From e1a9e20cb4991e0acc0bf9e7ec433e0c9b2d35ee Mon Sep 17 00:00:00 2001 From: arf20 Date: Mon, 3 Nov 2025 20:26:10 +0100 Subject: PKI --- arfnet2.html | 116 +++++++++++++++++++++++++++++++++++++++++++---------------- arfnet2.md | 54 +++++++++++++++++++++++----- arfnet2.pdf | Bin 150968 -> 153642 bytes 3 files changed, 132 insertions(+), 38 deletions(-) diff --git a/arfnet2.html b/arfnet2.html index 3eb7552..e8148aa 100644 --- a/arfnet2.html +++ b/arfnet2.html @@ -26,7 +26,7 @@

After the disastrous ISP schism

Masterplan

-

Stage 1: very safe

+

Stage 1: very safe

-

Stage 2: new services

+

Stage 2: new services

-

Stage 3*: finally

+

*Stage 3: finally

+

Logical network

+
                    +---------+
+           +--------+         |
+   internet| router |   DMZ   |
+           +--------++        |
+                     +--------+
+

DELL PowerConnect 5424 switch

Port assignents

@@ -996,16 +1023,22 @@ http://comm.lan:8080 +pki.arf20.com +/ = /var/www/pki.arf20.com/html
/download/ = +http://ca.lan:80 + + + - + status.yero.dev http://yerovps.lan:3001 - + panaland.arf20.com /var/www/panaland.arf20.com/html/ @@ -1242,6 +1275,18 @@ comment
  • Kamailio
  • OAI?
  • +

    arfnet2-ca DMZ.24 Debian 12 +CT

    +

    Certificate Authority PKI

    +

    mail (ARFNET-IONOS VPS) 5.250.186.185 2001:ba0:210:d600::1

    @@ -1395,7 +1440,7 @@ Number Assignation Table DMZ.10 -wazuh.lan +secure.lan @@ -1459,21 +1504,26 @@ Number Assignation Table DN42 service machine +DMZ.24 +ca.lan +Certificate Authority + + - + DMZ.192 yero-debian yero.lan - + DMZ.195 exo-debian exo.lan - + DMZ.196 loofa-debian loofa.lan @@ -1878,108 +1928,114 @@ Number Assignation Table +pki.arf20.com +CNAME +web.arf20.com + + + - + status.arf20.com CNAME mail.arf20.com - + lists.arf20.com CNAME mail.arf20.com - + mlmmj.arf20.com CNAME mail.arf20.com - + - + lahomosexualidadde.arf20.com CNAME weonpollo.xyz - + panaland.arf20.com CNAME web.arf20.com - + - + _acme-challenge.jellyfin CNAME (challenge) - + _acme-challenge.irc CNAME (challenge) - + _acme-challenge.matrix CNAME (challenge) - + _acme-challenge.mail CNAME (challenge) - + _acme-challenge.xmpp CNAME (challenge) - + - + arf20.com MX mail.arf20.com - + selector._domainkey TXT (DKIM) DKIM for selector ‘selector’ - + _dmarc TXT (DMARC) - + arf20.com TXT (SPF) diff --git a/arfnet2.md b/arfnet2.md index 1ba026a..c2bacb8 100644 --- a/arfnet2.md +++ b/arfnet2.md @@ -4,7 +4,7 @@ After the disastrous ISP [schism](http://arf20.com/explanation.txt) ## Masterplan -Stage 1: very safe +### Stage 1: very safe - Close all ports - Nuke (or stop) all old VMs (exclude OPNSense) 
@@ -12,40 +12,52 @@ Stage 1: very safe - Make new basic VMs (cloning deb12 template) - Open basic ports -Stage 2: new services +### Stage 2: new services - IONOS VPS for mail - Some new very safe services - HE IPv6 tunnel - Own authoritative nameservers for domain zone -Stage 3\*: finally +### \*Stage 3: finally -- Another VPS in unknown provider for + - Another VPS in unknown provider for - Tor - Reverse-proxying the media library - PHP on main site with more web services from scratch, hopefully secure - More new services -Stage 4: DN42 +### Stage 4: DN42 - Make DN42 router VM with bird and wg - Peer with people - Bring up BGP sessions - Services -Stage 5: Telephony +### Stage 5: Telephony - Asterisk - IP phones and ATAs - Trunks; SDF, Tandmx, uwutel, PSTN -Stage 6\*: Site B (piso) +### \*Stage 6: Site B (piso) - Firewall and switch - Site to Site wireguard - Establish telephony +### \*Stage 7: CA, PKI, LDAP and SSO + - Unify all logins + - Single authentication and authorization LDAP store + - SSO on as many services as possible + - Private CA PKI server certs for private endpoint security + - User certificates for extra secure endpoints + +### \*Stage 8: Internal DNS + + - Drop OPNsense unbound, use BIND + - Use .local.arf20.com zone or something + - PiHole ## Domain @@ -64,6 +76,8 @@ Registrar: namecheap ### Hardware +Physical network + ``` WAP | @@ -104,6 +118,17 @@ ISP ===| ONT |---| DELL switch |-----| TP-Link switch | - server: DELL PowerEdge R720 @ 2x E5-2670 + 64GB + (240+120)GB SSD + (4+3x7RAID5)TB HDD - ATA: Cisco/Linksys PAP2T +Logical network + +``` + +---------+ + +--------+ | + internet| router | DMZ | + +--------++ | + +--------+ + +``` + #### DELL PowerConnect 5424 switch Port assignents @@ -361,6 +386,7 @@ RAID attached here (with the grey stuff) (local only) | kanboard.arf20.com | / = /var/www/kanboard.arf20.com/html/ | | | vw.arf20.com | http://192.168.4.10:8000 | | | raip.arf20.com | / = /var/www/raip.arf20.com/html
    /status = http://comm.lan:8080 | | +| pki.arf20.com | / = /var/www/pki.arf20.com/html
    /download/ = http://ca.lan:80 | | | | | | | status.yero.dev | http://yerovps.lan:3001 | | | panaland.arf20.com | /var/www/panaland.arf20.com/html/ | | @@ -496,6 +522,16 @@ Remote gNodeB - Kamailio - OAI? +### arfnet2-ca DMZ.24 Debian 12 CT + +Certificate Authority PKI + + - clca + - OpenXPKI + - serverd + - clientd + - apache2 :80 + --- ### mail (ARFNET-IONOS VPS) 5.250.186.185 2001:ba0:210:d600::1 @@ -564,7 +600,7 @@ DMZ IPv4s and IPv6 ends in the same way | DMZ.7 | printer.lan | HP Officejet 8020 | | DMZ.8 | desktop.lan | reserved for desktop on DMZ | | DMZ.9 | web.lan | | -| DMZ.10 | wazuh.lan | | +| DMZ.10 | secure.lan | | | DMZ.11 | game.lan | | | DMZ.12 | comm.lan | | | DMZ.13 | misc.lan | | @@ -577,6 +613,7 @@ DMZ IPv4s and IPv6 ends in the same way | DMZ.21 | dn42.lan | DN42 edge router | | DMZ.22 | open5gs.lan | Open5GS 5G core | | DMZ.23 | dn42-services.lan | DN42 service machine | +| DMZ.24 | ca.lan | Certificate Authority | | | | | | DMZ.192 | yero-debian | yero.lan | | DMZ.195 | exo-debian | exo.lan | @@ -656,6 +693,7 @@ Site-B:PiSoNet | vw.arf20.com | CNAME | web.arf20.com | | raip.arf20.com | CNAME | web.arf20.com | | dmr.arf20.com | CNAME | comm.arf20.com | +| pki.arf20.com | CNAME | web.arf20.com | | | status.arf20.com | CNAME | mail.arf20.com | | lists.arf20.com | CNAME | mail.arf20.com | diff --git a/arfnet2.pdf b/arfnet2.pdf index 90ebca6..e92bf09 100644 Binary files a/arfnet2.pdf and b/arfnet2.pdf differ -- cgit v1.2.3
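Review bot: Stage 8 in the arfnet2.md Masterplan hunk says "Use .local.arf20.com zone or something", while the same patch adds ca.lan and renames a host to secure.lan in the Number Assignation Table, so the document now plans one naming scheme and extends another. State which zone new hosts should use and how the existing .lan names map onto it. The new list items under Stage 7 and Stage 8 are also indented with a leading space (" - ") where the older stages use "- "; pick one style.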
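Review bot: In the arfnet2.md reverse-proxy table, the new pki.arf20.com row maps "/download/ = http://ca.lan:80" without saying what is published there. That target is the apache2 :80 instance listed on the arfnet2-ca container, so the row (or the arfnet2-ca section) should name the files meant to be served, for example the CA certificate and CRL, and state that no other path on ca.lan is proxied through web.arf20.com.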
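Review bot: The new "arfnet2-ca DMZ.24 Debian 12 CT" section in arfnet2.md lists clca, OpenXPKI, serverd, clientd and apache2 :80 but does not document where the CA private keys are kept or which of clca and OpenXPKI issues which certificates. Stage 7 makes server and user certificates depend on this host, so add a line on key storage and backup, whether the root key stays on this container, and who may log in to it.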
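Review bot: The DMZ.10 row in the Number Assignation Table changes wazuh.lan to secure.lan, which the commit subject "PKI" does not cover, and the row's description column stays empty. Split the rename into its own commit or mention it in the message, fill in what secure.lan runs, and check the rest of the document for remaining wazuh.lan references.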
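Review bot: arfnet2.pdf changes as an opaque binary (150968 -> 153642 bytes) and arfnet2.html repeats the same additions as arfnet2.md, so the Markdown hunks are the only part of this commit that can be reviewed line by line. If the HTML and PDF are renderings of arfnet2.md, say so in the repository and regenerate them in a separate commit, or build them outside version control, so that content changes are not mixed with 116 lines of rendered markup.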