Proposal for network page

Related to T3154

Proposal for network page
449f7ad4 · Vincent Sellier · 5dd615c5 · 449f7ad4 · 449f7ad4 · 449f7ad4
Verified Commit 449f7ad4 authored 3 years ago by Vincent Sellier
--- a/sysadm/images/.gitignore
+++ b/sysadm/images/.gitignore
 staging-environment.svg
-
+network.svg
--- a/sysadm/images/network.uml
+++ b/sysadm/images/network.uml
+@startuml
+
+nwdiag {
+    inet [ shape = cloud ];
+    inet -- inria_gw;
+
+    network VLAN1300 {
+        address = "128.93.166.0/26"
+        workers;
+        kafka;
+        inria_gw;
+        forge;
+        pergamon;
+        moma;
+
+        group {
+            pushkin [shape = boundary];
+            glyptotek [shape = boundary];
+        }
+
+    }
+    network VLAN440 {
+        address = "192.168.100.0/24"
+        workers;
+        pushkin;
+        glyptotek;
+        forge;
+        kafka;
+        pergamon;
+        moma;
+        production_nodes [description = "Production nodes"];
+    }
+
+    network VLAN443 {
+        address = "192.168.130.0/24"
+        pushkin;
+        glyptotek;
+        staging_nodes [description = "Staging nodes"];
+    }
+
+    network VLAN442 {
+        address = "192.168.50.0/24"
+        pushkin;
+        glyptotek;
+        admin_nodes [description = "Admin nodes"];
+    }
+}
+@enduml
--- a/sysadm/network-architecture/reference-network-configuration.rst
+++ b/sysadm/network-architecture/reference-network-configuration.rst
@@ -3,5 +3,61 @@
 Reference: Network configuration
 ================================

+The network is split in several VLANs provided by the INRIA network team:
+
+.. thumbnail:: ../images/network.svg
+
+VLANs
+-----
+
+All inter vlan communications are filtered by our firewalls `pushkin` and `glyptotek`.
+
 .. todo::
-   This page is a work in progress. For now, please refer to the :ref:`swh-devel:network_configuration`.
\ No newline at end of file
+   Check the <firewall settings page> for more information.
+
+VLAN1300 - Public network
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The detail of this range is available in this `VLAN1300 inventory page <https://inventory.internal.softwareheritage.org/ipam/prefixes/6/>`_
+
+All the inbound traffic is firewalled by the INRIA gateway. The detail of the opened ports is
+visible on the private archive in the file :file:`sysadm/Software_Heritage_VLAN1300_plan.ods`
+
+Some nodes are directly exposed on this network for special needs:
+
+* moma: the main archive entry point
+* production workers: to have different visible ips during forge crawling
+* pergamon: act as a reverse proxy for some public sites (debian repository, annex, sentry, ...)
+* forge: needs some special rules
+
+VLAN440 - Production network
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+All the nodes dedicated to the main archive are deployed in this network.
+
+The detail of this range is available in this `VLAN440 inventory page <https://inventory.internal.softwareheritage.org/ipam/prefixes/2/>`_
+
+For historical reasons, some admin nodes are deployed in this range (monitoring, ci, ...)
+and will be progressively moved into the admin network.
+
+The internal domain associted to ththis vlan is ``.internal.staging.swh.network``
+
+VLAN443 - Staging network
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+All the nodes dedicated to the staging version of the archive are deployed on this network.
+POCs and temporary nodes can also take place in the range.
+
+The detail of this range is visible in this `VLAN443 inventory page <https://inventory.internal.softwareheritage.org/ipam/prefixes/8/>`_
+
+The internal domain associted to this vlan is ``.internal.staging.swh.network``
+
+VLAN442 - Admin network
+~~~~~~~~~~~~~~~~~~~~~~~
+
+This network is dedicated for admin and support nodes.
+
+The detail of this range is visible in this `VLAN442 inventory page <https://inventory.internal.softwareheritage.org/ipam/prefixes/10/>`_.
+
+The internal domain associted to this vlan is ``.internal.admin.swh.network``
+