author | Jan Dittberner <jandd@cacert.org> | 2017-08-27 10:06:48 +0200 |
---|---|---|
committer | Jan Dittberner <jandd@cacert.org> | 2017-08-27 13:16:48 +0200 |
commit | 399e9201463b4a9cfe3287daaefbb38cc55a57d1 (patch) | |
tree | fd16ca8172f23e2e9e05c6678cc06cc94929a660 | |
parent | c3eb46e78e28efe28850ee7d4100d27b26be2f58 (diff) | |
Add proxyout and a bit more related to LXC containers
-rw-r--r-- | docs/lxcsetup.rst | 8 | ||||
-rw-r--r-- | docs/systems.rst | 1 | ||||
-rw-r--r-- | docs/systems/proxyout.rst | 29 |
3 files changed, 29 insertions, 9 deletions
diff --git a/docs/lxcsetup.rst b/docs/lxcsetup.rst index 5d2826f..b111d4f 100644 --- a/docs/lxcsetup.rst +++ b/docs/lxcsetup.rst @@ -54,6 +54,13 @@ Setup puppet-agent .. todo:: describe puppet setup +.. code-block:: bash + + sudo apt-get install wget + wget -4 -T 2 http://apt.puppetlabs.com/puppetlabs-release-pc1-jessie.deb + sudo dpkg -i puppetlabs-release-pc1-jessie.deb + sudo apt-get install puppet-agent + - Define puppet configuration for the new container in Hiera. Post-Setup task @@ -62,3 +69,4 @@ Post-Setup task - Document the new container in a file of the :file:`docs/systems` directory of the `Infrastructure documentation <https://git.cacert.org/gitweb/?p=cacert-infradocs.git;a=tree;f=docs/systems>`_. +- Setup machine-admin alias on :doc:`systems/email`. diff --git a/docs/systems.rst b/docs/systems.rst index 72a8125..739ab58 100644 --- a/docs/systems.rst +++ b/docs/systems.rst @@ -22,6 +22,7 @@ administrator team. systems/ircserver systems/issue systems/monitor + systems/proxyout systems/puppet systems/proxyout systems/svn diff --git a/docs/systems/proxyout.rst b/docs/systems/proxyout.rst index ec28ef1..8f38b43 100644 --- a/docs/systems/proxyout.rst +++ b/docs/systems/proxyout.rst @@ -8,14 +8,15 @@ Proxyout Purpose ======= -This system acts as outgoing HTTP and HTTPS proxy for access to APT -repositories. +This system provides an outgoing http/https proxy for controlled access to +external resources like APT repositories and code repositories. The decision +to setup this system has been made due to often changing IP addresses of +external repositories that lead to update problems on several other machines. Application Links ----------------- -This system has no publicly visible URLs. - +This machine has no externaly exposed URLs. Administration ============== @@ -27,7 +28,6 @@ System Administration * Secondary: None .. todo:: find an additional admin -.. people_<name> are defined in people.rst Application Administration -------------------------- 
@@ -63,6 +63,7 @@ Logical Location :IP Internet: None :IP Intranet: None :IP Internal: :ip:v4:`10.0.0.201` +:IPv6: :ip:v6:`2001:7b8:616:162:2::201` :MAC address: :mac:`00:16:3e:15:b8:8c` (eth0) .. seealso:: @@ -160,6 +161,7 @@ Outbound network connections * :doc:`puppet` (tcp/8140) as Puppet master * .debian.org Debian mirrors * apt.puppetlabs.com as Debian repository for puppet packages +* HTTP and HTTPS servers specified in the squid configuration Security ======== @@ -169,6 +171,13 @@ Security :ED25519: 43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4 :RSA: 1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f +Non-distribution packages and modifications +------------------------------------------- + +The Puppet agent package and a few dependencies are installed from the official +Puppet APT repository because the versions in Debian are too old to use modern +Puppet features. + Risk assessments on critical packages ------------------------------------- @@ -178,8 +187,8 @@ with low risk. Critical Configuration items ============================ -All configuration is managed in Puppet. There are no certificates or private -keys used on this machine. +The system configuration is managed via Puppet profiles. There should be no +configuration items outside of the Puppet repository. Tasks ===== @@ -187,8 +196,10 @@ Tasks Planned ------- -Change all infrastructure hosts to use this machine as APT proxy to avoid flaky -firewall configurations on :doc:`infra02`. +.. todo:: Change all infrastructure hosts to use this machine as APT proxy to + avoid flaky firewall configurations on :doc:`infra02`. + +.. todo:: Add more APT repositories and ACLs if needed Additional documentation ======================== |
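Review bot: In the docs/lxcsetup.rst hunk (@@ -54,6 +54,13 @@), the added code block downloads puppetlabs-release-pc1-jessie.deb over plain http:// and hands it directly to "sudo dpkg -i", so a package fetched over an unauthenticated channel is installed as root with no integrity check in between. Document a verification step before the dpkg line (a published checksum or signature to compare against) or fetch over https if the repository offers it. The ".. todo:: describe puppet setup" line directly above the new block is left in place; narrow it to what is still undocumented or drop it.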
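Review bot: In the docs/systems.rst hunk (@@ -22,6 +22,7 @@), the added "systems/proxyout" line after "systems/monitor" duplicates an entry that is still present as unchanged context after "systems/puppet", so the toctree now lists the document twice. The new position is the alphabetically correct one; remove the old entry after "systems/puppet" in the same change.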
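Review bot: In the first docs/systems/proxyout.rst hunk (@@ -8,14 +8,15 @@), the new Application Links sentence has a typo: "externaly" should be "externally". In the Purpose paragraph, "The decision to setup this system" uses the noun form as a verb; write "to set up this system". The same applies to "Setup machine-admin alias" in the lxcsetup.rst post-setup list.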
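Review bot: In the Logical Location hunk (@@ -63,6 +63,7 @@), the new ":IPv6:" field does not say which scope the address belongs to, while the neighbouring fields do (":IP Internet: None", ":IP Intranet: None", ":IP Internal:"). The added address 2001:7b8:616:162:2::201 is a global unicast address, so a reader cannot tell from this page whether the machine is reachable from the Internet over IPv6, which matters next to the statement that it has no externally exposed URLs. State the scope in the field name or add a sentence on how inbound IPv6 traffic is filtered.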
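Review bot: In the Outbound network connections hunk (@@ -160,6 +161,7 @@), the added item "HTTP and HTTPS servers specified in the squid configuration" points at a configuration the page never locates. Since the Purpose section describes this machine as providing controlled access to external resources, the list of allowed destinations is the item an auditor will look for here; reference where it is maintained (for example the Puppet profile or Hiera data that defines the squid ACLs) so the documented outbound connections can be checked against the actual configuration.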
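Review bot: In the Critical Configuration items hunk (@@ -178,8 +187,8 @@), the rewrite drops the sentence "There are no certificates or private keys used on this machine." without a replacement, so the section no longer makes any statement about key material. If the statement is still true, keep it next to the new Puppet wording; if it was removed because it is inaccurate (the Security section on the same page lists SSH host key fingerprints), list the keys that do exist instead. "There should be no configuration items outside of the Puppet repository" also reads as an expectation rather than a documented fact; say "There are no" if that has been verified.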