Start arbitration documentation

3 files changed, 284 insertions, 0 deletions

diff --git a/docs/systems/arbitration.rst b/docs/systems/arbitration.rst
new file mode 100644
index 0000000..9a931ff
--- /dev/null
+++ b/docs/systems/arbitration.rst
@@ -0,0 +1,284 @@
+.. index::
+   single: Systems; Arbitration
+
+===========
+Arbitration
+===========
+
+Purpose
+=======
+
+This system is planned to host a future collaboration platform for arbitrators.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: `Martin Gummi`_
+* Secondary: None
+
+.. todo:: find an additional admin
+
+.. _Martin Gummi: martin.gummi@cacert.org
+
+Application Administration
+--------------------------
+
+There is no application yet.
+
+.. todo:: setup application(s) and document admins
+
+.. * <application>: <sysadmin's name>
+
+Contact
+-------
+
+* arbitration-admin@cacert.org
+
+Additional People
+-----------------
+
+`Jan Dittberner`_ and `Mario Lipinski`_ have sudo access on that machine too.
+
+.. _Jan Dittberner: jandd@cacert.org
+.. _Mario Lipinski: mario@cacert.org
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an LXC_ container on physical machine :doc:`infra02`.
+
+.. _LXC: https://linuxcontainers.org/
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.241`
+:IP Intranet: :ip:v4:`172.16.2.241`
+:IP Internal: :ip:v4:`10.0.0.241`
+:MAC address: :mac:`00:ff:5b:e0:cd:8a` (eth0)
+
+.. seealso::
+
+   See :doc:`../network`
+
+DNS
+---
+
+.. index::
+   single: DNS records; Arbitration
+
+============================= ======== ============================================
+Name                          Type     Content
+============================= ======== ============================================
+arbitration.cacert.org.       IN A     213.154.225.241
+arbitration.cacert.org.       IN SSHFP 1 1 40D9C8EBCF8D41A04B990FBC5308675D029BF4EF
+arbitration.cacert.org.       IN SSHFP 2 1 7474BFB01AF775511805BF15C45BB9D7591D0CE6
+arbitration.intra.cacert.org. IN A     172.16.2.241
+============================= ======== ============================================
+
+.. seealso::
+
+   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+
+Operating System
+----------------
+
+.. index::
+   single: Debian GNU/Linux; Jessie
+   single: Debian GNU/Linux; 8.4
+
+* Debian GNU/Linux 8.4
+
+Applicable Documentation
+------------------------
+
+This is it :-) There is nothing usable on this system yet.
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port     | Service   | Origin    | Purpose                                 |
++==========+===========+===========+=========================================+
+| 22/tcp   | ssh       | ANY       | admin console access                    |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp   | http      | ANY       | application                             |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
++----------+-----------+-----------+-----------------------------------------+
+| 3306/tcp | mysql     | local     | MySQL database for ...                  |
++----------+-----------+-----------+-----------------------------------------+
+| 5432/tcp | pgsql     | local     | PostgreSQL database for ...             |
++----------+-----------+-----------+-----------------------------------------+
+
+.. todo:: add TLS/SSL to nginx and add HTTPS port
+.. todo:: clarify whether both MySQL and PostgreSQL are used
+
+Running services
+----------------
+
++--------------------+--------------------+----------------------------------------+
+| Service            | Usage              | Start mechanism                        |
++====================+====================+========================================+
+| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
+|                    | remote             |                                        |
+|                    | administration     |                                        |
++--------------------+--------------------+----------------------------------------+
+| nginx              | Webserver for ...  | init script                            |
+|                    |                    | :file:`/etc/init.d/nginx`              |
++--------------------+--------------------+----------------------------------------+
+| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL         | PostgreSQL         | init script                            |
+|                    | database server    | :file:`/etc/init.d/postgresql`         |
+|                    | for ...            |                                        |
++--------------------+--------------------+----------------------------------------+
+| MySQL              | MySQL database     | init script                            |
+|                    | server for ...     | :file:`/etc/init.d/mysql`              |
++--------------------+--------------------+----------------------------------------+
+| Exim               | SMTP server for    | init script                            |
+|                    | local mail         | :file:`/etc/init.d/exim4`              |
+|                    | submission, ...    |                                        |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring  | init script                            |
+|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+|                    | :doc:`monitor`     |                                        |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++-------------+----------+------------------------------+
+| RDBMS       | Name     | Used for                     |
++=============+==========+==============================+
+| MySQL       | etherpad | future etherpad installation |
++-------------+----------+------------------------------+
+
+.. todo:: setup databases
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+
+Security
+========
+
+SSH host keys
+-------------
+
++-----------+-----------------------------------------------------+
+| Algorithm | Fingerprint                                         |
++===========+=====================================================+
+| RSA       | ``a3:6c:f1:f8:8c:81:7c:f7:3b:4e:e4:0e:a3:02:8e:18`` |
++-----------+-----------------------------------------------------+
+| DSA       | ``eb:66:0e:0d:d1:f3:d8:02:3a:ed:71:7a:b2:04:db:75`` |
++-----------+-----------------------------------------------------+
+| ECDSA     | ``54:a3:76:46:66:fc:3f:2d:9b:e4:bd:49:ba:fe:98:09`` |
++-----------+-----------------------------------------------------+
+| ED25519   | -                                                   |
++-----------+-----------------------------------------------------+
+
+.. todo:: setup ED255519 host key
+
+.. seealso::
+
+   See :doc:`../sshkeys`
+
+Dedicated user roles
+--------------------
+
+.. If the system has some dedicated user groups besides the sudo group used for administration it should be documented here
+   Regular operating system groups should not be documented
+
+.. '''Group''' || '''Purpose''' ||
+   goodguys || Shell access for the good guys ||
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+.. * None
+   or
+   * List of non-distribution packages and modifications
+
+Risk assessments on critical packages
+-------------------------------------
+
+Tasks
+=====
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
+* :file:`/etc/apache2/ssl/<path to server key>` server key
+
+.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
+   * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
+
+.. seealso::
+
+   * :doc:`../certlist`
+   * https://wiki.cacert.org/SystemAdministration/CertificateList
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: install application
+.. todo:: setup IPv6
+
+Changes
+=======
+
+System Future
+-------------
+
+The system should be setup properly or should be removed it is not required
+anymore.
+
+Additional documentation
+========================
+
+.. add inline documentation
+
+.. remove unneeded links from the list below, add other links that apply
+
+.. seealso:
+
+   * https://wiki.cacert.org/Exim4Configuration
+   * https://wiki.cacert.org/PostfixConfiguration
+   * https://wiki.cacert.org/QmailConfiguration
+   * https://wiki.cacert.org/SendmailConfiguration
+   * https://wiki.cacert.org/StunnelConfiguration
+
+References
+----------
+
+.. can be used to provide links to reference documentation
+   * http://product.site.com/docs/
+   * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]
diff --git a/docs/systems/emailout.rst b/docs/systems/emailout.rst
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/docs/systems/emailout.rst
diff --git a/docs/systems/monitor.rst b/docs/systems/monitor.rst
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/docs/systems/monitor.rst