1.0.0 Release IaaS

docs/runbook/05-hardwares.md

@@ -0,0 +1,220 @@
+# Hardware
+
+All hardware configuration is set after fw vm. The MAC address of hardware is reservated on kea-dhcp.
+
+## Vlan switch
+
+### Access VLAN switch
+
+- http://switch.ilnmors.internal \(192.168.1.2, KEA-DHCP, Only IPv4 support\)
+    - before set ipv6, use ip4 address instead of FQDN
+    - id: admin, password: admin
+    - new password: switch.password
+
+### Set VLAN
+- VLAN:802.1Q VLAN
+    - \[x\] Enable - Apply
+    - VLAN client
+        - id 1
+        - name default > client
+        - member \(Untagged\)
+            - Port 1 \(Trunk, untagged\): Linux bridge is already process untagged packet as id 1
+            - Port 3
+            - Port 4
+            - Port 5
+            - Port 6
+            - Port 7
+            - Port 8
+    - VLAN server
+        - id 10
+        - name server
+        - member
+            - Port 1 \(Trunk, tagged\)
+    - VLAN user
+        - id 20
+        - name user
+        - member
+            - Port 1 \(Trunk, tagged\)
+            - Port 2 \(Not a member of client vlan, untagged\)
+
+- VLAN:802.1Q VLAN PVID setting
+    - Port 2
+        - PVID 20
+
+### Verify VLAN configuration
+
+- Manually set consol ip as user
+- Connect console to Port 2
+- Check internet connection
+
+
+## DSM \(DS124\)
+
+- https://finds.synology.com/# \(192.168.1.11, KEA-DHCP\)
+    - Install DSM
+
+### Initial configuration
+- Device name: ilnmorsNAS
+- Administrator account: il
+- Password: dsm.il.password
+
+- automatical update
+- synology account - skip, skip anyway
+- opt disagree
+
+### Storage
+
+- Storage Manager:Storage:Create:btrfs - Create
+
+### IP address
+
+Kea in fw already reserved DSM's IP. However it is necessary to set IP address statically for stable operation.
+
+- Control Panel:Network:Network Interface:LAN
+    - Edit:IPv4:Use manual configuration
+    - Edit:IPv6:Use manual configuration
+
+### Certificates
+
+- Control Panel:Security:Certificate
+    - Replace an existing certificate:synology
+        - Description: ilnmors.internal
+        - Private Key
+        - Certificate
+        - Intermediate certificate
+    - Edit: For: Set as default certificate
+    - Setting \(!CAUTION!\)
+        - Even though you set the certificate as default, you have to set certificate for each services.
+        - configure: service: certificate: nas.ilnmors.internal
+
+## Authelia OIDC
+
+- **!CAUTION!** It can be set after authelia is implemented
+- Following [here](../../../config/containers/auth/authelia/config/authelia.yaml.j2) for Authelia configuration
+- Control Panel:Domain/LDAP:SSO Client
+    - Login Settings: \[x\] Select SSO by default on the login page
+    - Services
+        - \[x\] Enable OpenID Connect SSO service
+        - OpenID Connect SSO Settings
+            - Profile: OIDC
+            - Account type: Domain/LDAP/local
+            - Name: Authelia
+            - Well-Known URL: https://authelia.ilnmors.com/.well-known/openid-configuration
+            - Application ID: dsm \(what you designated\)
+            - Application Secret: secret value
+            - Redirect URI: https://nas.ilnmors.internal:5001
+            - Authorization scope: openid profile groups email
+            - Username claim: preferred_username
+- Match the user name \(ID\) in DSM and lldap id.
+
+### Kopia in DSM
+
+#### Upload Kopia repository to DSM
+
+- Directory
+    - Control Panel:shared folder: docker
+    - Create: docker/kopia - permission: everyone rwx - inheretence to sub directories
+
+- Container manager
+    - Package Center:Conatiner manager:install
+
+- Upload repository directory from console to DSM
+    - docker/kopia/repository
+
+- Add certificate - DSM reverse proxy cannot deal with gRPC
+    - /docker/kopia/config/ssl/nas.key
+    - /docker/kopia/config/ssl/nas.crt \(including intermediate crt\)
+
+- container manager:images:import
+    - kopia/kopia
+    - tags: \{\{ version['packages']['kopia'] \}\}
+- run
+    - image: kopia/kopia
+    - containername: kopia-server
+    - \[x\] Enable auto restart
+    - port: 51515:51515
+    - volume: /docker/kopia/config:/app/config:rw
+    - volume: /docker/kopia/cache:/app/cache:rw
+    - volume: /docker/kopia/logs:/app/logs:rw
+    - volume: /docker/kopia/repository:/repository:rw
+    - environment: KOPIA_PASSWORD=$KOPIA.REPOSITORY
+    - command: server start --no-ui --tls-cert-file=/app/config/ssl/nas.crt --tls-key-file=/app/config/ssl/nas.key --address=0.0.0.0:51515 --log-level=info 
+- action:Terminal:Create
+```bash
+kopia repository connect filesystem \
+--path=/repository \
+--override-username="il" \
+--override-hostname="nas.ilnmors.internal"
+```
+- action:restart
+
+- Set firewall nftables
+- Remove kopia_tmp dir from console
+
+### Connection from client
+
+#### Structure
+
+Repository directory - encrypted by server KOPIA_PASSWORD as master key of repository
+
+Server manage ACL with user password, user's KOPIA_PASSWORD. When server verify user with their password, server works with its repository password.
+
+Repository - \(Repository key; master key\) -  Server - \(User key; access key\) - Client
+
+- Client knows its access password as KOPIA_PASSWORD to access server. It doesn't know master key, server's KOPIA_PASSWORD. server will control repository by its KOPIA_PASSWORD. their name is the same but it is different.
+
+#### Access
+
+```bash
+# Console
+# you have to use `'` not `"`
+KOPIA_PASSWORD='$kopia.user.user_name' \ 
+/usr/bin/kopia repository connect server \
+--url=https://nas.ilnmors.internal:51515 \
+--override-username=console \
+--override-hostname=console.ilnmors.internal
+# This makes repository.config on ~/.config/kopia
+# verify with kopia server acl list command
+
+# infra or app
+## /etc/secrets/$KOPIA_UID/kopia.env
+KOPIA_PASSWORD={{ hostvars['console']['kopia']['user'][node['name']] }}
+KOPIA_CONFIG_PATH=/etc/kopia/repository.config
+KOPIA_CACHE_DIRECTORY=/var/cache/kopia
+KOPIA_LOG_DIR=/var/cache/kopia/logs
+KOPIA_CHECK_FOR_UPDATES=false
+## .service file
+BindReadOnlyPaths=/path/to/backup
+# In root namescope, %u always bring 0
+BindPaths=/etc/kopia
+BindPaths=/etc/secrets/{{ kopia_uid }}
+BindPaths=/var/cache/kopia
+EnvironmentFile=/etc/secrets/{{ kopia_uid }}/kopia.env
+
+ExecStartPre=/usr/bin/kopia repository connect server \
+    --url=https://{{ infra_uri['kopia']['domain'] }}:{{ infra_uri['kopia']['ports']['https'] }} \
+    --override-username={{ node['name'] }} \
+    --override-hostname={{ node['name'] }}.ilnmors.internal
+
+ExecStart=/usr/bin/kopia snapshot create \
+    /path/to/backup
+```
+
+### Check kopia snapshot
+
+```bash
+# snapshot id check
+kopia snapshot list [--all]
+# Snapshot ID check
+kopia ls -l [-r: for recursive] $SNAPSHOT_ID
+kopia show -l $SNAPSHOT_ID/file/path
+# or
+kopia show -l $FILE_ID
+```
+
+### Restore
+
+```bash
+mkdir -p /mnt/kopia
+kopia mount [$SNAPSHOT_ID|all] kopia &
+```