yepoleb/its-network
1
0
Fork 0
forked from IT-Syndikat/its-network
Code Pull requests Activity
its-network/docs/cloud/srv.md
Wachtl Enterprises LLC 53b7313e71 Remove as of now, unnescessary header for pandoc 
Pandoc used the % in the first line to define the header for a generated
PDF, we don't do that now so I removed the header.

Signed-off-by: Wachtl Enterprises LLC <tyrolyean@escpe.net>
2025-03-16 03:39:41 +01:00

67 lines
2.5 KiB
Markdown
Raw Permalink Blame History

# Location
The VM is running as srv.hc.it-syndikat.org in the hetzner cloud.
# Maintainers
- @dxld @lambda dns/VM Maintenance
- @tyrolyean @minato: Mail services
- @tyrolyean: Proxy services
# Technical
## Routing
The server itself has IPv6 and IPv4 addresses from hetzner, which it uses to
access (and be accessed by) the broader internet. It is connected to the ITS
intranet via a wireguard tunnel using the 10.17.7.0/24 and
2a0c:9a40:8070:70::/64 subnets. It can access internal services dual stack via
this tunnel. The tunnel interface has a record at `srv.srv.it-syndikat.org`.
## DNS
SRV is one of our authoritative NSes, please see the
[DNS master docs](../space/srv-acraze/dns.md) for further details.
## mail server
The system is running a postfix instance which solely acts as a relay for
outbound mail traffic. All inbound mail traffic is being processed on
`blackmail.srv.it-syndikat.org`. Postfix therefore only accepts mail inbound
on the wg0 interface on port 25 and only from the server subnets.
Traffic is relayed to and from this host to avoid mail being classified as spam
due to the originating ip being a dynamic.
## Proxy server
The server utilizes a haproxy to redirect inbound traffic to backend servers.
Services have been moved from `infectedmushroom.srv.it-syndikat.org` to this
server on 2022-11-28, which effectively obsoletes infectedmushroom.
Services have been migrated after a reboot of the machine managed to brick the
snid proxy setup we previously had.
If you would like to add a service which connects inbound via http/s, please
add it to the haproxy config at `/etc/haproxy/haproxy.cfg`. Check wether the
configuration is valid using the
`sudo haproxy -c -V -f /etc/haproxy/haproxy.cfg` command.
## NGINX
The server also operates an NGINX webserver to host the `it-syndik.at` and
`spaceapi.it-syndikat.org` domains. The former is merely used to redirect
matrix to the correct subdomains whilest the latter is hosted there to
achieve a better uptime (though that was up for debate at the time wether it
was actually nescessary).
After changes check wether the configuration you have produced is valid using
the `sudo nginx -T` command.
### SpaceAPI
The server hosts the [API endpoints](https://git.it-syndikat.org/IT-Syndikat/ITSynOpen/src/branch/master/server)
to read and update the [SpaceAPI](https://spaceapi.io/) status, as well as to
handle the "spaceping".
This service produces a hard dependency on php and php-fpm. Please don't remove
those.
View git blame Copy permalink