Docs: Difference between revisions
Revision as of 20:40, 22 April 2025
This page is intended as a 'hub' for all of LUG's internal documentation.
All of our documentation is intentionally public so that other student organizations or individuals can replicate aspects of our infrastructure if they so desire.
Topics should generally be broken out into individual articles and linked from this page, unless there is only a very small amount of content.
== Cables ==
== Servers & Services ==
=== Proxmox Cluster ===
[[Infrastructure/Proxmox Cluster]]
=== Mirrors ===
[[Infrastructure/Mirrors]]
=== Shell ===
=== Firewall/Router/Network ===
Our firewall/router runs pfSense, soon to be migrated to OPNsense.
All IP addressing of servers and virtual machines happens through DHCP (except Proxmox nodes, which don't support DHCP and require static addressing), and the current assignments can be viewed in the pfSense 'DHCP Leases' tab.
Otherwise, most configuration can be viewed by poking around the web interface.
==== Firewall rules ====
View the WebUI for the specific firewall rules, but some of the more basic/essential ones are:
- Management cannot communicate with LAN or WAN (the internet), and LAN cannot communicate with Management.
- Generally, Management should be restricted from everything else (maybe even from other iDRAC servers?).
- OOB services tend to be extremely vulnerable: there are dozens of premade scripts that compromise an iDRAC and hand over a root shell just by being pointed at its IP address.
- Because of this, the iDRAC web login interface should only be reachable by people you are okay with having root on the server.
- WireGuard
  - The admin/user split exists so that all members can be given a WireGuard config for the internal network without having to worry about them trivially getting root on every server by running premade exploits like these against the iDRACs.
  - If someone shows up to a couple of meetings they are probably fine to get an admin config; this is more for peace of mind, so we don't need to worry about the configs given to people who came to one meeting at the beginning of the semester and have never been seen again.
  - Neither config should have access to WAN, to prevent someone getting LUG in hot water by attempting to torrent (or something similarly dumb) through the VPN.
==== Main networks ====
We have two main networks:
- 10.10.0.0/24 - Management (OOB management services like Dell iDRAC / HP iLO)
- 10.10.1.0/24 - LAN (servers/VMs)
We may also be getting a /27 of Tech's 141.219.0.0/16 block through IT (~28-30 usable public IP addresses).
The plan is to use reverse NAT to map the public IPs to select internal IPs, since we won't have enough public IPs for every VM (so we can't do it like IT and use exclusively publicly routable addresses).
==== VPN networks ====
In addition, there are two main VPN networks:
- 10.10.10.0/24 - OpenVPN
- 10.10.11.0/24 - WireGuard
  - 10.10.11.0/25 - WireGuard admin range (access to Management + LAN, no WAN)
  - 10.10.11.128/25 - WireGuard user range (access to LAN only, no WAN)
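The segmentation rules above (Management isolated from LAN/WAN, LAN kept out of Management, admin and user WireGuard ranges with no WAN) can be expressed as a small policy model and used to audit observed flows against the intended design. This is an added example, not LUG's own tooling: the zone names, the default-deny for anything the page does not state, and LAN being allowed out to WAN are assumptions.

```python
"""Policy-as-code model of the segmentation described on the Docs page (added example).
Zone names, default-deny for unlisted pairs, and LAN->WAN being allowed are assumptions."""
import ipaddress

# Address ranges from the page; anything outside them is treated as WAN.
ZONES = {
    "MGMT": ipaddress.ip_network("10.10.0.0/24"),       # iDRAC / iLO
    "LAN": ipaddress.ip_network("10.10.1.0/24"),        # servers / VMs
    "OPENVPN": ipaddress.ip_network("10.10.10.0/24"),   # page states no rules for it
    "WG_ADMIN": ipaddress.ip_network("10.10.11.0/25"),
    "WG_USER": ipaddress.ip_network("10.10.11.128/25"),
}

# Allowed destination zones per source zone, from the Firewall rules section.
# Unlisted pairs are denied (assumed default-deny).
ALLOW = {
    "WG_ADMIN": {"MGMT", "LAN"},   # admin configs: Management + LAN, no WAN
    "WG_USER": {"LAN"},            # user configs: LAN only, no WAN
    "LAN": {"LAN", "WAN"},         # assumption: servers may reach the internet
    "MGMT": {"MGMT"},              # Management isolated from LAN and WAN
}

def zone_of(addr: str) -> str:
    """Map an IP address to its zone name, or 'WAN' if it is in no internal range."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"

def is_allowed(src: str, dst: str) -> bool:
    """True if the intended policy permits traffic from src to dst."""
    return zone_of(dst) in ALLOW.get(zone_of(src), set())

def audit(flows):
    """Return the (src, dst) pairs that violate the intended policy,
    e.g. flows parsed from the firewall's state table or logs."""
    return [(s, d) for s, d in flows if not is_allowed(s, d)]

if __name__ == "__main__":
    # Constructed sample flows, not real captured traffic.
    sample = [
        ("10.10.11.5", "10.10.0.20"),     # admin VPN -> iDRAC: allowed
        ("10.10.11.200", "10.10.0.20"),   # user VPN -> iDRAC: violation
        ("10.10.11.5", "93.184.216.34"),  # admin VPN -> internet: violation
        ("10.10.1.30", "10.10.0.20"),     # LAN -> Management: violation
    ]
    for s, d in audit(sample):
        print(f"VIOLATION {s} ({zone_of(s)}) -> {d} ({zone_of(d)})")
```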
=== Fileserver ===
Coming soon; currently unprovisioned (waiting on a new PSU and on fixing the HGST drives).
== Org Management ==
=== Time-sensitive ===
- Email IT for new certs (example template to use; make sure to keep SubjectAltName, etc.)
- Install-a-thons
- Shirt printing
=== Budget ===
- USG meetings
- Making presentable diagrams and representations of data