From: Matt Birkholz Date: Sat, 30 Dec 2023 21:12:56 +0000 (-0700) Subject: Update README.html. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=7b40b58d92e692973165deb798b520bc2fce84d8;p=Institute Update README.html. --- diff --git a/README.html b/README.html index 4c88b27..78a6c4e 100644 --- a/README.html +++ b/README.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + A Small Institute @@ -48,7 +48,7 @@ connects to Front making the institute email, cloud, etc. available to members off campus.

-
+
                 =                                                   
               _|||_                                                 
         =-The-Institute-=                                           
@@ -71,7 +71,7 @@ members off campus.
                 | |                                                 
 ============== Gate ================================================
                 |                                            Private
-                +----Ethernet switch                                
+                +----(Ethernet switch)                              
                         |                                           
                         +----Core                                   
                         +----Servers (NAS, DVR, etc.)               
@@ -902,15 +902,31 @@ replace {{ domain_name }} in the code with small.example.org<
 
public/vars.yml
---
 domain_name: small.example.org
-domain_priv: small.private
 

-The private version of the institute's domain name should end with one -of the top-level domains expected for this purpose: .intranet, -.internal, .private, .corp, .home or .lan.1 +The institute's private domain is treated as sensitive information, +and so is "tangled" into the example file private/vars.yml rather +than public/vars.yml. The example file is used for testing, and +serves as the template for an actual, private, private/var.yml file +that customizes this Ansible code for an actual, private, small +institute. +

+ +

+The institute's private domain name should end with one of the +top-level domains set aside for this purpose: .intranet, +.internal, .private, .corp, .home or .lan.1 It is +hoped that doing so will increase that chances that some abomination +like DNS-over-HTTPS will pass us by.

+ +
+private/vars.yml
---
+domain_priv: small.private
+
+
@@ -1014,7 +1030,7 @@ example result follows the code.
-
+

=> 10.62.17.0/24

@@ -1024,14 +1040,14 @@ example result follows the code.

The four private networks are named and given example CIDRs in the code block below. The small institute treats these addresses as -sensitive information so the code block below "tangles" into +sensitive information so again the code block below "tangles" into private/vars.yml rather than public/vars.yml. Two of the addresses are in 192.168 subnets because they are part of a test configuration using mostly-default VirtualBoxes (described here).

-private/vars.yml
---
+private/vars.yml
 private_net_cidr:           192.168.56.0/24
 public_vpn_net_cidr:        10.177.86.0/24
 campus_vpn_net_cidr:        10.84.138.0/24
@@ -1429,7 +1445,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a
 campground Wi-Fi access point, etc.
 
 
-
+
 =============== | ==================================================
                 |                                           Premises
           (Campus ISP)                                              
@@ -1452,7 +1468,7 @@ This avoids the need for a second Wi-Fi access point and leads to the
 following topology.
 

-
+
 =============== | ==================================================
                 |                                           Premises
            (House ISP)                                              
@@ -1624,8 +1640,8 @@ uses the institute's CA and server certificates, and expects client
 certificates signed by the institute CA.
 

-
-

6.1. Include Particulars

+
+

6.1. Include Particulars

The front role's tasks contain references to several common @@ -1657,8 +1673,8 @@ The code block below is the first to tangle into

-
-

6.2. Configure Hostname

+
+

6.2. Configure Hostname

This task ensures that Front's /etc/hostname and /etc/mailname are @@ -1782,8 +1798,8 @@ separate code block named enable-resolved.

- -
-

6.6. Configure Monkey

+
+

6.6. Configure Monkey

The small institute runs cron jobs and web scripts that generate @@ -1899,8 +1915,8 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.

-
-

6.8. Install Unattended Upgrades

+
+

6.8. Install Unattended Upgrades

The institute prefers to install security updates as soon as possible. @@ -1915,8 +1931,8 @@ The institute prefers to install security updates as soon as possible.

-
-
-

6.10. Trust Institute Certificate Authority

+
+

6.10. Trust Institute Certificate Authority

Front should recognize the institute's Certificate Authority as @@ -1992,8 +2008,8 @@ X.509 certificates is available in Keys.

-
-

6.11. Install Server Certificate

+
+

6.11. Install Server Certificate

The servers on Front use the same certificate (and key) to @@ -2257,8 +2273,8 @@ created by a more specialized role.

-
-

6.14. Configure Dovecot IMAPd

+
+

6.14. Configure Dovecot IMAPd

Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to @@ -2722,8 +2738,8 @@ the users' ~/Public/HTML/ directories.

-
-

6.16. Configure OpenVPN

+
+

6.16. Configure OpenVPN

Front uses OpenVPN to provide the institute's public VPN service. The @@ -3047,8 +3063,8 @@ Debian install and remote access to a privileged, administrator's account. (For details, see The Core Machine.)

-
-

7.1. Include Particulars

+
+

7.1. Include Particulars

The first task, as in The Front Role, is to include the institute @@ -3070,8 +3086,8 @@ particulars and membership roll.

-
-

7.2. Configure Hostname

+
+

7.2. Configure Hostname

This task ensures that Core's /etc/hostname and /etc/mailname are @@ -3104,8 +3120,8 @@ proper email delivery.

-
-

7.3. Enable Systemd Resolved

+
+

7.3. Enable Systemd Resolved

Core starts the systemd-networkd and systemd-resolved service @@ -3149,8 +3165,8 @@ units on boot. See Enable Systemd Resolved.

-
-

7.4. Configure Systemd Resolved

+
+

7.4. Configure Systemd Resolved

Core runs the campus name server, so Resolved is configured to use it @@ -3617,8 +3633,8 @@ craps up /var/log/ and the Systemd journal.

-
-

7.8. Add Administrator to System Groups

+
+

7.8. Add Administrator to System Groups

The administrator often needs to read (directories of) log files owned @@ -3638,8 +3654,8 @@ these groups speeds up debugging.

-
-

7.9. Configure Monkey

+
+

7.9. Configure Monkey

The small institute runs cron jobs and web scripts that generate @@ -3739,8 +3755,8 @@ with Nextcloud on the command line.

-
-

7.12. Configure User Accounts

+
+

7.12. Configure User Accounts

User accounts are created immediately so that backups can begin @@ -3782,8 +3798,8 @@ describes the members and usernames variables.

-
-

7.13. Trust Institute Certificate Authority

+
+

7.13. Trust Institute Certificate Authority

Core should recognize the institute's Certificate Authority as @@ -3815,8 +3831,8 @@ X.509 certificates is available in Keys.

-
-

7.14. Install Server Certificate

+
+

7.14. Install Server Certificate

The servers on Core use the same certificate (and key) to authenticate @@ -4069,8 +4085,8 @@ installed by more specialized roles.

-
-

7.18. Configure Dovecot IMAPd

+
+

7.18. Configure Dovecot IMAPd

Core uses Dovecot's IMAPd to store and serve member emails. As on @@ -5954,8 +5970,8 @@ applied first, by which Gate gets a campus machine's DNS and Postfix configurations, etc.

-
-

8.1. Include Particulars

+
+

8.1. Include Particulars

The following should be familiar boilerplate by now. @@ -6329,8 +6345,8 @@ the daemon listens only on the Gate-WiFi network interface.

-
-

8.6. Install Server Certificate

+
+

8.6. Install Server Certificate

The (OpenVPN) server on Gate uses an institute certificate (and key) @@ -6357,8 +6373,8 @@ and Front) do.

-
-

8.7. Configure OpenVPN

+
+

8.7. Configure OpenVPN

Gate uses OpenVPN to provide the institute's campus VPN service. Its @@ -6521,8 +6537,8 @@ Wireless campus devices can get a key to the campus VPN from the configured manually.

-
-

9.1. Include Particulars

+
+

9.1. Include Particulars

The following should be familiar boilerplate by now. @@ -6538,8 +6554,8 @@ The following should be familiar boilerplate by now.

-
-

9.2. Configure Hostname

+
+

9.2. Configure Hostname

Clients should be using the expected host name. @@ -6572,8 +6588,8 @@ Clients should be using the expected host name.

-
-

9.3. Enable Systemd Resolved

+
+

9.3. Enable Systemd Resolved

Campus machines start the systemd-networkd and systemd-resolved @@ -6617,8 +6633,8 @@ service units on boot. See Enable Systemd Resolved.

-
-

9.4. Configure Systemd Resolved

+
+

9.4. Configure Systemd Resolved

Campus machines use the campus name server on Core (or dns.google), @@ -6689,8 +6705,8 @@ and file timestamps.

-
-

9.6. Add Administrator to System Groups

+
+

9.6. Add Administrator to System Groups

The administrator often needs to read (directories of) log files owned @@ -6710,8 +6726,8 @@ these groups speeds up debugging.

-
-

9.7. Trust Institute Certificate Authority

+
+

9.7. Trust Institute Certificate Authority

Campus hosts should recognize the institute's Certificate Authority as @@ -6743,8 +6759,8 @@ keys, certificates and passwords, see Keys.)

-
-

9.8. Install Unattended Upgrades

+
+

9.8. Install Unattended Upgrades

The institute prefers to install security updates as soon as possible. @@ -9434,19 +9450,18 @@ is lacking in a number of respects. The current network monitoring is rudimentary. It could use some love, like intrusion detection via Snort or similar. Services on Front are not monitored except that the webupdate script should be -emailing sysadm whenever it cannot update Front. +emailing sysadm whenever it cannot update Front (every 15 minutes!).

Pro-active monitoring might include notifying root of any vandalism corrected by Monkey's quarter-hourly web update. This is a -non-trivial task that must ignore intentional changes and save suspect -changes. +non-trivial task that must ignore intentional changes.

-Monkey's cron jobs on Core should presumably become systemd.timer -and .service units. +Monkey's cron jobs on Core should be systemd.timer and .service +units.

@@ -9467,19 +9482,19 @@ continue to work for some time.

The ./inst client android dick-phone dick command generates .ovpn files that require the member to remember to check the "Use this -connection only for resources on its network" box in the IPv4 tab of -the Add VPN dialog. The ./inst client command should include a -setting in the Debian .ovpn files that NetworkManager will recognize -as the desired setting. +connection only for resources on its network" box in the IPv4 (and +IPv6) tab(s) of the Add VPN dialog. The command should include an +OpenVPN setting that the NetworkManager file importer recognizes as +the desired setting.

The VPN service is overly complex. The OpenVPN 2.4.7 clients allow multiple server addresses, but the openvpn(8) manual page suggests -per connection parameters are a restricted set that does not include -the essential verify-x509-name. Use the same name on separate -certificates for Gate and Front? Use the same certificate and key on -Gate and Front? +per connection parameters are restricted to a set that does not +include the essential verify-x509-name. Use the same name on +separate certificates for Gate and Front? Use the same certificate +and key on Gate and Front?

@@ -9687,7 +9702,7 @@ routes on Front and Gate, making the simulation less… similar.

Author: Matt Birkholz

-

Created: 2023-12-29 Fri 14:26

+

Created: 2023-12-30 Sat 14:12

Validate