Felix E. Klee edited this page Aug 9, 2023 · 5 revisions

Dim Sum Labs network notes

DNS zones

  • dimsumlabs.com

    • Registered by Manolis
    • Hidden master DNS hosted by Philip
      • Philip and Hamish can push changes
    • Public DNS by he.net
      • Pulls from Philip's hidden master
  • dimsumlabs.org (unused)

    • Empty zone. Forwards to dimsumlabs.com
    • Same configuration as dimsumlabs.com
  • in.dimsumlabs.com

    • Internal namespace for hosts inside the space
    • DNS served from the ns0.in.dimsumlabs.com jail on tofu.in.dimsumlabs.com
  • certbot.dimsumlabs.com

    • Dynamic zone for validating LetsEncrypt.org certificates
    • DNS served from the ns0.in.dimsumlabs.com jail on tofu.in.dimsumlabs.com

Tunnel

Go via space.dimsumlabs.com, e.g.:

ssh -J $YOUR_USERNAME@space.dimsumlabs.com pi@door.in.dimsumlabs.com

Network configuration

Infrastructure

tofu.in.dimsumlabs.com is a single-board computer from Kettop running FreeBSD.

Configuration files:

  • /etc/rc.conf: system and network configuration
  • /etc/jail.conf: jail configuration
  • /usr/local/etc/dhcpd.conf: DHCPv4
  • /usr/local/etc/dhcpd6.conf: DHCPv6
  • /usr/local/etc/unbound/unbound.conf: recursive DNS

Jails:

  • ns0.in.dimsumlabs.com: hidden master DNS for internal zones
  • avahi.in.dimsumlabs.com: mDNS relay between the service and public networks (for zeroconf printing, etc.)
  • unifi.in.dimsumlabs.com: Ubiquiti controller for the Wi-Fi
  • webfront.in.dimsumlabs.com: reverse proxy for web services inside the space (e.g. door)
  • certbot.in.dimsumlabs.com: acme.sh certbot for issuing/renewing LetsEncrypt.org certificates

From /etc/rc.conf:

# Network layout:
#
# igb0,igb1 -> lagg0 -> trunk to switch
#     \_ vlan9 -> PCCW uplink
#     .
#     \_ vlan1   -> legacy network      (192.168.100.0/24)
#     \_ vlan100 -> Service network     (172.31.0.0/24)
#     \_ vlan102 -> Wired/wlan users    (172.31.2.0/23)
#     .
#     \_ vlan115 -> Management network  (172.31.15.0/24)
#
# vlan1 -> legacy network
#          mainly to reach the old hypervisor on 192.168.100.1
# igb3  -> emergency backdoor 192.168.88.1/24
# gif0  -> IPv6 tunnel to he.net
#
# Notes:
#  - IPv4: 172.31.0.0/20
#          172.31.X.0/24           X = VLAN ID - 100
#  - IPv6: 2001:470:fbdc::/48
#          2001:470:fbdc:6X::/64   X = 0x0VLANID
#
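
The addressing rules in the comment above can be turned into a small lookup helper, which is handy when reading firewall logs or packet captures and wanting to know which VLAN an address belongs to. This is an added example, not code from the Dim Sum Labs repository. It encodes the IPv4 rule exactly as stated (172.31.X.0/24, X = VLAN ID - 100, with vlan102 as the /23 exception shown in the diagram) and reads the IPv6 rule "X = 0x0VLANID" as "the decimal digits of the VLAN ID used literally as hex digits", so vlan100 becomes 2001:470:fbdc:6100::/64; that reading is an assumption and should be checked against a real interface address before relying on it. A point the comment does not spell out: because the IPv4 supernet is a /20, X can only be 0..15, so the scheme only fits VLAN IDs 100..115.

```python
import ipaddress

# Supernets from the rc.conf notes.
IPV4_SUPERNET = ipaddress.ip_network("172.31.0.0/20")
IPV6_SUPERNET = ipaddress.ip_network("2001:470:fbdc::/48")

# Exceptions to the "one /24 per VLAN" rule, taken from the layout diagram:
# vlan102 (wired/wlan users) is a /23, so it also covers 172.31.3.0/24.
# A vlan103 would collide with it; the diagram lists none.
IPV4_PREFIXLEN_OVERRIDES = {102: 23}


def vlan_to_prefixes(vlan_id):
    """Return (IPv4 network, IPv6 network) as strings for an internal VLAN.

    IPv4: 172.31.X.0/24 with X = VLAN ID - 100. The supernet is a /20, so
    X must be 0..15 and only VLAN IDs 100..115 fit the scheme.
    IPv6: 2001:470:fbdc:6X::/64, where this code (assumption) forms the
    hextet as "6" followed by the VLAN ID's decimal digits: vlan100 -> 0x6100.
    """
    x = vlan_id - 100
    if not 0 <= x <= 15:
        raise ValueError(f"vlan {vlan_id} is outside the 172.31.0.0/20 scheme (VLAN 100..115)")
    prefixlen = IPV4_PREFIXLEN_OVERRIDES.get(vlan_id, 24)
    v4 = ipaddress.ip_network(f"172.31.{x}.0/{prefixlen}")
    hextet = 0x6000 + int(str(vlan_id), 16)  # digits of the VLAN ID read as hex
    v6 = ipaddress.ip_network(f"2001:470:fbdc:{hextet:x}::/64")
    # Sanity check: both derived prefixes must sit inside the allocated supernets.
    if not (v4.subnet_of(IPV4_SUPERNET) and v6.subnet_of(IPV6_SUPERNET)):
        raise ValueError(f"derived prefixes for vlan {vlan_id} fall outside the supernets")
    return str(v4), str(v6)


def vlan_of(address):
    """Map an address seen in a log or capture back to its VLAN ID, or None if it
    is outside the internal scheme (e.g. the legacy 192.168.100.0/24)."""
    addr = ipaddress.ip_address(address)
    for vlan_id in range(100, 116):
        v4, v6 = vlan_to_prefixes(vlan_id)
        net = ipaddress.ip_network(v4 if addr.version == 4 else v6)
        if addr in net:
            return vlan_id
    return None


if __name__ == "__main__":
    for vid in (100, 102, 115):
        print(vid, vlan_to_prefixes(vid))
    # Constructed sample addresses, not taken from any real log.
    for sample in ("172.31.3.7", "2001:470:fbdc:6115::1", "192.168.100.1"):
        print(sample, "->", vlan_of(sample))
```

vlan_of iterates in VLAN order, so an address in 172.31.3.0/24 is reported as vlan102 because of the /23 override; if a vlan103 is ever added, the override table has to change with it.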

TLS certificates for internal hosts

We run acme.sh in the certbot jail on tofu.in.dimsumlabs.com.

To issue a LetsEncrypt.org certificate for an internal service (e.g. door):

  1. Add _acme-challenge.door CNAME _acme-challenge.certbot to the dimsumlabs.com DNS
  2. Issue the certificate, as root on tofu.in.dimsumlabs.com:
# jexec certbot
# su - acme
$ acme.sh --issue -k 4096 -d door.dimsumlabs.com --dns dns_nsupdate --challenge-alias certbot.dimsumlabs.com
$ acme.sh --issue -k ec-256 -d door.dimsumlabs.com --dns dns_nsupdate --challenge-alias certbot.dimsumlabs.com
$ acme.sh --deploy --deploy-hook dimsumlabs -d door.dimsumlabs.com
$ acme.sh --deploy --deploy-hook dimsumlabs -d door.dimsumlabs.com --ecc

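The two steps above rely on the CA following a CNAME from the host's own _acme-challenge name into the dynamic certbot.dimsumlabs.com zone, where acme.sh's dns_nsupdate hook writes the validation TXT record. The following added example (not code from the project or from acme.sh) models that lookup with constructed zone data so the dependency between step 1 and step 2 is visible: the static dimsumlabs.com zone is never written, and a host that skipped the CNAME fails validation. The record values, the token, and the host example-host.dimsumlabs.com are all made up for the demonstration.

```python
# Constructed stand-ins for the two zones; none of this is real zone content.
# Names are fully qualified (trailing dot).
STATIC_ZONE = {  # dimsumlabs.com: hand-edited hidden master, no dynamic updates
    "_acme-challenge.door.dimsumlabs.com.": ("CNAME", "_acme-challenge.certbot.dimsumlabs.com."),
}
DYNAMIC_ZONE = {}  # certbot.dimsumlabs.com: the only zone the nsupdate key writes to

ALIAS_ZONE = "certbot.dimsumlabs.com."


def publish_challenge(dynamic_zone, token):
    """Model of what the dns_nsupdate hook does for --challenge-alias: it adds
    the validation TXT in the alias zone and never touches the static zone."""
    dynamic_zone["_acme-challenge." + ALIAS_ZONE] = ("TXT", token)


def resolve_txt(name, zones, max_hops=8):
    """Follow CNAME chains the way a validating resolver would and return the
    TXT value reached, or None if the chain ends without one (NXDOMAIN)."""
    for _ in range(max_hops):
        record = next((zone[name] for zone in zones if name in zone), None)
        if record is None:
            return None
        rtype, value = record
        if rtype == "TXT":
            return value
        if rtype == "CNAME":
            name = value
            continue
        return None
    raise RuntimeError("CNAME chain too long")


def dns01_validates(hostname, token, zones):
    """Does the CA's lookup of _acme-challenge.<hostname> end at the published token?"""
    return resolve_txt(f"_acme-challenge.{hostname}.", zones) == token


def demo():
    token = "constructed-token-value"  # constructed; a real token comes from the CA
    publish_challenge(DYNAMIC_ZONE, token)
    zones = [STATIC_ZONE, DYNAMIC_ZONE]
    return {
        # door has the CNAME from step 1: the chain reaches the TXT, validation succeeds
        "door": dns01_validates("door.dimsumlabs.com", token, zones),
        # a host for which step 1 was skipped: the CA finds no record, issuance fails
        "missing_cname": dns01_validates("example-host.dimsumlabs.com", token, zones),
        # the static zone still holds only the CNAME that was added by hand
        "static_untouched": list(STATIC_ZONE) == ["_acme-challenge.door.dimsumlabs.com."],
    }


if __name__ == "__main__":
    print(demo())
```

The reason for the split is that the nsupdate key in the certbot jail only needs write access to the dynamic zone, so a problem in that jail cannot rewrite dimsumlabs.com itself; every new internal host still needs its one-line CNAME added to the static zone before the issue step will succeed.
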
See the notes in /var/db/acme/README in the certbot jail for more information on the acme.sh bits. See the comments in /usr/local/etc/namedb/named.conf in the ns0 jail for more information on the DNS bits.