"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
-<!-- 2025-06-28 Sat 10:20 -->
+<!-- 2025-09-18 Thu 20:56 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Birchwood Abbey Networks</title>
the <code>abbey-</code> prefix on their names. These roles are applied <i>after</i>
the generic institutional roles (again, documented <a href="Institute/README.html">here</a>).
</p>
-<div id="outline-container-org72f2a81" class="outline-2">
-<h2 id="org72f2a81"><span class="section-number-2">1.</span> Overview</h2>
+<div id="outline-container-org4473dd2" class="outline-2">
+<h2 id="org4473dd2"><span class="section-number-2">1.</span> Overview</h2>
<div class="outline-text-2" id="text-1">
<p>
A Small Institute makes security and privacy top priorities but
philosophy, attitude.
</p>
-<pre class="example" id="orgb282f17">
+<pre class="example" id="orgd31059d">
|
=
_|||_
</pre>
</div>
</div>
-<div id="outline-container-orgdb9bfe4" class="outline-2">
-<h2 id="orgdb9bfe4"><span class="section-number-2">2.</span> The Abbey Particulars</h2>
+<div id="outline-container-org554a74c" class="outline-2">
+<h2 id="org554a74c"><span class="section-number-2">2.</span> The Abbey Particulars</h2>
<div class="outline-text-2" id="text-2">
<p>
The abbey's public particulars are included below. They are the
</p>
</div>
</div>
-<div id="outline-container-org9beb2ff" class="outline-2">
-<h2 id="org9beb2ff"><span class="section-number-2">3.</span> The Abbey Front Role</h2>
+<div id="outline-container-org8cce038" class="outline-2">
+<h2 id="org8cce038"><span class="section-number-2">3.</span> The Abbey Front Role</h2>
<div class="outline-text-2" id="text-3">
<p>
Birchwood Abbey's front door is a Digital Ocean Droplet configured as
Dovecot-IMAPd, and hosting a VPN with WireGuard™.
</p>
</div>
-<div id="outline-container-org6908bc1" class="outline-3">
-<h3 id="org6908bc1"><span class="section-number-3">3.1.</span> Install Emacs</h3>
+<div id="outline-container-orgcbc817f" class="outline-3">
+<h3 id="orgcbc817f"><span class="section-number-3">3.1.</span> Install Emacs</h3>
<div class="outline-text-3" id="text-3-1">
<p>
The monks of the abbey are masters of the staff (bo) and Emacs.
</div>
</div>
</div>
-<div id="outline-container-org20003f9" class="outline-3">
-<h3 id="org20003f9"><span class="section-number-3">3.2.</span> Configure Public Email Aliases</h3>
+<div id="outline-container-org4fe639d" class="outline-3">
+<h3 id="org4fe639d"><span class="section-number-3">3.2.</span> Configure Public Email Aliases</h3>
<div class="outline-text-3" id="text-3-2">
<p>
The abbey uses several additional email aliases. These are the public
- name: New aliases.
become: yes
command: newaliases
+ tags: actualizer
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-orgf31d164" class="outline-3">
-<h3 id="orgf31d164"><span class="section-number-3">3.3.</span> Configure Git Daemon on Front</h3>
+<div id="outline-container-org7b066ef" class="outline-3">
+<h3 id="org7b066ef"><span class="section-number-3">3.3.</span> Configure Git Daemon on Front</h3>
<div class="outline-text-3" id="text-3-3">
<p>
The abbey publishes member Git repositories with <code>git-daemon</code>. If
</div>
<div class="org-src-container">
-<code>git-tasks</code><pre class="src src-conf" id="orgb6bf8d6"><code>- name: Install git daemon.
+<code>git-tasks</code><pre class="src src-conf" id="org4a1e541"><code>- name: Install git daemon.
become: yes
<span class="org-variable-name">apt: pkg</span>=git-daemon-sysvinit
</div>
<div class="org-src-container">
-<code>git-handlers</code><pre class="src src-conf" id="orgedf9619"><code>
+<code>git-handlers</code><pre class="src src-conf" id="orga6c05f5"><code>
- name: Restart git daemon.
become: yes
command: systemctl restart git-daemon
+ tags: actualizer
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-org3676eb0" class="outline-3">
-<h3 id="org3676eb0"><span class="section-number-3">3.4.</span> Configure Gitweb on Front</h3>
+<div id="outline-container-orgea99651" class="outline-3">
+<h3 id="orgea99651"><span class="section-number-3">3.4.</span> Configure Gitweb on Front</h3>
<div class="outline-text-3" id="text-3-4">
<p>
The abbey provides an HTML interface to members' public Git
</p>
<div class="org-src-container">
-<code>apache-gitweb</code><pre class="src src-conf" id="org25b7a17"><code>
+<code>apache-gitweb</code><pre class="src src-conf" id="org502a184"><code>
Alias /gitweb-static/ /usr/share/gitweb/static/
<Directory <span class="org-string">"/usr/share/gitweb/static/"</span>>
Options MultiViews
</p>
<div class="org-src-container">
-<code>apache-gitweb-tasks</code><pre class="src src-conf" id="org2cd63c6"><code>- name: Enable Apache2 rewrite module for Gitweb.
+<code>apache-gitweb-tasks</code><pre class="src src-conf" id="org169cd13"><code>- name: Enable Apache2 rewrite module for Gitweb.
become: yes
<span class="org-variable-name">apache2_module: name</span>=rewrite
notify: Restart Apache2.
</div>
<div class="org-src-container">
-<code>apache-gitweb-handlers</code><pre class="src src-conf" id="org3c5b536"><code>- name: Restart Apache2.
+<code>apache-gitweb-handlers</code><pre class="src src-conf" id="org58e3352"><code>- name: Restart Apache2.
become: yes
systemd:
service: apache2
state: restarted
+ tags: actualizer
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-org96d5438" class="outline-3">
-<h3 id="org96d5438"><span class="section-number-3">3.5.</span> Configure Apache for Abbey Documentation</h3>
+<div id="outline-container-orge66ade9" class="outline-3">
+<h3 id="orge66ade9"><span class="section-number-3">3.5.</span> Configure Apache for Abbey Documentation</h3>
<div class="outline-text-3" id="text-3-5">
<p>
Some of the directives added to the <q>-vhost.conf</q> file are needed by
</p>
<div class="org-src-container">
-<code>apache-abbey</code><pre class="src src-conf" id="org3a64015"><code><Directory {{ docroot }}/Abbey/>
+<code>apache-abbey</code><pre class="src src-conf" id="org97325b1"><code><Directory {{ docroot }}/Abbey/>
AllowOverride Indexes FileInfo
Options +Indexes +FollowSymLinks
</Directory>
</div>
</div>
</div>
-<div id="outline-container-orgd31779a" class="outline-3">
-<h3 id="orgd31779a"><span class="section-number-3">3.6.</span> Configure Photos URLs on Front</h3>
+<div id="outline-container-orgec18b5a" class="outline-3">
+<h3 id="orgec18b5a"><span class="section-number-3">3.6.</span> Configure Photos URLs on Front</h3>
<div class="outline-text-3" id="text-3-6">
<p>
Some of the directives added to the <q>-vhost.conf</q> file map the abbey's
</p>
<div class="org-src-container">
-<code>apache-photos</code><pre class="src src-conf" id="org5e8bcd5"><code>
+<code>apache-photos</code><pre class="src src-conf" id="org188aee2"><code>
RedirectMatch /Photos$ /Photos/
RedirectMatch /Photos/(20[0-9][0-9])_([0-9][0-9])_([0-9][0-9])$ \
/Photos/$1_$2_$3/
</div>
</div>
</div>
-<div id="outline-container-orge3def31" class="outline-3">
-<h3 id="orge3def31"><span class="section-number-3">3.7.</span> Configure Apache on Front</h3>
+<div id="outline-container-orgc5a33b8" class="outline-3">
+<h3 id="orgc5a33b8"><span class="section-number-3">3.7.</span> Configure Apache on Front</h3>
<div class="outline-text-3" id="text-3-7">
<p>
The abbey needs to add some Apache2 configuration directives to the
</p>
<p>
-The following task adds the <a href="#org3a64015"><code>apache-abbey</code></a>, <a href="#org5e8bcd5"><code>apache-photos</code></a>, and
-<a href="#org25b7a17"><code>apache-gitweb</code></a> directives described above to the <q>-vhost.conf</q> file,
+The following task adds the <a href="#org97325b1"><code>apache-abbey</code></a>, <a href="#org188aee2"><code>apache-photos</code></a>, and
+<a href="#org502a184"><code>apache-gitweb</code></a> directives described above to the <q>-vhost.conf</q> file,
and includes <q>options-ssl-apache.conf</q> from <q>/etc/letsencrypt/</q>. The
rest of the Let's Encrypt configuration is discussed in the following
-<a href="#org9321d16">Install Let's Encrypt</a> section.
+<a href="#org9d599a6">Install Let's Encrypt</a> section.
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-orgbe9af35" class="outline-3">
-<h3 id="orgbe9af35"><span class="section-number-3">3.8.</span> Configure Apache Log Archival</h3>
+<div id="outline-container-orgc297912" class="outline-3">
+<h3 id="orgc297912"><span class="section-number-3">3.8.</span> Configure Apache Log Archival</h3>
<div class="outline-text-3" id="text-3-8">
<p>
These tasks hack Apache's <code>logrotate(8)</code> configuration to rotate
become: yes
systemd:
daemon_reload: yes
+ tags: actualizer
</code></pre>
</div>
</p>
<div class="org-src-container">
-<a href="roles_t/abbey-front/files/logrotate-mailer"><q>roles_t/abbey-front/files/logrotate-mailer</q></a><pre class="src src-sh"><code><span class="org-comment-delimiter">#</span><span class="org-comment">!/bin/</span><span class="org-keyword">bash</span><span class="org-comment"> -e</span>
-
+<a href="roles_t/abbey-front/files/logrotate-mailer"><q>roles_t/abbey-front/files/logrotate-mailer</q></a><pre class="src src-sh"><code><span class="org-comment-delimiter">#</span><span class="org-comment">!/bin/</span><span class="org-keyword">bash</span><span class="org-comment"> -e
+</span>
<span class="org-keyword">if</span> [ <span class="org-string">"$#"</span> != 3 -o <span class="org-string">"$1"</span> != <span class="org-string">"-s"</span> ]; <span class="org-keyword">then</span>
<span class="org-builtin">echo</span> <span class="org-string">"usage: $0 -s subject recipient"</span> 1>&2
<span class="org-keyword">exit</span> 1
</div>
</div>
</div>
-<div id="outline-container-org9321d16" class="outline-3">
-<h3 id="org9321d16"><span class="section-number-3">3.9.</span> Install Let's Encrypt</h3>
+<div id="outline-container-org9d599a6" class="outline-3">
+<h3 id="org9d599a6"><span class="section-number-3">3.9.</span> Install Let's Encrypt</h3>
<div class="outline-text-3" id="text-3-9">
<p>
The abbey uses a Let's Encrypt certificate to authenticate its public
entered as shown below).
</p>
-<pre class="example" id="org1e14258">
+<pre class="example" id="orge66af71">
$ sudo apt install python3-certbot-apache
$ sudo certbot --apache -d birchwood-abbey.net
...
become: yes
<span class="org-variable-name">apt: pkg</span>=python3-certbot-apache
-- name: Ensure Let<span class="org-string">'s Encrypt certificate is readable.</span>
-<span class="org-string"> become: yes</span>
-<span class="org-string"> file:</span>
-<span class="org-string"> mode: u=rwx,g=rx,o=rx</span>
-<span class="org-string"> path: /etc/letsencrypt/live</span>
+- name: Ensure Let<span class="org-string">'s Encrypt certificate is readable.
+ become: yes
+ file:
+ mode: u=rwx,g=rx,o=rx
+ path: /etc/letsencrypt/live</span>
</code></pre>
</div>
<div class="org-src-container">
<a href="roles_t/abbey-front/tasks/main.yml"><q>roles_t/abbey-front/tasks/main.yml</q></a><pre class="src src-conf"><code>
-- name: Use Let<span class="org-string">'s Encrypt certificate&key.</span>
-<span class="org-string"> file:</span>
-<span class="org-string"> state: link</span>
-<span class="org-string"> src: "{{ item.target }}"</span>
-<span class="org-string"> path: "{{ item.link }}"</span>
-<span class="org-string"> force: yes</span>
-<span class="org-string"> loop:</span>
-<span class="org-string"> - target: /etc/letsencrypt/live/birchwood-abbey.net/fullchain.pem</span>
-<span class="org-string"> link: /etc/server.crt</span>
-<span class="org-string"> - target: /etc/letsencrypt/live/birchwood-abbey.net/privkey.pem</span>
-<span class="org-string"> link: /etc/server.key</span>
+- name: Use Let<span class="org-string">'s Encrypt certificate&key.
+ file:
+ state: link
+ src: "{{ item.target }}"
+ path: "{{ item.link }}"
+ force: yes
+ loop:
+ - target: /etc/letsencrypt/live/birchwood-abbey.net/fullchain.pem
+ link: /etc/server.crt
+ - target: /etc/letsencrypt/live/birchwood-abbey.net/privkey.pem
+ link: /etc/server.key</span>
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-org03732f1" class="outline-3">
-<h3 id="org03732f1"><span class="section-number-3">3.10.</span> Rotate Let's Encrypt Log</h3>
+<div id="outline-container-org61fc32d" class="outline-3">
+<h3 id="org61fc32d"><span class="section-number-3">3.10.</span> Rotate Let's Encrypt Log</h3>
<div class="outline-text-3" id="text-3-10">
<p>
The following task arranges to rotate Certbot's logs files.
</div>
</div>
</div>
-<div id="outline-container-org050dd82" class="outline-3">
-<h3 id="org050dd82"><span class="section-number-3">3.11.</span> Archive Let's Encrypt Data</h3>
+<div id="outline-container-org4ba9bf2" class="outline-3">
+<h3 id="org4ba9bf2"><span class="section-number-3">3.11.</span> Archive Let's Encrypt Data</h3>
<div class="outline-text-3" id="text-3-11">
<p>
A backup copy of Let's Encrypt's data (<q>/etc/letsencrypt/</q>) is sent to
<div class="org-src-container">
<a href="roles_t/abbey-front/tasks/main.yml"><q>roles_t/abbey-front/tasks/main.yml</q></a><pre class="src src-conf"><code>
-- name: Install Let<span class="org-string">'s Encrypt archive script.</span>
-<span class="org-string"> become: yes</span>
-<span class="org-string"> copy:</span>
-<span class="org-string"> src: cron.daily_letsencrypt</span>
-<span class="org-string"> dest: /etc/cron.daily/letsencrypt</span>
-<span class="org-string"> mode: u=rwx,g=rx,o=rx</span>
+- name: Install Let<span class="org-string">'s Encrypt archive script.
+ become: yes
+ copy:
+ src: cron.daily_letsencrypt
+ dest: /etc/cron.daily/letsencrypt
+ mode: u=rwx,g=rx,o=rx</span>
</code></pre>
</div>
<div class="org-src-container">
-<a href="roles_t/abbey-front/files/cron.daily_letsencrypt"><q>roles_t/abbey-front/files/cron.daily_letsencrypt</q></a><pre class="src src-sh"><code><span class="org-comment-delimiter">#</span><span class="org-comment">!/bin/</span><span class="org-keyword">bash</span><span class="org-comment"> -e</span>
-
+<a href="roles_t/abbey-front/files/cron.daily_letsencrypt"><q>roles_t/abbey-front/files/cron.daily_letsencrypt</q></a><pre class="src src-sh"><code><span class="org-comment-delimiter">#</span><span class="org-comment">!/bin/</span><span class="org-keyword">bash</span><span class="org-comment"> -e
+</span>
<span class="org-builtin">cd</span> /etc/
[ -d letsencrypt~ ] <span class="org-sh-escaped-newline">\</span>
<div class="org-src-container">
<a href="roles_t/abbey-front/tasks/main.yml"><q>roles_t/abbey-front/tasks/main.yml</q></a><pre class="src src-conf"><code>
-- name: Copy root@core<span class="org-string">'s public key.</span>
-<span class="org-string"> become: yes</span>
-<span class="org-string"> copy:</span>
-<span class="org-string"> src: ../Secret/root-pub.pem</span>
-<span class="org-string"> dest: /root/.gnupg-root-pub.pem</span>
-<span class="org-string"> mode: u=r,g=r,o=r</span>
-<span class="org-string"> notify: Import root@core'</span>s public key.
+- name: Copy root@core<span class="org-string">'s public key.
+ become: yes
+ copy:
+ src: ../Secret/root-pub.pem
+ dest: /root/.gnupg-root-pub.pem
+ mode: u=r,g=r,o=r
+ notify: Import root@core'</span>s public key.
</code></pre>
</div>
<div class="org-src-container">
<a href="roles_t/abbey-front/handlers/main.yml"><q>roles_t/abbey-front/handlers/main.yml</q></a><pre class="src src-conf"><code>
-- name: Import root@core<span class="org-string">'s public key.</span>
-<span class="org-string"> become: yes</span>
-<span class="org-string"> command: gpg --import ~/.gnupg-root-pub.pem</span>
+- name: Import root@core<span class="org-string">'s public key.
+ become: yes
+ command: gpg --import ~/.gnupg-root-pub.pem</span>
</code></pre>
</div>
</div>
</div>
</div>
-<div id="outline-container-orga42d8f6" class="outline-2">
-<h2 id="orga42d8f6"><span class="section-number-2">4.</span> The Abbey Core Role</h2>
+<div id="outline-container-orge1ede26" class="outline-2">
+<h2 id="orge1ede26"><span class="section-number-2">4.</span> The Abbey Core Role</h2>
<div class="outline-text-2" id="text-4">
<p>
Birchwood Abbey's core is a mini-PC (System76 Meerkat) configured as A
NTP, DNS and DHCP.
</p>
</div>
-<div id="outline-container-org7b811a3" class="outline-3">
-<h3 id="org7b811a3"><span class="section-number-3">4.1.</span> Include Abbey Variables</h3>
+<div id="outline-container-org4370ec9" class="outline-3">
+<h3 id="org4370ec9"><span class="section-number-3">4.1.</span> Include Abbey Variables</h3>
<div class="outline-text-3" id="text-4-1">
<p>
In this abbey specific document, most abbey particulars are not
</div>
</div>
</div>
-<div id="outline-container-org473d23f" class="outline-3">
-<h3 id="org473d23f"><span class="section-number-3">4.2.</span> Install Additional Packages</h3>
+<div id="outline-container-org5f355b2" class="outline-3">
+<h3 id="org5f355b2"><span class="section-number-3">4.2.</span> Install Additional Packages</h3>
<div class="outline-text-3" id="text-4-2">
<p>
The scripts that maintain the abbey's web site use a number of
<div class="org-src-container">
<a href="roles_t/abbey-core/tasks/main.yml"><q>roles_t/abbey-core/tasks/main.yml</q></a><pre class="src src-conf"><code>
- name: Install additional packages.
+ become: yes
apt:
- pkg: [ libhtml-tree-perl, libjs-jquery, mit-scheme, gnuplot ]
+ pkg: [ procmail, libhtml-tree-perl, libjs-jquery,
+ mit-scheme, gnuplot ]
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-orgc7ba6be" class="outline-3">
-<h3 id="orgc7ba6be"><span class="section-number-3">4.3.</span> Configure Private Email Aliases</h3>
+<div id="outline-container-org165df37" class="outline-3">
+<h3 id="org165df37"><span class="section-number-3">4.3.</span> Configure Private Email Aliases</h3>
<div class="outline-text-3" id="text-4-3">
<p>
The abbey uses several additional email aliases. These are the campus
- name: New aliases.
become: yes
command: newaliases
+ tags: actualizer
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-orgd429101" class="outline-3">
-<h3 id="orgd429101"><span class="section-number-3">4.4.</span> Configure Git Daemon on Core</h3>
+<div id="outline-container-org45227f9" class="outline-3">
+<h3 id="org45227f9"><span class="section-number-3">4.4.</span> Configure Git Daemon on Core</h3>
<div class="outline-text-3" id="text-4-4">
<p>
These tasks are identical to those executed on Front, for similar Git
-services on Front and Core. See <a href="#orgf31d164">3.3</a> and
-<a href="#org3676eb0">Configure Gitweb on Front</a> for more information.
+services on Front and Core. See <a href="#org7b066ef">3.3</a> and
+<a href="#orgea99651">Configure Gitweb on Front</a> for more information.
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-org410f9f6" class="outline-3">
-<h3 id="org410f9f6"><span class="section-number-3">4.5.</span> Configure Apache on Core</h3>
+<div id="outline-container-orga4b2945" class="outline-3">
+<h3 id="orga4b2945"><span class="section-number-3">4.5.</span> Configure Apache on Core</h3>
<div class="outline-text-3" id="text-4-5">
<p>
The Apache2 configuration on Core specifies three web sites (live,
test, and campus). The live and test sites must operate just like the
-site on Front. Their configurations include the same <a href="#org3a64015"><code>apache-abbey</code></a>,
-<a href="#org5e8bcd5"><code>apache-photos</code></a>, and <a href="#org25b7a17"><code>apache-gitweb</code></a> used on Front.
+site on Front. Their configurations include the same <a href="#org97325b1"><code>apache-abbey</code></a>,
+<a href="#org188aee2"><code>apache-photos</code></a>, and <a href="#org502a184"><code>apache-gitweb</code></a> used on Front.
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-orgca2be09" class="outline-3">
-<h3 id="orgca2be09"><span class="section-number-3">4.6.</span> Configure Documentation URLs</h3>
+<div id="outline-container-org24b30a1" class="outline-3">
+<h3 id="org24b30a1"><span class="section-number-3">4.6.</span> Configure Documentation URLs</h3>
<div class="outline-text-3" id="text-4-6">
<p>
The institute serves its <q>/usr/share/doc/</q> on the house (campus) web
site. This is a debugging convenience, making some HTML documentation
more accessible, especially the documentation of software installed on
Core and not on typical desktop clients. Also included: the Apache2
-directives that enable user Git publishing with Gitweb (defined <a href="#org25b7a17">here</a>).
+directives that enable user Git publishing with Gitweb (defined <a href="#org502a184">here</a>).
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-orgd60b480" class="outline-3">
-<h3 id="orgd60b480"><span class="section-number-3">4.7.</span> Install Apt Cacher</h3>
+<div id="outline-container-org6ab2686" class="outline-3">
+<h3 id="org6ab2686"><span class="section-number-3">4.7.</span> Install Apt Cacher</h3>
<div class="outline-text-3" id="text-4-7">
<p>
The abbey uses the Apt-Cacher:TNG package cache on Core. The
</div>
</div>
</div>
-<div id="outline-container-orgfa610b7" class="outline-3">
-<h3 id="orgfa610b7"><span class="section-number-3">4.8.</span> Use Cloister Apt Cache</h3>
+<div id="outline-container-orgd892afd" class="outline-3">
+<h3 id="orgd892afd"><span class="section-number-3">4.8.</span> Use Cloister Apt Cache</h3>
<div class="outline-text-3" id="text-4-8">
<p>
Core itself will benefit from using the package cache, but should
</div>
</div>
</div>
-<div id="outline-container-orgdf4eb24" class="outline-3">
-<h3 id="orgdf4eb24"><span class="section-number-3">4.9.</span> Configure NAGIOS</h3>
+<div id="outline-container-orgba0ee47" class="outline-3">
+<h3 id="orgba0ee47"><span class="section-number-3">4.9.</span> Configure NAGIOS</h3>
<div class="outline-text-3" id="text-4-9">
<p>
A small institute uses <code>nagios4</code> to monitor the health of its network,
<q>/usr/local/sbin/</q> on the Raspberry Pis.
</p>
</div>
-</div>
-<div id="outline-container-org146dc9e" class="outline-3">
-<h3 id="org146dc9e"><span class="section-number-3">4.10.</span> Monitoring The Home Disk</h3>
-<div class="outline-text-3" id="text-4-10">
+<div id="outline-container-orge29fb41" class="outline-4">
+<h4 id="orge29fb41"><span class="section-number-4">4.9.1.</span> Monitoring The Home Disk</h4>
+<div class="outline-text-4" id="text-4-9-1">
<p>
The abbey adds monitoring of the space remaining on the volume at
<q>/home/</q> on Core. (The small institute only monitors the space
systemd:
service: nagios4
state: reloaded
+ tags: actualizer
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-org5e1a346" class="outline-3">
-<h3 id="org5e1a346"><span class="section-number-3">4.11.</span> Custom NAGIOS Monitor <code>abbey_pisensors</code></h3>
-<div class="outline-text-3" id="text-4-11">
+<div id="outline-container-org586cf48" class="outline-4">
+<h4 id="org586cf48"><span class="section-number-4">4.9.2.</span> Custom NAGIOS Monitor <code>abbey_pisensors</code></h4>
+<div class="outline-text-4" id="text-4-9-2">
<p>
The <code>check_sensors</code> plugin is included in the package
<code>monitoring-plugins-basic</code>, but it does not report any readings. The
</p>
<div class="org-src-container">
-<a href="roles_t/abbey-core/files/abbey_pisensors"><q>roles_t/abbey-core/files/abbey_pisensors</q></a><pre class="src src-sh"><code><span class="org-comment-delimiter">#</span><span class="org-comment">!/bin/</span><span class="org-keyword">sh</span>
-
+<a href="roles_t/abbey-core/files/abbey_pisensors"><q>roles_t/abbey-core/files/abbey_pisensors</q></a><pre class="src src-sh"><code><span class="org-comment-delimiter">#</span><span class="org-comment">!/bin/</span><span class="org-keyword">sh</span><span class="org-comment">
+</span>
<span class="org-variable-name">PATH</span>=<span class="org-string">"/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"</span>
<span class="org-builtin">export</span> PATH
<span class="org-variable-name">PROGNAME</span>=<span class="org-sh-quoted-exec">`basename $0`</span>
}
<span class="org-function-name">brief_data</span>() {
- <span class="org-builtin">echo</span> <span class="org-string">"$1"</span> | sed -n -E -e <span class="org-string">'</span>
-<span class="org-string"> /^temp[0-9]+: +[-+][0-9.]+.?C/ {</span>
-<span class="org-string"> s/^temp[0-9]+: +([-+][0-9.]+).?C.*/ \1/; H }</span>
-<span class="org-string"> $ { x; s/\n//g; p }'</span>
+ <span class="org-builtin">echo</span> <span class="org-string">"$1"</span> | sed -n -E -e <span class="org-string">'
+ /^temp[0-9]+: +[-+][0-9.]+.?C/ {
+ s/^temp[0-9]+: +([-+][0-9.]+).?C.*/ \1/; H }
+ $ { x; s/\n//g; p }'</span>
}
<span class="org-keyword">case</span> <span class="org-string">"$1"</span><span class="org-keyword"> in</span>
</div>
</div>
</div>
-<div id="outline-container-org2c09b2a" class="outline-3">
-<h3 id="org2c09b2a"><span class="section-number-3">4.12.</span> Monitoring The Cloister</h3>
-<div class="outline-text-3" id="text-4-12">
+<div id="outline-container-org5b4b9d5" class="outline-4">
+<h4 id="org5b4b9d5"><span class="section-number-4">4.9.3.</span> Configure NAGIOS Monitoring of The Cloister</h4>
+<div class="outline-text-4" id="text-4-9-3">
<p>
-The abbey adds monitoring for more servers: Kessel, and Ord Mantell.
+The abbey adds monitoring for more servers: Dantooine and Kessel.
They are <code>abbey-cloister</code> servers, so they are configured as small
institute <code>campus</code> servers, like Gate, with an NRPE (a NAGIOS Remote
Plugin Executor) server and an <code>inst_sensors</code> command.
</p>
<p>
-The configurations for the servers are very similar to Gate's, but are
-idiosyncratically in flux. For example Ord Mantell, the Raspberry Pi
-OS (ARM64) machine, uses the <code>abbey_pisensors</code> monitor.
+The configurations for these servers are very similar to Gate's, but
+are idiosyncratically in flux.
</p>
</div>
-<div id="outline-container-org63753cf" class="outline-4">
-<h4 id="org63753cf"><span class="section-number-4">4.12.1.</span> Cloister Network Addresses</h4>
-<div class="outline-text-4" id="text-4-12-1">
+<div id="outline-container-orge36ebf2" class="outline-5">
+<h5 id="orge36ebf2"><span class="section-number-5">4.9.3.1.</span> Cloister Network Addresses</h5>
+<div class="outline-text-5" id="text-4-9-3-1">
<p>
The IP addresses of all three hosts are nice to use in the NAGIOS
configuration (to avoid depending on name service) and so are
<div class="org-src-container">
<a href="private_ex/vars-abbey.yml"><q>private_ex/vars-abbey.yml</q></a><pre class="src src-conf"><code>---
-kessel_addr: 10.84.138.8
-ord_mantell_addr: 10.84.138.10
+dantooine_addr: 10.84.138.8
+kessel_addr: 10.84.138.10
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-org35e5ab4" class="outline-4">
-<h4 id="org35e5ab4"><span class="section-number-4">4.12.2.</span> Installing NAGIOS Configurations</h4>
-<div class="outline-text-4" id="text-4-12-2">
+<div id="outline-container-orgafba9a0" class="outline-5">
+<h5 id="orgafba9a0"><span class="section-number-5">4.9.3.2.</span> Install NAGIOS Configurations</h5>
+<div class="outline-text-5" id="text-4-9-3-2">
<p>
The following task installs each host's NAGIOS configuration.
</p>
template:
src: nagios-{{ item }}.cfg
dest: /etc/nagios4/conf.d/{{ item }}.cfg
- loop: [ ord-mantell, kessel ]
+ loop: [ dantooine, kessel ]
notify: Reload NAGIOS4.
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-org40c5228" class="outline-4">
-<h4 id="org40c5228"><span class="section-number-4">4.12.3.</span> NAGIOS Monitoring of Ord-Mantell</h4>
-<div class="outline-text-4" id="text-4-12-3">
+<div id="outline-container-org33bcf60" class="outline-5">
+<h5 id="org33bcf60"><span class="section-number-5">4.9.3.3.</span> NAGIOS Monitoring of Dantooine</h5>
+<div class="outline-text-5" id="text-4-9-3-3">
<div class="org-src-container">
-<a href="roles_t/abbey-core/templates/nagios-
ord-mantell.cfg"><q>roles_t/abbey-core/templates/nagios-ord-mantell.cfg</q></a><pre class="src src-conf"><code><span class="org-type">define host</span> {
+<a href="roles_t/abbey-core/templates/nagios-
dantooine.cfg"><q>roles_t/abbey-core/templates/nagios-dantooine.cfg</q></a><pre class="src src-conf"><code><span class="org-type">define host</span> {
use linux-server
- host_name ord-mantell
- address {{ ord_mantell_addr }}
+ host_name dantooine
+ address {{ dantooine_addr }}
}
<span class="org-type">define service</span> {
use generic-service
- host_name ord-mantell
+ host_name dantooine
service_description Root Partition
check_command check_nrpe!inst_root
}
-<span class="org-comment-delimiter"># </span><span class="org-comment">define service {</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">use generic-service</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">host_name ord-mantell</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">service_description Current Load</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">check_command check_nrpe!check_load</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">}</span>
+<span class="org-type">define service</span> {
+ use generic-service
+ host_name dantooine
+ service_description DVR Recordings
+ check_command check_nrpe!abbey_dvr
+}
+<span class="org-comment-delimiter"># </span><span class="org-comment">define service {
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">use generic-service
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">host_name dantooine
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">service_description Current Load
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">check_command check_nrpe!check_load
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">}
+</span>
<span class="org-type">define service</span> {
use generic-service
- host_name ord-mantell
+ host_name dantooine
service_description Zombie Processes
check_command check_nrpe!check_zombie_procs
}
-<span class="org-comment-delimiter"># </span><span class="org-comment">define service {</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">use generic-service</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">host_name ord-mantell</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">service_description Total Processes</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">check_command check_nrpe!check_total_procs</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">}</span>
-
+<span class="org-comment-delimiter"># </span><span class="org-comment">define service {
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">use generic-service
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">host_name dantooine
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">service_description Total Processes
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">check_command check_nrpe!check_total_procs
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">}
+</span>
<span class="org-type">define service</span> {
use generic-service
- host_name ord-mantell
+ host_name dantooine
service_description Swap Usage
check_command check_nrpe!inst_swap
}
<span class="org-type">define service</span> {
use generic-service
- host_name ord-mantell
+ host_name dantooine
service_description Temperature Sensors
- check_command check_nrpe!abbey_pisensors
+ check_command check_nrpe!inst_sensors
}
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-orgeba04d3" class="outline-4">
-<h4 id="orgeba04d3"><span class="section-number-4">4.12.4.</span> NAGIOS Monitoring of Kessel</h4>
-<div class="outline-text-4" id="text-4-12-4">
+<div id="outline-container-org62eb731" class="outline-5">
+<h5 id="org62eb731"><span class="section-number-5">4.9.3.4.</span> NAGIOS Monitoring of Kessel</h5>
+<div class="outline-text-5" id="text-4-9-3-4">
<div class="org-src-container">
<a href="roles_t/abbey-core/templates/nagios-kessel.cfg"><q>roles_t/abbey-core/templates/nagios-kessel.cfg</q></a><pre class="src src-conf"><code><span class="org-type">define host</span> {
use linux-server
check_command check_nrpe!inst_root
}
-<span class="org-comment-delimiter"># </span><span class="org-comment">define service {</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">use generic-service</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">host_name kessel</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">service_description Current Load</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">check_command check_nrpe!check_load</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">}</span>
-
+<span class="org-comment-delimiter"># </span><span class="org-comment">define service {
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">use generic-service
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">host_name kessel
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">service_description Current Load
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">check_command check_nrpe!check_load
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">}
+</span>
<span class="org-type">define service</span> {
use generic-service
host_name kessel
check_command check_nrpe!check_zombie_procs
}
-<span class="org-comment-delimiter"># </span><span class="org-comment">define service {</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">use generic-service</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">host_name kessel</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">service_description Total Processes</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">check_command check_nrpe!check_total_procs</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">}</span>
-
+<span class="org-comment-delimiter"># </span><span class="org-comment">define service {
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">use generic-service
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">host_name kessel
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">service_description Total Processes
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">check_command check_nrpe!check_total_procs
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">}
+</span>
<span class="org-type">define service</span> {
use generic-service
host_name kessel
</div>
</div>
</div>
-<div id="outline-container-orga125fd0" class="outline-3">
-<h3 id="orga125fd0"><span class="section-number-3">4.13.</span> Install Munin</h3>
-<div class="outline-text-3" id="text-4-13">
+</div>
+<div id="outline-container-org892c641" class="outline-3">
+<h3 id="org892c641"><span class="section-number-3">4.10.</span> Install Munin</h3>
+<div class="outline-text-3" id="text-4-10">
<p>
The abbey is experimenting with Munin. NAGIOS is all about notifying
the Sys. Admin. of failed services. Munin is more about tracking
- name: Punt default Munin node.
become: yes
- replace:
+ ini_file:
+ section: <span class="org-string">"[localhost.localdomain]"</span>
+ state: absent
path: /etc/munin/munin.conf
- regexp: <span class="org-string">'^\[localhost.*\n\n'</span>
- name: Configure actual Munin nodes.
become: yes
copy:
content: |
- [<span class="org-type">dantooine.birchwood.private</span>]
+ [<span class="org-type">malastare.birchwood.private</span>]
address 127.0.0.1
[<span class="org-type">anoat.birchwood.private</span>]
address {{ gate_addr }}
+ [<span class="org-type">dantooine.birchwood.private</span>]
+ address {{ dantooine_addr }}
+
[<span class="org-type">kessel.birchwood.private</span>]
address {{ kessel_addr }}
-
- [<span class="org-type">ord-mantell.birchwood.private</span>]
- address {{ ord_mantell_addr }}
dest: /etc/munin/munin-conf.d/zzz-site.cfg
notify: Restart Munin.
</code></pre>
systemd:
service: munin
state: restarted
+ tags: actualizer
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-orgfd23d24" class="outline-3">
-<h3 id="orgfd23d24"><span class="section-number-3">4.14.</span> Install Analog</h3>
-<div class="outline-text-3" id="text-4-14">
+<div id="outline-container-org28d886b" class="outline-3">
+<h3 id="org28d886b"><span class="section-number-3">4.11.</span> Install Analog</h3>
+<div class="outline-text-3" id="text-4-11">
<p>
The abbey's public web site's access and error logs are emailed
regularly to <code>webmaster</code>, who saves them in <q>/Logs/apache2-public/</q>
</div>
</div>
</div>
-<div id="outline-container-org78c7f49" class="outline-3">
-<h3 id="org78c7f49"><span class="section-number-3">4.15.</span> Add Monkey to Web Server Group</h3>
-<div class="outline-text-3" id="text-4-15">
+<div id="outline-container-org5b6e9e5" class="outline-3">
+<h3 id="org5b6e9e5"><span class="section-number-3">4.12.</span> Add Monkey to Web Server Group</h3>
+<div class="outline-text-3" id="text-4-12">
<p>
Monkey needs to be in <code>www-data</code> so that it can run
<q>/WWW/live/Photos/Private/cronjob</q> to publish photos from multiple
</div>
</div>
</div>
-<div id="outline-container-org7db29f5" class="outline-3">
-<h3 id="org7db29f5"><span class="section-number-3">4.16.</span> Install netpbm For Photo Processing</h3>
-<div class="outline-text-3" id="text-4-16">
+<div id="outline-container-org7a65f75" class="outline-3">
+<h3 id="org7a65f75"><span class="section-number-3">4.13.</span> Install netpbm For Photo Processing</h3>
+<div class="outline-text-3" id="text-4-13">
<p>
Monkey's photo processing scripts use <code>netpbm</code> commands like
<code>jpegtopnm</code>.
</div>
</div>
</div>
-<div id="outline-container-orgd9b3314" class="outline-2">
-<h2 id="orgd9b3314"><span class="section-number-2">5.</span> The Abbey Gate Role</h2>
+<div id="outline-container-orgb50e66e" class="outline-2">
+<h2 id="orgb50e66e"><span class="section-number-2">5.</span> The Abbey Gate Role</h2>
<div class="outline-text-2" id="text-5">
<p>
Birchwood Abbey's gate is a $110 µPC configured as A Small Institute
Ecowitt hub.
</p>
</div>
-<div id="outline-container-org7f68c5d" class="outline-3">
-<h3 id="org7f68c5d"><span class="section-number-3">5.1.</span> The Abbey Gate's Network Interfaces</h3>
+<div id="outline-container-org3879c4d" class="outline-3">
+<h3 id="org3879c4d"><span class="section-number-3">5.1.</span> The Abbey Gate's Network Interfaces</h3>
<div class="outline-text-3" id="text-5-1">
<p>
The abbey gate's <code>lan</code> interface is the PC's built-in Ethernet
</p>
</div>
</div>
-<div id="outline-container-orgba0daab" class="outline-3">
-<h3 id="orgba0daab"><span class="section-number-3">5.2.</span> The Abbey's IoT Network</h3>
+<div id="outline-container-org0940619" class="outline-3">
+<h3 id="org0940619"><span class="section-number-3">5.2.</span> The Abbey's IoT Network</h3>
<div class="outline-text-3" id="text-5-2">
<p>
To allow masquerading between the private subnets and <code>wild</code>, the
following <code>iptables(8)</code> rules are added. They are very similar to the
<code>nat</code> and <code>filter</code> table rules used by a small institute to masquerade
-its <code>lan</code> to its <code>isp</code> (see the <a href="Institute/README.html#org3c354d1">UFW Rules</a> of a Small Institute).
+its <code>lan</code> to its <code>isp</code> (see the <a href="Institute/README.html#orgfca1bef">UFW Rules</a> of a Small Institute).
+The campus WireGuard™ subnet is not included because the campus Wi-Fi
+hosts should be routing to the wild subnet directly and are assumed to
+be masquerading as their access point(s).
</p>
<div class="org-src-container">
-<code>iot-nat</code><pre class="src src-conf" id="org01b3093"><code>-A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE
+<code>iot-nat</code><pre class="src src-conf" id="orgff7c718"><code>-A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE
-A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE
--A POSTROUTING -s {{ campus_wg_net_cidr }} -o wild -j MASQUERADE
</code></pre>
</div>
<div class="org-src-container">
-<code>iot-forward</code><pre class="src src-conf" id="org7629ee5"><code>-A ufw-user-forward -i lan -o wild -j ACCEPT
+<code>iot-forward</code><pre class="src src-conf" id="org83064bf"><code>-A ufw-user-forward -i lan -o wild -j ACCEPT
-A ufw-user-forward -i wg0 -o wild -j ACCEPT
</code></pre>
</div>
</p>
</div>
</div>
-<div id="outline-container-org266e6c0" class="outline-3">
-<h3 id="org266e6c0"><span class="section-number-3">5.3.</span> Configure UFW for IoT</h3>
+<div id="outline-container-orgda52587" class="outline-3">
+<h3 id="orgda52587"><span class="section-number-3">5.3.</span> Configure UFW for IoT</h3>
<div class="outline-text-3" id="text-5-3">
<p>
The following tasks install the additional rules in <q>before.rules</q>
-and <q>user.rules</q> (as in <a href="Institute/README.html#org2517da7">Configure UFW</a>).
+and <q>user.rules</q> (as in <a href="Institute/README.html#orga4b4df7">Configure UFW</a>).
</p>
<div class="org-src-container">
</div>
</div>
</div>
-<div id="outline-container-org5adf523" class="outline-3">
-<h3 id="org5adf523"><span class="section-number-3">5.4.</span> The Abbey's Starlink Configuration</h3>
+<div id="outline-container-orgea29914" class="outline-3">
+<h3 id="orgea29914"><span class="section-number-3">5.4.</span> The Abbey's Starlink Configuration</h3>
<div class="outline-text-3" id="text-5-4">
<p>
The abbey connects to Starlink via Ethernet, and disables Starlink's
</p>
</div>
</div>
-<div id="outline-container-orgd870162" class="outline-3">
-<h3 id="orgd870162"><span class="section-number-3">5.5.</span> Alternate ISPs</h3>
+<div id="outline-container-org87c6981" class="outline-3">
+<h3 id="org87c6981"><span class="section-number-3">5.5.</span> Alternate ISPs</h3>
<div class="outline-text-3" id="text-5-5">
<p>
The abbey used to use a cell phone on a USB tether to get Internet
</div>
</div>
</div>
-<div id="outline-container-org56e9c8b" class="outline-2">
-<h2 id="org56e9c8b"><span class="section-number-2">6.</span> The Abbey Cloister Role</h2>
+<div id="outline-container-org4335d7a" class="outline-2">
+<h2 id="org4335d7a"><span class="section-number-2">6.</span> The Abbey Cloister Role</h2>
<div class="outline-text-2" id="text-6">
<p>
Birchwood Abbey's cloister is a small institute campus. The <code>campus</code>
<p>
Wireless clients are issued keys for the cloister VPN by the <code>./abbey
client</code> command which is currently identical to the <code>./inst client</code>
-command (described in <a href="Institute/README.html#org5635191">The Client Command</a>). The wireless, cloistered
+command (described in <a href="Institute/README.html#org6edab5b">The Client Command</a>). The wireless, cloistered
hosts never roam, are not associated with a member, and so are
"campus" clients, issued keys with commands like this:
</p>
./abbey client campus new-host-name
</pre>
</div>
-<div id="outline-container-org08d8be3" class="outline-3">
-<h3 id="org08d8be3"><span class="section-number-3">6.1.</span> Use Cloister Apt Cache</h3>
+<div id="outline-container-org9bf6fd6" class="outline-3">
+<h3 id="org9bf6fd6"><span class="section-number-3">6.1.</span> Use Cloister Apt Cache</h3>
<div class="outline-text-3" id="text-6-1">
<p>
The Apt-Cacher:TNG program does not work well on the frontier, so is
</div>
</div>
</div>
-<div id="outline-container-orgcd5b300" class="outline-3">
-<h3 id="orgcd5b300"><span class="section-number-3">6.2.</span> Configure Cloister NRPE</h3>
+<div id="outline-container-org28079e1" class="outline-3">
+<h3 id="org28079e1"><span class="section-number-3">6.2.</span> Configure Cloister NRPE</h3>
<div class="outline-text-3" id="text-6-2">
<p>
Each cloistered host is a small institute campus host and thus is
already running an NRPE server (a NAGIOS Remote Plugin Executor
-server) with a custom <code>inst_sensors</code> monitor (described in <a href="Institute/README.html#orgad950b0">Configure
+server) with a custom <code>inst_sensors</code> monitor (described in <a href="Institute/README.html#org8fbeb2b">Configure
NRPE</a> of <a href="Institute/README.html">A Small Institute</a>). The abbey adds one complication: yet
another <code>check_sensors</code> variant, <code>abbey_pisensors</code>, installed on
Raspberry Pis (architecture <code>aarch64</code>) only.
<span class="org-variable-name">mode: u</span>=rwx,g=rx,o=rx
<span class="org-variable-name">when: ansible_architecture</span> == <span class="org-string">'aarch64'</span>
-- name: Configure NAGIOS command.
+- name: Configure NAGIOS monitor abbey_pisensors.
become: yes
copy:
content: |
</div>
<div class="org-src-container">
-<a href="roles_t/abbey-cloister/handlers/main.yml"><q>roles_t/abbey-cloister/handlers/main.yml</q></a><pre class="src src-conf"><code>
+<a href="roles_t/abbey-cloister/handlers/main.yml"><q>roles_t/abbey-cloister/handlers/main.yml</q></a><pre class="src src-conf"><code>---
- name: Reload NRPE server.
become: yes
systemd:
service: nagios-nrpe-server
state: reloaded
+ tags: actualizer
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-org545b965" class="outline-3">
-<h3 id="org545b965"><span class="section-number-3">6.3.</span> Install Munin Node</h3>
+<div id="outline-container-org172cb77" class="outline-3">
+<h3 id="org172cb77"><span class="section-number-3">6.3.</span> Install Munin Node</h3>
<div class="outline-text-3" id="text-6-3">
<p>
Each cloistered host is a Munin node.
become: yes
<span class="org-variable-name">apt: pkg</span>=munin-node
+- name: Configure Munin Node.
+ become: yes
+ lineinfile:
+ regexp: <span class="org-string">"^allow [^]{{ core_addr|regex_escape }}[$]$"</span>
+ line: <span class="org-string">"allow ^{{ core_addr|regex_escape }}$"</span>
+ path: /etc/munin/munin-node.conf
+ notify: Restart Munin node.
+
- name: Add {{ ansible_user }} to munin group.
become: yes
user:
</div>
</div>
</div>
-<div id="outline-container-orgf9a549d" class="outline-3">
-<h3 id="orgf9a549d"><span class="section-number-3">6.4.</span> Install Emacs</h3>
+<div id="outline-container-orgf3ab1a5" class="outline-3">
+<h3 id="orgf3ab1a5"><span class="section-number-3">6.4.</span> Install Emacs</h3>
<div class="outline-text-3" id="text-6-4">
<p>
The monks of the abbey are masters of the staff and Emacs.
</div>
</div>
</div>
-<div id="outline-container-org726d888" class="outline-2">
-<h2 id="org726d888"><span class="section-number-2">7.</span> The Abbey Weather Role</h2>
+<div id="outline-container-orgb872534" class="outline-2">
+<h2 id="orgb872534"><span class="section-number-2">7.</span> The Abbey Weather Role</h2>
<div class="outline-text-2" id="text-7">
<p>
Birchwood Abbey now uses Home Assistant to record and display weather
</p>
</div>
</div>
-<div id="outline-container-org402b1f9" class="outline-2">
-<h2 id="org402b1f9"><span class="section-number-2">8.</span> The Abbey DVR Role</h2>
+<div id="outline-container-orgc7793ee" class="outline-2">
+<h2 id="orgc7793ee"><span class="section-number-2">8.</span> The Abbey DVR Role</h2>
<div class="outline-text-2" id="text-8">
<p>
The abbey uses AgentDVR to record video from PoE IP HD security
-cameras. It is installed and configured as described here.
+cameras. It runs as user <code>agentdvr</code> and keeps all of its
+configuration and recordings in <q>/home/agentdvr/</q>.
</p>
</div>
-<div id="outline-container-org798fa96" class="outline-3">
-<h3 id="org798fa96"><span class="section-number-3">8.1.</span> AgentDVR Installation</h3>
+<div id="outline-container-org9ef33fa" class="outline-3">
+<h3 id="org9ef33fa"><span class="section-number-3">8.1.</span> Install AgentDVR</h3>
<div class="outline-text-3" id="text-8-1">
<p>
-AgentDVR is installed at the abbey according to the iSpy web site's
-latest(?) instructions. The "download" button on iSpy's Download page
+AgentDVR is installed according to the iSpy web site's latest
+instructions. The "download" button on iSpy's Download page
(<a href="https://www.ispyconnect.com/download">https://www.ispyconnect.com/download</a>), when "Agent DVR - Linux/
macOS/ RPi" is chosen, suggests the following command lines (the
second of which is broken across three lines).
<div class="org-src-container">
<pre class="src src-sh"><code>sudo apt-get install curl
-bash <(curl -s <span class="org-string">"https://raw.githubusercontent.com/\</span>
-<span class="org-string">ispysoftware/agent-install-scripts/main/v2/\</span>
-<span class="org-string">install.sh"</span>)
+bash <(curl -s <span class="org-string">"https://raw.githubusercontent.com/\
+ispysoftware/agent-install-scripts/main/v2/\
+install.sh"</span>)
</code></pre>
</div>
<p>
-<i>Before</i> executing these commands, Ansible is enlisted to make certain
-preparations.
+The second command fetches and runs an installation script that
+executes several <code>sudo</code> commands. These commands can be run by the
+<code>agentdvr</code> account if it has (temporary) authorization.
</p>
</div>
-<div id="outline-container-orgcd9f462" class="outline-4">
-<h4 id="orgcd9f462"><span class="section-number-4">8.1.1.</span> AgentDVR Installation Preparation</h4>
+<div id="outline-container-org413a17c" class="outline-4">
+<h4 id="org413a17c"><span class="section-number-4">8.1.1.</span> Prepare for AgentDVR Installation</h4>
<div class="outline-text-4" id="text-8-1-1">
<p>
-AgentDVR runs in the abbey as a system user, <code>agentdvr</code>, which
-installs and runs the service. Though a system user, the account gets
-a home directory, <q>/home/agentdvr/</q> in which to install AgentDVR, and
-a login shell, <q>/bin/bash</q>. This much Ansible can do in preparation.
+The following commands are manually executed to create the <code>agentdvr</code>
+account and authorize it to run a handful of system commands as
+<code>root</code>. This small set is sufficient to run the installation script
+<i>if</i> the offer to create the system service is declined.
</p>
-<pre class="example">
-./abbey config dvrs
-</pre>
-
<p>
-After the <code>agentdvr</code> account is created, it is temporarily authorized
-to run a handful of system commands (as <code>root</code>!). This small set is
-sufficient <i>if</i> the offer to create the system service is declined.
-The following commands create this authorization in <q>~/01agentdvr</q>,
-validate and install it in <q>/etc/sudoers.d/01agentdvr</q>. Such caution
-is taken because a syntax error anywhere in <q>/etc/sudoers.d/</q> can make
-the <code>sudo</code> command inoperative, cutting off access to all elevated
-privileges until a "rescue" (involving a reboot) is performed.
+The commands validate the config file, <q>01agentdvr</q>, before installing
+it because a syntax error can make the <code>sudo</code> command inoperative,
+cutting off access to all elevated privileges until a "rescue"
+(involving a reboot) is performed.
</p>
<div class="org-src-container">
-<pre class="src src-sh"><code><span class="org-builtin">echo</span> <span class="org-string">"ALL ALL=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\</span>
-<span class="org-string"> /sbin/adduser,/sbin/usermod"</span> >~/01agentdvr
+<pre class="src src-sh"><code>sudo adduser --disabled-password agentdvr
+<span class="org-builtin">echo</span> <span class="org-string">"ALL ALL=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\
+ /sbin/adduser,/sbin/usermod"</span> >~/01agentdvr
sudo chown root:root ~/01agentdvr
sudo chmod 440 ~/01agentdvr
visudo --check --owner --perms ~/01agentdvr
</div>
</div>
</div>
-<div id="outline-container-orgfd81e48" class="outline-4">
-<h4 id="orgfd81e48"><span class="section-number-4">8.1.2.</span> AgentDVR Installation Execution</h4>
+<div id="outline-container-org55a4b35" class="outline-4">
+<h4 id="org55a4b35"><span class="section-number-4">8.1.2.</span> Execute AgentDVR Installation</h4>
<div class="outline-text-4" id="text-8-1-2">
<p>
With the above preparations, the system administrator can get a shell
-session under the <code>agentdvr</code> account to run iSpy's installation script
+session under the <code>agentdvr</code> account to run iSpy's installation script
in the empty <q>/home/agentdvr/</q> directory.
</p>
</p>
</div>
</div>
-<div id="outline-container-org63989cb" class="outline-4">
-<h4 id="org63989cb"><span class="section-number-4">8.1.3.</span> AgentDVR Installation Completion</h4>
+<div id="outline-container-org3b07882" class="outline-4">
+<h4 id="org3b07882"><span class="section-number-4">8.1.3.</span> Complete AgentDVR Installation</h4>
<div class="outline-text-4" id="text-8-1-3">
<p>
When Ansible is run a second time, after the installation script, it
</div>
</div>
</div>
-<div id="outline-container-org767decb" class="outline-3">
-<h3 id="org767decb"><span class="section-number-3">8.2.</span> Create User <code>agentdvr</code></h3>
+<div id="outline-container-orgec75086" class="outline-3">
+<h3 id="orgec75086"><span class="section-number-3">8.2.</span> Configure User <code>agentdvr</code></h3>
<div class="outline-text-3" id="text-8-2">
<p>
-AgentDVR runs as the system user <code>agentdvr</code>, which is created here.
+AgentDVR runs as the system user <code>agentdvr</code>, which is configured here.
+(The account should have been created by the installation or
+restoration of AgentDVR.)
</p>
<div class="org-src-container">
become: yes
user:
name: agentdvr
- system: yes
+ password: <span class="org-string">"!"</span>
home: /home/agentdvr
shell: /bin/bash
append: yes
</div>
</div>
</div>
-<div id="outline-container-org9375a62" class="outline-3">
-<h3 id="org9375a62"><span class="section-number-3">8.3.</span> Test For <q>AgentDVR/</q></h3>
+<div id="outline-container-org65ff904" class="outline-3">
+<h3 id="org65ff904"><span class="section-number-3">8.3.</span> Test For <q>AgentDVR/</q></h3>
<div class="outline-text-3" id="text-8-3">
<p>
The following task probes for the <q>/home/agentdvr/AgentDVR/</q>
</div>
</div>
</div>
-<div id="outline-container-orgbd4633b" class="outline-3">
-<h3 id="orgbd4633b"><span class="section-number-3">8.4.</span> Create AgentDVR Service</h3>
+<div id="outline-container-org7d9bbf8" class="outline-3">
+<h3 id="org7d9bbf8"><span class="section-number-3">8.4.</span> Create AgentDVR Service</h3>
<div class="outline-text-3" id="text-8-4">
<p>
This service definition came from the template downloaded (from <a href="https://raw.githubusercontent.com/ispysoftware/agent-install-scripts/main/v2/AgentDVR.service">here</a>)
<span class="org-variable-name">WorkingDirectory</span>=/home/agentdvr/AgentDVR
<span class="org-variable-name">ExecStart</span>=/home/agentdvr/AgentDVR/Agent
- <span class="org-comment-delimiter"># </span><span class="org-comment">fix memory management issue with dotnet core</span>
- <span class="org-variable-name">Environment</span>=<span class="org-string">"MALLOC_TRIM_THRESHOLD_=100000"</span>
+ <span class="org-comment-delimiter"># </span><span class="org-comment">fix memory management issue with dotnet core
+</span> <span class="org-variable-name">Environment</span>=<span class="org-string">"MALLOC_TRIM_THRESHOLD_=100000"</span>
- <span class="org-comment-delimiter"># </span><span class="org-comment">to query logs using journalctl, set a logical name here</span>
- <span class="org-variable-name">SyslogIdentifier</span>=AgentDVR
+ <span class="org-comment-delimiter"># </span><span class="org-comment">to query logs using journalctl, set a logical name here
+</span> <span class="org-variable-name">SyslogIdentifier</span>=AgentDVR
<span class="org-variable-name">User</span>=agentdvr
- <span class="org-comment-delimiter"># </span><span class="org-comment">ensure the service automatically restarts</span>
- <span class="org-variable-name">Restart</span>=always
- <span class="org-comment-delimiter"># </span><span class="org-comment">amount of time to wait before restarting the service</span>
- <span class="org-variable-name">RestartSec</span>=5
+ <span class="org-comment-delimiter"># </span><span class="org-comment">ensure the service automatically restarts
+</span> <span class="org-variable-name">Restart</span>=always
+ <span class="org-comment-delimiter"># </span><span class="org-comment">amount of time to wait before restarting the service
+</span> <span class="org-variable-name">RestartSec</span>=5
[<span class="org-type">Install</span>]
<span class="org-variable-name">WantedBy</span>=multi-user.target
dest: /etc/systemd/system/AgentDVR.service
+
+- name: Start AgentDVR.service.
+ become: yes
+ systemd:
+ service: AgentDVR
+ state: started
when: agentdvr.stat.exists
+ tags: actualizer
-- name: Enable/Start AgentDVR.service.
+- name: Enable AgentDVR.service.
become: yes
systemd:
service: AgentDVR
enabled: yes
- state: started
when: agentdvr.stat.exists
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-orgd7a5628" class="outline-3">
-<h3 id="orgd7a5628"><span class="section-number-3">8.5.</span> Create AgentDVR Storage</h3>
+<div id="outline-container-org4fe5188" class="outline-3">
+<h3 id="org4fe5188"><span class="section-number-3">8.5.</span> Create AgentDVR Storage</h3>
<div class="outline-text-3" id="text-8-5">
<p>
The abbey uses a separate volume to store surveillance recordings,
</div>
</div>
</div>
-<div id="outline-container-org735770d" class="outline-3">
-<h3 id="org735770d"><span class="section-number-3">8.6.</span> Configure IP Cameras</h3>
+<div id="outline-container-orgb30d809" class="outline-3">
+<h3 id="orgb30d809"><span class="section-number-3">8.6.</span> Install Custom NAGIOS Monitor <code>abbey_dvr</code></h3>
<div class="outline-text-3" id="text-8-6">
<p>
-A new security camera is setup as described in <a href="#orgaf8047d">Cloistering</a>, after
+DVR hosts install a custom NRPE plugin named <code>abbey_dvr</code> to monitor
+the storage available on <q>/DVR/</q>.
+</p>
+
+<div class="org-src-container">
+<a href="roles_t/abbey-dvr/tasks/main.yml"><q>roles_t/abbey-dvr/tasks/main.yml</q></a><pre class="src src-conf"><code>
+- name: Configure NAGIOS command abbey_dvr.
+ become: yes
+ vars:
+ lib: /usr/lib/nagios/plugins
+ copy:
+ content: |
+ <span class="org-variable-name">command</span>[<span class="org-constant">abbey_dvr</span>]={{ lib }}/check_disk -w 20% -c 10% -p /DVR
+ dest: /etc/nagios/nrpe.d/abbey.cfg
+ notify: Reload NRPE server.
+</code></pre>
+</div>
+
+<div class="org-src-container">
+<a href="roles_t/abbey-dvr/handlers/main.yml"><q>roles_t/abbey-dvr/handlers/main.yml</q></a><pre class="src src-conf"><code>---
+- name: Reload NRPE server.
+ become: yes
+ systemd:
+ service: nagios-nrpe-server
+ state: reloaded
+ tags: actualizer
+</code></pre>
+</div>
+</div>
+</div>
+<div id="outline-container-org4605d83" class="outline-3">
+<h3 id="org4605d83"><span class="section-number-3">8.7.</span> Configure IP Cameras</h3>
+<div class="outline-text-3" id="text-8-7">
+<p>
+A new security camera is setup as described in <a href="#org5297011">Cloistering</a>, after
which the camera should be accessible by name on the abbey networks.
Assuming <code>ping -c1 new</code> works, the camera's web interface will be
accessible at <code>http://new/</code>.
<ul class="org-ul">
<li>Set a password on the administrative account.</li>
<li>Create an unprivileged user with a short password,
-e.g. <code>user:blah</code>.</li>
+e.g. <code>user:blah</code>. (Lately, user accounts are not supported!)</li>
<li>Set the frame rate to 5fps. The abbey prefers HD resolution and
long duration logs, thus fewer frames per second.</li>
+<li>Turn <i>off</i> on-screen displays (OSDs), motion detection, object
+recognition, etc.</li>
+<li>Configuring the timezone or the use of NTP (the network time
+protocol) is nice but optional.</li>
</ul>
</div>
</div>
-<div id="outline-container-orgb4b339b" class="outline-3">
-<h3 id="orgb4b339b"><span class="section-number-3">8.7.</span> Configure AgentDVR's Cameras</h3>
-<div class="outline-text-3" id="text-8-7">
+<div id="outline-container-org1e82e38" class="outline-3">
+<h3 id="org1e82e38"><span class="section-number-3">8.8.</span> Configure AgentDVR's Cameras</h3>
+<div class="outline-text-3" id="text-8-8">
<p>
After Ansible has configured and started the AgentDVR service, its web
UI will be available at <code>http://core:8090/</code>. The initial Live View
will be empty, overlayed with instructions to click the edit button.
-</p>
-
-
-<p>
-The wizard will ask for each device's general configuration
-parameters. The abbey uses SV3C IP cameras with a full HD stream as
-well as a standard definition "vice stream". AgentDVR wants both.
+A view must be created before devices can be added? Then the device
+wizard asks for each device's general configuration parameters. The
+abbey uses SV3C IP cameras with a full HD stream as well as a standard
+definition "vice stream". AgentDVR can use both, so the following
+settings are used on each device.
</p>
<ul class="org-ul">
<li>General:
<ul class="org-ul">
-<li>On: yes</li>
-<li>Name: Outside</li>
+<li>Name: Stern</li>
<li>Source Type: Network Camera
<ul class="org-ul">
<li>Username: user</li>
<li>Password: blah</li>
-<li>Live URL: rtsp://new.birchwood.private:554/12</li>
-<li>Record URL: rtsp://new.birchwood.private:554/11</li>
+<li>Live URL: rtsp://camera3.birchwood.private:554/12</li>
+<li>Record URL: rtsp://camera3.birchwood.private:554/11</li>
</ul></li>
</ul></li>
</ul>
+<p>
+Note that each device's recordings are also configured as described
+below.
+</p>
+
<p>
Additional cameras are added via the "New Device" item in the Server
Menu. This step is completed when all cameras are streaming to
</p>
</div>
</div>
-<div id="outline-container-org6e6ab7d" class="outline-3">
-<h3 id="org6e6ab7d"><span class="section-number-3">8.8.</span> Configure AgentDVR's Default Storage</h3>
-<div class="outline-text-3" id="text-8-8">
+<div id="outline-container-org0600d67" class="outline-3">
+<h3 id="org0600d67"><span class="section-number-3">8.9.</span> Configure AgentDVR's Default Storage</h3>
+<div class="outline-text-3" id="text-8-9">
<p>
AgentDVR's web interface is also used to configure a default storage
location. From the Server Menu (upper left), the administrator chooses
</p>
</div>
</div>
-<div id="outline-container-orge18b44c" class="outline-3">
-<h3 id="orge18b44c"><span class="section-number-3">8.9.</span> Configure AgentDVR's Recordings</h3>
-<div class="outline-text-3" id="text-8-9">
+<div id="outline-container-org8e4dbf1" class="outline-3">
+<h3 id="org8e4dbf1"><span class="section-number-3">8.10.</span> Configure AgentDVR's Recordings</h3>
+<div class="outline-text-3" id="text-8-10">
<p>
After a default storage location has been configured, AgentDVR's
cameras can begin recording. The "Edit Devices" dialog lists (via the
</ul>
</div>
</div>
-</div>
-<div id="outline-container-orgbfcfb39" class="outline-2">
-<h2 id="orgbfcfb39"><span class="section-number-2">9.</span> The Abbey TVR Role</h2>
-<div class="outline-text-2" id="text-9">
+<div id="outline-container-org7593f68" class="outline-3">
+<h3 id="org7593f68"><span class="section-number-3">8.11.</span> Restore AgentDVR</h3>
+<div class="outline-text-3" id="text-8-11">
<p>
-The abbey has a few TV tuners and a subscription to <a href="https://schedulesdirect.org/">Schedules Direct</a>
-for North American TV broadcast schedules. It uses one (master)
-MythTV server and its MythWeb interface to make and serve recordings
-of area broadcasts.
+When restoring <q>/home/</q> from a backup copy, the user accounts are
+presumably restored as well. Thus <q>/home/agentdvr/AgentDVR/</q> should
+be owned by <code>agentdvr</code>, a user account with disabled/locked password
+and a <code>bash</code> shell. Restoration is completed by Ansible when it
+installs the system service configuration file and starts the service.
</p>
-<p>
-The Abbey TVR Role installs the MythTV backend and the MythWeb web
-interface on the master server. It configures the Apache web server
-to serve MythWeb pages at e.g. <code>http://new/mythweb/</code>.
-</p>
+<pre class="example">
+./abbey config dvrs
+</pre>
</div>
-<div id="outline-container-orgdb30ee3" class="outline-3">
-<h3 id="orgdb30ee3"><span class="section-number-3">9.1.</span> Building MythTV and MythWeb</h3>
-<div class="outline-text-3" id="text-9-1">
+</div>
+</div>
+<div id="outline-container-org0063979" class="outline-2">
+<h2 id="org0063979"><span class="section-number-2">9.</span> The Abbey TVR Role</h2>
+<div class="outline-text-2" id="text-9">
<p>
-Neither Debian nor the MythTV project provide binary packages of
-MythTV and MythWeb. The project recommends building from source
-according to their <a href="https://www.mythtv.org/wiki/Build_from_Source">Build from Source</a> wiki page. To do this, the
-target host will need several dozen "developer" packages installed.
-Thus the abbey's TVR role proceeds in two phases.
+The abbey has a few TV tuners and a subscription to <a href="https://schedulesdirect.org/">Schedules Direct</a>
+for North American TV broadcast schedules. It uses one (master)
+MythTV server to make and serve recordings of area broadcasts.
</p>
<p>
-In the first phase, the MythTV project's Ansible code, in
-<q>mythtv-ansible/</q>, is used to assemble a list of packages needed
-during the build. The packages are installed and the rest of the
-role's tasks are skipped. This allows the administrator to manually
-build and install MythTV, creating <q>/usr/local/bin/mythtv-setup</q>.
-The administrator will also download and install MythWeb before
-running the TVR role again for its second phase. The administrator
-will <i>not</i> be able to run <code>mythtv-setup</code> before completing the second
-phase.
+The MythTV backend stores recordings in <q>/home/mythtv/Recordings/</q> and
+database dumps in <q>/home/mythtv/Backups/</q>. Apache is
+configured to serve MythTV pages at e.g. <code>http://new/mythweb/</code>.
</p>
<p>
-In the second phase, the role finds <q>mythtv-setup</q> has been installed
-on the target host and so proceeds with the "Post-installation tasks"
-section of the wiki page. This still leaves a number of manual steps
-to be performed with the <code>mythtv-setup</code> program, e.g. configuring a
-video source and capture card, after which the backend can be started.
-</p>
-</div>
-</div>
-<div id="outline-container-org4478cd6" class="outline-3">
-<h3 id="org4478cd6"><span class="section-number-3">9.2.</span> TVR Machine Setup</h3>
-<div class="outline-text-3" id="text-9-2">
-<p>
-A new TVR machine needs only <a href="#orgaf8047d">Cloistering</a> to prepare it for
+A new TVR machine needs only <a href="#org5297011">Cloistering</a> to prepare it for
Ansible. As part of that process, it should be added to the <code>tvrs</code>
group in the <q>hosts</q> file. An existing server can become a TVR
-machine simply by adding it to the <code>tvrs</code> group.
+machine by adding it to the <code>tvrs</code> group.
</p>
</div>
-</div>
-<div id="outline-container-org675e85b" class="outline-3">
-<h3 id="org675e85b"><span class="section-number-3">9.3.</span> Include Abbey Variables</h3>
-<div class="outline-text-3" id="text-9-3">
+<div id="outline-container-org2c4b2b7" class="outline-3">
+<h3 id="org2c4b2b7"><span class="section-number-3">9.1.</span> Include Abbey Variables</h3>
+<div class="outline-text-3" id="text-9-1">
<p>
Private variables in <q>private/vars-abbey.yml</q> are needed, as in the
<code>abbey-core</code> role. The file path is relative to the playbook's
</div>
</div>
</div>
-<div id="outline-container-org05c5301" class="outline-3">
-<h3 id="org05c5301"><span class="section-number-3">9.4.</span> Install MythTV Build Requisites</h3>
-<div class="outline-text-3" id="text-9-4">
-<p>
-A number of developer packages are needed to build MythTV. The wiki
-page recommends Ansible playbooks to assemble the appropriate list of
-package names (several dozen count) depending on the target OS
-version. The playbooks are in <a href="https://github.com/MythTV/ansible">https://github.com/MythTV/ansible</a> which
-contains a <q>README.md</q>.
-</p>
-
-<p>
-The instructions in the <q>README.md</q> are to clone the repository and
-run <code>sudo ansible-playbook -i hosts qt5.yml</code> on the build machine.
-However the abbey prefers to keep the Ansible code on an
-administrator's machine with the rest of the abbey's roles. The
-following commands were used to create a <q>mythtv-ansible/</q>
-subdirectory. (A <code>git pull origin</code> command in this subdirectory might
-be appropriate to download updates.)
-</p>
-
-<div class="org-src-container">
-<pre class="src src-sh"><code>git clone https://github.com/MythTV/ansible mythtv-ansible
-<span class="org-builtin">cd</span> mythtv-ansible
-git checkout fixes/32
-</code></pre>
-</div>
-
-<p>
-The <code>abbey-tvr</code> role uses a couple tasks files in <q>mythtv-ansible/</q>
-directly, bypassing the inventories, playbooks and roles, <i>after</i>
-"fixing" the final <code>apt</code> tasks by adding <code>become: yes</code>. After making
-these edits, the <code>git diff</code> command should produce something like the
-following.
-</p>
-
-<div class="org-src-container">
-<pre class="src src-diff"><code><span class="org-diff-header">diff --git a/roles/mythtv-deb/tasks/main.yml b/roles/mythtv-deb/tasks</span>
-<span class="org-diff-header">index 868c9b7..3dcf115 100644</span>
-<span class="org-diff-header">--- </span><span class="org-diff-header"><span class="org-diff-file-header">a/roles/mythtv-deb/tasks/main.yml</span></span>
-<span class="org-diff-header">+++ </span><span class="org-diff-header"><span class="org-diff-file-header">b/roles/mythtv-deb/tasks/main.yml</span></span>
-<span class="org-diff-hunk-header">@@ -366,6 +366,7 @@</span>
-<span class="org-diff-context"> '{{ lookup("flattened", deb_pkg_lst) }}'</span>
-
-<span class="org-diff-context"> - name: install packages</span>
-<span class="org-diff-indicator-added">+</span><span class="org-diff-added"> become: yes</span>
-<span class="org-diff-context"> apt:</span>
-<span class="org-diff-context"> name:</span>
-<span class="org-diff-context"> '{{ lookup("flattened", deb_pkg_lst ) }}'</span>
-<span class="org-diff-header">diff --git a/roles/qt5/tasks/qt5-deb.yml b/roles/qt5/tasks/qt5-deb.ym</span>
-<span class="org-diff-header">index 7a1a0bc..26ba782 100644</span>
-<span class="org-diff-header">--- </span><span class="org-diff-header"><span class="org-diff-file-header">a/roles/qt5/tasks/qt5-deb.yml</span></span>
-<span class="org-diff-header">+++ </span><span class="org-diff-header"><span class="org-diff-file-header">b/roles/qt5/tasks/qt5-deb.yml</span></span>
-<span class="org-diff-hunk-header">@@ -25,6 +25,7 @@</span>
-<span class="org-diff-context"> '{{ lookup("flattened", deb_pkg_lst) }}'</span>
-
-<span class="org-diff-context"> - name: install deb qt5 packages</span>
-<span class="org-diff-indicator-added">+</span><span class="org-diff-added"> become: yes</span>
-<span class="org-diff-context"> apt:</span>
-<span class="org-diff-context"> name:</span>
- '{{ lookup("flattened", deb_pkg_lst ) }}'
-</code></pre>
-</div>
-
-<div class="org-src-container">
-<a href="roles_t/abbey-tvr/tasks/mains.yml"><q>roles_t/abbey-tvr/tasks/mains.yml</q></a><pre class="src src-conf"><code>
-- name: Install MythTV runtime requisites.
- become: yes
- apt:
- pkg: [ mariadb-server, xmltv ]
-
-- name: Install MythTV build requisites.
- include_tasks: <span class="org-string">"{{ item }}"</span>
- loop:
- - ../mythtv-ansible/roles/mythtv-deb/tasks/main.yml
- - ../mythtv-ansible/roles/qt5/tasks/qt5-deb.yml
-</code></pre>
-</div>
-
-<p>
-The tasks above install runtime and compile-time requisites during the
-"first" run of e.g. <code>./abbey config new</code>. The "first" run can be
-repeated until successful. The remaining tasks are skipped until
-MythTV is built and installed.
-</p>
-</div>
-</div>
-<div id="outline-container-org7f1bbd3" class="outline-3">
-<h3 id="org7f1bbd3"><span class="section-number-3">9.5.</span> Build and Install MythTV</h3>
-<div class="outline-text-3" id="text-9-5">
-<p>
-After a successful "first" run of e.g. <code>./abbey config new</code>, the
-target machine is prepared to build (and install) MythTV. The
-following commands are used.
-</p>
-
-<div class="org-src-container">
-<pre class="src src-sh"><code><span class="org-builtin">cd</span> /usr/local/src/
-git clone https://github.com/MythTV/mythtv
-<span class="org-builtin">cd</span> mythtv/
-git checkout fixes/32
-<span class="org-builtin">cd</span> mythtv/
-./configure
-make
-sudo make install
-</code></pre>
-</div>
-
-<p>
-The <code>make install</code> command does not need to be run as <code>root</code> if
-<q>bin/</q>, <q>lib/</q>, <q>include/</q>, <q>share/</q> in <q>/usr/local/</q> and
-<q>dist-packages/</q> in <q>/usr/local/lib/python3.9/</q> on the target machine
-are writable by the builder.
-</p>
-
-<p>
-The following task probes for the <q>mythtv-setup</q> program, installed in
-<q>/usr/local/bin/</q>, to detect that the build/install process has
-completed. It registers the results in the <code>mythtv</code> variable.
-Several of the remaining installation steps are skipped unless
-<code>mythtv.stat.exists</code>.
-</p>
-
-<div class="org-src-container">
-<a href="roles_t/abbey-tvr/tasks/main.yml"><q>roles_t/abbey-tvr/tasks/main.yml</q></a><pre class="src src-conf"><code>
-- name: Test for MythTV binary packages.
- stat:
- path: /usr/local/bin/mythtv-setup
- register: mythtv
-- debug:
- msg: <span class="org-string">"/usr/local/bin/mythtv-setup does not yet exist"</span>
- when: not mythtv.stat.exists
-</code></pre>
-</div>
-</div>
-</div>
-<div id="outline-container-orga4363cd" class="outline-3">
-<h3 id="orga4363cd"><span class="section-number-3">9.6.</span> Create MythTV User</h3>
-<div class="outline-text-3" id="text-9-6">
+<div id="outline-container-org3ac7ce4" class="outline-3">
+<h3 id="org3ac7ce4"><span class="section-number-3">9.2.</span> Manually Build and Install MythTV</h3>
+<div class="outline-text-3" id="text-9-2">
<p>
-MythTV Backend needs to run as its own user: <code>mythtv</code>.
+Neither Debian nor the MythTV project provide binary packages of
+MythTV. Since PEP668 (<code>error: externally-managed-
+environment</code>) we install Debian packages built with the scripts in the
+MythTV distribution Packaging project.
</p>
-<div class="org-src-container">
-<a href="roles_t/abbey-tvr/tasks/main.yml"><q>roles_t/abbey-tvr/tasks/main.yml</q></a><pre class="src src-conf"><code>
-- name: Create mythtv.
- become: yes
- user:
- name: mythtv
- system: yes
-</code></pre>
-</div>
-</div>
-</div>
-<div id="outline-container-org17c0560" class="outline-3">
-<h3 id="org17c0560"><span class="section-number-3">9.7.</span> Create MythTV DB</h3>
-<div class="outline-text-3" id="text-9-7">
<p>
-MythTV's MariaDB database is created by the following task, when the
-<code>mysql_db</code> Ansible module supports <code>check_implicit_admin</code>.
+It is assumed the build scripts will install any requisite developer
+packages.
</p>
<div class="org-src-container">
-<pre class="src src-conf"><code>
-- name: Create MythTV DB.
- become: yes
- mysql_db:
- check_implicit_admin: yes
- name: mythconverg
- collation: utf8mb4_general_ci
- encoding: utf8mb4
+<pre class="src src-sh"><code><span class="org-builtin">cd</span> $<span class="org-variable-name">top</span>
+git clone https://github.com/MythTV/packaging.git <span class="org-sh-escaped-newline">\</span>
+ -b fixes/35 mythtv-v35-packaging
+<span class="org-builtin">cd</span> mythtv-v35-packaging/deb/
+./build-debs.sh fixes/35
+dpkg-scanpackages . | gzip --best > Packages.gz
+<span class="org-builtin">echo</span> <span class="org-string">"deb [trusted=yes] file://$top/mythtv-v35-packaging/deb ./"</span> <span class="org-sh-escaped-newline">\</span>
+| sudo tee /etc/apt/sources.list.d/mythtv35.list
+sudo apt update
+sudo apt install mythtv-backend
</code></pre>
</div>
-
-<p>
-Unfortunately it does not currently, yet the institute prefers the
-more secure Unix socket authentication method. Rather than create a
-privileged DB user, the <code>mythconverg</code> database is created manually
-(below).
-</p>
</div>
</div>
-<div id="outline-container-orgc33913a" class="outline-3">
-<h3 id="orgc33913a"><span class="section-number-3">9.8.</span> Create MythTV DB User</h3>
-<div class="outline-text-3" id="text-9-8">
+<div id="outline-container-org6627b70" class="outline-3">
+<h3 id="org6627b70"><span class="section-number-3">9.3.</span> Restore MythTV</h3>
+<div class="outline-text-3" id="text-9-3">
<p>
-The DB user's password is taken from the <code>mythtv_dbpass</code> variable,
-kept in <q>private/vars-abbey.yml</q>, and generated e.g. with the <code>apg -n
-1 -x 12 -m 12</code> command.
+Restoring MythTV from a backup copy to a fresh TVR host:
</p>
-<div class="org-src-container">
-<a href="private_ex/vars-abbey.yml"><q>private_ex/vars-abbey.yml</q></a><pre class="src src-conf"><code>mythtv_dbpass: daJkibpoJkag
-</code></pre>
-</div>
-
-<p>
-The following task would create the DB user (<code>mysql_user</code> supports
-<code>check_implicit_admin</code>) <i>but</i> the <code>mythconverg</code> database was not
-created above.
+<ul class="org-ul">
+<li>Apply the TVR role to the new host thus installing build requisites.</li>
+<li>Manually load SQL timezone info.</li>
+<li>Manually build and install (as described above).</li>
+<li>Restore <q>/home/mythtv/</q>.</li>
+<li><p>
+Restore the database from backup.
</p>
-
-<div class="org-src-container">
-<pre class="src src-conf"><code>
-- name: Create MythTV DB user.
- become: yes
- mysql_user:
- check_implicit_admin: yes
- name: mythtv
- password: <span class="org-string">"{{ mythtv_dbpass }}"</span>
- priv: <span class="org-string">"mythconverg.*:all"</span>
-</code></pre>
-</div>
-</div>
-</div>
-<div id="outline-container-orgce1c9e7" class="outline-3">
-<h3 id="orgce1c9e7"><span class="section-number-3">9.9.</span> Manually Create MythTV DB and DB User</h3>
-<div class="outline-text-3" id="text-9-9">
+<pre class="example">
+sudo -u mythtv -i
+cd /home/mythtv/
+/usr/share/mythtv/mythconverg_restore.pl
+</pre>
<p>
-The MythTV database and database user are created manually with the
-following SQL (with the <code>mythtv_dbpass</code> spliced in). The SQL commands
-are entered at the SQL prompt of the <code>sudo mysql</code> command, or perhaps
-piped into the command.
-</p>
-
-<div class="org-src-container">
-<pre class="src src-sql"><code><span class="org-keyword">create</span> database mythconverg
- <span class="org-type">character</span> <span class="org-keyword">set</span> utf8mb4
- <span class="org-keyword">collate</span> utf8mb4_general_ci;
-<span class="org-keyword">create</span> <span class="org-builtin">user</span> <span class="org-string">'mythtv'</span>@<span class="org-string">'%'</span> identified <span class="org-keyword">by</span> <span class="org-string">'{{ mythtv_dbpass }}'</span>;
-<span class="org-keyword">create</span> <span class="org-builtin">user</span> <span class="org-string">'mythtv'</span>@<span class="org-string">'localhost'</span> identified <span class="org-keyword">by</span> <span class="org-string">'{{ mythtv_dbpass }}'</span>;
-<span class="org-keyword">grant</span> <span class="org-keyword">all</span> <span class="org-keyword">privileges</span> <span class="org-keyword">on</span> mythconverg.*
- <span class="org-keyword">to</span> <span class="org-string">'mythtv'</span>@<span class="org-string">'%'</span> <span class="org-keyword">with</span> <span class="org-keyword">grant</span> <span class="org-keyword">option</span>;
-<span class="org-keyword">grant</span> <span class="org-keyword">all</span> <span class="org-keyword">privileges</span> <span class="org-keyword">on</span> mythconverg.*
- <span class="org-keyword">to</span> <span class="org-string">'mythtv'</span>@<span class="org-string">'localhost'</span> <span class="org-keyword">with</span> <span class="org-keyword">grant</span> <span class="org-keyword">option</span>;
-flush <span class="org-keyword">privileges</span>;
-exit;
-</code></pre>
-</div>
+The <q>.mythtv/config.xml</q> file should provide the DB particulars
+(name, user, password).
+</p></li>
+<li>Reboot or start the service.</li>
+<li>Configure the backend (as described below).</li>
+</ul>
</div>
</div>
-<div id="outline-container-org5e07621" class="outline-3">
-<h3 id="org5e07621"><span class="section-number-3">9.10.</span> Load DB Timezone Info</h3>
-<div class="outline-text-3" id="text-9-10">
+<div id="outline-container-orgd13e910" class="outline-3">
+<h3 id="orgd13e910"><span class="section-number-3">9.4.</span> Manually Load DB Timezone Info</h3>
+<div class="outline-text-3" id="text-9-4">
<p>
Starting with MythTV version 0.26, the time zone tables must be loaded
-into MySQL. The MariaDB installed by Debian 11 seems to need this
+into MySQL. The MariaDB installed by Debian 12 seems to need this
too. The test SQL produced <code>NULL</code>.
</p>
</div>
</div>
</div>
-<div id="outline-container-org08a6438" class="outline-3">
-<h3 id="org08a6438"><span class="section-number-3">9.11.</span> Create MythTV Backend Service</h3>
-<div class="outline-text-3" id="text-9-11">
-<p>
-This task installs the <q>mythtv-backend.service</q> file.
-</p>
-
-<div class="org-src-container">
-<a href="roles_t/abbey-tvr/tasks/mains.yml"><q>roles_t/abbey-tvr/tasks/mains.yml</q></a><pre class="src src-conf"><code>
-- name: Create mythtv-backend service.
- become: yes
- copy:
- content: |
- [<span class="org-type">Unit</span>]
- <span class="org-variable-name">Description</span>=MythTV Backend
- <span class="org-variable-name">Documentation</span>=https://www.mythtv.org/wiki/Mythbackend
- <span class="org-variable-name">After</span>=mysql.service network.target
-
- [<span class="org-type">Service</span>]
- <span class="org-variable-name">User</span>=mythtv
- <span class="org-variable-name">ExecStartPre</span>=/bin/sleep 30
- <span class="org-comment-delimiter">#</span><span class="org-comment">TimeoutStartSec=infinity</span>
- <span class="org-variable-name">ExecStart</span>=/usr/local/bin/mythbackend --quiet --syslog local7
- <span class="org-variable-name">StartLimitBurst</span>=10
- <span class="org-variable-name">StartLimitInterval</span>=10m
- <span class="org-variable-name">Restart</span>=on-failure
- <span class="org-variable-name">RestartSec</span>=1
-
- [<span class="org-type">Install</span>]
- <span class="org-variable-name">WantedBy</span>=multi-user.target
- dest: /etc/systemd/system/mythtv-backend.service
- when: mythtv.stat.exists
- notify: Reload Systemd.
-</code></pre>
-</div>
-
-<div class="org-src-container">
-<a href="roles_t/abbey-tvr/handlers/main.yml"><q>roles_t/abbey-tvr/handlers/main.yml</q></a><pre class="src src-conf"><code>---
-- name: Reload Systemd.
- become: yes
- command: systemctl daemon-reload
-</code></pre>
-</div>
-</div>
-</div>
-<div id="outline-container-org13b216f" class="outline-3">
-<h3 id="org13b216f"><span class="section-number-3">9.12.</span> Set PHP Timezone</h3>
-<div class="outline-text-3" id="text-9-12">
-<p>
-This task checks PHP's timezone. If unset, MythTV's backend logs
-bitter complaints.
-</p>
-
-<div class="org-src-container">
-<a href="roles_t/abbey-tvr/tasks/main.yml"><q>roles_t/abbey-tvr/tasks/main.yml</q></a><pre class="src src-conf"><code>
-- name: Get the local timezone.
- shell: readlink /etc/localtime | sed s,/usr/share/zoneinfo/,,
- delegate_to: localhost
- changed_when: false
- check_mode: false
- register: timezone
-
-- name: Configure PHP date.timezone.
- become: yes
- lineinfile:
- <span class="org-variable-name">regexp: date.timezone *</span>=
- <span class="org-variable-name">line: date.timezone</span> = {{ timezone.stdout }}
- path: <span class="org-string">"{{ item }}"</span>
- loop:
- - /etc/php/8.2/cli/php.ini
- - /etc/php/8.2/apache2/php.ini
- when: mythtv.stat.exists
- notify: Restart Apache2.
-</code></pre>
-</div>
-
-<div class="org-src-container">
-<a href="roles_t/abbey-tvr/handlers/main.yml"><q>roles_t/abbey-tvr/handlers/main.yml</q></a><pre class="src src-conf"><code>
-- name: Restart Apache2.
- become: yes
- systemd:
- service: apache2
- state: restarted
-</code></pre>
-</div>
-</div>
-</div>
-<div id="outline-container-orgd893d33" class="outline-3">
-<h3 id="orgd893d33"><span class="section-number-3">9.13.</span> Create MythTV Storage Area</h3>
-<div class="outline-text-3" id="text-9-13">
+<div id="outline-container-org037826b" class="outline-3">
+<h3 id="org037826b"><span class="section-number-3">9.5.</span> Create MythTV Storage Area</h3>
+<div class="outline-text-3" id="text-9-5">
<p>
The backend does not have a default storage area for its recordings.
A path to an appropriate directory must be set with the <code>mythtv-setup</code>
</div>
</div>
</div>
-<div id="outline-container-org8d853e0" class="outline-3">
-<h3 id="org8d853e0"><span class="section-number-3">9.14.</span> Configure MythTV Backend</h3>
-<div class="outline-text-3" id="text-9-14">
-<p>
-With MythTV built and installed, and the post-installation tasks
-addressed, MythTV Setup (the <code>mythtv-setup</code> program) can be run. It
-must be run by the <code>mythtv</code> user, whose home directory will contain
-the MythTV (and XMLTV) configuration files. The program is best run
-remotely (unless there is a graphical desktop on the server) by a
-command like <code>ssh -X mythtv@new mythtv-setup</code>.
-</p>
-
-<p>
-Patience is required. The <code>mythtv-setup</code> program was not written for
-X11 and the X11 adapter has a difficult job. It is often hard to
-determine what button is selected or how to proceed (sometimes simply
-with <code>ESC</code>!). Sticking to the arrow, enter and escape keys best
-emulates a TV remote (for which the interface was designed).
-</p>
-
+<div id="outline-container-org88336ba" class="outline-3">
+<h3 id="org88336ba"><span class="section-number-3">9.6.</span> Configure MythTV Backend</h3>
+<div class="outline-text-3" id="text-9-6">
<p>
-In MythTV Setup:
+With MythTV built and installed, the post-installation tasks
+addressed, and <code>mythtv-backend.service</code> started, go to the web page
+at <a href="http://new:6544">http://new:6544</a> and make the following selections.
</p>
<ul class="org-ul">
-<li>In the initial MythTV Startup Status ("Unable to connect to
-Database."), use the "Setup" button to get to "Database
-Configuration". Leave the default hostname (<code>localhost</code>), port
-(<code>3306</code>), database name (<code>mythconverg</code>) and user (<code>mythtv</code>). Enter
-the value of <code>mythtv_dbpass</code> (in <q>private/vars-abbey.yml</q>) for the
-password. Leave the rest of the settings at their default values.
-Leave "Database Configuration" by pressing Escape and confirming
-"Save and Exit".</li>
-
-<li>Once in MythTV Setup proper, you will see the main menu. Scroll
-down and choose "Storage Directories". In the Local Storage Groups
-dialog, add to the "Local 'Default' Storage Group Directories" a new
-directory: <q>/home/mythtv/Recordings</q>.</li>
+<li>Select MythTV Setup (gear icon in the left sidebar).</li>
+<li>Select "Storage Groups".</li>
+<li>Select "Default" and choose <q>/home/mythtv/Recordings/</q>.</li>
+<li>Select "DB Backups" and choose <q>/home/mythtv/Backups/</q>.</li>
</ul>
</div>
</div>
-<div id="outline-container-orgc447ffd" class="outline-3">
-<h3 id="orgc447ffd"><span class="section-number-3">9.15.</span> Configure Tuner</h3>
-<div class="outline-text-3" id="text-9-15">
+<div id="outline-container-org6fa95dc" class="outline-3">
+<h3 id="org6fa95dc"><span class="section-number-3">9.7.</span> Configure Tuner</h3>
+<div class="outline-text-3" id="text-9-7">
<p>
The abbey has a Silicon Dust Homerun HDTV Duo (with two tuners). It
-is setup as described in <a href="#orgaf8047d">Cloistering</a>, after which the tuner is
+is setup as described in <a href="#org5297011">Cloistering</a>, after which the tuner is
accessible by name (e.g. <code>new</code>) on the cloister network. Assuming
<code>ping -c1 new</code> works, the tuner should be accessible via the
<code>hdhomerun_config_gui</code> command, a graphical interface contributed to
</p>
</div>
</div>
-<div id="outline-container-orgd7f8e90" class="outline-3">
-<h3 id="orgd7f8e90"><span class="section-number-3">9.16.</span> Add HDHomerun and Mr.Antenna</h3>
-<div class="outline-text-3" id="text-9-16">
+<div id="outline-container-orgd83888e" class="outline-3">
+<h3 id="orgd83888e"><span class="section-number-3">9.8.</span> Add HDHomerun and Mr.Antenna</h3>
+<div class="outline-text-3" id="text-9-8">
<p>
In MythTV Setup:
</p>
</ul>
</div>
</div>
-<div id="outline-container-org174f052" class="outline-3">
-<h3 id="org174f052"><span class="section-number-3">9.17.</span> Scan for New Channels</h3>
-<div class="outline-text-3" id="text-9-17">
+<div id="outline-container-org5f4e693" class="outline-3">
+<h3 id="org5f4e693"><span class="section-number-3">9.9.</span> Scan for New Channels</h3>
+<div class="outline-text-3" id="text-9-9">
<p>
In MythTV Setup:
</p>
</ul>
</div>
</div>
-<div id="outline-container-org71383d1" class="outline-3">
-<h3 id="org71383d1"><span class="section-number-3">9.18.</span> Configure XMLTV</h3>
-<div class="outline-text-3" id="text-9-18">
+<div id="outline-container-orgc401691" class="outline-3">
+<h3 id="orgc401691"><span class="section-number-3">9.10.</span> Configure XMLTV</h3>
+<div class="outline-text-3" id="text-9-10">
<p>
The <code>xmltv</code> package, specifically its <code>tv_grab_zz_sdjson</code> program, is
used to download broadcast listings from Schedules Direct. The
the OTA (over the air) broadcasts.
</p>
-<pre class="example" id="org073418d">
+<pre class="example" id="orgea06bb9">
$ tv_grab_zz_sdjson --configure --config-file .mythtv/Mr.Antenna.xml
Cache file for lineups, schedules and programs.
Cache file: [/home/mythtv/.xmltv/tv_grab_zz_sdjson.cache]
</p>
</div>
</div>
-<div id="outline-container-org55468c4" class="outline-3">
-<h3 id="org55468c4"><span class="section-number-3">9.19.</span> Debug XMLTV</h3>
-<div class="outline-text-3" id="text-9-19">
+<div id="outline-container-org0bd4e50" class="outline-3">
+<h3 id="org0bd4e50"><span class="section-number-3">9.11.</span> Debug XMLTV</h3>
+<div class="outline-text-3" id="text-9-11">
<p>
If the <code>mythfilldatabase</code> command fails or expected listings do not
appear, more information is available by adding the <code>--verbose</code>
</div>
</div>
</div>
-<div id="outline-container-org68719d0" class="outline-3">
-<h3 id="org68719d0"><span class="section-number-3">9.20.</span> Configure MythTV Backend Logging</h3>
-<div class="outline-text-3" id="text-9-20">
-<p>
-The abbey directs MythTV log messages to <q>/var/log/mythtv.log</q> (and
-away from <q>/var/log/syslog</q>) and rotates the log file.
-</p>
-
-<div class="org-src-container">
-<a href="roles_t/abbey-tvr/tasks/main.yml"><q>roles_t/abbey-tvr/tasks/main.yml</q></a><pre class="src src-conf"><code>
-<span class="org-variable-name">- name: Install</span> =/etc/rsyslog.d/40-mythtv.conf.
- become: yes
- copy:
- content: |
- :msg,startswith,<span class="org-string">" myth"</span> -/var/log/mythtv.log
- & stop
- dest: /etc/rsyslog.d/40-mythtv.conf
-
-<span class="org-variable-name">- name: Install</span> =/etc/logrotate.d/mythtv=.
- become: yes
- copy:
- content: |
- <span class="org-type">/var/log/mythtv.log</span> {
- daily
- <span class="org-variable-name">size</span>=10M
- rotate 7
- notifempty
- copytruncate
- missingok
- postrotate
- reload rsyslog >/dev/null 2>&1 || true
- endscript
- }
- dest: /etc/logrotate.d/mythtv
-</code></pre>
-</div>
-</div>
-</div>
-<div id="outline-container-org6685a81" class="outline-3">
-<h3 id="org6685a81"><span class="section-number-3">9.21.</span> Start MythTV Backend</h3>
-<div class="outline-text-3" id="text-9-21">
-<p>
-After configuring with <code>mythtv-setup</code> as discussed above, start and
-enable (at boot time) the <code>mythtv-backend</code> service.
-</p>
-
-<div class="org-src-container">
-<pre class="src src-sh"><code>sudo systemctl enable mythtv-backend
-sudo systemctl start mythtv-backend
-systemctl status -l mythtv-backend
-sudo -u mythtv mythfilldatabase
-</code></pre>
-</div>
-</div>
-</div>
-<div id="outline-container-org766f8b7" class="outline-3">
-<h3 id="org766f8b7"><span class="section-number-3">9.22.</span> Install MythWeb</h3>
-<div class="outline-text-3" id="text-9-22">
-<p>
-MythWeb, like MythTV, is installed from a Git repository. The
-following commands create <q>/usr/local/share/mythtv/mythweb/</q> by
-cloning the MythWeb repository in <q>/usr/local/src/mythweb/</q>, checking
-out the appropriate branch, and copying the appropriate portion.
-</p>
-
-<div class="org-src-container">
-<pre class="src src-sh"><code><span class="org-builtin">cd</span> /usr/local/src/
-git clone https://github.com/MythTV/mythweb
-( <span class="org-builtin">cd</span> mythweb/; git checkout fixes/32 )
-rsync -C mythweb /usr/local/share/mythtv/
-</code></pre>
-</div>
-
-<p>
-The following tasks take care of the rest of the installation.
-</p>
-
-<div class="org-src-container">
-<a href="roles_t/abbey-tvr/tasks/main.yml"><q>roles_t/abbey-tvr/tasks/main.yml</q></a><pre class="src src-conf"><code>
-- name: Install MythWeb requisites.
- become: yes
- apt:
- pkg: [ apache2, php, php-mysql ]
-
-- name: Install MythWeb in web server DocumentRoot.
- file:
- state: link
- src: /usr/local/share/mythtv/mythweb
- dest: /var/www/html/mythweb
-
-- name: Configure MythWeb data directory.
- file:
- state: directory
- dest: /var/www/html/mythweb/data
- group: www-data
- <span class="org-variable-name">mode: u</span>=rwx,g+rwx,o=rx
-
-- name: Install MythWeb configuration.
- become: yes
- template:
- src: mythweb.conf.j2
- dest: /etc/apache2/sites-available/mythweb.conf
- notify: Restart Apache2.
-
-- name: Enable MythWeb configuration.
- become: yes
- command:
- cmd: a2ensite -q mythweb
- creates: /etc/apache2/sites-enabled/mythweb.conf
- notify: Restart Apache2.
-</code></pre>
-</div>
-
-<div class="org-src-container">
-<a href="roles_t/abbey-tvr/templates/mythweb.conf.j2"><q>roles_t/abbey-tvr/templates/mythweb.conf.j2</q></a><pre class="src src-conf"><code><span class="org-comment-delimiter">#</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">Apache configuration directives for MythWeb.</span>
-<span class="org-comment-delimiter">#</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">Note that this file is maintained by the network administration.</span>
-<Directory <span class="org-string">"/var/www/html/mythweb/data"</span>>
- <span class="org-comment-delimiter"># </span><span class="org-comment">For Apache 2.2</span>
- <span class="org-comment-delimiter">#</span><span class="org-comment">Options -All +FollowSymLinks +IncludesNoExec</span>
- <span class="org-comment-delimiter"># </span><span class="org-comment">For Apache 2.4+</span>
- Options +FollowSymLinks +IncludesNoExec
-</Directory>
-<Directory <span class="org-string">"/var/www/html/mythweb"</span> >
- <Files mythweb.*>
- setenv db_server <span class="org-string">"127.0.0.1"</span>
- setenv db_name <span class="org-string">"mythconverg"</span>
- setenv db_login <span class="org-string">"mythtv"</span>
- setenv db_password <span class="org-string">"{{ mythtv_dbpass }}"</span>
- </Files>
- <Files *.php>
- php_value file_uploads 0
- php_value allow_url_fopen On
- php_value zlib.output_handler Off
- php_value memory_limit 64M
- php_value max_execution_time 30
- php_value display_startup_errors On
- php_value display_errors On
- </Files>
- RewriteEngine on
- RewriteRule \
-^(css|data|images|js|themes|skins|README|INSTALL|[a-z_]+\.(php|pl))(/|$)\
- - [L]
- RewriteRule ^(pl(/.*)?)$ mythweb.pl/$1 [QSA,L]
- RewriteRule ^(.+)$ mythweb.php/$1 [QSA,L]
- RewriteRule ^(.*)$ mythweb.php [QSA,L]
- AllowOverride All
- Options FollowSymLinks
- AddType video/nuppelvideo .nuv
- AddType image/x-icon .ico
- <IfModule deflate_module>
- BrowserMatch ^Mozilla/4 gzip-only-text/html
- BrowserMatch ^Mozilla/4\.0[678] no-gzip
- BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
- AddOutputFilterByType DEFLATE text/html
- AddOutputFilterByType DEFLATE text/css
- AddOutputFilterByType DEFLATE application/x-javascript
- </IfModule>
- <IfModule headers_module>
- <span class="org-variable-name">Header append Vary User-Agent env</span>=!dont-vary
- </IfModule>
- <Files *.pl>
- SetHandler cgi-script
- Options +ExecCGI
- </Files>
-
-</Directory>
-</code></pre>
-</div>
-</div>
-</div>
-<div id="outline-container-orgc400edd" class="outline-3">
-<h3 id="orgc400edd"><span class="section-number-3">9.23.</span> Change Broadcast Area</h3>
-<div class="outline-text-3" id="text-9-23">
+<div id="outline-container-orgce0b621" class="outline-3">
+<h3 id="orgce0b621"><span class="section-number-3">9.12.</span> Change Broadcast Area</h3>
+<div class="outline-text-3" id="text-9-12">
<p>
The abbey changes location almost weekly, so its HDTV broadcast area
changes frequently. At the start of a long stay the administrator
uses the MythTV Setup program to scan for the new area's channels, as
-described in <a href="#org174f052">Scan for New Channels</a>.
+described in <a href="#org5f4e693">Scan for New Channels</a>.
</p>
<p>
<p>
The program will prompt for the zip code and offer a list of "inputs"
-available in that area, as described in <a href="#org71383d1">Configure XMLTV</a>.
+available in that area, as described in <a href="#orgc401691">Configure XMLTV</a>.
</p>
<p>
</div>
</div>
</div>
-<div id="outline-container-org0b14f1c" class="outline-2">
-<h2 id="org0b14f1c"><span class="section-number-2">10.</span> The Ansible Configuration</h2>
+<div id="outline-container-orgbf39a8b" class="outline-2">
+<h2 id="orgbf39a8b"><span class="section-number-2">10.</span> The Ansible Configuration</h2>
<div class="outline-text-2" id="text-10">
<p>
The abbey's Ansible configuration, like that of <a href="Institute/README.html">A Small Institute</a>, is
</p>
<p>
-NOTE: if you have not read at least the <a href="Institute/README.html#org
8c0e5a2">Overview</a> of <a href="Institute/README.html">A Small Institute</a>
+NOTE: if you have not read at least the <a href="Institute/README.html#org
05da664">Overview</a> of <a href="Institute/README.html">A Small Institute</a>
you are lost.
</p>
<q>README.org</q>, and <a href="Institute/README.html"><q>Institute/README.org</q></a>.
</p>
</div>
-<div id="outline-container-org699d371" class="outline-3">
-<h3 id="org699d371"><span class="section-number-3">10.1.</span> <q>ansible.cfg</q></h3>
+<div id="outline-container-org3f1039b" class="outline-3">
+<h3 id="org3f1039b"><span class="section-number-3">10.1.</span> <q>ansible.cfg</q></h3>
<div class="outline-text-3" id="text-10-1">
<p>
This is much like the example (test) institutional configuration file,
</div>
</div>
</div>
-<div id="outline-container-orgb1ba475" class="outline-3">
-<h3 id="orgb1ba475"><span class="section-number-3">10.2.</span> <q>hosts</q></h3>
+<div id="outline-container-org779a328" class="outline-3">
+<h3 id="org779a328"><span class="section-number-3">10.2.</span> <q>hosts</q></h3>
<div class="outline-text-3" id="text-10-2">
<div class="org-src-container">
-<a href="hosts"><q>hosts</q></a><pre class="src src-conf" id="org8f8ed31"><code>all:
+<a href="hosts"><q>hosts</q></a><pre class="src src-conf" id="org6aada87"><code>all:
vars:
ansible_user: sysadm
ansible_ssh_extra_args: -i Secret/ssh_admin/id_rsa
hosts:
- <span class="org-comment-delimiter"># </span><span class="org-comment">The Main Servers: Front, Gate and Core.</span>
- droplet:
+ <span class="org-comment-delimiter"># </span><span class="org-comment">The Main Servers: Front, Gate and Core.
+</span> droplet:
ansible_host: 159.65.75.60
ansible_become_password: <span class="org-string">"{{ become_droplet }}"</span>
anoat:
ansible_become_password: <span class="org-string">"{{ become_anoat }}"</span>
+ malastare:
+ ansible_become_password: <span class="org-string">"{{ become_malastare }}"</span>
+ <span class="org-comment-delimiter"># </span><span class="org-comment">Campus
+</span> kessel:
+ ansible_become_password: <span class="org-string">"{{ become_kessel }}"</span>
dantooine:
ansible_become_password: <span class="org-string">"{{ become_dantooine }}"</span>
- <span class="org-comment-delimiter"># </span><span class="org-comment">Campus</span>
- kessel:
- ansible_become_password: <span class="org-string">"{{ become_kessel }}"</span>
- ord-mantell:
- ansible_become_password: <span class="org-string">"{{ become_ord_mantell }}"</span>
- <span class="org-comment-delimiter"># </span><span class="org-comment">Notebooks</span>
- endor:
+ <span class="org-comment-delimiter"># </span><span class="org-comment">Notebooks
+</span> endor:
ansible_become_password: <span class="org-string">"{{ become_endor }}"</span>
sullust:
ansible_host: 127.0.0.1
anoat:
core:
hosts:
- dantooine:
+ malastare:
campus:
hosts:
anoat:
+ dantooine:
kessel:
- ord-mantell:
dvrs:
hosts:
dantooine:
tvrs:
hosts:
- dantooine:
+ malastare:
webtvs:
hosts:
+ dantooine:
kessel:
- ord-mantell:
notebooks:
hosts:
endor:
sullust:
builders:
hosts:
- sullust:
+ dantooine:
+ endor:
kessel:
+ sullust:
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-orga1fef67" class="outline-3">
-<h3 id="orga1fef67"><span class="section-number-3">10.3.</span> <q>playbooks/site.yml</q></h3>
+<div id="outline-container-orgf01c3f7" class="outline-3">
+<h3 id="orgf01c3f7"><span class="section-number-3">10.3.</span> <q>playbooks/site.yml</q></h3>
<div class="outline-text-3" id="text-10-3">
<p>
This playbook provisions the entire network by applying first the
</div>
</div>
</div>
-<div id="outline-container-org3e7c8a6" class="outline-2">
-<h2 id="org3e7c8a6"><span class="section-number-2">11.</span> The Abbey Commands</h2>
+<div id="outline-container-org587ce56" class="outline-2">
+<h2 id="org587ce56"><span class="section-number-2">11.</span> The Abbey Commands</h2>
<div class="outline-text-2" id="text-11">
<p>
The <code>./abbey</code> script encodes the abbey's canonical procedures. It
-includes <a href="Institute/README.html#orge18912d">The Institute Commands</a> and adds a few abbey-specific
+includes <a href="Institute/README.html#org79b145a">The Institute Commands</a> and adds a few abbey-specific
sub-commands.
</p>
</div>
-<div id="outline-container-org454bc3f" class="outline-3">
-<h3 id="org454bc3f"><span class="section-number-3">11.1.</span> Abbey Command Overview</h3>
+<div id="outline-container-org9244ae2" class="outline-3">
+<h3 id="org9244ae2"><span class="section-number-3">11.1.</span> Abbey Command Overview</h3>
<div class="outline-text-3" id="text-11-1">
<p>
Institutional sub-commands:
</dl>
</div>
</div>
-<div id="outline-container-orgafee4c1" class="outline-3">
-<h3 id="orgafee4c1"><span class="section-number-3">11.2.</span> Abbey Command Script</h3>
+<div id="outline-container-org980a95e" class="outline-3">
+<h3 id="org980a95e"><span class="section-number-3">11.2.</span> Abbey Command Script</h3>
<div class="outline-text-3" id="text-11-2">
<p>
The script begins with the following prefix and trampolines.
</p>
<div class="org-src-container">
-<a href="abbey"><q>abbey</q></a><pre class="src src-perl"><code><span class="org-comment-delimiter">#</span><span class="org-comment">!/usr/bin/perl -w</span>
-<span class="org-comment-delimiter">#</span>
-<span class="org-comment-delimiter"># </span><span class="org-comment">DO NOT EDIT. This file was tangled from README.org.</span>
-
+<a href="abbey"><q>abbey</q></a><pre class="src src-perl"><code><span class="org-comment-delimiter">#</span><span class="org-comment">!/usr/bin/perl -w
+</span><span class="org-comment-delimiter">#</span><span class="org-comment">
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">DO NOT EDIT. This file was tangled from README.org.
+</span>
<span class="org-keyword">use</span> <span class="org-constant">strict</span>;
<span class="org-keyword">if</span> (grep { $<span class="org-variable-name">_</span> eq $<span class="org-variable-name">ARGV</span>[0] } qw<span class="org-string">(CA config new old pass client)</span>) {
The small institute's <code>./inst</code> command expects to be running in
<q>Institute/</q>, not <q>./</q>, but it only references <q>public/</q>, <q>private/</q>,
<q>Secret/</q> and <q>playbooks/check-inst-vars.yml</q>, and will find the abbey
-specific versions of these. The <code>roles_path</code> setting in <a href="#org699d371"><q>ansible.cfg</q></a>
+specific versions of these. The <code>roles_path</code> setting in <a href="#org3f1039b"><q>ansible.cfg</q></a>
effectively merges the institutional roles into the distinctly named
abbey specific roles. The roles likewise reference files with
relative names, and will find the abbey specific <q>private/</q>
</div>
</div>
</div>
-<div id="outline-container-orge4be621" class="outline-3">
-<h3 id="orge4be621"><span class="section-number-3">11.3.</span> The Upgrade Command</h3>
+<div id="outline-container-org9830ed9" class="outline-3">
+<h3 id="org9830ed9"><span class="section-number-3">11.3.</span> The Upgrade Command</h3>
<div class="outline-text-3" id="text-11-3">
<p>
The script implements an <code>upgrade</code> sub-command that runs <code>apt update</code>
</div>
</div>
</div>
-<div id="outline-container-org362188c" class="outline-3">
-<h3 id="org362188c"><span class="section-number-3">11.4.</span> The Reboots Command</h3>
+<div id="outline-container-orgcd9de7d" class="outline-3">
+<h3 id="orgcd9de7d"><span class="section-number-3">11.4.</span> The Reboots Command</h3>
<div class="outline-text-3" id="text-11-4">
<p>
The script implements a <code>reboots</code> sub-command that looks for
</div>
</div>
</div>
-<div id="outline-container-org64bd014" class="outline-3">
-<h3 id="org64bd014"><span class="section-number-3">11.5.</span> The Versions Command</h3>
+<div id="outline-container-org34c512a" class="outline-3">
+<h3 id="org34c512a"><span class="section-number-3">11.5.</span> The Versions Command</h3>
<div class="outline-text-3" id="text-11-5">
<p>
The script implements a <code>versions</code> sub-command that reports the
</div>
</div>
</div>
-<div id="outline-container-orge6be2f2" class="outline-3">
-<h3 id="orge6be2f2"><span class="section-number-3">11.6.</span> The TZ Command</h3>
+<div id="outline-container-org53987be" class="outline-3">
+<h3 id="org53987be"><span class="section-number-3">11.6.</span> The TZ Command</h3>
<div class="outline-text-3" id="text-11-6">
<p>
The abbey changes location almost weekly, so its timezone changes
state: restarted
loop: [ mysql, mythtv-backend ]
when: new_tz.changed
-
-- hosts: core
- tasks:
- - name: Update PHP date.timezone.
- become: yes
- lineinfile:
- <span class="org-variable-name">regexp: date.timezone *</span>=
- <span class="org-variable-name">line: date.timezone</span> = {{ city.stdout }}
- path: <span class="org-string">"{{ item }}"</span>
- loop:
- - /etc/php/8.2/cli/php.ini
- - /etc/php/8.2/apache2/php.ini
- notify: Restart Apache2.
- handlers:
- - name: Restart Apache2.
- become: yes
- systemd:
- service: apache2
- state: restarted
</code></pre>
</div>
</div>
</div>
-<div id="outline-container-org22cce8c" class="outline-3">
-<h3 id="org22cce8c"><span class="section-number-3">11.7.</span> Abbey Command Help</h3>
+<div id="outline-container-org9ba0ebf" class="outline-3">
+<h3 id="org9ba0ebf"><span class="section-number-3">11.7.</span> Abbey Command Help</h3>
<div class="outline-text-3" id="text-11-7">
<div class="org-src-container">
<a href="abbey"><q>abbey</q></a><pre class="src src-perl"><code><span class="org-keyword">my</span> $<span class="org-variable-name">ops</span> = <span class="org-string">"config,new,old,pass,client,upgrade,reboots,versions,tz"</span>;
</div>
</div>
</div>
-<div id="outline-container-orgaf8047d" class="outline-2">
-<h2 id="orgaf8047d"><span class="section-number-2">12.</span> Cloistering</h2>
+<div id="outline-container-org5297011" class="outline-2">
+<h2 id="org5297011"><span class="section-number-2">12.</span> Cloistering</h2>
<div class="outline-text-2" id="text-12">
<p>
This is how a new machine is brought into the cloister. The process
Ansible.
</p>
</div>
-<div id="outline-container-org9fd81aa" class="outline-3">
-<h3 id="org9fd81aa"><span class="section-number-3">12.1.</span> IoT Devices</h3>
+<div id="outline-container-orge22ab7b" class="outline-3">
+<h3 id="orge22ab7b"><span class="section-number-3">12.1.</span> IoT Devices</h3>
<div class="outline-text-3" id="text-12-1">
<p>
A wireless IoT device (smart TV, Blu-ray deck, etc.) cannot install
</p>
<ul class="org-ul">
-<li><a href="#orgaad3496">Add to Core DHCP</a></li>
-<li><a href="#orgfeeed76">Create Wired Domain Name</a></li>
+<li><a href="#org2687b52">Add to Core DHCP</a></li>
+<li><a href="#org7794ee2">Create Wired Domain Name</a></li>
</ul>
<p>
</p>
<ul class="org-ul">
-<li><a href="#org1c5945c">Create Wireless Domain Name</a></li>
+<li><a href="#orgdb2cd50">Create Wireless Domain Name</a></li>
</ul>
</div>
</div>
-<div id="outline-container-orgdca4106" class="outline-3">
-<h3 id="orgdca4106"><span class="section-number-3">12.2.</span> Raspberry Pis</h3>
+<div id="outline-container-org5d1a88f" class="outline-3">
+<h3 id="org5d1a88f"><span class="section-number-3">12.2.</span> Raspberry Pis</h3>
<div class="outline-text-3" id="text-12-2">
<p>
-The abbey's Raspberry Pi runs the Raspberry Pi OS desktop off an
-external, USB3.0 SSD. A fresh install should go something like this:
+The abbey's Raspberry Pi runs the Raspberry Pi OS desktop off an NVMe
+SSD. A fresh install should go something like this:
</p>
<ul class="org-ul">
<ul class="org-ul">
<li>Language: English (USA)</li>
<li>Keyboard: English (USA)</li>
+<li>root password: <blank></li>
+<li>new user name: System Administrator</li>
<li>new username: sysadm</li>
-<li>new password: fubar</li>
+<li>new password: <password></li>
</ul></li>
-<li><a href="#orgaad3496">Add to Core DHCP</a></li>
-<li><a href="#orgfeeed76">Create Wired Domain Name</a></li>
+<li><a href="#org2687b52">Add to Core DHCP</a></li>
+<li><a href="#org7794ee2">Create Wired Domain Name</a></li>
<li>Log in as <code>sysadm</code> on the console.</li>
<li>Run <code>sudo raspi-config</code> and use the following menu items.
<ul class="org-ul">
<li>I1 SSH (Enable/disable remote command line access using SSH): enable</li>
<li>A1 Expand Filesystem (Ensures that all of the SD card is available)</li>
</ul></li>
-<li><a href="#org916b3aa">Update From Cloister Apt Cache</a></li>
-<li><a href="#org891e891">Authorize Remote Administration</a></li>
-<li><a href="#org939b52a">Configure with Ansible</a></li>
+<li><a href="#orgb191a58">Update From Cloister Apt Cache</a></li>
+<li><a href="#org1c1c621">Authorize Remote Administration</a></li>
+<li><a href="#org05d8cf2">Configure with Ansible</a></li>
</ul>
<p>
</p>
<ul class="org-ul">
-<li><a href="#orgd2c13e6">Connect to Cloister Wi-Fi</a></li>
-<li><a href="#orgee9a234">Connect to Cloister VPN</a></li>
-<li><a href="#org1c5945c">Create Wireless Domain Name</a></li>
+<li><a href="#org189c049">Connect to Cloister Wi-Fi</a></li>
+<li><a href="#org3383af2">Connect to Cloister VPN</a></li>
+<li><a href="#orgdb2cd50">Create Wireless Domain Name</a></li>
</ul>
</div>
</div>
-<div id="outline-container-orgff66da8" class="outline-3">
-<h3 id="orgff66da8"><span class="section-number-3">12.3.</span> PCs</h3>
+<div id="outline-container-org9453201" class="outline-3">
+<h3 id="org9453201"><span class="section-number-3">12.3.</span> PCs</h3>
<div class="outline-text-3" id="text-12-3">
<p>
Most of the abbey's machines, like Core and Gate, are general-purpose
</p>
<ul class="org-ul">
-<li>Write the disk image, e.g. <q>debian-12.2.0-amd64-netinst.iso</q>, to a
-USB drive and insert it in the PC.</li>
-<li>Attach an HDMI monitor, a USB keyboard/mouse, and the cloister
+<li>Write the disk image, e.g. <q>debian-12.11.0-amd64-netinst.iso</q>, to a
+USB drive and connect it to the PC.</li>
+<li>Connect an HDMI monitor, a USB keyboard/mouse, and the cloister
Ethernet, and power up. Choose to boot from the USB drive.</li>
-<li>Answer first-boot installation questions:
-<ul class="org-ul">
-<li>Language: English (USA)</li>
-<li>Keyboard: English (USA)</li>
-<li>new username: sysadm</li>
-<li>new password: fubar</li>
-</ul></li>
-<li><a href="#orgaad3496">Add to Core DHCP</a></li>
-<li><a href="#orgfeeed76">Create Wired Domain Name</a></li>
+<li>Answer first-boot installation questions as detailed in the
+preparation of <a href="Institute/README.org*A Test Machine">A Test Machine</a> for a Small Institute.</li>
+<li><a href="#org2687b52">Add to Core DHCP</a></li>
+<li><a href="#org7794ee2">Create Wired Domain Name</a></li>
<li>Log in as <code>sysadm</code> on the console.</li>
-<li><a href="#org916b3aa">Update From Cloister Apt Cache</a></li>
+<li><a href="#orgb191a58">Update From Cloister Apt Cache</a></li>
<li><p>
-Install OpenSSH. Plain Debian does not come with OpenSSH installed.
+Install OpenSSH, unless it already was when included in the initial
+Software selection during the Debian installation. Run the
+following if unsure.
</p>
<pre class="example">
sudo apt install openssh-server
</pre></li>
-<li><a href="#org891e891">Authorize Remote Administration</a></li>
-<li><a href="#org939b52a">Configure with Ansible</a></li>
+<li><a href="#org1c1c621">Authorize Remote Administration</a></li>
+<li><a href="#org05d8cf2">Configure with Ansible</a></li>
</ul>
<p>
</p>
<ul class="org-ul">
-<li><a href="#orgd2c13e6">Connect to Cloister Wi-Fi</a></li>
-<li><a href="#orgee9a234">Connect to Cloister VPN</a></li>
-<li><a href="#org1c5945c">Create Wireless Domain Name</a></li>
+<li><a href="#org189c049">Connect to Cloister Wi-Fi</a></li>
+<li><a href="#org3383af2">Connect to Cloister VPN</a></li>
+<li><a href="#orgdb2cd50">Create Wireless Domain Name</a></li>
</ul>
</div>
</div>
-<div id="outline-container-orgaad3496" class="outline-3">
-<h3 id="orgaad3496"><span class="section-number-3">12.4.</span> Add to Core DHCP</h3>
+<div id="outline-container-org2687b52" class="outline-3">
+<h3 id="org2687b52"><span class="section-number-3">12.4.</span> Add to Core DHCP</h3>
<div class="outline-text-3" id="text-12-4">
<p>
When a new machine is connected to the cloister Ethernet, its MAC
</div>
</div>
</div>
-<div id="outline-container-orgfeeed76" class="outline-3">
-<h3 id="orgfeeed76"><span class="section-number-3">12.5.</span> Create Wired Domain Name</h3>
+<div id="outline-container-org7794ee2" class="outline-3">
+<h3 id="org7794ee2"><span class="section-number-3">12.5.</span> Create Wired Domain Name</h3>
<div class="outline-text-3" id="text-12-5">
<p>
A wired device is assigned an IP address when it is added to Core's
-DHCP configuration (as in <a href="#orgaad3496">Add to Core DHCP</a>). A private domain name is
+DHCP configuration (as in <a href="#org2687b52">Add to Core DHCP</a>). A private domain name is
then associated with this address. If the device is intended to
operate wirelessly, the name for its address is modified with a <code>-w</code>
suffix. Thus <code>new-w.small.private</code> would be the name of the new
</div>
</div>
</div>
-<div id="outline-container-org916b3aa" class="outline-3">
-<h3 id="org916b3aa"><span class="section-number-3">12.6.</span> Update From Cloister Apt Cache</h3>
+<div id="outline-container-orgb191a58" class="outline-3">
+<h3 id="orgb191a58"><span class="section-number-3">12.6.</span> Update From Cloister Apt Cache</h3>
<div class="outline-text-3" id="text-12-6">
<ul class="org-ul">
<li>Log in as <code>sysadm</code> on the console.</li>
</ul>
</div>
</div>
-<div id="outline-container-org891e891" class="outline-3">
-<h3 id="org891e891"><span class="section-number-3">12.7.</span> Authorize Remote Administration</h3>
+<div id="outline-container-org1c1c621" class="outline-3">
+<h3 id="org1c1c621"><span class="section-number-3">12.7.</span> Authorize Remote Administration</h3>
<div class="outline-text-3" id="text-12-7">
<p>
To remotely administer <code>new-w</code>, Ansible must be authorized to login as
</div>
</div>
</div>
-<div id="outline-container-org939b52a" class="outline-3">
-<h3 id="org939b52a"><span class="section-number-3">12.8.</span> Configure with Ansible</h3>
+<div id="outline-container-org05d8cf2" class="outline-3">
+<h3 id="org05d8cf2"><span class="section-number-3">12.8.</span> Configure with Ansible</h3>
<div class="outline-text-3" id="text-12-8">
<p>
-With remote administration authorized and tested (as in <a href="#org891e891">Authorize
+With remote administration authorized and tested (as in <a href="#org1c1c621">Authorize
Remote Administration</a>), and the machine connected to the cloister
Ethernet, the configuration of <code>new-w</code> can be completed by Ansible.
Note that if the machine is staying on the cloister Ethernet, its
</p>
<p>
-First <code>new-w</code> is added to Ansible's inventory in <a href="#orgb1ba475"><q>hosts</q></a>. A <code>new-w</code>
+First <code>new-w</code> is added to Ansible's inventory in <a href="#org779a328"><q>hosts</q></a>. A <code>new-w</code>
section is added to the list of all hosts, and an empty section of the
same name is added to the list of <code>campus</code> hosts. If the machine uses
-the usual privileged account name, <code>sysadm</code>, the <code>ansible_user</code> key in
+the usual privileged account name, <code>sysadm</code>, the <code>ansible_user</code> key is
not needed.
</p>
</div>
</div>
</div>
-<div id="outline-container-orgd2c13e6" class="outline-3">
-<h3 id="orgd2c13e6"><span class="section-number-3">12.9.</span> Connect to Cloister Wi-Fi</h3>
+<div id="outline-container-org189c049" class="outline-3">
+<h3 id="org189c049"><span class="section-number-3">12.9.</span> Connect to Cloister Wi-Fi</h3>
<div class="outline-text-3" id="text-12-9">
<p>
On an IoT device, or a Debian or Android "desktop", the cloister Wi-Fi
</div>
</div>
</div>
-<div id="outline-container-orgee9a234" class="outline-3">
-<h3 id="orgee9a234"><span class="section-number-3">12.10.</span> Connect to Cloister VPN</h3>
+<div id="outline-container-org3383af2" class="outline-3">
+<h3 id="org3383af2"><span class="section-number-3">12.10.</span> Connect to Cloister VPN</h3>
<div class="outline-text-3" id="text-12-10">
<p>
Wireless devices (with the cloister Wi-Fi password) can get an IP
<p>
Connections to the cloister VPN are authorized by the <code>./abbey
-client...</code> command (aka <a href="Institute/README.html#org5635191">The Client Command</a>), which registers a new
+client...</code> command (aka <a href="Institute/README.html#org6edab5b">The Client Command</a>), which registers a new
client's public key and installs new WireGuard™ configurations on the
servers. Private keys are kept on the clients (e.g. in
<q>/etc/wireguard/private-key</q>).
</p>
</div>
-<div id="outline-container-org85d0bd2" class="outline-4">
-<h4 id="org85d0bd2"><span class="section-number-4">12.10.1.</span> Campus Desktops and Servers</h4>
+<div id="outline-container-org1dcb630" class="outline-4">
+<h4 id="org1dcb630"><span class="section-number-4">12.10.1.</span> Campus Desktops and Servers</h4>
<div class="outline-text-4" id="text-12-10-1">
<p>
Wireless Debian desktops (with NetworkManager) as well as servers
</ul>
</div>
</div>
-<div id="outline-container-orgac0885d" class="outline-4">
-<h4 id="orgac0885d"><span class="section-number-4">12.10.2.</span> Private Desktops</h4>
+<div id="outline-container-org9fbf37c" class="outline-4">
+<h4 id="org9fbf37c"><span class="section-number-4">12.10.2.</span> Private Desktops</h4>
<div class="outline-text-4" id="text-12-10-2">
<p>
Member notebooks are private machines not remotely administered by the
</p>
</div>
</div>
-<div id="outline-container-org9e0c5a3" class="outline-4">
-<h4 id="org9e0c5a3"><span class="section-number-4">12.10.3.</span> Android</h4>
+<div id="outline-container-org0df72d4" class="outline-4">
+<h4 id="org0df72d4"><span class="section-number-4">12.10.3.</span> Android</h4>
<div class="outline-text-4" id="text-12-10-3">
<p>
Android phones and tablets are authorized to connect to the cloister
</div>
</div>
</div>
-<div id="outline-container-org1c5945c" class="outline-3">
-<h3 id="org1c5945c"><span class="section-number-3">12.11.</span> Create Wireless Domain Name</h3>
+<div id="outline-container-orgdb2cd50" class="outline-3">
+<h3 id="orgdb2cd50"><span class="section-number-3">12.11.</span> Create Wireless Domain Name</h3>
<div class="outline-text-3" id="text-12-11">
<p>
A wireless machine is assigned a Wi-Fi address when it connects to the
</div>
<div id="postamble" class="status">
<p class="author">Author: Matt Birkholz</p>
-<p class="date">Created: 2025-06-28 Sat 10:20</p>
+<p class="date">Created: 2025-09-18 Thu 20:56</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>
projects / Network.git / commitdiff