From 49a63b8f9fcb7af5a3f8060343eaffb4debc702d Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Tue, 2 Jan 2024 13:38:41 -0700 Subject: [PATCH] Renumber (already sorted) footnotes. Update README.html. --- README.html | 135 ++++++++++++++++++++++++++-------------------------- README.org | 23 ++++----- 2 files changed, 80 insertions(+), 78 deletions(-) diff --git a/README.html b/README.html index ccb6f52..98664c6 100644 --- a/README.html +++ b/README.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + A Small Institute @@ -48,7 +48,7 @@ connects to Front making the institute email, cloud, etc. available to members off campus.

-
+
                 =                                                   
               _|||_                                                 
         =-The-Institute-=                                           
@@ -1030,7 +1030,7 @@ example result follows the code.
 

 
 
-

+

 

 => 10.62.17.0/24
 

@@ -1445,7 +1445,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a
 campground Wi-Fi access point, etc.
 
 
-
+
 =============== | ==================================================
                 |                                           Premises
           (Campus ISP)                                              
@@ -1468,7 +1468,7 @@ This avoids the need for a second Wi-Fi access point and leads to the
 following topology.
 

 
-
+
 =============== | ==================================================
                 |                                           Premises
            (House ISP)                                              
@@ -1640,8 +1640,8 @@ uses the institute's CA and server certificates, and expects client
 certificates signed by the institute CA.
 

 

-

-
6.1. Include Particulars

+

+
6.1. Include Particulars

 

 

 The front role's tasks contain references to several common
@@ -1673,8 +1673,8 @@ The code block below is the first to tangle into
 

 

 

-

-
6.2. Configure Hostname

+

+
6.2. Configure Hostname

 

 

 This task ensures that Front's /etc/hostname and /etc/mailname are
@@ -1798,8 +1798,8 @@ separate code block named enable-resolved.
 

 

-
-

-
6.6. Configure Monkey

+

+
6.6. Configure Monkey

 

 

 The small institute runs cron jobs and web scripts that generate
@@ -1915,8 +1915,8 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.
 

 

 

-

-
6.8. Install Unattended Upgrades

+

+
6.8. Install Unattended Upgrades

 

 

 The institute prefers to install security updates as soon as possible.
@@ -1931,8 +1931,8 @@ The institute prefers to install security updates as soon as possible.
 

 

 

-
-

-
6.10. Trust Institute Certificate Authority

+

+
6.10. Trust Institute Certificate Authority

 

 

 Front should recognize the institute's Certificate Authority as
@@ -2008,8 +2008,8 @@ X.509 certificates is available in Keys.
 

 

 

-

-
6.11. Install Server Certificate

+

+
6.11. Install Server Certificate

 

 

 The servers on Front use the same certificate (and key) to
@@ -2273,8 +2273,8 @@ created by a more specialized role.
 

 

 

-

-
6.14. Configure Dovecot IMAPd

+

+
6.14. Configure Dovecot IMAPd

 

 

 Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to
@@ -2738,8 +2738,8 @@ the users' ~/Public/HTML/ directories.
 

 

 

-

-
6.16. Configure OpenVPN

+

+
6.16. Configure OpenVPN

 

 

 Front uses OpenVPN to provide the institute's public VPN service.  The
@@ -3063,8 +3063,8 @@ Debian install and remote access to a privileged, administrator's
 account.  (For details, see The Core Machine.)
 

 

-

-
7.1. Include Particulars

+

+
7.1. Include Particulars

 

 

 The first task, as in The Front Role, is to include the institute
@@ -3086,8 +3086,8 @@ particulars and membership roll.
 

 

 

-

-
7.2. Configure Hostname

+

+
7.2. Configure Hostname

 

 

 This task ensures that Core's /etc/hostname and /etc/mailname are
@@ -3120,8 +3120,8 @@ proper email delivery.
 

 

 

-

-
7.3. Enable Systemd Resolved

+

+
7.3. Enable Systemd Resolved

 

 

 Core starts the systemd-networkd and systemd-resolved service
@@ -3165,8 +3165,8 @@ units on boot.  See Enable Systemd Resolved.
 

 

 

-

-
7.4. Configure Systemd Resolved

+

+
7.4. Configure Systemd Resolved

 

 

 Core runs the campus name server, so Resolved is configured to use it
@@ -3633,8 +3633,8 @@ craps up /var/log/ and the Systemd journal.
 

 

 

-

-
7.8. Add Administrator to System Groups

+

+
7.8. Add Administrator to System Groups

 

 

 The administrator often needs to read (directories of) log files owned
@@ -3654,8 +3654,8 @@ these groups speeds up debugging.
 

 

 

-

-
7.9. Configure Monkey

+

+
7.9. Configure Monkey

 

 

 The small institute runs cron jobs and web scripts that generate
@@ -3755,8 +3755,8 @@ with Nextcloud on the command line.
 

 

 

-

-
7.12. Configure User Accounts

+

+
7.12. Configure User Accounts

 

 

 User accounts are created immediately so that backups can begin
@@ -3798,8 +3798,8 @@ describes the members and usernames variables.
 

 

 

-

-
7.13. Trust Institute Certificate Authority

+

+
7.13. Trust Institute Certificate Authority

 

 

 Core should recognize the institute's Certificate Authority as
@@ -3831,8 +3831,8 @@ X.509 certificates is available in Keys.
 

 

 

-

-
7.14. Install Server Certificate

+

+
7.14. Install Server Certificate

 

 

 The servers on Core use the same certificate (and key) to authenticate
@@ -4085,8 +4085,8 @@ installed by more specialized roles.
 

 

 

-

-
7.18. Configure Dovecot IMAPd

+

+
7.18. Configure Dovecot IMAPd

 

 

 Core uses Dovecot's IMAPd to store and serve member emails.  As on
@@ -5970,8 +5970,8 @@ applied first, by which Gate gets a campus machine's DNS and Postfix
 configurations, etc.
 

 

-

-
8.1. Include Particulars

+

+
8.1. Include Particulars

 

 

 The following should be familiar boilerplate by now.
@@ -6345,8 +6345,8 @@ the daemon listens only on the Gate-WiFi network interface.
 

 

 

-

-
8.6. Install Server Certificate

+

+
8.6. Install Server Certificate

 

 

 The (OpenVPN) server on Gate uses an institute certificate (and key)
@@ -6373,8 +6373,8 @@ and Front) do.
 

 

 

-

-
8.7. Configure OpenVPN

+

+
8.7. Configure OpenVPN

 

 

 Gate uses OpenVPN to provide the institute's campus VPN service.  Its
@@ -6537,8 +6537,8 @@ Wireless campus devices can get a key to the campus VPN from the
 configured manually.
 

 

-

-
9.1. Include Particulars

+

+
9.1. Include Particulars

 

 

 The following should be familiar boilerplate by now.
@@ -6554,8 +6554,8 @@ The following should be familiar boilerplate by now.
 

 

 

-

-
9.2. Configure Hostname

+

+
9.2. Configure Hostname

 

 

 Clients should be using the expected host name.
@@ -6582,8 +6582,8 @@ Clients should be using the expected host name.
 

 

 

-

-
9.3. Enable Systemd Resolved

+

+
9.3. Enable Systemd Resolved

 

 

 Campus machines start the systemd-networkd and systemd-resolved
@@ -6627,8 +6627,8 @@ service units on boot.  See Enable Systemd Resolved.
 

 

 

-

-
9.4. Configure Systemd Resolved

+

+
9.4. Configure Systemd Resolved

 

 

 Campus machines use the campus name server on Core (or dns.google),
@@ -6699,8 +6699,8 @@ and file timestamps.
 

 

 

-

-
9.6. Add Administrator to System Groups

+

+
9.6. Add Administrator to System Groups

 

 

 The administrator often needs to read (directories of) log files owned
@@ -6720,8 +6720,8 @@ these groups speeds up debugging.
 

 

 

-

-
9.7. Trust Institute Certificate Authority

+

+
9.7. Trust Institute Certificate Authority

 

 

 Campus hosts should recognize the institute's Certificate Authority as
@@ -6753,8 +6753,8 @@ keys, certificates and passwords, see Keys.)
 

 

 

-

-
9.8. Install Unattended Upgrades

+

+
9.8. Install Unattended Upgrades

 

 

 The institute prefers to install security updates as soon as possible.
@@ -9660,7 +9660,8 @@ ansible-playbook -l gate -t base-install site.yml
 
 
1 

 The recommended private top-level domains are listed in
-"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast DNS). link
+"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast
+DNS). https://www.rfc-editor.org/rfc/rfc6762#appendix-G
 

 
 
2 

@@ -9693,7 +9694,7 @@ routes on Front and Gate, making the simulation less… similar.
 

 

 
Author: Matt Birkholz

-
Created: 2024-01-01 Mon 10:48

+
Created: 2024-01-02 Tue 13:37

 
Validate

 

 
diff --git a/README.org b/README.org
index 256dee2..3e01f0d 100644
--- a/README.org
+++ b/README.org
@@ -745,7 +745,7 @@ institute.
 
 The institute's private domain name should end with one of the
 top-level domains set aside for this purpose: ~.intranet~,
-~.internal~, ~.private~, ~.corp~, ~.home~ or ~.lan~.[fn:5]  It is
+~.internal~, ~.private~, ~.corp~, ~.home~ or ~.lan~.[fn:1]  It is
 hoped that doing so will increase that chances that some abomination
 like DNS-over-HTTPS will pass us by.
 
@@ -1327,7 +1327,7 @@ to enable "persistent logging", yet).  In Debian 12 there is a
 ~systemd~ package).
 
 These tasks are included in all of the roles, and so are given in a
-separate code block named ~enable-resolved~.[fn:1]
+separate code block named ~enable-resolved~.[fn:2]
 
 #+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]]
 #+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml :noweb yes
@@ -1842,7 +1842,7 @@ from Qualys SSL Labs ([[https://www.ssllabs.com/]]).
 The ~apache-ciphers~ block below is included last in the Apache2
 configuration, so that its ~SSLCipherSuite~ directive can override
 (narrow) any list of ciphers set earlier (e.g. by Let's
-Encrypt![fn:2]).  The protocols and cipher suites specified here were
+Encrypt![fn:3]).  The protocols and cipher suites specified here were
 taken from [[https://www.ssllabs.com/projects/best-practices]] in 2022.
 
 #+NAME: apache-ciphers
@@ -5976,7 +5976,7 @@ records.  The mapping is stored among other things in
 
 A new member's record in the ~members~ mapping will have the ~status~
 key value ~current~.  That key gets value ~former~ when the member
-leaves.[fn:3]  Access by former members is revoked by invalidating the
+leaves.[fn:4]  Access by former members is revoked by invalidating the
 Unix account passwords, removing any authorized SSH keys from Front
 and Core, and disabling their VPN certificates.
 
@@ -6781,7 +6781,7 @@ The networks used in the test:
   ~front~ is not accessible to the administrator's notebook (the
   host).  To work around this restriction, ~front~ gets a second
   network interface connected to the ~vboxnet1~ network and used only
-  for ssh access from the host.[fn:4]
+  for ssh access from the host.[fn:5]
 
 As in [[*The Hardware][The Hardware]], all machines start with their primary Ethernet
 adapters attached to the NAT Network ~premises~ so that they can
@@ -7652,22 +7652,23 @@ innocuous, disabled) default state.
 
 * Footnotes
 
-[fn:5] The recommended private top-level domains are listed in
-"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast DNS). [[https://www.rfc-editor.org/rfc/rfc6762#appendix-G][link]]
+[fn:1] The recommended private top-level domains are listed in
+"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast
+DNS). [[https://www.rfc-editor.org/rfc/rfc6762#appendix-G]]
 
-[fn:1] Why not create a role named ~all~ and put these tasks that are
+[fn:2] Why not create a role named ~all~ and put these tasks that are
 the same on all machines in that role?  If there were more than a
 stable handful, and no tangling mechanism to do the duplication, a
 catch-all role would be a higher priority.
 
-[fn:2] The cipher set specified by Let's Encrypt is large enough to
+[fn:3] The cipher set specified by Let's Encrypt is large enough to
 turn orange many parts of an SSL Report from Qualys SSL Labs.
 
-[fn:3] Presumably, eventually, a former member's home directories are
+[fn:4] Presumably, eventually, a former member's home directories are
 archived to external storage, their other files are given new
 ownerships, and their Unix accounts are deleted.  This has never been
 done, and is left as a manual exercise.
 
-[fn:4] Front is accessible via Gate but routing from the host address
+[fn:5] Front is accessible via Gate but routing from the host address
 on ~vboxnet0~ through Gate requires extensive interference with the
 routes on Front and Gate, making the simulation less... similar.
-- 
2.25.1