Upgraded web to Debian Buster

The web container has been upgraded to Debian Buster. The host and Apache httpd configuration is now fully managed by Puppet. Certificates for funding.cacert.org and jenkins.cacert.org have been renewed.
author: Jan Dittberner <jandd@cacert.org> 2021-01-17 20:20:16 +0100
committer: Jan Dittberner <jandd@cacert.org> 2021-01-17 20:20:16 +0100
commit: 23c6020f187978fed31ee082f8c0dc9624d24d2a (patch)
tree: f99412d9d23576600a306f0d73be361289a2a082
parent: c1e04c982eac012308c52ff72c857f2c510f941e (diff)
download: cacert-infradocs-23c6020f187978fed31ee082f8c0dc9624d24d2a.tar.gz
cacert-infradocs-23c6020f187978fed31ee082f8c0dc9624d24d2a.tar.xz
cacert-infradocs-23c6020f187978fed31ee082f8c0dc9624d24d2a.zip
1 files changed, 43 insertions, 75 deletions
diff --git a/docs/systems/web.rst b/docs/systems/web.rst
index e436f1f..8ed9668 100644
--- a/docs/systems/web.rst
+++ b/docs/systems/web.rst
@@ -113,12 +113,10 @@ Operating System
 ----------------
 
 .. index::
-   single: Debian GNU/Linux; Stretch
-   single: Debian GNU/Linux; 9.12
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.7
 
-* Debian GNU/Linux 9.12
-
-.. todo:: upgrade to Debian 10 Buster
+* Debian GNU/Linux 10.7
 
 Services
 ========
@@ -152,32 +150,27 @@ Running services
    single: puppet agent
    single: rsyslog
 
-+----------------+--------------------------+-----------------------------------------+
-| Service        | Usage                    | Start mechanism                         |
-+================+==========================+=========================================+
-| Apache httpd   | http redirector,         | init script                             |
-|                | https reverse proxy      | :file:`/etc/init.d/apache2`             |
-+----------------+--------------------------+-----------------------------------------+
-| cron           | job scheduler            | init script :file:`/etc/init.d/cron`    |
-+----------------+--------------------------+-----------------------------------------+
-| icinga2        | Icinga2 monitoring agent | init script :file:`/etc/init.d/icinga2` |
-+----------------+--------------------------+-----------------------------------------+
-| openssh server | ssh daemon for           | init script :file:`/etc/init.d/ssh`     |
-|                | remote                   |                                         |
-|                | administration           |                                         |
-+----------------+--------------------------+-----------------------------------------+
-| Postfix        | SMTP server for          | init script                             |
-|                | local mail               | :file:`/etc/init.d/postfix`             |
-|                | submission               |                                         |
-+----------------+--------------------------+-----------------------------------------+
-| Puppet agent   | configuration            | init script                             |
-|                | management agent         | :file:`/etc/init.d/puppet`              |
-+----------------+--------------------------+-----------------------------------------+
-| rsyslog        | syslog daemon            | init script                             |
-|                |                          | :file:`/etc/init.d/syslog`              |
-+----------------+--------------------------+-----------------------------------------+
-
-.. todo:: switch to systemd
++----------------+--------------------------+----------------------------------+
+| Service        | Usage                    | Start mechanism                  |
++================+==========================+==================================+
+| Apache httpd   | http redirector,         | systemd unit ``apache2.service`` |
+|                | https reverse proxy      |                                  |
++----------------+--------------------------+----------------------------------+
+| cron           | job scheduler            | systemd unit ``cron.service``    |
++----------------+--------------------------+----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for           | systemd unit ``ssh.service``     |
+|                | remote administration    |                                  |
++----------------+--------------------------+----------------------------------+
+| Postfix        | SMTP server for          | systemd unit ``postfix.service`` |
+|                | local mail submission    |                                  |
++----------------+--------------------------+----------------------------------+
+| Puppet agent   | configuration            | systemd unit ``puppet.service``  |
+|                | management agent         |                                  |
++----------------+--------------------------+----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service`` |
++----------------+--------------------------+----------------------------------+
 
 Connected Systems
 -----------------
@@ -227,11 +220,13 @@ Critical Configuration items
 The system configuration is managed via Puppet profiles. There should be no
 configuration items outside of the :cacertgit:`cacert-puppet`.
 
-.. todo:: move configuration of :doc:`web` to Puppet code
-
 Keys and X.509 certificates
 ---------------------------
 
+All keys and certificates are managed in the file
+https://git.cacert.org/cacert-puppet.git/plain/hieradata/nodes/web.yaml in the
+:cacertgit:`cacert-puppet`.
+
 .. sslcert:: codedocs.cacert.org
    :altnames:   DNS:codedocs.cacert.org
    :certfile:   /etc/ssl/certs/codedocs.cacert.org.crt
@@ -245,9 +240,9 @@ Keys and X.509 certificates
    :altnames:   DNS:funding.cacert.org
    :certfile:   /etc/ssl/certs/funding.cacert.org.crt
    :keyfile:    /etc/ssl/private/funding.cacert.org.key
-   :serial:     02D059
-   :expiration: Jan 31 16:29:20 2021 GMT
-   :sha1fp:     FD:0D:2A:33:70:64:0E:2A:D6:F6:72:0F:D0:47:D9:C7:BD:E3:F4:DF
+   :serial:     02EAF6
+   :expiration: Jan 17 18:53:51 2023 GMT
+   :sha1fp:     30:57:BC:90:4E:C7:A2:CD:D9:BF:AE:7D:5E:9E:FB:B8:3F:3E:0F:64
    :issuer:     CAcert Class 3 Root
 
 .. sslcert:: infradocs.cacert.org
@@ -263,9 +258,9 @@ Keys and X.509 certificates
    :altnames:   DNS:jenkins.cacert.org
    :certfile:   /etc/ssl/certs/jenkins.cacert.org.crt
    :keyfile:    /etc/ssl/private/jenkins.cacert.org.key
-   :serial:     02D058
-   :expiration: Jan 31 16:27:54 2021 GMT
-   :sha1fp:     00:5B:9C:4D:2E:D2:E4:69:2D:32:61:DC:25:98:F0:89:C9:E1:50:F1
+   :serial:     02EAF5
+   :expiration: Jan 17 18:52:48 2023 GMT
+   :sha1fp:     B9:88:8D:51:F4:FA:B1:56:64:8E:C8:23:C5:C4:FE:D8:42:B8:1B:72
    :issuer:     CAcert Class 3 Root
 
 .. sslcert:: web.cacert.org
@@ -277,9 +272,9 @@ Keys and X.509 certificates
    :sha1fp:     30:C0:61:C5:F7:C6:5E:A3:06:DB:B5:2F:B1:2D:DD:DF:60:5F:D6:88
    :issuer:     CAcert Class 3 Root
 
-* :file:`/usr/share/ca-certificates/CAcert/class3.crt` CAcert.org Class 3
-  certificate for server certificate chains. The Apache httpd configuration
-  files reference the symlinked version at :file:`/etc/ssl/certs/class3.pem`.
+* :file:`/usr/share/ca-certificates/CAcert/class3_X0E.crt` CAcert.org Class 3
+  certificate for server certificate chains. The file is installed from the
+  Debian package `ca-cacert`
 
 .. seealso::
 
@@ -288,38 +283,13 @@ Keys and X.509 certificates
 Apache httpd configuration
 --------------------------
 
-* :file:`/etc/apache2/sites-available/000-default.conf`
-
-  Defines the default VirtualHost for requests reaching this host with no
-  specifically handled host name.
-
-* :file:`/etc/apache2/sites-available/codedocs.cacert.org.conf`
-
-  Defines the VirtualHost http://codedocs.cacert.org/ that redirects to
-  https://codedocs.cacert.org/ and the VirtualHost
-  https://codedocs.cacert.org/ that provides reverse proxy functionality for
-  the same host name on :doc:`webstatic`.
+Apache httpd configuration is fully managed by Puppet. The VirtualHosts are
+defined in
+https://git.cacert.org/cacert-puppet.git/plain/hieradata/nodes/web.yaml and
+the
+configuration is done via the `web_proxy`_ profile.
 
-* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`
-
-  Defines the VirtualHost http://funding.cacert.org/ that redirects to
-  https://funding.cacert.org/ and the VirtualHost https://funding.cacert.org/
-  that provides reverse proxy functionality for the same host name on
-  :doc:`webstatic`.
-
-* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`
-
-  Defines the VirtualHost http://infradocs.cacert.org/ that redirects to
-  https://infradocs.cacert.org/ and the VirtualHost
-  https://infradocs.cacert.org/ that provides reverse proxy functionality for
-  the same host name on :doc:`webstatic`.
-
-* :file:`/etc/apache2/sites-available/jenkins.cacert.org.conf`
-
-  Defines the VirtualHost http://jenkins.cacert.org/ that redirects to
-  https://jenkins.cacert.org/ and the VirtualHost https://jenkins.cacert.org/
-  that provides reverse proxy functionality for the Jenkins instance on
-  :doc:`jenkins`.
+.. _web_proxy: https://git.cacert.org/cacert-puppet.git/tree/sitemodules/profiles/manifests/web_proxy.pp
 
 Tasks
 =====
@@ -330,8 +300,6 @@ Changes
 Planned
 -------
 
-.. todo:: manage the web system using Puppet
-
 System Future
 -------------
author	Jan Dittberner <jandd@cacert.org>	2021-01-17 20:20:16 +0100
committer	Jan Dittberner <jandd@cacert.org>	2021-01-17 20:20:16 +0100
commit	23c6020f187978fed31ee082f8c0dc9624d24d2a (patch)
tree	f99412d9d23576600a306f0d73be361289a2a082
parent	c1e04c982eac012308c52ff72c857f2c510f941e (diff)
download	cacert-infradocs-23c6020f187978fed31ee082f8c0dc9624d24d2a.tar.gz cacert-infradocs-23c6020f187978fed31ee082f8c0dc9624d24d2a.tar.xz cacert-infradocs-23c6020f187978fed31ee082f8c0dc9624d24d2a.zip