Docs: Difference between revisions

1,399 bytes added, 6 January
== Proxmox Cluster ==
The majority of our infrastructure is VMs in the Proxmox cluster, so everything can be [https://en.wikipedia.org/wiki/High_availability highly-available] (meaning VMs can jump to another Proxmox node if one goes down).
 
In the panel for each VM in the webUI, make sure to enable the guest agent; Debian will auto install the QEMU guest agent on first install when it detects being run inside a VM.
 
=== Proxmox Nodes ===
* [10.10.1.24] Mayuri
* [10.10.1.25] MrBraun (HP Server)
Note that all these addresses are static, and must be changed manually on each host (Proxmox doesn't currently support DHCP). The process is loosely outlined by the comments [https://forum.proxmox.com/threads/proxmox-change-ip-address.145254/ here].
 
These are also listed in [[Servers]] since they're all physical servers in the GLRC rack.
 
=== Virtual Machines ===
All VMs run Debian to keep things homogeneous and easy to upgrade/automate (except a few Windows VMs like Allen's scuffed Win10 LTSC gaming VM).
 
The VMs in the cluster include:
 
* [10.10.1.12] Invidious (private YouTube frontend, currently inactive)
* [10.10.1.14] BookStack (alternative knowledgebase for documentation. Inactive, we're using this Wiki instead)
* [10.10.1.15] Webserver running NGINX, hosts the lug.mtu.edu homepage and serves as a reverse-proxy for all other webservers behind our NAT.
* [10.10.1.16] This MediaWiki instance
* [10.10.1.17] Netbox (network/rack-related documentation. Currently inactive, overly complicated for our needs)
* [10.10.1.70] Socksproxy (so members using the split-tunneled LUG VPN have an easy way to route traffic through LUG)
* [10.10.1.224] Allen's Gaming VM (runs Windows)
* [10.10.1.229] "Kube-Minecraft" (idk; ask Allen)
You can see all VMs listed in the Proxmox WebUI.
 
=== Updating Nodes ===
 
Check the [https://pve.proxmox.com/wiki/Category:Upgrade Proxmox wiki's 'Upgrade' category] for specific instructions when the time comes.
 
=== Updating VMs ===
All VMs run Debian to keep things homogeneous and easy to upgrade/automate (except a few Windows VMs like Allen's scuffed Win10 LTSC gaming VM; those are presumed self-managed).
 
The update process is the same as any Debian system:
 
# <code>apt update && apt upgrade</code>
## If the kernel or systemd get updated, it's a good idea to <code>reboot</code>
# For major version bumps (I think there's one each year?), you need to run the aforementioned <code>apt update && apt upgrade</code>, followed by <code>apt dist-upgrade</code>
 
Updates need to be automated with [https://docs.ansible.com/ Ansible] at some point.
 
== Mirrors ==
== Shell ==
 
== Firewall/Router/Network ==
Our firewall/router runs [https://www.pfsense.org/ pfSense], soon to be [https://opnsense.org/ OPNsense].
 
 
Otherwise, most configuration can be viewed by poking around the web interface.
 
=== Firewall rules ===
## If someone shows up to a couple meetings they're probably fine to get an admin config; this is more for peace-of-mind to not need to worry about the configs given to people who went to one meeting once at the beginning of the semester and have never been seen again.
## Neither config should have access to WAN, just to prevent someone getting LUG in hot water if they attempt to torrent or something similarly dumb through the VPN.
 
=== Main networks ===
We have two main networks:
* 10.10.0.0/24 - Management (OOB Management services like [https://www.dell.com/en-us/lp/dt/open-manage-idrac Dell iDRAC] / [https://www.hpe.com/us/en/hpe-integrated-lights-out-ilo.html HP iLO])
* 10.10.1.0/24 - LAN (servers/VMs)
We may also be getting a <code>/27</code> of Tech's <code>141.219.0.0/16</code> block through IT (~28-30 usable public IP addresses).
 
The plan is to use reverse-NAT to map the public IPs to select internal IPs, since we won't have enough IPs for every VM (so we can't do it like IT and exclusively use publicly routable addresses).
 
=== VPN Networks ===
In addition, there are two main VPN networks:
 
* 10.10.10.0/24 - OpenVPN
* 10.10.11.0/24 - Wireguard
** 10.10.11.0/25 - Wireguard admin range (access to Management+LAN, no WAN)
** 10.10.11.128/25 - Wireguard user range (access to only LAN, no WAN)
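
An added example, not part of the wiki itself: the documented WireGuard split can be turned into an executable check that compares observed reachability against the policy above, including the addresses on either side of the /25 boundary. The probe results, the management host 10.10.0.50 and the stand-in WAN address 192.0.2.1 are constructed for illustration.

```python
import ipaddress

# Subnets as listed on this page; any other address is treated as WAN.
ZONES = {
    "management": ipaddress.ip_network("10.10.0.0/24"),
    "lan": ipaddress.ip_network("10.10.1.0/24"),
    "openvpn": ipaddress.ip_network("10.10.10.0/24"),
    "wg_admin": ipaddress.ip_network("10.10.11.0/25"),
    "wg_user": ipaddress.ip_network("10.10.11.128/25"),
}
# Documented intent: admin -> Management+LAN, user -> LAN only, never WAN.
ALLOWED = {"wg_admin": {"management", "lan"}, "wg_user": {"lan"}}

def zone_of(addr):
    """Name of the documented subnet containing addr, or 'wan'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"

def expected(src, dst):
    """True/False per the documented policy; None if the page states no policy for src."""
    src_zone = zone_of(src)
    if src_zone not in ALLOWED:
        return None
    return zone_of(dst) in ALLOWED[src_zone]

def audit(observations):
    """Return the observations whose reachability contradicts the documented policy."""
    findings = []
    for src, dst, reached in observations:
        want = expected(src, dst)
        if want is not None and want != reached:
            problem = "reachable, should be blocked" if reached else "blocked, should be reachable"
            findings.append((src, dst, problem))
    return findings

# Constructed probe results: (VPN peer address, destination, connection succeeded).
SAMPLE = [
    ("10.10.11.5", "10.10.0.50", True),    # admin -> management: matches policy
    ("10.10.11.127", "10.10.1.15", True),  # last admin address -> LAN: matches policy
    ("10.10.11.128", "10.10.0.50", True),  # first user address -> management: violation
    ("10.10.11.5", "192.0.2.1", True),     # admin -> WAN: violation
    ("10.10.10.9", "10.10.1.15", True),    # OpenVPN: no policy stated here, skipped
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feeding it real probe results gathered once per VPN config shows whether the firewall rules actually enforce the admin/user split.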
 
== Fileserver ==
