From 13f9490138e5a6629413d2ed55f1d46c804c830b Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Mon, 11 Mar 2024 17:26:06 -0500 Subject: [PATCH] Wordsmithing. Punt redundant mention of make-cadir. --- README.html | 128 ++++++++++++++++++++++++---------------------------- README.org | 6 --- 2 files changed, 60 insertions(+), 74 deletions(-) diff --git a/README.html b/README.html index fd9a8ef..2186573 100644 --- a/README.html +++ b/README.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + A Small Institute @@ -48,7 +48,7 @@ connects to Front making the institute email, cloud, etc. available to members off campus.

-
+
                 =                                                   
               _|||_                                                 
         =-The-Institute-=                                           
@@ -703,14 +703,6 @@ e.g. root@core.small.private.
 
Secret/root-sec.pem
The ASCII armored OpenPGP secret key.

 
 
-

-When The CA Command sees an empty Secret/CA/ directory, as
-though just created by running the EasyRSA make-cadir command in
-Secret/ (a new, encrypted volume), the ./inst CA command creates
-all of the certificates and keys mentioned above.  It may prompt for
-the institute's full name.
-

-
 

 The institute administrator updates a couple encrypted copies of this
 drive after enrolling new members, changing a password, issuing VPN
@@ -1030,7 +1022,7 @@ example result follows the code.
 

 
 
-

+

 

 => 10.62.17.0/24
 

@@ -1483,7 +1475,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a
 campground Wi-Fi access point, etc.
 
 
-
+
 =============== | ==================================================
                 |                                           Premises
           (Campus ISP)                                              
@@ -1506,7 +1498,7 @@ This avoids the need for a second Wi-Fi access point and leads to the
 following topology.
 

 
-
+
 =============== | ==================================================
                 |                                           Premises
            (House ISP)                                              
@@ -1659,8 +1651,8 @@ The all role contains tasks that are executed on all of the
 institute's servers.  At the moment there is just the one.
 

 

-

-
6.1. Include Particulars

+

+
6.1. Include Particulars

 

 

 The all role's task contains a reference to a common institute
@@ -1801,8 +1793,8 @@ uses the institute's CA and server certificates, and expects client
 certificates signed by the institute CA.
 

 

-

-
7.1. Include Particulars

+

+
7.1. Include Particulars

 

 

 The first task, as in The All Role, is to include the institute
@@ -1827,8 +1819,8 @@ membership roll, so these are included was well.
 

 

 

-

-
7.2. Configure Hostname

+

+
7.2. Configure Hostname

 

 

 This task ensures that Front's /etc/hostname and /etc/mailname are
@@ -1858,8 +1850,8 @@ delivery.
 

 

 

-

-
7.3. Add Administrator to System Groups

+

+
7.3. Add Administrator to System Groups

 

 

 The administrator often needs to read (directories of) log files owned
@@ -1918,8 +1910,8 @@ those stored in Secret/ssh_front/etc/ssh/
 

 

 

-

-
7.5. Configure Monkey

+

+
7.5. Configure Monkey

 

 

 The small institute runs cron jobs and web scripts that generate
@@ -1975,8 +1967,8 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.
 

 

 

-

-
7.7. Install Unattended Upgrades

+

+
7.7. Install Unattended Upgrades

 

 

 The institute prefers to install security updates as soon as possible.
@@ -1991,8 +1983,8 @@ The institute prefers to install security updates as soon as possible.
 

 

 

-
-

-
7.9. Install Server Certificate

+

+
7.9. Install Server Certificate

 

 

 The servers on Front use the same certificate (and key) to
@@ -2263,8 +2255,8 @@ created by a more specialized role.
 

 

 

-

-
7.12. Configure Dovecot IMAPd

+

+
7.12. Configure Dovecot IMAPd

 

 

 Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to
@@ -2620,8 +2612,8 @@ the users' ~/Public/HTML/ directories.
 

 

 

-

-
7.14. Configure OpenVPN

+

+
7.14. Configure OpenVPN

 

 

 Front uses OpenVPN to provide the institute's public VPN service.  The
@@ -2904,8 +2896,8 @@ Debian install and remote access to a privileged, administrator's
 account.  (For details, see The Core Machine.)
 

 

-

-
8.1. Include Particulars

+

+
8.1. Include Particulars

 

 

 The first task, as in The Front Role, is to include the institute
@@ -2927,8 +2919,8 @@ particulars and membership roll.
 

 

 

-

-
8.2. Configure Hostname

+

+
8.2. Configure Hostname

 

 

 This task ensures that Core's /etc/hostname and /etc/mailname are
@@ -2961,8 +2953,8 @@ proper email delivery.
 

 

 

-

-
8.3. Configure Systemd Resolved

+

+
8.3. Configure Systemd Resolved

 

 

 Core runs the campus name server, so Resolved is configured to use it
@@ -3385,8 +3377,8 @@ craps up /var/log/ and the Systemd journal.
 

 

 

-

-
8.7. Add Administrator to System Groups

+

+
8.7. Add Administrator to System Groups

 

 

 The administrator often needs to read (directories of) log files owned
@@ -3406,8 +3398,8 @@ these groups speeds up debugging.
 

 

 

-

-
8.8. Configure Monkey

+

+
8.8. Configure Monkey

 

 

 The small institute runs cron jobs and web scripts that generate
@@ -3474,8 +3466,8 @@ described in *Configure Apache2).
 

 

 

-

-
8.9. Install Unattended Upgrades

+

+
8.9. Install Unattended Upgrades

 

 

 The institute prefers to install security updates as soon as possible.
@@ -3507,8 +3499,8 @@ with Nextcloud on the command line.
 

 

 

-

-
8.11. Configure User Accounts

+

+
8.11. Configure User Accounts

 

 

 User accounts are created immediately so that backups can begin
@@ -3550,8 +3542,8 @@ describes the members and usernames variables.
 

 

 

-

-
8.12. Install Server Certificate

+

+
8.12. Install Server Certificate

 

 

 The servers on Core use the same certificate (and key) to authenticate
@@ -3775,8 +3767,8 @@ installed by more specialized roles.
 

 

 

-

-
8.16. Configure Dovecot IMAPd

+

+
8.16. Configure Dovecot IMAPd

 

 

 Core uses Dovecot's IMAPd to store and serve member emails.  As on
@@ -5559,8 +5551,8 @@ applied first, by which Gate gets a campus machine's DNS and Postfix
 configurations, etc.
 

 

-

-
9.1. Include Particulars

+

+
9.1. Include Particulars

 

 

 The following should be familiar boilerplate by now.
@@ -5929,8 +5921,8 @@ the daemon listens only on the Gate-WiFi network interface.
 

 

 

-

-
9.6. Install Server Certificate

+

+
9.6. Install Server Certificate

 

 

 The (OpenVPN) server on Gate uses an institute certificate (and key)
@@ -5957,8 +5949,8 @@ and Front) do.
 

 

 

-

-
9.7. Configure OpenVPN

+

+
9.7. Configure OpenVPN

 

 

 Gate uses OpenVPN to provide the institute's campus VPN service.  Its
@@ -6085,8 +6077,8 @@ Wireless campus devices can get a key to the campus VPN from the
 configured manually.
 

 

-

-
10.1. Include Particulars

+

+
10.1. Include Particulars

 

 

 The following should be familiar boilerplate by now.
@@ -6102,8 +6094,8 @@ The following should be familiar boilerplate by now.
 

 

 

-

-
10.2. Configure Hostname

+

+
10.2. Configure Hostname

 

 

 Clients should be using the expected host name.
@@ -6130,8 +6122,8 @@ Clients should be using the expected host name.
 

 

 

-

-
10.3. Configure Systemd Resolved

+

+
10.3. Configure Systemd Resolved

 

 

 Campus machines use the campus name server on Core (or dns.google),
@@ -6202,8 +6194,8 @@ and file timestamps.
 

 

 

-

-
10.5. Add Administrator to System Groups

+

+
10.5. Add Administrator to System Groups

 

 

 The administrator often needs to read (directories of) log files owned
@@ -6223,8 +6215,8 @@ these groups speeds up debugging.
 

 

 

-

-
10.6. Install Unattended Upgrades

+

+
10.6. Install Unattended Upgrades

 

 

 The institute prefers to install security updates as soon as possible.
@@ -9164,7 +9156,7 @@ routes on Front and Gate, making the simulation less… similar.
 

 

 
Author: Matt Birkholz

-
Created: 2024-03-09 Sat 10:34

+
Created: 2024-03-11 Mon 17:33

 
Validate

 

 
diff --git a/README.org b/README.org
index f0756e8..3a0dd1c 100644
--- a/README.org
+++ b/README.org
@@ -561,12 +561,6 @@ Finally, the institute uses an OpenPGP key to secure sensitive emails
     e.g. ~root@core.small.private~.
   - [[file:Secret/root-sec.pem][=Secret/root-sec.pem=]] :: The ASCII armored OpenPGP secret key.
 
-When [[*The CA Command][The CA Command]] sees an empty [[file:Secret/CA/][=Secret/CA/=]] directory, as
-though just created by running the EasyRSA ~make-cadir~ command in
-[[file:Secret/][=Secret/=]] (a new, encrypted volume), the ~./inst CA~ command creates
-all of the certificates and keys mentioned above.  It may prompt for
-the institute's full name.
-
 The institute administrator updates a couple encrypted copies of this
 drive after enrolling new members, changing a password, issuing VPN
 credentials, etc.
-- 
2.25.1