replaced with variables, but specified in-line. Some, however, are
private (e.g. database passwords), not to be published in this
document, and so replaced with variables set in
-=private/vars-abbey.yml=.
+=private/vars-abbey.yml=. The file path is relative to the playbook's
+directory, =playbooks/=.
#+CAPTION: =roles_t/abbey-core/tasks/main.yml=
#+BEGIN_SRC conf :tangle roles_t/abbey-core/tasks/main.yml :mkdirp yes
include_vars: ../private/vars-abbey.yml
#+END_SRC
-The filename used above is interpreted relative to the playbook's
-directory, =playbooks/=.
-
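Review bot: The new sentence "The file path is relative to the playbook's directory, =playbooks/=." describes where the path ends up resolving, not how Ansible resolves it: a relative ~include_vars~ path inside a role is, in my reading, searched under the role's own directories (e.g. =roles_t/abbey-core/vars/=) before the playbook directory, so =../private/vars-abbey.yml= only lands on =playbooks/../private/= because the role-relative candidates do not exist. Since this file carries database passwords, it is worth making the lookup unambiguous with the ~playbook_dir~ magic variable, e.g. `include_vars: "{{ playbook_dir }}/../private/vars-abbey.yml"`, so a stray =private/= directory under a role can never shadow it. Also, as shown, the ~include_vars:~ line has no leading "- " while the later ~- name:~ task does; if that is how it is tangled, the resulting =tasks/main.yml= is a mapping followed by a list and will not parse.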
** Install Additional Packages
The scripts that maintain the abbey's web site and run the Weather
packages).
#+CAPTION: =roles_t/abbey-core/tasks/main.yml=
-#+BEGIN_SRC conf :tangle roles_t/abbey-core/tasks/main.yml :mkdirp yes
----
+#+BEGIN_SRC conf :tangle roles_t/abbey-core/tasks/main.yml
+
- name: Install additional packages.
apt:
pkg: [ libhtml-tree-perl, libjs-jquery, mit-scheme, gnuplot ]
}
#+END_SRC
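Review bot: The stray "}" after the ~pkg:~ list (the context line just before =#+END_SRC=) does not belong in a YAML task list and would make the tangled =tasks/main.yml= unparsable; if it is really in the source, drop it. Removing ":mkdirp yes" and the "---" line is correct, because this block is appended to the same =roles_t/abbey-core/tasks/main.yml= that the earlier ~include_vars~ block already creates, and a second "---" mid-file would start a second YAML document, which Ansible rejects. The added blank line should be kept so the appended task is visibly separated.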
-*** NAGIOS Monitoring of Kamino
+*** NAGIOS Monitoring of Kamino
#+CAPTION: =roles_t/abbey-core/templates/nagios-kamino.cfg=
#+BEGIN_SRC conf :tangle roles_t/abbey-core/templates/nagios-kamino.cfg
** Include Abbey Variables
Private variables in =private/vars-abbey.yml= are needed, and included
-here, as in the ~abbey-core~ role.
+here, as in the ~abbey-core~ role. The file path is relative to the
+playbook's directory, =playbooks/=.
#+CAPTION: =roles_t/abbey-dvr/tasks/main.yml=
#+BEGIN_SRC conf :tangle roles_t/abbey-dvr/tasks/main.yml :mkdirp yes
include_vars: ../private/vars-abbey.yml
#+END_SRC
-The relative filename should be found only in the playbook's
-directory, =playbooks/=.
-
** Install Zoneminder v1.34
The latest version of Zoneminder (1.36) was manually downloaded, built
** Include Abbey Variables
Private variables in =private/vars-abbey.yml= are needed, as in the
-~abbey-core~ role.
+~abbey-core~ role. The file path is relative to the playbook's
+directory, =playbooks/=.
#+CAPTION: =roles_t/abbey-tvr/tasks/main.yml=
#+BEGIN_SRC conf :tangle roles_t/abbey-tvr/tasks/main.yml :mkdirp yes
include_vars: ../private/vars-abbey.yml
#+END_SRC
-The relative filename should be found only in the playbook's
-directory, =playbooks/=.
-
** Install MythTV Build Requisites
A number of developer packages are needed to build MythTV. The wiki
hosts: gate
roles: [ gate ]
-- name: Configure Campus
+- name: Configure Cloister
hosts: campus
roles: [ campus, abbey-cloister ]
- [[*Create Wired Domain Name][Create Wired Domain Name]]
Wireless IoT devices are manually configured with the cloister Wi-Fi
-password and may be given a private domain name as described here.
+password and may be given a private domain name as described in the
+last step:
- [[*Create Wireless Domain Name][Create Wireless Domain Name]]
** Connect to Cloister VPN
-Wireless devices connected to the cloister Wi-Fi will get an IP
-address on the access point's local network and a default route to the
-Internet, per the default configuration of a commodity cable modem
-with Wi-Fi access point included. Access to further abbey resources,
-however, is possible only via the cloister VPN.
+Wireless devices (with the cloister Wi-Fi password) can get an IP
+address and a default route to the Internet with no special
+configuration. Neither said devices /nor/ the access point require
+special configuration. Any Wi-Fi access point, e.g. as found in a
+cable modem, will work with zero configuration. The abbey's networks,
+however, are /not/ accessible except via the cloister VPN.
Connections to the cloister VPN are authorized by OpenVPN
configuration (=.ovpn=) files generated by the ~./abbey client...~
cloister VPN via the following process.
- Create a new client certificate and OpenVPN configuration for the
- new campus server.
- - Copy the =campus.ovpn= file to =/etc/openvpn/cloister.conf=.
- - In a secure shell session on the new machine as ~sysadm~:
- - Install the ~openvpn~ and ~openvpn-systemd-resolved~ software
- packages.
- - Start the SystemD service unit.
- - Test the connection (and name resolution).
- - Enable the SystemD service unit.
- - Clean up secrets on the new machine.
- - Clean up secrets on the administrator's machine.
-
-And these are the commands.
+ new abbey server.
+ - Copy the =campus.ovpn= file to the new machine.
+ - On the new machine:
+ - Install the ~openvpn-systemd-resolved~ package.
+ - Copy =campus.ovpn= to =/etc/openvpn/cloister.conf=.
+ - Start the OpenVPN service.
+ - Check that the cloister VPN was connected.
+ - Logout and unplug the cloister Ethernet.
+ - Test the cloister VPN connection (and private name resolution)
+ with ~ping -c1 core~.
+
+And these are the commands:
#+BEGIN_SRC sh
./abbey client campus new
scp campus.ovpn sysadm@new-w:
ssh sysadm@new-w
-sudo apt install openvpn openvpn-systemd-resolved
-( cd; umask 077; sudo cp campus.ovpn /etc/openvpn/cloister.conf )
+sudo apt install openvpn-systemd-resolved
+sudo cp campus.ovpn /etc/openvpn/cloister.conf
sudo systemctl start openvpn@cloister
+systemctl status openvpn@cloister
ping -c1 core
sudo systemctl enable openvpn@cloister
rm campus.ovpn
rm campus.ovpn
#+END_SRC
+It may be necessary to reboot before the final tests.
+
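Review bot: Replacing `( cd; umask 077; sudo cp campus.ovpn /etc/openvpn/cloister.conf )` with a bare `sudo cp campus.ovpn /etc/openvpn/cloister.conf` regresses file permissions: =cloister.conf= embeds the client's private key, and without the umask it inherits the mode of =campus.ovpn= (typically 0644), so every local account can read the VPN key. Suggest `sudo install -m 600 campus.ovpn /etc/openvpn/cloister.conf` instead. The command listing also no longer matches the step list: the steps say to check the connection, "Logout and unplug the cloister Ethernet", then test with ~ping -c1 core~, but the commands ping before enabling and while still on Ethernet, there is no ~logout~ line, so the second `rm campus.ovpn` (meant for the administrator's machine) runs in the same SSH session and simply fails, and the "Enable the SystemD service unit" step was dropped from the list even though `sudo systemctl enable openvpn@cloister` is still in the commands.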
*** Debian Desktops
-Wireless Debian desktop machines (both PCs and Pis, running
-NetworkManager) and are connected to the cloister VPN via the
-following process. Note that they do not appear in the set of
-~campus~ hosts and are not configured by Ansible. They do not appear
-in Ansible's host inventory at all unless the desktop owner is willing
-to provide the password to a privileged account on their machine.
+Wireless Debian desktops (with NetworkManager) include our 8GB Core i3
+NUC (IntelĀ®'s Next Unit of Computing) and our 8GB Raspberry Pi 4.
+They run the Pop!_OS and Raspberry Pi OS desktops respectively. They
+are connected to the cloister VPN via the following process.
- - Create a new client certificate and campus/public OpenVPN
- configurations for the new abbey desktop.
- - Copy the =campus.ovpn= and =public.ovpn= files to the new desktop.
- - Install the ~openvpn~, ~openvpn-systemd-resolved~ and
- ~network-manager-openvpn-gnome~ packages on the new desktop.
+ - Create a new client certificate and OpenVPN configuration for the
+ new abbey desktop, a =campus.ovpn= file.
+ - Create a =wifi= file that looks like this (assuming the wireless
+ network device is named ~wlan0~).
+
+ : auto wlan0
+ : iface wlan0 inet dhcp
+ : wpa-ssid "Birchwood Abbey"
+ : wpa-psk "PASSWORD"
+
+ - Copy the =wifi= and =campus.ovpn= files to the new machine.
+ - On the new machine:
+ - Install the ~openvpn-systemd-resolved~ package.
+ - Copy =wifi= to =/etc/network/interfaces.d/=.
+ - Bring up the Wi-Fi interface.
+ - Copy =campus.ovpn= to =/etc/openvpn/cloister.conf=.
+ - Start the OpenVPN service.
+ - Check that the cloister VPN was connected.
+ - Logout and unplug the cloister Ethernet.
+ - Test the cloister VPN connection (and private name resolution)
+ with ~ping -c1 core~.
+
+And these are the commands:
+
+#+BEGIN_SRC sh
+./abbey client campus new
+scp wifi campus.ovpn sysadm@new-w:
+ssh sysadm@new-w
+sudo apt install openvpn-systemd-resolved
+sudo cp wifi /etc/network/interfaces.d/
+sudo ifup wlan0
+sudo cp campus.ovpn /etc/openvpn/cloister.conf
+sudo systemctl start openvpn@cloister
+systemctl status openvpn@cloister
+ping -c1 core
+sudo systemctl enable openvpn@cloister
+rm wifi campus.ovpn
+logout
+rm wifi campus.ovpn
+#+END_SRC
+
+It may be necessary to reboot before the final tests.
+
+As configured above, the wireless Debian desktops make automatic,
+persistent connections to the cloister Wi-Fi and VPN, and so can be
+used much like a wired desktop machine. They are typically connected
+to a large TV and auto-login to an unprivileged account named ~house~,
+i.e. anyone in the house.
+
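Review bot: `sudo cp wifi /etc/network/interfaces.d/` installs the ~wpa-psk~ in plaintext with the mode of the copied file (typically 0644), so the cloister Wi-Fi password becomes readable by any local account, including the auto-login ~house~ account described at the end of this section; `sudo install -m 600 wifi /etc/network/interfaces.d/wifi` keeps it root-only (ifupdown reads it as root), and the same applies to the `sudo cp campus.ovpn /etc/openvpn/cloister.conf` line. As in the server procedure, the commands run ~ping -c1 core~ before ~logout~ and before the Ethernet is unplugged, so the test does not actually exercise the Wi-Fi plus VPN path the step list says it tests; move the test after the unplug or state that it must be repeated from the console. The paragraph also says these machines run NetworkManager while the =wifi= file configures ~wlan0~ through ifupdown; a sentence on how the two coexist (NetworkManager leaving ifupdown interfaces unmanaged) would save the next reader a surprise. Finally, "IntelĀ®" in the added NUC sentence is mis-encoded and should read "Intel®".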
+*** Private Desktops
+
+Member notebooks are private machines not remotely administered by the
+abbey. These machines roam, and so are authorized to connect to the
+cloister VPN or the public VPN. This is how they are connected to the
+VPNs:
+
+ - Create a new client certificate and OpenVPN configurations for the
+ new abbey desktop, =campus.ovpn= and =public.ovnp= files.
+ - Copy the =campus.ovpn= and =public.ovpn= files to the new machine.
+ - On the new machine:
+ - Install the ~openvpn-systemd-resolved~ and
+ ~network-manager-openvpn-gnome~ packages.
- Open the desktop Settings > Network > VPN + > Import from
file... and choose =~/campus.ovpn=.
- Open the Routes dialogues for both IPv4 and IPv6 and choose
"Use this connection only for resources on its network.".
- Save the new VPN.
- Do the same with the =~/public.ovpn= file.
- - Connected the cloister VPN and test it with ~ping -c1 core~.
- - Expunge the =~/campus.ovpn= and =~/public.ovpn= just as the system
- administrator will have already done.
-
-And these are the commands, assuming there is a privileged ~sysadm~
-account available on the new desktop machine.
-
-#+BEGIN_SRC sh
-./abbey client debian dicks-notebook dick
-scp campus.ovpn public.ovpn sysadm@dicks-notebook.lan:
-rm campus.ovpn public.ovpn
-ssh sysadm@dicks-notebook.lan
-sudo apt install openvpn openvpn-systemd-resolved \
- network-manager-openvpn-gnome
-ping -c1 core.small.private.
-#+END_SRC
-
-Note that Dick's notebook does not need to connect to the cloister
-Ethernet. It is authorized simply by copying the =.ovpn= files
-securely (e.g. using ~ssh~) to a local domain name provided by the
-Wi-Fi AP (~dicks-notebook.lan~). If the AP does not provide a local
-domain name, the machine's Wi-Fi IP address,
-e.g. ~sysadm@192.168.10.225~, can be used instead. (This IP address
-is often revealed in the desktop network settings.)
+ - Connect the appropriate VPN and test it (and private name
+ resolution) with ~ping -c1 core~.
+ - Expunge (delete /and/ empty the trash) the =~/campus.ovpn= and
+ =~/public.ovpn= files.
+
+We assume the desktop is running NetworkManager, which is the case in
+all our Debian desktops from Pop!_OS and Ubuntu to Mint and Raspberry
+Pi OS.
+
+Note that a new member's notebook does not need to be patched to the
+cloister Ethernet nor connected to the cloister Wi-Fi. It can be
+authorized "remotely" simply by copying the =.ovpn= files securely,
+e.g. using ~ssh~ to any "known host" on the Internet.
+
+The members of [[file:Institute/README.org][A Small Institute]] are peers, and enjoy complete,
+individual privacy. The administrator does /not/ expect to have "root
+access" to members' machines, their desktops, personal diaries and
+photos. The monks of the abbey are brothers, and tolerate a little
+less than complete individual privacy (still expecting all necessary
+and appropriate privacy, being in a position to punish deviants).
+
+Our private notebooks are included in the Ansible inventory, mainly so
+they can be included in the weekly (or more frequent!) network
+upgrades. The ~campus~ and ~abbey-cloister~ roles are not applied
+though their Postfix and other configurations are recommended. Remote
+access by the administrator is authorized and the privileged account's
+password is included in =Secret/become.yml=.
*** Android
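Review bot: In the Private Desktops hunk above, "=campus.ovpn= and =public.ovnp= files" has a typo (should be =public.ovpn=). The rewrite also removed the one command that produced both files, `./abbey client debian dicks-notebook dick`, without replacing it, so the first step now says "Create a new client certificate and OpenVPN configurations" with no example invocation; a single `./abbey client ...` line would restore that. The section also contradicts itself: it opens with "Member notebooks are private machines not remotely administered by the abbey", then ends with "Remote access by the administrator is authorized and the privileged account's password is included in =Secret/become.yml=". If the institute/abbey distinction is the intent, say explicitly that the second statement applies to abbey notebooks only.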