From 86964fe9486c73c726b8ae0eb537d7956e17f81d Mon Sep 17 00:00:00 2001
From: Matt Birkholz
+= _|||_ =-The-Institute-= @@ -149,12 +149,12 @@ month) because of this assumption.The small institute's network is designed to provide a number of -services. An understanding of how institute hosts co-operate is -essential to understanding the configuration of specific hosts. This -chapter covers institute services from a network wide perspective, and -gets right down in its subsections to the Ansible code that enforces -its policies. On first reading, those subsections should be skipped; -they reference particulars first introduced in the following chapter. +services. Understanding how institute hosts co-operate is essential +to understanding the configuration of specific hosts. This chapter +covers institute services from a network wide perspective, and gets +right down in its subsections to the Ansible code that enforces its +policies. On first reading, those subsections should be skipped; they +reference particulars first introduced in the following chapter.
@@ -227,7 +227,7 @@ declared by the institute's SPF (Sender Policy Framework) DNS record to be the only legitimate sender of institute emails. Thus the Internet sees the institute's outgoing email coming from a server at an address matching the domain's SPF record. The institute does not -sign outgoing emails per DKIM (Domain Keys Identified Mail), yet. +sign outgoing emails per DKIM (Domain Keys Identified Mail) yet.+@@ -398,8 +398,8 @@ PHP) stack. Core provides a campus HTTP service with several virtual hosts. These web sites can only be accessed via the campus Ethernet or an institute VPN. In either situation Core's many private domain names -become available, e.g.@@ -632,49 +632,51 @@ account is created on Front as well.www.small.private. In many cases these -domain names can be shortened e.g. towww. Thus the campus home +become available, e.g.www.small.private
. In many cases these +domain names can be shortened e.g. towww
. Thus the campus home page is accessible in a dozen keystrokes:http://www/
(plus Enter). @@ -607,9 +607,9 @@ initial, privileged user account the same name is given (e.g. as described in The Core Machine). Installation may not prompt and still create an initial user account with a distribution specific name (e.g.pi
). Any name can be used as long as it is provided as the -value ofansible_user
inhosts. Its password is specified by a -vault-encrypted variable in theSecret/become.ymlfile. (The -hostsandSecret/become.ymlfiles are described in The Ansible +value ofansible_user
inhosts. Its password is specified by a +vault-encrypted variable in theSecret/become.ymlfile. (The +hostsandSecret/become.ymlfiles are described in The Ansible Configuration.)The institute keeps its "master secrets" in an encrypted volume on an off-line hard drive, e.g. a LUKS (Linux Unified Key -Setup) format partition on a USB pen/stick. The
Secret/+Setup) format partition on a USB pen/stick. TheSecret/sub-directory is actually a symbolic link to this partition's automatic mount point, e.g./media/sysadm/ADE7-F866/. Unless this -volume is mounted (unlocked) atSecret/, none of the./inst
+volume is mounted (unlocked) atSecret/, none of the./inst
commands will work.-Chief among the institute's master secrets is the SSH key to the -privileged accounts on all of the institute servers. It is stored -in
Secret/ssh_admin/id_rsa. The institute uses several more SSH -keys listed here: +Chief among the institute's master secrets is the SSH key authorized +to access privileged accounts on all of the institute servers. It +is stored inSecret/ssh_admin/id_rsa. The complete list of the +institute's SSH keys:-
Secret/ssh_admin/- The SSH key pair for A Small Institute +
Secret/ssh_admin/- The SSH key pair for A Small Institute Administrator.
- Secret/ssh_monkey/- The key pair used by Monkey to update the +
Secret/ssh_monkey/- The key pair used by Monkey to update the website on Front (and other unprivileged tasks).
- Secret/ssh_front/- The host key pair used by Front to -authenticate itself.
+ Secret/ssh_front/- The host key pair used by Front to +authenticate itself. The automatically generated key pair is +not used. (Thus Core's configuration does not depend on +Front's.)
The institute uses a number of X.509 certificates to authenticate VPN clients and servers. They are created by the EasyRSA Certificate -Authority stored in
Secret/CA/. +Authority stored inSecret/CA/.-
@@ -694,17 +696,17 @@ Finally, the institute uses an OpenPGP key to secure sensitive emails Secret/CA/pki/ca.crt- The institute CA (certificate -authority).
+ Secret/CA/pki/ca.crt- The institute CA certificate, used to +sign the other certificates.
- Secret/CA/pki/issued/small.example.org.crt- The public Apache, +
Secret/CA/pki/issued/small.example.org.crt- The public Apache, Postfix, and OpenVPN servers on Front.
- Secret/CA/pki/issued/gate.small.private.crt- The campus +
Secret/CA/pki/issued/gate.small.private.crt- The campus OpenVPN server on Gate.
- Secret/CA/pki/issued/core.small.private.crt- The campus +
Secret/CA/pki/issued/core.small.private.crt- The campus Apache (thus Nextcloud), and Dovecot-IMAPd servers.
- Secret/CA/pki/issued/core.crt- Core's client certificate by +
Secret/CA/pki/issued/core.crt- Core's client certificate, by which it authenticates to Front.
-
Secret/root.gnupg/- The "home directory" used to create the +
Secret/root.gnupg/- The "home directory" used to create the public/secret key pair.
- Secret/root-pub.pem- The ASCII armored OpenPGP public key for +
Secret/root-pub.pem- The ASCII armored OpenPGP public key for e.g.
-root@core.small.private
. Secret/root-sec.pem- The ASCII armored OpenPGP secret key.
+ Secret/root-sec.pem- The ASCII armored OpenPGP secret key.
-When The CA Command sees an empty
@@ -766,7 +768,7 @@ files mentioned in the Nextcloud database dump).Secret/CA/directory, as +When The CA Command sees an emptySecret/CA/directory, as though just created by running the EasyRSAmake-cadir
command in -Secret/(a new, encrypted volume), the./inst CA
command creates +Secret/(a new, encrypted volume), the./inst CA
command creates all of the certificates and keys mentioned above. It may prompt for the institute's full name.-@@ -1012,17 +1014,24 @@ example result follows the code.private/backup#!/bin/bash -e +private/backup#!/bin/bash -e # # DO NOT EDIT. Maintained (will be replaced) by Ansible. # @@ -877,7 +879,7 @@ This chapter introduces Ansible variables intended to simplify changes, like customization for another institute's particulars. The variables are separated into public information (e.g. an institute's name) or private information (e.g. a network interface address), and -stored in separate files:public/vars.ymlandprivate/vars.yml. +stored in separate files:public/vars.ymlandprivate/vars.yml.@@ -898,7 +900,7 @@ replace
{{ domain_name }}
in the code withsmall.example.org<
-public/vars.yml--- +public/vars.yml--- domain_name: small.example.org domain_priv: small.private@@ -906,8 +908,8 @@ domain_priv: small.privateThe private version of the institute's domain name should end with one -of the top-level domains expected for this purpose:
.intranet, -.internal,.private,.corp,.homeor.lan.1 +of the top-level domains expected for this purpose:.intranet
, +.internal
,.private
,.corp
,.home
or.lan
.1+++=> 10.62.17.0/24 +
+ +The four private networks are named and given example CIDRs in the code block below. The small institute treats these addresses as sensitive information so the code block below "tangles" into -
private/vars.ymlrather thanpublic/vars.yml. Two of the +private/vars.ymlrather thanpublic/vars.yml. Two of the addresses are in192.168
subnets because they are part of a test configuration using mostly-default VirtualBoxes (described here).-private/vars.yml--- +private/vars.yml--- private_net_cidr: 192.168.56.0/24 public_vpn_net_cidr: 10.177.86.0/24 campus_vpn_net_cidr: 10.84.138.0/24 @@ -1039,7 +1048,7 @@ e.g._net_and_mask
rather than_net_cidr
.-private/vars.ymlprivate_net: "{{ private_net_cidr | ipaddr('network') }}" +private/vars.ymlprivate_net: "{{ private_net_cidr | ipaddr('network') }}" private_net_mask: "{{ private_net_cidr | ipaddr('netmask') }}" private_net_and_mask: "{{ private_net }} {{ private_net_mask }}" public_vpn_net: "{{ public_vpn_net_cidr | ipaddr('network') }}" @@ -1066,7 +1075,7 @@ the institute's Internet domain name.-@@ -1090,7 +1099,7 @@ The following code block picks the obvious IP addresses for Corepublic/vars.ymlfront_addr: 192.168.15.5 +public/vars.ymlfront_addr: 192.168.15.5--private/vars.ymlcore_addr_cidr: "{{ private_net_cidr | ipaddr('1') }}" +private/vars.ymlcore_addr_cidr: "{{ private_net_cidr | ipaddr('1') }}" gate_addr_cidr: "{{ private_net_cidr | ipaddr('2') }}" gate_wifi_addr_cidr: "{{ gate_wifi_net_cidr | ipaddr('1') }}" wifi_wan_addr_cidr: "{{ gate_wifi_net_cidr | ipaddr('2') }}" @@ -1180,8 +1189,8 @@ notebook$The password was generated by
@@ -1197,7 +1206,7 @@ notebook_ >>Secret/become.ymlgpw
, saved in the administrator's -password keep, and later added toSecret/become.ymlas shown below. -(Producing a working Ansible configuration withSecret/become.yml+password keep, and later added toSecret/become.ymlas shown below. +(Producing a working Ansible configuration withSecret/become.ymlfile is described in The Ansible Configuration.)After creating the
@@ -1299,8 +1308,8 @@ Is the information correct? [Y/n]sysadm
account on the droplet, the administrator concatenated a personal public ssh key and the key found in -Secret/ssh_admin/(created by The CA Command) into anadmin_keys+Secret/ssh_admin/(created by The CA Command) into anadmin_keysfile, copied it to the droplet, and installed it as theauthorized_keysforsysadm
.The password was generated by
@@ -1340,7 +1349,7 @@ _ libapache2-mod-phpgpw
, saved in the administrator's -password keep, and later added toSecret/become.ymlas shown below. -(Producing a working Ansible configuration withSecret/become.yml+password keep, and later added toSecret/become.ymlas shown below. +(Producing a working Ansible configuration withSecret/become.ymlfile is described in The Ansible Configuration.)Next, the administrator concatenated a personal public ssh key and the -key found in
@@ -1420,7 +1429,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a campground Wi-Fi access point, etc. -Secret/ssh_admin/(created by The CA Command) into an +key found inSecret/ssh_admin/(created by The CA Command) into anadmin_keysfile, copied it to Core, and installed it as theauthorized_keysforsysadm
.+=============== | ================================================== | Premises (Campus ISP) @@ -1443,7 +1452,7 @@ This avoids the need for a second Wi-Fi access point and leads to the following topology. -+=============== | ================================================== | Premises (House ISP) @@ -1495,8 +1504,8 @@ Is the information correct? [Y/n]The password was generated by
@@ -1522,7 +1531,7 @@ $ sudo apt install openssh-server isc-dhcp-server netplan.iogpw
, saved in the administrator's -password keep, and later added toSecret/become.ymlas shown below. -(Producing a working Ansible configuration withSecret/become.yml+password keep, and later added toSecret/become.ymlas shown below. +(Producing a working Ansible configuration withSecret/become.ymlfile is described in The Ansible Configuration.)Next, the administrator concatenated a personal public ssh key and the -key found in
@@ -1615,8 +1624,8 @@ uses the institute's CA and server certificates, and expects client certificates signed by the institute CA.Secret/ssh_admin/(created by The CA Command) into an +key found inSecret/ssh_admin/(created by The CA Command) into anadmin_keysfile, copied it to Gate, and installed it as theauthorized_keysforsysadm
.-6.1. Include Particulars
++-6.1. Include Particulars
The
front
role's tasks contain references to several common @@ -1628,11 +1637,11 @@ Particulars and Account Management).The code block below is the first to tangle into -
roles/front/tasks/main.yml. +roles/front/tasks/main.yml.-roles/front/tasks/main.yml--- +roles/front/tasks/main.yml--- - name: Include public variables. include_vars: ../public/vars.yml tags: accounts @@ -1648,8 +1657,8 @@ The code block below is the first to tangle into-6.2. Configure Hostname
++6.2. Configure Hostname
This task ensures that Front's
/etc/hostnameand/etc/mailnameare @@ -1658,7 +1667,7 @@ delivery.-roles_t/front/tasks/main.yml- name: Configure hostname. +roles_t/front/tasks/main.yml- name: Configure hostname. become: yes copy: content: "{{ domain_name }}\n" @@ -1671,7 +1680,7 @@ delivery.
--roles_t/front/handlers/main.yml--- +roles_t/front/handlers/main.yml--- - name: Update hostname. become: yes command: hostname -F /etc/hostname @@ -1701,7 +1710,7 @@ separate code block namedenable-resolved
.-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Install systemd-resolved. become: yes apt: pkg=systemd-resolved @@ -1773,8 +1782,8 @@ separate code block namedenable-resolved
.-6.4. Add Administrator to System Groups
++6.4. Add Administrator to System Groups
-The administrator often needs to read (directories of) log files owned @@ -1783,7 +1792,7 @@ these groups speeds up debugging.
-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Add {{ ansible_user }} to system groups. become: yes user: @@ -1800,11 +1809,11 @@ these groups speeds up debugging.The SSH service on Front needs to be known to Monkey. The following tasks ensure this by replacing the automatically generated keys with -those stored in
Secret/ssh_front/etc/ssh/and restarting the server. +those stored inSecret/ssh_front/etc/ssh/and restarting the server.-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Install SSH host keys. become: yes copy: @@ -1823,7 +1832,7 @@ those stored inSecret/ssh_front/etc/ssh/and restarting the server.-roles_t/front/handlers/main.yml+roles_t/front/handlers/main.yml- name: Reload SSH server. become: yes systemd: @@ -1833,8 +1842,8 @@ those stored inSecret/ssh_front/etc/ssh/and restarting the server.-6.6. Configure Monkey
++6.6. Configure Monkey
-The small institute runs cron jobs and web scripts that generate @@ -1848,7 +1857,7 @@ key on Core.
-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Create monkey. become: yes user: @@ -1882,7 +1891,7 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Install rsync. become: yes apt: pkg=rsync @@ -1890,15 +1899,15 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.
-6.8. Install Unattended Upgrades
++-6.8. Install Unattended Upgrades
The institute prefers to install security updates as soon as possible.
-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Install basic software. become: yes apt: pkg=unattended-upgrades @@ -1906,8 +1915,8 @@ The institute prefers to install security updates as soon as possible.
-6.9. Configure User Accounts
++-6.9. Configure User Accounts
User accounts are created immediately so that Postfix and Dovecot can @@ -1917,7 +1926,7 @@ recipient" replies. The Account Management chapter de
-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Create user accounts. become: yes user: @@ -1950,8 +1959,8 @@ recipient" replies. The Account Management chapter de-6.10. Trust Institute Certificate Authority
++-6.10. Trust Institute Certificate Authority
Front should recognize the institute's Certificate Authority as @@ -1961,7 +1970,7 @@ X.509 certificates is available in Keys.
-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Trust the institute CA. become: yes copy: @@ -1975,7 +1984,7 @@ X.509 certificates is available in Keys.-roles_t/front/handlers/main.yml+roles_t/front/handlers/main.yml- name: Update CAs. become: yes command: update-ca-certificates @@ -1983,8 +1992,8 @@ X.509 certificates is available in Keys.-6.11. Install Server Certificate
++6.11. Install Server Certificate
The servers on Front use the same certificate (and key) to @@ -1994,7 +2003,7 @@ readable by
root
.--roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Install server certificate/key. become: yes copy: @@ -2133,7 +2142,7 @@ start and enable the service.-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Install Postfix. become: yes apt: pkg=postfix @@ -2189,7 +2198,7 @@ start and enable the service.
-roles_t/front/handlers/main.yml+roles_t/front/handlers/main.yml- name: Restart Postfix. become: yes systemd: @@ -2224,7 +2233,7 @@ created by a more specialized role.-roles_t/front/tasks/main.yml- name: Install institute email aliases. +roles_t/front/tasks/main.yml- name: Install institute email aliases. become: yes blockinfile: block: | @@ -2240,7 +2249,7 @@ created by a more specialized role.-roles_t/front/handlers/main.yml+roles_t/front/handlers/main.yml- name: New aliases. become: yes command: newaliases @@ -2248,8 +2257,8 @@ created by a more specialized role.-6.14. Configure Dovecot IMAPd
++6.14. Configure Dovecot IMAPd
Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to @@ -2277,7 +2286,7 @@ and enables it to start at every reboot.
-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Install Dovecot IMAPd. become: yes apt: pkg=dovecot-imapd @@ -2309,7 +2318,7 @@ and enables it to start at every reboot.
-roles_t/front/handlers/main.yml+roles_t/front/handlers/main.yml- name: Restart Dovecot. become: yes systemd: @@ -2530,7 +2539,7 @@ e.g./etc/apache2/sites-available/small.example.org.confand runs-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Install Apache2. become: yes apt: pkg=apache2 @@ -2634,7 +2643,7 @@ e.g./etc/apache2/sites-available/small.example.org.confand runs-roles_t/front/handlers/main.yml+roles_t/front/handlers/main.yml- name: Restart Apache2. become: yes systemd: @@ -2649,7 +2658,7 @@ that it does not interfere with its replacement.--roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Disable default vhosts. become: yes file: @@ -2667,7 +2676,7 @@ same records asaccess.log.-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Disable other-vhosts-access-log option. become: yes file: @@ -2683,7 +2692,7 @@ the users'~/Public/HTML/directories.-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Create UserDir. become: yes file: @@ -2713,8 +2722,8 @@ the users'~/Public/HTML/directories.-6.16. Configure OpenVPN
++6.16. Configure OpenVPN
Front uses OpenVPN to provide the institute's public VPN service. The @@ -2795,7 +2804,7 @@ configure the OpenVPN server on Front.
-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Install OpenVPN. become: yes apt: pkg=openvpn @@ -2901,7 +2910,7 @@ configure the OpenVPN server on Front.
-roles_t/front/handlers/main.yml+roles_t/front/handlers/main.yml- name: Restart OpenVPN. become: yes systemd: @@ -2950,7 +2959,7 @@ The first step is to install Kamailio.-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Install Kamailio. become: yes apt: pkg=kamailio @@ -2965,7 +2974,7 @@ be started before thetun
device has appeared.-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Create Kamailio/Systemd configuration drop. become: yes file: @@ -2985,7 +2994,7 @@ be started before thetun
device has appeared.-roles_t/front/handlers/main.yml+roles_t/front/handlers/main.yml- name: Reload Systemd. become: yes command: systemctl daemon-reload @@ -2997,7 +3006,7 @@ Finally, Kamailio can be configured and started.-roles_t/front/tasks/main.yml+roles_t/front/tasks/main.yml- name: Configure Kamailio. become: yes copy: @@ -3016,7 +3025,7 @@ Finally, Kamailio can be configured and started.--roles_t/front/handlers/main.yml+roles_t/front/handlers/main.yml- name: Restart Kamailio. become: yes systemd: @@ -3038,8 +3047,8 @@ Debian install and remote access to a privileged, administrator's account. (For details, see The Core Machine.)-7.1. Include Particulars
++-7.1. Include Particulars
The first task, as in The Front Role, is to include the institute @@ -3047,7 +3056,7 @@ particulars and membership roll.
-roles_t/core/tasks/main.yml--- +roles_t/core/tasks/main.yml--- - name: Include public variables. include_vars: ../public/vars.yml tags: accounts @@ -3061,8 +3070,8 @@ particulars and membership roll.-7.2. Configure Hostname
++-7.2. Configure Hostname
This task ensures that Core's
/etc/hostnameand/etc/mailnameare @@ -3073,7 +3082,7 @@ proper email delivery.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Configure hostname. become: yes copy: @@ -3087,7 +3096,7 @@ proper email delivery.-roles_t/core/handlers/main.yml--- +roles_t/core/handlers/main.yml--- - name: Update hostname. become: yes command: hostname -F /etc/hostname @@ -3095,8 +3104,8 @@ proper email delivery.-7.3. Enable Systemd Resolved
++-7.3. Enable Systemd Resolved
Core starts the
systemd-networkd
andsystemd-resolved
service @@ -3104,7 +3113,7 @@ units on boot. See Enable Systemd Resolved.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install systemd-resolved. become: yes apt: pkg=systemd-resolved @@ -3140,8 +3149,8 @@ units on boot. See Enable Systemd Resolved.-7.4. Configure Systemd Resolved
++7.4. Configure Systemd Resolved
Core runs the campus name server, so Resolved is configured to use it @@ -3150,7 +3159,7 @@ list, and to disable its cache and stub listener.
-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Configure resolved. become: yes lineinfile: @@ -3170,7 +3179,7 @@ list, and to disable its cache and stub listener.-roles_t/core/handlers/main.yml+roles_t/core/handlers/main.yml- name: Reload Systemd. become: yes command: systemctl daemon-reload @@ -3198,7 +3207,7 @@ VPN.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install netplan. become: yes apt: pkg=netplan.io @@ -3224,7 +3233,7 @@ VPN.
-roles_t/core/handlers/main.yml+roles_t/core/handlers/main.yml- name: Apply netplan. become: yes command: netplan apply @@ -3244,16 +3253,16 @@ Service.-The example configuration file,
private/core-dhcpd.conf, uses +The example configuration file,private/core-dhcpd.conf, uses RFC3442's extension to encode a second (non-default) static route. The default route is through the campus ISP at Gate. A second route directs campus traffic to the Front VPN through Core. This is just an example file. The administrator adds and removes actual machines from -the actualprivate/core-dhcpd.conffile. +the actualprivate/core-dhcpd.conffile.--private/core-dhcpd.confoption domain-name "small.private"; +private/core-dhcpd.confoption domain-name "small.private"; option domain-name-servers 192.168.56.1; default-lease-time 3600; @@ -3286,11 +3295,11 @@ log-facility daemon;The following tasks install the ISC's DHCP server and configure it -with the real
private/core-dhcpd.conf(not the example above). +with the realprivate/core-dhcpd.conf(not the example above).-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install DHCP server. become: yes apt: pkg=isc-dhcp-server @@ -3320,7 +3329,7 @@ with the realprivate/core-dhcpd.conf(not the example above).-roles_t/core/handlers/main.yml+roles_t/core/handlers/main.yml- name: Restart DHCP server. become: yes systemd: @@ -3345,7 +3354,7 @@ The following tasks install and configure BIND9 on Core.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install BIND9. become: yes apt: pkg=bind9 @@ -3440,7 +3449,7 @@ The following tasks install and configure BIND9 on Core.
-roles_t/core/handlers/main.yml+roles_t/core/handlers/main.yml- name: Reload BIND9. become: yes systemd: @@ -3524,7 +3533,7 @@ craps up/var/log/and the Systemd journal.-private/db.domain; +private/db.domain; ; BIND data file for a small institute's PRIVATE domain names. ; $TTL 604800 @@ -3552,7 +3561,7 @@ craps up/var/log/and the Systemd journal.-private/db.private; +private/db.private; ; BIND reverse data file for a small institute's private Ethernet. ; $TTL 604800 @@ -3571,7 +3580,7 @@ craps up/var/log/and the Systemd journal.-private/db.public_vpn; +private/db.public_vpn; ; BIND reverse data file for a small institute's public VPN. ; $TTL 604800 @@ -3590,7 +3599,7 @@ craps up/var/log/and the Systemd journal.-private/db.campus_vpn; +private/db.campus_vpn; ; BIND reverse data file for a small institute's campus VPN. ; $TTL 604800 @@ -3608,8 +3617,8 @@ craps up/var/log/and the Systemd journal.-7.8. Add Administrator to System Groups
++-7.8. Add Administrator to System Groups
The administrator often needs to read (directories of) log files owned @@ -3618,7 +3627,7 @@ these groups speeds up debugging.
-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Add {{ ansible_user }} to system groups. become: yes user: @@ -3629,8 +3638,8 @@ these groups speeds up debugging.-7.9. Configure Monkey
++7.9. Configure Monkey
The small institute runs cron jobs and web scripts that generate @@ -3641,7 +3650,7 @@ described in *Configure Apache2).
--roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Create monkey. become: yes user: @@ -3705,7 +3714,7 @@ The institute prefers to install security updates as soon as possible.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install basic software. become: yes apt: pkg=unattended-upgrades @@ -3722,7 +3731,7 @@ with Nextcloud on the command line.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install expect. become: yes apt: pkg=expect @@ -3730,8 +3739,8 @@ with Nextcloud on the command line.
-7.12. Configure User Accounts
++-7.12. Configure User Accounts
User accounts are created immediately so that backups can begin @@ -3740,7 +3749,7 @@ describes the
members
andusernames
variables.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Create user accounts. become: yes user: @@ -3773,8 +3782,8 @@ describes themembers
andusernames
variables.-7.13. Trust Institute Certificate Authority
++-7.13. Trust Institute Certificate Authority
Core should recognize the institute's Certificate Authority as @@ -3784,7 +3793,7 @@ X.509 certificates is available in Keys.
-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Trust the institute CA. become: yes copy: @@ -3798,7 +3807,7 @@ X.509 certificates is available in Keys.-roles_t/core/handlers/main.yml+roles_t/core/handlers/main.yml- name: Update CAs. become: yes command: update-ca-certificates @@ -3806,8 +3815,8 @@ X.509 certificates is available in Keys.-7.14. Install Server Certificate
++7.14. Install Server Certificate
The servers on Core use the same certificate (and key) to authenticate @@ -3816,7 +3825,7 @@ themselves to institute clients. They share the
/etc/server.crtand-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install server certificate/key. become: yes copy: @@ -3845,7 +3854,7 @@ The default daemon's default configuration is fine.--roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install NTP. become: yes apt: pkg=ntp @@ -3952,7 +3961,7 @@ enable the service. Whenever/etc/postfix/transportis changed, the-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install Postfix. become: yes apt: pkg=postfix @@ -4005,7 +4014,7 @@ enable the service. Whenever/etc/postfix/transportis changed, the-roles_t/core/handlers/main.yml+roles_t/core/handlers/main.yml- name: Restart Postfix. become: yes systemd: @@ -4035,7 +4044,7 @@ installed by more specialized roles.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install institute email aliases. become: yes blockinfile: @@ -4052,7 +4061,7 @@ installed by more specialized roles.-roles_t/core/handlers/main.yml+roles_t/core/handlers/main.yml- name: New aliases. become: yes command: newaliases @@ -4060,8 +4069,8 @@ installed by more specialized roles.-7.18. Configure Dovecot IMAPd
++7.18. Configure Dovecot IMAPd
Core uses Dovecot's IMAPd to store and serve member emails. As on @@ -4089,7 +4098,7 @@ and enables it to start at every reboot.
-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install Dovecot IMAPd. become: yes apt: pkg=dovecot-imapd @@ -4116,7 +4125,7 @@ and enables it to start at every reboot.
-roles_t/core/handlers/main.yml+roles_t/core/handlers/main.yml- name: Restart Dovecot. become: yes systemd: @@ -4191,7 +4200,7 @@ provided the Core service.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install fetchmail. become: yes apt: pkg=fetchmail @@ -4267,7 +4276,7 @@ stopped and disabled from restarting at boot, deleted even.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Stop former user fetchmail services. become: yes systemd: @@ -4493,7 +4502,7 @@ interfere with mapping URLs to the correct virtual host.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install Apache2. become: yes apt: pkg=apache2 @@ -4523,7 +4532,7 @@ Thea2ensite
command enables them.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install live web site. become: yes copy: @@ -4634,7 +4643,7 @@ Thea2ensite
command enables them.-roles_t/core/handlers/main.yml+roles_t/core/handlers/main.yml- name: Restart Apache2. become: yes systemd: @@ -4654,7 +4663,7 @@ Monkey on Core runs/usr/local/sbin/webupdateevery 15 minutes via a-private/webupdate#!/bin/bash -e +private/webupdate#!/bin/bash -e # # DO NOT EDIT. This file was tangled from institute.org. @@ -4668,13 +4677,13 @@ rsync -avz --delete --chmod=g-w \-The following tasks install the
webupdatescript fromprivate/, +The following tasks install thewebupdatescript fromprivate/, and create Monkey'scron
job. An examplewebupdatescript is provided here.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: "Install Monkey's webupdate script." become: yes copy: @@ -4740,7 +4749,7 @@ for Core.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install OpenVPN. become: yes apt: pkg=openvpn @@ -4807,7 +4816,7 @@ for Core.
-roles_t/core/handlers/main.yml+roles_t/core/handlers/main.yml- name: Restart OpenVPN. become: yes systemd: @@ -4838,7 +4847,7 @@ Core and Campus (and thus Gate) machines.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install NAGIOS4. become: yes apt: @@ -4890,7 +4899,7 @@ Core and Campus (and thus Gate) machines.-roles_t/core/handlers/main.yml+roles_t/core/handlers/main.yml- name: Reload NAGIOS4. become: yes systemd: @@ -4910,7 +4919,7 @@ used here may specify plugin arguments.-roles_t/core/templates/nagios.cfgdefine host { +roles_t/core/templates/nagios.cfgdefine host { use linux-server host_name core address 127.0.0.1 @@ -4986,7 +4995,7 @@ small institute substitutes a slightly modified version,-roles_t/core/files/inst_sensors#!/bin/sh +roles_t/core/files/inst_sensors#!/bin/sh PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" export PATH @@ -5071,7 +5080,7 @@ Core.-roles_t/core/templates/nagios.cfg+roles_t/core/templates/nagios.cfgdefine command { command_name inst_sensors command_line /usr/local/sbin/inst_sensors @@ -5118,19 +5127,12 @@ pings.-@@ -5140,7 +5142,7 @@ space on the root partition.roles_t/core/templates/nagios.cfg+roles_t/core/templates/nagios.cfgdefine host { use linux-server host_name gate address {{ gate_addr }} } - -define service { - use local-service - host_name gate - service_description PING - check_command check_ping!100.0,20%!500.0,60% -}-@@ -5149,7 +5151,7 @@ Monitorroles_t/campus/files/nrpe.cfgcommand[inst_root]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p / +roles_t/campus/files/nrpe.cfgcommand[inst_root]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /inst_root
on Gate.-roles_t/core/templates/nagios.cfg+roles_t/core/templates/nagios.cfgdefine service { use generic-service host_name gate @@ -5164,7 +5166,7 @@ Monitorcheck_load
on Gate.-roles_t/core/templates/nagios.cfg+roles_t/core/templates/nagios.cfgdefine service { use generic-service host_name gate @@ -5179,7 +5181,7 @@ Monitorcheck_zombie_procs
andcheck_total_procs
on Ga-roles_t/core/templates/nagios.cfg+roles_t/core/templates/nagios.cfgdefine service { use generic-service host_name gate @@ -5202,7 +5204,7 @@ usage.-@@ -5211,7 +5213,7 @@ Monitorroles_t/campus/files/nrpe.cfgcommand[inst_swap]=/usr/lib/nagios/plugins/check_swap -w 20% -c 10% +roles_t/campus/files/nrpe.cfgcommand[inst_swap]=/usr/lib/nagios/plugins/check_swap -w 20% -c 10%inst_swap
on Gate.--roles_t/core/templates/nagios.cfg+roles_t/core/templates/nagios.cfgdefine service { use generic-service host_name gate @@ -5221,28 +5223,13 @@ Monitorinst_swap
on Gate.-Monitor Gate's SSH service. -
- ---roles_t/core/templates/nagios.cfg-define service { - use generic-service - host_name gate - service_description SSH - check_command check_ssh -} -
-For all campus NRPE servers: an
inst_sensors
command to report core CPU temperatures.-@@ -5251,7 +5238,7 @@ Monitorroles_t/campus/files/nrpe.cfgcommand[inst_sensors]=/usr/local/sbin/inst_sensors +roles_t/campus/files/nrpe.cfgcommand[inst_sensors]=/usr/local/sbin/inst_sensorsinst_sensors
on Gate.-roles_t/core/templates/nagios.cfg+roles_t/core/templates/nagios.cfgdefine service { use generic-service host_name gate @@ -5267,12 +5254,12 @@ Monitorinst_sensors
on Gate.7.24. Configure Backups
-The following task installs the
backupscript fromprivate/. An +The following task installs thebackupscript fromprivate/. An example script is provided in here.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install backup script. become: yes copy: @@ -5305,7 +5292,7 @@ installing a cron job.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install packages required by Nextcloud. become: yes apt: @@ -5321,7 +5308,7 @@ Next, a number of Apache2 modules are enabled.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Enable Apache2 modules for Nextcloud. become: yes apache2_module: @@ -5339,7 +5326,7 @@ Administration Guide (sub-section -roles_t/core/files/nextcloud.confAlias /nextcloud "/var/www/nextcloud/" +roles_t/core/files/nextcloud.confAlias /nextcloud "/var/www/nextcloud/" <Directory /var/www/nextcloud/> Require all granted @@ -5354,7 +5341,7 @@ Administration Guide (sub-section -roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install Nextcloud web configuration. become: yes copy: @@ -5379,7 +5366,7 @@ virtual host's document root.-roles_t/core/files/nextcloud.conf+roles_t/core/files/nextcloud.conf<Directory /var/www/html/> <IfModule mod_rewrite.c> RewriteEngine on @@ -5405,7 +5392,7 @@ page. The following portion ofnextcloud.confsets a-roles_t/core/files/nextcloud.conf+roles_t/core/files/nextcloud.conf<IfModule mod_headers.c> Header always set \ Strict-Transport-Security "max-age=15552000; includeSubDomains" @@ -5421,7 +5408,7 @@ cloud FUBARs.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Add {{ ansible_user }} to web server group. become: yes user: @@ -5437,7 +5424,7 @@ jobs.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Create Nextcloud cron job. become: yes cron: @@ -5453,12 +5440,12 @@ jobs.Nextcloud's MariaDB database (and user) are created by the following tasks. The user's password is taken from the
nextcloud_dbpass
-variable, kept inprivate/vars.yml, and generated e.g. with +variable, kept inprivate/vars.yml, and generated e.g. with theapg -n 1 -x 12 -m 12
command.-@@ -5515,7 +5502,7 @@ its document root.private/vars.ymlnextcloud_dbpass: ippAgmaygyob +private/vars.ymlnextcloud_dbpass: ippAgmaygyob-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Link /var/www/nextcloud. become: yes file: @@ -5537,7 +5524,7 @@ performance, as recommended by Nextcloud.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Set PHP memory_limit for Nextcloud. become: yes lineinfile: @@ -5769,7 +5756,7 @@ afterwards tasks causes them to skip rather than fail.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Test for /Nextcloud/nextcloud/. stat: path: /Nextcloud/nextcloud @@ -5800,7 +5787,7 @@ Pretty URLs (below).-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Configure Nextcloud trusted domains. become: yes replace: @@ -5832,7 +5819,7 @@ enables it.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Configure Nextcloud memcache. become: yes lineinfile: @@ -5854,7 +5841,7 @@ andhtaccess.RewriteBase
.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Configure Nextcloud for Pretty URLs. become: yes lineinfile: @@ -5880,12 +5867,12 @@ a complaint on the Settings > Administration > Overview web page.-private/vars.ymlnextcloud_region: US +private/vars.ymlnextcloud_region: US-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Configure Nextcloud phone region. become: yes lineinfile: @@ -5908,7 +5895,7 @@ run before the next backup.--roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Create /Nextcloud/dbbackup.cnf. no_log: yes become: yes @@ -5967,15 +5954,15 @@ applied first, by which Gate gets a campus machine's DNS and Postfix configurations, etc.-8.1. Include Particulars
++8.1. Include Particulars
The following should be familiar boilerplate by now.
-roles_t/gate/tasks/main.yml--- +roles_t/gate/tasks/main.yml--- - name: Include public variables. include_vars: ../public/vars.yml tags: accounts @@ -6001,12 +5988,12 @@ be revised more frequently as the campus ISP changes.Netplan is configured to identify the interfaces by their MAC -addresses, which must be provided in
private/vars.yml, as in the +addresses, which must be provided inprivate/vars.yml, as in the example code here.-private/vars.ymlgate_lan_mac: ff:ff:ff:ff:ff:ff +private/vars.ymlgate_lan_mac: ff:ff:ff:ff:ff:ff gate_wifi_mac: ff:ff:ff:ff:ff:ff gate_isp_mac: ff:ff:ff:ff:ff:ff@@ -6018,7 +6005,7 @@ new network plan.-roles_t/gate/tasks/main.yml+roles_t/gate/tasks/main.yml- name: Install netplan (gate). become: yes apt: pkg=netplan.io @@ -6072,7 +6059,7 @@ new network plan.
--roles_t/gate/handlers/main.yml--- +roles_t/gate/handlers/main.yml--- - name: Apply netplan. become: yes command: netplan apply @@ -6192,7 +6179,7 @@ sudo ufw enable-roles_t/gate/tasks/main.yml+roles_t/gate/tasks/main.yml- name: Install UFW. become: apt: pkg=ufw @@ -6259,7 +6246,7 @@ AP's MAC address.-@@ -6287,7 +6274,7 @@ the daemon listens only on the Gate-WiFi network interface.private/vars.ymlwifi_wan_mac: 94:83:c4:19:7d:57 +private/vars.ymlwifi_wan_mac: 94:83:c4:19:7d:57 wifi_wan_name: campus-wifi-ap-roles_t/gate/tasks/main.yml+roles_t/gate/tasks/main.yml- name: Install DHCP server. become: yes apt: pkg=isc-dhcp-server @@ -6332,7 +6319,7 @@ the daemon listens only on the Gate-WiFi network interface.
-roles_t/gate/handlers/main.yml+roles_t/gate/handlers/main.yml- name: Restart DHCP server. become: yes systemd: @@ -6342,8 +6329,8 @@ the daemon listens only on the Gate-WiFi network interface.-8.6. Install Server Certificate
++-8.6. Install Server Certificate
The (OpenVPN) server on Gate uses an institute certificate (and key) @@ -6353,7 +6340,7 @@ and Front) do.
-roles_t/gate/tasks/main.yml+roles_t/gate/tasks/main.yml- name: Install server certificate/key. become: yes copy: @@ -6370,8 +6357,8 @@ and Front) do.-8.7. Configure OpenVPN
++8.7. Configure OpenVPN
Gate uses OpenVPN to provide the institute's campus VPN service. Its @@ -6429,7 +6416,7 @@ configure the OpenVPN server on Gate.
-roles_t/gate/tasks/main.yml+roles_t/gate/tasks/main.yml- name: Install OpenVPN. become: yes apt: pkg=openvpn @@ -6505,7 +6492,7 @@ configure the OpenVPN server on Gate.
--roles_t/gate/handlers/main.yml+roles_t/gate/handlers/main.yml- name: Restart OpenVPN. become: yes systemd: @@ -6534,15 +6521,15 @@ Wireless campus devices can get a key to the campus VPN from the configured manually.-9.1. Include Particulars
++-9.1. Include Particulars
The following should be familiar boilerplate by now.
-roles_t/campus/tasks/main.yml--- +roles_t/campus/tasks/main.yml--- - name: Include public variables. include_vars: ../public/vars.yml - name: Include private variables. @@ -6551,15 +6538,15 @@ The following should be familiar boilerplate by now.-9.2. Configure Hostname
++-9.2. Configure Hostname
Clients should be using the expected host name.
-roles_t/campus/tasks/main.yml+roles_t/campus/tasks/main.yml- name: Configure hostname. become: yes copy: @@ -6577,7 +6564,7 @@ Clients should be using the expected host name.-roles_t/campus/handlers/main.yml--- +roles_t/campus/handlers/main.yml--- - name: Update hostname. become: yes command: hostname -F /etc/hostname @@ -6585,8 +6572,8 @@ Clients should be using the expected host name.-9.3. Enable Systemd Resolved
++-9.3. Enable Systemd Resolved
Campus machines start the
systemd-networkd
andsystemd-resolved
@@ -6594,7 +6581,7 @@ service units on boot. See Enable Systemd Resolved.-roles_t/campus/tasks/main.yml+roles_t/campus/tasks/main.yml- name: Install systemd-resolved. become: yes apt: pkg=systemd-resolved @@ -6630,8 +6617,8 @@ service units on boot. See Enable Systemd Resolved.-9.4. Configure Systemd Resolved
++9.4. Configure Systemd Resolved
-Campus machines use the campus name server on Core (or
dns.google
), @@ -6639,7 +6626,7 @@ and include the institute's private domain in their search lists.-roles_t/campus/tasks/main.yml+roles_t/campus/tasks/main.yml- name: Configure resolved. become: yes lineinfile: @@ -6657,7 +6644,7 @@ and include the institute's private domain in their search lists.-roles_t/campus/handlers/main.yml+roles_t/campus/handlers/main.yml- name: Reload Systemd. become: yes command: systemctl daemon-reload @@ -6681,7 +6668,7 @@ and file timestamps.-roles_t/campus/tasks/main.yml+roles_t/campus/tasks/main.yml- name: Configure timesyncd. become: yes lineinfile: @@ -6692,7 +6679,7 @@ and file timestamps.-roles_t/campus/handlers/main.yml+roles_t/campus/handlers/main.yml- name: Restart systemd-timesyncd. become: yes systemd: @@ -6702,8 +6689,8 @@ and file timestamps.-9.6. Add Administrator to System Groups
++-9.6. Add Administrator to System Groups
The administrator often needs to read (directories of) log files owned @@ -6712,7 +6699,7 @@ these groups speeds up debugging.
-roles_t/campus/tasks/main.yml+roles_t/campus/tasks/main.yml- name: Add {{ ansible_user }} to system groups. become: yes user: @@ -6723,8 +6710,8 @@ these groups speeds up debugging.-9.7. Trust Institute Certificate Authority
++-9.7. Trust Institute Certificate Authority
Campus hosts should recognize the institute's Certificate Authority as @@ -6734,7 +6721,7 @@ keys, certificates and passwords, see Keys.)
-roles_t/campus/tasks/main.yml+roles_t/campus/tasks/main.yml- name: Trust the institute CA. become: yes copy: @@ -6748,7 +6735,7 @@ keys, certificates and passwords, see Keys.)-roles_t/campus/handlers/main.yml+roles_t/campus/handlers/main.yml- name: Update CAs. become: yes command: update-ca-certificates @@ -6756,15 +6743,15 @@ keys, certificates and passwords, see Keys.)-9.8. Install Unattended Upgrades
++9.8. Install Unattended Upgrades
The institute prefers to install security updates as soon as possible.
-roles_t/campus/tasks/main.yml+roles_t/campus/tasks/main.yml- name: Install basic software. become: yes apt: pkg=unattended-upgrades @@ -6790,7 +6777,7 @@ tasks below.-roles_t/campus/tasks/main.yml+roles_t/campus/tasks/main.yml- name: Install Postfix. become: yes apt: pkg=postfix @@ -6827,7 +6814,7 @@ tasks below.
-roles_t/campus/handlers/main.yml+roles_t/campus/handlers/main.yml- name: Restart Postfix. become: yes systemd: @@ -6847,7 +6834,7 @@ custom of translating the host name into127.0.1.1
is also followed-roles_t/campus/tasks/main.yml+roles_t/campus/tasks/main.yml- name: Hard-wire important IP addresses. become: yes lineinfile: @@ -6877,7 +6864,7 @@ Role.-roles_t/campus/tasks/main.yml+roles_t/campus/tasks/main.yml- name: Install NRPE. become: yes apt: @@ -6915,7 +6902,7 @@ Role.-roles_t/campus/handlers/main.yml+roles_t/campus/handlers/main.yml- name: Reload NRPE server. become: yes systemd: @@ -6931,8 +6918,8 @@ Role.-The small institute uses Ansible to maintain the configuration of its -servers. The administrator keeps an Ansible inventory in
hosts, and -runs the playbooksite.ymlto apply the appropriate institutional +servers. The administrator keeps an Ansible inventory inhosts, and +runs playbooksite.ymlto apply the appropriate institutional role(s) to each host. Examples of these files are included here, and are used to test the roles. The example configuration applies the institutional roles to VirtualBox machines prepared according to @@ -6941,19 +6928,19 @@ chapter Testing.The actual Ansible configuration is kept in a Git "superproject" -containing replacements for the example
hostsinventory and -site.ymlplaybook, as well as thepublic/andprivate/+containing replacements for the examplehostsinventory and +site.ymlplaybook, as well as thepublic/andprivate/particulars. Thus changes to this document and its tangle are easily merged withgit pull --recurse-submodules
orgit submodule update
, while changes to the institute's particulars are committed to a separate revision history.-10.1.
+ansible.cfg+10.1.
ansible.cfg-The Ansible configuration file
@@ -6963,16 +6950,16 @@ of settings, some included just to create a test jig as described in "automatic interpreter discovery" (described here). It declares that Python 3 can be expected on all institute hosts.ansible.cfgcontains just a handful +The Ansible configuration fileansible.cfgcontains just a handful of settings, some included just to create a test jig as described in Testing.+ vault_password_file
is set to suppress prompts for the vault -password. The institute keeps its vault password inSecret/(as +password. The institute keeps its vault password inSecret/(as described in Keys) and thus sets this parameter to -Secret/vault-password.Secret/vault-password.inventory
is set to avoid specifying it on the command line.+ roles_path
is set to the recently tangled roles files in -roles_t/which are preferred in the test configuration.roles_t/which are preferred in the test configuration.-ansible.cfg[defaults] +ansible.cfg[defaults] interpreter_python=/usr/bin/python3 vault_password_file=Secret/vault-password inventory=hosts @@ -6985,7 +6972,7 @@ described in Keys) and thus sets this parameter to10.2.
hosts-The Ansible inventory file
hostsdescribes all of the institute's +The Ansible inventory filehostsdescribes all of the institute's machines starting with the main servers Front, Core and Gate. It provides the IP addresses, administrator account names and passwords for each machine. The IP addresses are all private, campus network @@ -6994,7 +6981,7 @@ describes three test servers namedfront
,core
and -@@ -7063,13 +7050,13 @@ thehostsall: +hostsall: vars: ansible_user: sysadm ansible_ssh_extra_args: -i Secret/ssh_admin/id_rsa @@ -7017,13 +7004,13 @@ describes three test servers namedfront
,core
andThe values of the ansible_become_password
key are references to -variables defined inSecret/become.yml, which is loaded as +variables defined inSecret/become.yml, which is loaded as "extra" variables by a-e
option on theansible-playbook
command line.-Secret/become.ymlbecome_front: !vault | +Secret/become.ymlbecome_front: !vault | $ANSIBLE_VAULT;1.1;AES256 3563626131333733666466393166323135383838666338666131336335326 3656437663032653333623461633866653462636664623938356563306264 @@ -7054,8 +7041,8 @@ become_gate: !vault | The passwords are individually encrypted just to make it difficult to acquire a list of all institute privileged account passwords in one glance. The multi-line values are generated by theansible-vault -encrypt_string
command, which uses theansible.cfgfile and thus -theSecret/vault-passwordfile. +encrypt_string command, which uses theansible.cfgfile and thus +theSecret/vault-passwordfile.Secret/vault-passwordfile.10.3.
playbooks/site.yml-The example
playbooks/site.ymlplaybook (below) applies the +The exampleplaybooks/site.ymlplaybook (below) applies the appropriate institutional role(s) to the hosts and groups defined in -the example inventory:hosts. +the example inventory:hosts.-@@ -7195,9 +7182,9 @@ super-project's directory.playbooks/site.yml--- +playbooks/site.yml--- - name: Configure Front hosts: front roles: [ front ] @@ -7095,14 +7082,14 @@ the example inventory:hosts.As already mentioned, the small institute keeps its Ansible vault password, a "master secret", on the encrypted partition mounted at -
Secret/in a file namedvault-password. The administrator +Secret/in a file namedvault-password. The administrator generated a 16 character pronounceable password withgpw 1 16
and saved it like so:gpw 1 16 >Secret/vault-password
. The following example password matches the example encryptions above.-Secret/vault-passwordalitysortstagess +Secret/vault-passwordalitysortstagess10.6. Maintaining A Working Ansible Configuration
-The Ansible roles currently tangle into the
roles_t/directory to +The Ansible roles currently tangle into theroles_t/directory to ensure that debugged Ansible code inroles/is not clobbered by code -tangled from this document. Comparingroles_t/withroles/will +tangled from this document. Comparingroles_t/withroles/will reveal any changes made toroles/during debugging that need to be reconciled with this document as well as any policy changes in this document that require changes to the currentroles/. @@ -7226,7 +7213,7 @@ to get their defaults from./ansible.cfg.11.1. Sub-command Blocks
-The code blocks in this chapter tangle into the
instscript. Each +The code blocks in this chapter tangle into theinstscript. Each block examines the script's command line arguments to determine whether its sub-command was intended to run, and exits with an appropriate code when it is done. @@ -7237,7 +7224,7 @@ The first code block is the header of the./inst
script.-inst#!/usr/bin/perl -w +inst#!/usr/bin/perl -w # # DO NOT EDIT. This file was tangled from an institute.org file. @@ -7254,13 +7241,13 @@ The first code block is the header of the./inst
script. The next code block does not implement a sub-command; it implements part of all./inst
sub-commands. It performs a "sanity check" on the current directory, warning of missing files or directories, and -especially checking that all files inprivate/have appropriate -permissions. It probes past theSecret/mount point (probing for -Secret/become.yml) to ensure the volume is mounted. +especially checking that all files inprivate/have appropriate +permissions. It probes past theSecret/mount point (probing for +Secret/become.yml) to ensure the volume is mounted.-inst+instsub note_missing_file_p ($); sub note_missing_directory_p ($); @@ -7314,14 +7301,14 @@ permissions. It probes past theSecret/mount point (probing forTo ensure that Ansible and
./inst
are sympatico vis-a-vi certain variable values (esp. private values like network addresses), a -check-inst-vars.ymlplaybook is used to update the Perl syntax file -private/vars.plbefore./inst
loads it. The Perl code ininst-declares the necessary global variables andprivate/vars.plsets +check-inst-vars.ymlplaybook is used to update the Perl syntax file +private/vars.plbefore./inst
loads it. The Perl code ininst+declares the necessary global variables andprivate/vars.plsets them.-inst+instsub mysystem (@) { my $line = join (" ", @_); print "$line\n"; @@ -7337,11 +7324,11 @@ do "./private/vars.pl";-The playbook that updates
private/vars.pl: +The playbook that updatesprivate/vars.pl:-playbooks/check-inst-vars.yml- hosts: localhost +playbooks/check-inst-vars.yml- hosts: localhost gather_facts: no tasks: - include_vars: ../public/vars.yml @@ -7363,21 +7350,21 @@ The playbook that updatesprivate/vars.pl:The next code block implements the
CA
sub-command, which creates a -new CA (certificate authority) inSecret/CA/as well as SSH and PGP +new CA (certificate authority) inSecret/CA/as well as SSH and PGP keys for the administrator, Monkey, Front androot
, also in -sub-directories ofSecret/. The CA is created with the "common +sub-directories ofSecret/. The CA is created with the "common name" provided by thefull_name
variable. An example is given here.-public/vars.ymlfull_name: Small Institute LLC +public/vars.ymlfull_name: Small Institute LLC-The
@@ -7387,8 +7374,8 @@ ln -s /media/sysadm/ADE7-F866/ SecretSecret/directory is on an off-line, encrypted volume plugged in -just for the duration of./inst
commands, soSecret/is actually a +TheSecret/directory is on an off-line, encrypted volume plugged in +just for the duration of./inst
commands, soSecret/is actually a symbolic link to a volume's automount location.-The
@@ -7409,12 +7396,14 @@ config.Secret/CA/directory is prepared using Easy RSA'smake-cadir
-command. TheSecret/CA/varsfile thus created is edited to contain +TheSecret/CA/directory is prepared using Easy RSA'smake-cadir
+command. TheSecret/CA/varsfile thus created is edited to contain the appropriate names (or just to setEASYRSA_DN
tocn_only
).-inst+instif (defined $ARGV[0] && $ARGV[0] eq "CA") { die "usage: $0 CA" if @ARGV != 1; die "Secret/CA/easyrsa: not an executable\n" if ! -x "Secret/CA/easyrsa"; die "Secret/CA/pki/: already exists\n" if -e "Secret/CA/pki"; + + umask 077; mysystem "cd Secret/CA; ./easyrsa init-pki"; mysystem "cd Secret/CA; ./easyrsa build-ca nopass"; # Common Name: small.example.org @@ -7426,8 +7415,8 @@ config. mysystem "cd Secret/CA; ./easyrsa build-server-full core.$pvt nopass"; mysystem "cd Secret/CA; ./easyrsa build-client-full core nopass"; umask 077; - mysystem "openvpn --genkey --secret Secret/front-ta.key"; - mysystem "openvpn --genkey --secret Secret/gate-ta.key"; + mysystem "openvpn --genkey secret Secret/front-ta.key"; + mysystem "openvpn --genkey secret Secret/gate-ta.key"; mysystem "openssl dhparam -out Secret/front-dh2048.pem 2048"; mysystem "openssl dhparam -out Secret/gate-dh2048.pem 2048"; @@ -7436,11 +7425,11 @@ config. " --batch --quick-generate-key --passphrase ''", " root\@core.$pvt"); mysystem ("gpg --homedir Secret/root.gnupg", - " --export --armor --output root-pub.pem", + " --export --armor --output Secret/root-pub.pem", " root\@core.$pvt"); chmod 0440, "root-pub.pem"; mysystem ("gpg --homedir Secret/root.gnupg", - " --export-secret-key --armor --output root-sec.pem", + " --export-secret-key --armor --output Secret/root-sec.pem", " root\@core.$pvt"); chmod 0400, "root-sec.pem"; @@ -7489,7 +7478,7 @@ Example command lines:-inst+instif (defined $ARGV[0] && $ARGV[0] eq "config") { die "Secret/CA/easyrsa: not executable\n" if ! -x "Secret/CA/easyrsa"; @@ -7575,14 +7564,14 @@ revoked:The test campus starts with the empty membership roll found in -
private/members-empty.ymland saved inprivate/members.yml+private/members-empty.ymland saved inprivate/members.yml(which is not tangled from this document, thus not over-written during testing). Ifmembers.ymlis not found,members-empty.ymlis used instead.-private/members-empty.yml--- +private/members-empty.yml--- members: usernames: [] revoked: [] @@ -7595,7 +7584,7 @@ Both locations go on themembership_rolls
variable used by the-private/vars.ymlmembership_rolls: +private/vars.ymlmembership_rolls: - "../private/members.yml" - "../private/members-empty.yml"@@ -7608,7 +7597,7 @@ read from the file. The dump subroutine is another story (below).-inst+instuse YAML::XS qw(LoadFile DumpFile); sub read_members_yaml () { @@ -7684,7 +7673,7 @@ each record.-inst+instsub print_member ($$) { my ($out, $member) = @_; print $out " ", $member->{"username"}, ":\n"; @@ -7728,7 +7717,7 @@ each record. The next code block implements thenew
sub-command. It adds a new member to the institute's membership roll. It runs an Ansible playbook to create the member's Nextcloud user, updates -private/members.yml, and runs thesite.ymlplaybook. The site +private/members.yml, and runs thesite.ymlplaybook. The site playbook (re)creates the member's accounts on Core and Front, (re)installs the member's personal homepage on Front, and the member's Fetchmail service on Core. All services are configured with an @@ -7736,7 +7725,7 @@ initial, generated password.-inst+instsub valid_username (@); sub shell_escape ($); sub strip_vault ($); @@ -7799,7 +7788,7 @@ initial, generated password.-@@ -7852,11 +7841,11 @@ update the servers, so it does not need an SSH key and password to (nor equivalent) on Core. It is a set-UIDplaybooks/nextcloud-new.yml- hosts: core +playbooks/nextcloud-new.yml- hosts: core no_log: yes tasks: - name: Run occ user:add. @@ -7837,7 +7826,7 @@ pass command. In either case, the administrator needs to update the membership roll, and so receives an encrypted email, which gets piped into./inst pass
. This command decrypts the message, parses the (YAML) content, updatesprivate/members.yml, and runs the full -Ansiblesite.ymlplaybook to update the servers. If all goes well a +Ansiblesite.ymlplaybook to update the servers. If all goes well a message is sent tomember@core
.shadow
script so it can read/etc/shadow. The member will need to wait for confirmation from the administrator, but all keys toroot
at the institute stay -inSecret/. +inSecret/.-roles_t/core/templates/passwd#!/bin/perl -wT +roles_t/core/templates/passwd#!/bin/perl -wT use strict; @@ -7944,11 +7933,11 @@ print "The following code block implements the
./inst pass
command, used by the administrator to updateprivate/members.ymlbefore running -playbooks/site.ymland emailing the concerned member. +playbooks/site.ymland emailing the concerned member.-inst+instuse MIME::Base64; if (defined $ARGV[0] && $ARGV[0] eq "pass") { @@ -8007,7 +7996,7 @@ users:resetpassword command usingexpect(1)
.-playbooks/nextcloud-pass.yml- hosts: core +playbooks/nextcloud-pass.yml- hosts: core no_log: yes tasks: - name: Run occ user:resetpassword. @@ -8050,7 +8039,7 @@ configuration so that the email to root can be encrypted.-roles_t/core/tasks/main.yml+roles_t/core/tasks/main.yml- name: Install institute passwd command. become: yes template: @@ -8096,7 +8085,7 @@ configuration so that the email to root can be encrypted.-roles_t/core/handlers/main.yml+roles_t/core/handlers/main.yml- name: Import root PGP key. become: no command: gpg --import ~/.gnupg-root-pub.pem @@ -8113,7 +8102,7 @@ Theold
command disables a member's accounts and clients.-inst+instif (defined $ARGV[0] && $ARGV[0] eq "old") { my $user = valid_username (@ARGV); my $yaml = read_members_yaml (); @@ -8135,7 +8124,7 @@ Theold
command disables a member's accounts and clients.-playbooks/nextcloud-old.yml- hosts: core +playbooks/nextcloud-old.yml- hosts: core tasks: - name: Run occ user:disable. shell: | @@ -8157,7 +8146,7 @@ Theold
command disables a member's accounts and clients.The
@@ -8192,7 +8181,7 @@ copies theclient
command creates an OpenVPN configuration (.ovpn) file authorizing wireless devices to connect to the institute's VPNs. The -command uses the EasyRSA CA inSecret/. The generated configuration +command uses the EasyRSA CA inSecret/. The generated configuration is slightly different depending on the type of host, given as the first argument to the command.campus.ovpnfile to/etc/openvpn/campus.conf.The OpenVPN configurations generated for Debian hosts specify an
up
-script,update-systemd-resolved, installed in/etc/openvpn/by the +script,update-systemd-resolved
, installed in/etc/openvpn/by theopenvpn-systemd-resolved
package. The following configuration lines instruct the OpenVPN clients to run this script whenever the connection is restarted. @@ -8206,7 +8195,7 @@ up-restart-instsub write_template ($$$$$$$$$); +instsub write_template ($$$$$$$$$); sub read_file ($); sub add_client ($$$); @@ -8327,13 +8316,13 @@ up-restart11.11. Institute Command Help