"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
-<!-- 2023-12-30 Sat 14:12 -->
+<!-- 2024-01-01 Mon 10:48 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>A Small Institute</title>
members off campus.
</p>
-<pre class="example" id="orgee983ec">
+<pre class="example" id="org818b89f">
=
_|||_
=-The-Institute-=
</pre>
</div>
-<div class="TEXT" id="orgb3b7bab">
+<div class="TEXT" id="org979a726">
<p>
=> 10.62.17.0/24
</p>
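Review bot: the id renames in this hunk (orgee983ec to org818b89f, orgb3b7bab to org979a726) and in every outline-container-org…/h3 id hunk further down are export noise, not content changes: Org's HTML exporter mints fresh random labels on every export, so each re-export yields a diff of this size and any bookmark or external link into a section silently breaks. The page's own cross-references use the same ids (href="#org8d60b7b", href="#org9240129" in the unchanged lines below), so they are only valid for the export that produced them. Giving the headings a CUSTOM_ID property, or setting org-html-prefer-user-labels, would make the section anchors stable and confine future diffs to the real edits.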
sysadm@159.65.75.60's password: givitysticangout
notebook$ ssh sysadm@159.65.75.60
sysadm@159.65.75.60's password: givitysticangout
-sysadm@ubuntu$ ( mask 077; mkdir .ssh; \
+sysadm@ubuntu$ ( umask 077; mkdir .ssh; \
sysadm@ubuntu_ cp admin_keys .ssh/authorized_keys; \
sysadm@ubuntu_ rm admin_keys )
sysadm@ubuntu$ logout
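Review bot: mask 077 to umask 077 is the right fix, and the same correction is made in the core and gate hunks below. The typo was worse than a visible error: mask is not a command, but inside ( …; …; … ) the failure does not abort the group, so mkdir .ssh and the cp still ran under the login shell's default umask, which leaves the group/other read bits set, and produced a world-readable ~/.ssh instead of the 0700/0600 the parenthesised group is meant to guarantee. sshd's StrictModes only rejects keys when the directory or file is group/world-writable, so the 0755 directory would have worked and hidden the mistake. An explicit chmod 700 .ssh; chmod 600 .ssh/authorized_keys after the copy, or set -e inside the subshell, would state the intent rather than relying on the umask alone.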
sysadm@core.lan's password: oingstramextedil
notebook$ ssh sysadm@core.lan
sysadm@core.lan's password: oingstramextedil
-sysadm@core$ ( mask 077; mkdir .ssh; \
+sysadm@core$ ( umask 077; mkdir .ssh; \
sysadm@core_ cp admin_keys .ssh/authorized_keys )
sysadm@core$ rm admin_keys
sysadm@core$ logout
campground Wi-Fi access point, etc.</li>
</ol>
-<pre class="example" id="org1547ba5">
+<pre class="example" id="org654e520">
=============== | ==================================================
| Premises
(Campus ISP)
following topology.
</p>
-<pre class="example" id="org547d050">
+<pre class="example" id="orgd355647">
=============== | ==================================================
| Premises
(House ISP)
sysadm@gate.lan's password: icismassssadestm
notebook$ ssh sysadm@gate.lan
sysadm@gate.lan's password: icismassssadestm
-sysadm@gate$ ( mask 077; mkdir .ssh; \
+sysadm@gate$ ( umask 077; mkdir .ssh; \
sysadm@gate_ cp admin_keys .ssh/authorized_keys )
sysadm@core$ rm admin_keys
sysadm@core$ logout
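Review bot: the two lines after the fix read sysadm@core$ rm admin_keys and sysadm@core$ logout, but this session was opened with ssh sysadm@gate.lan, so the prompts should read sysadm@gate$ (compare the core session above, where the rm and logout prompts match the host). As written the transcript suggests the key file is removed on Core while the copy left on Gate survives. The ubuntu session also puts the rm inside the parenthesised group while the core and gate sessions put it outside; harmless, but the three transcripts would be easier to follow with one shape.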
certificates signed by the institute CA.
</p>
</div>
-<div id="outline-container-org0b6eaeb" class="outline-3">
-<h3 id="org0b6eaeb"><span class="section-number-3">6.1.</span> Include Particulars</h3>
+<div id="outline-container-orga19a7f7" class="outline-3">
+<h3 id="orga19a7f7"><span class="section-number-3">6.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-6-1">
<p>
The <code>front</code> role's tasks contain references to several common
</div>
</div>
</div>
-<div id="outline-container-org53f705c" class="outline-3">
-<h3 id="org53f705c"><span class="section-number-3">6.2.</span> Configure Hostname</h3>
+<div id="outline-container-org17efad4" class="outline-3">
+<h3 id="org17efad4"><span class="section-number-3">6.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-6-2">
<p>
This task ensures that Front's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
</div>
</div>
</div>
-<div id="outline-container-org0432f89" class="outline-3">
-<h3 id="org0432f89"><span class="section-number-3">6.4.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-orgd9de325" class="outline-3">
+<h3 id="orgd9de325"><span class="section-number-3">6.4.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-6-4">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-org41d0afc" class="outline-3">
-<h3 id="org41d0afc"><span class="section-number-3">6.6.</span> Configure Monkey</h3>
+<div id="outline-container-orgcd7d36c" class="outline-3">
+<h3 id="orgcd7d36c"><span class="section-number-3">6.6.</span> Configure Monkey</h3>
<div class="outline-text-3" id="text-6-6">
<p>
The small institute runs cron jobs and web scripts that generate
</div>
</div>
</div>
-<div id="outline-container-org98f9cd5" class="outline-3">
-<h3 id="org98f9cd5"><span class="section-number-3">6.8.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org6e09cb9" class="outline-3">
+<h3 id="org6e09cb9"><span class="section-number-3">6.8.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-6-8">
<p>
The institute prefers to install security updates as soon as possible.
</div>
</div>
</div>
-<div id="outline-container-orged63f05" class="outline-3">
-<h3 id="orged63f05"><span class="section-number-3">6.9.</span> Configure User Accounts</h3>
+<div id="outline-container-orge46b03e" class="outline-3">
+<h3 id="orge46b03e"><span class="section-number-3">6.9.</span> Configure User Accounts</h3>
<div class="outline-text-3" id="text-6-9">
<p>
User accounts are created immediately so that Postfix and Dovecot can
</div>
</div>
</div>
-<div id="outline-container-orge3e0d1d" class="outline-3">
-<h3 id="orge3e0d1d"><span class="section-number-3">6.10.</span> Trust Institute Certificate Authority</h3>
+<div id="outline-container-org24c5c7d" class="outline-3">
+<h3 id="org24c5c7d"><span class="section-number-3">6.10.</span> Trust Institute Certificate Authority</h3>
<div class="outline-text-3" id="text-6-10">
<p>
Front should recognize the institute's Certificate Authority as
</div>
</div>
</div>
-<div id="outline-container-orgd63b568" class="outline-3">
-<h3 id="orgd63b568"><span class="section-number-3">6.11.</span> Install Server Certificate</h3>
+<div id="outline-container-orge1c2554" class="outline-3">
+<h3 id="orge1c2554"><span class="section-number-3">6.11.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-6-11">
<p>
The servers on Front use the same certificate (and key) to
</div>
</div>
</div>
-<div id="outline-container-orgeaf598f" class="outline-3">
-<h3 id="orgeaf598f"><span class="section-number-3">6.14.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-org0bf70c2" class="outline-3">
+<h3 id="org0bf70c2"><span class="section-number-3">6.14.</span> Configure Dovecot IMAPd</h3>
<div class="outline-text-3" id="text-6-14">
<p>
Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to
</div>
</div>
</div>
-<div id="outline-container-orgb68db3f" class="outline-3">
-<h3 id="orgb68db3f"><span class="section-number-3">6.16.</span> Configure OpenVPN</h3>
+<div id="outline-container-orge8ed770" class="outline-3">
+<h3 id="orge8ed770"><span class="section-number-3">6.16.</span> Configure OpenVPN</h3>
<div class="outline-text-3" id="text-6-16">
<p>
Front uses OpenVPN to provide the institute's public VPN service. The
account. (For details, see <a href="#org8d60b7b">The Core Machine</a>.)
</p>
</div>
-<div id="outline-container-org271236c" class="outline-3">
-<h3 id="org271236c"><span class="section-number-3">7.1.</span> Include Particulars</h3>
+<div id="outline-container-org533be49" class="outline-3">
+<h3 id="org533be49"><span class="section-number-3">7.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-7-1">
<p>
The first task, as in <a href="#org9240129">The Front Role</a>, is to include the institute
</div>
</div>
</div>
-<div id="outline-container-org6602011" class="outline-3">
-<h3 id="org6602011"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
+<div id="outline-container-org07d9cd4" class="outline-3">
+<h3 id="org07d9cd4"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-7-2">
<p>
This task ensures that Core's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
</div>
</div>
</div>
-<div id="outline-container-org7dcd4cf" class="outline-3">
-<h3 id="org7dcd4cf"><span class="section-number-3">7.3.</span> Enable Systemd Resolved</h3>
+<div id="outline-container-org3d1f119" class="outline-3">
+<h3 id="org3d1f119"><span class="section-number-3">7.3.</span> Enable Systemd Resolved</h3>
<div class="outline-text-3" id="text-7-3">
<p>
Core starts the <code>systemd-networkd</code> and <code>systemd-resolved</code> service
</div>
</div>
</div>
-<div id="outline-container-org1951472" class="outline-3">
-<h3 id="org1951472"><span class="section-number-3">7.4.</span> Configure Systemd Resolved</h3>
+<div id="outline-container-org0612ed1" class="outline-3">
+<h3 id="org0612ed1"><span class="section-number-3">7.4.</span> Configure Systemd Resolved</h3>
<div class="outline-text-3" id="text-7-4">
<p>
Core runs the campus name server, so Resolved is configured to use it
</div>
</div>
</div>
-<div id="outline-container-org642538c" class="outline-3">
-<h3 id="org642538c"><span class="section-number-3">7.8.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org7708cdb" class="outline-3">
+<h3 id="org7708cdb"><span class="section-number-3">7.8.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-7-8">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-orgcd7d36c" class="outline-3">
-<h3 id="orgcd7d36c"><span class="section-number-3">7.9.</span> Configure Monkey</h3>
+<div id="outline-container-org63b4dba" class="outline-3">
+<h3 id="org63b4dba"><span class="section-number-3">7.9.</span> Configure Monkey</h3>
<div class="outline-text-3" id="text-7-9">
<p>
The small institute runs cron jobs and web scripts that generate
</div>
</div>
</div>
-<div id="outline-container-orge46b03e" class="outline-3">
-<h3 id="orge46b03e"><span class="section-number-3">7.12.</span> Configure User Accounts</h3>
+<div id="outline-container-orgae89ce8" class="outline-3">
+<h3 id="orgae89ce8"><span class="section-number-3">7.12.</span> Configure User Accounts</h3>
<div class="outline-text-3" id="text-7-12">
<p>
User accounts are created immediately so that backups can begin
</div>
</div>
</div>
-<div id="outline-container-orgee4deb9" class="outline-3">
-<h3 id="orgee4deb9"><span class="section-number-3">7.13.</span> Trust Institute Certificate Authority</h3>
+<div id="outline-container-org13d2912" class="outline-3">
+<h3 id="org13d2912"><span class="section-number-3">7.13.</span> Trust Institute Certificate Authority</h3>
<div class="outline-text-3" id="text-7-13">
<p>
Core should recognize the institute's Certificate Authority as
</div>
</div>
</div>
-<div id="outline-container-orgcb67daf" class="outline-3">
-<h3 id="orgcb67daf"><span class="section-number-3">7.14.</span> Install Server Certificate</h3>
+<div id="outline-container-org5877f54" class="outline-3">
+<h3 id="org5877f54"><span class="section-number-3">7.14.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-7-14">
<p>
The servers on Core use the same certificate (and key) to authenticate
</div>
</div>
</div>
-<div id="outline-container-org0bf70c2" class="outline-3">
-<h3 id="org0bf70c2"><span class="section-number-3">7.18.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-orgef69b4b" class="outline-3">
+<h3 id="orgef69b4b"><span class="section-number-3">7.18.</span> Configure Dovecot IMAPd</h3>
<div class="outline-text-3" id="text-7-18">
<p>
Core uses Dovecot's IMAPd to store and serve member emails. As on
configurations, etc.
</p>
</div>
-<div id="outline-container-org87223bf" class="outline-3">
-<h3 id="org87223bf"><span class="section-number-3">8.1.</span> Include Particulars</h3>
+<div id="outline-container-org0b6416c" class="outline-3">
+<h3 id="org0b6416c"><span class="section-number-3">8.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-8-1">
<p>
The following should be familiar boilerplate by now.
</div>
</div>
</div>
-<div id="outline-container-orge1c2554" class="outline-3">
-<h3 id="orge1c2554"><span class="section-number-3">8.6.</span> Install Server Certificate</h3>
+<div id="outline-container-org5d3587e" class="outline-3">
+<h3 id="org5d3587e"><span class="section-number-3">8.6.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-8-6">
<p>
The (OpenVPN) server on Gate uses an institute certificate (and key)
</div>
</div>
</div>
-<div id="outline-container-orge8ed770" class="outline-3">
-<h3 id="orge8ed770"><span class="section-number-3">8.7.</span> Configure OpenVPN</h3>
+<div id="outline-container-org0c71d3a" class="outline-3">
+<h3 id="org0c71d3a"><span class="section-number-3">8.7.</span> Configure OpenVPN</h3>
<div class="outline-text-3" id="text-8-7">
<p>
Gate uses OpenVPN to provide the institute's campus VPN service. Its
configured manually.
</p>
</div>
-<div id="outline-container-orga19a7f7" class="outline-3">
-<h3 id="orga19a7f7"><span class="section-number-3">9.1.</span> Include Particulars</h3>
+<div id="outline-container-org3c15e11" class="outline-3">
+<h3 id="org3c15e11"><span class="section-number-3">9.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-9-1">
<p>
The following should be familiar boilerplate by now.
</div>
</div>
</div>
-<div id="outline-container-org17efad4" class="outline-3">
-<h3 id="org17efad4"><span class="section-number-3">9.2.</span> Configure Hostname</h3>
+<div id="outline-container-org39d7e52" class="outline-3">
+<h3 id="org39d7e52"><span class="section-number-3">9.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-9-2">
<p>
Clients should be using the expected host name.
dest: <span class="org-string">"{{ item.file }}"</span>
loop:
<span class="org-type">-</span> { file: /etc/hostname,
- content: <span class="org-string">"{{ inventory_hostname }}"</span> }
+ content: <span class="org-string">"{{ inventory_hostname }}\n"</span> }
<span class="org-type">-</span> { file: /etc/mailname,
- content: <span class="org-string">"{{ inventory_hostname }}.{{ domain_priv }}"</span> }
- <span class="org-variable-name">when: inventory_hostname !</span>= ansible_hostname
- notify: Update hostname.
+ content: <span class="org-string">"{{ inventory_hostname }}.{{ domain_priv }}\n"</span> }
-</pre>
-</div>
-
-<div class="org-src-container">
-<a href="roles_t/campus/handlers/main.yml"><q>roles_t/campus/handlers/main.yml</q></a><pre class="src src-conf">---
- name: Update hostname.
become: yes
command: hostname -F /etc/hostname
+ <span class="org-variable-name">when: inventory_hostname !</span>= ansible_hostname
</pre>
</div>
</div>
</div>
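Review bot: turning the Update hostname. handler into an ordinary task and dropping when/notify from the copy is a behaviour change the surrounding text should spell out. Before, the files were rewritten only when inventory_hostname != ansible_hostname, so a machine whose kernel hostname was already right but whose /etc/hostname or /etc/mailname had drifted was never repaired; now the copy is unconditional (and idempotent, reporting ok when the contents already match) and only the hostname -F command is gated. Two caveats: ansible_hostname is a fact gathered when the play starts, so tasks later in the same run still see the old name after the command has executed, and the command task reports changed every time its condition fires, which is correct but worth a changed_when if the run summary is used for auditing. The added "\n" in both content: strings is right; the files are conventionally newline-terminated and hostname -F reads the name from the first line. The --- added to the handlers file in the Configure Systemd Resolved hunk below is the necessary counterpart: with Update hostname. gone, Reload Systemd. becomes the first entry and takes over the document marker. If further simplification is wanted, ansible.builtin.hostname with name: "{{ inventory_hostname }}" does the /etc/hostname write and the rename in one idempotent step, leaving only /etc/mailname for the copy.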
-<div id="outline-container-org3d1f119" class="outline-3">
-<h3 id="org3d1f119"><span class="section-number-3">9.3.</span> Enable Systemd Resolved</h3>
+<div id="outline-container-org7ecb710" class="outline-3">
+<h3 id="org7ecb710"><span class="section-number-3">9.3.</span> Enable Systemd Resolved</h3>
<div class="outline-text-3" id="text-9-3">
<p>
Campus machines start the <code>systemd-networkd</code> and <code>systemd-resolved</code>
</div>
</div>
</div>
-<div id="outline-container-org0612ed1" class="outline-3">
-<h3 id="org0612ed1"><span class="section-number-3">9.4.</span> Configure Systemd Resolved</h3>
+<div id="outline-container-orgd4cda12" class="outline-3">
+<h3 id="orgd4cda12"><span class="section-number-3">9.4.</span> Configure Systemd Resolved</h3>
<div class="outline-text-3" id="text-9-4">
<p>
Campus machines use the campus name server on Core (or <code>dns.google</code>),
</div>
<div class="org-src-container">
-<a href="roles_t/campus/handlers/main.yml"><q>roles_t/campus/handlers/main.yml</q></a><pre class="src src-conf">
+<a href="roles_t/campus/handlers/main.yml"><q>roles_t/campus/handlers/main.yml</q></a><pre class="src src-conf">---
- name: Reload Systemd.
become: yes
command: systemctl daemon-reload
</div>
</div>
</div>
-<div id="outline-container-orgd9de325" class="outline-3">
-<h3 id="orgd9de325"><span class="section-number-3">9.6.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org56dc8b5" class="outline-3">
+<h3 id="org56dc8b5"><span class="section-number-3">9.6.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-9-6">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-org24c5c7d" class="outline-3">
-<h3 id="org24c5c7d"><span class="section-number-3">9.7.</span> Trust Institute Certificate Authority</h3>
+<div id="outline-container-org986ecf6" class="outline-3">
+<h3 id="org986ecf6"><span class="section-number-3">9.7.</span> Trust Institute Certificate Authority</h3>
<div class="outline-text-3" id="text-9-7">
<p>
Campus hosts should recognize the institute's Certificate Authority as
</div>
</div>
</div>
-<div id="outline-container-org6e09cb9" class="outline-3">
-<h3 id="org6e09cb9"><span class="section-number-3">9.8.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org59be0a3" class="outline-3">
+<h3 id="org59be0a3"><span class="section-number-3">9.8.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-9-8">
<p>
The institute prefers to install security updates as soon as possible.
<p>
The machine's console should soon show the installer's first prompt:
-to choose a system language. (The prompts might be answered by
-"preseeding" the Debian installer, but that process has yet to be
-debugged.) The appropriate responses to the installer's prompts are
-given in the list below.
+to choose a system language. The appropriate responses to the
+installer's prompts are given in the list below.
</p>
<ul class="org-ul">
<p>
Note that the Postfix installation may prompt for a couple settings.
-The defaults, listed below, are fine, but the system mail name should
-be the same as the institute's domain name.
+The defaults, listed below, are fine.
</p>
<ul class="org-ul">
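Review bot: dropping the advice to set the system mail name to the institute's domain is consistent with the campus role's Configure Hostname task, which now writes /etc/mailname as {{ inventory_hostname }}.{{ domain_priv }} on every run, so whatever the Postfix installer writes is overwritten by the first playbook run. The sentence would be clearer if it said so ("the defaults are fine; the playbook sets /etc/mailname later"); otherwise a reader who remembers the earlier advice may take the default mail name for a mistake that is left uncorrected.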
</div></div>
<div id="postamble" class="status">
<p class="author">Author: Matt Birkholz</p>
-<p class="date">Created: 2023-12-30 Sat 14:12</p>
+<p class="date">Created: 2024-01-01 Mon 10:48</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>