= krolik =

This is going to be a higher-security network services host, mostly to host LDAP and maybe some associated services.

 * Maxtang MAX-N100 Mini PC (Intel N100, 4x E-cores, 16 GB RAM)
 * AlmaLinux 9.5
 * LAN MACs
   * `enp1s0: e8:ff:1e:d5:60:7a`
   * `enp2s0: e8:ff:1e:d5:60:79` (I've used this as the main NIC because it has the lower MAC, despite being the second NIC)
 * located at home

== Build notes ==

Build a clean Alma9 system, then add FreeIPA to it.

=== Prepare network ===

This will live in a new VLAN, with firewalling done on helian.

'''This is using a new subdomain because of FreeIPA. It's optional, but I want to try letting it manage its own DNS, which it could provide to all the clients.'''

`int.thighhighs.top`

Prepare helian:
{{{
Create it in bridge-VLANs
- ID 53
- tagged on liv2-SABRINA, bed3, and local
- comment "Secure infra services"

Create an interface-VLAN
- name SecureInfra53
- ID 53
- Interface: local

Add an IP address on the VLAN
- 192.168.53.1/24
- network 192.168.53.0
- on interface SecureInfra53

Update the Network on the DHCP Server for krolik and ksenia
- address 192.168.53.0/24
- gateway 192.168.53.1
- mask 24
- DNS server 192.168.1.26
- domain thighhighs.top
- next server 192.168.1.71
- boot file name grub/grubx64.efi

Create an IP pool for it
- name: vlan53
- addresses: 192.168.53.10-192.168.53.30
- next pool: none

Create a new DHCP Server for the segment
- name: secure infra
- interface: SecureInfra53
- address pool: vlan53

Update DHCP lease for krolik to give correct address
- address: 192.168.53.10
- server: secure infra

Boot it up and hope it works!
}}}

The VLAN is piped through to sabrina where we need to configure that too.
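The "Prepare helian" steps above are Winbox click-paths; for the record, here is the same configuration as a RouterOS CLI script. This is an added example, not something from the original notes. It assumes helian runs RouterOS 7 (the "use-ip-firewall" error quoted later on this page is RouterOS wording), that helian's bridge is named `local` (the page only says the VLAN interface sits on "local"), and that the bridge ports `liv2-SABRINA` and `bed3` already exist. The krolik lease is keyed on the MAC of `enp2s0`, the NIC the page says is used as the main link.

```routeros
# RouterOS CLI equivalent of the "Prepare helian" steps.
# Assumptions (not stated on the page): RouterOS 7, the bridge is called
# "local", and bridge ports liv2-SABRINA and bed3 already exist.

# 1. Bridge VLAN table: VLAN 53 tagged towards sabrina, bed3, and the bridge
#    itself (tagging the bridge is what lets the router own an IP on the VLAN).
/interface bridge vlan
add bridge=local vlan-ids=53 tagged=liv2-SABRINA,bed3,local \
    comment="Secure infra services"

# 2. Router-side VLAN interface on top of the bridge.
/interface vlan
add name=SecureInfra53 vlan-id=53 interface=local

# 3. Gateway address for the segment.
/ip address
add address=192.168.53.1/24 network=192.168.53.0 interface=SecureInfra53

# 4. DHCP network options, including the PXE next-server and boot file so the
#    imaging host can build krolik unattended.
/ip dhcp-server network
add address=192.168.53.0/24 gateway=192.168.53.1 netmask=24 \
    dns-server=192.168.1.26 domain=thighhighs.top \
    next-server=192.168.1.71 boot-file-name=grub/grubx64.efi

# 5. Address pool and the DHCP server instance bound to the VLAN interface.
/ip pool
add name=vlan53 ranges=192.168.53.10-192.168.53.30
/ip dhcp-server
add name="secure infra" interface=SecureInfra53 address-pool=vlan53

# 6. Static lease for krolik. The page updates an existing lease in the GUI;
#    adding it explicitly has the same effect (lease keyed on enp2s0's MAC).
/ip dhcp-server lease
add address=192.168.53.10 mac-address=E8:FF:1E:D5:60:79 \
    server="secure infra" comment=krolik

# 7. Checks worth running before booting krolik: confirm the VLAN is tagged
#    where expected and that only the intended lease is bound to this server.
/interface bridge vlan print where vlan-ids=53
/ip dhcp-server lease print where server="secure infra"
```

The `print` lines at the end are the part to keep handy: if the bridge VLAN row does not list `local` as tagged, the router will not see VLAN 53 traffic at all, and the DHCP server will never hand krolik its address.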
This is simpler because sabrina has no presence on the VLAN; it just has VLAN-assigned ports:
{{{
Create it in bridge VLANs
- bridge: bridge
- VLAN IDs: 53
- tagged: ether16, sfp-sfpplus1
- untagged: ether13

Comment on the bridge-port: krolik

Configure the bridge-port
- PVID 53
- Admit only untagged
}}}

Do firewalling on helian:
 * We can't use in/out ports because it's part of the bridge, and we don't want to enable ip-firewalling on the bridge because it'll slow it down, so we'll just use src/dst IPs for now.
 * Google this error for details: "in-bridge-port matcher not possible when bridge use-ip-firewall is disabled"

=== OS imaging ===

Get the MAC address, put it into azusa, grab the new Alma 9.5 PXE images and set them up. It should now build fully automatically, after poking the configs a little.

=== What do we want to even install here anyway? ===

 * FreeIPA?
 * Mrepo? http://dag.wiee.rs/home-made/mrepo/
   * https://github.com/dagwieers/mrepo

Add krolik to thighhighs DNS, in gandi and in pihole:

krolik.int.thighhighs.top = 192.168.53.10

{{{
dnf install mtr traceroute
}}}

== FreeIPA ==

Start on the QSG: https://www.freeipa.org/page/Quick_Start_Guide

TBC