From: Matt Birkholz Date: Tue, 27 Feb 2024 03:04:53 +0000 (-0700) Subject: Wordsmithing. Merge Institute. Fix bad syntax from 332654c. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=aa542331cec77cae1b19ed7ce6cda9c037fff815;p=Network Wordsmithing. Merge Institute. Fix bad syntax from 332654c. Update the Connect to Cloister VPN section per recent experience with a Raspberry Pi OS Bookworm desktop. --- diff --git a/Institute b/Institute index fc757e9..fca64b1 160000 --- a/Institute +++ b/Institute @@ -1 +1 @@ -Subproject commit fc757e938e48de0c563667a47c7a509eb31fb3ef +Subproject commit fca64b12defac256c824af647dfc0200d608aec6 diff --git a/README.org b/README.org index 79059b1..19555ee 100644 --- a/README.org +++ b/README.org @@ -793,7 +793,8 @@ In this abbey specific document, most abbey particulars are not replaced with variables, but specified in-line. Some, however, are private (e.g. database passwords), not to be published in this document, and so replaced with variables set in -=private/vars-abbey.yml=. +=private/vars-abbey.yml=. The file path is relative to the playbook's +directory, =playbooks/=. #+CAPTION: =roles_t/abbey-core/tasks/main.yml= #+BEGIN_SRC conf :tangle roles_t/abbey-core/tasks/main.yml :mkdirp yes @@ -802,9 +803,6 @@ document, and so replaced with variables set in include_vars: ../private/vars-abbey.yml #+END_SRC -The filename used above is interpreted relative to the playbook's -directory, =playbooks/=. - ** Install Additional Packages The scripts that maintain the abbey's web site and run the Weather @@ -815,8 +813,8 @@ Weather scripts use ~mit-scheme~ and ~gnuplot~ (in pseudonymous packages). #+CAPTION: =roles_t/abbey-core/tasks/main.yml= -#+BEGIN_SRC conf :tangle roles_t/abbey-core/tasks/main.yml :mkdirp yes ---- +#+BEGIN_SRC conf :tangle roles_t/abbey-core/tasks/main.yml + - name: Install additional packages. apt: pkg: [ libhtml-tree-perl, libjs-jquery, mit-scheme, gnuplot ] 
@@ -1207,7 +1205,7 @@ define service { } #+END_SRC -*** NAGIOS Monitoring of Kamino +*** NAGIOS Monitoring of Kamino #+CAPTION: =roles_t/abbey-core/templates/nagios-kamino.cfg= #+BEGIN_SRC conf :tangle roles_t/abbey-core/templates/nagios-kamino.cfg @@ -2025,7 +2023,8 @@ described in the final section, [[*Configure Cameras][Configure Cameras]], below ** Include Abbey Variables Private variables in =private/vars-abbey.yml= are needed, and included -here, as in the ~abbey-core~ role. +here, as in the ~abbey-core~ role. The file path is relative to the +playbook's directory, =playbooks/=. #+CAPTION: =roles_t/abbey-dvr/tasks/main.yml= #+BEGIN_SRC conf :tangle roles_t/abbey-dvr/tasks/main.yml :mkdirp yes @@ -2034,9 +2033,6 @@ here, as in the ~abbey-core~ role. include_vars: ../private/vars-abbey.yml #+END_SRC -The relative filename should be found only in the playbook's -directory, =playbooks/=. - ** Install Zoneminder v1.34 The latest version of Zoneminder (1.36) was manually downloaded, built @@ -2375,7 +2371,8 @@ machine simply by adding it to the ~tvrs~ group. ** Include Abbey Variables Private variables in =private/vars-abbey.yml= are needed, as in the -~abbey-core~ role. +~abbey-core~ role. The file path is relative to the playbook's +directory, =playbooks/=. #+CAPTION: =roles_t/abbey-tvr/tasks/main.yml= #+BEGIN_SRC conf :tangle roles_t/abbey-tvr/tasks/main.yml :mkdirp yes @@ -2384,9 +2381,6 @@ Private variables in =private/vars-abbey.yml= are needed, as in the include_vars: ../private/vars-abbey.yml #+END_SRC -The relative filename should be found only in the playbook's -directory, =playbooks/=. - ** Install MythTV Build Requisites A number of developer packages are needed to build MythTV. The wiki @@ -3205,7 +3199,7 @@ institutional roles, then the liturgical roles. hosts: gate roles: [ gate ] -- name: Configure Campus +- name: Configure Cloister hosts: campus roles: [ campus, abbey-cloister ] 
@@ -3510,7 +3504,8 @@ given a private domain name as described in the following steps. - [[*Create Wired Domain Name][Create Wired Domain Name]] Wireless IoT devices are manually configured with the cloister Wi-Fi -password and may be given a private domain name as described here. +password and may be given a private domain name as described in the +last step: - [[*Create Wireless Domain Name][Create Wireless Domain Name]] @@ -3772,11 +3767,12 @@ ping -c1 192.168.10.225 ** Connect to Cloister VPN -Wireless devices connected to the cloister Wi-Fi will get an IP -address on the access point's local network and a default route to the -Internet, per the default configuration of a commodity cable modem -with Wi-Fi access point included. Access to further abbey resources, -however, is possible only via the cloister VPN. +Wireless devices (with the cloister Wi-Fi password) can get an IP +address and a default route to the Internet with no special +configuration. Neither said devices /nor/ the access point require +special configuration. Any Wi-Fi access point, e.g. as found in a +cable modem, will work with zero configuration. The abbey's networks, +however, are /not/ accessible except via the cloister VPN. Connections to the cloister VPN are authorized by OpenVPN configuration (=.ovpn=) files generated by the ~./abbey client...~ 
@@ -3790,26 +3786,27 @@ Wireless Debian servers (without NetworkManager) are connected to the cloister VPN via the following process. - Create a new client certificate and OpenVPN configuration for the - new campus server. - - Copy the =campus.ovpn= file to =/etc/openvpn/cloister.conf=. - - In a secure shell session on the new machine as ~sysadm~: - - Install the ~openvpn~ and ~openvpn-systemd-resolved~ software - packages. - - Start the SystemD service unit. - - Test the connection (and name resolution). - - Enable the SystemD service unit. - - Clean up secrets on the new machine. - - Clean up secrets on the administrator's machine. - -And these are the commands. + new abbey server. + - Copy the =campus.ovpn= file to the new machine. + - On the new machine: + - Install the ~openvpn-systemd-resolved~ package. + - Copy =campus.ovpn= to =/etc/openvpn/cloister.conf=. + - Start the OpenVPN service. + - Check that the cloister VPN was connected. + - Logout and unplug the cloister Ethernet. + - Test the cloister VPN connection (and private name resolution) + with ~ping -c1 core~. + +And these are the commands: #+BEGIN_SRC sh ./abbey client campus new scp campus.ovpn sysadm@new-w: ssh sysadm@new-w -sudo apt install openvpn openvpn-systemd-resolved -( cd; umask 077; sudo cp campus.ovpn /etc/openvpn/cloister.conf ) +sudo apt install openvpn-systemd-resolved +sudo cp campus.ovpn /etc/openvpn/cloister.conf sudo systemctl start openvpn@cloister +systemctl status openvpn@cloister ping -c1 core sudo systemctl enable openvpn@cloister rm campus.ovpn 
@@ -3817,50 +3814,110 @@ logout rm campus.ovpn #+END_SRC +It may be necessary to reboot before the final tests. + *** Debian Desktops -Wireless Debian desktop machines (both PCs and Pis, running -NetworkManager) and are connected to the cloister VPN via the -following process. Note that they do not appear in the set of -~campus~ hosts and are not configured by Ansible. They do not appear -in Ansible's host inventory at all unless the desktop owner is willing -to provide the password to a privileged account on their machine. +Wireless Debian desktops (with NetworkManager) include our 8GB Core i3 +NUC (Intel®'s Next Unit of Computing) and our 8GB Raspberry Pi 4. +They run the Pop!_OS and Raspberry Pi OS desktops respectively. They +are connected to the cloister VPN via the following process. - - Create a new client certificate and campus/public OpenVPN - configurations for the new abbey desktop. - - Copy the =campus.ovpn= and =public.ovpn= files to the new desktop. - - Install the ~openvpn~, ~openvpn-systemd-resolved~ and - ~network-manager-openvpn-gnome~ packages on the new desktop. + - Create a new client certificate and OpenVPN configuration for the + new abbey desktop, a =campus.ovpn= file. + - Create a =wifi= file that looks like this (assuming the wireless + network device is named ~wlan0~). + + : auto wlan0 + : iface wlan0 inet dhcp + : wpa-ssid "Birchwood Abbey" + : wpa-psk "PASSWORD" + + - Copy the =wifi= and =campus.ovpn= files to the new machine. + - On the new machine: + - Install the ~openvpn-systemd-resolved~ package. + - Copy =wifi= to =/etc/network/interfaces.d/=. + - Bring up the Wi-Fi interface. + - Copy =campus.ovpn= to =/etc/openvpn/cloister.conf=. + - Start the OpenVPN service. + - Check that the cloister VPN was connected. + - Logout and unplug the cloister Ethernet. + - Test the cloister VPN connection (and private name resolution) + with ~ping -c1 core~. 
+ +And these are the commands: + +#+BEGIN_SRC sh +./abbey client campus new +scp wifi campus.ovpn sysadm@new-w: +ssh sysadm@new-w +sudo apt install openvpn-systemd-resolved +sudo cp wifi /etc/network/interfaces.d/ +sudo ifup wlan0 +sudo cp campus.ovpn /etc/openvpn/cloister.conf +sudo systemctl start openvpn@cloister +systemctl status openvpn@cloister +ping -c1 core +sudo systemctl enable openvpn@cloister +rm wifi campus.ovpn +logout +rm wifi campus.ovpn +#+END_SRC + +It may be necessary to reboot before the final tests. + +As configured above, the wireless Debian desktops make automatic, +persistent connections to the cloister Wi-Fi and VPN, and so can be +used much like a wired desktop machine. They are typically connected +to a large TV and auto-login to an unprivileged account named ~house~, +i.e. anyone in the house. + +*** Private Desktops + +Member notebooks are private machines not remotely administered by the +abbey. These machines roam, and so are authorized to connect to the +cloister VPN or the public VPN. This is how they are connected to the +VPNs: + + - Create a new client certificate and OpenVPN configurations for the + new abbey desktop, =campus.ovpn= and =public.ovnp= files. + - Copy the =campus.ovpn= and =public.ovpn= files to the new machine. + - On the new machine: + - Install the ~openvpn-systemd-resolved~ and + ~network-manager-openvpn-gnome~ packages. - Open the desktop Settings > Network > VPN + > Import from file... and choose =~/campus.ovpn=. - Open the Routes dialogues for both IPv4 and IPv6 and choose "Use this connection only for resources on its network.". - Save the new VPN. - Do the same with the =~/public.ovpn= file. - - Connected the cloister VPN and test it with ~ping -c1 core~. - - Expunge the =~/campus.ovpn= and =~/public.ovpn= just as the system - administrator will have already done. - -And these are the commands, assuming there is a privileged ~sysadm~ -account available on the new desktop machine. 
- -#+BEGIN_SRC sh -./abbey client debian dicks-notebook dick -scp campus.ovpn public.ovpn sysadm@dicks-notebook.lan: -rm campus.ovpn public.ovpn -ssh sysadm@dicks-notebook.lan -sudo apt install openvpn openvpn-systemd-resolved \ - network-manager-openvpn-gnome -ping -c1 core.small.private. -#+END_SRC - -Note that Dick's notebook does not need to connect to the cloister -Ethernet. It is authorized simply by copying the =.ovpn= files -securely (e.g. using ~ssh~) to a local domain name provided by the -Wi-Fi AP (~dicks-notebook.lan~). If the AP does not provide a local -domain name, the machine's Wi-Fi IP address, -e.g. ~sysadm@192.168.10.225~, can be used instead. (This IP address -is often revealed in the desktop network settings.) + - Connect the appropriate VPN and test it (and private name + resolution) with ~ping -c1 core~. + - Expunge (delete /and/ empty the trash) the =~/campus.ovpn= and + =~/public.ovpn= files. + +We assume the desktop is running NetworkManager, which is the case in +all our Debian desktops from Pop!_OS and Ubuntu to Mint and Raspberry +Pi OS. + +Note that a new member's notebook does not need to be patched to the +cloister Ethernet nor connected to the cloister Wi-Fi. It can be +authorized "remotely" simply by copying the =.ovpn= files securely, +e.g. using ~ssh~ to any "known host" on the Internet. + +The members of [[file:Institute/README.org][A Small Institute]] are peers, and enjoy complete, +individual privacy. The administrator does /not/ expect to have "root +access" to members' machines, their desktops, personal diaries and +photos. The monks of the abbey are brothers, and tolerate a little +less than complete individual privacy (still expecting all necessary +and appropriate privacy, being in a position to punish deviants). + +Our private notebooks are included in the Ansible inventory, mainly so +they can be included in the weekly (or more frequent!) network +upgrades. 
The ~campus~ and ~abbey-cloister~ roles are not applied +though their Postfix and other configurations are recommended. Remote +access by the administrator is authorized and the privileged account's +password is included in =Secret/become.yml=. *** Android diff --git a/playbooks/site.yml b/playbooks/site.yml index a1d9059..45daa90 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml @@ -11,7 +11,7 @@ hosts: gate roles: [ gate ] -- name: Configure Campus +- name: Configure Cloister hosts: campus roles: [ campus, abbey-cloister ] diff --git a/roles_t/abbey-core/tasks/main.yml b/roles_t/abbey-core/tasks/main.yml index eb9fcce..7e64635 100644 --- a/roles_t/abbey-core/tasks/main.yml +++ b/roles_t/abbey-core/tasks/main.yml @@ -1,4 +1,7 @@ --- +- name: Include private abbey variables. + include_vars: ../private/vars-abbey.yml + - name: Install additional packages. apt: pkg: [ libhtml-tree-perl, libjs-jquery, mit-scheme, gnuplot ]
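Review bot: in the README.org hunk at @@ -815 (the "Install Additional Packages" block), dropping the second `---` is the right fix for the 332654c breakage: two source blocks tangle into the same roles_t/abbey-core/tasks/main.yml, and only the first may carry the YAML document marker, which the tangled roles_t/abbey-core/tasks/main.yml hunk at the end of this patch now shows (one `---`, then the include_vars task, then the apt task). Removing `:mkdirp yes` from the second block is harmless because the first block for that file (visible in the @@ -793 context) keeps it, but it does make the second block depend on the first having been tangled.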
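Review bot: the rewritten opening of "Connect to Cloister VPN" (hunk @@ -3772) says the same thing three times: that the devices need no special configuration, that neither the devices nor the access point need special configuration, and that any access point works with zero configuration. Suggest collapsing to one sentence, e.g. "Wireless devices (with the cloister Wi-Fi password) get an IP address and a default route to the Internet from any commodity Wi-Fi access point, with no special configuration on either side." and then keeping the sentence that the abbey's networks are reachable only via the cloister VPN, which is the point the section needs.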
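Review bot: in the Debian Servers hunk (@@ -3790), replacing `( cd; umask 077; sudo cp campus.ovpn /etc/openvpn/cloister.conf )` with a bare `sudo cp campus.ovpn /etc/openvpn/cloister.conf` removes the only thing that kept the client's credentials out of a world-readable file: cp creates a new destination with the source's mode masked by the caller's umask, so unless campus.ovpn arrived via scp as 0600 the new /etc/openvpn/cloister.conf is readable by every local account, and the later `rm campus.ovpn` does not help. Suggest `sudo install -m 600 campus.ovpn /etc/openvpn/cloister.conf`, which does not depend on the source file's mode. Dropping `openvpn` from the apt line is fine, since openvpn-systemd-resolved depends on it. Separately, the new bullet list puts "Logout and unplug the cloister Ethernet" before the `ping -c1 core` test, while the command block runs `ping -c1 core` and `systemctl enable` before `logout`; one of the two should be reordered so the prose and the script agree on when the Ethernet is unplugged, since a ping that succeeds while still patched in does not prove the VPN path works.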
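Review bot: in the Debian Desktops / Private Desktops hunk (@@ -3817), the new =wifi= file carries the cloister PSK in clear (`wpa-psk "PASSWORD"`) and is installed with `sudo cp wifi /etc/network/interfaces.d/`, so it has the same mode problem as cloister.conf: the copy in /etc/network/interfaces.d/ keeps the source's mode and is likely world-readable, while the `rm wifi` steps only remove the spare copies. ifupdown reads that directory as root, so `sudo install -m 600 wifi /etc/network/interfaces.d/wifi` would work and keep the PSK private; the same applies to the `sudo cp campus.ovpn /etc/openvpn/cloister.conf` line in this block. The heading says these desktops run NetworkManager, yet wlan0 is now configured through ifupdown, so it is worth one sentence stating that NetworkManager must leave ifupdown-managed interfaces alone on these machines (otherwise the two will contend for wlan0), which is what makes "automatic, persistent connections" hold. The list-versus-commands ordering of "Logout and unplug the cloister Ethernet" and `ping -c1 core` is inconsistent here exactly as in the servers block. Finally, in the Private Desktops list, `=public.ovnp=` should be `=public.ovpn=`, matching the next bullet.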