From: Matt Birkholz Date: Sun, 21 Apr 2024 20:40:43 +0000 (-0600) Subject: Update README.html. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=ad9028a5ec54fb571ab7d99254722c12a4dbaefc;p=Institute Update README.html. --- diff --git a/README.html b/README.html index 7208837..9368486 100644 --- a/README.html +++ b/README.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + A Small Institute @@ -48,7 +48,7 @@ connects to Front making the institute email, cloud, etc. available to members off campus.

-
+
                 =                                                   
               _|||_                                                 
         =-The-Institute-=                                           
@@ -1022,7 +1022,7 @@ example result follows the code.
 
-
+

=> 10.62.17.0/24

@@ -1475,7 +1475,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a campground Wi-Fi access point, etc. -
+
 =============== | ==================================================
                 |                                           Premises
           (Campus ISP)                                              
@@ -1498,7 +1498,7 @@ This avoids the need for a second Wi-Fi access point and leads to the
 following topology.
 

-
+
 =============== | ==================================================
                 |                                           Premises
            (House ISP)                                              
@@ -1651,8 +1651,8 @@ The all role contains tasks that are executed on all of the
 institute's servers.  At the moment there is just the one.
 

-
-

6.1. Include Particulars

+
+

6.1. Include Particulars

The all role's task contains a reference to a common institute @@ -1793,8 +1793,8 @@ uses the institute's CA and server certificates, and expects client certificates signed by the institute CA.

-
-

7.1. Include Particulars

+
+

7.1. Include Particulars

The first task, as in The All Role, is to include the institute @@ -1819,8 +1819,8 @@ membership roll, so these are included was well.

-
-

7.2. Configure Hostname

+
+

7.2. Configure Hostname

This task ensures that Front's /etc/hostname and /etc/mailname are @@ -1850,8 +1850,8 @@ delivery.

-
-

7.3. Add Administrator to System Groups

+
+

7.3. Add Administrator to System Groups

The administrator often needs to read (directories of) log files owned @@ -1910,8 +1910,8 @@ those stored in Secret/ssh_front/etc/ssh/

-
-

7.5. Configure Monkey

+
+

7.5. Configure Monkey

The small institute runs cron jobs and web scripts that generate @@ -1967,8 +1967,8 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.

-
-

7.7. Install Unattended Upgrades

+
+

7.7. Install Unattended Upgrades

The institute prefers to install security updates as soon as possible. @@ -1983,8 +1983,8 @@ The institute prefers to install security updates as soon as possible.

-
-
-

7.9. Install Server Certificate

+
+

7.9. Install Server Certificate

The servers on Front use the same certificate (and key) to @@ -2255,8 +2255,8 @@ created by a more specialized role.

-
-

7.12. Configure Dovecot IMAPd

+
+

7.12. Configure Dovecot IMAPd

Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to @@ -2612,8 +2612,8 @@ the users' ~/Public/HTML/ directories.

-
-

7.14. Configure OpenVPN

+
+

7.14. Configure OpenVPN

Front uses OpenVPN to provide the institute's public VPN service. The @@ -2896,8 +2896,8 @@ Debian install and remote access to a privileged, administrator's account. (For details, see The Core Machine.)

-
-

8.1. Include Particulars

+
+

8.1. Include Particulars

The first task, as in The Front Role, is to include the institute @@ -2919,8 +2919,8 @@ particulars and membership roll.

-
-

8.2. Configure Hostname

+
+

8.2. Configure Hostname

This task ensures that Core's /etc/hostname and /etc/mailname are @@ -2953,8 +2953,8 @@ proper email delivery.

-
-

8.3. Configure Systemd Resolved

+
+

8.3. Configure Systemd Resolved

Core runs the campus name server, so Resolved is configured to use it @@ -3222,17 +3222,16 @@ The following tasks install and configure BIND9 on Core. Examples of the necessary zone files, for the "Install BIND9 zonefiles." task above, are given below. If the campus ISP provided one or more IP addresses for stable name servers, those should -probably be used as forwarders rather than Google. And SecureDNS just -craps up /var/log/ and the Systemd journal. +probably be used as forwarders rather than Google.

bind-options
acl "trusted" {
-    {{ private_net_cidr }};
-    {{ public_vpn_net_cidr }};
-    {{ campus_vpn_net_cidr }};
-    {{ gate_wifi_net_cidr }};
-    localhost;
+        {{ private_net_cidr }};
+        {{ public_vpn_net_cidr }};
+        {{ campus_vpn_net_cidr }};
+        {{ gate_wifi_net_cidr }};
+        localhost;
 };
 
 options {
@@ -3247,19 +3246,10 @@ craps up /var/log/ and the Systemd journal.
         allow-recursion { trusted; };
         allow-query-cache { trusted; };
 
-        //============================================================
-        // If BIND logs error messages about the root key being
-        // expired, you will need to update your keys.
-        // See https://www.isc.org/bind-keys
-        //============================================================
-        //dnssec-validation auto;
-        // If Secure DNS is too much of a headache...
-        dnssec-enable no;
-        dnssec-validation no;
-
-        auth-nxdomain no;    # conform to RFC1035
-        //listen-on-v6 { any; };
-        listen-on { {{ core_addr }}; };
+        listen-on {
+                {{ core_addr }};
+                localhost;
+        };
 };
 
@@ -3377,8 +3367,8 @@ craps up /var/log/ and the Systemd journal.
-
-

8.7. Add Administrator to System Groups

+
+

8.7. Add Administrator to System Groups

The administrator often needs to read (directories of) log files owned @@ -3398,8 +3388,8 @@ these groups speeds up debugging.

-
-

8.8. Configure Monkey

+
+

8.8. Configure Monkey

The small institute runs cron jobs and web scripts that generate @@ -3466,8 +3456,8 @@ described in *Configure Apache2).

-
-

8.9. Install Unattended Upgrades

+
+

8.9. Install Unattended Upgrades

The institute prefers to install security updates as soon as possible. @@ -3499,8 +3489,8 @@ with Nextcloud on the command line.

-
-

8.11. Configure User Accounts

+
+

8.11. Configure User Accounts

User accounts are created immediately so that backups can begin @@ -3542,8 +3532,8 @@ describes the members and usernames variables.

-
-

8.12. Install Server Certificate

+
+

8.12. Install Server Certificate

The servers on Core use the same certificate (and key) to authenticate @@ -3767,8 +3757,8 @@ installed by more specialized roles.

-
-

8.16. Configure Dovecot IMAPd

+
+

8.16. Configure Dovecot IMAPd

Core uses Dovecot's IMAPd to store and serve member emails. As on @@ -5540,8 +5530,8 @@ applied first, by which Gate gets a campus machine's DNS and Postfix configurations, etc.

-
-

9.1. Include Particulars

+
+

9.1. Include Particulars

The following should be familiar boilerplate by now. @@ -5910,8 +5900,8 @@ the daemon listens only on the Gate-WiFi network interface.

-
-

9.6. Install Server Certificate

+
+

9.6. Install Server Certificate

The (OpenVPN) server on Gate uses an institute certificate (and key) @@ -5938,8 +5928,8 @@ and Front) do.

-
-

9.7. Configure OpenVPN

+
+

9.7. Configure OpenVPN

Gate uses OpenVPN to provide the institute's campus VPN service. Its @@ -6066,8 +6056,8 @@ Wireless campus devices can get a key to the campus VPN from the configured manually.

-
-

10.1. Include Particulars

+
+

10.1. Include Particulars

The following should be familiar boilerplate by now. @@ -6083,8 +6073,8 @@ The following should be familiar boilerplate by now.

-
-

10.2. Configure Hostname

+
+

10.2. Configure Hostname

Clients should be using the expected host name. @@ -6111,8 +6101,8 @@ Clients should be using the expected host name.

-
-

10.3. Configure Systemd Resolved

+
+

10.3. Configure Systemd Resolved

Campus machines use the campus name server on Core (or dns.google), @@ -6183,8 +6173,8 @@ and file timestamps.

-
-

10.5. Add Administrator to System Groups

+
+

10.5. Add Administrator to System Groups

The administrator often needs to read (directories of) log files owned @@ -6204,8 +6194,8 @@ these groups speeds up debugging.

-
-

10.6. Install Unattended Upgrades

+
+

10.6. Install Unattended Upgrades

The institute prefers to install security updates as soon as possible. @@ -9140,7 +9130,7 @@ routes on Front and Gate, making the simulation less… similar.

Author: Matt Birkholz

-

Created: 2024-04-03 Wed 11:00

+

Created: 2024-04-21 Sun 14:40

Validate