authorJan Dittberner <jan@dittberner.info>2016-05-03 15:11:57 +0200
committerJan Dittberner <jan@dittberner.info>2016-05-03 15:11:57 +0200
commit65e0f67ca1ffba005cbddb18f1f44ab3487275d1 (patch)
treecc8f87651955bd680d0f5a16c0462a98c5c80f01 /docs
parent7d7c8ba26bd434a5adf98ba83d1733d4ee795ec3 (diff)
Add board system documentation
This commit adds documentation for the board.cacert.org container. Documentation is based on the Wiki documentation at https://wiki.cacert.org/SystemAdministration/Systems/Board and information gathered from the running system. The patches to OpenERP are stored in separate files to allow using them on top of an unpacked OpenERP tree.
Diffstat (limited to 'docs')
-rw-r--r--docs/certlist.rst25
-rw-r--r--docs/patches/openerp/account.py.patch27
-rw-r--r--docs/patches/openerp/account_followup_paypal.patch38
-rw-r--r--docs/patches/openerp/account_followup_print.patch10
-rw-r--r--docs/patches/openerp/invoice.py.patch10
-rw-r--r--docs/patches/openerp/py.js.patch18
-rw-r--r--docs/patches/openerp/view_form.js.patch15
-rw-r--r--docs/systems.rst1
-rw-r--r--docs/systems/board.rst368
9 files changed, 512 insertions, 0 deletions
diff --git a/docs/certlist.rst b/docs/certlist.rst
index e8c5fb2..754be42 100644
--- a/docs/certlist.rst
+++ b/docs/certlist.rst
@@ -25,3 +25,28 @@ blog.cacert.org
+------------------+------------------------------------------------------------------------+
| SHA1 Fingerprint | ``69:A5:5F:3E:1B:D8:2E:CB:B3:AB:0B:E9:81:A6:CF:31:DF:C8:A4:5F`` |
+------------------+------------------------------------------------------------------------+
+
+.. _cert_board_cacert_org:
+
+board.cacert.org
+================
+
+.. index::
+ ! single: Certificate; Board
+
++------------------+--------------------------------------------------------------------+
+| Common Name | board.cacert.org |
++==================+====================================================================+
+| Subject Altnames | none |
++------------------+--------------------------------------------------------------------+
+| Key kept at | :doc:`board <systems/board>`:file:`/etc/ssl/private/board.key.pem` |
++------------------+--------------------------------------------------------------------+
+| Cert kept at | :doc:`board <systems/board>`:file:`/etc/ssl/certs/board.crt` |
++------------------+--------------------------------------------------------------------+
+| Serial Number | 1173561 (0x11e839) |
++------------------+--------------------------------------------------------------------+
+| Expiration date | Mar 31 16:47:11 2018 GMT |
++------------------+--------------------------------------------------------------------+
+| SHA1 Fingerprint | ``2C:AC:8C:F8:D6:4A:9E:1D:B0:35:B8:E4:5E:24:B1:43:E3:69:98:46`` |
++------------------+--------------------------------------------------------------------+
+
diff --git a/docs/patches/openerp/account.py.patch b/docs/patches/openerp/account.py.patch
new file mode 100644
index 0000000..c0157fe
--- /dev/null
+++ b/docs/patches/openerp/account.py.patch
@@ -0,0 +1,27 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account/account.py 2015-01-25 22:56:20.528382003 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account/account.py 2015-01-25 23:32:37.088302059 +0000
+@@ -234,7 +234,7 @@
+ pos = 0
+ while pos < len(domain):
+ if domain[pos][0] == 'code' and domain[pos][1] in ('like', 'ilike') and domain[pos][2]:
+- domain[pos] = ('code', '=like', tools.ustr(domain[pos][2].replace('%', '')) + '%')
++ domain[pos] = ('code', '=ilike', tools.ustr(domain[pos][2].replace('%', '')) + '%')
+ if domain[pos][0] == 'journal_id':
+ if not domain[pos][2]:
+ del domain[pos]
+@@ -583,13 +583,13 @@
+ pass
+ if name:
+ if operator not in expression.NEGATIVE_TERM_OPERATORS:
+- ids = self.search(cr, user, ['|', ('code', '=like', name+"%"), '|', ('shortcut', '=', name), ('name', operator, name)]+args, limit=limit)
++ ids = self.search(cr, user, ['|', ('code', '=ilike', name+"%"), '|', ('shortcut', '=', name), ('name', operator, name)]+args, limit=limit)
+ if not ids and len(name.split()) >= 2:
+ #Separating code and name of account for searching
+ operand1,operand2 = name.split(' ',1) #name can contain spaces e.g. OpenERP S.A.
+ ids = self.search(cr, user, [('code', operator, operand1), ('name', operator, operand2)]+ args, limit=limit)
+ else:
+- ids = self.search(cr, user, ['&','!', ('code', '=like', name+"%"), ('name', operator, name)]+args, limit=limit)
++ ids = self.search(cr, user, ['&','!', ('code', '=ilike', name+"%"), ('name', operator, name)]+args, limit=limit)
+ # as negation want to restric, do if already have results
+ if ids and len(name.split()) >= 2:
+ operand1,operand2 = name.split(' ',1) #name can contain spaces e.g. OpenERP S.A.
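Review bot: The two new `=ilike` domains in name_search still append `%` to the caller-supplied `name` without stripping wildcard characters, so a search term containing `%` or `_` matches more account codes than the user typed; the first hunk of the same patch already sanitizes its term with `.replace('%', '')`, and the same treatment here, `('code', '=ilike', name.replace('%', '') + "%")`, would keep both paths consistent. Case-insensitive matching is presumably the intent of the `=like` to `=ilike` switch, but it also merges account codes that differ only by case, so a one-line header comment in the patch stating why CAcert needs it would stop the next OpenERP upgrade from silently dropping it. The enclosing name_search method starts and ends outside the hunk.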
diff --git a/docs/patches/openerp/account_followup_paypal.patch b/docs/patches/openerp/account_followup_paypal.patch
new file mode 100644
index 0000000..9ac9958
--- /dev/null
+++ b/docs/patches/openerp/account_followup_paypal.patch
@@ -0,0 +1,38 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py 2015-01-25 18:39:56.719266967 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py 2015-01-25 18:41:39.620003461 +0000
+@@ -21,6 +21,7 @@
+
+ from openerp.osv import fields, osv
+ from lxml import etree
++from urllib import urlencode
+
+ from openerp.tools.translate import _
+
+@@ -274,10 +275,25 @@
+ strbegin = "<TD><B>"
+ strend = "</B></TD>"
+ followup_table +="<TR>" + strbegin + str(aml['date']) + strend + strbegin + aml['name'] + strend + strbegin + (aml['ref'] or '') + strend + strbegin + str(date) + strend + strbegin + str(aml['balance']) + strend + strbegin + block + strend + "</TR>"
+- total = rml_parse.formatLang(total, dp='Account', currency_obj=currency)
+ followup_table += '''<tr> </tr>
+ </table>
+- <center>''' + _("Amount due") + ''' : %s </center>''' % (total)
++ <center>''' + _("Amount due") + ''' : %s </center>''' % (rml_parse.formatLang(total, dp='Account', currency_obj=currency))
++ # Add PayPal link if available to allow direct payment
++ if company.paypal_account:
++ params = {
++ "cmd": "_xclick",
++ "business": company.paypal_account,
++ "item_name": "%s Amount Due in %s" % (company.name, currency.name or ''),
++ "invoice": currency_dict['line'][0]['name'],
++ "amount": total,
++ "currency_code": currency.name,
++ "button_subtype": "services",
++ "bn": "OpenERP_Invoice_PayNow_" + currency.name,
++ }
++ followup_table += '''
++ <center><a href="%s">
++ <img class="oe_edi_paypal_button" src="https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif" alt="Pay directly with PayPal"/>
++ </a></center>''' % ("https://www.paypal.com/cgi-bin/webscr?" + urlencode(params))
+ return followup_table
+
+ def write(self, cr, uid, ids, vals, context=None):
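Review bot: The new PayPal block guards `currency.name` with `or ''` when building `item_name` but then uses the bare `currency.name` for `currency_code` and in the string concatenation for `bn`, so a currency without a name raises `TypeError` on the `bn` line instead of producing a link; bind it once, `cur = currency.name or ''`, and use `cur` in all three places. The href is built from `urlencode(params)` and dropped into the HTML attribute without HTML escaping, so the `&` separators are emitted raw inside the attribute; wrapping the URL with `cgi.escape(url, quote=True)` (available on this Python 2.7 tree) makes the markup well-formed. `currency_dict['line'][0]['name']` is used as the PayPal invoice reference, and I cannot see from the hunk whether `line` is guaranteed non-empty at this point, so confirm that or guard the index. The enclosing method begins and continues outside the hunk.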
diff --git a/docs/patches/openerp/account_followup_print.patch b/docs/patches/openerp/account_followup_print.patch
new file mode 100644
index 0000000..a0b83d0
--- /dev/null
+++ b/docs/patches/openerp/account_followup_print.patch
@@ -0,0 +1,10 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py 2015-04-20 01:07:31.357995387 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py 2015-04-20 01:09:21.314693739 +0000
+@@ -58,7 +58,6 @@
+ ('reconcile_id', '=', False),
+ ('state', '!=', 'draft'),
+ ('company_id', '=', company_id),
+- ('date_maturity', '<=', fields.date.context_today(self,self.cr,self.uid)),
+ ])
+
+ # lines_per_currency = {currency: [line data, ...], ...}
diff --git a/docs/patches/openerp/invoice.py.patch b/docs/patches/openerp/invoice.py.patch
new file mode 100644
index 0000000..93f1217
--- /dev/null
+++ b/docs/patches/openerp/invoice.py.patch
@@ -0,0 +1,10 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py 2014-07-19 14:44:57.389199363 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py 2014-07-19 14:45:21.745410574 +0000
+@@ -271,7 +271,6 @@
+ "amount": inv.residual,
+ "currency_code": inv.currency_id.name,
+ "button_subtype": "services",
+- "no_note": "1",
+ "bn": "OpenERP_Invoice_PayNow_" + inv.currency_id.name,
+ }
+ res[inv.id] = "https://www.paypal.com/cgi-bin/webscr?" + url_encode(params)
diff --git a/docs/patches/openerp/py.js.patch b/docs/patches/openerp/py.js.patch
new file mode 100644
index 0000000..a172396
--- /dev/null
+++ b/docs/patches/openerp/py.js.patch
@@ -0,0 +1,18 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js 2013-06-16 23:26:30.660384152 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js 2013-06-16 23:30:02.035589446 +0000
+@@ -764,7 +764,14 @@
+
+ // Conversion
+ toJSON: function () {
+- throw new Error(this.constructor.name + ' can not be converted to JSON');
++ var out = {};
++ for(var k in this) {
++ if (this.hasOwnProperty(k) && !/^__/.test(k)) {
++ var val = this[k];
++ out[k] = val.toJSON ? val.toJSON() : val;
++ }
++ }
++ return out;
+ }
+ });
+ var NoneType = py.type('NoneType', null, {
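Review bot: `val.toJSON ? val.toJSON() : val` in the new toJSON body throws a TypeError when a property holds `null` or `undefined`, because the property access fails before the ternary is evaluated; `out[k] = (val != null && typeof val.toJSON === 'function') ? val.toJSON() : val;` handles both. The rewrite also replaces upstream's deliberate throw with a generic dump of every own non-dunder property, so any py.js object now serializes whatever it carries; a one-line comment naming the object types this was added for would help the next maintainer judge whether that is still wanted. `this.hasOwnProperty(k)` can be shadowed by a py.js object that defines its own `hasOwnProperty`, so `Object.prototype.hasOwnProperty.call(this, k)` is the safer form.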
diff --git a/docs/patches/openerp/view_form.js.patch b/docs/patches/openerp/view_form.js.patch
new file mode 100644
index 0000000..8628865
--- /dev/null
+++ b/docs/patches/openerp/view_form.js.patch
@@ -0,0 +1,15 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js 2013-01-29 15:03:35.053098527 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js 2013-01-29 15:08:27.372588389 +0000
+@@ -3176,7 +3176,11 @@
+ if (! no_recurse) {
+ var dataset = new instance.web.DataSetStatic(this, this.field.relation, self.build_context());
+ dataset.name_get([self.get("value")]).done(function(data) {
+- self.display_value["" + self.get("value")] = data[0][1];
++ var value = "";
++ if (data.length > 0 && data[0].length > 1) {
++ value = data[0][1];
++ }
++ self.display_value["" + self.get("value")] = value;
+ self.render_value(true);
+ });
+ }
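Review bot: The new guard checks `data.length` and `data[0].length` but not whether `data` or `data[0]` is itself defined, so a name_get that resolves with no payload still throws on the first condition; `if (data && data[0] && data[0].length > 1)` covers the original cases plus those. A short comment naming the situation that produced the empty result (presumably a record the user cannot read, or one that was deleted) would make the "check whether the form display issue has been fixed upstream" todo in board.rst verifiable. The enclosing callback and the method around it both extend outside the hunk.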
diff --git a/docs/systems.rst b/docs/systems.rst
index fb2db35..6489a86 100644
--- a/docs/systems.rst
+++ b/docs/systems.rst
@@ -7,6 +7,7 @@ Systems
systems/infra02
systems/arbitration
systems/blog
+ systems/board
systems/emailout
systems/monitor
diff --git a/docs/systems/board.rst b/docs/systems/board.rst
new file mode 100644
index 0000000..3fdbc3b
--- /dev/null
+++ b/docs/systems/board.rst
@@ -0,0 +1,368 @@
+.. index::
+ single: Systems; Board
+
+=====
+Board
+=====
+
+Purpose
+=======
+
+This systems hosts an OpenERP instance available at board.cacert.org.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: `Gero Treuner`_
+* Secondary: None
+
+.. todo:: find an additional admin
+
+.. _Gero Treuner: gero.treuner@cacert.org
+
+Application Administration
+--------------------------
+
+* OpenERP: `Gero Treuner`_, `Michael Tänzer`_, Treasurer
+
+.. note:: use personalized accounts only
+
+Contact
+-------
+
+* board-admin@cacert.org
+
+Additional People
+-----------------
+
+`Jan Dittberner`_, `Mario Lipinski`_ and `Michael Tänzer`_ have :program:`sudo`
+access on that machine too.
+
+.. _Jan Dittberner: jandd@cacert.org
+.. _Mario Lipinski: mario@cacert.org
+.. _Michael Tänzer: michael.taenzer@cacert.org
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.252`
+:IP Intranet: :ip:v4:`172.16.2.34`
+:IP Internal: :ip:v4:`10.0.0.34`
+:MAC address: :mac:`00:ff:80:a9:e8:4d` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; <machine>
+
+====================== ======== ============================================
+Name Type Content
+====================== ======== ============================================
+board.cacert.org. IN A 213.154.225.252
+board.cacert.org. IN SSHFP 1 1 F5C02A860A1CC07AEEFBF802540680C7476BDE6E
+board.cacert.org. IN SSHFP 2 1 7B6EEB0CCDFB2E2CFE479E0AECE36FF995FDD1F4
+board.intra.cacert.org IN A 172.16.2.34
+====================== ======== ============================================
+
+.. seealso::
+
+ See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.10
+
+* Debian GNU/Linux 7.10
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+---------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+=================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+---------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+---------------------------------+
+| 80/tcp | http | ANY | Webserver redirecting to HTTPS |
++----------+---------+---------+---------------------------------+
+| 443/tcp | https | ANY | Webserver for OpenERP |
++----------+---------+---------+---------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+---------------------------------+
+| 5432/tcp | pgsql | local | PostgreSQL database for OpenERP |
++----------+---------+---------+---------------------------------+
+| 8069/tcp | xmlrpc | local | OpenERP XML-RPC service |
++----------+---------+---------+---------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: openssh
+ single: Apache
+ single: cron
+ single: PostgreSQL
+ single: OpenERP
+ single: Postfix
+ single: nrpe
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for | init script |
+| | OpenERP | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL | PostgreSQL | init script |
+| | database server | :file:`/etc/init.d/postgresql` |
+| | for OpenERP | |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+| OpenERP server | OpenERP WSGI | init script |
+| | application | :file:`/etc/init.d/openerp` |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++------------+---------+----------+
+| RDBMS | Name | Used for |
++============+=========+==========+
+| PostgreSQL | openerp | OpenERP |
++------------+---------+----------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* HTTP (80/tcp) to nightly.openerp.com
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* crl.cacert.org (rsync) for getting CRLs
+
+Security
+========
+
+SSH host keys
+-------------
+
++-----------+-----------------------------------------------------+
+| Algorithm | Fingerprint |
++===========+=====================================================+
+| RSA | ``c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1`` |
++-----------+-----------------------------------------------------+
+| DSA | ``f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3`` |
++-----------+-----------------------------------------------------+
+| ECDSA | ``0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac`` |
++-----------+-----------------------------------------------------+
+| ED25519 | \- |
++-----------+-----------------------------------------------------+
+
+.. todo:: setup ED25519 host key
+
+.. seealso::
+
+ See :doc:`../sshkeys`
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+:program:`OpenERP` is installed from non-distribution packages from
+http://nightly.openerp.com/7.0/nightly/deb/. The package source is disabled in
+:file:`/etc/apt/sources.lists.d/openerp.list` to avoid accidential updates that
+cause damage to the customization.
+
+Local modifications to OpenERP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+OpenERP has been modified. The init script :file:`/etc/init.d/openerp` has the
+following line added to the :func:`do_start()` function to make a request to
+the OpenERP daemon that causes that daemon to load its configuration and start
+regular cleanup tasks (like sending scheduled mails):
+
+.. code:: bash
+
+ sleep 1; curl --silent localhost:8069 > /dev/null
+
+Some files have been patched to either fix bugs in the upstream OpenERP code or
+to add customizations for CAcert's needs.
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js`
+
+.. literalinclude:: ../patches/openerp/py.js.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/account.py`
+
+.. literalinclude:: ../patches/openerp/account.py.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py`
+
+.. literalinclude:: ../patches/openerp/invoice.py.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py`
+
+This patch includes a Paypal link in payment reminders.
+
+.. literalinclude:: ../patches/openerp/account_followup_paypal.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py`
+
+This patch causes OpenERP to include non-overdue but open payments in reminders.
+
+.. literalinclude:: ../patches/openerp/account_followup_print.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js`
+
+Fix form display.
+
+.. todo:: check whether the form display issue has been fixed upstream
+
+.. literalinclude:: ../patches/openerp/view_form.js.patch
+ :language: diff
+
+Risk assessments on critical packages
+-------------------------------------
+
+Using a customized OpenERP version that is not updated causes a small risk to
+miss upstream security updates. The risk is mitigated by restricting the access
+to the system to a very small group of users that are authenticated using
+personalized client certificates.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. index::
+ single: Certificate; Board
+
+* :file:`/etc/ssl/certs/board.crt` server certificate
+* :file:`/etc/ssl/private/board.key` server key
+* :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 and Class 3 CA
+ certificates (allowed CA certificates for client certificates)
+
+.. seealso::
+
+ * :ref:`cert_board_cacert_org` in :doc:`../certlist`
+ * https://wiki.cacert.org/SystemAdministration/CertificateList
+
+Apache configuration files
+--------------------------
+
+* :file:`/etc/apache2/conf.d/openerp-httpd.conf`
+
+ Defines the WSGI setup for OpenERP
+
+* :file:`/etc/apache2/sites-available/default`
+
+ Defines the HTTP to HTTPS redirection
+
+* :file:`/etc/apache2/sites-available/default-ssl`
+
+ Defines the HTTPS and client authentication configuration
+
+* :file:`/var/local/ssl/http_fake_auth.passwd`
+
+ Defines the authorized users based on the DN in their client certificate
+
+CRL update job
+--------------
+
+:file:`/etc/cron.hourly/update-crls`
+
+OpenERP configuration
+---------------------
+
+:file:`/etc/openerp/openerp-server.conf`
+
+This file configures the database that is used by OpenERP and the interface
+that the XML-RPC service binds to.
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: disable unneeded Apache modules
+
+.. todo:: setup IPv6
+
+.. todo:: consider using a centralized PostgreSQL instance
+
+Changes
+=======
+
+System Future
+-------------
+
+.. todo:: system should be updated to Debian 8
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * https://wiki.cacert.org/PostfixConfiguration
+
+References
+----------
+
+OpenERP URL
+ https://board.cacert.org/