# Infrastructure Systems
List of systems and their primary role:


__Core Infrastructure:__
* [boot.psi.ch](boot_server)  - TFTP server for PXE booting

* [sysdb.psi.ch](sysdb_server) - Runs sysdb, providing the dynamic iPXE, Grub and kickstart files

* [puppet01](puppet01) - puppet.psi.ch - 129.129.160.118 - Runs the puppet server for the RHEL7 infra

* [repos.psi.ch](repo_server) - RPM/Yum repository server for RHEL7/8/...

* [lxweb00](lxweb00) - http://linux.web.psi.ch - 129.129.190.46 - Exports further repositories from AFS



__Additional Infrastructure__

Monitoring:
* [lxsup00](lxsup00) - 129.129.190.24 - Shell for linux support, primarily to run bob

* [influx00](influx00) - 129.129.190.225 - Influx database server

* [metrics00](metrics00) - 129.129.190.226 - Grafana frontend for Influx


__Enduser Systems__
* [login](login) - 129.129.190.131 129.129.190.132 129.129.190.133 -  Shell login service for users






![](overview_linux.drawio.svg)



## Metrics
* [Overview Infrastructure](https://metrics.psi.ch/d/1SL13Nxmz/gfa-linux-tabular?orgId=1&from=now-6h&to=now&refresh=30s&var-env=telegraf_lx&var-host=influx00.psi.ch&var-host=lx-boot-01.psi.ch&var-host=lx-puppet-01.psi.ch&var-host=lx-repos-01.psi.ch&var-host=lx-sysdb-01.psi.ch&var-host=lxweb00.psi.ch&var-host=metrics00.psi.ch&var-host=puppet01.psi.ch)

## Procedures

* [Adding a new RHEL version to the RHEL7 install mechanism](newver)
* [How to grant access to RHEL7 infrastructure](https://git.psi.ch/linux-infra/user-ca/blob/master/README.md#automated-with-ansible-for-pli-infrastructure-systems-of-rhel-7)
* [Grant new person right for bob/sysdb](newbob)
* [How to reinstall a machine](howtoreinstall)

## Tools

* [SSH config](sshconf)

## HTTPS Certificates
* [HTTPS Certificates](https://linux.psi.ch/admin-guide/operations/certificates.html)


## SSH Certificates / Signing Public User Keys

Generate a ssh key e.g. as follows:
```bash
ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/linux_id_ed25519
```

Use the [user ca certificate](https://git.psi.ch/linux-infra/core-linux-secrets/-/blob/main/ssh-ca/user-ca.gpg), but this is automated by pasting below function into your shell
```bash
function sign-user-ssh-key {
    (
        name="$1"
        pubkey="$2"

        # let the private key flow through a named pipe
        # so it never ends up on the file system

        umask 077
        pipe_base="$(mktemp)" # MacOS does not know about --dry-run
        pipe="${pipe_base}.pipe"
        echo "mkfifo '$pipe'"
        mkfifo "$pipe" || return 1
        [ -p "$pipe" ] || return 1
        echo "pass ssh-ca/user-ca > '$pipe' &"
        pass ssh-ca/user-ca > "$pipe" &
        echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'"
        ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey"
        echo "rm '$pipe' '$pipe_base'"
        rm "$pipe" "$pipe_base"
    )
}
```
and run it with the user name as principal and the public key file
```
sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE
```

More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/


## Unix Groups

Currently we have following AD groups to grant access to certain services/systems:

| Group | Notes |
| ---- | ---- |
| unx-lx_eng | Member of linux engineering - used to give access to management NFS filesystem, sysdb, ... |
| unx-lx_support | used to give Linux supporters access to systems/services |
| unx-puppet_adm -| associated with lxdev environment/systems |
| unx-puppet_dev | developer of puppet code |
| unx-puppet_usr | user of puppet (i.e. need access to linux-infra group/repos) |
| unx-lx_users | all personal linux accounts at PSI (directly updated from SAP) |
| unx-lx_grafana_adm | Grafana Administrators |
| unx-lx_grafana_edi | Group with Grafana editor rights |

These two groups are used within Service now to assign tickets:
| Group |
| ---- |
| itsm-linux  |
| itsm-linux_2nd |

Access VM infrastructure for linux core employees:
| Group | Notes |
| ---- | ---- |
| VC_Admins_Linux  | Access to the PSI VM Infrastructure |

## AD Users
| Group | Notes |
| ---- | ---- |
| lx-netops-api  | (keytab) Used to access the netops api |
| lx_ad_join  | (keytab) Used to join a machine to AD |
| linux_ldap ???? | was registered by Derek (he is noted as responsible in AD) - used for ???? |