diff options
| -rw-r--r-- | arfnet2.html | 90 | ||||
| -rw-r--r-- | arfnet2.md | 52 | ||||
| -rw-r--r-- | arfnet2.pdf | bin | 153088 -> 161793 bytes |
3 files changed, 103 insertions, 39 deletions
diff --git a/arfnet2.html b/arfnet2.html index e1d5757..f28d5c8 100644 --- a/arfnet2.html +++ b/arfnet2.html @@ -71,20 +71,47 @@ secure</li> <li>Site to Site wireguard</li> <li>Establish telephony</li> </ul> -<h3 id="stage-7-ca-pki-ldap-and-sso">*Stage 7: CA, PKI, LDAP and -SSO</h3> +<h3 id="stage-7-ca-pki-ldap-iam-and-sso">*Stage 7: CA, PKI, LDAP, IAM +and SSO</h3> +<p>Objectives</p> <ul> <li>Unify all logins</li> <li>Single authentication and authorization LDAP store</li> <li>SSO on as many services as possible</li> <li>Private CA PKI server certs for private endpoint security</li> -<li>User certificates for extra secure endpoints</li> +<li>User certificates for extra secure clients mTLS</li> </ul> -<h3 id="stage-8-internal-dns">*Stage 8: Internal DNS</h3> -<ul> -<li>Drop OPNsense unbound, use BIND</li> -<li>Use .local.arf20.com zone or something</li> -<li>PiHole</li> +<p>Steps</p> +<ul class="task-list"> +<li><label><input type="checkbox" checked="" />Migrate .lan zone to +.int.arf20.com at ARFNET BIND (misc)</label></li> +<li><label><input type="checkbox" checked="" />Deploy +piHole</label></li> +<li><label><input type="checkbox" checked="" />Create Root CA with +clca</label></li> +<li><label><input type="checkbox" checked="" />Deploy OpenXPKI with +it</label></li> +<li><label><input type="checkbox" checked="" />Deploy OpenLDAP and set +up schemas</label></li> +<li><label><input type="checkbox" />OpenLDAP LDAPS with +cert</label></li> +<li><label><input type="checkbox" checked="" />Deploy Keycloak and give +it a cert</label></li> +<li><label><input type="checkbox" checked="" />Connect Keycloak to +OpenLDAP</label></li> +<li><label><input type="checkbox" />DNS on all internal +services</label></li> +<li><label><input type="checkbox" />Reverse proxy all internal +services</label></li> +<li><label><input type="checkbox" />Internal services +dashboard</label></li> +<li><label><input type="checkbox" />Give internal web service endpoints +TLS certificates</label></li> +<li><label><input type="checkbox" />Put SSO login on services where +possible</label></li> +<li><label><input type="checkbox" />Connect remaining services to +LDAP</label></li> +<li><label><input type="checkbox" />Kerberos and Keycloak</label></li> </ul> <h2 id="domain">Domain</h2> <p>arf20.com</p> @@ -1059,6 +1086,7 @@ http://ca.lan:80</td> <li>vaultwarden :8000</li> <li>OpenLDAP slapd :389</li> <li>ldap-account-manager :8389</li> +<li>Keycloak :8443</li> </ul> <table> <thead> @@ -1315,6 +1343,8 @@ CT</h3> </ul></li> <li>apache2 :80</li> </ul> +<h3 id="pihole-dmz.25-debian-13-ct">pihole DMZ.25 Debian 13 CT</h3> +<p>Pihole</p> <hr /> <h3 id="mail-arfnet-ionos-vps-5.250.186.185-2001ba0210d6001">mail (ARFNET-IONOS VPS) 5.250.186.185 2001:ba0:210:d600::1</h3> @@ -1487,55 +1517,65 @@ Number Assignation Table</h2> <td></td> </tr> <tr class="even"> +<td>DMZ.17</td> +<td>[reserved]</td> +<td></td> +</tr> +<tr class="odd"> <td>DMZ.15</td> <td>(t2)</td> <td>T/2 SDE build box</td> </tr> -<tr class="odd"> +<tr class="even"> <td>DMZ.16</td> <td>pubnix</td> <td></td> </tr> -<tr class="even"> +<tr class="odd"> <td>DMZ.17</td> <td>[reserved]</td> <td>for future raspi</td> </tr> -<tr class="odd"> +<tr class="even"> <td>DMZ.18</td> -<td>ata.lan</td> +<td>ata</td> <td>Linksys ATA</td> </tr> -<tr class="even"> +<tr class="odd"> <td>DMZ.19</td> -<td>cucmelan</td> +<td>cucm</td> <td>Cisco CallManager</td> </tr> -<tr class="odd"> +<tr class="even"> <td>DMZ.20</td> -<td>callbox.lan</td> +<td>callbox</td> <td>5G gNodeB</td> </tr> -<tr class="even"> +<tr class="odd"> <td>DMZ.21</td> -<td>dn42.lan</td> +<td>dn42</td> <td>DN42 edge router</td> </tr> -<tr class="odd"> +<tr class="even"> <td>DMZ.22</td> -<td>open5gs.lan</td> +<td>open5gs</td> <td>Open5GS 5G core</td> </tr> -<tr class="even"> +<tr class="odd"> <td>DMZ.23</td> -<td>dn42-services.lan</td> +<td>dn42-services</td> <td>DN42 service machine</td> </tr> -<tr class="odd"> +<tr class="even"> <td>DMZ.24</td> -<td>ca.lan</td> +<td>ca</td> <td>Certificate Authority</td> </tr> +<tr class="odd"> +<td>DMZ.25</td> +<td>pihole</td> +<td>pihole</td> +</tr> <tr class="even"> <td></td> <td></td> @@ -2135,6 +2175,8 @@ service, ticket and invoice management system</li> list browser</li> <li><a href="https://cgit.arf20.com/arfnet2-status">status</a>: status monitor</li> +<li><a href="https://cgit.arf20.com/arfnet2-search">search</a>: fast +file indexer and search</li> </ul> </body> </html> @@ -45,19 +45,33 @@ After the disastrous ISP [schism](http://arf20.com/explanation.txt) - Site to Site wireguard - Establish telephony -### \*Stage 7: CA, PKI, LDAP and SSO +### \*Stage 7: CA, PKI, LDAP, IAM and SSO + +Objectives - Unify all logins - Single authentication and authorization LDAP store - SSO on as many services as possible - Private CA PKI server certs for private endpoint security - - User certificates for extra secure endpoints - -### \*Stage 8: Internal DNS - - - Drop OPNsense unbound, use BIND - - Use .local.arf20.com zone or something - - PiHole + - User certificates for extra secure clients mTLS + +Steps + + - [X] Migrate .lan zone to .int.arf20.com at ARFNET BIND (misc) + - [X] Deploy piHole + - [X] Create Root CA with clca + - [X] Deploy OpenXPKI with it + - [X] Deploy OpenLDAP and set up schemas + - [ ] OpenLDAP LDAPS with cert + - [X] Deploy Keycloak and give it a cert + - [X] Connect Keycloak to OpenLDAP + - [ ] DNS on all internal services + - [ ] Reverse proxy all internal services + - [ ] Internal services dashboard + - [ ] Give internal web service endpoints TLS certificates + - [ ] Put SSO login on services where possible + - [ ] Connect remaining services to LDAP + - [ ] Kerberos and Keycloak ## Domain @@ -402,6 +416,7 @@ RAID attached here (with the grey stuff) (local only) - vaultwarden :8000 - OpenLDAP slapd :389 - ldap-account-manager :8389 + - Keycloak :8443 | vhost | webroot/proxy | Comment | |-------|---------------|---------| @@ -534,6 +549,10 @@ Certificate Authority PKI - clientd - apache2 :80 +### pihole DMZ.25 Debian 13 CT + +Pihole + --- ### mail (ARFNET-IONOS VPS) 5.250.186.185 2001:ba0:210:d600::1 @@ -606,16 +625,18 @@ DMZ IPv4s and IPv6 ends in the same way | DMZ.11 | game.lan | | | DMZ.12 | comm.lan | | | DMZ.13 | misc.lan | | +| DMZ.17 | [reserved] | | | DMZ.15 | (t2) | T/2 SDE build box | | DMZ.16 | pubnix | | | DMZ.17 | [reserved] | for future raspi | -| DMZ.18 | ata.lan | Linksys ATA | -| DMZ.19 | cucmelan | Cisco CallManager | -| DMZ.20 | callbox.lan | 5G gNodeB | -| DMZ.21 | dn42.lan | DN42 edge router | -| DMZ.22 | open5gs.lan | Open5GS 5G core | -| DMZ.23 | dn42-services.lan | DN42 service machine | -| DMZ.24 | ca.lan | Certificate Authority | +| DMZ.18 | ata | Linksys ATA | +| DMZ.19 | cucm | Cisco CallManager | +| DMZ.20 | callbox| 5G gNodeB | +| DMZ.21 | dn42 | DN42 edge router | +| DMZ.22 | open5gs | Open5GS 5G core | +| DMZ.23 | dn42-services | DN42 service machine | +| DMZ.24 | ca | Certificate Authority | +| DMZ.25 | pihole | pihole | | | | | | DMZ.192 | yero-debian | yero.lan | | DMZ.195 | exo-debian | exo.lan | @@ -735,4 +756,5 @@ Site-B:PiSoNet - [cstims](https://cgit.arf20.com/arfnet2-cstims): client, service, ticket and invoice management system - [lists](https://cgit.arf20.com/arfnet2-lists): mailing list browser - [status](https://cgit.arf20.com/arfnet2-status): status monitor + - [search](https://cgit.arf20.com/arfnet2-search): fast file indexer and search diff --git a/arfnet2.pdf b/arfnet2.pdf Binary files differindex 59df365..d0bfe65 100644 --- a/arfnet2.pdf +++ b/arfnet2.pdf |