nais-device.puml
@startuml component
actor developer as "Developer"
participant device as "NAIS Device"
participant ndca as "NAIS Device Client Agent"
participant aad as "Azure Active Directory"
participant kolide as "Kolide"
participant nds as "NAIS Device Server"
database ndsdb as "NDS database"
collections vpnserver as "VPN Server"
collections ndga as "NAIS Device Gateway Agent"

== Enroll ==
developer -> ndca: enroll device
ndca -> device: install kolide-agent
device -> kolide: register
ndca -> aad: login
aad -> ndca: token
ndca -> device: get serial
device -> ndca: serial
ndca -> nds: HTTP POST /device/register {token, serial}
nds -> ndsdb: add db entry {serial, email}
nds -> ndca: response

== Kolide ==
loop
    device -> kolide: fetch queries
    kolide -> device: queries
    device -> device: run queries
    device -> kolide: results
end

== Monitor device statuses ==
loop every x minutes
    nds -> kolide: get device statuses
    kolide -> nds: device statuses
    nds -> nds: update database entries with status
end

== Healthcheck VPN ==
ndca -> vpnserver: establish tcp connection
loop every second
    ndca -> vpnserver: send byte
    vpnserver -> ndca: send byte
end
ndca -> ndca: if no byte response, trigger Connect to VPN
ndca -> ndca: close tcp connection
ndca -> ndca: restart healthcheck

== Connect to VPN ==
ndca -> ndca: if no cached token, login
ndca -> nds: HTTP GET /device/vpn/config {token, public key, serial}
nds -> ndsdb: is device ok?
nds -> ndsdb: get {psk, ip, routes, server-configs}
nds -> ndca: {psk, ip, routes, server-configs}
ndca -> device: ip dev add / ifconfig add / netsh add device
ndca -> device: wg set psk, private key, ip
ndca -> device: route add

== Enroll VPN Server ==
ndga -> nds: HTTP POST /gateway/register {token, public key, public ip}
nds -> ndsdb: write server config
nds -> ndga: response

== Rotate psks ==
loop every x minutes
    nds -> nds: generate new psks
    nds -> ndsdb: write new psks
end

== Configure VPN Server (runs every minute or more) ==
loop every minute
    ndga -> nds: HTTP GET /gateway/peers {token, public key}
    nds -> ndsdb: get peers
    nds -> ndga: {peers}
end
loop every peer
    ndga -> ndga: configure peer {public key, ip, psk}
    ndga -> ndga: configure route {peer ip}
end
@enduml
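The "Rotate psks" and "Configure VPN Server" sections above describe the server generating fresh preshared keys and the gateway agent applying each `{public key, ip, psk}` peer it receives. The following Go program is an added example, not code from the nais device repository: it shows a 32-byte PSK generator and a gateway-side routine that validates every peer record (base64 keys of exactly 32 bytes, a plain IPv4 address rather than a prefix) before rendering it into WireGuard `[Peer]` stanzas with `AllowedIPs` pinned to the peer's single /32. The `Peer` struct, its field names and the functions `NewPSK`, `Validate` and `RenderPeers` are assumptions made for this example; the sample key and address in `main` are constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// Peer mirrors one entry of the {peers} list from GET /gateway/peers.
// Field names are an assumption for this example, not the project's API.
type Peer struct {
	PublicKey string // base64-encoded 32-byte WireGuard public key
	IP        string // the peer's VPN address, e.g. "10.255.240.5"
	PSK       string // base64-encoded 32-byte preshared key
}

// NewPSK produces a fresh preshared key from the OS CSPRNG, the
// operation the "Rotate psks" loop performs on the server side.
func NewPSK() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// checkKey accepts only a base64 string that decodes to exactly 32 bytes,
// so a malformed or truncated key from the server never reaches `wg set`.
func checkKey(field, key string) error {
	raw, err := base64.StdEncoding.DecodeString(key)
	if err != nil {
		return fmt.Errorf("%s: not base64: %w", field, err)
	}
	if len(raw) != 32 {
		return fmt.Errorf("%s: want 32 bytes, got %d", field, len(raw))
	}
	return nil
}

// Validate checks one peer record before it is applied to the interface.
func (p Peer) Validate() error {
	if err := checkKey("public key", p.PublicKey); err != nil {
		return err
	}
	if err := checkKey("psk", p.PSK); err != nil {
		return err
	}
	addr, err := netip.ParseAddr(p.IP) // rejects prefixes such as "10.0.0.1/24"
	if err != nil {
		return fmt.Errorf("ip: %w", err)
	}
	if !addr.Is4() {
		return errors.New("ip: expected an IPv4 peer address")
	}
	return nil
}

// RenderPeers validates every peer and renders the [Peer] stanzas of a
// WireGuard config. AllowedIPs is the single /32 of the peer, so WireGuard
// itself drops packets the peer sends from any other source address; this
// is the cryptographic counterpart of the "configure route {peer ip}" step.
func RenderPeers(peers []Peer) (string, error) {
	var sb strings.Builder
	for i, p := range peers {
		if err := p.Validate(); err != nil {
			return "", fmt.Errorf("peer %d: %w", i, err)
		}
		fmt.Fprintf(&sb, "[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s/32\n\n",
			p.PublicKey, p.PSK, p.IP)
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample: an all-zero public key is valid base64 of 32 bytes.
	pub := strings.Repeat("A", 43) + "="
	psk, err := NewPSK()
	if err != nil {
		panic(err)
	}
	cfg, err := RenderPeers([]Peer{{PublicKey: pub, IP: "10.255.240.5", PSK: psk}})
	if err != nil {
		panic(err)
	}
	fmt.Print(cfg)
}
```

The gateway agent would write the rendered stanzas alongside its own `[Interface]` section and apply them with `wg syncconf` or equivalent; the point of validating first is that a single bad record from the server aborts the whole update instead of leaving the interface half-configured.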