projects:base-infrastructure

projects:base-infrastructure [2017-09-11 18:26]
trinitor
projects:base-infrastructure [2018-05-13 08:58] (current)
trinitor [gitlab]
Line 20: Line 20:
 New highlevel layout New highlevel layout
 <code> <code>
-                            +------------+ +                           +-------------+ 
-                             Fritzbox +                             Fritzbox 
-                            +-+----+----++ +                           | 192.168.1.1 | 
-                              |    |    | +                           +-+----+----+-
-           +------------------+    |    +---------------------+ +                             |    |    | 
-           |                                                +          +------------------+    |    +-----------------------+ 
- 3rd floor |              2nd+floor|                1st+floor | +          |                                                  
-           |                                                +3rd floor |              2nd floor|                   1st+floor| 
-+----------+---------+     +-------+------+          +--------+-----------+ +          |                                                  |USB-NIC (vmbr1, external) 
-       QNAP             WLAN Router |            Proxmox Server   | +          |                                                  
-   192.168.1.31        | 192.168.1.20 |          |    192.168.1.11    | ++---------+---------+   +---------+---------+   +--------------+--------------------------------------+ 
-   +---------------+          NAT              |    +---------------+ +   WLAN Router         WLAN Router    |   |                                                     
-   | 192.168.1.30  |     +--------------+             |  192.168.1.10 +  192.168.1.30        192.168.1.20    |                 +------------------+------------------+ 
-|    |    +------+   |                                  |    +------+   | +       NAT        |          NAT        |                 |192.168.1.10 vmbr1|192.168.1.11 vmbr1| 
-|    |   pfSense VM                                     pfSense VM  +|  192.168.30.0/24  |    192.168.20.0/24  |      Proxmox    |     +------+         +------+     
-      +------+                                 |    |    +------+   ++-------------------+   +-------------------+   192.168.11.10 |    pfSense VM    |     rproxy01     
-   |192.168.30.0/24                                 |               | +                                                    vmbr0         +------+         +------+     
-+------------+-------+                               +----+----+--+-------+ +                                                              |192.168.10.1 vmbr0                 | 
-                                                             |  +                                                |               |192.168.11.1 vmbr2|                  
-             |                                    +------------+  +---------------+ +                                                              +------------------+------------------+ 
-    +--------+-------+                            |                               | +                                                                                                    
-    | Netgear Switch |             192.168.10.0/24|                               |192.168.11.0/24 +                                                +-----------+---+-------------------------------------+ 
-                   |                            |                               | +                                                              | 
-    +----------------+                  +---------+------+                +-------+------+ +                            Virtual Servers (vmbr2, servers)|   |Onboard-NIC (vmbr0, Internal) 
-                                        | Virtual Switch |                |    Switch    | +                                                            |   | 
-                                        +-------+--+-----+                +-----+---+----+ +                                                 +----------+   +----------------+ 
-                                                |  |                            |   | +                                                 |                               | 
-                                           +----+  +----+                 +-----+   +-----+ +                                  192.168.10.0/24|                               |192.168.11.0/24 
-                                           |            |                               | +                                                 |                               | 
-                                +----------+--+   +-----+-------+    +----+-----+   +-----+----+ +                                        +--------+-------+               +-------+------+ 
-                                |   auth VM      chat VM    |       AP      | Freifunk | +                                        | Virtual Switch |               |    Switch    | 
-                                |192.168.10.11|   |192.168.10.12|                        +                                        +------+--+------+               +-----+---+----+ 
-                                +-------------+   +-------------+    +----------+   +----------++                                               |  |                            |   | 
 +                                          +----+  +----+                 +-----+   +-----+ 
 +                                          |            |                               | 
 +                               +----------+--+   +-----+-------+   +-----+------+  +-----+------+ 
 +                               |   auth VM      chat VM    |       AP       Freifunk  
 +                               |192.168.10.11|   |192.168.10.12|   |192.168.11.3            
 +                               +-------------+   +-------------+   +------------+  +------------+
  
 </code> </code>
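Review bot: In the new diagram rproxy01 (192.168.1.11 on vmbr1) sits directly on the shared 192.168.1.0/24 segment next to the pfSense WAN address (192.168.1.10 vmbr1), i.e. outside the fw01 rule set; a one-line legend note saying so would stop readers from assuming the reverse proxy is behind the firewall. The row `|   auth VM      chat VM    |       AP       Freifunk  ` also lost the separating bars between its four boxes, so they read as one box; restoring `|` between them keeps the diagram consistent with the `+----+` borders above and below.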
Line 61: Line 67:
 This is the shared network and it belongs to the building itself. \\ This is the shared network and it belongs to the building itself. \\
 The Fritzbox itself is managed by trinitor \\ The Fritzbox itself is managed by trinitor \\
-Be biggest challenge will the the fight for port forwarding. \\ 
-A shared webserver in the shared network as a reverse proxy could solve the 80/443 fight. \\ 
-Will be done when we have the need. 
  
 Every floor can have 10 static IPs in the shared network \\ Every floor can have 10 static IPs in the shared network \\
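Review bot: Removing the three lines about the 80/443 port-forwarding problem leaves this section silent on the fact that the Fritzbox now forwards ports 80 and 443 to 192.168.1.11; suggest replacing them with a one-line pointer to the Reverse Proxy section so whoever manages the shared network knows those forwards exist and which host (rproxy01) receives them.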
Line 95: Line 98:
 |192.168.11.4  |accesspoint01 |freifunk AP | |192.168.11.4  |accesspoint01 |freifunk AP |
 |192.168.11.10 |virt01        |proxmox server | |192.168.11.10 |virt01        |proxmox server |
 +|192.168.11.11 |virt02        |proxmox server |
 +|192.168.11.20 |music01       |RuneAudio RPi |
 ^Virtual Machines ^^^ ^Virtual Machines ^^^
 +|192.168.1.11  |rproxy01      |nginx reverse proxy |
 |192.168.10.11 |auth01        |UCS | |192.168.10.11 |auth01        |UCS |
 |192.168.10.12 |chat01        |rocket chat | |192.168.10.12 |chat01        |rocket chat |
  
-==== Virtualisation ====+==== Virtualisation (main) ====
 There are some options (ESXi, XenServer, oVirt, ...), but the simplest one seems to be Proxmox. \\ There are some options (ESXi, XenServer, oVirt, ...), but the simplest one seems to be Proxmox. \\
 An old Dell Notebook with an additional USB NIC will be used for now. \\ An old Dell Notebook with an additional USB NIC will be used for now. \\
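Review bot: The new rows (virt02, music01, rproxy01) do not record which Proxmox host a VM runs on now that there are two, and rproxy01 is listed under Virtual Machines with a shared-network address (192.168.1.11) while every other VM uses 192.168.10.x; suggest a host/bridge column or a per-row note such as `rproxy01 (virt01, vmbr1)` so the address is not mistaken for a typo.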
Line 111: Line 117:
 ^Bridges (virtual switches) ^^ ^Bridges (virtual switches) ^^
 |vmbr0 |Internal Bridge, eno1, 192.168.11.10 | |vmbr0 |Internal Bridge, eno1, 192.168.11.10 |
-|vmbr1 |External Bridge, enx9ceb, 192.168.1.11 |+|vmbr1 |External Bridge, enx9ceb, no IP assigned |
 |vmbr2 |Server Bridge, no NIC connected, no IP assigned | |vmbr2 |Server Bridge, no NIC connected, no IP assigned |
  
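Review bot: Setting vmbr1 to `no IP assigned` is the right change (the hypervisor no longer exposes a management address on the shared network and is only reachable on 192.168.11.10), but the old 192.168.1.11 is now reused by rproxy01 in the VM table; add a note here that vmbr1 is a pure pass-through bridge for the pfSense WAN and rproxy01 so the reuse is not read as a stale entry.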
Line 121: Line 127:
 Management: \\ Management: \\
 [[https://192.168.11.10:8006]] [[https://192.168.11.10:8006]]
 +
 +==== Virtualisation (secondary) ====
 +There is also a second Proxmox server with only one NIC. \\
 +It is running on a MacMini and will only be turned on if needed to safe power. \\
 +
 +Proxmox runs on Apple Hardware, but there are some driver issues. \\
 +Disable modules: \\
 +<code>
 +cat >> /etc/modprobe.d/pve-blacklist.conf <<EOF                               
 +blacklist pcspkr
 +blacklist b43
 +EOF
 +</code>
 +
 +don't enable readondriver (which breaks to console) \\
 +vi /etc/defaults/grub
 +<code>
 +GRUB_CMDLINE_LINUX_DEFAULT="nomodeset debug"
 +</code>
 +update-grub
 +
 +Management: \\
 +[[https://192.168.11.11:8006]]
  
 ==== Firewall ==== ==== Firewall ====
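Review bot: The GRUB path in this hunk is wrong: the file is `/etc/default/grub`, not `/etc/defaults/grub`, so `vi /etc/defaults/grub` followed by `update-grub` edits an unused file and changes nothing. Also `readondriver (which breaks to console)` should read `radeon driver (which breaks the console)` and `to safe power` should be `to save power`; the `cat >> /etc/modprobe.d/pve-blacklist.conf <<EOF` line carries trailing whitespace that gets copied with the command. Consider dropping `debug` from `GRUB_CMDLINE_LINUX_DEFAULT` once the driver issue is confirmed, since it raises the kernel console log level for every boot.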
Line 184: Line 213:
     * devbase_delegate_wiki_orgas     * devbase_delegate_wiki_orgas
       * devbase_role_orgas       * devbase_role_orgas
 +
 +LDAP: \\
 +  * create service account (per system)
 +    * Lastname: s-systemname
 +    * Username: s-systemname
 +    * Options
 +      * Kerberos principal
 +      * POSIX account
 +      * Samba account
 +    * test
 +      * Install Apache Directory Studio
 +        * Hostname: auth01.devbase.org
 +        * Port: 389
 +        * Encryption: StartTLS
 +        * Bind DN: cn=s-systemname,cn=users,dc=devbase,dc=org
 +        * Bind Password: xxx
  
 Management: \\ Management: \\
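Review bot: The service-account recipe enables Kerberos principal, POSIX account and Samba account for every `s-systemname` account, but the consumers on this page (Rocket.Chat, Nextcloud, GitLab) only perform an LDAP simple bind over StartTLS; suggest documenting which option each consumer actually needs and leaving the others off, because a POSIX/Samba-enabled bind account can also log in to hosts and shares if its password leaks from one of the application configs. The Apache Directory Studio test is a good addition; have it also confirm that the StartTLS certificate chain from auth01.devbase.org validates, so the application configs do not need to disable verification.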
Line 203: Line 248:
  
 === Access Point Config === === Access Point Config ===
-|SSID                    |/dev/base | +|SSID                    |/dev/base     
-|Version                 |WPA2 | +|Version                 |WPA2          
-|Encryption              |AES |+|Encryption              |AES           |
 |Radius Server IP        |192.168.10.11 | |Radius Server IP        |192.168.10.11 |
-|Radius Port             |1812 | +|Radius Port             |1812          
-|Radius Password         |xxx | +|Radius Password         |xxx           
-|Group Key Update Period |0 |+|Group Key Update Period |0             |
  
 === UCS Config === === UCS Config ===
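Review bot: The reformatted rows for SSID, Version, Radius Port and Radius Password now end without the closing `|` that DokuWiki table rows require (only the Encryption and Group Key Update Period rows keep it), so the table may render with broken cells; add the trailing `|` to each. Unrelated to the formatting change: `Group Key Update Period 0` on most access points means the WPA2 group key is never rotated; confirm that is intended or set a non-zero interval.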
Line 215: Line 260:
 <code> <code>
 client 192.168.11.3 { client 192.168.11.3 {
-        secret=***+        secret=xxx
         shortname=ap01         shortname=ap01
 } }
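Review bot: Replacing `***` with `xxx` only changes the placeholder for the freeradius client secret; fine as long as the real shared secret never lands in the wiki. Suggest stating next to the block that `xxx` is a placeholder and where the actual secret is kept, matching the convention the rest of the page uses for bind passwords. The client address 192.168.11.3 agrees with the AP in the new diagram.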
Line 228: Line 273:
   * systemctl enable snap.rocketchat-server.rocketchat-server.service   * systemctl enable snap.rocketchat-server.rocketchat-server.service
   * systemctl status snap.rocketchat-server.rocketchat-server.service   * systemctl status snap.rocketchat-server.rocketchat-server.service
 +
 +LDAP: \\
 +  * Administration -> LDAP
 +    * Enable: yes
 +    * Login Fallback: True
 +    * Host: auth01.devbase.org
 +    * Port: 389
 +    * Encryption: StartTLS
 +    * CA Cert: -----BEGIN CERTIFICATE----- ...
 +    * Reject: Unauthorized
 +    * Domain Base: dc=devbase,dc=org
 +    * Use Custom Domain Search
 +<code>
 +{"filter": "(&(objectCategory=person)(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=devbase_delegate_access_rocketchat,CN=Groups,DC=devbase,DC=org)(sAMAccountName=#{username}))", "scope": "sub", "userDN": "cn=s-rocketchat,cn=users,dc=devbase,dc=org", "password": "xxx"}
 +</code>
 +    * enable LDAP user group filter: false
 +    * Username Field: sAMAccountName
 +    * Unique Identifier Field: objectGUID,ibm-entryUUID,GUID,dominoUNID,nsuniqueId,uidNumber,cn
 +    * Sync Data: True
 +    * Sync User Avatar: True
 +    * User Data Field Map: {"cn":"name", "userPrincipalName":"email"}
 +    * Merge existing users: False
 +    * Import LDAP users: True
  
 Login: \\ Login: \\
 [[http://192.168.10.12:3000/]] [[http://192.168.10.12:3000/]]
  
-==== Chat (Matrix) ====+==== Reverse Proxy ==== 
 +There will be multiple services on the internal network with need certificates \\ 
 +Lets encrypt should be used when possible \\ 
 + 
 +port 80 will point to one server \\ 
 + 
 +Fritzbox configuration: 
 +  * forward port 80 and 443 to 192.168.1.11 
 + 
 +fw01.devbase.org configuration 
 +  * Firewall -> NAT 
 +  * new 
 +    * Interface: WAN 
 +    * Destination: WAN address 
 +    * Destination port rang: 3000 - 3000 
 +    * Redirect target IP: 192.168.10.12 
 +    * Redirect target port: 3000 
 +  * Firewall -> Rules -> WAN 
 +  * move newly created NAT rule to the right place in the ruleset 
 +  * don't forget to save and activate 
 + 
 +Server Configuration:
   * Install Ubuntu 16.04 LTS   * Install Ubuntu 16.04 LTS
-  * apt update && sudo apt upgrade +  * vi /etc/network/interfaces 
-  * add-apt-repository https://matrix.org/packages/debian+<code> 
-  * wget https://matrix.org/packages/debian/repo-key.asc -O key +iface ens18 inet static 
-  * apt-key add - < key +  address 192.168.1.11/24 
-  * apt update +  gateway 192.168.1.1 
-  * apt install matrix-synapse python-matrix-synapse-ldap3 +  dns-nameservers 192.168.1.1 
-    * Server Name: matrix.devbase.org +</code> 
-  * cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 34 | head -1 +  * apt-get install software-properties-common 
-  * vi /etc/matrix-synapse/homeserver.yaml +  * add-apt-repository ppa:certbot/certbot 
-    * registration_shared_secret: your_random_string +  * apt-get update 
-  * systemctl enable matrix-synapse.service +  * apt-get install certbot nginx 
-  * systemctl start matrix-synapse.service +  * mkdir /var/www/chat_devbase_org 
-  * register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml https://localhost:8448 +  * vi /etc/nginx/sites-available/chat_devbase_org 
-    * name root +<code> 
-    * set password +server { 
-    * make admin = yes+    listen 80; 
 +    server_name chat.devbase.org; 
 +    index index.html index.htm; 
 +    location 
 +        alias /var/www/chat_devbase.org/; 
 +    } 
 +}
  
-Public DNS Recort for federation +server { 
-SRV matrix_tcp.devbase.org +    #client_max_body_size 80M; 
 +    listen 443 ssl default_server; 
 +    server_name chat.devbase.org
 + 
 +    ssl          on; 
 +    ssl_certificate /etc/letsencrypt/live/chat.devbase.org/fullchain.pem; 
 +    ssl_certificate_key /etc/letsencrypt/live/chat.devbase.org/privkey.pem; 
 + 
 +    location / { 
 +        proxy_set_header X-Real-IP $remote_addr; 
 +        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
 +        proxy_set_header Host $http_host; 
 +        proxy_set_header X-NginX-Proxy true; 
 +        proxy_pass http://192.168.1.10:3000; 
 +        proxy_redirect off; 
 +    } 
 +
 +</code> 
 +  * ln -s /etc/nginx/sites-available/chat_devbase_org /etc/nginx/sites-enabled 
 +  * systemctl restart nginx.service 
 +  * certbot certonly --webroot -w /var/www/chat_devbase.org -d chat.devbase.org 
 +  * systemctl restart nginx.service 
 +  * echo "* 3 * * * root certbot renew" >> /etc/crontab
  
 ==== VPN ==== ==== VPN ====
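Review bot: The nginx site in the Reverse Proxy part of this hunk has three defects that will stop it from loading or from passing the ACME challenge: the bare `location` line in the port-80 server must be `location / {`, `server_name chat.devbase.org` in the 443 server is missing its `;`, and the webroot paths disagree (`mkdir /var/www/chat_devbase_org` versus `alias /var/www/chat_devbase.org/` and `certbot ... -w /var/www/chat_devbase.org`), so certbot would write the challenge file into a directory nginx never serves. Minor points: `ssl on;` is deprecated and redundant with `listen 443 ssl`; `Destination port rang` should be `range`; and `proxy_pass http://192.168.1.10:3000` deliberately targets the pfSense WAN address so the new NAT rule forwards to chat01 (192.168.10.12), which deserves a comment in the config since it is not obvious. In the Rocket.Chat LDAP block the `Reject: Unauthorized` and StartTLS settings are good; the custom search JSON embeds the bind password, so keep it as the `xxx` placeholder.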
Line 309: Line 426:
     * allow * to LAN NET     * allow * to LAN NET
     * allow * to Server NET     * allow * to Server NET
-    * allow * to * UDP53+    * allow * to * 53 UDP
     * allow * to trusted sites     * allow * to trusted sites
     * allow * to ICMP     * allow * to ICMP
     * block * to *     * block * to *
 +
 ==== nextcloud ==== ==== nextcloud ====
 +  * install Ubuntu 16.04 LTS
 +  * configure network
 +  * apt update && sudo apt upgrade
 +  * apt-get install apache2 mariadb-server libapache2-mod-php7.0
 +  * apt-get install php7.0-gd php7.0-json php7.0-mysql php7.0-curl php7.0-mbstring php7.0-intl php7.0-mcrypt php-imagick php7.0-xml php7.0-zip php7.0-ldap
 +  * mkdir /opt/install && cd /opt/install
 +  * wget "https://download.nextcloud.com/server/releases/nextcloud-12.0.2.tar.bz2"
 +  * tar xf nextcloud*.tar.bz2
 +  * mv nextcloud /var/www/
 +  * chown -R www-data.www-data /var/www/nextcloud/
 +  * cat >/etc/apache2/sites-available/nextcloud.conf <<EOF
 +<code>
 +Alias /nextcloud "/var/www/nextcloud/"
 + 
 +<Directory /var/www/nextcloud/>
 +   Options +FollowSymlinks
 +   AllowOverride All
 + 
 +   <IfModule mod_dav.c>
 +     Dav off
 +   </IfModule>
 + 
 +   SetEnv HOME /var/www/nextcloud
 +   SetEnv HTTP_HOME /var/www/nextcloud
 +</Directory>
 +EOF
 +  * ln -s /etc/apache2/sites-available/nextcloud.conf /etc/apache2/sites-enabled/
 +  * mysql_secure_installation
 +    * mysql -u root -p
 +      * CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 's3cret';
 +      * CREATE DATABASE nextcloud;
 +      * GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'localhost';
 +  * cat >> /etc/php/7.0/apache2/php.ini <<EOF
 +<code>
 +opcache.enable=1
 +opcache.enable_cli=1
 +opcache.interned_strings_buffer=8
 +opcache.max_accelerated_files=10000
 +opcache.memory_consumption=128
 +opcache.save_comments=1
 +opcache.revalidate_freq=1
 +EOF
 +</code>
 +  * systemctl restart apache2.service
 +  * browse to http://192.168.10.14/nextcloud/
 +    * enter new user credentials for admin user
 +    * configure database
 +  * enable apps: 
 +    * calendar
 +    * contacts
 +    * deck
 +    * tasks
 +    * LDAP user and group backend
 +      * Admin -> LDAP
 +        * Advanced 
 +          * Turn off SSL certificate validation = checked
 +        * Server
 +          * Server: ldaps:/ /auth01.devbase.org:636 
 +          * User: cn=s-nextcloud,cn=users,dc=devbase,dc=org
 +          * Base DN: dc=devbase,dc=org
 +        * Users
 +          * persons
 +        * Login Attributes
 +          * LDAP user
 +        * Group
 +          * devbase_delegate_access_nextcloud
  
 +==== gitlab ====
 +  * install Ubuntu 16.04 LTS
 +  * configure network
 +  * apt update && sudo apt upgrade
 +  * sudo apt-get install -y curl openssh-server ca-certificates
 +  * curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
 +  * sudo echo en_US.UTF-8 UTF-8 > /etc/locale.gen
 +  * sudo locale-gen en_US.UTF-8
 +  * LC_ALL="en_US.UTF-8"
 +  * LC_CTYPE="en_US.UTF-8"
 +  * sudo EXTERNAL_URL="http://gitlab.devbase.org" apt-get install gitlab-ee
 +  * browse to http://git.devbase.org -> set root password
 +  * vi /etc/gitlab/gitlab.rb
 +<code>
 +gitlab_rails['ldap_enabled'] = false
 +gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
 +  main: # 'main' is the GitLab 'provider ID' of this LDAP server
 +    label: 'LDAP'
 +    host: 'auth01.devbase.org'
 +    port: 389
 +    uid: 'sAMAccountName'
 +    bind_dn: 'CN=s-gitlab,CN=Users,DC=devbase,DC=org'
 +    password: 'mylittlepassword'
 +    encryption: 'start_tls' # "start_tls" or "simple_tls" or "plain"
 +    verify_certificates: false
 +    active_directory: true
 +    allow_username_or_email_login: false
 +    lowercase_usernames: false
 +    block_auto_created_users: false
 +    base: 'CN=Users,DC=devbase,DC=org'
 +#     user_filter: ''
 +EOS
 +</code>
 +  * gitlab-ctl reconfigure
 +  * gitlab-rake gitlab:ldap:check
 +
 +==== Music ====
 +Background music should not be interrupted by rebooting clients or phones leaving the building. \\
 +A dedicated client should play the music and controllable by all kind of devices.
 +
 +  * download runeaudio for RPi
 +  * flash to SD card and boot
 +  * browse http://ip
 +    * settings
 +      * hostname: music01
 +      * airplay: on
 +      * airplay name: music01
 +      * UPnP: on
 +      * UPnP name: music01
 +  * ssh root@ip
 +    * passwd
 +    * cat >> /etc/mpd.conf <<EOF
 +<code>
 +audio_output {
 +   type            "httpd"
 +   name            "My HTTP Stream"
 +   encoder         "flac"       # optional, vorbis or lame
 +   port            "8000"
 +   bind_to_address "0.0.0.0"    # optional, IPv4 or IPv6
 +   quality         "5.0"        # do not define if bitrate is defined
 +   # bitrate         "128"      # do not define if quality is defined
 +   format          "44100:16:1"
 +   max_clients     "0"          # optional 0=no limit
 +}
 +EOF
 +</code>
 +  * Library
 +    * Webradio
 +      * http://trance-high.rautemusik.fm
 +      * http://house-high.rautemusik.fm
 +      * http://stream03.uzic.ch:9010
 +
 +Management: \\
 +[[http://music01.devbase.org]]
 +
 +==== Ubiquiti Controller ====
 +To manage the Unfi WiFi access points a Controller is needed
 +  * Install Ubuntu 16.04 LTS
 +  * echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
 +  * apt-key adv --keyserver keyserver.ubuntu.com --recv 06E85760C0A52C50
 +  * apt-get install unifi
 +  * https://<ip>:8443
 ==== Wiki ==== ==== Wiki ====
  
 +==== Matrix - testing only ====
 +  * Install Ubuntu 16.04 LTS
 +  * apt update && sudo apt upgrade
 +  * add-apt-repository https://matrix.org/packages/debian/
 +  * wget https://matrix.org/packages/debian/repo-key.asc -O key
 +  * apt-key add - < key
 +  * apt update
 +  * apt install matrix-synapse python-matrix-synapse-ldap3
 +    * Server Name: matrix.devbase.org
 +  * cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 34 | head -1
 +  * vi /etc/matrix-synapse/homeserver.yaml
 +    * registration_shared_secret: your_random_string
 +  * systemctl enable matrix-synapse.service
 +  * systemctl start matrix-synapse.service
 +  * register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml https://localhost:8448
 +    * name root
 +    * set password
 +    * make admin = yes
 +
 +Public DNS Recort for federation
 +SRV matrix_tcp.devbase.org 
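Review bot: Several issues across the new sections in this hunk. Nextcloud: the `<code>` opened after `cat >/etc/apache2/sites-available/nextcloud.conf <<EOF` is never closed before the next `<code>` (only the php.ini block has a `</code>`), so DokuWiki swallows the list items between them; `Server: ldaps:/ /auth01.devbase.org:636` has a stray space in the scheme; and the tarball is fetched with `wget` and unpacked without any checksum or signature check, so add one. Both the Nextcloud LDAP backend (`Turn off SSL certificate validation = checked`) and GitLab (`verify_certificates: false`) talk to auth01 over TLS with certificate verification disabled, which removes the protection TLS was added for; the Rocket.Chat section already shows a `CA Cert` field, so import the same CA here and re-enable verification. GitLab: `gitlab_rails['ldap_enabled'] = false` contradicts the server block that follows and the `gitlab-rake gitlab:ldap:check` step (it should be `true`); `sudo echo en_US.UTF-8 UTF-8 > /etc/locale.gen` performs the redirect as the unprivileged user (use `echo ... | sudo tee /etc/locale.gen`); and `EXTERNAL_URL="http://gitlab.devbase.org"` does not match the `http://git.devbase.org` browse step. Matrix: `Public DNS Recort` should be `Record`, and the federation SRV name is `_matrix._tcp.devbase.org`, not `matrix_tcp.devbase.org`. The firewall change `allow * to * 53 UDP` is wording only.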
projects/base-infrastructure.1505154394.txt.gz · Last modified: 2017-09-11 18:26 by trinitor