From 7455d6f2a21a88db14797ca76f195c673b4b9d3d Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Wed, 18 Dec 2024 10:37:16 +0100 Subject: [PATCH] document new repo nodes --- docs/index.md | 2 ++ docs/repo-deb.md | 72 ++++++++++++++++++++++++++++++++++++++++++++++++ docs/repo-rpm.md | 70 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 144 insertions(+) create mode 100644 docs/repo-deb.md create mode 100644 docs/repo-rpm.md diff --git a/docs/index.md b/docs/index.md index 93d769420..81ca0707a 100644 --- a/docs/index.md +++ b/docs/index.md @@ -25,6 +25,8 @@ Fork https://github.com/theforeman/foreman-infra and add your key into the [file | [Redmine](redmine.md) | Conova | | [Virt](virt.md) | Conova | | [Webserver](webserver.md) | OSUOSL | +| [DEB repository](repo-deb.md) | OSUOSL | +| [RPM repository](repo-rpm.md) | OSUOSL | ## Infrastructure providers diff --git a/docs/repo-deb.md b/docs/repo-deb.md new file mode 100644 index 000000000..6414745de --- /dev/null +++ b/docs/repo-deb.md 
@@ -0,0 +1,72 @@ +# DEB repository server + +| | repo-deb01.osuosl.theforeman.org | +| - | - | +| type | OpenStack VM | +| OS | CentOS Stream 9 | +| CPUs | 2 | +| RAM | 4GB | +| Storage | /dev/sda (30GB): root, /dev/sdb (150GB): data (LVM) | +| Managed by | [deb.pp](https://github.com/theforeman/foreman-infra/blob/master/puppet/modules/profiles/manifests/repo/deb.pp) | + +## Domains + +These domains are all hosted on the server. + +* deb.theforeman.org +* stagingdeb.theforeman.org +* archivedeb.theforeman.org + +### Backends + +This server does not host the domains directly, but has the following backend vhosts configured: + +* deb-backend.repo-deb01.osuosl.theforeman.org +* stagingdeb-backend.repo-deb01.osuosl.theforeman.org +* archivedeb-backend.repo-deb01.osuosl.theforeman.org + +#### TLS + +The backends have TLS certificates from Let's Encrypt, using the HTTP challenge. + +This allows the frontend to talk securely to the backends. + +### Fastly CDN + +The frontend is served by the Fastly CDN. + +The configuration happens through the `ansible/fastly.yml` Ansible playbook in this repository. + +The major points of the configuration are: + +* Set the backend to `-backend.repo-deb01.osuosl.theforeman.org` +* Enable shielding: a central system fetches the assets and then distributes them across the CDN instead of each CDN node fetches them itself, this costs more CDN traffic, but is usually faster +* Configure a health-check and serve stale content when it fails + +#### TLS + +Fastly provides a shared certificate which has `theforeman.org` and `*.theforeman.org` as DNSAltName. + +This certificate is signed by GlobalSign and we have a `_globalsign-domain-verification` TXT record in the `theforeman.org` DNS zone for verification of ownership. + +#### DNS + +Each vhost has a CNAME pointing at `dualstack.p2.shared.global.fastly.net` which is the Fastly global, dualstack loadbalancer. + +Alternatively one can use `p2.shared.global.fastly.net` for an IPv4-only setup. 
+ +## Volumes + +`/var/www` is mounted on a separate block device. `/var/www/freight*` contains the staging areas for freight (deb), and `/var/www/vhosts` contains the web roots themselves. + +## Firewall + +There is no firewall on the machine itself. OpenStack has the following ports open: + +* 22/tcp (SSH) +* 80/tcp (HTTP) +* 443/tcp (HTTPS) + +## Other + +* freight and freightstage users have private auto-signing GPG key imported manually (non-puppetized) diff --git a/docs/repo-rpm.md b/docs/repo-rpm.md new file mode 100644 index 000000000..abdb856de --- /dev/null +++ b/docs/repo-rpm.md 
@@ -0,0 +1,70 @@ +# RPM repository server + +| | repo-rpm01.osuosl.theforeman.org | +| - | - | +| type | OpenStack VM | +| OS | CentOS Stream 9 | +| CPUs | 2 | +| RAM | 4GB | +| Storage | /dev/sda (30GB): root, /dev/sdb (100GB): data (LVM) | +| Managed by | [rpm.pp](https://github.com/theforeman/foreman-infra/blob/master/puppet/modules/profiles/manifests/repo/rpm.pp) | + +## Domains + +These domains are all hosted on the server. + +* rpm.theforeman.org +* stagingrpm.theforeman.org +* yum.theforeman.org +* stagingyum.theforeman.org + +### Backends + +This server does not host the domains directly, but has the following backend vhosts configured: + +* rpm-backend.repo-rpm01.osuosl.theforeman.org +* stagingrpm-backend.repo-rpm01.osuosl.theforeman.org +* yum-backend.repo-rpm01.osuosl.theforeman.org +* stagingyum-backend.repo-rpm01.osuosl.theforeman.org + +#### TLS + +The backends have TLS certificates from Let's Encrypt, using the HTTP challenge. + +This allows the frontend to talk securely to the backends. + +### Fastly CDN + +The frontend is served by the Fastly CDN. + +The configuration happens through the `ansible/fastly.yml` Ansible playbook in this repository. + +The major points of the configuration are: + +* Set the backend to `-backend.repo-rpm01.osuosl.theforeman.org` +* Enable shielding: a central system fetches the assets and then distributes them across the CDN instead of each CDN node fetches them itself, this costs more CDN traffic, but is usually faster +* Configure a health-check and serve stale content when it fails + +#### TLS + +Fastly provides a shared certificate which has `theforeman.org` and `*.theforeman.org` as DNSAltName. + +This certificate is signed by GlobalSign and we have a `_globalsign-domain-verification` TXT record in the `theforeman.org` DNS zone for verification of ownership. + +#### DNS + +Each vhost has a CNAME pointing at `dualstack.p2.shared.global.fastly.net` which is the Fastly global, dualstack loadbalancer. 
+ +Alternatively one can use `p2.shared.global.fastly.net` for an IPv4-only setup. + +## Volumes + +`/var/www` is mounted on a separate block device. `/var/www/vhosts` contains the web roots themselves. + +## Firewall + +There is no firewall on the machine itself. OpenStack has the following ports open: + +* 22/tcp (SSH) +* 80/tcp (HTTP) +* 443/tcp (HTTPS)
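Review bot: in the repo-deb.md hunk, the Fastly bullet `* Set the backend to `-backend.repo-deb01.osuosl.theforeman.org`` is missing its placeholder and reads as a literal hostname; write it as `<vhost>-backend.repo-deb01.osuosl.theforeman.org` or list the three names already given under Backends (`deb-backend...`, `stagingdeb-backend...`, `archivedeb-backend...`). Two things a reader of this page will look for and not find: the Firewall section opens 80/tcp and 443/tcp without saying whether the `*-backend` vhosts answer to anyone or only to Fastly (the Let's Encrypt HTTP challenge needs port 80 reachable from the internet, so if the backends are meant to be reached only through the CDN, state how that is enforced, for example by Fastly's published address ranges or a header checked in the vhost, or state explicitly that direct backend access is acceptable); and the `Other` bullet about the `freight` and `freightstage` auto-signing GPG keys being imported manually (non-puppetized) is the one step Puppet cannot reproduce, so it should record which key IDs are in use and where a rebuild would obtain them, since that key is the trust root for every apt client of deb.theforeman.org. Minor wording: in the shielding bullet `each CDN node fetches them itself` should read `each CDN node fetching them itself`, and `DNSAltName` is conventionally `subjectAltName` (SAN).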
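Review bot: the repo-rpm.md hunk has no counterpart to the DEB page's `Other` section, so it does not say whether the repositories under `/var/www/vhosts` are signed on this host and, if so, which user holds the signing key and how it was installed; since `rpm.pp` is named as the managing manifest, either note that the key is handled there or add the same manual-import note as on the DEB page. The same fixes as in repo-deb.md apply here: `-backend.repo-rpm01.osuosl.theforeman.org` is missing its `<vhost>` placeholder (the four backend names are listed under Backends), `each CDN node fetches them itself` should read `fetching`, and `DNSAltName` should be `subjectAltName`. The Volumes section here mentions only `/var/www/vhosts` while the DEB page also documents its `/var/www/freight*` staging areas; if there is an equivalent staging location for the rpm/yum vhosts, add it, otherwise a sentence saying that publishing writes straight into the web roots would close the gap.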