sysadmin
sysadmin [2020-05-24 07:55] – [Technical Policies] tim | sysadmin [2020-06-02 12:41] – [Communications] tim | ||
Line 1: | Line 1: | ||
====== System Administration ====== | ====== System Administration ====== | ||
- | This page will describe how we organise ourselves to operate | + | At the time of writing, most of Hacklab's network and server infrastructure |
- | ===== Categories | + | ===== What do we maintain? |
- | We separate administration into categories based on the level of security required. This is so that we can make a trade-off between including more interested members vs restricting | + | * Internet connection |
+ | * Core network router and switches | ||
+ | * WiFi access | ||
+ | * Rack space and network service for member colo servers | ||
+ | * Virtual machines for members | ||
+ | * DNS & DHCP | ||
+ | * Members registration and authentication | ||
+ | * Access management (doors, tools and lockers) | ||
+ | * Shared services: shell, file storage, nextcloud | ||
+ | * Mailing lists | ||
- | | Internet of Things | Lights, sound, automation | + | ===== What don't we maintain? ===== |
- | | General Systems | + | |
- | | Network | + | |
- | | Personal Data | Members database, home directories, | + | |
- | ===== Network ===== | + | * Hacklab email - this is currently hosted on fastmail.com |
+ | * Domain registration - this is closely guarded. | ||
+ | * Internet of Things at the lab - this is a free-for-all. | ||
+ | * Members' | ||
- | https:// | + | ===== Communications ===== |
- | There is a netadmin unix group which provides access to network-infrastructure VMs and webapps. | + | There is a // |
- | There is a network password for router and switch access. | + | Users can reach us at // |
- | ===== Sysadmin | + | ===== Access Privileges |
- | https://lists.ehlab.uk/ | + | Network: The //netadmin// LDAP group provides access to network-related servers. There is a network password for the router, switches, UniFi controller and anything else that doesn' |
- | There is a sysadmin | + | Servers: The //sysadmin// LDAP group will provide |
- | There is a standard root password for most Linux servers, though it is likely to be disabled over SSH in favour | + | Team members will be expected to agree to the code of conduct before getting any privileges and may not receive all privileges immediately. |
- | ===== Restricted Access | + | ===== Code of Conduct |
- | These are the currently restricted services: | + | We adopt the [[https:// |
- | * ehl-vm-access: | + | Of particular interest: |
- | * Access control for doors, tools and lockers. | + | |
- | * Hosted on magnesium. | + | |
- | * Available to sysadmin unix group. | + | |
- | * ehl-vm-admin: | + | |
- | * Members database | + | |
- | * Hosted on magnesium. | + | |
- | * Available to sysadmin unix group. | + | |
- | * ehl-vm-audit: | + | |
- | * Netflow, syslog, mqtt logs. 30 day retention. | + | |
- | * Hosted on Tim's server. | + | |
- | * Available to Tim. | + | |
- | * magnesium: | + | |
- | * Bare-metal VM server. | + | |
- | * Contains VMs with personal data, and VM that belong to individual members. | + | |
- | * Available to sysadmin unix group. | + | |
- | * ganymede, shell server, radon: | + | |
- | * Home directories. | + | |
- | * Nextcloud storage. | + | |
- | * Hosted on magnesium. | + | |
- | * Available to sysadmin unix group. | + | |
- | Tim's commentary: | + | > "I will maintain professional conduct in the workplace and will not allow personal feelings or beliefs |
- | ===== Conduct ===== | + | This means use your powers only for good. You must not use them to annoy people. |
- | What behaviour do we expect from members with access | + | > "I will access |
- | * Respect personal data by only accessing it when legally or technically necessary, or when requested by the owner. | + | This is important because |
- | * Act in good faith. | + | |
- | * Co-operate with other group members. Don't change | + | |
- | Should we adopt an existing code of conduct? https://www.usenix.org/system-administrators-code-ethics | + | > "I will strive to ensure the necessary integrity, reliability, |
+ | > "I will design and maintain each system | ||
+ | |||
+ | This means that we need to co-operate as a team. The services we create should be maintainable after the person who created them has moved on. Technology choices should be shared. | ||
===== Technical Policies ===== | ===== Technical Policies ===== | ||
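Review bot: the new "Access Privileges" section drops the old revision's statement that "There is a standard root password for most Linux servers, though it is likely to be disabled over SSH in favour ..." without saying what replaced it, and at the same time introduces a single shared network password for "the router, switches, UniFi controller and anything else that doesn'..." with no lifecycle rule for it. Since the same section now says team members "may not receive all privileges immediately" (implying privileges are granted and withdrawn per person), the revision should state whether root password login over SSH has in fact been disabled on the Linux servers, and add a line on when the shared network password is rotated (at minimum, whenever someone leaves the netadmin group) so that group removal in LDAP actually revokes access to the network gear.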
Line 75: | Line 65: | ||
Configuration management: | Configuration management: | ||
- | * There is an ansible profile for low-level configuration. | + | * There is an [[https:// |
* Use Docker for applications unless they are complex and require a dedicated host. | * Use Docker for applications unless they are complex and require a dedicated host. | ||
+ | |||
+ | ===== Projects / Issues ===== | ||
+ | |||
+ | See [[private: | ||
sysadmin.txt · Last modified: 2022-04-22 13:47 by tim