From fdf4dca28b92223c3db2584b0a5e2fd39e8dbcbc Mon Sep 17 00:00:00 2001
From: Matt Birkholz
Date: Sun, 8 Jun 2025 15:51:39 -0600
Subject: [PATCH] Rename front_private_addr. Fix overlong lines, and ./inst client argument parsing error handling.
---
 README.org | 58 ++++++++++++++++++---------------
 inst | 2 +-
 private/vars.yml | 2 +-
 roles_t/core/files/inst_sensors | 3 +-
 roles_t/core/tasks/main.yml | 7 ++--
 roles_t/front/tasks/main.yml | 4 +--
 6 files changed, 41 insertions(+), 35 deletions(-)
diff --git a/README.org b/README.org
index 62e92a5..3c14eb8 100644
--- a/README.org
+++ b/README.org
@@ -751,17 +751,17 @@ domain_priv: small.private
 ** Subnets
 The small institute uses a private Ethernet, two VPNs, and an
-untrusted Ethernet (for the campus Wi-Fi access point). Each must
-have a unique private network address. Hosts using the VPNs are also
-using foreign private networks, e.g. a notebook on a hotel Wi-Fi. To
-better the chances that all of these networks get unique addresses,
-the small institute uses addresses in the IANA's (Internet Assigned
-Numbers Authority's) private network address ranges /except/ the
-~192.168~ address range already in widespread use. This still leaves
-69,632 8 bit networks (each addressing up to 254 hosts) from which to
-choose. The following table lists their CIDRs (subnet numbers in
-Classless Inter-Domain Routing notation) in abbreviated form (eliding
-69,624 rows).
+untrusted Ethernet for the campus Wi-Fi access point(s) and wired IoT
+appliances). Each must have a unique private network address. Hosts
+using the VPNs are also using foreign private networks, e.g. a
+notebook on a hotel Wi-Fi. To better the chances that all of these
+networks get unique addresses, the small institute uses addresses in
+the IANA's (Internet Assigned Numbers Authority's) private network
+address ranges /except/ the ~192.168~ address range already in
+widespread use. This still leaves 69,632 8 bit networks (each
+addressing up to 254 hosts) from which to choose. The following table
+lists their CIDRs (subnet numbers in Classless Inter-Domain Routing
+notation) in abbreviated form (eliding 69,624 rows).
 # 10.0.0.0 -- 10.255.255.255 => (* 256 256) subnets
 # 172.16.0.0 -- 172.31.255.255 => (* 16 256) subnets
 # (+ (* 256 256) (* 16 256)) => 69632 subnets
@@ -871,9 +871,10 @@ code. The first two are Core's and Gate's addresses on the private Ethernet. The next two are Gate's and the campus Wi-Fi's addresses on the "wild" subnet, the untrusted Ethernet (~wild_net~) between Gate and the campus Wi-Fi access point(s) and IoT appliances. The last is
-Front's address on the public VPN, perversely called
-~front_private_addr~. The following code block picks the obvious IP
-addresses for Core (host 1) and Gate (host 2).
+Front's address on the public VPN, ~front_vpn_addr~. The following
+code block picks the obvious IP addresses for Core (host 1) and Gate
+(host 2) on the private Ethernet, Gate and a Wi-Fi access point on the
+wild Ethernet, and Front on the public VPN.
 #+CAPTION: [[file:private/vars.yml][=private/vars.yml=]]
 #+BEGIN_SRC conf :tangle private/vars.yml
@@ -882,7 +883,7 @@ gate_addr_cidr: "{{ private_net_cidr | ansible.utils.ipaddr('2') }}"
 gate_wild_addr_cidr: "{{ wild_net_cidr | ansible.utils.ipaddr('1') }}"
 wifi_wan_addr_cidr: "{{ wild_net_cidr | ansible.utils.ipaddr('2') }}"
-front_private_addr_cidr:
+front_vpn_addr_cidr:
 "{{ public_vpn_net_cidr | ansible.utils.ipaddr('1') }}"
 core_addr: "{{ core_addr_cidr | ansible.utils.ipaddr('address') }}"
@@ -891,8 +892,8 @@ gate_wild_addr: "{{ gate_wild_addr_cidr | ansible.utils.ipaddr('address') }}"
 wifi_wan_addr: "{{ wifi_wan_addr_cidr | ansible.utils.ipaddr('address') }}"
-front_private_addr:
- "{{ front_private_addr_cidr | ansible.utils.ipaddr('address') }}"
+front_vpn_addr:
+ "{{ front_vpn_addr_cidr | ansible.utils.ipaddr('address') }}"
 #+END_SRC
@@ -987,7 +988,8 @@ The administrator should install them now, and deal with the machine's change of SSH identity. The following commands copied the host keys in =Secret/ssh_front/= to the droplet and restarted the SSH server.
-: notebook$ scp Secret/ssh_front/etc/ssh/ssh_host_* sysadm@159.65.75.60:
+: notebook$ ( cd Secret/ssh_front/etc/ssh/;
+: notebook_ scp ssh_host_* sysadm@159.65.75.60: )
 : notebook$ ssh sysadm@159.65.75.60
 : sysadm@ubuntu$ chmod 600 ssh_host_*
 : sysadm@ubuntu$ chmod 644 ssh_host_*.pub
@@ -1790,7 +1792,7 @@ created by a more specialized role.
 abuse: root
 webmaster: root
 admin: root
- monkey: monkey@{{ front_private_addr }}
+ monkey: monkey@{{ front_vpn_addr }}
 root: {{ ansible_user }}
 path: /etc/aliases
 marker: "# {mark} INSTITUTE MANAGED BLOCK"
@@ -2165,7 +2167,7 @@ push "route {{ campus_vpn_net_and_mask }}"
 The complete OpenVPN configuration for Front includes a ~server~ option, the ~client-config-dir~ option, the routes mentioned above,
-and the common options discussed in [[*The VPN Services][The VPN Service]].
+and the common options discussed in [[*The VPN Service][The VPN Service]].
 #+NAME: openvpn-front
 #+CAPTION: ~openvpn-front~
@@ -2293,12 +2295,12 @@ the public VPN. To enforce this expectation, Kamailio is instructed to listen /only/ on Front's public VPN. The private name ~sip.small.private~ resolves to this address for the convenience of members configuring SIP clients. The server configuration
-specifies the actual IP, known here as ~front_private_addr~.
+specifies the actual IP, known here as ~front_vpn_addr~.
 #+NAME: kamailio
 #+CAPTION: ~kamailio~
 #+BEGIN_SRC conf
-listen=udp:{{ front_private_addr }}:5060
+listen=udp:{{ front_vpn_addr }}:5060
 #+END_SRC
 The Ansible tasks that install and configure Kamailio follow, but
@@ -3052,7 +3054,7 @@ Core uses Front to relay messages to the Internet.
 #+NAME: postfix-core-relayhost
 #+CAPTION: ~postfix-core-relayhost~
 #+BEGIN_SRC conf
-- { p: relayhost, v: "[{{ front_private_addr }}]" }
+- { p: relayhost, v: "[{{ front_vpn_addr }}]" }
 #+END_SRC
 Core uses a Postfix transport file, =/etc/postfix/transport=, to
@@ -3253,7 +3255,7 @@ set no spambounce
 set no syslog
 #set logfile /home/{{ item }}/.fetchmail.log
-poll {{ front_private_addr }} protocol imap timeout 15
+poll {{ front_vpn_addr }} protocol imap timeout 15
 username {{ item }} password "{{ members[item].password_fetchmail }}" fetchall ssl sslproto tls1.2+ sslcertck sslcommonname {{ domain_name }}
@@ -3763,7 +3765,8 @@ Core and Campus (and thus Gate) machines.
 backrefs: yes
 loop:
 - { regexp: "^( *cfg_file *= *localhost.cfg)", line: "# \\1" }
- - { regexp: "^( *admin_email *= *)", line: "\\1{{ ansible_user }}@localhost" }
+ - { regexp: "^( *admin_email *= *)",
+ line: "\\1{{ ansible_user }}@localhost" }
 notify: Reload NAGIOS4.
 - name: Configure NAGIOS4 contacts.
@@ -3899,7 +3902,8 @@ print_help() {
 echo ""
 print_usage
 echo ""
- echo "This plugin checks hardware status using the lm_sensors package."
+ echo -n "This plugin checks hardware status"
+ echo " using the lm_sensors package."
 echo ""
 support
 exit $STATE_OK
@@ -6606,7 +6610,7 @@ if (defined $ARGV[0] && $ARGV[0] eq "client") {
 die "usage: $0 client $type NAME USER\n" if @ARGV != 4;
 die "$name: invalid host name\n" if $name !~ /^[a-z][-a-z0-9]+$/;
 } else {
- die "usage: $0 client [debian|android|campus]\n" if @ARGV != 4;
+ die "usage: $0 client [debian|android|campus]\n";
 }
 my $yaml;
 my $member;
diff --git a/inst b/inst
index 6a2e8f2..43ee139 100755
--- a/inst
+++ b/inst
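Review bot: The new `echo -n` in print_help relies on a non-portable echo option: POSIX leaves `-n` implementation-defined, so under a /bin/sh whose echo does not honour it (the interpreter line is outside the hunk, so this is only a risk if the script is not run by bash) the help text would come out as `-n This plugin checks hardware status` followed by a line break. The line-length fix stays portable if that line becomes `printf '%s' "This plugin checks hardware status"` and the following `echo " using the lm_sensors package."` is kept as is. The same split is made in the roles_t/core/files/inst_sensors hunk at @@ -16,7 +16,8 @@, presumably the tangled copy of this block, and should be changed to match. print_help begins outside the hunk.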
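Review bot: The usage message in the else branch's new unconditional `die` still omits the two required positional arguments that the sibling `die` above reports (`NAME USER`), so a caller who mistypes the client type is shown an incomplete synopsis and may retry with too few arguments; consider `die "usage: $0 client {debian|android|campus} NAME USER\n";`, with braces because the type is mandatory rather than optional. Dropping the `if @ARGV != 4` guard itself is right, since the old line let a four-argument invocation with an unrecognised type continue past this check. The enclosing if/else starts outside the hunk. The inst hunk at @@ -374,7 +374,7 @@ makes the identical change, presumably the tangled copy of this block, and should carry the same message.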
@@ -374,7 +374,7 @@ if (defined $ARGV[0] && $ARGV[0] eq "client") {
 die "usage: $0 client $type NAME USER\n" if @ARGV != 4;
 die "$name: invalid host name\n" if $name !~ /^[a-z][-a-z0-9]+$/;
 } else {
- die "usage: $0 client [debian|android|campus]\n" if @ARGV != 4;
+ die "usage: $0 client [debian|android|campus]\n";
 }
 my $yaml;
 my $member;
diff --git a/private/vars.yml b/private/vars.yml
index 1f493df..41a070b 100644
--- a/private/vars.yml
+++ b/private/vars.yml
@@ -35,7 +35,7 @@ gate_addr_cidr: "{{ private_net_cidr | ansible.utils.ipaddr('2') }}"
 gate_wild_addr_cidr: "{{ wild_net_cidr | ansible.utils.ipaddr('1') }}"
 wifi_wan_addr_cidr: "{{ wild_net_cidr | ansible.utils.ipaddr('2') }}"
-front_private_addr_cidr:
+front_vpn_addr_cidr:
 "{{ public_vpn_net_cidr | ansible.utils.ipaddr('1') }}"
 core_addr: "{{ core_addr_cidr | ansible.utils.ipaddr('address') }}"
diff --git a/roles_t/core/files/inst_sensors b/roles_t/core/files/inst_sensors
index 1bca115..023aa3e 100644
--- a/roles_t/core/files/inst_sensors
+++ b/roles_t/core/files/inst_sensors
@@ -16,7 +16,8 @@ print_help() {
 echo ""
 print_usage
 echo ""
- echo "This plugin checks hardware status using the lm_sensors package."
+ echo -n "This plugin checks hardware status"
+ echo " using the lm_sensors package."
 echo ""
 support
 exit $STATE_OK
diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml
index 8110f1f..fe15e91 100644
--- a/roles_t/core/tasks/main.yml
+++ b/roles_t/core/tasks/main.yml
@@ -309,7 +309,7 @@
 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
- - { p: relayhost, v: "[{{ front_private_addr }}]" }
+ - { p: relayhost, v: "[{{ front_vpn_addr }}]" }
 - { p: inet_interfaces, v: "127.0.0.1 {{ core_addr }}" }
 - { p: transport_maps, v: "hash:/etc/postfix/transport" }
 notify: Restart Postfix.
@@ -381,7 +381,7 @@
 set no syslog
 #set logfile /home/{{ item }}/.fetchmail.log
- poll {{ front_private_addr }} protocol imap timeout 15
+ poll {{ front_vpn_addr }} protocol imap timeout 15
 username {{ item }} password "{{ members[item].password_fetchmail }}" fetchall ssl sslproto tls1.2+ sslcertck sslcommonname {{ domain_name }}
@@ -677,7 +677,8 @@
 backrefs: yes
 loop:
 - { regexp: "^( *cfg_file *= *localhost.cfg)", line: "# \\1" }
- - { regexp: "^( *admin_email *= *)", line: "\\1{{ ansible_user }}@localhost" }
+ - { regexp: "^( *admin_email *= *)",
+ line: "\\1{{ ansible_user }}@localhost" }
 notify: Reload NAGIOS4.
 - name: Configure NAGIOS4 contacts.
diff --git a/roles_t/front/tasks/main.yml b/roles_t/front/tasks/main.yml
index 882291e..ed06a63 100644
--- a/roles_t/front/tasks/main.yml
+++ b/roles_t/front/tasks/main.yml
@@ -177,7 +177,7 @@
 abuse: root
 webmaster: root
 admin: root
- monkey: monkey@{{ front_private_addr }}
+ monkey: monkey@{{ front_vpn_addr }}
 root: {{ ansible_user }}
 path: /etc/aliases
 marker: "# {mark} INSTITUTE MANAGED BLOCK"
@@ -478,7 +478,7 @@
 become: yes
 copy:
 content: |
- listen=udp:{{ front_private_addr }}:5060
+ listen=udp:{{ front_vpn_addr }}:5060
 dest: /etc/kamailio/kamailio-local.cfg
 notify: Restart Kamailio.
-- 
2.25.1