Waschtl 4386bc34b8 Add missing -
Signed-off-by: Waschtl <tyrolyean@escpe.net>
2022-12-20 00:44:48 +01:00


\documentclass[
11pt, % Set the default font size, options include: 8pt, 9pt, 10pt, 11pt, 12pt, 14pt, 17pt, 20pt
%
aspectratio=169, % Uncomment to set the aspect ratio to a 16:9 ratio which matches the aspect ratio of 1080p and 4K screens and projectors
]{beamer}
\usepackage{booktabs} % Allows the use of \toprule, \midrule and \bottomrule for better rules in tables
\usepackage{listings}
\usepackage{fontspec}
\usepackage{verbatim}
%\usepackage{appendixnumberbeamer} %If you want a separate slide counter for your appendix
%%% Customize Theme %%%%%%%%%%%%%%%%%%%%%%
\usetheme{Madrid} % You can use other themes too, but this changes many things. I've found Madrid to be the best for this color scheme
%fg = font color
%bg = background color
% ! WARNING ! : Many colors are linked to multiple attributes, so changing one color can have unexpected changes!
% If you want to tweak the shading of orange and red, tweak the below 2 lines:
\definecolor{myRed}{RGB}{62, 112, 20}
\definecolor{myOrange}{RGB}{227, 125, 0}
% Bottom right hand color
\setbeamercolor*{structure}{bg=myRed!20,fg=myRed!90}
\setbeamercolor*{palette primary}{use=structure,fg=white,bg=structure.fg} %?
\setbeamercolor*{palette secondary}{use=structure,fg=myRed,bg=white}
%bottom left of footer & bar between title & top bubbles
\setbeamercolor*{palette tertiary}{use=structure,fg=white,bg=myRed}
\setbeamercolor{frametitle}{bg=myRed!85,fg=white} %title of each slide
\setbeamercolor*{titlelike}{parent=palette primary} %?
%\setbeamercolor{titlelike}{parent=palette primary,fg=structure.fg!50!myRed}
%for miniframe (very top) AND center footer
\setbeamercolor{section in head/foot}{fg=myOrange, bg=white}
%%% Specific Colors %%%
\setbeamercolor{item projected}{bg=myOrange}
\setbeamertemplate{enumerate items}{bg=myOrange}
\setbeamercolor{itemize item}{fg=myOrange}
\setbeamercolor{itemize subitem}{fg=myOrange}
\setbeamercolor{button}{bg=myOrange}
%%% Edits ONLY the TOC slide %%%
\setbeamercolor{section in toc}{fg=black}
\setbeamercolor{subsection in toc}{fg=black}
%%% Block Colors %%%
% Standard block %
\setbeamercolor{block title}{bg=myOrange, fg=white}
\setbeamercolor{block body}{bg=myOrange!20}
% Alerted block % If you want to customize its color
%\setbeamercolor{block title alerted}{bg=cyan, fg=white}
%\setbeamercolor{block body alerted}{bg=cyan!10}
% Example block % If you want to customize its color
%\setbeamercolor{block title example}{bg=cyan, fg=white}
%\setbeamercolor{block body example}{bg=cyan!10}
%---------------------------------------------------------
% SELECT FONT THEME & FONTS
%---------------------------------------------------------
\usefonttheme{default} % Typeset using the default sans serif font
\usepackage{palatino} % Use the Palatino font for serif text
\useinnertheme{circles}
\usepackage{svg}
%---------------------------------------------------------
% SELECT OUTER THEME
%---------------------------------------------------------
% Outer themes change the overall layout of slides, such as: header and footer lines, sidebars and slide titles. Uncomment each theme in turn to see what changes it makes to your presentation.
%\useoutertheme{default}
%
\useoutertheme{miniframes}
%\useoutertheme{infolines}
%\useoutertheme{smoothbars}
%\useoutertheme{sidebar}
%\useoutertheme{split}
%\useoutertheme{shadow}
%\useoutertheme{tree}
%\useoutertheme{smoothtree}
\setmonofont[Scale=MatchLowercase]{Hack}
\fontspec{Libertinus Sans}
%---------------------------------------------------------
% PRESENTATION INFORMATION
%---------------------------------------------------------
\title[ITS-Infra WS]{ITS-Infrastructure Workshop}
\subtitle{From router to email and back}
\author[Waschtl <tyrolyean@semi-professional.org>]{Author: waschtl}
\institute[]{IT-Syndikat \\ \smallskip \textit{wir@it-syndikat.org}}
\date[\today]
\logo{\includesvg[width=1.0cm]{./images/its.svg}}
%---------------------------------------------------------
%---------------------------------------------------------
%---------------------------------------------------------
\begin{document}
%---------------------------------------------------------
% TITLE SLIDE
%---------------------------------------------------------
\section{}
\begin{frame}
\titlepage
\end{frame}
%---------------------------------------------------------
% TABLE OF CONTENTS SLIDE
%---------------------------------------------------------
% The table of contents outputs the sections and subsections that appear in your presentation, specified with the standard \section and \subsection commands. You may either display all sections and subsections on one slide with \tableofcontents, or display each section at a time on subsequent slides with \tableofcontents[pausesections]. The latter is useful if you want to step through each section and mention what you will discuss.
\begin{frame}
\frametitle{Table of Contents} % Slide title, remove this command for no title
\tableofcontents % Output the table of contents (all sections on one slide)
%\tableofcontents[pausesections] % Output the table of contents (break sections up across separate slides)
\end{frame}
\section{General}
\subsection{Documentation}
\begin{frame}
\frametitle{Infrastructure Documentation}
Git repository at \url{https://git.it-syndikat.org/it-syndikat/its-network.git}\\
\begin{tiny}
\begin{columns}[t]
\begin{column}{0.5\textwidth}
\verbatiminput{text/doc_tree.txt}
\end{column}
\begin{column}{0.5\textwidth}
\verbatiminput{text/res_tree.txt}
\end{column}
\end{columns}
\end{tiny}
\end{frame}
\subsection{IP}
\begin{frame}
\frametitle{IP}
\begin{itemize}
\item{IPv4}
\begin{itemize}
\item{Space} infrastructure resides inside the \texttt{10.17.0.0/16} subnet
\item{Cuco} Resides in \texttt{192.168.1.0/24} subnet
\end{itemize}
\item{IPv6}
\begin{itemize}
\item{Space} subnet \texttt{2a0c:9a40:8070::/44} uplink via @dxld's infrastructure.
\begin{itemize}
\item{Servers} obtain their address via DHCPv6, which auto-registers the hostname in the \texttt{srv.it-syndikat.org} zone
\item{LAN} obtains addresses via DHCPv6 \textbf{AND} SLAAC; only the DHCPv6 address is registered in \texttt{asozial.it-syndikat.org}
\end{itemize}
\item{Cuco} doesn't have or want IPv6
\end{itemize}
\end{itemize}
\end{frame}
\subsection{Router/FW}
\begin{frame}
\frametitle{Router/FW}
\begin{itemize}
\item PFSense reachable at \texttt{sozial.asozial.it-syndikat.org}
\item SSO via LDAP; all members of the netadmins group
\item recovery credentials in vaultwarden
\item stateful firewalling and port forwarding
\item DDNS public record at \texttt{public.srv.it-syndikat.org}
\item OpenVPN server for remote access with LDAP credentials
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Router/FW Hardware}
\begin{columns}[t]
\begin{column}{0.5\textwidth}
\begin{itemize}
\item NRG Systems IPU654
\item Intel Pentium N5405U 2C/4T
\item 4GB DDR4 SO-DIMM
\item 128G Intel SATA SSD
\item 6x Intel i211-AT Gigabit NIC
\item 10W IDLE
\end{itemize}
\end{column}
\begin{column}{0.5\textwidth}
\begin{figure}[H]
\includegraphics[height=.5\textheight]{images/IPU654}
\end{figure}
\end{column}
\end{columns}
\end{frame}
\subsection{Subnets}
\begin{frame}
\frametitle{Subnets}
\begin{columns}[t]
\begin{column}{0.5\textwidth}
\begin{itemize}
\item{LAN} -- ITS network
\begin{itemize}
\item \texttt{10.17.54.0/24}
\item \texttt{2a0c:9a40:8070::/64}
\end{itemize}
\item{CUCO}
\begin{itemize}
\item \texttt{192.168.1.0/24}
\end{itemize}
\item{PLAYGROUND} -- Sandbox net
\begin{itemize}
\item \texttt{10.17.3.0/24}
\end{itemize}
\item{SERVERS}
\begin{itemize}
\item \texttt{10.17.4.0/24}
\item \texttt{2a0c:9a40:8070:40::/64}
\end{itemize}
\end{itemize}
\end{column}
\begin{column}{0.5\textwidth}
\begin{itemize}
\item{VPNSRV} -- VPN access from outside
\begin{itemize}
\item \texttt{10.17.5.0/24}
\item \texttt{2a0c:9a40:8070:50::/64}
\end{itemize}
\item{SRVHCVPN} -- Tunnel to \texttt{srv.hc.it-syndikat.org}
\begin{itemize}
\item \texttt{10.17.7.0/24}
\item \texttt{2a0c:9a40:8070:70::/64}
\end{itemize}
\item{JADE}
\begin{itemize}
\item \texttt{10.17.7.0/24}
\item \texttt{2a0c:9a40:8070:70::/64}
\end{itemize}
\end{itemize}
\end{column}
\end{columns}
\end{frame}
\section{LDAP}
\subsection{LDAP general}
\begin{frame}
\frametitle{LDAP}
\begin{columns}[t]
\begin{column}{0.5\textwidth}
\begin{itemize}
\item \textbf{L}ightweight \textbf{D}irectory \textbf{A}ccess \textbf{P}rotocol
\item Subset of ITU X.500 standards (mostly X.511)
\item Uses the X.500 naming scheme (key=value pairs separated by commas)
\item hierarchical structure
\item Case insensitive
\item different software can access same user information
\end{itemize}
\end{column}
\begin{column}{0.5\textwidth}
\begin{itemize}
\item used to store and retrieve directory information, e.g.\
\begin{itemize}
\item usernames/passwords
\item login shell
\item ssh-keys
\item home directory location
\item group memberships
\item service configuration (DNS,dhcp,etc.)
\end{itemize}
\end{itemize}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{X.500 standard abbreviations}
\begin{columns}[t]
\begin{column}{0.5\textwidth}
\begin{itemize}
\item OU…Organizational Unit
\item DN…Distinguished Name
\item CN…Common Name
\item UID…User ID (username)
\item SN…Surname
\end{itemize}
\end{column}
\begin{column}{0.5\textwidth}
\begin{itemize}
\item O…Organization
\item DC…Domain component
\end{itemize}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{objectClasses}
Object classes define what information may be present in an object, and in which format
\begin{columns}[t]
\begin{column}{0.5\textwidth}
\begin{itemize}
\item posixAccount…Account with passwd information
\item shadowAccount…Account with password
\item inetOrgPerson…RFC 2798 standard user account
\item organizationalPerson…Person in organisation
\item ldapPublicKey…Non-standard: SSH key in LDAP
\end{itemize}
\end{column}
\begin{column}{0.5\textwidth}
\begin{itemize}
\item posixGroup…Posix style group
\item organizationalUnit…Defines contents of OU object
\item organizationalRole…Role within organisation (More or less subset of organizationalPerson)
\end{itemize}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Example LDAP entry}
\begin{columns}[t]
\begin{column}{0.5\textwidth}
\tiny\verbatiminput{text/tyrolyean.ldif}
\end{column}
\begin{column}{0.5\textwidth}
\begin{itemize}
\item \texttt{dn} denotes the position in the LDAP tree
\item \texttt{uid} and \texttt{cn} are used synonymously for users
\item \texttt{uidNumber} \textbf{MUST} be unique
\item \texttt{gecos} field stems from UNIX
\end{itemize}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Standard (open)ldap utils}
\begin{itemize}
\item \texttt{ldapsearch} query the LDAP server
\item \texttt{ldapdelete} remove object/field from the server
\item \texttt{ldapadd} add object/field to the server
\item \texttt{ldapmodify} add/remove/modify object/field on the server
\item \texttt{ldappasswd} change password field (LDAPv3 extension)
\item \texttt{ldapwhoami} whoami in ldap
\end{itemize}
\end{frame}
\subsection{ITS-Setup}
\begin{frame}
\frametitle{LDAP Server setup}
\begin{columns}[t]
\begin{column}{0.35\textwidth}
\begin{itemize}
\begin{tiny}
\item \texttt{blacksunempire.srv.it-syndikat.org}
\item \texttt{ldap.it-syndikat.org}
\item Debian
\item \url{ldaps://ldap.it-syndikat.org}
\item \texttt{SLAPD} from Debian repositories
\item Base DN: \texttt{dc=it-syndikat,dc=org}
\item \texttt{ou=groups} and \texttt{ou=users} OUs
\end{tiny}
\end{itemize}
\end{column}
\begin{column}{0.65\textwidth}
\tiny\verbatiminput{text/bse_neofetch.txt}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{LDAP Server setup (cont.)}
\begin{columns}[t]
\begin{column}{\textwidth}
\begin{itemize}
\item SLAPD gets cert from certbot
\item access restricted by host and network firewall
\item Accepts STARTTLS (TCP 389) and implicit TLS/LDAPS (TCP 636)
\item Stores password hashes as argon2i
\item Posix-Style group memberships
\item ``SSO''-Provider
\end{itemize}
\end{column}
\end{columns}
\end{frame}
\section{Services}
\subsection{Virtualisation}
\begin{frame}
\frametitle{Main Hypervisor}
\begin{columns}[t]
\begin{column}{0.35\textwidth}
\begin{itemize}
\begin{tiny}
\item \texttt{acraze.srv.it-syndikat.org}
\item Proxmox VE
\item \url{https://acraze.srv.it-syndikat.org:8006}
\item LDAP SSO; Permissions have to be assigned manually!
\end{tiny}
\end{itemize}
\end{column}
\begin{column}{0.65\textwidth}
\tiny\verbatiminput{text/acraze_neofetch.txt}
\end{column}
\end{columns}
\end{frame}
\subsection{Edge proxy}
\begin{frame}
\frametitle{Hetzner Edge Proxy}
\begin{columns}[t]
\begin{column}{0.5\textwidth}
\begin{itemize}
\begin{small}
\item \texttt{srv.hc.it-syndikat.org}
\item Hetzner CX11 Instance
\item Haproxy server
\item Postfix smtp relay
\item DNS authoritative server \texttt{ns0.srv.it-syndikat.org.}
\end{small}
\end{itemize}
\end{column}
\begin{column}{0.5\textwidth}
\tiny\verbatiminput{text/srv_neofetch.txt}
\end{column}
\end{columns}
\end{frame}
\subsection{DNS}
\begin{frame}
\frametitle{DNS services}
\begin{columns}[t]
\begin{column}{0.5\textwidth}
\begin{itemize}
\begin{small}
\item \texttt{srv.hc.it-syndikat.org}
\item DNS authoritative server \texttt{ns0.it-syndikat.org.}
\item Master for \texttt{it-syndikat.org.} and \texttt{it-syndik.at.}
\item Slave for \texttt{srv.it-syndikat.org.} and \texttt{asozial.it-syndikat.org.}
\end{small}
\end{itemize}
\end{column}
\begin{column}{0.5\textwidth}
\begin{itemize}
\begin{small}
\item \texttt{luude.srv.it-syndikat.org}
\item DNS authoritative server \texttt{ns01.srv.it-syndikat.org.}
\item Master for \texttt{srv.it-syndikat.org.} and \texttt{asozial.it-syndikat.org.}
\end{small}
\end{itemize}
\end{column}
\end{columns}
\end{frame}
\subsection{E-Mail}
\begin{frame}
\frametitle{E-Mail services}
\begin{itemize}
\item \texttt{blackmail.srv.it-syndikat.org}
\item Debian standard postfix and dovecot
\item Access as \texttt{mail.it-syndikat.org}
\item Proxied through \texttt{srv.hc.it-syndikat.org}
\item SMTP, IMAP and POP3
\end{itemize}
\end{frame}
\subsection{Database}
\begin{frame}
\frametitle{Postgresql Database}
\begin{itemize}
\item \texttt{pgsql.srv.it-syndikat.org}
\item Debian standard postgresql
\item Authentication via TLS client certificates
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Mariadb Database}
\begin{itemize}
\item \texttt{pgsql.srv.it-syndikat.org}
\item Debian standard mariadb
\item Authentication via user/password
\item Certificate from certbot
\end{itemize}
\end{frame}
%---------------------------------------------------------
% CLOSING SLIDE
%---------------------------------------------------------
% To remove miniframe from top
\appendix
\begin{frame}[noframenumbering] %So the end and appendix slides don't contribute to the page count
\frametitle{OPNSense vs PFSense}
OPNSense
\begin{itemize}
\item Nicer user interface
\item Allows rules to match inbound and outbound on interface
\item conflates LDAP and Active Directory
\item broken dualstack address mapping
\item weird WireGuard interface issues
\end{itemize}
\end{frame}
\begin{frame}[noframenumbering] %So the end and appendix slides don't contribute to the page count
\frametitle{OPNSense vs PFSense}
PFSense
\begin{itemize}
\item Working LDAP group memberships
\item Working WireGuard support
\item Working dualstack rule matching
\item Did I mention stuff working?
\end{itemize}
\end{frame}
\end{document}