From: Matt Birkholz
+= _|||_ =-The-Institute-= @@ -1030,7 +1030,7 @@ example result follows the code.-+-=> 10.62.17.0/24
@@ -1483,7 +1483,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a campground Wi-Fi access point, etc. -+=============== | ================================================== | Premises (Campus ISP) @@ -1506,7 +1506,7 @@ This avoids the need for a second Wi-Fi access point and leads to the following topology. -+=============== | ================================================== | Premises (House ISP) @@ -1659,8 +1659,8 @@ Theall
role contains tasks that are executed on all of the institute's servers. At the moment there is just the one.-6.1. Include Particulars
++6.1. Include Particulars
-The
all
role's task contains a reference to a common institute @@ -1801,8 +1801,8 @@ uses the institute's CA and server certificates, and expects client certificates signed by the institute CA.--7.1. Include Particulars
++7.1. Include Particulars
The first task, as in The All Role, is to include the institute @@ -1827,8 +1827,8 @@ membership roll, so these are included was well.
--7.2. Configure Hostname
++7.2. Configure Hostname
This task ensures that Front's
/etc/hostnameand/etc/mailnameare @@ -1858,8 +1858,8 @@ delivery.--7.3. Add Administrator to System Groups
++7.3. Add Administrator to System Groups
The administrator often needs to read (directories of) log files owned @@ -1918,8 +1918,8 @@ those stored in
Secret/ssh_front/etc/ssh/--7.5. Configure Monkey
++7.5. Configure Monkey
The small institute runs cron jobs and web scripts that generate @@ -1975,8 +1975,8 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.
--7.7. Install Unattended Upgrades
++7.7. Install Unattended Upgrades
The institute prefers to install security updates as soon as possible. @@ -1991,8 +1991,8 @@ The institute prefers to install security updates as soon as possible.
--7.8. Configure User Accounts
++7.8. Configure User Accounts
User accounts are created immediately so that Postfix and Dovecot can @@ -2035,8 +2035,8 @@ recipient" replies. The Account Management chapter de
--7.9. Install Server Certificate
++7.9. Install Server Certificate
The servers on Front use the same certificate (and key) to @@ -2154,27 +2154,13 @@ Debian default for
inet_interfaces
.@@ -2197,37 +2183,14 @@ start and enable the service. regexp: "^ *{{ item.p }} *=" line: "{{ item.p }} = {{ item.v }}" loop: - - { p: smtpd_tls_cert_file, v: /etc/server.crt } - - { p: smtpd_tls_key_file, v: /etc/server.key } - - p: mynetworks - v: >- - {{ public_vpn_net_cidr }} - 127.0.0.0/8 - [::ffff:127.0.0.0]/104 - [::1]/128 - - p: smtpd_recipient_restrictions - v: >- - permit_mynetworks - reject_unauth_pipelining - reject_unauth_destination - reject_unknown_sender_domain - - p: smtpd_relay_restrictions - v: permit_mynetworks reject_unauth_destination - - { p: message_size_limit, v: 104857600 } - - { p: delay_warning_time, v: 1h } - - { p: maximal_queue_lifetime, v: 4h } - - { p: bounce_queue_lifetime, v: 4h } - - { p: home_mailbox, v: Maildir/ } - - p: smtp_header_checks - v: regexp:/etc/postfix/header_checks.cf + <<postfix-front>> notify: Restart Postfix. - name: Install Postfix header_checks. become: yes copy: content: | - /^Received:/ IGNORE - /^User-Agent:/ IGNORE + <<postfix-header-checks-content>> dest: /etc/postfix/header_checks.cf notify: Postmap header checks. @@ -2300,8 +2263,8 @@ created by a more specialized role.postfix-front
- { p: smtpd_tls_cert_file, v: /etc/server.crt } - { p: smtpd_tls_key_file, v: /etc/server.key } -- p: mynetworks - v: >- - {{ public_vpn_net_cidr }} - 127.0.0.0/8 - [::ffff:127.0.0.0]/104 - [::1]/128 -- p: smtpd_recipient_restrictions - v: >- - permit_mynetworks - reject_unauth_pipelining - reject_unauth_destination - reject_unknown_sender_domain -- p: smtpd_relay_restrictions - v: permit_mynetworks reject_unauth_destination -- { p: message_size_limit, v: 104857600 } -- { p: delay_warning_time, v: 1h } -- { p: maximal_queue_lifetime, v: 4h } -- { p: bounce_queue_lifetime, v: 4h } -- { p: home_mailbox, v: Maildir/ } -- p: smtp_header_checks - v: regexp:/etc/postfix/header_checks.cf +<<postfix-front-networks>> +<<postfix-front-restrictions>> +<<postfix-relaying>> +<<postfix-message-size>> +<<postfix-queue-times>> +<<postfix-maildir>> +<<postfix-header-checks>>--7.12. Configure Dovecot IMAPd
++7.12. Configure Dovecot IMAPd
Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to @@ -2338,16 +2301,11 @@ and enables it to start at every reboot. become: yes copy: content: | - protocols = imap - ssl = required + <<dovecot-tls>> ssl_cert = </etc/server.crt ssl_key = </etc/server.key - service imap-login { - inet_listener imap { - port = 0 - } - } - mail_location = maildir:~/Maildir + <<dovecot-ports>> + <<dovecot-maildir>> dest: /etc/dovecot/local.conf notify: Restart Dovecot. @@ -2457,12 +2415,9 @@ below create or remove the symbolic links.
The following are the necessary Apache2 directives: a
UserDir
-directive naming/home/www-users/, a matchingDirectory
block that -allows the server to follow the symbol links, and aDirectory
block -that matches the user directories and includes the standardRequire
-andAllowOverride
directives used on all of the institute's static -web sites (https://small.example.org/
,http://live/
, and -http://test/
). +directive naming/home/www-users/and matchingDirectory
block +that includes the standardRequire
andAllowOverride
directives +used on all of the institute's web sites.@@ -2474,12 +2429,6 @@ web sites (-https://small.example.org/
,http://live/
, a--apache-userdir-directory
Require all granted -AllowOverride None --The institute requires the use of HTTPS on Front, so its default HTTP virtual host permanently redirects requests to their corresponding @@ -2508,7 +2457,7 @@ The
DocumentRoot
directive is accompanied by aDirectory.htaccess files within the tree are disabled for speed and security. This and most of Front's Apache2 directives (below) are intended for the top level, not -inside a
VirtualHost
block, to apply globally. +the inside of aVirtualHost
block. They should apply globally.@@ -2521,18 +2470,12 @@ DocumentRoot /home/www AllowOverride None </Directory> -UserDir /home/www-users -<Directory /home/www-users/> - Require all granted - AllowOverride None -</Directory> +<<apache-userdir-front>> ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined -<VirtualHost *:80> - Redirect permanent / https://{{ domain_name }}/ -</VirtualHost> +<<apache-redirect-front>> <VirtualHost *:443> SSLEngine on @@ -2542,36 +2485,7 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined /etc/apache2/sites-available/{{ domain_name }}-vhost.conf </VirtualHost> -SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -SSLHonorCipherOrder on -SSLCipherSuite {{ [ 'ECDHE-ECDSA-AES128-GCM-SHA256', - 'ECDHE-ECDSA-AES256-GCM-SHA384', - 'ECDHE-ECDSA-AES128-SHA', - 'ECDHE-ECDSA-AES256-SHA', - 'ECDHE-ECDSA-AES128-SHA256', - 'ECDHE-ECDSA-AES256-SHA384', - 'ECDHE-RSA-AES128-GCM-SHA256', - 'ECDHE-RSA-AES256-GCM-SHA384', - 'ECDHE-RSA-AES128-SHA', - 'ECDHE-RSA-AES256-SHA', - 'ECDHE-RSA-AES128-SHA256', - 'ECDHE-RSA-AES256-SHA384', - 'DHE-RSA-AES128-GCM-SHA256', - 'DHE-RSA-AES256-GCM-SHA384', - 'DHE-RSA-AES128-SHA', - 'DHE-RSA-AES256-SHA', - 'DHE-RSA-AES128-SHA256', - 'DHE-RSA-AES256-SHA256', - '!aNULL', - '!eNULL', - '!LOW', - '!3DES', - '!MD5', - '!EXP', - '!PSK', - '!SRP', - '!DSS', - '!RC4' ] |join(":") }} +<<apache-ciphers>>@@ -2606,66 +2520,7 @@ e.g./etc/apache2/sites-available/small.example.org.confand runs become: yes copy: content: | - ServerName {{ domain_name }} - ServerAdmin webmaster@{{ domain_name }} - - DocumentRoot /home/www - <Directory /home/www/> - Require all granted - AllowOverride None - </Directory> - - UserDir /home/www-users - <Directory /home/www-users/> - Require all granted - AllowOverride None - </Directory> - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - <VirtualHost *:80> - Redirect permanent / https://{{ domain_name }}/ - </VirtualHost> - - <VirtualHost *:443> - SSLEngine on - SSLCertificateFile /etc/server.crt - SSLCertificateKeyFile /etc/server.key - IncludeOptional \ - /etc/apache2/sites-available/{{ domain_name }}-vhost.conf - </VirtualHost> - - SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 - SSLHonorCipherOrder on - SSLCipherSuite {{ [ 'ECDHE-ECDSA-AES128-GCM-SHA256', - 'ECDHE-ECDSA-AES256-GCM-SHA384', - 'ECDHE-ECDSA-AES128-SHA', - 'ECDHE-ECDSA-AES256-SHA', - 'ECDHE-ECDSA-AES128-SHA256', - 'ECDHE-ECDSA-AES256-SHA384', - 'ECDHE-RSA-AES128-GCM-SHA256', - 'ECDHE-RSA-AES256-GCM-SHA384', - 'ECDHE-RSA-AES128-SHA', - 'ECDHE-RSA-AES256-SHA', - 'ECDHE-RSA-AES128-SHA256', - 'ECDHE-RSA-AES256-SHA384', - 'DHE-RSA-AES128-GCM-SHA256', - 'DHE-RSA-AES256-GCM-SHA384', - 'DHE-RSA-AES128-SHA', - 'DHE-RSA-AES256-SHA', - 'DHE-RSA-AES128-SHA256', - 'DHE-RSA-AES256-SHA256', - '!aNULL', - '!eNULL', - '!LOW', - '!3DES', - '!MD5', - '!EXP', - '!PSK', - '!SRP', - '!DSS', - '!RC4' ] |join(":") }} + <<apache-front>> dest: /etc/apache2/sites-available/{{ domain_name }}.conf notify: Restart Apache2. @@ -2765,8 +2620,8 @@ the users'~/Public/HTML/directories.-7.14. Configure OpenVPN
++7.14. Configure OpenVPN
Front uses OpenVPN to provide the institute's public VPN service. The @@ -2812,27 +2667,14 @@ and the common options discussed in The VPN Service.
-openvpn-front
server {{ public_vpn_net_and_mask }} client-config-dir /etc/openvpn/ccd -route {{ private_net_and_mask }} -route {{ campus_vpn_net_and_mask }} -push "route {{ private_net_and_mask }}" -push "route {{ campus_vpn_net_and_mask }}" -dev-type tun -dev ovpn -topology subnet -client-to-client -keepalive 10 120 -push "dhcp-option DOMAIN {{ domain_priv }}" -push "dhcp-option DNS {{ core_addr }}" -user nobody -group nogroup -persist-key -persist-tun -cipher AES-256-GCM -auth SHA256 -max-clients 20 -ifconfig-pool-persist ipp.txt -status openvpn-status.log -verb 3 +<<openvpn-front-routes>> +<<openvpn-dev-mode>> +<<openvpn-keepalive>> +<<openvpn-dns>> +<<openvpn-drop-priv>> +<<openvpn-crypt>> +<<openvpn-max>> +<<openvpn-debug>> ca /usr/local/share/ca-certificates/{{ domain_name }}.crt cert server.crt key server.key @@ -2870,8 +2712,7 @@ configure the OpenVPN server on Front. become: yes copy: content: | - iroute {{ private_net_and_mask }} - iroute {{ campus_vpn_net_and_mask }} + <<openvpn-ccd-core>> dest: /etc/openvpn/ccd/core notify: Restart OpenVPN. @@ -2911,34 +2752,7 @@ configure the OpenVPN server on Front. become: yes copy: content: | - server {{ public_vpn_net_and_mask }} - client-config-dir /etc/openvpn/ccd - route {{ private_net_and_mask }} - route {{ campus_vpn_net_and_mask }} - push "route {{ private_net_and_mask }}" - push "route {{ campus_vpn_net_and_mask }}" - dev-type tun - dev ovpn - topology subnet - client-to-client - keepalive 10 120 - push "dhcp-option DOMAIN {{ domain_priv }}" - push "dhcp-option DNS {{ core_addr }}" - user nobody - group nogroup - persist-key - persist-tun - cipher AES-256-GCM - auth SHA256 - max-clients 20 - ifconfig-pool-persist ipp.txt - status openvpn-status.log - verb 3 - ca /usr/local/share/ca-certificates/{{ domain_name }}.crt - cert server.crt - key server.key - dh dh2048.pem - tls-auth ta.key 0 + <<openvpn-front>> dest: /etc/openvpn/server.conf mode: u=r,g=r,o= notify: Restart OpenVPN. @@ -3054,7 +2868,7 @@ Finally, Kamailio can be configured and started. become: yes copy: content: | - listen=udp:{{ front_private_addr }}:5060 + <<kamailio>> dest: /etc/kamailio/kamailio-local.cfg notify: Restart Kamailio. @@ -3090,8 +2904,8 @@ Debian install and remote access to a privileged, administrator's account. (For details, see The Core Machine.)--8.1. Include Particulars
++8.1. Include Particulars
The first task, as in The Front Role, is to include the institute @@ -3113,8 +2927,8 @@ particulars and membership roll.
--8.2. Configure Hostname
++8.2. Configure Hostname
This task ensures that Core's
/etc/hostnameand/etc/mailnameare @@ -3147,8 +2961,8 @@ proper email delivery.--8.3. Configure Systemd Resolved
++8.3. Configure Systemd Resolved
Core runs the campus name server, so Resolved is configured to use it @@ -3373,40 +3187,7 @@ The following tasks install and configure BIND9 on Core. become: yes copy: content: | - acl "trusted" { - {{ private_net_cidr }}; - {{ public_vpn_net_cidr }}; - {{ campus_vpn_net_cidr }}; - {{ gate_wifi_net_cidr }}; - localhost; - }; - - options { - directory "/var/cache/bind"; - - forwarders { - 8.8.4.4; - 8.8.8.8; - }; - - allow-query { any; }; - allow-recursion { trusted; }; - allow-query-cache { trusted; }; - - //============================================================ - // If BIND logs error messages about the root key being - // expired, you will need to update your keys. - // See https://www.isc.org/bind-keys - //============================================================ - //dnssec-validation auto; - // If Secure DNS is too much of a headache... - dnssec-enable no; - dnssec-validation no; - - auth-nxdomain no; # conform to RFC1035 - //listen-on-v6 { any; }; - listen-on { {{ core_addr }}; }; - }; + <<bind-options>> dest: /etc/bind/named.conf.options notify: Reload BIND9. @@ -3414,30 +3195,7 @@ The following tasks install and configure BIND9 on Core. become: yes copy: content: | - include "/etc/bind/zones.rfc1918"; - - zone "{{ domain_priv }}." { - type master; - file "/etc/bind/db.domain"; - }; - - zone "{{ private_net_cidr | ipaddr('revdns') - | regex_replace('^0\.','') }}" { - type master; - file "/etc/bind/db.private"; - }; - - zone "{{ public_vpn_net_cidr | ipaddr('revdns') - | regex_replace('^0\.','') }}" { - type master; - file "/etc/bind/db.public_vpn"; - }; - - zone "{{ campus_vpn_net_cidr | ipaddr('revdns') - | regex_replace('^0\.','') }}" { - type master; - file "/etc/bind/db.campus_vpn"; - }; + <<bind-local>> dest: /etc/bind/named.conf.local notify: Reload BIND9. @@ -3627,8 +3385,8 @@ craps up
/var/log/and the Systemd journal.--8.7. Add Administrator to System Groups
++8.7. Add Administrator to System Groups
The administrator often needs to read (directories of) log files owned @@ -3648,8 +3406,8 @@ these groups speeds up debugging.
--8.8. Configure Monkey
++8.8. Configure Monkey
The small institute runs cron jobs and web scripts that generate @@ -3716,8 +3474,8 @@ described in *Configure Apache2).
--8.9. Install Unattended Upgrades
++8.9. Install Unattended Upgrades
The institute prefers to install security updates as soon as possible. @@ -3749,8 +3507,8 @@ with Nextcloud on the command line.
--8.11. Configure User Accounts
++8.11. Configure User Accounts
User accounts are created immediately so that backups can begin @@ -3792,8 +3550,8 @@ describes the
members
andusernames
variables.--8.12. Install Server Certificate
++8.12. Install Server Certificate
The servers on Core use the same certificate (and key) to authenticate @@ -3908,24 +3666,14 @@ The complete list of Core's Postfix settings for
-@@ -3950,25 +3698,7 @@ enable the service. Wheneverpostfix-core
- p: smtpd_relay_restrictions - v: permit_mynetworks reject_unauth_destination +postfix-core
<<postfix-relaying>> - { p: smtpd_tls_security_level, v: none } - { p: smtp_tls_security_level, v: none } -- { p: message_size_limit, v: 104857600 } -- { p: delay_warning_time, v: 1h } -- { p: maximal_queue_lifetime, v: 4h } -- { p: bounce_queue_lifetime, v: 4h } -- { p: home_mailbox, v: Maildir/ } -- p: mynetworks - v: >- - {{ private_net_cidr }} - {{ public_vpn_net_cidr }} - {{ campus_vpn_net_cidr }} - 127.0.0.0/8 - [::ffff:127.0.0.0]/104 - [::1]/128 -- { p: relayhost, v: "[{{ front_private_addr }}]" } +<<postfix-message-size>> +<<postfix-queue-times>> +<<postfix-maildir>> +<<postfix-core-networks>> +<<postfix-core-relayhost>> - { p: inet_interfaces, v: "127.0.0.1 {{ core_addr }}" }/etc/postfix/transportis changed, the regexp: "^ *{{ item.p }} *=" line: "{{ item.p }} = {{ item.v }}" loop: - - p: smtpd_relay_restrictions - v: permit_mynetworks reject_unauth_destination - - { p: smtpd_tls_security_level, v: none } - - { p: smtp_tls_security_level, v: none } - - { p: message_size_limit, v: 104857600 } - - { p: delay_warning_time, v: 1h } - - { p: maximal_queue_lifetime, v: 4h } - - { p: bounce_queue_lifetime, v: 4h } - - { p: home_mailbox, v: Maildir/ } - - p: mynetworks - v: >- - {{ private_net_cidr }} - {{ public_vpn_net_cidr }} - {{ campus_vpn_net_cidr }} - 127.0.0.0/8 - [::ffff:127.0.0.0]/104 - [::1]/128 - - { p: relayhost, v: "[{{ front_private_addr }}]" } - - { p: inet_interfaces, v: "127.0.0.1 {{ core_addr }}" } + <<postfix-core>> - { p: transport_maps, v: "hash:/etc/postfix/transport" } notify: Restart Postfix. @@ -3976,8 +3706,7 @@ enable the service. Whenever/etc/postfix/transportis changed, the become: yes copy: content: | - .{{ domain_name }} local:$myhostname - .{{ domain_priv }} local:$myhostname + <<postfix-transport>> dest: /etc/postfix/transport notify: Postmap transport. @@ -4046,8 +3775,8 @@ installed by more specialized roles.-8.16. Configure Dovecot IMAPd
++8.16. Configure Dovecot IMAPd
-Core uses Dovecot's IMAPd to store and serve member emails. As on @@ -4084,11 +3813,10 @@ and enables it to start at every reboot. become: yes copy: content: | - protocols = imap - ssl = required + <<dovecot-tls>> ssl_cert = </etc/server.crt ssl_key = </etc/server.key - mail_location = maildir:~/Maildir + <<dovecot-maildir>> dest: /etc/dovecot/local.conf notify: Restart Dovecot. @@ -4152,8 +3880,8 @@ The Systemd service description.
fetchmail-service
[Unit] Description=Fetchmail --idle task for {{ item }}. AssertPathExists=/home/{{ item }}/.fetchmailrc -Requires=sys-devices-virtual-net-ovpn.device -After=sys-devices-virtual-net-ovpn.device +After=openvpn@front.service +Wants=sys-devices-virtual-net-ovpn.device [Service] User={{ item }} @@ -4186,17 +3914,7 @@ provided the Core service. become: yes copy: content: | - # Permissions on this file may be no greater than 0600. - - set no bouncemail - set no spambounce - set no syslog - #set logfile /home/{{ item }}/.fetchmail.log - - poll {{ front_private_addr }} protocol imap timeout 15 - username {{ item }} - password "{{ members[item].password_fetchmail }}" fetchall - ssl sslproto tls1.2+ sslcertck sslcommonname {{ domain_name }} + <<fetchmail-config>> dest: /home/{{ item }}/.fetchmailrc owner: "{{ item }}" group: "{{ item }}" @@ -4211,21 +3929,7 @@ provided the Core service. become: yes copy: content: | - [Unit] - Description=Fetchmail --idle task for {{ item }}. - AssertPathExists=/home/{{ item }}/.fetchmailrc - Requires=sys-devices-virtual-net-ovpn.device - After=sys-devices-virtual-net-ovpn.device - - [Service] - User={{ item }} - ExecStart=/usr/bin/fetchmail --idle - Restart=always - RestartSec=1m - NoNewPrivileges=true - - [Install] - WantedBy=default.target + <<fetchmail-service>> dest: /etc/systemd/system/fetchmail-{{ item }}.service loop: "{{ usernames }}" when: @@ -4392,11 +4096,7 @@ redirect, the encryption ciphers and certificates. AllowOverride None </Directory> - UserDir Public/HTML - <Directory /home/*/Public/HTML/> - Require all granted - AllowOverride None - </Directory> + <<apache-userdir-core>> ErrorLog ${APACHE_LOG_DIR}/live-error.log CustomLog ${APACHE_LOG_DIR}/live-access.log combined @@ -4423,11 +4123,7 @@ familiar. AllowOverride None </Directory> - UserDir Public/HTML - <Directory /home/*/Public/HTML/> - Require all granted - AllowOverride None - </Directory> + <<apache-userdir-core>> ErrorLog ${APACHE_LOG_DIR}/test-error.log CustomLog ${APACHE_LOG_DIR}/test-access.log combined @@ -4458,11 +4154,7 @@ trained staffers, monitored by a revision control system, etc. AllowOverride None </Directory> - UserDir Public/HTML - <Directory /home/*/Public/HTML/> - Require all granted - AllowOverride None - </Directory> + <<apache-userdir-core>> ErrorLog ${APACHE_LOG_DIR}/campus-error.log CustomLog ${APACHE_LOG_DIR}/campus-access.log combined @@ -4525,28 +4217,7 @@ Thea2ensite
command enables them. become: yes copy: content: | - <VirtualHost *:80> - ServerName live - ServerAlias live.{{ domain_priv }} - ServerAdmin webmaster@core.{{ domain_priv }} - - DocumentRoot /WWW/live - <Directory /WWW/live/> - Require all granted - AllowOverride None - </Directory> - - UserDir Public/HTML - <Directory /home/*/Public/HTML/> - Require all granted - AllowOverride None - </Directory> - - ErrorLog ${APACHE_LOG_DIR}/live-error.log - CustomLog ${APACHE_LOG_DIR}/live-access.log combined - - IncludeOptional /etc/apache2/sites-available/live-vhost.conf - </VirtualHost> + <<apache-live>> dest: /etc/apache2/sites-available/live.conf mode: u=rw,g=r,o=r notify: Restart Apache2. @@ -4555,28 +4226,7 @@ Thea2ensite
command enables them. become: yes copy: content: | - <VirtualHost *:80> - ServerName test - ServerAlias test.{{ domain_priv }} - ServerAdmin webmaster@core.{{ domain_priv }} - - DocumentRoot /WWW/test - <Directory /WWW/test/> - Require all granted - AllowOverride None - </Directory> - - UserDir Public/HTML - <Directory /home/*/Public/HTML/> - Require all granted - AllowOverride None - </Directory> - - ErrorLog ${APACHE_LOG_DIR}/test-error.log - CustomLog ${APACHE_LOG_DIR}/test-access.log combined - - IncludeOptional /etc/apache2/sites-available/test-vhost.conf - </VirtualHost> + <<apache-test>> dest: /etc/apache2/sites-available/test.conf mode: u=rw,g=r,o=r notify: Restart Apache2. @@ -4585,30 +4235,7 @@ Thea2ensite
command enables them. become: yes copy: content: | - <VirtualHost *:80> - ServerName www - ServerAlias www.{{ domain_priv }} - ServerAdmin webmaster@core.{{ domain_priv }} - - DocumentRoot /WWW/campus - <Directory /WWW/campus/> - Options Indexes FollowSymLinks MultiViews ExecCGI - AddHandler cgi-script .cgi - Require all granted - AllowOverride None - </Directory> - - UserDir Public/HTML - <Directory /home/*/Public/HTML/> - Require all granted - AllowOverride None - </Directory> - - ErrorLog ${APACHE_LOG_DIR}/campus-error.log - CustomLog ${APACHE_LOG_DIR}/campus-access.log combined - - IncludeOptional /etc/apache2/sites-available/www-vhost.conf - </VirtualHost> + <<apache-campus>> dest: /etc/apache2/sites-available/www.conf mode: u=rw,g=r,o=r notify: Restart Apache2. @@ -4715,12 +4342,8 @@ dev-type tun dev ovpn remote {{ front_addr }} nobind -user nobody -group nogroup -persist-key -persist-tun -cipher AES-256-GCM -auth SHA256 +<<openvpn-drop-priv>> +<<openvpn-crypt>> remote-cert-tls server verify-x509-name {{ domain_name }} name verb 3 @@ -4772,24 +4395,7 @@ for Core. become: yes copy: content: | - client - dev-type tun - dev ovpn - remote {{ front_addr }} - nobind - user nobody - group nogroup - persist-key - persist-tun - cipher AES-256-GCM - auth SHA256 - remote-cert-tls server - verify-x509-name {{ domain_name }} name - verb 3 - ca /usr/local/share/ca-certificates/{{ domain_name }}.crt - cert client.crt - key client.key - tls-auth ta.key 1 + <<openvpn-core>> dest: /etc/openvpn/front.conf mode: u=r,g=r,o= notify: Restart OpenVPN. @@ -5953,8 +5559,8 @@ applied first, by which Gate gets a campus machine's DNS and Postfix configurations, etc.--9.1. Include Particulars
++9.1. Include Particulars
The following should be familiar boilerplate by now. @@ -6206,17 +5812,12 @@ sudo ufw enable block: | *nat :POSTROUTING ACCEPT [0:0] - -A POSTROUTING -s {{ private_net_cidr }} -o isp -j MASQUERADE - -A POSTROUTING -s {{ gate_wifi_net_cidr }} -o isp -j MASQUERADE + <<ufw-nat>> COMMIT *filter - -A FORWARD -i lan -o isp -j ACCEPT - -A FORWARD -i wifi -o isp -j ACCEPT - -A FORWARD -i isp -o lan {{ ACCEPT_RELATED }} - -A FORWARD -i isp -o wifi {{ ACCEPT_RELATED }} - -A FORWARD -i lan -o ovpn -j ACCEPT - -A FORWARD -i ovpn -o lan -j ACCEPT + <<ufw-forward-nat>> + <<ufw-forward-private>> COMMIT insertafter: EOF @@ -6328,8 +5929,8 @@ the daemon listens only on the Gate-WiFi network interface.
--9.6. Install Server Certificate
++9.6. Install Server Certificate
The (OpenVPN) server on Gate uses an institute certificate (and key) @@ -6356,8 +5957,8 @@ and Front) do.
-9.7. Configure OpenVPN
++9.7. Configure OpenVPN
Gate uses OpenVPN to provide the institute's campus VPN service. Its @@ -6382,25 +5983,14 @@ discussed in The VPN Services.
-openvpn-gate
server {{ campus_vpn_net_and_mask }} client-config-dir /etc/openvpn/ccd -push "route {{ private_net_and_mask }}" -push "route {{ public_vpn_net_and_mask }}" -dev-type tun -dev ovpn -topology subnet -client-to-client -keepalive 10 120 -push "dhcp-option DOMAIN {{ domain_priv }}" -push "dhcp-option DNS {{ core_addr }}" -user nobody -group nogroup -persist-key -persist-tun -cipher AES-256-GCM -auth SHA256 -max-clients 20 -ifconfig-pool-persist ipp.txt -status openvpn-status.log -verb 3 +<<openvpn-gate-routes>> +<<openvpn-dev-mode>> +<<openvpn-keepalive>> +<<openvpn-dns>> +<<openvpn-drop-priv>> +<<openvpn-crypt>> +<<openvpn-max>> +<<openvpn-debug>> ca /usr/local/share/ca-certificates/{{ domain_name }}.crt cert /etc/server.crt key /etc/server.key @@ -6458,32 +6048,7 @@ configure the OpenVPN server on Gate. become: yes copy: content: | - server {{ campus_vpn_net_and_mask }} - client-config-dir /etc/openvpn/ccd - push "route {{ private_net_and_mask }}" - push "route {{ public_vpn_net_and_mask }}" - dev-type tun - dev ovpn - topology subnet - client-to-client - keepalive 10 120 - push "dhcp-option DOMAIN {{ domain_priv }}" - push "dhcp-option DNS {{ core_addr }}" - user nobody - group nogroup - persist-key - persist-tun - cipher AES-256-GCM - auth SHA256 - max-clients 20 - ifconfig-pool-persist ipp.txt - status openvpn-status.log - verb 3 - ca /usr/local/share/ca-certificates/{{ domain_name }}.crt - cert /etc/server.crt - key /etc/server.key - dh dh2048.pem - tls-auth ta.key 0 + <<openvpn-gate>> dest: /etc/openvpn/server.conf mode: u=r,g=r,o= notify: Restart OpenVPN. @@ -6520,8 +6085,8 @@ Wireless campus devices can get a key to the campus VPN from the configured manually.--10.1. Include Particulars
++10.1. Include Particulars
The following should be familiar boilerplate by now. @@ -6537,8 +6102,8 @@ The following should be familiar boilerplate by now.
--10.2. Configure Hostname
++10.2. Configure Hostname
Clients should be using the expected host name. @@ -6565,8 +6130,8 @@ Clients should be using the expected host name.
--10.3. Configure Systemd Resolved
++10.3. Configure Systemd Resolved
Campus machines use the campus name server on Core (or
dns.google
), @@ -6637,8 +6202,8 @@ and file timestamps.--10.5. Add Administrator to System Groups
++10.5. Add Administrator to System Groups
The administrator often needs to read (directories of) log files owned @@ -6658,8 +6223,8 @@ these groups speeds up debugging.
-10.6. Install Unattended Upgrades
++diff --git a/README.org b/README.org index da9e560..f0756e8 100644 --- a/README.org +++ b/README.org @@ -3893,7 +3893,7 @@ small institute substitutes a slightly modified version, ~inst_sensors~, that reports core CPU temperatures. #+CAPTION: [[file:roles_t/core/files/inst_sensors][=roles_t/core/files/inst_sensors=]] -#+BEGIN_SRC sh :tangle roles_t/core/files/inst_sensors +#+BEGIN_SRC sh :tangle roles_t/core/files/inst_sensors :mkdirp yes #!/bin/sh PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" -10.6. Install Unattended Upgrades
The institute prefers to install security updates as soon as possible. @@ -6704,13 +6269,10 @@ tasks below. regexp: "^ *{{ item.p }} *=" line: "{{ item.p }} = {{ item.v }}" loop: - - p: smtpd_relay_restrictions - v: permit_mynetworks reject_unauth_destination - - { p: message_size_limit, v: 104857600 } - - { p: delay_warning_time, v: 1h } - - { p: maximal_queue_lifetime, v: 4h } - - { p: bounce_queue_lifetime, v: 4h } - - { p: home_mailbox, v: Maildir/ } + <<postfix-relaying>> + <<postfix-message-size>> + <<postfix-queue-times>> + <<postfix-maildir>> - { p: myhostname, v: "{{ inventory_hostname }}.{{ domain_priv }}" } - { p: mydestination, @@ -8172,9 +7734,7 @@ up-restart my $CRT = read_file "Secret/CA/pki/issued/$name.crt"; my $KEY = read_file "Secret/CA/pki/private/$name.key"; my $UP = $type eq "android" ? "" : " -script-security 2 -up /etc/openvpn/update-systemd-resolved -up-restart"; +<<openvpn-up>>"; if ($type ne "campus") { my $TA = read_file "Secret/front-ta.key"; @@ -8199,14 +7759,10 @@ up-restart dev $DEV remote $ADDR nobind -user nobody -group nogroup -persist-key -persist-tun +<<openvpn-drop-priv>> remote-cert-tls server verify-x509-name $NAME name -cipher AES-256-GCM -auth SHA256$UP +<<openvpn-crypt>>$UP verb 3 key-direction 1 <ca>\n$CA</ca> @@ -9608,7 +9164,7 @@ routes on Front and Gate, making the simulation less… similar.