krolik

This is going to be a higher-security network services host, mostly to host LDAP and maybe some associated services.

Maxtang MAX-N100 Mini PC (Intel N100, 4x E-cores, 16gb RAM)
AlmaLinux 9.5
LAN MACs
- enp1s0: e8:ff:1e:d5:60:7a
- enp2s0: e8:ff:1e:d5:60:79 (I've used this as the main NIC because it has the lower MAC, despite being the second NIC)
located at home

Contents

krolik
1. Build notes
2. FreeIPA

Build notes

Build a clean Alma9 system than add FreeIPA to it.

Prepare network

This will live in a new VLAN, with firewalling done on helian.

This is using a new subdomain because of FreeIPA. It's optional, but I want to try letting it manage its own DNS, which it could provide to all the clients.

int.thighhighs.top

Prepare helian:

Create it in bridge-VLANs
- ID 53
- tagged on liv2-SABRINA, bed3, and local
- comment "Secure infra services"

Create an interface-VLAN
- name SecureInfra53
- ID 53
- Interface: local

Add an IP address on the VLAN
- 192.168.53.1/24
- network 192.168.53.0
- on interface SecureInfra53

Update the Network on the DHCP Server for krolik and ksenia
- address 192.168.53.0/24
- gateway 192.168.53.1
- mask 24
- DNS server 192.168.1.26
- domain thighhighs.top
- next server 192.168.1.71
- boot file name grub/grubx64.efi

Create an IP pool for it
- name: vlan53
- addresses: 192.168.53.10-192.168.53.30
- next pool: none

Create a new DHCP Server for the segment
- name: secure infra
- interface: SecureInfra53
- address pool: vlan53

Update DHCP lease for krolik to give correct address
- address: 192.168.53.10
- server: secure infra

Boot it up and hope it works!

The VLAN is piped through to sabrina where we need to configure that too. This is simpler because sabrina has no presence on the VLAN, it's just VLAN-assigned ports:

Create it in bridge VLANs
- bridge: bridge
- VLAN IDs: 53
- tagged: ether16, sfp-sfpplus1
- untagged: ether13

Comment on the bridge-port: krolik

Configure the bridge-port
- PVID 53
- Admit only untagged

Do firewalling on helian:

We can't use in/out ports because it's part of the bridge, and we don't want to enable ip-firewalling on the bridge because it'll slow it down, so we'll just use src/dst IPs for now.
Google this error for details: "in-bridge-port matcher not possible when bridge use-ip-firewall is disabled"

OS imaging

Get the MAC address, put it into azusa, grab new Alma 9.5 PXE images and set them up.

It should now build fully automatically, after poking the configs a little.

What do we want to even install here anyway?

FreeIPA?
Mrepo? http://dag.wiee.rs/home-made/mrepo/
- https://github.com/dagwieers/mrepo

Add krolik to thighhighs DNS, in gandi and in pihole: krolik.int.thighhighs.top = 192.168.53.10

dnf install mtr traceroute

FreeIPA

Start on the QSG: https://www.freeipa.org/page/Quick_Start_Guide

TBC