Diffstat (limited to 'arfnet2.md')
| -rw-r--r-- | arfnet2.md | 70 | 
1 files changed, 59 insertions, 11 deletions
@@ -4,7 +4,7 @@ After the disastrous ISP [schism](http://arf20.com/explanation.txt)  ## Masterplan -Stage 1: very safe +### Stage 1: very safe   - Close all ports   - Nuke (or stop) all old VMs (exclude OPNSense) @@ -12,40 +12,52 @@ Stage 1: very safe   - Make new basic VMs (cloning deb12 template)   - Open basic ports -Stage 2: new services +### Stage 2: new services   - IONOS VPS for mail   - Some new very safe services   - HE IPv6 tunnel   - Own authoritative nameservers for domain zone -Stage 3\*: finally +### \*Stage 3: finally -- Another VPS in unknown provider for + - Another VPS in unknown provider for      - Tor      - Reverse-proxying the media library   - PHP on main site with more web services from scratch, hopefully secure   - More new services -Stage 4: DN42 +### Stage 4: DN42   - Make DN42 router VM with bird and wg   - Peer with people   - Bring up BGP sessions   - Services -Stage 5: Telephony +### Stage 5: Telephony   - Asterisk   - IP phones and ATAs   - Trunks; SDF, Tandmx, uwutel, PSTN -Stage 6\*: Site B (piso) +### \*Stage 6: Site B (piso)   - Firewall and switch   - Site to Site wireguard   - Establish telephony +### \*Stage 7: CA, PKI, LDAP and SSO + - Unify all logins + - Single authentication and authorization LDAP store + - SSO on as many services as possible + - Private CA PKI server certs for private endpoint security + - User certificates for extra secure endpoints + +### \*Stage 8: Internal DNS + + - Drop OPNsense unbound, use BIND + - Use .local.arf20.com zone or something + - PiHole  ## Domain @@ -64,6 +76,8 @@ Registrar: namecheap  ### Hardware +Physical network +  ```                     WAP                      | 
@@ -104,6 +118,17 @@ ISP ===| ONT |---| DELL switch              |-----| TP-Link switch |   - server: DELL PowerEdge R720 @ 2x E5-2670 + 64GB + (240+120)GB SSD + (4+3x7RAID5)TB HDD   - ATA: Cisco/Linksys PAP2T +Logical network + +``` +                    +---------+ +           +--------+         | +   internet| router |   DMZ   | +           +--------++        | +                     +--------+ + +``` +  #### DELL PowerConnect 5424 switch  Port assignents @@ -148,6 +173,7 @@ Management      - client: 2.59.235.35, 2001:470:1f20:125::2  ### Physical and Logical Networks +  | name | VLAN | net | desc |  |------|------|-----|------|  | WAN  | 2    |     |      | @@ -361,6 +387,8 @@ RAID attached here (with the grey stuff) (local only)  | kanboard.arf20.com | / = /var/www/kanboard.arf20.com/html/ | |  | vw.arf20.com | http://192.168.4.10:8000 | |  | raip.arf20.com | / = /var/www/raip.arf20.com/html<br>/status = http://comm.lan:8080 | | +| pki.arf20.com | / = /var/www/pki.arf20.com/html<br>/download/ = http://ca.lan:80 | | +| testcert.arf20.com | / = /var/www/testcert.arf20.com/html/ | |  | | | |  | status.yero.dev | http://yerovps.lan:3001 | |  | panaland.arf20.com | /var/www/panaland.arf20.com/html/ | | @@ -368,8 +396,16 @@ RAID attached here (with the grey stuff) (local only)  ### secure DMZ.10   - SSH + - nginx + - php-fpm8.4   - wazuh*   - vaultwarden :8000 + - OpenLDAP slapd :389 + - ldap-account-manager :8389 + +| vhost | webroot/proxy | Comment | +|-------|---------------|---------| +| :8389 | / = /usr/share/ldap-account-manager | |  ### game DMZ.11 @@ -464,7 +500,7 @@ RAID attached here (with the grey stuff) (local only)   - bind9 master arfnet.dn42   | peer | asn | bgp | - --------------------- + |------|-----|-----|   | prefixlabs | 4242421240 | fe80::1240 |   | routedbits | 4242420207 | fe80::207 |    | lezi | 4242423377 | fe80::3377 | 
@@ -476,8 +512,8 @@ RAID attached here (with the grey stuff) (local only)   - bind9 slave   - nginx reverse proxy -| vhost | webroot/proxy | comment ------------------------------------ +| vhost | webroot/proxy | comment | +|-------|---------------|---------|  arfnet.dn42 | http://192.168.4.9 | ARFNET in DN42  ### open5gs DMZ.22 @@ -488,6 +524,16 @@ Remote gNodeB   - Kamailio   - OAI? +### arfnet2-ca DMZ.24 Debian 12 CT + +Certificate Authority PKI + + - clca + - OpenXPKI +   - serverd +   - clientd + - apache2 :80 +  ---  ### mail (ARFNET-IONOS VPS) 5.250.186.185 2001:ba0:210:d600::1 @@ -556,7 +602,7 @@ DMZ IPv4s and IPv6 ends in the same way  | DMZ.7 |  printer.lan | HP Officejet 8020 |  | DMZ.8 |  desktop.lan | reserved for desktop on DMZ |  | DMZ.9 |  web.lan | | -| DMZ.10 | wazuh.lan | | +| DMZ.10 | secure.lan | |  | DMZ.11 | game.lan | |  | DMZ.12 | comm.lan | |  | DMZ.13 | misc.lan | | @@ -569,6 +615,7 @@ DMZ IPv4s and IPv6 ends in the same way  | DMZ.21 | dn42.lan | DN42 edge router |  | DMZ.22 | open5gs.lan | Open5GS 5G core |  | DMZ.23 | dn42-services.lan | DN42 service machine | +| DMZ.24 | ca.lan | Certificate Authority |  | | | |  | DMZ.192 | yero-debian | yero.lan |  | DMZ.195 | exo-debian | exo.lan | @@ -648,6 +695,7 @@ Site-B:PiSoNet  | vw.arf20.com | CNAME | web.arf20.com |  | raip.arf20.com | CNAME | web.arf20.com |  | dmr.arf20.com | CNAME | comm.arf20.com | +| pki.arf20.com | CNAME | web.arf20.com |  |  | status.arf20.com | CNAME | mail.arf20.com |  | lists.arf20.com | CNAME | mail.arf20.com |  | 
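Review bot: in the Masterplan hunk, Stage 7 promises "Private CA PKI server certs for private endpoint security" and "User certificates for extra secure endpoints" but nothing about where the CA key is kept or where CRL/OCSP data is published, and Stage 8 still reads "Use .local.arf20.com zone or something"; settle the internal zone name before Stage 7 starts, because the server certificates will carry those names as SANs and a later rename invalidates every issued cert. The asterisk that moves from `Stage 3\*:` to `### \*Stage 3:` is never explained anywhere on the page; add a one-line legend under `## Masterplan` saying what a starred stage means.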
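Review bot: the new "Logical network" diagram in the hardware hunk shows only internet, router and DMZ, while the "Physical and Logical Networks" table later in the file lists several VLANs (WAN on VLAN 2 and the rest), so either label the drawing as a DMZ-only view or add the LAN side and the VLAN tag on each link. The box art also does not line up in a monospace render: the row `+--------++        |` has a doubled `+` where the router's corner meets the DMZ box, and the DMZ box has no left wall, so it is hard to tell which link is the router's outside interface.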
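Review bot: the nginx vhost row `| pki.arf20.com | / = /var/www/pki.arf20.com/html<br>/download/ = http://ca.lan:80 | |` proxies a path on the public web host straight to the CA container's apache on plain :80. Publishing the CA bundle and CRL over HTTP is fine and expected (CRL fetches are normally not TLS), but the same DMZ.24 host also runs OpenXPKI clientd, so the comment column should state exactly which paths `/download/` exposes and the proxy should not forward the OpenXPKI web UI or RPC endpoints. The new `testcert.arf20.com` vhost has no matching entry in the DNS hunk (only `| pki.arf20.com | CNAME | web.arf20.com |` is added), so add the CNAME or mark the vhost as local-only like the other internal rows.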
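Review bot: the `### secure DMZ.10` hunk adds `OpenLDAP slapd :389` next to vaultwarden without any ldaps:// (:636) or StartTLS note; Stage 7 makes this the "Single authentication and authorization LDAP store", so every SSO client's bind password will cross the DMZ in clear unless TLS is required. Record the listener as `:636` (or `:389 + StartTLS required`) and note the olcTLS/olcSecurity requirement beside it. `ldap-account-manager :8389` gets a vhost row but no source restriction; it holds the LDAP admin credentials in its config, so it should be reachable only from the admin network. The `wazuh*` line keeps an unexplained asterisk while the IP table renames DMZ.10 from `wazuh.lan` to `secure.lan`; any CNAME or proxy target still pointing at wazuh.lan should change in the same commit. If this host is one of the deb12-template VMs, `php-fpm8.4` implies a non-Debian repository (bookworm ships 8.2), so say where the package comes from so it survives a rebuild.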
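Review bot: the new `### arfnet2-ca DMZ.24 Debian 12 CT` section lists `clca`, OpenXPKI serverd/clientd and `apache2 :80` but says nothing about where the root key lives. For a private CA that Stage 7 wants to issue user certificates from, the root should stay offline (clca is usually used for exactly that) with OpenXPKI holding only an issuing sub-CA key; write that split down here. A CT shares the host kernel, so the issuing key is readable by anyone with root on the hypervisor; either document that trade-off or run the CA as a VM. `apache2 :80` with no TLS listener means the OpenXPKI clientd UI is plain HTTP; if it is meant only for the reverse proxy on web.lan, restrict it to that source address in the listing.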
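Review bot: the separator rows fixed to `|------|-----|-----|` and `|-------|---------------|---------|` make the peer and vhost tables valid GFM, but the data row `arfnet.dn42 | http://192.168.4.9 | ARFNET in DN42` in the same vhost table still lacks leading and trailing pipes; most renderers accept it, but match the header row so the table renders consistently everywhere.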
