From 05333e5ccdb0389135206015e5a03f7c2ee7d021 Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Tue, 22 Oct 2024 10:12:15 -0700 Subject: [PATCH] Update README.html. --- README.html | 177 ++++++++++++++++++++++++++++++++++------------------ 1 file changed, 115 insertions(+), 62 deletions(-) diff --git a/README.html b/README.html index 2def347..23df883 100644 --- a/README.html +++ b/README.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + Birchwood Abbey Networks @@ -64,7 +64,7 @@ map is very similar, with differences mainly in terminology, philosophy, attitude.

-
+
                 |                                                   
                 =                                                   
               _|||_                                                 
@@ -144,8 +144,8 @@ with Apache2, spooling email with Postfix and serving it with
 Dovecot-IMAPd, and hosting a VPN with OpenVPN.
 

-
-

3.1. Install Emacs

+
+

3.1. Install Emacs

The monks of the abbey are masters of the staff (bo) and Emacs. @@ -711,7 +711,7 @@ certificate is a terminal session affair (with prompts and lines entered as shown below).

-
+
 $ sudo apt install python3-certbot-apache
 $ sudo certbot --apache -d birchwood-abbey.net
 ...
@@ -930,8 +930,8 @@ with Postfix and Dovecot, and providing essential localnet services:
 NTP, DNS and DHCP.
 

-
-

4.1. Include Abbey Variables

+
+

4.1. Include Abbey Variables

In this abbey specific document, most abbey particulars are not @@ -1127,8 +1127,8 @@ The abbey uses the Apt-Cacher:TNG package cache on Core. The

-
-

4.8. Use Cloister Apt Cache

+
+

4.8. Use Cloister Apt Cache

Core itself will benefit from using the package cache, but should @@ -1938,8 +1938,8 @@ hosts never roam, are not associated with a member, and so are ./abbey client campus new-host-name

-
-

6.1. Use Cloister Apt Cache

+
+

6.1. Use Cloister Apt Cache

The Apt-Cacher:TNG program does not work well on the frontier, so is @@ -2061,8 +2061,8 @@ them.

-
-

6.4. Install Emacs

+
+

6.4. Install Emacs

The monks of the abbey are masters of the staff and Emacs. @@ -2111,7 +2111,15 @@ entities which were organized into an "Abbey" dashboard.

The abbey uses AgentDVR to record video from PoE IP HD security -cameras. The "download" button on iSpy's Download page +cameras. It is installed and configured as described here. +

+
+
+

8.1. AgentDVR Installation

+
+

+AgentDVR is installed at the abbey according to the iSpy web site's +latest(?) instructions. The "download" button on iSpy's Download page (https://www.ispyconnect.com/download), when "Agent DVR - Linux/ macOS/ RPi" is chosen, suggests the following command lines (the second of which is broken across three lines). @@ -2126,29 +2134,97 @@ bash <(curl -s "https://raw.githubusercontent.com/\<

-Ansible assists by creating the system user agentdvr and granting it -enough sudo latitude to run the installer as instructed above. -Though a system user, the account gets a home directory, -/home/agentdvr/ in which to do the installation. The rest of the -DVR role, "phase two", waits until AgentDVR is installed. +Before executing these commands, Ansible is enlisted to make certain +preparations. +

+
+
+

8.1.1. AgentDVR Installation Preparation

+
+

+AgentDVR runs in the abbey as a system user, agentdvr, which +installs and runs the service. Though a system user, the account gets +a home directory, /home/agentdvr/ in which to install AgentDVR, and +a login shell, /bin/bash. This much Ansible can do in preparation. +

+ +
+./abbey config dvrs
+
+ + +

+After the agentdvr account is created, it is temporarily authorized +to run a handful of system commands (as root!). This small set is +sufficient if the offer to create the system service is declined. +The following commands create this authorization in ~/01agentdvr, +validate and install it in /etc/sudoers.d/01agentdvr. Such caution +is taken because a syntax error anywhere in /etc/sudoers.d/ can make +the sudo command inoperative, cutting off access to all elevated +privileges until a "rescue" (involving a reboot) is performed.

+
+
echo "ALL ALL=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\
+     /sbin/adduser,/sbin/usermod" >~/01agentdvr
+sudo chown root:root ~/01agentdvr
+sudo chmod 440 ~/01agentdvr
+visudo --check --owner --perms ~/01agentdvr
+sudo mv ~/01agentdvr /etc/sudoers.d/
+
+
+
+
+
+

8.1.2. AgentDVR Installation Execution

+
+

+With the above preparations, the system administrator can get a shell +session under the agentdvr account to run iSpy's installation script +in the empty /home/agentdvr/ directory. +

+ +
+
sudo apt-get install curl
+sudo -u agentdvr <(curl -s "https:.../install.sh")
+
+
+ +

+The script creates the /home/agentdvr/AgentDVR/ directory, and +offers to install a system service. The offer is declined. Instead, +Ansible is run again. +

+
+
+
+

8.1.3. AgentDVR Installation Completion

+

-AgentDVR is installed, after Ansible has set things up, by running the -command lines prescribed by iSpy while logged in as agentdvr with -the current default directory /home/agentdvr/. The installer should -create the /home/agentdvr/AgentDVR/ directory. Its offer to install -a system service is declined. +When Ansible is run a second time, after the installation script, it +sees the new /home/agentdvr/AgentDVR/ directory and creates (and +starts) the new system service.

+
+./abbey config dvrs
+
+ +

-After AgentDVR is installed, when the /home/agentdvr/AgentDVR/ -directory exists, Ansible is run again to install the system service. +Also after the installation, the system administrator revokes the +agentdvr account's authorizations to modify packages and accounts.

+ +
+sudo rm /etc/sudoers.d/01agentdvr
+
+
+
-

8.1. Create User agentdvr

-
+

8.2. Create User agentdvr

+

AgentDVR runs as the system user agentdvr, which is created here.

@@ -2184,28 +2260,6 @@ AgentDVR runs as the system user agentdvr, which is created here.
-
-

8.2. Authorize User agentdvr

-
-

-The AgentDVR installer is also run by agentdvr, which is authorized -to run a handful of system commands. This small set is sufficient -if the offer to create the system service is declined. In that -case, the installer will run the program in the terminal. -

- -
-roles_t/abbey-dvr/tasks/main.yml
-- name: Authorize agentdvr.
-  copy:
-    content: |
-      ALL ALL=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\
-          /sbin/adduser,/sbin/usermod
-    dest: /etc/sudoers.d/agentdvr
-
-
-
-

8.3. Test For AgentDVR/

@@ -2482,8 +2536,8 @@ machine simply by adding it to the tvrs group.

-
-

9.3. Include Abbey Variables

+
+

9.3. Include Abbey Variables

Private variables in private/vars-abbey.yml are needed, as in the @@ -3029,7 +3083,7 @@ the list of "inputs" available in a postal code typically ends with the OTA (over the air) broadcasts.

-
+
 $ tv_grab_zz_sdjson --configure --config-file .mythtv/Mr.Antenna.xml
 Cache file for lineups, schedules and programs.
 Cache file: [/home/mythtv/.xmltv/tv_grab_zz_sdjson.cache]
@@ -3424,14 +3478,13 @@ except the roles are found in Institute/roles/ as well as roles/.
     # Notebooks
     endor:
       ansible_become_password: "{{ become_endor }}"
-    geonosis:
+    sullust:
       ansible_host: 127.0.0.1
-      ansible_user: matt
-      ansible_become_password: "{{ become_geonosis }}"
+      ansible_become_password: "{{ become_sullust }}"
       postfix_mydestination: >-
-        geonosis.birchwood.private
-        geonosis
-        geonosis.localdomain
+        sullust.birchwood.private
+        sullust
+        sullust.localdomain
         localhost.localdomain
         localhost
   children:
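Review bot: renaming `become_geonosis` to `become_sullust` in this host entry needs the matching variable definition renamed wherever the become passwords are kept (not part of this patch), or `ansible_become_password` will resolve to an undefined variable for sullust; the dropped `ansible_user: matt` line also means the 127.0.0.1 connection now runs as whichever account invokes the playbook, which only works if that account is the one whose sudo password `become_sullust` holds.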
@@ -3464,10 +3517,10 @@ except the roles are found in Institute/roles/ as well as roles/.
     notebooks:
       hosts:
         endor:
-        geonosis:
+        sullust:
     builders:
       hosts:
-        geonosis:
+        sullust:
         kamino:
 
@@ -4531,7 +4584,7 @@ to private/db.campus_vpn.)

Author: Matt Birkholz

-

Created: 2024-09-20 Fri 13:28

+

Created: 2024-10-22 Tue 10:04

Validate

-- 2.25.1