| Age | Commit message (Collapse) | Author |
|---|
|
Added user for Oliver to debug jumbotron bell
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
..and add Fiberby's time server as backup too.
|
|
esmil:
- use timer to update the homepage
- git clone/update and install gems as the homepage user
|
|
esmil:
- don't install cron job, just use the packaged timer
- install deploy hook to reload nginx when certificates are updated
|
|
|
|
esmil:
- disable access log and log errors to syslog (journal really)
use journalctl -u nginx to see the errors
- hoist some configuration values into ansible variables
- add tags and use a handler to reload nginx on configuration changes
- make nginx do its DNS queries against our local resolved
this enables nginx to use DNSSEC and DoT
- don't start nginx before the network is up. if it can't do
dns lookups ssl_stapling will be ignored
|
|
|
|
|
|
|
|
..now that we always rely on systemd-resolved being up
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Mushbie reports that Windows complains about out of date certificates
even when certbot is running fine, so try restarting radiusd on new
certificates rather than just telling it to reload its configuration.
|
|
|
|
|
|
|
|
"PasswordAuthentication no" only prevents password logins
from ever being successful, but it still entertain clients
with the possiblity of password logins.
This reduces the offered authentication methods from:
debug1: Authentications that can continue: publickey,password
to just publickey:
debug1: Authentications that can continue: publickey
After which most bots just disconnects.
Esmil: simplified so we only need one lineinfile stanza
|
|
systemd mechanics reworked by Esmil
Co-developed-by: Emil Renner Berthing <esmil@labitat.dk>
|
|
|
|
|
|
|
|
|
|
..just reload configuration gracefully with 'configure soft'
|
|
Just so that Esmil can test his Ansible changes.
|
|
Use ipaddress/pxlen{low,high} syntax to allow all
/48 prefixes that are covered by 2a10:2a80::/29.
https://bird.network.cz/?get_doc&v=20&f=bird-5.html#type-set
|
|
|
|
|
|
|
|
..to make sure we keep ip addresses in sync everywhere
|
|
This allows us to look up info on specific hosts without searching
through the whole list.
|
|
..to provide space.s alias
|
|
Add new prefix 2a0e:8f02:2190::/48
|
|
..which doesn't work now that wan is a vlan on
bonded interface.
|
|
Before:
- enp1s0: wan
- enp2s0: lan (with VLANs)
- enp3s0: mgt
Changes in this patch:
- wan is moved to VLAN id 5
- bond0 is created, replacing lan as lower device for VLANs
- mgt config is removed (could be reconfigured as a VLAN, and
made a available on a switch port)
- all 3 ports are enslaved in bond0
From the switch towards the space server load-balance algorithm
src-dst-ip* is used.
From the space server towards the switch L3+L4 is used.
Therefore a single IP pair will always use the same 1G
from the swith to the space server, a client therefore
needs to multiplex over multiple IPs in order to
*) The src-dst-ip algorithm on the switch hasn't been
tested with IPv6 yet. Hopefully we can find a better
switch at some point, so we can include the L4 ports in
the hashing on the switch.
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
New* switch for terminating 10 Gbps uplink,
with 3x1G LACP towards the space server,
and 4x1G LACP towards the space switch.
D-Link DGS-1510-28 Ethernet switch
- 24x 10/100/1000 Mbps RJ45 port
- 2x 1 Gbps SFP ports
- 2x 10 Gbps SFP+ ports
*) it was new in 2015, but the firmware was unusable
back then.
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
Move the Tor exit nodes to their own VLAN, and
their own address space.
Background for move
-------------------
For the first Tor exit node, we where able to
create inet6num object 2a01:4262:1ab:20::71/128.
So we could assign a specific Tor abuse contact.
When we added the second node it was no longer
possible to create /128 inet6num objects, but
only up to /64. We therefore need to move our
Tor exit nodes to a dedicated address space.
Connection tracking
-------------------
Connection tracking is quite expensive, so
it's better to only do it for Tor traffic,
when we actually need it, which is only when
internal clients need to access the servers.
In the future conntrack could also be disabled
for labicolo in general.
Current stats
~~~~~~~~~~~~~
[root@space ~]# grep -v '185\.38\.175\.7[12] ' /proc/net/nf_conntrack |
grep -v '2a01:4262:01ab:0020:0000:0000:0000:007[12]' | wc -l
4071
[root@space ~]# wc -l /proc/net/nf_conntrack
39138 /proc/net/nf_conntrack
Currently 4071 out of 39138 connections are not Tor related.
Also reading /proc/net/nf_conntrack is quite slow atm.:
[root@space ~]# time cat /proc/net/nf_conntrack > /dev/null
real 0m35.097s
user 0m0.010s
sys 0m28.114s
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
|
Until now BGP connections have only been established
when the space server has initiated the connection to
the peer.
It's best practice for both BGP speakers to be able to
connect to one another, lowering recovery time.
|
|
This patch changes the reverse path filtering of the labicolo VLAN
to take place in the prerouting hook, using the kernel routing
table, and removes the need to maintain a static prefix list.
Labicolo routes are exported to the kernel routing table by BIRD,
hence it should be sufficient to only have prefix lists there.
This change has been tested, and it's only possible to spoof
fellow labicolo members address space (same as before).
Esmil: prerouting before input/forward makes more sense to me
|
