From 0b54f883ec50ace98e50a8989d732c3996c9c49f Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Mon, 26 Feb 2024 20:37:07 -0700 Subject: [PATCH] Move the Enable Systemd Resolved task(s) to the "all" role. --- README.org | 147 ++++++++++++++-------------------- roles_t/all/tasks/main.yml | 32 ++++++++ roles_t/campus/tasks/main.yml | 32 -------- roles_t/core/tasks/main.yml | 32 -------- roles_t/front/tasks/main.yml | 32 -------- 5 files changed, 90 insertions(+), 185 deletions(-) diff --git a/README.org b/README.org index f66bec6..16bd6cf 100644 --- a/README.org +++ b/README.org 
@@ -1287,6 +1287,58 @@ Particulars]]). The code block below is the first to tangle into tags: accounts #+END_SRC +** Enable Systemd Resolved + +The ~systemd-networkd~ and ~systemd-resolved~ service units are not +enabled by default in Debian, but /are/ the default in Ubuntu. The +institute attempts to make use of their link-local name resolution, so +they are enabled on all institute hosts. + +The =/usr/share/doc/systemd/README.Debian.gz= file recommends both +services be enabled /and/ =/etc/resolv.conf= be replaced with a +symbolic link to =/run/systemd/resolve/resolv.conf=. The institute +follows these recommendations (and /not/ the suggestion to enable +"persistent logging", yet). In Debian 12 there is a +~systemd-resolved~ package that symbolically links =/etc/resolv.conf= +(and provides =/lib/systemd/systemd-resolved=, formerly part of the +~systemd~ package). + +#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/all/tasks/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/all/tasks/main.yml :noweb yes + +- name: Install systemd-resolved. + become: yes + apt: pkg=systemd-resolved + when: + - ansible_distribution == 'Debian' + - 11 < ansible_distribution_major_version|int + +- name: Enable/Start systemd-networkd. + become: yes + systemd: + service: systemd-networkd + enabled: yes + state: started + +- name: Enable/Start systemd-resolved. + become: yes + systemd: + service: systemd-resolved + enabled: yes + state: started + +- name: Link /etc/resolv.conf. + become: yes + file: + path: /etc/resolv.conf + src: /run/systemd/resolve/resolv.conf + state: link + force: yes + when: + - ansible_distribution == 'Debian' + - 12 > ansible_distribution_major_version|int +#+END_SRC + ** Trust Institute Certificate Authority All servers should recognize the institute's Certificate Authority as 
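Review bot: The new caption's link target still points at the old file: `#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/all/tasks/main.yml=]]` labels the block as the all role's main.yml but links to roles_t/front/tasks/main.yml; it should read `#+CAPTION: [[file:roles_t/all/tasks/main.yml][=roles_t/all/tasks/main.yml=]]`. Separately, the `Link /etc/resolv.conf.` task in this block targets `/run/systemd/resolve/resolv.conf` (the upstream-server list) rather than the `stub-resolv.conf` file, so on the Debian 11 hosts it applies to, lookups go straight to the upstream servers and bypass the resolved stub on 127.0.0.53, which is where resolved's per-link DNS, DNSSEC and DNS-over-TLS settings take effect; if, as I believe, the Debian 12 `systemd-resolved` package links `/etc/resolv.conf` to `stub-resolv.conf` instead, the two Debian generations will resolve names through different paths. Since this block is tangled into roles_t/all/tasks/main.yml (the later hunk in this patch), the fix and a comment documenting which target is intended belong here in the org source, e.g. `# Links the upstream-server list, not stub-resolv.conf: lookups bypass the 127.0.0.53 stub. Confirm this matches the Debian 12 package's link.`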
@@ -1388,64 +1440,6 @@ delivery. command: hostname -F /etc/hostname #+END_SRC -** Enable Systemd Resolved <> - -The ~systemd-networkd~ and ~systemd-resolved~ service units are not -enabled by default in Debian, but /are/ the default in Ubuntu, and -work with Netplan. The =/usr/share/doc/systemd/README.Debian.gz= file -recommends both services be enabled /and/ =/etc/resolv.conf= be -replaced with a symbolic link to =/run/systemd/resolve/resolv.conf=. -The institute follows these recommendations (and /not/ the suggestion -to enable "persistent logging", yet). In Debian 12 there is a -~systemd-resolved~ package that symbolically links =/etc/resolv.conf= -(and provides =/lib/systemd/systemd-resolved=, formerly part of the -~systemd~ package). - -These tasks are included in all of the roles, and so are given in a -separate code block named ~enable-resolved~.[fn:2] - -#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml :noweb yes -<> -#+END_SRC - -#+NAME: enable-resolved -#+CAPTION: ~enable-resolved~ -#+BEGIN_SRC conf - -- name: Install systemd-resolved. - become: yes - apt: pkg=systemd-resolved - when: - - ansible_distribution == 'Debian' - - 11 < ansible_distribution_major_version|int - -- name: Enable/Start systemd-networkd. - become: yes - systemd: - service: systemd-networkd - enabled: yes - state: started - -- name: Enable/Start systemd-resolved. - become: yes - systemd: - service: systemd-resolved - enabled: yes - state: started - -- name: Link /etc/resolv.conf. - become: yes - file: - path: /etc/resolv.conf - src: /run/systemd/resolve/resolv.conf - state: link - force: yes - when: - - ansible_distribution == 'Debian' - - 12 > ansible_distribution_major_version|int -#+END_SRC - ** Add Administrator to System Groups The administrator often needs to read (directories of) log files owned 
@@ -1888,7 +1882,7 @@ from Qualys SSL Labs ([[https://www.ssllabs.com/]]). The ~apache-ciphers~ block below is included last in the Apache2 configuration, so that its ~SSLCipherSuite~ directive can override (narrow) any list of ciphers set earlier (e.g. by Let's -Encrypt![fn:3]). The protocols and cipher suites specified here were +Encrypt![fn:2]). The protocols and cipher suites specified here were taken from [[https://www.ssllabs.com/projects/best-practices]] in 2022. #+NAME: apache-ciphers @@ -2448,16 +2442,6 @@ proper email delivery. command: hostname -F /etc/hostname #+END_SRC -** Enable Systemd Resolved - -Core starts the ~systemd-networkd~ and ~systemd-resolved~ service -units on boot. See [[resolved-front][Enable Systemd Resolved]]. - -#+CAPTION: [[file:roles_t/core/tasks/main.yml][=roles_t/core/tasks/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/core/tasks/main.yml :noweb yes -<> -#+END_SRC - ** Configure Systemd Resolved Core runs the campus name server, so Resolved is configured to use it @@ -5247,16 +5231,6 @@ Clients should be using the expected host name. when: inventory_hostname != ansible_hostname #+END_SRC -** Enable Systemd Resolved - -Campus machines start the ~systemd-networkd~ and ~systemd-resolved~ -service units on boot. See [[resolved-front][Enable Systemd Resolved]]. - -#+CAPTION: [[file:roles_t/campus/tasks/main.yml][=roles_t/campus/tasks/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/campus/tasks/main.yml :noweb yes -<> -#+END_SRC - ** Configure Systemd Resolved Campus machines use the campus name server on Core (or ~dns.google~), 
@@ -6000,7 +5974,7 @@ records. The mapping is stored among other things in A new member's record in the ~members~ mapping will have the ~status~ key value ~current~. That key gets value ~former~ when the member -leaves.[fn:4] Access by former members is revoked by invalidating the +leaves.[fn:3] Access by former members is revoked by invalidating the Unix account passwords, removing any authorized SSH keys from Front and Core, and disabling their VPN certificates. @@ -6804,7 +6778,7 @@ but a private address on the NAT network ~premises~. Thus ~front~ is not accessible to the administrator's notebook (the host). To work around this restriction, ~front~ gets a second network interface connected to the ~vboxnet1~ network and used only for ssh access from -the host.[fn:5] +the host.[fn:4] The networks described above are created and "started" with the following ~VBoxManage~ commands. 
@@ -7695,19 +7669,14 @@ innocuous, disabled) default state. "Appendix G. Private DNS Namespaces" of RFC6762 (Multicast DNS). [[https://www.rfc-editor.org/rfc/rfc6762#appendix-G]] -[fn:2] Why not create a role named ~all~ and put these tasks that are -the same on all machines in that role? If there were more than a -stable handful, and no tangling mechanism to do the duplication, a -catch-all role would be a higher priority. - -[fn:3] The cipher set specified by Let's Encrypt is large enough to +[fn:2] The cipher set specified by Let's Encrypt is large enough to turn orange many parts of an SSL Report from Qualys SSL Labs. -[fn:4] Presumably, eventually, a former member's home directories are +[fn:3] Presumably, eventually, a former member's home directories are archived to external storage, their other files are given new ownerships, and their Unix accounts are deleted. This has never been done, and is left as a manual exercise. -[fn:5] Front is accessible via Gate but routing from the host address +[fn:4] Front is accessible via Gate but routing from the host address on ~vboxnet0~ through Gate requires extensive interference with the routes on Front and Gate, making the simulation less... similar. diff --git a/roles_t/all/tasks/main.yml b/roles_t/all/tasks/main.yml index 16b0e95..a3871b3 100644 --- a/roles_t/all/tasks/main.yml +++ b/roles_t/all/tasks/main.yml 
@@ -3,6 +3,38 @@ include_vars: ../public/vars.yml tags: accounts +- name: Install systemd-resolved. + become: yes + apt: pkg=systemd-resolved + when: + - ansible_distribution == 'Debian' + - 11 < ansible_distribution_major_version|int + +- name: Enable/Start systemd-networkd. + become: yes + systemd: + service: systemd-networkd + enabled: yes + state: started + +- name: Enable/Start systemd-resolved. + become: yes + systemd: + service: systemd-resolved + enabled: yes + state: started + +- name: Link /etc/resolv.conf. + become: yes + file: + path: /etc/resolv.conf + src: /run/systemd/resolve/resolv.conf + state: link + force: yes + when: + - ansible_distribution == 'Debian' + - 12 > ansible_distribution_major_version|int + - name: Trust the institute CA. become: yes copy: diff --git a/roles_t/campus/tasks/main.yml b/roles_t/campus/tasks/main.yml index fa8e838..ee7d488 100644 --- a/roles_t/campus/tasks/main.yml +++ b/roles_t/campus/tasks/main.yml @@ -20,38 +20,6 @@ command: hostname -F /etc/hostname when: inventory_hostname != ansible_hostname -- name: Install systemd-resolved. - become: yes - apt: pkg=systemd-resolved - when: - - ansible_distribution == 'Debian' - - 11 < ansible_distribution_major_version|int - -- name: Enable/Start systemd-networkd. - become: yes - systemd: - service: systemd-networkd - enabled: yes - state: started - -- name: Enable/Start systemd-resolved. - become: yes - systemd: - service: systemd-resolved - enabled: yes - state: started - -- name: Link /etc/resolv.conf. - become: yes - file: - path: /etc/resolv.conf - src: /run/systemd/resolve/resolv.conf - state: link - force: yes - when: - - ansible_distribution == 'Debian' - - 12 > ansible_distribution_major_version|int - - name: Configure resolved. become: yes lineinfile: diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml index 6256e56..d36cea0 100644 --- a/roles_t/core/tasks/main.yml +++ b/roles_t/core/tasks/main.yml 
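Review bot: The `Link /etc/resolv.conf.` task uses `force: yes`, which silently replaces whatever `/etc/resolv.conf` a Debian 11 host already has (a resolvconf- or DHCP-client-managed file included) without recording what was there; a comment stating that this clobbering is intended, such as `# Replaces any existing resolv.conf unconditionally; resolvconf/NetworkManager-managed hosts lose their file.`, would make the behaviour explicit to whoever next runs the role against a host that was not provisioned this way. As a point of style, the new tasks use `yes` for `become`, `enabled` and `force` and the key=value form `apt: pkg=systemd-resolved`; ansible-lint prefers `true`/`false` and the block form `apt:` / `name: systemd-resolved`, though the surrounding file (see the context line `become: yes` on the `Trust the institute CA.` task) uses the same conventions, so a change should be made file-wide rather than in this hunk alone. This file is tangled from README.org, so any edit has to go into the org source block, not here.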
@@ -19,38 +19,6 @@ - { name: "{{ inventory_hostname }}", file: /etc/hostname } notify: Update hostname. -- name: Install systemd-resolved. - become: yes - apt: pkg=systemd-resolved - when: - - ansible_distribution == 'Debian' - - 11 < ansible_distribution_major_version|int - -- name: Enable/Start systemd-networkd. - become: yes - systemd: - service: systemd-networkd - enabled: yes - state: started - -- name: Enable/Start systemd-resolved. - become: yes - systemd: - service: systemd-resolved - enabled: yes - state: started - -- name: Link /etc/resolv.conf. - become: yes - file: - path: /etc/resolv.conf - src: /run/systemd/resolve/resolv.conf - state: link - force: yes - when: - - ansible_distribution == 'Debian' - - 12 > ansible_distribution_major_version|int - - name: Configure resolved. become: yes lineinfile: diff --git a/roles_t/front/tasks/main.yml b/roles_t/front/tasks/main.yml index b8b3a56..ec38821 100644 --- a/roles_t/front/tasks/main.yml +++ b/roles_t/front/tasks/main.yml @@ -21,38 +21,6 @@ - /etc/mailname notify: Update hostname. -- name: Install systemd-resolved. - become: yes - apt: pkg=systemd-resolved - when: - - ansible_distribution == 'Debian' - - 11 < ansible_distribution_major_version|int - -- name: Enable/Start systemd-networkd. - become: yes - systemd: - service: systemd-networkd - enabled: yes - state: started - -- name: Enable/Start systemd-resolved. - become: yes - systemd: - service: systemd-resolved - enabled: yes - state: started - -- name: Link /etc/resolv.conf. - become: yes - file: - path: /etc/resolv.conf - src: /run/systemd/resolve/resolv.conf - state: link - force: yes - when: - - ansible_distribution == 'Debian' - - 12 > ansible_distribution_major_version|int - - name: Add {{ ansible_user }} to system groups. become: yes user: -- 2.25.1