path: root/arfnet2.html
Diffstat (limited to 'arfnet2.html')
-rw-r--r--arfnet2.html82
1 files changed, 55 insertions, 27 deletions
diff --git a/arfnet2.html b/arfnet2.html
index f28d5c8..4abb8fd 100644
--- a/arfnet2.html
+++ b/arfnet2.html
@@ -82,7 +82,7 @@ and SSO</h3>
<li>User certificates for extra secure clients mTLS</li>
</ul>
<p>Steps</p>
-<ul class="task-list">
+<ul>
<li><label><input type="checkbox" checked="" />Migrate .lan zone to
.int.arf20.com at ARFNET BIND (misc)</label></li>
<li><label><input type="checkbox" checked="" />Deploy
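Review bot: dropping the `task-list` class on the `<ul>` removes the hook any stylesheet used to render these checkbox items without bullets, while the `<li><label><input type="checkbox" …>` items inside are unchanged; check that the list still renders as intended or keep the class.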
@@ -91,26 +91,25 @@ piHole</label></li>
clca</label></li>
<li><label><input type="checkbox" checked="" />Deploy OpenXPKI with
it</label></li>
+<li>[#] OpenXPKI ACME</li>
<li><label><input type="checkbox" checked="" />Deploy OpenLDAP and set
up schemas</label></li>
-<li><label><input type="checkbox" />OpenLDAP LDAPS with
+<li><label><input type="checkbox" checked="" />OpenLDAP LDAPS with
cert</label></li>
<li><label><input type="checkbox" checked="" />Deploy Keycloak and give
it a cert</label></li>
<li><label><input type="checkbox" checked="" />Connect Keycloak to
OpenLDAP</label></li>
-<li><label><input type="checkbox" />DNS on all internal
-services</label></li>
-<li><label><input type="checkbox" />Reverse proxy all internal
+<li><label><input type="checkbox" checked="" />DNS on all internal
services</label></li>
-<li><label><input type="checkbox" />Internal services
+<li>[#] Reverse proxy all internal services</li>
+<li><label><input type="checkbox" checked="" />Internal services
dashboard</label></li>
-<li><label><input type="checkbox" />Give internal web service endpoints
-TLS certificates</label></li>
+<li><label><input type="checkbox" checked="" />Give internal web service
+endpoints TLS certificates</label></li>
+<li>[#] Connect non-SSO services to LDAP</li>
<li><label><input type="checkbox" />Put SSO login on services where
possible</label></li>
-<li><label><input type="checkbox" />Connect remaining services to
-LDAP</label></li>
<li><label><input type="checkbox" />Kerberos and Keycloak</label></li>
</ul>
<h2 id="domain">Domain</h2>
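Review bot: the list now mixes two markups for the same kind of item: checkbox entries such as `<li><label><input type="checkbox" checked="" />OpenLDAP LDAPS with cert</label></li>` next to plain-text entries such as `<li>[#] OpenXPKI ACME</li>` and `<li>[#] Reverse proxy all internal services</li>`. Use the checkbox markup throughout or add a one-line legend saying what `[#]` denotes, since the removed `Connect remaining services to LDAP` checkbox reappears as `[#] Connect non-SSO services to LDAP` with no state a reader can interpret.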
@@ -837,8 +836,8 @@ unbound config)</li>
<li>Samba SMB*</li>
<li>MiniDLNA*</li>
<li>FTP</li>
-<li>qBittorrent-nox</li>
-<li>jellyfin</li>
+<li>qBittorrent-nox :8085</li>
+<li>jellyfin :8096</li>
<li>nginx</li>
<li>mpd :8000</li>
</ul>
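Review bot: the new `:8085` and `:8096` suffixes follow the existing `mpd :8000` convention, but `nginx` and `FTP` in the same list still carry no port, so the list is only half an inventory; add the remaining ports so the service list can be checked against the host's firewall rules.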
@@ -852,7 +851,7 @@ unbound config)</li>
</thead>
<tbody>
<tr class="odd">
-<td>dark.arf20.com</td>
+<td>default</td>
<td>/d/FTPServer/</td>
<td>Allow only VPS and private</td>
</tr>
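Review bot: if the first column is the matched host name, replacing `dark.arf20.com` with `default` widens what the `/d/FTPServer/` row applies to: a default entry matches anything no named entry claims, so `Allow only VPS and private` now governs every unnamed host rather than one. Confirm the widening is intended and that the restriction is still enforced for connections arriving under other names.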
@@ -1420,24 +1419,11 @@ VPS) 92.60.77.4</h3>
</tbody>
</table>
<hr />
-<h3 id="yero-debian-vps-dmz.192-yero">yero-debian VPS DMZ.192
-(yero)</h3>
-<ul>
-<li>SSH</li>
-<li>mariadb</li>
-<li>FiveM SuperioresRP</li>
-</ul>
-<h3 id="exo-debian-vps-dmz.195-exo">exo-debian VPS DMZ.195 (exo)</h3>
+<h3 id="exo-vps-vps-dmz.195-exo">exo-vps VPS DMZ.195 (exo)</h3>
<ul>
<li>SSH</li>
<li>netbox</li>
</ul>
-<h3 id="loofa-debian-vps-dmz.196-loofa">loofa-debian VPS DMZ.196
-(loofa)</h3>
-<ul>
-<li>SSH</li>
-<li>?</li>
-</ul>
<p>*TODO</p>
<h2 id="internal-name-and-number-assignation-table">Internal Name and
Number Assignation Table</h2>
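Review bot: the `yero-debian` (DMZ.192) and `loofa-debian` (DMZ.196) sections are removed and `exo-debian` is renamed to `exo-vps` with a new heading id `exo-vps-vps-dmz.195-exo`, which breaks any existing link to `#exo-debian-vps-dmz.195-exo`. If the two hosts are decommissioned rather than merely undocumented, their rows in the `Internal Name and Number Assignation Table` below and any DNS or firewall entries for DMZ.192 and DMZ.196 belong in the same change; if they still exist, keep the sections so the DMZ inventory stays complete.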
@@ -2167,6 +2153,48 @@ Number Assignation Table</h2>
</tr>
</tbody>
</table>
+<h3 id="pki-authentication-and-authorization-architecture">PKI,
+authentication and authorization architecture</h3>
+<pre><code> +-------+
+ | clCA |
+ +-------+
+ |
+ v
+ +----------+
+ + - - - - - - - - - - -| OpenXPKI |
+ +----------+
+ | | LDAPS cert and cert store
+ v
+ | +-----------------------------------------------------------+
+ | OpenLDAP |
+ | +-----------------------------------------------------------+
+ ^ ^ ^ ^
+ | | | | |
+ +--------+ +----------+ | +----------+
+ | | app | | app | | +--&gt;| Kerberos |
+ | secure | | SSO-less | | | +----------+
+ | +--------+ +----------+ | |
+ ^ ^ +----------+ OAuth2 +---------+
+ | | | | Keycloak |--------&gt;| app |
+ | | +----------+ /SAML | SSO-ful |
+ | | | ^ +---------+
+ | | | 2FA
+ | | | |
+ +--------+ +----------+
+ + - &gt;| client | | clients |
+ +--------+ +----------+
+ with cert from CA password based </code></pre>
+<ul>
+<li>LDAP applications
+<ul>
+<li>Jellyfin</li>
+<li>pubnix*</li>
+</ul></li>
+<li>SSO applications
+<ul>
+<li>qBittorrent*</li>
+</ul></li>
+</ul>
<h2 id="custom-arfnet-software">Custom ARFNET software</h2>
<ul>
<li><a href="https://cgit.arf20.com/arfnet2-cstims">cstims</a>: client,
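Review bot: the ASCII diagram in the new `<pre><code>` block has lost its column alignment (the `OpenXPKI` box, its dashed `+ - - - -` line and the `LDAPS cert and cert store` label no longer line up with the arrows beneath them), and the edges into `Kerberos`, the `2FA` edge and the dashed edge to `client` carry no label saying what flows over them, unlike the `OAuth2 /SAML` edge. Re-align the boxes in a monospace editor and label each edge (which side authenticates to which, with what credential), since this diagram is the only description of the PKI and SSO trust relationships on the page; the `pubnix*` and `qBittorrent*` asterisks also rely on the `*TODO` footnote from an earlier section, so repeat or reference it here.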