Difference between revisions of "IT Stuff"

From Meta Makers Wiki
(POP1)
(POP2)
 
(3 intermediate revisions by the same user not shown)
Line 112: Line 112:
 
|ssh = sysadmin@rocketchat.pop2.metamakers.org
 
|ssh = sysadmin@rocketchat.pop2.metamakers.org
 
|os = Ubuntu 18.04.2 64-bit
 
|os = Ubuntu 18.04.2 64-bit
|weburl=https://10.3.19.24
+
|weburl=https://chat.metamakers.org
 
|ip = 10.3.19.24
 
|ip = 10.3.19.24
 
|secretid= 22
 
|secretid= 22
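Review bot: pointing weburl at https://chat.metamakers.org instead of https://10.3.19.24 is the right fix, since a cert issued for the hostname never validates against a URL with the bare IP, but the entry should also say which host now fronts chat.metamakers.org (the page lists webproxy.pop2 at 10.3.19.13 as the Nginx reverse proxy) so the next admin knows where TLS terminates when the chat UI is unreachable; the `|ip = 10.3.19.24` line only says where the VM itself lives.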
Line 140: Line 140:
 
|os = Proxmox v6.0.1
 
|os = Proxmox v6.0.1
 
|description = KVM server for M2C VMs
 
|description = KVM server for M2C VMs
|remotemgmt = iDRAC
+
|remotemgmt = IPMI
 
|remotemgmtIP = 10.3.0.3
 
|remotemgmtIP = 10.3.0.3
 
|ip = 10.3.0.2
 
|ip = 10.3.0.2
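Review bot: relabelling remotemgmt as IPMI is fine, but `|remotemgmtIP = 10.3.0.3` puts the BMC on the same subnet as the host at 10.3.0.2, and the IPMI 2.0 RAKP handshake hands a salted password hash to anyone who can reach UDP 623; put the management interface on a separate VLAN or at least filter it to admin hosts on the firewall, and if it stays as is, note on the page that the BMC is reachable from the VM network.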
Line 146: Line 146:
 
|secretid = ??
 
|secretid = ??
 
|note = {{Note| server is a Dell PowerEdge T300 s/t: ?????}}
 
|note = {{Note| server is a Dell PowerEdge T300 s/t: ?????}}
{{Note|for iDRAC login credentials, use {{secret |id=??}} }}
 
{{Note|this server was originally donated to Hackforge by Pat Andry.  Technically, it belongs to Jeff Drake now after HF closed.}}
 
 
}}
 
}}
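Review bot: the iDRAC credentials note is deleted but not replaced, and `|secretid = ??` is still a placeholder, so after this edit nobody can find the IPMI login; record the secret id for the IPMI credentials (or a `{{secret |id=...}}` note like the one being removed) before dropping the old pointer. Removing the donation note here is right, since it belongs to the POP2 DL380p entry.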
  
Line 268: Line 266:
 
You can list all the certs available by running
 
You can list all the certs available by running
 
  sudo emailcerts.sh -l
 
  sudo emailcerts.sh -l
 +
 +
=== How to import a client cert into pfSense ===
 +
Here's the steps
 +
# Create a client cert '''*WITHOUT*''' a password for the private key via step 2b above
 +
# Import the M2C Root CA and intermediate CA into the CA tabs under 'certificates'
 +
# Import the client cert '''*bundle*''' along with the private key.  It doesn't like it if you don't include the intermediate cert with the client cert itself.
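Review bot: step 1 asks for a private key with no passphrase and step 3 then uploads it, so say what happens to that key afterwards: pfSense keeps it unencrypted in config.xml (so config backups now contain the key), and the copy left on wiki.metamakers.org should be removed once the import is done. Step 3 should also spell out what 'bundle' means here: one PEM file with the client cert first and the intermediate cert after it, which is why a file holding only the client cert is rejected.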

Latest revision as of 21:54, 8 November 2019

This page is for keeping track of all the computer shit at Meta Makers

1 General Info

1.1 M2C PKI

Meta Makers has a root CA that is meant to be kept offline. Its key material is currently stored on wiki.metamakers.org in the /root/M2Cpki.tar.gz tarball. Yes, that is a bad place to put it (a root that lives on an internet-facing server is not offline, and anyone who gets root on the wiki host can issue certs trusted by everything that trusts M2C), but it's there for now.

There is also an intermediate CA on wiki.metamakers.org under /opt/easy-rsa/easyrsa3/M2CSubCA; it uses the easy-rsa scripts from OpenVPN to generate certs.


TODO: move offline root CA to somewhere safe

1.2 DNS info

metamakers.org is registered at hover.com

2 Server Info

2.1 POP1

wiki.metamakers.org ssh - 10.5.20.17
MediaWiki, M2C certificate, phpMyAdmin, and Let's Encrypt server
  • server is a virtualbox VM sitting on Shawn's linux server
  • Meta Makers intermediate CA infrastructure is stored under /opt/easy-rsa/easyrsa3/M2CSubCA and is managed by the easyrsa scripts from openvpn. For more information, see Certificates
  • ssh is enabled
  • letsencrypt certs are generated and stored on this server. They are stored under /opt/dehydrated/certs .
  • server is backed up via the free Veeam linux agent
  • membership scripts are stored under /usr/local/src/membership


mail.metamakers.org ssh - 10.5.20.18
mail server configured using iRedMail
  • server is a virtualbox VM sitting on Shawn's linux server
  • Server uses the iRedMail scripts to set up Sogo, Roundcube, postfix, dovecot, and mySQL
  • iRedMail config description is in /home/shawn/src/iRedMail-0.9.8/config
  • server is backed up via the free Veeam linux agent


2.2 POP2

vmhost1.pop2.metamakers.org ssh - 10.3.19.9, 10.3.19.10 (iLO)
KVM server for M2C VMs
  • O/S is Proxmox v5.?
  • See link for username/password
  • server is a Proliant DL380p, p/n: 670856-S01, s/n: 2M233901PB
  • this server was originally donated to Hackforge by Pat Andry. Technically, it belongs to Jeff Drake now after HF closed.
  • server uses SFF drives, full specs are online here
  • HP p/n for ball bearing rail kit w/ cable management arm (CMA): 663478-B21
  • HP p/n for ball bearing rail kit by itself: 720863-B21
  • HP p/n for ball bearing CMA by itself: 720865-B21
linux-desktop1.pop2.metamakers.org ssh - <dhcp>
ubuntu desktop VM for general usage
  • O/S is Ubuntu 18.04.2 64-bit


nextcloud.pop2.metamakers.org ssh - 10.3.19.12
Nextcloud server for storing files
  • this server is normally accessed via nextcloud.metamakers.org
webproxy.pop2.metamakers.org ssh - 10.3.19.13
web server for reverse proxying
  • Uses Nginx for reverse proxying
office.pop2.metamakers.org ssh - 10.3.19.23
Collabora online server for Nextcloud
  • this server is normally accessed when you want to do online editing of a document from the nextcloud server
  • TODO: automate updating of the TLS certs via dehydrated and copying them to /etc/loolwsd (today the Let's Encrypt renewal on wiki.metamakers.org does not push new certs here)
rocketchat.pop2.metamakers.org ssh - 10.3.19.24
(soon to be) Rocketchat server


jenkins.pop2.metamakers.org ssh - <dhcp>
Jenkins server for building M2C website


frontaccounting.pop2.metamakers.org ssh - 10.3.19.22
test server for frontaccounting software
  • O/S is Ubuntu 18.04.2 64-bit
  • user/pass is admin/admin


2.3 POP3

vmhost1.pop3.metamakers.org ssh - 10.3.0.2, 10.3.0.3 (IPMI)
KVM server for M2C VMs
  • O/S is Proxmox v6.0.1
  • See link for username/password
  • server is a Dell PowerEdge T300 s/t: ?????


2.4 Cloud (static IP servers)

maker1.metamakers.org ssh - 198.46.182.27
KVM VPS for metamakers.org primary DNS and mail proxy server
maker2.metamakers.org ssh - 198.46.182.28
KVM VPS for metamakers.org secondary DNS


3 Storage Info

3.1 POP1

nas1.pop1.metamakers.org - 10.5.20.12
Netgear ReadyNAS Pro 2
  • NAS with 2x1TB drives in RAID-1 array


3.2 POP2

nas1.pop2.metamakers.org - 10.3.19.11, 10.5.7.11 (SAN)
Netgear ReadyNAS 1500


4 Network Info

4.1 POP1

firewall.pop1.metamakers.org - 10.5.20.1 (LAN), 10.4.28.51 (OpenVPN)
internet firewall


4.2 POP2

firewall.pop2.metamakers.org - <dynamic> (WAN), 10.3.19.1 (LAN), 10.4.28.50 (OpenVPN)
internet firewall
  • See link for username/password
  • server is a 1U Intel-branded server. Prod. code: SR1695WBAC, s/n: AZGA1230031
  • does not have out-of-band management capabilities
  • Server is missing 2 disk trays, replacements can be found here
  • RFC2136 dynamic updates are configured to push the WAN IP to maker1.metamakers.org
switch1.pop2.metamakers.org - 10.3.19.2
Cisco ESW-540-24 Gigabit Switch
  • See link for username/password
  • HUGE NOTE: by default this switch ONLY ALLOWS ONE MAC PER PORT!!! That breaks networking for VMs: every VM behind a hypervisor port shows up with its own MAC, only the first MAC the port learns is allowed, and traffic from the rest is dropped. To disable this, go to "security->traffic control->port security" in the web console, change the port to "limited dynamic lock" and set the allowed MAC count to more than 1 (at least the host plus the number of VMs you expect on that port).
ap1.pop2.metamakers.org - 10.3.19.3
TP-Link Archer C9 AC1900 wireless access point


5 SOFTWARE

Meta Makers has a github page here: https://github.com/MetaMakersCooperative


6 HOWTOs

6.1 How to renew Let's Encrypt certs

The Let's Encrypt certs are stored on wiki.metamakers.org and are obtained with the ACME dns-01 challenge; the challenge TXT records are published with nsupdate (RFC 2136 dynamic DNS updates). All the ACME protocol interactions are handled by a package of shell scripts called 'dehydrated'. All the names that dehydrated handles are listed in the /opt/dehydrated/domains.txt file.

Let's Encrypt certs are valid for 90 days. dehydrated -c only renews the certs that are inside the renewal window (RENEW_DAYS in its config, 30 days by default); the others are reported as still valid and left alone (add -x to force renewal regardless). To renew the certs that are due, do the following:

1.  ssh into wiki.metamakers.org using username/password
2.  run the following commands:
  cd /opt/dehydrated
  sudo ./dehydrated -c
3.  check the /opt/dehydrated/certs directory for any new certs/keys generated, and remember that services which keep their own copy of a cert (for example the Collabora server's /etc/loolwsd) need the new files copied over and the service reloaded.

6.2 How to generate and email an M2C cert

To generate a new member or VPN certificate, do the following:

1. ssh into wiki.metamakers.org using username/password

to generate a member certificate with no password for newusername@metamakers.org:

2a. sudo newmembercert.sh newusername "User Name"

OR to generate a vpn certificate

2b. sudo newvpncert.sh <CN_for_VPN_cert>

To email the cert and OpenVPN config file to their metamakers email address, run following command:

3a. sudo emailcerts.sh newusername

OR to email the user their new cert and OpenVPN config file to their personal email address, run:

3b. sudo emailcerts.sh newusername someperson@somewhere.com

You can list all the certs available by running

sudo emailcerts.sh -l

6.3 How to import a client cert into pfSense

Here are the steps:

  1. Create a client cert *WITHOUT* a password for the private key, via step 2b of the M2C cert HOWTO above. pfSense cannot import a passphrase-protected key, and once imported the key sits unencrypted in pfSense's config.xml, so treat config backups as secrets and delete the copy of the key on wiki.metamakers.org after the import.
  2. Import the M2C Root CA and intermediate CA into the CA tab under 'certificates'.
  3. Import the client cert *bundle* (one PEM file: the client cert first, then the intermediate cert) along with the private key. pfSense rejects the import if the intermediate cert is not included with the client cert itself.
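The checks behind steps 1 and 3, plus the expiry test dehydrated applies in the Let's Encrypt HOWTO, as an added example. This is not one of the wiki's own scripts (newvpncert.sh, emailcerts.sh, dehydrated are not used here); it assumes only the openssl CLI, and it builds a throw-away root -> intermediate -> client hierarchy ("Toy Root CA", "Toy Sub CA", "vpn-client") as a stand-in for the M2C Root CA and M2CSubCA so that it runs offline. The function names (make_bundle, key_is_unencrypted, verify_bundle, cert_ok_for_days, pfsense_preflight) are this example's own.

```shell
#!/bin/sh
# Added example for this page; NOT one of the wiki's own scripts. Preflights a client cert
# for the pfSense import (section 6.3) and checks expiry the way dehydrated decides what to
# renew (section 6.1). Assumes only the openssl CLI; the toy PKI built here stands in for
# the M2C Root CA / M2CSubCA so everything runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # where the constructed test PKI and the bundle are written

# Build the toy PKI. Keys are written without a passphrase (-nodes): for the client key that
# is exactly what the pfSense import needs; for the CA keys it is acceptable only because
# these are test fixtures, never for the real root.
make_toy_pki() (
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
    # Root CA: CSR self-signed with the CA extensions above.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Root CA" -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt 2>/dev/null
    # Intermediate CA signed by the root (stand-in for M2CSubCA).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Sub CA" -keyout sub.key -out sub.csr 2>/dev/null
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1825 \
        -extfile ca.ext -out sub.crt 2>/dev/null
    # Client cert signed by the intermediate (what step 2b hands you).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn-client" -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA sub.crt -CAkey sub.key -CAcreateserial -days 365 \
        -extfile client.ext -out client.crt 2>/dev/null
)

# pfSense wants the intermediate included with the client cert: one PEM file, leaf first.
make_bundle() { cat "$1" "$2" > "$3"; }

# 0 if the key is unencrypted. An encrypted key is either PKCS#8 "ENCRYPTED PRIVATE KEY"
# or a legacy PEM block carrying a "Proc-Type: 4,ENCRYPTED" header.
key_is_unencrypted() { ! grep -Eq 'ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"; }

# 0 if the private key ($1) belongs to the first certificate in $2 (same public key).
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$2")" = "$(openssl pkey -pubout -in "$1")" ]
}

# 0 if the first cert in the bundle ($1) chains to the root ($2), using the other certs in
# the bundle as untrusted intermediates. A bundle without the intermediate fails here, the
# same failure pfSense reports when the intermediate is left out.
verify_bundle() { openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1; }

# 0 if the first cert in $1 is still valid for more than $2 days. dehydrated -c renews when
# fewer than RENEW_DAYS (default 30) remain, so "cert_ok_for_days cert.pem 30" returning 1
# means the next dehydrated run will renew that cert.
cert_ok_for_days() { openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null; }

# Everything the pfSense import needs, in one call; returns 0 when the bundle is importable.
pfsense_preflight() {
    bundle=$1; key=$2; root=$3
    key_is_unencrypted "$key"         || { echo "key is passphrase-protected; regenerate it without one"; return 1; }
    key_matches_cert "$key" "$bundle" || { echo "private key does not match the first cert in the bundle"; return 1; }
    verify_bundle "$bundle" "$root"   || { echo "chain does not verify; is the intermediate in the bundle?"; return 1; }
    cert_ok_for_days "$bundle" 30     || { echo "cert expires within 30 days; issue a fresh one first"; return 1; }
    echo "bundle OK for pfSense import"
}

# Demo run: build the fixtures, assemble the bundle and preflight it.
make_toy_pki
make_bundle "$WORK/client.crt" "$WORK/sub.crt" "$WORK/bundle.pem"
pfsense_preflight "$WORK/bundle.pem" "$WORK/client.key" "$WORK/root.crt"
```

Against the real PKI, run pfsense_preflight with the cert bundle and key produced by step 2b and the M2C Root CA file; a failure in verify_bundle almost always means the M2CSubCA cert was not concatenated after the client cert.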