From 1d4e54a44cee72c34a0d28923da692e1502160f5 Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Mon, 26 Feb 2024 20:15:28 -0700 Subject: [PATCH] Update README.html. --- README.html | 445 ++++++++++++++++++++++++++++++++++------------------ 1 file changed, 293 insertions(+), 152 deletions(-) diff --git a/README.html b/README.html index 18d5193..34c26f8 100644 --- a/README.html +++ b/README.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + Birchwood Abbey Networks @@ -64,7 +64,7 @@ map is very similar, with differences mainly in terminology, philosophy, attitude.

-
+
                 |                                                   
                 =                                                   
               _|||_                                                 
@@ -136,8 +136,8 @@ with Apache2, spooling email with Postfix and serving it with
 Dovecot-IMAPd, and hosting a VPN with OpenVPN.
 

 
-

-
3.1. Install Emacs

+

+
3.1. Install Emacs

 

 

 The monks of the abbey are masters of the staff (bo) and Emacs.
@@ -789,7 +789,7 @@ certificate is a terminal session affair (with prompts and lines
 entered as shown below).
 

 
-
+
 $ sudo apt install python3-certbot-apache
 $ sudo certbot --apache -d birchwood-abbey.net
 ...
@@ -1008,10 +1008,30 @@ with Postfix and Dovecot, and providing essential localnet services:
 NTP, DNS and DHCP.
 

 

-

-
4.1. Install Additional Packages

+

+
4.1. Include Abbey Variables

 

 

+In this abbey specific document, most abbey particulars are not
+replaced with variables, but specified in-line.  Some, however, are
+private (e.g. database passwords), not to be published in this
+document, and so replaced with variables set in
+private/vars-abbey.yml.  The file path is relative to the playbook's
+directory, playbooks/.
+

+
+

+roles_t/abbey-core/tasks/main.yml
---
+- name: Include private abbey variables.
+  include_vars: ../private/vars-abbey.yml
+

+

+

+

+

+
4.2. Install Additional Packages

+

+

 The scripts that maintain the abbey's web site and run the Weather
 project use a number of additional software packages.  The
 /WWW/live/Private/make-top-index script uses HTML::TreeBuilder in
@@ -1021,7 +1041,7 @@ packages).
 

 
 

-roles_t/abbey-core/tasks/main.yml
---
+roles_t/abbey-core/tasks/main.yml
 - name: Install additional packages.
   apt:
     pkg: [ libhtml-tree-perl, libjs-jquery, mit-scheme, gnuplot ]
@@ -1030,8 +1050,8 @@ packages).
 

 

 

-
4.2. Configure Private Email Aliases

-

+
4.3. Configure Private Email Aliases

+

 

 The abbey uses several additional email aliases.  These are the campus
 mailboxes @*.birchwood-abbey.net.  The institute already includes
@@ -1071,8 +1091,8 @@ e.g. mythtv@mythtv.birchwood-abbey.net, locally.)
 

 

 

-
4.3. Configure Git Daemon on Core

-

+
4.4. Configure Git Daemon on Core

+

 

 These tasks are identical to those executed on Front, for similar Git
 services on Front and Core.  See 3.3 and
@@ -1123,8 +1143,8 @@ services on Front and Core.  See 3.3 and
 

 

 

-
4.4. Configure Apache on Core

-

+
4.5. Configure Apache on Core

+

 

 The Apache2 configuration on Core specifies three web sites (live,
 test, and campus).  The live and test sites must operate just like the
@@ -1257,8 +1277,8 @@ site on Front.  Their configurations include the same 
 

 

-
4.5. Configure Documentation URLs

-

+
4.6. Configure Documentation URLs

+

 

 The institute serves its /usr/share/doc/ on the house (campus) web
 site.  This is a debugging convenience, making some HTML documentation
@@ -1296,8 +1316,8 @@ directives that enable user Git publishing with Gitweb (defined 
-
4.6. Install Apt Cacher

-

+
4.7. Install Apt Cacher

+

 

 The abbey uses the Apt-Cacher:TNG package cache on Core.  The
 apt-cacher domain name is defined in private/db.domain.
@@ -1312,9 +1332,9 @@ The abbey uses the Apt-Cacher:TNG package cache on Core.  The
 

 

 

-

-
4.7. Use Cloister Apt Cache

-

+

+
4.8. Use Cloister Apt Cache

+

 

 Core itself will benefit from using the package cache.
 

@@ -1333,8 +1353,8 @@ Core itself will benefit from using the package cache.
 

 

 

-
4.8. Configure NAGIOS

-

+
4.9. Configure NAGIOS

+

 

 A small institute uses nagios4 to monitor the health of its network,
 with an initial smattering of monitors adopted from the Debian
@@ -1348,8 +1368,8 @@ customized check_sensors plugin (abbey_pisensors) in
 

 

 

-
4.9. Monitoring The Home Disk

-

+
4.10. Monitoring The Home Disk

+

 

 The abbey adds monitoring of the space remaining on the volume at
 /home/ on Core.  (The small institute only monitors the space
@@ -1385,8 +1405,8 @@ remaining on roots.)
 

 

 

-
4.10. Custom NAGIOS Monitor abbey_pisensors

-

+
4.11. Custom NAGIOS Monitor abbey_pisensors

+

 

 The check_sensors plugin is included in the package
 monitoring-plugins-basic, but it does not report any readings.  The
@@ -1479,8 +1499,8 @@ recognizable temperature in the sensors output.
 

 

 

-
4.11. Monitoring The Cloister

-

+
4.12. Monitoring The Cloister

+

 

 The abbey adds monitoring for more servers: Kamino, Kessel and
 Devaron.  They are abbey-cloister servers, so they are configured as
@@ -1495,9 +1515,31 @@ idiosyncratically in flux.  In particular, Kamino does not irritate
 Kessel is a wireless host while Kamino is wired.  Devaron, the
 Raspberry Pi OS (ARM64) machine, uses the abbey_pisensors monitor.
 

+

+

+
4.12.1. Cloister Network Addresses

+

+

+The IP addresses of all three hosts are nice to use in the NAGIOS
+configuration (to avoid depending on name service) and so are
+included in private/vars-abbey.yml.
+

 
+

+private/vars-abbey.yml
devaron_addr:               10.84.138.10
+kamino_addr:                192.168.56.14
+kessel_addr:                10.84.138.8
+

+

+

+

+

+
4.12.2. Installing NAGIOS Configurations

+

 

-Kamino is currently unmonitored as it is now rarely powered up.
+The following task installs each host's NAGIOS configuration.  Note
+that Kamino is not included.  It is currently unmonitored as it is now
+rarely powered up.
 

 
 

@@ -1511,7 +1553,11 @@ Kamino is currently unmonitored as it is now rarely powered up.
   notify: Reload NAGIOS4.
 

 
-
+
+
+

+
4.12.3. NAGIOS Monitoring of Devaron

+

 

 roles_t/abbey-core/templates/nagios-devaron.cfg
define host {
     use                     linux-server
@@ -1562,7 +1608,11 @@ Kamino is currently unmonitored as it is now rarely powered up.
 }
 

 

-
+

+

+

+
4.12.4. NAGIOS Monitoring of Kamino

+

 

 roles_t/abbey-core/templates/nagios-kamino.cfg
define host {
     use                     linux-server
@@ -1613,7 +1663,11 @@ Kamino is currently unmonitored as it is now rarely powered up.
 }
 

 

-
+

+

+

+
4.12.5. NAGIOS Monitoring of Kessel

+

 

 roles_t/abbey-core/templates/nagios-kessel.cfg
define host {
     use                     linux-server
@@ -1666,9 +1720,10 @@ Kamino is currently unmonitored as it is now rarely powered up.
 

 

 

+
 

-
4.12. Install Analog

-

+
4.13. Install Analog

+

 

 The abbey's public web site's access and error logs are emailed
 regularly to webmaster, who saves them in /Logs/apache2-public/
@@ -1722,8 +1777,8 @@ the campus as http://www/analog.html.
 

 

 

-
4.13. Add Monkey to Web Server Group

-

+
4.14. Add Monkey to Web Server Group

+

 

 Monkey needs to be in www-data so that it can run
 /WWW/live/Photos/Private/cronjob to publish photos from multiple
@@ -1745,8 +1800,8 @@ user cloud accounts, found in files owned by www-data, files like
 

 

 

-
4.14. Install netpbm For Photo Processing

-

+
4.15. Install netpbm For Photo Processing

+

 

 Monkey's photo processing scripts use netpbm commands like
 jpegtopnm.
@@ -1762,8 +1817,8 @@ Monkey's photo processing scripts use netpbm commands like
 

 

 

-
4.15. Configure Weather Updates

-

+
4.16. Configure Weather Updates

+

 

 Monkey on Core runs /WWW/campus/Weather/Private/cronjob every 5
 minutes and cronjob-midnight at midnight.
@@ -1827,24 +1882,41 @@ on Gate.  The adapters were then connected with a cross-over cable.
 

 
 

-The abbey could have avoided buying a separate campus Wi-Fi access
+The abbey could have avoided buying a separate cloister Wi-Fi access
 point, and used Starlink's Wi-Fi instead, with or without its add-on
 Ethernet interface.  Instead, the abbey invested in a 2.4GHz-only
 Think Penguin access point, and connected it to a third Ethernet
-interface on Gate.
+interface on Gate.  This was preferred for a number of reasons.
+

+
+

+The abbey uses ISPs other than Starlink, tethering to a cellphone when
+under trees, or even limping along on campground Wi-Fi where the land
+of woven trees has cut off even cell service.
+

+
+

+The abbey uses long and complex passwords, especially on public
+facing services like Wi-Fi.  Such a password has been laboriously
+entered into several household IoT devices.  Connecting them to a
+dedicated, ISP-independent cloister Wi-Fi access point ensures a
+reliable IoT with zero re-configuration.
 

 
 

-This was preferred for a number of reasons.  Using the add-on Ethernet
-interface allowed Starlink's Wi-Fi to be disabled, reducing the Wi-Fi
-clutter in the campground ether.  Starlink is not always available.
-(It does not work well under trees.)  A dedicated campus Wi-Fi is
-always available.  The password to the campus Wi-Fi is long and
-complex and has been laboriously entered into several household IoT
-devices.  The Think Penguin access point is transparent, trustworthy
-hardware that has earned a Respects Your Freedom certification (see
-https://ryf.fsf.org/).  And most importantly, a campus Wi-Fi keeps
-campus network traffic out of the hands of the abbey's ISPs.
+Using Starlink's add-on Ethernet interface allowed its Wi-Fi to be
+disabled, reducing the Wi-Fi clutter in the campground ether.
+

+
+

+The Think Penguin access point is transparent, trustworthy hardware
+that has earned a Respects Your Freedom certification (see
+https://ryf.fsf.org/).
+

+
+

+And most importantly, a dedicated and trustworthy cloister Wi-Fi keeps
+at least our local network traffic out of view of our ISPs.
 

 

 

@@ -1901,9 +1973,9 @@ service, using a 60-isp.yaml file similar to the lines below.
 Birchwood Abbey's cloister is a small institute campus.  The campus
 role configures all campus machines to trust the institute's CA, sync
 with the campus time server, and forward email to Core.  The
-cloister role additionally configures cloistered machines to use the
-cloister Apt cache, respond to Core's NAGIOS network monitor, and to
-install Emacs.  There are also a few OS specific tasks, namely
+abbey-cloister role additionally configures cloistered machines to
+use the cloister Apt cache, respond to Core's NAGIOS network monitor,
+and to install Emacs.  There are also a few OS specific tasks, namely
 configuration required on Raspberry Pi OS machines.
 

 
@@ -1915,8 +1987,8 @@ clients: Android, Debian and Campus.  The last type never roams, and
 is not associated with a member of the small institute.
 

 

-

-
6.1. Use Cloister Apt Cache

+

+
6.1. Use Cloister Apt Cache

 

 

 The Apt-Cacher:TNG program does not work well on the frontier, so is
@@ -1986,8 +2058,8 @@ Raspberry Pis (architecture aarch64) only.
 

 

 

-

-
6.3. Install Emacs

+

+
6.3. Install Emacs

 

 

 The monks of the abbey are masters of the staff and Emacs.
@@ -2054,7 +2126,7 @@ Listing them (e.g. running owdir /26.nnnnnnnn or owdir
 below.  A test session is shown below.
 

 
-
+
 monkey@new$ owdir
 ...
     /26.2153B6000000/
@@ -2490,15 +2562,13 @@ described in the final section, Configure Cameras, bel
 

 

 

-

-
8.4. Include Abbey Variables

+

+
8.4. Include Abbey Variables

 

 

-In this abbey specific document, most abbey particulars are not
-replaced with variables, but specified in-line.  Some, however, are
-not published (e.g. database passwords).  The variables that replace
-them are included from private/vars-abbey.yml.  Example values are
-given in this document.
+Private variables in private/vars-abbey.yml are needed, and included
+here, as in the abbey-core role.  The file path is relative to the
+playbook's directory, playbooks/.
 

 
 

@@ -2507,11 +2577,6 @@ given in this document.
   include_vars: ../private/vars-abbey.yml
- -

-The relative filename should be found only in the playbook's -directory, playbooks/. -

@@ -2924,15 +2989,13 @@ machine simply by adding it to the tvrs group.

-
-

9.3. Include Abbey Variables

+
+

9.3. Include Abbey Variables

-In this abbey specific document, most abbey particulars are not -replaced with variables, but specified in-line. Some, however, are -not published (e.g. database passwords). The variables that replace -them are included from private/vars-abbey.yml. Example values are -given in this document. +Private variables in private/vars-abbey.yml are needed, as in the +abbey-core role. The file path is relative to the playbook's +directory, playbooks/.

@@ -2941,11 +3004,6 @@ given in this document. include_vars: ../private/vars-abbey.yml
- -

-The relative filename should be found only in the playbook's -directory, playbooks/. -

@@ -3477,7 +3535,7 @@ the list of "inputs" available in a postal code typically ends with the OTA (over the air) broadcasts.

-
+
 $ tv_grab_zz_sdjson --configure --config-file .mythtv/Mr.Antenna.xmltv
 Cache file for lineups, schedules and programs.
 Cache file: [/home/mythtv/.xmltv/tv_grab_zz_sdjson.cache]
@@ -3938,7 +3996,7 @@ institutional roles, then the liturgical roles.
   hosts: gate
   roles: [ gate ]
 
-- name: Configure Campus
+- name: Configure Cloister
   hosts: campus
   roles: [ campus, abbey-cloister ]
 
@@ -4302,7 +4360,8 @@ given a private domain name as described in the following steps.
 
 

 Wireless IoT devices are manually configured with the cloister Wi-Fi
-password and may be given a private domain name as described here.
+password and may be given a private domain name as described in the
+last step:
 

 
 
    
@@ -4314,15 +4373,13 @@ password and may be given a private domain name as described here.
 
    12.2. Raspberry Pis
    
 
    
 
    
-The abbey's Raspberry Pis run Raspberry Pi OS, either the desktop
-(PIXEL) or the Lite version (for headless servers).  The following was
-the installation process with a wireless desktop Raspberry Pi OS
-Bookworm (12) machine.
+The abbey's Raspberry Pi runs the Raspberry Pi OS desktop off an
+external, USB3.0 SSD.  A fresh install should go something like this:
 
    
 
 
      
-
    • Write the disk image, 2023-10-10-raspios-bookworm-arm64.img.xz, to
-a fast (U3 and/or A1) µSD card and insert it in the Pi.
      • 
+
    • Write the disk image, 2023-12-05-raspios-bookworm-arm64.img.xz, to
+the SSD and plug it into the Pi.  Leave the µSD card socket empty.
      • 
 
    • Attach an HDMI monitor, a USB keyboard/mouse, and the cloister
 Ethernet, and power up.
      • 
 
    • Answer first-boot installation questions:
@@ -4431,8 +4488,8 @@ new device's MAC.
 
      
 With the new device's Ethernet MAC in hand, a stanza like the
 following is added to the bottom of private/core-dhcpd.conf.  The IP
-address must be unique.  Typically the next host number after the
-last entry is chosen.
+address must be unique.  Typically the next host number after the last
+entry is chosen.
 
      
 
 
      
@@ -4442,7 +4499,7 @@ last entry is chosen.
 
      
 
 
      
-The DHCP service is then restarted.
+The DHCP service is then restarted (not reloaded).
 
      
 
 
      
@@ -4526,7 +4583,7 @@ Create /etc/apt/apt.conf.d/01proxy.
 
       D=apt-cacher.small.private.
 echo "Acquire::http::Proxy \"http://$D:3142\";" \
-> | sudo tee /etc/apt/apt.conf.d/01proxy
+| sudo tee /etc/apt/apt.conf.d/01proxy
 
      • 
 
    • 
 Update the system and reboot.
@@ -4680,11 +4737,12 @@ desktop connected to the Wi-Fi using the following ping command.
 
      12.10. Connect to Cloister VPN
      
 
      
 
      
-Wireless devices connected to the cloister Wi-Fi will get an IP
-address on the access point's local network and a default route to the
-Internet, per the default configuration of a commodity cable modem
-with Wi-Fi access point included.  Access to further abbey resources,
-however, is possible only via the cloister VPN.
+Wireless devices (with the cloister Wi-Fi password) can get an IP
+address and a default route to the Internet with no special
+configuration.  Neither said devices nor the access point require
+special configuration.  Any Wi-Fi access point, e.g. as found in a
+cable modem, will work with zero configuration.  The abbey's networks,
+however, are not accessible except via the cloister VPN.
 
      
 
 
      
@@ -4705,29 +4763,30 @@ cloister VPN via the following process.
 
 
        
 
      • Create a new client certificate and OpenVPN configuration for the
-new campus server.
        • 
-
      • Copy the campus.ovpn file to /etc/openvpn/cloister.conf.
        • 
-
      • In a secure shell session on the new machine as sysadm:
        • 
-
      • Install the openvpn and openvpn-systemd-resolved software
-packages.
        • 
-
      • Start the SystemD service unit.
        • 
-
      • Test the connection (and name resolution).
        • 
-
      • Enable the SystemD service unit.
        • 
-
      • Clean up secrets on the new machine.
        • 
-
      • Clean up secrets on the administrator's machine.
        • 
+new abbey server.
+
      • Copy the campus.ovpn file to the new machine.
        • 
+
      • On the new machine:
        • 
+
      • Install the openvpn-systemd-resolved package.
        • 
+
      • Copy campus.ovpn to /etc/openvpn/cloister.conf.
        • 
+
      • Start the OpenVPN service.
        • 
+
      • Check that the cloister VPN was connected.
        • 
+
      • Logout and unplug the cloister Ethernet.
        • 
+
      • Test the cloister VPN connection (and private name resolution)
+with ping -c1 core.
        • 
 
      
 
 
      
-And these are the commands.
+And these are the commands:
 
      
 
 
      
 
      ./abbey client campus new
 scp campus.ovpn sysadm@new-w:
 ssh sysadm@new-w
-sudo apt install openvpn openvpn-systemd-resolved
-( cd; umask 077; sudo cp campus.ovpn /etc/openvpn/cloister.conf )
+sudo apt install openvpn-systemd-resolved
+sudo cp campus.ovpn /etc/openvpn/cloister.conf
 sudo systemctl start openvpn@cloister
+systemctl status openvpn@cloister
 ping -c1 core
 sudo systemctl enable openvpn@cloister
 rm campus.ovpn
@@ -4735,67 +4794,149 @@ rm campus.ovpn
 rm campus.ovpn
 
      
 
      
+
+
      
+It may be necessary to reboot before the final tests.
+
      
 
      
 
    
 
    
 
    12.10.2. Debian Desktops
    
 
    
 
    
-Wireless Debian desktop machines (both PCs and Pis, running
-NetworkManager) and are connected to the cloister VPN via the
-following process.  Note that they do not appear in the set of
-campus hosts and are not configured by Ansible.  They do not appear
-in Ansible's host inventory at all unless the desktop owner is willing
-to provide the password to a privileged account on their machine.
+Wireless Debian desktops (with NetworkManager) include our 8GB Core i3
+NUC (Intel®'s Next Unit of Computing) and our 8GB Raspberry Pi 4.
+They run the Pop!OS and Raspberry Pi OS desktops respectively.  They
+are connected to the cloister VPN via the following process.
 
    
 
 
      
-
    • Create a new client certificate and campus/public OpenVPN
-configurations for the new abbey desktop.
      • 
-
    • Copy the campus.ovpn and public.ovpn files to the new desktop.
      • 
-
    • Install the openvpn, openvpn-systemd-resolved and
-network-manager-openvpn-gnome packages on the new desktop.
      • 
+
    • Create a new client certificate and OpenVPN configuration for the
+new abbey desktop, a campus.ovpn file.
      • 
+
    • 
+Create a wifi file that looks like this (assuming the wireless
+network device is named wlan0).
+
      
+
+
      +auto wlan0
+iface wlan0 inet dhcp
+    wpa-ssid "Birchwood Abbey"
+    wpa-psk "PASSWORD"
+
      • 
+
+
    • Copy the wifi and campus.ovpn files to the new machine.
      • 
+
    • On the new machine:
      • 
+
    • Install the openvpn-systemd-resolved package.
      • 
+
    • Copy wifi to /etc/network/interfaces.d/.
      • 
+
    • Bring up the Wi-Fi interface.
      • 
+
    • Copy campus.ovpn to /etc/openvpn/cloister.conf.
      • 
+
    • Start the OpenVPN service.
      • 
+
    • Check that the cloister VPN was connected.
      • 
+
    • Logout and unplug the cloister Ethernet.
      • 
+
    • Test the cloister VPN connection (and private name resolution)
+with ping -c1 core.
      • 
+
    
+
+
    
+And these are the commands:
+
    
+
+
    
+
    ./abbey client campus new
+scp wifi campus.ovpn sysadm@new-w:
+ssh sysadm@new-w
+sudo apt install openvpn-systemd-resolved
+sudo cp wifi /etc/network/interfaces.d/
+sudo ifup wlan0
+sudo cp campus.ovpn /etc/openvpn/cloister.conf
+sudo systemctl start openvpn@cloister
+systemctl status openvpn@cloister
+ping -c1 core
+sudo systemctl enable openvpn@cloister
+rm wifi campus.ovpn
+logout
+rm wifi campus.ovpn
+
    
+
    
+
+
    
+It may be necessary to reboot before the final tests.
+
    
+
+
    
+As configured above, the wireless Debian desktops make automatic,
+persistent connections to the cloister Wi-Fi and VPN, and so can be
+used much like a wired desktop machine.  They are typically connected
+to a large TV and auto-login to an unprivileged account named house,
+i.e. anyone in the house.
+
    
+
    
+
    
+
    
+
    12.10.3. Private Desktops
    
+
    
+
    
+Member notebooks are private machines not remotely administered by the
+abbey.  These machines roam, and so are authorized to connect to the
+cloister VPN or the public VPN.  This is how they are connected to the
+VPNs:
+
    
+
+
      
+
    • Create a new client certificate and OpenVPN configurations for the
+new abbey desktop, campus.ovpn and public.ovnp files.
      • 
+
    • Copy the campus.ovpn and public.ovpn files to the new machine.
      • 
+
    • On the new machine:
      • 
+
    • Install the openvpn-systemd-resolved and
+network-manager-openvpn-gnome packages.
      • 
 
    • Open the desktop Settings > Network > VPN + > Import from
 file… and choose ~/campus.ovpn.
      • 
 
    • Open the Routes dialogues for both IPv4 and IPv6 and choose
 "Use this connection only for resources on its network.".
      • 
 
    • Save the new VPN.
      • 
 
    • Do the same with the ~/public.ovpn file.
      • 
-
    • Connected the cloister VPN and test it with ping -c1 core.
      • 
-
    • Expunge the ~/campus.ovpn and ~/public.ovpn just as the system
-administrator will have already done.
      • 
+
    • Connect the appropriate VPN and test it (and private name
+resolution) with ping -c1 core.
      • 
+
    • Expunge (delete and empty the trash) the ~/campus.ovpn and
+~/public.ovpn files.
      • 
 
    
 
 
    
-And these are the commands, assuming there is a privileged sysadm
-account available on the new desktop machine.
+We assume the desktop is running NetworkManager, which is the case in
+all our Debian desktops from Pop!OS and Ubuntu to Mint and Raspberry
+Pi OS.
 
    
 
-
    
-
    ./abbey client debian dicks-notebook dick
-scp campus.ovpn public.ovpn sysadm@dicks-notebook.lan:
-rm campus.ovpn public.ovpn
-ssh sysadm@dicks-notebook.lan
-sudo apt install openvpn openvpn-systemd-resolved \
-                 network-manager-openvpn-gnome
-ping -c1 core.small.private.
-
    
-
    
+
    
+Note that a new member's notebook does not need to be patched to the
+cloister Ethernet nor connected to the cloister Wi-Fi.  It can be
+authorized "remotely" simply by copying the .ovpn files securely,
+e.g. using ssh to any "known host" on the Internet.
+
    
 
 
    
-Note that Dick's notebook does not need to connect to the cloister
-Ethernet.  It is authorized simply by copying the .ovpn files
-securely (e.g. using ssh) to a local domain name provided by the
-Wi-Fi AP (dicks-notebook.lan).  If the AP does not provide a local
-domain name, the machine's Wi-Fi IP address,
-e.g. sysadm@192.168.10.225, can be used instead.  (This IP address
-is often revealed in the desktop network settings.)
+The members of A Small Institute are peers, and enjoy complete,
+individual privacy.  The administrator does not expect to have "root
+access" to members' machines, their desktops, personal diaries and
+photos.  The monks of the abbey are brothers, and tolerate a little
+less than complete individual privacy (still expecting all necessary
+and appropriate privacy, being in a position to punish deviants).
+
    
+
+
    
+Our private notebooks are included in the Ansible inventory, mainly so
+they can be included in the weekly (or more frequent!) network
+upgrades.  The campus and abbey-cloister roles are not applied
+though their Postfix and other configurations are recommended.  Remote
+access by the administrator is authorized and the privileged account's
+password is included in Secret/become.yml.
 
    
 
    
 
    
 
    
-
    12.10.3. Android
    
-
    
+
    12.10.4. Android
    
+
    
 
    
 Android phones and tablets are connected to the cloister VPN via the
 following process.  Note that they do not appear in the set of
@@ -4893,7 +5034,7 @@ to private/db.campus_vpn.)
 
    
 
    
 
    Author: Matt Birkholz
    
-
    Created: 2024-01-01 Mon 10:48
    
+
    Created: 2024-02-26 Mon 20:06
    
 
    Validate
    
 
    
 
-- 
2.25.1