Core services overview

This page outlines our core services and platform, and is mostly intended for people intending to work on them.

It mostly links to other pages which go into more detail, but please still check this is up to date when making changes.

Virtualisation

Currently, we use virtual machines grouped roughly by task, on top of a single physical host (canton).

We use Proxmox to manage these, with a separate VLAN for managed VMs (only tardis admins have root) and unmanaged VMs (other people have root). See here.

The VMs mentioned below are all restricted to admin access only: you'll need the tardis SSH key stored in Bitwarden to SSH in as root. Normal LDAP credentials will not work.

Authentication, and other important things (enclave)

Enclave is responsible for our most sensitive applications, including:

  • LDAP, which holds our entire user database
  • Kerberos, which holds the passwords for our users
  • Keycloak, which provides SSO for most of our web services
  • Vaultwarden, which we use to store admin credentials, etc.
  • The Tardis Console, our web account management interface

We aim to store passwords only in Kerberos. This works even for clients that don't support Kerberos, via LDAP passthrough authentication (see here).
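As an added illustration (not taken from this wiki or from the tardis configuration itself), the following shell helpers show what "passthrough" looks like on the LDAP side and give admins a quick audit for the "passwords only in Kerberos" goal. It assumes OpenLDAP (slapd) built with Cyrus SASL and a saslauthd running with the kerberos5 mechanism; the realm EXAMPLE.ORG, the base DN and the user names are constructed placeholders.

```shell
# Added example, not part of the tardis wiki. Assumes OpenLDAP with Cyrus SASL
# support and saslauthd configured for kerberos5; EXAMPLE.ORG and the DNs are
# constructed placeholders.
#
# With pass-through authentication slapd stores no hash for the user: the
# userPassword value is "{SASL}user@REALM", and on bind slapd hands the
# cleartext to Cyrus SASL, which asks saslauthd, which checks it against the
# KDC. Required glue (not generated here):
#   slapd's SASL client config (e.g. /etc/ldap/sasl2/slapd.conf):
#     pwcheck_method: saslauthd
#     saslauthd_path: /var/run/saslauthd/mux
#   saslauthd started with the kerberos5 mechanism
#     (Debian: MECHANISMS="kerberos5" in /etc/default/saslauthd)

# Emit an LDIF modify that switches one account to Kerberos pass-through.
# Usage: passthrough_ldif alice EXAMPLE.ORG ou=people,dc=example,dc=org | ldapmodify -H ldapi:/// -Y EXTERNAL
passthrough_ldif() {
  uid="$1"; realm="$2"; base_dn="$3"
  printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: userPassword\nuserPassword: {SASL}%s@%s\n' \
    "$uid" "$base_dn" "$uid" "$realm"
}

# Return 0 if a userPassword value delegates to SASL, 1 if it is a local hash.
is_passthrough() {
  case "$1" in
    "{SASL}"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Audit helper: read an LDIF dump on stdin (e.g. from
#   ldapsearch -H ldapi:/// -Y EXTERNAL -b ou=people,dc=example,dc=org userPassword)
# and print the DN of every entry whose userPassword is NOT {SASL} delegation.
# Base64-encoded values (lines starting "userPassword::") are printed too, so
# they get a manual look rather than silently passing.
find_local_hashes() {
  awk '
    /^dn: /         { dn = substr($0, 5) }
    /^userPassword:/ {
      if (substr($0, 15, 6) != "{SASL}") print dn
    }
  '
}
```

The audit is the part worth running regularly: an account that was created or reset through a tool that writes a local hash instead of the `{SASL}` marker will keep authenticating happily, but its password then lives outside Kerberos, which is exactly the situation the policy above is meant to rule out.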

Email, DNS, and our main reverse proxy (web)

Web is responsible for our public-facing core services, including:

Caddy is the reverse proxy that most of the tardisproject.uk domain goes through, except for gitlab. It doesn't host any user services: those are all handled by a separate reverse proxy detailed here.

This VM is probably a little overloaded, as it is also hosting:

Monitoring

Monitoring hosts the parent node for Netdata, and does some health checks of our services.

It sends configured alerts to the #tardis-bots Discord channel.

hosts/architecture.txt · Last modified: 2023/11/25 19:44 by tcmal