Docs: Difference between revisions

1,019 bytes removed, 10 February
Updated services to include separate IRC headings for IRC server and IRC bouncer. Linked associated pages/stubs.
This page is intended as a 'hub' for all of LUG's documentation.

All of our documentation is intentionally public so that other student orgs (or individual students) can replicate aspects of our infrastructure if they want. Everything sensitive (private keys, break-glass passwords, etc.) should go in the LUG Bitwarden, not on the wiki.
 
'''Topics should generally be broken out into individual articles and linked on this page, unless there's a very small amount of content.'''
 
== [[Docs/Infrastructure|Infrastructure]] ==
General infrastructure notes

=== [[Docs/Plans|Plans]] ===
Pending upgrades/maintenance to our infrastructure

=== Servers ===

==== [[Docs/Leskinen|Leskinen]] ====
The primary storage server.

Currently has Shell home directory backups and media for Maho.

==== [[Docs/Maho|Maho]] ====
The GPU compute server.

Currently hosts a [https://studio.blender.org/films/ Blender Open Studio Films] mirror via Jellyfin.

==== [[Docs/Mirrors|Mirrors]] ====
The Linux mirror server at mirrors.lug.mtu.edu

==== [[Docs/Proxmox Cluster|Proxmox Cluster]] ====
Our Proxmox cluster, running the majority of our services

==== [[Docs/Shell|Shell]] ====
The shared multi-tenant server for LUG members/alums at [https://shell.lug.mtu.edu/ shell.lug.mtu.edu]

==== Fileserver ====
Coming soon, currently unprovisioned (waiting on a new PSU and on fixing the [[Locked HGST drives|HGST drives]])

=== Network ===

==== [[Docs/Cables|Cables]] ====
Physical cabling and "layer 1" network config.

==== [[Docs/Switches|Switches]] ====
Switch and layer 2 network configs (VLANs).

==== [[Docs/OPNsense|OPNsense]] (Lasanga/Ravioli) ====
Router/Firewall and layer 3+ network configs.

Our firewall/router runs [https://www.pfsense.org/ pfSense], soon to be migrated to [https://opnsense.org/ OPNsense].

All IP addressing of servers and virtual machines happens through DHCP and can be viewed in the pfSense 'DHCP Leases' tab (except for the Proxmox nodes, which don't support DHCP and require static addressing).

Otherwise, most configuration can be viewed by poking around the web interface.

===== Firewall rules =====
View the WebUI for the specific firewall rules, but some of the more basic/essential ones are:

# Management cannot communicate with LAN/WAN (the internet), and LAN cannot communicate with Management.
## Generally, Management should be restricted from everything else (maybe even from the other iDRACs).
## OOB management services tend to be ''super'' vulnerable: there are premade exploit scripts (e.g. for [https://github.com/mgargiullo/cve-2018-1207 CVE-2018-1207]) that give you a root shell on an unpatched iDRAC just by pointing them at its IP address.
## Because of this, the iDRAC web login interface should only be reachable by people you're okay with having root on the server.
# Wireguard
## The admin/user split exists so that all members can be given a Wireguard config for the internal network without having to worry about them trivially getting root on all servers by running premade exploits like [https://github.com/mgargiullo/cve-2018-1207 these] against the iDRACs.
## If someone shows up to a couple of meetings they're probably fine to get an admin config; this is more for peace of mind, so we don't need to worry about the configs given to people who went to one meeting at the beginning of the semester and have never been seen again.
## Neither config should have access to WAN, just to prevent someone getting LUG in hot water if they attempt to torrent (or something similarly dumb) through the VPN.

===== Main networks =====
We have two main networks:
* 10.10.0.0/24 - Management (OOB management services like [https://www.dell.com/en-us/lp/dt/open-manage-idrac Dell iDRAC] / [https://www.hpe.com/us/en/hpe-integrated-lights-out-ilo.html HP iLO])
* 10.10.1.0/24 - LAN (servers/VMs)
We may also be getting a <code>/27</code> of Tech's <code>141.219.0.0/16</code> block through IT (~28-30 usable public IP addresses).

The plan is to use destination NAT (port forwards / 1:1 NAT) to map the public IPs to select internal IPs, since we won't have enough IPs for every VM (so we can't do it like IT and exclusively use publicly routable addresses).

===== VPN networks =====
In addition, there are two main VPN networks:
* 10.10.10.0/24 - OpenVPN
* 10.10.11.0/24 - Wireguard
** 10.10.11.0/25 - Wireguard admin range (access to Management+LAN, no WAN)
** 10.10.11.128/25 - Wireguard user range (access to only LAN, no WAN)
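The Management/LAN/Wireguard split above, written down as policy-as-code so the documented rules can be checked before a firewall change is pushed. This is an added example, not the LUG's actual rule set or an OPNsense/pfSense export: the prefixes are the ones documented on this page, but the allow-list is my reading of the prose, the Wireguard endpoint address (10.10.11.1), the address-allocation rule and every function name are assumptions of the example, and OpenVPN is left out because the page does not say what it may reach.

```python
"""Policy-as-code model of the Management / LAN / Wireguard split.

Added example, not the LUG's own firewall or Wireguard configuration.
The prefixes are the ones documented on the wiki page; the allow-list
encodes the prose rules ("Management cannot communicate with LAN/WAN",
"admin range has access to Management+LAN, no WAN", ...); everything
else (server address, allocation order, names) is assumed.
"""
from ipaddress import ip_address, ip_network

# Documented ranges. OpenVPN (10.10.10.0/24) is omitted because the page
# does not state what it is allowed to reach.
MGMT = ip_network("10.10.0.0/24")        # iDRAC / iLO
LAN = ip_network("10.10.1.0/24")         # servers / VMs
WG_ADMIN = ip_network("10.10.11.0/25")   # Wireguard admin range
WG_USER = ip_network("10.10.11.128/25")  # Wireguard user range
WG_SERVER = ip_address("10.10.11.1")     # assumed address of the Wireguard endpoint

ZONES = (("mgmt", MGMT), ("lan", LAN), ("wg_admin", WG_ADMIN), ("wg_user", WG_USER))


def zone(ip: str) -> str:
    """Map an address to its zone; anything outside the internal ranges is WAN."""
    addr = ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    return "wan"


# Allow-list of (source zone, destination zone). Anything not listed is
# dropped (default deny), which is how "cannot communicate" is enforced.
# Management -> Management is deliberately left out: the stricter reading of
# "maybe even other iDRAC servers".
ALLOW = frozenset({
    ("lan", "lan"), ("lan", "wan"),              # servers: each other + internet
    ("wg_admin", "mgmt"), ("wg_admin", "lan"),   # admin VPN: Management + LAN
    ("wg_user", "lan"),                          # user VPN: LAN only
})


def allowed(src: str, dst: str, allow=ALLOW) -> bool:
    """Would a packet from src to dst pass the firewall under this allow-list?"""
    return (zone(src), zone(dst)) in allow


# Each documented rule as (src, dst, expected, description). Constructed
# sample addresses, one per zone plus a public one for WAN.
DOCUMENTED_RULES = [
    ("10.10.0.5",    "10.10.1.5", False, "Management -> LAN must be blocked"),
    ("10.10.0.5",    "1.1.1.1",   False, "Management -> WAN must be blocked"),
    ("10.10.1.5",    "10.10.0.5", False, "LAN -> Management must be blocked"),
    ("10.10.11.10",  "10.10.0.5", True,  "WG admin -> Management allowed"),
    ("10.10.11.10",  "10.10.1.5", True,  "WG admin -> LAN allowed"),
    ("10.10.11.10",  "1.1.1.1",   False, "WG admin -> WAN must be blocked"),
    ("10.10.11.200", "10.10.1.5", True,  "WG user -> LAN allowed"),
    ("10.10.11.200", "10.10.0.5", False, "WG user -> Management must be blocked"),
    ("10.10.11.200", "1.1.1.1",   False, "WG user -> WAN must be blocked"),
]


def check_invariants(allow=ALLOW) -> list:
    """Descriptions of documented rules that the allow-list violates (empty == consistent)."""
    return [why for src, dst, want, why in DOCUMENTED_RULES if allowed(src, dst, allow) != want]


def wg_allowed_ips(role: str) -> list:
    """Client-side AllowedIPs for a peer of the given role. These are only routes
    on the member's machine; the firewall is what enforces the split, so a member
    editing their own config gains nothing."""
    return {"admin": [str(MGMT), str(LAN)], "user": [str(LAN)]}[role]


def next_peer_address(role: str, in_use: set) -> str:
    """First free /32 in the role's half of 10.10.11.0/24 (skipping the assumed
    endpoint address), so the address alone tells you which range a peer is in."""
    pool = WG_ADMIN if role == "admin" else WG_USER
    for host in pool.hosts():
        if host != WG_SERVER and str(host) not in in_use:
            return f"{host}/32"
    raise RuntimeError(f"{role} pool exhausted")


if __name__ == "__main__":
    print("policy violations:", check_invariants() or "none")
    # A mistaken rule that lets the user range out to the internet is caught:
    print("with user->wan opened:", check_invariants(ALLOW | {("wg_user", "wan")}))
    print("new admin peer:", next_peer_address("admin", {"10.10.11.2"}), wg_allowed_ips("admin"))
    print("new user peer:", next_peer_address("user", set()), wg_allowed_ips("user"))
```

The useful part is `check_invariants`: rerun it against whatever allow-list you are about to deploy, and a change that quietly re-opens Management to the user range or WAN to either VPN range fails loudly instead of being discovered by the next person who points an iDRAC exploit at 10.10.0.0/24.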
 
=== Services ===
 
==== BlueSky ====
 
==== [[Docs/IRC Server|IRC Server]] ====
 
==== [[IRC Bouncer]] ====
 
==== Website ====
 
==== Wiki ====
 
== Org Management ==
 
=== Wiki ===
 
==== Docs ====
How to create/manage pages in this category ("Docs").
 
==== Meeting Minutes ====
Notes are taken during the meetings.
 
There are no specific guidelines, but usually minutes are kept to a series of bullet points, with some elaboration in sub-bullets.
 
These notes can be written in whatever markup format is preferred, but must be converted to MediaWiki to be pasted onto the wiki. [https://pandoc.org/ Pandoc] can do this for the majority of formats (Markdown, Vimwiki, ODT, etc.)
 
=== Time-sensitive ===
* Email IT for new TLS certs (example template to use; make sure to keep the SubjectAltName entries, etc.)
* Install-a-thons
* Shirt printing / stickers
 
=== Budget ===
 
* USG meetings
* Making presentable diagrams and representations of data
 
=== MTU Policies and Procedures ===
https://www.mtu.edu/umc/services/websites/requirements/
 
All (sub)domains need to be approved by UMC (University Marketing & Communication)
 
IT handles IP addressing and SSL certificates
 
USG handles funding and reimbursements