From: Matt Birkholz <matt@birchwood-abbey.net>
Date: Sun, 21 Apr 2024 20:40:43 +0000 (-0600)
Subject: Update README.html.
X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=ad9028a5ec54fb571ab7d99254722c12a4dbaefc;p=Institute

Update README.html.
---

diff --git a/README.html b/README.html
index 7208837..9368486 100644
--- a/README.html
+++ b/README.html
@@ -3,7 +3,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2024-04-03 Wed 11:00 -->
+<!-- 2024-04-21 Sun 14:40 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>A Small Institute</title>
@@ -48,7 +48,7 @@ connects to Front making the institute email, cloud, etc. available to
 members off campus.
 </p>
 
-<pre class="example" id="orgf7cca3e">
+<pre class="example" id="org9c367ba">
                 =                                                   
               _|||_                                                 
         =-The-Institute-=                                           
@@ -1022,7 +1022,7 @@ example result follows the code.
 </pre>
 </div>
 
-<div class="TEXT" id="org80ad917">
+<div class="TEXT" id="org10a0f5d">
 <p>
 =&gt; 10.62.17.0/24
 </p>
@@ -1475,7 +1475,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a
 campground Wi-Fi access point, etc.</li>
 </ol>
 
-<pre class="example" id="orgf915d51">
+<pre class="example" id="org68b3f43">
 =============== | ==================================================
                 |                                           Premises
           (Campus ISP)                                              
@@ -1498,7 +1498,7 @@ This avoids the need for a second Wi-Fi access point and leads to the
 following topology.
 </p>
 
-<pre class="example" id="org9bcafc4">
+<pre class="example" id="orgb83deda">
 =============== | ==================================================
                 |                                           Premises
            (House ISP)                                              
@@ -1651,8 +1651,8 @@ The <code>all</code> role contains tasks that are executed on all of the
 institute's servers.  At the moment there is just the one.
 </p>
 </div>
-<div id="outline-container-org88e2a87" class="outline-3">
-<h3 id="org88e2a87"><span class="section-number-3">6.1.</span> Include Particulars</h3>
+<div id="outline-container-org0fcff87" class="outline-3">
+<h3 id="org0fcff87"><span class="section-number-3">6.1.</span> Include Particulars</h3>
 <div class="outline-text-3" id="text-6-1">
 <p>
 The <code>all</code> role's task contains a reference to a common institute
@@ -1793,8 +1793,8 @@ uses the institute's CA and server certificates, and expects client
 certificates signed by the institute CA.
 </p>
 </div>
-<div id="outline-container-org9ed2166" class="outline-3">
-<h3 id="org9ed2166"><span class="section-number-3">7.1.</span> Include Particulars</h3>
+<div id="outline-container-orgcbd54ab" class="outline-3">
+<h3 id="orgcbd54ab"><span class="section-number-3">7.1.</span> Include Particulars</h3>
 <div class="outline-text-3" id="text-7-1">
 <p>
 The first task, as in <a href="#orgd60dcd1">The All Role</a>, is to include the institute
@@ -1819,8 +1819,8 @@ membership roll, so these are included was well.
 </div>
 </div>
 </div>
-<div id="outline-container-org667399b" class="outline-3">
-<h3 id="org667399b"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
+<div id="outline-container-orgef26e47" class="outline-3">
+<h3 id="orgef26e47"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
 <div class="outline-text-3" id="text-7-2">
 <p>
 This task ensures that Front's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
@@ -1850,8 +1850,8 @@ delivery.
 </div>
 </div>
 </div>
-<div id="outline-container-orgbeed30e" class="outline-3">
-<h3 id="orgbeed30e"><span class="section-number-3">7.3.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org1d7831c" class="outline-3">
+<h3 id="org1d7831c"><span class="section-number-3">7.3.</span> Add Administrator to System Groups</h3>
 <div class="outline-text-3" id="text-7-3">
 <p>
 The administrator often needs to read (directories of) log files owned
@@ -1910,8 +1910,8 @@ those stored in <a href="Secret/ssh_front/etc/ssh/"><q>Secret/ssh_front/etc/ssh/
 </div>
 </div>
 </div>
-<div id="outline-container-org2dfafe1" class="outline-3">
-<h3 id="org2dfafe1"><span class="section-number-3">7.5.</span> Configure Monkey</h3>
+<div id="outline-container-orgf602306" class="outline-3">
+<h3 id="orgf602306"><span class="section-number-3">7.5.</span> Configure Monkey</h3>
 <div class="outline-text-3" id="text-7-5">
 <p>
 The small institute runs cron jobs and web scripts that generate
@@ -1967,8 +1967,8 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.
 </div>
 </div>
 </div>
-<div id="outline-container-orge76bee7" class="outline-3">
-<h3 id="orge76bee7"><span class="section-number-3">7.7.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-orgfb6d583" class="outline-3">
+<h3 id="orgfb6d583"><span class="section-number-3">7.7.</span> Install Unattended Upgrades</h3>
 <div class="outline-text-3" id="text-7-7">
 <p>
 The institute prefers to install security updates as soon as possible.
@@ -1983,8 +1983,8 @@ The institute prefers to install security updates as soon as possible.
 </div>
 </div>
 </div>
-<div id="outline-container-orgb1bb413" class="outline-3">
-<h3 id="orgb1bb413"><span class="section-number-3">7.8.</span> Configure User Accounts</h3>
+<div id="outline-container-org9d61acb" class="outline-3">
+<h3 id="org9d61acb"><span class="section-number-3">7.8.</span> Configure User Accounts</h3>
 <div class="outline-text-3" id="text-7-8">
 <p>
 User accounts are created immediately so that Postfix and Dovecot can
@@ -2027,8 +2027,8 @@ recipient" replies.  The <a href="#orge7fe793">Account Management</a> chapter de
 </div>
 </div>
 </div>
-<div id="outline-container-orgf522cdf" class="outline-3">
-<h3 id="orgf522cdf"><span class="section-number-3">7.9.</span> Install Server Certificate</h3>
+<div id="outline-container-orgc30c758" class="outline-3">
+<h3 id="orgc30c758"><span class="section-number-3">7.9.</span> Install Server Certificate</h3>
 <div class="outline-text-3" id="text-7-9">
 <p>
 The servers on Front use the same certificate (and key) to
@@ -2255,8 +2255,8 @@ created by a more specialized role.
 </div>
 </div>
 </div>
-<div id="outline-container-org2535c23" class="outline-3">
-<h3 id="org2535c23"><span class="section-number-3">7.12.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-orgf01b935" class="outline-3">
+<h3 id="orgf01b935"><span class="section-number-3">7.12.</span> Configure Dovecot IMAPd</h3>
 <div class="outline-text-3" id="text-7-12">
 <p>
 Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to
@@ -2612,8 +2612,8 @@ the users' <q>~/Public/HTML/</q> directories.
 </div>
 </div>
 </div>
-<div id="outline-container-org03de61c" class="outline-3">
-<h3 id="org03de61c"><span class="section-number-3">7.14.</span> Configure OpenVPN</h3>
+<div id="outline-container-orgb967873" class="outline-3">
+<h3 id="orgb967873"><span class="section-number-3">7.14.</span> Configure OpenVPN</h3>
 <div class="outline-text-3" id="text-7-14">
 <p>
 Front uses OpenVPN to provide the institute's public VPN service.  The
@@ -2896,8 +2896,8 @@ Debian install and remote access to a privileged, administrator's
 account.  (For details, see <a href="#org8d60b7b">The Core Machine</a>.)
 </p>
 </div>
-<div id="outline-container-orgbb393c3" class="outline-3">
-<h3 id="orgbb393c3"><span class="section-number-3">8.1.</span> Include Particulars</h3>
+<div id="outline-container-org3b3706b" class="outline-3">
+<h3 id="org3b3706b"><span class="section-number-3">8.1.</span> Include Particulars</h3>
 <div class="outline-text-3" id="text-8-1">
 <p>
 The first task, as in <a href="#org9240129">The Front Role</a>, is to include the institute
@@ -2919,8 +2919,8 @@ particulars and membership roll.
 </div>
 </div>
 </div>
-<div id="outline-container-org0fec6b7" class="outline-3">
-<h3 id="org0fec6b7"><span class="section-number-3">8.2.</span> Configure Hostname</h3>
+<div id="outline-container-orgecf0c60" class="outline-3">
+<h3 id="orgecf0c60"><span class="section-number-3">8.2.</span> Configure Hostname</h3>
 <div class="outline-text-3" id="text-8-2">
 <p>
 This task ensures that Core's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
@@ -2953,8 +2953,8 @@ proper email delivery.
 </div>
 </div>
 </div>
-<div id="outline-container-org48eccc5" class="outline-3">
-<h3 id="org48eccc5"><span class="section-number-3">8.3.</span> Configure Systemd Resolved</h3>
+<div id="outline-container-org64e4c11" class="outline-3">
+<h3 id="org64e4c11"><span class="section-number-3">8.3.</span> Configure Systemd Resolved</h3>
 <div class="outline-text-3" id="text-8-3">
 <p>
 Core runs the campus name server, so Resolved is configured to use it
@@ -3222,17 +3222,16 @@ The following tasks install and configure BIND9 on Core.
 Examples of the necessary zone files, for the "Install BIND9
 zonefiles." task above, are given below.  If the campus ISP provided
 one or more IP addresses for stable name servers, those should
-probably be used as forwarders rather than Google.  And SecureDNS just
-craps up <q>/var/log/</q> and the Systemd journal.
+probably be used as forwarders rather than Google.
 </p>
 
 <div class="org-src-container">
 <code>bind-options</code><pre class="src src-conf" id="orgd750f78"><span class="org-type">acl </span><span class="org-string"><span class="org-type">"trusted"</span></span> {
-    {{ private_net_cidr }};
-    {{ public_vpn_net_cidr }};
-    {{ campus_vpn_net_cidr }};
-    {{ gate_wifi_net_cidr }};
-    localhost;
+        {{ private_net_cidr }};
+        {{ public_vpn_net_cidr }};
+        {{ campus_vpn_net_cidr }};
+        {{ gate_wifi_net_cidr }};
+        localhost;
 };
 
 <span class="org-type">options</span> {
@@ -3247,19 +3246,10 @@ craps up <q>/var/log/</q> and the Systemd journal.
         allow-recursion { trusted; };
         allow-query-cache { trusted; };
 
-        <span class="org-variable-name">//</span>============================================================
-        // If BIND logs error messages about the root key being
-        // expired, you will need to update your keys.
-        // See https://www.isc.org/bind-keys
-        <span class="org-variable-name">//</span>============================================================
-        //dnssec-validation auto;
-        // If Secure DNS is too much of a headache...
-        dnssec-enable no;
-        dnssec-validation no;
-
-        auth-nxdomain no;    <span class="org-comment-delimiter"># </span><span class="org-comment">conform to RFC1035</span>
-        //listen-on-v6 { any; };
-        listen-on { {{ core_addr }}; };
+        <span class="org-type">listen-on</span> {
+                {{ core_addr }};
+                localhost;
+        };
 };
 </pre>
 </div>
@@ -3377,8 +3367,8 @@ craps up <q>/var/log/</q> and the Systemd journal.
 </div>
 </div>
 </div>
-<div id="outline-container-org4d265a3" class="outline-3">
-<h3 id="org4d265a3"><span class="section-number-3">8.7.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org5ed8d7b" class="outline-3">
+<h3 id="org5ed8d7b"><span class="section-number-3">8.7.</span> Add Administrator to System Groups</h3>
 <div class="outline-text-3" id="text-8-7">
 <p>
 The administrator often needs to read (directories of) log files owned
@@ -3398,8 +3388,8 @@ these groups speeds up debugging.
 </div>
 </div>
 </div>
-<div id="outline-container-orgf602306" class="outline-3">
-<h3 id="orgf602306"><span class="section-number-3">8.8.</span> Configure Monkey</h3>
+<div id="outline-container-org7915c60" class="outline-3">
+<h3 id="org7915c60"><span class="section-number-3">8.8.</span> Configure Monkey</h3>
 <div class="outline-text-3" id="text-8-8">
 <p>
 The small institute runs cron jobs and web scripts that generate
@@ -3466,8 +3456,8 @@ described in <a href="#org1ac6235">*Configure Apache2</a>).
 </div>
 </div>
 </div>
-<div id="outline-container-org4aa0705" class="outline-3">
-<h3 id="org4aa0705"><span class="section-number-3">8.9.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org15f2e66" class="outline-3">
+<h3 id="org15f2e66"><span class="section-number-3">8.9.</span> Install Unattended Upgrades</h3>
 <div class="outline-text-3" id="text-8-9">
 <p>
 The institute prefers to install security updates as soon as possible.
@@ -3499,8 +3489,8 @@ with Nextcloud on the command line.
 </div>
 </div>
 </div>
-<div id="outline-container-org9d61acb" class="outline-3">
-<h3 id="org9d61acb"><span class="section-number-3">8.11.</span> Configure User Accounts</h3>
+<div id="outline-container-org257e089" class="outline-3">
+<h3 id="org257e089"><span class="section-number-3">8.11.</span> Configure User Accounts</h3>
 <div class="outline-text-3" id="text-8-11">
 <p>
 User accounts are created immediately so that backups can begin
@@ -3542,8 +3532,8 @@ describes the <code>members</code> and <code>usernames</code> variables.
 </div>
 </div>
 </div>
-<div id="outline-container-org2157407" class="outline-3">
-<h3 id="org2157407"><span class="section-number-3">8.12.</span> Install Server Certificate</h3>
+<div id="outline-container-org76dff78" class="outline-3">
+<h3 id="org76dff78"><span class="section-number-3">8.12.</span> Install Server Certificate</h3>
 <div class="outline-text-3" id="text-8-12">
 <p>
 The servers on Core use the same certificate (and key) to authenticate
@@ -3767,8 +3757,8 @@ installed by more specialized roles.
 </div>
 </div>
 </div>
-<div id="outline-container-orgf01b935" class="outline-3">
-<h3 id="orgf01b935"><span class="section-number-3">8.16.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-org8c230d4" class="outline-3">
+<h3 id="org8c230d4"><span class="section-number-3">8.16.</span> Configure Dovecot IMAPd</h3>
 <div class="outline-text-3" id="text-8-16">
 <p>
 Core uses Dovecot's IMAPd to store and serve member emails.  As on
@@ -5540,8 +5530,8 @@ applied first, by which Gate gets a campus machine's DNS and Postfix
 configurations, etc.
 </p>
 </div>
-<div id="outline-container-org4d1b050" class="outline-3">
-<h3 id="org4d1b050"><span class="section-number-3">9.1.</span> Include Particulars</h3>
+<div id="outline-container-org665e760" class="outline-3">
+<h3 id="org665e760"><span class="section-number-3">9.1.</span> Include Particulars</h3>
 <div class="outline-text-3" id="text-9-1">
 <p>
 The following should be familiar boilerplate by now.
@@ -5910,8 +5900,8 @@ the daemon listens <i>only</i> on the Gate-WiFi network interface.
 </div>
 </div>
 </div>
-<div id="outline-container-orgc30c758" class="outline-3">
-<h3 id="orgc30c758"><span class="section-number-3">9.6.</span> Install Server Certificate</h3>
+<div id="outline-container-org5259a7b" class="outline-3">
+<h3 id="org5259a7b"><span class="section-number-3">9.6.</span> Install Server Certificate</h3>
 <div class="outline-text-3" id="text-9-6">
 <p>
 The (OpenVPN) server on Gate uses an institute certificate (and key)
@@ -5938,8 +5928,8 @@ and Front) do.
 </div>
 </div>
 </div>
-<div id="outline-container-orgb967873" class="outline-3">
-<h3 id="orgb967873"><span class="section-number-3">9.7.</span> Configure OpenVPN</h3>
+<div id="outline-container-org19cf6c6" class="outline-3">
+<h3 id="org19cf6c6"><span class="section-number-3">9.7.</span> Configure OpenVPN</h3>
 <div class="outline-text-3" id="text-9-7">
 <p>
 Gate uses OpenVPN to provide the institute's campus VPN service.  Its
@@ -6066,8 +6056,8 @@ Wireless campus devices can get a key to the campus VPN from the
 configured manually.
 </p>
 </div>
-<div id="outline-container-org0fcff87" class="outline-3">
-<h3 id="org0fcff87"><span class="section-number-3">10.1.</span> Include Particulars</h3>
+<div id="outline-container-org4e74a72" class="outline-3">
+<h3 id="org4e74a72"><span class="section-number-3">10.1.</span> Include Particulars</h3>
 <div class="outline-text-3" id="text-10-1">
 <p>
 The following should be familiar boilerplate by now.
@@ -6083,8 +6073,8 @@ The following should be familiar boilerplate by now.
 </div>
 </div>
 </div>
-<div id="outline-container-orgef26e47" class="outline-3">
-<h3 id="orgef26e47"><span class="section-number-3">10.2.</span> Configure Hostname</h3>
+<div id="outline-container-org6f97126" class="outline-3">
+<h3 id="org6f97126"><span class="section-number-3">10.2.</span> Configure Hostname</h3>
 <div class="outline-text-3" id="text-10-2">
 <p>
 Clients should be using the expected host name.
@@ -6111,8 +6101,8 @@ Clients should be using the expected host name.
 </div>
 </div>
 </div>
-<div id="outline-container-org64e4c11" class="outline-3">
-<h3 id="org64e4c11"><span class="section-number-3">10.3.</span> Configure Systemd Resolved</h3>
+<div id="outline-container-org1fe8eef" class="outline-3">
+<h3 id="org1fe8eef"><span class="section-number-3">10.3.</span> Configure Systemd Resolved</h3>
 <div class="outline-text-3" id="text-10-3">
 <p>
 Campus machines use the campus name server on Core (or <code>dns.google</code>),
@@ -6183,8 +6173,8 @@ and file timestamps.
 </div>
 </div>
 </div>
-<div id="outline-container-org1d7831c" class="outline-3">
-<h3 id="org1d7831c"><span class="section-number-3">10.5.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-orgc133751" class="outline-3">
+<h3 id="orgc133751"><span class="section-number-3">10.5.</span> Add Administrator to System Groups</h3>
 <div class="outline-text-3" id="text-10-5">
 <p>
 The administrator often needs to read (directories of) log files owned
@@ -6204,8 +6194,8 @@ these groups speeds up debugging.
 </div>
 </div>
 </div>
-<div id="outline-container-orgfb6d583" class="outline-3">
-<h3 id="orgfb6d583"><span class="section-number-3">10.6.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org09cd0a8" class="outline-3">
+<h3 id="org09cd0a8"><span class="section-number-3">10.6.</span> Install Unattended Upgrades</h3>
 <div class="outline-text-3" id="text-10-6">
 <p>
 The institute prefers to install security updates as soon as possible.
@@ -9140,7 +9130,7 @@ routes on Front and Gate, making the simulation less&#x2026; similar.
 </div></div>
 <div id="postamble" class="status">
 <p class="author">Author: Matt Birkholz</p>
-<p class="date">Created: 2024-04-03 Wed 11:00</p>
+<p class="date">Created: 2024-04-21 Sun 14:40</p>
 <p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
 </div>
 </body>