From 3895630e5719e6a9e91a00daade9999405030cdc Mon Sep 17 00:00:00 2001 From: arf20 Date: Tue, 20 Feb 2024 18:50:02 +0100 Subject: Remove shit, compile html and pdf, makefile --- Makefile | 7 + arfnet2.html | 1008 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ arfnet2.md | 52 ++- arfnet2.pdf | Bin 0 -> 154821 bytes backlog.txt | 16 - template.html | 28 ++ 6 files changed, 1087 insertions(+), 24 deletions(-) create mode 100644 Makefile create mode 100644 arfnet2.html create mode 100644 arfnet2.pdf delete mode 100644 backlog.txt create mode 100644 template.html diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..0a15b16 --- /dev/null +++ b/Makefile @@ -0,0 +1,7 @@ +all: arfnet2.html arfnet2.pdf + +arfnet2.html: arfnet2.md template.html + pandoc --template template.html -s arfnet2.md -o arfnet2.html + +arfnet2.pdf: arfnet2.md + pandoc -s arfnet2.md -o arfnet2.pdf diff --git a/arfnet2.html b/arfnet2.html new file mode 100644 index 0000000..067982f --- /dev/null +++ b/arfnet2.html @@ -0,0 +1,1008 @@ + + + + + + + + +

ARFNET2 deployment

+

After the disastrous ISP schism

+

Masterplan

+

Stage 1: very safe - Close all ports - Nuke (or stop) all old VMs + (exclude OPNSense) - Make DMZ - Make new basic VMs (cloning deb12 + template) - Open basic ports

+

Stage 2: new services - IONOS VPS for mail - Some new very safe + services - HE IPv6 tunnel - Own authoritative nameservers for domain + zone

+

Stage 3*: finally - Another VPS in unknown provider for - Tor - + Reverse-proxying the media library - PHP on main site with more web + services from scratch, hopefully secure - More new services

+

Domain

+

arf20.com

+

Registrar: namecheap

+

Name sever glue records + at registrar

+ + + + + + + + + + + + + + + + + + + + +
NameserverNameIP
NS1ns1.arf20.com2.59.235.35
2001:470:1f21:125::13
NS2ns2.arf20.com5.250.186.185
2001:ba0:210:d600::1
+

Networking

+

Hardware

+
                   WAP
+                    |
+       +-----+   +--------------------------+     +----------------+
+ISP ===| ONT |---| DELL switch              |-----| TP-Link switch |
+       +-----+   +--------------------------+     +----------------+
+                    |        |          |                |
+                    |        |          |                |
+                 +---------------+  Rest of devices   Living room devices
+                 | eno1     eno2 |
+                 | server router |
+                 +---------------+
+                   
+- 1000BASE-T
+= GPON fiber
+

DELL PowerConnect 5424 + switch

+

Port assignents

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
portendpointoptions
g2ONTVLAN access 2
g4server eno2 WANVLAN access 2
g6test2VLAN access 2
g3WAPVLAN access 5
g5PCVLAN access 4
g7Living R.VLAN access 5
g9server eno1 DMZ+LANVLAN trunk 4, 5
g15test4VLAN access 4
g17test1VLAN access 1
g19test5VLAN access 5
g21iDRACVLAN access 4
g23printerVLAN access 4
+

Management

+ +

Public IPs

+ +

Gateways

+ +

Physical and Logical + Networks

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
nameVLANnetdesc
WAN2
DMZ4192.168.4.0/24
2001:470:1f21:125::/64
Services
LAN5192.168.5.0/24Clients
VPN10.5.0.0/24Wireguard clients
+

Firewall

+

Interface Rules

+ +

IPv4 NAT Rules

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ServiceCustomerIPProtoExt PortHostRe Port
OpenVPNTCP1195router
WireGuardUDP51820router
DNS NS1TCP/UDP53misc
iperf3TCP5201misc
NNTPTCP119misc
WebTCP80,443web
GitTCP9418web
bittorrentTCP/UDP8999nas
rsyncTCP/UDP873nas
IRCTCP6667comm
IRCSTCP6697comm
XMPP c2sTCP5222comm
XMPP s2sTCP5269comm
TURN STUNTCP/UDP3478comm
TURNTCP/UDP5349comm
TURN UDP relayTCP/UDP49152-50176comm
mc-waterfall-proxyTCP25565game25567
exo-sshexoTCP4041exovps22
exo-extraexoTCP4040exovps4040
yero-sshyeroTCP1511yerovps22
yero-sqlyeroTCP1512yerovps3306
FiveM SuperioresRPyeroTCP30120,40120yerovps
+

IPv6 port rules

+ + + + + + + + + + + + + + + + + + + + + + + + + + +
ServiceCustomerIPProtoHostPort
DNS NS1TCP/UDPmisc53
WebTCPweb80,443
+

Hosts

+ +

Management

+ +

server VMs and services

+

server runs Proxmox PVE.

+

All VMs are Debian 12 (templated) with wazuh agent

+

proxmox DMZ.4 (hypervisor)

+ +

router DMZ.1

+ +

nas DMZ.6

+

RAID attached here (with the grey stuff) (local only) - SSH - NFS - + Samba SMB - MiniDLNA - FTP - qBittorrent-nox - jellyfin

+

web DMZ.9

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
vhostwebroot/proxyComment
default<return 418 im a teapot>
default:8080<return nstub_status>
arf20.com/var/www/arf20.com/html/
www.arf20.com<301 redirect arf20.com>
matrix.arf20.comhttp://comm.lan:8008/_matrix
webmail.arf20.com/var/www/webmail.arf20.com/html/SquirrelMail
nextcloud.arf20.com/var/www/nextcloud.arf20.com/html/
grafana.arf20.comhttp://localhost:3000
jellyfin.arf20.comhttp://nas.lan:8096
git.arf20.com/srv/git/
cgit.arf20.comfastcgi:/usr/lib/cgit/cgit.cgi
blog.arf20.com/var/www/blog.arf20.com/_site/
forum.arf20.com/var/www/forum.arf20.com/html/
deb.arf20.com/d/FTPServer/software/debian/
memes.arf20.com/var/www/memes.arf20.com/, /d/FTPserver/{dcimg, dcmemes, + explosionsandfire}
status.yero.devhttp://yerovps.lan:3001
+

wazuh DMZ.10

+ +

game DMZ.11

+ +

comm DMZ.12

+ +

misc (Deb12 LXC) DMZ.13

+ +

mail + (ARFNET-IONOS VPS) 5.250.186.185 2001:ba0:210:d600::1

+ +

### proxy (ARFNET-HOSTMENOW VPS) *

+ +
+

yerovps DMZ.192 (yero)

+ +

exovps DMZ.195 (exo)

+ +

*TODO

+

Internal Name and + Number Assignation Table

+

DMZ IPv4s and IPv6 ends in the same way | Addr | Name | |——|——| | + DMZ.1 | router.lan | | DMZ.2 | switch.lan | | DMZ.3 | wap.lan | | + DMZ.4 | proxmox.lan | | DMZ.5 | idrac.lan | | DMZ.6 | nas.lan | | + DMZ.7 | printer.lan | | DMZ.8 | desktop.lan | | DMZ.9 | web.lan | | + DMZ.10 | wazuh.lan | | DMZ.11 | game.lan | | DMZ.12 | comm.lan | | + DMZ.13 | misc.lan | | | | | | DMZ.192 | yerovps | yero.lan | | DMZ.195 + | exovps | exo.lan |

+

Domain DNS zone

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeContentComment
arf20.comNSns1.arf20.com
arf20.comNSns2.arf20.com
ns1A2.59.235.35
ns1AAAA2001:470:1f21:125::13
ns2A5.250.186.185
ns2AAAA2001:ba0:210:d600::1
arf20.comA2.59.235.35
arf20.comAAAA2001:470:1f21:125::9
arf20.comMXmail.arf20.com
mailA5.250.186.185
mailAAAA2001:ba0:210:d600::1
selector._domainkeyTXT(DKIM)DKIM for selector ‘selector’
_dmarcTXT(DMARC)
arf20.comTXT(SPF)
ircCNAMEarf20.com
jellyfinCNAMEarf20.com
matrixCNAMEarf20.com
nextcloudCNAMEarf20.com
turnCNAMEarf20.com
webmailCNAMEarf20.com
wwwCNAMEarf20.com
xmppCNAMEarf20.com
xmppconfCNAMEarf20.com
grafanaCNAMEarf20.com
gitCNAMEarf20.com
cgitCNAMEarf20.com
blogCNAMEarf20.com
forumCNAMEarf20.com
debCNAMEarf20.com
zabbixCNAMEarf20.com
memesCNAMEarf20.com
newsCNAMEarf20.com
_acme-challenge.jellyfinCNAME(challenge)
_acme-challenge.ircCNAME(challenge)
_acme-challenge.matrixCNAME(challenge)
_acme-challenge.mailCNAME(challenge)
_acme-challenge.xmppCNAME(challenge)
+

HE v6 rDNS zone

+ + + + + + + + + + + + + + + + + + + + + + + +
NameTypeContentComment
2001:470:1f21:125::13PTRns1.arf20.com
2001:470:1f21:125::9PTRarf20.com
+

IONOS rDNS zone

+ + + + + + + + + + + + + + + + + +
NameTypeContentComment
5.250.186.185PTRmail.arf20.com
+ + diff --git a/arfnet2.md b/arfnet2.md index 67622d2..5142c2a 100644 --- a/arfnet2.md +++ b/arfnet2.md @@ -1,7 +1,9 @@ # ARFNET2 deployment + After the disastrous ISP [schism](http://arf20.com/explanation.txt) ## Masterplan + Stage 1: very safe - Close all ports - Nuke (or stop) all old VMs (exclude OPNSense) @@ -15,7 +17,7 @@ Stage 2: new services - HE IPv6 tunnel - Own authoritative nameservers for domain zone -Stage 3*: finally +Stage 3\*: finally - Another VPS in unknown provider for - Tor - Reverse-proxying the media library @@ -23,17 +25,22 @@ Stage 3*: finally - More new services ## Domain -arf20.com
+ +arf20.com + Registrar: namecheap ### Name sever glue records at registrar + | Nameserver | Name | IP | |------------|------|----| | NS1 | ns1.arf20.com | 2.59.235.35
2001:470:1f21:125::13 | | NS2 | ns2.arf20.com | 5.250.186.185
2001:ba0:210:d600::1 | ## Networking + ### Hardware + ``` WAP | @@ -52,7 +59,9 @@ ISP ===| ONT |---| DELL switch |-----| TP-Link switch | ``` #### DELL PowerConnect 5424 switch + Port assignents + | port | endpoint | options | |------|----------|---------| | g2 | ONT | VLAN access 2 | @@ -69,15 +78,18 @@ Port assignents | g23 | printer | VLAN access 4 | Management + - interface vlan 4: 192.168.4.2/24 gw 192.168.4.1 ### Public IPs + - AVANZA_STATIC: 2.59.235.35 - AVANZA_CGNAT: dynamic - HE v6 tunnel: 2001:470:1f20:125::2 - IONOS VPS: 5.250.186.185 2001:ba0:210:d600::1 ### Gateways + - AVANZA - WAN_STATIC: 2.59.235.1 - WAN_CGNAT: dynamic @@ -91,9 +103,10 @@ Management | LAN | 5 | 192.168.5.0/24 | Clients | | VPN | | 10.5.0.0/24 | Wireguard clients | - ## Firewall + ### Interface Rules + - WAN_CGNAT in - deny * - WAN_STATIC in @@ -109,6 +122,7 @@ Management - allow from LAN net to * gw WAN_CGNAT ### IPv4 NAT Rules + | Service | Customer | IPProto | Ext Port | Host | Re Port | |---------|----------|---------|----------|------|---------| | OpenVPN | | TCP | 1195 | router | | @@ -136,6 +150,7 @@ Management | FiveM SuperioresRP | yero | TCP | 30120,40120 | yerovps | | ### IPv6 port rules + | Service | Customer | IPProto | Host | Port | |---------|----------|---------|------|------| | DNS NS1 | | TCP/UDP | misc | 53 | @@ -143,10 +158,12 @@ Management ## Hosts + - server - DELL PowerEdge R720 running Proxmox PVE - ... - mail - IONOS VPS running Debian 12 - 5.250.186.185 2001:ba0:210:d600::1 ## Management + - OPNSense router DMZ.1 - DELL switch DMZ.2 - TP-Link WAP LAN.2 @@ -155,10 +172,13 @@ Management - HP printer DMZ.7 ## server VMs and services -server runs Proxmox PVE. + +server runs Proxmox PVE. + All VMs are Debian 12 (templated) with wazuh agent ### proxmox DMZ.4 (hypervisor) + - SSH - Proxmox management interface :8006 - smartmon + node exporter :9100 
@@ -166,6 +186,7 @@ All VMs are Debian 12 (templated) with wazuh agent - NUT - Network UPS TOols daemon (and proper UPS)* ### router DMZ.1 + - (routing/firewalling) - SSH - DHCP @@ -177,6 +198,7 @@ All VMs are Debian 12 (templated) with wazuh agent - telegraf - note: editing config via webfig breaks (timeout and unbound config) ### nas DMZ.6 + RAID attached here (with the grey stuff) (local only) - SSH - NFS @@ -187,6 +209,7 @@ RAID attached here (with the grey stuff) (local only) - jellyfin ### web DMZ.9 + - SSH - cerbot - nginx (status at :8080) @@ -212,18 +235,18 @@ RAID attached here (with the grey stuff) (local only) | vhost | webroot/proxy | Comment | |-------|---------------|---------| -| default | | | +| default | \ | | | default:8080 | \ | | | arf20.com | /var/www/arf20.com/html/ | | | www.arf20.com | <301 redirect arf20.com> | | -| matrix.arf20.com | http://comm.lan:8008/_matrix | | +| matrix.arf20.com | http://comm.lan:8008/\_matrix | | | webmail.arf20.com | /var/www/webmail.arf20.com/html/ | SquirrelMail | | nextcloud.arf20.com | /var/www/nextcloud.arf20.com/html/ | | | grafana.arf20.com | http://localhost:3000 | | | jellyfin.arf20.com | http://nas.lan:8096 | | | git.arf20.com | /srv/git/ | | | cgit.arf20.com | fastcgi:/usr/lib/cgit/cgit.cgi | | -| blog.arf20.com | /var/www/blog.arf20.com/_site/ | | +| blog.arf20.com | /var/www/blog.arf20.com/\_site/ | | | forum.arf20.com | /var/www/forum.arf20.com/html/ | | | deb.arf20.com | /d/FTPServer/software/debian/ | | | memes.arf20.com | /var/www/memes.arf20.com/, /d/FTPserver/{dcimg, dcmemes, explosionsandfire} | @@ -231,10 +254,12 @@ RAID attached here (with the grey stuff) (local only) | status.yero.dev | http://yerovps.lan:3001 | | ### wazuh DMZ.10 + - SSH - wazuh ### game DMZ.11 + - SSH - waterfall (minecraft reverse proxy) - mclobby (auth) @@ -244,6 +269,7 @@ RAID attached here (with the grey stuff) (local only) - csgo server* ### comm DMZ.12 + - SSH - cerbot - unrealircd - IRC 
@@ -256,6 +282,7 @@ RAID attached here (with the grey stuff) (local only) - asterisk - VoIP SIP PBX* ### misc (Deb12 LXC) DMZ.13 + - SSH - iperf3 - bind9 - master authoritative nameserver for arf20.com zone NS1 @@ -265,6 +292,7 @@ RAID attached here (with the grey stuff) (local only) - gDebrid ### mail (ARFNET-IONOS VPS) 5.250.186.185 2001:ba0:210:d600::1 + - SSH - certbot - postfix - MTA smtpd, submission, submissions @@ -274,6 +302,7 @@ RAID attached here (with the grey stuff) (local only) - bind9 - slave authoritative nameserver NS2 ### proxy (ARFNET-HOSTMENOW VPS) * + - SSH* - IPsec client* - proxy for ftp.arf20.com somehow* @@ -281,17 +310,20 @@ RAID attached here (with the grey stuff) (local only) --- ### yerovps DMZ.192 (yero) + - SSH - mariadb - FiveM SuperioresRP ### exovps DMZ.195 (exo) + - SSH - netbox -*TODO +\*TODO ## Internal Name and Number Assignation Table + DMZ IPv4s and IPv6 ends in the same way | Addr | Name | |------|------| @@ -313,6 +345,7 @@ DMZ IPv4s and IPv6 ends in the same way | DMZ.195 | exovps | exo.lan | ## Domain DNS zone + | Name | Type | Content | Comment | |------|------|---------|---------| | arf20.com | NS | ns1.arf20.com | | @@ -356,12 +389,15 @@ DMZ IPv4s and IPv6 ends in the same way | _acme-challenge.xmpp | CNAME | (challenge) | | ## HE v6 rDNS zone + | Name | Type | Content | Comment | |------|------|---------|---------| | 2001:470:1f21:125::13 | PTR | ns1.arf20.com | | | 2001:470:1f21:125::9 | PTR | arf20.com | | ## IONOS rDNS zone + | Name | Type | Content | Comment | |------|------|---------|---------| | 5.250.186.185 | PTR | mail.arf20.com | | + diff --git a/arfnet2.pdf b/arfnet2.pdf new file mode 100644 index 0000000..63db298 Binary files /dev/null and b/arfnet2.pdf differ diff --git a/backlog.txt b/backlog.txt deleted file mode 100644 index 1d79edc..0000000 --- a/backlog.txt +++ /dev/null 
@@ -1,16 +0,0 @@ -TODO - NAS - Samba - DLNA - Web - more web - -COMPLETED - Nuked all VMs but OPNSense and Proxmox itself - DMZ - Wazuh VM - NAS - NFS - qbt - Web - httpd diff --git a/template.html b/template.html new file mode 100644 index 0000000..9b298e7 --- /dev/null +++ b/template.html @@ -0,0 +1,28 @@ + + + + + $title$ + + + + $body$ + + + -- cgit v1.2.3
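Review bot: the Makefile hunk builds arfnet2.html and arfnet2.pdf from arfnet2.md, yet the same commit checks both generated outputs into the repository (arfnet2.html at 1008 lines, arfnet2.pdf as a binary), so every later edit to the source either leaves stale artifacts behind or produces a large noisy diff. Suggest leaving the generated files out of version control, adding a `clean` target such as `clean:` followed by `rm -f arfnet2.html arfnet2.pdf`, and declaring `.PHONY: all clean` so that a stray file named `all` or `clean` can never shadow the target.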
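Review bot: the arfnet2.html hunk renders, in a document this commit exists to publish, the switch management address and gateway (interface vlan 4: 192.168.4.2/24 gw 192.168.4.1), the port-to-VLAN map, the DMZ and LAN prefixes, and the complete inbound NAT table including per-customer SSH forwards (exo-ssh 4041 to exovps:22, yero-ssh 1511 to yerovps:22) and a direct database forward (yero-sql TCP 1512 to yerovps:3306). Consider keeping the Management, NAT and host tables in a file that is not rendered to the public site, and revisit the yero-sql entry: MariaDB reachable from the WAN is a far larger exposure than the same service reached through the WireGuard endpoint (UDP 51820) already listed in that table. Two smaller points in the same table: rsync is listed as TCP/UDP 873, but the rsync daemon speaks TCP only, so the UDP half is dead surface that can be dropped; and bittorrent and rsync are forwarded straight to nas, which holds the RAID, so it is worth confirming those daemons enforce their own authentication rather than relying on the forward alone.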
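Review bot: the arfnet2.md hunks carry three typos through to the generated HTML and PDF: "Name sever glue records" (server), "Port assignents" (assignments), and "cerbot" in the web DMZ.9 and comm DMZ.12 service lists, while the mail host list in the same file spells it "certbot". Fixing them once in the markdown source corrects both outputs on the next build.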
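Review bot: the arfnet2.pdf hunk adds a 154821-byte binary that the Makefile regenerates from arfnet2.md; a binary blob cannot be diffed or merged and will grow the history by its full size on every rebuild, so prefer producing it in the build step and publishing from there rather than committing it.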
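Review bot: the backlog.txt deletion drops the open TODO entries (the "Web - more web" item has no visible counterpart), whereas the NAS items it lists (Samba, DLNA) do appear in the nas DMZ.6 list. Since arfnet2.md already marks pending work with a trailing asterisk and a "\*TODO" legend, carry any still-open item over as an asterisked entry before removing the file so nothing is silently lost.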