author    Jan Dittberner <jandd@cacert.org>  2018-04-02 13:12:10 +0200
committer Jan Dittberner <jandd@cacert.org>  2018-04-02 13:12:10 +0200
commit    2bd48c4ec1d637c2e29f0ffb3e3511aa5eb7b78c
tree      ee7d9e0335393e07cf4820952589292a708a99cb
parent    d0fa876f1d27b68580026655f25ca62771896d38
Add web and webstatic to Puppet
- update information on puppet managed systems
- sort service tables for changed systems alphabetically
- add puppet agent as third party package where this was not documented yet
- document DNS resolution via infra02 on Puppet managed systems
-rw-r--r--  docs/lxcsetup.rst             |  6
-rw-r--r--  docs/systems/ircserver.rst    | 47
-rw-r--r--  docs/systems/jenkins.rst      | 30
-rw-r--r--  docs/systems/proxyout.rst     | 31
-rw-r--r--  docs/systems/puppet.rst       | 36
-rw-r--r--  docs/systems/svn.rst          | 25
-rw-r--r--  docs/systems/translations.rst | 37
-rw-r--r--  docs/systems/web.rst          | 43
-rw-r--r--  docs/systems/webstatic.rst    | 42
9 files changed, 193 insertions(+), 104 deletions(-)
diff --git a/docs/lxcsetup.rst b/docs/lxcsetup.rst
index 3deaa5a..af79cea 100644
--- a/docs/lxcsetup.rst
+++ b/docs/lxcsetup.rst
@@ -56,11 +56,13 @@ Setup puppet-agent
the `cacert-puppet Repository`_ on :doc:`systems/git`
- see `Puppet agent installation`_ for agent setup (install the agent from
official Puppet repositories)
-- define the puppet master IP address in :file:`/etc/hosts`:
+- make sure that DNS resolution is performed by :doc:`systems/infra02`. The
+ :file:`/etc/resolv.conf` should contain the following lines:
.. code-block:: text
- 10.0.0.200 puppet
+ search infra.cacert.org intra.cacert.org
+ nameserver 10.0.0.1
- set the certname in :file:`/etc/puppetlabs/puppet/puppet.conf` to match
the name of the file in :file:`hieradata/nodes/` for the system:
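Review bot: Dropping the `10.0.0.200 puppet` line from :file:`/etc/hosts` changes how the agent finds its master, but the new text never says which name the agent is now expected to use or how to check that it resolves. State the name explicitly (the `server` setting in :file:`/etc/puppetlabs/puppet/puppet.conf`, or the bare `puppet` that the `search infra.cacert.org intra.cacert.org` list is meant to expand) and add a check such as `getent hosts puppet` right after editing :file:`/etc/resolv.conf`. Also add a step to remove a stale `puppet` entry from :file:`/etc/hosts` on containers that were set up with the old instructions: with the usual nsswitch order (`hosts: files dns`) the hosts file wins over DNS, so on those systems the resolv.conf change alone has no effect.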
diff --git a/docs/systems/ircserver.rst b/docs/systems/ircserver.rst
index 50852ad..7f33763 100644
--- a/docs/systems/ircserver.rst
+++ b/docs/systems/ircserver.rst
@@ -155,40 +155,33 @@ Running services
----------------
.. index::
+ single: atheme-services
single: cron
single: exim
+ single: inspircd
+ single: kiwiirc
+ single: nginx
single: nrpe
single: openssh
- single: inspircd
- single: atheme-services
+ single: puppet agent
+ single: rsyslog
single: votebot
+--------------------+--------------------+----------------------------------------+
| Service | Usage | Start mechanism |
+====================+====================+========================================+
-| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
-| | remote | |
-| | administration | |
+| atheme-services | IRC services | init script |
+| | | :file:`/etc/init.d/atheme-services` |
+--------------------+--------------------+----------------------------------------+
| cron | job scheduler | init script :file:`/etc/init.d/cron` |
+--------------------+--------------------+----------------------------------------+
-| rsyslog | syslog daemon | init script |
-| | | :file:`/etc/init.d/syslog` |
-+--------------------+--------------------+----------------------------------------+
| Exim | SMTP server for | init script |
| | local mail | :file:`/etc/init.d/exim4` |
| | submission | |
+--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring | init script |
-| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-| | :doc:`monitor` | |
-+--------------------+--------------------+----------------------------------------+
| inspircd | IRC daemon | init script |
| | | :file:`/etc/init.d/inspircd` |
+--------------------+--------------------+----------------------------------------+
-| atheme-services | IRC services | init script |
-| | | :file:`/etc/init.d/atheme-services` |
-+--------------------+--------------------+----------------------------------------+
| kiwiirc | IRC web client | start script |
| | | :file:`/home/kiwiirc/KiwiIRC/kiwi` |
| | | started by user kiwiirc |
@@ -196,6 +189,20 @@ Running services
| nginx | Reverse proxy for | init script |
| | kiwiirc | :file:`/etc/init.d/nginx` |
+--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Puppet agent | configuration | init script |
+| | management agent | :file:`/etc/init.d/puppet` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
| votebot | CAcert vote bot | init script (spring-boot) |
| | | :file:`/etc/init.d/cacert-votebot` |
+--------------------+--------------------+----------------------------------------+
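Review bot: The rsyslog row re-added here points at :file:`/etc/init.d/syslog`, but Debian's rsyslog package installs its init script as :file:`/etc/init.d/rsyslog`; check the path on the host and correct it in every table that carries the same row (jenkins, proxyout, puppet, svn, translations, web, webstatic all repeat it in this commit). The new Puppet agent row also describes the service as "configuration management agent" while proxyout.rst and translations.rst say "local Puppet agent"; since the point of the commit is consistency across systems, use one wording everywhere.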
@@ -208,7 +215,7 @@ Connected Systems
Outbound network connections
----------------------------
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
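Review bot: Replacing the resolver line with `:doc:`infra02` as resolving nameserver` drops the protocol and port (DNS, udp+tcp/53) that the old line carried and that the Puppet entry in the same list keeps (`tcp/8140`). Keep the port so the list stays usable as a firewall reference, e.g. `* :doc:`infra02` (udp+tcp/53) as resolving nameserver`; the same applies to the identical change in the other system pages in this commit.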
@@ -236,6 +243,10 @@ Dedicated user roles
Non-distribution packages and modifications
-------------------------------------------
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
Votebot
~~~~~~~
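Review bot: The new paragraph says why the Puppet APT repository is used but not how it is trusted or what it pulls in. Under a "Non-distribution packages" heading the reader needs the repository suite in use, the signing key APT verifies it against, and the actual list behind "a few dependencies", because those are exactly the packages that fall outside Debian's security support and must be tracked for updates separately.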
@@ -275,6 +286,10 @@ that available updates are applied.
.. todo:: implement some update monitoring for Kiwi IRC
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
Critical Configuration items
============================
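Review bot: "The puppet agent is not exposed for access from outside the system" is asserted without the fact it rests on. State it concretely: the agent only makes outbound connections to :doc:`puppet` on tcp/8140 and opens no listening socket (a `ss -ltnp` on the host shows this), and inbound traffic to the container is restricted by the firewall rules described above. Without that, the sentence cannot be checked during the next review.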
diff --git a/docs/systems/jenkins.rst b/docs/systems/jenkins.rst
index d7c67fd..0ccf7bf 100644
--- a/docs/systems/jenkins.rst
+++ b/docs/systems/jenkins.rst
@@ -131,35 +131,39 @@ Running services
----------------
.. index::
- single: Exim
- single: Jenkins
single: cron
+ single: exim
+ single: jenkins
single: nrpe
single: openssh
+ single: puppet agent
single: rsyslog
+--------------------+--------------------+-----------------------------------------+
| Service | Usage | Start mechanism |
+====================+====================+=========================================+
-| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
-| | remote | |
-| | administration | |
-+--------------------+--------------------+-----------------------------------------+
-| Jenkins | Jenkins CI server | init script :file:`/etc/init.d/jenkins` |
-+--------------------+--------------------+-----------------------------------------+
| cron | job scheduler | init script :file:`/etc/init.d/cron` |
+--------------------+--------------------+-----------------------------------------+
-| rsyslog | syslog daemon | init script |
-| | | :file:`/etc/init.d/syslog` |
-+--------------------+--------------------+-----------------------------------------+
| Exim | SMTP server for | init script |
| | local mail | :file:`/etc/init.d/exim4` |
| | submission | |
+--------------------+--------------------+-----------------------------------------+
+| Jenkins | Jenkins CI server | init script :file:`/etc/init.d/jenkins` |
++--------------------+--------------------+-----------------------------------------+
| Nagios NRPE server | remote monitoring | init script |
| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
| | :doc:`monitor` | |
+--------------------+--------------------+-----------------------------------------+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+-----------------------------------------+
+| Puppet agent | configuration | init script |
+| | management agent | :file:`/etc/init.d/puppet` |
++--------------------+--------------------+-----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+-----------------------------------------+
Connected Systems
-----------------
@@ -173,7 +177,7 @@ Connected Systems
Outbound network connections
----------------------------
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`git` for fetching source code
* :doc:`proxyout` as HTTP proxy for APT and Jenkins plugin updates
@@ -218,6 +222,8 @@ Critical Configuration items
The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.
+.. todo:: move configuration of :doc:`jenkins` to Puppet code
+
Jenkins configuration
---------------------
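Review bot: The todo `move configuration of :doc:`jenkins` to Puppet code` contradicts the sentence directly above it, "There should be no configuration items outside of the Puppet repository": if the Jenkins configuration still has to be moved, there are configuration items outside Puppet today. Reword the paragraph to say that the system configuration is intended to be fully Puppet-managed and that the Jenkins application configuration is currently the exception, then keep the todo. The same pairing is added to svn.rst, web.rst and webstatic.rst in this commit and needs the same fix.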
diff --git a/docs/systems/proxyout.rst b/docs/systems/proxyout.rst
index c538bbf..a72ced5 100644
--- a/docs/systems/proxyout.rst
+++ b/docs/systems/proxyout.rst
@@ -117,28 +117,32 @@ Running services
----------------
.. index::
- single: puppet agent
single: cron
- single: exim4
- single: squid
+ single: exim
single: openssh
+ single: puppet agent
+ single: rsyslog
+ single: squid
+----------------+--------------------+--------------------------------------+
| Service | Usage | Start mechanism |
+================+====================+======================================+
-| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
-| | remote | |
-| | administration | |
-+----------------+--------------------+--------------------------------------+
| cron | job scheduler | init script :file:`/etc/init.d/cron` |
+----------------+--------------------+--------------------------------------+
| Exim | SMTP server for | init script |
| | local mail | :file:`/etc/init.d/exim4` |
| | submission | |
+----------------+--------------------+--------------------------------------+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++----------------+--------------------+--------------------------------------+
| Puppet agent | local Puppet agent | init script |
| | | :file:`/etc/init.d/puppet` |
+----------------+--------------------+--------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++----------------+--------------------+--------------------------------------+
| Squid | Caching and | init script |
| | filtering http/ | :file:`/etc/init.d/squid` |
| | https proxy for | |
@@ -171,7 +175,7 @@ Connected Systems
Outbound network connections
----------------------------
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* .debian.org Debian mirrors
@@ -182,9 +186,9 @@ Security
========
.. sshkeys::
- :ECDSA: 74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
- :ED25519: 43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4
- :RSA: 1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f
+ :RSA: SHA256:TfsDuQ2tuWnTlpLnFILxlZa+IOpC97QmxDAlGgCa0/I MD5:1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f
+ :ECDSA: SHA256:d79XAVk0pspIVoI7i4ffohM7PjaBMJdh1J4yv+4Z5ms MD5:74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
+ :ED25519: SHA256:26yiJUT3NfqpFDLgAgXSsRL7ppMiIpNqKmfDiMxpAqc MD5:43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4
Non-distribution packages and modifications
-------------------------------------------
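Review bot: Adding SHA256 fingerprints next to the MD5 ones is the right direction, but the entry should say how they were produced so a reader can re-verify them against the live host, e.g. `ssh-keygen -l -E sha256 -f /etc/ssh/ssh_host_ed25519_key.pub` (and `-E md5` for the legacy column). Consider dropping the MD5 column once no client still prints it, since MD5 is not collision-resistant and a matching MD5 fingerprint is weak evidence on its own. The hunk also reorders the key types (RSA first) while the old block was alphabetical; either order is fine, but use the same one on every system page.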
@@ -199,6 +203,11 @@ Risk assessments on critical packages
Squid is a proven http and https proxy installed from distribution packages
with low risk.
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
+
Critical Configuration items
============================
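Review bot: This four-line risk paragraph and the Puppet APT repository paragraph are now pasted verbatim into five system pages (ircserver, proxyout, translations, web, webstatic). Put each into a shared snippet and pull it in with `.. include::` so a later correction is made once, keeping only system-specific risk statements inline. Here the paragraph also partly duplicates the sentence two lines above: Squid is already described as a distribution package, so "third party packages" refers only to the Puppet agent, and the text should say so.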
diff --git a/docs/systems/puppet.rst b/docs/systems/puppet.rst
index 0d4dc8c..986c117 100644
--- a/docs/systems/puppet.rst
+++ b/docs/systems/puppet.rst
@@ -124,35 +124,32 @@ Running services
----------------
.. index::
- single: Exim
- single: PostgreSQL
- single: Puppet agent
- single: Puppet server
- single: Puppetdb
single: cron
+ single: exim
single: openssh
+ single: postgresql
+ single: puppet agent
+ single: puppet server
+ single: puppetdb
single: rsyslog
+--------------------+--------------------+----------------------------------------+
| Service | Usage | Start mechanism |
+====================+====================+========================================+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
| | remote | |
| | administration | |
+--------------------+--------------------+----------------------------------------+
-| cron | job scheduler | init script :file:`/etc/init.d/cron` |
-+--------------------+--------------------+----------------------------------------+
-| rsyslog | syslog daemon | init script |
-| | | :file:`/etc/init.d/syslog` |
-+--------------------+--------------------+----------------------------------------+
| PostgreSQL | PostgreSQL | init script |
| | database server | :file:`/etc/init.d/postgresql` |
| | for PuppetDB | |
+--------------------+--------------------+----------------------------------------+
-| Exim | SMTP server for | init script |
-| | local mail | :file:`/etc/init.d/exim4` |
-| | submission | |
-+--------------------+--------------------+----------------------------------------+
| Puppet server | Puppet master for | init script |
| | infrastructure | :file:`/etc/init.d/puppetserver` |
| | systems | |
@@ -160,11 +157,14 @@ Running services
| Puppet agent | local Puppet agent | init script |
| | | :file:`/etc/init.d/puppet` |
+--------------------+--------------------+----------------------------------------+
-| Puppet DB | PuppetDB for | init script |
+| PuppetDB | PuppetDB for | init script |
| | querying Puppet | :file:`/etc/init.d/puppetdb` |
| | facts and nodes | |
| | and resources | |
+--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
Databases
---------
@@ -185,11 +185,13 @@ Connected Systems
* :doc:`proxyout`
* :doc:`svn`
* :doc:`translations`
+* :doc:`web`
+* :doc:`webstatic`
Outbound network connections
----------------------------
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* forgeapi.puppet.com for Puppet forge access
@@ -216,7 +218,6 @@ advanced Puppet functionality like hiera-eyaml.
All puppet related code is installed in the Puppet specific /opt/puppetlabs
tree.
-
Risk assessments on critical packages
-------------------------------------
@@ -224,7 +225,6 @@ The system uses third party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system.
-
Critical Configuration items
============================
diff --git a/docs/systems/svn.rst b/docs/systems/svn.rst
index 398ef1a..cdfcbdb 100644
--- a/docs/systems/svn.rst
+++ b/docs/systems/svn.rst
@@ -144,20 +144,17 @@ Running services
----------------
.. index::
- single: Apache
- single: Exim
- single: Puppet agent
+ single: apache httpd
single: cron
+ single: exim
single: nrpe
single: openssh
+ single: puppet agent
+ single: rsyslog
+--------------------+--------------------+----------------------------------------+
| Service | Usage | Start mechanism |
+====================+====================+========================================+
-| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
-| | remote | |
-| | administration | |
-+--------------------+--------------------+----------------------------------------+
| Apache httpd | Webserver for | init script |
| | Subversion | :file:`/etc/init.d/apache2` |
+--------------------+--------------------+----------------------------------------+
@@ -171,9 +168,16 @@ Running services
| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
| | :doc:`monitor` | |
+--------------------+--------------------+----------------------------------------+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
| Puppet agent | configuration | init script |
| | management agent | :file:`/etc/init.d/puppet` |
+--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
Connected Systems
-----------------
@@ -186,7 +190,7 @@ Outbound network connections
----------------------------
* crl.cacert.org (rsync) for getting CRLs
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
@@ -222,6 +226,11 @@ the system.
Critical Configuration items
============================
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
+
+.. todo:: move configuration of :doc:`svn` to Puppet code
+
Keys and X.509 certificates
---------------------------
diff --git a/docs/systems/translations.rst b/docs/systems/translations.rst
index 6e5aa6c..d70680f 100644
--- a/docs/systems/translations.rst
+++ b/docs/systems/translations.rst
@@ -131,31 +131,25 @@ Running services
----------------
.. index::
- single: Apache
- single: MariaDB
- single: Postfix
- single: Redis
+ single: apache httpd
single: cron
+ single: mariadb
single: nrpe
single: openssh
+ single: postfix
+ single: puppet agent
+ single: redis
single: rsyslog
single: supervisord
+--------------------+------------------------------+-----------------------------------------------------+
| Service | Usage | Start mechanism |
+====================+==============================+=====================================================+
-| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
-| | remote | |
-| | administration | |
-+--------------------+------------------------------+-----------------------------------------------------+
| Apache httpd | Webserver for | init script |
| | Pootle | :file:`/etc/init.d/apache2` |
+--------------------+------------------------------+-----------------------------------------------------+
| cron | job scheduler | init script :file:`/etc/init.d/cron` |
+--------------------+------------------------------+-----------------------------------------------------+
-| rsyslog | syslog daemon | init script |
-| | | :file:`/etc/init.d/syslog` |
-+--------------------+------------------------------+-----------------------------------------------------+
| MySQL | MySQL database | init script |
| | server for Pootle | :file:`/etc/init.d/mysql` |
+--------------------+------------------------------+-----------------------------------------------------+
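Review bot: The index entry added here is `single: mariadb`, but the table row a few lines below still names the service "MySQL" with :file:`/etc/init.d/mysql`. One of the two is wrong about what is installed; check the installed server package on the host and use the same name in the index and the table (Debian's mariadb-server still ships its init script under the mysql name, so the index entry may well be the correct one and the table row the one to change).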
@@ -163,12 +157,22 @@ Running services
| | local mail | :file:`/etc/init.d/postfix` |
| | submission | |
+--------------------+------------------------------+-----------------------------------------------------+
+| Puppet agent | local Puppet agent | init script |
+| | | :file:`/etc/init.d/puppet` |
++--------------------+------------------------------+-----------------------------------------------------+
| Nagios NRPE server | remote monitoring | init script |
| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
| | :doc:`monitor` | |
+--------------------+------------------------------+-----------------------------------------------------+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+------------------------------+-----------------------------------------------------+
| Redis | Job queue for Pootle | init script :file:`/etc/init.d/redis-server` |
+--------------------+------------------------------+-----------------------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+------------------------------+-----------------------------------------------------+
| Supervisord | Supervisor for background | init script :file:`/etc/init.d/supervisor` |
| | tasks | |
+--------------------+------------------------------+-----------------------------------------------------+
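Review bot: The new `Puppet agent` row is inserted before `Nagios NRPE server`, which breaks the alphabetical order this commit says it establishes ("sort service tables for changed systems alphabetically"). With the Postfix row that sits just above this hunk, the sorted sequence is Nagios NRPE server, openssh server, Postfix, Puppet agent, Redis, rsyslog; move the Postfix and Puppet agent rows below openssh server accordingly.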
@@ -193,7 +197,7 @@ Connected Systems
Outbound network connections
----------------------------
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
@@ -248,12 +252,21 @@ packages.
consider building the virtualenv on :doc:`jenkins` to avoid development tools
on this system
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
Risk assessments on critical packages
-------------------------------------
System access is limited to http/https via Apache httpd which is restricted to
a minimal set of modules.
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
+
Pootle is based on Django 1.10 and should be updated to a newer version when it
becomes available. Pootle is run as a dedicated system user `pootle` that is
restricted via filesystem permissions.
diff --git a/docs/systems/web.rst b/docs/systems/web.rst
index f1851a1..d5c51ed 100644
--- a/docs/systems/web.rst
+++ b/docs/systems/web.rst
@@ -128,35 +128,39 @@ Running services
----------------
.. index::
- single: Apache
- single: Postfix
+ single: apache httpd
single: cron
single: nrpe
single: openssh
+ single: postfix
+ single: puppet agent
single: rsyslog
+--------------------+---------------------+----------------------------------------+
| Service | Usage | Start mechanism |
+====================+=====================+========================================+
-| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
-| | remote | |
-| | administration | |
-+--------------------+---------------------+----------------------------------------+
| Apache httpd | http redirector, | init script |
| | https reverse proxy | :file:`/etc/init.d/apache2` |
+--------------------+---------------------+----------------------------------------+
| cron | job scheduler | init script :file:`/etc/init.d/cron` |
+--------------------+---------------------+----------------------------------------+
-| rsyslog | syslog daemon | init script |
-| | | :file:`/etc/init.d/syslog` |
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+---------------------+----------------------------------------+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
+--------------------+---------------------+----------------------------------------+
| Postfix | SMTP server for | init script |
| | local mail | :file:`/etc/init.d/postfix` |
| | submission | |
+--------------------+---------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring | init script |
-| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-| | :doc:`monitor` | |
+| Puppet agent | configuration | init script |
+| | management agent | :file:`/etc/init.d/puppet` |
++--------------------+---------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
+--------------------+---------------------+----------------------------------------+
Connected Systems
@@ -167,8 +171,9 @@ Connected Systems
Outbound network connections
----------------------------
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
* :doc:`jenkins` as backend for the jenkins.cacert.org VirtualHost
* :doc:`webstatic` as backend for the funding.cacert.org and
@@ -186,7 +191,9 @@ Security
Non-distribution packages and modifications
-------------------------------------------
-* None
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
Risk assessments on critical packages
-------------------------------------
@@ -194,9 +201,19 @@ Risk assessments on critical packages
Apache httpd is configured with a minimum of enabled modules to allow proxying
and TLS handling only to reduce potential security risks.
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
+
Critical Configuration items
============================
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
+
+.. todo:: move configuration of :doc:`web` to Puppet code
+
Keys and X.509 certificates
---------------------------
diff --git a/docs/systems/webstatic.rst b/docs/systems/webstatic.rst
index 7b96d44..4d35c44 100644
--- a/docs/systems/webstatic.rst
+++ b/docs/systems/webstatic.rst
@@ -135,30 +135,22 @@ Running services
----------------
.. index::
- single: Apache
- single: Exim
+ single: apache httpd
single: cron
- single: nginx
+ single: exim
single: nrpe
single: openssh
+ single: puppet agent
single: rsyslog
+--------------------+----------------------+----------------------------------------+
| Service | Usage | Start mechanism |
+====================+======================+========================================+
-| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
-| | remote | |
-| | administration | |
-| | and git access | |
-+--------------------+----------------------+----------------------------------------+
| Apache httpd | Webserver for static | init script |
| | content | :file:`/etc/init.d/apache2` |
+--------------------+----------------------+----------------------------------------+
| cron | job scheduler | init script :file:`/etc/init.d/cron` |
+--------------------+----------------------+----------------------------------------+
-| rsyslog | syslog daemon | init script |
-| | | :file:`/etc/init.d/syslog` |
-+--------------------+----------------------+----------------------------------------+
| Exim | SMTP server for | init script |
| | local mail | :file:`/etc/init.d/exim4` |
| | submission | |
@@ -167,6 +159,17 @@ Running services
| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
| | :doc:`monitor` | |
+--------------------+----------------------+----------------------------------------+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
+| | and git access | |
++--------------------+----------------------+----------------------------------------+
+| Puppet agent | configuration | init script |
+| | management agent | :file:`/etc/init.d/puppet` |
++--------------------+----------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+----------------------+----------------------------------------+
Connected Systems
-----------------
@@ -180,8 +183,9 @@ Connected Systems
Outbound network connections
----------------------------
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
Security
@@ -208,6 +212,10 @@ Dedicated user roles
Non-distribution packages and modifications
-------------------------------------------
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
The used :program:`gitolite` version is from Debian Jessie and should either
be replaced by :program:`gitolite3` from Debian Stretch or a combination of
git repositories on :doc:`git` and web hooks for triggering updates.
@@ -225,9 +233,19 @@ defined set of ssh keys.
.. todo:: check access on gitolite repositories
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
+
Critical Configuration items
============================
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
+
+.. todo:: move configuration of :doc:`webstatic` to Puppet code
+
Keys and X.509 certificates
---------------------------