From: Matt Birkholz
+= _|||_ =-The-Institute-= @@ -1014,7 +1014,7 @@ example result follows the code.-+-=> 10.62.17.0/24
@@ -1429,7 +1429,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a campground Wi-Fi access point, etc. -+=============== | ================================================== | Premises (Campus ISP) @@ -1452,7 +1452,7 @@ This avoids the need for a second Wi-Fi access point and leads to the following topology. -+=============== | ================================================== | Premises (House ISP) @@ -1624,8 +1624,8 @@ uses the institute's CA and server certificates, and expects client certificates signed by the institute CA.--6.1. Include Particulars
++6.1. Include Particulars
The
front
role's tasks contain references to several common @@ -1657,8 +1657,8 @@ The code block below is the first to tangle into-6.2. Configure Hostname
++-6.2. Configure Hostname
--6.4. Add Administrator to System Groups
++6.4. Add Administrator to System Groups
The administrator often needs to read (directories of) log files owned @@ -1842,8 +1842,8 @@ those stored in
Secret/ssh_front/etc/ssh/--6.6. Configure Monkey
++6.6. Configure Monkey
The small institute runs cron jobs and web scripts that generate @@ -1899,8 +1899,8 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.
--6.8. Install Unattended Upgrades
++6.8. Install Unattended Upgrades
The institute prefers to install security updates as soon as possible. @@ -1915,8 +1915,8 @@ The institute prefers to install security updates as soon as possible.
--6.9. Configure User Accounts
++6.9. Configure User Accounts
User accounts are created immediately so that Postfix and Dovecot can @@ -1959,8 +1959,8 @@ recipient" replies. The Account Management chapter de
--6.10. Trust Institute Certificate Authority
++6.10. Trust Institute Certificate Authority
Front should recognize the institute's Certificate Authority as @@ -1992,8 +1992,8 @@ X.509 certificates is available in Keys.
--6.11. Install Server Certificate
++6.11. Install Server Certificate
The servers on Front use the same certificate (and key) to @@ -2257,8 +2257,8 @@ created by a more specialized role.
--6.14. Configure Dovecot IMAPd
++6.14. Configure Dovecot IMAPd
Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to @@ -2722,8 +2722,8 @@ the users'
~/Public/HTML/directories.-6.16. Configure OpenVPN
++6.16. Configure OpenVPN
-Front uses OpenVPN to provide the institute's public VPN service. The @@ -3047,8 +3047,8 @@ Debian install and remote access to a privileged, administrator's account. (For details, see The Core Machine.)
--7.1. Include Particulars
++7.1. Include Particulars
The first task, as in The Front Role, is to include the institute @@ -3070,8 +3070,8 @@ particulars and membership roll.
--7.2. Configure Hostname
++7.2. Configure Hostname
This task ensures that Core's
/etc/hostnameand/etc/mailnameare @@ -3104,8 +3104,8 @@ proper email delivery.--7.3. Enable Systemd Resolved
++7.3. Enable Systemd Resolved
Core starts the
systemd-networkd
andsystemd-resolved
service @@ -3149,8 +3149,8 @@ units on boot. See Enable Systemd Resolved.--7.4. Configure Systemd Resolved
++7.4. Configure Systemd Resolved
Core runs the campus name server, so Resolved is configured to use it @@ -3617,8 +3617,8 @@ craps up
/var/log/and the Systemd journal.--7.8. Add Administrator to System Groups
++7.8. Add Administrator to System Groups
The administrator often needs to read (directories of) log files owned @@ -3638,8 +3638,8 @@ these groups speeds up debugging.
--7.9. Configure Monkey
++7.9. Configure Monkey
The small institute runs cron jobs and web scripts that generate @@ -3739,8 +3739,8 @@ with Nextcloud on the command line.
--7.12. Configure User Accounts
++7.12. Configure User Accounts
User accounts are created immediately so that backups can begin @@ -3782,8 +3782,8 @@ describes the
members
andusernames
variables.--7.13. Trust Institute Certificate Authority
++7.13. Trust Institute Certificate Authority
Core should recognize the institute's Certificate Authority as @@ -3815,8 +3815,8 @@ X.509 certificates is available in Keys.
--7.14. Install Server Certificate
++7.14. Install Server Certificate
The servers on Core use the same certificate (and key) to authenticate @@ -4069,8 +4069,8 @@ installed by more specialized roles.
-7.18. Configure Dovecot IMAPd
++7.18. Configure Dovecot IMAPd
-Core uses Dovecot's IMAPd to store and serve member emails. As on @@ -5954,8 +5954,8 @@ applied first, by which Gate gets a campus machine's DNS and Postfix configurations, etc.
--8.1. Include Particulars
++8.1. Include Particulars
The following should be familiar boilerplate by now. @@ -6329,8 +6329,8 @@ the daemon listens only on the Gate-WiFi network interface.
--8.6. Install Server Certificate
++8.6. Install Server Certificate
The (OpenVPN) server on Gate uses an institute certificate (and key) @@ -6357,8 +6357,8 @@ and Front) do.
-8.7. Configure OpenVPN
++8.7. Configure OpenVPN
-Gate uses OpenVPN to provide the institute's campus VPN service. Its @@ -6521,8 +6521,8 @@ Wireless campus devices can get a key to the campus VPN from the configured manually.
--9.1. Include Particulars
++9.1. Include Particulars
The following should be familiar boilerplate by now. @@ -6538,8 +6538,8 @@ The following should be familiar boilerplate by now.
--9.2. Configure Hostname
++9.2. Configure Hostname
Clients should be using the expected host name. @@ -6572,8 +6572,8 @@ Clients should be using the expected host name.
--9.3. Enable Systemd Resolved
++9.3. Enable Systemd Resolved
Campus machines start the
systemd-networkd
andsystemd-resolved
@@ -6617,8 +6617,8 @@ service units on boot. See Enable Systemd Resolved.--9.4. Configure Systemd Resolved
++9.4. Configure Systemd Resolved
Campus machines use the campus name server on Core (or
dns.google
), @@ -6689,8 +6689,8 @@ and file timestamps.--9.6. Add Administrator to System Groups
++9.6. Add Administrator to System Groups
The administrator often needs to read (directories of) log files owned @@ -6710,8 +6710,8 @@ these groups speeds up debugging.
--9.7. Trust Institute Certificate Authority
++9.7. Trust Institute Certificate Authority
Campus hosts should recognize the institute's Certificate Authority as @@ -6743,8 +6743,8 @@ keys, certificates and passwords, see Keys.)
-9.8. Install Unattended Upgrades
++-9.8. Install Unattended Upgrades
The institute prefers to install security updates as soon as possible. @@ -9687,7 +9687,7 @@ routes on Front and Gate, making the simulation less… similar.
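Review bot: In the section-heading hunks (6.1 through 9.8) the removed and added heading lines read the same in the text shown here, for example "6.1. Include Particulars" and "7.13. Trust Institute Certificate Authority", so the actual difference is not visible on this page. If it is only in the heading markup, the commit message should say so, so that a reader does not go through some forty hunks looking for a content change. The 6.16, 7.18 and 8.7 hunks additionally mark the first paragraph line as removed ("-Front uses OpenVPN to provide the institute's public VPN service."), with the added side not visible here. Please confirm that the paragraph text in those three sections, which describe the OpenVPN and Dovecot services, is unchanged and that only the markup moved.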