From d12282d1487439093f82cb9f4c0b41618767e063 Mon Sep 17 00:00:00 2001 From: alex Date: Tue, 17 Mar 2020 22:09:41 +0100 Subject: [PATCH] Initial add of PERSONAL_INFRA.md --- PERSONAL_INFRA.md | 59 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 PERSONAL_INFRA.md diff --git a/PERSONAL_INFRA.md b/PERSONAL_INFRA.md new file mode 100644 index 0000000..6ec20fc --- /dev/null +++ b/PERSONAL_INFRA.md @@ -0,0 +1,59 @@ +# My personal infrastructure + +* OVH 2Gb RAM VPS running FreeIPA (also tinc/ocserv) +* Hetzner auction server: 48Gb RAM, 2x2Tb HDD. Runs Proxmox, tinc/ocserv, Apache as reverse proxy + * LXC container running FreeIPA replica + * LXC container running Nagios + * LXC container running NextCloud + * LXC container running Grafana + * LXC container running Ipsilon + * LXC container running my Wordpress blog + * LXC container running PostgreSQL + * LXC container running a workstation + * VM running Jenkins, Gitolite + * VM running Discourse + * VM running Dokku +* Flat 1 + * HP Proliant Microserver: 4Gb RAM, 2x4Tb HDD + * DHCP/DNS + * Runs SMB/NFS + * ZFS backups on external USB drives + * tinc/ocserv + * Raspberry Pi running LibreElec + TVHeadend, records to NFS share on HP server +* Flat 2 + * Raspberry Pi running Raspbian, runs DHCP/DNS, tinc/ocserv + +## Networking + +I like having working DNS, so I run dnsmasq on both flats and for the Proxmox network on the Hetzner server. +It also does integrated DHCP (mostly everything gets a DHCP IP and thus, a hostname). +Every environment has a /24 network with DNS/DHCP and their own domain (hetzner.int.mydomain, flat1.int.mydomain, etc.). +I've set up SRV records so DNS resolution works across networks (even reverse DNS). +I join all networks using tinc in a mesh. + +On every network I've also set up ocserv to provide remote access if I'm outside these networks; I can pick the closest access point and reach my entire network. + +## Authentication + +I run a two-node FreeIPA cluster. +It provides a user directory and centralized auth, with paswordless single-sign on. +It also has sudo integration, so I can sudo on all systems with a single password. + +Many systems and services are integrated in FreeIPA. +My laptop is joined to the domain so I can even log in to some web applications without typing a password. + +Ipsilon adds SAML for some applications which do not support Kerberos. + +## Monitoring + +I run Nagios monitoring all hosts and services. +I get alerts for hosts and services being down. +I monitor some stuff like Nextcloud updates using Nagios and cron jobs. +I use https://github.com/alexpdp7/ragent as the monitor, which also means I get notifications when a host is updated and requires a reboot. + +## Configuration management + +I use Ansible playbooks to provision VMs on Proxmox. +I also use Ansible for some orchestration tasks (such as deploying FreeIPA replicas, handling Letsencrypt certificates, etc.). + +I use an Ansible playbook using https://github.com/alexpdp7/ansible-puppet/ to run Puppet to configure individual systems. -- 2.47.3