| field | value | date |
|---|---|---|
| author | arf20 <aruizfernandez05@gmail.com> | 2026-02-13 21:21:56 +0100 |
| committer | arf20 <aruizfernandez05@gmail.com> | 2026-02-13 21:21:56 +0100 |
| commit | 4ac5ad64bf7883c63ba02ecd1f1091cab08126f0 (patch) | |
| tree | 3e28ec1ce6ef8fa0d06c1ed44ffdf169dd65b970 /arfnet2.md | |
| parent | 13d4760f9f2421daf295de53d0bba9185716f744 (diff) | |
| download | arfnet2-4ac5ad64bf7883c63ba02ecd1f1091cab08126f0.tar.gz, arfnet2-4ac5ad64bf7883c63ba02ecd1f1091cab08126f0.zip | |
Diffstat (limited to 'arfnet2.md')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | arfnet2.md | 73 |

1 file changed, 52 insertions, 21 deletions
@@ -61,16 +61,17 @@ Steps - [X] Deploy piHole - [X] Create Root CA with clca - [X] Deploy OpenXPKI with it + - [#] OpenXPKI ACME - [X] Deploy OpenLDAP and set up schemas - - [ ] OpenLDAP LDAPS with cert + - [X] OpenLDAP LDAPS with cert - [X] Deploy Keycloak and give it a cert - [X] Connect Keycloak to OpenLDAP - - [ ] DNS on all internal services - - [ ] Reverse proxy all internal services - - [ ] Internal services dashboard - - [ ] Give internal web service endpoints TLS certificates + - [X] DNS on all internal services + - [#] Reverse proxy all internal services + - [X] Internal services dashboard + - [X] Give internal web service endpoints TLS certificates + - [#] Connect non-SSO services to LDAP - [ ] Put SSO login on services where possible - - [ ] Connect remaining services to LDAP - [ ] Kerberos and Keycloak ## Domain @@ -333,14 +334,14 @@ RAID attached here (with the grey stuff) (local only) - Samba SMB* - MiniDLNA* - FTP - - qBittorrent-nox - - jellyfin + - qBittorrent-nox :8085 + - jellyfin :8096 - nginx - mpd :8000 | vhost | webroot/proxy | Comment | |-------|---------------|---------| -| dark.arf20.com | /d/FTPServer/ | Allow only VPS and private | +| default | /d/FTPServer/ | Allow only VPS and private | ### web DMZ.9 @@ -588,22 +589,11 @@ Pihole --- -### yero-debian VPS DMZ.192 (yero) - - - SSH - - mariadb - - FiveM SuperioresRP - -### exo-debian VPS DMZ.195 (exo) +### exo-vps VPS DMZ.195 (exo) - SSH - netbox -### loofa-debian VPS DMZ.196 (loofa) - - - SSH - - ? - \*TODO ## Internal Name and Number Assignation Table 
@@ -751,6 +741,47 @@ Site-B:PiSoNet |------|------|---------|---------| | 5.250.186.185 | PTR | mail.arf20.com | | +### PKI, authentication and authorization architecture + +``` + +-------+ + | clCA | + +-------+ + | + v + +----------+ + + - - - - - - - - - - -| OpenXPKI | + +----------+ + | | LDAPS cert and cert store + v + | +-----------------------------------------------------------+ + | OpenLDAP | + | +-----------------------------------------------------------+ + ^ ^ ^ ^ + | | | | | + +--------+ +----------+ | +----------+ + | | app | | app | | +-->| Kerberos | + | secure | | SSO-less | | | +----------+ + | +--------+ +----------+ | | + ^ ^ +----------+ OAuth2 +---------+ + | | | | Keycloak |-------->| app | + | | +----------+ /SAML | SSO-ful | + | | | ^ +---------+ + | | | 2FA + | | | | + +--------+ +----------+ + + - >| client | | clients | + +--------+ +----------+ + with cert from CA password based +``` + + - LDAP applications + - Jellyfin + - pubnix* + - SSO applications + - qBittorrent* + + ## Custom ARFNET software - [cstims](https://cgit.arf20.com/arfnet2-cstims): client, service, ticket and invoice management system |
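Review bot: in the Steps hunk (`@@ -61,16 +61,17 @@`) the `[#]` state given to "OpenXPKI ACME", "Reverse proxy all internal services" and "Connect non-SSO services to LDAP" is not a task-list state that Markdown renderers understand (only `[ ]` and `[x]`/`[X]` are), so these three items will render as literal text rather than as checkboxes; either add a one-line legend next to the Steps heading saying that `[#]` means "in progress", or keep them as `[ ]` and put the progress note in the item text so the list stays machine-renderable.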
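Review bot: in the RAID-host hunk (`@@ -333,14 +334,14 @@`) changing the nginx vhost from `dark.arf20.com` to `default` means that server block now answers every Host header, including requests made by bare IP, so the "Allow only VPS and private" comment becomes the only statement of what protects `/d/FTPServer/`; record in the table (or the nginx section) how that restriction is actually enforced, for example as source-address allow/deny rules in the server block, so the document describes a control rather than an intention. The `:8085` and `:8096` ports added for qBittorrent-nox and jellyfin are useful, but the other entries in the same list (Samba SMB*, MiniDLNA*, FTP, nginx) still have none; a consistent port column would make cross-checking against the firewall rules easier.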
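Review bot: the VPS hunk (`@@ -588,22 +589,11 @@`) deletes the yero-debian (DMZ.192) and loofa-debian (DMZ.196) entries and renames exo-debian to exo-vps, but nothing else in this patch touches the "## Internal Name and Number Assignation Table" that immediately follows the hunk, nor the DNS record tables further down (the PTR table visible in the last hunk's context); either update those in the same commit or state whether the two hosts were decommissioned (addresses freed, DNS records and any firewall exceptions for them removed) or only moved, because a stale .192/.196 allocation or a record still pointing at a released address is exactly the leftover that gets quietly reused later. The rename should also be reflected wherever "exo-debian" is used as a hostname elsewhere in the document.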
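Review bot: in the new PKI diagram (`@@ -751,6 +741,47 @@`) only the OpenXPKI -> OpenLDAP edge is labelled ("LDAPS cert and cert store"); the edges from Keycloak, Kerberos and the "app secure"/"app SSO-less" boxes into OpenLDAP carry no protocol, so a reader cannot tell whether those binds use LDAPS (which the Steps list in this same patch now marks done) or plain LDAP, and for the SSO-less apps that authenticate users by password the distinction matters; label each edge with its protocol and, for the apps, the bind account they use. The "2FA" label hangs under Keycloak with no source, and the dashed line from OpenXPKI to "client" is unlabelled (presumably certificate issuance to the cert-based clients); a short label on each would make the diagram self-explanatory. The trailing `*` on "pubnix*" and "qBittorrent*" in the lists below the diagram appears to be the same `*TODO` marker defined in the VPS section, but that legend is far from here, so restate it under these lists.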
