From: Matt Birkholz
+= _|||_ =-The-Institute-= @@ -1022,7 +1022,7 @@ example result follows the code.-+-=> 10.62.17.0/24
@@ -1475,7 +1475,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a campground Wi-Fi access point, etc. -+=============== | ================================================== | Premises (Campus ISP) @@ -1498,7 +1498,7 @@ This avoids the need for a second Wi-Fi access point and leads to the following topology. -+=============== | ================================================== | Premises (House ISP) @@ -1651,8 +1651,8 @@ Theall
role contains tasks that are executed on all of the institute's servers. At the moment there is just the one.-6.1. Include Particulars
++6.1. Include Particulars
-The
all
role's task contains a reference to a common institute @@ -1793,8 +1793,8 @@ uses the institute's CA and server certificates, and expects client certificates signed by the institute CA.--7.1. Include Particulars
++7.1. Include Particulars
The first task, as in The All Role, is to include the institute @@ -1819,8 +1819,8 @@ membership roll, so these are included was well.
--7.2. Configure Hostname
++7.2. Configure Hostname
This task ensures that Front's
/etc/hostnameand/etc/mailnameare @@ -1850,8 +1850,8 @@ delivery.--7.3. Add Administrator to System Groups
++7.3. Add Administrator to System Groups
The administrator often needs to read (directories of) log files owned @@ -1910,8 +1910,8 @@ those stored in
Secret/ssh_front/etc/ssh/--7.5. Configure Monkey
++7.5. Configure Monkey
The small institute runs cron jobs and web scripts that generate @@ -1967,8 +1967,8 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.
--7.7. Install Unattended Upgrades
++7.7. Install Unattended Upgrades
The institute prefers to install security updates as soon as possible. @@ -1983,8 +1983,8 @@ The institute prefers to install security updates as soon as possible.
--7.8. Configure User Accounts
++7.8. Configure User Accounts
User accounts are created immediately so that Postfix and Dovecot can @@ -2027,8 +2027,8 @@ recipient" replies. The Account Management chapter de
--7.9. Install Server Certificate
++7.9. Install Server Certificate
The servers on Front use the same certificate (and key) to @@ -2255,8 +2255,8 @@ created by a more specialized role.
--7.12. Configure Dovecot IMAPd
++7.12. Configure Dovecot IMAPd
Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to @@ -2612,8 +2612,8 @@ the users'
~/Public/HTML/directories.-7.14. Configure OpenVPN
++7.14. Configure OpenVPN
-Front uses OpenVPN to provide the institute's public VPN service. The @@ -2896,8 +2896,8 @@ Debian install and remote access to a privileged, administrator's account. (For details, see The Core Machine.)
--8.1. Include Particulars
++8.1. Include Particulars
The first task, as in The Front Role, is to include the institute @@ -2919,8 +2919,8 @@ particulars and membership roll.
--8.2. Configure Hostname
++8.2. Configure Hostname
This task ensures that Core's
/etc/hostnameand/etc/mailnameare @@ -2953,8 +2953,8 @@ proper email delivery.--8.3. Configure Systemd Resolved
++8.3. Configure Systemd Resolved
Core runs the campus name server, so Resolved is configured to use it @@ -3222,17 +3222,16 @@ The following tasks install and configure BIND9 on Core. Examples of the necessary zone files, for the "Install BIND9 zonefiles." task above, are given below. If the campus ISP provided one or more IP addresses for stable name servers, those should -probably be used as forwarders rather than Google. And SecureDNS just -craps up
/var/log/and the Systemd journal. +probably be used as forwarders rather than Google.@@ -3377,8 +3367,8 @@ craps upbind-options
acl "trusted" { - {{ private_net_cidr }}; - {{ public_vpn_net_cidr }}; - {{ campus_vpn_net_cidr }}; - {{ gate_wifi_net_cidr }}; - localhost; + {{ private_net_cidr }}; + {{ public_vpn_net_cidr }}; + {{ campus_vpn_net_cidr }}; + {{ gate_wifi_net_cidr }}; + localhost; }; options { @@ -3247,19 +3246,10 @@ craps up/var/log/and the Systemd journal. allow-recursion { trusted; }; allow-query-cache { trusted; }; - //============================================================ - // If BIND logs error messages about the root key being - // expired, you will need to update your keys. - // See https://www.isc.org/bind-keys - //============================================================ - //dnssec-validation auto; - // If Secure DNS is too much of a headache... - dnssec-enable no; - dnssec-validation no; - - auth-nxdomain no; # conform to RFC1035 - //listen-on-v6 { any; }; - listen-on { {{ core_addr }}; }; + listen-on { + {{ core_addr }}; + localhost; + }; };/var/log/and the Systemd journal.--8.7. Add Administrator to System Groups
++8.7. Add Administrator to System Groups
The administrator often needs to read (directories of) log files owned @@ -3398,8 +3388,8 @@ these groups speeds up debugging.
--8.8. Configure Monkey
++8.8. Configure Monkey
The small institute runs cron jobs and web scripts that generate @@ -3466,8 +3456,8 @@ described in *Configure Apache2).
--8.9. Install Unattended Upgrades
++8.9. Install Unattended Upgrades
The institute prefers to install security updates as soon as possible. @@ -3499,8 +3489,8 @@ with Nextcloud on the command line.
--8.11. Configure User Accounts
++8.11. Configure User Accounts
User accounts are created immediately so that backups can begin @@ -3542,8 +3532,8 @@ describes the
members
andusernames
variables.--8.12. Install Server Certificate
++8.12. Install Server Certificate
The servers on Core use the same certificate (and key) to authenticate @@ -3767,8 +3757,8 @@ installed by more specialized roles.
-8.16. Configure Dovecot IMAPd
++8.16. Configure Dovecot IMAPd
-Core uses Dovecot's IMAPd to store and serve member emails. As on @@ -5540,8 +5530,8 @@ applied first, by which Gate gets a campus machine's DNS and Postfix configurations, etc.
--9.1. Include Particulars
++9.1. Include Particulars
The following should be familiar boilerplate by now. @@ -5910,8 +5900,8 @@ the daemon listens only on the Gate-WiFi network interface.
--9.6. Install Server Certificate
++9.6. Install Server Certificate
The (OpenVPN) server on Gate uses an institute certificate (and key) @@ -5938,8 +5928,8 @@ and Front) do.
-9.7. Configure OpenVPN
++9.7. Configure OpenVPN
-Gate uses OpenVPN to provide the institute's campus VPN service. Its @@ -6066,8 +6056,8 @@ Wireless campus devices can get a key to the campus VPN from the configured manually.
--10.1. Include Particulars
++10.1. Include Particulars
The following should be familiar boilerplate by now. @@ -6083,8 +6073,8 @@ The following should be familiar boilerplate by now.
--10.2. Configure Hostname
++10.2. Configure Hostname
Clients should be using the expected host name. @@ -6111,8 +6101,8 @@ Clients should be using the expected host name.
--10.3. Configure Systemd Resolved
++10.3. Configure Systemd Resolved
Campus machines use the campus name server on Core (or
dns.google
), @@ -6183,8 +6173,8 @@ and file timestamps.--10.5. Add Administrator to System Groups
++10.5. Add Administrator to System Groups
The administrator often needs to read (directories of) log files owned @@ -6204,8 +6194,8 @@ these groups speeds up debugging.
-10.6. Install Unattended Upgrades
++-10.6. Install Unattended Upgrades
The institute prefers to install security updates as soon as possible. @@ -9140,7 +9130,7 @@ routes on Front and Gate, making the simulation less… similar.
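Review bot: in the BIND9 `options` hunk, deleting `dnssec-enable no;` and `dnssec-validation no;` (together with the removed sentence about SecureDNS filling /var/log/ and the Systemd journal) is a behavioural change, not a tidy-up: with no `dnssec-validation` statement BIND uses its default, which since 9.16 is `auto` (validation on, built-in trust anchor), so Core's resolver will start validating and will answer SERVFAIL for zones with broken signatures. If that is intended, say so in the surrounding text and write `dnssec-validation auto;` explicitly so the choice is visible in the template; if not, keep `dnssec-validation no;`. Dropping `dnssec-enable` is fine (obsolete in current BIND 9), the removed `auth-nxdomain no;` was already the default, and adding `localhost` to `listen-on` next to `{{ core_addr }}` is a sensible addition since it lets Core's own Resolved reach the server on 127.0.0.1.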
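Review bot: the heading hunks from 6.1 through 10.5 (`-N.N. …` / `++N.N. …`) are whitespace-only, adding a blank line before each section heading; they would be easier to audit as a separate commit from the BIND9 configuration change so that the one hunk that alters resolver behaviour is not buried among formatting edits.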
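Review bot: the 10.6 hunk reads `++-10.6. Install Unattended Upgrades`, while every other heading hunk reads `++N.N. …`; check that the leading `-` has not been accidentally inserted into the heading text before merging.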