Automating configuration and installation tasks means you save time and resources, while eliminating the risks associated with human error.

Setting up Virtual Machines (Servers)

MaadiX uses several types of technologies to set up and configure servers. These technologies are very well established and are used by large organisations, universities and companies to automate the control of other devices remotely.

MaadiX has adapted the way these technologies are implemented to take advantage of them in an environment in which remote computers operate independently and make decisions. Unlike what happens in a company or organisation, MaadiX disables remote control over the servers it creates, but remains available should the client request a new installation.

MaadiX acts as a repository that also provides all the instructions and commands needed to install and configure the applications. Once the task is completed, the client server ends communication with the MaadiX repository.

The technologies used are the following:

  • OpenNebula: a solution for creating clouds and managing virtualisation. OpenNebula orchestrates storage, network and virtualisation services, as well as monitoring and securing the deployed services.
  • Ansible: a platform for configuring and managing computers. It communicates with nodes via SSH and can perform several installation and configuration tasks, which is why it is categorised as an orchestration tool. In MaadiX it is only used while “instantiating” (installing) servers, from which it is subsequently removed.
  • Puppet: a tool designed for declarative management of system configurations. In MaadiX, Puppet functions as if it were a repository: the nodes (client servers) request the software they want from the repository and Puppet makes sure the desired configuration is applied. Puppet uses a declarative programming paradigm: a set of conditions is “declared”, describing the desired configuration without needing to detail the specific operating-system commands.

At MaadiX we have developed a system that allows us to use this technology without having to know or store sensitive data such as personal or system user passwords. All this information is generated and stored locally in the nodes and is not transmitted externally at any time.

What do the servers instantiated with MaadiX include?

Servers run Debian 8.4 (jessie) with kernel 3.16.0-4-amd64 and are virtualised using KVM as the hypervisor. The resources assigned (CPU, RAM, disk space) vary depending on the user’s needs.

Apart from the applications users can choose to install, a number of software packages and services are installed by default. The main ones are: Apache 2.4.10, MySQL 5.5.54, Let's Encrypt, Postfix 2.11.3, Dovecot 2.2.13, Fail2ban 0.8.13, SSH 6.7, OpenLDAP 2.4.40, Monit, etc.

In addition, the control panel is installed, allowing you to administer the services and applications. This tool, developed by MaadiX, enables users, permissions, domains, configurations, installations and updates to be managed from a graphical environment.

The control panel allows advanced tasks to be performed, tasks that usually require extensive system privileges. For security reasons, however, the control panel itself does not hold these privileges. How does it work?

OpenLDAP is installed on each server. The LDAP directory contains data about users, domains, e-mail accounts, and applications.

The control panel is the graphical interface used to manage this directory, and the directory is where the system finds the information it needs for its configuration. The control panel therefore never needs the privileges required to write that configuration to the system directly.

Authentication

User authentication is performed through the pam_ldap module for services such as OpenVPN, SSH and Apache, and through Dovecot SASL for the mail server. The system looks the user up in the LDAP directory, verifies that the credentials are correct and checks that the user is authorised for the requested service. This centralises and simplifies access control, and the channel between the LDAP server and the various services is protected with SSL (Secure Sockets Layer).

Domains

For each domain activated from the control panel, the Apache configuration needed to make it reachable from any browser is created. The system periodically asks the LDAP directory which domains must be available and then creates the necessary virtual hosts automatically. For security reasons, HTTPS is always enabled by default for all domains and subdomains, and all requests are redirected to HTTPS on port 443.
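The two LDAP-driven flows described in the Authentication and Domains sections, as an added example that is not MaadiX's own code: it parses a constructed LDIF export in place of a live OpenLDAP query, verifies an {SSHA}-hashed password and per-service authorisation the way the pam_ldap or Dovecot SASL decision is described above, and renders for each active domain the HTTP-to-HTTPS redirect and the port-443 virtual host. The attribute names maadixService and maadixDomainActive, the object class maadixDomain and the /var/www/ document-root layout are assumptions, not MaadiX's schema.

```python
# Added example (not MaadiX code): the LDAP-driven authentication and domain
# flows from the text, run against a constructed LDIF export. Hypothetical names
# not taken from the page: maadixService, maadixDomainActive, maadixDomain, /var/www/.
import base64
import hashlib
import hmac
import re

def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password: str, stored: str) -> bool:
    """Constant-time check of a password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes, salt follows
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

ALICE_PW = "correct horse"  # constructed test credential

# Constructed LDIF export: one user authorised for two services, one active
# domain and one deactivated domain (stands in for a live directory query).
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
userPassword: {ssha_hash(ALICE_PW, b'salt1234')}
maadixService: ssh
maadixService: openvpn

dn: cn=example.org,ou=domains,dc=example,dc=org
objectClass: maadixDomain
cn: example.org
maadixDomainActive: TRUE

dn: cn=old.example.org,ou=domains,dc=example,dc=org
objectClass: maadixDomain
cn: old.example.org
maadixDomainActive: FALSE
"""

def parse_ldif(text: str) -> dict:
    """Parse a minimal LDIF export into {dn: {attribute: [values]}}, unfolding
    continuation lines (which start with a single space) first."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in re.sub(r"\n ", "", block).splitlines():
            if not line or line.startswith(("#", "version:")):
                continue
            name, _, value = line.partition(":")
            if name == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name, []).append(value.strip())
        if dn is not None:
            entries[dn] = attrs
    return entries

def authenticate(directory: dict, uid: str, password: str, service: str) -> bool:
    """The pam_ldap / Dovecot SASL decision: find the user, verify the password,
    then require explicit authorisation for the service; anything else fails closed."""
    for attrs in directory.values():
        if attrs.get("uid") == [uid]:
            if not ssha_verify(password, attrs.get("userPassword", [""])[0]):
                return False
            return service in attrs.get("maadixService", [])
    return False

def active_domains(directory: dict) -> list:
    """Domains the periodic job must expose: maadixDomain entries marked active."""
    return sorted(a["cn"][0] for a in directory.values()
                  if "maadixDomain" in a.get("objectClass", [])
                  and a.get("maadixDomainActive") == ["TRUE"])

def render_vhost(domain: str) -> str:
    """Apache vhosts for one domain: port 80 only redirects to HTTPS, port 443
    serves the site with its Let's Encrypt certificate."""
    return f"""<VirtualHost *:80>
    ServerName {domain}
    Redirect permanent / https://{domain}/
</VirtualHost>
<VirtualHost *:443>
    ServerName {domain}
    DocumentRoot /var/www/{domain}
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/{domain}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/{domain}/privkey.pem
</VirtualHost>
"""

def desired_vhosts(directory: dict) -> dict:
    """One config per active domain, as the privileged job (not the control panel) writes it."""
    return {d: render_vhost(d) for d in active_domains(directory)}
```

In production the directory is queried over the TLS-protected LDAP channel the text mentions rather than read from a file, and it is the privileged periodic job, not the control panel, that writes the rendered files into Apache's configuration; the control panel's only write path remains the directory itself, which is what keeps it free of system privileges.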