diff --git a/content/network/IPAM.md b/content/network/IPAM.md index 2f3a086..42cba47 100644 --- a/content/network/IPAM.md +++ b/content/network/IPAM.md @@ -37,12 +37,13 @@ IP address tables |wiki.burble.dn42|172.20.129.6|fd42:4242:2601:ac81::1|DN42 Wiki Mirror| |rproxy.burble.dn42|172.20.129.7|fd42:4242:2601:acf0::1|Distributed NGINX Reverse Proxy| |whois.burble.dn42|172.20.129.8|fd42:4242:2601:ac43::1|Whois service| -| |_172.20.129.10-19_| |_Unallocated_| +|voip.burble.dn42|172.20.129.9|fd42:4242:2601:37:216:3eff:fe8f:6211|Asterisk VOIP Service| +|shell.burble.dn42|172.20.129.10|fd42:4242:2601:ac22::1|Shell service| +| |_172.20.129.11-19_| |_Unallocated_| ||172.20.129.20/30|_n/a_|[Dialup Service](/retro/modem/) endpoints| | |_172.20.129.24-26_| |_Unallocated_| |shell.us-lax1.burble.dn42|172.20.129.27|fd42:4242:2601:100a:216:3eff:fe5c:30b2|us-lax1 shell service| |shell.fr-par1.burble.dn42|172.20.129.28|fd42:4242:2601:1017:216:3eff:fe01:2f1f|fr-par1 shell service| -|shell.fr-nte2.burble.dn42|172.20.129.29|fd42:4242:2601:1004:fc13:b592:53b0:8ff4|fr-nte2 shell service| |shell.ca-bhs2.burble.dn42|172.20.129.30|fd42:4242:2601:100d:216:3eff:fed7:2ceb|ca-bhs2 shell service| ||172.20.129.31||*unassigned*| diff --git a/content/services/dns.md b/content/services/dns.md index 90da838..18b6147 100644 --- a/content/services/dns.md +++ b/content/services/dns.md @@ -79,7 +79,7 @@ Forwarding is provided by the recursive service, dns.burble.dn42.* | dns.burble.dn42
b.recursive-servers.dn42| 172.20.129.2
fd42:4242:2601:ac53::53 | dns.burble.dn42 is a caching, recursive DNS service that returns results for both DN42 -and clearnet domains. The service issues parallel queries from five regional masters, the +and clearnet domains. The service issues parallel queries from regional masters, the recursive service takes advantage of the burble.dn42 global scale to reduce latency and avoid local connectivity problems. @@ -171,7 +171,7 @@ Clearnet queries are forwarded on the edge nodes to a combination of Google and Cloudflare services. The edge services are monitored and anycast routes automatically injected (or -removed) using [GoBGP](https://github.com/osrg/gobgp) and a health checking script. +removed) with a health checking script. ### dns-slave @@ -179,6 +179,7 @@ removed) using [GoBGP](https://github.com/osrg/gobgp) and a health checking scri |:--|:--|:--| | Europe | dns-slave.de-fra1.burble.dn42 | PHP Friends, Frankfurt, Germany | | Americas (East) | dns-slave.ca-bhs2.burble.dn42 | OVH, Beauharnois, Canada | +| Americas (West) | dns-slave.us-lax1.burble.dn42 | Alvin Servers, Los Angeles, USA | The slave nodes are implemented using [PowerDNS](https://www.powerdns.com/). diff --git a/content/services/internal.md b/content/services/internal.md index 63959fa..05cbd9a 100644 --- a/content/services/internal.md +++ b/content/services/internal.md @@ -22,16 +22,6 @@ As well as a reverse proxy, nginx also provides: - A local page cache to act as a poor man's CDN - Static content server -## n8n.burble.dn42 - -[n8n](https://n8n.io) is used to provide an automation and workflow service. - -As an example, n8n is used to update [dn42regsrv](https://explorer.burble.com) -and [ROA tables](/services/public#ROA Tables) when the -[registry](https://git.dn42.dev) changes. - -![n8n-workflow](/n8n-workflow.png) - ## vault.burble.dn42 [Hashicorp Vault](https://www.vaultproject.io/) is used to handle secrets 
diff --git a/content/services/shell.md b/content/services/shell.md index dec9eb5..ba3da21 100644 --- a/content/services/shell.md +++ b/content/services/shell.md @@ -6,10 +6,12 @@ weight: 60 burble.dn42 provides shell accounts on the following servers: - shell.fr-par1.burble.dn42 -- shell.fr-nte2.burble.dn42 (hosted at [IXP frnte](https://dn42.dev/services/IXP-frnte)) - shell.ca-bhs2.burble.dn42 - shell.us-lax1.burble.dn42 +There is also an anycast address [shell.burble.dn42](https://shell.burble.dn42) +that will route to the closest server. + ## Accessing the Service The shell service imports user information from the dn42 registry allowing @@ -27,26 +29,24 @@ shell server. MNTNERs without an SSH key must first use the [burble.dn42 service portal](https://svc.burble.dn42) to set an account password. -{{}} -**FOO-MNT** -``` -mntner: FOO-MNT -auth: ssh-ed25519 xxxxxxxxx +### Connection Example + +For mntner *FOO-MNT* + +Log in to the closest server using your ssh key or burble.dn42 password: + +```shell +ssh foo@shell.burble.dn42 ``` -Log in using your ssh key or burble.dn42 password: - +or log in to a specific server: ```shell ssh foo@shell.fr-par1.burble.dn42 ``` -{{}} Your home directory is created automatically on first access and will then -persist across logins. - -*Note that individual ~/.ssh/authorized_keys are disabled and will -not work, you will only be able to log in using an SSH key from the registry -or using a burble.dn42 password* +persist across logins. +Home directories are *not* replicated across servers. ## Key Services 
@@ -67,13 +67,12 @@ Requests for additional packages are welcome, please raise these as The shell servers include a webserver with user directories (`~/public_html/`) and CGI (`~/public_html/cgi-bin/`) enabled. The webserver is accessed over https -and has a dn42 certificate auto-renewed from the -[ACME service](https://acme.dn42/about.html). +and has a dn42 certificate. - `https://shell.fr-par1.burble.dn42/~/` -- `https://shell.fr-nte2.burble.dn42/~/` - `https://shell.ca-bhs2.burble.dn42/~/` - `https://shell.us-lax1.burble.dn42/~/` +- `https://shell.burble.dn42/~/` {{}} Remember that any files need to be accessible by the webserver @@ -99,6 +98,13 @@ setfacl -Rdm "u:www-data:rx" ~/public_html/cgi-bin ``` {{}} +{{}} +Note also that home directories are not replicated across each shell server. + +If you want to provide services using the anycast address you must copy your code +between servers yourself. +{{}} + ### Login Shell You can change your login shell using the @@ -141,6 +147,23 @@ Clearnet access is provided. Rate limiting allows for a small amount of burst traffic, but then bandwidth is quickly limited to 10mbit/sec. In general, you should be better off using your own clearnet access for large downloads. +### Connection Forwarding + +SSH forwarding is enabled on the servers. + +For example, this means you are able to use the shell servers as a +resilient, anycast jump host: + +```sh +ssh -J shell.burble.dn42 my.other.host.dn42 +``` + +There are also a small number of X11 apps installed on the servers: + +```sh +ssh -X shell.burble.dn42 -f 'xterm & xeyes' +``` + ### Performance Monitoring The shell servers are monitored using netdata and prometheus, with performance 
@@ -149,7 +172,6 @@ graphs available in [grafana](https://grafana.burble.dn42). The netdata dashboard is also directly accessible: - [http://shell.fr-par1.burble.dn42:19999](http://shell.fr-par1.burble.dn42:19999) -- [http://shell.fr-nte2.burble.dn42:19999](http://shell.fr-nte2.burble.dn42:19999) - [http://shell.ca-bhs2.burble.dn42:19999](http://shell.ca-bhs2.burble.dn42:19999) - [http://shell.us-lax1.burble.dn42:19999](http://shell.us-lax1.burble.dn42:19999)
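Review bot: In content/network/IPAM.md, removing the shell.fr-nte2.burble.dn42 row leaves 172.20.129.29 with no entry at all, while the other free ranges in this table (172.20.129.11-19 and 172.20.129.24-26) each keep an explicit _Unallocated_ row. Add `| |_172.20.129.29_| |_Unallocated_|` between the .28 and .30 rows so the table still accounts for every address in the range.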
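Review bot: In content/services/dns.md (hunk at line 171), the edge-node paragraph now says anycast routes are injected or removed "with a health checking script" but no longer names what announces them. With the GoBGP link dropped, the reader cannot tell which component speaks BGP. Name the replacement, or reword to "by a health checking script" if the script now does the announcing itself.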
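Review bot: In content/services/internal.md, the n8n section is removed but the image it embedded, `/n8n-workflow.png`, is not deleted anywhere in the patch as shown; drop the asset in the same change if nothing else references it. The removed text was also the only description of how dn42regsrv and the ROA tables are updated when the registry changes, so if that job now runs somewhere else, say where.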
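Review bot: In content/services/shell.md, the new anycast paragraph in the first hunk (and the `ssh foo@shell.burble.dn42` example that follows it) does not say which SSH host key a client will see. The anycast name can land on fr-par1, ca-bhs2 or us-lax1, so unless the servers present a common host key for that name, users will get host-key-changed warnings whenever routing shifts and will be tempted to switch off host key checking. State whether the key is shared across servers, and ideally list the fingerprint.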
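Review bot: In content/services/shell.md under Accessing the Service, the note that individual `~/.ssh/authorized_keys` files are disabled is deleted with no replacement. If the servers still accept only registry SSH keys or a burble.dn42 password, keep that sentence, because users will otherwise add keys locally and not understand why they fail; if the restriction was lifted, say so explicitly, since it changes where account access is controlled. The removed `auth: ssh-ed25519` mntner snippet was also the only place showing where the login key comes from, so the new Connection Example should still point at the registry `auth:` attribute.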
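Review bot: In the webserver section of content/services/shell.md (hunk at line 67), "has a dn42 certificate" no longer says who issues it, and `https://shell.burble.dn42/~/` is added beside the per-server URLs. Note whether each server's certificate also covers the shell.burble.dn42 name, and keep a pointer to the issuing CA so users know which root they need to trust.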
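Review bot: In the new Connection Forwarding section of content/services/shell.md, both examples omit the username (`ssh -J shell.burble.dn42 ...` and `ssh -X shell.burble.dn42 ...`), whereas the login examples earlier in the file use `foo@`. The client will fall back to the local username, which will rarely match the registry-derived account, so write `ssh -J foo@shell.burble.dn42 my.other.host.dn42`. "SSH forwarding is enabled" should also say which kinds are allowed (TCP/jump, agent, X11), since these are shared multi-user hosts and users need to know what they expose when they pass `-X` or forward an agent.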