1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
# My personal infrastructure
* OVH 2Gb RAM VPS running FreeIPA (also tinc/ocserv)
* Hetzner auction server: 48Gb RAM, 2x2Tb HDD. Runs Proxmox, tinc/ocserv, Apache as reverse proxy
* LXC container running FreeIPA replica
* LXC container running Nagios
* LXC container running NextCloud
* LXC container running Grafana
* LXC container running Ipsilon
* LXC container running my Wordpress blog
* LXC container running PostgreSQL
* LXC container running a workstation
* VM running Jenkins, Gitolite
* VM running Discourse
* VM running Dokku
* Flat 1
* HP Proliant Microserver: 4Gb RAM, 2x4Tb HDD
* DHCP/DNS
* Runs SMB/NFS
* ZFS backups on external USB drives
* tinc/ocserv
* Raspberry Pi running LibreElec + TVHeadend, records to NFS share on HP server
* Flat 2
* Raspberry Pi running Raspbian, runs DHCP/DNS, tinc/ocserv
## Networking
I like having working DNS, so I run dnsmasq on both flats and for the Proxmox network on the Hetzner server.
It also does integrated DHCP (mostly everything gets a DHCP IP and thus, a hostname).
Every environment has a /24 network with DNS/DHCP and their own domain (hetzner.int.mydomain, flat1.int.mydomain, etc.).
I've set up SRV records so DNS resolution works across networks (even reverse DNS).
I join all networks using tinc in a mesh.
On every network I've also set up ocserv to provide remote access if I'm outside these networks; I can pick the closest access point and reach my entire network.
## Authentication
I run a two-node FreeIPA cluster.
It provides a user directory and centralized auth, with paswordless single-sign on.
It also has sudo integration, so I can sudo on all systems with a single password.
Many systems and services are integrated in FreeIPA.
My laptop is joined to the domain so I can even log in to some web applications without typing a password.
Ipsilon adds SAML for some applications which do not support Kerberos.
## Monitoring
I run Nagios monitoring all hosts and services.
I get alerts for hosts and services being down.
I monitor some stuff like Nextcloud updates using Nagios and cron jobs.
I use https://github.com/alexpdp7/ragent as the monitor, which also means I get notifications when a host is updated and requires a reboot.
## Configuration management
I use Ansible playbooks to provision VMs on Proxmox.
I also use Ansible for some orchestration tasks (such as deploying FreeIPA replicas, handling Letsencrypt certificates, etc.).
I use an Ansible playbook using https://github.com/alexpdp7/ansible-puppet/ to run Puppet to configure individual systems.
|
