Difference between revisions of "Project infrastructure"

From VCMI Project Wiki
(Added launchpad)

Revision as of 17:36, 12 June 2017

This page holds important information about the project infrastructure for current and future contributors. At the moment it is all maintained by me (SXX), but the following information will be useful if someone replaces me in the future.

Droplet configuration

Droplet and hosted services

Currently we use two droplets:

  • The first one serves all of our web services:
    • Forum: https://forum.vcmi.eu/
    • Bug tracker: https://bugs.vcmi.eu/
    • Wiki: https://wiki.vcmi.eu/
    • Slack invite page: https://slack.vcmi.eu/
  • The second serves downloads:
    • Legacy download page: http://download.vcmi.eu/

To keep everything secure we should always keep binary downloads separate from any web services, so that a compromise of a web service cannot be used to tamper with the binaries we distribute.

Rules to stick to

  • SSH authentication by public key only.
  • Incoming connections to all ports except SSH (22) must be blocked.
  • Exception: HTTP(S) connections on ports 80 / 443 from the CloudFlare IP ranges (https://www.cloudflare.com/ips/).
  • No one except core developers should ever know the real server IPs.
  • The droplet hostname should never be a valid host; otherwise it is exposed through reverse DNS.
  • If some non-web service needs to listen for external connections, read below.
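The ingress rules above, modelled as a policy check run over constructed sample firewall records: SSH from anywhere, 80/443 only from CDN ranges, everything else denied. This is an added example, not the project's own tooling; the Cloudflare ranges in it are documentation-block placeholders and the record format is invented for the example.

```python
import ipaddress

SSH_PORT = 22
CDN_PORTS = {80, 443}

# Constructed placeholders (RFC 5737 / RFC 3849 documentation blocks) standing in
# for the CDN list; real deployments must load https://www.cloudflare.com/ips/.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]

def from_cloudflare(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CLOUDFLARE_RANGES)

def decide(src, dport):
    """Return 'ALLOW' or 'DENY' for an inbound TCP connection under the
    droplet policy: SSH from anywhere, 80/443 only via the CDN, else deny."""
    if dport == SSH_PORT:
        return "ALLOW"   # key-only authentication is enforced by sshd, not here
    if dport in CDN_PORTS and from_cloudflare(src):
        return "ALLOW"
    return "DENY"        # includes direct hits on 80/443 that bypass the CDN

def audit(records):
    """records: lines 'src=<ip> dport=<n> action=<ACCEPT|DROP>' (constructed
    format). Returns (line, expected) pairs where the logged action disagrees
    with the policy: an accepted direct-origin hit, or dropped CDN traffic."""
    verdict = {"ACCEPT": "ALLOW", "DROP": "DENY"}
    findings = []
    for line in records:
        f = dict(kv.split("=", 1) for kv in line.split())
        expected = decide(f["src"], int(f["dport"]))
        if verdict[f["action"]] != expected:
            findings.append((line, expected))
    return findings

# Constructed sample firewall log for the audit.
SAMPLE_LOG = [
    "src=198.51.100.7 dport=443 action=ACCEPT",   # CDN -> origin, fine
    "src=203.0.113.9 dport=443 action=ACCEPT",    # direct hit accepted: drift
    "src=203.0.113.9 dport=22 action=ACCEPT",     # SSH is permitted
    "src=203.0.113.9 dport=3306 action=DROP",     # blocked as required
    "src=2001:db8:cf::1 dport=80 action=DROP",    # CDN traffic dropped: misconfig
]

if __name__ == "__main__":
    for line, expected in audit(SAMPLE_LOG):
        print(f"policy violation: {line} (expected {expected})")
```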

Our publicly-facing server

We only expose a floating IP that can be detached from the droplet in case of emergency using the DO control panel (https://cloud.digitalocean.com/networking/floating_ips). This also allows us to easily move public services to a dedicated droplet in the future.

  • Address: beholder.vcmi.eu (67.207.75.182)
  • Port 22 serves SFTP for file uploads as well as CI artifact uploads.

If new services are added, the firewall rules can be adjusted in the DO control panel (https://cloud.digitalocean.com/networking/firewalls).

Services and accounts

So far we use the following services:

Most important

  • VCMI.eu domain paid until July 2019.
    • Owner: Tow
    • Our main domain, used by services.
  • VCMI.download paid until November 2026.
    • Owner: SXX
    • Intended to be used for all asset downloads.
    • Domain registered on GANDI and can be renewed by anyone without access to the account.
  • DigitalOcean team.
    • Our hosting sponsor.
    • Administrator access: SXX, Warmonger.
    • User access: AVS, Tow.
  • CloudFlare account.
    • Access through a shared login / password.
    • All of our infrastructure is behind CloudFlare, and we manage our DNS there.
  • Google Apps (G Suite) account.
    • Only for the vcmi.eu domain and limited to 5 users.
    • One administrative email is used for registering other services.
    • A second "noreply" email is used for outgoing mail. It has a limit of 500 emails / day.
    • Administrator access: Tow, SXX. One more slot is available.
  • Google Play Console account.
    • Holds ownership of the VCMI Android app.
    • Owner: SXX
    • Administrator access: Warmonger, AVS.
    • Release manager access: Fay.

Not all services let us safely share login credentials, but whenever possible at least two core developers must have access to them in case of emergency.

Public relations

We want to notify players about updates on as many social services as possible.

  • Facebook page: https://www.facebook.com/VCMIOfficial

Other media:

Communication channels

  • Slack team: https://h3vcmi.slack.com/
    • Owner: vmarkovtsev
    • Administrator access: SXX, Warmonger, AVS...
  • Trello team: https://trello.com/vcmi/
    • Administrator access: SXX
  • Unofficial Discord:
    • Owner: dydzio
    • Administrator access: SXX
  • Unofficial IRC channel: irc.freenode.net #vcmi

Other services

  • Launchpad PPA: https://launchpad.net/~vcmi
    • Member access: SXX

Reserve accounts for other code hosting services:

  • BitBucket organization: https://bitbucket.org/vcmi/
    • Administrator access: SXX

What's to improve

  1. Encourage Tow to transfer VCMI.eu to GANDI so that it can also be renewed without account access.
  2. Use 2FA on CloudFlare and ask everyone to get FreeOTP and then use the shared secret.
  3. A centralized way to post news about game updates to all social media.