Revision as of 10:41, 26 March 2023
What the hell is this?
In short, we are restructuring Project Segfault to make it more secure.
This includes separating services into multiple VMs and deleting old and unused configs, containers, etc.
Overview
There are 5 VMs: CoreVM, DatabaseVM, DockerVM, ContainVM and BackwardsVM.
CoreVM
CoreVM is the VM that hosts our web server, Caddy. It is meant to be the "entrypoint" to the other VMs.
For security, only SSH to CoreVM is port-forwarded, so you need to SSH into it first before SSHing into the others.
All traffic to the other VMs goes through it.
CoreVM is the only restructure VM, other than BackwardsVM, with access to the LAN network (so that ports can be forwarded to it).
It is connected to both the NAT bridge of the restructure VMs (vmbr1) and the Pubnix bridge (vmbr2).
It runs on Debian but might be changed to something else if our security needs grow.
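As an added example (not from the wiki or Project Segfault's own configuration) of how a client reaches the inner VMs through CoreVM: the ~/.ssh/config written below uses ProxyJump, so each session is tunnelled through CoreVM while still authenticating end-to-end against the inner VM, with no agent forwarding and no private key stored on CoreVM. The hostname core.example.org, the forwarded port 2222, the user admin, the key path and the 10.10.10.0/24 addresses are assumptions. check_jump_only is a small guard that fails if any inner host lacks the ProxyJump line, which would otherwise make ssh attempt a direct connection that the NAT does not allow.

```shell
#!/bin/sh
# Added example, not the project's own config. All hostnames, addresses, port,
# user and key path below are assumptions for illustration.
set -eu

# Write a client-side ssh config: only CoreVM is reachable directly (its SSH
# port is the one forwarded from the LAN); everything else jumps through it.
write_ssh_config() {
    cat > "$1" <<'EOF'
Host core
    HostName core.example.org
    Port 2222
    User admin
    IdentityFile ~/.ssh/segfault_ed25519
    IdentitiesOnly yes

Host dbvm
    HostName 10.10.10.20
Host dockervm
    HostName 10.10.10.30
Host containvm
    HostName 10.10.10.40

# Shared settings for every inner VM: ProxyJump opens a TCP forward through
# CoreVM; the SSH session itself is still authenticated by the inner VM, so
# no agent forwarding and no key on CoreVM is needed.
Host dbvm dockervm containvm
    User admin
    ProxyJump core
    IdentityFile ~/.ssh/segfault_ed25519
    IdentitiesOnly yes
EOF
}

# Guard: every Host in the file other than core must end up with "ProxyJump core".
# Prints the offending hosts and returns non-zero if one is missing.
check_jump_only() {
    awk '
        /^Host / { n = 0; for (i = 2; i <= NF; i++) { cur[++n] = $i; seen[$i] = 1 } }
        /^[ \t]*ProxyJump[ \t]+core([ \t]|$)/ { for (i = 1; i <= n; i++) jumped[cur[i]] = 1 }
        END {
            bad = 0
            for (h in seen) if (h != "core" && !(h in jumped)) { print "no ProxyJump for " h; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Usage (runs only when a path is given): write the config, then verify it.
if [ "${1:-}" ]; then
    write_ssh_config "$1"
    check_jump_only "$1"
fi
```

After installing the file as ~/.ssh/config, `ssh -G dbvm` prints the effective options without connecting, which is a quick way to confirm that `proxyjump core` is what ssh will actually use.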
DatabaseVM
DatabaseVM (DBVM) is the VM that hosts all the databases for the Docker containers.
It hosts PostgreSQL (preferred) and MariaDB (for services that need it).
The DBVM is separated so that the databases can be tuned on their own and use the hardware to its fullest.
This VM has no internet access at all, except during updates, when the iptables rule is temporarily disabled.
It also runs on Debian and uses the official PostgreSQL and MariaDB repositories instead of Debian's.
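The update window is the risky part of an otherwise simple rule: if the rule is dropped by hand and apt fails half way, the database host stays on the internet. The script below is an added example (not Project Segfault's own firewall) of an egress lockdown for DatabaseVM that allows only loopback, reply traffic and the restructure NAT subnet, and opens internet access only for the lifetime of one apt run, restoring the lockdown through a shell trap whether or not the update succeeds. The subnet 10.10.10.0/24, the use of the iptables OUTPUT chain and the apt commands are assumptions.

```shell
#!/bin/sh
# Added example, not the wiki's own firewall script. NAT_NET and the iptables
# layout are assumptions; set IPT to a wrapper function to preview without root.
set -eu

IPT="${IPT:-iptables}"
NAT_NET="${NAT_NET:-10.10.10.0/24}"   # restructure NAT on vmbr1 (assumed)

# Egress policy for DBVM: allow loopback, replies to inbound connections (the
# app VMs connect *to* the databases) and the NAT subnet itself (SSH back to
# CoreVM, monitoring); then default-drop so nothing else leaves the host.
# The DROP policy is emitted last so existing sessions are never cut mid-apply.
egress_rules() {
    cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $NAT_NET -j ACCEPT
-P OUTPUT DROP
EOF
}

# (Re)install the lockdown from scratch so the function is idempotent.
apply_egress() {
    "$IPT" -F OUTPUT
    egress_rules | while read -r rule; do
        # shellcheck disable=SC2086  # intentional word splitting of one rule
        "$IPT" $rule
    done
}

# Open the window only for one apt run. The EXIT trap restores the lockdown on
# normal completion, on apt failure and (via the INT/TERM trap) on Ctrl-C, so a
# failed update cannot leave the database host with internet access.
update_window() {
    trap apply_egress EXIT
    trap 'exit 130' INT TERM
    "$IPT" -P OUTPUT ACCEPT
    apt-get update && apt-get -y upgrade
}

case "${1:-}" in
    lockdown) apply_egress ;;
    update)   update_window ;;
esac
```

Run `./egress.sh lockdown` once at boot (or from a systemd unit) and `./egress.sh update` for maintenance; DNS for apt works during the window because the policy is ACCEPT, and the NAT_NET rule is what keeps CoreVM reachable while locked down.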
DockerVM
DockerVM is the VM that hosts all the Docker containers for our services.
It is primarily managed with the Docker CLI and Compose, but also has Portainer available for quick tasks.
It also runs Debian and uses the official Docker repository instead of Debian's.
ContainVM
ContainVM is the VM that hosts all the LXC containers used for our services.
It has no web UI and is managed entirely from the CLI.
It hosts the Wiki and other services to come in the near future.
BackwardsVM
BackwardsVM is the VM that hosts all the non-HTTP services.
It is the only other VM with access to the LAN.
It was formalized later, when we realized that forwarding the ports through something like HAProxy would mean the services could not see the IP addresses of connecting clients; this breaks some programs (TURN, for example) and makes moderation an extreme hassle.
HAProxy does have an option for Transparent Proxying (TPROXY, https://www.haproxy.com/blog/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/) that fixes this, but it is not enabled in Debian's kernel, and we did not want to compile and maintain a custom kernel just for that.
BackwardsVM is basically a second DockerVM, though it also hosts some non-Docker things such as our ejabberd XMPP server and the TURN server used by it and by Matrix.