# Design Concepts
This chapter describes the design concepts of Blunix Stack and how it aims to provide a stable, predictably priced, easy to manage and fully automated managed hosting environment.
## Accounts
The cloud provider account is provided by the customer of Blunix GmbH. We do not provide any servers, cloud instances or appliances. We only manage Debian Linux installations.
You own your infrastructure; we maintain it and hand you the configuration management code that does so.
## Network
### Hostnames and groups
The naming of servers and server groups is as follows:
Component | Description | Example | Naming scheme abbreviation |
---|---|---|---|
Company | Name of the company | Customer GmbH | cus |
Server group | Logical name for a group of servers | Utilities | util |
Stage | Point in the development process the group is allocated for | Production | prod |
Usecase | Role the server fulfils within the group | Central log server | log |
Redundancy number | Number of servers that exist with this configuration | 2 | 2 |
Naming scheme examples:
Description | Server hostname |
---|---|
Customer GmbH's utility stack production central log server one | cus-util-prod-log-1 |
Customer GmbH's "myapp" project staging web server one | cus-myapp-stag-web-1 |
Example GmbH's (a customer of Customer GmbH) "wiki" project production web server two | exa-wiki-prod-web-2 |
Customer GmbH's "myapp" project production load balancer, redundant instance one (active) | cus-myapp-prod-lb-1 |
Customer GmbH's "myapp" project production load balancer, redundant instance two (failover) | cus-myapp-prod-lb-2 |
The same scheme, with underscores and without usecase and redundancy number, names groups of servers:
Description | Group name |
---|---|
Customer GmbH's utility stack production | cus_util_prod |
Customer GmbH's "myapp" project production | cus_myapp_prod |
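A naming scheme like this is only useful if tooling enforces it. The following is an added Python example, not code from Blunix Stack: it parses a hostname into the five components of the table above, rejects anything that does not follow the scheme, and derives the group name the way the second table does. The set of allowed stage abbreviations is an assumption for this example (the page only shows `prod` and `stag`), as are the function and class names.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Stage abbreviations seen in the naming-scheme examples on this page; a real
# deployment would extend this set with the stages the customer actually uses.
KNOWN_STAGES = {"prod", "stag"}

# <company>-<server group>-<stage>-<usecase>-<redundancy number>
HOSTNAME_RE = re.compile(
    r"^(?P<company>[a-z]+)-(?P<group>[a-z0-9]+)-(?P<stage>[a-z]+)"
    r"-(?P<usecase>[a-z]+)-(?P<number>[1-9][0-9]*)$"
)


@dataclass(frozen=True)
class ServerName:
    company: str
    group: str
    stage: str
    usecase: str
    number: int

    @property
    def hostname(self) -> str:
        return f"{self.company}-{self.group}-{self.stage}-{self.usecase}-{self.number}"

    @property
    def group_name(self) -> str:
        # Group names use underscores and omit usecase and redundancy number.
        return f"{self.company}_{self.group}_{self.stage}"


def parse_hostname(hostname: str) -> ServerName:
    """Split a hostname into its components, rejecting anything off-scheme."""
    m = HOSTNAME_RE.fullmatch(hostname)
    if m is None:
        raise ValueError(f"hostname does not follow the naming scheme: {hostname!r}")
    if m["stage"] not in KNOWN_STAGES:
        raise ValueError(f"unknown stage {m['stage']!r} in {hostname!r}")
    return ServerName(m["company"], m["group"], m["stage"], m["usecase"], int(m["number"]))


def group_hosts(hostnames) -> dict:
    """Map group name -> sorted hostnames, the shape an inventory needs."""
    groups = defaultdict(list)
    for name in hostnames:
        groups[parse_hostname(name).group_name].append(name)
    return {g: sorted(hosts) for g, hosts in sorted(groups.items())}


# Constructed sample input: the five hostnames from the examples above.
SAMPLE_HOSTS = [
    "cus-util-prod-log-1",
    "cus-myapp-stag-web-1",
    "exa-wiki-prod-web-2",
    "cus-myapp-prod-lb-1",
    "cus-myapp-prod-lb-2",
]

if __name__ == "__main__":
    for group, hosts in group_hosts(SAMPLE_HOSTS).items():
        print(f"{group}: {', '.join(hosts)}")
```

Because the parser is strict, a typo such as `cus_util_prod_log_1` or a stage that was never agreed on fails early, before a host ends up in the wrong group and receives the wrong firewall or service configuration.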
### DNS
Domains are split into three categories:
- Public domain (example: your-company.com)
- Private internal domain (example: cus.int): only reachable over the company VPN (monitoring.cus.int, jenkins.cus.int)
- Public internal domain (example: cus.pub): reachable over the regular internet (example: public-staging.cus.pub)
All domains have to be hosted with a DNS provider that offers a certbot DNS challenge plugin, so that Let's Encrypt certificates can be generated.
All Debian installations run dnscrypt-proxy, which resolves all internal domains.
### Firewall
Each Debian installation runs a firewall (shorewall) that has a whitelist for incoming and outgoing connections on all network interfaces.
The firewall solution provided by the cloud provider is not used.
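What "a whitelist for incoming and outgoing connections" looks like in shorewall terms: both the `net -> $FW` and the `$FW -> net` policy are DROP, and every open port is an explicit ACCEPT line in the rules file. The following is an added Python example, not Blunix's configuration management code: it renders the two shorewall files from a per-host allow-list and lints a rules file for ACCEPT lines that are not pinned to a protocol and a single port. The two-zone layout (`net` and `$FW`), the class names and the sample port list for a log server are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Assumed zones for this example: "net" (everything outside the host) and the
# firewall host itself, which shorewall refers to as $FW. Column order follows
# shorewall's policy file (SOURCE DEST POLICY LOGLEVEL) and rules file
# (ACTION SOURCE DEST PROTO DPORT).


@dataclass(frozen=True)
class Allow:
    proto: str  # "tcp" or "udp"
    port: int
    comment: str = ""

    def __post_init__(self):
        if self.proto not in ("tcp", "udp") or not 1 <= self.port <= 65535:
            raise ValueError(f"allow entry must name tcp/udp and a single port: {self!r}")


@dataclass
class HostFirewall:
    inbound: list = field(default_factory=list)   # net -> $FW
    outbound: list = field(default_factory=list)  # $FW -> net


def render_policy() -> str:
    """Default-deny in both directions; only the rules file opens traffic."""
    return "\n".join([
        "#SOURCE DEST POLICY LOGLEVEL",
        "$FW net DROP info",
        "net $FW DROP info",
        "all all REJECT info",
    ]) + "\n"


def render_rules(fw: HostFirewall) -> str:
    """One explicit ACCEPT per allowed port; comments go on their own line."""
    lines = ["#ACTION SOURCE DEST PROTO DPORT"]
    for src, dst, allows in (("net", "$FW", fw.inbound), ("$FW", "net", fw.outbound)):
        for a in allows:
            if a.comment:
                lines.append(f"# {a.comment}")
            lines.append(f"ACCEPT {src} {dst} {a.proto} {a.port}")
    return "\n".join(lines) + "\n"


def lint_rules(text: str) -> list:
    """Flag ACCEPT rules that are not pinned to tcp/udp and a numeric port."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if cols[0] != "ACCEPT":
            continue
        if len(cols) < 5 or cols[3] not in ("tcp", "udp") or not cols[4].isdigit():
            problems.append(f"line {lineno}: ACCEPT without explicit protocol/port: {line}")
    return problems


# Constructed sample: a central log server in the WireGuard mesh that accepts
# SSH and TLS syslog and may only leave the host for updates, DNS and the mesh.
LOG_SERVER = HostFirewall(
    inbound=[
        Allow("tcp", 22, "ssh for administration"),
        Allow("tcp", 6514, "syslog over TLS from the other hosts"),
        Allow("udp", 51820, "WireGuard mesh peers"),
    ],
    outbound=[
        Allow("tcp", 443, "apt mirrors over https and dnscrypt-proxy upstreams"),
        Allow("udp", 51820, "WireGuard mesh peers"),
    ],
)

if __name__ == "__main__":
    print(render_policy())
    print(render_rules(LOG_SERVER))
    print("lint:", lint_rules(render_rules(LOG_SERVER)) or "ok")
```

Running the linter in CI over hand-edited rules files catches the classic regression where someone opens `all` instead of a port to make something work, which would silently turn the whitelist into an allow-all for that direction.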
### Internal Subnets
Each Debian installation is part of an end-to-end encrypted mesh VPN using WireGuard.
The internal network or subnet solution provided by the cloud provider is not used.
### Employee VPN
The employee VPN, realized with WireGuard, allows for fine-grained access control to the infrastructure's services. When connected to the VPN, employees can resolve internal domains (example: cus.int, such as backup.cus.int).
## SSL certificates
Blunix encourages the use of Let's Encrypt certificates for all your https:// needs.
The domains have to be hosted with a DNS provider that supports DNS challenges and for which a `certbot-dns-dns_provider_name` pip package exists (example: certbot-dns-hetzner).