On March 6, 2018 8:18 Florian Pritz via arch-devops wrote:

> Eventually I'd like to have all of these (+ wiki if possible) in LDAP so that when someone becomes a TU/dev we can just change the group setting in LDAP and everything else adjusts automatically. Ideally, when someone joins the team they already have an account there and things like SSH and GPG keys are already configured because the AUR requires them. We then just change the group and be done with it.

We can have the SSH and GPG keys in the directory itself, yes, and that's accessible by any application.

> For now I'd start with, in that order, ssh, kanboard (only a few users so far so it should be easy to migrate), archweb. Later we can work on getting the other services migrated, but there we'll have to come up with a way to resolve conflicts regarding usernames so this requires some more effort.

I would say, as far as name conflicts go, we look at the application where we have the biggest number of users, and we determine that as the authoritative source for usernames. Anyone with a username conflicting against that will need to change. I think the AUR is that application, right?

> About the rest: 389ds and VPN sound good. Also I'd still use TLS even on a VPN so that we have multiple layers of security. I've once had a DNS problem with my personal syslog server, but thanks to TLS (with a private CA) there were no connections to the wrong machine. I imagine that we'll use DNS for easier management even if we use private IPs so this also applies here. It will probably be /etc/hosts, but there can still be a mistake at some point.

TLS will be used regardless of VPN or not. And we are going to use valid certs, no self-signed ones. As for the VPN, I would say that tinc or openvpn are options.

> Regarding topology I'd like master-master if that works well, otherwise master-slave. How does 389ds resolve conflicts in a master-master setup and what's the performance like?

Come to think of it, we want multi-master replication, because we need the ability to bring the servers up and down for upgrades and other stuff. If we go with the master-slave topology, the master machine will require a lot of attention.

Regards,
Giancarlo Razzolini
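As an added example (not code from this thread or from Arch's infrastructure), the username-conflict rule proposed above, scripted over constructed per-service account exports: the service with the most accounts becomes authoritative, and every account elsewhere whose username belongs to a different person there is flagged for renaming. Matching identities by e-mail address is an assumption of this example.

```python
"""Username reconciliation ahead of an LDAP migration.

Added example: picks the service with the most accounts as the
authoritative source for usernames and lists, per other service, the
usernames that collide with a different person's account there.
Identity is matched on e-mail address (assumption for this example).
"""
from collections import namedtuple

Account = namedtuple("Account", "username email")

# Constructed sample exports; not real account data.
SERVICES = {
    "aur": [
        Account("alice", "alice@example.org"),
        Account("bob", "bob@example.org"),
        Account("carol", "carol@example.org"),
        Account("dave", "dave@example.org"),
    ],
    "archweb": [
        Account("alice", "alice@example.org"),  # same person: no conflict
        Account("bob", "robert@example.org"),   # different person: conflict
        Account("erin", "erin@example.org"),    # username not in AUR: fine
    ],
    "kanboard": [
        Account("carol", "carol@example.org"),
        Account("dave", "david@example.org"),   # different person: conflict
    ],
}


def authoritative_service(services):
    """Service with the most accounts; ties resolved alphabetically."""
    return max(sorted(services), key=lambda s: len(services[s]))


def find_conflicts(services):
    """Map service -> sorted usernames that must be renamed there.

    A conflict is a username owned by the authoritative service that is
    registered to a different e-mail address on another service.
    """
    source = authoritative_service(services)
    canonical = {a.username: a.email.lower() for a in services[source]}
    conflicts = {}
    for name, accounts in services.items():
        if name == source:
            continue
        clashes = sorted(a.username for a in accounts
                         if a.username in canonical
                         and canonical[a.username] != a.email.lower())
        if clashes:
            conflicts[name] = clashes
    return conflicts
```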