its-network/docs/cloud/srv.md
Wachtl Enterprises LLC 53b7313e71 Remove as of now, unnescessary header for pandoc
Pandoc used the % in the first line to define the header for a generated
PDF, we don't do that now so I removed the header.

Signed-off-by: Wachtl Enterprises LLC <tyrolyean@escpe.net>
2025-03-16 03:39:41 +01:00

Location

The VM is running as srv.hc.it-syndikat.org in the hetzner cloud.

Maintainers

Technical

Routing

The server itself has IPv6 and IPv4 addresses from Hetzner, which it uses to access (and be accessed by) the broader internet. It is connected to the ITS intranet via a WireGuard tunnel using the 10.17.7.0/24 and 2a0c:9a40:8070:70::/64 subnets, and can reach internal services dual-stack through this tunnel. The tunnel interface has a DNS record at srv.srv.it-syndikat.org.

DNS

SRV is one of our authoritative NSes, please see the DNS master docs for further details.

mail server

The system runs a Postfix instance which acts solely as a relay for outbound mail. All inbound mail is processed on blackmail.srv.it-syndikat.org. Postfix therefore only accepts inbound mail on the wg0 interface on port 25, and only from the server subnets. Traffic is relayed through this host so that mail is not classified as spam because the originating IP is dynamic.
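As an added illustration of the restrictions described above (not the server's actual /etc/postfix/main.cf): a main.cf fragment that binds only to the tunnel and relays only for the two subnets named in this document. The tunnel host addresses ending in .1 and ::1 are assumed placeholders.

```ini
# Added example, not the live configuration. Tunnel host addresses are placeholders.

# Listen only on the wg0 tunnel addresses and loopback, never on the public
# Hetzner addresses, so port 25 is not reachable from the internet at all.
inet_interfaces = 10.17.7.1, [2a0c:9a40:8070:70::1], 127.0.0.1, [::1]
inet_protocols = all

# Hosts allowed to relay: exactly the tunnel subnets from the routing section.
mynetworks = 127.0.0.0/8, [::1]/128, 10.17.7.0/24, [2a0c:9a40:8070:70::]/64

# Relay for mynetworks only; any other client gets "Relay access denied".
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# Inbound mail for our domains lives on blackmail, so nothing is delivered locally here.
mydestination =
local_transport = error:local delivery is disabled on this relay

# The weak settings this replaces would be
#   inet_interfaces = all
#   mynetworks = 0.0.0.0/0
# which would turn the host into an open relay on its public addresses.
# Check the result with: postfix check && postconf -n inet_interfaces mynetworks
```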

Proxy server

The server runs HAProxy to forward inbound traffic to backend servers. Services were moved from infectedmushroom.srv.it-syndikat.org to this server on 2022-11-28, which effectively obsoletes infectedmushroom.

Services were migrated after a reboot of the machine bricked the snid proxy setup we previously had.

If you would like to add a service that receives inbound traffic via HTTP/S, add it to the HAProxy config at /etc/haproxy/haproxy.cfg. Check whether the configuration is valid with the sudo haproxy -c -V -f /etc/haproxy/haproxy.cfg command before reloading.

NGINX

The server also operates an NGINX webserver to host the it-syndik.at and spaceapi.it-syndikat.org domains. The former is merely used to redirect Matrix to the correct subdomains, whilst the latter is hosted here to achieve better uptime (though at the time it was debated whether that was actually necessary).

After making changes, check whether the configuration you have produced is valid using the sudo nginx -T command.

SpaceAPI

The server hosts the API endpoints to read and update the SpaceAPI status, as well as to handle the "spaceping".

This service produces a hard dependency on php and php-fpm. Please don't remove those.