From 9c6ff02c9f79c023a46c094a2a90768cec6fc738 Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Tue, 3 Sep 2024 08:44:12 -0600 Subject: [PATCH] Update README.html. --- README.html | 157 +++++++++++++++++++++++++++++----------------------- 1 file changed, 88 insertions(+), 69 deletions(-) diff --git a/README.html b/README.html index 342fbbd..720bf1b 100644 --- a/README.html +++ b/README.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + A Small Institute @@ -48,7 +48,7 @@ connects to Front making the institute email, cloud, etc. available to members off campus.

-
+
                 =                                                   
               _|||_                                                 
         =-The-Institute-=                                           
@@ -1022,7 +1022,7 @@ example result follows the code.
 

 
 
-

+

 

 => 10.62.17.0/24
 

@@ -1475,7 +1475,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a
 campground Wi-Fi access point, etc.
 
 
-
+
 =============== | ==================================================
                 |                                           Premises
           (Campus ISP)                                              
@@ -1498,7 +1498,7 @@ This avoids the need for a second Wi-Fi access point and leads to the
 following topology.
 

 
-
+
 =============== | ==================================================
                 |                                           Premises
            (House ISP)                                              
@@ -1651,8 +1651,8 @@ The all role contains tasks that are executed on all of the
 institute's servers.  At the moment there is just the one.
 

 

-

-
6.1. Include Particulars

+

+
6.1. Include Particulars

 

 

 The all role's task contains a reference to a common institute
@@ -1793,8 +1793,8 @@ uses the institute's CA and server certificates, and expects client
 certificates signed by the institute CA.
 

 

-

-
7.1. Include Particulars

+

+
7.1. Include Particulars

 

 

 The first task, as in The All Role, is to include the institute
@@ -1819,8 +1819,8 @@ membership roll, so these are included was well.
 

 

 

-

-
7.2. Configure Hostname

+

+
7.2. Configure Hostname

 

 

 This task ensures that Front's /etc/hostname and /etc/mailname are
@@ -1850,8 +1850,8 @@ delivery.
 

 

 

-

-
7.3. Add Administrator to System Groups

+

+
7.3. Add Administrator to System Groups

 

 

 The administrator often needs to read (directories of) log files owned
@@ -1910,8 +1910,8 @@ those stored in Secret/ssh_front/etc/ssh/
 

 

 

-

-
7.5. Configure Monkey

+

+
7.5. Configure Monkey

 

 

 The small institute runs cron jobs and web scripts that generate
@@ -1967,8 +1967,8 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.
 

 

 

-

-
7.7. Install Unattended Upgrades

+

+
7.7. Install Unattended Upgrades

 

 

 The institute prefers to install security updates as soon as possible.
@@ -1983,8 +1983,8 @@ The institute prefers to install security updates as soon as possible.
 

 

 

-
-

-
7.9. Install Server Certificate

+

+
7.9. Install Server Certificate

 

 

 The servers on Front use the same certificate (and key) to
@@ -2255,8 +2255,8 @@ created by a more specialized role.
 

 

 

-

-
7.12. Configure Dovecot IMAPd

+

+
7.12. Configure Dovecot IMAPd

 

 

 Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to
@@ -2612,8 +2612,8 @@ the users' ~/Public/HTML/ directories.
 

 

 

-

-
7.14. Configure OpenVPN

+

+
7.14. Configure OpenVPN

 

 

 Front uses OpenVPN to provide the institute's public VPN service.  The
@@ -2846,7 +2846,8 @@ be started before the tun device has appeared.
 roles_t/front/handlers/main.yml
 - name: Reload Systemd.
   become: yes
-  command: systemctl daemon-reload
+  systemd:
+    daemon-reload: yes
 

 

 
@@ -2896,8 +2897,8 @@ Debian install and remote access to a privileged, administrator's
 account.  (For details, see The Core Machine.)
 

 

-

-
8.1. Include Particulars

+

+
8.1. Include Particulars

 

 

 The first task, as in The Front Role, is to include the institute
@@ -2919,8 +2920,8 @@ particulars and membership roll.
 

 

 

-

-
8.2. Configure Hostname

+

+
8.2. Configure Hostname

 

 

 This task ensures that Core's /etc/hostname and /etc/mailname are
@@ -2953,8 +2954,8 @@ proper email delivery.
 

 

 

-

-
8.3. Configure Systemd Resolved

+

+
8.3. Configure Systemd Resolved

 

 

 Core runs the campus name server, so Resolved is configured to use it
@@ -2986,7 +2987,8 @@ list, and to disable its cache and stub listener.
 roles_t/core/handlers/main.yml
 - name: Reload Systemd.
   become: yes
-  command: systemctl daemon-reload
+  systemd:
+    daemon-reload: yes
 
 - name: Restart Systemd resolved.
   become: yes
@@ -3159,10 +3161,9 @@ with the real private/core-dhcpd.conf8.6. Configure BIND9
 

 

-Core uses BIND9 to provide a private-view name service for the
-institute as described in The Name Service.  The configuration
-supports reverse name lookups, resolving many private network
-addresses to private domain names.
+Core uses BIND9 to provide name service for the institute as described
+in The Name Service.  The configuration supports reverse name lookups,
+resolving many private network addresses to private domain names.
 

 
 

@@ -3367,8 +3368,8 @@ probably be used as forwarders rather than Google.
 

 

 

-

-
8.7. Add Administrator to System Groups

+

+
8.7. Add Administrator to System Groups

 

 

 The administrator often needs to read (directories of) log files owned
@@ -3388,8 +3389,8 @@ these groups speeds up debugging.
 

 

 

-

-
8.8. Configure Monkey

+

+
8.8. Configure Monkey

 

 

 The small institute runs cron jobs and web scripts that generate
@@ -3456,8 +3457,8 @@ described in *Configure Apache2).
 

 

 

-

-
8.9. Install Unattended Upgrades

+

+
8.9. Install Unattended Upgrades

 

 

 The institute prefers to install security updates as soon as possible.
@@ -3489,8 +3490,8 @@ with Nextcloud on the command line.
 

 

 

-

-
8.11. Configure User Accounts

+

+
8.11. Configure User Accounts

 

 

 User accounts are created immediately so that backups can begin
@@ -3532,8 +3533,8 @@ describes the members and usernames variables.
 

 

 

-

-
8.12. Install Server Certificate

+

+
8.12. Install Server Certificate

 

 

 The servers on Core use the same certificate (and key) to authenticate
@@ -3757,8 +3758,8 @@ installed by more specialized roles.
 

 

 

-

-
8.16. Configure Dovecot IMAPd

+

+
8.16. Configure Dovecot IMAPd

 

 

 Core uses Dovecot's IMAPd to store and serve member emails.  As on
@@ -5508,8 +5509,8 @@ applied first, by which Gate gets a campus machine's DNS and Postfix
 configurations, etc.
 

 

-

-
9.1. Include Particulars

+

+
9.1. Include Particulars

 

 

 The following should be familiar boilerplate by now.
@@ -5819,7 +5820,10 @@ command would not be necessary.
 
 

 Installation and configuration of the DHCP daemon follows.  Note that
-the daemon listens only on the Gate-WiFi network interface.
+the daemon listens only on the Gate-WiFi network interface.  Also
+note the drop-in Requires dependency, without which the DHCP server
+intermittently fails, finding the wifi interface has no IPv4
+addresses (or perhaps finding no wifi interface at all?).
 

 
 

@@ -5836,6 +5840,15 @@ the daemon listens only on the Gate-WiFi network interface.
     regexp: ^INTERFACESv4=
   notify: Restart DHCP server.
 
+- name: Configure DHCP server dependence on interface.
+  become: yes
+  copy:
+    content: |
+      [Unit]
+      Requires=network-online.target
+    dest: /etc/systemd/system/isc-dhcp-server.service.d/depend.conf
+  notify: Reload Systemd.
+
 - name: Configure DHCP for WiFiAP service.
   become: yes
   copy:
@@ -5874,12 +5887,17 @@ the daemon listens only on the Gate-WiFi network interface.
   systemd:
     service: isc-dhcp-server
     state: restarted
+
+- name: Reload Systemd.
+  become: yes
+  systemd:
+    daemon-reload: yes
-
-

9.6. Install Server Certificate

+
+

9.6. Install Server Certificate

The (OpenVPN) server on Gate uses an institute certificate (and key) @@ -5906,8 +5924,8 @@ and Front) do.

-
-

9.7. Configure OpenVPN

+
+

9.7. Configure OpenVPN

Gate uses OpenVPN to provide the institute's campus VPN service. Its @@ -6034,8 +6052,8 @@ Wireless campus devices can get a key to the campus VPN from the configured manually.

-
-

10.1. Include Particulars

+
+

10.1. Include Particulars

The following should be familiar boilerplate by now. @@ -6051,8 +6069,8 @@ The following should be familiar boilerplate by now.

-
-

10.2. Configure Hostname

+
+

10.2. Configure Hostname

Clients should be using the expected host name. @@ -6079,8 +6097,8 @@ Clients should be using the expected host name.

-
-

10.3. Configure Systemd Resolved

+
+

10.3. Configure Systemd Resolved

Campus machines use the campus name server on Core (or dns.google), @@ -6109,7 +6127,8 @@ and include the institute's private domain in their search lists. roles_t/campus/handlers/main.yml

---
 - name: Reload Systemd.
   become: yes
-  command: systemctl daemon-reload
+  systemd:
+    daemon-reload: yes
 
 - name: Restart Systemd resolved.
   become: yes
@@ -6151,8 +6170,8 @@ and file timestamps.
-
-

10.5. Add Administrator to System Groups

+
+

10.5. Add Administrator to System Groups

The administrator often needs to read (directories of) log files owned @@ -6172,8 +6191,8 @@ these groups speeds up debugging.

-
-

10.6. Install Unattended Upgrades

+
+

10.6. Install Unattended Upgrades

The institute prefers to install security updates as soon as possible. @@ -7588,7 +7607,7 @@ A debian host runs a Debian desktop with Network Manager. Again two files are generated, for the campus and public VPNs.

  • ./inst client campus NEW
    -A campus host is an Debian host (with or without desktop) that is +A campus host is a Debian host (with or without desktop) that is used by the institute generally, is not the property of a member, never roams off campus, and so is remotely administered with Ansible. One file is generated, campus.ovpn.
    • @@ -9108,7 +9127,7 @@ routes on Front and Gate, making the simulation less… similar.

    Author: Matt Birkholz

    -

    Created: 2024-05-08 Wed 14:42

    +

    Created: 2024-09-03 Tue 08:43

    Validate

    -- 2.25.1