From: Matt Birkholz Date: Sun, 1 Jun 2025 04:32:26 +0000 (-0600) Subject: Update README.html. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=55adefd53fc986ab21d2e023df06809a0ffe5f19;p=Network Update README.html. --- diff --git a/README.html b/README.html index 22e1f04..2e05e0c 100644 --- a/README.html +++ b/README.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + Birchwood Abbey Networks @@ -24,8 +24,8 @@ idiosyncrasies. The roles herein are abbey specific, emphasized by the abbey- prefix on their names. These roles are applied after the generic institutional roles (again, documented here).

-
-

1. Overview

+
+

1. Overview

A Small Institute makes security and privacy top priorities but @@ -64,7 +64,7 @@ map is very similar, with differences mainly in terminology, philosophy, attitude.

-
+
                 |                                                   
                 =                                                   
               _|||_                                                 
@@ -103,8 +103,8 @@ philosophy, attitude.
-
-

2. The Abbey Particulars

+
+

2. The Abbey Particulars

The abbey's public particulars are included below. They are the @@ -112,13 +112,13 @@ public particulars of a small institute, nothing more.

-public/vars.yml
---
+public/vars.yml
---
 domain_name: birchwood-abbey.net
 
 full_name: Birchwood Abbey
 
 front_addr: 159.65.75.60
-

+

@@ -134,8 +134,8 @@ into private_ex/vars-abbey.yml.

-
-

3. The Abbey Front Role

+
+

3. The Abbey Front Role

Birchwood Abbey's front door is a Digital Ocean Droplet configured as @@ -144,24 +144,24 @@ with Apache2, spooling email with Postfix and serving it with Dovecot-IMAPd, and hosting a VPN with OpenVPN.

-
-

3.1. Install Emacs

+
+

3.1. Install Emacs

The monks of the abbey are masters of the staff (bo) and Emacs.

-roles_t/abbey-front/tasks/main.yml
---
+roles_t/abbey-front/tasks/main.yml
---
 - name: Install Emacs.
   become: yes
   apt: pkg=emacs
-

+
-
-

3.2. Configure Public Email Aliases

+
+

3.2. Configure Public Email Aliases

The abbey uses several additional email aliases. These are the public @@ -172,7 +172,7 @@ from there, forwarding sysadm to a real person.

-roles_t/abbey-front/tasks/main.yml
+roles_t/abbey-front/tasks/main.yml

 - name: Install abbey email aliases.
   become: yes
   blockinfile:
@@ -188,20 +188,20 @@ from there, forwarding sysadm to a real person.
     dest: /etc/aliases
     marker: "# {mark} ABBEY MANAGED BLOCK"
   notify: New aliases.
-

+
-roles_t/abbey-front/handlers/main.yml
---
+roles_t/abbey-front/handlers/main.yml
---
 - name: New aliases.
   become: yes
   command: newaliases
-

+
-
-

3.3. Configure Git Daemon on Front

+
+

3.3. Configure Git Daemon on Front

The abbey publishes member Git repositories with git-daemon. If @@ -219,7 +219,6 @@ chmod -R o+r ~/foo/.git find ~/foo/.git -type d -print0 | xargs -0 chmod o+rx -

User repositories can be made available to the public at a URL like git://small.example.org/~dick/foo by copying it to the same path on @@ -231,7 +230,6 @@ creates or updates such a copy. rsync -av ~/foo/.git/ small.example.org:Public/Git/foo/ -

Note that Dick's Git repository, mirrored to Front (or Core), does not need to be backed up, assuming Dick's home directory (including @@ -244,7 +242,6 @@ There are no regular, system backups on Front. rsync -av --del small.institute.org:Public/foo/ ~/Public/foo/ -

With SystemD and the git-daemon-sysvinit package installed, SystemD supervises a git-daemon service unit launched with @@ -273,13 +270,13 @@ like git-tasks and git-handlers.

-roles_t/abbey-front/tasks/main.yml
+roles_t/abbey-front/tasks/main.yml

 <<git-tasks>>
-

+
-git-tasks
- name: Install git daemon.
+git-tasks
- name: Install git daemon.
   become: yes
   apt: pkg=git-daemon-sysvinit
 
@@ -307,26 +304,26 @@ like git-tasks and git-handlers.
     state: directory
     group: staff
     mode: u=rwx,g=srwx,o=rx
-

+
-roles_t/abbey-front/handlers/main.yml
+roles_t/abbey-front/handlers/main.yml

 <<git-handlers>>
-

+
-git-handlers
+git-handlers

 - name: Restart git daemon.
   become: yes
   command: systemctl restart git-daemon
-

+
-
-

3.4. Configure Gitweb on Front

+
+

3.4. Configure Gitweb on Front

The abbey provides an HTML interface to members' public Git @@ -353,7 +350,7 @@ lists the repositories found in /var/www/git/.

-apache-gitweb
+apache-gitweb

 Alias /gitweb-static/ /usr/share/gitweb/static/
 <Directory "/usr/share/gitweb/static/">
     Options MultiViews
@@ -364,7 +361,7 @@ RewriteRule ^/git(/.*)?$ \
 RewriteRule ^/\~([^\/]+)/git(/.*)?$ \
             /cgi-bin/gitweb.cgi$2 \
             [QSA,E=GITWEB_PROJECTROOT:/home/$1/Public/Git/,L,PT]
-

+

@@ -387,8 +384,8 @@ or no rewriting will take place. The CGI script and RewriteRule require Apache's cgi and rewrite modules, which are not normally enabled on a small institute's public server. Thus they need to be enabled here. Note that Debian and --Ubuntu install different Apache MPMs (multi-processing modules) --requiring different CGI modules, turning two tasks into three. +Ubuntu install different Apache MPMs (multi-processing modules) +requiring different CGI modules, turning two tasks into three.

@@ -411,7 +408,7 @@ web site /favicon.ico.

-apache-gitweb-tasks
- name: Enable Apache2 rewrite module for Gitweb.
+apache-gitweb-tasks
- name: Enable Apache2 rewrite module for Gitweb.
   become: yes
   apache2_module: name=rewrite
   notify: Restart Apache2.
@@ -444,21 +441,21 @@ web site /favicon.ico.
       $javascript = "/gitweb-static/gitweb.js";
     dest: /etc/gitweb.conf
     mode: u=rw,g=r,o=r
-

+
-apache-gitweb-handlers
- name: Restart Apache2.
+apache-gitweb-handlers
- name: Restart Apache2.
   become: yes
   systemd:
     service: apache2
     state: restarted
-

+
-
-

3.5. Configure Apache for Abbey Documentation

+
+

3.5. Configure Apache for Abbey Documentation

Some of the directives added to the -vhost.conf file are needed by @@ -476,11 +473,11 @@ filename suffixes.

-apache-abbey
<Directory {{ docroot }}/Abbey/>
+apache-abbey
<Directory {{ docroot }}/Abbey/>
     AllowOverride Indexes FileInfo
     Options +Indexes +FollowSymLinks
 </Directory>
-

+

@@ -490,17 +487,17 @@ be plain text, so that they are displayed rather than downloaded.

-.htaccess
ReadmeName notfound.html
+.htaccess
ReadmeName notfound.html
 IndexIgnore README.org
 AddType text/plain attr campus_vpn cfg cnf conf crt daily_letsencrypt
 AddType text/plain domain el htaccess idx j2 key old org pack pem
 AddType text/plain private pub public_vpn req rev sample txt yml
-

+
-
-

3.6. Configure Photos URLs on Front

+
+

3.6. Configure Photos URLs on Front

Some of the directives added to the -vhost.conf file map the abbey's @@ -512,7 +509,7 @@ matching configurations for accurate previews and tests.

-apache-photos
+apache-photos

 RedirectMatch /Photos$ /Photos/
 RedirectMatch /Photos/(20[0-9][0-9])_([0-9][0-9])_([0-9][0-9])$ \
               /Photos/$1_$2_$3/
@@ -521,12 +518,12 @@ AliasMatch /Photos/(20[0-9][0-9])_([0-9][0-9])_([0-9][0-9])/(.+)$ \
 AliasMatch /Photos/(20[0-9][0-9])_([0-9][0-9])_([0-9][0-9])/$ \
            {{ docroot }}/Photos/$1/$2/$3/index.html
 AliasMatch /Photos/$ {{ docroot }}/Photos/index.html
-

+
-
-

3.7. Configure Apache on Front

+
+

3.7. Configure Apache on Front

The abbey needs to add some Apache2 configuration directives to the @@ -537,15 +534,15 @@ The abbey simply creates a birchwood-abbey.net-vhost.conf file in

-The following task adds the apache-abbey, apache-photos, and -apache-gitweb directives described above to the -vhost.conf file, +The following task adds the apache-abbey, apache-photos, and +apache-gitweb directives described above to the -vhost.conf file, and includes options-ssl-apache.conf from /etc/letsencrypt/. The rest of the Let's Encrypt configuration is discussed in the following -Install Let's Encrypt section. +Install Let's Encrypt section.

-roles_t/abbey-front/tasks/main.yml
+roles_t/abbey-front/tasks/main.yml

 - name: Configure Apache.
   become: yes
   vars:
@@ -561,22 +558,22 @@ rest of the Let's Encrypt configuration is discussed in the following
   notify: Restart Apache2.
 
 <<apache-gitweb-tasks>>
-

+
-roles_t/abbey-front/handlers/main.yml
+roles_t/abbey-front/handlers/main.yml

 <<apache-gitweb-handlers>>
-

+
-
-

3.8. Configure Apache Log Archival

+
+

3.8. Configure Apache Log Archival

These tasks hack Apache's logrotate(8) configuration to rotate -weekly, keep the last 12 weeks, and email each week's log to root. +weekly, keep a couple weeks, and email each week's log to root. The logrotate(8) manual page explains the configuration options.

@@ -589,7 +586,7 @@ The replacement logrotate-mailer does, and includes it in a

-roles_t/abbey-front/tasks/main.yml
+roles_t/abbey-front/tasks/main.yml

 - name: Configure Apache log archival.
   become: yes
   lineinfile:
@@ -598,7 +595,7 @@ The replacement logrotate-mailer does, and includes it in a
     line: "{{ item.line }}"
   loop:
   - { regexp: '^ *daily', line: "\tweekly" }
-  - { regexp: '^ *rotate', line: "\trotate 12" }
+  - { regexp: '^ *rotate', line: "\trotate 2" }
 
 - name: Configure Apache log email.
   become: yes
@@ -625,16 +622,16 @@ The replacement logrotate-mailer does, and includes it in a
     src: logrotate-mailer
     dest: /usr/local/sbin/logrotate-mailer
     mode: u=rwx,g=rx,o=rx
-

+
-roles_t/abbey-front/handlers/main.yml
+roles_t/abbey-front/handlers/main.yml

 - name: Reload systemd.
   become: yes
   systemd:
     daemon_reload: yes
-

+

@@ -646,12 +643,12 @@ page.)

-roles_t/abbey-front/files/logrotate-mailer.conf
[Service]
+roles_t/abbey-front/files/logrotate-mailer.conf
[Service]
 ExecStart=
 ExecStart=/usr/sbin/logrotate \
                 --mail /usr/local/sbin/logrotate-mailer \
                 /etc/logrotate.conf
-

+

@@ -664,7 +661,7 @@ encrypting and sending to sendmail.

-roles_t/abbey-front/files/logrotate-mailer
#!/bin/bash -e
+roles_t/abbey-front/files/logrotate-mailer
#!/bin/bash -e
 
 if [ "$#" != 3 -o "$1" != "-s" ]; then
     echo "usage: $0 -s subject recipient" 1>&2
@@ -700,12 +697,12 @@ encrypting and sending to sendmail.
         --trust-model always --recipient root@core ) \
 | sendmail root \
 || exit $?
-

+
-
-

3.9. Install Let's Encrypt

+
+

3.9. Install Let's Encrypt

The abbey uses a Let's Encrypt certificate to authenticate its public @@ -714,7 +711,7 @@ certificate is a terminal session affair (with prompts and lines entered as shown below).

-
+
 $ sudo apt install python3-certbot-apache
 $ sudo certbot --apache -d birchwood-abbey.net
 ...
@@ -775,7 +772,7 @@ package is installed and its live/ subdirectory is world readable.
 

 
 

-roles_t/abbey-front/tasks/main.yml
+roles_t/abbey-front/tasks/main.yml

 - name: Install Certbot for Apache.
   become: yes
   apt: pkg=python3-certbot-apache
@@ -785,7 +782,7 @@ package is installed and its live/ subdirectory is world readable.
   file:
     mode: u=rwx,g=rx,o=rx
     path: /etc/letsencrypt/live
-

+

 

 
 

@@ -808,7 +805,7 @@ restarted manually.
 

 
 

-roles_t/abbey-front/tasks/main.yml
+roles_t/abbey-front/tasks/main.yml

 - name: Use Let's Encrypt certificate&key.
   file:
     state: link
@@ -820,41 +817,41 @@ restarted manually.
     link: /etc/server.crt
   - target: /etc/letsencrypt/live/birchwood-abbey.net/privkey.pem
     link: /etc/server.key
-

+
-
-

3.10. Rotate Let's Encrypt Log

+
+

3.10. Rotate Let's Encrypt Log

The following task arranges to rotate Certbot's logs files.

-roles_t/abbey-front/tasks/main.yml
+roles_t/abbey-front/tasks/main.yml

 - name: Install Certbot logrotate configuration.
   become: yes
   copy:
     src: certbot_logrotate
     dest: /etc/logrotate.d/certbot
     mode: u=rw,g=r,o=r
-

+
-roles_t/abbey-front/files/certbot_logrotate
/var/log/letsencrypt/*.log {
+roles_t/abbey-front/files/certbot_logrotate
/var/log/letsencrypt/*.log {
     rotate 12
     weekly
     compress
     missingok
 }
-

+
-
-

3.11. Archive Let's Encrypt Data

+
+

3.11. Archive Let's Encrypt Data

A backup copy of Let's Encrypt's data (/etc/letsencrypt/) is sent to @@ -863,18 +860,18 @@ are detected by keeping a copy in /etc/letsencrypt~/ for comparison.

-roles_t/abbey-front/tasks/main.yml
+roles_t/abbey-front/tasks/main.yml

 - name: Install Let's Encrypt archive script.
   become: yes
   copy:
     src: cron.daily_letsencrypt
     dest: /etc/cron.daily/letsencrypt
     mode: u=rwx,g=rx,o=rx
-

+
-roles_t/abbey-front/files/cron.daily_letsencrypt
#!/bin/bash -e
+roles_t/abbey-front/files/cron.daily_letsencrypt
#!/bin/bash -e
 
 cd /etc/
 
@@ -882,9 +879,20 @@ are detected by keeping a copy in /etc/letsencrypt~/ for comparison.
 && diff -rq letsencrypt/ letsencrypt~/ \
 && exit 0
 
+F=`date "+%Y%m%d"`.tar.gz
 ( echo "Subject: New /etc/letsencrypt/ on Droplet."
   echo ""
-  tar czf - letsencrypt/ \
+  ( echo "Content-Type: multipart/mixed; boundary=\"boundary\""
+    echo "MIME-Version: 1.0"
+    echo ""
+    echo "--boundary"
+    echo "Content-Type: application/gzip; name=\"$F\""
+    echo "Content-Disposition: attachment; filename=\"$F\""
+    echo "Content-Transfer-Encoding: base64"
+    echo ""
+    tar czf - letsencrypt/ | base64
+    echo ""
+    echo "--boundary--" ) \
   | gpg --encrypt --armor \
         --trust-model always --recipient root@core ) \
 | sendmail root \
@@ -892,7 +900,7 @@ are detected by keeping a copy in /etc/letsencrypt~/ for comparison.
 
 rm -rf letsencrypt~
 cp -a letsencrypt letsencrypt~
-

+

@@ -901,7 +909,7 @@ imported into root@front's GnuPG key file.

-roles_t/abbey-front/tasks/main.yml
+roles_t/abbey-front/tasks/main.yml

 - name: Copy root@core's public key.
   become: yes
   copy:
@@ -909,21 +917,21 @@ imported into root@front's GnuPG key file.
     dest: /root/.gnupg-root-pub.pem
     mode: u=r,g=r,o=r
   notify: Import root@core's public key.
-

+
-roles_t/abbey-front/handlers/main.yml
+roles_t/abbey-front/handlers/main.yml

 - name: Import root@core's public key.
   become: yes
   command: gpg --import ~/.gnupg-root-pub.pem
-

+
-
-

4. The Abbey Core Role

+
+

4. The Abbey Core Role

Birchwood Abbey's core is a mini-PC (System76 Meerkat) configured as A @@ -933,8 +941,8 @@ with Postfix and Dovecot, and providing essential localnet services: NTP, DNS and DHCP.

-
-

4.1. Include Abbey Variables

+
+

4.1. Include Abbey Variables

In this abbey specific document, most abbey particulars are not @@ -946,15 +954,15 @@ directory, playbooks/.

-roles_t/abbey-core/tasks/main.yml
---
+roles_t/abbey-core/tasks/main.yml
---
 - name: Include private abbey variables.
   include_vars: ../private/vars-abbey.yml
-

+
-
-

4.2. Install Additional Packages

+
+

4.2. Install Additional Packages

The scripts that maintain the abbey's web site use a number of @@ -964,16 +972,16 @@ The house task list uses JQuery.

-roles_t/abbey-core/tasks/main.yml
+roles_t/abbey-core/tasks/main.yml

 - name: Install additional packages.
   apt:
     pkg: [ libhtml-tree-perl, libjs-jquery, mit-scheme, gnuplot ]
-

+
-
-

4.3. Configure Private Email Aliases

+
+

4.3. Configure Private Email Aliases

The abbey uses several additional email aliases. These are the campus @@ -989,7 +997,7 @@ e.g. mythtv@mythtv.birchwood.private, locally.)

-roles_t/abbey-core/tasks/main.yml
+roles_t/abbey-core/tasks/main.yml

 - name: Install abbey email aliases.
   become: yes
   blockinfile:
@@ -1001,52 +1009,52 @@ e.g. mythtv@mythtv.birchwood.private, locally.)
     dest: /etc/aliases
     marker: "# {mark} ABBEY MANAGED BLOCK"
   notify: New aliases.
-

+
-roles_t/abbey-core/handlers/main.yml
---
+roles_t/abbey-core/handlers/main.yml
---
 - name: New aliases.
   become: yes
   command: newaliases
-

+
-
-

4.4. Configure Git Daemon on Core

+
+

4.4. Configure Git Daemon on Core

These tasks are identical to those executed on Front, for similar Git -services on Front and Core. See 3.3 and -Configure Gitweb on Front for more information. +services on Front and Core. See 3.3 and +Configure Gitweb on Front for more information.

-roles_t/abbey-core/tasks/main.yml
+roles_t/abbey-core/tasks/main.yml

 <<git-tasks>>
-

+
-roles_t/abbey-core/handlers/main.yml
+roles_t/abbey-core/handlers/main.yml

 <<git-handlers>>
-

+
-
-

4.5. Configure Apache on Core

+
+

4.5. Configure Apache on Core

The Apache2 configuration on Core specifies three web sites (live, test, and campus). The live and test sites must operate just like the -site on Front. Their configurations include the same apache-abbey, -apache-photos, and apache-gitweb used on Front. +site on Front. Their configurations include the same apache-abbey, +apache-photos, and apache-gitweb used on Front.

-roles_t/abbey-core/tasks/main.yml
+roles_t/abbey-core/tasks/main.yml

 - name: Configure live website.
   become: yes
   vars:
@@ -1074,29 +1082,29 @@ site on Front.  Their configurations include the same 
+
-roles_t/abbey-core/handlers/main.yml
+roles_t/abbey-core/handlers/main.yml

 <<apache-gitweb-handlers>>
-

+
-
-

4.6. Configure Documentation URLs

+
+

4.6. Configure Documentation URLs

The institute serves its /usr/share/doc/ on the house (campus) web site. This is a debugging convenience, making some HTML documentation more accessible, especially the documentation of software installed on Core and not on typical desktop clients. Also included: the Apache2 -directives that enable user Git publishing with Gitweb (defined here). +directives that enable user Git publishing with Gitweb (defined here).

-roles_t/abbey-core/tasks/main.yml
+roles_t/abbey-core/tasks/main.yml

 - name: Configure house website.
   become: yes
   copy:
@@ -1109,12 +1117,12 @@ directives that enable user Git publishing with Gitweb (defined mode: u=rw,g=r,o=r
   notify: Restart Apache2.
-

+
-
-

4.7. Install Apt Cacher

+ -
-

4.8. Use Cloister Apt Cache

+
+

4.8. Use Cloister Apt Cache

Core itself will benefit from using the package cache, but should @@ -1140,7 +1148,7 @@ so caching their packages is not a priority.)

-roles_t/abbey-core/tasks/main.yml
+roles_t/abbey-core/tasks/main.yml

 - name: Use the local Apt package cache.
   become: yes
   copy:
@@ -1151,12 +1159,12 @@ so caching their packages is not a priority.)
       Acquire::https::Proxy "DIRECT";
     dest: /etc/apt/apt.conf.d/01proxy
     mode: u=rw,g=r,o=r
-

+
-
-

4.9. Configure NAGIOS

+
+

4.9. Configure NAGIOS

A small institute uses nagios4 to monitor the health of its network, @@ -1170,8 +1178,8 @@ customized check_sensors plugin (abbey_pisensors) in

-
-

4.10. Monitoring The Home Disk

+
+

4.10. Monitoring The Home Disk

The abbey adds monitoring of the space remaining on the volume at @@ -1180,7 +1188,7 @@ remaining on roots.)

-roles_t/abbey-core/tasks/main.yml
+roles_t/abbey-core/tasks/main.yml

 - name: Configure NAGIOS monitoring for Core /home/.
   become: yes
   copy:
@@ -1193,22 +1201,22 @@ remaining on roots.)
       }
     dest: /etc/nagios4/conf.d/abbey.cfg
   notify: Reload NAGIOS4.
-

+
-roles_t/abbey-core/handlers/main.yml
+roles_t/abbey-core/handlers/main.yml

 - name: Reload NAGIOS4.
   become: yes
   systemd:
     service: nagios4
     state: reloaded
-

+
-
-

4.11. Custom NAGIOS Monitor abbey_pisensors

+
+

4.11. Custom NAGIOS Monitor abbey_pisensors

The check_sensors plugin is included in the package @@ -1221,7 +1229,7 @@ recognizable temperature in the sensors output.

-roles_t/abbey-core/files/abbey_pisensors
#!/bin/sh
+roles_t/abbey-core/files/abbey_pisensors
#!/bin/sh
 
 PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
 export PATH
@@ -1299,12 +1307,12 @@ recognizable temperature in the sensors output.
         exit $exit
         ;;
 esac
-

+
-
-

4.12. Monitoring The Cloister

+
+

4.12. Monitoring The Cloister

The abbey adds monitoring for more servers: Kamino, Kessel, and Ord @@ -1321,8 +1329,8 @@ Kessel is a wireless host while Kamino is wired. Ord Mantell, the Raspberry Pi OS (ARM64) machine, uses the abbey_pisensors monitor.

-
-

4.12.1. Cloister Network Addresses

+
+

4.12.1. Cloister Network Addresses

The IP addresses of all three hosts are nice to use in the NAGIOS @@ -1331,16 +1339,16 @@ included in private/vars-abbey.yml.

-private_ex/vars-abbey.yml
---
+private_ex/vars-abbey.yml
---
 kamino_addr:                192.168.56.14
 kessel_addr:                10.84.138.8
 ord_mantell_addr:           10.84.138.10
-

+
-
-

4.12.2. Installing NAGIOS Configurations

+
+

4.12.2. Installing NAGIOS Configurations

The following task installs each host's NAGIOS configuration. Note @@ -1349,7 +1357,7 @@ rarely powered up.

-roles_t/abbey-core/tasks/main.yml
+roles_t/abbey-core/tasks/main.yml

 - name: Configure cloister NAGIOS monitoring.
   become: yes
   template:
@@ -1357,15 +1365,15 @@ rarely powered up.
     dest: /etc/nagios4/conf.d/{{ item }}.cfg
   loop: [ ord-mantell, kessel ]
   notify: Reload NAGIOS4.
-

+
-
-

4.12.3. NAGIOS Monitoring of Ord-Mantell

+
+

4.12.3. NAGIOS Monitoring of Ord-Mantell

-roles_t/abbey-core/templates/nagios-ord-mantell.cfg
define host {
+roles_t/abbey-core/templates/nagios-ord-mantell.cfg
define host {
     use                     linux-server
     host_name               ord-mantell
     address                 {{ ord_mantell_addr }}
@@ -1412,15 +1420,15 @@ rarely powered up.
     service_description     Temperature Sensors
     check_command           check_nrpe!abbey_pisensors
 }
-

+
-
-

4.12.4. NAGIOS Monitoring of Kamino

+
+

4.12.4. NAGIOS Monitoring of Kamino

-roles_t/abbey-core/templates/nagios-kamino.cfg
define host {
+roles_t/abbey-core/templates/nagios-kamino.cfg
define host {
     use                     linux-server
     host_name               kamino
     address                 {{ kamino_addr }}
@@ -1467,15 +1475,15 @@ rarely powered up.
     service_description     Temperature Sensors
     check_command           check_nrpe!inst_sensors
 }
-

+
-
-

4.12.5. NAGIOS Monitoring of Kessel

+
+

4.12.5. NAGIOS Monitoring of Kessel

-roles_t/abbey-core/templates/nagios-kessel.cfg
define host {
+roles_t/abbey-core/templates/nagios-kessel.cfg
define host {
     use                     linux-server
     host_name               kessel
     address                 {{ kessel_addr }}
@@ -1522,13 +1530,13 @@ rarely powered up.
     service_description     Temperature Sensors
     check_command           check_nrpe!inst_sensors
 }
-

+
-
-

4.13. Install Munin

+
+

4.13. Install Munin

The abbey is experimenting with Munin. NAGIOS is all about notifying @@ -1537,7 +1545,7 @@ trends in resource usage.

-roles_t/abbey-core/tasks/main.yml
+roles_t/abbey-core/tasks/main.yml

 - name: Install Munin.
   become: yes
   apt: pkg=munin
@@ -1581,7 +1589,7 @@ trends in resource usage.
           address {{ ord_mantell_addr }}
     dest: /etc/munin/munin-conf.d/zzz-site.cfg
   notify: Restart Munin.
-

+

@@ -1590,7 +1598,7 @@ next task configures libsensors to ignore them.

-roles_t/abbey-core/tasks/main.yml
+roles_t/abbey-core/tasks/main.yml

 - name: Configure core sensors(1).
   become: yes
   copy:
@@ -1601,22 +1609,22 @@ next task configures libsensors to ignore them.
       chip "acpitz-acpi-0"
           ignore temp1
     dest: /etc/sensors.d/site.conf
-

+
-roles_t/abbey-core/handlers/main.yml
+roles_t/abbey-core/handlers/main.yml

 - name: Restart Munin.
   become: yes
   systemd:
     service: munin
     state: restarted
-

+
-
-

4.14. Install Analog

+
+

4.14. Install Analog

The abbey's public web site's access and error logs are emailed @@ -1626,7 +1634,7 @@ the campus as http://www/analog.html.

-roles_t/abbey-core/tasks/main.yml
+roles_t/abbey-core/tasks/main.yml

 - name: Install Analog.
   become: yes
   apt: pkg=analog
@@ -1666,12 +1674,12 @@ the campus as http://www/analog.html.
     owner: monkey
     group: staff
     mode: u=rwx,g=srwx,o=rx
-

+
-
-

4.15. Add Monkey to Web Server Group

+
+

4.15. Add Monkey to Web Server Group

Monkey needs to be in www-data so that it can run @@ -1682,19 +1690,19 @@ user cloud accounts, found in files owned by www-data, files like

-roles_t/abbey-core/tasks/main.yml
+roles_t/abbey-core/tasks/main.yml

 - name: Add Monkey to Nextcloud group.
   become: yes
   user:
     name: monkey
     append: yes
     groups: www-data
-

+
-
-

4.16. Install netpbm For Photo Processing

+
+

4.16. Install netpbm For Photo Processing

Monkey's photo processing scripts use netpbm commands like @@ -1702,16 +1710,16 @@ Monkey's photo processing scripts use netpbm commands like

-roles_t/abbey-core/tasks/main.yml
+roles_t/abbey-core/tasks/main.yml

 - name: Install netpbm.
   become: yes
   apt: pkg=netpbm
-

+
-
-

4.17. Install Samba

+
+

4.17. Install Samba

The abbey core provides NAS (Network Attached Storage) service to the @@ -1727,7 +1735,7 @@ permissions.

-roles_t/abbey-core/tasks/main.yml
+roles_t/abbey-core/tasks/main.yml

 - name: Install Samba.
   become: yes
   apt: pkg=samba
@@ -1774,55 +1782,57 @@ permissions.
     dest: /etc/samba/smb.conf
     marker: "# {mark} ABBEY MANAGED BLOCK"
   notify: New shares.
-

+
-roles_t/abbey-core/handlers/main.yml
+roles_t/abbey-core/handlers/main.yml

 - name: New shares.
   become: yes
   systemd:
     service: smbd
     state: reloaded
-

+
-
-

5. The Abbey Gate Role

+
+

5. The Abbey Gate Role

Birchwood Abbey's gate is a $110 µPC configured as A Small Institute Gate, thus providing a campus VPN on a campus Wi-Fi access point. It -routes network traffic from its wifi and lan interfaces to its +routes network traffic from its wild and lan interfaces to its isp interface (and back) with NAT. That is all the abbey requires of its gate, so there is no additional Ansible configuration in this chapter (yet).

-
-

5.1. The Abbey Gate's Network Interfaces

+
+

5.1. The Abbey Gate's Network Interfaces

The abbey gate's lan interface is the PC's built-in Ethernet interface, connected to the cloister Ethernet, a Gigabit Ethernet -switch. Its wifi interface is a USB3.0 Ethernet adapter connected -with a cross-over cable to the WAN interface of a Think Penguin -TPE-R1300 (and at one time a Linksys WRT1900AC). The isp interface -is another USB3.0 Ethernet adapter connected with a cross-over cable -to the Ethernet interface of a "cable modem" (a Starlink terminal). +switch. Its wild interface is a USB3.0 Ethernet adapter connected +to a 5-port Gigabit Ethernet switch into which are patched the WAN +interfaces of two Think Penguin TPE-R1300 (and sometimes a Linksys +WRT1900AC), as well as a couple IoT things like an Ecowitt hub and a +HomeAssistant Pi. The isp interface is another USB3.0 Ethernet +adapter connected with a cross-over cable to the Ethernet interface of +a "cable modem" (a Starlink terminal).

The MAC address of each interface is set in private/vars.yml (see Institute/private/vars.yml) as the values of the gate_lan_mac, -gate_wifi_mac and gate_isp_mac variables. +gate_wild_mac and gate_isp_mac variables.

-
-

5.2. The Abbey's Starlink Configuration

+
+

5.2. The Abbey's Starlink Configuration

The abbey connects to Starlink via Ethernet, and disables Starlink's @@ -1870,8 +1880,8 @@ at least our local network traffic out of view of our ISPs.

-
-

5.3. Alternate ISPs

+
+

5.3. Alternate ISPs

The abbey used to use a cell phone on a USB tether to get Internet @@ -1880,7 +1890,7 @@ following.

-
network:
+
network:
   ethernets:
     tether:
       match:
@@ -1889,7 +1899,7 @@ following.
       dhcp4: true
       dhcp4-overrides:
         use-dns: false
-

+

@@ -1898,7 +1908,7 @@ service, using a 60-isp.yaml file similar to the lines below.

-
network:
+
network:
   wifis:
     tether:
       match:
@@ -1911,13 +1921,13 @@ service, using a 60-isp.yaml file similar to the lines below.
         "AP with password":
           password: "password"
         "AP with no password": {}
-

+
-
-

6. The Abbey Cloister Role

+
+

6. The Abbey Cloister Role

Birchwood Abbey's cloister is a small institute campus. The campus @@ -1932,7 +1942,7 @@ tasks, namely configuration required on Raspberry Pi OS machines.

Wireless clients are issued keys for the cloister VPN by the ./abbey client command which is currently identical to the ./inst client -command (described in The Client Command). The wireless, cloistered +command (described in The Client Command). The wireless, cloistered hosts never roam, are not associated with a member, and so are "campus" clients, issued keys with commands like this:

@@ -1941,8 +1951,8 @@ hosts never roam, are not associated with a member, and so are ./abbey client campus new-host-name
-
-

6.1. Use Cloister Apt Cache

+
+

6.1. Use Cloister Apt Cache

The Apt-Cacher:TNG program does not work well on the frontier, so is @@ -1961,7 +1971,7 @@ local host.

-roles_t/abbey-cloister/tasks/main.yml
---
+roles_t/abbey-cloister/tasks/main.yml
---
 - name: Use the local Apt package cache.
   become: yes
   copy:
@@ -1972,24 +1982,24 @@ local host.
       Acquire::https::Proxy "DIRECT";
     dest: /etc/apt/apt.conf.d/01proxy
     mode: u=rw,g=r,o=r
-

+
-
-

6.2. Configure Cloister NRPE

+
+

6.2. Configure Cloister NRPE

Each cloistered host is a small institute campus host and thus is already running an NRPE server (a NAGIOS Remote Plugin Executor -server) with a custom inst_sensors monitor (described in Configure +server) with a custom inst_sensors monitor (described in Configure NRPE of A Small Institute). The abbey adds one complication: yet another check_sensors variant, abbey_pisensors, installed on Raspberry Pis (architecture aarch64) only.

-roles_t/abbey-cloister/tasks/main.yml
+roles_t/abbey-cloister/tasks/main.yml

 - name: Install abbey_pisensors NAGIOS plugin.
   become: yes
   copy:
@@ -2006,29 +2016,29 @@ Raspberry Pis (architecture aarch64) only.
     dest: /etc/nagios/nrpe.d/abbey.cfg
   when: ansible_architecture == 'aarch64'
   notify: Reload NRPE server.
-

+
-roles_t/abbey-cloister/handlers/main.yml
+roles_t/abbey-cloister/handlers/main.yml

 - name: Reload NRPE server.
   become: yes
   systemd:
     service: nagios-nrpe-server
     state: reloaded
-

+
-
-

6.3. Install Munin Node

+
+

6.3. Install Munin Node

Each cloistered host is a Munin node.

-roles_t/abbey-cloister/tasks/main.yml
+roles_t/abbey-cloister/tasks/main.yml

 - name: Install Munin Node.
   become: yes
   apt: pkg=munin-node
@@ -2039,7 +2049,7 @@ Each cloistered host is a Munin node.
     name: "{{ ansible_user }}"
     append: yes
     groups: munin
-

+

@@ -2049,7 +2059,7 @@ them.

-roles_t/abbey-cloister/tasks/main.yml
+roles_t/abbey-cloister/tasks/main.yml

 - name: Configure {{ inventory_hostname }} sensors(1).
   copy:
     content: |
@@ -2060,29 +2070,29 @@ them.
           ignore temp1
     dest: /etc/sensors.d/site.conf
   when: inventory_hostname == 'anoat'
-

+
-
-

6.4. Install Emacs

+
+

6.4. Install Emacs

The monks of the abbey are masters of the staff and Emacs.

-roles_t/abbey-cloister/tasks/main.yml
+roles_t/abbey-cloister/tasks/main.yml

 - name: Install monastic software.
   become: yes
   apt: pkg=emacs
-

+
-
-

7. The Abbey Weather Role

+
+

7. The Abbey Weather Role

Birchwood Abbey now uses Home Assistant to record and display weather @@ -2105,20 +2115,20 @@ The configuration of Home Assistant involved installing the Ecowitt "integration". This was accomplished by choosing "Settings", then "Devices & services", then "Add Integration", and searching for "Ecowitt". Once installed, the integration created dozens of weather -entities which were organized into an "Abbey" dashboard. +entities. These were labeled and organized on an "Abbey" dashboard.

-
-

8. The Abbey DVR Role

+
+

8. The Abbey DVR Role

The abbey uses AgentDVR to record video from PoE IP HD security cameras. It is installed and configured as described here.

-
-

8.1. AgentDVR Installation

+
+

8.1. AgentDVR Installation

AgentDVR is installed at the abbey according to the iSpy web site's @@ -2129,11 +2139,11 @@ second of which is broken across three lines).

-
sudo apt-get install curl
+
sudo apt-get install curl
 bash <(curl -s "https://raw.githubusercontent.com/\
 ispysoftware/agent-install-scripts/main/v2/\
 install.sh")
-

+

@@ -2141,8 +2151,8 @@ bash <(curl -s "https://raw.githubusercontent.com/\< preparations.

-
-

8.1.1. AgentDVR Installation Preparation

+
+

8.1.1. AgentDVR Installation Preparation

AgentDVR runs in the abbey as a system user, agentdvr, which @@ -2155,7 +2165,6 @@ a login shell, /bin/bash. This much Ansible can do in preparation. ./abbey config dvrs -

After the agentdvr account is created, it is temporarily authorized to run a handful of system commands (as root!). This small set is @@ -2168,18 +2177,18 @@ privileges until a "rescue" (involving a reboot) is performed.

-
echo "ALL ALL=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\
+
echo "ALL ALL=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\
      /sbin/adduser,/sbin/usermod" >~/01agentdvr
 sudo chown root:root ~/01agentdvr
 sudo chmod 440 ~/01agentdvr
 visudo --check --owner --perms ~/01agentdvr
 sudo mv ~/01agentdvr /etc/sudoers.d/
-

+
-
-

8.1.2. AgentDVR Installation Execution

+
+

8.1.2. AgentDVR Installation Execution

With the above preparations, the system administrator can get a shell @@ -2188,9 +2197,9 @@ in the empty /home/agentdvr/ directory.

-
sudo apt-get install curl
+
sudo apt-get install curl
 sudo -u agentdvr <(curl -s "https:.../install.sh")
-

+

@@ -2200,8 +2209,8 @@ Ansible is run again.

-
-

8.1.3. AgentDVR Installation Completion

+
+

8.1.3. AgentDVR Installation Completion

When Ansible is run a second time, after the installation script, it @@ -2213,7 +2222,6 @@ starts) the new system service. ./abbey config dvrs -

Also after the installation, the system administrator revokes the agentdvr account's authorizations to modify packages and accounts. @@ -2225,15 +2233,15 @@ sudo rm /etc/sudoers.d/01agentdvr

-
-

8.2. Create User agentdvr

+
+

8.2. Create User agentdvr

AgentDVR runs as the system user agentdvr, which is created here.

-roles_t/abbey-dvr/tasks/main.yml
---
+roles_t/abbey-dvr/tasks/main.yml
---
 - name: Create agentdvr.
   become: yes
   user:
@@ -2259,12 +2267,12 @@ AgentDVR runs as the system user agentdvr, which is created here.
     owner: agentdvr
     group: agentdvr
     mode: u=rwx,g=rwxs,o=rx
-

+
-
-

8.3. Test For AgentDVR/

+
+

8.3. Test For AgentDVR/

The following task probes for the /home/agentdvr/AgentDVR/ @@ -2275,7 +2283,7 @@ remaining installation steps are skipped unless

-roles_t/abbey-dvr/tasks/main.yml
+roles_t/abbey-dvr/tasks/main.yml

 - name: Test for AgentDVR directory.
   stat:
     path: /home/agentdvr/AgentDVR
@@ -2283,12 +2291,12 @@ remaining installation steps are skipped unless
 - debug:
     msg: "/home/agentdvr/AgentDVR/ does not yet exist"
   when: not agentdvr.stat.exists
-

+
-
-

8.4. Create AgentDVR Service

+
+

8.4. Create AgentDVR Service

This service definition came from the template downloaded (from here) @@ -2297,7 +2305,7 @@ by install.sh.

-roles_t/abbey-dvr/tasks/main.yml
+roles_t/abbey-dvr/tasks/main.yml

 - name: Install AgentDVR.service.
   become: yes
   copy:
@@ -2334,12 +2342,12 @@ by install.sh.
     enabled: yes
     state: started
   when: agentdvr.stat.exists
-

+
-
-

8.5. Create AgentDVR Storage

+
+

8.5. Create AgentDVR Storage

The abbey uses a separate volume to store surveillance recordings, @@ -2351,7 +2359,7 @@ location do not fail.

-roles_t/abbey-dvr/tasks/main.yml
+roles_t/abbey-dvr/tasks/main.yml

 - name: Create /DVR/AgentDVR/.
   become: yes
   file:
@@ -2369,15 +2377,15 @@ location do not fail.
     owner: agentdvr
     group: agentdvr
     mode: u=rwx,g=rxs,o=
-

+
-
-

8.6. Configure IP Cameras

+
+

8.6. Configure IP Cameras

-A new security camera is setup as described in Cloistering, after +A new security camera is setup as described in Cloistering, after which the camera should be accessible by name on the abbey networks. Assuming ping -c1 new works, the camera's web interface will be accessible at http://new/. @@ -2396,8 +2404,8 @@ long duration logs, thus fewer frames per second.

-
-

8.7. Configure AgentDVR's Cameras

+
+

8.7. Configure AgentDVR's Cameras

After Ansible has configured and started the AgentDVR service, its web @@ -2434,8 +2442,8 @@ AgentDVR's Live View.

-
-

8.8. Configure AgentDVR's Default Storage

+
+

8.8. Configure AgentDVR's Default Storage

AgentDVR's web interface is also used to configure a default storage @@ -2447,8 +2455,8 @@ pressed before the task is complete.

-
-

8.9. Configure AgentDVR's Recordings

+
+

8.9. Configure AgentDVR's Recordings

After a default storage location has been configured, AgentDVR's @@ -2480,8 +2488,8 @@ parameters are set (in the Recording and Storage tabs).

-
-

9. The Abbey TVR Role

+
+

9. The Abbey TVR Role

The abbey has a few TV tuners and a subscription to Schedules Direct @@ -2496,8 +2504,8 @@ interface on the master server. It configures the Apache web server to serve MythWeb pages at e.g. http://new/mythweb/.

-
-

9.1. Building MythTV and MythWeb

+
+

9.1. Building MythTV and MythWeb

Neither Debian nor the MythTV project provide binary packages of @@ -2528,19 +2536,19 @@ video source and capture card, after which the backend can be started.

-
-

9.2. TVR Machine Setup

+
+

9.2. TVR Machine Setup

-A new TVR machine needs only Cloistering to prepare it for +A new TVR machine needs only Cloistering to prepare it for Ansible. As part of that process, it should be added to the tvrs group in the hosts file. An existing server can become a TVR machine simply by adding it to the tvrs group.

-
-

9.3. Include Abbey Variables

+
+

9.3. Include Abbey Variables

Private variables in private/vars-abbey.yml are needed, as in the @@ -2549,15 +2557,15 @@ directory, playbooks/.

-roles_t/abbey-tvr/tasks/main.yml
---
+roles_t/abbey-tvr/tasks/main.yml
---
 - name: Include private abbey variables.
   include_vars: ../private/vars-abbey.yml
-

+
-
-

9.4. Install MythTV Build Requisites

+
+

9.4. Install MythTV Build Requisites

A number of developer packages are needed to build MythTV. The wiki @@ -2578,10 +2586,10 @@ be appropriate to download updates.)

-
git clone https://github.com/MythTV/ansible mythtv-ansible
+
git clone https://github.com/MythTV/ansible mythtv-ansible
 cd mythtv-ansible
 git checkout fixes/32
-

+

@@ -2593,7 +2601,7 @@ following.

-
diff --git a/roles/mythtv-deb/tasks/main.yml b/roles/mythtv-deb/tasks
+
diff --git a/roles/mythtv-deb/tasks/main.yml b/roles/mythtv-deb/tasks
 index 868c9b7..3dcf115 100644
 --- a/roles/mythtv-deb/tasks/main.yml
 +++ b/roles/mythtv-deb/tasks/main.yml
@@ -2617,11 +2625,11 @@ following.
    apt:
      name:
        '{{ lookup("flattened", deb_pkg_lst ) }}'
-

+
-roles_t/abbey-tvr/tasks/mains.yml
+roles_t/abbey-tvr/tasks/mains.yml

 - name: Install MythTV runtime requisites.
   become: yes
   apt:
@@ -2632,7 +2640,7 @@ following.
   loop:
   - ../mythtv-ansible/roles/mythtv-deb/tasks/main.yml
   - ../mythtv-ansible/roles/qt5/tasks/qt5-deb.yml
-

+

@@ -2643,8 +2651,8 @@ MythTV is built and installed.

-
-

9.5. Build and Install MythTV

+
+

9.5. Build and Install MythTV

After a successful "first" run of e.g. ./abbey config new, the @@ -2653,7 +2661,7 @@ following commands are used.

-
cd /usr/local/src/
+
cd /usr/local/src/
 git clone https://github.com/MythTV/mythtv
 cd mythtv/
 git checkout fixes/32
@@ -2661,7 +2669,7 @@ git checkout fixes/32
 ./configure
 make
 sudo make install
-

+

@@ -2680,7 +2688,7 @@ Several of the remaining installation steps are skipped unless

-roles_t/abbey-tvr/tasks/main.yml
+roles_t/abbey-tvr/tasks/main.yml

 - name: Test for MythTV binary packages.
   stat:
     path: /usr/local/bin/mythtv-setup
@@ -2688,30 +2696,30 @@ Several of the remaining installation steps are skipped unless
 - debug:
     msg: "/usr/local/bin/mythtv-setup does not yet exist"
   when: not mythtv.stat.exists
-

+
-
-

9.6. Create MythTV User

+
+

9.6. Create MythTV User

MythTV Backend needs to run as its own user: mythtv.

-roles_t/abbey-tvr/tasks/main.yml
+roles_t/abbey-tvr/tasks/main.yml

 - name: Create mythtv.
   become: yes
   user:
     name: mythtv
     system: yes
-

+
-
-

9.7. Create MythTV DB

+
+

9.7. Create MythTV DB

MythTV's MariaDB database is created by the following task, when the @@ -2719,7 +2727,7 @@ MythTV's MariaDB database is created by the following task, when the

-
+

 - name: Create MythTV DB.
   become: yes
   mysql_db:
@@ -2727,7 +2735,7 @@ MythTV's MariaDB database is created by the following task, when the
     name: mythconverg
     collation: utf8mb4_general_ci
     encoding: utf8mb4
-

+

@@ -2738,8 +2746,8 @@ privileged DB user, the mythconverg database is created manually

-
-

9.8. Create MythTV DB User

+
+

9.8. Create MythTV DB User

The DB user's password is taken from the mythtv_dbpass variable, @@ -2748,8 +2756,8 @@ kept in private/vars-abbey.yml, and generated e.g. with the apg -n

-private_ex/vars-abbey.yml
mythtv_dbpass:           daJkibpoJkag
-
+private_ex/vars-abbey.yml
mythtv_dbpass:           daJkibpoJkag
+

@@ -2759,7 +2767,7 @@ created above.

-
+

 - name: Create MythTV DB user.
   become: yes
   mysql_user:
@@ -2767,12 +2775,12 @@ created above.
     name: mythtv
     password: "{{ mythtv_dbpass }}"
     priv: "mythconverg.*:all"
-

+
-
-

9.9. Manually Create MythTV DB and DB User

+
+

9.9. Manually Create MythTV DB and DB User

The MythTV database and database user are created manually with the @@ -2782,7 +2790,7 @@ piped into the command.

-
create database mythconverg
+
create database mythconverg
     character set utf8mb4
     collate utf8mb4_general_ci;
 create user 'mythtv'@'%' identified by '{{ mythtv_dbpass }}';
@@ -2793,12 +2801,12 @@ piped into the command.
     to 'mythtv'@'localhost' with grant option;
 flush privileges;
 exit;
-

+
-
-

9.10. Load DB Timezone Info

+
+

9.10. Load DB Timezone Info

Starting with MythTV version 0.26, the time zone tables must be loaded @@ -2807,8 +2815,8 @@ too. The test SQL produced NULL.

-
SELECT CONVERT_TZ(NOW(), 'SYSTEM', 'Etc/UTC');
-
+
SELECT CONVERT_TZ(NOW(), 'SYSTEM', 'Etc/UTC');
+

@@ -2817,20 +2825,20 @@ e.g. 2022-09-13 20:15:41.

-
mysql_tzinfo_to_sql /usr/share/zoneinfo | sudo mysql mysql
-
+
mysql_tzinfo_to_sql /usr/share/zoneinfo | sudo mysql mysql
+
-
-

9.11. Create MythTV Backend Service

+
+

9.11. Create MythTV Backend Service

This task installs the mythtv-backend.service file.

-roles_t/abbey-tvr/tasks/mains.yml
+roles_t/abbey-tvr/tasks/mains.yml

 - name: Create mythtv-backend service.
   become: yes
   copy:
@@ -2855,20 +2863,20 @@ This task installs the mythtv-backend.service file.
     dest: /etc/systemd/system/mythtv-backend.service
   when: mythtv.stat.exists
   notify: Reload Systemd.
-

+
-roles_t/abbey-tvr/handlers/main.yml
---
+roles_t/abbey-tvr/handlers/main.yml
---
 - name: Reload Systemd.
   become: yes
   command: systemctl daemon-reload
-

+
-
-

9.12. Set PHP Timezone

+
+

9.12. Set PHP Timezone

This task checks PHP's timezone. If unset, MythTV's backend logs @@ -2876,34 +2884,39 @@ bitter complaints.

-roles_t/abbey-tvr/tasks/main.yml
+roles_t/abbey-tvr/tasks/main.yml

+- name: Get the local timezone.
+  shell: readlink /etc/localtime | sed 's,/usr/share/zoneinfo/,,'
+  delegate_to: localhost
+  register: timezone
+
 - name: Configure PHP date.timezone.
   become: yes
   lineinfile:
     regexp: date.timezone ?=
-    line: date.timezone = {{ lookup('file', '/etc/timezone') }}
+    line: date.timezone = {{ timezone.stdout }}
     path: "{{ item }}"
   loop:
   - /etc/php/8.2/cli/php.ini
   - /etc/php/8.2/apache2/php.ini
   when: mythtv.stat.exists
   notify: Restart Apache2.
-

+
-roles_t/abbey-tvr/handlers/main.yml
+roles_t/abbey-tvr/handlers/main.yml

 - name: Restart Apache2.
   become: yes
   systemd:
     service: apache2
     state: restarted
-

+
-
-

9.13. Create MythTV Storage Area

+
+

9.13. Create MythTV Storage Area

The backend does not have a default storage area for its recordings. @@ -2914,7 +2927,7 @@ creates that directory and ensures it has appropriate permissions.

-roles_t/abbey-tvr/tasks/main.yml
+roles_t/abbey-tvr/tasks/main.yml

 - name: Create MythTV storage area.
   become: yes
   file:
@@ -2923,12 +2936,12 @@ creates that directory and ensures it has appropriate permissions.
     owner: mythtv
     group: mythtv
     mode: u=rwx,g+rwx,o=rx
-

+
-
-

9.14. Configure MythTV Backend

+
+

9.14. Configure MythTV Backend

With MythTV built and installed, and the post-installation tasks @@ -2968,12 +2981,12 @@ directory: /home/mythtv/Recordings.

-
-

9.15. Configure Tuner

+
+

9.15. Configure Tuner

The abbey has a Silicon Dust Homerun HDTV Duo (with two tuners). It -is setup as described in Cloistering, after which the tuner is +is setup as described in Cloistering, after which the tuner is accessible by name (e.g. new) on the cloister network. Assuming ping -c1 new works, the tuner should be accessible via the hdhomerun_config_gui command, a graphical interface contributed to @@ -2984,8 +2997,8 @@ tuner's domain name or IP address can also be entered.

-
-

9.16. Add HDHomerun and Mr.Antenna

+
+

9.16. Add HDHomerun and Mr.Antenna

In MythTV Setup: @@ -3028,8 +3041,8 @@ any case, do not run mythfilldatabase.

-
-

9.17. Scan for New Channels

+
+

9.17. Scan for New Channels

In MythTV Setup: @@ -3050,8 +3063,8 @@ channels is presented. Delete All unused transports.

-
-

9.18. Configure XMLTV

+
+

9.18. Configure XMLTV

The xmltv package, specifically its tv_grab_zz_sdjson program, is @@ -3062,9 +3075,9 @@ option.

-
tv_grab_zz_sdjson --configure
+
tv_grab_zz_sdjson --configure
 cp ~/.xmltv/tv_grab_zz_sdjson.conf ~/.mythtv/Mr.Antenna.xmltv
-

+

@@ -3075,9 +3088,9 @@ Afterwards any re-configuration should use the following command.

-
tv_grab_zz_sdjson --configure \
+
tv_grab_zz_sdjson --configure \
         --config-file ~/.mythtv/Mr.Antenna.xmltv
-

+

@@ -3086,7 +3099,7 @@ the list of "inputs" available in a postal code typically ends with the OTA (over the air) broadcasts.

-
+
 $ tv_grab_zz_sdjson --configure --config-file .mythtv/Mr.Antenna.xml
 Cache file for lineups, schedules and programs.
 Cache file: [/home/mythtv/.xmltv/tv_grab_zz_sdjson.cache]
@@ -3136,8 +3149,8 @@ backend is running, so it is not run until then.
-
-

9.19. Debug XMLTV

+
+

9.19. Debug XMLTV

If the mythfilldatabase command fails or expected listings do not @@ -3147,8 +3160,8 @@ option for "interactive configuration".

-
sudo -H -u mythtv mythfilldatabase --verbose
-
+
sudo -H -u mythtv mythfilldatabase --verbose
+

@@ -3157,10 +3170,10 @@ The command might, for example, show that it is failing to run a

-
nice tv_grab_zz_sdjson \
+
nice tv_grab_zz_sdjson \
         --config-file '/home/mythtv/.mythtv/Mr.Antenna.xmltv' \
         --output /tmp/myths5Sq35 --quiet
-

+

@@ -3168,16 +3181,16 @@ Running a similar command (without --quiet) might be more revealing

-
sudo -H -u mythtv \
+
sudo -H -u mythtv \
     tv_grab_zz_sdjson \
         --config-file '/home/mythtv/.mythtv/Mr.Antenna.xmltv' \
         --output /tmp/mythFUBAR
-

+
-
-

9.20. Configure MythTV Backend Logging

+
+

9.20. Configure MythTV Backend Logging

The abbey directs MythTV log messages to /var/log/mythtv.log (and @@ -3185,7 +3198,7 @@ away from /var/log/syslog) and rotates the log file.

-roles_t/abbey-tvr/tasks/main.yml
+roles_t/abbey-tvr/tasks/main.yml

 - name: Install =/etc/rsyslog.d/40-mythtv.conf.
   become: yes
   copy:
@@ -3210,12 +3223,12 @@ away from /var/log/syslog) and rotates the log file.
           endscript
       }
     dest: /etc/logrotate.d/mythtv
-

+
-
-

9.21. Start MythTV Backend

+
+

9.21. Start MythTV Backend

After configuring with mythtv-setup as discussed above, start and @@ -3223,16 +3236,16 @@ enable (at boot time) the mythtv-backend service.

-
sudo systemctl enable mythtv-backend
+
sudo systemctl enable mythtv-backend
 sudo systemctl start mythtv-backend
 systemctl status -l mythtv-backend
 sudo -u mythtv mythfilldatabase
-

+
-
-

9.22. Install MythWeb

+
+

9.22. Install MythWeb

MythWeb, like MythTV, is installed from a Git repository. The @@ -3242,11 +3255,11 @@ out the appropriate branch, and copying the appropriate portion.

-
cd /usr/local/src/
+
cd /usr/local/src/
 git clone https://github.com/MythTV/mythweb
 ( cd mythweb/; git checkout fixes/32 )
 rsync -C mythweb /usr/local/share/mythtv/
-

+

@@ -3254,7 +3267,7 @@ The following tasks take care of the rest of the installation.

-roles_t/abbey-tvr/tasks/main.yml
+roles_t/abbey-tvr/tasks/main.yml

 - name: Install MythWeb requisites.
   become: yes
   apt:
@@ -3286,11 +3299,11 @@ The following tasks take care of the rest of the installation.
     cmd: a2ensite -q mythweb
     creates: /etc/apache2/sites-enabled/mythweb.conf
   notify: Restart Apache2.
-

+
-roles_t/abbey-tvr/templates/mythweb.conf.j2
#
+roles_t/abbey-tvr/templates/mythweb.conf.j2
#
 # Apache configuration directives for MythWeb.
 #
 # Note that this file is maintained by the network administration.
@@ -3344,18 +3357,18 @@ The following tasks take care of the rest of the installation.
     </Files>
 
 </Directory>
-

+
-
-

9.23. Change Broadcast Area

+
+

9.23. Change Broadcast Area

The abbey changes location almost weekly, so its HDTV broadcast area changes frequently. At the start of a long stay the administrator uses the MythTV Setup program to scan for the new area's channels, as -described in Scan for New Channels. +described in Scan for New Channels.

@@ -3366,14 +3379,14 @@ program as user mythtv.

-
tv_grab_zz_sdjson --configure \
+
tv_grab_zz_sdjson --configure \
         --config-file ~/.mythtv/Mr.Antenna.xmltv
-

+

The program will prompt for the zip code and offer a list of "inputs" -available in that area, as described in Configure XMLTV. +available in that area, as described in Configure XMLTV.

@@ -3381,8 +3394,8 @@ Then the administrator can re-start the backend.

-
sudo systemctl start mythtv-backend
-
+
sudo systemctl start mythtv-backend
+

@@ -3390,14 +3403,14 @@ And the mythtv account can run mythfilldatabase.

-
mythfilldatabase
-
+
mythfilldatabase
+
-
-

10. The Ansible Configuration

+
+

10. The Ansible Configuration

The abbey's Ansible configuration, like that of A Small Institute, is @@ -3424,7 +3437,7 @@ specific versions.

-NOTE: if you have not read at least the Overview of A Small Institute +NOTE: if you have not read at least the Overview of A Small Institute you are lost.

@@ -3454,8 +3467,8 @@ rest are built up piecemeal by (tangled from) this document, README.org, and Institute/README.org.

-
-

10.1. ansible.cfg

+
+

10.1. ansible.cfg

This is much like the example (test) institutional configuration file, @@ -3463,20 +3476,20 @@ except the roles are found in Institute/roles/ as well as roles/.

-ansible.cfg
[defaults]
+ansible.cfg
[defaults]
 interpreter_python=/usr/bin/python3
 vault_password_file=Secret/vault-password
 inventory=hosts
 roles_path=roles:Institute/roles
-

+
-
-

10.2. hosts

+
+

10.2. hosts

-hosts
all:
+hosts
all:
   vars:
     ansible_user: sysadm
     ansible_ssh_extra_args: -i Secret/ssh_admin/id_rsa
@@ -3543,12 +3556,12 @@ except the roles are found in Institute/roles/ as well as roles/.
       hosts:
         sullust:
         kamino:
-

+
-
-

10.3. playbooks/site.yml

+
+

10.3. playbooks/site.yml

This playbook provisions the entire network by applying first the @@ -3556,7 +3569,7 @@ institutional roles, then the liturgical roles.

-playbooks/site.yml
---
+playbooks/site.yml
---
 - name: Configure All
   hosts: all
   roles: [ all ]
@@ -3584,22 +3597,22 @@ institutional roles, then the liturgical roles.
 - name: Configure TVRs
   hosts: tvrs
   roles: [ abbey-tvr ]
-

+
-
-

11. The Abbey Commands

+
+

11. The Abbey Commands

The ./abbey script encodes the abbey's canonical procedures. It -includes The Institute Commands and adds a few abbey-specific +includes The Institute Commands and adds a few abbey-specific sub-commands.

-
-

11.1. Abbey Command Overview

+
+

11.1. Abbey Command Overview

Institutional sub-commands: @@ -3628,15 +3641,15 @@ and _architecture for all hosts.

-
-

11.2. Abbey Command Script

+
+

11.2. Abbey Command Script

The script begins with the following prefix and trampolines.

-abbey
#!/usr/bin/perl -w
+abbey
#!/usr/bin/perl -w
 #
 # DO NOT EDIT.  This file was tangled from README.org.
 
@@ -3645,14 +3658,14 @@ The script begins with the following prefix and trampolines.
 if (grep { $_ eq $ARGV[0] } qw(CA config new old pass client)) {
   exec "./Institute/inst", @ARGV;
 }
-

+

The small institute's ./inst command expects to be running in Institute/, not ./, but it only references public/, private/, Secret/ and playbooks/check-inst-vars.yml, and will find the abbey -specific versions of these. The roles_path setting in ansible.cfg +specific versions of these. The roles_path setting in ansible.cfg effectively merges the institutional roles into the distinctly named abbey specific roles. The roles likewise reference files with relative names, and will find the abbey specific private/ @@ -3666,13 +3679,13 @@ code block "duplicates" the action of the institute's

-playbooks/check-inst-vars.yml
- import_playbook: ../Institute/playbooks/check-inst-vars.yml
-
+playbooks/check-inst-vars.yml
- import_playbook: ../Institute/playbooks/check-inst-vars.yml
+
-
-

11.3. The Upgrade Command

+
+

11.3. The Upgrade Command

The script implements an upgrade sub-command that runs apt update @@ -3690,9 +3703,8 @@ a limit pattern. For example: ./abbey upgrade '!front' -

-abbey
+abbey

 if ($ARGV[0] eq "upgrade") {
   shift;
   my @args = ( "-e", "\@Secret/become.yml" );
@@ -3709,11 +3721,11 @@ a limit pattern.  For example:
   }
   exec ("ansible-playbook", @args, "playbooks/upgrade.yml");
 }
-

+
-playbooks/upgrade.yml
- hosts: all
+playbooks/upgrade.yml
- hosts: all
   tasks:
 
   - name: Upgrade packages.
@@ -3734,12 +3746,12 @@ a limit pattern.  For example:
   - debug:
       msg: Reboot required.
     when: st.stat.exists
-

+
-
-

11.4. The Reboots Command

+
+

11.4. The Reboots Command

The script implements a reboots sub-command that looks for @@ -3747,15 +3759,15 @@ The script implements a reboots sub-command that looks for

-abbey
if ($ARGV[0] eq "reboots") {
+abbey
if ($ARGV[0] eq "reboots") {
   exec ("ansible-playbook", "-e", "\@Secret/become.yml",
         "playbooks/reboots.yml");
 }
-

+
-playbooks/reboots.yml
---
+playbooks/reboots.yml
---
 - hosts: all
   tasks:
 
@@ -3766,12 +3778,12 @@ The script implements a reboots sub-command that looks for
   - debug:
       msg: Reboot required.
     when: st.stat.exists
-

+
-
-

11.5. The Versions Command

+
+

11.5. The Versions Command

The script implements a versions sub-command that reports the @@ -3779,27 +3791,27 @@ operating system version of all abbey managed machines.

-abbey
if ($ARGV[0] eq "versions") {
+abbey
if ($ARGV[0] eq "versions") {
   exec ("ansible-playbook", "-e", "\@Secret/become.yml",
         "playbooks/versarch.yml");
 }
-

+
-playbooks/versarch.yml
- hosts: all
+playbooks/versarch.yml
- hosts: all
   tasks:
   - debug:
       msg: >-
         {{ ansible_distribution }}
         {{ ansible_distribution_version }}
         {{ ansible_architecture }}
-

+
-
-

11.6. The TZ Command

+
+

11.6. The TZ Command

The abbey changes location almost weekly, so its timezone changes @@ -3825,25 +3837,31 @@ last host in the previous play.

-abbey
if ($ARGV[0] eq "tz") {
-  my $city = `cat /etc/timezone`; chomp $city;
-  my $zone = `date +%Z`; chomp $zone;
-  print "Setting timezones to $city.\n";
+abbey
if ($ARGV[0] eq "tz") {
   exec ("ansible-playbook", "-e", "\@Secret/become.yml",
-        "-e", "zone=$zone", "-e", "city=$city",
         "playbooks/timezone.yml");
 }
-

+
-playbooks/timezone.yml
---
+playbooks/timezone.yml
---
 - hosts: core, dvrs, tvrs, webtvs
   tasks:
+  - name: Get timezone.
+    command: date '+%Z'
+    delegate_to: localhost
+    register: zone
+
+  - name: Get city.
+    shell: readlink /etc/localtime | sed 's,/usr/share/zoneinfo/,,'
+    delegate_to: localhost
+    register: city
+
   - name: Update timezone.
     become: yes
-    command: timedatectl set-timezone {{ city }}
-    when: ansible_date_time.tz != zone
+    command: timedatectl set-timezone {{ city.stdout }}
+    when: ansible_date_time.tz != zone.stdout
     register: new_tz
 
 - hosts: dvrs
@@ -3871,7 +3889,7 @@ last host in the previous play.
     become: yes
     lineinfile:
       regexp: date.timezone ?=
-      line: date.timezone = {{ city }}
+      line: date.timezone = {{ city.stdout }}
       path: "{{ item }}"
     loop:
     - /etc/php/8.2/cli/php.ini
@@ -3883,23 +3901,23 @@ last host in the previous play.
     systemd:
       service: apache2
       state: restarted
-

+
-
-

11.7. Abbey Command Help

+
+

11.7. Abbey Command Help

-abbey
my $ops = "config,new,old,pass,client,upgrade,reboots,versions,tz";
+abbey
my $ops = "config,new,old,pass,client,upgrade,reboots,versions,tz";
 die "usage: $0 [$ops]\n";
-

+
-
-

12. Cloistering

+
+

12. Cloistering

This is how a new machine is brought into the cloister. The process @@ -3908,8 +3926,8 @@ narrows down to the common preparation of all machines administered by Ansible.

-
-

12.1. IoT Devices

+
+

12.1. IoT Devices

A wireless IoT device (smart TV, Blu-ray deck, etc.) cannot install @@ -3925,8 +3943,8 @@ given a private domain name as described in the following steps.

@@ -3936,12 +3954,12 @@ last step:

-
-

12.2. Raspberry Pis

+
+

12.2. Raspberry Pis

The abbey's Raspberry Pi runs the Raspberry Pi OS desktop off an @@ -3960,8 +3978,8 @@ Ethernet, and power up.

  • new username: sysadm
  • new password: fubar
    • -
  • Add to Core DHCP
    • -
  • Create Wired Domain Name
    • +
  • Add to Core DHCP
    • +
  • Create Wired Domain Name
  • Log in as sysadm on the console.
  • Run sudo raspi-config and use the following menu items.
      @@ -3969,9 +3987,9 @@ Ethernet, and power up.
    • I1 SSH (Enable/disable remote command line access using SSH): enable
    • A1 Expand Filesystem (Ensures that all of the SD card is available)
    • -
  • Update From Cloister Apt Cache
    • -
  • Authorize Remote Administration
    • -
  • Configure with Ansible
    • +
  • Update From Cloister Apt Cache
    • +
  • Authorize Remote Administration
    • +
  • Configure with Ansible

    • @@ -3980,14 +3998,14 @@ steps are taken.

    -
    -

    12.3. PCs

    +
    +

    12.3. PCs

    Most of the abbey's machines, like Core and Gate, are general-purpose @@ -4007,18 +4025,18 @@ Ethernet, and power up. Choose to boot from the USB drive.

  • new username: sysadm
  • new password: fubar
    • -
  • Add to Core DHCP
    • -
  • Create Wired Domain Name
    • +
  • Add to Core DHCP
    • +
  • Create Wired Domain Name
  • Log in as sysadm on the console.
    • -
  • Update From Cloister Apt Cache
    • +
  • Update From Cloister Apt Cache

  • Install OpenSSH. Plain Debian does not come with OpenSSH installed. 

     sudo apt install openssh-server
    • -
  • Authorize Remote Administration
    • -
  • Configure with Ansible
    • +
  • Authorize Remote Administration
    • +
  • Configure with Ansible

    • @@ -4027,14 +4045,14 @@ steps are taken.

    -
    -

    12.4. Add to Core DHCP

    +
    +

    12.4. Add to Core DHCP

    When a new machine is connected to the cloister Ethernet, its MAC @@ -4052,8 +4070,8 @@ new device's MAC.

    -
    tail -100 /var/log/daemon.log | grep DISCOVER
-
    +
    tail -100 /var/log/daemon.log | grep DISCOVER
+

    @@ -4064,9 +4082,9 @@ entry is chosen.

    -
    host new {
+
    host new {
   hardware ethernet 08:00:27:f3:41:66; fixed-address 192.168.56.4; }
-
    
+

    @@ -4074,8 +4092,8 @@ The DHCP service is then restarted (not reloaded).

    -
    sudo systemctl restart isc-dhcp-server
-
    +
    sudo systemctl restart isc-dhcp-server
+

    @@ -4090,17 +4108,17 @@ reporting 1 packets transmitted, 1 received, 0% packet loss....

    -
    ping -c1 192.168.56.4
-
    +
    ping -c1 192.168.56.4
+
    -
    -

    12.5. Create Wired Domain Name

    +
    +

    12.5. Create Wired Domain Name

    A wired device is assigned an IP address when it is added to Core's -DHCP configuration (as in Add to Core DHCP). A private domain name is +DHCP configuration (as in Add to Core DHCP). A private domain name is then associated with this address. If the device is intended to operate wirelessly, the name for its address is modified with a -w suffix. Thus new-w.small.private would be the name of the new @@ -4116,8 +4134,8 @@ of the file.

    -
    new-w   IN      A       192.168.56.4
-
    +
    new-w   IN      A       192.168.56.4
+

    @@ -4127,8 +4145,8 @@ at the top of that file.

    -
    4       IN      PTR     new-w.small.private.
-
    +
    4       IN      PTR     new-w.small.private.
+

    @@ -4137,14 +4155,14 @@ name can be tested.

    -
    resolvectl query new-w.small.private.
+
    resolvectl query new-w.small.private.
 resolvectl query 192.168.56.4
-
    
+
    -
    -

    12.6. Update From Cloister Apt Cache

    +
    +

    12.6. Update From Cloister Apt Cache

    • Log in as sysadm on the console.
      • @@ -4167,8 +4185,8 @@ sudo reboot
    -
    -

    12.7. Authorize Remote Administration

    +
    +

    12.7. Authorize Remote Administration

    To remotely administer new-w, Ansible must be authorized to login as @@ -4177,8 +4195,8 @@ accomplished by copying Ansible's SSH public key to new-w.

    -
    scp Secret/ssh_admin/id_rsa.pub sysadm@new-w:admin_key
-
    +
    scp Secret/ssh_admin/id_rsa.pub sysadm@new-w:admin_key
+

    @@ -4187,8 +4205,8 @@ Then on new-w (logged in as sysadm) the public key is

    -
    ( cd; umask 077; mkdir .ssh; cp admin_key .ssh/authorized_keys )
-
    +
    ( cd; umask 077; mkdir .ssh; cp admin_key .ssh/authorized_keys )
+

    @@ -4197,16 +4215,16 @@ key.

    -
    ssh -i Secret/ssh_admin/id_rsa sysadm@new-w
-
    +
    ssh -i Secret/ssh_admin/id_rsa sysadm@new-w
+
    -
    -

    12.8. Configure with Ansible

    +
    +

    12.8. Configure with Ansible

    -With remote administration authorized and tested (as in Authorize +With remote administration authorized and tested (as in Authorize Remote Administration), and the machine connected to the cloister Ethernet, the configuration of new-w can be completed by Ansible. Note that if the machine is staying on the cloister Ethernet, its @@ -4214,7 +4232,7 @@ domain name will be new (having had no -w suffix added

    -First new-w is added to Ansible's inventory in hosts. A new-w +First new-w is added to Ansible's inventory in hosts. A new-w section is added to the list of all hosts, and an empty section of the same name is added to the list of campus hosts. If the machine uses the usual privileged account name, sysadm, the ansible_user key in @@ -4222,7 +4240,7 @@ not needed.

    -
    hosts:
+
    hosts:
   ...
   new-w:
     ansible_user: pi
@@ -4234,7 +4252,7 @@ children:
     hosts:
       ...
       new-w:
-
    
+

    @@ -4245,9 +4263,9 @@ shown below.

    -
    echo -n "become_new: " >>Secret/become.yml
+
    echo -n "become_new: " >>Secret/become.yml
 ansible-vault encrypt_string PASSWORD >>Secret/become.yml
-
    
+

    @@ -4257,13 +4275,13 @@ configuration files.

    -
    ./abbey config new-w
-
    +
    ./abbey config new-w
+
    -
    -

    12.9. Connect to Cloister Wi-Fi

    +
    +

    12.9. Connect to Cloister Wi-Fi

    On an IoT device, or a Debian or Android "desktop", the cloister Wi-Fi @@ -4280,11 +4298,11 @@ interface on new is named wlan0.

    -/etc/network/interfaces.d/wifi
    auto wlan0
+/etc/network/interfaces.d/wifi
    auto wlan0
 iface wlan0 inet dhcp
     wpa-ssid "Birchwood Abbey"
     wpa-psk "PASSWORD"
-
    
+

    @@ -4299,13 +4317,13 @@ desktop connected to the Wi-Fi using the following ping command.

    -
    ping -c1 192.168.10.225
-
    +
    ping -c1 192.168.10.225
+
    -
    -

    12.10. Connect to Cloister VPN

    +
    +

    12.10. Connect to Cloister VPN

    Wireless devices (with the cloister Wi-Fi password) can get an IP @@ -4319,13 +4337,13 @@ however, are not accessible except via the cloister VPN.

    Connections to the cloister VPN are authorized by OpenVPN configuration (.ovpn) files generated by the ./abbey client... -command (aka The Client Command). These are secret files, kept +command (aka The Client Command). These are secret files, kept readable only by their owners and are deleted after use. They are copied to new OpenVPN clients using secure (ssh) connections.

    -
    -

    12.10.1. Debian Servers

    +
    +

    12.10.1. Debian Servers

    Wireless Debian servers (without NetworkManager) are connected to the @@ -4351,7 +4369,7 @@ And these are the commands:

    -
    ./abbey client campus new
+
    ./abbey client campus new
 scp campus.ovpn sysadm@new-w:
 ssh sysadm@new-w
 sudo apt install openvpn-systemd-resolved
@@ -4363,7 +4381,7 @@ sudo systemctl enable openvpn@cloister
 rm campus.ovpn
 logout
 rm campus.ovpn
-
    
+

    @@ -4371,8 +4389,8 @@ It may be necessary to reboot before the final tests.

    -
    -

    12.10.2. Debian Desktops

    +
    +

    12.10.2. Debian Desktops

    Wireless Debian desktops (with NetworkManager) include our 8GB Core i3 @@ -4414,7 +4432,7 @@ And these are the commands:

    -
    ./abbey client campus new
+
    ./abbey client campus new
 scp wifi campus.ovpn sysadm@new-w:
 ssh sysadm@new-w
 sudo apt install openvpn-systemd-resolved
@@ -4428,7 +4446,7 @@ sudo systemctl enable openvpn@cloister
 rm wifi campus.ovpn
 logout
 rm wifi campus.ovpn
-
    
+

    @@ -4444,8 +4462,8 @@ i.e. anyone in the house.

    -
    -

    12.10.3. Private Desktops

    +
    +

    12.10.3. Private Desktops

    Member notebooks are private machines not remotely administered by the @@ -4505,8 +4523,8 @@ password is included in Secret/become.yml.

    -
    -

    12.10.4. Android

    +
    +

    12.10.4. Android

    Android phones and tablets are connected to the cloister VPN via the @@ -4539,16 +4557,16 @@ OpenVPN when a .ovpn file is opened.

    -
    ./abbey client android dicks-tablet dick
+
    ./abbey client android dicks-tablet dick
 cp campus.ovpn public.ovpn /media/sysadm/Transfers/
 rm campus.ovpn public.ovpn
-
    
+
    -
    -

    12.11. Create Wireless Domain Name

    +
    +

    12.11. Create Wireless Domain Name

    A wireless machine is assigned a Wi-Fi address when it connects to the @@ -4563,8 +4581,8 @@ file.

    -
    new     IN      A       10.84.138.7
-
    +
    new     IN      A       10.84.138.7
+

    @@ -4574,8 +4592,8 @@ serial number at the top of that file.

    -
    7       IN      PTR     new.small.private.
-
    +
    7       IN      PTR     new.small.private.
+

    @@ -4584,9 +4602,9 @@ resolution of the new name.

    -
    resolvectl query new.small.private.
+
    resolvectl query new.small.private.
 resolvectl query 10.84.138.7
-
    
+

    @@ -4605,7 +4623,7 @@ to private/db.campus_vpn.)

    Author: Matt Birkholz

    -

    Created: 2024-11-01 Fri 13:07

    +

    Created: 2025-05-31 Sat 22:27

    Validate