1.0.0 Release IaaS

2026-03-15 04:41:02 +09:00
commit a7365da431
292 changed files with 36059 additions and 0 deletions
@@ -0,0 +1,154 @@
+# Server and client environments
+
+## Console
+
+- OS: WSL2 \(Debian 13\)
+- Processor: 4vCPU
+- Memory: 4GiB
+- Disk:
+    - 32GiB for `/` \(VHD file\)
+- Services:
+    - [x] Terminal
+    - [x] Step-CLI
+    - [x] Ansible
+    - Git
+    - Kopia
+    - [x] cloud-image-utils
+
+## vmm \(Hypervisor\)
+
+- OS: Debian13
+- Processor: pCPU \(N150\)
+- Memory: 3GiB \(margin\)
+    - KSM allows more than 3GiB for vmm
+- MAC:
+    - c8:ff:bf:05:aa:b0
+    - c8:ff:bf:05:aa:b1
+- Disk:
+    - SSD:
+        - 64GiB for `/` \(ext4 in LVM\)
+        - 700GiB for `/var/lib/libvirt` \(ext4 in LVM\)
+- Services:
+    - [x] QEMU/KVM
+    - [x] libvirtd
+    - [x] ksmtuned
+
+## fw \(Firewall\)
+
+- OS: Debian13
+- Processor: 2vCPU
+    - cputune.shares 2048
+- Memory: 4GiB
+- MAC:
+    - 0a:49:6e:4d:00:00
+    - 0a:49:6e:4d:00:01
+- Disk:
+    - SSD: 64GiB for `/` \(ext4 in qcow2 file\)
+- Services:
+    - native packages:
+        - [x] nftables \(firewall based on ZONE\)
+        - [x] Suricata \(IDS\)
+        - [x] CrowdSec LAPI \(IPS\)
+        - [x] Kea DHCP
+        - [x] Wireguard-tool
+        - [x] BIND9 \(Local authoritative DNS\)
+        - [x] Blocky \(Resolver DNS\)
+    - Scripts:
+        - [x] ddns.sh
+
+## infra \(Infrastructure\)
+
+- OS: Debian13
+- Processor: 2vCPU
+    - cputune.shares 1024
+- Memory: 6GiB
+- MAC: 0a:49:6e:4d:01:00
+- Disk:
+    - SSD: 256GiB for `/` \(ext4 in qcow2 file\)
+- Services:
+    - Rootless containers:
+        - [x] PostgreSQL
+        - [x] lldap
+        - [x] Step-CA
+        - [x] Caddy \(with nsupdate\)
+        - [x] Prometheus \(alloy - push\)
+        - [x] Loki \(alloy\)
+        - [x] Grafana 
+        <!-- 
+        Mail service is not needed, especially Diun is not needed.
+        - Postfix
+        - Dovecot
+        - mbsync
+        - Diun
+        -->
+    - Study \(Rootless container\):
+        - Kali
+        - Debian 
+
+
+## auth \(Authorization\)
+
+- OS: Debian13
+- Processor: 2vCPU
+    - cputune.shares 512
+- Memory: 2GiB
+- MAC: 0a:49:6e:4d:02:00
+- Disk:
+    - SSD: 64GiB for `/` \(ext4 in qcow2 file\)
+- Services:
+    - Rootless containers:
+        - [x] Caddy \(with nsupdate, crowdsec-http, crowdsec-bouncer module\)
+        - [x] authelia
+
+## app \(Application\)
+
+- OS: Debian13
+- Processor: 4vCPU
+    - cputune.shares 1024
+- Memory: 16GiB
+- MAC: 0a:49:6e:4d:03:00
+- Disk:
+    - SSD: 256GiB for `/` \(ext4 in qcow2 file\)
+    - HDD: 4TB for `/home/app/data` \(btrfs\)
+- VFIO \(Hardware passthrough):
+    - Graphic: N150 iGPU
+    - Disk: SATA Controller
+- Services:
+    - OIDC native services:
+        - OpenCloud \(with Radicale, Collabora Web Office\)
+        - Vikunja \(with CalDAV\)
+        - Gitea
+        - Outline
+        - Wiki.js
+        - WriteFreely
+        - Immich
+        - MediaCMS
+        - Funkwhale
+        - Kavita
+        - Audiobookshelf
+        - we-promise/sure - budget
+        - Paperless-ngx
+        - Miniflux
+        - Linkwarden
+        - Ralph
+        - Conduit
+        - SnappyMail
+        - Vaultwarden
+        <!--
+        - n8n
+        -->
+    - Forward_auth
+        - Homepage
+
+## External Backup server
+
+- OS: DSM \(Synology\)
+- Processor: pCPU \(Realtek RTD1619B\)
+- Memory: 1GiB
+- MAC: 90:09:d0:65:a9:db
+- Disk:
+     - HDD: 4TB
+- Services:
+    - SFTP
+    - Kopia repository server
+    - CloudSync \(Upload backup files to Cloud\)
@@ -0,0 +1,67 @@
+# Hardware specifications
+
+## Servers
+
+### Main server
+
+- Aoostar WTR Pro N150
+    - Processor: Intel N150 \(4C4T\)
+    - Graphic: Intel UHD Graphics
+    - 2.5 Gbps NIC x 2
+    - M.2 Slot x 2 \(SSD, WiFi\)
+    - SATA bay x 4
+    - 279,900 KRW
+- Samsung DDR4 SO-DIMM 3200 32G x 1
+    - 106,900 KRW
+- Samsung 980 Pro 1TB TLC x 1
+    - 276,000 KRW \(Previously owned\)
+- 3RAYS glaicer 6 m.2 SSD heatsink x 1
+    - 7,330 KRW
+- HGST Ultrastar 7K4000 2TB HDD x 3
+    - 99,000 KRW
+- HGST Ultrastar 7K2 2TB HDD x 1
+    - 43,000 KRW
+- Total price: 698,030 KRW \(1,460,030 KRW with previously owned ones\)
+
+### Backup server
+- Synology DS124
+    - Processor: Realtek RTD1619B \(4C4T\)
+    - Memory: DDR4 1GB
+    - 1 Gbps NIC x 1
+    - SATA bay x 1
+    - 242,000 KRW
+- TOSHIBA DT02 4TB x 1
+    - 55,000 KRW
+- Total price: 297,000 KRW
+
+### Console \(Laptop\)
+- Microsoft surface laptop 7th ZGJ-00021
+    - Processor: Snapdragon X Plus \(ARM64, 10C10T\)
+    - Memory: LPDDR5x 16GB
+    - SSD: 256GB SSD
+    - OS: Windows11 Home
+    - 1,290,210 KRW
+- Microsoft surface USB-C travel hub x 1
+    - 157,890 KRW
+- Total price: 1,448,100 KRW
+
+### External HDD
+- EFM 3.5 External HDD case ipTIME HDD3135 Plus x 1
+    - 29,400 KRW
+- Seagate BARRACUDA HDD 2TB x 1
+    - 99,000 KRW \(Previously owned\)
+- Total price: 128,400 KRW
+
+## Devices
+
+### Switch
+- TP-link TL-SG108E x 1
+    - 1 Gbps NIC x 8
+    - IEEE 802.2q
+    - 39,900 KRW
+- Total Price: 39,900 KRW
+
+### Monitor
+- Samsung S6 LS27F610 x 1
+    - 277,000 KRW
+- Total price: 277,000 KRW
@@ -0,0 +1,117 @@
+# Matrix
+
+## UID/GID Matrix
+
+### Table
+
+|name|uid|gid|comments|
+|:-:|:-:|:-:|:-:|
+|svadmins|-|2000|server group|
+|vmm|2000|2000|hypervisor|
+|fw|2001|2000|firewall|
+|infra|2002|2000|infrastructure|
+|auth|2003|2000|authentication and authorization|
+|app|2004|2000|services|
+|console|2999|2000|console node\(surface\)|
+
+### subuid and subgid
+
+- user:100000:65536
+
+## Switch ports matrix
+
+### 8 Ports main switch
+
+|port number|node|subnet|id|
+|:-:|:-:|:-:|:-:|
+|1|WTR Pro N150|Trunk|-|
+|2|AP\(Preparation\)|USER|20|
+|3|DS124\(NAS\)|CLIENT|1|
+|4|Console|CLIENT|1|
+|5|Printer|CLIENT|1|
+|6|-|-|-|
+|7|-|-|-|
+|8|-|-|-|
+
+## IP matrix
+
+### Subnet
+
+|name|IPv4|IPv6|id|
+|:-:|:-:|:-:|:-:|
+|CLIENT|192.168.1.0/24|fd00:1::/64\(ULA\)|1|
+|SERVER|192.168.10.0/24|fd00:10::/64\(ULA\)|10|
+|USER|192.168.20.0/24|GUA from ISP|20|
+|WG0|192.168.99.0/24|fd00:99::/64\(ULA\)|-|
+
+### Host
+
+####  console:
+- CLIENT
+    - 192.168.1.20
+    - fd00:1::20
+- WG0
+    - 192.168.99.20
+    - fd00:99::20
+
+#### fw
+- CLIENT
+    - 192.168.1.1
+    - fd00:1::1
+- SERVER
+    - 192.168.10.1
+    - fd00:10::1
+- USER
+    - 192.168.20.1
+    - GUA SLAAC
+- WG0
+    - 192.168.99.1
+    - fd00:99::1
+
+#### blocky \(fw\)
+- SERVER
+    - 192.168.10.2
+    - fd00:10::2
+
+#### bind \(fw\)
+- SERVER
+    - 192.168.10.3
+    - fd00:10::3
+
+#### vmm
+- CLIENT
+    - 192.168.1.10
+    - fd00:1::10
+- SERVER
+    - 192.168.10.10
+    - fd00:10::10
+
+#### infra
+- SERVER
+    - 192.168.10.11
+    - fd00:10::11
+
+#### auth
+- SERVER
+    - 192.168.10.12
+    - fd00:10::12
+
+#### app
+- SERVER
+    - 192.168.10.13
+    - fd00:10::13
+
+#### VLAN switch
+- CLIENT
+    - 192.168.1.2
+    - fd00:1::2
+
+#### ds124
+- CLIENT
+    - 192.168.1.11
+    - fd00:1::11
+
+#### Printer
+- CLIENT
+    - 192.168.1.101
+    - fd00:1::101