DNS servers
Intended audience: staff members
The Software Heritage DNS servers are (accessible only from the INRIA data center):
193.51.196.130
193.51.196.131
unbound configuration
If you want to use the Software Heritage internal DNS to resolve *.internal.softwareheritage.org, you might want to use unbound, a local caching DNS resolver capable of dispatching requests for different domain names to different upstream resolvers. This way you can use Software Heritage's resolver for hosts reachable via the VPN and your usual DNS server (possibly obtained via DHCP) for everything else, as usual.
$ sudo apt install unbound dnssec-trigger
$ cat /etc/unbound/unbound.conf.d/internal-softwareheritage.conf
forward-zone:
    name: "internal.softwareheritage.org."
    forward-addr: 192.168.100.29
forward-zone:
    name: "internal.staging.swh.network."
    forward-addr: 192.168.100.29
forward-zone:
    name: "100.168.192.in-addr.arpa."
    forward-addr: 192.168.100.29
forward-zone:
    name: "101.168.192.in-addr.arpa."
    forward-addr: 192.168.100.29
If you use network-manager, make sure that the line dns=unbound appears in the main section of its configuration file, e.g.
$ cat /etc/NetworkManager/NetworkManager.conf
[main]
plugins=ifupdown,keyfile
dns=unbound
[ifupdown]
managed=true
dnsmasq configuration (with network-manager)
If you use network-manager, using dnsmasq for the split VPN nameserver configuration is probably the easiest option. For this:
make sure you do not have the stock dnsmasq package installed, as it starts an instance that conflicts with the one spawned by network-manager;
configure network-manager as follows:
$ cat /etc/NetworkManager/NetworkManager.conf
[main]
plugins=ifupdown,keyfile
dns=dnsmasq
[ifupdown]
managed=true
You need to add:
$ cat /etc/NetworkManager/dnsmasq.d/swh.conf
server=/internal.softwareheritage.org/192.168.100.29@tun0
server=/100.168.192.in-addr.arpa/192.168.100.29@tun0
server=/101.168.192.in-addr.arpa/192.168.100.29@tun0
server=/200.168.192.in-addr.arpa/192.168.100.29@tun0
server=/201.168.192.in-addr.arpa/192.168.100.29@tun0
server=/202.168.192.in-addr.arpa/192.168.100.29@tun0
server=/203.168.192.in-addr.arpa/192.168.100.29@tun0
server=/204.168.192.in-addr.arpa/192.168.100.29@tun0
server=/205.168.192.in-addr.arpa/192.168.100.29@tun0
server=/206.168.192.in-addr.arpa/192.168.100.29@tun0
server=/207.168.192.in-addr.arpa/192.168.100.29@tun0
# staging area
server=/staging.swh.network/192.168.100.29@tun0
server=/128.168.192.in-addr.arpa/192.168.100.29@tun0
# admin area
server=/admin.swh.network/192.168.100.29@tun0
Note: this assumes your VPN connection uses the tun0 device; if not, adapt the @tun0 suffix accordingly.
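The forwarding rule the server= lines above (and the unbound forward-zones earlier) express is "most specific matching domain wins, anything else goes to the default resolver". The following added example (not part of the Software Heritage documentation) parses a constructed subset of such a dnsmasq fragment offline and answers, for a given forward or reverse name, which upstream and interface the query would be sent to, and flags redundant lines.

```python
import ipaddress
import re

# Constructed sample (added example, not the project's file): a subset of the
# swh.conf above with one deliberate duplicate line for the redundancy check.
SAMPLE_CONF = """\
server=/internal.softwareheritage.org/192.168.100.29@tun0
server=/100.168.192.in-addr.arpa/192.168.100.29@tun0
server=/101.168.192.in-addr.arpa/192.168.100.29@tun0
# staging area
server=/staging.swh.network/192.168.100.29@tun0
server=/128.168.192.in-addr.arpa/192.168.100.29@tun0
server=/128.168.192.in-addr.arpa/192.168.100.29@tun0
"""
LINE_RE = re.compile(r"^server=/([^/]+)/([^@\s]+)(?:@(\S+))?$")

def parse_servers(conf):
    """Return (domain, upstream_ip, iface) tuples; comments and blanks skipped."""
    zones = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised dnsmasq line: {line}")
        zones.append((m.group(1).lower().rstrip("."), m.group(2), m.group(3)))
    return zones

def upstream_for(name, zones):
    """Most specific matching server=/domain/ wins; None = default resolver."""
    name = name.lower().rstrip(".")
    best = None
    for domain, ip, iface in zones:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, ip, iface)
    return None if best is None else (best[1], best[2])

def reverse_name(ip):
    """PTR name, e.g. 192.168.101.62 -> 62.101.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def duplicate_lines(zones):
    """Zones listed more than once (harmless to dnsmasq, but worth pruning)."""
    seen, dups = set(), []
    for z in zones:
        if z in seen and z not in dups:
            dups.append(z)
        seen.add(z)
    return dups
```

Point the parser at your real /etc/NetworkManager/dnsmasq.d/swh.conf to confirm that a public name such as gitlab.softwareheritage.org still resolves through your default resolver while only the internal and in-addr.arpa zones are sent over the VPN interface.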
dnsmasq standalone
Only if you are using network-manager neither to handle the OpenVPN configuration nor for the dnsmasq configuration above.
$ apt install dnsmasq
$ cat /etc/dnsmasq.d/swh.conf
... # same content as prior paragraph
$ systemctl restart dnsmasq
/etc/hosts
If you would rather not use DNS at all, an (ad-hoc maintained) sample /etc/hosts is available:
192.168.100.18 banco banco.internal.softwareheritage.org backup.internal.softwareheritage.org
192.168.100.21 worker01 worker01.internal.softwareheritage.org
192.168.100.22 worker02 worker02.internal.softwareheritage.org
192.168.100.23 worker03 worker03.internal.softwareheritage.org
192.168.100.24 worker04 worker04.internal.softwareheritage.org
192.168.100.25 worker05 worker05.internal.softwareheritage.org
192.168.100.26 worker06 worker06.internal.softwareheritage.org
192.168.100.27 worker07 worker07.internal.softwareheritage.org
192.168.100.28 worker08 worker08.internal.softwareheritage.org
192.168.100.35 worker09 worker09.internal.softwareheritage.org
192.168.100.36 worker10 worker10.internal.softwareheritage.org
192.168.100.37 worker11 worker11.internal.softwareheritage.org
192.168.100.38 worker12 worker12.internal.softwareheritage.org
192.168.100.39 worker13 worker13.internal.softwareheritage.org
192.168.100.40 worker14 worker14.internal.softwareheritage.org
192.168.100.41 worker15 worker15.internal.softwareheritage.org
192.168.100.42 worker16 worker16.internal.softwareheritage.org
192.168.100.50 kibana kibana.internal.softwareheritage.org
192.168.100.29 pergamon pergamon.internal.softwareheritage.org debian.internal.softwareheritage.org icinga.internal.softwareheritage.org
192.168.100.30 tate tate.internal.softwareheritage.org
192.168.100.31 moma moma.internal.softwareheritage.org
192.168.100.32 beaubourg beaubourg.internal.softwareheritage.org
192.168.101.58 petit-palais petit-palais.internal.softwareheritage.org
192.168.101.62 grand-palais grand-palais.internal.softwareheritage.org
192.168.101.118 giverny giverny.internal.softwareheritage.org
192.168.100.101 uffizi uffizi.internal.softwareheritage.org
192.168.100.102 getty getty.internal.softwareheritage.org
192.168.100.103 somerset somerset.internal.softwareheritage.org
192.168.100.104 saatchi saatchi.internal.softwareheritage.org
192.168.100.210 belvedere belvedere.internal.softwareheritage.org
192.168.100.4 louvre louvre.internal.softwareheritage.org
SSH configuration
The only host with public (internet) SSH access, gitlab.softwareheritage.org, does not need any specific configuration.
All other hosts (*.internal.softwareheritage.org, *.internal.staging.swh.network, *.internal.admin.swh.network) are only (but directly) accessible through the VPN.
Note: the default ssh port on tate.internal.softwareheritage.org is used for the sandboxed access to phabricator. Access to the system goes through port 2222. In .ssh/config:
Host tate.internal.softwareheritage.org
    Port 2222
    User LOGIN