infra

Differences

infra [2025/01/09 23:13] 6b86b273-ff34-fce1-9d6b-804eff5a3f57infra [2025/03/07 22:37] (current) ef2d127d-e37b-942b-aad0-6145e54b0c61
Line 1: Line 1:
 # IT Infrastructure # IT Infrastructure
- 
-The acting CTO is responsible for maintaining TheLab's network/server infrastructure. 
  
 ---- ----
  
-**Please don't tinker with the IT infrastructure the daily operations of the space depend on it! If you want to change something, ask someone who's been around for a while first.**+**Please don't tinker with the infra - daily operations of the space depend on it! If you want to change something, ask someone who's been around for a while first.**
  
 ---- ----
  
-## Network+## Servers
  
-TheLab has a MikroTik router with a handful of APs, and a Cisco switch for PoE and extra ports.+<nspages :servers -customTitle="{title}" -textPages="" -tree>
  
-The network is divided up into a few subnets, each on their own vlan. +## Cloudflare
- +
-- Members: 10.200.1.0/24 +
-- Members Static IPs: 10.200.0.0/24 +
-- Infrastructure: 10.200.10.0/24 +
-- Cameras: 10.200.20.0/24 +
-- Access Control: 10.220.4.0/24 +
- +
-Management points: +
- +
-- 10.200.10.1: Mikrotik router web interface +
-- 10.200.10.2: Cisco network switch +
- +
-### Switch Ports +
- +
-The switch has 4 obvious bays of ports, each assigned to a VLAN like: +
- +
-- Cameras +
-- Members +
-- Infrastructure +
-- Access Control +
- +
-## CDN (Cloudflare)+
  
 We use Cloudflare for various things including (most importantly) DNS. The account is associated with [email protected], so new CTOs should go reset the password to get access. Things don't change often in this account but it's worth knowing that it exists. We use Cloudflare for various things including (most importantly) DNS. The account is associated with [email protected], so new CTOs should go reset the password to get access. Things don't change often in this account but it's worth knowing that it exists.
  
-## Servers+Cloudflare tunnels are used for all ingress to our servers - no need to worry about rotating TLS certs, free DDoS protection, etc.
  
-### foobar.thelab.ms 
  
-Foobar is the main internet-facing server running [Conway](https://github.com/TheLab-ms/conway) and [Dokuwiki](https://docs.thelab.ms).+## Github
  
-#### Provisioning Process+Any active members working on code-related projects can be added as a member of TheLab's Github org: https://github.com/TheLab-ms.
  
-- Azure Standard_B1s running Ubuntu 24.04 in southcentralus. 
-- Enable daily Azure backups during provisioning. 
-- Manually populate IP in Cloudflare dns record (foobar.thelab.ms) 
-- The cto user should trust the current acting CTO's ssh pubkey. It can always be updated through the Azure portal. 
-- Manually install cloudflared for tunneling. It would be hard to automate, very easy to do by hand. 
-  - Make sure to run as a service i.e. `cloudflared service install` 
-- Run `make ansible`! 
  
-Here's the cloudflared config at the time of provisioning:+## Monitoring
  
-```yaml +We have a shared [cronitor](https://cronitor.io) account used for uptime checks. Failing checks are posted to #it and visible publicly at https://status.thelab.ms
-tunnel: <redacted> +
-credentials-file: /root/.cloudflared/<redacted>.json+
  
-originRequest: +## Network
-  connectTimeout: 10s+
  
-ingress: +TheLab has a MikroTik router with a handful of APs, and a Cisco switch for PoE and extra ports.
-  - hostname: members.thelab.ms +
-    service: http://localhost:8080+
  
-  - hostname: docs.thelab.ms +The network is divided up into a few subnets, each on their own vlan.
-    service: http://localhost:8081+
  
-  servicehttp_status:404 +Members**10.200.1.0/24** 
-```+- Members Static IPs**10.200.0.0/24** 
 +- Infrastructure: **10.200.10.0/24** 
 +- Cameras: **10.200.20.0/24** 
 +- Access Control: **10.220.4.0/24**
  
-### baz.thelab.ms+Management points:
  
-Baz is the main on-prem server at TheLab.+**10.200.10.1**: Mikrotik router web interface (get creds from acting CTO) 
 +- **10.200.10.2**: Cisco network switch 
 +  - `ssh [email protected] -c aes256-cbc -o KexAlgorithms=diffie-hellman-group-exchange-sha1 -o PubkeyAcceptedAlgorithms=+ssh-rsa -o HostKeyAlgorithms=+ssh-rsa`
  
-#### Provisioning Process+### Switch Ports
  
-- Dell 16 core by 96gb r710 with a bunch of SSDs +The switch has 4 obvious bays of ports, each assigned to a VLAN like:
-- Manually configure the RAID controller with a keyboard/monitor +
-  - One RAID 1 group for the first two disks (boot/os drive) +
-  - One RAID 0 group for the rest +
-- Make sure the system option is set to turn on when power is lost +
-- Install Ubuntu 24 from flash drive +
-  - Create a LACP bond for NICs 1 and 2 with the IP10.200.10.234 +
-  - Mount the data drive to /mnt/data +
-- Make the default username "cto" with a reasonable password +
-- Run `make ansible`!+
  
-Here's the cloudflared config at the time of provisioning: +- Cameras 
- +Members 
-```yaml +Infrastructure 
-tunnel: <redacted> +Access Control
-credentials-file: /root/.cloudflared/<redacted>.json +
- +
-originRequest: +
-  connectTimeout: 10s +
- +
-ingress: +
-  hostname: frigate.thelab.ms +
-    service: http://127.0.0.1:8971 +
- +
-  service: http_status:404 +
-```+
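Review bot: the switch SSH command added under Network pins the client to deprecated algorithms (`-c aes256-cbc`, `-o KexAlgorithms=diffie-hellman-group-exchange-sha1`, and `+ssh-rsa` for both `PubkeyAcceptedAlgorithms` and `HostKeyAlgorithms`), which forces a CBC cipher and SHA-1 key exchange that current OpenSSH disables by default; state on the page that this is a workaround for old switch firmware, record the switch's host-key fingerprint so the first connection can be verified, and put the options in `~/.ssh/config` under `Host 10.200.10.2` so they apply only to that device instead of being copy-pasted into other sessions. Two documentation gaps in the same revision: the Cloudflare section now says tunnels handle all ingress, but the `cloudflared service install` step, the per-host ingress config (`members.thelab.ms`, `docs.thelab.ms`, `frigate.thelab.ms`) and the rule that the `cto` user trusts the acting CTO's ssh pubkey are deleted together with the foobar/baz provisioning notes, so they should reappear under the `servers:` namespace that the new `nspages` block lists; and "new CTOs should go reset the password" as the only access path to the Cloudflare account makes the handoff depend on whoever controls the mailbox behind that address, so the account's 2FA method and recovery codes should be documented alongside it.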
  
infra.1736464416.txt.gz · Last modified: 2025/01/09 23:13 by 6b86b273-ff34-fce1-9d6b-804eff5a3f57
