---
title: "Internal Services"
geekdocDescription: "Documentation for Non-public applications"
weight: 30
---

This page provides some documentation on other services used within burble.dn42
that are not directly available for public use.

## rproxy.burble.dn42

Core nodes run an [nginx](https://nginx.com) container that acts as a reverse proxy
for services hosted in tier2.

The reverse proxy is distributed to improve local response times and is
anycast as rproxy.burble.dn42. Most web services provided by burble.dn42 are
simply CNAMEs to the reverse proxy, which then balances and forwards the
request to the actual service.

As well as a reverse proxy, nginx also provides:

- TLS termination
- A local page cache to act as a poor man's CDN
- Static content server

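The shape of one such edge node's configuration, as an added example and not the project's actual rproxy configuration: the `explorer.burble.dn42` vhost, the two tier2 backend addresses, the certificate paths and the cache directory are all assumptions made for the illustration.

```nginx
# Added example, not burble.dn42's real rproxy.conf. Addresses and paths are assumed.

# Page cache shared by all vhosts on this node ("poor man's CDN")
proxy_cache_path /var/cache/nginx/rproxy levels=1:2 keys_zone=rproxy:10m
                 max_size=1g inactive=1h use_temp_path=off;

# Assumed tier2 backends for one service; nginx round-robins and skips failed ones
upstream explorer_backend {
    zone explorer 64k;
    server 172.20.0.10:8080 max_fails=3 fail_timeout=30s;
    server 172.20.0.11:8080 max_fails=3 fail_timeout=30s;
    keepalive 16;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name explorer.burble.dn42;   # a CNAME to rproxy.burble.dn42

    # TLS termination at the edge; the files are replaced by the CA renewal job
    ssl_certificate     /etc/nginx/certs/explorer.burble.dn42.pem;
    ssl_certificate_key /etc/nginx/certs/explorer.burble.dn42.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Static content served straight from the edge node
    location /static/ {
        root /srv/www;
        expires 1d;
        add_header Strict-Transport-Security "max-age=63072000" always;
    }

    location / {
        proxy_pass http://explorer_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Cache successful responses briefly and serve stale copies if the backend is down
        proxy_cache rproxy;
        proxy_cache_valid 200 301 302 10m;
        proxy_cache_use_stale error timeout updating http_502 http_503 http_504;
        proxy_cache_lock on;
        # Never cache or serve cached pages for authenticated requests: a shared cache
        # that ignores Authorization or session cookies leaks one user's page to the next
        proxy_cache_bypass $http_authorization $cookie_session;
        proxy_no_cache     $http_authorization $cookie_session;

        # add_header is not inherited once a location sets its own, so HSTS is repeated here
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header X-Cache-Status $upstream_cache_status;
    }
}
```

Two points worth checking on any deployment like this: the `proxy_no_cache`/`proxy_cache_bypass` pair is what keeps per-user responses out of the shared cache, and the backend should only trust `X-Forwarded-For` when the connection really comes from the proxy, since anything reaching tier2 directly can set that header itself.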
## n8n.burble.dn42

[n8n](https://n8n.io) is used to provide an automation and workflow service.

As an example, n8n is used to update [dn42regsrv](https://explorer.burble.com)
and the [ROA tables](/services/public#roa-tables) when the
[registry](https://git.dn42.dev) changes.

## vault.burble.dn42

[Hashicorp Vault](https://www.vaultproject.io/) is used to handle secrets
across the burble.dn42 network.

Vault is deployed as a three-node cluster across the European core nodes
and uses [Consul](https://www.consul.io) as the cluster back end.

### TLS Certificate Authority

Vault acts as the main [certificate authority](/services/ca/) for the burble.dn42
PKI; there is also an intermediate ACME server based on
[smallstep CA](https://smallstep.com/docs/step-ca).

Vault allows for regular, automated renewal of certificates on short timeframes
(typically a rolling weekly or monthly basis). Short lifetimes limit how long a
leaked key stays useful, but they also turn a missed renewal into an outage, so
the renewal jobs themselves need monitoring.

### SSH Certificate Authority

Vault also acts as an SSH certificate authority, issuing the certificates that
identify both users and servers within the network.

Server (host) certificates are generated during deployment, whilst user (or role)
certificates are short lived and generated on demand.

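What an sshd actually checks in such a certificate, as an added example that is not part of the original page or of Vault: the parser below decodes the OpenSSH ed25519 certificate format with only the standard library, and `check_cert` applies the type, validity-window and principal checks, plus an assumed cap of eight hours on user-certificate lifetime. The certificate it decodes is constructed inline and unsigned; signature verification is left to sshd and the CA, as noted in the code.

```python
import base64
import struct
import time

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT, HOST_CERT = 1, 2
MAX_USER_LIFETIME = 8 * 3600  # assumed policy: user certs are hours, not days


def _put_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _take_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _split_strings(blob: bytes):
    """Decode a blob holding a sequence of 'string' values (principals, extensions)."""
    out, off = [], 0
    while off < len(blob):
        s, off = _take_string(blob, off)
        out.append(s.decode())
    return out


def make_cert(cert_type, key_id, principals, valid_after, valid_before, serial=1):
    """Constructed, UNSIGNED certificate in the ed25519 cert layout, so the parser has
    input to run on offline. A real one comes from the CA (e.g. Vault's ssh secrets
    engine) and carries a genuine signature over everything that precedes it."""
    body = b"".join([
        _put_string(CERT_TYPE.encode()),
        _put_string(b"\x00" * 32),                       # nonce
        _put_string(b"\x11" * 32),                       # subject public key (dummy)
        struct.pack(">QI", serial, cert_type),
        _put_string(key_id.encode()),
        _put_string(b"".join(_put_string(p.encode()) for p in principals)),
        struct.pack(">QQ", valid_after, valid_before),
        _put_string(b""),                                # critical options
        _put_string(_put_string(b"permit-pty") + _put_string(b"")),  # extensions
        _put_string(b""),                                # reserved
        _put_string(_put_string(b"ssh-ed25519") + _put_string(b"\x22" * 32)),  # CA key
        _put_string(b"\x00" * 64),                       # signature (dummy)
    ])
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} {key_id}"


def parse_cert(line: str) -> dict:
    """Decode one line of an id_ed25519-cert.pub or ssh_host_ed25519_key-cert.pub file."""
    keytype, b64 = line.split()[:2]
    if keytype != CERT_TYPE:
        raise ValueError(f"unsupported type {keytype} (RSA/ECDSA certs encode the key differently)")
    buf = base64.b64decode(b64)
    inner, off = _take_string(buf, 0)
    if inner.decode() != keytype:
        raise ValueError("type inside blob does not match the line prefix")
    _nonce, off = _take_string(buf, off)
    pubkey, off = _take_string(buf, off)
    serial, ctype = struct.unpack_from(">QI", buf, off)
    off += 12
    key_id, off = _take_string(buf, off)
    principals, off = _take_string(buf, off)
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    off += 16
    critical, off = _take_string(buf, off)
    extensions, off = _take_string(buf, off)
    _reserved, off = _take_string(buf, off)
    ca_key, off = _take_string(buf, off)
    _sig, off = _take_string(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after certificate")
    return {
        "serial": serial, "type": ctype, "key_id": key_id.decode(),
        "principals": _split_strings(principals),
        "valid_after": valid_after, "valid_before": valid_before,
        "critical_options": _split_strings(critical)[0::2],
        "extensions": _split_strings(extensions)[0::2],
        "public_key": pubkey, "ca_key": ca_key,
    }


def check_cert(cert, expected_type, principal, now=None, trusted_ca_keys=()):
    """The policy checks an sshd makes (TrustedUserCAKeys for users, @cert-authority
    known_hosts entries for hosts) plus a lifetime cap for user certs. Signature
    verification is deliberately not done here: it needs an Ed25519 implementation
    and the CA public key, which sshd and Vault handle."""
    now = int(time.time()) if now is None else now
    if trusted_ca_keys and cert["ca_key"] not in trusted_ca_keys:
        return False, "signed by an untrusted CA key"
    if cert["type"] != expected_type:
        return False, "wrong certificate type (host cert offered as user cert or vice versa)"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False, "outside validity window"
    if principal not in cert["principals"]:
        return False, f"principal {principal!r} not in {cert['principals']}"
    if expected_type == USER_CERT and cert["valid_before"] - cert["valid_after"] > MAX_USER_LIFETIME:
        return False, "user certificate lifetime exceeds policy"
    return True, "ok"
```

`parse_cert` works unchanged on a real `*-cert.pub` line produced by `ssh-keygen -s` or Vault's `ssh/sign/<role>` endpoint, and the lifetime check is the kind of audit worth running over issued certificates: a "short-lived" user certificate is only short-lived if the role's TTL actually says so.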
### Deployment Secrets

Vault holds secrets used during node and service deployments.

Most burble.dn42 services are built as stateless container images and secrets are
pushed from Vault into the live containers at runtime. This ensures the
container images do not contain secrets and that secrets can be applied per
instance even when using a common image.

Vault also manages database credentials (using the MySQL/MariaDB plugin of the
database secrets engine), and these are also automatically generated and pushed
into container instances on deployment.

The authority to access deployment secrets is inherited, on demand, from the
user token during the deployment process. This ensures that even if access was
gained to the deployment server, secrets could still not be accessed without
also having access to a live user token.

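One way to build that "inherited on demand" property on the Vault token API, as an added example that is not burble.dn42's deployment tooling: the operator's token mints a child token (`auth/token/create`) restricted to one policy, a few uses and a hard `explicit_max_ttl`; the container pulls its KV v2 secret with that child and revokes it. The `deploy` mount, the `deploy-<service>` policy names and the Vault address are assumptions. `FakeVault` is a constructed stand-in for the server so the flow runs offline; it enforces the same three rules the real one does.

```python
import json
import urllib.request


def http_transport(method, url, headers, body):
    """Default transport: a real call to the Vault HTTP API."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class VaultClient:
    def __init__(self, addr, token, transport=http_transport):
        self.addr, self.token, self.transport = addr.rstrip("/"), token, transport

    def _call(self, method, path, payload=None):
        headers = {"X-Vault-Token": self.token, "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        return self.transport(method, f"{self.addr}/v1/{path}", headers, body)

    def child_token(self, policies, ttl="15m", num_uses=4):
        """Mint a token whose authority derives from self.token: it is a child (revoked
        with its parent), capped by explicit_max_ttl so it cannot be renewed past the
        deployment window, and usable for only num_uses requests."""
        resp = self._call("POST", "auth/token/create", {
            "policies": policies, "ttl": ttl, "explicit_max_ttl": ttl,
            "num_uses": num_uses, "renewable": False, "display_name": "deploy",
        })
        return VaultClient(self.addr, resp["auth"]["client_token"], self.transport)

    def read_kv2(self, mount, path):
        """Read the current version of a KV v2 secret."""
        return self._call("GET", f"{mount}/data/{path}")["data"]["data"]

    def revoke_self(self):
        self._call("POST", "auth/token/revoke-self")


def fetch_deploy_secrets(user_token, service, addr="https://vault.burble.dn42:8200",
                         transport=http_transport):
    """Deploy-time flow: the operator's token mints a narrowly scoped child token, the
    child reads only that service's secrets, then destroys itself. The 'deploy' mount
    and 'deploy-<service>' policy names are assumptions for this example."""
    user = VaultClient(addr, user_token, transport)
    child = user.child_token(policies=[f"deploy-{service}"], num_uses=2)
    try:
        return child.read_kv2("deploy", service)
    finally:
        child.revoke_self()


class FakeVault:
    """Constructed stand-in for the API so the flow runs offline. It enforces what the
    real server would: unknown tokens get 403, a token dies after num_uses requests,
    and revoking a parent revokes its children."""

    def __init__(self, user_token="s.user", secrets=None):
        self.tokens = {user_token: {"uses": None, "parent": None, "policies": ["admin"]}}
        self.secrets, self.log, self.minted = secrets or {}, [], 0

    def _revoke(self, token):
        self.tokens.pop(token, None)
        for child, meta in list(self.tokens.items()):
            if meta["parent"] == token:
                self._revoke(child)

    def __call__(self, method, url, headers, body):
        path, token = url.split("/v1/", 1)[1], headers.get("X-Vault-Token")
        self.log.append((method, path, token))
        meta = self.tokens.get(token)
        if meta is None:
            raise PermissionError(f"403 permission denied: {method} {path}")
        if meta["uses"] is not None:            # the last permitted use still succeeds
            meta["uses"] -= 1
            if meta["uses"] == 0:
                self._revoke(token)
        payload = json.loads(body) if body else {}
        if path == "auth/token/create":
            self.minted += 1
            new = f"s.child{self.minted}"
            self.tokens[new] = {"uses": payload["num_uses"], "parent": token,
                                "policies": payload["policies"]}
            return {"auth": {"client_token": new}}
        if path == "auth/token/revoke-self":
            self._revoke(token)
            return {}
        if path.startswith("deploy/data/"):
            svc = path[len("deploy/data/"):]
            if f"deploy-{svc}" not in meta["policies"] and "admin" not in meta["policies"]:
                raise PermissionError(f"403 policy denies {path}")
            return {"data": {"data": self.secrets[svc]}}
        raise KeyError(path)
```

The property the page describes falls out of the token hierarchy: nothing on the deployment server holds a long-lived credential, the child token is useless once its two requests or fifteen minutes are spent, and revoking the operator's token (on leaving, or on suspicion of compromise) takes every child with it.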
## ci.burble.dn42

The burble.dn42 [git](/services/public#git) service has an associated CI/CD service
based on [drone](https://www.drone.io/).

The CI/CD service is used to manage DNS, build and publish applications and
the burble.dn42 website.

## minio.burble.dn42

[min.io](https://min.io) is used as an S3-compatible object storage service.
For example, min.io is used for storing build artifacts from CI pipelines.

As well as a central storage server, min.io is deployed in 'gateway' mode
to provide local, regional caches for the object storage. Note that MinIO has
since deprecated and removed gateway mode, so newer releases cannot be deployed
this way.

The min.io service uses a global [etcd](https://etcd.io) cluster for credential
management.

## lounge.burble.dn42

For lurking on [#dn42](https://wiki.dn42.us/services/IRC) I use
[thelounge](https://thelounge.chat/), a web-based IRC client.