(Add info) |
(Formatting fix) |
||
| Line 1: | Line 1: | ||
=== What the hell is this? === | === What the hell is this? === | ||
In short, we are trying to restructure Project Segfault to make it more secure. | In short, we are trying to restructure Project Segfault to make it more secure. | ||
This includes separating things into multiple VMs, and deleting old & unused configs, containers etc. | This includes separating things into multiple VMs, and deleting old & unused configs, containers etc. | ||
=== Overview === | === Overview === | ||
| Line 6: | Line 7: | ||
==== CoreVM ==== | ==== CoreVM ==== | ||
CoreVM is the VM that will host the Turnserver and Caddy instance. It is meant to be an "entrypoint" to the other VMs. | CoreVM is the VM that will host the Turnserver and Caddy instance. It is meant to be an "entrypoint" to the other VMs. | ||
Only ssh for core (and git) will be forwarded for security, so you need to ssh into it first before SSHing into the others. | Only ssh for core (and git) will be forwarded for security, so you need to ssh into it first before SSHing into the others. | ||
All traffic going to all other VMs will go through this. | All traffic going to all other VMs will go through this. | ||
CoreVM will be the only restructure VM which has access to the LAN network (so that we can do port forward). | CoreVM will be the only restructure VM which has access to the LAN network (so that we can do port forward). | ||
It will be connected to both the NATs of restructure VMs (vmbr1) and the Pubnix (vmbr2). | It will be connected to both the NATs of restructure VMs (vmbr1) and the Pubnix (vmbr2). | ||
It runs on Debian but might be changed to something else if our security needs grows bigger. | It runs on Debian but might be changed to something else if our security needs grows bigger. | ||
==== DatabaseVM ==== | ==== DatabaseVM ==== | ||
DatabaseVM (DBVM) is the VM that will host all the databases for the docker & LXC containers. | DatabaseVM (DBVM) is the VM that will host all the databases for the docker & LXC containers. | ||
It will host Postgres (preferred) & MariaDB (for services that need it). | It will host Postgres (preferred) & MariaDB (for services that need it). | ||
Separation of the DBVM is so that we can do more optimizations to the DB and use the hardware to its fullest. | Separation of the DBVM is so that we can do more optimizations to the DB and use the hardware to its fullest. | ||
This VM will not have internet access at all other than during updates when the IPTables rule will be temporarily disabled. | This VM will not have internet access at all other than during updates when the IPTables rule will be temporarily disabled. | ||
It will also run on Debian and will use the official postgres repository instead of the Debian one. | It will also run on Debian and will use the official postgres repository instead of the Debian one. | ||
==== DockerVM ==== | ==== DockerVM ==== | ||
DockerVM is the VM that will host all the docker containers for our services. | DockerVM is the VM that will host all the docker containers for our services. | ||
It will be managed with Portainer and the Docker CLI. | It will be managed with Portainer and the Docker CLI. | ||
It will also run Debian and will use the official docker repository instead of the Debian one. | It will also run Debian and will use the official docker repository instead of the Debian one. | ||
==== ContainVM ==== | ==== ContainVM ==== | ||
ContainVM is the VM that will host all the LXC containers used for our services. | ContainVM is the VM that will host all the LXC containers used for our services. | ||
It will not have a WebUI and will be fully managed from the CLI alone. | It will not have a WebUI and will be fully managed from the CLI alone. | ||
This will host the Wiki and other services to come in the near future. | This will host the Wiki and other services to come in the near future. | ||
Revision as of 05:46, 13 February 2023
What the hell is this?
In short, we are trying to restructure Project Segfault to make it more secure.
This includes separating things into multiple VMs, and deleting old & unused configs, containers etc.
Overview
There will be 4 VMs, CoreVM, DatabaseVM, DockerVM, ContainVM
CoreVM
CoreVM is the VM that will host the Turnserver and Caddy instance. It is meant to be an "entrypoint" to the other VMs.
Only ssh for core (and git) will be forwarded for security, so you need to ssh into it first before SSHing into the others.
All traffic going to all other VMs will go through this. CoreVM will be the only restructure VM which has access to the LAN network (so that we can do port forward).
It will be connected to both the NATs of restructure VMs (vmbr1) and the Pubnix (vmbr2).
It runs on Debian but might be changed to something else if our security needs grows bigger.
DatabaseVM
DatabaseVM (DBVM) is the VM that will host all the databases for the docker & LXC containers.
It will host Postgres (preferred) & MariaDB (for services that need it).
Separation of the DBVM is so that we can do more optimizations to the DB and use the hardware to its fullest.
This VM will not have internet access at all other than during updates when the IPTables rule will be temporarily disabled.
It will also run on Debian and will use the official postgres repository instead of the Debian one.
DockerVM
DockerVM is the VM that will host all the docker containers for our services. It will be managed with Portainer and the Docker CLI.
It will also run Debian and will use the official docker repository instead of the Debian one.
ContainVM
ContainVM is the VM that will host all the LXC containers used for our services.
It will not have a WebUI and will be fully managed from the CLI alone.
This will host the Wiki and other services to come in the near future.