From 59702491f27786ab82b574aec454cbb44fb17c1e Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Sat, 30 Dec 2023 14:07:05 -0700 Subject: [PATCH] Move domain_priv to private/vars.yml. Wordsmith some too. --- README.org | 63 +++++++++++++++++++++++++++++------------------- private/vars.yml | 2 ++ public/vars.yml | 1 - 3 files changed, 40 insertions(+), 26 deletions(-) diff --git a/README.org b/README.org index 8484f52..bde9d6f 100644 --- a/README.org +++ b/README.org @@ -27,7 +27,7 @@ connects to Front making the institute email, cloud, etc. available to members off campus. # Note that part of this diagram appears in The Gate Machine, which -# should be kept up-to-date with changes made to this diagram. +# should be kept up-to-date with any changes made here. #+BEGIN_EXAMPLE = @@ -52,7 +52,7 @@ members off campus. | | ============== Gate ================================================ | Private - +----Ethernet switch + +----(Ethernet switch) | +----Core +----Servers (NAS, DVR, etc.) @@ -734,12 +734,26 @@ replace ~{{ domain_name }}~ in the code with ~small.example.org~.) #+BEGIN_SRC conf :tangle public/vars.yml :mkdirp yes --- domain_name: small.example.org -domain_priv: small.private #+END_SRC -The private version of the institute's domain name should end with one -of the top-level domains expected for this purpose: ~.intranet~, -~.internal~, ~.private~, ~.corp~, ~.home~ or ~.lan~.[fn:5] +The institute's private domain is treated as sensitive information, +and so is "tangled" into the example file [[file:private/vars.yml][=private/vars.yml=]] rather +than [[file:public/vars.yml][=public/vars.yml=]]. The example file is used for testing, and +serves as the template for an actual, private, =private/var.yml= file +that customizes this Ansible code for an actual, private, small +institute. + +The institute's private domain name should end with one of the +top-level domains set aside for this purpose: ~.intranet~, +~.internal~, ~.private~, ~.corp~, ~.home~ or ~.lan~.[fn:5] It is +hoped that doing so will increase that chances that some abomination +like DNS-over-HTTPS will pass us by. + +#+CAPTION: [[file:private/vars.yml][=private/vars.yml=]] +#+BEGIN_SRC conf :tangle private/vars.yml :tangle-mode u=rw :mkdirp yes +--- +domain_priv: small.private +#+END_SRC ** Subnets @@ -796,14 +810,14 @@ example result follows the code. The four private networks are named and given example CIDRs in the code block below. The small institute treats these addresses as -sensitive information so the code block below "tangles" into +sensitive information so again the code block below "tangles" into [[file:private/vars.yml][=private/vars.yml=]] rather than [[file:public/vars.yml][=public/vars.yml=]]. Two of the addresses are in ~192.168~ subnets because they are part of a test configuration using mostly-default VirtualBoxes (described [[*Testing][here]]). #+CAPTION: [[file:private/vars.yml][=private/vars.yml=]] -#+BEGIN_SRC conf :tangle private/vars.yml :tangle-mode u=rw ---- +#+BEGIN_SRC conf :tangle private/vars.yml + private_net_cidr: 192.168.56.0/24 public_vpn_net_cidr: 10.177.86.0/24 campus_vpn_net_cidr: 10.84.138.0/24 @@ -7507,15 +7521,14 @@ is lacking in a number of respects. The current network monitoring is rudimentary. It could use some love, like intrusion detection via Snort or similar. Services on Front are not monitored except that the =webupdate= script should be -emailing ~sysadm~ whenever it cannot update Front. +emailing ~sysadm~ whenever it cannot update Front (every 15 minutes!). Pro-active monitoring might include notifying ~root~ of any vandalism corrected by Monkey's quarter-hourly web update. This is a -non-trivial task that must ignore intentional changes and save suspect -changes. +non-trivial task that must ignore intentional changes. -Monkey's ~cron~ jobs on Core should presumably become ~systemd.timer~ -and ~.service~ units. +Monkey's ~cron~ jobs on Core should be ~systemd.timer~ and ~.service~ +units. The institute's private domain names (e.g. ~www.small.private~) are not resolvable on Front. Reverse domains (~86.177.10.in-addr.arpa~) @@ -7530,17 +7543,17 @@ continue to work for some time. The ~./inst client android dick-phone dick~ command generates =.ovpn= files that require the member to remember to check the "Use this -connection only for resources on its network" box in the IPv4 tab of -the Add VPN dialog. The ~./inst client~ command should include a -setting in the Debian =.ovpn= files that NetworkManager will recognize -as the desired setting. +connection only for resources on its network" box in the IPv4 (and +IPv6) tab(s) of the Add VPN dialog. The command should include an +OpenVPN setting that the NetworkManager file importer recognizes as +the desired setting. The VPN service is overly complex. The OpenVPN 2.4.7 clients allow multiple server addresses, but the ~openvpn(8)~ manual page suggests -per connection parameters are a restricted set that does /not/ include -the essential ~verify-x509-name~. Use the same name on separate -certificates for Gate and Front? Use the same certificate and key on -Gate and Front? +per connection parameters are restricted to a set that does /not/ +include the essential ~verify-x509-name~. Use the same name on +separate certificates for Gate and Front? Use the same certificate +and key on Gate and Front? Nextcloud should really be found at ~https://CLOUD.small.private/~ rather than ~https://core.small.private/nextcloud/~, to ease @@ -7648,6 +7661,9 @@ innocuous, disabled) default state. * Footnotes +[fn:5] The recommended private top-level domains are listed in +"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast DNS). [[https://www.rfc-editor.org/rfc/rfc6762#appendix-G][link]] + [fn:1] Why not create a role named ~all~ and put these tasks that are the same on all machines in that role? If there were more than a stable handful, and no tangling mechanism to do the duplication, a @@ -7664,6 +7680,3 @@ done, and is left as a manual exercise. [fn:4] Front is accessible via Gate but routing from the host address on ~vboxnet0~ through Gate requires extensive interference with the routes on Front and Gate, making the simulation less... similar. - -[fn:5] The recommended private top-level domains are listed in -"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast DNS). [[https://www.rfc-editor.org/rfc/rfc6762#appendix-G][link]] diff --git a/private/vars.yml b/private/vars.yml index f67b971..a4a8e52 100644 --- a/private/vars.yml +++ b/private/vars.yml @@ -1,4 +1,6 @@ --- +domain_priv: small.private + private_net_cidr: 192.168.56.0/24 public_vpn_net_cidr: 10.177.86.0/24 campus_vpn_net_cidr: 10.84.138.0/24 diff --git a/public/vars.yml b/public/vars.yml index 3700461..f61b4af 100644 --- a/public/vars.yml +++ b/public/vars.yml @@ -1,6 +1,5 @@ --- domain_name: small.example.org -domain_priv: small.private front_addr: 192.168.15.5 -- 2.25.1