author Jan Dittberner <jandd@cacert.org> 2019-08-03 14:54:57 +0200
committer Jan Dittberner <jandd@cacert.org> 2019-08-03 14:54:57 +0200
commit 91659d73cf8755673672c29a56cff833da7d1867 (patch)
tree 67b4588092486d71501a959b0dde955cbf2d8684
parent 87bb33787d795b096a6cf027fd2f1c97cf9fc1cb (diff)
Document new cacert-boardvoting setup
- document motion and proxyin
- update documentation of webstatic
-rw-r--r-- docs/systems.rst 7
-rw-r--r-- docs/systems/motion.rst 351
-rw-r--r-- docs/systems/proxyin.rst 287
-rw-r--r-- docs/systems/web.rst 2
-rw-r--r-- docs/systems/webstatic.rst 52
5 files changed, 669 insertions, 30 deletions
diff --git a/docs/systems.rst b/docs/systems.rst
index 0e6201f..24e939f 100644
--- a/docs/systems.rst
+++ b/docs/systems.rst
@@ -18,12 +18,14 @@ administrator team.
systems/git
systems/ircserver
systems/issue
- systems/lists
systems/jenkins
+ systems/lists
systems/monitor
- systems/puppet
+ systems/motion
+ systems/pgpkeys
systems/proxyin
systems/proxyout
+ systems/puppet
systems/svn
systems/test
systems/test2
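Review bot: `systems/pgpkeys` is added to the toctree in this hunk, but the diffstat of this commit lists no `docs/systems/pgpkeys.rst`; unless that page already exists in the tree, Sphinx will warn about a toctree reference to a nonexisting document and the entry will not render. Either add the page in this commit or hold the toctree line until it exists. Moving `systems/lists` and `systems/puppet` into alphabetical position is fine.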
@@ -33,6 +35,7 @@ administrator team.
systems/web
systems/webmail
systems/webstatic
+ systems/wiki
General
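Review bot: same concern for `systems/wiki` added here: no `docs/systems/wiki.rst` is part of this commit, so confirm the page already exists before the toctree references it.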
diff --git a/docs/systems/motion.rst b/docs/systems/motion.rst
new file mode 100644
index 0000000..dd1fd92
--- /dev/null
+++ b/docs/systems/motion.rst
@@ -0,0 +1,351 @@
+.. index::
+ single: Systems; Motion
+
+======
+Motion
+======
+
+Purpose
+=======
+
+This system provides the CAcert board motion system. The system replaced the
+board voting system that had been provided on :doc:`webmail` at
+https://community.cacert.org/board/.
+
+Application Links
+-----------------
+
+ Board motion system
+ https://motion.cacert.org/
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+Application Administration
+--------------------------
+
++---------------------+---------------------+
+| Application | Administrator(s) |
++=====================+=====================+
+| board motion system | :ref:`people_jandd` |
++---------------------+---------------------+
+
+Contact
+-------
+
+* motion-admin@cacert.org
+
+Additional People
+-----------------
+
+No other people have :program:`sudo` access on that machine.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: None
+:IP Intranet: None
+:IP Internal: :ip:v4:`10.0.0.117`
+:IPv6: :ip:v6:`2001:7b8:616:162:2::117`
+:MAC address: :mac:`00:ff:cc:ce:0d:24` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+.. index::
+ single: Monitoring; Motion
+
+Monitoring
+----------
+
+:internal checks: :monitor:`motion.infra.cacert.org`
+:external checks: :monitor:`motion.cacert.org`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Motion
+
+======================== ======== ====================================================================
+Name Type Content
+======================== ======== ====================================================================
+motion.cacert.org. IN A 213.154.225.241
+motion.cacert.org. IN AAAA 2001:7b8:616:162:2::241
+motion.cacert.org. IN SSHFP 1 1 f018202c72749af5f48d45d5d536422f9c364fbb
+motion.cacert.org. IN SSHFP 1 2 0d17bbfe2efa97edbb13ffe3e6bfd3b4b9be5117f3c831a2f1a55b6c50e92fd4
+motion.cacert.org. IN SSHFP 2 1 ee6f2e346a5d5164100721f99765a4d3d08c6dce
+motion.cacert.org. IN SSHFP 2 2 53dedfd2c566011db80311528eba15fd000b0a5092ab1fc8104ca5804490cd18
+motion.cacert.org. IN SSHFP 3 1 6d4a9ec30f30aa0634b8879cded8ce884498e290
+motion.cacert.org. IN SSHFP 3 2 325ee301da21844adb8f12c0011b8d73709be8b2b9f375829224ac79c8fdfa6e
+motion.cacert.org. IN SSHFP 4 1 78e1edee04907de6b56d9c0d4900178f9426c02d
+motion.cacert.org. IN SSHFP 4 2 ca108fc298cb08406fe02454d9245ee1cf26c7241691da9a5b6bc69c56afd5c1
+motion.infra.cacert.org. IN A 10.0.0.117
+======================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.9
+
+* Debian GNU/Linux 9.9
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+----------------------------+
+| 8443/tcp | https | ANY | board motion application |
++----------+---------+---------+----------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service |
++----------+---------+---------+----------------------------+
+
+The board motion system is reachable via :doc:`proxyin`. SSH is forwarded from
+port 11722 on the public IP addresses.
+
+Running services
+----------------
+
+.. index::
+ single: cacert-boardvoting
+ single: cron
+ single: dbus
+ single: exim4
+ single: icinga2
+ single: openssh
+ single: puppet
+ single: rsyslog
+
++--------------------+--------------------------+---------------------------------------------+
+| Service | Usage | Start mechanism |
++====================+==========================+=============================================+
+| cacert-boardvoting | application | systemd unit ``cacert-boardvoting.service`` |
++--------------------+--------------------------+---------------------------------------------+
+| cron | job scheduler | systemd unit ``cron.service`` |
++--------------------+--------------------------+---------------------------------------------+
+| dbus-daemon | System message bus | systemd unit ``dbus.service`` |
+| | daemon | |
++--------------------+--------------------------+---------------------------------------------+
+| Exim | SMTP server for | systemd unit ``exim4.service`` |
+| | local mail | |
+| | submission | |
++--------------------+--------------------------+---------------------------------------------+
+| icinga2 | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++--------------------+--------------------------+---------------------------------------------+
+| openssh server | ssh daemon for | systemd unit ``ssh.service`` |
+| | remote | |
+| | administration | |
++--------------------+--------------------------+---------------------------------------------+
+| Puppet agent | configuration | systemd unit ``puppet.service`` |
+| | management agent | |
++--------------------+--------------------------+---------------------------------------------+
+| rsyslog | syslog daemon | systemd unit ``rsyslog.service`` |
++--------------------+--------------------------+---------------------------------------------+
+
+Databases
+---------
+
++--------+------------------------------------------------------+--------------------+
+| RDBMS | Name | Used for |
++========+======================================================+====================+
+| SQLite | :file:`/srv/cacert-boardvoting/data/database.sqlite` | cacert-boardvoting |
++--------+------------------------------------------------------+--------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`proxyin` for incoming application traffic
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolver at 10.0.0.1 (:doc:`infra02`)
+* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
+* :doc:`proxyout` as HTTP proxy for APT and Puppet
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:DRe7/i76l+27E//j5r/TtLm+URfzyDGi8aVbbFDpL9Q MD5:8a:a8:61:d2:07:79:27:6a:37:f8:30:2a:36:aa:d9:4f
+ :DSA: SHA256:U97f0sVmAR24AxFSjroV/QALClCSqx/IEEylgESQzRg MD5:ec:76:0a:d5:5e:ff:29:1e:f4:b4:78:5f:5e:0f:2a:af
+ :ECDSA: SHA256:Ml7jAdohhErbjxLAARuNc3Cb6LK583WCkiSsecj9+m4 MD5:3f:38:14:95:9e:fb:10:79:c5:72:d6:c6:79:a8:84:cf
+ :ED25519: SHA256:yhCPwpjLCEBv4CRU2SRe4c8mxyQWkdqaW2vGnFav1cE MD5:c5:40:79:42:09:9d:5e:47:45:d6:ab:e9:58:af:eb:26
+
+Dedicated user roles
+--------------------
+
+* None
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* Board motion system
+
+ The system runs the board motion system developed in the
+ :cacertgit:`cacert-boardvoting`.
+
+ The software is installed from a Debian package that is hosted on
+ :doc:`webstatic`.
+
+ The sofware is built on :doc:`jenkins` via the `cacert-boardvoting Job`_ when
+ there are changes in Git. The Debian package can be built using
+ :program:`gbp`.
+
+ The software is installed and configured via Puppet.
+
+ .. _cacert-boardvoting Job: https://jenkins.cacert.org/job/cacert-boardvoting/
+ .. todo:: describe more in-depth how to build the Debian package
+
+Risk assessments on critical packages
+-------------------------------------
+
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
+The system is stripped down to the bare minimum. The CAcert board voting system
+software is developed using `Go <https://golang.org/>`_ which handles a lot of
+common programming errors at compile time and has a quite good security track
+record.
+
+The board motion tool is run as a separate system user ``cacert-boardvoting``
+and is built as a small self-contained static binary. Access is restricted via
+https.
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: motion.cacert.org
+ :altnames: DNS:motion.cacert.org
+ :certfile: /srv/cacert-boardvoting/data/server.crt
+ :keyfile: /srv/cacert-boardvoting/data/server.key
+ :serial: 02D8A3
+ :expiration: Aug 01 18:06:22 2021 GMT
+ :sha1fp: 90:B8:A7:CE:ED:56:94:D0:58:7B:65:94:FF:D5:5A:43:08:2C:2A:62
+ :issuer: CAcert Class 3 Root
+
+* :file:`/srv/cacert-boardvoting/data/cacert_class3.pem` CAcert class 3 CA
+ certificate (allowed CA certificate for client certificates)
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+cacert-boardvoting configuration
+--------------------------------
+
+:program:`cacert-boardvoting` is configured via Puppet profile
+``profiles::cacert-boardvoting``.
+
+Tasks
+=====
+
+Add/Remove voters
+-----------------
+
+An :term:`Application Administrator` can add and remove voters from the CAcert
+board voting system using the :program:`sqlite3` program:
+
+.. code-block:: bash
+
+ cd /srv/cacert-boardvoting/data
+ # open database
+ sqlite3 database.sqlite
+
+.. code-block:: sql
+
+ -- find existing voters
+ select * from voters where enabled=1;
+
+ -- disable voters that should not be able to vote using Ids from the result
+ -- of the previous query
+ update voters set enabled=0 where id in (1, 2, 3);
+
+ -- find existing accounts of voter John Doe and Jane Smith
+ select * from voters where name like 'John%' or name like 'Jane%';
+
+ -- John has an account with id 4, Jane is not in the system
+ -- enable John
+ update voters set enabled=1 where id=4;
+
+ -- insert Jane
+ insert into voters (name, enabled, reminder) values ('Jane Doe', 1,
+ 'jane.doe@cacert.org');
+
+ -- find voter id for Jane
+ select id from voters where name='Jane Doe';
+
+ -- Jane has id 42
+ -- insert email address mapping for Jane (used for authentication)
+ insert into emails (voter, address) values (42, 'jane.doe@cacert.org');
+
+Changes
+=======
+
+Planned
+-------
+
+.. todo:: update to Debian 10 (when Puppet is available)
+.. todo:: implement user administration inside the application
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+
+References
+----------
+
+* https://git.cacert.org/gitweb/?p=cacert-boardvoting.git;a=blob_plain;f=README.md;hb=HEAD
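Review bot: the listening-services table gives Origin `ANY` for 8443/tcp, yet the host has no Internet or Intranet address and the sentence below the table says the application is reachable only via :doc:`proxyin`; record the origin as `proxyin` (as the icinga2 row does with `monitor`) so the intended firewall scope is documented and any wider exposure stands out. The statement that SSH "is forwarded from port 11722 on the public IP addresses" should name the host doing the forwarding, since proxyin.rst in this same commit lists no such port. Smaller points: "sofware" in the Non-distribution packages section should read "software", and "Access is restricted via https" understates what the Keys section and the `emails` mapping in the Tasks section imply, namely authentication by a CAcert Class 3 client certificate matched to a voter's e-mail address; say that explicitly.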
diff --git a/docs/systems/proxyin.rst b/docs/systems/proxyin.rst
new file mode 100644
index 0000000..805602c
--- /dev/null
+++ b/docs/systems/proxyin.rst
@@ -0,0 +1,287 @@
+.. index::
+ single: Systems; Proxyin
+
+=======
+Proxyin
+=======
+
+Purpose
+=======
+
+This system provides an incoming TLS proxy using `sniproxy`_ to share one
+public IPv4 address between multiple services.
+
+.. _sniproxy: https://github.com/dlundquist/sniproxy
+
+Application Links
+-----------------
+
+No direct links, applications run on other systems.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+Application Administration
+--------------------------
+
++-------------+---------------------+
+| Application | Administrator(s) |
++=============+=====================+
+| sniproxy | :ref:`people_jandd` |
++-------------+---------------------+
+
+Contact
+-------
+
+* proxyin-admin@cacert.org
+
+Additional People
+-----------------
+
+No other people have :program:`sudo` access on that machine.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.241`
+:IP Intranet: :ip:v4:`172.16.2.241`
+:IP Internal: :ip:v4:`10.0.0.35`
+:IPv6: :ip:v6:`2001:7b8:616:162:2::35`
+:MAC address: :mac:`00:16:3e:3c:c8:a6` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+.. index::
+ single: Monitoring; Proxyin
+
+Monitoring
+----------
+
+:internal checks: :monitor:`proxyin.infra.cacert.org`
+:external checks: :monitor:`proxyin.cacert.org`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Proxyin
+
+========================= ======== =====================================================================
+Name Type Content
+========================= ======== =====================================================================
+proxyin.cacert.org. IN A 213.154.225.241
+proxyin.cacert.org. IN AAAA 2001:7b8:616:162:2::35
+proxyin.cacert.org. IN SSHFP 1 1 c7c559bc06d236b4128e6d720a573d805a27727a
+proxyin.cacert.org. IN SSHFP 1 2 affa8cc26dffa7f0803db2d027ab23f013aeabfb3b2d1b1a16659e38dba14528
+proxyin.cacert.org. IN SSHFP 2 1 19bb944a917067131f02be4e9a709ade68c260f8
+proxyin.cacert.org. IN SSHFP 2 2 b9b5860f3427ea9c3460c62a880527a41470c77000e5083ffffb7defa0d42e4e
+proxyin.cacert.org. IN SSHFP 3 1 b9581a544ca96fe071341acb450a2cf74b1b7c9f
+proxyin.cacert.org. IN SSHFP 3 2 be3dd21fde37042659a25143cb5171b39d22ea2c846745af9c098003a9004185
+proxyin.cacert.org. IN SSHFP 4 1 9b4ba8c78b6585abaf2b46bce78a6f366f1e9bac
+proxyin.cacert.org. IN SSHFP 4 2 59125e8706a208fa8eed2b5994ec60f7ba8e31b1c26d90ce909d78a0027359ef
+proxyin.intra.cacert.org. IN A 172.16.2.241
+proxyin.infra.cacert.org. IN A 10.0.0.35
+========================= ======== =====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Codename
+ single: Debian GNU/Linux; 9.9
+
+* Debian GNU/Linux 9.9
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+----------------------------+
+| 80/tcp | http | ANY | sniproxy |
++----------+---------+---------+----------------------------+
+| 443/tcp | https | ANY | sniproxy |
++----------+---------+---------+----------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service |
++----------+---------+---------+----------------------------+
+| 8080/tcp | http | local | nginx |
++----------+---------+---------+----------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: cron
+ single: dbus
+ single: exim4
+ single: icinga2
+ single: nginx
+ single: openssh
+ single: puppet
+ single: rsyslog
+ single: sniproxy
+
++----------------+--------------------------+-----------------------------------+
+| Service | Usage | Start mechanism |
++================+==========================+===================================+
+| cron | job scheduler | systemd unit ``cron.service`` |
++----------------+--------------------------+-----------------------------------+
+| dbus-daemon | System message bus | systemd unit ``dbus.service`` |
+| | daemon | |
++----------------+--------------------------+-----------------------------------+
+| Exim | SMTP server for | systemd unit ``exim4.service`` |
+| | local mail submission | |
++----------------+--------------------------+-----------------------------------+
+| icinga2 | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+-----------------------------------+
+| openssh server | ssh daemon for | systemd unit ``ssh.service`` |
+| | remote administration | |
++----------------+--------------------------+-----------------------------------+
+| Puppet agent | configuration | systemd unit ``puppet.service`` |
+| | management agent | |
++----------------+--------------------------+-----------------------------------+
+| sniproxy | TLS SNI proxy | systemd unit ``sniproxy.service`` |
++----------------+--------------------------+-----------------------------------+
+| rsyslog | syslog daemon | systemd unit ``rsyslog.service`` |
++----------------+--------------------------+-----------------------------------+
+
+Databases
+---------
+
+* None
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolver at 10.0.0.1 (:doc:`infra02`)
+* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
+* :doc:`proxyout` as HTTP proxy for APT
+* :doc:`motion` (tcp/8443) as backend for https://motion.cacert.org/
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:r/qMwm3/p/CAPbLQJ6sj8BOuq/s7LRsaFmWeONuhRSg MD5:9d:ab:4f:2d:48:81:a1:86:68:99:8a:49:d5:01:07:6f
+ :DSA: SHA256:ubWGDzQn6pw0YMYqiAUnpBRwx3AA5Qg///t976DULk4 MD5:2c:33:c7:bd:f2:6b:1a:03:ea:cd:c3:da:d8:a7:fa:c2
+ :ECDSA: SHA256:vj3SH943BCZZolFDy1Fxs50i6iyEZ0WvnAmAA6kAQYU MD5:7d:ac:f4:ce:fb:4f:17:72:4d:5a:c4:b4:08:5d:8b:7c
+ :ED25519: SHA256:WRJehwaiCPqO7StZlOxg97qOMbHCbZDOkJ14oAJzWe8 MD5:14:6d:9e:24:de:97:f7:96:bc:cd:45:28:1b:b5:52:7e
+
+Dedicated user roles
+--------------------
+
+* None
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* sniproxy has been installed from Debian buster because it was not available in Stretch.
+
+Risk assessments on critical packages
+-------------------------------------
+
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
+The system is stripped down to the bare minimum. Both :program:`sniproxy` and
+:program:`nginx` are security supported. The :program:`nginx-light` package is
+used for `nginx` because no special features are required.
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
+Keys and X.509 certificates
+---------------------------
+
+The host does not provide own TLS services and therefore has no certificates.
+
+nginx configuration
+-------------------
+
+:program:`nginx` is configured via Puppet profile ``profiles::sniproxy`` and
+just redirects all http traffic to https.
+
+sniproxy configuration
+----------------------
+
+:program:`sniproxy` is configured via Puppet profile ``profiles::sniproxy``,
+TCP traffic on port 80 is forwarded to the local nginx and https traffic is
+forwarded to the target hosts as configured in
+:file:`hieradata/nodes/proxyin.yaml`.
+
+Tasks
+=====
+
+Adding a new forward entry
+--------------------------
+
+Add a line to the ``profiles::sniproxy::https_forwards`` item in Hiera data and
+adjust the firewall configuration on :doc:`infra02`.
+
+Changes
+=======
+
+Planned
+-------
+
+.. todo:: update to Debian 10 (when Puppet is available)
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+
+References
+----------
+
+* https://github.com/dlundquist/sniproxy
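Review bot: the risk assessment claims that both sniproxy and nginx are security supported, but the Non-distribution packages section says sniproxy was installed from Debian buster on a stretch host; a package taken from a newer release is not covered by stretch security updates, so either describe how buster updates for sniproxy are tracked (pinning, rebuilds) or qualify the claim. Also, Connected Systems lists only :doc:`monitor`, while motion.rst in this commit lists proxyin as a connected system; add :doc:`motion` here for symmetry (it already appears under outbound connections).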
diff --git a/docs/systems/web.rst b/docs/systems/web.rst
index 4be3549..07a9dce 100644
--- a/docs/systems/web.rst
+++ b/docs/systems/web.rst
@@ -219,7 +219,7 @@ Critical Configuration items
============================
The system configuration is managed via Puppet profiles. There should be no
-configuration items outside of the Puppet repository.
+configuration items outside of the :cacertgit:`cacert-puppet`.
.. todo:: move configuration of :doc:`web` to Puppet code
diff --git a/docs/systems/webstatic.rst b/docs/systems/webstatic.rst
index 8892a0b..de2c616 100644
--- a/docs/systems/webstatic.rst
+++ b/docs/systems/webstatic.rst
@@ -24,6 +24,9 @@ Funding
Infrastructure Documentation
https://infradocs.cacert.org/
+CAcert internal Debian repository
+ https://webstatic.infra.cacert.org/
+
Administration
==============
@@ -116,9 +119,9 @@ Operating System
.. index::
single: Debian GNU/Linux; Stretch
- single: Debian GNU/Linux; 9.4
+ single: Debian GNU/Linux; 9.9
-* Debian GNU/Linux 9.4
+* Debian GNU/Linux 9.9
Applicable Documentation
------------------------
@@ -213,13 +216,15 @@ Dedicated user roles
--------------------
+-------------------+---------------------------------------------------+
-| Group | Purpose |
+| Role | Purpose |
+===================+===================================================+
| jenkins-infradocs | Used by :doc:`jenkins` to upload documentation to |
| | :file:`/var/www/codedocs.cacert.org/html/` and |
| | :file:`/var/www/infradocs.cacert.org/html/` |
+-------------------+---------------------------------------------------+
+.. todo:: manage ``jenkins-infradocs`` user via Puppet
+
Non-distribution packages and modifications
-------------------------------------------
@@ -244,40 +249,31 @@ Critical Configuration items
============================
The system configuration is managed via Puppet profiles. There should be no
-configuration items outside of the Puppet repository.
-
-.. todo:: move configuration of :doc:`webstatic` to Puppet code
+configuration items outside of the :cacertgit:`cacert-puppet`.
Keys and X.509 certificates
---------------------------
-The host does not provide TLS services and therefore has no certificates.
-
-.. todo::
- move the TLS configuration for the served VirtualHosts to :doc:`webstatic`
+The host does not provide own TLS services and therefore has no certificates.
Apache httpd configuration
--------------------------
-The main configuration files for Apache httpd are:
-
-* :file:`/etc/apache2/sites-available/000-default.conf`
-
- Defines the default VirtualHost for requests reaching this host with no
- specifically handled host name.
-
-* :file:`/etc/apache2/sites-available/codedocs.cacert.org.conf`
-
- Defines the VirtualHost for https://codedocs.cacert.org/
-
-* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`
-
- Defines the VirtualHost for https://funding.cacert.org/
+Apache configuration is managed via the Puppet profile
+``profiles::static_websites``.
-* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`
+Debian repository configuration
+-------------------------------
- Defines the VirtualHost for https://infradocs.cacert.org/
+The Debian repository is managed via the Puppet profile
+``profiles::debarchive``. Packages that are uploaded to
+:file:`/srv/upload/incoming` are automatically processed by
+:program:`inoticoming` and :program:`reprepro`. Only packages signed by a known
+PGP key (managed via Puppet) are accepted and provided at
+https://webstatic.infra.cacert.org/.
+The repository signing key is stored in
+:file:`/srv/debarchive/.gnupg/private-keys-v1.d/223894064EE26851A245DE9208C5C0ABF772F7A7.key`.
Tasks
=====
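Review bot: the Keys section now states the host has no certificates, but the Application Links added in this patch point to https://webstatic.infra.cacert.org/, an internal name; say where TLS for that name is terminated (or which host holds its certificate), otherwise the removed todo about VirtualHost TLS configuration leaves a gap. In the Debian repository paragraph, the file path of the private signing key is less useful to readers than the key's public fingerprint or ID and the place in Puppet where the accepted uploader keys are managed; consider adding those, and wrap the long :file: line to the column width used elsewhere in the file.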
@@ -288,7 +284,7 @@ Changes
Planned
-------
-.. todo:: manage the webstatic system using Puppet
+.. todo:: update to Debian 10 (when Puppet is available)
System Future
-------------
@@ -306,3 +302,5 @@ References
----------
* http://httpd.apache.org/docs/2.4/
+* https://manpages.debian.org/buster/inoticoming/inoticoming.1.en.html
+* https://manpages.debian.org/buster/reprepro/reprepro.1.en.html