From: Matt Birkholz Date: Tue, 27 Feb 2024 18:55:44 +0000 (-0700) Subject: Update README.html. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=9d2a13981ada62cdaea97e9dbb82c811dbba2b14;p=Institute Update README.html. --- diff --git a/README.html b/README.html index 765c7fc..8ca8ec5 100644 --- a/README.html +++ b/README.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + A Small Institute @@ -48,7 +48,7 @@ connects to Front making the institute email, cloud, etc. available to members off campus.

-
+
                 =                                                   
               _|||_                                                 
         =-The-Institute-=                                           
@@ -1030,7 +1030,7 @@ example result follows the code.
 

 
 
-

+

 

 => 10.62.17.0/24
 

@@ -1483,7 +1483,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a
 campground Wi-Fi access point, etc.
 
 
-
+
 =============== | ==================================================
                 |                                           Premises
           (Campus ISP)                                              
@@ -1506,7 +1506,7 @@ This avoids the need for a second Wi-Fi access point and leads to the
 following topology.
 

 
-
+
 =============== | ==================================================
                 |                                           Premises
            (House ISP)                                              
@@ -1659,8 +1659,8 @@ The all role contains tasks that are executed on all of the
 institute's servers.  At the moment there is just the one.
 

 

-

-
6.1. Include Particulars

+

+
6.1. Include Particulars

 

 

 The all role's task contains a reference to a common institute
@@ -1680,10 +1680,68 @@ Particulars).  The code block below is the first to tangle into
 

 

 

-

-
6.2. Trust Institute Certificate Authority

+

+
6.2. Enable Systemd Resolved

 

 

+The systemd-networkd and systemd-resolved service units are not
+enabled by default in Debian, but are the default in Ubuntu.  The
+institute attempts to make use of their link-local name resolution, so
+they are enabled on all institute hosts.
+

+
+

+The /usr/share/doc/systemd/README.Debian.gz file recommends both
+services be enabled and /etc/resolv.conf be replaced with a
+symbolic link to /run/systemd/resolve/resolv.conf.  The institute
+follows these recommendations (and not the suggestion to enable
+"persistent logging", yet).  In Debian 12 there is a
+systemd-resolved package that symbolically links /etc/resolv.conf
+(and provides /lib/systemd/systemd-resolved, formerly part of the
+systemd package).
+

+
+

+roles_t/all/tasks/main.yml
+- name: Install systemd-resolved.
+  become: yes
+  apt: pkg=systemd-resolved
+  when:
+  - ansible_distribution == 'Debian'
+  - 11 < ansible_distribution_major_version|int
+
+- name: Enable/Start systemd-networkd.
+  become: yes
+  systemd:
+    service: systemd-networkd
+    enabled: yes
+    state: started
+
+- name: Enable/Start systemd-resolved.
+  become: yes
+  systemd:
+    service: systemd-resolved
+    enabled: yes
+    state: started
+
+- name: Link /etc/resolv.conf.
+  become: yes
+  file:
+    path: /etc/resolv.conf
+    src: /run/systemd/resolve/resolv.conf
+    state: link
+    force: yes
+  when:
+  - ansible_distribution == 'Debian'
+  - 12 > ansible_distribution_major_version|int
+

+

+

+

+

+
6.3. Trust Institute Certificate Authority

+

+

 All servers should recognize the institute's Certificate Authority as
 trustworthy, so its certificate is added to the set of trusted CAs on
 each host.  More information about how the small institute manages its
@@ -1743,8 +1801,8 @@ uses the institute's CA and server certificates, and expects client
 certificates signed by the institute CA.
 

 

-

-
7.1. Include Particulars

+

+
7.1. Include Particulars

 

 

 The first task, as in The All Role, is to include the institute
@@ -1769,8 +1827,8 @@ membership roll, so these are included was well.
 

 

 

-

-
7.2. Configure Hostname

+

+
7.2. Configure Hostname

 

 

 This task ensures that Front's /etc/hostname and /etc/mailname are
@@ -1800,104 +1858,10 @@ delivery.
 

 

 

-

-
7.3. Enable Systemd Resolved 

+

+
7.3. Add Administrator to System Groups

 

 

-The systemd-networkd and systemd-resolved service units are not
-enabled by default in Debian, but are the default in Ubuntu, and
-work with Netplan.  The /usr/share/doc/systemd/README.Debian.gz file
-recommends both services be enabled and /etc/resolv.conf be
-replaced with a symbolic link to /run/systemd/resolve/resolv.conf.
-The institute follows these recommendations (and not the suggestion
-to enable "persistent logging", yet).  In Debian 12 there is a
-systemd-resolved package that symbolically links /etc/resolv.conf
-(and provides /lib/systemd/systemd-resolved, formerly part of the
-systemd package).
-

-
-

-These tasks are included in all of the roles, and so are given in a
-separate code block named enable-resolved.2
-

-
-

-roles_t/front/tasks/main.yml
-- name: Install systemd-resolved.
-  become: yes
-  apt: pkg=systemd-resolved
-  when:
-  - ansible_distribution == 'Debian'
-  - 11 < ansible_distribution_major_version|int
-
-- name: Enable/Start systemd-networkd.
-  become: yes
-  systemd:
-    service: systemd-networkd
-    enabled: yes
-    state: started
-
-- name: Enable/Start systemd-resolved.
-  become: yes
-  systemd:
-    service: systemd-resolved
-    enabled: yes
-    state: started
-
-- name: Link /etc/resolv.conf.
-  become: yes
-  file:
-    path: /etc/resolv.conf
-    src: /run/systemd/resolve/resolv.conf
-    state: link
-    force: yes
-  when:
-  - ansible_distribution == 'Debian'
-  - 12 > ansible_distribution_major_version|int
-

-

-
-

-enable-resolved
-- name: Install systemd-resolved.
-  become: yes
-  apt: pkg=systemd-resolved
-  when:
-  - ansible_distribution == 'Debian'
-  - 11 < ansible_distribution_major_version|int
-
-- name: Enable/Start systemd-networkd.
-  become: yes
-  systemd:
-    service: systemd-networkd
-    enabled: yes
-    state: started
-
-- name: Enable/Start systemd-resolved.
-  become: yes
-  systemd:
-    service: systemd-resolved
-    enabled: yes
-    state: started
-
-- name: Link /etc/resolv.conf.
-  become: yes
-  file:
-    path: /etc/resolv.conf
-    src: /run/systemd/resolve/resolv.conf
-    state: link
-    force: yes
-  when:
-  - ansible_distribution == 'Debian'
-  - 12 > ansible_distribution_major_version|int
-

-

-

-

-

-
7.4. Add Administrator to System Groups

-

-

 The administrator often needs to read (directories of) log files owned
 by groups root and adm.  Adding the administrator's account to
 these groups speeds up debugging.
@@ -1916,8 +1880,8 @@ these groups speeds up debugging.
 

 

 

-
7.5. Configure SSH

-

+
7.4. Configure SSH

+

 

 The SSH service on Front needs to be known to Monkey.  The following
 tasks ensure this by replacing the automatically generated keys with
@@ -1954,9 +1918,9 @@ those stored in Secret/ssh_front/etc/ssh/
 

 

 

-

-
7.6. Configure Monkey

-

+

+
7.5. Configure Monkey

+

 

 The small institute runs cron jobs and web scripts that generate
 reports and perform checks.  The un-privileged jobs are run by a
@@ -1996,8 +1960,8 @@ key on Core.
 

 

 

-
7.7. Install Rsync

-

+
7.6. Install Rsync

+

 

 Monkey uses Rsync to keep the institute's public web site up-to-date.
 

@@ -2011,9 +1975,9 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.
 

 

 

-

-
7.8. Install Unattended Upgrades

-

+

+
7.7. Install Unattended Upgrades

+

 

 The institute prefers to install security updates as soon as possible.
 

@@ -2027,9 +1991,9 @@ The institute prefers to install security updates as soon as possible.
 

 

 

-

-
7.9. Configure User Accounts

-

+
 

-

-
7.10. Install Server Certificate

-

+

+
7.9. Install Server Certificate

+

 

 The servers on Front use the same certificate (and key) to
 authenticate themselves to institute clients.  They share the
@@ -2103,8 +2067,8 @@ readable by root.
 

 

 

-
7.11. Configure Postfix on Front

-

+
7.10. Configure Postfix on Front

+

 

 Front uses Postfix to provide the institute's public SMTP service, and
 uses the institute's domain name for its host name.  The default
@@ -2295,8 +2259,8 @@ start and enable the service.
 

 

 

-
7.12. Configure Public Email Aliases

-

+
7.11. Configure Public Email Aliases

+

 

 The institute's Front needs to deliver email addressed to a number of
 common aliases as well as those advertised on the web site.  System
@@ -2336,9 +2300,9 @@ created by a more specialized role.
 

 

 

-

-
7.13. Configure Dovecot IMAPd

-

+

+
7.12. Configure Dovecot IMAPd

+

 

 Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to
 pick up messages.  Front's Dovecot configuration is largely the Debian
@@ -2408,8 +2372,8 @@ and enables it to start at every reboot.
 

 

 

-
7.14. Configure Apache2 

-

+
7.13. Configure Apache2 

+

 

 This is the small institute's public web site.  It is simple, static,
 and thus (hopefully) difficult to subvert.  There are no server-side
@@ -2439,7 +2403,7 @@ from Qualys SSL Labs (https://www.ssllabs.com
 The apache-ciphers block below is included last in the Apache2
 configuration, so that its SSLCipherSuite directive can override
 (narrow) any list of ciphers set earlier (e.g. by Let's
-Encrypt!3).  The protocols and cipher suites specified here were
+Encrypt!2).  The protocols and cipher suites specified here were
 taken from https://www.ssllabs.com/projects/best-practices in 2022.
 

 
@@ -2801,9 +2765,9 @@ the users' ~/Public/HTML/ directories.
 

 

 

-

-
7.15. Configure OpenVPN

-

+

+
7.14. Configure OpenVPN

+

 

 Front uses OpenVPN to provide the institute's public VPN service.  The
 configuration is straightforward with one complication.  OpenVPN needs
@@ -3000,8 +2964,8 @@ configure the OpenVPN server on Front.
 

 

 

-
7.16. Configure Kamailio

-

+
7.15. Configure Kamailio

+

 

 Front uses Kamailio to provide a SIP service on the public VPN so that
 members abroad can chat privately.  This is a connection-less UDP
@@ -3126,8 +3090,8 @@ Debian install and remote access to a privileged, administrator's
 account.  (For details, see The Core Machine.)
 

 

-

-
8.1. Include Particulars

+

+
8.1. Include Particulars

 

 

 The first task, as in The Front Role, is to include the institute
@@ -3149,8 +3113,8 @@ particulars and membership roll.
 

 

 

-

-
8.2. Configure Hostname

+

+
8.2. Configure Hostname

 

 

 This task ensures that Core's /etc/hostname and /etc/mailname are
@@ -3183,55 +3147,10 @@ proper email delivery.
 

 

 

-

-
8.3. Enable Systemd Resolved

+

+
8.3. Configure Systemd Resolved

 

 

-Core starts the systemd-networkd and systemd-resolved service
-units on boot.  See Enable Systemd Resolved.
-

-
-

-roles_t/core/tasks/main.yml
-- name: Install systemd-resolved.
-  become: yes
-  apt: pkg=systemd-resolved
-  when:
-  - ansible_distribution == 'Debian'
-  - 11 < ansible_distribution_major_version|int
-
-- name: Enable/Start systemd-networkd.
-  become: yes
-  systemd:
-    service: systemd-networkd
-    enabled: yes
-    state: started
-
-- name: Enable/Start systemd-resolved.
-  become: yes
-  systemd:
-    service: systemd-resolved
-    enabled: yes
-    state: started
-
-- name: Link /etc/resolv.conf.
-  become: yes
-  file:
-    path: /etc/resolv.conf
-    src: /run/systemd/resolve/resolv.conf
-    state: link
-    force: yes
-  when:
-  - ansible_distribution == 'Debian'
-  - 12 > ansible_distribution_major_version|int
-

-

-

-

-

-
8.4. Configure Systemd Resolved

-

-

 Core runs the campus name server, so Resolved is configured to use it
 (or dns.google), to include the institute's domain in its search
 list, and to disable its cache and stub listener.
@@ -3273,8 +3192,8 @@ list, and to disable its cache and stub listener.
 

 

 

-
8.5. Configure Netplan

-

+
8.4. Configure Netplan

+

 

 Core's network interface is statically configured using Netplan and an
 /etc/netplan/60-core.yaml file.  That file provides Core's address
@@ -3333,8 +3252,8 @@ fact was an empty hash at first boot on a simulated campus Ethernet.)
 

 

 

-
8.6. Configure DHCP For the Private Ethernet

-

+
8.5. Configure DHCP For the Private Ethernet

+

 

 Core speaks DHCP (Dynamic Host Configuration Protocol) using the
 Internet Software Consortium's DHCP server.  The server assigns unique
@@ -3431,8 +3350,8 @@ with the real private/core-dhcpd.conf
 

 
-

-
8.8. Add Administrator to System Groups

-

+

+
8.7. Add Administrator to System Groups

+

 

 The administrator often needs to read (directories of) log files owned
 by groups root and adm.  Adding the administrator's account to
@@ -3729,9 +3648,9 @@ these groups speeds up debugging.
 

 

 

-

-
8.9. Configure Monkey

-

+

+
8.8. Configure Monkey

+

 

 The small institute runs cron jobs and web scripts that generate
 reports and perform checks.  The un-privileged jobs are run by a
@@ -3797,9 +3716,9 @@ described in *Configure Apache2).
 

 

 

-

-
8.10. Install Unattended Upgrades

-

+

+
8.9. Install Unattended Upgrades

+

 

 The institute prefers to install security updates as soon as possible.
 

@@ -3814,8 +3733,8 @@ The institute prefers to install security updates as soon as possible.
 

 

 

-
8.11. Install Expect

-

+
8.10. Install Expect

+

 

 The expect program is used by The Institute Commands to interact
 with Nextcloud on the command line.
@@ -3830,9 +3749,9 @@ with Nextcloud on the command line.
 

 

 

-

-
8.12. Configure User Accounts

-

+

+
8.11. Configure User Accounts

+

 

 User accounts are created immediately so that backups can begin
 restoring as soon as possible.  The Account Management chapter
@@ -3873,9 +3792,9 @@ describes the members and usernames variables.
 

 

 

-

-
8.13. Install Server Certificate

-

+

+
8.12. Install Server Certificate

+

 

 The servers on Core use the same certificate (and key) to authenticate
 themselves to institute clients.  They share the /etc/server.crt and
@@ -3904,8 +3823,8 @@ themselves to institute clients.  They share the /etc/server.crt and
 

 

 

-
8.14. Install NTP

-

+
8.13. Install NTP

+

 

 Core uses NTP to provide a time synchronization service to the campus.
 The default daemon's default configuration is fine.
@@ -3921,8 +3840,8 @@ The default daemon's default configuration is fine.
 

 

 

-
8.15. Configure Postfix on Core

-

+
8.14. Configure Postfix on Core

+

 

 Core uses Postfix to provide SMTP service to the campus.  The default
 Debian configuration (for an "Internet Site") is nearly sufficient.
@@ -4090,8 +4009,8 @@ enable the service.  Whenever /etc/postfix/transport is changed, the
 

 

 

-
8.16. Configure Private Email Aliases

-

+
8.15. Configure Private Email Aliases

+

 

 The institute's Core needs to deliver email addressed to institute
 aliases including those advertised on the campus web site, in VPN
@@ -4127,9 +4046,9 @@ installed by more specialized roles.
 

 

 

-

-
8.17. Configure Dovecot IMAPd

-

+

+
8.16. Configure Dovecot IMAPd

+

 

 Core uses Dovecot's IMAPd to store and serve member emails.  As on
 Front, Core's Dovecot configuration is largely the Debian default with
@@ -4194,8 +4113,8 @@ and enables it to start at every reboot.
 

 

 

-
8.18. Configure Fetchmail

-

+
8.17. Configure Fetchmail

+

 

 Core runs a fetchmail for each member of the institute.  Individual
 fetchmail jobs can run with the --idle option and thus can
@@ -4372,8 +4291,8 @@ Otherwise the following task might be appropriate.
 

 

 

-
8.19. Configure Apache2 

-

+
8.18. Configure Apache2 

+

 

 This is the small institute's campus web server.  It hosts several web
 sites as described in The Web Services.
@@ -4723,8 +4642,8 @@ The a2ensite command enables them.
 

 

 

-
8.20. Configure Website Updates

-

+
8.19. Configure Website Updates

+

 

 Monkey on Core runs /usr/local/sbin/webupdate every 15 minutes via a
 cron job.  The example script mirrors /WWW/live/ on Core to
@@ -4774,8 +4693,8 @@ provided here.
 

 

 

-
8.21. Configure OpenVPN Connection to Front

-

+
8.20. Configure OpenVPN Connection to Front

+

 

 Core connects to Front's public VPN to provide members abroad with a
 route to the campus networks.  As described in the configuration of
@@ -4896,8 +4815,8 @@ for Core.
 

 

 

-
8.22. Configure NAGIOS

-

+
8.21. Configure NAGIOS

+

 

 Core runs a nagios4 server to monitor "services" on institute hosts.
 The following tasks install the necessary packages and configure the
@@ -4978,8 +4897,8 @@ Core and Campus (and thus Gate) machines.
 

 

 

-
8.22.1. Configure NAGIOS Monitors for Core

-

+
8.21.1. Configure NAGIOS Monitors for Core

+

 

 The first block in nagios.cfg specifies monitors for services on
 Core.  The monitors are simple, local plugins, and the block is very
@@ -5054,8 +4973,8 @@ used here may specify plugin arguments.
 

 

 

-
8.22.2. Custom NAGIOS Monitor inst_sensors

-

+
8.21.2. Custom NAGIOS Monitor inst_sensors

+

 

 The check_sensors plugin is included in the package
 monitoring-plugins-basic, but it does not report any readings.  The
@@ -5166,8 +5085,8 @@ Core.
 

 

 

-
8.22.3. Configure NAGIOS Monitors for Remote Hosts

-

+
8.21.3. Configure NAGIOS Monitors for Remote Hosts

+

 

 The following sections contain code blocks specifying monitors for
 services on other campus hosts.  The NAGIOS server on Core will
@@ -5188,8 +5107,8 @@ on each campus host by the campus role's Configure NRPE
 

 

-
8.22.4. Configure NAGIOS Monitors for Gate

-

+
8.21.4. Configure NAGIOS Monitors for Gate

+

 

 Define the monitored host, gate.  Monitor its response to network
 pings.
@@ -5320,8 +5239,8 @@ Monitor inst_sensors on Gate.
 

 

 

-
8.23. Configure Backups

-

+
8.22. Configure Backups

+

 

 The following task installs the backup script from private/.  An
 example script is provided in here.
@@ -5340,8 +5259,8 @@ example script is provided in here.
 

 

 

-
8.24. Configure Nextcloud

-

+
8.23. Configure Nextcloud

+

 

 Core runs Nextcloud to provide a private institute cloud, as described
 in The Cloud Service.  Installing, restoring (from backup), and
@@ -5352,8 +5271,8 @@ afterwards.
 

 

 

-
8.24.1. Prepare Core For Nextcloud

-

+
8.23.1. Prepare Core For Nextcloud

+

 

 The Ansible code contained herein prepares Core to run Nextcloud by
 installing required software packages, configuring the web server, and
@@ -5546,7 +5465,7 @@ created manually.
 The following task would work (mysql_user supports
 check_implicit_admin) but the nextcloud database was not created
 above.  Thus both database and user are created manually, with SQL
-given in the 8.24.5 subsection below, before occ
+given in the 8.23.5 subsection below, before occ
 maintenance:install can run.
 

 
@@ -5585,8 +5504,8 @@ its document root.
 

 

 

-
8.24.2. Configure PHP

-

+
8.23.2. Configure PHP

+

 

 The following tasks set a number of PHP parameters for better
 performance, as recommended by Nextcloud.
@@ -5640,8 +5559,8 @@ performance, as recommended by Nextcloud.
 

 

 

-
8.24.3. Create /Nextcloud/

-

+
8.23.3. Create /Nextcloud/

+

 

 The Ansible tasks up to this point have completed Core's LAMP stack
 and made Core ready to run Nextcloud, but they have not installed
@@ -5699,8 +5618,8 @@ sudo mount /Nextcloud
 

 

 

-
8.24.4. Restore Nextcloud

-

+
8.23.4. Restore Nextcloud

+

 

 Restoring Nextcloud in the newly created /Nextcloud/ presumably
 starts with plugging in the portable backup drive and unlocking it so
@@ -5751,8 +5670,8 @@ Overview web page.
 

 

 

-
8.24.5. Install Nextcloud

-

+
8.23.5. Install Nextcloud

+

 

 Installing Nextcloud in the newly created /Nextcloud/ starts with
 downloading and verifying a recent release tarball.  The following
@@ -5823,8 +5742,8 @@ Administration > Overview page.
 

 

 

-
8.24.6. Afterwards

-

+
8.23.6. Afterwards

+

 

 Whether Nextcloud was restored or installed, there are a few things
 Ansible can do to bolster reliability and security (aka privacy).
@@ -6034,8 +5953,8 @@ applied first, by which Gate gets a campus machine's DNS and Postfix
 configurations, etc.
 

 

-

-
9.1. Include Particulars

+

+
9.1. Include Particulars

 

 

 The following should be familiar boilerplate by now.
@@ -6409,8 +6328,8 @@ the daemon listens only on the Gate-WiFi network interface.
 

 

 

-

-
9.6. Install Server Certificate

+

+
9.6. Install Server Certificate

 

 

 The (OpenVPN) server on Gate uses an institute certificate (and key)
@@ -6437,8 +6356,8 @@ and Front) do.
 

 

 

-

-
9.7. Configure OpenVPN

+

+
9.7. Configure OpenVPN

 

 

 Gate uses OpenVPN to provide the institute's campus VPN service.  Its
@@ -6601,8 +6520,8 @@ Wireless campus devices can get a key to the campus VPN from the
 configured manually.
 

 

-

-
10.1. Include Particulars

+

+
10.1. Include Particulars

 

 

 The following should be familiar boilerplate by now.
@@ -6618,8 +6537,8 @@ The following should be familiar boilerplate by now.
 

 

 

-

-
10.2. Configure Hostname

+

+
10.2. Configure Hostname

 

 

 Clients should be using the expected host name.
@@ -6646,55 +6565,10 @@ Clients should be using the expected host name.
 

 

 

-

-
10.3. Enable Systemd Resolved

+

+
10.3. Configure Systemd Resolved

 

 

-Campus machines start the systemd-networkd and systemd-resolved
-service units on boot.  See Enable Systemd Resolved.
-

-
-

-roles_t/campus/tasks/main.yml
-- name: Install systemd-resolved.
-  become: yes
-  apt: pkg=systemd-resolved
-  when:
-  - ansible_distribution == 'Debian'
-  - 11 < ansible_distribution_major_version|int
-
-- name: Enable/Start systemd-networkd.
-  become: yes
-  systemd:
-    service: systemd-networkd
-    enabled: yes
-    state: started
-
-- name: Enable/Start systemd-resolved.
-  become: yes
-  systemd:
-    service: systemd-resolved
-    enabled: yes
-    state: started
-
-- name: Link /etc/resolv.conf.
-  become: yes
-  file:
-    path: /etc/resolv.conf
-    src: /run/systemd/resolve/resolv.conf
-    state: link
-    force: yes
-  when:
-  - ansible_distribution == 'Debian'
-  - 12 > ansible_distribution_major_version|int
-

-

-

-

-

-
10.4. Configure Systemd Resolved

-

-

 Campus machines use the campus name server on Core (or dns.google),
 and include the institute's private domain in their search lists.
 

@@ -6733,8 +6607,8 @@ and include the institute's private domain in their search lists.
 

 

 

-
10.5. Configure Systemd Timesyncd

-

+
10.4. Configure Systemd Timesyncd

+

 

 The institute uses a common time reference throughout the campus.
 This is essential to campus security, improving the accuracy of log
@@ -6763,9 +6637,9 @@ and file timestamps.
 

 

 

-

-
10.6. Add Administrator to System Groups

-

+

+
10.5. Add Administrator to System Groups

+

 

 The administrator often needs to read (directories of) log files owned
 by groups root and adm.  Adding the administrator's account to
@@ -6784,9 +6658,9 @@ these groups speeds up debugging.
 

 

 

-

-
10.7. Install Unattended Upgrades

-

+

+
10.6. Install Unattended Upgrades

+

 

 The institute prefers to install security updates as soon as possible.
 

@@ -6801,8 +6675,8 @@ The institute prefers to install security updates as soon as possible.
 

 

 

-
10.8. Configure Postfix on Campus

-

+
10.7. Configure Postfix on Campus

+

 

 The Postfix settings used by the campus include message size, queue
 times, and the relayhost Core.  The default Debian configuration
@@ -6866,8 +6740,8 @@ tasks below.
 

 

 

-
10.9. Hard-wire Important IP Addresses

-

+
10.8. Hard-wire Important IP Addresses

+

 

 For the edification of programs consulting the /etc/hosts file, the
 institute's domain name and public IP address are added.  The Debian
@@ -6895,8 +6769,8 @@ custom of translating the host name into 127.0.1.1 is also followed
 

 

 

-
10.10. Configure NRPE

-

+
10.9. Configure NRPE

+

 

 Each campus host runs an NRPE (a NAGIOS Remote Plugin Executor)
 server so that the NAGIOS4 server on Core can collect statistics.  The
@@ -7565,7 +7439,7 @@ records.  The mapping is stored among other things in
 

 A new member's record in the members mapping will have the status
 key value current.  That key gets value former when the member
-leaves.4  Access by former members is revoked by invalidating the
+leaves.3  Access by former members is revoked by invalidating the
 Unix account passwords, removing any authorized SSH keys from Front
 and Core, and disabling their VPN certificates.
 

@@ -8439,7 +8313,7 @@ but a private address on the NAT network premises.  Thus fron
 not accessible to the administrator's notebook (the host).  To work
 around this restriction, front gets a second network interface
 connected to the vboxnet1 network and used only for ssh access from
-the host.5
+the host.4
 

 
 

@@ -9243,7 +9117,7 @@ code skips parts of the Nextcloud configuration.  The same
 installation (or restoration) process used on Core is used on core
 to create /Nextcloud/.  The process starts with Create
 /Nextcloud/, involves Restore Nextcloud or Install Nextcloud,
-and runs ./inst config core again 8.24.6.  When the ./inst
+and runs ./inst config core again 8.23.6.  When the ./inst
 config core command is happy with the Nextcloud configuration on
 core, the administrator uses Dick's notebook to test it, performing
 the following tests on dick's desktop.
@@ -9712,25 +9586,18 @@ DNS). https://www.rf
 

 
 
2 

-Why not create a role named all and put these tasks that are
-the same on all machines in that role?  If there were more than a
-stable handful, and no tangling mechanism to do the duplication, a
-catch-all role would be a higher priority.
-

-
-
3 

 The cipher set specified by Let's Encrypt is large enough to
 turn orange many parts of an SSL Report from Qualys SSL Labs.
 

 
-
4 

+
3 

 Presumably, eventually, a former member's home directories are
 archived to external storage, their other files are given new
 ownerships, and their Unix accounts are deleted.  This has never been
 done, and is left as a manual exercise.
 

 
-
5 

+
4 

 Front is accessible via Gate but routing from the host address
 on vboxnet0 through Gate requires extensive interference with the
 routes on Front and Gate, making the simulation less… similar.
@@ -9741,7 +9608,7 @@ routes on Front and Gate, making the simulation less… similar.
 

 

 
Author: Matt Birkholz

-
Created: 2024-02-26 Mon 19:42

+
Created: 2024-02-26 Mon 21:58

 
Validate