From 9aa679b8677c455b7426f092ef43de146f02b47a Mon Sep 17 00:00:00 2001 From: Pjotr Prins Date: Thu, 19 Jun 2025 09:19:21 +0200 Subject: Hide references to UT services --- topics/deploy/uthsc-vpn-with-free-software.gmi | 8 ++++---- topics/deploy/uthsc-vpn.scm | 4 ++-- topics/systems/update-production-checklist.gmi | 22 +++++++++++----------- 3 files changed, 17 insertions(+), 17 deletions(-) (limited to 'topics') diff --git a/topics/deploy/uthsc-vpn-with-free-software.gmi b/topics/deploy/uthsc-vpn-with-free-software.gmi index 95fd1cd..707a28a 100644 --- a/topics/deploy/uthsc-vpn-with-free-software.gmi +++ b/topics/deploy/uthsc-vpn-with-free-software.gmi @@ -6,7 +6,7 @@ It is possible to connect to the UTHSC VPN using only free software. For this, y To connect, run openconnect-sso as follows. A browser window will pop up for you to complete the Duo authentication. Once done, you will be connected to the VPN. ``` -$ openconnect-sso --server uthscvpn1.uthsc.edu --authgroup UTHSC +$ openconnect-sso --server vpn-server --authgroup UTHSC ``` Note that openconnect-sso should be run as a regular user, not as root. After passing Duo authentication, openconnect-sso will try to gain root priviliges to set up the network routes. At that point, it will prompt you for your password using sudo. @@ -22,7 +22,7 @@ openconnect, by default, tunnels all your traffic through the VPN. This is not g For example, to connect to the UTHSC VPN but only access the hosts tux01 and tux02e through the VPN, run the following command. ``` -$ openconnect-sso --server uthscvpn1.uthsc.edu --authgroup UTHSC -- --script 'vpn-slice tux01 tux02e' +$ openconnect-sso --server vpn-server --authgroup UTHSC -- --script 'vpn-slice tux01 tux02e' ``` The vpn-slice script looks up the hostnames tux01 and tux02e on the VPN DNS and adds /etc/hosts entries and routes to your system. vpn-slice can also set up more complicated routes. To learn more, read the vpn-slice documentation. @@ -52,7 +52,7 @@ Then, run the openconnect-sso client as usual. ## Misconfigured UTHSC TLS certificate The UTHSC TLS certificate does not validate on some systems. You can work around this by downloading the certificate chain and adding it to your system: -* Navigate with browser to https://uthscvpn1.uthsc.edu/. Inspect the certificate in the browser (lock icon next to search bar) and export .pem file +* Navigate with browser to https://vpn-server/. Inspect the certificate in the browser (lock icon next to search bar) and export .pem file * Move it to /usr/local/share/ca-certificates (with .crt extension) or equivalent * On Debian/Ubuntu update the certificate store with update-ca-certificates You should see @@ -65,7 +65,7 @@ Thanks Niklas. See also However, adding certificates to your system manually is not good security practice. It is better to limit the added certificate to the openconnect process. You can do this using the REQUESTS_CA_BUNDLE environment variable like so: ``` -REQUESTS_CA_BUNDLE=/path/to/uthsc/certificate.pem openconnect-sso --server uthscvpn1.uthsc.edu --authgroup UTHSC +REQUESTS_CA_BUNDLE=/path/to/uthsc/certificate.pem openconnect-sso --server vpn-server --authgroup UTHSC ``` ## Putting it all together using Guix G-expressions diff --git a/topics/deploy/uthsc-vpn.scm b/topics/deploy/uthsc-vpn.scm index 82f67f5..a4106ec 100644 --- a/topics/deploy/uthsc-vpn.scm +++ b/topics/deploy/uthsc-vpn.scm @@ -9,7 +9,7 @@ ;; Put in the hosts you are interested in here. (define %hosts (list "octopus01" - "spacex.uthsc.edu")) + "spacex")) (define (ini-file name scm) "Return a file-like object representing INI file with @var{name} and @@ -81,7 +81,7 @@ (setenv "REQUESTS_CA_BUNDLE" #$(local-file "uthsc-certificate.pem")) (invoke #$(file-append openconnect-sso-uthsc "/bin/openconnect-sso") - "--server" "uthscvpn1.uthsc.edu" + "--server" "$vpn-server" ; ask us for end-point or see UT docs "--authgroup" "UTHSC" "--" "--script" (string-join (cons #$(file-append vpn-slice "/bin/vpn-slice") diff --git a/topics/systems/update-production-checklist.gmi b/topics/systems/update-production-checklist.gmi index b17077b..23bf54c 100644 --- a/topics/systems/update-production-checklist.gmi +++ b/topics/systems/update-production-checklist.gmi @@ -114,12 +114,12 @@ We use borg for backups. First restore the backup on the PCIe. Also a test for o The swaks package is quite useful to test for a valid receive host: ``` -swaks --to testing-my-server@gmail.com --server smtp.uthsc.edu -=== Trying smtp.uthsc.edu:25... -=== Connected to smtp.uthsc.edu. -<- 220 mailrouter8.uthsc.edu ESMTP NO UCE - -> EHLO tux04.uthsc.edu -<- 250-mailrouter8.uthsc.edu +swaks --to testing-my-server@gmail.com --server smtp.network +=== Trying smtp.network:25... +=== Connected to smtp.network. +<- 220 mailrouter8.network ESMTP NO UCE + -> EHLO tux04.network +<- 250-mailrouter8.network <- 250-PIPELINING <- 250-SIZE 26214400 <- 250-VRFY @@ -129,7 +129,7 @@ swaks --to testing-my-server@gmail.com --server smtp.uthsc.edu <- 250-8BITMIME <- 250-DSN <- 250 SMTPUTF8 - -> MAIL FROM: + -> MAIL FROM: <- 250 2.1.0 Ok -> RCPT TO: <- 250 2.1.5 Ok @@ -137,9 +137,9 @@ swaks --to testing-my-server@gmail.com --server smtp.uthsc.edu <- 354 End data with . -> Date: Thu, 06 Mar 2025 08:34:24 +0000 -> To: pjotr2020@thebird.nl - -> From: root@tux04.uthsc.edu + -> From: root@tux04.network -> Subject: test Thu, 06 Mar 2025 08:34:24 +0000 - -> Message-Id: <20250306083424.624509@tux04.uthsc.edu> + -> Message-Id: <20250306083424.624509@tux04.network> -> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/ -> -> This is a test mailing @@ -161,7 +161,7 @@ dc_readhost='' dc_relay_domains='' dc_minimaldns='false' dc_relay_nets='' -dc_smarthost='smtp.uthsc.edu' +dc_smarthost='smtp.network' CFILEMODE='644' dc_use_split_config='false' dc_hide_mailname='false' @@ -172,7 +172,7 @@ dc_localdelivery='maildir_home' And this should work: ``` -swaks --to myemailaddress --from john@uthsc.edu --server localhost +swaks --to myemailaddress --from john@network --server localhost ``` # Backups -- cgit 1.4.1