Core services overview
This page outlines our core services and platform, and is mostly intended for people intending to work on them.
It mostly links to other pages which go into more detail, but please still check this is up to date when making changes.
Currently, we use virtual machines grouped roughly by task, on top of a single physical host (canton).
We use proxmox to manage these, with a separate vLAN for managed VMs (only tardis admins have root) and unmanaged VMs (other people have root). See here.
The VMs mentioned below are all restricted to admin access only: You'll need the tardis SSH key stored in bitwarden to SSH in as root. Normal LDAP credentials will not work.
Authentication, and other important things (enclave)
Enclave is responsible for our most sensitive applications, including:
- LDAP, which holds our entire user database
- Kerberos, which holds the passwords for our users
- Keycloak, which provides SSO for most of our web services.
- Vaultwarden, which we use to store admin credentials, etc.
- The Tardis Console, our web account management interface.
We aim to store passwords only in Kerberos. This is possible even if the client doesn't support Kerberos using LDAP passthrough authentication, see here.
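As an added illustration of the passthrough idea (this is example configuration, not Tardis's own), OpenLDAP can be told to hand a simple bind to saslauthd instead of comparing a stored hash, and saslauthd in turn checks the password against the Kerberos KDC. The realm EXAMPLE.ORG, the user alice and the base DN are placeholders; only the mechanism is real. The cn=config attributes olcSaslHost and olcSaslRealm correspond to the sasl-host and sasl-realm directives in slapd.conf.

```ldif
# Added example, not the project's own configuration.
# Assumed: realm EXAMPLE.ORG, user alice, base dc=example,dc=org.
# Assumed surrounding setup (outside this LDIF):
#   - saslauthd started with MECHANISMS="kerberos5"
#   - slapd's SASL config (e.g. /etc/sasl2/slapd.conf) contains
#       pwcheck_method: saslauthd

# 1. Tell slapd which host/realm to present to SASL when it forwards
#    a {SASL} password check to saslauthd.
dn: cn=config
changetype: modify
replace: olcSaslHost
olcSaslHost: localhost
-
replace: olcSaslRealm
olcSaslRealm: EXAMPLE.ORG

# 2. The user entry carries no hash at all. The {SASL} scheme is a
#    pointer, so a bind as this DN is checked by saslauthd against
#    the KDC principal alice@EXAMPLE.ORG; dumping the directory
#    reveals no password material for this user.
dn: uid=alice,ou=people,dc=example,dc=org
changetype: modify
replace: userPassword
userPassword: {SASL}alice@EXAMPLE.ORG
```

Two checks worth doing after applying something like this: `testsaslauthd -u alice -r EXAMPLE.ORG -p '<password>'` confirms saslauthd itself can reach the KDC, and an `ldapwhoami -x -D uid=alice,ou=people,dc=example,dc=org -W` confirms slapd is honouring the pointer. Because a simple bind still sends the cleartext password to slapd, clients must use ldaps or STARTTLS, and the saslauthd socket should stay readable only by the slapd user.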
Email, DNS, and our main reverse proxy (web)
Web is responsible for our public-facing core services, including:
- Email, sending, receiving and checking
- Recursive and Authoritative DNS, which is also available to users
- Caddy, our primary reverse proxy
- Dokuwiki, which you're reading this on
- Userhomes nginx server, which serves www/directories. Note that this isn't actually exposed through Caddy.
Caddy is the reverse proxy that most of the tardisproject.uk domain goes through, except for gitlab. It doesn't host any user services: those are all handled by a separate reverse proxy detailed here.
This VM is probably a little overloaded, as it is also hosting:
It sends configured alerts to the #tardis-bots discord channel.