Network

From Makers Local 256
Jump to: navigation, search

Creator:
Brimstone
Status:
Almost Workable
Born On:
the dawn of time
Last Updated:
21:43, 15 December 2022 (CDT)

The Makers Local 256 network includes Internet gateway services, switching and routing infrastructure, virtual machine hosts, and servers (both virtual and physical). The servers provide both the internal and external-facing services that the shop provides to members and the general public.

Delegates and Contact Information

Here are our current administrators.

To contact the netadmins, email root@makerslocal.org. This is simply the same thing as addressing all of the netadmins individually. There are no publicly accessible archives.

Information

317 clicks.jpg

Services

Service Description
dev Server for software development use
Mailing Lists Email discussion lists, including the official means of communication between Makers
URL Shortener Provides short URLs to the pages on the wiki and the weblog
LAN Provides Internet and ML256 server access from within the shop
Maker Baker Allows Makers to manage their own accounts
VPN Permits access to shop resources from off-site
SpaceAPI Provides programmatic access to information about our physical space via JSON API
Big LED Sign Displays messages to people at the shop
Wham Provides audio routing control for the various speaker outputs and BlueTooth inputs

External Services (Facebook, Slack, etc)

Networks

Description VLAN ID IP Space
WAN 100 24.96.165.224/29
DMZ 200 10.56.0.0/24
Trusted LAN 300 10.56.1.0/24
Guest LAN 400 10.56.2.0/24
New VPN none; routed by newvpn 10.56.4.0/24
Server VPN none; routed by edgerouter 10.56.5.0/24
Point-to-point links none; used for router peering interfaces 10.56.6.0/24
DN42 500 172.20.164.65/27
IoT 700 10.56.7.0/24

Projects

Scripts that do things

Script that subscribes new members to mailing lists when they are added to the LDAP in creation.

  • VM: mail: /root/syncmakers2.sh
    • A cron job runs every hour (on the :30) minutes querying ldap
    • It is currently timing out because of problems with LDAP returning the query too slowly, and so it occasionally unlists all but two or three members. This breaks the mailing list and spams a few people with hundreds of emails.
      • Short-term fix (currently implemented): comment out the logic that removes members from the list. Leave the parts that add new members.
      • Long-term fix: update the script to check for a successful LDAP response status before making changes. Also consider moving zoneminder off the VM host that is running the LDAP VM, and increase the timeout of the LDAP query. This should make the VM peppier, and fix the timeout problem.


Script that checks mysql db donations table to see who has donated and emails reminders to those who haven't

  • VM: remote2: /var/www/256/donations/client.pl
    • Short-term fix (currently implemented): comment out the logic that emails all members
  • we need to overhaul how the donations table does registrations as well
    • what other tables are in the mysql db and what is using them? (probably the blog)
    • it would also be nice to have the donations table show a full year ahead
    • long term goal would be a script that parses gnucash, updates the donations table from it, and emails the treasurer the detected changes.
  • a problem with cake is that it updates the entire visible contents of the table whenever a single cell is changed. this makes cake slow to use.


Script that restarts zoneminder when it overloads.

  • it may be OBE by moving zoneminder to a dedicated standalone server.
  • This is part of the zoneminder.service file at /lib/systemd/system/zoneminder.service
    • The entry changed was "Restart=always" under [Service]

Procedures

Miscellaneous helpful commands

move the Web site to vps

Maintain a listserv that is usable and reliable on the modern Internet

Create, modify, or delete Makers' LDAP records

Create a Makers Local LDAP server

Create a new VM

Migrate a VM to a new VM Host

Grow a VM's disk

Convert a normal logical volume to a DRBD

Create a Makers Local VM host

Set up backups on a box via borg

Use the PDU to power stuff in the rack on and off remotely

Setting up a new Zoneminder machine at the shop

Setting up a new Redmine machine at the shop

Relevant documentation

Short video outlining my philosophy on being a Makers Local netadmin

SSL config generator

best practices for SSL CSR

Road Map

UPGRAYEDD.jpg
  • Fully retire VM2 and convert to a proxmoxbox
  • Find a way to incorporate the new door lock into makerbaker unlocking
  • Fix mailing list scripts
  • Make Friends at Makers?
  • Reduce traffic to root
  • Member management
    • App for easily joining and leaving mailing lists
    • Better directory page
    • remove extraneous ldap users. (ldapsearch -xH ldap://newldap -b ou=People,dc=makerslocal,dc=org '(!(objectClass=Maker))')
    • Make ldap script deprovision from donation system as well.
      • Currently a manual process of editing the DB. Jimshoe (talk)
      • May want to hold off on this as Tyler is considering writing a replacement that will not have a "Users" table. Hfuller (talk) 21:06, 2 May 2015 (CDT)
    • Allow admins to reset users' passwords in Maker Baker.
    • Allow any admin to provision or deprovision users.
    • Expand Maker Baker to replace the ldapadmin script for adding NFC and USB tags.
      • The basis is already started: [1]
    • Expand Maker Baker to replace the bash script for provisioning new Makers.
    • Fix minor LDAP potential security issue before we rely on attributes that the user can edit themselves.
  • Turn publicity alias into a list?
  • netconfig
  • http://arc-spec.org/
  • Create mailing list availability matrix and update auto-subscribe scripts.
  • Try borg for backups.
    • We can use this as a cheap destination.
  • Fix mailing list security.
  • Establish Zabbix (or Nagios?) at shop for monitoring.
  • Attempt warranty repair on HP switch
  • [2]
  • IPAM
    • [3] to build ISC configs.
  • config archiving
  • ntopng
  • Let Makers send mail as their @makerslocal.org addresses
  • Set up ldapscripts so that it's easy to add/remove users from ldap groups.
  • Verify backup solution.
  • Add monitoring solution
  • Make wireless use ldap for login (802.1x and RADIUS).
  • make dev and other VMs/boxes use LDAP login (PAM)
  • Create an easy to use Web interface for the URL shortener.
  • Establish general host management system
    • For VMs and physical boxes alike, but mostly the VMs; probably Ajenti if it's a good fit
  • IPv6.
  • apt cacher

News

Newest on top.

  • The remote web VM has been moved to a box hosted by Hunter and running ESXi underneath it
  • The site-to-site VPN has been migrated to tailscale attached to our Github organization
  • All active VMs have been migrated to proxmox 16:00 26 March 2022
  • A UPS has been rebuilt to take some of the load off of the existing rack UPS 21:00 24 March 2022
  • The front door controller has been replaced with a duplicate of the back door controller late 2021
  • Script installed on the VM hosts to make them automatically start any VMs that have died (due to a host reboot or whatever). hfuller (talk) 00:15, 15 March 2017 (CDT)
  • I was informed that it was impossible to upload photos larger than 2 MB to the weblog. Now the limit is 24 MB and they are automatically resized for our audience's viewing pleasure. hfuller (talk) 21:34, 25 January 2017 (CST)
  • I have (again) updated $wgLegalTitleChars in the wiki settings. It is now impossible to create a wiki page where the title contains a backslash. hfuller (talk) 20:26, 19 January 2017 (CST)
  • Completed further work on the ZoneMinder VM. Now storing over 10 days of recordings from six cameras. Need to enlarge the HDD to store more recordings. hfuller (talk) 19:03, 19 January 2017 (CST)
  • Removed dns hack for lists.makerslocal.org - that host will work over TLS as well, now, from inside the shop. hfuller (talk) 20:01, 3 January 2017 (CST)
  • Moved owncloud from https://256.makerslocal.org/owncloud/ to https://owncloud.makerslocal.org/ including regex redirect. hfuller (talk) 20:46, 6 December 2016 (CST)
  • Upgrade Grafana for latest version 4.0.1 also make ML256 Stats page the default for public user. Jimshoe (talk) 23:18, 5 December 2016 (CST)
  • Reverse Proxy box has ssl via letsencrypt. Jimshoe (talk) 11:00, 30 November 2016 (CST)
  • Reverse Proxy box setup and working. stats.makerslocal.org and lists.makerslocal.org go though that now Jimshoe (talk) 20:19, 2 November 2016 (CDT)
  • Wordpress and Owncloud Upgrayedd Jimshoe (talk) 20:19, 11 October 2016 (CDT)
  • Network/Mini Server Build complete. Will update build log soon. hfuller (talk) 14:53, 7 June 2016 (CDT)
  • Computer for big laser control donated by Travis. hfuller (talk) 14:53, 7 June 2016 (CDT)
  • ownCloud short URL plugin installed. Example URL: http://ml256.org/o?GpU6Tx - this works using mod_rewrite magic, just like blog and wiki short urls. Hfuller (talk) 23:09, 30 March 2016 (CDT)
  • ownCloud plugin installed that creates an "everyone" group for sharing. The attempted import of the makers LDAP group was then removed as this is taken care of within ownCloud by the plugin now. still need to fix "things" dir. Hfuller (talk) 02:07, 30 March 2016 (CDT)
  • The Makers Local site now requests that you only use TLS to access it for 6 months. (Strict-Transport-Security: max-age=15768000) Hfuller (talk) 00:34, 30 March 2016 (CDT)
  • we have eduroam! Hfuller (talk) 01:06, 19 March 2016 (CDT)
  • owncloud now doubles as a print server. Hfuller (talk) 14:55, 21 February 2016 (CST)
  • Called WideOpenWest and change the cable modem speed from 12Mbit/2Mbit to 60/5. Hfuller (talk) 14:55, 21 February 2016 (CST)
  • Upgraded VM hosts with new hardware (storage, mainboard, CPU). Hfuller (talk) 14:55, 21 February 2016 (CST)
  • Had to use this patch file to make owncloud 8.2.0 work. Jimshoe (talk) 20:38, 26 October 2015 (CDT)
  • Updated Owncloud to version 8.2.0 using new apt repo. Jimshoe (talk) 20:38, 26 October 2015 (CDT)
  • Replaced cable modem with SB6121 last Wednesday. Hfuller (talk) 23:05, 25 October 2015 (CDT)
  • Added nocache stuff for the calendar.ics file on makerslocal.org so that google might actually read it now. Jimshoe (talk)
  • Gave a talk about IT resources at the shop. Hfuller (talk) 19:04, 30 July 2015 (CDT)
  • Set up all boxes to email to netadmin when they have problems (forward root email). Hfuller (talk) 21:37, 30 June 2015 (CDT)
  • Decommissioned Zimbra. Hfuller (talk) 21:37, 30 June 2015 (CDT)
  • Set up LDAP groups for owncloud group sharing and admin groups and owncloud group sharing of "THINGS". Hfuller (talk) 21:37, 30 June 2015 (CDT)
  • Fixed the delinquent members email and payment reminder emails. Hfuller (talk) 21:37, 30 June 2015 (CDT)
  • Backup vm has been enlarged Hfuller (talk) 21:37, 30 June 2015 (CDT)
  • LDAP now has some groups, and you can share stuff with those groups using OwnCloud. Hfuller (talk) 13:41, 17 May 2015 (CDT)
  • plotter has a good black pen now. Yellow is pretty good, magenta is iffy, cyan no output. Hfuller (talk) 23:09, 9 May 2015 (CDT)
  • TIL if a server doesn't have enough entropy available then SSL connections will be delayed... Hfuller (talk) 22:21, 29 April 2015 (CDT)
  • Nathan and I moved the Web server for 256.makerslocal.org to the Simple Helix server!!! #yolo Hfuller (talk) 23:03, 28 April 2015 (CDT)
  • The crypto between the shop and the VPS has been fixed. Also, WideOpenWest reverse DNS update is done, we can log into our WOW account online, and they are ready to switch the modem over any time before 10p on a weeknight or so. Hfuller (talk) 16:21, 18 April 2015 (CDT)
  • User:JimShoe is working on the Simple Helix VM VPN reliability and on migrating the Web site on a trial basis. CasCA and the door have been migrated to new LDAP. Hfuller (talk) 20:37, 5 April 2015 (CDT)
  • provisioning is now independent of zimbra, and we have migrate from Zimbra's integrated LDAP to openldap. Hfuller (talk) 23:54, 29 March 2015 (CDT)
  • OwnCloud is now a thing thanks to User:JimShoe. Hfuller (talk) 23:54, 29 March 2015 (CDT)
  • The VPN linking the VPS and the shop is up, but not all that reliable. Need to pursue. Hfuller (talk) 23:47, 29 March 2015 (CDT)
  • The hub near the sign locked up, causing the alert light and temperature sensor not to function. Replugging it solved the issue. Hfuller (talk) 14:56, 27 March 2015 (CDT)
  • I set up QoS at the shop to mitigate link congestion when uploads are running. It's only applied in the upload direction (i.e., to egress traffic on the physical WAN interface on the router). I may apply more later if we have more saturation. Hfuller (talk) 19:18, 3 March 2015 (CST)
  • We have a VPS. WOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO. (remote.makerslocal.org) Hfuller (talk) 16:02, 28 February 2015 (CST)
  • TIL do not turn on "Auto IP Aliasing" in your UBNT access points' settings if you want your wireless clients to be able to talk to each other!!! Hfuller (talk) 00:09, 8 February 2015 (CST)
  • DNS changes for User:ctag's project - added cerealbox.256.* Hfuller (talk) 21:48, 21 January 2015 (CST)
  • We had a disk pre-failure warning on vm3 so its data was migrated to a new host, vm4, and then I swapped vm3 for vm4. The VMs are split half and half right now and we are running quite well. I forgot to install more RAM in vm4 so it only has 2GB right now. The lighter VMs can run there until I install more RAM. Hfuller (talk) 21:02, 21 January 2015 (CST)
  • I think that everyone's NFC tags are reregistered that need to be. User:Omegix has the door working so I guess we can close that particular case. Hfuller (talk) 20:21, 21 January 2015 (CST)
  • ocserv (OpenConnect/AnyConnect) VPN added. It does not use LDAP yet. This will happen after zimbra decommissioning. Hfuller (talk) 00:45, 14 October 2014 (CDT)
  • Phones installed various places in the shop. Thanks User:Opticron. Hfuller (talk) 00:45, 14 October 2014 (CDT)
  • UPS batteries. actually happened like last week. Hfuller (talk) 18:09, 19 September 2014 (CDT)
  • Web - Stopped /root/gnucash/check.sh from running because it was pegging cpu. Jimshoe (talk) 21:41, 4 September 2014 (CDT)
  • Web - Added $wgJobRunRate = 0.1 to wiki's LocalSettings.php Jimshoe (talk) 21:41, 4 September 2014 (CDT)
  • I set up projects.makerslocal.org for Ludum Dare. It's currently screwed up though. Hfuller (talk) 00:41, 28 August 2014 (CDT)
  • The door now agrees with CasCADE about what an NFC tag should look like. We will need to re-register any NFC tags that were registered before, but only worked on the door. Hfuller (talk) 00:41, 28 August 2014 (CDT)
  • vm2 (on old kratos hardware) crashed one time about a week ago. I'm getting really nervous about the mainboard, CPU, or PSU in that machine. The PSU is pretty new, so I'm guessing mainboard or CPU... either way, I bought some DDR2 and will add it to vm3 soon, bringing it to a similar spec of vm2, and then we don't have to worry about reliability as much. Which is good, because atm, I am unsure if I can call kratos' old hardware reliable. Hfuller (talk) 21:50, 2 August 2014 (CDT)
  • Migrated one VM host (vm2?) to be running on top of old kratos hardware. So, we have vm3 (Switchvox hardware) and vm2 (old kratos hardware). Hfuller (talk) 21:56, 29 July 2014 (CDT)
  • Fixed DNS FQDN wonkiness. So now, stuff like tainslaptop.256.makerslocal.org will work. I know I said this before, but now it really works, for real. Hfuller (talk) 19:48, 29 July 2014 (CDT)
  • Lots of stuff going on! Two new VM hosts vm2 and vm3 are set up on the exact same platform, same xen and drbd and debian versions, etc... VM migration is working well between these. Some VMs (backup) run on vm3, the rest currently run on vm2. We need to get a machine beefy enough to run all VMs again - old kratos can do this, and I THINK the hardware on that is in a usable state (all failed parts replaced) now. So that's on the top of the to-do list now. (I may move it down, depending on what I feel like doing - there's high demand for VPN for sure.) So anyway, we can cross these off the list: Hfuller (talk) 16:45, 27 July 2014 (CDT)
    • Enable live migration of all VMs between 2-3 VM hosts.
    • Set up netadmin list and send welcome messages, etc.
    • Replace disk in kratos with 300GB VelociRaptor.
  • Holy hell, disk failures left and right. Tl;dr: kratos is now a switchvox box, it's got another failing disk in it, vm2 is hosting everything, none of the boxes are really workable (kratos has failing disk again and vm2 has no RAM). Good news is we have a new box thanks to User:Compuhacker that has a lot of RAM and is generally good. So we can use that, at least for a while, and vm2 seems to be supporting the essentials in the meantime.
  • router reconfigured to support adding dhcp clients' host names to its /etc/hosts, and it is therefore now responding to NS requests for these names. the fqdn is something like hfuller-pc.256.makerslocal.org. I also made one minor change to allow the switch and router to detect each other over cdp. Hfuller (talk) 01:36, 14 May 2014 (CDT)
    • hfuller@router# compare
    • [edit service dhcp-server]
    • >hostfile-update enable
    • [edit service]
    • +lldp {
    • + legacy-protocols {
    • + cdp
    • + }
    • + management-address 10.56.1.1
    • +}
  • router (UBNT EdgeRouter Lite) updated to UBNT software version 1.4.1 to hopefully fix our dhcp issues. There are some cool new features, too. Hfuller (talk) 01:36, 14 May 2014 (CDT)