** Subnets
The small institute uses a private Ethernet, two VPNs, and an
-untrusted Ethernet (for the campus Wi-Fi access point). Each must
-have a unique private network address. Hosts using the VPNs are also
-using foreign private networks, e.g. a notebook on a hotel Wi-Fi. To
-better the chances that all of these networks get unique addresses,
-the small institute uses addresses in the IANA's (Internet Assigned
-Numbers Authority's) private network address ranges /except/ the
-~192.168~ address range already in widespread use. This still leaves
-69,632 8 bit networks (each addressing up to 254 hosts) from which to
-choose. The following table lists their CIDRs (subnet numbers in
-Classless Inter-Domain Routing notation) in abbreviated form (eliding
-69,624 rows).
+untrusted Ethernet for the campus Wi-Fi access point(s) and wired IoT
+appliances). Each must have a unique private network address. Hosts
+using the VPNs are also using foreign private networks, e.g. a
+notebook on a hotel Wi-Fi. To better the chances that all of these
+networks get unique addresses, the small institute uses addresses in
+the IANA's (Internet Assigned Numbers Authority's) private network
+address ranges /except/ the ~192.168~ address range already in
+widespread use. This still leaves 69,632 8 bit networks (each
+addressing up to 254 hosts) from which to choose. The following table
+lists their CIDRs (subnet numbers in Classless Inter-Domain Routing
+notation) in abbreviated form (eliding 69,624 rows).
# 10.0.0.0 -- 10.255.255.255 => (* 256 256) subnets
# 172.16.0.0 -- 172.31.255.255 => (* 16 256) subnets
# (+ (* 256 256) (* 16 256)) => 69632 subnets
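Review bot: the rewritten opening sentence has an unbalanced parenthesis. The old text read "untrusted Ethernet (for the campus Wi-Fi access point)", and the new line drops the opening "(" before "for the campus Wi-Fi" but keeps the ")" after "wired IoT appliances"; either restore the "(" or drop the ")". While here, "To better the chances" reads awkwardly; "To improve the chances" says the same thing more naturally. The arithmetic in the trailing comment lines is fine: (* 256 256) is 65536, (* 16 256) is 4096, and their sum is the 69,632 the prose cites.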
Ethernet. The next two are Gate's and the campus Wi-Fi's addresses on
the "wild" subnet, the untrusted Ethernet (~wild_net~) between Gate
and the campus Wi-Fi access point(s) and IoT appliances. The last is
-Front's address on the public VPN, perversely called
-~front_private_addr~. The following code block picks the obvious IP
-addresses for Core (host 1) and Gate (host 2).
+Front's address on the public VPN, ~front_vpn_addr~. The following
+code block picks the obvious IP addresses for Core (host 1) and Gate
+(host 2) on the private Ethernet, Gate and a Wi-Fi access point on the
+wild Ethernet, and Front on the public VPN.
#+CAPTION: [[file:private/vars.yml][=private/vars.yml=]]
#+BEGIN_SRC conf :tangle private/vars.yml
gate_wild_addr_cidr:
"{{ wild_net_cidr | ansible.utils.ipaddr('1') }}"
wifi_wan_addr_cidr: "{{ wild_net_cidr | ansible.utils.ipaddr('2') }}"
-front_private_addr_cidr:
+front_vpn_addr_cidr:
"{{ public_vpn_net_cidr | ansible.utils.ipaddr('1') }}"
core_addr: "{{ core_addr_cidr | ansible.utils.ipaddr('address') }}"
"{{ gate_wild_addr_cidr | ansible.utils.ipaddr('address') }}"
wifi_wan_addr:
"{{ wifi_wan_addr_cidr | ansible.utils.ipaddr('address') }}"
-front_private_addr:
- "{{ front_private_addr_cidr | ansible.utils.ipaddr('address') }}"
+front_vpn_addr:
+ "{{ front_vpn_addr_cidr | ansible.utils.ipaddr('address') }}"
#+END_SRC
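Review bot: as displayed, the line after `core_addr:` is a bare value, `"{{ gate_wild_addr_cidr | ansible.utils.ipaddr('address') }}"`, with no `gate_wild_addr:` key above it, whereas `wifi_wan_addr:` and `front_vpn_addr:` each get their own key line. If that key is missing from private/vars.yml itself rather than only from this diff view, the tangled file is not valid YAML and every play that loads it fails. Separately, since this change renames `front_private_addr` to `front_vpn_addr` here and in the aliases, Kamailio, Postfix relayhost and fetchmail snippets further down, grep the whole document and any already-tangled files for the old name: a consumer left behind references an undefined variable, which Ansible reports only when that template is actually rendered.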
change of SSH identity. The following commands copied the host keys
in =Secret/ssh_front/= to the droplet and restarted the SSH server.
-: notebook$ scp Secret/ssh_front/etc/ssh/ssh_host_* sysadm@159.65.75.60:
+: notebook$ ( cd Secret/ssh_front/etc/ssh/;
+: notebook_ scp ssh_host_* sysadm@159.65.75.60: )
: notebook$ ssh sysadm@159.65.75.60
: sysadm@ubuntu$ chmod 600 ssh_host_*
: sysadm@ubuntu$ chmod 644 ssh_host_*.pub
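Review bot: the private host keys land in sysadm's home directory with whatever mode the remote umask gives them, and only the later `chmod 600 ssh_host_*` tightens them, so there is a window in which another local account on the droplet could read the server's new identity. Use `scp -p` in the subshell (`scp -p ssh_host_* sysadm@159.65.75.60:`), which preserves the source files' mode bits from Secret/ssh_front/etc/ssh/, so the chmod lines become a check rather than the fix. The `( cd ...; scp ... )` form itself is a good change for keeping the command readable.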
abuse: root
webmaster: root
admin: root
- monkey: monkey@{{ front_private_addr }}
+ monkey: monkey@{{ front_vpn_addr }}
root: {{ ansible_user }}
path: /etc/aliases
marker: "# {mark} INSTITUTE MANAGED BLOCK"
The complete OpenVPN configuration for Front includes a ~server~
option, the ~client-config-dir~ option, the routes mentioned above,
-and the common options discussed in [[*The VPN Services][The VPN Service]].
+and the common options discussed in [[*The VPN Service][The VPN Service]].
#+NAME: openvpn-front
#+CAPTION: ~openvpn-front~
to listen /only/ on Front's public VPN. The private name
~sip.small.private~ resolves to this address for the convenience
of members configuring SIP clients. The server configuration
-specifies the actual IP, known here as ~front_private_addr~.
+specifies the actual IP, known here as ~front_vpn_addr~.
#+NAME: kamailio
#+CAPTION: ~kamailio~
#+BEGIN_SRC conf
-listen=udp:{{ front_private_addr }}:5060
+listen=udp:{{ front_vpn_addr }}:5060
#+END_SRC
The Ansible tasks that install and configure Kamailio follow, but
#+NAME: postfix-core-relayhost
#+CAPTION: ~postfix-core-relayhost~
#+BEGIN_SRC conf
-- { p: relayhost, v: "[{{ front_private_addr }}]" }
+- { p: relayhost, v: "[{{ front_vpn_addr }}]" }
#+END_SRC
Core uses a Postfix transport file, =/etc/postfix/transport=, to
set no syslog
#set logfile /home/{{ item }}/.fetchmail.log
-poll {{ front_private_addr }} protocol imap timeout 15
+poll {{ front_vpn_addr }} protocol imap timeout 15
username {{ item }}
password "{{ members[item].password_fetchmail }}" fetchall
ssl sslproto tls1.2+ sslcertck sslcommonname {{ domain_name }}
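Review bot: with `set no syslog` in effect and the `set logfile` line commented out, a failure of `sslcertck` against the renamed poll address (for example if Front's certificate does not carry {{ domain_name }}, or the VPN address is unreachable after the cutover) leaves no visible record; keep syslog or the per-member logfile enabled at least until the rename is confirmed working. The plaintext `password "{{ members[item].password_fetchmail }}"` line also means the task that writes each member's run-control file must give it mode 0600; fetchmail refuses a run-control file that is readable by group or others.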
backrefs: yes
loop:
- { regexp: "^( *cfg_file *= *localhost.cfg)", line: "# \\1" }
- - { regexp: "^( *admin_email *= *)", line: "\\1{{ ansible_user }}@localhost" }
+ - { regexp: "^( *admin_email *= *)",
+ line: "\\1{{ ansible_user }}@localhost" }
notify: Reload NAGIOS4.
- name: Configure NAGIOS4 contacts.
echo ""
print_usage
echo ""
- echo "This plugin checks hardware status using the lm_sensors package."
+ echo -n "This plugin checks hardware status"
+ echo " using the lm_sensors package."
echo ""
support
exit $STATE_OK
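Review bot: `echo -n` is not portable across /bin/sh implementations (POSIX leaves `-n` unspecified and some shells print a literal "-n"), so splitting the description line this way can corrupt the help text depending on which shell runs the plugin. Prefer `printf '%s' "This plugin checks hardware status"` followed by the existing `echo " using the lm_sensors package."`, or keep a single `echo` and wrap the long string with a backslash-newline inside the double quotes, which the shell removes.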
die "usage: $0 client $type NAME USER\n" if @ARGV != 4;
die "$name: invalid host name\n" if $name !~ /^[a-z][-a-z0-9]+$/;
} else {
- die "usage: $0 client [debian|android|campus]\n" if @ARGV != 4;
+ die "usage: $0 client [debian|android|campus]\n";
}
my $yaml;
my $member;
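Review bot: making the `else` branch die unconditionally is right, because an unrecognized type given exactly four arguments previously fell through to the `$yaml`/`$member` handling that follows, but the two usage strings now disagree: the recognized-type branch prints `client $type NAME USER` while this one prints only `client [debian|android|campus]`. Print the full form, `client [debian|android|campus] NAME USER`, so someone who mistyped the type sees the whole expected command rather than having to guess the remaining arguments.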