From 7b40b58d92e692973165deb798b520bc2fce84d8 Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Sat, 30 Dec 2023 14:12:56 -0700 Subject: [PATCH] Update README.html. --- README.html | 187 ++++++++++++++++++++++++++++------------------------ 1 file changed, 101 insertions(+), 86 deletions(-) diff --git a/README.html b/README.html index 4c88b27..78a6c4e 100644 --- a/README.html +++ b/README.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + A Small Institute @@ -48,7 +48,7 @@ connects to Front making the institute email, cloud, etc. available to members off campus.

-
+
                 =                                                   
               _|||_                                                 
         =-The-Institute-=                                           
@@ -71,7 +71,7 @@ members off campus.
                 | |                                                 
 ============== Gate ================================================
                 |                                            Private
-                +----Ethernet switch                                
+                +----(Ethernet switch)                              
                         |                                           
                         +----Core                                   
                         +----Servers (NAS, DVR, etc.)               
@@ -902,15 +902,31 @@ replace {{ domain_name }} in the code with small.example.org<
 
public/vars.yml
---
 domain_name: small.example.org
-domain_priv: small.private
 

-The private version of the institute's domain name should end with one -of the top-level domains expected for this purpose: .intranet, -.internal, .private, .corp, .home or .lan.1 +The institute's private domain is treated as sensitive information, +and so is "tangled" into the example file private/vars.yml rather +than public/vars.yml. The example file is used for testing, and +serves as the template for an actual, private, private/var.yml file +that customizes this Ansible code for an actual, private, small +institute. +

+ +

+The institute's private domain name should end with one of the +top-level domains set aside for this purpose: .intranet, +.internal, .private, .corp, .home or .lan.1 It is +hoped that doing so will increase that chances that some abomination +like DNS-over-HTTPS will pass us by.

+ +
+private/vars.yml
---
+domain_priv: small.private
+
+
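Review bot: two typos in the new prose: "private/var.yml" should be "private/vars.yml" (the file name the surrounding sentence and the new tangle header use), and "increase that chances" should be "increase the chances". Separately, the sentence hoping a reserved TLD will make DNS-over-HTTPS "pass us by" describes a hope, not a control: a client that has DoH enabled sends its ".private" queries to its configured public resolver regardless of the suffix, so the suffix limits what the leaked names reveal rather than preventing the leak. Consider saying so, or dropping the sentence, so a reader does not take the TLD choice for a mitigation.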
@@ -1014,7 +1030,7 @@ example result follows the code.
-
+

=> 10.62.17.0/24

@@ -1024,14 +1040,14 @@ example result follows the code.

The four private networks are named and given example CIDRs in the code block below. The small institute treats these addresses as -sensitive information so the code block below "tangles" into +sensitive information so again the code block below "tangles" into private/vars.yml rather than public/vars.yml. Two of the addresses are in 192.168 subnets because they are part of a test configuration using mostly-default VirtualBoxes (described here).

-private/vars.yml
---
+private/vars.yml
 private_net_cidr:           192.168.56.0/24
 public_vpn_net_cidr:        10.177.86.0/24
 campus_vpn_net_cidr:        10.84.138.0/24
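Review bot: with this hunk there are now two code blocks tangling into private/vars.yml, and both start with a "---" document marker (the new domain_priv block in the previous hunk and the unchanged "---" context line here). Ansible reads a vars file as a single YAML document, so if the tangled output contains both markers the file will fail to load with a "expected a single document" style error. Please confirm the tangle emits only one leading "---", or remove it from the second block.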
@@ -1429,7 +1445,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a
 campground Wi-Fi access point, etc.
 
 
-
+
 =============== | ==================================================
                 |                                           Premises
           (Campus ISP)                                              
@@ -1452,7 +1468,7 @@ This avoids the need for a second Wi-Fi access point and leads to the
 following topology.
 

-
+
 =============== | ==================================================
                 |                                           Premises
            (House ISP)                                              
@@ -1624,8 +1640,8 @@ uses the institute's CA and server certificates, and expects client
 certificates signed by the institute CA.
 

-
-

6.1. Include Particulars

+
+

6.1. Include Particulars

The front role's tasks contain references to several common @@ -1657,8 +1673,8 @@ The code block below is the first to tangle into

-
-

6.2. Configure Hostname

+
+

6.2. Configure Hostname

This task ensures that Front's /etc/hostname and /etc/mailname are @@ -1782,8 +1798,8 @@ separate code block named enable-resolved.

- -
-

6.6. Configure Monkey

+
+

6.6. Configure Monkey

The small institute runs cron jobs and web scripts that generate @@ -1899,8 +1915,8 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.

-
-

6.8. Install Unattended Upgrades

+
+

6.8. Install Unattended Upgrades

The institute prefers to install security updates as soon as possible. @@ -1915,8 +1931,8 @@ The institute prefers to install security updates as soon as possible.

-
-
-

6.10. Trust Institute Certificate Authority

+
+

6.10. Trust Institute Certificate Authority

Front should recognize the institute's Certificate Authority as @@ -1992,8 +2008,8 @@ X.509 certificates is available in Keys.

-
-

6.11. Install Server Certificate

+
+

6.11. Install Server Certificate

The servers on Front use the same certificate (and key) to @@ -2257,8 +2273,8 @@ created by a more specialized role.

-
-

6.14. Configure Dovecot IMAPd

+
+

6.14. Configure Dovecot IMAPd

Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to @@ -2722,8 +2738,8 @@ the users' ~/Public/HTML/ directories.

-
-

6.16. Configure OpenVPN

+
+

6.16. Configure OpenVPN

Front uses OpenVPN to provide the institute's public VPN service. The @@ -3047,8 +3063,8 @@ Debian install and remote access to a privileged, administrator's account. (For details, see The Core Machine.)

-
-

7.1. Include Particulars

+
+

7.1. Include Particulars

The first task, as in The Front Role, is to include the institute @@ -3070,8 +3086,8 @@ particulars and membership roll.

-
-

7.2. Configure Hostname

+
+

7.2. Configure Hostname

This task ensures that Core's /etc/hostname and /etc/mailname are @@ -3104,8 +3120,8 @@ proper email delivery.

-
-

7.3. Enable Systemd Resolved

+
+

7.3. Enable Systemd Resolved

Core starts the systemd-networkd and systemd-resolved service @@ -3149,8 +3165,8 @@ units on boot. See Enable Systemd Resolved.

-
-

7.4. Configure Systemd Resolved

+
+

7.4. Configure Systemd Resolved

Core runs the campus name server, so Resolved is configured to use it @@ -3617,8 +3633,8 @@ craps up /var/log/ and the Systemd journal.

-
-

7.8. Add Administrator to System Groups

+
+

7.8. Add Administrator to System Groups

The administrator often needs to read (directories of) log files owned @@ -3638,8 +3654,8 @@ these groups speeds up debugging.

-
-

7.9. Configure Monkey

+
+

7.9. Configure Monkey

The small institute runs cron jobs and web scripts that generate @@ -3739,8 +3755,8 @@ with Nextcloud on the command line.

-
-

7.12. Configure User Accounts

+
+

7.12. Configure User Accounts

User accounts are created immediately so that backups can begin @@ -3782,8 +3798,8 @@ describes the members and usernames variables.

-
-

7.13. Trust Institute Certificate Authority

+
+

7.13. Trust Institute Certificate Authority

Core should recognize the institute's Certificate Authority as @@ -3815,8 +3831,8 @@ X.509 certificates is available in Keys.

-
-

7.14. Install Server Certificate

+
+

7.14. Install Server Certificate

The servers on Core use the same certificate (and key) to authenticate @@ -4069,8 +4085,8 @@ installed by more specialized roles.

-
-

7.18. Configure Dovecot IMAPd

+
+

7.18. Configure Dovecot IMAPd

Core uses Dovecot's IMAPd to store and serve member emails. As on @@ -5954,8 +5970,8 @@ applied first, by which Gate gets a campus machine's DNS and Postfix configurations, etc.

-
-

8.1. Include Particulars

+
+

8.1. Include Particulars

The following should be familiar boilerplate by now. @@ -6329,8 +6345,8 @@ the daemon listens only on the Gate-WiFi network interface.

-
-

8.6. Install Server Certificate

+
+

8.6. Install Server Certificate

The (OpenVPN) server on Gate uses an institute certificate (and key) @@ -6357,8 +6373,8 @@ and Front) do.

-
-

8.7. Configure OpenVPN

+
+

8.7. Configure OpenVPN

Gate uses OpenVPN to provide the institute's campus VPN service. Its @@ -6521,8 +6537,8 @@ Wireless campus devices can get a key to the campus VPN from the configured manually.

-
-

9.1. Include Particulars

+
+

9.1. Include Particulars

The following should be familiar boilerplate by now. @@ -6538,8 +6554,8 @@ The following should be familiar boilerplate by now.

-
-

9.2. Configure Hostname

+
+

9.2. Configure Hostname

Clients should be using the expected host name. @@ -6572,8 +6588,8 @@ Clients should be using the expected host name.

-
-

9.3. Enable Systemd Resolved

+
+

9.3. Enable Systemd Resolved

Campus machines start the systemd-networkd and systemd-resolved @@ -6617,8 +6633,8 @@ service units on boot. See Enable Systemd Resolved.

-
-

9.4. Configure Systemd Resolved

+
+

9.4. Configure Systemd Resolved

Campus machines use the campus name server on Core (or dns.google), @@ -6689,8 +6705,8 @@ and file timestamps.

-
-

9.6. Add Administrator to System Groups

+
+

9.6. Add Administrator to System Groups

The administrator often needs to read (directories of) log files owned @@ -6710,8 +6726,8 @@ these groups speeds up debugging.

-
-

9.7. Trust Institute Certificate Authority

+
+

9.7. Trust Institute Certificate Authority

Campus hosts should recognize the institute's Certificate Authority as @@ -6743,8 +6759,8 @@ keys, certificates and passwords, see Keys.)

-
-

9.8. Install Unattended Upgrades

+
+

9.8. Install Unattended Upgrades

The institute prefers to install security updates as soon as possible. @@ -9434,19 +9450,18 @@ is lacking in a number of respects. The current network monitoring is rudimentary. It could use some love, like intrusion detection via Snort or similar. Services on Front are not monitored except that the webupdate script should be -emailing sysadm whenever it cannot update Front. +emailing sysadm whenever it cannot update Front (every 15 minutes!).

Pro-active monitoring might include notifying root of any vandalism corrected by Monkey's quarter-hourly web update. This is a -non-trivial task that must ignore intentional changes and save suspect -changes. +non-trivial task that must ignore intentional changes.

-Monkey's cron jobs on Core should presumably become systemd.timer -and .service units. +Monkey's cron jobs on Core should be systemd.timer and .service +units.

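Review bot: dropping "and save suspect changes" removes the evidence-preservation requirement from the vandalism-notification idea; a notification that says the web site was corrected but keeps nothing of what was overwritten leaves the administrator nothing to investigate. Suggest keeping the clause, e.g. "must ignore intentional changes and preserve the suspect files for review". Also, "(every 15 minutes!)" is ambiguous about whether it is the update cadence or the alert cadence; "the quarter-hourly webupdate script should be emailing sysadm each time it cannot update Front" says the same thing unambiguously.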
@@ -9467,19 +9482,19 @@ continue to work for some time.

The ./inst client android dick-phone dick command generates .ovpn files that require the member to remember to check the "Use this -connection only for resources on its network" box in the IPv4 tab of -the Add VPN dialog. The ./inst client command should include a -setting in the Debian .ovpn files that NetworkManager will recognize -as the desired setting. +connection only for resources on its network" box in the IPv4 (and +IPv6) tab(s) of the Add VPN dialog. The command should include an +OpenVPN setting that the NetworkManager file importer recognizes as +the desired setting.

The VPN service is overly complex. The OpenVPN 2.4.7 clients allow multiple server addresses, but the openvpn(8) manual page suggests -per connection parameters are a restricted set that does not include -the essential verify-x509-name. Use the same name on separate -certificates for Gate and Front? Use the same certificate and key on -Gate and Front? +per connection parameters are restricted to a set that does not +include the essential verify-x509-name. Use the same name on +separate certificates for Gate and Front? Use the same certificate +and key on Gate and Front?

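Review bot: of the two options floated in the last paragraph, "Use the same certificate and key on Gate and Front?" deserves a caveat in the text: Front is the Internet-facing host, so a single shared key means a compromise of Front also yields a key that authenticates as Gate to campus VPN clients. The first option, the same verify-x509-name on separate certificates and keys, keeps Gate's key off the public server and still satisfies the client's single verify-x509-name check, so it should be the preferred direction if the per-connection restriction noted here is the obstacle.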
@@ -9687,7 +9702,7 @@ routes on Front and Gate, making the simulation less… similar.

Author: Matt Birkholz

-

Created: 2023-12-29 Fri 14:26

+

Created: 2023-12-30 Sat 14:12

Validate

-- 2.25.1