From fca64b12defac256c824af647dfc0200d608aec6 Mon Sep 17 00:00:00 2001
From: Matt Birkholz
+= _|||_ =-The-Institute-= @@ -1030,7 +1030,7 @@ example result follows the code.-+-=> 10.62.17.0/24
@@ -1230,7 +1230,7 @@ file, copied it to the droplet, and installed it as thenotebook$ cat ~/.ssh/id_rsa.pub Secret/ssh_admin/id_rsa.pub \ notebook_ > admin_keys -notebook$ rsync admin_keys sysadm@159.65.75.60: +notebook$ scp admin_keys sysadm@159.65.75.60: The authenticity of host '159.65.75.60' can't be established. .... Are you sure you want to continue connecting (...)? yes @@ -1247,6 +1247,31 @@ notebook$++The Ansible configuration expects certain host keys on the new front. +The administrator should install them now, and deal with the machine's +change of SSH identity. The following commands copied the host keys +in
+ +Secret/ssh_front/to the droplet and restarted the SSH server. ++notebook$ scp Secret/ssh_front/etc/ssh/ssh_host_* sysadm@159.65.75.60: +notebook$ ssh sysadm@159.65.75.60 +sysadm@ubuntu$ chmod 600 ssh_host_* +sysadm@ubuntu$ chmod 644 ssh_host_*.pub +sysadm@ubuntu$ sudo cp -b ssh_host_* /etc/ssh/ +sysadm@ubuntu$ sudo systemctl restart ssh +sysadm@ubuntu$ logout +notebook$ ssh-keygen -f ~/.ssh/known_hosts -R 159.65.75.60 ++ + ++The last command removes the old host key from the administrator's +
+known_hostsfile. The next SSH connection should ask to confirm the +new host identity. +The administrator then tested the password-less ssh login as well as the privilege escalation command. @@ -1345,8 +1370,10 @@ modem and installed them as shown below.
-$ sudo apt install openssh-server rsync isc-dhcp-server netplan.io \ -_ bind9 fetchmail openvpn apache2 +$ sudo apt install netplan.io systemd-resolved unattended-upgrades \ +_ ntp isc-dhcp-server bind9 apache2 openvpn \ +_ postfix dovecot-imapd fetchmail expect rsync \ +_ gnupg openssh-server@@ -1357,12 +1384,23 @@ final configuration "in position" (on a frontier).-$ sudo apt install mariadb-server php php-{bcmath,curl,gd,gmp,json}\ -_ php-{mysql,mbstring,intl,imagick,xml,zip} \ +$ sudo apt install mariadb-server php php-{apcu,bcmath,curl,gd,gmp}\ +_ php-{json,mysql,mbstring,intl,imagick,xml,zip} \ _ libapache2-mod-php++Similarly, the NAGIOS configuration requires a handful of packages +that were pre-loaded via cable modem (to test a frontier deployment). +
+ ++$ sudo apt install nagios4 monitoring-plugins-basic lm-sensors \ +_ nagios-nrpe-plugin ++ +Next, the administrator concatenated a personal public ssh key and the key found in
Secret/ssh_admin/(created by The CA Command) into an @@ -1373,7 +1411,7 @@ key found inSecret/ssh_admin/(created bnotebook$ cat ~/.ssh/id_rsa.pub Secret/ssh_admin/id_rsa.pub \ notebook_ > admin_keys -notebook$ rsync admin_keys sysadm@core.lan: +notebook$ scp admin_keys sysadm@core.lan: The authenticity of host 'core.lan' can't be established. .... Are you sure you want to continue connecting (...)? yes @@ -1445,7 +1483,7 @@ USB-Ethernet adapter, or a wireless adapter connected to a campground Wi-Fi access point, etc. -+=============== | ================================================== | Premises (Campus ISP) @@ -1468,7 +1506,7 @@ This avoids the need for a second Wi-Fi access point and leads to the following topology. -+=============== | ================================================== | Premises (House ISP) @@ -1541,7 +1579,9 @@ cable modem and installed them as shown below.-$ sudo apt install openssh-server isc-dhcp-server netplan.io +$ sudo apt install netplan.io systemd-resolved unattended-upgrades \ +_ ufw isc-dhcp-server postfix openvpn \ +_ openssh-server@@ -1555,7 +1595,7 @@ key found inSecret/ssh_admin/(created bnotebook$ cat ~/.ssh/id_rsa.pub Secret/ssh_admin/id_rsa.pub \ notebook_ > admin_keys -notebook$ rsync admin_keys sysadm@gate.lan: +notebook$ scp admin_keys sysadm@gate.lan: The authenticity of host 'gate.lan' can't be established. .... Are you sure you want to continue connecting (...)? yes @@ -1611,10 +1651,73 @@ At this point Gate was ready for provisioning with Ansible.-6. The Front Role
+++6. The All Role
++The
+all
role contains tasks that are executed on all of the +institute's servers. At the moment there is just the one. +++6.1. Include Particulars
++++The
+ +all
role's task contains a reference to a common institute +particular, the institute'sdomain_name
, a variable found in the +public/vars.ymlfile. Thus the first task of theall
role is to +include the variables defined in this file (described in The +Particulars). The code block below is the first to tangle into +roles/all/tasks/main.yml. +++roles/all/tasks/main.yml--- +- name: Include public variables. + include_vars: ../public/vars.yml + tags: accounts ++++6.2. Trust Institute Certificate Authority
++++All servers should recognize the institute's Certificate Authority as +trustworthy, so its certificate is added to the set of trusted CAs on +each host. More information about how the small institute manages its +X.509 certificates is available in Keys. +
+ +++ +roles_t/all/tasks/main.yml+- name: Trust the institute CA. + become: yes + copy: + src: ../Secret/CA/pki/ca.crt + dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt + mode: u=r,g=r,o=r + owner: root + group: root + notify: Update CAs. +
+++roles_t/all/handlers/main.yml+- name: Update CAs. + become: yes + command: update-ca-certificates +++7. The Front Role
++-The
front
role installs and configures the services expected on the institute's publicly accessible "front door": email, web, VPN. The virtual machine is prepared with an Ubuntu Server install and remote @@ -1640,20 +1743,13 @@ uses the institute's CA and server certificates, and expects client certificates signed by the institute CA.-6.1. Include Particulars
---The
- +front
role's tasks contain references to several common -institute particulars, variables in the public and privatevars.yml-files and the institute membership roll inprivate/members.yml. The -firstfront
role tasks are to include these files (described in The -Particulars and Account Management). -+-7.1. Include Particulars
+-The code block below is the first to tangle into -
roles/front/tasks/main.yml. +The first task, as in The All Role, is to include the institute +particulars. Thefront
role refers to private variables and the +membership roll, so these are included was well.@@ -1673,9 +1769,9 @@ The code block below is the first to tangle into-6.2. Configure Hostname
-++7.2. Configure Hostname
+This task ensures that Front's
/etc/hostnameand/etc/mailnameare correct. The correct/etc/mailnameis essential to proper email @@ -1705,8 +1801,8 @@ delivery.-6.3. Enable Systemd Resolved
- --6.4. Add Administrator to System Groups
-++7.4. Add Administrator to System Groups
+The administrator often needs to read (directories of) log files owned by groups
root
andadm
. Adding the administrator's account to @@ -1820,8 +1916,8 @@ these groups speeds up debugging.--6.5. Configure SSH
-+7.5. Configure SSH
+The SSH service on Front needs to be known to Monkey. The following tasks ensure this by replacing the automatically generated keys with @@ -1858,9 +1954,9 @@ those stored in
Secret/ssh_front/etc/ssh/-6.6. Configure Monkey
-++7.6. Configure Monkey
+The small institute runs cron jobs and web scripts that generate reports and perform checks. The un-privileged jobs are run by a @@ -1900,8 +1996,8 @@ key on Core.
--6.7. Install Rsync
-+7.7. Install Rsync
+Monkey uses Rsync to keep the institute's public web site up-to-date.
@@ -1915,9 +2011,9 @@ Monkey uses Rsync to keep the institute's public web site up-to-date.-6.8. Install Unattended Upgrades
-+-+7.8. Install Unattended Upgrades
+The institute prefers to install security updates as soon as possible.
@@ -1931,9 +2027,9 @@ The institute prefers to install security updates as soon as possible.-6.9. Configure User Accounts
-+-+7.9. Configure User Accounts
+User accounts are created immediately so that Postfix and Dovecot can start delivering email immediately, without returning "no such @@ -1975,42 +2071,9 @@ recipient" replies. The Account Management chapter de
--6.10. Trust Institute Certificate Authority
----Front should recognize the institute's Certificate Authority as -trustworthy, so its certificate is added to Front's set of trusted -CAs. More information about how the small institute manages its -X.509 certificates is available in Keys. -
- --- -roles_t/front/tasks/main.yml-- name: Trust the institute CA. - become: yes - copy: - src: ../Secret/CA/pki/ca.crt - dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt - mode: u=r,g=r,o=r - owner: root - group: root - notify: Update CAs. -
---roles_t/front/handlers/main.yml-- name: Update CAs. - become: yes - command: update-ca-certificates ---6.11. Install Server Certificate
-++7.10. Install Server Certificate
+The servers on Front use the same certificate (and key) to authenticate themselves to institute clients. They share the @@ -2040,8 +2103,8 @@ readable by
root
.-6.12. Configure Postfix on Front
-+7.11. Configure Postfix on Front
+Front uses Postfix to provide the institute's public SMTP service, and uses the institute's domain name for its host name. The default @@ -2232,8 +2295,8 @@ start and enable the service.
--6.13. Configure Public Email Aliases
-+7.12. Configure Public Email Aliases
+The institute's Front needs to deliver email addressed to a number of common aliases as well as those advertised on the web site. System @@ -2273,9 +2336,9 @@ created by a more specialized role.
-6.14. Configure Dovecot IMAPd
-++-7.13. Configure Dovecot IMAPd
+Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to pick up messages. Front's Dovecot configuration is largely the Debian @@ -2345,8 +2408,8 @@ and enables it to start at every reboot.
-6.16. Configure OpenVPN
-++7.15. Configure OpenVPN
+Front uses OpenVPN to provide the institute's public VPN service. The configuration is straightforward with one complication. OpenVPN needs @@ -2937,8 +3000,8 @@ configure the OpenVPN server on Front.
-6.17. Configure Kamailio
-+7.16. Configure Kamailio
+Front uses Kamailio to provide a SIP service on the public VPN so that members abroad can chat privately. This is a connection-less UDP @@ -3053,8 +3116,8 @@ Finally, Kamailio can be configured and started.
-7. The Core Role
-+8. The Core Role
+-The
core
role configures many essential campus network services as well as the institute's private cloud, so the core machine has @@ -3063,9 +3126,9 @@ Debian install and remote access to a privileged, administrator's account. (For details, see The Core Machine.)-7.1. Include Particulars
-+-+8.1. Include Particulars
+The first task, as in The Front Role, is to include the institute particulars and membership roll. @@ -3086,9 +3149,9 @@ particulars and membership roll.
-7.2. Configure Hostname
-+-+8.2. Configure Hostname
+This task ensures that Core's
/etc/hostnameand/etc/mailnameare correct. Core accepts email addressed to the institute's public or @@ -3120,9 +3183,9 @@ proper email delivery.-7.3. Enable Systemd Resolved
-+-+8.3. Enable Systemd Resolved
+Core starts the
systemd-networkd
andsystemd-resolved
service units on boot. See Enable Systemd Resolved. @@ -3165,9 +3228,9 @@ units on boot. See Enable Systemd Resolved.-7.4. Configure Systemd Resolved
-++8.4. Configure Systemd Resolved
+Core runs the campus name server, so Resolved is configured to use it (or
dns.google
), to include the institute's domain in its search @@ -3210,8 +3273,8 @@ list, and to disable its cache and stub listener.-7.5. Configure Netplan
-+8.5. Configure Netplan
+Core's network interface is statically configured using Netplan and an
+/etc/netplan/60-core.yamlfile. That file provides Core's address @@ -3222,6 +3285,18 @@ created here. It is created by OpenVPN when Core connects to Front's VPN.+Core's Netplan needs the name of its main (only) Ethernet interface, +an example of which is given here. (A clever way to extract that name +from
+ +ansible_facts
would be appreciated. Theansible_default_ipv4
+fact was an empty hash at first boot on a simulated campus Ethernet.) +++private/vars.ymlcore_ethernet: enp0s3 ++roles_t/core/tasks/main.yml- name: Install netplan. @@ -3235,7 +3310,7 @@ VPN. network: renderer: networkd ethernets: - {{ ansible_default_ipv4.interface }}: + {{ core_ethernet }}: dhcp4: false addresses: [ {{ core_addr_cidr }} ] nameservers: @@ -3258,8 +3333,8 @@ VPN.-7.6. Configure DHCP For the Private Ethernet
-+8.6. Configure DHCP For the Private Ethernet
+Core speaks DHCP (Dynamic Host Configuration Protocol) using the Internet Software Consortium's DHCP server. The server assigns unique @@ -3324,7 +3399,7 @@ with the real
private/core-dhcpd.confbecome: yes lineinfile: path: /etc/default/isc-dhcp-server - line: INTERFACESv4="{{ ansible_default_ipv4.interface }}" + line: INTERFACESv4="{{ core_ethernet }}" regexp: ^INTERFACESv4= notify: Restart DHCP server. @@ -3356,8 +3431,8 @@ with the realprivate/core-dhcpd.conf--7.7. Configure BIND9
-+8.7. Configure BIND9
+Core uses BIND9 to provide a private-view name service for the institute as described in The Name Service. The configuration @@ -3633,9 +3708,9 @@ craps up
/var/log/and the Systemd journal.-7.8. Add Administrator to System Groups
-+-+8.8. Add Administrator to System Groups
+The administrator often needs to read (directories of) log files owned by groups
root
andadm
. Adding the administrator's account to @@ -3654,9 +3729,9 @@ these groups speeds up debugging.-7.9. Configure Monkey
-+-+8.9. Configure Monkey
+The small institute runs cron jobs and web scripts that generate reports and perform checks. The un-privileged jobs are run by a @@ -3722,9 +3797,9 @@ described in *Configure Apache2).
-7.10. Install
-unattended-upgrades
++8.10. Install Unattended Upgrades
+The institute prefers to install security updates as soon as possible.
@@ -3739,8 +3814,8 @@ The institute prefers to install security updates as soon as possible.--7.11. Install Expect
-+8.11. Install Expect
+The
expect
program is used by The Institute Commands to interact with Nextcloud on the command line. @@ -3755,9 +3830,9 @@ with Nextcloud on the command line.-7.12. Configure User Accounts
-+-+8.12. Configure User Accounts
+User accounts are created immediately so that backups can begin restoring as soon as possible. The Account Management chapter @@ -3798,42 +3873,9 @@ describes the
members
andusernames
variables.--7.13. Trust Institute Certificate Authority
----Core should recognize the institute's Certificate Authority as -trustworthy, so its certificate is added to Core's set of trusted -CAs. More information about how the small institute manages its -X.509 certificates is available in Keys. -
- --- -roles_t/core/tasks/main.yml-- name: Trust the institute CA. - become: yes - copy: - src: ../Secret/CA/pki/ca.crt - dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt - mode: u=r,g=r,o=r - owner: root - group: root - notify: Update CAs. -
---roles_t/core/handlers/main.yml-- name: Update CAs. - become: yes - command: update-ca-certificates ---7.14. Install Server Certificate
-++8.13. Install Server Certificate
+The servers on Core use the same certificate (and key) to authenticate themselves to institute clients. They share the
/etc/server.crtand @@ -3862,8 +3904,8 @@ themselves to institute clients. They share the/etc/server.crtand-7.15. Install NTP
-+8.14. Install NTP
+Core uses NTP to provide a time synchronization service to the campus. The default daemon's default configuration is fine. @@ -3879,8 +3921,8 @@ The default daemon's default configuration is fine.
-7.16. Configure Postfix on Core
-+8.15. Configure Postfix on Core
+Core uses Postfix to provide SMTP service to the campus. The default Debian configuration (for an "Internet Site") is nearly sufficient. @@ -4048,8 +4090,8 @@ enable the service. Whenever
/etc/postfix/transportis changed, the--7.17. Configure Private Email Aliases
-+8.16. Configure Private Email Aliases
+The institute's Core needs to deliver email addressed to institute aliases including those advertised on the campus web site, in VPN @@ -4085,9 +4127,9 @@ installed by more specialized roles.
-7.18. Configure Dovecot IMAPd
-++8.17. Configure Dovecot IMAPd
+Core uses Dovecot's IMAPd to store and serve member emails. As on Front, Core's Dovecot configuration is largely the Debian default with @@ -4152,8 +4194,8 @@ and enables it to start at every reboot.
-7.19. Configure Fetchmail
-+8.18. Configure Fetchmail
+Core runs a
fetchmail
for each member of the institute. Individualfetchmail
jobs can run with the--idle
option and thus can @@ -4330,8 +4372,8 @@ Otherwise the following task might be appropriate.-7.20. Configure Apache2
-+8.19. Configure Apache2
+@@ -4670,8 +4723,8 @@ TheThis is the small institute's campus web server. It hosts several web sites as described in The Web Services. @@ -4538,6 +4580,17 @@ interfere with mapping URLs to the correct virtual host. name: "{{ item }}" loop: [ userdir, cgi ] notify: Restart Apache2. + when: ansible_distribution != 'Debian' + or 12 > ansible_distribution_major_version|int + +- name: Enable Apache2 modules (Debian 12). + become: yes + apache2_module: + name: "{{ item }}" + loop: [ userdir, cgid ] + notify: Restart Apache2. + when: ansible_distribution == 'Debian' + and 11 < ansible_distribution_major_version|int
a2ensite
command enables them.-7.21. Configure Website Updates
-+8.20. Configure Website Updates
+Monkey on Core runs
/usr/local/sbin/webupdateevery 15 minutes via acron
job. The example script mirrors/WWW/live/on Core to @@ -4721,8 +4774,8 @@ provided here.-7.22. Configure OpenVPN Connection to Front
-+8.21. Configure OpenVPN Connection to Front
+Core connects to Front's public VPN to provide members abroad with a route to the campus networks. As described in the configuration of @@ -4843,8 +4896,8 @@ for Core.
-7.23. Configure NAGIOS
-+8.22. Configure NAGIOS
+Core runs a
nagios4
server to monitor "services" on institute hosts. The following tasks install the necessary packages and configure the @@ -4925,8 +4978,8 @@ Core and Campus (and thus Gate) machines.-7.23.1. Configure NAGIOS Monitors for Core
-+8.22.1. Configure NAGIOS Monitors for Core
+The first block in
nagios.cfgspecifies monitors for services on Core. The monitors are simple, local plugins, and the block is very @@ -5001,8 +5054,8 @@ used here may specify plugin arguments.-7.23.2. Custom NAGIOS Monitor
-inst_sensors
+8.22.2. Custom NAGIOS Monitor
+inst_sensors
The
check_sensors
plugin is included in the packagemonitoring-plugins-basic
, but it does not report any readings. The @@ -5113,8 +5166,8 @@ Core.-7.23.3. Configure NAGIOS Monitors for Remote Hosts
-+8.22.3. Configure NAGIOS Monitors for Remote Hosts
+The following sections contain code blocks specifying monitors for services on other campus hosts. The NAGIOS server on Core will @@ -5135,8 +5188,8 @@ on each campus host by the campus role's Configure NRPE
-7.23.4. Configure NAGIOS Monitors for Gate
-+8.22.4. Configure NAGIOS Monitors for Gate
+Define the monitored host,
gate
. Monitor its response to network pings. @@ -5267,8 +5320,8 @@ Monitorinst_sensors
on Gate.-7.24. Configure Backups
-+8.23. Configure Backups
+-7.25. Configure Nextcloud
-+8.24. Configure Nextcloud
+Core runs Nextcloud to provide a private institute cloud, as described in The Cloud Service. Installing, restoring (from backup), and @@ -5299,8 +5352,8 @@ afterwards.
-7.25.1. Prepare Core For Nextcloud
-+8.24.1. Prepare Core For Nextcloud
+The Ansible code contained herein prepares Core to run Nextcloud by installing required software packages, configuring the web server, and @@ -5493,7 +5546,7 @@ created manually. The following task would work (
@@ -5532,8 +5585,8 @@ its document root.mysql_user
supportscheck_implicit_admin
) but thenextcloud
database was not created above. Thus both database and user are created manually, with SQL -given in the 7.25.5 subsection below, beforeocc +given in the 8.24.5 subsection below, before
occ maintenance:install
can run.-7.25.2. Configure PHP
-+8.24.2. Configure PHP
+The following tasks set a number of PHP parameters for better performance, as recommended by Nextcloud. @@ -5547,6 +5600,17 @@ performance, as recommended by Nextcloud. path: /etc/php/7.4/apache2/php.ini regexp: memory_limit *= line: memory_limit = 512M + when: ansible_distribution != 'Debian' + or 12 > ansible_distribution_major_version|int + +- name: Set PHP memory_limit for Nextcloud (Debian 12). + become: yes + lineinfile: + path: /etc/php/8.2/apache2/php.ini + regexp: memory_limit *= + line: memory_limit = 512M + when: ansible_distribution == 'Debian' + and 11 < ansible_distribution_major_version|int - name: Include PHP parameters for Nextcloud. become: yes @@ -5576,8 +5640,8 @@ performance, as recommended by Nextcloud.
-7.25.3. Create
-/Nextcloud/+8.24.3. Create
+/Nextcloud/The Ansible tasks up to this point have completed Core's LAMP stack and made Core ready to run Nextcloud, but they have not installed @@ -5635,8 +5699,8 @@ sudo mount /Nextcloud
-7.25.4. Restore Nextcloud
-+8.24.4. Restore Nextcloud
+Restoring Nextcloud in the newly created
/Nextcloud/presumably starts with plugging in the portable backup drive and unlocking it so @@ -5687,8 +5751,8 @@ Overview web page.-7.25.5. Install Nextcloud
-+8.24.5. Install Nextcloud
+Installing Nextcloud in the newly created
/Nextcloud/starts with downloading and verifying a recent release tarball. The following @@ -5759,8 +5823,8 @@ Administration > Overview page.-7.25.6. Afterwards
-+8.24.6. Afterwards
+Whether Nextcloud was restored or installed, there are a few things Ansible can do to bolster reliability and security (aka privacy). @@ -5942,8 +6006,8 @@ run before the next backup.
-8. The Gate Role
-+9. The Gate Role
+-The
gate
role configures the services expected at the campus gate: a VPN into the campus network via a campus Wi-Fi access point, and @@ -5970,9 +6034,9 @@ applied first, by which Gate gets a campus machine's DNS and Postfix configurations, etc.-8.1. Include Particulars
-++9.1. Include Particulars
+The following should be familiar boilerplate by now.
@@ -5993,8 +6057,8 @@ The following should be familiar boilerplate by now.-8.2. Configure Netplan
-+9.2. Configure Netplan
+Gate's network interfaces are configured using Netplan and two files.
/etc/netplan/60-gate.yamldescribes the static interfaces, to the @@ -6009,9 +6073,9 @@ example code here.-@@ -6090,8 +6154,8 @@ campus ISP without interference from Ansible.private/vars.ymlgate_lan_mac: ff:ff:ff:ff:ff:ff -gate_wifi_mac: ff:ff:ff:ff:ff:ff -gate_isp_mac: ff:ff:ff:ff:ff:ff +private/vars.ymlgate_lan_mac: 08:00:27:f3:16:79 +gate_isp_mac: 08:00:27:3d:42:e5 +gate_wifi_mac: 08:00:27:4a:de:d2-8.3. UFW Rules
-+9.3. UFW Rules
+Gate uses the Uncomplicated FireWall (UFW) to install its packet filters at boot-time. The institute does not use a firewall except to @@ -6174,8 +6238,8 @@ the
wifi
device to thelan
device, just theovpn
-8.4. Install UFW
-+9.4. Install UFW
+The following tasks install the Uncomplicated Firewall (UFW), set its policy in
/etc/default/ufw, and install the above rules in @@ -6241,8 +6305,8 @@ sudo ufw enable--8.5. Configure DHCP For The Gate-WiFi Ethernet
-+9.5. Configure DHCP For The Gate-WiFi Ethernet
+To accommodate commodity Wi-Fi access points without re-configuring them, the institute attempts to look like an up-link, an ISP, e.g. a @@ -6345,9 +6409,9 @@ the daemon listens only on the Gate-WiFi network interface.
-8.6. Install Server Certificate
-+-+9.6. Install Server Certificate
+The (OpenVPN) server on Gate uses an institute certificate (and key) to authenticate itself to its clients. It uses the
/etc/server.crt@@ -6373,9 +6437,9 @@ and Front) do.-8.7. Configure OpenVPN
-++9.7. Configure OpenVPN
+Gate uses OpenVPN to provide the institute's campus VPN service. Its clients are not configured to route all of their traffic through @@ -6520,8 +6584,8 @@ configure the OpenVPN server on Gate.
-9. The Campus Role
-+10. The Campus Role
+-The
campus
role configures generic campus server machines: network NAS, DVRs, wireless sensors, etc. These are simple Debian machines @@ -6537,9 +6601,9 @@ Wireless campus devices can get a key to the campus VPN from the configured manually.-9.1. Include Particulars
-+-+10.1. Include Particulars
+The following should be familiar boilerplate by now.
@@ -6554,9 +6618,9 @@ The following should be familiar boilerplate by now.-9.2. Configure Hostname
-+-+10.2. Configure Hostname
+Clients should be using the expected host name.
@@ -6582,9 +6646,9 @@ Clients should be using the expected host name.-9.3. Enable Systemd Resolved
-+-+10.3. Enable Systemd Resolved
+Campus machines start the
systemd-networkd
andsystemd-resolved
service units on boot. See Enable Systemd Resolved. @@ -6627,9 +6691,9 @@ service units on boot. See Enable Systemd Resolved.-9.4. Configure Systemd Resolved
-++10.4. Configure Systemd Resolved
+Campus machines use the campus name server on Core (or
dns.google
), and include the institute's private domain in their search lists. @@ -6669,8 +6733,8 @@ and include the institute's private domain in their search lists.--9.5. Configure Systemd Timesyncd
-+10.5. Configure Systemd Timesyncd
+The institute uses a common time reference throughout the campus. This is essential to campus security, improving the accuracy of log @@ -6699,9 +6763,9 @@ and file timestamps.
-9.6. Add Administrator to System Groups
-+-+10.6. Add Administrator to System Groups
+The administrator often needs to read (directories of) log files owned by groups
root
andadm
. Adding the administrator's account to @@ -6720,42 +6784,9 @@ these groups speeds up debugging.--9.7. Trust Institute Certificate Authority
----Campus hosts should recognize the institute's Certificate Authority as -trustworthy, so its certificate is added to the host's set of trusted -CAs. (For more information about how the small institute manages its -keys, certificates and passwords, see Keys.) -
- --- -roles_t/campus/tasks/main.yml-- name: Trust the institute CA. - become: yes - copy: - src: ../Secret/CA/pki/ca.crt - dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt - mode: u=r,g=r,o=r - owner: root - group: root - notify: Update CAs. -
---roles_t/campus/handlers/main.yml-- name: Update CAs. - become: yes - command: update-ca-certificates ---9.8. Install Unattended Upgrades
-++10.7. Install Unattended Upgrades
+The institute prefers to install security updates as soon as possible.
@@ -6770,8 +6801,8 @@ The institute prefers to install security updates as soon as possible.-9.9. Configure Postfix on Campus
-+10.8. Configure Postfix on Campus
+The Postfix settings used by the campus include message size, queue times, and the
relayhost
Core. The default Debian configuration @@ -6835,8 +6866,8 @@ tasks below.-9.10. Hard-wire Important IP Addresses
-+10.9. Hard-wire Important IP Addresses
+For the edification of programs consulting the
/etc/hostsfile, the institute's domain name and public IP address are added. The Debian @@ -6864,8 +6895,8 @@ custom of translating the host name into127.0.1.1
is also followed-9.11. Configure NRPE
-+10.10. Configure NRPE
+Each campus host runs an NRPE (a NAGIOS Remote Plugin Executor) server so that the NAGIOS4 server on Core can collect statistics. The @@ -6924,8 +6955,8 @@ Role.
-10. The Ansible Configuration
-+11. The Ansible Configuration
+The small institute uses Ansible to maintain the configuration of its servers. The administrator keeps an Ansible inventory in
hosts, and @@ -6947,8 +6978,8 @@ separate revision history.-10.1.
-ansible.cfg+11.1.
+ansible.cfgThe Ansible configuration file
ansible.cfgcontains just a handful of settings, some included just to create a test jig as described in @@ -6979,8 +7010,8 @@ described in Keys) and thus sets this parameter to-10.2.
-hosts+11.2.
+hostsThe Ansible inventory file
hostsdescribes all of the institute's machines starting with the main servers Front, Core and Gate. It @@ -7057,8 +7088,8 @@ theSecret/vault-passwordfile.-10.3.
-playbooks/site.yml+11.3.
+playbooks/site.ymlThe example
playbooks/site.ymlplaybook (below) applies the appropriate institutional role(s) to the hosts and groups defined in @@ -7067,6 +7098,10 @@ the example inventory:hosts.playbooks/site.yml--- +- name: Configure All + hosts: all + roles: [ all ] + - name: Configure Front hosts: front roles: [ front ] @@ -7087,8 +7122,8 @@ the example inventory:hosts.-10.4.
-Secret/vault-password+11.4.
+Secret/vault-passwordAs already mentioned, the small institute keeps its Ansible vault password, a "master secret", on the encrypted partition mounted at @@ -7105,8 +7140,8 @@ example password matches the example encryptions above.
-10.5. Creating A Working Ansible Configuration
-+11.5. Creating A Working Ansible Configuration
+A working Ansible configuration can be "tangled" from this document to produce the test configuration described in the Testing chapter. The @@ -7189,8 +7224,8 @@ super-project's directory.
-10.6. Maintaining A Working Ansible Configuration
-+11.6. Maintaining A Working Ansible Configuration
+The Ansible roles currently tangle into the
roles_t/directory to ensure that debugged Ansible code inroles/is not clobbered by code @@ -7209,8 +7244,8 @@ their way back to the code block in this document.-11. The Institute Commands
-+12. The Institute Commands
+The institute's administrator uses a convenience script to reliably execute standard procedures. The script is run with the command name @@ -7220,8 +7255,8 @@ to get their defaults from
./ansible.cfg.-11.1. Sub-command Blocks
-+12.1. Sub-command Blocks
+The code blocks in this chapter tangle into the
instscript. Each block examines the script's command line arguments to determine @@ -7245,8 +7280,8 @@ The first code block is the header of the./inst
script.-11.2. Sanity Check
-+12.2. Sanity Check
+The next code block does not implement a sub-command; it implements part of all
./inst
sub-commands. It performs a "sanity check" on @@ -7306,8 +7341,8 @@ permissions. It probes past theSecret/mount poin-11.3. Importing Ansible Variables
-+12.3. Importing Ansible Variables
+To ensure that Ansible and
./inst
are sympatico vis-a-vi certain variable values (esp. private values like network addresses), a @@ -7356,8 +7391,8 @@ The playbook that updatesprivate/vars.pl:-11.4. The CA Command
-+12.4. The CA Command
+The next code block implements the
CA
sub-command, which creates a new CA (certificate authority) inSecret/CA/as well as SSH and PGP @@ -7465,8 +7500,8 @@ config.-11.5. The Config Command
-+12.5. The Config Command
+The next code block implements the
config
sub-command, which provisions network services by running thesite.ymlplaybook @@ -7517,8 +7552,8 @@ Example command lines:-11.6. Account Management
-+12.6. Account Management
+For general information about members and their Unix accounts, see Accounts. The account management sub-commands maintain a mapping @@ -7721,8 +7756,8 @@ each record.
-11.7. The New Command
-+12.7. The New Command
+The next code block implements the
new
sub-command. It adds a new member to the institute's membership roll. It runs an Ansible @@ -7826,8 +7861,8 @@ initial, generated password.-11.8. The Pass Command
-+12.8. The Pass Command
+The institute's
passwd
command on Core securely emailsroot
with a member's desired password (hashed). The command may update the @@ -7841,8 +7876,8 @@ message is sent tomember@core
.-11.8.1. Less Aggressive passwd.
-+12.8.1. Less Aggressive passwd.
+The next code block implements the less aggressive
passwd
command. It is less aggressive because it just emailsroot
. It does not @@ -7938,8 +7973,8 @@ print "-11.8.2. Less Aggressive Pass Command
-+12.8.2. Less Aggressive Pass Command
+The following code block implements the
./inst pass
command, used by the administrator to updateprivate/members.ymlbefore running @@ -8036,8 +8071,8 @@ users:resetpassword command usingexpect(1)
.-11.8.3. Installing the Less Aggressive passwd
-+12.8.3. Installing the Less Aggressive passwd
+The following Ansible tasks install the less aggressive
passwd
script in/usr/local/bin/passwdon Core, and asudo
policy file @@ -8105,8 +8140,8 @@ configuration so that the email to root can be encrypted.-11.9. The Old Command
-+12.9. The Old Command
+The
@@ -8151,8 +8186,8 @@ Theold
command disables a member's accounts and clients.old
command disables a member's accounts and clients.-11.10. The Client Command
-+12.10. The Client Command
+The
client
command creates an OpenVPN configuration (.ovpn) file authorizing wireless devices to connect to the institute's VPNs. The @@ -8323,8 +8358,8 @@ up-restart-11.11. Institute Command Help
-+12.11. Institute Command Help
+This should be the last block tangled into the
instscript. It catches any command lines that were not handled by a sub-command @@ -8340,31 +8375,31 @@ above.-12. Testing
-+13. Testing
+-The example files in this document,
ansible.cfgandhostsas -well as those inpublic/andprivate/, along with the -matching EasyRSA certificate authority and GnuPG key-ring in -Secret/(included in the distribution), can be used to configure -three VirtualBox VMs simulating Core, Gate and Front in a test network -simulating a campus Ethernet, campus ISP, and commercial cloud. With -the test network up and running, a simulated member's notebook can be -created, and alternately attached to the simulated campus Wi-Fi or the -simulated Internet (as though abroad). The administrator's notebook -in this simulation is the VirtualBox host. +The example files in this document,ansible.cfgandhostsas well +as those inpublic/andprivate/, along with the matching EasyRSA +certificate authority and GnuPG key-ring inSecret/(included in the +distribution), can be used to configure three VirtualBox VMs +simulating Core, Gate and Front in test networks simulating a campus +Ethernet, Wi-Fi, ISP, and a commercial cloud. With the test networks +up and running, a simulated member's notebook can be created and +alternately attached to the simulated campus Wi-Fi or the Internet (as +though abroad). The administrator's notebook in this simulation is +the VirtualBox host.The next two sections list the steps taken to create the simulated -Core, Gate and Front, and connect them to a simulated campus Ethernet, -campus ISP, and commercial cloud. The process is similar to that -described in The (Actual) Hardware, but is covered in detail here -where the VirtualBox hypervisor can be assumed and exact command lines -can be given (and copied during re-testing). The remaining sections -describe the manual testing process, simulating an administrator -adding and removing member accounts and devices, a member's desktop -sending and receiving email, etc. +Core, Gate and Front machines, and connect them to their networks. +The process is similar to that described in The (Actual) Hardware, but +is covered in detail here where the VirtualBox hypervisor can be +assumed and exact command lines can be given (and copied during +re-testing). The remaining sections describe the manual testing +process, simulating an administrator adding and removing member +accounts and devices, a member's desktop sending and receiving email, +etc.
@@ -8375,8 +8410,8 @@ site at https://www.
-12.1. The Test Networks
-+13.1. The Test Networks
+The networks used in the test:
@@ -8392,29 +8427,19 @@ private Ethernet switch. It has no services, no DHCP, just the host machine at192.168.56.10
pretending to be the administrator's notebook. -vboxnet1
-Another Host-only network, simulating the tiny +
vboxnet1
Another Host-only network, simulating the tiny Ethernet between Gate and the campus Wi-Fi access point. It has no -services, no DHCP, just the host at +services, no DHCP, just the host at192.168.57.2
. It might one -day have a simulated access point at that address. Currently it is -just an interface forgate
's DHCP server to listen on. - - --In this simulation the IP address for
front
is not a public -address but a private address on the NAT networkpremises
. Thus -front
is not accessible to the administrator's notebook (the -host). To work around this restriction,front
gets a second -network interface connected to thevboxnet1
network and used only -for ssh access from the host.5 -192.168.57.2
, simulating the +NATed Wi-Fi network.-As in The Hardware, all machines start with their primary Ethernet -adapters attached to the NAT Network
premises
so that they can -download additional packages. Later,core
andgate
are moved to -the simulated private Ethernetvboxnet0
. +In this simulation the IP address forfront
is not a public address +but a private address on the NAT networkpremises
. Thusfront
is +not accessible to the administrator's notebook (the host). To work +around this restriction,front
gets a second network interface +connected to thevboxnet1
network and used only for ssh access from +the host.5@@ -8428,37 +8453,50 @@ following
VBoxManage
commands. --enable --dhcp on --ipv6 off VBoxManage natnetwork start --netname premises VBoxManage hostonlyif create # vboxnet0 -VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.10 \ - --dhcp off --ipv6 off +VBoxManage hostonlyif ipconfig vboxnet0 --ip=192.168.56.10 +VBoxManage dhcpserver modify --interface=vboxnet0 --disable VBoxManage hostonlyif create # vboxnet1 -VBoxManage hostonlyif ipconfig vboxnet1 --ip 192.168.57.2 \ - --dhcp off --ipv6 off +VBoxManage hostonlyif ipconfig vboxnet1 --ip=192.168.57.2-Note that actual ISPs and clouds will provide Gate and Front with -public network addresses but in this simulation "they" provide -addresses in the private
+ +192.168.15.0/24
network. +Note that the first host-only network,vboxnet0
, gets DHCP service +by default, but that will interfere with the service being tested on +core
, so it must be explicitly disabled. Only the NAT network +premises
should have a DHCP server enabled. ++Note also that actual ISPs and clouds will provide Gate and Front with +public network addresses. In this simulation "they" provide addresses +on the private
192.168.15.0/24
network.-12.2. The Test Machines
-+13.2. The Test Machines
+The virtual machines are created by
+ +VBoxManage
command lines in the following sub-sections. They each start with a recent Debian release -(e.g.debian-11.3.0-amd64-netinst.iso) on the NAT network -premises
. As in The Hardware preparation process being simulated, a -few additional software packages are installed and remote access is -authorized before the machines are moved to their final networks, -prepared for Ansible. +(e.g.debian-12.5.0-amd64-netinst.iso) in their simulated DVD +drives. As in The Hardware preparation process being simulated, a few +additional software packages are installed. Unlike in The Hardware +preparation, machines are moved to their final networks and then +remote access is authorized. (They are not accessible viassh
on +the VirtualBox NAT network where they first boot.) ++Once the administrator's notebook is authorized to access the +privileged accounts on the virtual machines, they are prepared for +configuration by Ansible.
-12.2.1. A Test Machine
-+13.2.1. A Test Machine
+The following shell function contains most of the
VBoxManage
commands needed to create the test machines. The name of the machine @@ -8485,47 +8523,42 @@ taken from theISO
shell variable. VBoxManage storageattach $NAME --storagectl "IDE Controller" \ --port 0 --device 0 --type dvddrive --medium $ISO VBoxManage modifyvm $NAME --boot1 dvd --boot2 disk - VBoxManage unattended install $NAME --iso=$ISO \ - --locale en_US --country US \ - --hostname $NAME.small.private \ - --user=sysadm --password=fubar \ - --full-user-name=System\ Administrator }After this shell function creates a VM, its network interface is -typically attached to the NAT network
premises
, simulating the -Internet connected network where actual hardware will be prepared. +attached to the default NAT network, simulating the Internet connected +network where actual hardware is prepared.Here are the commands needed to create the test machine
front
with -512MiB of RAM and 4GiB of disk and the Debian 11.3.0 release in its -CDROM drive, to putfront
on the Internet connected NAT network -premises
, and to bootfront
into the Debian installer. +512MiB of RAM and 4GiB of disk and the Debian 12.5.0 release in its +CDROM drive.NAME=front RAM=512 DISK=4096 -ISO=~/Downloads/debian-11.3.0-amd64-netinst.iso +ISO=~/Downloads/debian-12.5.0-amd64-netinst.iso create_vm -VBoxManage modifyvm $NAME --nic1 natnetwork --natnetwork1 premises -VBoxManage startvm $NAME --type headless-The machine's console should soon show the installer's first prompt: -to choose a system language. The appropriate responses to the -installer's prompts are given in the list below. +Soon after starting, the machine console should show the installer's +first prompt: to choose a system language. Installation on the small +machines,
front
andgate
, may put the installation into "low +memory mode", in which case the installation is textual, the system +language is English, and the first prompt is for location. The +appropriate responses to the prompts are given in the list below.-
- Select a language +
- Select a language (unless in low memory mode!)
@@ -8586,101 +8619,76 @@ installer's prompts are given in the list below.
- Language: English - English
-After the reboot (first boot into the installed OS) the machine's -console should produce a
login:
prompt. The administrator logs in -here, with usernamesysadm
and passwordfubar
, before continuing -with the specific machine's preparation (below). +After the reboot, the machine's console should produce alogin:
+prompt. The administrator logs in here, with usernamesysadm
and +passwordfubar
, before continuing with the specific machine's +preparation (below).-12.2.2. The Test Front Machine
-+13.2.2. The Test Front Machine
+The
front
machine is created with 512MiB of RAM, 4GiB of disk, and -Debian 11.3.0 (recently downloaded) in its CDROM drive. The exact +Debian 12.5.0 (recently downloaded) in its CDROM drive. The exact command lines were given in the previous section.-After Debian is installed (as detailed in A Test Machine) and the -machine rebooted, the administrator logs in and installs several -additional software packages. +After Debian is installed (as detailed above)
front
is shut down and +its primary network interface moved to the simulated Internet, the NAT +networkpremises
.front
also gets a second network interface, on +the host-only networkvboxnet1
, to make it directly accessible to +the administrator's notebook (as described in The Test Networks).-sudo apt install netplan.io expect unattended-upgrades postfix \ - dovecot-imapd apache2 openvpn +VBoxManage modifyvm front --nic1 natnetwork --natnetwork1 premises +VBoxManage modifyvm front --nic2 hostonly --hostonlyadapter2 vboxnet1-Note that the Postfix installation may prompt for a couple settings. -The defaults, listed below, are fine. -
- --
- -- General type of mail configuration: Internet Site
-- System mail name: small.example.org
--To make
front
accessible to the simulated administrator's notebook, -it gets a second network interface attached to the host-only network -vboxnet1
and is given the local address192.168.57.3
. +After Debian is installed and the machine rebooted, the administrator +logs in and configures the "extra" network interface with a static IP +address using a drop-in configuration file: +/etc/network/interfaces.d/eth1.-VBoxManage modifyvm front --nic2 hostonly --hostonlyadapter2 vboxnet1 +eth1auto enp0s8 +iface enp0s8 inet static + address 192.168.57.3/24-The second network interface is configured with an IP address via the -Netplan configuration file
-/etc/netplan/01-testing.yaml, which is -created with the following lines. +Asudo ifup enp0s8
command then brings the interface up.--network: - ethernets: - enp0s8: - dhcp4: false - addresses: [ 192.168.57.3/24 ] ---The amended Netplan is applied immediately with the following command, -or the machine is rebooted. -
- --- -sudo netplan apply ---Finally, the administrator authorizes remote access by following the -instructions in the final section: Ansible Test Authorization. +Note that there is no pre-provisioning for
front
, which is never +deployed on a frontier, always in the cloud. Additional Debian +packages are assumed to be readily available. Thus Ansible installs +them as necessary, but first the administrator authorizes remote +access by following the instructions in the final section: Ansible +Test Authorization.-12.2.3. The Test Gate Machine
-+13.2.3. The Test Gate Machine
+The
gate
machine is created with the same amount of RAM and disk asfront
. Assuming theRAM
,DISK
, andISO
shell variables have -not changed,gate
can be created with two commands, then connected -to NAT networkpremesis
and booted with two more. +not changed,gate
can be created with two commands.@@ -8691,8 +8699,8 @@ additional software packages.NAME=gate create_vm -VBoxManage modifyvm gate --nic1 natnetwork --natnetwork1 premises -VBoxManage startvm gate --type headless
-@@ -8707,29 +8715,26 @@ defaults, listed below, are fine.sudo apt install netplan.io ufw unattended-upgrades postfix \ - isc-dhcp-server openvpn +sudo apt install netplan.io systemd-resolved unattended-upgrades \ + ufw isc-dhcp-server postfix openvpn
-
gate
can now move to the campus. It is shut down before the +gate
can then move to the campus. It is shut down before the followingVBoxManage
commands are executed. The commands disconnect -the primary Ethernet interface frompremises
and -connected it tovboxnet0
. Theisp
andwifi
interfaces are also +the primary Ethernet interface frompremises
and connected it to +vboxnet0
. They also create two new interfaces,isp
andwifi
, connected to the simulated ISP and campus wireless access point.-VBoxManage modifyvm gate --nic1 hostonly -VBoxManage modifyvm gate --hostonlyadapter1 vboxnet0 +VBoxManage modifyvm gate --mac-address1=080027f31679 +VBoxManage modifyvm gate --nic1 hostonly --hostonlyadapter1 vboxnet0 +VBoxManage modifyvm gate --mac-address2=0800273d42e5 VBoxManage modifyvm gate --nic2 natnetwork --natnetwork2 premises -VBoxManage modifyvm gate --nic3 hostonly -VBoxManage modifyvm gate --hostonlyadapter3 vboxnet1 +VBoxManage modifyvm gate --mac-address3=0800274aded2 +VBoxManage modifyvm gate --nic3 hostonly --hostonlyadapter3 vboxnet1-Before rebooting, the MAC addresses of the three network interfaces -should be compared to the example variable settings in
hosts. The -values of thegate_lan_mac
,gate_wifi_mac
, andgate_isp_mac
-variables must agree with the MAC addresses assigned to the virtual -machine's network interfaces. The following table assumes device -names that may vary depending on the hypervisor, version, etc. +The MAC addresses above were specified so they match the example +values of the MAC address variables in this table.@@ -8777,7 +8782,7 @@ names that may vary depending on the hypervisor, version, etc.
-After
@@ -8794,8 +8799,8 @@ instructions in the final section: Ansible Test Authorizatgate
boots up with its new network connections, the primary +Aftergate
boots up with its new network interfaces, the primary Ethernet interface is temporarily configured with an IP address. (Ansible will install a Netplan soon.)-12.2.4. The Test Core Machine
-+13.2.4. The Test Core Machine
+@@ -8819,14 +8822,20 @@ additional software packages.The
core
machine is created with 1GiB of RAM and 6GiB of disk. Assuming theISO
shell variable has not changed,core
can be @@ -8807,8 +8812,6 @@ created with following commands. RAM=2048 DISK=6144 create_vm -VBoxManage modifyvm core --nic1 natnetwork --natnetwork1 premises -VBoxManage startvm core --type headless-sudo apt install netplan.io unattended-upgrades postfix \ - isc-dhcp-server bind9 fetchmail gnupg \ - expect dovecot-imapd apache2 openvpn +sudo apt install netplan.io systemd-resolved unattended-upgrades \ + ntp isc-dhcp-server bind9 apache2 openvpn \ + postfix dovecot-imapd fetchmail expect rsync \ + gnupg +sudo apt install mariadb-server php php-{apcu,bcmath,curl,gd,gmp}\ + php-{json,mysql,mbstring,intl,imagick,xml,zip} \ + libapache2-mod-php +sudo apt install nagios4 monitoring-plugins-basic lm-sensors \ + nagios-nrpe-plugin-Again, the Postfix installation prompts for a couple settings. The +Again the Postfix installation prompts for a couple settings. The defaults, listed below, are fine.
@@ -8835,6 +8844,13 @@ defaults, listed below, are fine.System mail name: core.small.private ++Before shutting down, the name of the primary Ethernet interface +should be compared to the example variable setting in +
+private/vars.yml. The value assigned tocore_ethernet
should +match the interface name. +
core
can now move to the campus. It is shut down before the followingVBoxManage
command is executed. The command connects the @@ -8849,13 +8865,12 @@ Ethernet.After
core
boots up with its new network connection, its primary NIC -is temporarily configured with an IP address and default route (to -gate
). (Ansible will install a Netplan soon.) +is temporarily configured with an IP address. (Ansible will install a +Netplan soon.)@@ -8866,19 +8881,20 @@ instructions in the next section: Ansible Test Authorizatisudo ip address add 192.168.56.1/24 dev enp0s3 -sudo ip route add default via 192.168.56.2 dev enp0s3-12.2.5. Ansible Test Authorization
-+-13.2.5. Ansible Test Authorization
++ +-Before Ansible can configure the three test machines, they must allow -remote access to their
sysadm
accounts. The administrator must use -IP addresses to copy the public key to each test machine. +To authorize Ansible's access to the three test machines, they must +allow remote access to theirsysadm
accounts. In the following +commands, the administrator must use IP addresses to copy the public +key to each test machine.@@ -8892,12 +8908,48 @@ each machine).SRC=Secret/ssh_admin/id_rsa.pub -scp $SRC sysadm@192.168.56.1:admin_key # Core -scp $SRC sysadm@192.168.56.2:admin_key # Gate scp $SRC sysadm@192.168.57.3:admin_key # Front +scp $SRC sysadm@192.168.56.2:admin_key # Gate +scp $SRC sysadm@192.168.56.1:admin_key # Core( cd; umask 077; mkdir .ssh; cp admin_key .ssh/authorized_keys )+The
+ +front
machine needs a little additional preparation. Ansible +will configurefront
with the host keys inSecret/. These should +be installed there now so thatfront
does not appear to change +identities while Ansible is configuring. ++First, the host keys are securely copied to
+ +front
with the following +command. +++ +scp Secret/ssh_front/etc/ssh/ssh_host_* sysadm@192.168.57.3: ++Then they are installed with these commands. +
+ +++ +chmod 600 ssh_host_* +chmod 644 ssh_host_*.pub +sudo cp -b ssh_host_* /etc/ssh/ ++Finally, the system administrator removes the old identity of
+ +front
. ++ssh-keygen -f ~/.ssh/known_hosts -R 192.168.57.3 +-+12.3. The Test Ansible Configuration
-+++-13.3. Configure Test Machines
+-At this point the three test machines
-core
,gate
, andfront
are running fresh Debian systems with select additional packages, on their @@ -8905,11 +8957,7 @@ final networks, with a privileged account namedsysadm
that authorizes password-less access from the administrator's notebook, ready to be configured by Ansible.-12.4. Configure Test Machines
-+To configure the test machines, the
./inst config
command is executed andcore
restarted. Note that this first run should @@ -8919,8 +8967,8 @@ not.-12.5. Test Basics
-+13.4. Test Basics
+At this point the test institute is just
core
,gate
andfront
, no other campus servers, no members nor their VPN client devices. On @@ -8982,8 +9030,8 @@ instant attention).-12.6. The Test Nextcloud
-+13.5. The Test Nextcloud
+Further tests involve Nextcloud account management. Nextcloud is installed on
core
as described in Configure Nextcloud. Once @@ -9009,8 +9057,8 @@ using the./inst new
command and issuing client VPN keys with the-12.7. Test New Command
-+13.6. Test New Command
+A member must be enrolled so that a member's client machine can be authorized and then test the VPNs, Nextcloud, and the web sites. @@ -9030,8 +9078,8 @@ Take note of Dick's initial password.
-12.8. The Test Member Notebook
-+13.7. The Test Member Notebook
+@@ -9075,8 +9122,8 @@ require several more).A test member's notebook is created next, much like the servers, except with memory and disk space doubled to 2GiB and 8GiB, and a @@ -9045,9 +9093,8 @@ desktop VPN client and web browser test the OpenVPN configurations on RAM=2048 DISK=8192 create_vm -VBoxManage modifyvm $NAME --nic1 hostonly --hostonlyadapter1 vboxnet1 VBoxManage modifyvm $NAME --macaddress1 080027dc54b5 -VBoxManage startvm $NAME --type headless +VBoxManage modifyvm $NAME --nic1 hostonly --hostonlyadapter1 vboxnet1
-12.9. Test Client Command
-+13.8. Test Client Command
+The
./inst client
command is used to issue keys for the institute's VPNs. The following command generates two.ovpn(OpenVPN @@ -9092,8 +9139,8 @@ the test VPNs.-12.10. Test Campus VPN
-+13.9. Test Campus VPN
+The
campus.ovpnOpenVPN configuration file (generated in Test Client Command) is transferred todick
, which is at the Wi-Fi access @@ -9131,8 +9178,8 @@ host www-12.11. Test Web Pages
-+13.10. Test Web Pages
+Next, the administrator copies
Backup/WWW/(included in the distribution) to/WWW/oncore
and sets the file permissions @@ -9171,8 +9218,8 @@ will warn but allow the luser to continue.-12.12. Test Web Update
-+13.11. Test Web Update
+Modify
/WWW/live/index.htmloncore
and wait 15 minutes for it to appear ashttps://small.example.org/
(and in/home/www/index.html@@ -9186,8 +9233,8 @@ Hack/home/www/index.htmlonfront
and observe the result at-12.13. Test Nextcloud
-+13.12. Test Nextcloud
+Nextcloud is typically installed and configured after the first Ansible run, when
core
has Internet access viagate
. Until the @@ -9196,7 +9243,7 @@ code skips parts of the Nextcloud configuration. The same installation (or restoration) process used on Core is used oncore
to create/Nextcloud/. The process starts with Create/Nextcloud/, involves Restore Nextcloud or Install Nextcloud, -and runs./inst config core
again 7.25.6. When the./inst +and runs
./inst config core
again 8.24.6. When the./inst config core
command is happy with the Nextcloud configuration oncore
, the administrator uses Dick's notebook to test it, performing the following tests ondick
's desktop. @@ -9275,8 +9322,8 @@ the calendar.-12.14. Test Email
-+13.13. Test Email
+With Evolution running on the member notebook
dick
, one second email delivery can be demonstrated. The administrator runs the following @@ -9304,8 +9351,8 @@ Outgoing email is also tested. A message to-12.15. Test Public VPN
-+13.14. Test Public VPN
+At this point,
dick
can move abroad, from the campus Wi-Fi (host-only networkvboxnet1
) to the broader Internet (the NAT @@ -9358,8 +9405,8 @@ calendar events.-12.16. Test Pass Command
-+13.15. Test Pass Command
+To test the
./inst pass
command, the administrator logs in tocore
asdick
and runspasswd
. A random password is entered, more @@ -9406,8 +9453,8 @@ Finally, the administrator verifies thatdick
can login onco
-12.17. Test Old Command
-+13.16. Test Old Command
+One more institute command is left to exercise. The administrator retires
dick
and his main devicedick
. @@ -9427,16 +9474,16 @@ should fail.-13. Future Work
-+14. Future Work
+The small institute's network, as currently defined in this doocument, is lacking in a number of respects.
-13.1. Deficiencies
-+14.1. Deficiencies
+The current network monitoring is rudimentary. It could use some love, like intrusion detection via Snort or similar. Services on @@ -9502,16 +9549,16 @@ Nextcloud Administration Overview page.
-13.2. More Tests
-+14.2. More Tests
+The testing process described in the previous chapter is far from complete. Additional tests are needed.
-13.2.1. Backup
-+14.2.1. Backup
+The
backup
command has not been tested. It needs an encrypted partition with which to sync? And then some way to compare that to @@ -9520,8 +9567,8 @@ partition with which to sync? And then some way to compare that to-13.2.2. Restore
-+14.2.2. Restore
+The restore process has not been tested. It might just copy
Backup/tocore:/
, but then it probably needs to fix up file ownerships, @@ -9531,8 +9578,8 @@ perhaps permissions too. It could also use an example-13.2.3. Campus Disconnect
-+14.2.3. Campus Disconnect
+Email access (IMAPS) on
front
is… difficult to test unlesscore
's fetchmails are disconnected, i.e. the whole campus is @@ -9556,8 +9603,8 @@ could be used.-14. Appendix: The Bootstrap
-+15. Appendix: The Bootstrap
+Creating the private network from whole cloth (machines with recent standard distributions installed) is not straightforward. @@ -9577,8 +9624,8 @@ get to the additional packages.
-14.1. The Current Strategy
-+15.1. The Current Strategy
+The strategy pursued in The Hardware is two phase: prepare the servers on the Internet where additional packages are accessible, then connect @@ -9589,8 +9636,8 @@ fails), and avoid names until BIND9 is configured.
-14.2. Starting With Gate
-+15.2. Starting With Gate
+The strategy of Starting With Gate concentrates on configuring Gate's connection to the campus ISP in hope of allowing all to download @@ -9634,8 +9681,8 @@ ansible-playbook -l core site.yml
-14.3. Pre-provision With Ansible
-+-- 2.25.1 -15.3. Pre-provision With Ansible
+A refinement of the current strategy might avoid the need to maintain (and test!) lists of "additional" packages. With Core and Gate and @@ -9694,7 +9741,7 @@ routes on Front and Gate, making the simulation less… similar.