From c26c93af8fe33282874eb9186d08120ca10b23db Mon Sep 17 00:00:00 2001
From: Nicolas Castejon <castejon.nicolas@gmail.com>
Date: Fri, 3 May 2019 14:22:11 +0200
Subject: [PATCH] Add new file

---
 beta-deployment | 216 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 216 insertions(+)
 create mode 100644 beta-deployment

diff --git a/beta-deployment b/beta-deployment
new file mode 100644
index 0000000..5fdda27
--- /dev/null
+++ b/beta-deployment
@@ -0,0 +1,216 @@
+# Software
+
+`$ apt install dnsutils`, which provides dig
+
+resolvconf
+
+
+# Firewall
+
+## front-web
+
+`/etc/iptables/rules.v4`
+
+```
+*filter
+:INPUT DROP [0:0]
+-A INPUT -s 192.168.0.0/24 -j ACCEPT -m comment --comment "FULL ACCESS LAN"
+-A INPUT -i lo -j ACCEPT -m comment --comment "FULL ACCESS LOOPBACK"
+
+-A INPUT -s 217.182.252.78/32 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH neogeo-ansible"
+-A INPUT -s 80.12.88.99/32 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH neogeo-bureau"
+-A INPUT -s 213.245.116.190/32 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH erasmes"
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "in order to receive responses to outgoing requests"
+-A INPUT -i ens3 -p tcp -m tcp --dport 443 -d 51.83.13.51 -j ACCEPT
+-A INPUT -i ens3 -p tcp -m tcp --dport 80  -d 51.83.13.51 -j ACCEPT
+:FORWARD ACCEPT [0:0]
+
+```
+
+
+# Domain Name Resolution
+
+## `/etc/hosts`
+
+By default, the /etc/hosts file is managed by the system. Hence, user modifications as deleted at each reboot. In order to prevent that from happening, a line has to be modified in the `/etc/cloud/cloud.cfg` file:
+
+`manage_etc_hosts: false`
+
+## `dnsmasq`
+
+Installed in the front-web machine, with the following configuration (`/etc/dnsmasq.conf`): 
+
+```
+domain-needed
+bogus-priv
+server=213.186.33.99
+listen-address=192.168.0.59
+no-dhcp-interface=ens4
+bind-interfaces
+```
+
+The following lines are appended to the `/etc/hosts` file in the front-web machine:
+
+```
+51.83.13.51     front-web.wan
+192.168.0.59    front-web.lan
+
+51.83.15.2      back-office.wan 
+192.168.0.146   back-office.lan
+
+51.68.115.202   es-1.wan
+192.168.0.74    es-1.lan
+
+51.77.229.85    es-2.wan
+192.168.0.65    es-2.lan
+
+51.83.13.94     es-3.wan
+192.168.0.236   es-3.lan
+
+```
+
+The other machines will use front-web as DNS.
+
+
+# Routing
+
+In order for the front-web machine to be usable as a router, we need to apply the following modifications within **front-web**:
+
+1. In `/etc/sysctl.conf` -> `net.ipv4.ip_forward=1`.
+
+2. In `/etc/iptables/rules.v4`,
+`
+*nat
+-I POSTROUTING -s 192.168.0.0/24 -o ens3 -j MASQUERADE
+`
+
+Once that it is done, the other machines can be setup as follows:
+
+`/etc/network/interfaces`
+
+```
+[...]
+iface ens4 inet static
+	address 192.168.0.XXX
+	netmask 255.255.255.0
+	gateway 192.168.0.59
+        dns-nameservers 192.168.0.59
+[...]
+```
+
+In case the default gateway is not taken into account, the following command has to be issued:
+
+`
+$ route add default gw 192.168.0.59 ens4
+`
+
+The line `auto ens3` can be commented out in the file `/etc/network/interfaces.d/50-cloud-init.cfg`, in order to prevent the ens3 from being "upped" at reboot.
+
+In order for the modification to be persisten, we need to disable cloud-init's network configuration capabilities, by editing the file /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following content:
+
+```
+network: {config: disabled}
+```
+
+
+
+# Postfix, OpenDKIM
+
+cf. [https://wiki.debian.org/opendkim](https://wiki.debian.org/opendkim)
+
+```
+$ sudp mkdir /etc/postfix/dkim/ 
+$ sudo opendkim-genkey -D /etc/postfix/dkim/ -d data.beta.grandlyon.com -s mail
+```
+
+## `/etc/opendkim.conf`
+
+* the line "Mode sv" is uncommented (why?)
+* the following lines are appended
+
+```
+# Specify the list of keys
+KeyTable file:/etc/postfix/dkim/keytable
+
+# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
+SigningTable refile:/etc/postfix/dkim/signingtable
+
+# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
+InternalHosts refile:/etc/postfix/dkim/trustedhosts
+```
+
+The 'Socket' line is setup as follows:
+
+```
+Socket                  inet:8892@localhost
+```
+
+## `/etc/postfix/dkim/keytable`
+
+```mail._domainkey.data.beta.grandlyon.com data.beta.grandlyon.com:mail:/etc/postfix/dkim/mail.private```
+
+## `/etc/postfix/dkim/signingtable`
+
+```
+# Domain data.beta.grandlyon.com
+*@data.beta.grandlyon.com mail._domainkey.data.beta.grandlyon.com
+```
+
+## `/etc/postfix/dkim/trustedhosts`
+
+```
+127.0.0.1
+192.168.0.0/24
+```
+
+### Note
+
+```
+$ sudo chgrp opendkim /etc/postfix/dkim/*
+$ sudo chmod o= /etc/postfix/dkim/*
+```
+
+## `/etc/postfix/main.cf`
+
+```
+[...]
+myhostname = data.beta.grandlyon.com
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = $myhostname, data.beta.grandlyon.com, front-web.localdomain, localhost.localdomain, localhost
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = ipv4
+[...]
+```
+
+The following lines are appended:
+
+```
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters = inet:127.0.0.1:8892
+non_smtpd_milters = $smtpd_milters
+```
+
+## DNS
+
+The DNS records needs to be updated as follows:
+
+```
+data.beta.grandlyon.com. 86400	IN	TXT	"v=spf1 +ip4:51.83.13.51 ~all"
+```
+
+```
+mail._domainkey.data.beta.grandlyon.com. 86400 IN TXT "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzzoL8dvkfhm3xCpGxW8COUIgmw4r0PV/5GSUekCA8sLGPiqNh8//Jj4tFpLK6eUMacKYPbL4goUdRyTF5gqh/MdEWwafodZczELETRcp3a7mGdmM2nDhD6lk2Xtdf+nS+HWobYN18a3abNFchcF62LJWGTd4fwKV8gOIIuvTiakVxFuC7eIBUO+7m0JU0EnnivLUabphFSL3yV" "hEdpCD3csRGedSnG6+ocpZw25ll8/5f6WZnobU2d5KKqk7MVgOFXfuJMhdjmd6UvSGPaxR+/E+PsxQCU0f9vLG4R8fLPLh0ngNGGiyNYGHB5Sn8VxIrxqpH2pQKaJsfHLK/IgRJwIDAQAB"
+
+```
+
+# Remote API for Dockerd (-> Portainer) 
+
+cf. https://success.docker.com/article/how-do-i-enable-the-remote-api-for-dockerd
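Review bot: The rule `-A INPUT -s 192.168.0.0/24 -j ACCEPT` in the front-web `rules.v4` block is not bound to an interface, so a packet arriving on the public interface ens3 (the interface the port 80/443 rules use) with a forged 192.168.0.x source address matches it before the DROP policy applies. Since the LAN side is ens4 per the `/etc/network/interfaces` and dnsmasq sections, the rule should be `-A INPUT -i ens4 -s 192.168.0.0/24 -j ACCEPT -m comment --comment "FULL ACCESS LAN"`. The same block sets policies for INPUT and FORWARD but none for OUTPUT, so iptables-restore keeps whatever OUTPUT policy the chain already has; adding an explicit `:OUTPUT ACCEPT [0:0]` line would make the file self-describing. The Routing section later enables `ip_forward` and MASQUERADE while `:FORWARD ACCEPT` is unrestricted; it is probably worth limiting FORWARD to `-i ens4 -o ens3` plus RELATED,ESTABLISHED return traffic, though whether the hoster can route to the 192.168.0.0/24 side is not visible here.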
-- 
GitLab