sysadmin
Differences
This shows you the differences between two versions of the page.
sysadmin [2020-05-24 07:55] – [Technical Policies] tim | sysadmin [2020-05-25 17:34] – tim | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== System Administration ====== | ====== System Administration ====== | ||
- | This page will describe how we organise ourselves | + | Moved to [[private:sysadmin]]. |
- | + | ||
- | ===== Categories ===== | + | |
- | + | ||
- | We separate administration into categories based on the level of security required. This is so that we can make a trade-off between including more interested members vs restricting access to sensitive data or highly critical systems. | + | |
- | + | ||
- | | Internet of Things | Lights, sound, automation | + | |
- | | General Systems | + | |
- | | Network | + | |
- | | Personal Data | Members database, home directories, | + | |
- | + | ||
- | ===== Network ===== | + | |
- | + | ||
- | https:// | + | |
- | + | ||
- | There is a netadmin unix group which provides access to network-infrastructure VMs and webapps. | + | |
- | + | ||
- | There is a network password for router and switch access. | + | |
- | + | ||
- | ===== Sysadmin ===== | + | |
- | + | ||
- | https:// | + | |
- | + | ||
- | There is a sysadmin unix group which provides access to most Linux servers. | + | |
- | + | ||
- | There is a standard root password for most Linux servers, though it is likely to be disabled over SSH in favour of SSH keys. | + | |
- | + | ||
- | ===== Restricted Access ===== | + | |
- | + | ||
- | These are the currently restricted services: | + | |
- | + | ||
- | * ehl-vm-access: | + | |
- | * Access control for doors, tools and lockers. | + | |
- | * Hosted on magnesium. | + | |
- | * Available to sysadmin unix group. | + | |
- | * ehl-vm-admin: | + | |
- | * Members database | + | |
- | * Hosted on magnesium. | + | |
- | * Available to sysadmin unix group. | + | |
- | * ehl-vm-audit: | + | |
- | * Netflow, syslog, mqtt logs. 30 day retention. | + | |
- | * Hosted on Tim's server. | + | |
- | * Available to Tim. | + | |
- | * magnesium: | + | |
- | * Bare-metal VM server. | + | |
- | * Contains VMs with personal data, and VM that belong to individual members. | + | |
- | * Available to sysadmin unix group. | + | |
- | * ganymede, shell server, radon: | + | |
- | * Home directories. | + | |
- | * Nextcloud storage. | + | |
- | * Hosted on magnesium. | + | |
- | * Available to sysadmin unix group. | + | |
- | + | ||
- | Tim's commentary: I would like to restructure these services so that the sysadmin team can be more inclusive. The members database will be moved to an external VM. I would like to adjust the expectations of privacy for home directories and members VMs so that more people can administrate the underlying host (magnesium). | + | |
- | + | ||
- | ===== Conduct ===== | + | |
- | + | ||
- | What behaviour do we expect from members with access privileges? | + | |
- | + | ||
- | * Respect personal data by only accessing it when legally or technically necessary, or when requested by the owner. | + | |
- | * Act in good faith. | + | |
- | * Co-operate with other group members. Don't change the technology choices or methods without discussing first. | + | |
- | + | ||
- | Should we adopt an existing code of conduct? https:// | + | |
- | + | ||
- | ===== Technical Policies ===== | + | |
- | + | ||
- | Server naming: | + | |
- | + | ||
- | * Bare-metal servers are named after chemical elements. | + | |
- | * VMs are named functionally, | + | |
- | + | ||
- | Configuration management: | + | |
- | + | ||
- | * There is an ansible profile for low-level configuration. | + | |
- | * Use Docker for applications unless they are complex and require a dedicated host. | + | |
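Review bot: the `-` side of this hunk discloses access-control details that belong behind an ACL (a shared network password for router and switch access, a standard root password on most Linux servers, the host magnesium carrying VMs with personal data, and which unix groups grant access to each service), so replacing it with `Moved to [[private:sysadmin]].` is appropriate, but the removed text stays readable through this public revision history, so the move only reduces exposure if the earlier revisions are purged or the page's ACL also covers its history. The private copy should also resolve the hedge in `though it is likely to be disabled over SSH in favour of SSH keys` into a definite statement, since anyone reading an admin page needs to know whether password root login over SSH is actually off.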
sysadmin.txt · Last modified: 2022-04-22 13:47 by tim