Difference between revisions of "Infrastructure"

This page documents VTLUUG's infrastructure post-CVL eviction. It is intended as a scratch pad of sorts for organizing infrastructure changes, since Infrastructure:Log is incredibly out of date, and there are a lot of details which must be sorted out before major infrastructure changes can be made.

Physical Infrastructure

Main Article Infrastructure:Cyberdelia, VTLUUG:Inventory

Cyberdelia is the only connected physical machine right now. It contains 48 GB of memory with 4 ethernet interfaces; only eth4 is connected and is attached to br0. All hosts are on the ECE network behind router.ece.vt.edu, a gateway featuring ARP proxying but no IPv6. For global DNS changes under ece.vt.edu, server room access, and getting hosts added to the ARP proxy, contact Brandon Russell

Virginia Tech has started blocking inbound ports 22 and 3389 and outbound port 25 at the campus border, in a move some are calling Cyber Auschwitz. Contact itso-g@vt.edu for firewall exceptions. When deploying new hosts, make ssh listen on both 2222 and 22. Acidburn currently listens on 443 as well.

Most other VTLUUG-owned servers are currently stored in Ali's basement, with the exception of sunway and a SuperMicro server, which were all transferred to WUVT. The list of these machines includes [[Infrastructure:Wood|Wood], our router, and a variety of other servers, including our old LXC hosts, the mirror, and a DEC Alpha server.

Some goals for once we get rackspace:

• Acquire new servers
  • Phase out older infrastructure
  • Rebuild most existing servers, to clear out old accounts, old passwords, etc.
    • Assume that machines with installs which predate the current sysadmin are pwned
• Expand Tank on cyberdelia, as it is nearing full
  • Current array is seven 1TB drives in a zraid array, equivalent to RAID 6.
  • Do we want to buy disks to replace the current ones, to expand the array all at once, or deploy a new array in a new machine?
• Provide an LXC host (preferably on physical hardware)
• Acquire an IPv6 prefix delegation, and either an IPv6 tunnel or something else
• Build a darknet for fail-over from the main network; perhaps run two OpenBSD boxes in CARP.
• Relaunch and expand mirror.cc.vt.edu, perhaps running in CARP.

On the Network Architecture

Further Information: Infrastructure:Networking

A simple network diagram by mjh

Because VTLUUG infra no longer has IPv6 access, we are limited by the IP addresses assigned to us, and what we can get through DHCP from ECE. As a consequence, all services which do not need to have a global IP should move to the internal network on the 10.99.x.x/16 subnet. In the future, it may be wise to bridge this network to an ethernet port on cyberdelia, so that a switch can be used to network our other services. When we have rackspace to do so, VPN/Iodine access to the internal network will be necessary.

In theory, services can be provided via a hidden service (read: Tor), but that introduces other complications. Alternately, services can require use of the VPN on acidburn, Iodine, or ssh tunnelling, although all of these limit usage to members with a shell account.

Services

Critical

• Acidburn
  • Shell server
  • Email
  • Wadsworth
• Razor
  • LDAP
• Infrastructure:Milton|Milton]]/Sczi
  • Website
    • Wiki
    • Main Page
    • snapfeed
    • linx
    • public file shares
  • git
• Cyberdelia
  • All the above services
  • VMs for projects
  • other services
  • Tank
    • NFS
    • milton_srv (website files)

Acidburn and the website must be accessible through real services, and it is preferable that Cyberdelia is too. This means we must use our public IPv4 Addresses allotted by ECE.

Other (not all functional)

• Tahoe-LAFS
  • Should be on hidden service.
• Jitsi Meet
  • Should be public
• User websites
  • Hosted on Milton/Sczi, so will be public
  • Of course, domain owners have to set up their DNS correctly.
• Diaspora*
  • use of public or hidden service doesn't matter, assuming it can be run as a hidden service.
• Iodine
  • On acidburn. Relies on Acidburn being listed as NS for iod.vtluug.org
• IPsec Tunnel
  • On acidburn

Website details

Main article: Infrastructure:Milton, Infrastructure:Sczi

Current Setup

All vtluug websites are run on nginx on milton. These sites are currently functional:

• gobblerpedia.org
• hokieprivacy.org
• linx.vtluug.org
• snapchat.vtluug.org
• vtluug.org
• wiki.vtluug.org (this redirects to vtluug.org/wiki/)

All of these sites exclusively allow for the use of TLS connections. Hokie Privacy has a cert from letsencrypt, while all other services are verified by StartCom.

Currently, milton has no startup script for the website. If things go down, someone has to run

root@milton:/srv/http/vtluug.org# sudo -u www-data uwsgi --yaml uwsgi.yml

in a tmux session, to restart uWSGI. It is also unlikely that nginx will start properly because of weird dependencies on uWSGI, though it can be started with

# /etc/init.d/nginx restart

Main Page

It currently appears that the main vtluug page (mostly written in php), is or was managed from Drupal as a backend, but for that to function, mysql needs to be running.

uWSGI, django, and PHP appear make up most of the important features of the website in unknown ways. This was configured by James at some point, we presume, but he is not available to provide more information on the set-up, and even with more information, it would be preferable to move the website to something more simple and sane.

In other words, echarlie doesn't want to try to maintain what is in place, but would rather start from scratch and the existing HTML for the website.

Wiki

The wiki currently runs fully on MediaWiki hosted on nginx (as opposed to the default include of apache2, demanded by the Debian package). Postgres is used for the database management, AFAIK, and authentication is through LDAP. MediaWiki is a dated git version from the stablerepository, as of March 2016, however updating is more complicated than a git pull. echarlie ran a database update in mid-March.

Gobblerpedia

All but disabled currently, due to spam. Runs on MediaWiki

Linx

Uses aam's linx, and is an identical implementation to his site linx.li. One of the few sites with a complete startup script. The maintenance is currently the responsibility of aam, however this is subject to change, pending his retaining root access on sczi.

Historically

Beyond these, we have data and nginx configurations for these (deprecated) sites, which were previously hosted on milton:

Needs Restoration

These are VTLUUG services that haven't yet been properly restored:

• foodfor.vtluug.org - For Wadsworth's .pickfood and .foodvote commands. This is jpo's fault.
• tahoe.vtluug.org - mhazinsk's Tahoe-LAFS grid
• git.vtluug.org - git hosting; previously a redirect to gitweb with gitosis as the SSH backend
• gitweb.vtluug.org - git hosting; previously gitweb
• map.vtluug.org - OSM
• vtbash.org - VT QDB
• users.vtluug.org - member hosting of acidburn home directories

Deprecated

These are no longer needed but we should preserve the data/config:

• ccdc.vtluug.org - website used for the Collegiate Cyber Defense Competition in the spring of 2011.
• nagios.vtluug.org - was used for monitoring for a period but not kept up-to-date; the primary issue was that infrastructure, being hosted on the same server, tended to fail all at once
• uniluug.org - deprecated project uniluug
• security.ece.vt.edu - REDACTED
• wargame.vtluug.org - vtluug's wargame pre-vtcsec
• munin.vtluug.org - former attempt at monitoring
• webchat.vtluug.org - channel webchat; version of the service still runs on the vtluug website as an embeded frame from freenode's website. This should be disabled.
• cdn.vtluug.org - member website
• randynance.info - member website
• jessicaandchristopher.net - member website
• vtcybersecurity.org - member website from pre-csec days

Prior to the current site, which was written in Python using Django starting in 2010 and deployed in 2011, the VTLUUG website was a WordPress instance. The files for this still exist. Much of the original django deployment was highly dynamic, with an identi.ca feed, automatic calendar updates, and other features.

Additional files and configuration data exist for multiple versions of dokuwiki and mediawiki. There are also files for a NewsBlur installation which was never functional, and "bitcoin," the purpose of which is unknown.

For a time, a static version of vtbash.org was hosted at bash.vtluug.org.

Until recently, VTLUUG ran a Gopher server on Milton, with a small welcome page and access to /files. Git hosting was also provided; authenticated access was over SSH with gitosis and public access was via Gitweb and the insecure Git protocol.

vtluug.org/public/$user/ was previously a source directory of files placed in a user's $HOME/public directory on NFS. [When? I thought it was always users.vtluug.org?]

VTLUUG members also ran mirror.ece.vt.edu, although it was never an official VTLUUG project. The IPv4 allocation for this domain is still available.

PostgreSQL tables exist on milton for foodforus, jandc, mediawiki, mewsblu, sharedwiki, uniluug, vtluug_wiki, and wargame_bbs. More research is necessary to determine what these are for. There are also a collection of mySQL databases on milton which may be desirable to archive and store.

Considerations for the future

It would be preferable to keep all existing sites functional. Aam suggested the use of caddy to replace nginx, especially on static sites, because it provides automatic letsencrypt. Most likely, this will not be used, though, in favour of manually configuring letsencrypt (because caddy is not in the repositories).

It is also important to ensure there are startup scripts for sczi, so that a reboot of it doesn't result in a 10-hour website outage.

TLS Encryption

All sites should move to automatic letsencrypt certificates within the next few months. letsencrypt is still in beta, but it provides fully functional and low-hassle 3-month certificates. They will have integration for nginx soon, which will decrease the complexity of getting certs.

It may also be of interest to the club to revive monkeysphere signing on the servers.

Project Hosting

Most vtluug internal projects (e.g. HokiePrivacy) are currently hosted on git repositories on milton. How to move forwards with these is still indeterminate.

For public hosting, there has been some conversation about using Go Git Service (gogs), for public, www-viewable git repositories.

Gobblerpedia

Gobblerpedia is effectively non-functional because account creation was disabled to prevent spam. This needs to be addressed by adding captchas which are Blacksburg-specific, limiting account creation access to local IP addresses, or enabling some form of LUUG-managed account creation. One suggestion was using CAS/Login services to authenticate, however that makes it difficult for Blacksburg residents to add content, and has other disadvantages.

VTLUUG Main Page

This needs to be kept up-to-date, and have some way of adding calendar information. [[user:Echarlie|echarlie] would like a simple static site with some clean CSS, to avoid the clusterf*ck that is re-enabling uwsgi at the current time.

VTLUUG Wiki

Meeting creation script needs to be re-implemented.

Addressing

Main article: Infrastructure:Network

VTLUUG currently has DNS with namecheap, however all domains have been re-registered with gandi under vtluug's own account, to replace the mixture of mutantmonkey-holdings and vtluug-held domains on multiple different registrars.

https://linx.vtluug.org/ips1.txt

Deprecated IPs

IPs we were using at some point (by reclaiming CVL IPs, etc), or are mentioned in /etc/exports on Cyberdelia

• 128.173.88.161 (security.ece.vt.edu) - was once milton's IP until luug IPs got routed behind router.ece.vt.edu.
• 128.173.88.145 (cvl05.ece.vt.edu) - was once snapfeed's IP, reclaimed by bmckagen.
• 128.173.88.131 (dog.ece.vt.edu) - we have a Sun box labeled "dog.ece.vt.edu" but the IP appears to be in use now for VMware ESXi. It can be arped from cyberdelia.