From 49a63b8f9fcb7af5a3f8060343eaffb4debc702d Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Tue, 2 Jan 2024 13:38:41 -0700 Subject: [PATCH] Renumber (already sorted) footnotes. Update README.html. --- README.html | 135 ++++++++++++++++++++++++++-------------------------- README.org | 23 ++++----- 2 files changed, 80 insertions(+), 78 deletions(-) diff --git a/README.html b/README.html index ccb6f52..98664c6 100644 --- a/README.html +++ b/README.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + A Small Institute @@ -48,7 +48,7 @@ connects to Front making the institute email, cloud, etc. available to members off campus.

-
+
                 =                                                   
               _|||_                                                 
         =-The-Institute-=                                           
@@ -1030,7 +1030,7 @@ example result follows the code.
 
-
+

=> 10.62.17.0/24

@@ -1445,7 +1445,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a campground Wi-Fi access point, etc. -
+
 =============== | ==================================================
                 |                                           Premises
           (Campus ISP)                                              
@@ -1468,7 +1468,7 @@ This avoids the need for a second Wi-Fi access point and leads to the
 following topology.
 

-
+
 =============== | ==================================================
                 |                                           Premises
            (House ISP)                                              
@@ -1640,8 +1640,8 @@ uses the institute's CA and server certificates, and expects client
 certificates signed by the institute CA.
 

-
-

6.1. Include Particulars

+
+

6.1. Include Particulars

The front role's tasks contain references to several common @@ -1673,8 +1673,8 @@ The code block below is the first to tangle into

-
-

6.2. Configure Hostname

+
+

6.2. Configure Hostname

This task ensures that Front's /etc/hostname and /etc/mailname are @@ -1798,8 +1798,8 @@ separate code block named enable-resolved.

- -
-

6.6. Configure Monkey

+
+

6.6. Configure Monkey

The small institute runs cron jobs and web scripts that generate @@ -1915,8 +1915,8 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.

-
-

6.8. Install Unattended Upgrades

+
+

6.8. Install Unattended Upgrades

The institute prefers to install security updates as soon as possible. @@ -1931,8 +1931,8 @@ The institute prefers to install security updates as soon as possible.

-
-
-

6.10. Trust Institute Certificate Authority

+
+

6.10. Trust Institute Certificate Authority

Front should recognize the institute's Certificate Authority as @@ -2008,8 +2008,8 @@ X.509 certificates is available in Keys.

-
-

6.11. Install Server Certificate

+
+

6.11. Install Server Certificate

The servers on Front use the same certificate (and key) to @@ -2273,8 +2273,8 @@ created by a more specialized role.

-
-

6.14. Configure Dovecot IMAPd

+
+

6.14. Configure Dovecot IMAPd

Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to @@ -2738,8 +2738,8 @@ the users' ~/Public/HTML/ directories.

-
-

6.16. Configure OpenVPN

+
+

6.16. Configure OpenVPN

Front uses OpenVPN to provide the institute's public VPN service. The @@ -3063,8 +3063,8 @@ Debian install and remote access to a privileged, administrator's account. (For details, see The Core Machine.)

-
-

7.1. Include Particulars

+
+

7.1. Include Particulars

The first task, as in The Front Role, is to include the institute @@ -3086,8 +3086,8 @@ particulars and membership roll.

-
-

7.2. Configure Hostname

+
+

7.2. Configure Hostname

This task ensures that Core's /etc/hostname and /etc/mailname are @@ -3120,8 +3120,8 @@ proper email delivery.

-
-

7.3. Enable Systemd Resolved

+
+

7.3. Enable Systemd Resolved

Core starts the systemd-networkd and systemd-resolved service @@ -3165,8 +3165,8 @@ units on boot. See Enable Systemd Resolved.

-
-

7.4. Configure Systemd Resolved

+
+

7.4. Configure Systemd Resolved

Core runs the campus name server, so Resolved is configured to use it @@ -3633,8 +3633,8 @@ craps up /var/log/ and the Systemd journal.

-
-

7.8. Add Administrator to System Groups

+
+

7.8. Add Administrator to System Groups

The administrator often needs to read (directories of) log files owned @@ -3654,8 +3654,8 @@ these groups speeds up debugging.

-
-

7.9. Configure Monkey

+
+

7.9. Configure Monkey

The small institute runs cron jobs and web scripts that generate @@ -3755,8 +3755,8 @@ with Nextcloud on the command line.

-
-

7.12. Configure User Accounts

+
+

7.12. Configure User Accounts

User accounts are created immediately so that backups can begin @@ -3798,8 +3798,8 @@ describes the members and usernames variables.

-
-

7.13. Trust Institute Certificate Authority

+
+

7.13. Trust Institute Certificate Authority

Core should recognize the institute's Certificate Authority as @@ -3831,8 +3831,8 @@ X.509 certificates is available in Keys.

-
-

7.14. Install Server Certificate

+
+

7.14. Install Server Certificate

The servers on Core use the same certificate (and key) to authenticate @@ -4085,8 +4085,8 @@ installed by more specialized roles.

-
-

7.18. Configure Dovecot IMAPd

+
+

7.18. Configure Dovecot IMAPd

Core uses Dovecot's IMAPd to store and serve member emails. As on @@ -5970,8 +5970,8 @@ applied first, by which Gate gets a campus machine's DNS and Postfix configurations, etc.

-
-

8.1. Include Particulars

+
+

8.1. Include Particulars

The following should be familiar boilerplate by now. @@ -6345,8 +6345,8 @@ the daemon listens only on the Gate-WiFi network interface.

-
-

8.6. Install Server Certificate

+
+

8.6. Install Server Certificate

The (OpenVPN) server on Gate uses an institute certificate (and key) @@ -6373,8 +6373,8 @@ and Front) do.

-
-

8.7. Configure OpenVPN

+
+

8.7. Configure OpenVPN

Gate uses OpenVPN to provide the institute's campus VPN service. Its @@ -6537,8 +6537,8 @@ Wireless campus devices can get a key to the campus VPN from the configured manually.

-
-

9.1. Include Particulars

+
+

9.1. Include Particulars

The following should be familiar boilerplate by now. @@ -6554,8 +6554,8 @@ The following should be familiar boilerplate by now.

-
-

9.2. Configure Hostname

+
+

9.2. Configure Hostname

Clients should be using the expected host name. @@ -6582,8 +6582,8 @@ Clients should be using the expected host name.

-
-

9.3. Enable Systemd Resolved

+
+

9.3. Enable Systemd Resolved

Campus machines start the systemd-networkd and systemd-resolved @@ -6627,8 +6627,8 @@ service units on boot. See Enable Systemd Resolved.

-
-

9.4. Configure Systemd Resolved

+
+

9.4. Configure Systemd Resolved

Campus machines use the campus name server on Core (or dns.google), @@ -6699,8 +6699,8 @@ and file timestamps.

-
-

9.6. Add Administrator to System Groups

+
+

9.6. Add Administrator to System Groups

The administrator often needs to read (directories of) log files owned @@ -6720,8 +6720,8 @@ these groups speeds up debugging.

-
-

9.7. Trust Institute Certificate Authority

+
+

9.7. Trust Institute Certificate Authority

Campus hosts should recognize the institute's Certificate Authority as @@ -6753,8 +6753,8 @@ keys, certificates and passwords, see Keys.)

-
-

9.8. Install Unattended Upgrades

+
+

9.8. Install Unattended Upgrades

The institute prefers to install security updates as soon as possible. @@ -9660,7 +9660,8 @@ ansible-playbook -l gate -t base-install site.yml

1

The recommended private top-level domains are listed in -"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast DNS). link +"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast +DNS). https://www.rfc-editor.org/rfc/rfc6762#appendix-G

2

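Review bot: The rendered footnote numbers do not change in this @@ -9660 hunk (the `1` before it and the `2` after it are unchanged context), because the HTML exporter numbers footnotes by order of appearance; the README.org relabelling is therefore invisible in the output, and the only rendered change here is that the footnote's anchor text `link` becomes the bare URL `https://www.rfc-editor.org/rfc/rfc6762#appendix-G`, with the sentence re-wrapped after `Multicast`. That is a content change not covered by the subject line's "Renumber (already sorted) footnotes"; it deserves a word in the commit message, even though a bare URL is the better choice for a footnote that may be printed.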
@@ -9693,7 +9694,7 @@ routes on Front and Gate, making the simulation less… similar.

Author: Matt Birkholz

-

Created: 2024-01-01 Mon 10:48

+

Created: 2024-01-02 Tue 13:37

Validate

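Review bot: Apart from the @@ -9660 footnote hunk, every README.html hunk from @@ -48 through @@ -6753 deletes and re-adds lines whose visible text is identical on both sides (for example `6.1. Include Particulars`, `7.13. Trust Institute Certificate Authority` and the ASCII topology diagrams), and @@ -9693 only moves the `Created:` stamp from `2024-01-01 Mon 10:48` to `2024-01-02 Tue 13:37`. The element markup that actually differs in those pairs did not survive extraction here, so the lines cannot be checked from this view, but the pattern is what the org HTML exporter produces when it regenerates element ids on every export, and it accounts for most of the 135 changed lines in README.html for what is a footnote relabelling. Consider regenerating README.html in its own commit, or giving the exported sections stable CUSTOM_ID properties (with `org-html-prefer-user-labels` set) so that the HTML diff tracks only real content changes.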
diff --git a/README.org b/README.org index 256dee2..3e01f0d 100644 --- a/README.org +++ b/README.org @@ -745,7 +745,7 @@ institute. The institute's private domain name should end with one of the top-level domains set aside for this purpose: ~.intranet~, -~.internal~, ~.private~, ~.corp~, ~.home~ or ~.lan~.[fn:5] It is +~.internal~, ~.private~, ~.corp~, ~.home~ or ~.lan~.[fn:1] It is hoped that doing so will increase that chances that some abomination like DNS-over-HTTPS will pass us by. @@ -1327,7 +1327,7 @@ to enable "persistent logging", yet). In Debian 12 there is a ~systemd~ package). These tasks are included in all of the roles, and so are given in a -separate code block named ~enable-resolved~.[fn:1] +separate code block named ~enable-resolved~.[fn:2] #+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml :noweb yes @@ -1842,7 +1842,7 @@ from Qualys SSL Labs ([[https://www.ssllabs.com/]]). The ~apache-ciphers~ block below is included last in the Apache2 configuration, so that its ~SSLCipherSuite~ directive can override (narrow) any list of ciphers set earlier (e.g. by Let's -Encrypt![fn:2]). The protocols and cipher suites specified here were +Encrypt![fn:3]). The protocols and cipher suites specified here were taken from [[https://www.ssllabs.com/projects/best-practices]] in 2022. #+NAME: apache-ciphers @@ -5976,7 +5976,7 @@ records. The mapping is stored among other things in A new member's record in the ~members~ mapping will have the ~status~ key value ~current~. That key gets value ~former~ when the member -leaves.[fn:3] Access by former members is revoked by invalidating the +leaves.[fn:4] Access by former members is revoked by invalidating the Unix account passwords, removing any authorized SSH keys from Front and Core, and disabling their VPN certificates. 
@@ -6781,7 +6781,7 @@ The networks used in the test: ~front~ is not accessible to the administrator's notebook (the host). To work around this restriction, ~front~ gets a second network interface connected to the ~vboxnet1~ network and used only - for ssh access from the host.[fn:4] + for ssh access from the host.[fn:5] As in [[*The Hardware][The Hardware]], all machines start with their primary Ethernet adapters attached to the NAT Network ~premises~ so that they can 
@@ -7652,22 +7652,23 @@ innocuous, disabled) default state. * Footnotes -[fn:5] The recommended private top-level domains are listed in -"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast DNS). [[https://www.rfc-editor.org/rfc/rfc6762#appendix-G][link]] +[fn:1] The recommended private top-level domains are listed in +"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast +DNS). [[https://www.rfc-editor.org/rfc/rfc6762#appendix-G]] -[fn:1] Why not create a role named ~all~ and put these tasks that are +[fn:2] Why not create a role named ~all~ and put these tasks that are the same on all machines in that role? If there were more than a stable handful, and no tangling mechanism to do the duplication, a catch-all role would be a higher priority. -[fn:2] The cipher set specified by Let's Encrypt is large enough to +[fn:3] The cipher set specified by Let's Encrypt is large enough to turn orange many parts of an SSL Report from Qualys SSL Labs. -[fn:3] Presumably, eventually, a former member's home directories are +[fn:4] Presumably, eventually, a former member's home directories are archived to external storage, their other files are given new ownerships, and their Unix accounts are deleted. This has never been done, and is left as a manual exercise. -[fn:4] Front is accessible via Gate but routing from the host address +[fn:5] Front is accessible via Gate but routing from the host address on ~vboxnet0~ through Gate requires extensive interference with the routes on Front and Gate, making the simulation less... similar. -- 2.25.1
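Review bot: The README.org relabelling is internally consistent: each reference changes by the same map as its definition in the `* Footnotes` hunk (fn:5 to fn:1 for the RFC 6762 private domains note, fn:1 to fn:2 for the catch-all role, fn:2 to fn:3 for the Let's Encrypt cipher set, fn:3 to fn:4 for former members' files, fn:4 to fn:5 for the `vboxnet1` ssh access), and the definitions were indeed already in reference order, as the subject line says, so no reference is left dangling. Two things in the @@ -7652 hunk go beyond renumbering, though: the fn:1 definition drops the `[link]` description so the URL renders bare, and its text is re-wrapped after `Multicast` (the 22 to 23 line growth in the hunk header is that re-wrap); neither is mentioned in the commit message, and the message should say so.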