# Location

The VM is running as srv.hc.it-syndikat.org in the hetzner cloud.

# Maintainers

 - @dxld @lambda dns/VM Maintenance
 - @tyrolyean @minato: Mail services
 - @tyrolyean: Proxy services

# Technical

## Routing

The server itself has IPv6 and IPv4 addresses from hetzner, which it uses to
access (and be accessed by) the broader internet. It is connected to the ITS
intranet via a wireguard tunnel using the 10.17.7.0/24 and
2a0c:9a40:8070:70::/64 subnets. It can access internal services dual stack via
this tunnel. The tunnel interface has a record at `srv.srv.it-syndikat.org`.

## DNS

SRV is one of our authoritative NSes, please see the
[DNS master docs](../space/srv-acraze/dns.md) for further details.

## mail server

The system is running a postfix instance which solely acts as a relay for
outbound mail traffic. All inbound mail traffic is being processed on 
`blackmail.srv.it-syndikat.org`. Postfix therefore only accepts mail inbound
on the wg0 interface on port 25 and only from the server subnets.
Traffic is relayed to and from this host to avoid mail being classified as spam
due to the originating ip being a dynamic.

## Proxy server

The server utilizes a haproxy to redirect inbound traffic to backend servers.
Services have been moved from `infectedmushroom.srv.it-syndikat.org` to this
server on 2022-11-28, which effectively obsoletes infectedmushroom.

Services have been migrated after a reboot of the machine managed to brick the
snid proxy setup we previously had.

If you would like to add a service which connects inbound via http/s, please
add it to the haproxy config at `/etc/haproxy/haproxy.cfg`. Check wether the
configuration is valid using the
`sudo haproxy -c -V -f /etc/haproxy/haproxy.cfg` command.

## NGINX

The server also operates an NGINX webserver to host the `it-syndik.at` and
`spaceapi.it-syndikat.org` domains. The former is merely used to redirect
matrix to the correct subdomains whilest the latter is hosted there to
achieve a better uptime (though that was up for debate at the time wether it
was actually nescessary).

After changes check wether the configuration you have produced is valid using
the `sudo nginx -T` command.

### SpaceAPI

The server hosts the [API endpoints](https://git.it-syndikat.org/IT-Syndikat/ITSynOpen/src/branch/master/server)
to read and update the [SpaceAPI](https://spaceapi.io/) status, as well as to
handle the "spaceping".

This service produces a hard dependency on php and php-fpm. Please don't remove
those.