From 80ee9d47901c2dc93c1e9bb46102b7189c5a607a Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Fri, 2 Jan 2026 15:09:08 -0700 Subject: [PATCH] Update README.html. --- README.html | 1008 ++++++++++++++++++++++++++++++--------------------- 1 file changed, 592 insertions(+), 416 deletions(-) diff --git a/README.html b/README.html index 88be3f2..bba7d67 100644 --- a/README.html +++ b/README.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + Birchwood Abbey Networks @@ -24,8 +24,8 @@ idiosyncrasies. The roles herein are abbey specific, emphasized by the abbey- prefix on their names. These roles are applied after the generic institutional roles (again, documented here).

-
-

1. Overview

+
+

1. Overview

A Small Institute makes security and privacy top priorities but @@ -64,7 +64,7 @@ map is very similar, with differences mainly in terminology, philosophy, attitude.

-
+
                 |                                                   
                 =                                                   
               _|||_                                                 
@@ -103,8 +103,8 @@ philosophy, attitude.
 
-
-

2. The Abbey Particulars

+
+

2. The Abbey Particulars

The abbey's public particulars are included below. They are the @@ -134,8 +134,8 @@ into private_ex/vars-abbey.yml.

-
-

3. The Abbey Front Role

+
+

3. The Abbey Front Role

Birchwood Abbey's front door is a Digital Ocean Droplet configured as @@ -144,8 +144,8 @@ with Apache2, spooling email with Postfix and serving it with Dovecot-IMAPd, and hosting a VPN with WireGuard™.

-
-

3.1. Install Emacs

+
+

3.1. Install Emacs

The monks of the abbey are masters of the staff (bo) and Emacs. @@ -160,8 +160,8 @@ The monks of the abbey are masters of the staff (bo) and Emacs.

-
-

3.2. Configure Public Email Aliases

+
+

3.2. Configure Public Email Aliases

The abbey uses several additional email aliases. These are the public @@ -201,11 +201,11 @@ from there, forwarding sysadm to a real person.

-
-

3.3. Configure Git Daemon on Front

+
+

3.3. Configure Git Daemon on Front

-The abbey publishes member Git repositories with git-daemon. If +The abbey publishes member Git repositories with git daemon. If Dick (a member of A Small Institute) builds a Foo project Git repository in ~/foo/, he can publish it to the campus by symbolically linking its .git/ into ~/Public/Git/ on Core. If the @@ -244,59 +244,45 @@ rsync -av --del small.institute.org:Public/foo/ ~/Public/foo/

-With SystemD and the git-daemon-sysvinit package installed, SystemD -supervises a git-daemon service unit launched with -/etc/init.d/git-daemon. The old SysV init script gets its -configuration from the customary /etc/default/git-daemon file. The -script then constructs the appropriate git-daemon command. The -git-daemon(1) manual page explains the command options in detail. -As explained in /usr/share/doc/git-daemon-sysvinit/README.Debian, -the service must be enabled by setting GIT_DAEMON_ENABLE to true. -The base path is also changed to agree with gitweb.cgi. +The git daemon is run by SystemD per the git-daemon.service file. +The git-daemon(1) manual page explains the options in detail. The +--base-path option should agree with $projectroot in the +/etc/gitweb.conf file installed here.

-User repositories are enabled by adding a user-path option and -disabling the default whitelist. To specify an empty whitelist, the -default (a list of one directory: /var/lib/git) must be avoided by -setting GIT_DAEMON_DIRECTORY to a blank (not empty) string. +User repositories are enabled by adding a --user-path option and +specifying an empty whitelist (i.e., no directories listed on the +command line). +

+ +

+The git daemon is run as an unprivileged system user: gitd. Thus +it has access to anything world readable. However git must be +willing to forgive the fact that gitd does not own any of the +repositories it is serving. To accomplish this, gitd gets a home +directory, /home/gitd/, in which is installed a .gitconfig created +by a git config --global --add safe.directory \* command.

The code below is included in both Front and Core configurations, -which should be nearly identical for testing purposes. Rather than +which should be (nearly) identical for testing purposes. Rather than factor out small roles like abbey-git-server, Emacs Org Mode's Noweb support does the duplication, by multiple references to code blocks -like git-tasks and git-handlers. +like gitd-tasks and gitd-handlers.

roles_t/abbey-front/tasks/main.yml

-<<git-tasks>>
+<<gitd-tasks>>
 
-git-tasks
- name: Install git daemon.
+gitd-tasks
- name: Install git.
   become: yes
-  apt: pkg=git-daemon-sysvinit
-
-- name: Configure git daemon.
-  become: yes
-  lineinfile:
-    path: /etc/default/git-daemon
-    regexp: "{{ item.patt }}"
-    line: "{{ item.line }}"
-  loop:
-  - patt: '^GIT_DAEMON_ENABLE *='
-    line: 'GIT_DAEMON_ENABLE=true'
-  - patt: '^GIT_DAEMON_OPTIONS *='
-    line: 'GIT_DAEMON_OPTIONS="--user-path=Public/Git"'
-  - patt: '^GIT_DAEMON_BASE_PATH *='
-    line: 'GIT_DAEMON_BASE_PATH="/var/www/git"'
-  - patt: '^GIT_DAEMON_DIRECTORY *='
-    line: 'GIT_DAEMON_DIRECTORY=" "'
-  notify: Restart git daemon.
+  apt: pkg=git
 
 - name: Create /var/www/git/.
   become: yes
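Review bot: The new gitd paragraph should state what `git config --global --add safe.directory \*` gives up: it disables git's repository-ownership check for every path gitd can read, not only /var/www/git and the members' Public/Git trees. The exposure is bounded because `git daemon` serves only repositories under `--base-path` / `--user-path` that carry the `git-daemon-export-ok` marker, and by default offers upload-pack only (receive-pack stays disabled), so the disabled check yields read access to world-readable repositories and nothing more; one sentence saying so would make the threat model explicit instead of leaving it at "git must be willing to forgive". Also, the paragraph points at `git-daemon.service` and `/etc/gitweb.conf` as "installed here", but in this hunk only `Install git.` (correctly `apt: pkg=git`, since the `git daemon` subcommand ships in Debian's `git` package) is visible; the unit file is created in the next hunk, so a short cross-reference would help a reader following the tasks in order.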
@@ -305,27 +291,90 @@ like git-tasks and git-handlers.
     state: directory
     group: staff
     mode: u=rwx,g=srwx,o=rx
+
+- name: Create user gitd.
+  become: yes
+  user:
+    name: gitd
+    password: "!"
+    home: /home/gitd
+    shell: /usr/bin/git-shell
+
+- name: Create /home/gitd/.gitconfig.
+  become: yes
+  copy:
+    content: |
+      [safe]
+        directory = *
+    dest: /home/gitd/.gitconfig
+    owner: gitd
+    group: gitd
+    mode: u=rw,g=r,o=r
+
+- name: Configure git-daemon.
+  become: yes
+  copy:
+    content: |
+        [Unit]
+        Description=Git Daemon
+        After=network.target
+
+        [Service]
+        ExecStart=/usr/bin/git daemon \
+                        --reuseaddr --verbose \
+                        --user-path=Public/Git \
+                        --base-path=/var/www/git
+
+        Restart=always
+        RestartSec=5
+
+        StandardOutput=journal
+        StandardError=journal
+        SyslogIdentifier=git-daemon
+
+        User=gitd
+        Group=gitd
+
+        [Install]
+        WantedBy=multi-user.target
+    dest: /etc/systemd/system/git-daemon.service
+  notify:
+  - Reload systemd.
+  - Restart git-daemon.
+
+- name: Enable git-daemon.
+  become: yes
+  systemd:
+    service: git-daemon
+    enabled: yes
 
roles_t/abbey-front/handlers/main.yml

-<<git-handlers>>
+<<gitd-handlers>>
 
-git-handlers

-- name: Restart git daemon.
+gitd-handlers

+- name: Reload systemd.
+  become: yes
+  systemd:
+    daemon-reload: yes
+
+- name: Restart git-daemon.
   become: yes
-  command: systemctl restart git-daemon
+  systemd:
+    service: git-daemon
+    state: restarted
   tags: actualizer
 
-
-

3.4. Configure Gitweb on Front

+
+

3.4. Configure Gitweb on Front

The abbey provides an HTML interface to members' public Git @@ -346,13 +395,13 @@ page, the second RewriteRule specifies the root directory of the user's public Git repositories via the GITWEB_PROJECTROOT environment variable. It makes http://www/~dick/git run Gitweb with the project root ~dick/Public/Git/, the same directory -the git-daemon makes available. The first RewriteRule directs +the git daemon makes available. The first RewriteRule directs URLs with no user name to the default. Thus http://www/git lists the repositories found in /var/www/git/.
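Review bot: In the git daemon hunk above, `Create user gitd.` calls the `user` module without `system: yes`, so gitd is allocated a regular (non-system) UID even though the prose introduces it as an unprivileged system user; add `system: yes` (the locked `password: "!"` and `shell: /usr/bin/git-shell` are fine as they are). Since the unit already runs as `User=gitd`, a few sandboxing lines under `[Service]` would cost nothing for a read-only exporter, e.g. `NoNewPrivileges=yes`, `ProtectSystem=strict` and `PrivateTmp=yes` (not `ProtectHome`, which would hide the members' Public/Git trees). One spelling point: the new `Reload systemd.` handler writes `daemon-reload: yes`; the documented parameter is `daemon_reload` (the hyphenated form is an accepted alias), and the handler removed from the logrotate section later in this patch used `daemon_reload`, so pick one spelling.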

-apache-gitweb

+apache-gitweb

 Alias /gitweb-static/ /usr/share/gitweb/static/
 <Directory "/usr/share/gitweb/static/">
     Options MultiViews
@@ -410,7 +459,13 @@ web site /favicon.ico.
 

-apache-gitweb-tasks
- name: Enable Apache2 rewrite module for Gitweb.
+roles_t/abbey-front/tasks/main.yml

+<<gitweb-tasks>>
+
+
+ +
+gitweb-tasks
- name: Enable Apache2 rewrite module for Gitweb.
   become: yes
   apache2_module: name=rewrite
   notify: Restart Apache2.
@@ -447,7 +502,13 @@ web site /favicon.ico.
 
-apache-gitweb-handlers
- name: Restart Apache2.
+roles_t/abbey-front/handlers/main.yml

+<<gitweb-handlers>>
+
+
+ +
+gitweb-handlers
- name: Restart Apache2.
   become: yes
   systemd:
     service: apache2
@@ -457,8 +518,8 @@ web site /favicon.ico.
 
-
-

3.5. Configure Apache for Abbey Documentation

+
+

3.5. Configure Apache for Abbey Documentation

Some of the directives added to the -vhost.conf file are needed by @@ -476,7 +537,7 @@ filename suffixes.

-apache-abbey
<Directory {{ docroot }}/Abbey/>
+apache-abbey
<Directory {{ docroot }}/Abbey/>
     AllowOverride Indexes FileInfo
     Options +Indexes +FollowSymLinks
 </Directory>
@@ -499,8 +560,8 @@ AddType text/plain private pub public_vpn req rev sample txt yml
 
-
-

3.6. Configure Photos URLs on Front

+
+

3.6. Configure Photos URLs on Front

Some of the directives added to the -vhost.conf file map the abbey's @@ -512,7 +573,7 @@ matching configurations for accurate previews and tests.

-apache-photos

+apache-photos

 RedirectMatch /Photos$ /Photos/
 RedirectMatch /Photos/(20[0-9][0-9])_([0-9][0-9])_([0-9][0-9])$ \
               /Photos/$1_$2_$3/
@@ -525,8 +586,8 @@ AliasMatch /Photos/$ {{ docroot }}/Photos/index.html
 
-
-

3.7. Configure Apache on Front

+
+

3.7. Configure Apache on Front

The abbey needs to add some Apache2 configuration directives to the @@ -537,11 +598,11 @@ The abbey simply creates a birchwood-abbey.net-vhost.conf file in

-The following task adds the apache-abbey, apache-photos, and -apache-gitweb directives described above to the -vhost.conf file, +The following task adds the apache-abbey, apache-photos, and +apache-gitweb directives described above to the -vhost.conf file, and includes options-ssl-apache.conf from /etc/letsencrypt/. The rest of the Let's Encrypt configuration is discussed in the following -Install Let's Encrypt section. +Install Let's Encrypt section.

@@ -559,20 +620,12 @@ rest of the Let's Encrypt configuration is discussed in the following IncludeOptional /etc/letsencrypt/options-ssl-apache.conf dest: /etc/apache2/sites-available/birchwood-abbey.net-vhost.conf notify: Restart Apache2. - -<<apache-gitweb-tasks>> - -
- -
-roles_t/abbey-front/handlers/main.yml

-<<apache-gitweb-handlers>>
 
-
-

3.8. Configure Apache Log Archival

+
+

3.8. Configure Apache Log Archival

These tasks hack Apache's logrotate(8) configuration to rotate @@ -612,29 +665,30 @@ The replacement logrotate-mailer does, and includes it in a - { regexp: "^\tmail ", line: "\tmail webmaster" } - { regexp: "^\tmailfirst", line: "\tmailfirst" } -- name: Configure logrotate. - become: yes - copy: - src: logrotate-mailer.conf - dest: /etc/systemd/system/logrotate.service.d/mailer.conf - notify: Reload systemd. - - name: Install logrotate mailer. become: yes copy: src: logrotate-mailer dest: /usr/local/sbin/logrotate-mailer mode: u=rwx,g=rx,o=rx - -

-
-roles_t/abbey-front/handlers/main.yml

-- name: Reload systemd.
+- name: Install logrotate.
   become: yes
-  systemd:
-    daemon_reload: yes
-  tags: actualizer
+  apt: pkg=logrotate
+
+- name: Create logrotate drop-in configuration directory.
+  become: yes
+  file:
+    path: /etc/systemd/system/logrotate.service.d
+    state: directory
+    mode: u=rwx,g=rx,o=rx
+
+- name: Configure logrotate.
+  become: yes
+  copy:
+    src: logrotate-mailer.conf
+    dest: /etc/systemd/system/logrotate.service.d/mailer.conf
+  notify: Reload systemd.
 
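Review bot: `Configure logrotate.` still notifies `Reload systemd.`, but this hunk drops that handler from roles_t/abbey-front/handlers/main.yml; on Front the handler now exists only because `<<gitd-handlers>>` is expanded into the same handlers file in the git daemon section. That is a hidden dependency between the logrotate tasks and an unrelated section: either leave a one-line remark here saying where `Reload systemd.` is now defined, or keep a role-level handler next to the logrotate tasks. Note also that the removed handler carried `tags: actualizer` and the gitd one does not, so the tag set changes silently. The new `Create logrotate drop-in configuration directory.` task is a good addition; without it the `copy` into logrotate.service.d/ would fail on a fresh host.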
@@ -705,8 +759,8 @@ encrypting and sending to sendmail.
-
-

3.9. Install Let's Encrypt

+
+

3.9. Install Let's Encrypt

The abbey uses a Let's Encrypt certificate to authenticate its public @@ -715,7 +769,7 @@ certificate is a terminal session affair (with prompts and lines entered as shown below).

-
+
 $ sudo apt install python3-certbot-apache
 $ sudo certbot --apache -d birchwood-abbey.net
 ...
@@ -781,11 +835,20 @@ package is installed and its live/ subdirectory is world readable.
   become: yes
   apt: pkg=python3-certbot-apache
 
-- name: Ensure Let's Encrypt certificate is readable.
+- name: Look for /etc/letsencrypt/live/.
+  stat:
+    path: /etc/letsencrypt/live
+  register: letsencrypt
+- debug:
+    msg: "/etc/letsencrypt/live/ does not (yet) exist"
+  when: not letsencrypt.stat.exists
+
+- name: "Ensure Let's Encrypt certificate is readable."
   become: yes
   file:
-    mode: u=rwx,g=rx,o=rx
-    path: /etc/letsencrypt/live
+    mode: u=rwx,g=rx,o=rx
+    path: /etc/letsencrypt/live
+  when: letsencrypt.stat.exists
 
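Review bot: `Look for /etc/letsencrypt/live/.` runs `stat` without `become: yes`. It works today only because /etc/letsencrypt itself is world-searchable on Debian (stat on the 0700 live/ directory succeeds as long as its parent grants search), so if that parent is ever tightened the check will silently report `exists: false` and the permission and symlink tasks guarded by `letsencrypt.stat.exists` are skipped without any error. Add `become: yes` to the stat task so the guard does not depend on the parent's mode. The `debug` task is also the only one in the file without a `name:`; giving it one keeps the play output consistent with the rest of the role.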
@@ -798,36 +861,72 @@ links keep the window for a mismatch extremely small.

-With the institutional configuration, Postfix, Dovecot and Apache -servers get their certificate&key from /etc/server.crt&.key. The -institutional roles check that they exist, but will not create them. -In this abbey specific role, /etc/server.crt&key are ours to frob. -The following tasks ensure they are symbolic links to -/etc/letsencrypt/live/birchwood-abbey.net/fullchain&privkey.pem. If -/etc/letsencrypt/ was restored from a backup, the servers should be -restarted manually. +A small institute configures its Postfix, Dovecot and Apache servers +use the certificate in /etc/server.crt. Ansible copies the small +institute's self-signed (private) certificate there, but only if the +file does not exist. This abbey specific role is free to symbolically +link this file (and the corresponding /etc/server.key file) to +/etc/letsencrypt/live/birchwood-abbey.net/fullchain.pem (and +privkey.pem). +

+ +

+If /etc/letsencrypt/ was restored from a backup, the servers should +be restarted manually.

roles_t/abbey-front/tasks/main.yml

-- name: Use Let's Encrypt certificate&key.
+- name: "Use Let's Encrypt certificate&key."
+  become: yes
   file:
     state: link
-    src: "{{ item.target }}"
-    path: "{{ item.link }}"
+    src: "{{ item.target }}"
+    path: "{{ item.link }}"
     force: yes
   loop:
   - target: /etc/letsencrypt/live/birchwood-abbey.net/fullchain.pem
     link: /etc/server.crt
   - target: /etc/letsencrypt/live/birchwood-abbey.net/privkey.pem
-    link: /etc/server.key
+    link: /etc/server.key
+  when: letsencrypt.stat.exists
 
-
-

3.10. Rotate Let's Encrypt Log

+
+

3.10. Restart servers caching the Let's Encrypt certificate.

+
+roles_t/abbey-front/tasks/main.yml

+- name: Install Certbot hook.
+  become: yes
+  copy:
+    src: certbot_hook
+    dest: /etc/letsencrypt/renewal-hooks/post/restart-abbey-servers
+    mode: u=rwx,g=rx,o=rx
+  when: letsencrypt.stat.exists
+
+
+ +

+The Dovecot IMAP server seems to cache the Let's Encrypt certificate. +Whenever it runs for more than 3 months (i.e. every 3 months), email +stops flowing because fetchmail notices the server certificate has +expired. The Postfix and Apache2 servers seem not to cache their +server certificate. +

+ +
+roles_t/abbey-front/files/certbot_hook
#!/bin/bash
+systemctl reload dovecot
+
+
+
+
+
+

3.11. Rotate Let's Encrypt Log

+

The following task arranges to rotate Certbot's logs files.

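Review bot: The rewritten paragraph reads "configures its Postfix, Dovecot and Apache servers use the certificate in /etc/server.crt"; it is missing a word: "servers to use the certificate". On the new Certbot hook: scripts in /etc/letsencrypt/renewal-hooks/post/ run after every `certbot renew` invocation whether or not any certificate was actually renewed (that is, on every firing of the packaged renew timer), whereas scripts in renewal-hooks/deploy/ run only when a certificate changed. Since the script exists solely to make Dovecot pick up a fresh certificate, `/etc/letsencrypt/renewal-hooks/deploy/restart-abbey-servers` is the better destination and avoids a needless `systemctl reload dovecot` on every timer run. The section heading says "Restart servers" while the script does a `reload`; the reload is the right choice, so the heading should say reload. Finally, the hook task is added under the 3.10 heading but the file is listed as roles_t/abbey-front/files/certbot_hook before the paragraph explaining why Dovecot needs it; moving the explanation above the task listing would match the order used in the other sections.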
@@ -854,9 +953,9 @@ The following task arranges to rotate Certbot's logs files.
-
-

3.11. Archive Let's Encrypt Data

-
+
+

3.12. Archive Let's Encrypt Data

+

A backup copy of Let's Encrypt's data (/etc/letsencrypt/) is sent to root@core in OpenPGP encrypted email every time it changes. Changes @@ -865,12 +964,12 @@ are detected by keeping a copy in /etc/letsencrypt~/ for comparison.

roles_t/abbey-front/tasks/main.yml

-- name: Install Let's Encrypt archive script.
+- name: "Install Let's Encrypt archive script."
   become: yes
   copy:
     src: cron.daily_letsencrypt
     dest: /etc/cron.daily/letsencrypt
-    mode: u=rwx,g=rx,o=rx
+    mode: u=rwx,g=rx,o=rx
 
@@ -934,8 +1033,8 @@ imported into root@front's GnuPG key file.
-
-

4. The Abbey Core Role

+
+

4. The Abbey Core Role

Birchwood Abbey's core is a mini-PC (System76 Meerkat) configured as A @@ -945,8 +1044,8 @@ with Postfix and Dovecot, and providing essential localnet services: NTP, DNS and DHCP.

-
-

4.1. Include Abbey Variables

+
+

4.1. Include Abbey Variables

In this abbey specific document, most abbey particulars are not @@ -965,8 +1064,8 @@ directory, playbooks/.

-
-

4.2. Install Additional Packages

+
+

4.2. Install Additional Packages

The scripts that maintain the abbey's web site use a number of @@ -986,8 +1085,8 @@ The house task list uses JQuery.

-
-

4.3. Configure Private Email Aliases

+
+

4.3. Configure Private Email Aliases

The abbey uses several additional email aliases. These are the campus @@ -1028,36 +1127,60 @@ e.g. mythtv@mythtv.birchwood.private, locally.)

-
-

4.4. Configure Git Daemon on Core

+
+

4.4. Configure Git Daemon on Core

These tasks are identical to those executed on Front, for similar Git -services on Front and Core. See 3.3 and -Configure Gitweb on Front for more information. +services on Front and Core. This allows changes to be tested on Core +before they are pushed to Front. See 3.3 +for more information.

roles_t/abbey-core/tasks/main.yml

-<<git-tasks>>
+<<gitd-tasks>>
 
roles_t/abbey-core/handlers/main.yml

-<<git-handlers>>
+<<gitd-handlers>>
 
-
-

4.5. Configure Apache on Core

+
+

4.5. Configure Gitweb on Core

+These tasks are identical to those executed on Front, for similar +Gitweb services on Front and Core. This allows changes to be tested +on Core before they are pushed to Front. See Configure Gitweb on +Front for more information. +

+ +
+roles_t/abbey-core/tasks/main.yml

+<<gitweb-tasks>>
+
+
+ +
+roles_t/abbey-core/handlers/main.yml

+<<gitweb-handlers>>
+
+
+
+
+
+

4.6. Configure Apache on Core

+
+

The Apache2 configuration on Core specifies three web sites (live, test, and campus). The live and test sites must operate just like the -site on Front. Their configurations include the same apache-abbey, -apache-photos, and apache-gitweb used on Front. +site on Front. Their configurations include the same apache-abbey, +apache-photos, and apache-gitweb used on Front.

@@ -1087,27 +1210,19 @@ site on Front. Their configurations include the same mode: u=rw,g=r,o=r notify: Restart Apache2. - -<<apache-gitweb-tasks>> - -
- -
-roles_t/abbey-core/handlers/main.yml

-<<apache-gitweb-handlers>>
 
-
-

4.6. Configure Documentation URLs

-
+
+

4.7. Configure Documentation URLs

+

The institute serves its /usr/share/doc/ on the house (campus) web site. This is a debugging convenience, making some HTML documentation more accessible, especially the documentation of software installed on Core and not on typical desktop clients. Also included: the Apache2 -directives that enable user Git publishing with Gitweb (defined here). +directives that enable user Git publishing with Gitweb (defined here).

@@ -1128,9 +1243,9 @@ directives that enable user Git publishing with Gitweb (defined -

4.7. Install Apt Cacher

-
+
+

4.8. Install Apt Cacher

+

The abbey uses the Apt-Cacher:TNG package cache on Core. The apt-cacher domain name is defined in private/db.domain. @@ -1145,9 +1260,9 @@ The abbey uses the Apt-Cacher:TNG package cache on Core. The

-
-

4.8. Use Cloister Apt Cache

-
+
+

4.9. Use Cloister Apt Cache

+

Core itself will benefit from using the package cache, but should contact https repositories directly. (There are few such cretins @@ -1159,10 +1274,8 @@ so caching their packages is not a priority.) - name: Use the local Apt package cache. become: yes copy: - content: > - Acquire::http::Proxy - "http://apt-cacher.birchwood.private.:3142"; - + content: | + Acquire::http::Proxy "http://{{ core_addr }}:3142"; Acquire::https::Proxy "DIRECT"; dest: /etc/apt/apt.conf.d/01proxy mode: u=rw,g=r,o=r @@ -1170,9 +1283,9 @@ so caching their packages is not a priority.)

-
-

4.9. Configure NAGIOS

-
+
+

4.10. Configure NAGIOS

+

A small institute uses nagios4 to monitor the health of its network, with an initial smattering of monitors adopted from the Debian @@ -1185,9 +1298,9 @@ another customized check_sensors plugin (abbey_pisensors

-
-

4.9.1. Monitoring The Home Disk

-
+
+

4.10.1. Monitoring The Home Disk

+

The abbey adds monitoring of the space remaining on the volume at /home/ on Core. (The small institute only monitors the space @@ -1241,9 +1354,9 @@ RAID-5 array under /home/.

-
-

4.9.2. Custom NAGIOS Monitor abbey_pisensors

-
+
+

4.10.2. Custom NAGIOS Monitor abbey_pisensors

+

The check_sensors plugin is included in the package monitoring-plugins-basic, but it does not report any readings. The @@ -1337,9 +1450,9 @@ recognizable temperature in the sensors output.

-
-

4.9.3. Stolen NAGIOS Monitor check_mdstat

-
-
-

4.9.4. Configure NAGIOS Monitoring of The Cloister

-
+
+

4.10.4. Configure NAGIOS Monitoring of The Cloister

+

The abbey adds monitoring for more servers: Dantooine and Kessel. They are abbey-cloister servers, so they are configured as small @@ -1440,9 +1553,9 @@ The configurations for these servers are very similar to Gate's, but are idiosyncratically in flux.

-
-
4.9.4.1. Cloister Network Addresses
-
+
+
4.10.4.1. Cloister Network Addresses
+

The IP addresses of all three hosts are nice to use in the NAGIOS configuration (to avoid depending on name service) and so are @@ -1457,9 +1570,9 @@ kessel_addr: 10.84.138.10

-
-
4.9.4.2. Install NAGIOS Configurations
-
+
+
4.10.4.2. Install NAGIOS Configurations
+

The following task installs each host's NAGIOS configuration.

@@ -1477,9 +1590,9 @@ The following task installs each host's NAGIOS configuration.
-
-
4.9.4.3. NAGIOS Monitoring of Dantooine
-
+ -
-
4.9.4.4. NAGIOS Monitoring of Kessel
-
+
+
4.10.4.4. NAGIOS Monitoring of Kessel
+
roles_t/abbey-core/templates/nagios-kessel.cfg
define host {
     use                     linux-server
@@ -1596,9 +1709,9 @@ The following task installs each host's NAGIOS configuration.
 
-
-

4.10. Install Munin

-
+
+

4.11. Install Munin

+

The abbey is experimenting with Munin. NAGIOS is all about notifying the Sys. Admin. of failed services. Munin is more about tracking @@ -1653,6 +1766,19 @@ trends in resource usage. address {{ kessel_addr }} dest: /etc/munin/munin-conf.d/zzz-site.cfg notify: Restart Munin. + +- name: Start Munin. + become: yes + systemd: + service: munin + state: started + tags: actualizer + +- name: Enable Munin + become: yes + systemd: + service: munin + enabled: yes

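Review bot: `Enable Munin` is the only task name in this hunk without the trailing period that every other task name uses (`Start Munin.`, and later `Enable Munin Node.`, `Enable git-daemon.`); add it for consistency. The start/enable pair mirrors the Munin Node pair added for the cloister role, which is fine, but it may be worth a comment saying that `Start Munin.` alone carries `tags: actualizer` so that a tag-restricted run changes only running state, not boot configuration.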
@@ -1688,9 +1814,9 @@ next task configures libsensors to ignore them.
-
-

4.11. Install Analog

-
+
+

4.12. Install Analog

+

The abbey's public web site's access and error logs are emailed regularly to webmaster, who saves them in /Logs/apache2-public/ @@ -1765,9 +1891,9 @@ at http://www/doc/analog/.

-
-

4.12. Add Monkey to Web Server Group

-
+
+

4.13. Add Monkey to Web Server Group

+

Monkey needs to be in www-data so that it can run /WWW/live/Photos/Private/cronjob to publish photos from multiple @@ -1788,9 +1914,9 @@ user cloud accounts, found in files owned by www-data, files like

-
-

4.13. Install netpbm For Photo Processing

-
+
+

4.14. Install netpbm For Photo Processing

+

Monkey's photo processing scripts use netpbm commands like jpegtopnm. @@ -1806,8 +1932,8 @@ Monkey's photo processing scripts use netpbm commands like

-
-

5. The Abbey Gate Role

+
+

5. The Abbey Gate Role

Birchwood Abbey's gate is a $110 µPC configured as A Small Institute @@ -1819,8 +1945,8 @@ allows access to the Abbey's IoT appliances: a HomeAssistant and an Ecowitt hub.

-
-

5.1. The Abbey Gate's Network Interfaces

+
+

5.1. The Abbey Gate's Network Interfaces

The abbey gate's lan interface is the PC's built-in Ethernet @@ -1841,27 +1967,27 @@ The MAC address of each interface is set in private/vars.yml (see

-
-

5.2. The Abbey's IoT Network

+
+

5.2. The Abbey's IoT Network

To allow masquerading between the private subnets and wild, the following iptables(8) rules are added. They are very similar to the nat and filter table rules used by a small institute to masquerade -its lan to its isp (see the UFW Rules of a Small Institute). +its lan to its isp (see the UFW Rules of a Small Institute). The campus WireGuard™ subnet is not included because the campus Wi-Fi hosts should be routing to the wild subnet directly and are assumed to be masquerading as their access point(s).

-iot-nat
-A POSTROUTING -s {{   private_net_cidr }} -o wild -j MASQUERADE
+iot-nat
-A POSTROUTING -s {{   private_net_cidr }} -o wild -j MASQUERADE
 -A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE
 
-iot-forward
-A ufw-user-forward -i lan -o wild -j ACCEPT
+iot-forward
-A ufw-user-forward -i lan -o wild -j ACCEPT
 -A ufw-user-forward -i wg0 -o wild -j ACCEPT
 
@@ -1872,12 +1998,12 @@ The second rule includes the campus VPN.

-
-

5.3. Configure UFW for IoT

+
+

5.3. Configure UFW for IoT

The following tasks install the additional rules in before.rules -and user.rules (as in Configure UFW). +and user.rules (as in Configure UFW).

@@ -1909,8 +2035,8 @@ and user.rules (as in Configur
-
-

5.4. The Abbey's Starlink Configuration

+
+

5.4. The Abbey's Starlink Configuration

The abbey connects to Starlink via Ethernet, and disables Starlink's @@ -1958,8 +2084,8 @@ at least our local network traffic out of view of our ISPs.

-
-

5.5. Alternate ISPs

+
+

5.5. Alternate ISPs

The abbey used to use a cell phone on a USB tether to get Internet @@ -2004,8 +2130,8 @@ service, using a 60-isp.yaml file similar to the lines below.

-
-

6. The Abbey Cloister Role

+
+

6. The Abbey Cloister Role

Birchwood Abbey's cloister is a small institute campus. The campus @@ -2020,7 +2146,7 @@ tasks, namely configuration required on Raspberry Pi OS machines.

Wireless clients are issued keys for the cloister VPN by the ./abbey client command which is currently identical to the ./inst client -command (described in The Client Command). The wireless, cloistered +command (described in The Client Command). The wireless, cloistered hosts never roam, are not associated with a member, and so are "campus" clients, issued keys with commands like this:

@@ -2030,8 +2156,8 @@ hosts never roam, are not associated with a member, and so are S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
-
-

6.1. Use Cloister Apt Cache

+
+

6.1. Use Cloister Apt Cache

The Apt-Cacher:TNG program does not work well on the frontier, so is @@ -2054,10 +2180,8 @@ local host. - name: Use the local Apt package cache. become: yes copy: - content: > - Acquire::http::Proxy - "http://apt-cacher.birchwood.private.:3142"; - + content: | + Acquire::http::Proxy "http://{{ core_addr }}:3142"; Acquire::https::Proxy "DIRECT"; dest: /etc/apt/apt.conf.d/01proxy mode: u=rw,g=r,o=r @@ -2065,13 +2189,13 @@ local host.

-
-

6.2. Configure Cloister NRPE

+
+

6.2. Configure Cloister NRPE

Each cloistered host is a small institute campus host and thus is already running an NRPE server (a NAGIOS Remote Plugin Executor -server) with a custom inst_sensors monitor (described in Configure +server) with a custom inst_sensors monitor (described in Configure NRPE of A Small Institute). The abbey adds one complication: yet another check_sensors variant, abbey_pisensors, installed on Raspberry Pis (architecture aarch64) only. @@ -2110,8 +2234,8 @@ Raspberry Pis (architecture aarch64) only.

-
-

6.3. Install Munin Node

+
+

6.3. Install Munin Node

Each cloistered host is a Munin node. @@ -2129,7 +2253,7 @@ Each cloistered host is a Munin node. regexp: "^allow [^]{{ core_addr|regex_escape }}[$]$" line: "allow ^{{ core_addr|regex_escape }}$" path: /etc/munin/munin-node.conf - notify: Restart Munin node. + notify: Restart Munin Node. - name: Add {{ ansible_user }} to munin group. become: yes @@ -2137,6 +2261,30 @@ Each cloistered host is a Munin node. name: "{{ ansible_user }}" append: yes groups: munin + +- name: Start Munin Node. + become: yes + systemd: + service: munin-node + state: started + tags: actualizer + +- name: Enable Munin Node. + become: yes + systemd: + service: munin-node + enabled: yes + +

+ +
+roles_t/abbey-cloister/handlers/main.yml

+- name: Restart Munin Node.
+  become: yes
+  systemd:
+    service: munin-node
+    state: restarted
+  tags: actualizer
 
@@ -2162,8 +2310,8 @@ them.
-
-

6.4. Install Emacs

+
+

6.4. Install Emacs

The monks of the abbey are masters of the staff and Emacs. @@ -2179,8 +2327,8 @@ The monks of the abbey are masters of the staff and Emacs.

-
-

7. The Abbey Weather Role

+
+

7. The Abbey Weather Role

Birchwood Abbey now uses Home Assistant to record and display weather @@ -2207,8 +2355,8 @@ entities. These were labeled and organized on an "Abbey" dashboard.

-
-

8. The Abbey DVR Role

+
+

8. The Abbey DVR Role

The abbey uses AgentDVR to record video from PoE IP HD security @@ -2216,8 +2364,8 @@ cameras. It runs as user agentdvr and keeps all of its configuration and recordings in /home/agentdvr/.

-
-

8.1. Install AgentDVR

+
+

8.1. Install AgentDVR

AgentDVR is installed according to the iSpy web site's latest @@ -2241,8 +2389,8 @@ executes several sudo commands. These commands can be run by the agentdvr account if it has (temporary) authorization.

-
-

8.1.1. Prepare for AgentDVR Installation

+
+

8.1.1. Prepare for AgentDVR Installation

The following commands are manually executed to create the agentdvr @@ -2270,8 +2418,8 @@ sudo mv ~/01agentdvr /etc/sudoers.d/

-
-

8.1.2. Execute AgentDVR Installation

+
+

8.1.2. Execute AgentDVR Installation

With the above preparations, the system administrator can get a shell @@ -2292,8 +2440,8 @@ Ansible is run again.

-
-

8.1.3. Complete AgentDVR Installation

+
+

8.1.3. Complete AgentDVR Installation

When Ansible is run a second time, after the installation script, it @@ -2316,8 +2464,8 @@ sudo rm /etc/sudoers.d/01agentdvr

-
-

8.2. Configure User agentdvr

+
+

8.2. Configure User agentdvr

AgentDVR runs as the system user agentdvr, which is configured here. @@ -2356,8 +2504,8 @@ restoration of AgentDVR.)

-
-

8.3. Test For AgentDVR/

+
+

8.3. Test For AgentDVR/

The following task probes for the /home/agentdvr/AgentDVR/ @@ -2380,8 +2528,8 @@ remaining installation steps are skipped unless

-
-

8.4. Create AgentDVR Service

+
+

8.4. Create AgentDVR Service

This service definition came from the template downloaded (from here) @@ -2418,27 +2566,34 @@ by install.sh. [Install] WantedBy=multi-user.target dest: /etc/systemd/system/AgentDVR.service + notify: + - Reload systemd. + - Restart AgentDVR. -- name: Start AgentDVR.service. +- name: Enable AgentDVR.service. become: yes systemd: service: AgentDVR - state: started + enabled: yes when: agentdvr.stat.exists - tags: actualizer + +

-- name: Enable AgentDVR.service. +
+roles_t/abbey-front/handlers/main.yml

+- name: Restart AgentDVR.
   become: yes
   systemd:
     service: AgentDVR
-    enabled: yes
+    state: restarted
   when: agentdvr.stat.exists
+  tags: actualizer
 
-
-

8.5. Create AgentDVR Storage

+
+

8.5. Create AgentDVR Storage

The abbey uses a separate volume to store surveillance recordings, @@ -2472,8 +2627,8 @@ location do not fail.
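Review bot: In the AgentDVR hunk above, the handlers file is labelled roles_t/abbey-front/handlers/main.yml, which looks wrong for section 8: the AgentDVR service belongs to the DVR role, and a `Restart AgentDVR.` handler placed in the front role's handlers will not be found when the DVR tasks notify it, so Ansible aborts the play on DVR hosts with a "requested handler ... was not found" error. The intended path is presumably roles_t/abbey-dvr/handlers/main.yml (an assumption based on the roles_t/abbey-<role>/ layout used elsewhere in the document). The same task also notifies `Reload systemd.`, which is not defined in this role's handlers as shown; it needs to be added next to `Restart AgentDVR.` rather than relied on from another role. Moving `tags: actualizer` from the old `Start AgentDVR.service.` task onto the restart handler is consistent with how the git-daemon and Munin handlers are tagged.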

-
-

8.6. Install Custom NAGIOS Monitor abbey_dvr

+
+

8.6. Install Custom NAGIOS Monitor abbey_dvr

DVR hosts install a custom NRPE plugin named abbey_dvr to monitor @@ -2506,11 +2661,11 @@ the storage available on /DVR/.

-
-

8.7. Configure IP Cameras

+
+

8.7. Configure IP Cameras

-A new security camera is setup as described in Cloistering, after +A new security camera is setup as described in Cloistering, after which the camera should be accessible by name on the abbey networks. Assuming ping -c1 new works, the camera's web interface will be accessible at http://new/. @@ -2533,8 +2688,8 @@ protocol) is nice but optional.

-
-

8.8. Configure AgentDVR's Cameras

+
+

8.8. Configure AgentDVR's Cameras

After Ansible has configured and started the AgentDVR service, its web @@ -2573,8 +2728,8 @@ AgentDVR's Live View.

-
-

8.9. Configure AgentDVR's Default Storage

+
+

8.9. Configure AgentDVR's Default Storage

AgentDVR's web interface is also used to configure a default storage @@ -2586,8 +2741,8 @@ pressed before the task is complete.

-
-

8.10. Configure AgentDVR's Recordings

+
+

8.10. Configure AgentDVR's Recordings

After a default storage location has been configured, AgentDVR's @@ -2618,8 +2773,8 @@ parameters are set (in the Recording and Storage tabs).

-
-

8.11. Restore AgentDVR

+
+

8.11. Restore AgentDVR

When restoring /home/ from a backup copy, the user accounts are @@ -2635,8 +2790,8 @@ installs the system service configuration file and starts the service.

-
-

9. The Abbey TVR Role

+
+

9. The Abbey TVR Role

The abbey has a few TV tuners and a subscription to Schedules Direct @@ -2651,14 +2806,14 @@ configured to serve MythTV pages at e.g. http://new/mythweb/.

-A new TVR machine needs only Cloistering to prepare it for +A new TVR machine needs only Cloistering to prepare it for Ansible. As part of that process, it should be added to the tvrs group in the hosts file. An existing server can become a TVR machine by adding it to the tvrs group.

-
-

9.1. Include Abbey Variables

+
+

9.1. Include Abbey Variables

Private variables in private/vars-abbey.yml are needed, as in the @@ -2674,8 +2829,8 @@ directory, playbooks/.

-
-

9.2. Manually Build and Install MythTV

+
+

9.2. Manually Build and Install MythTV

Neither Debian nor the MythTV project provide binary packages of @@ -2704,8 +2859,8 @@ sudo apt install mythtv-backend

-
-

9.3. Restore MythTV

+
+

9.3. Restore MythTV

Restoring MythTV from a backup copy to a fresh TVR host: @@ -2733,8 +2888,8 @@ The .mythtv/config.xml file should provide the DB particulars

-
-

9.4. Manually Load DB Timezone Info

+
+

9.4. Manually Load DB Timezone Info

Starting with MythTV version 0.26, the time zone tables must be loaded @@ -2758,8 +2913,8 @@ e.g. 2022-09-13 20:15:41.

-
-

9.5. Create MythTV Storage Area

+
+

9.5. Create MythTV Storage Area

The backend does not have a default storage area for its recordings. @@ -2783,8 +2938,8 @@ creates that directory and ensures it has appropriate permissions.

-
-

9.6. Configure MythTV Backend

+
+

9.6. Configure MythTV Backend

With MythTV built and installed, the post-installation tasks @@ -2800,12 +2955,12 @@ at http://new:6544 and make the following selections.

-
-

9.7. Configure Tuner

+
+

9.7. Configure Tuner

The abbey has a Silicon Dust Homerun HDTV Duo (with two tuners). It -is setup as described in Cloistering, after which the tuner is +is setup as described in Cloistering, after which the tuner is accessible by name (e.g. new) on the cloister network. Assuming ping -c1 new works, the tuner should be accessible via the hdhomerun_config_gui command, a graphical interface contributed to @@ -2816,8 +2971,8 @@ tuner's domain name or IP address can also be entered.

-
-

9.8. Add HDHomerun and Mr.Antenna

+
+

9.8. Add HDHomerun and Mr.Antenna

In MythTV Setup: @@ -2860,8 +3015,8 @@ any case, do not run mythfilldatabase.

-
-

9.9. Scan for New Channels

+
+

9.9. Scan for New Channels

In MythTV Backend, the website on Core's port 6544, e.g. @@ -2882,8 +3037,8 @@ In MythTV Backend, the website on Core's port 6544, e.g.

-
-

9.10. Configure XMLTV

+
+

9.10. Configure XMLTV

The xmltv package, specifically its tv_grab_zz_sdjson program, is @@ -2918,7 +3073,7 @@ the list of "inputs" available in a postal code typically ends with the OTA (over the air) broadcasts.

-
+
 $ tv_grab_zz_sdjson --configure --config-file .mythtv/Mr.Antenna.xml
 Cache file for lineups, schedules and programs.
 Cache file: [/home/mythtv/.xmltv/tv_grab_zz_sdjson.cache]
@@ -2968,8 +3123,8 @@ backend is running, so it is not run until then.
 

-
-

9.11. Debug XMLTV

+
+

9.11. Debug XMLTV

If the mythfilldatabase command fails or expected listings do not @@ -3008,14 +3163,14 @@ Running a similar command (without --quiet) might be more revealing

-
-

9.12. Change Broadcast Area

+
+

9.12. Change Broadcast Area

The abbey changes location almost weekly, so its HDTV broadcast area changes frequently. At the start of a long stay the administrator uses the MythTV Setup program to scan for the new area's channels, as -described in Scan for New Channels. +described in Scan for New Channels.

@@ -3033,7 +3188,7 @@ program as user mythtv.

The program will prompt for the zip code and offer a list of "inputs" -available in that area, as described in Configure XMLTV. +available in that area, as described in Configure XMLTV.

@@ -3047,14 +3202,14 @@ Lastly, the administrator runs an immediate update (again as the

-If the command fails, consult Debug XMLTV. Else, the listings appear +If the command fails, consult Debug XMLTV. Else, the listings appear in MythTV Backend's "Program Guide" page.

-
-

10. The Ansible Configuration

+
+

10. The Ansible Configuration

The abbey's Ansible configuration, like that of A Small Institute, is @@ -3081,7 +3236,7 @@ specific versions.

-NOTE: if you have not read at least the Overview of A Small Institute +NOTE: if you have not read at least the Overview of A Small Institute you are lost.

@@ -3111,8 +3266,8 @@ rest are built up piecemeal by (tangled from) this document, README.org, and Institute/README.org.

-
-

10.1. ansible.cfg

+
+

10.1. ansible.cfg

This is much like the example (test) institutional configuration file, @@ -3129,11 +3284,11 @@ except the roles are found in Institute/roles/ as well as roles/.

-
-

10.2. hosts

+
+

10.2. hosts

-hosts
all:
+hosts
all:
   vars:
     ansible_user: sysadm
     ansible_ssh_extra_args: -i Secret/ssh_admin/id_rsa
@@ -3142,6 +3297,9 @@ except the roles are found in Institute/roles/ as well as roles/.
     droplet:
       ansible_host: 159.65.75.60
       ansible_become_password: "{{ become_droplet }}"
+    debdrop:
+      ansible_host: 138.68.252.171
+      ansible_become_password: "{{ become_debdrop }}"
     anoat:
       ansible_host: anoat.birchwood.private
       ansible_become_password: "{{ become_anoat }}"
@@ -3155,10 +3313,13 @@ except the roles are found in Institute/roles/ as well as roles/.
     dantooine:
       ansible_host: dantooine.birchwood.private
       ansible_become_password: "{{ become_dantooine }}"
+    ord-mantell:
+      ansible_host: ord-mantell-w.birchwood.private
+      ansible_become_password: "{{ become_ord_mantell }}"
     # Notebooks
-    endor:
-      ansible_host: endor.birchwood.private
-      ansible_become_password: "{{ become_endor }}"
+    felucia:
+      ansible_host: felucia.birchwood.private
+      ansible_become_password: "{{ become_felucia }}"
     sullust:
       ansible_host: 127.0.0.1
       ansible_become_password: "{{ become_sullust }}"
@@ -3172,6 +3333,7 @@ except the roles are found in Institute/roles/ as well as roles/.
     front:
       hosts:
         droplet:
+        debdrop:
     gate:
       hosts:
         anoat:
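Review bot: debdrop joins droplet in the `front` group, so everything applied to the public-facing host (and anything that publishes the public VPN endpoint or mail routing for the abbey's names) now runs on two Internet-facing addresses, 159.65.75.60 and 138.68.252.171. The hosts file does not say whether debdrop is a replacement being staged or a permanent second front; add a comment saying which, and remove the retired host from `front` when the cutover is done so a forgotten droplet does not keep accepting mail and VPN connections with the old configuration.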
@@ -3183,6 +3345,7 @@ except the roles are found in Institute/roles/ as well as roles/.
         anoat:
         dantooine:
         kessel:
+        ord-mantell:
     dvrs:
       hosts:
         dantooine:
@@ -3193,22 +3356,24 @@ except the roles are found in Institute/roles/ as well as roles/.
       hosts:
         dantooine:
         kessel:
+        ord-mantell:
     notebooks:
       hosts:
-        endor:
+        felucia:
         sullust:
     builders:
       hosts:
         dantooine:
-        endor:
+        felucia:
         kessel:
+        ord-mantell:
         sullust:
 
-
-

10.3. playbooks/site.yml

+
+

10.3. playbooks/site.yml

This playbook provisions the entire network by applying first the @@ -3249,17 +3414,17 @@ institutional roles, then the liturgical roles.

-
-

11. The Abbey Commands

+
+

11. The Abbey Commands

The ./abbey script encodes the abbey's canonical procedures. It -includes The Institute Commands and adds a few abbey-specific +includes The Institute Commands and adds a few abbey-specific sub-commands.

-
-

11.1. Abbey Command Overview

+
+

11.1. Abbey Command Overview

Institutional sub-commands: @@ -3288,8 +3453,8 @@ and _architecture for all hosts.

-
-

11.2. Abbey Command Script

+
+

11.2. Abbey Command Script

The script begins with the following prefix and trampolines. @@ -3302,7 +3467,8 @@ The script begins with the following prefix and trampolines. use strict; -if (grep { $_ eq $ARGV[0] } qw(CA config new old pass client)) { +if (defined $ARGV[0] + && grep { $_ eq $ARGV[0] } qw(CA config new old pass client)) { exec "./Institute/inst", @ARGV; } @@ -3312,7 +3478,7 @@ The script begins with the following prefix and trampolines. The small institute's ./inst command expects to be running in Institute/, not ./, but it only references public/, private/, Secret/ and playbooks/check-inst-vars.yml, and will find the abbey -specific versions of these. The roles_path setting in ansible.cfg +specific versions of these. The roles_path setting in ansible.cfg effectively merges the institutional roles into the distinctly named abbey specific roles. The roles likewise reference files with relative names, and will find the abbey specific private/ @@ -3326,13 +3492,17 @@ code block "duplicates" the action of the institute's

-playbooks/check-inst-vars.yml
- import_playbook: ../Institute/playbooks/check-inst-vars.yml
+playbooks/check-inst-vars.yml
- hosts: localhost
+  gather_facts: no
+  tasks:
+  - import_role:
+      name: check-inst-vars
 
-
-

11.3. The Upgrade Command

+
+

11.3. The Upgrade Command
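Review bot: the rewritten playbooks/check-inst-vars.yml relies on Ansible's implicit localhost. Because `hosts` sets `ansible_user: sysadm` and an SSH key under `all: vars`, an inventory entry named localhost added later would make this play connect over SSH instead of running locally; pin it with `connection: local` under `hosts: localhost`. Also, `import_role: name: check-inst-vars` only resolves because `roles_path` in ansible.cfg includes Institute/roles/, as the paragraph above the hunk notes; a one-line comment in the playbook saying so would save the next reader the search.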

The script implements an upgrade sub-command that runs apt update @@ -3352,7 +3522,7 @@ a limit pattern. For example:

abbey

-if ($ARGV[0] eq "upgrade") {
+if (defined $ARGV[0] && $ARGV[0] eq "upgrade") {
   shift;
   my @args = ( "-e", "\@Secret/become.yml" );
   if (defined $ARGV[0] && $ARGV[0] eq "-n") {
@@ -3397,8 +3567,8 @@ a limit pattern.  For example:
 
-
-

11.4. The Reboots Command

+
+

11.4. The Reboots Command

The script implements a reboots sub-command that looks for @@ -3406,7 +3576,7 @@ The script implements a reboots sub-command that looks for

-abbey
if ($ARGV[0] eq "reboots") {
+abbey
if (defined $ARGV[0] && $ARGV[0] eq "reboots") {
   exec ("ansible-playbook", "-e", "\@Secret/become.yml",
         "playbooks/reboots.yml");
 }
@@ -3429,8 +3599,8 @@ The script implements a reboots sub-command that looks for
 
-
-

11.5. The Versions Command

+
+

11.5. The Versions Command

The script implements a versions sub-command that reports the @@ -3438,7 +3608,7 @@ operating system version of all abbey managed machines.

-abbey
if ($ARGV[0] eq "versions") {
+abbey
if (defined $ARGV[0] && $ARGV[0] eq "versions") {
   exec ("ansible-playbook", "-e", "\@Secret/become.yml",
         "playbooks/versarch.yml");
 }
@@ -3457,8 +3627,8 @@ operating system version of all abbey managed machines.
 
-
-

11.6. The Facts Command

+
+

11.6. The Facts Command

The script implements a facts sub-command to collect the Ansible @@ -3466,7 +3636,7 @@ The script implements a facts sub-command to collect the Ansible

-abbey
if ($ARGV[0] eq "facts") {
+abbey
if (defined $ARGV[0] && $ARGV[0] eq "facts") {
   my $line = ("ansible all -m gather_facts -e \@Secret/become.yml"
               . " >facts");
   print "$line\n";
@@ -3478,8 +3648,8 @@ The script implements a facts sub-command to collect the Ansible
 
-
-

11.7. The TZ Command

+
+

11.7. The TZ Command

The abbey changes location almost weekly, so its timezone changes @@ -3505,7 +3675,7 @@ last host in the previous play.

-abbey
if ($ARGV[0] eq "tz") {
+abbey
if (defined $ARGV[0] && $ARGV[0] eq "tz") {
   exec ("ansible-playbook", "-e", "\@Secret/become.yml",
         "playbooks/timezone.yml");
 }
@@ -3558,8 +3728,8 @@ last host in the previous play.
 
-
-

11.8. Abbey Command Help

+
+

11.8. Abbey Command Help

abbey
my $ops = ("config,new,old,pass,client,"
@@ -3570,8 +3740,8 @@ last host in the previous play.
 
-
-

12. Cloistering

+
+

12. Cloistering

This is how a new machine is brought into the cloister. The process @@ -3580,8 +3750,8 @@ narrows down to the common preparation of all machines administered by Ansible.

-
-

12.1. IoT Devices

+
+

12.1. IoT Devices

A wireless IoT device (smart TV, Blu-ray deck, etc.) cannot install @@ -3597,8 +3767,8 @@ given a private domain name as described in the following steps.

@@ -3608,12 +3778,12 @@ last step:

-
-

12.2. Raspberry Pis

+
+

12.2. Raspberry Pis

The abbey's Raspberry Pi runs the Raspberry Pi OS desktop off an NVMe @@ -3621,31 +3791,40 @@ SSD. A fresh install should go something like this:

    -
  • Write the disk image, 2023-12-05-raspios-bookworm-arm64.img.xz, to -the SSD and plug it into the Pi. Leave the µSD card socket empty.
  • +
  • Write the disk image, 2025-12-04-raspios-trixie-arm64-full.img.xz, +to the SSD and plug it into the Pi. If the SSD is not readily +accessible, write the disk image to a USB HD (thumb drive) or µSD +card and insert it.
  • Attach an HDMI monitor, a USB keyboard/mouse, and the cloister Ethernet, and power up.
  • Answer first-boot installation questions:
    • Language: English (USA)
    • Keyboard: English (USA)
    • -
    • root password: <blank>
    • -
    • new user name: System Administrator
    • new username: sysadm
    • new password: <password>
  • -
  • Add to Core DHCP
  • -
  • Create Wired Domain Name
  • -
  • Log in as sysadm on the console.
  • +
  • Add to Core DHCP
  • +
  • Create Wired Domain Name
  • +
  • Launch the desktop.
  • +
  • If the desktop is running on a USB HD (thumb drive) or μSD card, use +the Raspberry Pi Imager app in Accessories in the main menu. Choose +to install the 64-bit OS on the inaccessible SSD. Rebooted without +the USB HD or μSD card inserted and then answer the first-boot +installation questions again.
  • +
  • Right click on the desktop (background) and choose Preferences. In +the Control Centre choose Interfaces in the left side bar and toggle +SSH on.
  • +
  • Run sudo raspi-config and use the following menu items.
    • S4 Hostname (Set name for this computer on a network): new
    • I1 SSH (Enable/disable remote command line access using SSH): enable
    • A1 Expand Filesystem (Ensures that all of the SD card is available)
  • -
  • Update From Cloister Apt Cache
  • -
  • Authorize Remote Administration
  • -
  • Configure with Ansible
  • +
  • Update From Cloister Apt Cache
  • +
  • Authorize Remote Administration
  • +
  • Configure with Ansible
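Review bot: SSH is enabled twice in the new steps, once in Control Centre › Interfaces and again with raspi-config `I1 SSH`; keep one. More importantly, both come before Authorize Remote Administration, so until the key is installed the Pi accepts password logins for sysadm from anything on the cloister network; either move the SSH step after the key is in place or follow it by setting `PasswordAuthentication no` in sshd_config. Smaller points: "Rebooted without the USB HD or μSD card inserted" should read "Reboot without ..."; the `A1 Expand Filesystem` item still says "SD card" although the OS now lives on the SSD; and since the image name changed to 2025-12-04-raspios-trixie-arm64-full.img.xz, add a step to check the downloaded image's SHA-256 against the value published with it before writing it to the SSD.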

@@ -3654,14 +3833,14 @@ steps are taken.

-
-

12.3. PCs

+
+

12.3. PCs

Most of the abbey's machines, like Core and Gate, are general-purpose @@ -3670,26 +3849,25 @@ follows.

@@ -3698,14 +3876,14 @@ steps are taken.

-
-

12.4. Add to Core DHCP

+
+

12.4. Add to Core DHCP

When a new machine is connected to the cloister Ethernet, its MAC @@ -3716,14 +3894,13 @@ provide network addresses to new devices automatically.

IoT devices (IP cameras, HDTV tuners, etc.) often have their MAC address printed on their case or mentioned in a configuration page. -The MAC address must also appear in the device's DHCP Discover -broadcasts, which are logged to /var/log/daemon.log on Core. As a -last (or first!) resort, the following command line should reveal the -new device's MAC. +The MAC address will also appear in the device's DHCP Discover +broadcasts. The following command displays the last 5 messages logged +by the DHCP daemon and then waits for more.

-
tail -100 /var/log/daemon.log | grep DISCOVER
+
journalctl -t dhcpd -n 5 -f
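Review bot: `journalctl -t dhcpd -n 5 -f` needs root or membership in the systemd-journal group to read the system journal; write it as `sudo journalctl -t dhcpd -n 5 -f` or say that sysadm must be in that group. The replaced command filtered for DISCOVER, while the new one shows every dhcpd line (leases, renewals, NAKs), so on a busy cloister the new device's MAC can scroll past; `sudo journalctl -t dhcpd -f | grep --line-buffered DHCPDISCOVER` keeps the old filter. Also confirm that `-t dhcpd` matches the syslog identifier of the DHCP server actually installed on Core, otherwise the command prints nothing and gives no hint why; `-u` with the service unit name is the alternative.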
 
@@ -3766,12 +3943,12 @@ reporting 1 packets transmitted, 1 received, 0% packet loss....
-
-

12.5. Create Wired Domain Name

+
+

12.5. Create Wired Domain Name

A wired device is assigned an IP address when it is added to Core's -DHCP configuration (as in Add to Core DHCP). A private domain name is +DHCP configuration (as in Add to Core DHCP). A private domain name is then associated with this address. If the device is intended to operate wirelessly, the name for its address is modified with a -w suffix. Thus new-w.small.private would be the name of the new @@ -3814,8 +3991,8 @@ resolvectl query 192.168.56.4

-
-

12.6. Update From Cloister Apt Cache

+
+

12.6. Update From Cloister Apt Cache

  • Log in as sysadm on the console.
  • @@ -3823,8 +4000,7 @@ resolvectl query 192.168.56.4 Create /etc/apt/apt.conf.d/01proxy.

    -D=apt-cacher.small.private.
    -echo "Acquire::http::Proxy \"http://$D:3142\";" \
    +echo "Acquire::http::Proxy \"http://192.168.56.1:3142\";" \
     | sudo tee /etc/apt/apt.conf.d/01proxy
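Review bot: hard-coding `http://192.168.56.1:3142` in place of the apt-cacher name removes the dependency on private DNS, which a freshly installed machine does not have yet, but the text should say which host 192.168.56.1 is, since the other examples on this page use 192.168.56.4 and names under birchwood.private and a reader cannot tell where the cache runs. Plain HTTP to the cache is acceptable because apt verifies the Release signatures itself. Note, though, that 01proxy must be removed or overridden when a notebook leaves the cloister, or apt will wait on an unreachable proxy; if Ansible rewrites 01proxy in a later step, say so here.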
     
  • @@ -3838,8 +4014,8 @@ sudo reboot

-
-

12.7. Authorize Remote Administration

+
+

12.7. Authorize Remote Administration

To remotely administer new-w, Ansible must be authorized to login as @@ -3873,11 +4049,11 @@ key.

-
-

12.8. Configure with Ansible

+
+

12.8. Configure with Ansible

-With remote administration authorized and tested (as in Authorize +With remote administration authorized and tested (as in Authorize Remote Administration), and the machine connected to the cloister Ethernet, the configuration of new-w can be completed by Ansible. Note that if the machine is staying on the cloister Ethernet, its @@ -3885,7 +4061,7 @@ domain name will be new (having had no -w suffix added

-First new-w is added to Ansible's inventory in hosts. A new-w +First new-w is added to Ansible's inventory in hosts. A new-w section is added to the list of all hosts, and an empty section of the same name is added to the list of campus hosts. If the machine uses the usual privileged account name, sysadm, the ansible_user key is @@ -3933,8 +4109,8 @@ configuration files.

-
-

12.9. Connect to Cloister Wi-Fi

+
+

12.9. Connect to Cloister Wi-Fi

On an IoT device, or a Debian or Android "desktop", the cloister Wi-Fi @@ -3975,8 +4151,8 @@ desktop connected to the Wi-Fi using the following ping command.

-
-

12.10. Connect to Cloister VPN

+
+

12.10. Connect to Cloister VPN

Wireless devices (with the cloister Wi-Fi password) can get an IP @@ -3989,14 +4165,14 @@ however, are not accessible except via the cloister VPN.

Connections to the cloister VPN are authorized by the ./abbey -client... command (aka The Client Command), which registers a new +client... command (aka The Client Command), which registers a new client's public key and installs new WireGuard™ configurations on the servers. Private keys are kept on the clients (e.g. in /etc/wireguard/private-key).

-
-

12.10.1. Campus Desktops and Servers

+
+

12.10.1. Campus Desktops and Servers

Wireless Debian desktops (with NetworkManager) as well as servers @@ -4082,8 +4258,8 @@ sudo systemctl enable wg-quick@wg0

-
-

12.10.2. Private Desktops

+
+

12.10.2. Private Desktops

Member notebooks are private machines not remotely administered by the @@ -4195,8 +4371,8 @@ password is included in Secret/become.yml.

-
-

12.10.3. Android

+
+

12.10.3. Android

Android phones and tablets are authorized to connect to the cloister @@ -4233,8 +4409,8 @@ public VPN.

-
-

12.11. Create Wireless Domain Name

+
+

12.11. Create Wireless Domain Name

A wireless machine is assigned a Wi-Fi address when it connects to the @@ -4289,7 +4465,7 @@ be added to private/db.campus_vpn.)

Author: Matt Birkholz

-

Created: 2025-11-23 Sun 13:07

+

Created: 2026-01-02 Fri 15:07

Validate

-- 2.47.3