| -rw-r--r-- | arfnet2.html | 82 | ||||
| -rw-r--r-- | arfnet2.md | 73 | ||||
| -rw-r--r-- | arfnet2.pdf | bin | 161793 -> 164402 bytes |
3 files changed, 107 insertions, 48 deletions
diff --git a/arfnet2.html b/arfnet2.html index f28d5c8..4abb8fd 100644 --- a/arfnet2.html +++ b/arfnet2.html @@ -82,7 +82,7 @@ and SSO</h3> <li>User certificates for extra secure clients mTLS</li> </ul> <p>Steps</p> -<ul class="task-list"> +<ul> <li><label><input type="checkbox" checked="" />Migrate .lan zone to .int.arf20.com at ARFNET BIND (misc)</label></li> <li><label><input type="checkbox" checked="" />Deploy @@ -91,26 +91,25 @@ piHole</label></li> clca</label></li> <li><label><input type="checkbox" checked="" />Deploy OpenXPKI with it</label></li> +<li>[#] OpenXPKI ACME</li> <li><label><input type="checkbox" checked="" />Deploy OpenLDAP and set up schemas</label></li> -<li><label><input type="checkbox" />OpenLDAP LDAPS with +<li><label><input type="checkbox" checked="" />OpenLDAP LDAPS with cert</label></li> <li><label><input type="checkbox" checked="" />Deploy Keycloak and give it a cert</label></li> <li><label><input type="checkbox" checked="" />Connect Keycloak to OpenLDAP</label></li> -<li><label><input type="checkbox" />DNS on all internal -services</label></li> -<li><label><input type="checkbox" />Reverse proxy all internal +<li><label><input type="checkbox" checked="" />DNS on all internal services</label></li> -<li><label><input type="checkbox" />Internal services +<li>[#] Reverse proxy all internal services</li> +<li><label><input type="checkbox" checked="" />Internal services dashboard</label></li> -<li><label><input type="checkbox" />Give internal web service endpoints -TLS certificates</label></li> +<li><label><input type="checkbox" checked="" />Give internal web service +endpoints TLS certificates</label></li> +<li>[#] Connect non-SSO services to LDAP</li> <li><label><input type="checkbox" />Put SSO login on services where possible</label></li> -<li><label><input type="checkbox" />Connect remaining services to -LDAP</label></li> <li><label><input type="checkbox" />Kerberos and Keycloak</label></li> </ul> <h2 id="domain">Domain</h2> 
@@ -837,8 +836,8 @@ unbound config)</li> <li>Samba SMB*</li> <li>MiniDLNA*</li> <li>FTP</li> -<li>qBittorrent-nox</li> -<li>jellyfin</li> +<li>qBittorrent-nox :8085</li> +<li>jellyfin :8096</li> <li>nginx</li> <li>mpd :8000</li> </ul> @@ -852,7 +851,7 @@ unbound config)</li> </thead> <tbody> <tr class="odd"> -<td>dark.arf20.com</td> +<td>default</td> <td>/d/FTPServer/</td> <td>Allow only VPS and private</td> </tr> @@ -1420,24 +1419,11 @@ VPS) 92.60.77.4</h3> </tbody> </table> <hr /> -<h3 id="yero-debian-vps-dmz.192-yero">yero-debian VPS DMZ.192 -(yero)</h3> -<ul> -<li>SSH</li> -<li>mariadb</li> -<li>FiveM SuperioresRP</li> -</ul> -<h3 id="exo-debian-vps-dmz.195-exo">exo-debian VPS DMZ.195 (exo)</h3> +<h3 id="exo-vps-vps-dmz.195-exo">exo-vps VPS DMZ.195 (exo)</h3> <ul> <li>SSH</li> <li>netbox</li> </ul> -<h3 id="loofa-debian-vps-dmz.196-loofa">loofa-debian VPS DMZ.196 -(loofa)</h3> -<ul> -<li>SSH</li> -<li>?</li> -</ul> <p>*TODO</p> <h2 id="internal-name-and-number-assignation-table">Internal Name and Number Assignation Table</h2> 
@@ -2167,6 +2153,48 @@ Number Assignation Table</h2> </tr> </tbody> </table> +<h3 id="pki-authentication-and-authorization-architecture">PKI, +authentication and authorization architecture</h3> +<pre><code> +-------+ + | clCA | + +-------+ + | + v + +----------+ + + - - - - - - - - - - -| OpenXPKI | + +----------+ + | | LDAPS cert and cert store + v + | +-----------------------------------------------------------+ + | OpenLDAP | + | +-----------------------------------------------------------+ + ^ ^ ^ ^ + | | | | | + +--------+ +----------+ | +----------+ + | | app | | app | | +-->| Kerberos | + | secure | | SSO-less | | | +----------+ + | +--------+ +----------+ | | + ^ ^ +----------+ OAuth2 +---------+ + | | | | Keycloak |-------->| app | + | | +----------+ /SAML | SSO-ful | + | | | ^ +---------+ + | | | 2FA + | | | | + +--------+ +----------+ + + - >| client | | clients | + +--------+ +----------+ + with cert from CA password based </code></pre> +<ul> +<li>LDAP applications +<ul> +<li>Jellyfin</li> +<li>pubnix*</li> +</ul></li> +<li>SSO applications +<ul> +<li>qBittorrent*</li> +</ul></li> +</ul> <h2 id="custom-arfnet-software">Custom ARFNET software</h2> <ul> <li><a href="https://cgit.arf20.com/arfnet2-cstims">cstims</a>: client, 
@@ -61,16 +61,17 @@ Steps - [X] Deploy piHole - [X] Create Root CA with clca - [X] Deploy OpenXPKI with it + - [#] OpenXPKI ACME - [X] Deploy OpenLDAP and set up schemas - - [ ] OpenLDAP LDAPS with cert + - [X] OpenLDAP LDAPS with cert - [X] Deploy Keycloak and give it a cert - [X] Connect Keycloak to OpenLDAP - - [ ] DNS on all internal services - - [ ] Reverse proxy all internal services - - [ ] Internal services dashboard - - [ ] Give internal web service endpoints TLS certificates + - [X] DNS on all internal services + - [#] Reverse proxy all internal services + - [X] Internal services dashboard + - [X] Give internal web service endpoints TLS certificates + - [#] Connect non-SSO services to LDAP - [ ] Put SSO login on services where possible - - [ ] Connect remaining services to LDAP - [ ] Kerberos and Keycloak ## Domain @@ -333,14 +334,14 @@ RAID attached here (with the grey stuff) (local only) - Samba SMB* - MiniDLNA* - FTP - - qBittorrent-nox - - jellyfin + - qBittorrent-nox :8085 + - jellyfin :8096 - nginx - mpd :8000 | vhost | webroot/proxy | Comment | |-------|---------------|---------| -| dark.arf20.com | /d/FTPServer/ | Allow only VPS and private | +| default | /d/FTPServer/ | Allow only VPS and private | ### web DMZ.9 @@ -588,22 +589,11 @@ Pihole --- -### yero-debian VPS DMZ.192 (yero) - - - SSH - - mariadb - - FiveM SuperioresRP - -### exo-debian VPS DMZ.195 (exo) +### exo-vps VPS DMZ.195 (exo) - SSH - netbox -### loofa-debian VPS DMZ.196 (loofa) - - - SSH - - ? - \*TODO ## Internal Name and Number Assignation Table 
@@ -751,6 +741,47 @@ Site-B:PiSoNet |------|------|---------|---------| | 5.250.186.185 | PTR | mail.arf20.com | | +### PKI, authentication and authorization architecture + +``` + +-------+ + | clCA | + +-------+ + | + v + +----------+ + + - - - - - - - - - - -| OpenXPKI | + +----------+ + | | LDAPS cert and cert store + v + | +-----------------------------------------------------------+ + | OpenLDAP | + | +-----------------------------------------------------------+ + ^ ^ ^ ^ + | | | | | + +--------+ +----------+ | +----------+ + | | app | | app | | +-->| Kerberos | + | secure | | SSO-less | | | +----------+ + | +--------+ +----------+ | | + ^ ^ +----------+ OAuth2 +---------+ + | | | | Keycloak |-------->| app | + | | +----------+ /SAML | SSO-ful | + | | | ^ +---------+ + | | | 2FA + | | | | + +--------+ +----------+ + + - >| client | | clients | + +--------+ +----------+ + with cert from CA password based +``` + + - LDAP applications + - Jellyfin + - pubnix* + - SSO applications + - qBittorrent* + + ## Custom ARFNET software - [cstims](https://cgit.arf20.com/arfnet2-cstims): client, service, ticket and invoice management system diff --git a/arfnet2.pdf b/arfnet2.pdf Binary files differindex d0bfe65..f47a514 100644 --- a/arfnet2.pdf +++ b/arfnet2.pdf |
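Review bot: `[#]` is not a marker pandoc's task-list extension recognises, so in the `@@ -61,16 +61,17 @@ Steps` hunk the in-progress items (`- [#] OpenXPKI ACME`, `- [#] Reverse proxy all internal services`, `- [#] Connect non-SSO services to LDAP`) render as literal text and the whole list loses its task-list class, which is exactly what the html hunk `@@ -82,7 +82,7 @@` shows (`-<ul class="task-list">` / `+<ul>`). Keep them as `- [ ]` items with an "(in progress)" suffix, or add a one-line legend for `[#]` next to the list, so the rendered checklist stays one consistent list.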
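Review bot: in the `@@ -61,16 +61,17 @@ Steps` hunk `OpenLDAP LDAPS with cert` and `Give internal web service endpoints TLS certificates` flip to `[X]` while `Reverse proxy all internal services` stays `[#]`, which leaves unstated which listeners still accept plaintext. A short note under Steps (or on the per-host lists) should say whether plain LDAP on 389 is now refused and whether the direct `qBittorrent-nox :8085` and `jellyfin :8096` ports introduced in the `@@ -333,14 +334,14 @@` hunk remain reachable beside the proxied, certificate-bearing endpoints.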
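Review bot: the vhost for `/d/FTPServer/` changes from `dark.arf20.com` to `default` in the `@@ -333,14 +334,14 @@` hunk (and `@@ -852,7 +851,7 @@` in the html), so that webroot now answers any Host header, including requests by bare IP, and the `Allow only VPS and private` rule is the only thing keeping it internal. Check that the allow/deny list lives in the default server block rather than only in the old named vhost, that an autoindex on that directory is intended, and spell out in the Comment column what "private" covers (the local ranges only, or the VPN range too).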
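Review bot: the `@@ -588,22 +589,11 @@` hunk (and `@@ -1420,24 +1419,11 @@` in the html) removes `yero-debian VPS DMZ.192 (yero)` and `loofa-debian VPS DMZ.196 (loofa)` from the host inventory, but nothing in the patch touches the Internal Name and Number Assignation Table that follows in the same context or the DNS tables after it. If those VPSs are decommissioned, also release DMZ.192 and DMZ.196 there and drop their DNS records and any DMZ firewall rules; otherwise the document and the network disagree and the stale addresses stay allowed.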
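Review bot: the diagram in the `@@ -751,6 +741,47 @@` hunk has `app SSO-less` and `app secure` binding straight to OpenLDAP, which means each of those applications holds its own LDAP bind credentials and handles users' passwords itself, whereas on the `Keycloak -------->| app SSO-ful` path only Keycloak does and the `2FA` step applies; one sentence under the LDAP applications list saying so would explain why `Put SSO login on services where possible` is still the goal and why Jellyfin sits under LDAP rather than SSO. Two labelling points as well: the bottom captions `with cert from CA` and `password based` read as one sentence, so put each under its own box or add a legend line, and the `LDAPS cert and cert store` label on the OpenXPKI to OpenLDAP edge should say which direction it means (OpenXPKI publishing issued certificates into LDAP, OpenLDAP being issued its server certificate, or both).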
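Review bot: `arfnet2.pdf` is a generated artifact committed as an opaque blob next to its markdown source (`Binary files differ`, `161793 -> 164402 bytes`), so every edit to the `.md` churns it and nothing in the PDF change can be reviewed. Build it from `arfnet2.md` in CI or publish it outside the repository; if it must stay in-tree, keep the html and pdf regeneration in the same commit as the markdown change, as this patch does, so the three never drift apart.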
