summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorJan Dittberner <jan@dittberner.info>2016-04-16 23:54:41 +0200
committerJan Dittberner <jan@dittberner.info>2016-04-16 23:54:41 +0200
commite6f80696745512a340fb50bca687b5a33cc77c7f (patch)
tree0bdfbd072ade121a6be5f4432a7f1fa9641eb7b7 /docs
parentccdc22d108c0b88888ea30a50aea4af77d93e21f (diff)
downloadcacert-infradocs-e6f80696745512a340fb50bca687b5a33cc77c7f.tar.gz
cacert-infradocs-e6f80696745512a340fb50bca687b5a33cc77c7f.tar.xz
cacert-infradocs-e6f80696745512a340fb50bca687b5a33cc77c7f.zip
Add initial content for infra02 and configuration
Diffstat (limited to 'docs')
-rw-r--r--docs/conf.py8
-rw-r--r--docs/index.rst2
-rw-r--r--docs/infra02.rst50
-rw-r--r--docs/iplist.rst35
-rw-r--r--docs/network.rst25
-rw-r--r--docs/template.rst270
6 files changed, 376 insertions, 14 deletions
diff --git a/docs/conf.py b/docs/conf.py
index 581c02c..5ce9729 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -18,7 +18,7 @@ import os
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
-#sys.path.insert(0, os.path.abspath('.'))
+sys.path.insert(0, os.path.abspath('.'))
# -- General configuration ------------------------------------------------
@@ -30,6 +30,8 @@ import os
# ones.
extensions = [
'sphinx.ext.todo',
+ 'jandd.sphinxext.ip',
+ 'jandd.sphinxext.mac',
]
# Add any paths that contain templates here, relative to this directory.
@@ -75,7 +77,7 @@ language = None
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
-exclude_patterns = ['_build']
+exclude_patterns = ['_build', 'template.rst']
# The reST default role (used for this markup: `text`) to use for all
# documents.
@@ -109,7 +111,7 @@ todo_include_todos = True
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
-html_theme = 'alabaster'
+html_theme = 'classic'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
diff --git a/docs/index.rst b/docs/index.rst
index a9f7b67..14780af 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -17,12 +17,12 @@ Contents:
network
infra02
+ iplist
Indices and tables
==================
* :ref:`genindex`
-* :ref:`modindex`
* :ref:`search`
diff --git a/docs/infra02.rst b/docs/infra02.rst
index 35f59e9..d47345d 100644
--- a/docs/infra02.rst
+++ b/docs/infra02.rst
@@ -1,9 +1,33 @@
+=======
Infra02
=======
+Basics
+======
+
+Purpose
+-------
+
The infrastructure host system Infra02 is a dedicated machine for the CAcert
-infrastructure. The machine has been sponsored by Thomas Krenn and has the
-following hardware parameters:
+infrastructure.
+
+Infra02 is the host system for all infrastructure containers. The containers
+are setup using the Linux kernel's LXC_ system. The firewall for infrastructure
+is maintained on this machine using Ferm_.
+
+.. _LXC: https://linuxcontainers.org/
+.. _Ferm: http://ferm.foo-projects.org/
+
+Physical Location
+-----------------
+
+The machine is located in a server rack at BIT B.V. in the Netherlands.
+
+Physical Configuration
+----------------------
+
+The machine has been sponsored by Thomas Krenn and has the following hardware
+parameters:
:Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz
@@ -16,8 +40,24 @@ following hardware parameters:
There is a 2 TB USB backup disk attached to the system
-Infra02 is the host system for all infrastructure containers. The containers
-are setup using the Linux kernel's LXC_ system.
+.. seealso::
-.. _LXC: https://linuxcontainers.org/
+ See https://wiki.cacert.org/SystemAdministration/EquipmentList
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.230`
+:IP Intranet: :ip:v4:`172.16.2.10`
+:IP internal: :ip:v4:`10.0.0.1`
+:IPv6: :ip:v6:`2001:7b8:616:162:1::10`
+:IPv6 on br0: :ip:v6:`2001:7b8:616:162:2::10`
+:MAC address:
+
+ * :mac:`00:25:90:a9:66:e9` (eth0)
+ * :mac:`fe:0e:ee:75:a3:a5` (br0)
+
+.. seealso::
+
+ :doc:`network`.
diff --git a/docs/iplist.rst b/docs/iplist.rst
new file mode 100644
index 0000000..a3abc16
--- /dev/null
+++ b/docs/iplist.rst
@@ -0,0 +1,35 @@
+IP address list
+===============
+
+Internet IP addresses
+---------------------
+
+.. ip:v4range:: 213.154.225.0/24
+
+ This is the public CAcert IPv4 address range
+
+.. ip:v4:: 213.154.225.230
+
+.. ip:v6range:: 2001:7b8:616:162:1::/80
+
+.. ip:v6:: 2001:7b8:616:162:1::10
+
+.. ip:v6range:: 2001:7b8:616:162:2::/80
+
+.. ip:v6:: 2001:7b8:616:162:2::10
+
+
+Intranet IP addresses
+---------------------
+
+.. ip:v4range:: 172.16.2.0/24
+
+.. ip:v4:: 172.16.2.10
+
+
+Internal IP addresses
+---------------------
+
+.. ip:v4range:: 10.0.0.0/24
+
+.. ip:v4:: 10.0.0.1
diff --git a/docs/network.rst b/docs/network.rst
index d9697ac..834e219 100644
--- a/docs/network.rst
+++ b/docs/network.rst
@@ -4,26 +4,41 @@ Network
.. this page contains information from the IP address list at
https://wiki.cacert.org/SystemAdministration/IPList
+.. seealso::
+
+ https://wiki.cacert.org/SystemAdministration/IPList
+
Internet
--------
-CAcert has a public Internet IP address range and some of the Internet IP
+CAcert has a public Internet IPv4 address range and some of the Internet IP
addresses are mapped to the infrastructure systems.
+The infrastructure systems use IPv4 addresses from the
+:ip:v4range:`213.154.225.0/24` subnet.
+
+IPv6 connectivity is also available. The infrastructure IPv6 addresses are
+taken from the :ip:v6range:`2001:7b8:616:162:1::/80` and
+:ip:v6range:`2001:7b8:616:162:2::/80` ranges.
+
Intranet
--------
CAcert's infrastructure systems are using a private network range that is
-accessible from other CAcert systems.
+accessible from other CAcert systems. The Intranet IPv4 addresses are in the
+:ip:v4range:`172.16.2.0/24` subnet.
Internal
--------
-The infrastructure host :doc:`infra02` has a local bridge interface that is
-used to connect the containers on that machine and allows explicit routing as
-well as services that are purely internal and are not reachable from the
+The infrastructure host :doc:`infra02` has a local bridge interface *br0* that
+is used to connect the containers on that machine and allows explicit routing
+as well as services that are purely internal and are not reachable from the
Internet or Intranet machines in the IP range mentioned above.
+The local bridge uses IPv4 addresses from the :ip:v4range:`10.0.0.0/24` range.
+IPv6 addresses are directly assigned to containers from the
+:ip:v6range:`2001:7b8:616:162:2::/80` range.
diff --git a/docs/template.rst b/docs/template.rst
new file mode 100644
index 0000000..8d0e090
--- /dev/null
+++ b/docs/template.rst
@@ -0,0 +1,270 @@
+==================
+Systems - TEMPLATE
+==================
+
+Basics
+======
+
+Purpose
+-------
+
+.. <SHORT DESCRIPTION>
+
+Physical Location
+-----------------
+
+.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.>
+
+.. ## Use the following for containers on Infra02:
+
+This system is located in an LXC_ container on physical machine :doc:`infra02`.
+
+Physical Configuration
+----------------------
+
+.. seealso::
+
+ See https://wiki.cacert.org/SystemAdministration/EquipmentList
+
+Logical location
+----------------
+
+ * IP Internet: <IP>
+ * IP Intranet: <IP>
+ * IP Internal: <IP>
+ * MAC address: <MAC> (interfacename)
+
+.. seealso::
+
+ See :doc:`network`
+
+DNS
+---
+
+ * <HOSTNAME>.cacert.org. IN A <IP>
+ * <HOSTNAME>.intra.cacert.org. IN A <IP>
+
+.. seealso::
+
+ See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+
+Operating System
+----------------
+
+ * Debian GNU/Linux x.y
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Administration
+--------------
+
+System Admin:
+ * <SYSADMIN's NAME>
+
+Contact:
+ * <system>-admin@cacert.org
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Users | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | sysadmins | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | local mail pickup in order to send out |
+| | | | notifications |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp | http | all | application |
++----------+-----------+-----------+-----------------------------------------+
+| 443/tcp | https | all | application |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | sysadmins | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+
+.. below are some definitions of commonly open ports, choose those that are applicable and order the table by port number
+ || 3306/tcp || mysql || local || MySQL database for ... ||
+ || 5432/tcp || pgsql || local || PostgreSQL database for ... ||
+ || 465/udp || syslog || local || syslog port ||
+
+Running services
+----------------
+
++--------------------+--------------------+----------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+==================================+
+| openssh server | ssh daemon for | init script `/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------+
+| Apache httpd | Webserver for ... | init script |
+| | | `/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------+
+| cron | job scheduler | init script `/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------+
+| rsyslog | syslog daemon | init script `/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------+
+| PostgreSQL | PostgreSQL | init script |
+| | database server | `/etc/init.d/postgresql` |
+| | for ... | |
++--------------------+--------------------+----------------------------------+
+| MySQL | MySQL database | init script `/etc/init.d/mysql` |
+| | server for ... | |
++--------------------+--------------------+----------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | `/etc/init.d/postfix` |
+| | submission, ... | |
++--------------------+--------------------+----------------------------------+
+| Exim | SMTP server for | init script `/etc/init.d/exim4` |
+| | local mail | |
+| | submission, ... | |
++--------------------+--------------------+----------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | `/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------+
+
+Databases
+---------
+
++-------------+--------------+---------------------------+
+| RDBMS | Name | Used for |
++=============+==============+===========================+
+| MySQL | application1 | fictional application one |
++-------------+--------------+---------------------------+
+| PostgreSQL | application2 | fictional application two |
++-------------+--------------+---------------------------+
+
+Running Guests
+--------------
+
++----------------+-------------+---------------+---------+---------------+
+| Machine | IP Intranet | IP Internet | Ports | Purpose |
++================+=============+===============+=========+===============+
+| :doc:`machine` | <LOCAL IP> | <INTERNET IP> | <PORTS> | <DESCRIPTION> |
++----------------+-------------+---------------+---------+---------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+............................
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* crl.cacert.org (rsync) for getting CRLs
+
+Security
+========
+
+SSH host keys
+-------------
+
++-----------+-------------+
+| Algorithm | Fingerprint |
++===========+=============+
+| RSA | |
++-----------+-------------+
+| DSA | |
++-----------+-------------+
+| ECDSA | |
++-----------+-------------+
+
+.. seealso::
+
+ See :doc:`sshkeys`
+
+Dedicated user roles
+--------------------
+
+.. If the system has some dedicated user groups besides the sudo group used for administration it should be documented here
+ Regular operating system groups should not be documented
+
+.. || '''Group''' || '''Purpose''' ||
+ || goodguys || Shell access for the good guys ||
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+.. * None
+ or
+ * List of non-distribution packages and modifications
+
+Risk assessments on critical packages
+-------------------------------------
+
+Tasks
+=====
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
+* :file:`/etc/apache2/ssl/<path to server key>` server key
+
+.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
+ * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
+
+.. seealso::
+
+ See :doc:`certlist`
+
+Changes
+=======
+
+Planned
+-------
+
+System Future
+.............
+
+.. * No plans
+
+Document Stuff
+..............
+
+.. add a paragraph for each larger planned task that seems to be worth
+ mentioning. You may want to link to specific issues if you use some issue
+ tracker.
+
+Potential Similiar Configurations
+.................................
+
+* https://wiki.cacert.org/Exim4Configuration
+* https://wiki.cacert.org/PostfixConfiguration
+* https://wiki.cacert.org/QmailConfiguration
+* https://wiki.cacert.org/SendmailConfiguration
+* https://wiki.cacert.org/StunnelConfiguration
+
+Potential System Procedures
+...........................
+
+* https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+* https://wiki.cacert.org/SystemAdministration/CertificateList
+
+References
+==========
+
+.. can be used to provide links to reference documentation
+ * http://product.site.com/docs/
+ * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]
+
+Links
+=====
+
+.. || [[https://<system>.cacert.org/]] || <System> URL ||
+ may contain more URLs if there are multiple useful entry points
+