffd" class="outline-3">
+<h3 id="orgc447ffd"><span class="section-number-3">9.15.</span> Configure Tuner</h3>
<div class="outline-text-3" id="text-9-15">
<p>
The abbey has a Silicon Dust Homerun HDTV Duo (with two tuners). It
-is setup as described in <a href="#orge54fc33">Cloistering</a>, after which the tuner is
+is setup as described in <a href="#orgaf8047d">Cloistering</a>, after which the tuner is
accessible by name (e.g. <code>new</code>) on the cloister network. Assuming
<code>ping -c1 new</code> works, the tuner should be accessible via the
<code>hdhomerun_config_gui</code> command, a graphical interface contributed to
</p>
</div>
</div>
-<div id="outline-container-org5f58bcd" class="outline-3">
-<h3 id="org5f58bcd"><span class="section-number-3">9.16.</span> Add HDHomerun and Mr.Antenna</h3>
+<div id="outline-container-orgd7f8e90" class="outline-3">
+<h3 id="orgd7f8e90"><span class="section-number-3">9.16.</span> Add HDHomerun and Mr.Antenna</h3>
<div class="outline-text-3" id="text-9-16">
<p>
In MythTV Setup:
</ul>
</div>
</div>
-<div id="outline-container-org5946f99" class="outline-3">
-<h3 id="org5946f99"><span class="section-number-3">9.17.</span> Scan for New Channels</h3>
+<div id="outline-container-org174f052" class="outline-3">
+<h3 id="org174f052"><span class="section-number-3">9.17.</span> Scan for New Channels</h3>
<div class="outline-text-3" id="text-9-17">
<p>
In MythTV Setup:
</ul>
</div>
</div>
-<div id="outline-container-org47ed313" class="outline-3">
-<h3 id="org47ed313"><span class="section-number-3">9.18.</span> Configure XMLTV</h3>
+<div id="outline-container-org71383d1" class="outline-3">
+<h3 id="org71383d1"><span class="section-number-3">9.18.</span> Configure XMLTV</h3>
<div class="outline-text-3" id="text-9-18">
<p>
The <code>xmltv</code> package, specifically its <code>tv_grab_zz_sdjson</code> program, is
the OTA (over the air) broadcasts.
</p>
-<pre class="example" id="orgae6d63c">
+<pre class="example" id="org073418d">
$ tv_grab_zz_sdjson --configure --config-file .mythtv/Mr.Antenna.xml
Cache file for lineups, schedules and programs.
Cache file: [/home/mythtv/.xmltv/tv_grab_zz_sdjson.cache]
</p>
</div>
</div>
-<div id="outline-container-org8b7fe65" class="outline-3">
-<h3 id="org8b7fe65"><span class="section-number-3">9.19.</span> Debug XMLTV</h3>
+<div id="outline-container-org55468c4" class="outline-3">
+<h3 id="org55468c4"><span class="section-number-3">9.19.</span> Debug XMLTV</h3>
<div class="outline-text-3" id="text-9-19">
<p>
If the <code>mythfilldatabase</code> command fails or expected listings do not
</div>
</div>
</div>
-<div id="outline-container-org050202e" class="outline-3">
-<h3 id="org050202e"><span class="section-number-3">9.20.</span> Configure MythTV Backend Logging</h3>
+<div id="outline-container-org68719d0" class="outline-3">
+<h3 id="org68719d0"><span class="section-number-3">9.20.</span> Configure MythTV Backend Logging</h3>
<div class="outline-text-3" id="text-9-20">
<p>
The abbey directs MythTV log messages to <q>/var/log/mythtv.log</q> (and
</div>
</div>
</div>
-<div id="outline-container-org0a560c7" class="outline-3">
-<h3 id="org0a560c7"><span class="section-number-3">9.21.</span> Start MythTV Backend</h3>
+<div id="outline-container-org6685a81" class="outline-3">
+<h3 id="org6685a81"><span class="section-number-3">9.21.</span> Start MythTV Backend</h3>
<div class="outline-text-3" id="text-9-21">
<p>
After configuring with <code>mythtv-setup</code> as discussed above, start and
</div>
</div>
</div>
-<div id="outline-container-orgc93912e" class="outline-3">
-<h3 id="orgc93912e"><span class="section-number-3">9.22.</span> Install MythWeb</h3>
+<div id="outline-container-org766f8b7" class="outline-3">
+<h3 id="org766f8b7"><span class="section-number-3">9.22.</span> Install MythWeb</h3>
<div class="outline-text-3" id="text-9-22">
<p>
MythWeb, like MythTV, is installed from a Git repository. The
</div>
</div>
</div>
-<div id="outline-container-org0d2c2da" class="outline-3">
-<h3 id="org0d2c2da"><span class="section-number-3">9.23.</span> Change Broadcast Area</h3>
+<div id="outline-container-orgc400edd" class="outline-3">
+<h3 id="orgc400edd"><span class="section-number-3">9.23.</span> Change Broadcast Area</h3>
<div class="outline-text-3" id="text-9-23">
<p>
The abbey changes location almost weekly, so its HDTV broadcast area
changes frequently. At the start of a long stay the administrator
uses the MythTV Setup program to scan for the new area's channels, as
-described in <a href="#org5946f99">Scan for New Channels</a>.
+described in <a href="#org174f052">Scan for New Channels</a>.
</p>
<p>
<p>
The program will prompt for the zip code and offer a list of "inputs"
-available in that area, as described in <a href="#org47ed313">Configure XMLTV</a>.
+available in that area, as described in <a href="#org71383d1">Configure XMLTV</a>.
</p>
<p>
</div>
</div>
</div>
-<div id="outline-container-org1eb02ae" class="outline-2">
-<h2 id="org1eb02ae"><span class="section-number-2">10.</span> The Ansible Configuration</h2>
+<div id="outline-container-org0b14f1c" class="outline-2">
+<h2 id="org0b14f1c"><span class="section-number-2">10.</span> The Ansible Configuration</h2>
<div class="outline-text-2" id="text-10">
<p>
The abbey's Ansible configuration, like that of <a href="Institute/README.html">A Small Institute</a>, is
</p>
<p>
-NOTE: if you have not read at least the <a href="Institute/README.html#org73a9925">Overview</a> of <a href="Institute/README.html">A Small Institute</a>
+NOTE: if you have not read at least the <a href="Institute/README.html#org8c0e5a2">Overview</a> of <a href="Institute/README.html">A Small Institute</a>
you are lost.
</p>
<q>README.org</q>, and <a href="Institute/README.html"><q>Institute/README.org</q></a>.
</p>
</div>
-<div id="outline-container-org042b7f9" class="outline-3">
-<h3 id="org042b7f9"><span class="section-number-3">10.1.</span> <q>ansible.cfg</q></h3>
+<div id="outline-container-org699d371" class="outline-3">
+<h3 id="org699d371"><span class="section-number-3">10.1.</span> <q>ansible.cfg</q></h3>
<div class="outline-text-3" id="text-10-1">
<p>
This is much like the example (test) institutional configuration file,
</div>
</div>
</div>
-<div id="outline-container-orgfb630f0" class="outline-3">
-<h3 id="orgfb630f0"><span class="section-number-3">10.2.</span> <q>hosts</q></h3>
+<div id="outline-container-orgb1ba475" class="outline-3">
+<h3 id="orgb1ba475"><span class="section-number-3">10.2.</span> <q>hosts</q></h3>
<div class="outline-text-3" id="text-10-2">
<div class="org-src-container">
-<a href="hosts"><q>hosts</q></a><pre class="src src-conf" id="org1112b46"><code>all:
+<a href="hosts"><q>hosts</q></a><pre class="src src-conf" id="org8f8ed31"><code>all:
vars:
ansible_user: sysadm
ansible_ssh_extra_args: -i Secret/ssh_admin/id_rsa
dantooine:
ansible_become_password: <span class="org-string">"{{ become_dantooine }}"</span>
<span class="org-comment-delimiter"># </span><span class="org-comment">Campus</span>
- kamino:
- ansible_become_password: <span class="org-string">"{{ become_kamino }}"</span>
kessel:
ansible_become_password: <span class="org-string">"{{ become_kessel }}"</span>
ord-mantell:
campus:
hosts:
anoat:
- kamino:
kessel:
ord-mantell:
dvrs:
dantooine:
webtvs:
hosts:
- kamino:
kessel:
ord-mantell:
notebooks:
builders:
hosts:
sullust:
- kamino:
+ kessel:
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-org28351e5" class="outline-3">
-<h3 id="org28351e5"><span class="section-number-3">10.3.</span> <q>playbooks/site.yml</q></h3>
+<div id="outline-container-orga1fef67" class="outline-3">
+<h3 id="orga1fef67"><span class="section-number-3">10.3.</span> <q>playbooks/site.yml</q></h3>
<div class="outline-text-3" id="text-10-3">
<p>
This playbook provisions the entire network by applying first the
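Review bot: the removal of `kamino` in the `hosts` hunks above is undocumented. The patch drops its `ansible_become_password: "{{ become_kamino }}"` entry and its `campus` and `webtvs` memberships, and puts `kessel` in its place under `builders`, but no text explains that the host is being retired. Please say so in the documentation or the commit message, and confirm that the `become_kamino` secret and any cloister VPN key issued to the host are removed as well, so that the inventory edit is not the only record of the decommissioning.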
- name: Configure Gate
hosts: gate
- roles: [ gate ]
+ roles: [ gate, abbey-gate ]
- name: Configure Core
hosts: core
</div>
</div>
</div>
-<div id="outline-container-orgc01ecf2" class="outline-2">
-<h2 id="orgc01ecf2"><span class="section-number-2">11.</span> The Abbey Commands</h2>
+<div id="outline-container-org3e7c8a6" class="outline-2">
+<h2 id="org3e7c8a6"><span class="section-number-2">11.</span> The Abbey Commands</h2>
<div class="outline-text-2" id="text-11">
<p>
The <code>./abbey</code> script encodes the abbey's canonical procedures. It
-includes <a href="Institute/README.html#org2c02c67">The Institute Commands</a> and adds a few abbey-specific
+includes <a href="Institute/README.html#orge18912d">The Institute Commands</a> and adds a few abbey-specific
sub-commands.
</p>
</div>
-<div id="outline-container-org7231e49" class="outline-3">
-<h3 id="org7231e49"><span class="section-number-3">11.1.</span> Abbey Command Overview</h3>
+<div id="outline-container-org454bc3f" class="outline-3">
+<h3 id="org454bc3f"><span class="section-number-3">11.1.</span> Abbey Command Overview</h3>
<div class="outline-text-3" id="text-11-1">
<p>
Institutional sub-commands:
</dl>
</div>
</div>
-<div id="outline-container-orgfeedee0" class="outline-3">
-<h3 id="orgfeedee0"><span class="section-number-3">11.2.</span> Abbey Command Script</h3>
+<div id="outline-container-orgafee4c1" class="outline-3">
+<h3 id="orgafee4c1"><span class="section-number-3">11.2.</span> Abbey Command Script</h3>
<div class="outline-text-3" id="text-11-2">
<p>
The script begins with the following prefix and trampolines.
The small institute's <code>./inst</code> command expects to be running in
<q>Institute/</q>, not <q>./</q>, but it only references <q>public/</q>, <q>private/</q>,
<q>Secret/</q> and <q>playbooks/check-inst-vars.yml</q>, and will find the abbey
-specific versions of these. The <code>roles_path</code> setting in <a href="#org042b7f9"><q>ansible.cfg</q></a>
+specific versions of these. The <code>roles_path</code> setting in <a href="#org699d371"><q>ansible.cfg</q></a>
effectively merges the institutional roles into the distinctly named
abbey specific roles. The roles likewise reference files with
relative names, and will find the abbey specific <q>private/</q>
</div>
</div>
</div>
-<div id="outline-container-org1a5942a" class="outline-3">
-<h3 id="org1a5942a"><span class="section-number-3">11.3.</span> The Upgrade Command</h3>
+<div id="outline-container-orge4be621" class="outline-3">
+<h3 id="orge4be621"><span class="section-number-3">11.3.</span> The Upgrade Command</h3>
<div class="outline-text-3" id="text-11-3">
<p>
The script implements an <code>upgrade</code> sub-command that runs <code>apt update</code>
</div>
</div>
</div>
-<div id="outline-container-orgd3554de" class="outline-3">
-<h3 id="orgd3554de"><span class="section-number-3">11.4.</span> The Reboots Command</h3>
+<div id="outline-container-org362188c" class="outline-3">
+<h3 id="org362188c"><span class="section-number-3">11.4.</span> The Reboots Command</h3>
<div class="outline-text-3" id="text-11-4">
<p>
The script implements a <code>reboots</code> sub-command that looks for
</div>
</div>
</div>
-<div id="outline-container-org383f1a9" class="outline-3">
-<h3 id="org383f1a9"><span class="section-number-3">11.5.</span> The Versions Command</h3>
+<div id="outline-container-org64bd014" class="outline-3">
+<h3 id="org64bd014"><span class="section-number-3">11.5.</span> The Versions Command</h3>
<div class="outline-text-3" id="text-11-5">
<p>
The script implements a <code>versions</code> sub-command that reports the
</div>
</div>
</div>
-<div id="outline-container-org2ec6e6b" class="outline-3">
-<h3 id="org2ec6e6b"><span class="section-number-3">11.6.</span> The TZ Command</h3>
+<div id="outline-container-orge6be2f2" class="outline-3">
+<h3 id="orge6be2f2"><span class="section-number-3">11.6.</span> The TZ Command</h3>
<div class="outline-text-3" id="text-11-6">
<p>
The abbey changes location almost weekly, so its timezone changes
</div>
</div>
</div>
-<div id="outline-container-orge534754" class="outline-3">
-<h3 id="orge534754"><span class="section-number-3">11.7.</span> Abbey Command Help</h3>
+<div id="outline-container-org22cce8c" class="outline-3">
+<h3 id="org22cce8c"><span class="section-number-3">11.7.</span> Abbey Command Help</h3>
<div class="outline-text-3" id="text-11-7">
<div class="org-src-container">
<a href="abbey"><q>abbey</q></a><pre class="src src-perl"><code><span class="org-keyword">my</span> $<span class="org-variable-name">ops</span> = <span class="org-string">"config,new,old,pass,client,upgrade,reboots,versions,tz"</span>;
</div>
</div>
</div>
-<div id="outline-container-orge54fc33" class="outline-2">
-<h2 id="orge54fc33"><span class="section-number-2">12.</span> Cloistering</h2>
+<div id="outline-container-orgaf8047d" class="outline-2">
+<h2 id="orgaf8047d"><span class="section-number-2">12.</span> Cloistering</h2>
<div class="outline-text-2" id="text-12">
<p>
This is how a new machine is brought into the cloister. The process
Ansible.
</p>
</div>
-<div id="outline-container-org4d38aa1" class="outline-3">
-<h3 id="org4d38aa1"><span class="section-number-3">12.1.</span> IoT Devices</h3>
+<div id="outline-container-org9fd81aa" class="outline-3">
+<h3 id="org9fd81aa"><span class="section-number-3">12.1.</span> IoT Devices</h3>
<div class="outline-text-3" id="text-12-1">
<p>
A wireless IoT device (smart TV, Blu-ray deck, etc.) cannot install
</p>
<ul class="org-ul">
-<li><a href="#orgb616952">Add to Core DHCP</a></li>
-<li><a href="#org37c70cf">Create Wired Domain Name</a></li>
+<li><a href="#orgaad3496">Add to Core DHCP</a></li>
+<li><a href="#orgfeeed76">Create Wired Domain Name</a></li>
</ul>
<p>
</p>
<ul class="org-ul">
-<li><a href="#orga3c3c7e">Create Wireless Domain Name</a></li>
+<li><a href="#org1c5945c">Create Wireless Domain Name</a></li>
</ul>
</div>
</div>
-<div id="outline-container-orgeed6c08" class="outline-3">
-<h3 id="orgeed6c08"><span class="section-number-3">12.2.</span> Raspberry Pis</h3>
+<div id="outline-container-orgdca4106" class="outline-3">
+<h3 id="orgdca4106"><span class="section-number-3">12.2.</span> Raspberry Pis</h3>
<div class="outline-text-3" id="text-12-2">
<p>
The abbey's Raspberry Pi runs the Raspberry Pi OS desktop off an
<li>new username: sysadm</li>
<li>new password: fubar</li>
</ul></li>
-<li><a href="#orgb616952">Add to Core DHCP</a></li>
-<li><a href="#org37c70cf">Create Wired Domain Name</a></li>
+<li><a href="#orgaad3496">Add to Core DHCP</a></li>
+<li><a href="#orgfeeed76">Create Wired Domain Name</a></li>
<li>Log in as <code>sysadm</code> on the console.</li>
<li>Run <code>sudo raspi-config</code> and use the following menu items.
<ul class="org-ul">
<li>I1 SSH (Enable/disable remote command line access using SSH): enable</li>
<li>A1 Expand Filesystem (Ensures that all of the SD card is available)</li>
</ul></li>
-<li><a href="#org388b5c4">Update From Cloister Apt Cache</a></li>
-<li><a href="#org941d364">Authorize Remote Administration</a></li>
-<li><a href="#orge671fd1">Configure with Ansible</a></li>
+<li><a href="#org916b3aa">Update From Cloister Apt Cache</a></li>
+<li><a href="#org891e891">Authorize Remote Administration</a></li>
+<li><a href="#org939b52a">Configure with Ansible</a></li>
</ul>
<p>
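Review bot: The unchanged context at the top of this hunk publishes a fixed initial credential (`new username: sysadm`, `new password: fubar`), and a later step enables SSH through `raspi-config` item I1 before the Authorize Remote Administration link. If `fubar` is a stand-in, the list item should say so; if it is the literal value, the steps should state where it is replaced, or where password logins over SSH are turned off, because between those two steps the machine is reachable over SSH with a password that appears on this page. The PCs checklist repeats the same two list items and installs `openssh-server` at the corresponding point, so the same wording fix applies there.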
</p>
<ul class="org-ul">
-<li><a href="#orgb16a9f2">Connect to Cloister Wi-Fi</a></li>
-<li><a href="#orgfcc55e8">Connect to Cloister VPN</a></li>
-<li><a href="#orga3c3c7e">Create Wireless Domain Name</a></li>
+<li><a href="#orgd2c13e6">Connect to Cloister Wi-Fi</a></li>
+<li><a href="#orgee9a234">Connect to Cloister VPN</a></li>
+<li><a href="#org1c5945c">Create Wireless Domain Name</a></li>
</ul>
</div>
</div>
-<div id="outline-container-org17e1c80" class="outline-3">
-<h3 id="org17e1c80"><span class="section-number-3">12.3.</span> PCs</h3>
+<div id="outline-container-orgff66da8" class="outline-3">
+<h3 id="orgff66da8"><span class="section-number-3">12.3.</span> PCs</h3>
<div class="outline-text-3" id="text-12-3">
<p>
Most of the abbey's machines, like Core and Gate, are general-purpose
<li>new username: sysadm</li>
<li>new password: fubar</li>
</ul></li>
-<li><a href="#orgb616952">Add to Core DHCP</a></li>
-<li><a href="#org37c70cf">Create Wired Domain Name</a></li>
+<li><a href="#orgaad3496">Add to Core DHCP</a></li>
+<li><a href="#orgfeeed76">Create Wired Domain Name</a></li>
<li>Log in as <code>sysadm</code> on the console.</li>
-<li><a href="#org388b5c4">Update From Cloister Apt Cache</a></li>
+<li><a href="#org916b3aa">Update From Cloister Apt Cache</a></li>
<li><p>
Install OpenSSH. Plain Debian does not come with OpenSSH installed.
</p>
<pre class="example">
sudo apt install openssh-server
</pre></li>
-<li><a href="#org941d364">Authorize Remote Administration</a></li>
-<li><a href="#orge671fd1">Configure with Ansible</a></li>
+<li><a href="#org891e891">Authorize Remote Administration</a></li>
+<li><a href="#org939b52a">Configure with Ansible</a></li>
</ul>
<p>
</p>
<ul class="org-ul">
-<li><a href="#orgb16a9f2">Connect to Cloister Wi-Fi</a></li>
-<li><a href="#orgfcc55e8">Connect to Cloister VPN</a></li>
-<li><a href="#orga3c3c7e">Create Wireless Domain Name</a></li>
+<li><a href="#orgd2c13e6">Connect to Cloister Wi-Fi</a></li>
+<li><a href="#orgee9a234">Connect to Cloister VPN</a></li>
+<li><a href="#org1c5945c">Create Wireless Domain Name</a></li>
</ul>
</div>
</div>
-<div id="outline-container-orgb616952" class="outline-3">
-<h3 id="orgb616952"><span class="section-number-3">12.4.</span> Add to Core DHCP</h3>
+<div id="outline-container-orgaad3496" class="outline-3">
+<h3 id="orgaad3496"><span class="section-number-3">12.4.</span> Add to Core DHCP</h3>
<div class="outline-text-3" id="text-12-4">
<p>
When a new machine is connected to the cloister Ethernet, its MAC
</div>
</div>
</div>
-<div id="outline-container-org37c70cf" class="outline-3">
-<h3 id="org37c70cf"><span class="section-number-3">12.5.</span> Create Wired Domain Name</h3>
+<div id="outline-container-orgfeeed76" class="outline-3">
+<h3 id="orgfeeed76"><span class="section-number-3">12.5.</span> Create Wired Domain Name</h3>
<div class="outline-text-3" id="text-12-5">
<p>
A wired device is assigned an IP address when it is added to Core's
-DHCP configuration (as in <a href="#orgb616952">Add to Core DHCP</a>). A private domain name is
+DHCP configuration (as in <a href="#orgaad3496">Add to Core DHCP</a>). A private domain name is
then associated with this address. If the device is intended to
operate wirelessly, the name for its address is modified with a <code>-w</code>
suffix. Thus <code>new-w.small.private</code> would be the name of the new
</div>
</div>
</div>
-<div id="outline-container-org388b5c4" class="outline-3">
-<h3 id="org388b5c4"><span class="section-number-3">12.6.</span> Update From Cloister Apt Cache</h3>
+<div id="outline-container-org916b3aa" class="outline-3">
+<h3 id="org916b3aa"><span class="section-number-3">12.6.</span> Update From Cloister Apt Cache</h3>
<div class="outline-text-3" id="text-12-6">
<ul class="org-ul">
<li>Log in as <code>sysadm</code> on the console.</li>
</ul>
</div>
</div>
-<div id="outline-container-org941d364" class="outline-3">
-<h3 id="org941d364"><span class="section-number-3">12.7.</span> Authorize Remote Administration</h3>
+<div id="outline-container-org891e891" class="outline-3">
+<h3 id="org891e891"><span class="section-number-3">12.7.</span> Authorize Remote Administration</h3>
<div class="outline-text-3" id="text-12-7">
<p>
To remotely administer <code>new-w</code>, Ansible must be authorized to login as
</div>
</div>
</div>
-<div id="outline-container-orge671fd1" class="outline-3">
-<h3 id="orge671fd1"><span class="section-number-3">12.8.</span> Configure with Ansible</h3>
+<div id="outline-container-org939b52a" class="outline-3">
+<h3 id="org939b52a"><span class="section-number-3">12.8.</span> Configure with Ansible</h3>
<div class="outline-text-3" id="text-12-8">
<p>
-With remote administration authorized and tested (as in <a href="#org941d364">Authorize
+With remote administration authorized and tested (as in <a href="#org891e891">Authorize
Remote Administration</a>), and the machine connected to the cloister
Ethernet, the configuration of <code>new-w</code> can be completed by Ansible.
Note that if the machine is staying on the cloister Ethernet, its
</p>
<p>
-First <code>new-w</code> is added to Ansible's inventory in <a href="#orgfb630f0"><q>hosts</q></a>. A <code>new-w</code>
+First <code>new-w</code> is added to Ansible's inventory in <a href="#orgb1ba475"><q>hosts</q></a>. A <code>new-w</code>
section is added to the list of all hosts, and an empty section of the
same name is added to the list of <code>campus</code> hosts. If the machine uses
the usual privileged account name, <code>sysadm</code>, the <code>ansible_user</code> key in
</div>
</div>
</div>
-<div id="outline-container-orgb16a9f2" class="outline-3">
-<h3 id="orgb16a9f2"><span class="section-number-3">12.9.</span> Connect to Cloister Wi-Fi</h3>
+<div id="outline-container-orgd2c13e6" class="outline-3">
+<h3 id="orgd2c13e6"><span class="section-number-3">12.9.</span> Connect to Cloister Wi-Fi</h3>
<div class="outline-text-3" id="text-12-9">
<p>
On an IoT device, or a Debian or Android "desktop", the cloister Wi-Fi
</div>
</div>
</div>
-<div id="outline-container-orgfcc55e8" class="outline-3">
-<h3 id="orgfcc55e8"><span class="section-number-3">12.10.</span> Connect to Cloister VPN</h3>
+<div id="outline-container-orgee9a234" class="outline-3">
+<h3 id="orgee9a234"><span class="section-number-3">12.10.</span> Connect to Cloister VPN</h3>
<div class="outline-text-3" id="text-12-10">
<p>
Wireless devices (with the cloister Wi-Fi password) can get an IP
<p>
Connections to the cloister VPN are authorized by the <code>./abbey
-client...</code> command (aka <a href="Institute/README.html#orgd063a1d">The Client Command</a>), which registers a new
+client...</code> command (aka <a href="Institute/README.html#org5635191">The Client Command</a>), which registers a new
client's public key and installs new WireGuard™ configurations on the
servers. Private keys are kept on the clients (e.g. in
<q>/etc/wireguard/private-key</q>).
</p>
</div>
-<div id="outline-container-orgf3c5544" class="outline-4">
-<h4 id="orgf3c5544"><span class="section-number-4">12.10.1.</span> Campus Desktops and Servers</h4>
+<div id="outline-container-org85d0bd2" class="outline-4">
+<h4 id="org85d0bd2"><span class="section-number-4">12.10.1.</span> Campus Desktops and Servers</h4>
<div class="outline-text-4" id="text-12-10-1">
<p>
Wireless Debian desktops (with NetworkManager) as well as servers
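Review bot: The link to The Client Command changes from `Institute/README.html#orgd063a1d` to `Institute/README.html#org5635191`, so this page depends on an auto-generated id in a different file. The two documents then have to be exported and published in lockstep; a copy of `Institute/README.html` from a different export leaves this link pointing at a fragment that does not exist. A fixed `:CUSTOM_ID:` on that heading in the Institute README, referenced from here, would remove the coupling.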
</ul>
</div>
</div>
-<div id="outline-container-org447a642" class="outline-4">
-<h4 id="org447a642"><span class="section-number-4">12.10.2.</span> Private Desktops</h4>
+<div id="outline-container-orgac0885d" class="outline-4">
+<h4 id="orgac0885d"><span class="section-number-4">12.10.2.</span> Private Desktops</h4>
<div class="outline-text-4" id="text-12-10-2">
<p>
Member notebooks are private machines not remotely administered by the
</p>
</div>
</div>
-<div id="outline-container-orgc4584cc" class="outline-4">
-<h4 id="orgc4584cc"><span class="section-number-4">12.10.3.</span> Android</h4>
+<div id="outline-container-org9e0c5a3" class="outline-4">
+<h4 id="org9e0c5a3"><span class="section-number-4">12.10.3.</span> Android</h4>
<div class="outline-text-4" id="text-12-10-3">
<p>
Android phones and tablets are authorized to connect to the cloister
</div>
</div>
</div>
-<div id="outline-container-orga3c3c7e" class="outline-3">
-<h3 id="orga3c3c7e"><span class="section-number-3">12.11.</span> Create Wireless Domain Name</h3>
+<div id="outline-container-org1c5945c" class="outline-3">
+<h3 id="org1c5945c"><span class="section-number-3">12.11.</span> Create Wireless Domain Name</h3>
<div class="outline-text-3" id="text-12-11">
<p>
A wireless machine is assigned a Wi-Fi address when it connects to the
</div>
<div id="postamble" class="status">
<p class="author">Author: Matt Birkholz</p>
-<p class="date">Created: 2025-06-15 Sun 19:03</p>
+<p class="date">Created: 2025-06-28 Sat 10:20</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>
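Review bot: The postamble `Created:` line changes from 2025-06-15 to 2025-06-28 along with the ids, so the generated file differs after every export even when no content was edited. If the exported HTML stays under version control, consider turning the export timestamp off (the Org `timestamp:nil` export option) or leaving the generated file out of the commit, so that a diff of this page shows only real documentation changes.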