configuration keeps them from even listening at the IMAP port
(e.g. for ~STARTTLS~ commands).
-#+CAPTION: ~dovecot-ports~
#+NAME: dovecot-ports
+#+CAPTION: ~dovecot-ports~
#+BEGIN_SRC conf
service imap-login {
inet_listener imap {
#+NAME: backup
#+CAPTION: [[file:private/backup][=private/backup=]]
-#+BEGIN_SRC sh :tangle private/backup :mkdirp yes :tangle-mode u=rw
+#+BEGIN_SRC sh :tangle private/backup :mkdirp yes :tangle-mode u=rwx,g=,o=
#!/bin/bash -e
#
# DO NOT EDIT.
like DNS-over-HTTPS will pass us by.
#+CAPTION: [[file:private/vars.yml][=private/vars.yml=]]
-#+BEGIN_SRC conf :tangle private/vars.yml :tangle-mode u=rw :mkdirp yes
+#+BEGIN_SRC conf :tangle private/vars.yml :tangle-mode u=rw,g=,o=
---
domain_priv: small.private
#+END_SRC
~systemd~ package).
#+CAPTION: [[file:roles_t/all/tasks/main.yml][=roles_t/all/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/all/tasks/main.yml :noweb no-export
+#+BEGIN_SRC conf :tangle roles_t/all/tasks/main.yml
- name: Install systemd-resolved.
become: yes
#+NAME: apache-userdir-front
#+CAPTION: ~apache-userdir-front~
-#+BEGIN_SRC conf :noweb no-export
+#+BEGIN_SRC conf
UserDir /home/www-users
<Directory /home/www-users/>
Require all granted
service. Core has an interface on this VPN and is expected to forward
packets between it and the institute's other private networks.
-The following example [[=private/front-wg0.conf=][=private/front-wg0.conf=]] configuration recognizes
-Core by its public key and routes the institute's private networks to
-it. It also recognizes Dick's notebook and his (replacement) phone,
-assigning them host numbers 4 and 6 on the VPN.
+The example [[=private/front-wg0.conf=][=private/front-wg0.conf=]] below recognizes Core by its
+public key and routes the institute's private networks to it. It also
+recognizes Dick's notebook and his (replacement) phone, assigning them
+host numbers 4 and 6 on the VPN.
#+NAME: =private/front-wg0.conf=
-#+CAPTION: =private/front-wg0.conf=
-#+BEGIN_SRC conf
+#+CAPTION: [[file:private/front-wg0.conf][=private/front-wg0.conf=]]
+#+BEGIN_SRC conf :tangle private/front-wg0.conf :tangle-mode u=rw,g=,o=
[Interface]
Address = 10.177.87.1/24
ListenPort = 39608
The first step is to install Kamailio.
#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml :noweb no-export
+#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml
- name: Install Kamailio.
become: yes
RFC3442's extension to encode a second (non-default) static route.
The default route is through the campus ISP at Gate. A second route
directs campus traffic to the Front VPN through Core. This is just an
-example file, with MAC addresses chosen to (probably?) match
-VirtualBox test machines. In actual use =private/core-dhcpd.conf=
-refers to a replacement file.
+example file, with MAC addresses chosen to match VirtualBox test
+machines. In actual use =private/core-dhcpd.conf= refers to a
+replacement file.
#+CAPTION: [[file:private/core-dhcpd.conf][=private/core-dhcpd.conf=]]
-#+BEGIN_SRC conf :tangle private/core-dhcpd.conf :tangle-mode u=rw
+#+BEGIN_SRC conf :tangle private/core-dhcpd.conf :tangle-mode u=rw,g=,o=
option domain-name "small.private";
option domain-name-servers 192.168.56.1;
0, 192,168,56,2;
}
-host core {
- hardware ethernet 08:00:27:45:3b:a2; fixed-address 192.168.56.1; }
-host gate {
- hardware ethernet 08:00:27:e0:79:ab; fixed-address 192.168.56.2; }
-host server {
- hardware ethernet 08:00:27:f3:41:66; fixed-address 192.168.56.3; }
+host dick {
+ hardware ethernet 08:00:27:dc:54:b5; fixed-address 192.168.56.4; }
#+END_SRC
The following tasks install ISC's DHCP server and configure it with
#+END_SRC
#+CAPTION: [[file:private/db.domain][=private/db.domain=]]
-#+BEGIN_SRC conf :tangle private/db.domain :tangle-mode u=rw
+#+BEGIN_SRC conf :tangle private/db.domain :tangle-mode u=rw,g=,o=
;
; BIND data file for a small institute's PRIVATE domain names.
;
#+END_SRC
#+CAPTION: [[file:private/db.private][=private/db.private=]]
-#+BEGIN_SRC conf :tangle private/db.private :tangle-mode u=rw
+#+BEGIN_SRC conf :tangle private/db.private :tangle-mode u=rw,g=,o=
;
; BIND reverse data file for a small institute's private Ethernet.
;
#+END_SRC
#+CAPTION: [[file:private/db.public_vpn][=private/db.public_vpn=]]
-#+BEGIN_SRC conf :tangle private/db.public_vpn :tangle-mode u=rw
+#+BEGIN_SRC conf :tangle private/db.public_vpn :tangle-mode u=rw,g=,o=
;
; BIND reverse data file for a small institute's public VPN.
;
#+END_SRC
#+CAPTION: [[file:private/db.campus_vpn][=private/db.campus_vpn=]]
-#+BEGIN_SRC conf :tangle private/db.campus_vpn :tangle-mode u=rw
+#+BEGIN_SRC conf :tangle private/db.campus_vpn :tangle-mode u=rw,g=,o=
;
; BIND reverse data file for a small institute's campus VPN.
;
The default daemon's default configuration is fine.
#+CAPTION: [[file:roles_t/core/tasks/main.yml][=roles_t/core/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/core/tasks/main.yml :noweb no-export
+#+BEGIN_SRC conf :tangle roles_t/core/tasks/main.yml
- name: Install Chrony.
become: yes
#+END_SRC
#+CAPTION: [[file:roles_t/core/handlers/main.yml][=roles_t/core/handlers/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/core/handlers/main.yml :noweb no-export
+#+BEGIN_SRC conf :tangle roles_t/core/handlers/main.yml
- name: Restart Chrony.
systemd:
#+NAME: apache-userdir-core
#+CAPTION: ~apache-userdir-core~
-#+BEGIN_SRC conf :noweb no-export
+#+BEGIN_SRC conf
UserDir Public/HTML
<Directory /home/*/Public/HTML/>
Require all granted
#+NAME: webupdate
#+CAPTION: [[file:private/webupdate][=private/webupdate=]]
-#+BEGIN_SRC sh
+#+BEGIN_SRC sh :tangle private/webupdate :tangle-mode u=rwx,g=,o=
#!/bin/bash -e
#
# DO NOT EDIT.
rsync -avz --delete --chmod=g-w \
--filter='exclude *~' \
--filter='exclude .git*' \
- ./ {{ domain_name }}:/home/www/
+ ./ small.example.org:/home/www/
#+END_SRC
The following tasks install the =webupdate= script from [[file:private/][=private/=]],
WireGuard™ Subnet]] for Front, Core is expected to forward packets from/to the
private networks.
-The following example [[file:private/core-wg0.conf][=private/core-wg0.conf=]] configuration recognizes
+The following example [[=private/core-wg0.conf=][=private/core-wg0.conf=]] configuration recognizes
Front by its public key, ~S+6HaT~, looking for it at the institute's
public IP address and a special port.
+#+NAME: =private/core-wg0.conf=
#+CAPTION: [[file:private/core-wg0.conf][=private/core-wg0.conf=]]
-#+BEGIN_SRC conf :tangle private/core-wg0.conf
+#+BEGIN_SRC conf :tangle private/core-wg0.conf :tangle-mode u=rw,g=,o=
[Interface]
Address = 10.177.87.2
PostUp = wg set %i private-key /etc/wireguard/private-key
AllowedIPs = 10.177.87.1
AllowedIPs = 10.177.87.0/24
#+END_SRC
-# TODO: Make this a template?
The following tasks install WireGuard™, configure it with
-[[file:private/core-wg0.conf][=private/core-wg0.conf=]], and enable the service.
+[[=private/core-wg0.conf=][=private/core-wg0.conf=]], and enable the service.
#+CAPTION: [[file:roles_t/core/tasks/main.yml][=roles_t/core/tasks/main.yml=]]
#+BEGIN_SRC conf :tangle roles_t/core/tasks/main.yml
assigning them the host numbers 3, 4 and 6 respectively.
#+NAME: =private/gate-wg0.conf=
-#+CAPTION: =private/gate-wg0.conf=
-#+BEGIN_SRC conf
+#+CAPTION: [[file:private/gate-wg0.conf][=private/gate-wg0.conf=]]
+#+BEGIN_SRC conf :tangle private/gate-wg0.conf :tangle-mode u=rw,g=,o=
[Interface]
Address = 10.84.139.1/24
ListenPort = 51820
line.
#+CAPTION: [[file:Secret/become.yml][=Secret/become.yml=]]
-#+BEGIN_SRC conf :tangle Secret/become.yml :tangle-mode u=rw
+#+BEGIN_SRC conf :tangle Secret/become.yml :tangle-mode u=rw,g=,o=
become_front: !vault |
$ANSIBLE_VAULT;1.1;AES256
3563626131333733666466393166323135383838666338666131336335326
#+NAME: vault-password
#+CAPTION: [[file:Secret/vault-password][=Secret/vault-password=]]
-#+BEGIN_SRC conf :tangle Secret/vault-password :tangle-mode u=r :mkdirp yes
+#+BEGIN_SRC conf :tangle Secret/vault-password :mkdirp yes :tangle-mode u=rw,g=,o=
alitysortstagess
#+END_SRC
document and its tangle as a Git submodule, e.g. in =institute/=, and
thus safely merge updates while keeping public and private particulars
separate, in sibling subdirectories =public/= and =private/=.
-The following example commands create a new Git repo in =~/net/=
-and add an =Institute/= submodule.
+The following example commands create a new Git repo in =~/network/=
+and add an =institute/= submodule.
#+BEGIN_SRC sh
cd
mkdir network
cd network
git init
-git submodule add git://birchwood-abbey.net/~puck/Institute
-git add Institute
+git submodule add git://birchwood-abbey.net/~puck/institute
+git add institute
#+END_SRC
An institute administrator would then need to add several more files.
- A top-level Ansible configuration file, =ansible.cfg=, would be
- created by copying =Institute/ansible.cfg= and changing the
- ~roles_path~ to ~roles:Institute/roles~.
+ created by copying =institute/ansible.cfg= and changing the
+ ~roles_path~ to ~roles:institute/roles~.
- A host inventory, =hosts=, would be created, perhaps by copying
- =Institute/hosts= and changing its IP addresses.
+ =institute/hosts= and changing its IP addresses.
- A site playbook, =site.yml=, would be created in a new =playbooks/=
- subdirectory by copying =Institute/playbooks/site.yml= with
+ subdirectory by copying =institute/playbooks/site.yml= with
appropriate changes.
-- All of the files in =Institute/public/= and =Institute/private/=
+- All of the files in =institute/public/= and =institute/private/=
would be copied, with appropriate changes, into new subdirectories
=public/= and =private/=.
-- =~/net/Secret= would be a symbolic link to the (auto-mounted?)
+- =~/network/Secret= would be a symbolic link to the (auto-mounted?)
location of the administrator's encrypted USB drive, as described in
section [[*Keys][Keys]].
-The files in =Institute/roles_t/= were "tangled" from this document
-and must be copied to =Institute/roles/= for reasons discussed in the
+The files in =institute/roles_t/= were "tangled" from this document
+and must be copied to =institute/roles/= for reasons discussed in the
next section. This document does not "tangle" /directly/ into
=roles/= to avoid clobbering changes to a working (debugged!)
configuration.
The =playbooks/= directory must include the institutional playbooks,
which find their settings and templates relative to this directory,
e.g. in =../private/vars.yml=. Running institutional playbooks from
-=~/net/playbooks/= means they will use =~/net/private/= rather than
-the example =~/net/Institute/private/=.
+=~/network/playbooks/= means they will use =~/network/private/= rather
+than the example =~/network/institute/private/=.
#+BEGIN_SRC sh
-cp -r Institute/roles_t Institute/roles
-( cd playbooks; ln -s ../Institute/playbooks/* . )
+cp -r institute/roles_t institute/roles
+( cd playbooks; ln -s ../institute/playbooks/* . )
#+END_SRC
Given these preparations, the ~inst~ script should work in the
super-project's directory.
#+BEGIN_SRC sh
-./Institute/inst config -n
+./institute/inst config -n
#+END_SRC
** Maintaining A Working Ansible Configuration
The first code block is the header of the ~./inst~ script.
#+CAPTION: [[file:inst][=inst=]]
-#+BEGIN_SRC perl :tangle inst :tangle-mode u=rwx,g=rx
+#+BEGIN_SRC perl :tangle inst :tangle-mode u=rwx,g=rx,o=
#!/usr/bin/perl -w
#
# DO NOT EDIT.
Most of these settings are already in =private/vars.yml=. The
following few provide the servers' public keys and ports.
-#+CAPTION: [[file:private/vars.yml][=private/vars.yml]]
+#+CAPTION: [[file:private/vars.yml][=private/vars.yml=]]
#+BEGIN_SRC conf :tangle private/vars.yml
front_wg_pubkey: S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
public_wg_port: 39608
is used instead.
#+CAPTION: [[file:private/members-empty.yml][=private/members-empty.yml=]]
-#+BEGIN_SRC conf :tangle private/members-empty.yml :tangle-mode u=rw
+#+BEGIN_SRC conf :tangle private/members-empty.yml :tangle-mode u=rw,g=,o=
---
members:
usernames: []
in [[file:Secret/][=Secret/=]].
#+CAPTION: [[file:roles_t/core/templates/passwd][=roles_t/core/templates/passwd=]]
-#+BEGIN_SRC perl :tangle roles_t/core/templates/passwd :mkdirp yes
+#+BEGIN_SRC perl :tangle roles_t/core/templates/passwd
#!/bin/perl -wT
use strict;
the client (i.e. by the WireGuard for Android™ app) and never revealed
(i.e. sent in email, copied to a network drive, etc.).
-The generated configuration vary depending on the type of client,
+The generated configurations vary depending on the type of client,
which must be given as the first argument to the command. For most
types, two configuration files are generated. =campus.conf= contains
the client's campus VPN configuration, and =public.conf= the client's
better support in NetworkManager soon.)
#+CAPTION: [[file:inst][=inst=]]
-#+BEGIN_SRC perl :tangle inst :noweb no-export
+#+BEGIN_SRC perl :tangle inst
sub write_wg_server ($$$$$);
sub write_wg_client ($$$$$$);
sub hostnum_to_ipaddr ($$);
certificate authority and GnuPG key-ring in [[file:Secret/][=Secret/=]] (included in the
distribution), can be used to configure three VirtualBox VMs
simulating Core, Gate and Front in test networks simulating a private
-Ethernet, an untrusted Ethernet, the campus ISP, and a commercial
-cloud. With the test networks up and running, a simulated member's
-notebook can be created and alternately attached to the untrusted
+Ethernet, a wild (untrusted) Ethernet, the campus ISP, and a
+commercial cloud. With the test networks up and running, a simulated
+member's notebook can be created and alternately attached to the wild
Ethernet (as though it were on the campus Wi-Fi) or the Internet (as
though it were abroad). The administrator's notebook in this
simulation is the VirtualBox host.
projects / Institute.git / commitdiff