# Location

The VM is running as srv.hc.it-syndikat.org in the Hetzner cloud.

# Maintainers

- @dxld @lambda: DNS/VM maintenance
- @tyrolyean @minato: Mail services
- @tyrolyean: Proxy services

# Technical

## Routing

The server itself has IPv6 and IPv4 addresses from Hetzner, which it uses to access (and be accessed by) the broader internet. It is connected to the ITS intranet via a WireGuard tunnel using the 10.17.7.0/24 and 2a0c:9a40:8070:70::/64 subnets. It can access internal services dual stack via this tunnel. The tunnel interface has a record at `srv.srv.it-syndikat.org`.

## DNS

SRV is one of our authoritative NSes, please see the [DNS master docs](../space/srv-acraze/dns.md) for further details.

## mail server

The system is running a postfix instance which solely acts as a relay for outbound mail traffic. All inbound mail traffic is being processed on `blackmail.srv.it-syndikat.org`. Postfix therefore only accepts mail inbound on the wg0 interface on port 25 and only from the server subnets. Traffic is relayed to and from this host to avoid mail being classified as spam due to the originating IP being dynamic.

## Proxy server

The server utilizes a haproxy to redirect inbound traffic to backend servers. Services have been moved from `infectedmushroom.srv.it-syndikat.org` to this server on 2022-11-28, which effectively obsoletes infectedmushroom. Services have been migrated after a reboot of the machine managed to brick the snid proxy setup we previously had.

If you would like to add a service which connects inbound via http/s, please add it to the haproxy config at `/etc/haproxy/haproxy.cfg`. Check whether the configuration is valid using the `sudo haproxy -c -V -f /etc/haproxy/haproxy.cfg` command.

## NGINX

The server also operates an NGINX webserver to host the `it-syndik.at` and `spaceapi.it-syndikat.org` domains.
The former is merely used to redirect Matrix to the correct subdomains, whilst the latter is hosted there to achieve a better uptime (though it was up for debate at the time whether that was actually necessary). After changes, check whether the configuration you have produced is valid using the `sudo nginx -T` command.

### SpaceAPI

The server hosts the [API endpoints](https://git.it-syndikat.org/IT-Syndikat/ITSynOpen/src/branch/master/server) to read and update the [SpaceAPI](https://spaceapi.io/) status, as well as to handle the "spaceping". This service produces a hard dependency on php and php-fpm. Please don't remove those.
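
A check for the relay restriction described in the mail server section, as an added example that is not part of the IT-Syndikat setup: it reads `ss -Hltn` output and reports every port 25 listener bound outside the tunnel subnets. It assumes the two subnets from the Routing section are the "server subnets" meant there; the function names and all sample addresses are constructed.

```python
import ipaddress
import sys

# Tunnel subnets as given in the Routing section (assumed to be the
# "server subnets" the mail server section refers to).
TUNNEL_NETS = [
    ipaddress.ip_network("10.17.7.0/24"),
    ipaddress.ip_network("2a0c:9a40:8070:70::/64"),
]

def parse_local(field):
    """Split the 'Local Address:Port' column of ss into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.split("%")[0].strip("[]")  # drop %iface scope and brackets
    return host, port

def exposed_smtp_listeners(ss_output, port=25):
    """Return local addresses listening on `port` outside the tunnel subnets."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, p = parse_local(cols[3])
        if not p.isdigit() or int(p) != port:
            continue
        if host == "*":                    # wildcard bind on every interface
            exposed.append(host)
            continue
        addr = ipaddress.ip_address(host)  # 0.0.0.0 and :: also fail the test below
        if not any(addr in net for net in TUNNEL_NETS):
            exposed.append(host)
    return exposed

# Constructed sample, shaped like `ss -Hltn` output.
SAMPLE = """\
LISTEN 0 100  10.17.7.1:25               0.0.0.0:*
LISTEN 0 100  [2a0c:9a40:8070:70::1]:25  [::]:*
LISTEN 0 4096 0.0.0.0:443                0.0.0.0:*
LISTEN 0 100  0.0.0.0:25                 0.0.0.0:*
LISTEN 0 100  [2001:db8::5]:25           [::]:*
"""

if __name__ == "__main__":
    # Usage: ss -Hltn | python3 check_smtp_bind.py
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = exposed_smtp_listeners(data)
    print("exposed port 25 listeners:", found or "none")
    sys.exit(1 if found else 0)
```

A non-zero exit means postfix (or something else on port 25) is reachable outside wg0, which is worth checking after any change to the postfix or WireGuard configuration.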