[Dev] DDNS + parabola.nu sub-domain for our build server

Isaac David isacdaavid at isacdaavid.info
Sat Mar 25 18:32:02 GMT 2017


On Fri, 24 Mar 2017 at 23:29, André Silva wrote:
> Hey guys, Luke .R let me know that DDNS + sub-domain is not needed for
> our build server, since we can configure it to upload directly to
> winston. Using DDNS on a build server may expose my local area
> network, which isn't good for security.

what about starting the builds themselves? will it also read the TODO
list from another server?

do we want more than ssh on that server? one option would be asking
that machine to open a reverse ssh tunnel to winston or proton (I will
use proton in this example):

    # run on the build server: publish its sshd on a port of proton
    ssh -f -N -T -R $BURNER_PROTON_PORT:localhost:$PORT_IN_BUILD_SERVER \
        -i $KEYFILE_TO_PROTON -p $USUAL_PORT_TO_PROTON \
        $BUILD_USER@proton

$BUILD_USER and its corresponding $KEYFILE_TO_PROTON would have to be
set up in advance. then any user at proton with the ability to `ssh -p
$BURNER_PROTON_PORT localhost` would begin to negotiate a connection
to the build server; which, at your option, could use hackers.git and
the bulk of the login infrastructure being used in winston to spare
the need for more credentials. more generally and conveniently, one
would:

    # run from anywhere: reach the build server through proton
    ssh -p $BURNER_PROTON_PORT -i $KEYFILE_TO_BUILD_SERVER \
        $SOME_USER_ON_BUILD_SERVER@proton

to jump straight to the build server from anywhere, via proton behind
the scenes.

of course any form of ssh access to the build server would give a
select few a free pass to its LAN. you could try to isolate the server
to a second LAN daisy-chained to the main one. it only takes an extra
router.

-- 
Isaac David
GPG: 38D33EF29A7691134357648733466E12EC7BA943
Tox: 0C730E0156E96E6193A1445D413557FF5F277BA969A4EA20AC9352889D3B390E77651E816F0C
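
Added example, not part of the original message: if the reverse tunnel described above is used, the key that $BUILD_USER presents to proton can be limited to holding that one listener, and proton's authorized_keys can be audited for tunnel keys that allow more. Port 2222 and the key strings are constructed sample values, the function names are hypothetical, and the `restrict` and `permitlisten` options assume OpenSSH 7.8 or later on proton.

```shell
#!/bin/sh
# Added example; the functions are hypothetical helpers, not Parabola tooling.

# Print the authorized_keys line to install for $BUILD_USER on proton.
#   restrict         disables pty, agent/X11 forwarding, user rc, all forwarding
#   port-forwarding  re-enables forwarding only
#   permitlisten     the single -R listener this key may request
#   permitopen       dummy target, so the key is useless for -L forwards
#   command          nothing to run even if the client omits -N
tunnel_key_entry() {   # $1 = $BURNER_PROTON_PORT, $2 = "type base64 comment"
    printf 'restrict,port-forwarding,permitlisten="localhost:%s",' "$1"
    printf 'permitopen="localhost:1",command="/bin/false" %s\n' "$2"
}

# Audit authorized_keys content on stdin. Prints "LINE: reasons" for every
# key that could do more than hold the one reverse tunnel; exits 1 if any.
# Conservative: it insists that the option list starts with "restrict,".
audit_tunnel_keys() {  # $1 = expected $BURNER_PROTON_PORT
    awk -v port="$1" '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            why = ""
            if ($0 !~ /^restrict,/)
                why = why " no-restrict"
            if ($0 !~ ("permitlisten=\"localhost:" port "\""))
                why = why " listen-port-unpinned"
            if ($0 !~ /command="/)
                why = why " shell-allowed"
            if ($0 ~ /(^|,)(pty|agent-forwarding|X11-forwarding)(,| )/)
                why = why " re-enabled-feature"
            if (why != "") { print NR ":" why; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Demo with constructed values: the entry to append on proton.
tunnel_key_entry 2222 "ssh-ed25519 AAAAC3constructed build@server"
```

On the build server, adding `-o ExitOnForwardFailure=yes` to the tunnel command makes ssh exit instead of staying connected without the listener when proton refuses the port.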



