-
-
Notifications
You must be signed in to change notification settings - Fork 102
Colocation
Provided by Nine, hosted at Colozüri.
Overview:
- 20u usable (9u free)
- One 1 Gbps link with HA (automatic failover if port goes down)
- Redundant power bars
- 1 kW power budget
People that are elegible to open support requests and request remote hands:
Network, management:
- Deciso DEC4630 with OPNSense (purchased from Deciso 2020-11-06)
- Deciso DEC4630 with OPNSense (purchased from Deciso 2020-11-06)
- Netgear M4300-48X (purchased from Brack on 2020-10-13)
- Raritan Dominion KX III-108 (purchased from Brack on 2020-10-16)
Servers:
- Twin Mac Minis:
- Mac Mini (2020) with 3.2 GHz 6 Core Intel i7, 64 GB RAM, 2 TB SSD, 10 GBase-T Ethernet with Apple Care+ (purchased from Apple on 2020-10-16)
- mounted in Sonnet RackMac mini 2018 (purchased from Brack on 2020-10-16)
- connected to KVM switch via HDMI, dual USB
- ER12A BitScope Edge Rack incl. 12 Raspberry Pis 4B, 8GB, 120 GB SSD (purchased from BitScope on 2020-10-16)
- ER12A BitScope Edge Rack incl. 12 Raspberry Pis 4B, 8GB, 120 GB SSD (purchased from BitScope on 2020-10-16)
The firewalls are accessible via our bastion host (use it as a SOCKS proxy) or internally via VPN.
The uplink is configured with active/passive high-availability over two perimeter networks (1 and 2, see below). 1 is the active, 2 the passive link. If one link goes down, traffic flows over the other link.
5.148.175.184/30
Uplink IP: 5.148.175.185
Our (gateway/firewall) IP: 5.148.175.186
2a02:418:39aa:2::/64
Uplink IP: 2a02:418:39aa:2::1
Our (gateway/firewall) IP: 2a02:418:39aa:2::2
5.148.175.188/30
Uplink IP: 5.148.175.189
Our (gateway/firewall) IP: 5.148.175.190
2a02:418:39aa:7::1/64
Uplink IP: 2a02:418:39aa:2::1
Our (gateway/firewall) IP: 2a02:418:39aa:7::2
5.148.170.144/28
2a02:418:3001::/48
10.0.10.0/24 (VLAN 10)
x.1 CARP
x.2 Firewall 01
x.3 Firewall 02
x.4 Switch
x.5 KVM switch 01
VPN is required to manage or access servers and other equipments. We use OpenVPN (SSL/TLS + User Auth with TOTP enabled) and have 3 different networks.
Provides full access to all equipment except TCK infrastructure. For TCK infrastructure, only access to lights-out management is provided. Limited to AdoptOpenJDK infrastructure team.
Provides access to build and test networks (for debugging builds, tests, ...).
Provides access to TCK infrastructure. Limited to EMO staff and people that have signed a three-way OCTLA with Eclipse and Oracle.
VPN:
- OpenVPN was chosen because it's the most flexible and recommended option for OPNSense (Jan 2021).
- We have one OpenVPN instance per user group because (again) it's the most flexible option we found during the setup (Jan 2021). The approach outlined in the official How To Guide works with client-specific rules. Those rules are specific for a single client, require a separate network per user, and therefore do not scale with a larger number of users.