"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
-<!-- 2024-04-03 Wed 11:00 -->
+<!-- 2024-04-21 Sun 14:40 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>A Small Institute</title>
members off campus.
</p>
-<pre class="example" id="orgf7cca3e">
+<pre class="example" id="org9c367ba">
=
_|||_
=-The-Institute-=
</pre>
</div>
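Review bot: The `orgf7cca3e` to `org9c367ba` change here, repeated on every heading and `<pre>` below, is org-export regenerating its anchors rather than a content edit; it swamps the one substantive change in this patch (the BIND options under 8.3) and invalidates any bookmark or inbound link to an old anchor. Giving the headings a `:CUSTOM_ID:` property (org emits it as the `id`) would keep anchors stable across exports and confine future diffs to real edits.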
-<div class="TEXT" id="org80ad917">
+<div class="TEXT" id="org10a0f5d">
<p>
=> 10.62.17.0/24
</p>
campground Wi-Fi access point, etc.</li>
</ol>
-<pre class="example" id="orgf915d51">
+<pre class="example" id="org68b3f43">
=============== | ==================================================
| Premises
(Campus ISP)
following topology.
</p>
-<pre class="example" id="org9bcafc4">
+<pre class="example" id="orgb83deda">
=============== | ==================================================
| Premises
(House ISP)
institute's servers. At the moment there is just the one.
</p>
</div>
-<div id="outline-container-org88e2a87" class="outline-3">
-<h3 id="org88e2a87"><span class="section-number-3">6.1.</span> Include Particulars</h3>
+<div id="outline-container-org0fcff87" class="outline-3">
+<h3 id="org0fcff87"><span class="section-number-3">6.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-6-1">
<p>
The <code>all</code> role's task contains a reference to a common institute
certificates signed by the institute CA.
</p>
</div>
-<div id="outline-container-org9ed2166" class="outline-3">
-<h3 id="org9ed2166"><span class="section-number-3">7.1.</span> Include Particulars</h3>
+<div id="outline-container-orgcbd54ab" class="outline-3">
+<h3 id="orgcbd54ab"><span class="section-number-3">7.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-7-1">
<p>
The first task, as in <a href="#orgd60dcd1">The All Role</a>, is to include the institute
</div>
</div>
</div>
-<div id="outline-container-org667399b" class="outline-3">
-<h3 id="org667399b"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
+<div id="outline-container-orgef26e47" class="outline-3">
+<h3 id="orgef26e47"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-7-2">
<p>
This task ensures that Front's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
</div>
</div>
</div>
-<div id="outline-container-orgbeed30e" class="outline-3">
-<h3 id="orgbeed30e"><span class="section-number-3">7.3.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org1d7831c" class="outline-3">
+<h3 id="org1d7831c"><span class="section-number-3">7.3.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-7-3">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-org2dfafe1" class="outline-3">
-<h3 id="org2dfafe1"><span class="section-number-3">7.5.</span> Configure Monkey</h3>
+<div id="outline-container-orgf602306" class="outline-3">
+<h3 id="orgf602306"><span class="section-number-3">7.5.</span> Configure Monkey</h3>
<div class="outline-text-3" id="text-7-5">
<p>
The small institute runs cron jobs and web scripts that generate
</div>
</div>
</div>
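Review bot: The regenerated ids in this hunk are reassigned, not merely new: `orgf602306` now identifies 7.5 Configure Monkey on Front but was the id of 8.8 Configure Monkey on Core in the previous export, and the same reuse appears for `org9d61acb` (7.8, formerly 8.11), `orgc30c758` (7.9, formerly 9.6), `orgf01b935` (7.12, formerly 8.16) and `orgb967873` (7.14, formerly 9.7). The cross-references `href="#orgd60dcd1"` (The All Role), `href="#org8d60b7b"` (The Core Machine) and `href="#org9240129"` (The Front Role) sit in unchanged context, so confirm their targets were re-exported with the same ids; otherwise an old link to a Core section now silently lands on the Front section of the same name.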
-<div id="outline-container-orge76bee7" class="outline-3">
-<h3 id="orge76bee7"><span class="section-number-3">7.7.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-orgfb6d583" class="outline-3">
+<h3 id="orgfb6d583"><span class="section-number-3">7.7.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-7-7">
<p>
The institute prefers to install security updates as soon as possible.
</div>
</div>
</div>
-<div id="outline-container-orgb1bb413" class="outline-3">
-<h3 id="orgb1bb413"><span class="section-number-3">7.8.</span> Configure User Accounts</h3>
+<div id="outline-container-org9d61acb" class="outline-3">
+<h3 id="org9d61acb"><span class="section-number-3">7.8.</span> Configure User Accounts</h3>
<div class="outline-text-3" id="text-7-8">
<p>
User accounts are created immediately so that Postfix and Dovecot can
</div>
</div>
</div>
-<div id="outline-container-orgf522cdf" class="outline-3">
-<h3 id="orgf522cdf"><span class="section-number-3">7.9.</span> Install Server Certificate</h3>
+<div id="outline-container-orgc30c758" class="outline-3">
+<h3 id="orgc30c758"><span class="section-number-3">7.9.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-7-9">
<p>
The servers on Front use the same certificate (and key) to
</div>
</div>
</div>
-<div id="outline-container-org2535c23" class="outline-3">
-<h3 id="org2535c23"><span class="section-number-3">7.12.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-orgf01b935" class="outline-3">
+<h3 id="orgf01b935"><span class="section-number-3">7.12.</span> Configure Dovecot IMAPd</h3>
<div class="outline-text-3" id="text-7-12">
<p>
Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to
</div>
</div>
</div>
-<div id="outline-container-org03de61c" class="outline-3">
-<h3 id="org03de61c"><span class="section-number-3">7.14.</span> Configure OpenVPN</h3>
+<div id="outline-container-orgb967873" class="outline-3">
+<h3 id="orgb967873"><span class="section-number-3">7.14.</span> Configure OpenVPN</h3>
<div class="outline-text-3" id="text-7-14">
<p>
Front uses OpenVPN to provide the institute's public VPN service. The
account. (For details, see <a href="#org8d60b7b">The Core Machine</a>.)
</p>
</div>
-<div id="outline-container-orgbb393c3" class="outline-3">
-<h3 id="orgbb393c3"><span class="section-number-3">8.1.</span> Include Particulars</h3>
+<div id="outline-container-org3b3706b" class="outline-3">
+<h3 id="org3b3706b"><span class="section-number-3">8.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-8-1">
<p>
The first task, as in <a href="#org9240129">The Front Role</a>, is to include the institute
</div>
</div>
</div>
-<div id="outline-container-org0fec6b7" class="outline-3">
-<h3 id="org0fec6b7"><span class="section-number-3">8.2.</span> Configure Hostname</h3>
+<div id="outline-container-orgecf0c60" class="outline-3">
+<h3 id="orgecf0c60"><span class="section-number-3">8.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-8-2">
<p>
This task ensures that Core's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
</div>
</div>
</div>
-<div id="outline-container-org48eccc5" class="outline-3">
-<h3 id="org48eccc5"><span class="section-number-3">8.3.</span> Configure Systemd Resolved</h3>
+<div id="outline-container-org64e4c11" class="outline-3">
+<h3 id="org64e4c11"><span class="section-number-3">8.3.</span> Configure Systemd Resolved</h3>
<div class="outline-text-3" id="text-8-3">
<p>
Core runs the campus name server, so Resolved is configured to use it
Examples of the necessary zone files, for the "Install BIND9
zonefiles." task above, are given below. If the campus ISP provided
one or more IP addresses for stable name servers, those should
-probably be used as forwarders rather than Google. And SecureDNS just
-craps up <q>/var/log/</q> and the Systemd journal.
+probably be used as forwarders rather than Google.
</p>
<div class="org-src-container">
<code>bind-options</code><pre class="src src-conf" id="orgd750f78"><span class="org-type">acl </span><span class="org-string"><span class="org-type">"trusted"</span></span> {
- {{ private_net_cidr }};
- {{ public_vpn_net_cidr }};
- {{ campus_vpn_net_cidr }};
- {{ gate_wifi_net_cidr }};
- localhost;
+ {{ private_net_cidr }};
+ {{ public_vpn_net_cidr }};
+ {{ campus_vpn_net_cidr }};
+ {{ gate_wifi_net_cidr }};
+ localhost;
};
<span class="org-type">options</span> {
allow-recursion { trusted; };
allow-query-cache { trusted; };
- <span class="org-variable-name">//</span>============================================================
- // If BIND logs error messages about the root key being
- // expired, you will need to update your keys.
- // See https://www.isc.org/bind-keys
- <span class="org-variable-name">//</span>============================================================
- //dnssec-validation auto;
- // If Secure DNS is too much of a headache...
- dnssec-enable no;
- dnssec-validation no;
-
- auth-nxdomain no; <span class="org-comment-delimiter"># </span><span class="org-comment">conform to RFC1035</span>
- //listen-on-v6 { any; };
- listen-on { {{ core_addr }}; };
+ <span class="org-type">listen-on</span> {
+ {{ core_addr }};
+ localhost;
+ };
};
</pre>
</div>
</div>
</div>
</div>
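Review bot: Dropping `dnssec-validation no;` is a behaviour change the prose hunk above does not document: with the option absent, BIND 9.16 and later default to `dnssec-validation auto`, so the campus resolver now validates answers against the built-in root trust anchor, while the paragraph only deleted the complaint about SecureDNS log noise. Add a sentence to the 8.3 text stating that validation is now on and that the Google or ISP forwarders must return DNSSEC records for it to work, and run `named-checkconf` on the templated file to confirm the new `listen-on { {{ core_addr }}; localhost; };` block parses. Removing `dnssec-enable` is correct (it is obsolete in current BIND 9), and `auth-nxdomain no;` was already the default, so neither of those removals changes behaviour.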
-<div id="outline-container-org4d265a3" class="outline-3">
-<h3 id="org4d265a3"><span class="section-number-3">8.7.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org5ed8d7b" class="outline-3">
+<h3 id="org5ed8d7b"><span class="section-number-3">8.7.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-8-7">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-orgf602306" class="outline-3">
-<h3 id="orgf602306"><span class="section-number-3">8.8.</span> Configure Monkey</h3>
+<div id="outline-container-org7915c60" class="outline-3">
+<h3 id="org7915c60"><span class="section-number-3">8.8.</span> Configure Monkey</h3>
<div class="outline-text-3" id="text-8-8">
<p>
The small institute runs cron jobs and web scripts that generate
</div>
</div>
</div>
-<div id="outline-container-org4aa0705" class="outline-3">
-<h3 id="org4aa0705"><span class="section-number-3">8.9.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org15f2e66" class="outline-3">
+<h3 id="org15f2e66"><span class="section-number-3">8.9.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-8-9">
<p>
The institute prefers to install security updates as soon as possible.
</div>
</div>
</div>
-<div id="outline-container-org9d61acb" class="outline-3">
-<h3 id="org9d61acb"><span class="section-number-3">8.11.</span> Configure User Accounts</h3>
+<div id="outline-container-org257e089" class="outline-3">
+<h3 id="org257e089"><span class="section-number-3">8.11.</span> Configure User Accounts</h3>
<div class="outline-text-3" id="text-8-11">
<p>
User accounts are created immediately so that backups can begin
</div>
</div>
</div>
-<div id="outline-container-org2157407" class="outline-3">
-<h3 id="org2157407"><span class="section-number-3">8.12.</span> Install Server Certificate</h3>
+<div id="outline-container-org76dff78" class="outline-3">
+<h3 id="org76dff78"><span class="section-number-3">8.12.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-8-12">
<p>
The servers on Core use the same certificate (and key) to authenticate
</div>
</div>
</div>
-<div id="outline-container-orgf01b935" class="outline-3">
-<h3 id="orgf01b935"><span class="section-number-3">8.16.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-org8c230d4" class="outline-3">
+<h3 id="org8c230d4"><span class="section-number-3">8.16.</span> Configure Dovecot IMAPd</h3>
<div class="outline-text-3" id="text-8-16">
<p>
Core uses Dovecot's IMAPd to store and serve member emails. As on
configurations, etc.
</p>
</div>
-<div id="outline-container-org4d1b050" class="outline-3">
-<h3 id="org4d1b050"><span class="section-number-3">9.1.</span> Include Particulars</h3>
+<div id="outline-container-org665e760" class="outline-3">
+<h3 id="org665e760"><span class="section-number-3">9.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-9-1">
<p>
The following should be familiar boilerplate by now.
</div>
</div>
</div>
-<div id="outline-container-orgc30c758" class="outline-3">
-<h3 id="orgc30c758"><span class="section-number-3">9.6.</span> Install Server Certificate</h3>
+<div id="outline-container-org5259a7b" class="outline-3">
+<h3 id="org5259a7b"><span class="section-number-3">9.6.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-9-6">
<p>
The (OpenVPN) server on Gate uses an institute certificate (and key)
</div>
</div>
</div>
-<div id="outline-container-orgb967873" class="outline-3">
-<h3 id="orgb967873"><span class="section-number-3">9.7.</span> Configure OpenVPN</h3>
+<div id="outline-container-org19cf6c6" class="outline-3">
+<h3 id="org19cf6c6"><span class="section-number-3">9.7.</span> Configure OpenVPN</h3>
<div class="outline-text-3" id="text-9-7">
<p>
Gate uses OpenVPN to provide the institute's campus VPN service. Its
configured manually.
</p>
</div>
-<div id="outline-container-org0fcff87" class="outline-3">
-<h3 id="org0fcff87"><span class="section-number-3">10.1.</span> Include Particulars</h3>
+<div id="outline-container-org4e74a72" class="outline-3">
+<h3 id="org4e74a72"><span class="section-number-3">10.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-10-1">
<p>
The following should be familiar boilerplate by now.
</div>
</div>
</div>
-<div id="outline-container-orgef26e47" class="outline-3">
-<h3 id="orgef26e47"><span class="section-number-3">10.2.</span> Configure Hostname</h3>
+<div id="outline-container-org6f97126" class="outline-3">
+<h3 id="org6f97126"><span class="section-number-3">10.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-10-2">
<p>
Clients should be using the expected host name.
</div>
</div>
</div>
-<div id="outline-container-org64e4c11" class="outline-3">
-<h3 id="org64e4c11"><span class="section-number-3">10.3.</span> Configure Systemd Resolved</h3>
+<div id="outline-container-org1fe8eef" class="outline-3">
+<h3 id="org1fe8eef"><span class="section-number-3">10.3.</span> Configure Systemd Resolved</h3>
<div class="outline-text-3" id="text-10-3">
<p>
Campus machines use the campus name server on Core (or <code>dns.google</code>),
</div>
</div>
</div>
-<div id="outline-container-org1d7831c" class="outline-3">
-<h3 id="org1d7831c"><span class="section-number-3">10.5.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-orgc133751" class="outline-3">
+<h3 id="orgc133751"><span class="section-number-3">10.5.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-10-5">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-orgfb6d583" class="outline-3">
-<h3 id="orgfb6d583"><span class="section-number-3">10.6.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org09cd0a8" class="outline-3">
+<h3 id="org09cd0a8"><span class="section-number-3">10.6.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-10-6">
<p>
The institute prefers to install security updates as soon as possible.
</div></div>
<div id="postamble" class="status">
<p class="author">Author: Matt Birkholz</p>
-<p class="date">Created: 2024-04-03 Wed 11:00</p>
+<p class="date">Created: 2024-04-21 Sun 14:40</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>