diff options
author | Jan Dittberner <jan@dittberner.info> | 2016-04-17 23:23:11 +0200 |
---|---|---|
committer | Jan Dittberner <jan@dittberner.info> | 2016-04-17 23:23:11 +0200 |
commit | e1586608bafaf52a96daf07673196c635d69883a (patch) | |
tree | cfc47a933553e3d2602ffcd67f8bcb1551e37948 /docs | |
parent | e98a2197499b16db47aa7c897b65c03a3a3f2448 (diff) | |
download | cacert-infradocs-e1586608bafaf52a96daf07673196c635d69883a.tar.gz cacert-infradocs-e1586608bafaf52a96daf07673196c635d69883a.tar.xz cacert-infradocs-e1586608bafaf52a96daf07673196c635d69883a.zip |
Start arbitration documentation
Diffstat (limited to 'docs')
-rw-r--r-- | docs/systems/arbitration.rst | 284 | ||||
-rw-r--r-- | docs/systems/emailout.rst | 0 | ||||
-rw-r--r-- | docs/systems/monitor.rst | 0 |
3 files changed, 284 insertions, 0 deletions
diff --git a/docs/systems/arbitration.rst b/docs/systems/arbitration.rst new file mode 100644 index 0000000..9a931ff --- /dev/null +++ b/docs/systems/arbitration.rst @@ -0,0 +1,284 @@ +.. index:: + single: Systems; Arbitration + +=========== +Arbitration +=========== + +Purpose +======= + +This system is planned to host a future collaboration platform for arbitrators. + +Administration +============== + +System Administration +--------------------- + +* Primary: `Martin Gummi`_ +* Secondary: None + +.. todo:: find an additional admin + +.. _Martin Gummi: martin.gummi@cacert.org + +Application Administration +-------------------------- + +There is no application yet. + +.. todo:: setup application(s) and document admins + +.. * <application>: <sysadmin's name> + +Contact +------- + +* arbitration-admin@cacert.org + +Additional People +----------------- + +`Jan Dittberner`_ and `Mario Lipinski`_ have sudo access on that machine too. + +.. _Jan Dittberner: jandd@cacert.org +.. _Mario Lipinski: mario@cacert.org + +Basics +====== + +Physical Location +----------------- + +This system is located in an LXC_ container on physical machine :doc:`infra02`. + +.. _LXC: https://linuxcontainers.org/ + +Logical Location +---------------- + +:IP Internet: :ip:v4:`213.154.225.241` +:IP Intranet: :ip:v4:`172.16.2.241` +:IP Internal: :ip:v4:`10.0.0.241` +:MAC address: :mac:`00:ff:5b:e0:cd:8a` (eth0) + +.. seealso:: + + See :doc:`../network` + +DNS +--- + +.. index:: + single: DNS records; Arbitration + +============================= ======== ============================================ +Name Type Content +============================= ======== ============================================ +arbitration.cacert.org. IN A 213.154.225.241 +arbitration.cacert.org. IN SSHFP 1 1 40D9C8EBCF8D41A04B990FBC5308675D029BF4EF +arbitration.cacert.org. IN SSHFP 2 1 7474BFB01AF775511805BF15C45BB9D7591D0CE6 +arbitration.intra.cacert.org. IN A 172.16.2.241 +============================= ======== ============================================ + +.. seealso:: + + See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges + +Operating System +---------------- + +.. index:: + single: Debian GNU/Linux; Jessie + single: Debian GNU/Linux; 8.4 + +* Debian GNU/Linux 8.4 + +Applicable Documentation +------------------------ + +This is it :-) There is nothing usable on this system yet. + +Services +======== + +Listening services +------------------ + ++----------+-----------+-----------+-----------------------------------------+ +| Port | Service | Origin | Purpose | ++==========+===========+===========+=========================================+ +| 22/tcp | ssh | ANY | admin console access | ++----------+-----------+-----------+-----------------------------------------+ +| 25/tcp | smtp | local | mail delivery to local MTA | ++----------+-----------+-----------+-----------------------------------------+ +| 80/tcp | http | ANY | application | ++----------+-----------+-----------+-----------------------------------------+ +| 5666/tcp | nrpe | monitor | remote monitoring service | ++----------+-----------+-----------+-----------------------------------------+ +| 3306/tcp | mysql | local | MySQL database for ... | ++----------+-----------+-----------+-----------------------------------------+ +| 5432/tcp | pgsql | local | PostgreSQL database for ... | ++----------+-----------+-----------+-----------------------------------------+ + +.. todo:: add TLS/SSL to nginx and add HTTPS port +.. todo:: clarify whether both MySQL and PostgreSQL are used + +Running services +---------------- + ++--------------------+--------------------+----------------------------------------+ +| Service | Usage | Start mechanism | ++====================+====================+========================================+ +| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` | +| | remote | | +| | administration | | ++--------------------+--------------------+----------------------------------------+ +| nginx | Webserver for ... | init script | +| | | :file:`/etc/init.d/nginx` | ++--------------------+--------------------+----------------------------------------+ +| cron | job scheduler | init script :file:`/etc/init.d/cron` | ++--------------------+--------------------+----------------------------------------+ +| PostgreSQL | PostgreSQL | init script | +| | database server | :file:`/etc/init.d/postgresql` | +| | for ... | | ++--------------------+--------------------+----------------------------------------+ +| MySQL | MySQL database | init script | +| | server for ... | :file:`/etc/init.d/mysql` | ++--------------------+--------------------+----------------------------------------+ +| Exim | SMTP server for | init script | +| | local mail | :file:`/etc/init.d/exim4` | +| | submission, ... | | ++--------------------+--------------------+----------------------------------------+ +| Nagios NRPE server | remote monitoring | init script | +| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` | +| | :doc:`monitor` | | ++--------------------+--------------------+----------------------------------------+ + +Databases +--------- + ++-------------+----------+------------------------------+ +| RDBMS | Name | Used for | ++=============+==========+==============================+ +| MySQL | etherpad | future etherpad installation | ++-------------+----------+------------------------------+ + +.. todo:: setup databases + +Connected Systems +----------------- + +* :doc:`monitor` + +Outbound network connections +---------------------------- + +* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3 +* :doc:`emailout` as SMTP relay +* ftp.nl.debian.org as Debian mirror +* security.debian.org for Debian security updates + +Security +======== + +SSH host keys +------------- + ++-----------+-----------------------------------------------------+ +| Algorithm | Fingerprint | ++===========+=====================================================+ +| RSA | ``a3:6c:f1:f8:8c:81:7c:f7:3b:4e:e4:0e:a3:02:8e:18`` | ++-----------+-----------------------------------------------------+ +| DSA | ``eb:66:0e:0d:d1:f3:d8:02:3a:ed:71:7a:b2:04:db:75`` | ++-----------+-----------------------------------------------------+ +| ECDSA | ``54:a3:76:46:66:fc:3f:2d:9b:e4:bd:49:ba:fe:98:09`` | ++-----------+-----------------------------------------------------+ +| ED25519 | - | ++-----------+-----------------------------------------------------+ + +.. todo:: setup ED255519 host key + +.. seealso:: + + See :doc:`../sshkeys` + +Dedicated user roles +-------------------- + +.. If the system has some dedicated user groups besides the sudo group used for administration it should be documented here + Regular operating system groups should not be documented + +.. '''Group''' || '''Purpose''' || + goodguys || Shell access for the good guys || + +Non-distribution packages and modifications +------------------------------------------- + +.. * None + or + * List of non-distribution packages and modifications + +Risk assessments on critical packages +------------------------------------- + +Tasks +===== + +Critical Configuration items +============================ + +Keys and X.509 certificates +--------------------------- + +* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>) +* :file:`/etc/apache2/ssl/<path to server key>` server key + +.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates) + * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate) + +.. seealso:: + + * :doc:`../certlist` + * https://wiki.cacert.org/SystemAdministration/CertificateList + +Tasks +===== + +Planned +------- + +.. todo:: install application +.. todo:: setup IPv6 + +Changes +======= + +System Future +------------- + +The system should be setup properly or should be removed it is not required +anymore. + +Additional documentation +======================== + +.. add inline documentation + +.. remove unneeded links from the list below, add other links that apply + +.. seealso: + + * https://wiki.cacert.org/Exim4Configuration + * https://wiki.cacert.org/PostfixConfiguration + * https://wiki.cacert.org/QmailConfiguration + * https://wiki.cacert.org/SendmailConfiguration + * https://wiki.cacert.org/StunnelConfiguration + +References +---------- + +.. can be used to provide links to reference documentation + * http://product.site.com/docs/ + * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]] diff --git a/docs/systems/emailout.rst b/docs/systems/emailout.rst new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/docs/systems/emailout.rst diff --git a/docs/systems/monitor.rst b/docs/systems/monitor.rst new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/docs/systems/monitor.rst |