From 07607b9a071a812daf99d3972a51ef8069ca91a4 Mon Sep 17 00:00:00 2001
From: Matt Birkholz
Date: Sat, 9 Mar 2024 10:37:29 -0600
Subject: [PATCH] Update README.html, after fixing core/files/ src block to mkdirp.
---
README.html | 714 ++++++++++------------------------------------
README.org | 2 +-
2 files changed, 136 insertions(+), 580 deletions(-)
diff --git a/README.html b/README.html
index 8ca8ec5..fd9a8ef 100644
--- a/README.html
+++ b/README.html
@@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + A Small Institute
@@ -48,7 +48,7 @@ connects to Front making the institute email, cloud, etc. available to members off campus.

-
+
                 =                                                   
               _|||_                                                 
         =-The-Institute-=                                           
@@ -1030,7 +1030,7 @@ example result follows the code.
 
-
+

=> 10.62.17.0/24

@@ -1483,7 +1483,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a campground Wi-Fi access point, etc. -
+
 =============== | ==================================================
                 |                                           Premises
           (Campus ISP)                                              
@@ -1506,7 +1506,7 @@ This avoids the need for a second Wi-Fi access point and leads to the
 following topology.
 

-
+
 =============== | ==================================================
                 |                                           Premises
            (House ISP)                                              
@@ -1659,8 +1659,8 @@ The all role contains tasks that are executed on all of the
 institute's servers.  At the moment there is just the one.
 

-
-

6.1. Include Particulars

+
+

6.1. Include Particulars

The all role's task contains a reference to a common institute @@ -1801,8 +1801,8 @@ uses the institute's CA and server certificates, and expects client certificates signed by the institute CA.

-
-

7.1. Include Particulars

+
+

7.1. Include Particulars

The first task, as in The All Role, is to include the institute @@ -1827,8 +1827,8 @@ membership roll, so these are included was well.

-
-

7.2. Configure Hostname

+
+

7.2. Configure Hostname

This task ensures that Front's /etc/hostname and /etc/mailname are @@ -1858,8 +1858,8 @@ delivery.

-
-

7.3. Add Administrator to System Groups

+
+

7.3. Add Administrator to System Groups

The administrator often needs to read (directories of) log files owned @@ -1918,8 +1918,8 @@ those stored in Secret/ssh_front/etc/ssh/

-
-

7.5. Configure Monkey

+
+

7.5. Configure Monkey

The small institute runs cron jobs and web scripts that generate @@ -1975,8 +1975,8 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.

-
-

7.7. Install Unattended Upgrades

+
+

7.7. Install Unattended Upgrades

The institute prefers to install security updates as soon as possible. @@ -1991,8 +1991,8 @@ The institute prefers to install security updates as soon as possible.

-
-
-

7.9. Install Server Certificate

+
+

7.9. Install Server Certificate

The servers on Front use the same certificate (and key) to @@ -2154,27 +2154,13 @@ Debian default for inet_interfaces.

postfix-front
- { p: smtpd_tls_cert_file, v: /etc/server.crt }
 - { p: smtpd_tls_key_file, v: /etc/server.key }
-- p: mynetworks
-  v: >-
-     {{ public_vpn_net_cidr }}
-     127.0.0.0/8
-     [::ffff:127.0.0.0]/104
-     [::1]/128
-- p: smtpd_recipient_restrictions
-  v: >-
-     permit_mynetworks
-     reject_unauth_pipelining
-     reject_unauth_destination
-     reject_unknown_sender_domain
-- p: smtpd_relay_restrictions
-  v: permit_mynetworks reject_unauth_destination
-- { p: message_size_limit, v: 104857600 }
-- { p: delay_warning_time, v: 1h }
-- { p: maximal_queue_lifetime, v: 4h }
-- { p: bounce_queue_lifetime, v: 4h }
-- { p: home_mailbox, v: Maildir/ }
-- p: smtp_header_checks
-  v: regexp:/etc/postfix/header_checks.cf
+<<postfix-front-networks>>
+<<postfix-front-restrictions>>
+<<postfix-relaying>>
+<<postfix-message-size>>
+<<postfix-queue-times>>
+<<postfix-maildir>>
+<<postfix-header-checks>>
 
@@ -2197,37 +2183,14 @@ start and enable the service. regexp: "^ *{{ item.p }} *=" line: "{{ item.p }} = {{ item.v }}" loop: - - { p: smtpd_tls_cert_file, v: /etc/server.crt } - - { p: smtpd_tls_key_file, v: /etc/server.key } - - p: mynetworks - v: >- - {{ public_vpn_net_cidr }} - 127.0.0.0/8 - [::ffff:127.0.0.0]/104 - [::1]/128 - - p: smtpd_recipient_restrictions - v: >- - permit_mynetworks - reject_unauth_pipelining - reject_unauth_destination - reject_unknown_sender_domain - - p: smtpd_relay_restrictions - v: permit_mynetworks reject_unauth_destination - - { p: message_size_limit, v: 104857600 } - - { p: delay_warning_time, v: 1h } - - { p: maximal_queue_lifetime, v: 4h } - - { p: bounce_queue_lifetime, v: 4h } - - { p: home_mailbox, v: Maildir/ } - - p: smtp_header_checks - v: regexp:/etc/postfix/header_checks.cf + <<postfix-front>> notify: Restart Postfix. - name: Install Postfix header_checks. become: yes copy: content: | - /^Received:/ IGNORE - /^User-Agent:/ IGNORE + <<postfix-header-checks-content>> dest: /etc/postfix/header_checks.cf notify: Postmap header checks. @@ -2300,8 +2263,8 @@ created by a more specialized role.
-
-

7.12. Configure Dovecot IMAPd

+
+

7.12. Configure Dovecot IMAPd

Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to @@ -2338,16 +2301,11 @@ and enables it to start at every reboot. become: yes copy: content: | - protocols = imap - ssl = required + <<dovecot-tls>> ssl_cert = </etc/server.crt ssl_key = </etc/server.key - service imap-login { - inet_listener imap { - port = 0 - } - } - mail_location = maildir:~/Maildir + <<dovecot-ports>> + <<dovecot-maildir>> dest: /etc/dovecot/local.conf notify: Restart Dovecot. @@ -2457,12 +2415,9 @@ below create or remove the symbolic links.

The following are the necessary Apache2 directives: a UserDir -directive naming /home/www-users/, a matching Directory block that -allows the server to follow the symbol links, and a Directory block -that matches the user directories and includes the standard Require -and AllowOverride directives used on all of the institute's static -web sites (https://small.example.org/, http://live/, and -http://test/). +directive naming /home/www-users/ and matching Directory block +that includes the standard Require and AllowOverride directives +used on all of the institute's web sites.

@@ -2474,12 +2429,6 @@ web sites (https://small.example.org/, http://live/, a
-
-apache-userdir-directory
Require all granted
-AllowOverride None
-
-
-

The institute requires the use of HTTPS on Front, so its default HTTP virtual host permanently redirects requests to their corresponding @@ -2508,7 +2457,7 @@ The DocumentRoot directive is accompanied by a Directory.htaccess files within the tree are disabled for speed and security. This and most of Front's Apache2 directives (below) are intended for the top level, not -inside a VirtualHost block, to apply globally. +the inside of a VirtualHost block. They should apply globally.

@@ -2521,18 +2470,12 @@ DocumentRoot /home/www AllowOverride None </Directory> -UserDir /home/www-users -<Directory /home/www-users/> - Require all granted - AllowOverride None -</Directory> +<<apache-userdir-front>> ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined -<VirtualHost *:80> - Redirect permanent / https://{{ domain_name }}/ -</VirtualHost> +<<apache-redirect-front>> <VirtualHost *:443> SSLEngine on @@ -2542,36 +2485,7 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined /etc/apache2/sites-available/{{ domain_name }}-vhost.conf </VirtualHost> -SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -SSLHonorCipherOrder on -SSLCipherSuite {{ [ 'ECDHE-ECDSA-AES128-GCM-SHA256', - 'ECDHE-ECDSA-AES256-GCM-SHA384', - 'ECDHE-ECDSA-AES128-SHA', - 'ECDHE-ECDSA-AES256-SHA', - 'ECDHE-ECDSA-AES128-SHA256', - 'ECDHE-ECDSA-AES256-SHA384', - 'ECDHE-RSA-AES128-GCM-SHA256', - 'ECDHE-RSA-AES256-GCM-SHA384', - 'ECDHE-RSA-AES128-SHA', - 'ECDHE-RSA-AES256-SHA', - 'ECDHE-RSA-AES128-SHA256', - 'ECDHE-RSA-AES256-SHA384', - 'DHE-RSA-AES128-GCM-SHA256', - 'DHE-RSA-AES256-GCM-SHA384', - 'DHE-RSA-AES128-SHA', - 'DHE-RSA-AES256-SHA', - 'DHE-RSA-AES128-SHA256', - 'DHE-RSA-AES256-SHA256', - '!aNULL', - '!eNULL', - '!LOW', - '!3DES', - '!MD5', - '!EXP', - '!PSK', - '!SRP', - '!DSS', - '!RC4' ] |join(":") }} +<<apache-ciphers>>
@@ -2606,66 +2520,7 @@ e.g. /etc/apache2/sites-available/small.example.org.conf and runs become: yes copy: content: | - ServerName {{ domain_name }} - ServerAdmin webmaster@{{ domain_name }} - - DocumentRoot /home/www - <Directory /home/www/> - Require all granted - AllowOverride None - </Directory> - - UserDir /home/www-users - <Directory /home/www-users/> - Require all granted - AllowOverride None - </Directory> - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - <VirtualHost *:80> - Redirect permanent / https://{{ domain_name }}/ - </VirtualHost> - - <VirtualHost *:443> - SSLEngine on - SSLCertificateFile /etc/server.crt - SSLCertificateKeyFile /etc/server.key - IncludeOptional \ - /etc/apache2/sites-available/{{ domain_name }}-vhost.conf - </VirtualHost> - - SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 - SSLHonorCipherOrder on - SSLCipherSuite {{ [ 'ECDHE-ECDSA-AES128-GCM-SHA256', - 'ECDHE-ECDSA-AES256-GCM-SHA384', - 'ECDHE-ECDSA-AES128-SHA', - 'ECDHE-ECDSA-AES256-SHA', - 'ECDHE-ECDSA-AES128-SHA256', - 'ECDHE-ECDSA-AES256-SHA384', - 'ECDHE-RSA-AES128-GCM-SHA256', - 'ECDHE-RSA-AES256-GCM-SHA384', - 'ECDHE-RSA-AES128-SHA', - 'ECDHE-RSA-AES256-SHA', - 'ECDHE-RSA-AES128-SHA256', - 'ECDHE-RSA-AES256-SHA384', - 'DHE-RSA-AES128-GCM-SHA256', - 'DHE-RSA-AES256-GCM-SHA384', - 'DHE-RSA-AES128-SHA', - 'DHE-RSA-AES256-SHA', - 'DHE-RSA-AES128-SHA256', - 'DHE-RSA-AES256-SHA256', - '!aNULL', - '!eNULL', - '!LOW', - '!3DES', - '!MD5', - '!EXP', - '!PSK', - '!SRP', - '!DSS', - '!RC4' ] |join(":") }} + <<apache-front>> dest: /etc/apache2/sites-available/{{ domain_name }}.conf notify: Restart Apache2. @@ -2765,8 +2620,8 @@ the users' ~/Public/HTML/ directories. -
-

7.14. Configure OpenVPN

+
+

7.14. Configure OpenVPN

Front uses OpenVPN to provide the institute's public VPN service. The @@ -2812,27 +2667,14 @@ and the common options discussed in The VPN Service.

openvpn-front
server {{ public_vpn_net_and_mask }}
 client-config-dir /etc/openvpn/ccd
-route {{ private_net_and_mask }}
-route {{ campus_vpn_net_and_mask }}
-push "route {{ private_net_and_mask }}"
-push "route {{ campus_vpn_net_and_mask }}"
-dev-type tun
-dev ovpn
-topology subnet
-client-to-client
-keepalive 10 120
-push "dhcp-option DOMAIN {{ domain_priv }}"
-push "dhcp-option DNS {{ core_addr }}"
-user nobody
-group nogroup
-persist-key
-persist-tun
-cipher AES-256-GCM
-auth SHA256
-max-clients 20
-ifconfig-pool-persist ipp.txt
-status openvpn-status.log
-verb 3
+<<openvpn-front-routes>>
+<<openvpn-dev-mode>>
+<<openvpn-keepalive>>
+<<openvpn-dns>>
+<<openvpn-drop-priv>>
+<<openvpn-crypt>>
+<<openvpn-max>>
+<<openvpn-debug>>
 ca /usr/local/share/ca-certificates/{{ domain_name }}.crt
 cert server.crt
 key server.key
@@ -2870,8 +2712,7 @@ configure the OpenVPN server on Front.
   become: yes
   copy:
     content: |
-      iroute {{ private_net_and_mask }}
-      iroute {{ campus_vpn_net_and_mask }}
+      <<openvpn-ccd-core>>
     dest: /etc/openvpn/ccd/core
   notify: Restart OpenVPN.
 
@@ -2911,34 +2752,7 @@ configure the OpenVPN server on Front.
   become: yes
   copy:
     content: |
-      server {{ public_vpn_net_and_mask }}
-      client-config-dir /etc/openvpn/ccd
-      route {{ private_net_and_mask }}
-      route {{ campus_vpn_net_and_mask }}
-      push "route {{ private_net_and_mask }}"
-      push "route {{ campus_vpn_net_and_mask }}"
-      dev-type tun
-      dev ovpn
-      topology subnet
-      client-to-client
-      keepalive 10 120
-      push "dhcp-option DOMAIN {{ domain_priv }}"
-      push "dhcp-option DNS {{ core_addr }}"
-      user nobody
-      group nogroup
-      persist-key
-      persist-tun
-      cipher AES-256-GCM
-      auth SHA256
-      max-clients 20
-      ifconfig-pool-persist ipp.txt
-      status openvpn-status.log
-      verb 3
-      ca /usr/local/share/ca-certificates/{{ domain_name }}.crt
-      cert server.crt
-      key server.key
-      dh dh2048.pem
-      tls-auth ta.key 0
+      <<openvpn-front>>
     dest: /etc/openvpn/server.conf
     mode: u=r,g=r,o=
   notify: Restart OpenVPN.
@@ -3054,7 +2868,7 @@ Finally, Kamailio can be configured and started.
   become: yes
   copy:
     content: |
-      listen=udp:{{ front_private_addr }}:5060
+      <<kamailio>>
     dest: /etc/kamailio/kamailio-local.cfg
   notify: Restart Kamailio.
 
@@ -3090,8 +2904,8 @@ Debian install and remote access to a privileged, administrator's
 account.  (For details, see The Core Machine.)
 

-
-

8.1. Include Particulars

+
+

8.1. Include Particulars

The first task, as in The Front Role, is to include the institute @@ -3113,8 +2927,8 @@ particulars and membership roll.

-
-

8.2. Configure Hostname

+
+

8.2. Configure Hostname

This task ensures that Core's /etc/hostname and /etc/mailname are @@ -3147,8 +2961,8 @@ proper email delivery.

-
-

8.3. Configure Systemd Resolved

+
+

8.3. Configure Systemd Resolved

Core runs the campus name server, so Resolved is configured to use it @@ -3373,40 +3187,7 @@ The following tasks install and configure BIND9 on Core. become: yes copy: content: | - acl "trusted" { - {{ private_net_cidr }}; - {{ public_vpn_net_cidr }}; - {{ campus_vpn_net_cidr }}; - {{ gate_wifi_net_cidr }}; - localhost; - }; - - options { - directory "/var/cache/bind"; - - forwarders { - 8.8.4.4; - 8.8.8.8; - }; - - allow-query { any; }; - allow-recursion { trusted; }; - allow-query-cache { trusted; }; - - //============================================================ - // If BIND logs error messages about the root key being - // expired, you will need to update your keys. - // See https://www.isc.org/bind-keys - //============================================================ - //dnssec-validation auto; - // If Secure DNS is too much of a headache... - dnssec-enable no; - dnssec-validation no; - - auth-nxdomain no; # conform to RFC1035 - //listen-on-v6 { any; }; - listen-on { {{ core_addr }}; }; - }; + <<bind-options>> dest: /etc/bind/named.conf.options notify: Reload BIND9. @@ -3414,30 +3195,7 @@ The following tasks install and configure BIND9 on Core. become: yes copy: content: | - include "/etc/bind/zones.rfc1918"; - - zone "{{ domain_priv }}." { - type master; - file "/etc/bind/db.domain"; - }; - - zone "{{ private_net_cidr | ipaddr('revdns') - | regex_replace('^0\.','') }}" { - type master; - file "/etc/bind/db.private"; - }; - - zone "{{ public_vpn_net_cidr | ipaddr('revdns') - | regex_replace('^0\.','') }}" { - type master; - file "/etc/bind/db.public_vpn"; - }; - - zone "{{ campus_vpn_net_cidr | ipaddr('revdns') - | regex_replace('^0\.','') }}" { - type master; - file "/etc/bind/db.campus_vpn"; - }; + <<bind-local>> dest: /etc/bind/named.conf.local notify: Reload BIND9. @@ -3627,8 +3385,8 @@ craps up /var/log/ and the Systemd journal.

-
-

8.7. Add Administrator to System Groups

+
+

8.7. Add Administrator to System Groups

The administrator often needs to read (directories of) log files owned @@ -3648,8 +3406,8 @@ these groups speeds up debugging.

-
-

8.8. Configure Monkey

+
+

8.8. Configure Monkey

The small institute runs cron jobs and web scripts that generate @@ -3716,8 +3474,8 @@ described in *Configure Apache2).

-
-

8.9. Install Unattended Upgrades

+
+

8.9. Install Unattended Upgrades

The institute prefers to install security updates as soon as possible. @@ -3749,8 +3507,8 @@ with Nextcloud on the command line.

-
-

8.11. Configure User Accounts

+
+

8.11. Configure User Accounts

User accounts are created immediately so that backups can begin @@ -3792,8 +3550,8 @@ describes the members and usernames variables.

-
-

8.12. Install Server Certificate

+
+

8.12. Install Server Certificate

The servers on Core use the same certificate (and key) to authenticate @@ -3908,24 +3666,14 @@ The complete list of Core's Postfix settings for

-postfix-core
- p: smtpd_relay_restrictions
-  v: permit_mynetworks reject_unauth_destination
+postfix-core
<<postfix-relaying>>
 - { p: smtpd_tls_security_level, v: none }
 - { p: smtp_tls_security_level, v: none }
-- { p: message_size_limit, v: 104857600 }
-- { p: delay_warning_time, v: 1h }
-- { p: maximal_queue_lifetime, v: 4h }
-- { p: bounce_queue_lifetime, v: 4h }
-- { p: home_mailbox, v: Maildir/ }
-- p: mynetworks
-  v: >-
-     {{ private_net_cidr }}
-     {{ public_vpn_net_cidr }}
-     {{ campus_vpn_net_cidr }}
-     127.0.0.0/8
-     [::ffff:127.0.0.0]/104
-     [::1]/128
-- { p: relayhost, v: "[{{ front_private_addr }}]" }
+<<postfix-message-size>>
+<<postfix-queue-times>>
+<<postfix-maildir>>
+<<postfix-core-networks>>
+<<postfix-core-relayhost>>
 - { p: inet_interfaces, v: "127.0.0.1 {{ core_addr }}" }
 
@@ -3950,25 +3698,7 @@ enable the service. Whenever /etc/postfix/transport is changed, the regexp: "^ *{{ item.p }} *=" line: "{{ item.p }} = {{ item.v }}" loop: - - p: smtpd_relay_restrictions - v: permit_mynetworks reject_unauth_destination - - { p: smtpd_tls_security_level, v: none } - - { p: smtp_tls_security_level, v: none } - - { p: message_size_limit, v: 104857600 } - - { p: delay_warning_time, v: 1h } - - { p: maximal_queue_lifetime, v: 4h } - - { p: bounce_queue_lifetime, v: 4h } - - { p: home_mailbox, v: Maildir/ } - - p: mynetworks - v: >- - {{ private_net_cidr }} - {{ public_vpn_net_cidr }} - {{ campus_vpn_net_cidr }} - 127.0.0.0/8 - [::ffff:127.0.0.0]/104 - [::1]/128 - - { p: relayhost, v: "[{{ front_private_addr }}]" } - - { p: inet_interfaces, v: "127.0.0.1 {{ core_addr }}" } + <<postfix-core>> - { p: transport_maps, v: "hash:/etc/postfix/transport" } notify: Restart Postfix. @@ -3976,8 +3706,7 @@ enable the service. Whenever /etc/postfix/transport is changed, the become: yes copy: content: | - .{{ domain_name }} local:$myhostname - .{{ domain_priv }} local:$myhostname + <<postfix-transport>> dest: /etc/postfix/transport notify: Postmap transport. @@ -4046,8 +3775,8 @@ installed by more specialized roles.
-
-

8.16. Configure Dovecot IMAPd

+
+

8.16. Configure Dovecot IMAPd

Core uses Dovecot's IMAPd to store and serve member emails. As on @@ -4084,11 +3813,10 @@ and enables it to start at every reboot. become: yes copy: content: | - protocols = imap - ssl = required + <<dovecot-tls>> ssl_cert = </etc/server.crt ssl_key = </etc/server.key - mail_location = maildir:~/Maildir + <<dovecot-maildir>> dest: /etc/dovecot/local.conf notify: Restart Dovecot. @@ -4152,8 +3880,8 @@ The Systemd service description. fetchmail-service

[Unit]
 Description=Fetchmail --idle task for {{ item }}.
 AssertPathExists=/home/{{ item }}/.fetchmailrc
-Requires=sys-devices-virtual-net-ovpn.device
-After=sys-devices-virtual-net-ovpn.device
+After=openvpn@front.service
+Wants=sys-devices-virtual-net-ovpn.device
 
 [Service]
 User={{ item }}
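Review bot: Swapping `Requires=sys-devices-virtual-net-ovpn.device` for `Wants=` plus `After=openvpn@front.service` changes the unit's failure behaviour — the job now starts even if the `ovpn` device never appears and is no longer stopped when that device goes away — yet the prose introducing this block still reads only `The Systemd service description.` The intent appears to be to lean on `Restart=always` / `RestartSec=1m` (visible in the removed copy of the unit further down this diff) so that a poll attempted before the tunnel is up simply fails and is retried; if so, that should be stated, e.g. `A Wants= dependency is used rather than Requires= so the job is not torn down with the tunnel device; a poll that fails because Front is unreachable is retried by Restart=always.` It is also worth noting in the same paragraph that the ordering only guarantees openvpn@front has been started, not that the tunnel is established, and that the member credential in ~/.fetchmailrc is protected on the wire by the `sslcertck`/`sslcommonname` settings regardless. The [Service] section of this unit continues outside the hunk.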
@@ -4186,17 +3914,7 @@ provided the Core service.
   become: yes
   copy:
     content: |
-      # Permissions on this file may be no greater than 0600.
-
-      set no bouncemail
-      set no spambounce
-      set no syslog
-      #set logfile /home/{{ item }}/.fetchmail.log
-
-      poll {{ front_private_addr }} protocol imap timeout 15
-          username {{ item }}
-          password "{{ members[item].password_fetchmail }}" fetchall
-          ssl sslproto tls1.2+ sslcertck sslcommonname {{ domain_name }}
+      <<fetchmail-config>>
     dest: /home/{{ item }}/.fetchmailrc
     owner: "{{ item }}"
     group: "{{ item }}"
@@ -4211,21 +3929,7 @@ provided the Core service.
   become: yes
   copy:
     content: |
-      [Unit]
-      Description=Fetchmail --idle task for {{ item }}.
-      AssertPathExists=/home/{{ item }}/.fetchmailrc
-      Requires=sys-devices-virtual-net-ovpn.device
-      After=sys-devices-virtual-net-ovpn.device
-
-      [Service]
-      User={{ item }}
-      ExecStart=/usr/bin/fetchmail --idle
-      Restart=always
-      RestartSec=1m
-      NoNewPrivileges=true
-
-      [Install]
-      WantedBy=default.target
+      <<fetchmail-service>>
     dest: /etc/systemd/system/fetchmail-{{ item }}.service
   loop: "{{ usernames }}"
   when:
@@ -4392,11 +4096,7 @@ redirect, the encryption ciphers and certificates.
                 AllowOverride None
         </Directory>
 
-        UserDir Public/HTML
-        <Directory /home/*/Public/HTML/>
-                Require all granted
-                AllowOverride None
-        </Directory>
+        <<apache-userdir-core>>
 
         ErrorLog ${APACHE_LOG_DIR}/live-error.log
         CustomLog ${APACHE_LOG_DIR}/live-access.log combined
@@ -4423,11 +4123,7 @@ familiar.
                 AllowOverride None
         </Directory>
 
-        UserDir Public/HTML
-        <Directory /home/*/Public/HTML/>
-                Require all granted
-                AllowOverride None
-        </Directory>
+        <<apache-userdir-core>>
 
         ErrorLog ${APACHE_LOG_DIR}/test-error.log
         CustomLog ${APACHE_LOG_DIR}/test-access.log combined
@@ -4458,11 +4154,7 @@ trained staffers, monitored by a revision control system, etc.
                 AllowOverride None
         </Directory>
 
-        UserDir Public/HTML
-        <Directory /home/*/Public/HTML/>
-                Require all granted
-                AllowOverride None
-        </Directory>
+        <<apache-userdir-core>>
 
         ErrorLog ${APACHE_LOG_DIR}/campus-error.log
         CustomLog ${APACHE_LOG_DIR}/campus-access.log combined
@@ -4525,28 +4217,7 @@ The a2ensite command enables them.
   become: yes
   copy:
     content: |
-      <VirtualHost *:80>
-        ServerName live
-        ServerAlias live.{{ domain_priv }}
-        ServerAdmin webmaster@core.{{ domain_priv }}
-
-        DocumentRoot /WWW/live
-        <Directory /WWW/live/>
-                Require all granted
-                AllowOverride None
-        </Directory>
-
-        UserDir Public/HTML
-        <Directory /home/*/Public/HTML/>
-                Require all granted
-                AllowOverride None
-        </Directory>
-
-        ErrorLog ${APACHE_LOG_DIR}/live-error.log
-        CustomLog ${APACHE_LOG_DIR}/live-access.log combined
-
-        IncludeOptional /etc/apache2/sites-available/live-vhost.conf
-      </VirtualHost>
+      <<apache-live>>
     dest: /etc/apache2/sites-available/live.conf
     mode: u=rw,g=r,o=r
   notify: Restart Apache2.
@@ -4555,28 +4226,7 @@ The a2ensite command enables them.
   become: yes
   copy:
     content: |
-      <VirtualHost *:80>
-        ServerName test
-        ServerAlias test.{{ domain_priv }}
-        ServerAdmin webmaster@core.{{ domain_priv }}
-
-        DocumentRoot /WWW/test
-        <Directory /WWW/test/>
-                Require all granted
-                AllowOverride None
-        </Directory>
-
-        UserDir Public/HTML
-        <Directory /home/*/Public/HTML/>
-                Require all granted
-                AllowOverride None
-        </Directory>
-
-        ErrorLog ${APACHE_LOG_DIR}/test-error.log
-        CustomLog ${APACHE_LOG_DIR}/test-access.log combined
-
-        IncludeOptional /etc/apache2/sites-available/test-vhost.conf
-      </VirtualHost>
+      <<apache-test>>
     dest: /etc/apache2/sites-available/test.conf
     mode: u=rw,g=r,o=r
   notify: Restart Apache2.
@@ -4585,30 +4235,7 @@ The a2ensite command enables them.
   become: yes
   copy:
     content: |
-      <VirtualHost *:80>
-        ServerName www
-        ServerAlias www.{{ domain_priv }}
-        ServerAdmin webmaster@core.{{ domain_priv }}
-
-        DocumentRoot /WWW/campus
-        <Directory /WWW/campus/>
-                Options Indexes FollowSymLinks MultiViews ExecCGI
-                AddHandler cgi-script .cgi
-                Require all granted
-                AllowOverride None
-        </Directory>
-
-        UserDir Public/HTML
-        <Directory /home/*/Public/HTML/>
-                Require all granted
-                AllowOverride None
-        </Directory>
-
-        ErrorLog ${APACHE_LOG_DIR}/campus-error.log
-        CustomLog ${APACHE_LOG_DIR}/campus-access.log combined
-
-        IncludeOptional /etc/apache2/sites-available/www-vhost.conf
-      </VirtualHost>
+      <<apache-campus>>
     dest: /etc/apache2/sites-available/www.conf
     mode: u=rw,g=r,o=r
   notify: Restart Apache2.
@@ -4715,12 +4342,8 @@ dev-type tun
 dev ovpn
 remote {{ front_addr }}
 nobind
-user nobody
-group nogroup
-persist-key
-persist-tun
-cipher AES-256-GCM
-auth SHA256
+<<openvpn-drop-priv>>
+<<openvpn-crypt>>
 remote-cert-tls server
 verify-x509-name {{ domain_name }} name
 verb 3
@@ -4772,24 +4395,7 @@ for Core.
   become: yes
   copy:
     content: |
-      client
-      dev-type tun
-      dev ovpn
-      remote {{ front_addr }}
-      nobind
-      user nobody
-      group nogroup
-      persist-key
-      persist-tun
-      cipher AES-256-GCM
-      auth SHA256
-      remote-cert-tls server
-      verify-x509-name {{ domain_name }} name
-      verb 3
-      ca /usr/local/share/ca-certificates/{{ domain_name }}.crt
-      cert client.crt
-      key client.key
-      tls-auth ta.key 1
+      <<openvpn-core>>
     dest: /etc/openvpn/front.conf
     mode: u=r,g=r,o=
   notify: Restart OpenVPN.
@@ -5953,8 +5559,8 @@ applied first, by which Gate gets a campus machine's DNS and Postfix
 configurations, etc.
 

-
-

9.1. Include Particulars

+
+

9.1. Include Particulars

The following should be familiar boilerplate by now. @@ -6206,17 +5812,12 @@ sudo ufw enable block: | *nat :POSTROUTING ACCEPT [0:0] - -A POSTROUTING -s {{ private_net_cidr }} -o isp -j MASQUERADE - -A POSTROUTING -s {{ gate_wifi_net_cidr }} -o isp -j MASQUERADE + <<ufw-nat>> COMMIT *filter - -A FORWARD -i lan -o isp -j ACCEPT - -A FORWARD -i wifi -o isp -j ACCEPT - -A FORWARD -i isp -o lan {{ ACCEPT_RELATED }} - -A FORWARD -i isp -o wifi {{ ACCEPT_RELATED }} - -A FORWARD -i lan -o ovpn -j ACCEPT - -A FORWARD -i ovpn -o lan -j ACCEPT + <<ufw-forward-nat>> + <<ufw-forward-private>> COMMIT insertafter: EOF @@ -6328,8 +5929,8 @@ the daemon listens only on the Gate-WiFi network interface.

-
-

9.6. Install Server Certificate

+
+

9.6. Install Server Certificate

The (OpenVPN) server on Gate uses an institute certificate (and key) @@ -6356,8 +5957,8 @@ and Front) do.

-
-

9.7. Configure OpenVPN

+
+

9.7. Configure OpenVPN

Gate uses OpenVPN to provide the institute's campus VPN service. Its @@ -6382,25 +5983,14 @@ discussed in The VPN Services.

openvpn-gate
server {{ campus_vpn_net_and_mask }}
 client-config-dir /etc/openvpn/ccd
-push "route {{ private_net_and_mask }}"
-push "route {{ public_vpn_net_and_mask }}"
-dev-type tun
-dev ovpn
-topology subnet
-client-to-client
-keepalive 10 120
-push "dhcp-option DOMAIN {{ domain_priv }}"
-push "dhcp-option DNS {{ core_addr }}"
-user nobody
-group nogroup
-persist-key
-persist-tun
-cipher AES-256-GCM
-auth SHA256
-max-clients 20
-ifconfig-pool-persist ipp.txt
-status openvpn-status.log
-verb 3
+<<openvpn-gate-routes>>
+<<openvpn-dev-mode>>
+<<openvpn-keepalive>>
+<<openvpn-dns>>
+<<openvpn-drop-priv>>
+<<openvpn-crypt>>
+<<openvpn-max>>
+<<openvpn-debug>>
 ca /usr/local/share/ca-certificates/{{ domain_name }}.crt
 cert /etc/server.crt
 key /etc/server.key
@@ -6458,32 +6048,7 @@ configure the OpenVPN server on Gate.
   become: yes
   copy:
     content: |
-      server {{ campus_vpn_net_and_mask }}
-      client-config-dir /etc/openvpn/ccd
-      push "route {{ private_net_and_mask }}"
-      push "route {{ public_vpn_net_and_mask }}"
-      dev-type tun
-      dev ovpn
-      topology subnet
-      client-to-client
-      keepalive 10 120
-      push "dhcp-option DOMAIN {{ domain_priv }}"
-      push "dhcp-option DNS {{ core_addr }}"
-      user nobody
-      group nogroup
-      persist-key
-      persist-tun
-      cipher AES-256-GCM
-      auth SHA256
-      max-clients 20
-      ifconfig-pool-persist ipp.txt
-      status openvpn-status.log
-      verb 3
-      ca /usr/local/share/ca-certificates/{{ domain_name }}.crt
-      cert /etc/server.crt
-      key /etc/server.key
-      dh dh2048.pem
-      tls-auth ta.key 0
+      <<openvpn-gate>>
     dest: /etc/openvpn/server.conf
     mode: u=r,g=r,o=
   notify: Restart OpenVPN.
@@ -6520,8 +6085,8 @@ Wireless campus devices can get a key to the campus VPN from the
 configured manually.
 

-
-

10.1. Include Particulars

+
+

10.1. Include Particulars

The following should be familiar boilerplate by now. @@ -6537,8 +6102,8 @@ The following should be familiar boilerplate by now.

-
-

10.2. Configure Hostname

+
+

10.2. Configure Hostname

Clients should be using the expected host name. @@ -6565,8 +6130,8 @@ Clients should be using the expected host name.

-
-

10.3. Configure Systemd Resolved

+
+

10.3. Configure Systemd Resolved

Campus machines use the campus name server on Core (or dns.google), @@ -6637,8 +6202,8 @@ and file timestamps.

-
-

10.5. Add Administrator to System Groups

+
+

10.5. Add Administrator to System Groups

The administrator often needs to read (directories of) log files owned @@ -6658,8 +6223,8 @@ these groups speeds up debugging.

-
-

10.6. Install Unattended Upgrades

+
+

10.6. Install Unattended Upgrades

The institute prefers to install security updates as soon as possible. @@ -6704,13 +6269,10 @@ tasks below. regexp: "^ *{{ item.p }} *=" line: "{{ item.p }} = {{ item.v }}" loop: - - p: smtpd_relay_restrictions - v: permit_mynetworks reject_unauth_destination - - { p: message_size_limit, v: 104857600 } - - { p: delay_warning_time, v: 1h } - - { p: maximal_queue_lifetime, v: 4h } - - { p: bounce_queue_lifetime, v: 4h } - - { p: home_mailbox, v: Maildir/ } + <<postfix-relaying>> + <<postfix-message-size>> + <<postfix-queue-times>> + <<postfix-maildir>> - { p: myhostname, v: "{{ inventory_hostname }}.{{ domain_priv }}" } - { p: mydestination, @@ -8172,9 +7734,7 @@ up-restart my $CRT = read_file "Secret/CA/pki/issued/$name.crt"; my $KEY = read_file "Secret/CA/pki/private/$name.key"; my $UP = $type eq "android" ? "" : " -script-security 2 -up /etc/openvpn/update-systemd-resolved -up-restart"; +<<openvpn-up>>"; if ($type ne "campus") { my $TA = read_file "Secret/front-ta.key"; @@ -8199,14 +7759,10 @@ up-restart dev $DEV remote $ADDR nobind -user nobody -group nogroup -persist-key -persist-tun +<<openvpn-drop-priv>> remote-cert-tls server verify-x509-name $NAME name -cipher AES-256-GCM -auth SHA256$UP +<<openvpn-crypt>>$UP verb 3 key-direction 1 <ca>\n$CA</ca> @@ -9608,7 +9164,7 @@ routes on Front and Gate, making the simulation less… similar.

Author: Matt Birkholz

-

Created: 2024-02-26 Mon 21:58

+

Created: 2024-03-09 Sat 10:34

Validate

diff --git a/README.org b/README.org
index da9e560..f0756e8 100644
--- a/README.org
+++ b/README.org
@@ -3893,7 +3893,7 @@ small institute substitutes a slightly modified version, ~inst_sensors~, that reports core CPU temperatures. #+CAPTION: [[file:roles_t/core/files/inst_sensors][=roles_t/core/files/inst_sensors=]]
-#+BEGIN_SRC sh :tangle roles_t/core/files/inst_sensors
+#+BEGIN_SRC sh :tangle roles_t/core/files/inst_sensors :mkdirp yes #!/bin/sh PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
-- 2.25.1