From 3b483e7cd32e9354703aceb679bda6f001de8a8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Kone=C4=8Dn=C3=BD?= Date: Tue, 7 Sep 2021 15:31:45 +0200 Subject: [PATCH] Review openvpn SOP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michal Konečný --- modules/sysadmin_guide/nav.adoc | 2 +- modules/sysadmin_guide/pages/openvpn.adoc | 28 ++++++++++++----------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/modules/sysadmin_guide/nav.adoc b/modules/sysadmin_guide/nav.adoc index 8d48a63..c719cf7 100644 --- a/modules/sysadmin_guide/nav.adoc +++ b/modules/sysadmin_guide/nav.adoc @@ -82,7 +82,7 @@ ** xref:odcs.adoc[On Demand Compose Service - SOP] ** xref:openqa.adoc[OpenQA Infrastructure - SOP] ** xref:openshift.adoc[OpenShift - SOP] -** xref:openvpn.adoc[openvpn - SOP in review ] +** xref:openvpn.adoc[OpenVPN - SOP] ** xref:outage.adoc[outage - SOP in review ] ** xref:packagedatabase.adoc[packagedatabase - SOP in review ] ** xref:packagereview.adoc[packagereview - SOP in review ] diff --git a/modules/sysadmin_guide/pages/openvpn.adoc b/modules/sysadmin_guide/pages/openvpn.adoc index 793765e..8be4f55 100644 --- a/modules/sysadmin_guide/pages/openvpn.adoc +++ b/modules/sysadmin_guide/pages/openvpn.adoc @@ -2,7 +2,7 @@ OpenVPN is our server->server VPN solution. It is deployed in a routeless manner and uses ansible managed keys for authentication. All -hosts should be given static IP's and a hostname.vpn.fedoraproject.org +hosts should be given static IP's and a _hostname.vpn.fedoraproject.org_ DNS address. == Contact Information @@ -11,8 +11,6 @@ Owner:: Fedora Infrastructure Team Contact:: #fedora-admin, sysadmin-main -Location:: - Phoenix Servers:: bastion (vpn.fedoraproject.org) Purpose:: 
@@ -34,7 +32,7 @@ cd ansible-private/vpn/openvpn .... Next prepare your environment and run the build-key script. This example -is for host "proxy4.fedora.phx.redhat.com": +is for host "proxy4.fedora.iad2.redhat.com": .... . ./vars @@ -102,7 +100,7 @@ sudo -i ansible ns\* -a "/usr/local/bin/update-dns" === Update resolv.conf on the client To make sure traffic actually goes over the VPN, make sure the search -line in /etc/resolv.conf looks like: +line in `/etc/resolv.conf` looks like: .... search vpn.fedoraproject.org fedoraproject.org @@ -111,20 +109,24 @@ search vpn.fedoraproject.org fedoraproject.org for external hosts and: .... -search phx2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org +search iad2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org .... -for PHX2 hosts. +for IAD2 hosts. == Remove a host -:::: - # This is to ensure that the clone is not world-readable at any point. - RESTORE_UMASK=$(umask -p) umask 0077 git clone - /srv/git/ansible-private $RESTORE_UMASK cd private/vpn/openvpn +.... +# This is to ensure that the clone is not world-readable at any point. +RESTORE_UMASK=$(umask -p) +umask 0077 +git clone /srv/git/ansible-private +$RESTORE_UMASK +cd ansible-private/vpn/openvpn +.... Next prepare your environment and run the build-key script. This example -is for host "proxy4.fedora.phx.redhat.com": +is for host "proxy4.fedora.iad2.redhat.com": .... . ./vars @@ -136,6 +138,6 @@ git push == TODO -Deploy an additional VPN server outside of PHX. OpenVPN does support +Deploy an additional VPN server outside of IAD2. OpenVPN does support failover automatically so if configured properly, when the primary VPN server goes down all hosts should connect to the next host in the list.
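Review bot: in the `@@ -2,7 +2,7 @@` hunk of `openvpn.adoc`, the line being changed (`hosts should be given static IP's and a _hostname.vpn.fedoraproject.org_`) still carries the possessive apostrophe in "IP's"; since the line is already edited to italicize the placeholder hostname, fix the plural to "IPs" in the same change rather than leaving it for a later pass.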
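Review bot: the `@@ -11,8 +11,6 @@` hunk deletes the `Location::` / `Phoenix` entry outright instead of updating it. Every other hunk in this patch migrates PHX/PHX2 references to IAD2 (the example hostnames, the `search` line, the TODO), so the Contact Information block should presumably read `Location:: IAD2` rather than lose the field altogether; as committed, the SOP no longer states which datacenter hosts the `bastion (vpn.fedoraproject.org)` server listed directly below it.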
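Review bot: in the `@@ -111,20 +109,24 @@` hunk, the rebuilt listing under `== Remove a host` is followed by the unchanged sentence "Next prepare your environment and run the build-key script", which is the same wording as the Add a host section above it; this patch only swaps the example hostname in that sentence. Removing a host should revoke the host's existing key, not build a new one, so verify which script the removal procedure actually invokes and correct the sentence (and the example hostname with it) while this section is being touched. The listing itself reads correctly: `RESTORE_UMASK=$(umask -p)` captures a re-runnable `umask NNNN` command, `umask 0077` keeps the freshly cloned private repository unreadable to other users as the comment intends, `$RESTORE_UMASK` restores the original mask afterwards, and `cd ansible-private/vpn/openvpn` now matches the clone directory used in the Add a host section where the old text had `cd private/vpn/openvpn`.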