2021-10-03 13:32:31 +02:00
|
|
|
|
# Serveur physique `mother` : serveur-mère de l'infrastructure de Libre en Communs
|
2021-10-03 13:25:51 +02:00
|
|
|
|
|
2021-11-16 18:29:47 +01:00
|
|
|
|
`mother` est un serveur physique hébergé au local de l'association.
|
|
|
|
|
|
|
|
|
|
Avec `aunt` elles forment le centre névralgique de l'infrastructure de l'association.
|
2021-10-03 13:25:51 +02:00
|
|
|
|
|
2021-11-16 18:47:20 +01:00
|
|
|
|
### Matériel
|
2021-10-03 13:25:51 +02:00
|
|
|
|
|
|
|
|
|
Carte mère : 1 × Asus KGPN-D16 Rev 1.03G
|
|
|
|
|
CPU : 2 × AMD Opteron 6282SE
|
|
|
|
|
RAM : 4 × Crucial RDIMM 16Go CT2K16G3ERSLD4160B
|
2021-10-12 14:51:25 +02:00
|
|
|
|
Alimentation : 1 × FSP Twins PRO 500W (500W ATX12V / EPS12V 80PLUS Gold)
|
2021-10-03 13:25:51 +02:00
|
|
|
|
Onduleur : 1 × EATON Ellipse PRO 1600 VA
|
|
|
|
|
Casier : 1 × Inter-Tech IPC 4U-4129-N SSI-EEB (Rack)
|
2021-11-16 18:29:47 +01:00
|
|
|
|
Stockage de masse : 2 × Samsung SSD 870 QVO 2To
|
2021-10-03 13:25:51 +02:00
|
|
|
|
|
2021-11-16 18:47:20 +01:00
|
|
|
|
### Logiciel
|
2021-10-03 13:25:51 +02:00
|
|
|
|
|
2021-11-16 18:29:47 +01:00
|
|
|
|
Micro-programme : Coreboot 4.6 + SeaBIOS, sans blob privateur
|
2021-10-03 13:25:51 +02:00
|
|
|
|
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
|
|
|
|
|
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
|
2021-11-16 18:29:47 +01:00
|
|
|
|
Virtualisation : QEMU/KVM (`libvirt`)
|
2021-10-03 13:25:51 +02:00
|
|
|
|
Gestion du onduleur : NUT/UPS
|
2021-10-04 22:33:15 +02:00
|
|
|
|
Audit des paquets mensuel : `vrms`
|
2021-10-03 13:25:51 +02:00
|
|
|
|
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `tig`, `lm-sensors`, `fancontrol`, `screen`
|
|
|
|
|
Mail Transfer Agent : `postfix`
|
2021-11-16 18:47:20 +01:00
|
|
|
|
Réplication de stockage (vm) : `drbd`, `ocfs2`
|
2021-10-03 13:25:51 +02:00
|
|
|
|
|
2021-11-16 18:47:20 +01:00
|
|
|
|
### Caractéristiques notables
|
2021-10-03 13:25:51 +02:00
|
|
|
|
|
|
|
|
|
Domaine : mother.libre-en-communs.org
|
|
|
|
|
Adresse ipv4 publique : 80.67.179.96
|
2021-11-16 18:29:47 +01:00
|
|
|
|
Adresse ipv4 locale : 192.169.1.108
|
|
|
|
|
Adresse ipv6 publique : 2001:910:1360::2
|
2021-11-16 18:47:20 +01:00
|
|
|
|
|
|
|
|
|
#### Configuration réseau
|
|
|
|
|
|
2021-11-16 19:02:04 +01:00
|
|
|
|
##### /etc/network/interfaces
|
2021-11-16 23:39:54 +01:00
|
|
|
|
<details>
|
2021-11-16 18:47:20 +01:00
|
|
|
|
|
|
|
|
|
# Connexion avec la machine aunt
|
|
|
|
|
allow-hotplug ens9
|
|
|
|
|
iface ens9 inet static
|
|
|
|
|
address 192.169.254.2
|
|
|
|
|
|
|
|
|
|
post-up /usr/bin/ip link set ens9 mtu 9000
|
|
|
|
|
|
|
|
|
|
# Connexion avec le routeur (bridge sur ens10 avec les VM présentes)
|
|
|
|
|
allow-hotplug ens10
|
|
|
|
|
auto br0
|
|
|
|
|
iface br0 inet static
|
|
|
|
|
bridge_ports ens10
|
|
|
|
|
address 192.169.1.108
|
|
|
|
|
gateway 192.169.1.1
|
|
|
|
|
bridge_stp off # désactivation du Spanning Tree Protocol
|
|
|
|
|
bridge_waitport 0 # suppression du délai avant que le port soit disponible pour le bridge
|
|
|
|
|
bridge_fd 0 # suppression de délai avant que le forwarding du bridge soit établi
|
|
|
|
|
|
|
|
|
|
iface br0 inet6 static
|
|
|
|
|
bridge_ports ens10
|
|
|
|
|
address 2001:910:1360:0::2/128
|
|
|
|
|
gateway 2001:910:1360::1
|
|
|
|
|
bridge_stp off # désactivation du Spanning Tree Protocol
|
|
|
|
|
bridge_waitport 0 # suppression du délai avant que le port soit disponible pour le bridge
|
|
|
|
|
bridge_fd 0 # suppression de délai avant que le forwarding du bridge soit établi
|
|
|
|
|
|
2021-11-16 23:39:54 +01:00
|
|
|
|
</details>
|
|
|
|
|
|
2021-11-17 14:20:54 +01:00
|
|
|
|
### Configuration SSH
|
|
|
|
|
|
|
|
|
|
#### /etc/ssh/sshd_config
|
|
|
|
|
<details>
|
|
|
|
|
|
|
|
|
|
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
|
|
|
|
|
|
|
|
|
|
# This is the sshd server system-wide configuration file. See
|
|
|
|
|
# sshd_config(5) for more information.
|
|
|
|
|
|
|
|
|
|
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
|
|
|
|
|
|
|
|
|
# The strategy used for options in the default sshd_config shipped with
|
|
|
|
|
# OpenSSH is to specify options with their default value where
|
|
|
|
|
# possible, but leave them commented. Uncommented options override the
|
|
|
|
|
# default value.
|
|
|
|
|
|
|
|
|
|
Port 222
|
|
|
|
|
AddressFamily any
|
|
|
|
|
ListenAddress 0.0.0.0
|
|
|
|
|
ListenAddress ::
|
|
|
|
|
|
|
|
|
|
PubkeyAuthentication no
|
|
|
|
|
|
|
|
|
|
PasswordAuthentication no
|
|
|
|
|
PermitEmptyPasswords no
|
|
|
|
|
|
|
|
|
|
ChallengeResponseAuthentication no
|
|
|
|
|
|
|
|
|
|
UsePAM yes
|
|
|
|
|
|
|
|
|
|
AllowAgentForwarding yes
|
|
|
|
|
AllowTcpForwarding yes
|
|
|
|
|
GatewayPorts yes
|
|
|
|
|
X11Forwarding no
|
|
|
|
|
PrintMotd no
|
|
|
|
|
TCPKeepAlive yes
|
|
|
|
|
PermitTunnel yes
|
|
|
|
|
|
|
|
|
|
AcceptEnv LANG LC_* GIT_*
|
|
|
|
|
|
|
|
|
|
Subsystem sftp /usr/lib/openssh/sftp-server
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Match Group ssh-pubkey
|
|
|
|
|
PubkeyAuthentication yes
|
|
|
|
|
|
|
|
|
|
Match Group ssh-login
|
|
|
|
|
PasswordAuthentication yes
|
|
|
|
|
PubkeyAuthentication yes
|
|
|
|
|
|
|
|
|
|
Match Address 127.0.0.*
|
|
|
|
|
PubkeyAuthentication yes
|
|
|
|
|
|
|
|
|
|
Match Address 192.169.254.3
|
|
|
|
|
PubkeyAuthentication yes
|
|
|
|
|
|
|
|
|
|
</details>
|
|
|
|
|
|
2021-11-16 20:02:05 +01:00
|
|
|
|
### Configuration DRBD
|
|
|
|
|
|
|
|
|
|
#### /etc/drbd.d/drbd1.res
|
2021-11-16 23:39:54 +01:00
|
|
|
|
<details>
|
2021-11-16 20:02:05 +01:00
|
|
|
|
|
|
|
|
|
resource drbd1 {
|
|
|
|
|
meta-disk internal;
|
|
|
|
|
device /dev/drbd1;
|
|
|
|
|
|
|
|
|
|
startup {
|
|
|
|
|
wfc-timeout 20;
|
|
|
|
|
become-primary-on both;
|
|
|
|
|
}
|
|
|
|
|
net {
|
|
|
|
|
verify-alg sha256;
|
|
|
|
|
allow-two-primaries yes;
|
|
|
|
|
max-buffers 10k;
|
|
|
|
|
max-epoch-size 10k;
|
|
|
|
|
unplug-watermark 32;
|
|
|
|
|
sndbuf-size 0;
|
|
|
|
|
rcvbuf-size 0;
|
|
|
|
|
}
|
|
|
|
|
disk {
|
|
|
|
|
on-io-error detach;
|
|
|
|
|
#no-disk-flushes;
|
|
|
|
|
#no-disk-barrier;
|
|
|
|
|
c-plan-ahead 10;
|
|
|
|
|
c-fill-target 150M;
|
|
|
|
|
c-min-rate 10k;
|
|
|
|
|
c-max-rate 500M;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
on mother { # hostname must match `uname -n` output
|
|
|
|
|
disk /dev/md1; # Logical Volume on the provided host
|
|
|
|
|
address 192.169.254.2:7789; # IP Address to be used to connect to the node with port
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
on aunt { # hostname must match `uname -n` output
|
|
|
|
|
disk /dev/md1; # Logical Volume on the provided host
|
|
|
|
|
address 192.169.254.3:7789; # IP Address to be used to connect to the node with port
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-16 23:39:54 +01:00
|
|
|
|
</details>
|
|
|
|
|
|
2021-11-16 20:02:05 +01:00
|
|
|
|
#### /etc/ocfs2/cluster.conf
|
2021-11-16 23:39:54 +01:00
|
|
|
|
<details>
|
2021-11-16 20:02:05 +01:00
|
|
|
|
|
|
|
|
|
cluster:
|
|
|
|
|
name = sharedfs
|
|
|
|
|
heartbeat_mode = local
|
|
|
|
|
node_count = 2
|
|
|
|
|
|
|
|
|
|
node:
|
|
|
|
|
cluster = sharedfs
|
|
|
|
|
number = 0
|
|
|
|
|
ip_port = 7777
|
|
|
|
|
ip_address = 192.169.254.3
|
|
|
|
|
name = aunt
|
|
|
|
|
|
|
|
|
|
node:
|
|
|
|
|
cluster = sharedfs
|
|
|
|
|
number = 1
|
|
|
|
|
ip_port = 7777
|
|
|
|
|
ip_address = 192.169.254.2
|
|
|
|
|
name = mother
|
|
|
|
|
|
2021-11-16 23:39:54 +01:00
|
|
|
|
</details>
|
|
|
|
|
|
2021-11-16 19:50:12 +01:00
|
|
|
|
### Configuration MTA
|
|
|
|
|
|
|
|
|
|
#### /etc/postfix/transport
|
|
|
|
|
|
|
|
|
|
a-lec.org :
|
|
|
|
|
* discard:
|
|
|
|
|
|
|
|
|
|
#### /etc/postfix/virtual
|
|
|
|
|
|
|
|
|
|
@localhost admin@a-lec.org
|
|
|
|
|
@mother.libre-en-communs.org admin@a-lec.org
|