From 1d4e54a44cee72c34a0d28923da692e1502160f5 Mon Sep 17 00:00:00 2001
From: Matt Birkholz
+| = _|||_ @@ -136,8 +136,8 @@ with Apache2, spooling email with Postfix and serving it with Dovecot-IMAPd, and hosting a VPN with OpenVPN. --3.1. Install Emacs
++3.1. Install Emacs
-The monks of the abbey are masters of the staff (bo) and Emacs. @@ -789,7 +789,7 @@ certificate is a terminal session affair (with prompts and lines entered as shown below).
-+$ sudo apt install python3-certbot-apache $ sudo certbot --apache -d birchwood-abbey.net ... @@ -1008,10 +1008,30 @@ with Postfix and Dovecot, and providing essential localnet services: NTP, DNS and DHCP.-4.1. Install Additional Packages
+++4.1. Include Abbey Variables
++In this abbey specific document, most abbey particulars are not +replaced with variables, but specified in-line. Some, however, are +private (e.g. database passwords), not to be published in this +document, and so replaced with variables set in +
+ +private/vars-abbey.yml. The file path is relative to the playbook's +directory,playbooks/. +++roles_t/abbey-core/tasks/main.yml--- +- name: Include private abbey variables. + include_vars: ../private/vars-abbey.yml +++4.2. Install Additional Packages
++The scripts that maintain the abbey's web site and run the Weather project use a number of additional software packages. The
/WWW/live/Private/make-top-indexscript usesHTML::TreeBuilder
in @@ -1021,7 +1041,7 @@ packages).-roles_t/abbey-core/tasks/main.yml--- +roles_t/abbey-core/tasks/main.yml- name: Install additional packages. apt: pkg: [ libhtml-tree-perl, libjs-jquery, mit-scheme, gnuplot ] @@ -1030,8 +1050,8 @@ packages).-4.2. Configure Private Email Aliases
-+4.3. Configure Private Email Aliases
+The abbey uses several additional email aliases. These are the campus mailboxes
@*.birchwood-abbey.net
. The institute already includes @@ -1071,8 +1091,8 @@ e.g.mythtv@mythtv.birchwood-abbey.net
, locally.)-4.3. Configure Git Daemon on Core
-+4.4. Configure Git Daemon on Core
+-4.4. Configure Apache on Core
-+4.5. Configure Apache on Core
+The Apache2 configuration on Core specifies three web sites (live, test, and campus). The live and test sites must operate just like the @@ -1257,8 +1277,8 @@ site on Front. Their configurations include the same
-4.5. Configure Documentation URLs
-+4.6. Configure Documentation URLs
+-The institute serves its
/usr/share/doc/on the house (campus) web site. This is a debugging convenience, making some HTML documentation @@ -1296,8 +1316,8 @@ directives that enable user Git publishing with Gitweb (defined -4.6. Install Apt Cacher
-+4.7. Install Apt Cacher
+The abbey uses the Apt-Cacher:TNG package cache on Core. The
apt-cacher
domain name is defined inprivate/db.domain. @@ -1312,9 +1332,9 @@ The abbey uses the Apt-Cacher:TNG package cache on Core. The-4.7. Use Cloister Apt Cache
-++4.8. Use Cloister Apt Cache
+Core itself will benefit from using the package cache.
@@ -1333,8 +1353,8 @@ Core itself will benefit from using the package cache.-4.8. Configure NAGIOS
-+4.9. Configure NAGIOS
+A small institute uses
nagios4
to monitor the health of its network, with an initial smattering of monitors adopted from the Debian @@ -1348,8 +1368,8 @@ customizedcheck_sensors
plugin (abbey_pisensors
) in-4.9. Monitoring The Home Disk
-+4.10. Monitoring The Home Disk
+The abbey adds monitoring of the space remaining on the volume at
/home/on Core. (The small institute only monitors the space @@ -1385,8 +1405,8 @@ remaining on roots.)-4.10. Custom NAGIOS Monitor
-abbey_pisensors
+4.11. Custom NAGIOS Monitor
+abbey_pisensors
The
check_sensors
plugin is included in the packagemonitoring-plugins-basic
, but it does not report any readings. The @@ -1479,8 +1499,8 @@ recognizable temperature in thesensors
output.-4.11. Monitoring The Cloister
-+4.12. Monitoring The Cloister
++The abbey adds monitoring for more servers: Kamino, Kessel and Devaron. They are
+abbey-cloister
servers, so they are configured as @@ -1495,9 +1515,31 @@ idiosyncratically in flux. In particular, Kamino does not irritate Kessel is a wireless host while Kamino is wired. Devaron, the Raspberry Pi OS (ARM64) machine, uses theabbey_pisensors
monitor.++4.12.1. Cloister Network Addresses
++++The IP addresses of all three hosts are nice to use in the NAGIOS +configuration (to avoid depending on name service) and so are +included in
+private/vars-abbey.yml. +++private/vars-abbey.ymldevaron_addr: 10.84.138.10 +kamino_addr: 192.168.56.14 +kessel_addr: 10.84.138.8 ++++4.12.2. Installing NAGIOS Configurations
++-Kamino is currently unmonitored as it is now rarely powered up. +The following task installs each host's NAGIOS configuration. Note +that Kamino is not included. It is currently unmonitored as it is now +rarely powered up.
@@ -1511,7 +1553,11 @@ Kamino is currently unmonitored as it is now rarely powered up. notify: Reload NAGIOS4.- +++4.12.3. NAGIOS Monitoring of Devaron
++- +roles_t/abbey-core/templates/nagios-devaron.cfgdefine host { use linux-server @@ -1562,7 +1608,11 @@ Kamino is currently unmonitored as it is now rarely powered up. }
++4.12.4. NAGIOS Monitoring of Kamino
++- +roles_t/abbey-core/templates/nagios-kamino.cfgdefine host { use linux-server @@ -1613,7 +1663,11 @@ Kamino is currently unmonitored as it is now rarely powered up. }
++4.12.5. NAGIOS Monitoring of Kessel
+roles_t/abbey-core/templates/nagios-kessel.cfgdefine host { use linux-server @@ -1666,9 +1720,10 @@ Kamino is currently unmonitored as it is now rarely powered up.
-4.12. Install Analog
-+4.13. Install Analog
+The abbey's public web site's access and error logs are emailed regularly to
webmaster
, who saves them in/Logs/apache2-public/@@ -1722,8 +1777,8 @@ the campus ashttp://www/analog.html
.-4.13. Add Monkey to Web Server Group
-+4.14. Add Monkey to Web Server Group
+Monkey needs to be in
www-data
so that it can run/WWW/live/Photos/Private/cronjobto publish photos from multiple @@ -1745,8 +1800,8 @@ user cloud accounts, found in files owned bywww-data
, files like-4.14. Install netpbm For Photo Processing
-+4.15. Install netpbm For Photo Processing
+Monkey's photo processing scripts use
netpbm
commands likejpegtopnm
. @@ -1762,8 +1817,8 @@ Monkey's photo processing scripts usenetpbm
commands like--4.15. Configure Weather Updates
-+@@ -1901,9 +1973,9 @@ service, using a4.16. Configure Weather Updates
+Monkey on Core runs
/WWW/campus/Weather/Private/cronjobevery 5 minutes andcronjob-midnightat midnight. @@ -1827,24 +1882,41 @@ on Gate. The adapters were then connected with a cross-over cable.-The abbey could have avoided buying a separate campus Wi-Fi access +The abbey could have avoided buying a separate cloister Wi-Fi access point, and used Starlink's Wi-Fi instead, with or without its add-on Ethernet interface. Instead, the abbey invested in a 2.4GHz-only Think Penguin access point, and connected it to a third Ethernet -interface on Gate. +interface on Gate. This was preferred for a number of reasons. +
+ ++The abbey uses ISPs other than Starlink, tethering to a cellphone when +under trees, or even limping along on campground Wi-Fi where the land +of woven trees has cut off even cell service. +
+ ++The abbey uses long and complex passwords, especially on public +facing services like Wi-Fi. Such a password has been laboriously +entered into several household IoT devices. Connecting them to a +dedicated, ISP-independent cloister Wi-Fi access point ensures a +reliable IoT with zero re-configuration.
-This was preferred for a number of reasons. Using the add-on Ethernet -interface allowed Starlink's Wi-Fi to be disabled, reducing the Wi-Fi -clutter in the campground ether. Starlink is not always available. -(It does not work well under trees.) A dedicated campus Wi-Fi is -always available. The password to the campus Wi-Fi is long and -complex and has been laboriously entered into several household IoT -devices. The Think Penguin access point is transparent, trustworthy -hardware that has earned a Respects Your Freedom certification (see -https://ryf.fsf.org/). And most importantly, a campus Wi-Fi keeps -campus network traffic out of the hands of the abbey's ISPs. +Using Starlink's add-on Ethernet interface allowed its Wi-Fi to be +disabled, reducing the Wi-Fi clutter in the campground ether. +
+ ++The Think Penguin access point is transparent, trustworthy hardware +that has earned a Respects Your Freedom certification (see +https://ryf.fsf.org/). +
+ ++And most importantly, a dedicated and trustworthy cloister Wi-Fi keeps +at least our local network traffic out of view of our ISPs.
60-isp.yamlfile similar to the lines below. Birchwood Abbey's cloister is a small institute campus. Thecampus
role configures all campus machines to trust the institute's CA, sync with the campus time server, and forward email to Core. The -cloister
role additionally configures cloistered machines to use the -cloister Apt cache, respond to Core's NAGIOS network monitor, and to -install Emacs. There are also a few OS specific tasks, namely +abbey-cloister
role additionally configures cloistered machines to +use the cloister Apt cache, respond to Core's NAGIOS network monitor, +and to install Emacs. There are also a few OS specific tasks, namely configuration required on Raspberry Pi OS machines. @@ -1915,8 +1987,8 @@ clients: Android, Debian and Campus. The last type never roams, and is not associated with a member of the small institute.--6.1. Use Cloister Apt Cache
++6.1. Use Cloister Apt Cache
The Apt-Cacher:TNG program does not work well on the frontier, so is @@ -1986,8 +2058,8 @@ Raspberry Pis (architecture
aarch64
) only.-6.3. Install Emacs
++-6.3. Install Emacs
The monks of the abbey are masters of the staff and Emacs. @@ -2054,7 +2126,7 @@ Listing them (e.g. running
-owdir /26.nnnnnnnn
orowdir below. A test session is shown below.
+monkey@new$ owdir ... /26.2153B6000000/ @@ -2490,15 +2562,13 @@ described in the final section, Configure Cameras, bel--8.4. Include Abbey Variables
++8.4. Include Abbey Variables
-In this abbey specific document, most abbey particulars are not -replaced with variables, but specified in-line. Some, however, are -not published (e.g. database passwords). The variables that replace -them are included from
private/vars-abbey.yml. Example values are -given in this document. +Private variables inprivate/vars-abbey.ymlare needed, and included +here, as in theabbey-core
role. The file path is relative to the +playbook's directory,playbooks/.@@ -2507,11 +2577,6 @@ given in this document. include_vars: ../private/vars-abbey.yml- --The relative filename should be found only in the playbook's -directory,
playbooks/. -@@ -2924,15 +2989,13 @@ machine simply by adding it to thetvrs
group.-9.3. Include Abbey Variables
++9.3. Include Abbey Variables
-In this abbey specific document, most abbey particulars are not -replaced with variables, but specified in-line. Some, however, are -not published (e.g. database passwords). The variables that replace -them are included from
private/vars-abbey.yml. Example values are -given in this document. +Private variables inprivate/vars-abbey.ymlare needed, as in the +abbey-core
role. The file path is relative to the playbook's +directory,playbooks/.@@ -2941,11 +3004,6 @@ given in this document. include_vars: ../private/vars-abbey.yml- --The relative filename should be found only in the playbook's -directory,
playbooks/. -@@ -3477,7 +3535,7 @@ the list of "inputs" available in a postal code typically ends with the OTA (over the air) broadcasts. -+$ tv_grab_zz_sdjson --configure --config-file .mythtv/Mr.Antenna.xmltv Cache file for lineups, schedules and programs. Cache file: [/home/mythtv/.xmltv/tv_grab_zz_sdjson.cache] @@ -3938,7 +3996,7 @@ institutional roles, then the liturgical roles. hosts: gate roles: [ gate ] -- name: Configure Campus +- name: Configure Cloister hosts: campus roles: [ campus, abbey-cloister ] @@ -4302,7 +4360,8 @@ given a private domain name as described in the following steps.Wireless IoT devices are manually configured with the cloister Wi-Fi -password and may be given a private domain name as described here. +password and may be given a private domain name as described in the +last step:
@@ -4314,15 +4373,13 @@ password and may be given a private domain name as described here.
12.2. Raspberry Pis
-The abbey's Raspberry Pis run Raspberry Pi OS, either the desktop -(PIXEL) or the Lite version (for headless servers). The following was -the installation process with a wireless desktop Raspberry Pi OS -Bookworm (12) machine. +The abbey's Raspberry Pi runs the Raspberry Pi OS desktop off an +external, USB3.0 SSD. A fresh install should go something like this:
-
- Write the disk image,
+2023-10-10-raspios-bookworm-arm64.img.xz, to -a fast (U3 and/or A1) µSD card and insert it in the Pi.- Write the disk image,
2023-12-05-raspios-bookworm-arm64.img.xz, to +the SSD and plug it into the Pi. Leave the µSD card socket empty.- Attach an HDMI monitor, a USB keyboard/mouse, and the cloister Ethernet, and power up.
- Answer first-boot installation questions: @@ -4431,8 +4488,8 @@ new device's MAC.
With the new device's Ethernet MAC in hand, a stanza like the following is added to the bottom of
private/core-dhcpd.conf. The IP -address must be unique. Typically the next host number after the -last entry is chosen. +address must be unique. Typically the next host number after the last +entry is chosen.@@ -4442,7 +4499,7 @@ last entry is chosen.-The DHCP service is then restarted. +The DHCP service is then restarted (not reloaded).
@@ -4526,7 +4583,7 @@ Create/etc/apt/apt.conf.d/01proxy.D=apt-cacher.small.private. echo "Acquire::http::Proxy \"http://$D:3142\";" \ -> | sudo tee /etc/apt/apt.conf.d/01proxy +| sudo tee /etc/apt/apt.conf.d/01proxyUpdate the system and reboot. @@ -4680,11 +4737,12 @@ desktop connected to the Wi-Fi using the following
ping
command.12.10. Connect to Cloister VPN
-Wireless devices connected to the cloister Wi-Fi will get an IP -address on the access point's local network and a default route to the -Internet, per the default configuration of a commodity cable modem -with Wi-Fi access point included. Access to further abbey resources, -however, is possible only via the cloister VPN. +Wireless devices (with the cloister Wi-Fi password) can get an IP +address and a default route to the Internet with no special +configuration. Neither said devices nor the access point require +special configuration. Any Wi-Fi access point, e.g. as found in a +cable modem, will work with zero configuration. The abbey's networks, +however, are not accessible except via the cloister VPN.
@@ -4705,29 +4763,30 @@ cloister VPN via the following process.
- Create a new client certificate and OpenVPN configuration for the -new campus server.
-- Copy the
-campus.ovpnfile to/etc/openvpn/cloister.conf.- In a secure shell session on the new machine as
-sysadm
:- Install the
-openvpn
andopenvpn-systemd-resolved
software -packages.- Start the SystemD service unit.
-- Test the connection (and name resolution).
-- Enable the SystemD service unit.
-- Clean up secrets on the new machine.
-- Clean up secrets on the administrator's machine.
+new abbey server. +- Copy the
+campus.ovpnfile to the new machine.- On the new machine:
+- Install the
+openvpn-systemd-resolved
package.- Copy
+campus.ovpnto/etc/openvpn/cloister.conf.- Start the OpenVPN service.
+- Check that the cloister VPN was connected.
+- Logout and unplug the cloister Ethernet.
+- Test the cloister VPN connection (and private name resolution) +with
ping -c1 core
.-And these are the commands. +And these are the commands:
+ +./abbey client campus new scp campus.ovpn sysadm@new-w: ssh sysadm@new-w -sudo apt install openvpn openvpn-systemd-resolved -( cd; umask 077; sudo cp campus.ovpn /etc/openvpn/cloister.conf ) +sudo apt install openvpn-systemd-resolved +sudo cp campus.ovpn /etc/openvpn/cloister.conf sudo systemctl start openvpn@cloister +systemctl status openvpn@cloister ping -c1 core sudo systemctl enable openvpn@cloister rm campus.ovpn @@ -4735,67 +4794,149 @@ rm campus.ovpn rm campus.ovpn+It may be necessary to reboot before the final tests. +
+12.10.2. Debian Desktops
+-Wireless Debian desktop machines (both PCs and Pis, running -NetworkManager) and are connected to the cloister VPN via the -following process. Note that they do not appear in the set of -
campus
hosts and are not configured by Ansible. They do not appear -in Ansible's host inventory at all unless the desktop owner is willing -to provide the password to a privileged account on their machine. +Wireless Debian desktops (with NetworkManager) include our 8GB Core i3 +NUC (Intel®'s Next Unit of Computing) and our 8GB Raspberry Pi 4. +They run the Pop!OS and Raspberry Pi OS desktops respectively. They +are connected to the cloister VPN via the following process.-
+ +- Create a new client certificate and campus/public OpenVPN -configurations for the new abbey desktop.
-- Copy the
-campus.ovpnandpublic.ovpnfiles to the new desktop.- Install the
+openvpn
,openvpn-systemd-resolved
and -network-manager-openvpn-gnome
packages on the new desktop.- Create a new client certificate and OpenVPN configuration for the +new abbey desktop, a
+campus.ovpnfile.- + +
+Create a
+ +wififile that looks like this (assuming the wireless +network device is namedwlan0
). ++auto wlan0 +iface wlan0 inet dhcp + wpa-ssid "Birchwood Abbey" + wpa-psk "PASSWORD" +- Copy the
+wifiandcampus.ovpnfiles to the new machine.- On the new machine:
+- Install the
+openvpn-systemd-resolved
package.- Copy
+wifito/etc/network/interfaces.d/.- Bring up the Wi-Fi interface.
+- Copy
+campus.ovpnto/etc/openvpn/cloister.conf.- Start the OpenVPN service.
+- Check that the cloister VPN was connected.
+- Logout and unplug the cloister Ethernet.
+- Test the cloister VPN connection (and private name resolution) +with
+ping -c1 core
.+And these are the commands: +
+ +++ +./abbey client campus new +scp wifi campus.ovpn sysadm@new-w: +ssh sysadm@new-w +sudo apt install openvpn-systemd-resolved +sudo cp wifi /etc/network/interfaces.d/ +sudo ifup wlan0 +sudo cp campus.ovpn /etc/openvpn/cloister.conf +sudo systemctl start openvpn@cloister +systemctl status openvpn@cloister +ping -c1 core +sudo systemctl enable openvpn@cloister +rm wifi campus.ovpn +logout +rm wifi campus.ovpn +
++It may be necessary to reboot before the final tests. +
+ ++As configured above, the wireless Debian desktops make automatic, +persistent connections to the cloister Wi-Fi and VPN, and so can be +used much like a wired desktop machine. They are typically connected +to a large TV and auto-login to an unprivileged account named
+house
, +i.e. anyone in the house. ++12.10.3. Private Desktops
+++Member notebooks are private machines not remotely administered by the +abbey. These machines roam, and so are authorized to connect to the +cloister VPN or the public VPN. This is how they are connected to the +VPNs: +
+ ++
- Create a new client certificate and OpenVPN configurations for the +new abbey desktop,
+campus.ovpnandpublic.ovnpfiles.- Copy the
+campus.ovpnandpublic.ovpnfiles to the new machine.- On the new machine:
+- Install the
openvpn-systemd-resolved
and +network-manager-openvpn-gnome
packages.- Open the desktop Settings > Network > VPN + > Import from file… and choose
~/campus.ovpn.- Open the Routes dialogues for both IPv4 and IPv6 and choose "Use this connection only for resources on its network.".
- Save the new VPN.
- Do the same with the
-~/public.ovpnfile.- Connected the cloister VPN and test it with
-ping -c1 core
.- Expunge the
+~/campus.ovpnand~/public.ovpnjust as the system -administrator will have already done.- Connect the appropriate VPN and test it (and private name +resolution) with
+ping -c1 core
.- Expunge (delete and empty the trash) the
~/campus.ovpnand +~/public.ovpnfiles.-And these are the commands, assuming there is a privileged
-sysadm
-account available on the new desktop machine. +We assume the desktop is running NetworkManager, which is the case in +all our Debian desktops from Pop!OS and Ubuntu to Mint and Raspberry +Pi OS.-+./abbey client debian dicks-notebook dick -scp campus.ovpn public.ovpn sysadm@dicks-notebook.lan: -rm campus.ovpn public.ovpn -ssh sysadm@dicks-notebook.lan -sudo apt install openvpn openvpn-systemd-resolved \ - network-manager-openvpn-gnome -ping -c1 core.small.private. -
-+Note that a new member's notebook does not need to be patched to the +cloister Ethernet nor connected to the cloister Wi-Fi. It can be +authorized "remotely" simply by copying the
.ovpnfiles securely, +e.g. usingssh
to any "known host" on the Internet. +-Note that Dick's notebook does not need to connect to the cloister -Ethernet. It is authorized simply by copying the
+ +.ovpnfiles -securely (e.g. usingssh
) to a local domain name provided by the -Wi-Fi AP (dicks-notebook.lan
). If the AP does not provide a local -domain name, the machine's Wi-Fi IP address, -e.g.sysadm@192.168.10.225
, can be used instead. (This IP address -is often revealed in the desktop network settings.) +The members of A Small Institute are peers, and enjoy complete, +individual privacy. The administrator does not expect to have "root +access" to members' machines, their desktops, personal diaries and +photos. The monks of the abbey are brothers, and tolerate a little +less than complete individual privacy (still expecting all necessary +and appropriate privacy, being in a position to punish deviants). ++Our private notebooks are included in the Ansible inventory, mainly so +they can be included in the weekly (or more frequent!) network +upgrades. The
campus
andabbey-cloister
roles are not applied +though their Postfix and other configurations are recommended. Remote +access by the administrator is authorized and the privileged account's +password is included inSecret/become.yml.-12.10.3. Android
-+12.10.4. Android
+-- 2.25.1 -Android phones and tablets are connected to the cloister VPN via the following process. Note that they do not appear in the set of @@ -4893,7 +5034,7 @@ to
private/db.campus_vpn.)