A/I Orange Book (1.0)

An how-to for the realization of a resilient network of self-managed servers

This document describes in detail the configuration and management of a network composed of geographically distributed servers, considering the requisites of the servers and their objectives. The mechanism described in this page uses CFengine and other free software tools to increase the automation involved in the process.

To check out for other version of this document, read Appendice C, Sezione 1

This document was originally written for internal use within the Autistici/Inventati collective, but it is here released to the public in the hope it may be useful and interesting to somebody. It was written by ale@incal.net, phasa@autistici.org, void@ecn.org, cybergio@autistici.org, and all the other people from the Autistici/Inventati collective.

We encourage you to use and distribute this paper freely, in its complete form or parts of it, provided you do it including this note and the copyright statement above.


"Sharing knowledges, without founding powers."

--Primo Moroni 

Table of Contents
1. Introduction
1.1. First Thoughts
1.2. Guidelines
2. Network
2.1. Network Structure
2.1.1. VPN
2.2. DNS Organization
2.2.1. Infrastructural Domain
2.2.2. Other Domains
3. Filesystem
3.1. Disks Organization
3.1.1. Encrypted Partitions
3.2. Filesystem Synchronization
4. The users database
4.1. Introduction
4.2. Database structure
4.2.1. Database Content
4.2.2. Virtual Users
4.2.3. Authentication
4.3. The LDAP scheme
4.4. LDIF
4.5. LDAP Database Replication
4.6. Slapd Configuration
4.6.1. Fine Tuning
4.6.2. ACL
5. Mail Services
5.1. Postfix Configuration
5.1.1. LDAP Maps
5.1.2. Antispam/Antivirus
5.2. POP / IMAP
5.3. Webmail
5.4. Mailman Configuration
6. Configuration
6.1. Overview
6.1.1. Database-independent configuration
6.1.2. Database dependent configurations
6.2. CFengine
6.2.1. CFengine configuration structure
6.2.2. An example on how to configure a service
6.2.3. Current CFengine configuration
6.2.4. Automatic updates
6.2.5. Security
6.3. Script
7. Certification Authority
7.1. Initial Configuration
7.2. CA creation
7.3. Certificates
7.4. Revoking and CRL
8. The Web Services
8.1. Apache
8.1.1. Web service structure
8.1.2. Configuration
8.1.3. Distributed Applications
8.2. MySQL
8.2.1. Replication
9. Log anonymization
9.1. Apache
9.2. syslog-ng
9.3. Postfix
A. Installation of a new server
A.1. Debian packages installation
A.2. RSA key initial distribution
A.3. First configuration
B. Scalability
C. Where to find other versions of this document