From: Matt Birkholz abbey-
prefix on their names. These roles are applied after
the generic institutional roles (again, documented here).
A Small Institute makes security and privacy top priorities but @@ -64,7 +64,7 @@ map is very similar, with differences mainly in terminology, philosophy, attitude.
-+| = _|||_ @@ -103,8 +103,8 @@ philosophy, attitude.
The abbey's public particulars are included below. They are the
@@ -134,8 +134,8 @@ into private_ex/vars-abbey.yml
.
Birchwood Abbey's front door is a Digital Ocean Droplet configured as @@ -144,8 +144,8 @@ with Apache2, spooling email with Postfix and serving it with Dovecot-IMAPd, and hosting a VPN with WireGuardâ¢.
The monks of the abbey are masters of the staff (bo) and Emacs. @@ -160,8 +160,8 @@ The monks of the abbey are masters of the staff (bo) and Emacs.
The abbey uses several additional email aliases. These are the public
@@ -196,12 +196,13 @@ from there, forwarding sysadm
to a real person.
- name: New aliases.
become: yes
command: newaliases
+ tags: actualizer
The abbey publishes member Git repositories with git-daemon
. If
@@ -276,7 +277,7 @@ like git-tasks
and git-handlers
.
git-tasks
- name: Install git daemon.
+git-tasks
- name: Install git daemon.
become: yes
apt: pkg=git-daemon-sysvinit
@@ -314,16 +315,17 @@ like git-tasks
and git-handlers
.
git-handlers
+git-handlers
- name: Restart git daemon.
become: yes
command: systemctl restart git-daemon
+ tags: actualizer
The abbey provides an HTML interface to members' public Git
@@ -350,7 +352,7 @@ lists the repositories found in /var/www/git/
.
apache-gitweb
+apache-gitweb
Alias /gitweb-static/ /usr/share/gitweb/static/
<Directory "/usr/share/gitweb/static/">
Options MultiViews
@@ -408,7 +410,7 @@ web site /favicon.ico
.
-apache-gitweb-tasks
- name: Enable Apache2 rewrite module for Gitweb.
+apache-gitweb-tasks
- name: Enable Apache2 rewrite module for Gitweb.
become: yes
apache2_module: name=rewrite
notify: Restart Apache2.
@@ -445,17 +447,18 @@ web site /favicon.ico
.
-apache-gitweb-handlers
- name: Restart Apache2.
+apache-gitweb-handlers
- name: Restart Apache2.
become: yes
systemd:
service: apache2
state: restarted
+ tags: actualizer
Some of the directives added to the -vhost.conf
file are needed by
@@ -473,7 +476,7 @@ filename suffixes.
apache-abbey
<Directory {{ docroot }}/Abbey/>
+apache-abbey
<Directory {{ docroot }}/Abbey/>
AllowOverride Indexes FileInfo
Options +Indexes +FollowSymLinks
</Directory>
@@ -496,8 +499,8 @@ AddType text/plain private pub public_vpn req rev sample txt yml
Some of the directives added to the -vhost.conf
file map the abbey's
@@ -509,7 +512,7 @@ matching configurations for accurate previews and tests.
apache-photos
+apache-photos
RedirectMatch /Photos$ /Photos/
RedirectMatch /Photos/(20[0-9][0-9])_([0-9][0-9])_([0-9][0-9])$ \
/Photos/$1_$2_$3/
@@ -522,8 +525,8 @@ AliasMatch /Photos/$ {{ docroot }}/Photos/index.html
The abbey needs to add some Apache2 configuration directives to the
@@ -534,11 +537,11 @@ The abbey simply creates a birchwood-abbey.net-vhost.conf
file in
-The following task adds the apache-abbey
, apache-photos
, and
-apache-gitweb
directives described above to the -vhost.conf
file,
+The following task adds the apache-abbey
, apache-photos
, and
+apache-gitweb
directives described above to the -vhost.conf
file,
and includes options-ssl-apache.conf
from /etc/letsencrypt/
. The
rest of the Let's Encrypt configuration is discussed in the following
-Install Let's Encrypt section.
+Install Let's Encrypt section.
These tasks hack Apache's logrotate(8)
configuration to rotate
@@ -631,6 +634,7 @@ The replacement logrotate-mailer
does, and includes it in a
become: yes
systemd:
daemon_reload: yes
+ tags: actualizer
sendmail
.
roles_t/abbey-front/files/logrotate-mailer
#!/bin/bash -e
-
+roles_t/abbey-front/files/logrotate-mailer
#!/bin/bash -e
+
if [ "$#" != 3 -o "$1" != "-s" ]; then
echo "usage: $0 -s subject recipient" 1>&2
exit 1
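Review bot: the argument check in logrotate-mailer, `if [ "$#" != 3 -o "$1" != "-s" ]`, relies on the `-o` operator, which POSIX marks obsolescent and which becomes ambiguous when an argument itself looks like a test operator; `if [ "$#" != 3 ] || [ "$1" != "-s" ]` is equivalent and unambiguous. Since the script already uses `#!/bin/bash -e`, adding `set -u` would also turn a missing recipient into an immediate error rather than an empty argument.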
@@ -701,8 +705,8 @@ encrypting and sending to sendmail
.
The abbey uses a Let's Encrypt certificate to authenticate its public @@ -711,7 +715,7 @@ certificate is a terminal session affair (with prompts and lines entered as shown below).
-+$ sudo apt install python3-certbot-apache $ sudo certbot --apache -d birchwood-abbey.net ... @@ -777,11 +781,11 @@ package is installed and itslive/subdirectory is world readable. become: yes apt: pkg=python3-certbot-apache -- name: Ensure Let's Encrypt certificate is readable. - become: yes - file: - mode: u=rwx,g=rx,o=rx - path: /etc/letsencrypt/live +- name: Ensure Let's Encrypt certificate is readable. + become: yes + file: + mode: u=rwx,g=rx,o=rx + path: /etc/letsencrypt/live
roles_t/abbey-front/tasks/main.yml
-- name: Use Let's Encrypt certificate&key.
- file:
- state: link
- src: "{{ item.target }}"
- path: "{{ item.link }}"
- force: yes
- loop:
- - target: /etc/letsencrypt/live/birchwood-abbey.net/fullchain.pem
- link: /etc/server.crt
- - target: /etc/letsencrypt/live/birchwood-abbey.net/privkey.pem
- link: /etc/server.key
+- name: Use Let's Encrypt certificate&key.
+ file:
+ state: link
+ src: "{{ item.target }}"
+ path: "{{ item.link }}"
+ force: yes
+ loop:
+ - target: /etc/letsencrypt/live/birchwood-abbey.net/fullchain.pem
+ link: /etc/server.crt
+ - target: /etc/letsencrypt/live/birchwood-abbey.net/privkey.pem
+ link: /etc/server.key
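Review bot: two points in the certificate tasks. `Use Let's Encrypt certificate&key` creates symlinks under /etc (/etc/server.crt, /etc/server.key) but carries no `become: yes`, unlike the neighbouring tasks (`Ensure Let's Encrypt certificate is readable`, `Install Let's Encrypt archive script`), so it fails with a permission error unless the whole play escalates. And `mode: u=rwx,g=rx,o=rx` on /etc/letsencrypt/live makes the directory that holds privkey.pem traversable by every local user, leaving the key file's own mode as the only protection on the private key; the services this page names (Apache2, Postfix, Dovecot) open the key as root at startup and do not need that, so if some unprivileged reader does, granting a group on the specific files is narrower than `o=rx` on the directory.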
The following task arranges to rotate Certbot's logs files. @@ -850,8 +854,8 @@ The following task arranges to rotate Certbot's logs files.
A backup copy of Let's Encrypt's data (/etc/letsencrypt/
) is sent to
@@ -861,18 +865,18 @@ are detected by keeping a copy in /etc/letsencrypt~/
for comparison.
roles_t/abbey-front/tasks/main.yml
-- name: Install Let's Encrypt archive script.
- become: yes
- copy:
- src: cron.daily_letsencrypt
- dest: /etc/cron.daily/letsencrypt
- mode: u=rwx,g=rx,o=rx
+- name: Install Let's Encrypt archive script.
+ become: yes
+ copy:
+ src: cron.daily_letsencrypt
+ dest: /etc/cron.daily/letsencrypt
+ mode: u=rwx,g=rx,o=rx
roles_t/abbey-front/files/cron.daily_letsencrypt
#!/bin/bash -e
-
+roles_t/abbey-front/files/cron.daily_letsencrypt
#!/bin/bash -e
+
cd /etc/
[ -d letsencrypt~ ] \
@@ -910,28 +914,28 @@ imported into root@front
's GnuPG key file.
roles_t/abbey-front/tasks/main.yml
-- name: Copy root@core's public key.
- become: yes
- copy:
- src: ../Secret/root-pub.pem
- dest: /root/.gnupg-root-pub.pem
- mode: u=r,g=r,o=r
- notify: Import root@core's public key.
+- name: Copy root@core's public key.
+ become: yes
+ copy:
+ src: ../Secret/root-pub.pem
+ dest: /root/.gnupg-root-pub.pem
+ mode: u=r,g=r,o=r
+ notify: Import root@core's public key.
roles_t/abbey-front/handlers/main.yml
-- name: Import root@core's public key.
- become: yes
- command: gpg --import ~/.gnupg-root-pub.pem
+- name: Import root@core's public key.
+ become: yes
+ command: gpg --import ~/.gnupg-root-pub.pem
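Review bot: `gpg --import ~/.gnupg-root-pub.pem` brings the key in with unknown trust. If the daily archive script (the page describes encrypting the /etc/letsencrypt/ copy and handing it to sendmail) encrypts to this key non-interactively, gpg refuses an untrusted recipient unless the key has been marked trusted or the encrypt command passes `--trust-model always`; worth confirming in cron.daily_letsencrypt. The `~` in the handler is fine: under `become: yes` it resolves to root's home, matching the /root/.gnupg-root-pub.pem destination of the copy task.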
Birchwood Abbey's core is a mini-PC (System76 Meerkat) configured as A @@ -941,8 +945,8 @@ with Postfix and Dovecot, and providing essential localnet services: NTP, DNS and DHCP.
In this abbey specific document, most abbey particulars are not
@@ -961,8 +965,8 @@ directory, playbooks/
.
The scripts that maintain the abbey's web site use a number of @@ -974,14 +978,16 @@ The house task list uses JQuery.
roles_t/abbey-core/tasks/main.yml
- name: Install additional packages.
+ become: yes
apt:
- pkg: [ libhtml-tree-perl, libjs-jquery, mit-scheme, gnuplot ]
+ pkg: [ procmail, libhtml-tree-perl, libjs-jquery,
+ mit-scheme, gnuplot ]
The abbey uses several additional email aliases. These are the campus
@@ -1017,17 +1023,18 @@ e.g. mythtv@mythtv.birchwood.private
, locally.)
- name: New aliases.
become: yes
command: newaliases
+ tags: actualizer
These tasks are identical to those executed on Front, for similar Git -services on Front and Core. See 3.3 and -Configure Gitweb on Front for more information. +services on Front and Core. See 3.3 and +Configure Gitweb on Front for more information.
The Apache2 configuration on Core specifies three web sites (live,
test, and campus). The live and test sites must operate just like the
-site on Front. Their configurations include the same apache-abbey
,
-apache-photos
, and apache-gitweb
used on Front.
+site on Front. Their configurations include the same apache-abbey
,
+apache-photos
, and apache-gitweb
used on Front.
The institute serves its /usr/share/doc/
on the house (campus) web
site. This is a debugging convenience, making some HTML documentation
more accessible, especially the documentation of software installed on
Core and not on typical desktop clients. Also included: the Apache2
-directives that enable user Git publishing with Gitweb (defined here).
+directives that enable user Git publishing with Gitweb (defined here).
The abbey uses the Apt-Cacher:TNG package cache on Core. The @@ -1138,8 +1145,8 @@ The abbey uses the Apt-Cacher:TNG package cache on Core. The
Core itself will benefit from using the package cache, but should @@ -1163,8 +1170,8 @@ so caching their packages is not a priority.)
A small institute uses nagios4
to monitor the health of its network,
@@ -1177,10 +1184,9 @@ customized check_sensors
plugin (abbey_pisensors
) in
/usr/local/sbin/
on the Raspberry Pis.
The abbey adds monitoring of the space remaining on the volume at
/home/
on Core. (The small institute only monitors the space
@@ -1211,13 +1217,14 @@ remaining on roots.)
systemd:
service: nagios4
state: reloaded
+ tags: actualizer
abbey_pisensors
abbey_pisensors
The check_sensors
plugin is included in the package
monitoring-plugins-basic
, but it does not report any readings. The
@@ -1229,8 +1236,8 @@ recognizable temperature in the sensors
output.
roles_t/abbey-core/files/abbey_pisensors
#!/bin/sh
-
+roles_t/abbey-core/files/abbey_pisensors
#!/bin/sh
+
PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
export PATH
PROGNAME=`basename $0`
@@ -1255,10 +1262,10 @@ recognizable temperature in the sensors
output.
}
brief_data() {
- echo "$1" | sed -n -E -e '
- /^temp[0-9]+: +[-+][0-9.]+.?C/ {
- s/^temp[0-9]+: +([-+][0-9.]+).?C.*/ \1/; H }
- $ { x; s/\n//g; p }'
+ echo "$1" | sed -n -E -e '
+ /^temp[0-9]+: +[-+][0-9.]+.?C/ {
+ s/^temp[0-9]+: +([-+][0-9.]+).?C.*/ \1/; H }
+ $ { x; s/\n//g; p }'
}
case "$1" in
@@ -1311,25 +1318,24 @@ recognizable temperature in the sensors
output.
-The abbey adds monitoring for more servers: Kessel, and Ord Mantell.
+The abbey adds monitoring for more servers: Dantooine and Kessel.
They are abbey-cloister
servers, so they are configured as small
institute campus
servers, like Gate, with an NRPE (a NAGIOS Remote
Plugin Executor) server and an inst_sensors
command.
-The configurations for the servers are very similar to Gate's, but are
-idiosyncratically in flux. For example Ord Mantell, the Raspberry Pi
-OS (ARM64) machine, uses the abbey_pisensors
monitor.
+The configurations for these servers are very similar to Gate's, but
+are idiosyncratically in flux.
The IP addresses of all three hosts are nice to use in the NAGIOS
configuration (to avoid depending on name service) and so are
@@ -1338,15 +1344,15 @@ included in private/vars-abbey.yml
.
private_ex/vars-abbey.yml
---
-kessel_addr: 10.84.138.8
-ord_mantell_addr: 10.84.138.10
+dantooine_addr: 10.84.138.8
+kessel_addr: 10.84.138.10
The following task installs each host's NAGIOS configuration.
@@ -1358,70 +1364,77 @@ The following task installs each host's NAGIOS configuration. template: src: nagios-{{ item }}.cfg dest: /etc/nagios4/conf.d/{{ item }}.cfg - loop: [ ord-mantell, kessel ] + loop: [ dantooine, kessel ] notify: Reload NAGIOS4.roles_t/abbey-core/templates/nagios-ord-mantell.cfg
define host {
+roles_t/abbey-core/templates/nagios-dantooine.cfg
define host {
use linux-server
- host_name ord-mantell
- address {{ ord_mantell_addr }}
+ host_name dantooine
+ address {{ dantooine_addr }}
}
define service {
use generic-service
- host_name ord-mantell
+ host_name dantooine
service_description Root Partition
check_command check_nrpe!inst_root
}
-# define service {
-# use generic-service
-# host_name ord-mantell
-# service_description Current Load
-# check_command check_nrpe!check_load
-# }
+define service {
+ use generic-service
+ host_name dantooine
+ service_description DVR Recordings
+ check_command check_nrpe!abbey_dvr
+}
+# define service {
+# use generic-service
+# host_name dantooine
+# service_description Current Load
+# check_command check_nrpe!check_load
+# }
+
define service {
use generic-service
- host_name ord-mantell
+ host_name dantooine
service_description Zombie Processes
check_command check_nrpe!check_zombie_procs
}
-# define service {
-# use generic-service
-# host_name ord-mantell
-# service_description Total Processes
-# check_command check_nrpe!check_total_procs
-# }
-
+# define service {
+# use generic-service
+# host_name dantooine
+# service_description Total Processes
+# check_command check_nrpe!check_total_procs
+# }
+
define service {
use generic-service
- host_name ord-mantell
+ host_name dantooine
service_description Swap Usage
check_command check_nrpe!inst_swap
}
define service {
use generic-service
- host_name ord-mantell
+ host_name dantooine
service_description Temperature Sensors
- check_command check_nrpe!abbey_pisensors
+ check_command check_nrpe!inst_sensors
}
roles_t/abbey-core/templates/nagios-kessel.cfg
define host {
use linux-server
@@ -1436,13 +1449,13 @@ The following task installs each host's NAGIOS configuration.
check_command check_nrpe!inst_root
}
-# define service {
-# use generic-service
-# host_name kessel
-# service_description Current Load
-# check_command check_nrpe!check_load
-# }
-
+# define service {
+# use generic-service
+# host_name kessel
+# service_description Current Load
+# check_command check_nrpe!check_load
+# }
+
define service {
use generic-service
host_name kessel
@@ -1450,13 +1463,13 @@ The following task installs each host's NAGIOS configuration.
check_command check_nrpe!check_zombie_procs
}
-# define service {
-# use generic-service
-# host_name kessel
-# service_description Total Processes
-# check_command check_nrpe!check_total_procs
-# }
-
+# define service {
+# use generic-service
+# host_name kessel
+# service_description Total Processes
+# check_command check_nrpe!check_total_procs
+# }
+
define service {
use generic-service
host_name kessel
@@ -1475,9 +1488,10 @@ The following task installs each host's NAGIOS configuration.
The abbey is experimenting with Munin. NAGIOS is all about notifying
the Sys. Admin. of failed services. Munin is more about tracking
@@ -1508,25 +1522,26 @@ trends in resource usage.
- name: Punt default Munin node.
become: yes
- replace:
+ ini_file:
+ section: "[localhost.localdomain]"
+ state: absent
path: /etc/munin/munin.conf
- regexp: '^\[localhost.*\n\n'
- name: Configure actual Munin nodes.
become: yes
copy:
content: |
- [dantooine.birchwood.private]
+ [malastare.birchwood.private]
address 127.0.0.1
[anoat.birchwood.private]
address {{ gate_addr }}
+ [dantooine.birchwood.private]
+ address {{ dantooine_addr }}
+
[kessel.birchwood.private]
address {{ kessel_addr }}
-
- [ord-mantell.birchwood.private]
- address {{ ord_mantell_addr }}
dest: /etc/munin/munin-conf.d/zzz-site.cfg
notify: Restart Munin.
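Review bot: in `Punt default Munin node`, `section: "[localhost.localdomain]"` includes the brackets, but ini_file takes the bare section name (`section: localhost.localdomain`) and adds the brackets itself, so as written it looks for a section headed `[[localhost.localdomain]]`, finds none, and the default `[localhost.localdomain]` block stays in /etc/munin/munin.conf next to the new zzz-site.cfg nodes. munin.conf is also not strictly INI (`address 127.0.0.1` has no `=`); for removing a whole section that should still work, since `state: absent` without `option` drops the header and everything up to the next one, but a `--check --diff` run to confirm the block actually disappears would settle it.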
@@ -1559,13 +1574,14 @@ next task configures libsensors
to ignore them.
systemd:
service: munin
state: restarted
+ tags: actualizer
The abbey's public web site's access and error logs are emailed
regularly to webmaster
, who saves them in /Logs/apache2-public/
@@ -1618,9 +1634,9 @@ the campus as http://www/analog.html
.
Monkey needs to be in www-data
so that it can run
/WWW/live/Photos/Private/cronjob
to publish photos from multiple
@@ -1641,9 +1657,9 @@ user cloud accounts, found in files owned by www-data
, files like
Monkey's photo processing scripts use netpbm
commands like
jpegtopnm
.
@@ -1659,8 +1675,8 @@ Monkey's photo processing scripts use netpbm
commands like
Birchwood Abbey's gate is a $110 µPC configured as A Small Institute @@ -1672,8 +1688,8 @@ allows access to the Abbey's IoT appliances: a HomeAssistant and an Ecowitt hub.
The abbey gate's lan
interface is the PC's built-in Ethernet
@@ -1694,25 +1710,27 @@ The MAC address of each interface is set in private/vars.yml
(see
To allow masquerading between the private subnets and wild
, the
following iptables(8)
rules are added. They are very similar to the
nat
and filter
table rules used by a small institute to masquerade
-its lan
to its isp
(see the UFW Rules of a Small Institute).
+its lan
to its isp
(see the UFW Rules of a Small Institute).
+The campus WireGuard⢠subnet is not included because the campus Wi-Fi
+hosts should be routing to the wild subnet directly and are assumed to
+be masquerading as their access point(s).
iot-nat
-A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE
+iot-nat
-A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE
-A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE
--A POSTROUTING -s {{ campus_wg_net_cidr }} -o wild -j MASQUERADE
iot-forward
-A ufw-user-forward -i lan -o wild -j ACCEPT
+iot-forward
-A ufw-user-forward -i lan -o wild -j ACCEPT
-A ufw-user-forward -i wg0 -o wild -j ACCEPT
The following tasks install the additional rules in before.rules
-and user.rules
(as in Configure UFW).
+and user.rules
(as in Configure UFW).
The abbey connects to Starlink via Ethernet, and disables Starlink's @@ -1809,8 +1827,8 @@ at least our local network traffic out of view of our ISPs.
The abbey used to use a cell phone on a USB tether to get Internet
@@ -1855,8 +1873,8 @@ service, using a 60-isp.yaml
file similar to the lines below.
Birchwood Abbey's cloister is a small institute campus. The campus
@@ -1871,7 +1889,7 @@ tasks, namely configuration required on Raspberry Pi OS machines.
Wireless clients are issued keys for the cloister VPN by the ./abbey
client
command which is currently identical to the ./inst client
-command (described in The Client Command). The wireless, cloistered
+command (described in The Client Command). The wireless, cloistered
hosts never roam, are not associated with a member, and so are
"campus" clients, issued keys with commands like this:
The Apt-Cacher:TNG program does not work well on the frontier, so is @@ -1915,13 +1933,13 @@ local host.
Each cloistered host is a small institute campus host and thus is
already running an NRPE server (a NAGIOS Remote Plugin Executor
-server) with a custom inst_sensors
monitor (described in Configure
+server) with a custom inst_sensors
monitor (described in Configure
NRPE of A Small Institute). The abbey adds one complication: yet
another check_sensors
variant, abbey_pisensors
, installed on
Raspberry Pis (architecture aarch64
) only.
@@ -1937,7 +1955,7 @@ Raspberry Pis (architecture aarch64
) only.
mode: u=rwx,g=rx,o=rx
when: ansible_architecture == 'aarch64'
-- name: Configure NAGIOS command.
+- name: Configure NAGIOS monitor abbey_pisensors.
become: yes
copy:
content: |
@@ -1949,18 +1967,19 @@ Raspberry Pis (architecture aarch64
) only.
roles_t/abbey-cloister/handlers/main.yml
+roles_t/abbey-cloister/handlers/main.yml
---
- name: Reload NRPE server.
become: yes
systemd:
service: nagios-nrpe-server
state: reloaded
+ tags: actualizer
Each cloistered host is a Munin node. @@ -1972,6 +1991,14 @@ Each cloistered host is a Munin node. become: yes apt: pkg=munin-node +- name: Configure Munin Node. + become: yes + lineinfile: + regexp: "^allow [^]{{ core_addr|regex_escape }}[$]$" + line: "allow ^{{ core_addr|regex_escape }}$" + path: /etc/munin/munin-node.conf + notify: Restart Munin node. + - name: Add {{ ansible_user }} to munin group. become: yes user: @@ -2003,8 +2030,8 @@ them.
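Review bot: in `Configure Munin Node`, the regexp `"^allow [^]{{ core_addr|regex_escape }}[$]$"` cannot match the line it is meant to replace: `[^]` is not an escaped caret, it opens a negated character class that runs to the next `]` (the one in `[$]`), so the pattern matches `allow ` followed by exactly one character and never `allow ^10\.84\.138\.x$`. Because the regexp never matches, lineinfile appends `allow ^{{ core_addr|regex_escape }}$` instead of replacing anything; munin-node accepts several `allow` lines, so the result works, but the default `allow ^127\.0\.0\.1$` entries remain and the regexp is dead weight. A literal caret is `\^`, for example `regexp: '^allow \^{{ core_addr|regex_escape }}\$$'` (single-quoted so YAML keeps the backslashes), or drop `regexp` and let lineinfile match on `line` alone.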
The monks of the abbey are masters of the staff and Emacs. @@ -2020,8 +2047,8 @@ The monks of the abbey are masters of the staff and Emacs.
Birchwood Abbey now uses Home Assistant to record and display weather @@ -2048,20 +2075,21 @@ entities. These were labeled and organized on an "Abbey" dashboard.
The abbey uses AgentDVR to record video from PoE IP HD security
-cameras. It is installed and configured as described here.
+cameras. It runs as user agentdvr
and keeps all of its
+configuration and recordings in /home/agentdvr/
.
-AgentDVR is installed at the abbey according to the iSpy web site's -latest(?) instructions. The "download" button on iSpy's Download page +AgentDVR is installed according to the iSpy web site's latest +instructions. The "download" button on iSpy's Download page (https://www.ispyconnect.com/download), when "Agent DVR - Linux/ macOS/ RPi" is chosen, suggests the following command lines (the second of which is broken across three lines). @@ -2069,45 +2097,39 @@ second of which is broken across three lines).
sudo apt-get install curl
-bash <(curl -s "https://raw.githubusercontent.com/\
-ispysoftware/agent-install-scripts/main/v2/\
-install.sh")
+bash <(curl -s "https://raw.githubusercontent.com/\
+ispysoftware/agent-install-scripts/main/v2/\
+install.sh")
-Before executing these commands, Ansible is enlisted to make certain
-preparations.
+The second command fetches and runs an installation script that
+executes several sudo
commands. These commands can be run by the
+agentdvr
account if it has (temporary) authorization.
-AgentDVR runs in the abbey as a system user, agentdvr
, which
-installs and runs the service. Though a system user, the account gets
-a home directory, /home/agentdvr/
in which to install AgentDVR, and
-a login shell, /bin/bash
. This much Ansible can do in preparation.
+The following commands are manually executed to create the agentdvr
+account and authorize it to run a handful of system commands as
+root
. This small set is sufficient to run the installation script
+if the offer to create the system service is declined.
-./abbey config dvrs --
-After the agentdvr
account is created, it is temporarily authorized
-to run a handful of system commands (as root
!). This small set is
-sufficient if the offer to create the system service is declined.
-The following commands create this authorization in ~/01agentdvr
,
-validate and install it in /etc/sudoers.d/01agentdvr
. Such caution
-is taken because a syntax error anywhere in /etc/sudoers.d/
can make
-the sudo
command inoperative, cutting off access to all elevated
-privileges until a "rescue" (involving a reboot) is performed.
+The commands validate the config file, 01agentdvr
, before installing
+it because a syntax error can make the sudo
command inoperative,
+cutting off access to all elevated privileges until a "rescue"
+(involving a reboot) is performed.
echo "ALL ALL=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\
- /sbin/adduser,/sbin/usermod" >~/01agentdvr
+sudo adduser --disabled-password agentdvr
+echo "ALL ALL=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\
+ /sbin/adduser,/sbin/usermod" >~/01agentdvr
sudo chown root:root ~/01agentdvr
sudo chmod 440 ~/01agentdvr
visudo --check --owner --perms ~/01agentdvr
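Review bot: the sudoers line written to ~/01agentdvr does not grant what the surrounding prose describes. `ALL ALL=(agentdvr) NOPASSWD: ...` lets every user, on every host, run those four commands as the agentdvr user; it does not let agentdvr run them as root, which is what "authorize it to run a handful of system commands as root" says. The form matching the prose is `agentdvr ALL=(root) NOPASSWD: /bin/systemctl,/bin/apt-get,/sbin/adduser,/sbin/usermod`. Either way, those four commands with no argument restriction are root-equivalent, so the temporary nature of the grant and the later `sudo rm /etc/sudoers.d/01agentdvr` carry the whole weight; the `visudo --check --owner --perms` before `sudo mv` is the right order. Separately, `bash <(curl -s ".../main/install.sh")` runs whatever is on the `main` branch at that moment; downloading to a file, reading it, and pinning a commit instead of `main` would make the install reproducible and reviewable.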
@@ -2116,12 +2138,12 @@ sudo mv ~/01agentdvr /etc/sudoers.d/
With the above preparations, the system administrator can get a shell
-session under the agentdvr
account to run iSpy's installation script
+session under the agentdvr
account to run iSpy's installation script
in the empty /home/agentdvr/
directory.
When Ansible is run a second time, after the installation script, it @@ -2162,11 +2184,13 @@ sudo rm /etc/sudoers.d/01agentdvr
agentdvr
agentdvr
-AgentDVR runs as the system user agentdvr
, which is created here.
+AgentDVR runs as the system user agentdvr
, which is configured here.
+(The account should have been created by the installation or
+restoration of AgentDVR.)
agentdvr
, which is created here.
become: yes
user:
name: agentdvr
- system: yes
+ password: "!"
home: /home/agentdvr
shell: /bin/bash
append: yes
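Review bot: `password: "!"` does lock the account (the user module documents `!` or `*` as a disabled password, which matches the `adduser --disabled-password agentdvr` step above), but `password_lock: yes` states that intent without looking like a hash. Dropping `system: yes` only matters if Ansible ever has to create the account, since `system` is applied at creation time only; the new comment says the installer or a restore is expected to create it, so the change is consistent with that.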
@@ -2200,8 +2224,8 @@ AgentDVR runs as the system user agentdvr
, which is created here.
AgentDVR/
AgentDVR/
The following task probes for the /home/agentdvr/AgentDVR/
@@ -2224,8 +2248,8 @@ remaining installation steps are skipped unless
This service definition came from the template downloaded (from here)
@@ -2246,37 +2270,43 @@ by install.sh
.
WorkingDirectory=/home/agentdvr/AgentDVR
ExecStart=/home/agentdvr/AgentDVR/Agent
- # fix memory management issue with dotnet core
- Environment="MALLOC_TRIM_THRESHOLD_=100000"
+ # fix memory management issue with dotnet core
+ Environment="MALLOC_TRIM_THRESHOLD_=100000"
- # to query logs using journalctl, set a logical name here
- SyslogIdentifier=AgentDVR
+ # to query logs using journalctl, set a logical name here
+ SyslogIdentifier=AgentDVR
User=agentdvr
- # ensure the service automatically restarts
- Restart=always
- # amount of time to wait before restarting the service
- RestartSec=5
+ # ensure the service automatically restarts
+ Restart=always
+ # amount of time to wait before restarting the service
+ RestartSec=5
[Install]
WantedBy=multi-user.target
dest: /etc/systemd/system/AgentDVR.service
+
+- name: Start AgentDVR.service.
+ become: yes
+ systemd:
+ service: AgentDVR
+ state: started
when: agentdvr.stat.exists
+ tags: actualizer
-- name: Enable/Start AgentDVR.service.
+- name: Enable AgentDVR.service.
become: yes
systemd:
service: AgentDVR
enabled: yes
- state: started
when: agentdvr.stat.exists
The abbey uses a separate volume to store surveillance recordings, @@ -2310,11 +2340,45 @@ location do not fail.
abbey_dvr
-A new security camera is setup as described in Cloistering, after
+DVR hosts install a custom NRPE plugin named abbey_dvr
to monitor
+the storage available on /DVR/
.
+
roles_t/abbey-dvr/tasks/main.yml
+- name: Configure NAGIOS command abbey_dvr.
+ become: yes
+ vars:
+ lib: /usr/lib/nagios/plugins
+ copy:
+ content: |
+ command[abbey_dvr]={{ lib }}/check_disk -w 20% -c 10% -p /DVR
+ dest: /etc/nagios/nrpe.d/abbey.cfg
+ notify: Reload NRPE server.
+
+roles_t/abbey-dvr/handlers/main.yml
---
+- name: Reload NRPE server.
+ become: yes
+ systemd:
+ service: nagios-nrpe-server
+ state: reloaded
+ tags: actualizer
+
+
+A new security camera is setup as described in Cloistering, after
which the camera should be accessible by name on the abbey networks.
Assuming ping -c1 new
works, the camera's web interface will be
accessible at http://new/
.
@@ -2327,43 +2391,49 @@ The administrator uses this to make the following changes.
user:blah
.user:blah
. (Lately, user accounts are not supported!)
After Ansible has configured and started the AgentDVR service, its web
UI will be available at http://core:8090/
. The initial Live View
will be empty, overlayed with instructions to click the edit button.
-
-The wizard will ask for each device's general configuration -parameters. The abbey uses SV3C IP cameras with a full HD stream as -well as a standard definition "vice stream". AgentDVR wants both. +A view must be created before devices can be added? Then the device +wizard asks for each device's general configuration parameters. The +abbey uses SV3C IP cameras with a full HD stream as well as a standard +definition "vice stream". AgentDVR can use both, so the following +settings are used on each device.
+Note that each device's recordings are also configured as described +below. +
+Additional cameras are added via the "New Device" item in the Server Menu. This step is completed when all cameras are streaming to @@ -2371,9 +2441,9 @@ AgentDVR's Live View.
AgentDVR's web interface is also used to configure a default storage location. From the Server Menu (upper left), the administrator chooses @@ -2384,9 +2454,9 @@ pressed before the task is complete.
After a default storage location has been configured, AgentDVR's cameras can begin recording. The "Edit Devices" dialog lists (via the @@ -2416,69 +2486,48 @@ parameters are set (in the Recording and Storage tabs).
-The abbey has a few TV tuners and a subscription to Schedules Direct
-for North American TV broadcast schedules. It uses one (master)
-MythTV server and its MythWeb interface to make and serve recordings
-of area broadcasts.
+When restoring /home/
from a backup copy, the user accounts are
+presumably restored as well. Thus /home/agentdvr/AgentDVR/
should
+be owned by agentdvr
, a user account with disabled/locked password
+and a bash
shell. Restoration is completed by Ansible when it
+installs the system service configuration file and starts the service.
-The Abbey TVR Role installs the MythTV backend and the MythWeb web
-interface on the master server. It configures the Apache web server
-to serve MythWeb pages at e.g. http://new/mythweb/
.
-
+./abbey config dvrs +
-Neither Debian nor the MythTV project provide binary packages of -MythTV and MythWeb. The project recommends building from source -according to their Build from Source wiki page. To do this, the -target host will need several dozen "developer" packages installed. -Thus the abbey's TVR role proceeds in two phases. +The abbey has a few TV tuners and a subscription to Schedules Direct +for North American TV broadcast schedules. It uses one (master) +MythTV server to make and serve recordings of area broadcasts.
-In the first phase, the MythTV project's Ansible code, in
-mythtv-ansible/
, is used to assemble a list of packages needed
-during the build. The packages are installed and the rest of the
-role's tasks are skipped. This allows the administrator to manually
-build and install MythTV, creating /usr/local/bin/mythtv-setup
.
-The administrator will also download and install MythWeb before
-running the TVR role again for its second phase. The administrator
-will not be able to run mythtv-setup
before completing the second
-phase.
+The MythTV backend stores recordings in /home/mythtv/Recordings/
and
+database dumps in /home/mythtv/Backups/
. Apache is
+configured to serve MythTV pages at e.g. http://new/mythweb/
.
-In the second phase, the role finds mythtv-setup
has been installed
-on the target host and so proceeds with the "Post-installation tasks"
-section of the wiki page. This still leaves a number of manual steps
-to be performed with the mythtv-setup
program, e.g. configuring a
-video source and capture card, after which the backend can be started.
-
-A new TVR machine needs only Cloistering to prepare it for
+A new TVR machine needs only Cloistering to prepare it for
Ansible. As part of that process, it should be added to the tvrs
group in the hosts
file. An existing server can become a TVR
-machine simply by adding it to the tvrs
group.
+machine by adding it to the tvrs
group.
Private variables in private/vars-abbey.yml
are needed, as in the
abbey-core
role. The file path is relative to the playbook's
@@ -2493,253 +2542,71 @@ directory, playbooks/
.
-A number of developer packages are needed to build MythTV. The wiki
-page recommends Ansible playbooks to assemble the appropriate list of
-package names (several dozen count) depending on the target OS
-version. The playbooks are in https://github.com/MythTV/ansible which
-contains a README.md
.
-
-The instructions in the README.md
are to clone the repository and
-run sudo ansible-playbook -i hosts qt5.yml
on the build machine.
-However the abbey prefers to keep the Ansible code on an
-administrator's machine with the rest of the abbey's roles. The
-following commands were used to create a mythtv-ansible/
-subdirectory. (A git pull origin
command in this subdirectory might
-be appropriate to download updates.)
-
git clone https://github.com/MythTV/ansible mythtv-ansible
-cd mythtv-ansible
-git checkout fixes/32
-
-
-The abbey-tvr
role uses a couple tasks files in mythtv-ansible/
-directly, bypassing the inventories, playbooks and roles, after
-"fixing" the final apt
tasks by adding become: yes
. After making
-these edits, the git diff
command should produce something like the
-following.
-
diff --git a/roles/mythtv-deb/tasks/main.yml b/roles/mythtv-deb/tasks
-index 868c9b7..3dcf115 100644
---- a/roles/mythtv-deb/tasks/main.yml
-+++ b/roles/mythtv-deb/tasks/main.yml
-@@ -366,6 +366,7 @@
- '{{ lookup("flattened", deb_pkg_lst) }}'
-
- - name: install packages
-+ become: yes
- apt:
- name:
- '{{ lookup("flattened", deb_pkg_lst ) }}'
-diff --git a/roles/qt5/tasks/qt5-deb.yml b/roles/qt5/tasks/qt5-deb.ym
-index 7a1a0bc..26ba782 100644
---- a/roles/qt5/tasks/qt5-deb.yml
-+++ b/roles/qt5/tasks/qt5-deb.yml
-@@ -25,6 +25,7 @@
- '{{ lookup("flattened", deb_pkg_lst) }}'
-
- - name: install deb qt5 packages
-+ become: yes
- apt:
- name:
- '{{ lookup("flattened", deb_pkg_lst ) }}'
-
-roles_t/abbey-tvr/tasks/mains.yml
-- name: Install MythTV runtime requisites.
- become: yes
- apt:
- pkg: [ mariadb-server, xmltv ]
-
-- name: Install MythTV build requisites.
- include_tasks: "{{ item }}"
- loop:
- - ../mythtv-ansible/roles/mythtv-deb/tasks/main.yml
- - ../mythtv-ansible/roles/qt5/tasks/qt5-deb.yml
-
-
-The tasks above install runtime and compile-time requisites during the
-"first" run of e.g. ./abbey config new
. The "first" run can be
-repeated until successful. The remaining tasks are skipped until
-MythTV is built and installed.
-
-After a successful "first" run of e.g. ./abbey config new
, the
-target machine is prepared to build (and install) MythTV. The
-following commands are used.
-
cd /usr/local/src/
-git clone https://github.com/MythTV/mythtv
-cd mythtv/
-git checkout fixes/32
-cd mythtv/
-./configure
-make
-sudo make install
-
-
-The make install
command does not need to be run as root
if
-bin/
, lib/
, include/
, share/
in /usr/local/
and
-dist-packages/
in /usr/local/lib/python3.9/
on the target machine
-are writable by the builder.
-
-The following task probes for the mythtv-setup
program, installed in
-/usr/local/bin/
, to detect that the build/install process has
-completed. It registers the results in the mythtv
variable.
-Several of the remaining installation steps are skipped unless
-mythtv.stat.exists
.
-
roles_t/abbey-tvr/tasks/main.yml
-- name: Test for MythTV binary packages.
- stat:
- path: /usr/local/bin/mythtv-setup
- register: mythtv
-- debug:
- msg: "/usr/local/bin/mythtv-setup does not yet exist"
- when: not mythtv.stat.exists
-
-
-MythTV Backend needs to run as its own user: mythtv
.
+Neither Debian nor the MythTV project provide binary packages of
+MythTV. Since PEP668 (error: externally-managed-
+environment
) we install Debian packages built with the scripts in the
+MythTV distribution Packaging project.
roles_t/abbey-tvr/tasks/main.yml
-- name: Create mythtv.
- become: yes
- user:
- name: mythtv
- system: yes
-
-
-MythTV's MariaDB database is created by the following task, when the
-mysql_db
Ansible module supports check_implicit_admin
.
+It is assumed the build scripts will install any requisite developer
+packages.
-- name: Create MythTV DB.
- become: yes
- mysql_db:
- check_implicit_admin: yes
- name: mythconverg
- collation: utf8mb4_general_ci
- encoding: utf8mb4
+cd $top
+git clone https://github.com/MythTV/packaging.git \
+ -b fixes/35 mythtv-v35-packaging
+cd mythtv-v35-packaging/deb/
+./build-debs.sh fixes/35
+dpkg-scanpackages . | gzip --best > Packages.gz
+echo "deb [trusted=yes] file://$top/mythtv-v35-packaging/deb ./" \
+| sudo tee /etc/apt/sources.list.d/mythtv35.list
+sudo apt update
+sudo apt install mythtv-backend
-Unfortunately it does not currently, yet the institute prefers the
-more secure Unix socket authentication method. Rather than create a
-privileged DB user, the mythconverg
database is created manually
-(below).
-
-The DB user's password is taken from the mythtv_dbpass
variable,
-kept in private/vars-abbey.yml
, and generated e.g. with the apg -n
-1 -x 12 -m 12
command.
+Restoring MythTV from a backup copy to a fresh TVR host:
private_ex/vars-abbey.yml
mythtv_dbpass: daJkibpoJkag
-
-
-The following task would create the DB user (mysql_user
supports
-check_implicit_admin
) but the mythconverg
database was not
-created above.
+
/home/mythtv/.
+Restore the database from backup.
- -
-- name: Create MythTV DB user.
- become: yes
- mysql_user:
- check_implicit_admin: yes
- name: mythtv
- password: "{{ mythtv_dbpass }}"
- priv: "mythconverg.*:all"
-
-+sudo -u mythtv -i +cd /home/mythtv/ +/usr/share/mythtv/mythconverg_restore.pl +
-The MythTV database and database user are created manually with the
-following SQL (with the mythtv_dbpass
spliced in). The SQL commands
-are entered at the SQL prompt of the sudo mysql
command, or perhaps
-piped into the command.
-
create database mythconverg
- character set utf8mb4
- collate utf8mb4_general_ci;
-create user 'mythtv'@'%' identified by '{{ mythtv_dbpass }}';
-create user 'mythtv'@'localhost' identified by '{{ mythtv_dbpass }}';
-grant all privileges on mythconverg.*
- to 'mythtv'@'%' with grant option;
-grant all privileges on mythconverg.*
- to 'mythtv'@'localhost' with grant option;
-flush privileges;
-exit;
-
-.mythtv/config.xmlfile should provide the DB particulars +(name, user, password). + +
Starting with MythTV version 0.26, the time zone tables must be loaded
-into MySQL. The MariaDB installed by Debian 11 seems to need this
+into MySQL. The MariaDB installed by Debian 12 seems to need this
too. The test SQL produced NULL
.
2022-09-13 20:15:41
.
-This task installs the mythtv-backend.service
file.
-
roles_t/abbey-tvr/tasks/mains.yml
-- name: Create mythtv-backend service.
- become: yes
- copy:
- content: |
- [Unit]
- Description=MythTV Backend
- Documentation=https://www.mythtv.org/wiki/Mythbackend
- After=mysql.service network.target
-
- [Service]
- User=mythtv
- ExecStartPre=/bin/sleep 30
- #TimeoutStartSec=infinity
- ExecStart=/usr/local/bin/mythbackend --quiet --syslog local7
- StartLimitBurst=10
- StartLimitInterval=10m
- Restart=on-failure
- RestartSec=1
-
- [Install]
- WantedBy=multi-user.target
- dest: /etc/systemd/system/mythtv-backend.service
- when: mythtv.stat.exists
- notify: Reload Systemd.
-
-roles_t/abbey-tvr/handlers/main.yml
---
-- name: Reload Systemd.
- become: yes
- command: systemctl daemon-reload
-
--This task checks PHP's timezone. If unset, MythTV's backend logs -bitter complaints. -
- -roles_t/abbey-tvr/tasks/main.yml
-- name: Get the local timezone.
- shell: readlink /etc/localtime | sed s,/usr/share/zoneinfo/,,
- delegate_to: localhost
- changed_when: false
- check_mode: false
- register: timezone
-
-- name: Configure PHP date.timezone.
- become: yes
- lineinfile:
- regexp: date.timezone *=
- line: date.timezone = {{ timezone.stdout }}
- path: "{{ item }}"
- loop:
- - /etc/php/8.2/cli/php.ini
- - /etc/php/8.2/apache2/php.ini
- when: mythtv.stat.exists
- notify: Restart Apache2.
-
-roles_t/abbey-tvr/handlers/main.yml
-- name: Restart Apache2.
- become: yes
- systemd:
- service: apache2
- state: restarted
-
-
The backend does not have a default storage area for its recordings.
A path to an appropriate directory must be set with the mythtv-setup
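Review bot: the new apt source `deb [trusted=yes] file://$top/mythtv-v35-packaging/deb ./` switches off APT signature verification for that repository, and nothing in the shown commands sets `$top` before `cd $top`. The .debs are built by the administrator from an unpinned `git clone https://github.com/MythTV/packaging.git -b fixes/35`, so the real trust anchor is that checkout; suggest defining `$top`, pinning a specific commit or signed tag of `fixes/35`, and adding one sentence stating why `trusted=yes` is acceptable for a locally built, file-backed repository. Separately, with the `Create mythtv.`, `Create MythTV DB.`, `Create MythTV DB user.` tasks, the manual `create user 'mythtv'@...` SQL and the `mythtv-backend.service` unit all removed, the text should say what now creates the `mythtv` account and database and how the password in `.mythtv/config.xml` is set, because `private_ex/vars-abbey.yml` still carries `mythtv_dbpass: daJkibpoJkag` and the restore step (`sudo -u mythtv -i`, `/usr/share/mythtv/mythconverg_restore.pl`) needs working credentials.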
@@ -2871,53 +2651,29 @@ creates that directory and ensures it has appropriate permissions.
-With MythTV built and installed, and the post-installation tasks
-addressed, MythTV Setup (the mythtv-setup
program) can be run. It
-must be run by the mythtv
user, whose home directory will contain
-the MythTV (and XMLTV) configuration files. The program is best run
-remotely (unless there is a graphical desktop on the server) by a
-command like ssh -X mythtv@new mythtv-setup
.
-
-Patience is required. The mythtv-setup
program was not written for
-X11 and the X11 adapter has a difficult job. It is often hard to
-determine what button is selected or how to proceed (sometimes simply
-with ESC
!). Sticking to the arrow, enter and escape keys best
-emulates a TV remote (for which the interface was designed).
-
-In MythTV Setup:
+With MythTV built and installed, the post-installation tasks
+addressed, and mythtv-backend.service
started, go to the web page
+at http://new:6544 and make the following selections.
localhost
), port
-(3306
), database name (mythconverg
) and user (mythtv
). Enter
-the value of mythtv_dbpass
(in private/vars-abbey.yml) for the -password. Leave the rest of the settings at their default values. -Leave "Database Configuration" by pressing Escape and confirming -"Save and Exit".
/home/mythtv/Recordings.
/home/mythtv/Recordings/.
/home/mythtv/Backups/.
The abbey has a Silicon Dust Homerun HDTV Duo (with two tuners). It
-is setup as described in Cloistering, after which the tuner is
+is setup as described in Cloistering, after which the tuner is
accessible by name (e.g. new
) on the cloister network. Assuming
ping -c1 new
works, the tuner should be accessible via the
hdhomerun_config_gui
command, a graphical interface contributed to
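Review bot: replacing `ssh -X mythtv@new mythtv-setup` with "go to the web page at http://new:6544" drops the authenticated SSH session that the setup program previously ran under; the new text should state what network that page is expected to be reachable from (the cloister network only, presumably) and whether the database host, port, name, user and `mythtv_dbpass` still have to be entered there, since the retained fragment ending "Leave 'Database Configuration' by pressing Escape" describes the old program's dialog rather than the web page.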
@@ -2928,9 +2684,9 @@ tuner's domain name or IP address can also be entered.
In MythTV Setup:
@@ -2972,9 +2728,9 @@ any case, do not runmythfilldatabase
.
In MythTV Setup:
@@ -2994,9 +2750,9 @@ channels is presented. Delete All unused transports.
The xmltv
package, specifically its tv_grab_zz_sdjson
program, is
used to download broadcast listings from Schedules Direct. The
@@ -3030,7 +2786,7 @@ the list of "inputs" available in a postal code typically ends with
the OTA (over the air) broadcasts.
+$ tv_grab_zz_sdjson --configure --config-file .mythtv/Mr.Antenna.xml Cache file for lineups, schedules and programs. Cache file: [/home/mythtv/.xmltv/tv_grab_zz_sdjson.cache] @@ -3080,9 +2836,9 @@ backend is running, so it is not run until then.
If the mythfilldatabase
command fails or expected listings do not
appear, more information is available by adding the --verbose
@@ -3120,186 +2876,14 @@ Running a similar command (without --quiet
) might be more revealing
-The abbey directs MythTV log messages to /var/log/mythtv.log
(and
-away from /var/log/syslog
) and rotates the log file.
-
roles_t/abbey-tvr/tasks/main.yml
-- name: Install =/etc/rsyslog.d/40-mythtv.conf.
- become: yes
- copy:
- content: |
- :msg,startswith," myth" -/var/log/mythtv.log
- & stop
- dest: /etc/rsyslog.d/40-mythtv.conf
-
-- name: Install =/etc/logrotate.d/mythtv=.
- become: yes
- copy:
- content: |
- /var/log/mythtv.log {
- daily
- size=10M
- rotate 7
- notifempty
- copytruncate
- missingok
- postrotate
- reload rsyslog >/dev/null 2>&1 || true
- endscript
- }
- dest: /etc/logrotate.d/mythtv
-
-
-After configuring with mythtv-setup
as discussed above, start and
-enable (at boot time) the mythtv-backend
service.
-
sudo systemctl enable mythtv-backend
-sudo systemctl start mythtv-backend
-systemctl status -l mythtv-backend
-sudo -u mythtv mythfilldatabase
-
-
-MythWeb, like MythTV, is installed from a Git repository. The
-following commands create /usr/local/share/mythtv/mythweb/
by
-cloning the MythWeb repository in /usr/local/src/mythweb/
, checking
-out the appropriate branch, and copying the appropriate portion.
-
cd /usr/local/src/
-git clone https://github.com/MythTV/mythweb
-( cd mythweb/; git checkout fixes/32 )
-rsync -C mythweb /usr/local/share/mythtv/
-
--The following tasks take care of the rest of the installation. -
- -roles_t/abbey-tvr/tasks/main.yml
-- name: Install MythWeb requisites.
- become: yes
- apt:
- pkg: [ apache2, php, php-mysql ]
-
-- name: Install MythWeb in web server DocumentRoot.
- file:
- state: link
- src: /usr/local/share/mythtv/mythweb
- dest: /var/www/html/mythweb
-
-- name: Configure MythWeb data directory.
- file:
- state: directory
- dest: /var/www/html/mythweb/data
- group: www-data
- mode: u=rwx,g+rwx,o=rx
-
-- name: Install MythWeb configuration.
- become: yes
- template:
- src: mythweb.conf.j2
- dest: /etc/apache2/sites-available/mythweb.conf
- notify: Restart Apache2.
-
-- name: Enable MythWeb configuration.
- become: yes
- command:
- cmd: a2ensite -q mythweb
- creates: /etc/apache2/sites-enabled/mythweb.conf
- notify: Restart Apache2.
-
-roles_t/abbey-tvr/templates/mythweb.conf.j2
#
-# Apache configuration directives for MythWeb.
-#
-# Note that this file is maintained by the network administration.
-<Directory "/var/www/html/mythweb/data">
- # For Apache 2.2
- #Options -All +FollowSymLinks +IncludesNoExec
- # For Apache 2.4+
- Options +FollowSymLinks +IncludesNoExec
-</Directory>
-<Directory "/var/www/html/mythweb" >
- <Files mythweb.*>
- setenv db_server "127.0.0.1"
- setenv db_name "mythconverg"
- setenv db_login "mythtv"
- setenv db_password "{{ mythtv_dbpass }}"
- </Files>
- <Files *.php>
- php_value file_uploads 0
- php_value allow_url_fopen On
- php_value zlib.output_handler Off
- php_value memory_limit 64M
- php_value max_execution_time 30
- php_value display_startup_errors On
- php_value display_errors On
- </Files>
- RewriteEngine on
- RewriteRule \
-^(css|data|images|js|themes|skins|README|INSTALL|[a-z_]+\.(php|pl))(/|$)\
- - [L]
- RewriteRule ^(pl(/.*)?)$ mythweb.pl/$1 [QSA,L]
- RewriteRule ^(.+)$ mythweb.php/$1 [QSA,L]
- RewriteRule ^(.*)$ mythweb.php [QSA,L]
- AllowOverride All
- Options FollowSymLinks
- AddType video/nuppelvideo .nuv
- AddType image/x-icon .ico
- <IfModule deflate_module>
- BrowserMatch ^Mozilla/4 gzip-only-text/html
- BrowserMatch ^Mozilla/4\.0[678] no-gzip
- BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
- AddOutputFilterByType DEFLATE text/html
- AddOutputFilterByType DEFLATE text/css
- AddOutputFilterByType DEFLATE application/x-javascript
- </IfModule>
- <IfModule headers_module>
- Header append Vary User-Agent env=!dont-vary
- </IfModule>
- <Files *.pl>
- SetHandler cgi-script
- Options +ExecCGI
- </Files>
-
-</Directory>
-
-The abbey changes location almost weekly, so its HDTV broadcast area changes frequently. At the start of a long stay the administrator uses the MythTV Setup program to scan for the new area's channels, as -described in Scan for New Channels. +described in Scan for New Channels.
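Review bot: with the rsyslog rule (`:msg,startswith," myth" -/var/log/mythtv.log` / `& stop`) and the `/etc/logrotate.d/mythtv` task removed, backend messages no longer go to a dedicated, rotated `/var/log/mythtv.log`; the surrounding troubleshooting text still points the reader at log output, so say where the packaged `mythtv-backend` logs now. The removed `mythweb.conf.j2` also carried `setenv db_password "{{ mythtv_dbpass }}"` and `php_value display_errors On`, so dropping MythWeb retires a database password embedded in Apache configuration and a verbose-errors setting; a sentence confirming nothing else still references `/var/www/html/mythweb` would close that out. Finally, the unchanged closing paragraph still says the administrator "uses the MythTV Setup program to scan for the new area's channels", which contradicts the earlier change from `mythtv-setup` to the web page at http://new:6544.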
@@ -3317,7 +2901,7 @@ program as user mythtv
.
The program will prompt for the zip code and offer a list of "inputs" -available in that area, as described in Configure XMLTV. +available in that area, as described in Configure XMLTV.
@@ -3340,8 +2924,8 @@ And the mythtv
account can run mythfilldatabase
.
The abbey's Ansible configuration, like that of A Small Institute, is @@ -3368,7 +2952,7 @@ specific versions.
-NOTE: if you have not read at least the Overview of A Small Institute +NOTE: if you have not read at least the Overview of A Small Institute you are lost.
@@ -3398,8 +2982,8 @@ rest are built up piecemeal by (tangled from) this document,README.org, and
Institute/README.org.
ansible.cfg
ansible.cfg
This is much like the example (test) institutional configuration file,
@@ -3416,30 +3000,30 @@ except the roles are found in Institute/roles/
as well as roles/
.
hosts
hosts
hosts
all:
+hosts
all:
vars:
ansible_user: sysadm
ansible_ssh_extra_args: -i Secret/ssh_admin/id_rsa
hosts:
- # The Main Servers: Front, Gate and Core.
- droplet:
+ # The Main Servers: Front, Gate and Core.
+ droplet:
ansible_host: 159.65.75.60
ansible_become_password: "{{ become_droplet }}"
anoat:
ansible_become_password: "{{ become_anoat }}"
+ malastare:
+ ansible_become_password: "{{ become_malastare }}"
+ # Campus
+ kessel:
+ ansible_become_password: "{{ become_kessel }}"
dantooine:
ansible_become_password: "{{ become_dantooine }}"
- # Campus
- kessel:
- ansible_become_password: "{{ become_kessel }}"
- ord-mantell:
- ansible_become_password: "{{ become_ord_mantell }}"
- # Notebooks
- endor:
+ # Notebooks
+ endor:
ansible_become_password: "{{ become_endor }}"
sullust:
ansible_host: 127.0.0.1
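Review bot: `malastare` is added with `ansible_become_password: "{{ become_malastare }}"`, so a matching `become_malastare` secret must exist wherever the other `become_*` values are kept (the later text names `Secret/become.yml`), and `become_ord_mantell` can be retired now that `ord-mantell` is gone from `all.hosts`; neither follow-up is visible in this change, so a sentence in the commit text stating that both were done would help the next reader.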
@@ -3459,36 +3043,38 @@ except the roles are found in Institute/roles/
as well as roles/
.
anoat:
core:
hosts:
- dantooine:
+ malastare:
campus:
hosts:
anoat:
+ dantooine:
kessel:
- ord-mantell:
dvrs:
hosts:
dantooine:
tvrs:
hosts:
- dantooine:
+ malastare:
webtvs:
hosts:
+ dantooine:
kessel:
- ord-mantell:
notebooks:
hosts:
endor:
sullust:
builders:
hosts:
- sullust:
+ dantooine:
+ endor:
kessel:
+ sullust:
playbooks/site.yml
playbooks/site.yml
This playbook provisions the entire network by applying first the @@ -3529,17 +3115,17 @@ institutional roles, then the liturgical roles.
The ./abbey
script encodes the abbey's canonical procedures. It
-includes The Institute Commands and adds a few abbey-specific
+includes The Institute Commands and adds a few abbey-specific
sub-commands.
Institutional sub-commands:
@@ -3567,18 +3153,18 @@ and _architecture
for all hosts.
The script begins with the following prefix and trampolines.
abbey
#!/usr/bin/perl -w
-#
-# DO NOT EDIT. This file was tangled from README.org.
-
+abbey
#!/usr/bin/perl -w
+#
+# DO NOT EDIT. This file was tangled from README.org.
+
use strict;
if (grep { $_ eq $ARGV[0] } qw(CA config new old pass client)) {
@@ -3591,7 +3177,7 @@ The script begins with the following prefix and trampolines.
The small institute's ./inst
command expects to be running in
Institute/
, not ./
, but it only references public/
, private/
,
Secret/
and playbooks/check-inst-vars.yml
, and will find the abbey
-specific versions of these. The roles_path
setting in ansible.cfg
+specific versions of these. The roles_path
setting in ansible.cfg
effectively merges the institutional roles into the distinctly named
abbey specific roles. The roles likewise reference files with
relative names, and will find the abbey specific private/
@@ -3610,8 +3196,8 @@ code block "duplicates" the action of the institute's
The script implements an upgrade
sub-command that runs apt update
@@ -3676,8 +3262,8 @@ a limit pattern. For example:
The script implements a reboots
sub-command that looks for
@@ -3708,8 +3294,8 @@ The script implements a reboots
sub-command that looks for
The script implements a versions
sub-command that reports the
@@ -3736,8 +3322,8 @@ operating system version of all abbey managed machines.
The abbey changes location almost weekly, so its timezone changes @@ -3812,31 +3398,12 @@ last host in the previous play. state: restarted loop: [ mysql, mythtv-backend ] when: new_tz.changed - -- hosts: core - tasks: - - name: Update PHP date.timezone. - become: yes - lineinfile: - regexp: date.timezone *= - line: date.timezone = {{ city.stdout }} - path: "{{ item }}" - loop: - - /etc/php/8.2/cli/php.ini - - /etc/php/8.2/apache2/php.ini - notify: Restart Apache2. - handlers: - - name: Restart Apache2. - become: yes - systemd: - service: apache2 - state: restarted
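Review bot: removing the `hosts: core` play (PHP `date.timezone` in `/etc/php/8.2/cli/php.ini` and `/etc/php/8.2/apache2/php.ini` plus its `Restart Apache2.` handler) is consistent with dropping MythWeb earlier in this change, but the surviving play still restarts only `[ mysql, mythtv-backend ]` when `new_tz.changed`; add a sentence saying PHP is no longer installed on Core, otherwise a reader will assume its timezone simply went unmanaged.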
abbey
my $ops = "config,new,old,pass,client,upgrade,reboots,versions,tz";
@@ -3846,8 +3413,8 @@ last host in the previous play.
This is how a new machine is brought into the cloister. The process @@ -3856,8 +3423,8 @@ narrows down to the common preparation of all machines administered by Ansible.
A wireless IoT device (smart TV, Blu-ray deck, etc.) cannot install @@ -3873,8 +3440,8 @@ given a private domain name as described in the following steps.
@@ -3884,16 +3451,16 @@ last step:
-The abbey's Raspberry Pi runs the Raspberry Pi OS desktop off an -external, USB3.0 SSD. A fresh install should go something like this: +The abbey's Raspberry Pi runs the Raspberry Pi OS desktop off an NVMe +SSD. A fresh install should go something like this:
sysadm
on the console.sudo raspi-config
and use the following menu items.
@@ -3928,14 +3497,14 @@ steps are taken.
Most of the abbey's machines, like Core and Gate, are general-purpose @@ -3944,29 +3513,26 @@ follows.
debian-12.2.0-amd64-netinst.iso, to a -USB drive and insert it in the PC.
debian-12.11.0-amd64-netinst.iso, to a +USB drive and connect it to the PC.
sysadm
on the console.-Install OpenSSH. Plain Debian does not come with OpenSSH installed. +Install OpenSSH, unless it already was when included in the initial +Software selection during the Debian installation. Run the +following if unsure.
sudo apt install openssh-server
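Review bot: the updated ISO name `debian-12.11.0-amd64-netinst.iso` is still only copied to a USB drive; if the document does not verify the image elsewhere, this is the place to add a step that checks it against Debian's signed SHA256SUMS before booting from it. The new "Install OpenSSH, unless it already was ... Run the following if unsure." wording is fine, since `sudo apt install openssh-server` is idempotent when the package is present.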
@@ -3975,14 +3541,14 @@ steps are taken.
When a new machine is connected to the cloister Ethernet, its MAC
@@ -4043,12 +3609,12 @@ reporting 1 packets transmitted, 1 received, 0% packet loss...
.
A wired device is assigned an IP address when it is added to Core's
-DHCP configuration (as in Add to Core DHCP). A private domain name is
+DHCP configuration (as in Add to Core DHCP). A private domain name is
then associated with this address. If the device is intended to
operate wirelessly, the name for its address is modified with a -w
suffix. Thus new-w.small.private
would be the name of the new
@@ -4091,8 +3657,8 @@ resolvectl query 192.168.56.4
sysadm
on the console.
To remotely administer new-w
, Ansible must be authorized to login as
@@ -4150,11 +3716,11 @@ key.
-With remote administration authorized and tested (as in Authorize
+With remote administration authorized and tested (as in Authorize
Remote Administration), and the machine connected to the cloister
Ethernet, the configuration of new-w
can be completed by Ansible.
Note that if the machine is staying on the cloister Ethernet, its
@@ -4162,10 +3728,10 @@ domain name will be new
(having had no -w
suffix added
-First new-w
is added to Ansible's inventory in hosts
. A new-w
+First new-w
is added to Ansible's inventory in hosts
. A new-w
section is added to the list of all hosts, and an empty section of the
same name is added to the list of campus
hosts. If the machine uses
-the usual privileged account name, sysadm
, the ansible_user
key in
+the usual privileged account name, sysadm
, the ansible_user
key is
not needed.
On an IoT device, or a Debian or Android "desktop", the cloister Wi-Fi
@@ -4252,8 +3818,8 @@ desktop connected to the Wi-Fi using the following ping
command.
Wireless devices (with the cloister Wi-Fi password) can get an IP @@ -4266,14 +3832,14 @@ however, are not accessible except via the cloister VPN.
Connections to the cloister VPN are authorized by the ./abbey
-client...
command (aka The Client Command), which registers a new
+client... command (aka The Client Command), which registers a new
client's public key and installs new WireGuard⢠configurations on the
servers. Private keys are kept on the clients (e.g. in
/etc/wireguard/private-key
).
Wireless Debian desktops (with NetworkManager) as well as servers @@ -4359,8 +3925,8 @@ sudo systemctl enable wg-quick@wg0
Member notebooks are private machines not remotely administered by the
@@ -4472,8 +4038,8 @@ password is included in Secret/become.yml
.
Android phones and tablets are authorized to connect to the cloister @@ -4510,8 +4076,8 @@ public VPN.
A wireless machine is assigned a Wi-Fi address when it connects to the
@@ -4566,7 +4132,7 @@ be added to private/db.campus_vpn
.)