author Jan Dittberner <jandd@cacert.org> 2017-08-27 10:06:48 +0200
committer Jan Dittberner <jandd@cacert.org> 2017-08-27 13:16:48 +0200
commit 399e9201463b4a9cfe3287daaefbb38cc55a57d1
tree fd16ca8172f23e2e9e05c6678cc06cc94929a660
parent c3eb46e78e28efe28850ee7d4100d27b26be2f58
Add proxyout and a bit more related to LXC containers
-rw-r--r-- docs/lxcsetup.rst 8
-rw-r--r-- docs/systems.rst 1
-rw-r--r-- docs/systems/proxyout.rst 29
3 files changed, 29 insertions, 9 deletions
diff --git a/docs/lxcsetup.rst b/docs/lxcsetup.rst
index 5d2826f..b111d4f 100644
--- a/docs/lxcsetup.rst
+++ b/docs/lxcsetup.rst
@@ -54,6 +54,13 @@ Setup puppet-agent
.. todo:: describe puppet setup
+.. code-block:: bash
+
+ sudo apt-get install wget
+ wget -4 -T 2 http://apt.puppetlabs.com/puppetlabs-release-pc1-jessie.deb
+ sudo dpkg -i puppetlabs-release-pc1-jessie.deb
+ sudo apt-get install puppet-agent
+
- Define puppet configuration for the new container in Hiera.
Post-Setup task
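Review bot: The added block fetches puppetlabs-release-pc1-jessie.deb over plain http:// and passes it straight to dpkg -i with no integrity check. That package is what sets up the Puppet APT repository on the new container, so a tampered download would go unnoticed at the point where trust in the repository is established. Use an https:// URL if the repository serves one, or document a checksum or signature check before the dpkg -i step. The ".. todo:: describe puppet setup" line above the block also stays in place although the block now describes the install; drop it or narrow it to what is still missing.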
@@ -62,3 +69,4 @@ Post-Setup task
- Document the new container in a file of the :file:`docs/systems` directory of
the `Infrastructure documentation
<https://git.cacert.org/gitweb/?p=cacert-infradocs.git;a=tree;f=docs/systems>`_.
+- Setup machine-admin alias on :doc:`systems/email`.
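Review bot: The new list item uses "Setup" as a verb and does not say which alias is meant or who should receive it. Suggest "Set up the machine-admin alias for the new container on :doc:`systems/email`" and, if there is a naming pattern for these aliases, stating it here so the step can be followed without asking.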
diff --git a/docs/systems.rst b/docs/systems.rst
index 72a8125..739ab58 100644
--- a/docs/systems.rst
+++ b/docs/systems.rst
@@ -22,6 +22,7 @@ administrator team.
systems/ircserver
systems/issue
systems/monitor
+ systems/proxyout
systems/puppet
systems/proxyout
systems/svn
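Review bot: The toctree already lists systems/proxyout after systems/puppet (visible in the context lines), so the added line creates a duplicate entry. Remove the old, out-of-order entry in the same change so that the document appears once, in alphabetical position after systems/monitor.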
diff --git a/docs/systems/proxyout.rst b/docs/systems/proxyout.rst
index ec28ef1..8f38b43 100644
--- a/docs/systems/proxyout.rst
+++ b/docs/systems/proxyout.rst
@@ -8,14 +8,15 @@ Proxyout
Purpose
=======
-This system acts as outgoing HTTP and HTTPS proxy for access to APT
-repositories.
+This system provides an outgoing http/https proxy for controlled access to
+external resources like APT repositories and code repositories. The decision
+to setup this system has been made due to often changing IP addresses of
+external repositories that lead to update problems on several other machines.
Application Links
-----------------
-This system has no publicly visible URLs.
-
+This machine has no externaly exposed URLs.
Administration
==============
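Review bot: Two wording problems in the added lines: "externaly" in "This machine has no externaly exposed URLs." should be "externally", and "The decision to setup this system" should read "to set up". The new Purpose text also says "controlled access" without saying what controls it; one sentence naming the mechanism (the squid ACLs mentioned later in this file) would make the claim checkable.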
@@ -27,7 +28,6 @@ System Administration
* Secondary: None
.. todo:: find an additional admin
-.. people_<name> are defined in people.rst
Application Administration
--------------------------
@@ -63,6 +63,7 @@ Logical Location
:IP Internet: None
:IP Intranet: None
:IP Internal: :ip:v4:`10.0.0.201`
+:IPv6: :ip:v6:`2001:7b8:616:162:2::201`
:MAC address: :mac:`00:16:3e:15:b8:8c` (eth0)
.. seealso::
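Review bot: The new ":IPv6:" field carries no scope, unlike the neighbouring "IP Internet", "IP Intranet" and "IP Internal" fields, and 2001:7b8:616:162:2::201 lies in global unicast space while "IP Internet" still reads None. State whether this address is reachable from outside or filtered, so the entry does not appear to contradict the line above it.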
@@ -160,6 +161,7 @@ Outbound network connections
* :doc:`puppet` (tcp/8140) as Puppet master
* .debian.org Debian mirrors
* apt.puppetlabs.com as Debian repository for puppet packages
+* HTTP and HTTPS servers specified in the squid configuration
Security
========
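Review bot: The added bullet "HTTP and HTTPS servers specified in the squid configuration" cannot be audited from this document, because it names neither the destinations nor where that configuration lives. For an outbound proxy this list is the main security control, so either enumerate the allowed destinations here or reference the Puppet profile or file that holds the squid ACLs.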
@@ -169,6 +171,13 @@ Security
:ED25519: 43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4
:RSA: 1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f
+Non-distribution packages and modifications
+-------------------------------------------
+
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
Risk assessments on critical packages
-------------------------------------
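Review bot: The new "Non-distribution packages and modifications" paragraph says "a few dependencies" without naming them. Since these packages come from outside Debian, list the package names and note which repository (apt.puppetlabs.com, per the outbound connections list) they are pulled from, so the risk assessment section that follows has something concrete to refer to.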
@@ -178,8 +187,8 @@ with low risk.
Critical Configuration items
============================
-All configuration is managed in Puppet. There are no certificates or private
-keys used on this machine.
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
Tasks
=====
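Review bot: The replacement text under "Critical Configuration items" drops the explicit statement "There are no certificates or private keys used on this machine." and substitutes "There should be no configuration items outside of the Puppet repository", which is weaker. If the statement about certificates and private keys is still true, keep it; if it is no longer true, list the keys and certificates here, since that is what this section exists to record.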
@@ -187,8 +196,10 @@ Tasks
Planned
-------
-Change all infrastructure hosts to use this machine as APT proxy to avoid flaky
-firewall configurations on :doc:`infra02`.
+.. todo:: Change all infrastructure hosts to use this machine as APT proxy to
+ avoid flaky firewall configurations on :doc:`infra02`.
+
+.. todo:: Add more APT repositories and ACLs if needed
Additional documentation
========================