From 1d4e54a44cee72c34a0d28923da692e1502160f5 Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Mon, 26 Feb 2024 20:15:28 -0700 Subject: [PATCH] Update README.html. --- README.html | 445 ++++++++++++++++++++++++++++++++++------------------ 1 file changed, 293 insertions(+), 152 deletions(-) diff --git a/README.html b/README.html index 18d5193..34c26f8 100644 --- a/README.html +++ b/README.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + Birchwood Abbey Networks @@ -64,7 +64,7 @@ map is very similar, with differences mainly in terminology, philosophy, attitude.

-
+
                 |                                                   
                 =                                                   
               _|||_                                                 
@@ -136,8 +136,8 @@ with Apache2, spooling email with Postfix and serving it with
 Dovecot-IMAPd, and hosting a VPN with OpenVPN.
 

-
-

3.1. Install Emacs

+
+

3.1. Install Emacs

The monks of the abbey are masters of the staff (bo) and Emacs. @@ -789,7 +789,7 @@ certificate is a terminal session affair (with prompts and lines entered as shown below).

-
+
 $ sudo apt install python3-certbot-apache
 $ sudo certbot --apache -d birchwood-abbey.net
 ...
@@ -1008,10 +1008,30 @@ with Postfix and Dovecot, and providing essential localnet services:
 NTP, DNS and DHCP.
 

-
-

4.1. Install Additional Packages

+
+

4.1. Include Abbey Variables

+In this abbey specific document, most abbey particulars are not +replaced with variables, but specified in-line. Some, however, are +private (e.g. database passwords), not to be published in this +document, and so replaced with variables set in +private/vars-abbey.yml. The file path is relative to the playbook's +directory, playbooks/. +

+ +
+roles_t/abbey-core/tasks/main.yml
---
+- name: Include private abbey variables.
+  include_vars: ../private/vars-abbey.yml
+
+
+
+
+
+

4.2. Install Additional Packages

+
+

The scripts that maintain the abbey's web site and run the Weather project use a number of additional software packages. The /WWW/live/Private/make-top-index script uses HTML::TreeBuilder in @@ -1021,7 +1041,7 @@ packages).

-roles_t/abbey-core/tasks/main.yml
---
+roles_t/abbey-core/tasks/main.yml
 - name: Install additional packages.
   apt:
     pkg: [ libhtml-tree-perl, libjs-jquery, mit-scheme, gnuplot ]
@@ -1030,8 +1050,8 @@ packages).
 
-

4.2. Configure Private Email Aliases

-
+

4.3. Configure Private Email Aliases

+

The abbey uses several additional email aliases. These are the campus mailboxes @*.birchwood-abbey.net. The institute already includes @@ -1071,8 +1091,8 @@ e.g. mythtv@mythtv.birchwood-abbey.net, locally.)

-

4.3. Configure Git Daemon on Core

-
+

4.4. Configure Git Daemon on Core

+

These tasks are identical to those executed on Front, for similar Git services on Front and Core. See 3.3 and @@ -1123,8 +1143,8 @@ services on Front and Core. See 3.3 and

-

4.4. Configure Apache on Core

-
+

4.5. Configure Apache on Core

+

The Apache2 configuration on Core specifies three web sites (live, test, and campus). The live and test sites must operate just like the @@ -1257,8 +1277,8 @@ site on Front. Their configurations include the same

-

4.5. Configure Documentation URLs

-
+

4.6. Configure Documentation URLs

+
-
-

4.7. Use Cloister Apt Cache

-
+
+

4.8. Use Cloister Apt Cache

+

Core itself will benefit from using the package cache.

@@ -1333,8 +1353,8 @@ Core itself will benefit from using the package cache.
-

4.8. Configure NAGIOS

-
+

4.9. Configure NAGIOS

+

A small institute uses nagios4 to monitor the health of its network, with an initial smattering of monitors adopted from the Debian @@ -1348,8 +1368,8 @@ customized check_sensors plugin (abbey_pisensors) in

-

4.9. Monitoring The Home Disk

-
+

4.10. Monitoring The Home Disk

+

The abbey adds monitoring of the space remaining on the volume at /home/ on Core. (The small institute only monitors the space @@ -1385,8 +1405,8 @@ remaining on roots.)

-

4.10. Custom NAGIOS Monitor abbey_pisensors

-
+

4.11. Custom NAGIOS Monitor abbey_pisensors

+

The check_sensors plugin is included in the package monitoring-plugins-basic, but it does not report any readings. The @@ -1479,8 +1499,8 @@ recognizable temperature in the sensors output.

-

4.11. Monitoring The Cloister

-
+

4.12. Monitoring The Cloister

+

The abbey adds monitoring for more servers: Kamino, Kessel and Devaron. They are abbey-cloister servers, so they are configured as @@ -1495,9 +1515,31 @@ idiosyncratically in flux. In particular, Kamino does not irritate Kessel is a wireless host while Kamino is wired. Devaron, the Raspberry Pi OS (ARM64) machine, uses the abbey_pisensors monitor.

+
+
+

4.12.1. Cloister Network Addresses

+
+

+The IP addresses of all three hosts are nice to use in the NAGIOS +configuration (to avoid depending on name service) and so are +included in private/vars-abbey.yml. +

+
+private/vars-abbey.yml
devaron_addr:               10.84.138.10
+kamino_addr:                192.168.56.14
+kessel_addr:                10.84.138.8
+
+
+
+
+
+

4.12.2. Installing NAGIOS Configurations

+

-Kamino is currently unmonitored as it is now rarely powered up. +The following task installs each host's NAGIOS configuration. Note +that Kamino is not included. It is currently unmonitored as it is now +rarely powered up.

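Review bot: 4.12.1 reproduces three entries of private/vars-abbey.yml (devaron_addr, kamino_addr, kessel_addr) in the README, while the new 4.1 describes that same file as private and "not to be published in this document"; say explicitly that these addresses are the one exception (or that they are example values), or drop the listing, so a reader does not take the rest of the file's contents to be publishable too. A word on why kamino_addr is on a different network (192.168.56.14, versus 10.84.138.x for Devaron and Kessel) would also help, since 4.12 only notes that Kamino is wired and Kessel wireless.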
@@ -1511,7 +1553,11 @@ Kamino is currently unmonitored as it is now rarely powered up. notify: Reload NAGIOS4.
- + + +
+

4.12.3. NAGIOS Monitoring of Devaron

+
roles_t/abbey-core/templates/nagios-devaron.cfg
define host {
     use                     linux-server
@@ -1562,7 +1608,11 @@ Kamino is currently unmonitored as it is now rarely powered up.
 }
 
- +
+
+
+

4.12.4. NAGIOS Monitoring of Kamino

+
roles_t/abbey-core/templates/nagios-kamino.cfg
define host {
     use                     linux-server
@@ -1613,7 +1663,11 @@ Kamino is currently unmonitored as it is now rarely powered up.
 }
 
- +
+
+
+

4.12.5. NAGIOS Monitoring of Kessel

+
roles_t/abbey-core/templates/nagios-kessel.cfg
define host {
     use                     linux-server
@@ -1666,9 +1720,10 @@ Kamino is currently unmonitored as it is now rarely powered up.
 
+
-

4.12. Install Analog

-
+

4.13. Install Analog

+

The abbey's public web site's access and error logs are emailed regularly to webmaster, who saves them in /Logs/apache2-public/ @@ -1722,8 +1777,8 @@ the campus as http://www/analog.html.

-

4.13. Add Monkey to Web Server Group

-
+

4.14. Add Monkey to Web Server Group

+

Monkey needs to be in www-data so that it can run /WWW/live/Photos/Private/cronjob to publish photos from multiple @@ -1745,8 +1800,8 @@ user cloud accounts, found in files owned by www-data, files like

-

4.14. Install netpbm For Photo Processing

-
+

4.15. Install netpbm For Photo Processing

+

Monkey's photo processing scripts use netpbm commands like jpegtopnm. @@ -1762,8 +1817,8 @@ Monkey's photo processing scripts use netpbm commands like

-

4.15. Configure Weather Updates

-
+

4.16. Configure Weather Updates

+

Monkey on Core runs /WWW/campus/Weather/Private/cronjob every 5 minutes and cronjob-midnight at midnight. @@ -1827,24 +1882,41 @@ on Gate. The adapters were then connected with a cross-over cable.

-The abbey could have avoided buying a separate campus Wi-Fi access +The abbey could have avoided buying a separate cloister Wi-Fi access point, and used Starlink's Wi-Fi instead, with or without its add-on Ethernet interface. Instead, the abbey invested in a 2.4GHz-only Think Penguin access point, and connected it to a third Ethernet -interface on Gate. +interface on Gate. This was preferred for a number of reasons. +

+ +

+The abbey uses ISPs other than Starlink, tethering to a cellphone when +under trees, or even limping along on campground Wi-Fi where the land +of woven trees has cut off even cell service. +

+ +

+The abbey uses long and complex passwords, especially on public +facing services like Wi-Fi. Such a password has been laboriously +entered into several household IoT devices. Connecting them to a +dedicated, ISP-independent cloister Wi-Fi access point ensures a +reliable IoT with zero re-configuration.

-This was preferred for a number of reasons. Using the add-on Ethernet -interface allowed Starlink's Wi-Fi to be disabled, reducing the Wi-Fi -clutter in the campground ether. Starlink is not always available. -(It does not work well under trees.) A dedicated campus Wi-Fi is -always available. The password to the campus Wi-Fi is long and -complex and has been laboriously entered into several household IoT -devices. The Think Penguin access point is transparent, trustworthy -hardware that has earned a Respects Your Freedom certification (see -https://ryf.fsf.org/). And most importantly, a campus Wi-Fi keeps -campus network traffic out of the hands of the abbey's ISPs. +Using Starlink's add-on Ethernet interface allowed its Wi-Fi to be +disabled, reducing the Wi-Fi clutter in the campground ether. +

+ +

+The Think Penguin access point is transparent, trustworthy hardware +that has earned a Respects Your Freedom certification (see +https://ryf.fsf.org/). +

+ +

+And most importantly, a dedicated and trustworthy cloister Wi-Fi keeps +at least our local network traffic out of view of our ISPs.

@@ -1901,9 +1973,9 @@ service, using a 60-isp.yaml file similar to the lines below. Birchwood Abbey's cloister is a small institute campus. The campus role configures all campus machines to trust the institute's CA, sync with the campus time server, and forward email to Core. The -cloister role additionally configures cloistered machines to use the -cloister Apt cache, respond to Core's NAGIOS network monitor, and to -install Emacs. There are also a few OS specific tasks, namely +abbey-cloister role additionally configures cloistered machines to +use the cloister Apt cache, respond to Core's NAGIOS network monitor, +and to install Emacs. There are also a few OS specific tasks, namely configuration required on Raspberry Pi OS machines.

@@ -1915,8 +1987,8 @@ clients: Android, Debian and Campus. The last type never roams, and is not associated with a member of the small institute.

-
-

6.1. Use Cloister Apt Cache

+
+

6.1. Use Cloister Apt Cache

The Apt-Cacher:TNG program does not work well on the frontier, so is @@ -1986,8 +2058,8 @@ Raspberry Pis (architecture aarch64) only.

-
-

6.3. Install Emacs

+
+

6.3. Install Emacs

The monks of the abbey are masters of the staff and Emacs. @@ -2054,7 +2126,7 @@ Listing them (e.g. running owdir /26.nnnnnnnn or owdir below. A test session is shown below.

-
+
 monkey@new$ owdir
 ...
     /26.2153B6000000/
@@ -2490,15 +2562,13 @@ described in the final section, Configure Cameras, bel
 

-
-

8.4. Include Abbey Variables

+
+

8.4. Include Abbey Variables

-In this abbey specific document, most abbey particulars are not -replaced with variables, but specified in-line. Some, however, are -not published (e.g. database passwords). The variables that replace -them are included from private/vars-abbey.yml. Example values are -given in this document. +Private variables in private/vars-abbey.yml are needed, and included +here, as in the abbey-core role. The file path is relative to the +playbook's directory, playbooks/.

@@ -2507,11 +2577,6 @@ given in this document. include_vars: ../private/vars-abbey.yml
- -

-The relative filename should be found only in the playbook's -directory, playbooks/. -

@@ -2924,15 +2989,13 @@ machine simply by adding it to the tvrs group.

-
-

9.3. Include Abbey Variables

+
+

9.3. Include Abbey Variables

-In this abbey specific document, most abbey particulars are not -replaced with variables, but specified in-line. Some, however, are -not published (e.g. database passwords). The variables that replace -them are included from private/vars-abbey.yml. Example values are -given in this document. +Private variables in private/vars-abbey.yml are needed, as in the +abbey-core role. The file path is relative to the playbook's +directory, playbooks/.

@@ -2941,11 +3004,6 @@ given in this document. include_vars: ../private/vars-abbey.yml
- -

-The relative filename should be found only in the playbook's -directory, playbooks/. -

@@ -3477,7 +3535,7 @@ the list of "inputs" available in a postal code typically ends with the OTA (over the air) broadcasts.

-
+
 $ tv_grab_zz_sdjson --configure --config-file .mythtv/Mr.Antenna.xmltv
 Cache file for lineups, schedules and programs.
 Cache file: [/home/mythtv/.xmltv/tv_grab_zz_sdjson.cache]
@@ -3938,7 +3996,7 @@ institutional roles, then the liturgical roles.
   hosts: gate
   roles: [ gate ]
 
-- name: Configure Campus
+- name: Configure Cloister
   hosts: campus
   roles: [ campus, abbey-cloister ]
 
@@ -4302,7 +4360,8 @@ given a private domain name as described in the following steps.
 
 

Wireless IoT devices are manually configured with the cloister Wi-Fi -password and may be given a private domain name as described here. +password and may be given a private domain name as described in the +last step:

    @@ -4314,15 +4373,13 @@ password and may be given a private domain name as described here.

    12.2. Raspberry Pis

    -The abbey's Raspberry Pis run Raspberry Pi OS, either the desktop -(PIXEL) or the Lite version (for headless servers). The following was -the installation process with a wireless desktop Raspberry Pi OS -Bookworm (12) machine. +The abbey's Raspberry Pi runs the Raspberry Pi OS desktop off an +external, USB3.0 SSD. A fresh install should go something like this:

      -
    • Write the disk image, 2023-10-10-raspios-bookworm-arm64.img.xz, to -a fast (U3 and/or A1) µSD card and insert it in the Pi.
    • +
    • Write the disk image, 2023-12-05-raspios-bookworm-arm64.img.xz, to +the SSD and plug it into the Pi. Leave the µSD card socket empty.
    • Attach an HDMI monitor, a USB keyboard/mouse, and the cloister Ethernet, and power up.
    • Answer first-boot installation questions: @@ -4431,8 +4488,8 @@ new device's MAC.

      With the new device's Ethernet MAC in hand, a stanza like the following is added to the bottom of private/core-dhcpd.conf. The IP -address must be unique. Typically the next host number after the -last entry is chosen. +address must be unique. Typically the next host number after the last +entry is chosen.

      @@ -4442,7 +4499,7 @@ last entry is chosen.

      -The DHCP service is then restarted. +The DHCP service is then restarted (not reloaded).

      @@ -4526,7 +4583,7 @@ Create /etc/apt/apt.conf.d/01proxy.
       D=apt-cacher.small.private.
       echo "Acquire::http::Proxy \"http://$D:3142\";" \
      -> | sudo tee /etc/apt/apt.conf.d/01proxy
      +| sudo tee /etc/apt/apt.conf.d/01proxy
       
    • Update the system and reboot. @@ -4680,11 +4737,12 @@ desktop connected to the Wi-Fi using the following ping command.

      12.10. Connect to Cloister VPN

      -Wireless devices connected to the cloister Wi-Fi will get an IP -address on the access point's local network and a default route to the -Internet, per the default configuration of a commodity cable modem -with Wi-Fi access point included. Access to further abbey resources, -however, is possible only via the cloister VPN. +Wireless devices (with the cloister Wi-Fi password) can get an IP +address and a default route to the Internet with no special +configuration. Neither said devices nor the access point require +special configuration. Any Wi-Fi access point, e.g. as found in a +cable modem, will work with zero configuration. The abbey's networks, +however, are not accessible except via the cloister VPN.

      @@ -4705,29 +4763,30 @@ cloister VPN via the following process.

      • Create a new client certificate and OpenVPN configuration for the -new campus server.
      • -
      • Copy the campus.ovpn file to /etc/openvpn/cloister.conf.
      • -
      • In a secure shell session on the new machine as sysadm:
      • -
      • Install the openvpn and openvpn-systemd-resolved software -packages.
      • -
      • Start the SystemD service unit.
      • -
      • Test the connection (and name resolution).
      • -
      • Enable the SystemD service unit.
      • -
      • Clean up secrets on the new machine.
      • -
      • Clean up secrets on the administrator's machine.
      • +new abbey server. +
      • Copy the campus.ovpn file to the new machine.
      • +
      • On the new machine:
      • +
      • Install the openvpn-systemd-resolved package.
      • +
      • Copy campus.ovpn to /etc/openvpn/cloister.conf.
      • +
      • Start the OpenVPN service.
      • +
      • Check that the cloister VPN was connected.
      • +
      • Logout and unplug the cloister Ethernet.
      • +
      • Test the cloister VPN connection (and private name resolution) +with ping -c1 core.

      -And these are the commands. +And these are the commands:

      ./abbey client campus new
       scp campus.ovpn sysadm@new-w:
       ssh sysadm@new-w
      -sudo apt install openvpn openvpn-systemd-resolved
      -( cd; umask 077; sudo cp campus.ovpn /etc/openvpn/cloister.conf )
      +sudo apt install openvpn-systemd-resolved
      +sudo cp campus.ovpn /etc/openvpn/cloister.conf
       sudo systemctl start openvpn@cloister
      +systemctl status openvpn@cloister
       ping -c1 core
       sudo systemctl enable openvpn@cloister
       rm campus.ovpn
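Review bot: replacing `( cd; umask 077; sudo cp campus.ovpn /etc/openvpn/cloister.conf )` with a plain `sudo cp campus.ovpn /etc/openvpn/cloister.conf` drops the umask that kept cloister.conf (the file the old steps called a secret, carrying the new client's certificate and configuration) readable only by root; `cp` gives the new file the source's mode minus the default umask, so a 0644 campus.ovpn lands in /etc/openvpn/ readable by every local account. `sudo install -m 0600 campus.ovpn /etc/openvpn/cloister.conf` would do what the old line did, in both the step list and the command listing. The step list and the commands also disagree on order: the list puts the `ping -c1 core` test after "Logout and unplug the cloister Ethernet", while the commands run `ping -c1 core` before `sudo systemctl enable openvpn@cloister` in the same session.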
      @@ -4735,67 +4794,149 @@ rm campus.ovpn
       rm campus.ovpn
       
      + +

      +It may be necessary to reboot before the final tests. +

    12.10.2. Debian Desktops

    -Wireless Debian desktop machines (both PCs and Pis, running -NetworkManager) and are connected to the cloister VPN via the -following process. Note that they do not appear in the set of -campus hosts and are not configured by Ansible. They do not appear -in Ansible's host inventory at all unless the desktop owner is willing -to provide the password to a privileged account on their machine. +Wireless Debian desktops (with NetworkManager) include our 8GB Core i3 +NUC (Intel®'s Next Unit of Computing) and our 8GB Raspberry Pi 4. +They run the Pop!OS and Raspberry Pi OS desktops respectively. They +are connected to the cloister VPN via the following process.

      -
    • Create a new client certificate and campus/public OpenVPN -configurations for the new abbey desktop.
    • -
    • Copy the campus.ovpn and public.ovpn files to the new desktop.
    • -
    • Install the openvpn, openvpn-systemd-resolved and -network-manager-openvpn-gnome packages on the new desktop.
    • +
    • Create a new client certificate and OpenVPN configuration for the +new abbey desktop, a campus.ovpn file.
    • +
    • +Create a wifi file that looks like this (assuming the wireless +network device is named wlan0). +

      + +
      +auto wlan0
      +iface wlan0 inet dhcp
      +    wpa-ssid "Birchwood Abbey"
      +    wpa-psk "PASSWORD"
      +
    • + +
    • Copy the wifi and campus.ovpn files to the new machine.
    • +
    • On the new machine:
    • +
    • Install the openvpn-systemd-resolved package.
    • +
    • Copy wifi to /etc/network/interfaces.d/.
    • +
    • Bring up the Wi-Fi interface.
    • +
    • Copy campus.ovpn to /etc/openvpn/cloister.conf.
    • +
    • Start the OpenVPN service.
    • +
    • Check that the cloister VPN was connected.
    • +
    • Logout and unplug the cloister Ethernet.
    • +
    • Test the cloister VPN connection (and private name resolution) +with ping -c1 core.
    • +
    + +

    +And these are the commands: +

    + +
    +
    ./abbey client campus new
    +scp wifi campus.ovpn sysadm@new-w:
    +ssh sysadm@new-w
    +sudo apt install openvpn-systemd-resolved
    +sudo cp wifi /etc/network/interfaces.d/
    +sudo ifup wlan0
    +sudo cp campus.ovpn /etc/openvpn/cloister.conf
    +sudo systemctl start openvpn@cloister
    +systemctl status openvpn@cloister
    +ping -c1 core
    +sudo systemctl enable openvpn@cloister
    +rm wifi campus.ovpn
    +logout
    +rm wifi campus.ovpn
    +
    +
    + +

    +It may be necessary to reboot before the final tests. +

    + +

    +As configured above, the wireless Debian desktops make automatic, +persistent connections to the cloister Wi-Fi and VPN, and so can be +used much like a wired desktop machine. They are typically connected +to a large TV and auto-login to an unprivileged account named house, +i.e. anyone in the house. +

    +
    +
    +
    +

    12.10.3. Private Desktops

    +
    +

    +Member notebooks are private machines not remotely administered by the +abbey. These machines roam, and so are authorized to connect to the +cloister VPN or the public VPN. This is how they are connected to the +VPNs: +

    + +
      +
    • Create a new client certificate and OpenVPN configurations for the +new abbey desktop, campus.ovpn and public.ovnp files.
    • +
    • Copy the campus.ovpn and public.ovpn files to the new machine.
    • +
    • On the new machine:
    • +
    • Install the openvpn-systemd-resolved and +network-manager-openvpn-gnome packages.
    • Open the desktop Settings > Network > VPN + > Import from file… and choose ~/campus.ovpn.
    • Open the Routes dialogues for both IPv4 and IPv6 and choose "Use this connection only for resources on its network.".
    • Save the new VPN.
    • Do the same with the ~/public.ovpn file.
    • -
    • Connected the cloister VPN and test it with ping -c1 core.
    • -
    • Expunge the ~/campus.ovpn and ~/public.ovpn just as the system -administrator will have already done.
    • +
    • Connect the appropriate VPN and test it (and private name +resolution) with ping -c1 core.
    • +
    • Expunge (delete and empty the trash) the ~/campus.ovpn and +~/public.ovpn files.

    -And these are the commands, assuming there is a privileged sysadm -account available on the new desktop machine. +We assume the desktop is running NetworkManager, which is the case in +all our Debian desktops from Pop!OS and Ubuntu to Mint and Raspberry +Pi OS.

    -
    -
    ./abbey client debian dicks-notebook dick
    -scp campus.ovpn public.ovpn sysadm@dicks-notebook.lan:
    -rm campus.ovpn public.ovpn
    -ssh sysadm@dicks-notebook.lan
    -sudo apt install openvpn openvpn-systemd-resolved \
    -                 network-manager-openvpn-gnome
    -ping -c1 core.small.private.
    -
    -
    +

    +Note that a new member's notebook does not need to be patched to the +cloister Ethernet nor connected to the cloister Wi-Fi. It can be +authorized "remotely" simply by copying the .ovpn files securely, +e.g. using ssh to any "known host" on the Internet. +

    -Note that Dick's notebook does not need to connect to the cloister -Ethernet. It is authorized simply by copying the .ovpn files -securely (e.g. using ssh) to a local domain name provided by the -Wi-Fi AP (dicks-notebook.lan). If the AP does not provide a local -domain name, the machine's Wi-Fi IP address, -e.g. sysadm@192.168.10.225, can be used instead. (This IP address -is often revealed in the desktop network settings.) +The members of A Small Institute are peers, and enjoy complete, +individual privacy. The administrator does not expect to have "root +access" to members' machines, their desktops, personal diaries and +photos. The monks of the abbey are brothers, and tolerate a little +less than complete individual privacy (still expecting all necessary +and appropriate privacy, being in a position to punish deviants). +

    + +

    +Our private notebooks are included in the Ansible inventory, mainly so +they can be included in the weekly (or more frequent!) network +upgrades. The campus and abbey-cloister roles are not applied +though their Postfix and other configurations are recommended. Remote +access by the administrator is authorized and the privileged account's +password is included in Secret/become.yml.

    -

    12.10.3. Android

    -
    +

    12.10.4. Android

    +

    Android phones and tablets are connected to the cloister VPN via the following process. Note that they do not appear in the set of @@ -4893,7 +5034,7 @@ to private/db.campus_vpn.)

    Author: Matt Birkholz

    -

    Created: 2024-01-01 Mon 10:48

    +

    Created: 2024-02-26 Mon 20:06

    Validate

    -- 2.25.1
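Review bot: in the hunk @@ -1008,10 +1008,30 @@ (new 4.1 Include Abbey Variables), the text says vars-abbey.yml holds private values such as database passwords but never says how that file is kept out of the published tree; one sentence naming the mechanism (an ignore rule for private/, or ansible-vault encryption, whichever the abbey actually uses) would let a reader reproduce the layout without publishing the passwords. The same sentence could be referenced from the parallel 8.4 and 9.3 hunks instead of repeating the path remark in each.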
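Review bot: in the hunk @@ -4735,67 +4794,149 @@ (12.10.2 Debian Desktops), the wifi file holds the cloister PSK in clear (`wpa-psk "PASSWORD"`) and is installed with `sudo cp wifi /etc/network/interfaces.d/`, which keeps the file's original mode; a file scp'd from the administrator's home is commonly 0644, which would leave the PSK readable by the unprivileged house account that the same section says auto-logs-in. `sudo install -m 0600 wifi /etc/network/interfaces.d/wifi` avoids that (ifupdown reads the file as root), and the same applies to the `sudo cp campus.ovpn /etc/openvpn/cloister.conf` line, where the earlier version of this document used `umask 077`. Two documentation points: the section says these desktops run NetworkManager, yet wlan0 is configured through ifupdown, which Debian's and Ubuntu's NetworkManager leave unmanaged by default ([ifupdown] managed=false), so the interface will not appear in the desktop's network control and a sentence saying so would prevent confusion; and the first step of 12.10.3 has a typo, `public.ovnp` for `public.ovpn`.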