-rw-r--r--  doc-requirements.txt                                    4
-rw-r--r--  docs/building.rst                                      81
-rw-r--r--  docs/certlist.rst                                      24
-rw-r--r--  docs/conf.py                                           44
-rw-r--r--  docs/configdiff/emailout/canonical_maps                 2
-rw-r--r--  docs/configdiff/emailout/postfix.diff                  61
-rw-r--r--  docs/configdiff/emailout/transport                      3
-rw-r--r--  docs/critical.rst                                      11
-rw-r--r--  docs/critical/template.rst                            346
-rw-r--r--  docs/critical/webdb.rst                                 6
-rw-r--r--  docs/downloads/template_new_community_mailaddress.rfc822  19
-rw-r--r--  docs/glossary.rst                                      42
-rw-r--r--  docs/images/CAcert-logo-colour.svg                     46
-rw-r--r--  docs/images/favicon.ico                               bin 0 -> 3638 bytes
-rw-r--r--  docs/index.rst                                         22
-rw-r--r--  docs/network.rst                                        4
-rw-r--r--  docs/patches/openerp/account.py.patch                  27
-rw-r--r--  docs/patches/openerp/account_followup_paypal.patch     38
-rw-r--r--  docs/patches/openerp/account_followup_print.patch      10
-rw-r--r--  docs/patches/openerp/invoice.py.patch                  10
-rw-r--r--  docs/patches/openerp/py.js.patch                       18
-rw-r--r--  docs/patches/openerp/view_form.js.patch                15
-rw-r--r--  docs/people.rst                                        93
-rw-r--r--  docs/sphinxext/__init__.py                              0
-rw-r--r--  docs/sphinxext/cacert.py                              671
-rw-r--r--  docs/sshkeys.rst                                        2
-rw-r--r--  docs/systems.rst                                       59
-rw-r--r--  docs/systems/arbitration.rst                           68
-rw-r--r--  docs/systems/blog.rst                                 127
-rw-r--r--  docs/systems/board.rst                                370
-rw-r--r--  docs/systems/email.rst                                576
-rw-r--r--  docs/systems/emailout.rst                             339
-rw-r--r--  docs/systems/infra02.rst                               60
-rw-r--r--  docs/systems/monitor.rst                              309
-rw-r--r--  docs/systems/template.rst                             143
-rw-r--r--  docs/systems/webmail.rst                              358
36 files changed, 3762 insertions, 246 deletions
diff --git a/doc-requirements.txt b/doc-requirements.txt
index 655dfb4..fdbe2c3 100644
--- a/doc-requirements.txt
+++ b/doc-requirements.txt
@@ -9,5 +9,7 @@ imagesize==0.7.0
pytz==2016.3
six==1.10.0
snowballstemmer==1.2.1
-jandd.sphinxext.ip==0.1.1
+jandd.sphinxext.ip==0.2.4
jandd.sphinxext.mac==0.1.0
+py-dateutil==2.2
+validate-email==1.3
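Review bot: the new pin `py-dateutil==2.2` (second added line) is an unusual distribution name; the widely used package is `python-dateutil`, and the two are not the same project. Since `docs/building.rst` in this commit installs this file verbatim with `pip install -r doc-requirements.txt`, confirm which distribution the new `sphinxext/cacert.py` actually imports and pin that one. None of the pins carry `--hash` entries either, so the documentation build pulls whatever PyPI serves for those versions; adding hashes would make the CI build reproducible and tamper-evident.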
diff --git a/docs/building.rst b/docs/building.rst
new file mode 100644
index 0000000..573ac67
--- /dev/null
+++ b/docs/building.rst
@@ -0,0 +1,81 @@
+==========================
+Building the documentation
+==========================
+
+This documentation is maintained as a set of ReStructuredText documents and
+uses `Sphinx <http://www.sphinx-doc.org/>`_ to build HTML formatted
+representations of the documents.
+
+To build this documentation you need a Python 3 installation. To isolate the
+documentation build from your system Python 3 packages using a virtual
+environment is recommended.
+
+Python 3 installation instructions can be found on the `Python website`_.
+
+.. _Python website: https://www.python.org/
+
+.. topic:: Building the documentation on a Debian system
+
+ The following example shows how to build the documentation on a Debian system:
+
+ .. code-block:: bash
+
+ # Install required operating system packages
+ sudo apt-get install python3 python3-venv make
+ # Setup a fresh virtual Python environment in the venv subdirectory
+ pyvenv venv
+ # Activate the virtual environment
+ . venv/bin/activate
+ # Install the documentation build dependencies (Sphinx, extensions and
+ # their dependencies)
+ pip install -r doc-requirements.txt
+ # Build the documentation in the docs subdirectory
+ cd docs
+ make html
+
+ .. note::
+
+ The above commands should be run from the root directory of a git clone
+ of the cacert-infradocs git repository. The result of the :program:`make`
+ exection will be available in the :file:`_build/html/` directory inside
+ the :file:`docs/` directory.
+
+Getting the documentation source
+--------------------------------
+
+The documentation is available from the git repository cacert-infradocs on
+git.cacert.org. You can browse the `repository
+<http://git.cacert.org/gitweb/?p=cacert-infradocs.git;a=summary>`_ via gitweb.
+
+You can clone the repository anonymously by executing::
+
+ git clone git://git.cacert.org/cacert-infradocs.git
+
+If you want to contribute to the documentation please ask git-admin@cacert.org
+to setup a user in the group git-infra on git.cacert.org for you. You will have
+to provide an SSH public key (either RSA with at least 2048 Bits modulus or an
+ECDSA or ED25519 key with similar strength) with your request.
+
+If you have a user in the git-infra group you can clone the repository by
+executing::
+
+ git clone ssh://<username>@git.cacert.org/var/cache/git/cacert-infradocs.git
+
+.. note:: replace ``<username>`` with your actual username
+
+Continuous integration
+----------------------
+
+If changes are pushed to the cacert-infradocs git repository on git.cacert.org
+a `Jenkins Job <https://jenkins.cacert.org/job/cacert-infradocs/>`_ is
+automatically triggered. If the documentation is built successfully it can be
+viewed in the `docs/_build/html directory of the Job's workspace
+<https://jenkins.cacert.org/job/cacert-infradocs/ws/docs/_build/html/>`_. You may
+open `index.html
+<https://jenkins.cacert.org/job/cacert-infradocs/ws/docs/_build/html/index.html>`_
+to browse the documentation (there are some JavaScript and SVG glitches due to
+Content-Security-Policy settings).
+
+If the documentation build is successful the result is pushed to a webserver
+document root on :doc:`webstatic` and is publicly available at
+https://infradocs.cacert.org/.
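Review bot: the `pyvenv venv` step in the Debian example should be `python3 -m venv venv`; the `pyvenv` wrapper script has been deprecated since Python 3.6 and removed from later releases, so the example will stop working on newer Debian installs while the surrounding text still promises a working procedure. Two smaller items: `exection` in the note below the code block should read `execution`, and `:doc:`webstatic`` in the last paragraph points at a document that is not part of this commit, so make sure `docs/webstatic.rst` exists or Sphinx will report an unresolved reference.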
diff --git a/docs/certlist.rst b/docs/certlist.rst
index e8c5fb2..44651c3 100644
--- a/docs/certlist.rst
+++ b/docs/certlist.rst
@@ -2,26 +2,4 @@
X.509 Certificates
==================
-.. _cert_blog_cacert_org:
-
-blog.cacert.org
-===============
-
-.. index::
- ! single: Certificate; Blog
-
-+------------------+------------------------------------------------------------------------+
-| Common Name | blog.cacert.org |
-+------------------+------------------------------------------------------------------------+
-| Subject Altnames | none |
-+------------------+------------------------------------------------------------------------+
-| Key kept at | :doc:`blog <systems/blog>`:file:`/etc/ssl/private/blog.cacert.org.key` |
-+------------------+------------------------------------------------------------------------+
-| Cert kept at | :doc:`blog <systems/blog>`:file:`/etc/ssl/public/blog.cacert.org.crt` |
-+------------------+------------------------------------------------------------------------+
-| Serial Number | 1173559 (0x11e837) |
-+------------------+------------------------------------------------------------------------+
-| Expiration date | Mar 31 16:34:28 2018 GMT |
-+------------------+------------------------------------------------------------------------+
-| SHA1 Fingerprint | ``69:A5:5F:3E:1B:D8:2E:CB:B3:AB:0B:E9:81:A6:CF:31:DF:C8:A4:5F`` |
-+------------------+------------------------------------------------------------------------+
+.. sslcertlist::
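Review bot: the blog.cacert.org certificate data removed here (serial `1173559`, expiry, key and cert paths and the SHA1 fingerprint) only survives if `docs/systems/blog.rst`, which this commit also touches, now carries an equivalent `.. sslcert::` directive with the same values for the generated `.. sslcertlist::` to pick up. Please confirm that before merging; the fingerprint is what operators compare against when they verify the served certificate, and it would be easy to lose it silently in this switch to the generated list.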
diff --git a/docs/conf.py b/docs/conf.py
index 0a7d7b0..d612007 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -14,6 +14,8 @@
import sys
import os
+from urllib.parse import urljoin
+from docutils import nodes, utils
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
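Review bot: `urljoin` imported on the first added line is not used anywhere in the visible changes to `conf.py`; drop the import or use it. `nodes` and `utils` are used by `cacert_bug` further down, so those are fine.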
@@ -30,8 +32,10 @@ sys.path.insert(0, os.path.abspath('.'))
# ones.
extensions = [
'sphinx.ext.todo',
+ 'sphinx.ext.extlinks',
'jandd.sphinxext.ip',
'jandd.sphinxext.mac',
+ 'sphinxext.cacert',
]
# Add any paths that contain templates here, relative to this directory.
@@ -77,7 +81,7 @@ language = None
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
-exclude_patterns = ['_build', 'systems/template.rst']
+exclude_patterns = ['_build', 'systems/template.rst', 'critical/template.rst']
# The reST default role (used for this markup: `text`) to use for all
# documents.
@@ -116,26 +120,30 @@ html_theme = 'classic'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
-#html_theme_options = {}
+html_theme_options = {
+ 'sidebarbgcolor': '#f5f7f7',
+ 'sidebartextcolor': '#334d55',
+ 'sidebarlinkcolor': '#005fa9',
+}
# Add any paths that contain custom themes here, relative to this directory.
#html_theme_path = []
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
-#html_title = None
+html_title = project + " documentation v" + release
# A shorter title for the navigation bar. Default is the same as html_title.
#html_short_title = None
# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
-#html_logo = None
+html_logo = os.path.join('images', 'CAcert-logo-colour.svg')
# The name of an image file (relative to this directory) to use as a favicon of
# the docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
-#html_favicon = None
+html_favicon = os.path.join('images', 'favicon.ico')
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
@@ -355,3 +363,29 @@ epub_exclude_files = ['search.html']
# If false, no index is generated.
#epub_use_index = True
+
+
+extlinks = {
+ 'wiki': ('https://wiki.cacert.org/%s', 'Wiki '),
+}
+
+
+def cacert_bug(name, rawtext, text, lineno, inliner, options={}, content=[]):
+ try:
+ bugnum = int(text)
+ if bugnum <= 0:
+ raise ValueError
+ except ValueError:
+ msg = inliner.reporter.error(
+ 'Bug number must be a number greater than or equal to 1; '
+ '"%s" is invalid.' % text, line=lineno)
+ prb = inliner.problematic(rawtext, rawtext, msg)
+ return [prb], [msg]
+ ref = 'https://bugs.cacert.org/view.php?id=%d' % bugnum
+ node = nodes.reference(rawtext, '#' + utils.unescape(text), refuri=ref,
+ **options)
+ return [node], []
+
+
+def setup(app):
+ app.add_role('bug', cacert_bug)
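Review bot: `cacert_bug` validates `text` as a positive integer before interpolating it into the bug URL, which is the right thing to do for a role that takes free text from the documents. Two style points remain: the mutable default arguments `options={}` and `content=[]` follow the docutils role convention but must never be modified in the body (they are not here), and `setup()` returns nothing, so consider returning `{'parallel_read_safe': True}` to avoid Sphinx warning about an extension of unknown parallel safety when the docs are built with `-j`. Given that this commit also adds `sphinxext.cacert`, the role might live there instead of in `conf.py`, keeping the configuration file configuration-only.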
diff --git a/docs/configdiff/emailout/canonical_maps b/docs/configdiff/emailout/canonical_maps
new file mode 100644
index 0000000..4b8c021
--- /dev/null
+++ b/docs/configdiff/emailout/canonical_maps
@@ -0,0 +1,2 @@
+/@(.*).intra.cacert.org$/ $1-admin@cacert.org
+/@(.*).infra.cacert.org$/ $1-admin@cacert.org
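Review bot: the dots in both patterns are unescaped, so `.` matches any character and an address such as `user@fooXintraXcacertXorg` would also be rewritten; write them as `/@(.*)\.intra\.cacert\.org$/ $1-admin@cacert.org` and likewise for the `infra` line. `(.*)` is also greedy, so `user@a.b.intra.cacert.org` becomes `a.b-admin@cacert.org`; if only a single host label is meant, `([^.]+)` is the safer capture. Since `main.cf` loads this file as `canonical_maps` rather than `sender_canonical_maps`, recipient addresses are rewritten as well; that looks intended here (mail to an internal host is redirected to its admin alias), but it should be spelled out in the comment in `main.cf`.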
diff --git a/docs/configdiff/emailout/postfix.diff b/docs/configdiff/emailout/postfix.diff
new file mode 100644
index 0000000..1e1d759
--- /dev/null
+++ b/docs/configdiff/emailout/postfix.diff
@@ -0,0 +1,61 @@
+diff -urwN wheezy-chroot/etc/postfix/dynamicmaps.cf vm-emailout/rootfs/etc/postfix/dynamicmaps.cf
+--- wheezy-chroot/etc/postfix/dynamicmaps.cf 2016-05-08 00:51:54.738716333 +0200
++++ vm-emailout/rootfs/etc/postfix/dynamicmaps.cf 2015-02-02 13:58:10.151038663 +0100
+@@ -4,3 +4,4 @@
+ #==== ================================ ============= ============
+ tcp /usr/lib/postfix/dict_tcp.so dict_tcp_open
+ sqlite /usr/lib/postfix/dict_sqlite.so dict_sqlite_open
++pcre /usr/lib/postfix/dict_pcre.so dict_pcre_open
+diff -urwN wheezy-chroot/etc/postfix/main.cf vm-emailout/rootfs/etc/postfix/main.cf
+--- wheezy-chroot/etc/postfix/main.cf 2016-05-08 00:51:55.514721219 +0200
++++ vm-emailout/rootfs/etc/postfix/main.cf 2015-02-02 19:13:43.370652677 +0100
+@@ -5,6 +5,8 @@
+ # line of that file to be used as the name. The Debian default
+ # is /etc/mailname.
+ #myorigin = /etc/mailname
++mydomain = emailout.intra.cacert.org
++smtp_helo_name = infrastructure.cacert.org
+
+ smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+ biff = no
+@@ -24,16 +26,37 @@
+ smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
++smtp_tls_security_level = may
++
++# map internal host names to their corresponding admin addresses
++canonical_maps = pcre:/etc/postfix/canonical_maps
++
+ # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+ # information on enabling SSL in the smtp client.
+
+-myhostname = infra02.intra.cacert.org
++myhostname = emailout.intra.cacert.org
+ alias_maps = hash:/etc/aliases
+ alias_database = hash:/etc/aliases
+ myorigin = /etc/mailname
+-mydestination = infra02.intra.cacert.org, localhost.intra.cacert.org, , localhost
++mydestination = emailout.cacert.org, emailout, localhost.localdomain, localhost
+ relayhost =
+-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
++mynetworks = 172.16.2.0/24 10.0.0.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+ mailbox_size_limit = 0
+ recipient_delimiter = +
+ inet_interfaces = all
++inet_protocols = all
++
++# DKIM milter
++# http://www.postfix.org/MILTER_README.html
++# TODO: enable DKIM once the DNS record is in place
++#smtpd_milters = unix:/opendkim/opendkim.sock
++#non_smtpd_milters = $smtpd_milters
++
++# what to do if the dkim filter fails
++#milter_default_action = accept
++#milter_command_timeout = 5s
++#milter_connect_timeout = $milter_command_timeout
++#milter_content_timeout = 45s
++
++transport_maps = hash:/etc/postfix/transport
++local_transport = error:local delivery is disabled
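Review bot: `smtp_tls_security_level = may` gives opportunistic, unauthenticated TLS towards every next hop, including the three fixed internal relays in the transport map; for those `[host]` destinations an `smtp_tls_policy_maps` entry with `encrypt` (or `secure` once their certificates are in place) would stop a silent fallback to cleartext on the internal network. The widened `mynetworks` (172.16.2.0/24 and 10.0.0.0/24) together with `inet_interfaces = all` means any host on those networks can relay through this system, so the firewall rules documented for emailout should match that set. The DKIM milter block is left commented out with a TODO, which is fine, but it should be tracked so that outgoing mail does not stay unsigned indefinitely.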
diff --git a/docs/configdiff/emailout/transport b/docs/configdiff/emailout/transport
new file mode 100644
index 0000000..8c4f3d1
--- /dev/null
+++ b/docs/configdiff/emailout/transport
@@ -0,0 +1,3 @@
+lists.cacert.org smtp:[lists.intra.cacert.org]
+issue.cacert.org smtp:[issue.intra.cacert.org]
+cacert.org smtp:[email.intra.cacert.org]
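Review bot: the `cacert.org` entry matches only the bare domain; Postfix does not apply `parent_domain_matches_subdomains` to `transport_maps` by default, so recipients at any other `*.cacert.org` subdomain beyond the two listed fall through to a normal MX lookup instead of being routed to `email.intra.cacert.org`. If that fallback is intended, say so in a comment; if not, add a `.cacert.org smtp:[email.intra.cacert.org]` line. The bracketed `[host]` form is correct for skipping MX resolution on the internal names.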
diff --git a/docs/critical.rst b/docs/critical.rst
new file mode 100644
index 0000000..8ac0472
--- /dev/null
+++ b/docs/critical.rst
@@ -0,0 +1,11 @@
+================
+Critical Systems
+================
+
+.. toctree::
+ :maxdepth: 1
+
+ critical/webdb
+
+.. add more systems here. https://wiki.cacert.org/SystemAdministration/Systems/
+ is a good starting point on what should be documented
diff --git a/docs/critical/template.rst b/docs/critical/template.rst
new file mode 100644
index 0000000..6419262
--- /dev/null
+++ b/docs/critical/template.rst
@@ -0,0 +1,346 @@
+.. index::
+ single: Systems; <host>
+
+==================
+Systems - TEMPLATE
+==================
+
+Purpose
+=======
+
+.. <SHORT DESCRIPTION>
+
+Application Links
+-----------------
+
+.. link1
+ https://<hostname>/<path>
+
+ link2
+ https://<hostname>/<path2>
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+.. people_<name> are defined in people.rst
+
+* Primary: :ref:`people_primary`
+* Secondary: :ref:`people_secondary`
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application | Administrator(s) |
++===============+=====================+
+| <application> | :ref:`people_admin` |
++---------------+---------------------+
+
+Contact
+-------
+
+* <system>-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_a` and :ref:`people_b` have :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.>
+
+.. ## Use the following for containers on Infra02:
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Physical Configuration
+----------------------
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/EquipmentList`
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`<IP>`
+:IP Intranet: :ip:v4:`<IP>`
+:IP Internal: :ip:v4:`<IP>`
+:MAC address: :mac:`<MAC>` (interfacename)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; <machine>
+
+========================== ======== ==========================================
+Name Type Content
+========================== ======== ==========================================
+<HOST>.cacert.org. IN A <IP>
+<HOST>.intra.cacert.org. IN A <IP>
+========================== ======== ==========================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Codename
+ single: Debian GNU/Linux; x.y
+
+* Debian GNU/Linux x.y
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
+.. use the values from this table or add new lines if applicable
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp | http | ANY | application |
++----------+-----------+-----------+-----------------------------------------+
+| 443/tcp | https | ANY | application |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+| 3306/tcp | mysql | local | MySQL database for ... |
++----------+-----------+-----------+-----------------------------------------+
+| 5432/tcp | pgsql | local | PostgreSQL database for ... |
++----------+-----------+-----------+-----------------------------------------+
+| 465/udp | syslog | local | syslog port |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: Icinga2
+ single: MySQL
+ single: OpenERP
+ single: Postfix
+ single: PostgreSQL
+ single: cron
+ single: nginx
+ single: nrpe
+ single: openssh
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for ... | init script |
+| | | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL | PostgreSQL | init script |
+| | database server | :file:`/etc/init.d/postgresql` |
+| | for ... | |
++--------------------+--------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for ... | :file:`/etc/init.d/mysql` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission, ... | |
++--------------------+--------------------+----------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission, ... | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++-------------+--------------+---------------------------+
+| RDBMS | Name | Used for |
++=============+==============+===========================+
+| MySQL | application1 | fictional application one |
++-------------+--------------+---------------------------+
+| PostgreSQL | application2 | fictional application two |
++-------------+--------------+---------------------------+
+
+Running Guests
+--------------
+
++----------------+-------------+---------------+---------+---------------+
+| Machine | IP Intranet | IP Internet | Ports | Purpose |
++================+=============+===============+=========+===============+
+| :doc:`machine` | <LOCAL IP> | <INTERNET IP> | <PORTS> | <DESCRIPTION> |
++----------------+-------------+---------------+---------+---------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* crl.cacert.org (rsync) for getting CRLs
+
+Security
+========
+
+.. add the MD5 fingerprints of the SSH host keys
+
+.. sshkeys::
+ :RSA:
+ :DSA:
+ :ECDSA:
+ :ED25519:
+
+Dedicated user roles
+--------------------
+
+.. If the system has some dedicated user groups besides the sudo group used for
+ administration it should be documented here Regular operating system groups
+ should not be documented
+
++-------------+-----------------------------+
+| Group | Purpose |
++=============+=============================+
+| <groupname> | <short purpose description> |
++-------------+-----------------------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+.. * None
+ or
+ * List of non-distribution packages and modifications (with some
+ explaination why no distribution package could be used)
+
+Risk assessments on critical packages
+-------------------------------------
+
+.. add a paragraph for each known risk. The risk has to be described.
+ Mitigation or risk acceptance has to be documented.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. use the sslcert directive to have certificates added to the certificate list
+ automatically
+
+.. sslcert:: template.cacert.org
+ :altnames:
+ :certfile:
+ :keyfile:
+ :serial:
+ :expiration:
+ :sha1fp:
+ :issuer:
+
+.. for certificates that are orginally created on another host use
+
+.. sslcert:: other.cacert.org
+ :certfile:
+ :keyfile:
+ :serial:
+ :secondary:
+
+.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
+ * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+<service_x> configuration
+-------------------------
+
+.. add a section for the configuration of each service where configuration
+ deviates from OS package defaults
+
+Tasks
+=====
+
+Planned
+-------
+
+.. add a paragraph or todo directive for each larger planned task. You may want
+ to link to specific issues if you use some issue tracker.
+
+Changes
+=======
+
+System Future
+-------------
+
+.. use this section to describe any plans for the system future. These are
+ larger plans like moving to another host, abandoning the system or replacing
+ its funtionality with something else.
+
+.. * No plans
+
+Additional documentation
+========================
+
+.. add inline documentation
+
+.. remove unneeded links from the list below, add other links that apply
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+ * :wiki:`PostfixConfiguration`
+ * :wiki:`QmailConfiguration`
+ * :wiki:`SendmailConfiguration`
+ * :wiki:`StunnelConfiguration`
+
+References
+----------
+
+.. can be used to provide links to reference documentation
+ * http://product.site.com/docs/
+ * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]
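Review bot: in the "Listening services" table the row `465/udp | syslog` is wrong in both columns: syslog over UDP uses 514/udp, while 465/tcp is SMTPS. Because this file is the template that gets copied into every critical-system page, fix it here before it propagates. The `:doc:` cross-references `infra02`, `monitor`, `emailout` and `machine` are copied from the systems template, but this file lives in `docs/critical/`, so they need the `../systems/infra02` form (the `:doc:`../network`` reference in "Logical Location" already does this). Typos: `explaination`, `orginally`, `funtionality`.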
diff --git a/docs/critical/webdb.rst b/docs/critical/webdb.rst
new file mode 100644
index 0000000..4cb1cb7
--- /dev/null
+++ b/docs/critical/webdb.rst
@@ -0,0 +1,6 @@
+=====
+Webdb
+=====
+
+.. copy content structure from critical/template.rst and adapt to the needs for
+ this system
diff --git a/docs/downloads/template_new_community_mailaddress.rfc822 b/docs/downloads/template_new_community_mailaddress.rfc822
new file mode 100644
index 0000000..3dd8118
--- /dev/null
+++ b/docs/downloads/template_new_community_mailaddress.rfc822
@@ -0,0 +1,19 @@
+Subject: Your new cacert.org address
+Reply-To: email-admin@cacert.org
+
+Hello,
+
+your new address <firstname.lastname>@cacert.org has just been setup in the
+cacert email system.
+
+The initial password is <password>.
+
+Please get a client certificate for this address and reset your password via
+[1] as documented in the wiki [2].
+
+[1] https://community.cacert.org/password.php as documented in
+[2] https://wiki.cacert.org/Technology/TechnicalSupport/EndUserSupport/CommunityE-Mail
+
+
+Best regards
+<mail admin name>
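Review bot: the reference block is garbled; `[1] https://community.cacert.org/password.php as documented in` carries a dangling "as documented in" that belongs to the sentence above it, so the line should read just `[1] https://community.cacert.org/password.php`. Consider also whether the initial password should travel in the same cleartext mail that announces the address at all; the template already directs the recipient to obtain a client certificate and reset the password via [1], so a short-lived one-time password or out-of-band delivery would limit the exposure if that mail is read in transit or found in a mailbox later.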
diff --git a/docs/glossary.rst b/docs/glossary.rst
index 02977b4..95344ea 100644
--- a/docs/glossary.rst
+++ b/docs/glossary.rst
@@ -2,9 +2,13 @@ Glossary
========
.. glossary::
+ :sorted:
LXC
- `Linux Containers <https://linuxcontainers.org/>`_
+ LXC is a userspace interface to the Linux kernel containment features.
+ See `The LXC introduction
+ <https://linuxcontainers.org/lxc/introduction/>`_ on the Linux containers
+ website for more information
Container
A container is an isolated system with a separate root file system and
@@ -20,3 +24,39 @@ Glossary
reboot. LVM provides snapshot functionality that is useful for backup and
upgrade procedures.
+ Infrastructure Team Lead
+ This person is appointed to coordinate the non-critical infrastructure
+ team by a board motion. The Infrastructure Team Lead works with
+ :term:`Infrastructure Administrators <Infrastructure Administrator>` and
+ the :term:`Critical System Administrators <Critical System
+ Administrator>`.
+
+ Infrastructure Administrator
+ Infrastructure Administrators have :program:`sudo` access to one or
+ multiple infrastructure systems. Most of them are :term:`Application
+ Administrators <Application Administrator>` too.
+
+ Critical System Administrator
+ The Critical System Administrators take care of the critical systems
+ required for the CA and RA operation, they have access to the Internet
+ firewall and DNS setup.
+
+ Application Administrator
+ An Application Administrator takes care of the functionality of one or
+ more server applications. Application Administrators do not necessarily
+ need system level access if the managed application has other means of
+ administration, for example a web based administration frontend.
+
+ DKIM
+ Domain Key Identified Mail
+ A mechanism where legitimate mail for a domain is verifiable by a
+ signature in a mail header and a corresponding public key in a specific
+ :term:`DNS` record. Outgoing mail servers for the domain have to be
+ configured to add the necessary signature to mails for their domains.
+
+ DNS
+ Domain Name System
+ DNS maps names to other information, the most well known use case is
+ mapping human readable names to IP addresses, but their are more
+ applications for DNS like service discovery, storage of public keys and
+ other public information.
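Review bot: the DKIM expansion is wrong: the acronym stands for "DomainKeys Identified Mail" (RFC 6376), not "Domain Key Identified Mail". In the DNS entry, `their are more` should read `there are more`, and the sentence would read better split after "IP addresses".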
diff --git a/docs/images/CAcert-logo-colour.svg b/docs/images/CAcert-logo-colour.svg
new file mode 100644
index 0000000..0d8e071
--- /dev/null
+++ b/docs/images/CAcert-logo-colour.svg
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+ xmlns:dc="http://purl.org/dc/elements/1.1/"
+ xmlns:cc="http://creativecommons.org/ns#"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:svg="http://www.w3.org/2000/svg"
+ xmlns="http://www.w3.org/2000/svg"
+ version="1.1"
+ width="510"
+ height="116.25"
+ id="svg3020"
+ xml:space="preserve"><metadata
+ id="metadata3026"><rdf:RDF><cc:Work
+ rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
+ rdf:resource="http://purl.org/dc/dcmitype/StillImage" /><dc:title></dc:title></cc:Work></rdf:RDF></metadata><defs
+ id="defs3024" /><g
+ transform="matrix(1.25,0,0,-1.25,0,116.25)"
+ id="g3028"><g
+ transform="scale(0.1,0.1)"
+ id="g3030"><path
+ d="m 2031.75,34.9688 c -56.31,0 -107.84,6.4062 -154.59,19.2812 -46.35,12.8438 -86.77,32.6562 -121.25,59.469 -34.1,26.781 -60.53,60.531 -79.3,101.312 -18.77,40.75 -28.16,88.469 -28.16,143.125 0,57.656 9.96,107.375 29.88,149.219 20.29,41.844 48.47,76.531 84.48,104.063 34.86,26.062 75.08,45.156 120.67,57.25 45.6,12.124 92.91,18.187 141.94,18.187 44.06,0 84.67,-4.594 121.85,-13.781 37.15,-9.156 71.82,-21.094 104,-35.782 l 0,-169.031 -29.3,0 c -8.05,6.594 -17.83,14.281 -29.31,23.094 -11.11,8.844 -24.91,17.469 -41.38,25.937 -15.7,8.032 -32.95,14.688 -51.72,19.782 -18.78,5.531 -40.61,8.25 -65.51,8.25 -55.17,0 -97.69,-16.875 -127.58,-50.625 -29.49,-33.438 -44.25,-78.907 -44.25,-136.563 0,-59.468 15.12,-104.625 45.4,-135.406 30.66,-30.875 73.94,-46.281 129.88,-46.281 26.05,0 49.42,2.781 70.11,8.25 21.06,5.875 38.5,12.687 52.3,20.375 13.01,7.344 24.51,15.062 34.47,23.125 9.96,8.093 19.15,15.969 27.59,23.687 l 29.3,0 0,-169.031 C 2218.72,68.1875 2184.61,56.6562 2148.98,48.1875 2113.73,39.375 2074.66,34.9688 2031.75,34.9688"
+ id="path3032"
+ style="fill:#11568c;fill-opacity:1;fill-rule:nonzero;stroke:none" /><path
+ d="m 2980.95,330.895 -458.79,0 c 2.97,-50.008 21.54,-88.27 55.68,-114.79 34.52,-26.519 85.19,-39.777 152,-39.777 42.32,0 83.33,7.766 123.05,23.297 39.72,15.535 71.08,32.203 94.09,50.008 l 22.27,0 0,-164.2268 c -45.28,-18.5624 -87.96,-32.0117 -128.05,-40.3476 -40.09,-8.332 -84.45,-12.5 -133.07,-12.5 -125.46,0 -221.6,28.7891 -288.41,86.3754 -66.81,57.582 -100.22,139.601 -100.22,246.058 0,105.317 31.55,188.664 94.65,250.035 63.47,61.75 150.33,92.625 260.57,92.629 101.71,-0.004 178.17,-26.332 229.39,-78.992 51.22,-52.277 76.84,-127.668 76.84,-226.168 l 0,-71.601 m -199.33,119.906 c -1.11,42.808 -11.51,75.008 -31.18,96.601 -19.67,21.594 -50.3,32.391 -91.87,32.395 -38.6,-0.004 -70.34,-10.231 -95.2,-30.688 -24.87,-20.457 -38.79,-53.23 -41.76,-98.308 l 260.01,0"
+ id="path3034"
+ style="fill:#11568c;fill-opacity:1;fill-rule:nonzero;stroke:none" /><path
+ d="m 3514.54,477.766 -18.23,0 c -8.74,2.953 -22.79,5.172 -42.17,6.656 -19.38,1.484 -35.53,2.234 -48.44,2.234 -29.26,0 -55.09,-1.859 -77.5,-5.562 -22.42,-3.703 -46.55,-10 -72.39,-18.891 l 0,-417.5155 -205.16,0 0,623.5005 205.16,0 0,-91.594 c 45.21,37.75 84.54,62.734 117.98,74.937 33.42,12.594 64.2,18.875 92.31,18.875 7.22,0 15.39,-0.172 24.51,-0.547 9.12,-0.375 17.1,-0.921 23.93,-1.671 l 0,-190.422"
+ id="path3036"
+ style="fill:#11568c;fill-opacity:1;fill-rule:nonzero;stroke:none" /><path
+ d="m 3874.46,836.262 -207.5,-80.5 0,-94.75 -85.75,0 0,-133.5 85.75,0 0,-287 c 0,-75.071 19.63,-128.028 59,-159.0003 39.74,-30.9805 99.97,-46.5 181,-46.5 36.27,0 67.16,1.7188 92.25,5 25.08,2.9141 48.61,7.0313 71,12.5 l 0,135.0003 -17.25,0 c -6.95,-3.645 -19.25,-7.633 -37,-12 -17.37,-4.375 -31.45,-6.504 -42.25,-6.5 -26.24,-0.008 -46.36,3.461 -60.25,10.75 -13.51,7.652 -23.1,17.988 -28.5,30.75 -5.79,12.754 -8.87,27.211 -9.25,43.25 -0.39,16.035 -0.5,34.746 -0.5,56.25 l 0,217.5 195,0 0,133.5 -195,0 0,175.25 -0.75,0"
+ id="path3038"
+ style="fill:#11568c;fill-opacity:1;fill-rule:nonzero;stroke:none" /><path
+ d="m 439.125,20.2734 c -62.25,0 -119.813,9.1875 -172.687,27.5625 -52.5,18.375 -97.688,45.75 -135.563,82.1251 C 93,166.336 63.5625,211.711 42.5625,266.086 21.9375,320.461 11.625,383.273 11.625,454.523 c 0,66.375 9.9375,126.563 29.8125,180.563 19.875,53.996 48.75,100.309 86.6245,138.937 36.376,37.122 81.376,65.809 135,86.063 54,20.246 112.876,30.371 176.626,30.375 35.25,-0.004 66.933,-2.066 95.062,-6.188 28.496,-3.753 54.746,-8.816 78.75,-15.187 25.121,-7.129 47.809,-15.191 68.062,-24.188 20.622,-8.628 38.622,-16.691 54,-24.187 l 0,-203.063 -24.75,0 c -10.503,9 -23.816,19.684 -39.937,32.063 -15.754,12.371 -33.754,24.559 -54,36.562 -20.629,11.997 -42.941,22.122 -66.937,30.375 -24.004,8.247 -49.688,12.372 -77.063,12.375 -30.375,-0.003 -59.25,-4.878 -86.625,-14.625 -27.375,-9.378 -52.688,-25.128 -75.938,-47.25 -22.124,-21.378 -40.124,-49.687 -54,-84.937 -13.5,-35.25 -20.25,-78 -20.25,-128.25 0,-52.5 7.313,-96.375 21.938,-131.625 15,-35.25 33.75,-63 56.25,-83.25 22.875,-20.625 48.375,-35.438 76.5,-44.438 28.125,-8.625 55.875,-12.937 83.25,-12.937 26.25,0 52.121,3.937 77.625,11.812 25.871,7.875 49.684,18.563 71.437,32.063 18.372,10.875 35.434,22.5 51.188,34.875 15.746,12.375 28.684,23.062 38.812,32.062 l 22.5,0 0,-200.2496 c -21.003,-9.375 -41.066,-18.1875 -60.187,-26.4375 -19.129,-8.25 -39.191,-15.375 -60.187,-21.375 -27.379,-7.875 -53.067,-13.875 -77.063,-18 -24.004,-4.125 -57,-6.1875 -99,-6.1875"
+ id="path3040"
+ style="fill:#11568c;fill-opacity:1;fill-rule:nonzero;stroke:none" /><path
+ d="m 1672.23,45.082 -223.31,0 -57.94,169.313 -310.5,0 -57.94,-169.313 -217.685,0 309.375,837.563 248.63,0 309.37,-837.563 m -333.56,322.875 -102.94,300.375 -102.94,-300.375 205.88,0"
+ id="path3042"
+ style="fill:#11568c;fill-opacity:1;fill-rule:nonzero;stroke:none" /><path
+ d="m 529.656,684.461 c -36.738,-1.871 -77.344,-32.203 -81.344,-73.883 -4.417,-45.98 17.786,-71.976 51.626,-89.816 16.921,-8.922 36.476,-11.504 56.164,-8.313 19.683,3.192 38.996,12.778 52.886,32.239 5.774,8.136 3.856,19.41 -4.281,25.183 -8.137,5.774 -19.41,3.856 -25.184,-4.281 -8.914,-12.488 -18.597,-15.906 -29.214,-17.629 -10.618,-1.723 -22.473,-1.027 -33.497,4.785 -22.046,11.621 -34.374,29.988 -32.992,54.609 1.391,24.7 26.168,40.575 49.614,41.09 23.449,0.52 45.949,-10.675 53.894,-41.804 0.942,-6.871 5.746,-12.473 12.344,-14.606 6.594,-2.137 13.851,-0.488 18.637,4.531 4.781,5.02 6.226,12.403 3.777,18.887 -11.832,46.344 -52.047,69.836 -89.66,69.008 -0.879,-0.02 -1.887,0.043 -2.77,0 z M 25.9648,673.129 c -0.5546,-0.07 -1.0859,-0.332 -1.5117,-0.504 -0.125,-0.055 -0.3906,-0.191 -0.5039,-0.254 -0.0351,-0.023 -0.2187,-0.226 -0.25,-0.25 -0.0664,-0.051 -0.1953,-0.199 -0.2539,-0.254 -0.0547,-0.055 -0.1992,-0.191 -0.25,-0.25 -0.0234,-0.031 -0.2305,-0.219 -0.2539,-0.254 -0.0586,-0.101 -0.207,-0.39 -0.25,-0.504 -0.0156,-0.035 0.0117,-0.211 0,-0.25 -0.0352,-0.117 -0.2305,-0.375 -0.2539,-0.504 -0.0039,-0.043 0.0078,-0.207 0,-0.25 -0.4102,-4.816 14.4805,-20.425 20.4023,-26.445 6.1016,-6.211 56.5235,-46.558 84.8712,-65.73 28.527,-19.297 94.066,-54.223 110.812,-62.461 16.594,-8.16 68.145,-29.715 102.25,-40.043 58.672,-17.77 118.954,-28.031 177.297,-32.488 58.348,-4.454 114.86,-2.961 165.969,3.023 102.219,11.965 184,38.824 222.379,85.879 19.191,23.527 29.098,61.598 7.305,85.375 -23.711,25.871 -78.68,46.996 -82.102,47.097 -0.191,0 -0.582,0.012 -0.754,0 -0.113,-0.011 -0.402,0.016 -0.504,0 -0.051,-0.011 -0.203,0.012 -0.254,0 -0.047,-0.015 -0.207,-0.238 -0.25,-0.253 -0.043,-0.016 -0.211,0.019 -0.254,0 -0.117,-0.055 -0.398,-0.18 -0.503,-0.25 -0.032,-0.028 -0.219,-0.227 -0.25,-0.254 -0.028,-0.028 -0.227,-0.223 -0.254,-0.25 -0.067,-0.098 -0.196,-0.395 -0.25,-0.504 -0.043,-0.117 -0.223,-0.375 -0.254,-0.504 -0.016,-0.086 0.011,-0.41 0,-0.504 -0.004,-0.047 0.004,-0.203 0,-0.254 0,-0.047 
0,-0.199 0,-0.25 0.316,-8.516 16.094,-27.164 27.785,-40.113 9.016,-9.981 16.566,-16.922 19.832,-21.176 12.211,-15.898 3.715,-27.934 -4.047,-39.703 -18.082,-27.414 -96.656,-58.742 -192.914,-70.012 -48.129,-5.633 -101.41,-6.867 -156.398,-2.519 -54.985,4.347 -111.622,14.078 -166.719,30.726 -37.449,11.317 -88.692,31.836 -107.539,39.793 -19.356,8.168 -77.43,36.235 -97.215,46.086 -19.625,9.774 -93.2384,55.328 -99.2267,59.688 -5.9882,4.359 -21.3007,9.871 -25.6875,9.32 z M 442.52,410.703 c -1.821,-0.109 -3.649,-0.5 -5.04,-1.008 -0.453,-0.175 -1.101,-0.535 -1.511,-0.754 -0.199,-0.113 -0.567,-0.382 -0.754,-0.503 -0.184,-0.126 -0.582,-0.368 -0.754,-0.504 -0.227,-0.188 -0.555,-0.551 -0.758,-0.754 -0.199,-0.211 -0.578,-0.532 -0.754,-0.758 -0.129,-0.172 -0.387,-0.574 -0.504,-0.754 -0.3,-0.496 -0.539,-1.203 -0.757,-1.766 -0.254,-0.711 -0.629,-1.707 -0.754,-2.515 -1.094,-8.11 4.429,-21.043 16.371,-36.266 23.273,-29.68 22.093,-53.344 22.414,-80.844 0.316,-27.5 -17.395,-56.957 -41.051,-84.621 C 401.41,167.785 370.586,140.562 342.559,118.773 314.715,97.1289 260.012,63.6016 242.551,50.0586 225.332,36.707 212,28.3867 209.309,20.8477 c -0.153,-0.4532 -0.418,-1.086 -0.504,-1.5118 -0.063,-0.3554 0.019,-0.9257 0,-1.2617 -0.004,-0.1992 -0.012,-0.5625 0,-0.7539 0.015,-0.1914 -0.032,-0.5703 0,-0.7578 0.039,-0.1797 0.195,-0.5781 0.25,-0.7539 0.043,-0.1133 0.207,-0.3906 0.254,-0.5039 0.05,-0.1094 0.191,-0.3945 0.25,-0.5039 0.129,-0.211 0.347,-0.5586 0.503,-0.7539 0.043,-0.0508 0.211,-0.2071 0.254,-0.2539 0.043,-0.0469 0.204,-0.2032 0.25,-0.25 0.051,-0.0469 0.204,-0.2071 0.254,-0.2539 0.625,-0.5196 1.614,-1.1211 2.52,-1.5118 6.336,-2.56246 19.394,-1.97652 39.539,3.5274 15.758,4.3086 34.66,10.8086 47.348,15.6133 13.023,4.9375 74.964,38.4648 109,63.1523 33.785,24.5077 71.421,62.1407 87.437,83.1717 15.879,20.848 41.262,53.235 43.32,118.367 1.371,43.528 -8.191,72.75 -54.902,99.731 -19.402,11.207 -33.578,15.898 -42.562,15.363"
+ id="path3044"
+ style="fill:#00be00;fill-opacity:1;fill-rule:evenodd;stroke:none" /><path
+ d="m 1298.29,33.0547 c -64.72,19.7617 -128.5,42.1328 -168.77,74.4333 -42.17,33.824 -51.52,48.008 -75.3,80.746 -29.81,41.043 -59.63,125.993 -62.228,205.957 -1.933,59.375 6.25,107.641 25.268,151.563 16.31,37.664 50.72,85.133 66.86,83.586 16.79,-1.613 12.79,-22.199 1.8,-68.606 -12.97,-54.804 -14.7,-69.25 -14.78,-123.539 -0.1,-65.406 6,-96.316 28.15,-162.394 9.16,-27.34 20.57,-61.301 52.72,-97.508 25.63,-28.879 61.73,-56.82 127.17,-93.0274 52.63,-29.1172 66.92,-42.0234 67.68,-50.7422 0.35,-3.9531 -3.72,-6.789 -10.93,-6.9336 -9.68,-0.2031 -23.7,2.211 -37.64,6.4649 z m 219.34,469.2573 c -42.18,10.309 -58.18,20.684 -88.8,33.672 -96.79,41.055 -164.89,71.496 -185.55,78.805 -27.01,9.551 -112.64,39.285 -163.57,51.039 -57.65,13.309 -142.409,29.652 -175.3,31.434 -29.926,1.621 -72.531,-2.672 -90.598,-12.86 -21.546,-12.152 -18.187,-34.172 9.403,-79.953 4.918,-8.16 9.805,-13.461 7.773,-16.984 -1.883,-3.27 -12.652,-0.403 -21.808,3.894 -12.336,5.786 -29.75,23.145 -39.18,37.668 -22.016,33.914 -9.391,79.172 30.613,101.153 28.953,15.906 60.739,19.273 126.742,13.832 73.885,-6.094 143.355,-26.278 176.195,-36.188 180.42,-54.453 245.08,-80.371 317.15,-119.347 33.6,-18.176 63.75,-39.961 71.71,-44.762 6.56,-3.953 29.91,-18.887 40.27,-29.125 4.14,-4.094 5.63,-7.664 4.93,-9.129 -1.52,-3.176 -15.1,-4.34 -19.98,-3.149 z m -467.18,247.145 c -13.3,5.957 -22.54,18.926 -29.18,31.254 -4.52,8.375 -7.28,21.266 -6.57,35.387 0.71,14.113 1.87,25.601 10.46,43.691 11.5,24.199 28.57,41.508 51.45,52.16 14.78,6.883 17.58,7.863 36.23,7.906 18.8,0.04 24.33,-3.253 34.76,-9.316 13.03,-7.57 19.42,-18.258 23.87,-28.062 4.41,-9.68 6.72,-16.102 6.87,-33.622 0.14,-17.671 -4.96,-37.812 -21.27,-63.027 -8,-12.375 -21.5,-24.558 -41.88,-36.012 -14.21,-7.988 -43.3,-9.964 -64.74,-0.359 z m 60.84,33.828 c 18.94,16.098 25.2,29.086 26.87,54.242 1.75,26.485 -19.08,44.25 -28.66,45.25 -25.17,2.621 -47.61,-15.839 -52.81,-50.113 -1.11,-7.344 -0.44,-14.316 2.39,-25.043 3.08,-11.683 10.74,-23.902 23.13,-27.586 12.77,-3.793 
22.57,-0.824 29.08,3.25"
+ id="path3046"
+ style="fill:#c7ff00;fill-opacity:1;fill-rule:nonzero;stroke:none" /></g></g></svg> \ No newline at end of file
diff --git a/docs/images/favicon.ico b/docs/images/favicon.ico
new file mode 100644
index 0000000..3c9c9c2
--- /dev/null
+++ b/docs/images/favicon.ico
Binary files differ
diff --git a/docs/index.rst b/docs/index.rst
index 17a4e83..271aefc 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -1,26 +1,24 @@
-.. CAcert infrastructure documentation master file, created by
- sphinx-quickstart on Wed Apr 13 19:34:10 2016.
- You can adapt this file completely to your liking, but it should at least
- contain the root `toctree` directive.
+CAcert infrastructure documentation
+===================================
-Welcome to CAcert infrastructure's documentation!
-=================================================
+This documentation aims to describe the current status of CAcert's technical
+infrastructure.
-This documentation aims to describe the current status of CAcert's
-infrastructure systems. The goal is to provide a more practical way to publish
-the documentation.
-
-Contents:
+Table of Contents
+=================
.. toctree::
- :maxdepth: 2
+ :maxdepth: 1
+ critical
systems
network
iplist
sshkeys
certlist
+ people
glossary
+ building
Indices and tables
diff --git a/docs/network.rst b/docs/network.rst
index 33e79f2..b8262f0 100644
--- a/docs/network.rst
+++ b/docs/network.rst
@@ -2,11 +2,11 @@ Network
=======
.. this page contains information from the IP address list at
- https://wiki.cacert.org/SystemAdministration/IPList
+ :wiki:`SystemAdministration/IPList`
.. seealso::
- https://wiki.cacert.org/SystemAdministration/IPList
+ :wiki:`SystemAdministration/IPList`
Internet
diff --git a/docs/patches/openerp/account.py.patch b/docs/patches/openerp/account.py.patch
new file mode 100644
index 0000000..c0157fe
--- /dev/null
+++ b/docs/patches/openerp/account.py.patch
@@ -0,0 +1,27 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account/account.py 2015-01-25 22:56:20.528382003 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account/account.py 2015-01-25 23:32:37.088302059 +0000
+@@ -234,7 +234,7 @@
+ pos = 0
+ while pos < len(domain):
+ if domain[pos][0] == 'code' and domain[pos][1] in ('like', 'ilike') and domain[pos][2]:
+- domain[pos] = ('code', '=like', tools.ustr(domain[pos][2].replace('%', '')) + '%')
++ domain[pos] = ('code', '=ilike', tools.ustr(domain[pos][2].replace('%', '')) + '%')
+ if domain[pos][0] == 'journal_id':
+ if not domain[pos][2]:
+ del domain[pos]
+@@ -583,13 +583,13 @@
+ pass
+ if name:
+ if operator not in expression.NEGATIVE_TERM_OPERATORS:
+- ids = self.search(cr, user, ['|', ('code', '=like', name+"%"), '|', ('shortcut', '=', name), ('name', operator, name)]+args, limit=limit)
++ ids = self.search(cr, user, ['|', ('code', '=ilike', name+"%"), '|', ('shortcut', '=', name), ('name', operator, name)]+args, limit=limit)
+ if not ids and len(name.split()) >= 2:
+ #Separating code and name of account for searching
+ operand1,operand2 = name.split(' ',1) #name can contain spaces e.g. OpenERP S.A.
+ ids = self.search(cr, user, [('code', operator, operand1), ('name', operator, operand2)]+ args, limit=limit)
+ else:
+- ids = self.search(cr, user, ['&','!', ('code', '=like', name+"%"), ('name', operator, name)]+args, limit=limit)
++ ids = self.search(cr, user, ['&','!', ('code', '=ilike', name+"%"), ('name', operator, name)]+args, limit=limit)
+ # as negation want to restric, do if already have results
+ if ids and len(name.split()) >= 2:
+ operand1,operand2 = name.split(' ',1) #name can contain spaces e.g. OpenERP S.A.
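Review bot: the patch file carries no header explaining its purpose, so a reader cannot tell from the file alone that the change switches account-code lookups from case-sensitive `=like` to case-insensitive `=ilike` in both the domain rewrite and the two `name_search` branches. Add a one-line comment above the first `---` line stating the intent and the OpenERP version it was taken from (the timestamps say 2015-01-25). Note also that the target paths are the distro-installed files under `/usr/lib/python2.7/dist-packages`, which a package upgrade will overwrite; the docs that reference this patch should say how and when it is reapplied.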
diff --git a/docs/patches/openerp/account_followup_paypal.patch b/docs/patches/openerp/account_followup_paypal.patch
new file mode 100644
index 0000000..9ac9958
--- /dev/null
+++ b/docs/patches/openerp/account_followup_paypal.patch
@@ -0,0 +1,38 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py 2015-01-25 18:39:56.719266967 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py 2015-01-25 18:41:39.620003461 +0000
+@@ -21,6 +21,7 @@
+
+ from openerp.osv import fields, osv
+ from lxml import etree
++from urllib import urlencode
+
+ from openerp.tools.translate import _
+
+@@ -274,10 +275,25 @@
+ strbegin = "<TD><B>"
+ strend = "</B></TD>"
+ followup_table +="<TR>" + strbegin + str(aml['date']) + strend + strbegin + aml['name'] + strend + strbegin + (aml['ref'] or '') + strend + strbegin + str(date) + strend + strbegin + str(aml['balance']) + strend + strbegin + block + strend + "</TR>"
+- total = rml_parse.formatLang(total, dp='Account', currency_obj=currency)
+ followup_table += '''<tr> </tr>
+ </table>
+- <center>''' + _("Amount due") + ''' : %s </center>''' % (total)
++ <center>''' + _("Amount due") + ''' : %s </center>''' % (rml_parse.formatLang(total, dp='Account', currency_obj=currency))
++ # Add PayPal link if available to allow direct payment
++ if company.paypal_account:
++ params = {
++ "cmd": "_xclick",
++ "business": company.paypal_account,
++ "item_name": "%s Amount Due in %s" % (company.name, currency.name or ''),
++ "invoice": currency_dict['line'][0]['name'],
++ "amount": total,
++ "currency_code": currency.name,
++ "button_subtype": "services",
++ "bn": "OpenERP_Invoice_PayNow_" + currency.name,
++ }
++ followup_table += '''
++ <center><a href="%s">
++ <img class="oe_edi_paypal_button" src="https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif" alt="Pay directly with PayPal"/>
++ </a></center>''' % ("https://www.paypal.com/cgi-bin/webscr?" + urlencode(params))
+ return followup_table
+
+ def write(self, cr, uid, ids, vals, context=None):
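Review bot: the new `params` dict guards `currency.name` only in `item_name` (`currency.name or ''`), but `"bn": "OpenERP_Invoice_PayNow_" + currency.name` will raise `TypeError` and `currency_code` will be `None` when the currency has no name; guard once, for example `curname = currency.name or ''`, and use it in all three places. `currency_dict['line'][0]['name']` also assumes at least one line is present. Finally, the query string produced by `urlencode(params)` is placed into the `href` attribute without HTML escaping, so the literal `&` separators should be written as `&amp;` (the values themselves are URL-encoded, so no quoting characters leak into the attribute, but the markup is not well-formed).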
diff --git a/docs/patches/openerp/account_followup_print.patch b/docs/patches/openerp/account_followup_print.patch
new file mode 100644
index 0000000..a0b83d0
--- /dev/null
+++ b/docs/patches/openerp/account_followup_print.patch
@@ -0,0 +1,10 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py 2015-04-20 01:07:31.357995387 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py 2015-04-20 01:09:21.314693739 +0000
+@@ -58,7 +58,6 @@
+ ('reconcile_id', '=', False),
+ ('state', '!=', 'draft'),
+ ('company_id', '=', company_id),
+- ('date_maturity', '<=', fields.date.context_today(self,self.cr,self.uid)),
+ ])
+
+ # lines_per_currency = {currency: [line data, ...], ...}
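Review bot: dropping the `('date_maturity', '<=', fields.date.context_today(...))` clause means follow-up reports now include open lines that are not yet due, not only overdue ones; that is a behavioural change worth stating in a header comment in the patch file so nobody later "fixes" it back.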
diff --git a/docs/patches/openerp/invoice.py.patch b/docs/patches/openerp/invoice.py.patch
new file mode 100644
index 0000000..93f1217
--- /dev/null
+++ b/docs/patches/openerp/invoice.py.patch
@@ -0,0 +1,10 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py 2014-07-19 14:44:57.389199363 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py 2014-07-19 14:45:21.745410574 +0000
+@@ -271,7 +271,6 @@
+ "amount": inv.residual,
+ "currency_code": inv.currency_id.name,
+ "button_subtype": "services",
+- "no_note": "1",
+ "bn": "OpenERP_Invoice_PayNow_" + inv.currency_id.name,
+ }
+ res[inv.id] = "https://www.paypal.com/cgi-bin/webscr?" + url_encode(params)
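Review bot: removing `"no_note": "1"` re-enables the free-text note field on the PayPal checkout page; a one-line comment in the patch saying why that field is wanted would make the intent clear, since the hunk otherwise reads like an accidental deletion.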
diff --git a/docs/patches/openerp/py.js.patch b/docs/patches/openerp/py.js.patch
new file mode 100644
index 0000000..a172396
--- /dev/null
+++ b/docs/patches/openerp/py.js.patch
@@ -0,0 +1,18 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js 2013-06-16 23:26:30.660384152 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js 2013-06-16 23:30:02.035589446 +0000
+@@ -764,7 +764,14 @@
+
+ // Conversion
+ toJSON: function () {
+- throw new Error(this.constructor.name + ' can not be converted to JSON');
++ var out = {};
++ for(var k in this) {
++ if (this.hasOwnProperty(k) && !/^__/.test(k)) {
++ var val = this[k];
++ out[k] = val.toJSON ? val.toJSON() : val;
++ }
++ }
++ return out;
+ }
+ });
+ var NoneType = py.type('NoneType', null, {
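Review bot: `out[k] = val.toJSON ? val.toJSON() : val;` dereferences `val` before checking it, so an own property holding `null` or `undefined` throws a `TypeError` instead of being serialized; use `(val != null && typeof val.toJSON === 'function') ? val.toJSON() : val`. The hunk also turns a deliberate "can not be converted to JSON" error into silent serialization of all own non-`__` properties, which deserves a comment explaining which py.js objects this is meant for.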
diff --git a/docs/patches/openerp/view_form.js.patch b/docs/patches/openerp/view_form.js.patch
new file mode 100644
index 0000000..8628865
--- /dev/null
+++ b/docs/patches/openerp/view_form.js.patch
@@ -0,0 +1,15 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js 2013-01-29 15:03:35.053098527 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js 2013-01-29 15:08:27.372588389 +0000
+@@ -3176,7 +3176,11 @@
+ if (! no_recurse) {
+ var dataset = new instance.web.DataSetStatic(this, this.field.relation, self.build_context());
+ dataset.name_get([self.get("value")]).done(function(data) {
+- self.display_value["" + self.get("value")] = data[0][1];
++ var value = "";
++ if (data.length > 0 && data[0].length > 1) {
++ value = data[0][1];
++ }
++ self.display_value["" + self.get("value")] = value;
+ self.render_value(true);
+ });
+ }
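Review bot: the new guard avoids the `data[0][1]` crash on an empty `name_get` result, but it silently sets the display value to `""`, which hides a dangling reference from the user; consider falling back to the raw id (`"" + self.get("value")`) or logging the miss so the inconsistent record is noticed. The check `data[0].length > 1` also assumes `data[0]` is an array, which holds for `name_get` but is worth a comment.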
diff --git a/docs/people.rst b/docs/people.rst
new file mode 100644
index 0000000..91d2a92
--- /dev/null
+++ b/docs/people.rst
@@ -0,0 +1,93 @@
+===========
+People list
+===========
+
+.. _people_abahlo:
+
+Alexander Bahlo
+===============
+
+:roles: :term:`Application Administrator` on :doc:`systems/blog`
+:contact: alexander.bahlo@cacert.org
+
+.. _people_jandd:
+
+Jan Dittberner
+==============
+
+:roles: :term:`Infrastructure Team Lead`, :term:`Infrastructure Administrator`
+:contact: jandd@cacert.org
+:wiki: :wiki:`JanDittberner`
+:irc: jandd
+
+.. _people_martin:
+
+Martin Gummi
+============
+
+:roles: :term:`Infrastructure Administrator`
+:contact: martin.gummi@cacert.org
+
+.. _people_mario:
+
+Mario Lipinski
+==============
+
+:roles: :term:`Infrastructure Administrator`, former Team Lead
+:contact: mario@cacert.org
+
+.. _people_marcus:
+
+Marcus Mängel
+=============
+
+:roles: :term:`Application Administrator` on :doc:`systems/blog`
+:contact: marcus.maengel@cacert.org
+
+.. _people_mendel:
+
+Mendel Mobach
+=============
+
+:roles: :term:`Critical System Administrator`
+:contact: mendel@cacert.org
+
+.. _people_neo:
+
+Michael Tänzer
+==============
+
+:roles: :term:`Infrastructure Administrator`
+:contact: michael.taenzer@cacert.org
+
+.. _people_gero:
+
+Gero Treuner
+============
+
+:roles: :term:`Infrastructure Administrator`
+:contact: gero.treuner@cacert.org
+
+.. _people_ulrich:
+
+Ulrich Schröter
+===============
+
+:roles: :term:`Infrastructure Administrator`
+:contact: ulrich@cacert.org
+
+.. _people_jselzer:
+
+Jochim Selzer
+=============
+
+:roles: :term:`Infrastructure Administrator`
+:contact: jselzer@cacert.org
+
+.. _people_wytze:
+
+Wytze van der Raay
+==================
+
+:roles: :term:`Critical System Administrator`
+:contact: wytze@cacert.org
diff --git a/docs/sphinxext/__init__.py b/docs/sphinxext/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/docs/sphinxext/__init__.py
diff --git a/docs/sphinxext/cacert.py b/docs/sphinxext/cacert.py
new file mode 100644
index 0000000..9ec27a7
--- /dev/null
+++ b/docs/sphinxext/cacert.py
@@ -0,0 +1,671 @@
+# -*- python -*-
+# This module provides the following CAcert specific sphinx directives
+#
+# sslcert
+# sslcertlist
+# sshkeys
+# sshkeylist
+
+import re
+import os.path
+from ipaddress import ip_address
+
+from docutils import nodes
+from docutils.parsers.rst import Directive
+from docutils.parsers.rst import directives
+from docutils.parsers.rst import roles
+
+from sphinx import addnodes
+from sphinx.errors import SphinxError
+from sphinx.util.nodes import set_source_info, make_refnode, traverse_parent
+
+from dateutil.parser import parse as date_parse
+from validate_email import validate_email
+
+__version__ = '0.1.0'
+
+SUPPORTED_SSH_KEYTYPES = ('RSA', 'DSA', 'ECDSA', 'ED25519')
+
+
+class sslcert_node(nodes.General, nodes.Element):
+ pass
+
+
+class sslcertlist_node(nodes.General, nodes.Element):
+ pass
+
+
+class sshkeys_node(nodes.General, nodes.Element):
+ pass
+
+
+class sshkeylist_node(nodes.General, nodes.Element):
+ pass
+
+
+# mapping and validation functions for directive options
+
+def hex_int(argument):
+ value = int(argument, base=16)
+ return value
+
+
+def md5_fingerprint(argument):
+ value = argument.strip().lower()
+ if not re.match(r'^([0-9a-f]{2}:){15}[0-9a-f]{2}$', value):
+ raise ValueError('no correctly formatted SHA1 fingerprint')
+ return value
+
+
+def sha1_fingerprint(argument):
+ value = argument.strip().lower()
+ if not re.match(r'^([0-9a-f]{2}:){19}[0-9a-f]{2}$', value):
+ raise ValueError('no correctly formatted SHA1 fingerprint')
+ return value
+
+
+def is_valid_hostname(hostname):
+ if len(hostname) > 255:
+ return False
+ if hostname[-1] == ".": # strip exactly one dot from the right, if present
+ hostname = hostname[:-1]
+ allowed = re.compile("(?!-)[A-Z\d-]{1,63}(?<!-)$", re.IGNORECASE)
+ return all(allowed.match(x) for x in hostname.split("."))
+
+
+def is_valid_ipaddress(content):
+ try:
+ ip_address(content)
+ except ValueError:
+ return False
+ return True
+
+
+def subject_alternative_names(argument):
+ value = [san.strip().split(':', 1) for san in argument.split(',')]
+ for typ, content in value:
+ if typ == 'DNS':
+ if not is_valid_hostname(content):
+ raise ValueError("%s is no valid DNS name" % content)
+ elif typ == 'EMAIL':
+ if not validate_email(content):
+ raise ValueError("%s is not a valid email address" % content)
+ elif typ == 'IP':
+ if not is_valid_ipaddress(content):
+ raise ValueError("%s is not a valid IP address" % content)
+ else:
+ raise ValueError(
+ "handling of %s subject alternative names (%s) has not been "
+ "implemented" % (typ, content))
+ return value
+
+
+def expiration_date(argument):
+ return date_parse(directives.unchanged_required(argument))
+
+
+class CAcertSSLCert(Directive):
+ """
+ The sslcert directive implementation.
+
+ There must only be one instance of a certificate with the same CN and
+ serial number that is not flagged as secondary
+ """
+ final_argument_whitespace = True
+ required_arguments = 1
+ option_spec = {
+ 'certfile': directives.path,
+ 'keyfile': directives.path,
+ 'serial': hex_int,
+ 'expiration': expiration_date,
+ 'sha1fp': sha1_fingerprint,
+ 'altnames': subject_alternative_names,
+ 'issuer': directives.unchanged_required,
+ 'secondary': directives.flag
+ }
+
+ def run(self):
+ if 'secondary' in self.options:
+ missing = [
+ required for required in ('certfile', 'keyfile', 'serial')
+ if required not in self.options
+ ]
+ else:
+ missing = [
+ required for required in (
+ 'certfile', 'keyfile', 'serial', 'expiration', 'sha1fp',
+ 'issuer')
+ if required not in self.options
+ ]
+ if missing:
+ raise self.error(
+ "required option(s) '%s' is/are not set for %s." % (
+ "', '".join(missing), self.name))
+ sslcert = sslcert_node()
+ sslcert.attributes['certdata'] = self.options.copy()
+ sslcert.attributes['certdata']['cn'] = self.arguments[0]
+ set_source_info(self, sslcert)
+
+ env = self.state.document.settings.env
+ targetid = 'sslcert-%s' % env.new_serialno('sslcert')
+ targetnode = nodes.target('', '', ids=[targetid])
+ para = nodes.paragraph()
+ para.append(targetnode)
+ para.append(sslcert)
+ return [para]
+
+
+class CAcertSSLCertList(Directive):
+ """
+ The sslcertlist directive implementation
+ """
+ def run(self):
+ return [sslcertlist_node()]
+
+
+class CAcertSSHKeys(Directive):
+ """
+ The sshkeys directive implementation that can be used to specify the ssh
+ host keys for a host.
+ """
+ option_spec = {
+ keytype.lower(): md5_fingerprint for keytype in SUPPORTED_SSH_KEYTYPES
+ }
+ def run(self):
+ if len(self.options) == 0:
+ raise self.error(
+ "at least one ssh key fingerprint must be specified. The "
+ "following formats are supported: %s" % ", ".join(
+ SUPPORTED_SSH_KEYTYPES))
+ sshkeys = sshkeys_node()
+ sshkeys.attributes['keys'] = self.options.copy()
+ set_source_info(self, sshkeys)
+
+ env = self.state.document.settings.env
+ secid = 'sshkeys-%s' % env.new_serialno('sshkeys')
+
+ section = nodes.section(ids=[secid])
+ section += nodes.title(text='SSH host keys')
+ section += sshkeys
+ return [section]
+
+
+class CAcertSSHKeyList(Directive):
+ """
+ The sshkeylist directive implementation
+ """
+ def run(self):
+ return [sshkeylist_node()]
+
+
+def create_table_row(rowdata):
+ row = nodes.row()
+ for cell in rowdata:
+ entry = nodes.entry()
+ row += entry
+ entry += cell
+ return row
+
+
+def _create_interpreted_file_node(text, line=0):
+ return roles._roles['file']('', ':file:`%s`' % text,
+ text, line, None)[0][0]
+
+
+def _sslcert_item_key(item):
+ return "%s-%d" % (item['cn'], item['serial'])
+
+
+def _sshkeys_item_key(item):
+ return "%s" % os.path.basename(item['docname'])
+
+
+def _build_cert_anchor_name(cn, serial):
+ return 'cert_%s_%d' % (cn.replace('.', '_'), serial)
+
+
+def _format_subject_alternative_names(altnames):
+ return nodes.paragraph(text=", ".join(
+ [content for _, content in altnames]
+ ))
+
+
+def _place_sort_key(place):
+ return "%s-%d" % (place['docname'], place['lineno'])
+
+
+def _file_ref_paragraph(cert_info, filekey, app, env, docname):
+ para = nodes.paragraph()
+
+ places = [place for place in cert_info['places'] if place['primary']]
+ places.extend(sorted([
+ place for place in cert_info['places'] if not place['primary']],
+ key=_place_sort_key))
+
+ for pos in range(len(places)):
+ place = places[pos]
+ title = env.titles[place['docname']].astext().lower()
+ if place['primary'] and len(places) > 1:
+ reftext = nodes.strong(text=title)
+ else:
+ reftext = nodes.Text(title)
+ para += make_refnode(
+ app.builder, docname, place['docname'], place['target']['ids'][0],
+ reftext)
+ para += nodes.Text(":")
+ para += _create_interpreted_file_node(place[filekey])
+ if pos + 1 < len(places):
+ para += nodes.Text(", ")
+ return para
+
+
+def _format_serial_number(serial):
+ return nodes.paragraph(text="%d (0x%0x)" % (serial, serial))
+
+
+def _format_expiration_date(expiration):
+ return nodes.paragraph(text=expiration)
+
+
+def _format_fingerprint(fingerprint):
+ para = nodes.paragraph()
+ para += nodes.literal(text=fingerprint, classes=['fingerprint'])
+ return para
+
+
+def _get_cert_index_text(cert_info):
+ return "Certificate; %s" % cert_info['cn']
+
+
+def _get_formatted_keyentry(keys_info, algorithm):
+ entry = nodes.entry()
+ algkey = algorithm.lower()
+ if algkey in keys_info:
+ para = nodes.paragraph()
+ keyfp = nodes.literal(text=keys_info[algkey])
+ para += keyfp
+ else:
+ para = nodes.paragraph(text="-")
+ entry += para
+ return entry
+
+
+def process_sslcerts(app, doctree):
+ env = app.builder.env
+ if not hasattr(env, 'cacert_sslcerts'):
+ env.cacert_sslcerts = []
+
+ for node in doctree.traverse(sslcertlist_node):
+ if hasattr(env, 'cacert_certlistdoc'):
+ raise SphinxError(
+ "There must be one sslcertlist directive present in "
+ "the document tree only.")
+ env.cacert_certlistdoc = env.docname
+
+ for node in doctree.traverse(sslcert_node):
+ try:
+ targetnode = node.parent[node.parent.index(node) - 1]
+ if not isinstance(targetnode, nodes.target):
+ raise IndexError
+ except IndexError:
+ targetnode = None
+ certdata = node.attributes['certdata'].copy()
+ existing = [
+ cert_info for cert_info in env.cacert_sslcerts
+ if (cert_info['cn'], cert_info['serial']) ==
+ (certdata['cn'], certdata['serial'])
+ ]
+ place_info = {
+ 'docname': env.docname,
+ 'lineno': node.line,
+ 'certfile': certdata['certfile'],
+ 'keyfile': certdata['keyfile'],
+ 'primary': 'secondary' not in certdata,
+ 'target': targetnode,
+ }
+ if existing:
+ info = existing[0]
+ else:
+ info = {
+ 'cn': certdata['cn'],
+ 'serial': certdata['serial'],
+ 'places': [],
+ }
+ env.cacert_sslcerts.append(info)
+ info['places'].append(place_info)
+ if 'sha1fp' in certdata:
+ info['sha1fp'] = certdata['sha1fp']
+ if 'issuer' in certdata:
+ info['issuer'] = certdata['issuer']
+ if 'expiration' in certdata:
+ info['expiration'] = certdata['expiration']
+ if 'altnames' in certdata:
+ info['altnames'] = certdata['altnames'].copy()
+ indexnode = addnodes.index(entries=[
+ ('pair', _get_cert_index_text(info), targetnode['ids'][0],
+ '', None)
+ ])
+
+ bullets = nodes.bullet_list()
+ certitem = nodes.list_item()
+ bullets += certitem
+ certpara = nodes.paragraph()
+ certpara += nodes.Text('Certificate for CN %s, see ' % certdata['cn'])
+ refid = _build_cert_anchor_name(certdata['cn'], certdata['serial'])
+ detailref = addnodes.pending_xref(
+ reftype='certlistref', refdoc=env.docname, refid=refid,
+ reftarget='certlist'
+ )
+ detailref += nodes.Text("details in the certificate list")
+ certpara += detailref
+ certitem += certpara
+
+ subbullets = nodes.bullet_list()
+ bullets += subbullets
+ item = nodes.list_item()
+ subbullets += item
+ certfile = nodes.paragraph(text="certificate in file ")
+ certfile += _create_interpreted_file_node(
+ certdata['certfile'], node.line)
+ item += certfile
+ item = nodes.list_item()
+ subbullets += item
+ keyfile = nodes.paragraph(text="private key in file ")
+ keyfile += _create_interpreted_file_node(
+ certdata['keyfile'], node.line)
+ item += keyfile
+
+ node.parent.replace_self([targetnode, indexnode, bullets])
+ env.note_indexentries_from(env.docname, doctree)
+
+
+def process_sshkeys(app, doctree):
+ env = app.builder.env
+ if not hasattr(env, 'cacert_sshkeys'):
+ env.cacert_sshkeys = []
+
+ for node in doctree.traverse(sshkeylist_node):
+ if hasattr(env, 'cacert_sshkeylistdoc'):
+ raise SphinxError(
+ "There must be one sshkeylist directive present in "
+ "the document tree only.")
+ env.cacert_sshkeylistdoc = env.docname
+
+ for node in doctree.traverse(sshkeys_node):
+ # find section
+ section = [s for s in traverse_parent(node, nodes.section)][0]
+ dockeys = {'docname': env.docname, 'secid': section['ids'][0]}
+ dockeys.update(node['keys'])
+ env.cacert_sshkeys.append(dockeys)
+
+ secparent = section.parent
+ pos = secparent.index(section)
+ # add index node for section
+ indextitle = 'SSH host key; %s' % (
+ env.docname in env.titles and env.titles[env.docname].astext()
+ or os.path.basename(env.docname)
+ )
+ secparent.insert(pos, addnodes.index(entries=[
+ ('pair', indextitle, section['ids'][0], '', None),
+ ]))
+
+ # add table
+ content = []
+ table = nodes.table()
+ content.append(table)
+ cols = (1, 4)
+ tgroup = nodes.tgroup(cols=len(cols))
+ table += tgroup
+ for col in cols:
+ tgroup += nodes.colspec(colwidth=col)
+ thead = nodes.thead()
+ tgroup += thead
+ thead += create_table_row([
+ nodes.paragraph(text='Algorithm'),
+ nodes.paragraph(text='Fingerprint'),
+ ])
+ tbody = nodes.tbody()
+ tgroup += tbody
+ for alg in SUPPORTED_SSH_KEYTYPES:
+ if alg.lower() in dockeys:
+ fpparagraph = nodes.paragraph()
+ fpparagraph += nodes.literal(text=dockeys[alg.lower()])
+ else:
+ fpparagraph = nodes.paragraph(text='-')
+ tbody += create_table_row([
+ nodes.paragraph(text=alg),
+ fpparagraph,
+ ])
+ # add pending_xref for link to ssh key list
+ seealso = addnodes.seealso()
+ content.append(seealso)
+ detailref = addnodes.pending_xref(
+ reftype='sshkeyref', refdoc=env.docname, refid='sshkeylist',
+ reftarget='sshkeylist'
+ )
+ detailref += nodes.Text("SSH host key list")
+ seepara = nodes.paragraph()
+ seepara += detailref
+ seealso += seepara
+
+ node.replace_self(content)
+ env.note_indexentries_from(env.docname, doctree)
+
+
+def process_sslcert_nodes(app, doctree, docname):
+ env = app.builder.env
+
+ if not hasattr(env, 'cacert_sslcerts'):
+ env.cacert_sslcerts = []
+
+ for node in doctree.traverse(sslcertlist_node):
+ content = []
+
+ for cert_info in sorted(env.cacert_sslcerts, key=_sslcert_item_key):
+ primarycount = len([
+ place for place in cert_info['places'] if place['primary']
+ ])
+ if primarycount != 1:
+ raise SphinxError(
+ "There must be exactly one primary place for a "
+ "certificate, but the certificate for CN %s with "
+ "serial number %d has %d" %
+ (cert_info['cn'], cert_info['serial'], primarycount)
+ )
+ cert_sec = nodes.section()
+ cert_sec['ids'].append(
+ _build_cert_anchor_name(cert_info['cn'],
+ cert_info['serial'])
+ )
+ cert_sec += nodes.title(text=cert_info['cn'])
+ indexnode = addnodes.index(entries=[
+ ('pair', _get_cert_index_text(cert_info),
+ cert_sec['ids'][0], '', None),
+ ])
+ content.append(indexnode)
+ table = nodes.table()
+ cert_sec += table
+ tgroup = nodes.tgroup(cols=2)
+ table += tgroup
+ tgroup += nodes.colspec(colwidth=1)
+ tgroup += nodes.colspec(colwidth=5)
+ tbody = nodes.tbody()
+ tgroup += tbody
+ tbody += create_table_row([
+ nodes.paragraph(text='Common Name'),
+ nodes.paragraph(text=cert_info['cn'])
+ ])
+ if 'altnames' in cert_info:
+ tbody += create_table_row([
+ nodes.paragraph(text='Subject Alternative Names'),
+ _format_subject_alternative_names(
+ cert_info['altnames'])
+ ])
+ tbody += create_table_row([
+ nodes.paragraph(text='Key kept at'),
+ _file_ref_paragraph(cert_info, 'keyfile', app, env, docname)
+ ])
+ tbody += create_table_row([
+ nodes.paragraph(text='Cert kept at'),
+ _file_ref_paragraph(cert_info, 'certfile', app, env, docname)
+ ])
+ tbody += create_table_row([
+ nodes.paragraph(text='Serial number'),
+ _format_serial_number(cert_info['serial'])
+ ])
+ tbody += create_table_row([
+ nodes.paragraph(text='Expiration date'),
+ _format_expiration_date(cert_info['expiration'])
+ ])
+ tbody += create_table_row([
+ nodes.paragraph(text='Issuer'),
+ nodes.paragraph(text=cert_info['issuer'])
+ ])
+ tbody += create_table_row([
+ nodes.paragraph(text='SHA1 fingerprint'),
+ _format_fingerprint(cert_info['sha1fp'])
+ ])
+ content.append(cert_sec)
+
+ node.replace_self(content)
+ env.note_indexentries_from(docname, doctree)
+
+
+def process_sshkeys_nodes(app, doctree, docname):
+ env = app.builder.env
+
+ if not hasattr(env, 'cacert_sshkeys'):
+ env.cacert_sslcerts = []
+
+ for node in doctree.traverse(sshkeylist_node):
+ content = []
+ content.append(nodes.target(ids=['sshkeylist']))
+
+ if len(env.cacert_sshkeys) > 0:
+ table = nodes.table()
+ content.append(table)
+ tgroup = nodes.tgroup(cols=3)
+ tgroup += nodes.colspec(colwidth=1)
+ tgroup += nodes.colspec(colwidth=1)
+ tgroup += nodes.colspec(colwidth=4)
+ table += tgroup
+
+ thead = nodes.thead()
+ row = nodes.row()
+ entry = nodes.entry()
+ entry += nodes.paragraph(text="Host")
+ row += entry
+ entry = nodes.entry(morecols=1)
+ entry += nodes.paragraph(text="SSH Host Keys")
+ row += entry
+ thead += row
+ tgroup += thead
+
+ tbody = nodes.tbody()
+ tgroup += tbody
+
+ for keys_info in sorted(env.cacert_sshkeys, key=_sshkeys_item_key):
+ trow = nodes.row()
+ entry = nodes.entry(morerows=len(SUPPORTED_SSH_KEYTYPES))
+ para = nodes.paragraph()
+ para += make_refnode(
+ app.builder, docname, keys_info['docname'],
+ keys_info['secid'],
+ nodes.Text(env.titles[keys_info['docname']].astext())
+ )
+ entry += para
+ trow += entry
+
+ entry = nodes.entry()
+ para = nodes.paragraph()
+ para += nodes.strong(text='Algorithm')
+ entry += para
+ trow += entry
+
+ entry = nodes.entry()
+ para = nodes.paragraph()
+ para += nodes.strong(text='SSH host key MD5 fingerprint')
+ entry += para
+ trow += entry
+
+ tbody += trow
+
+ for algorithm in SUPPORTED_SSH_KEYTYPES:
+ trow = nodes.row()
+
+ entry = nodes.entry()
+ entry += nodes.paragraph(text=algorithm)
+ trow += entry
+
+ trow += _get_formatted_keyentry(keys_info, algorithm)
+ tbody += trow
+ else:
+ content.append(nodes.paragraph(
+ text="No ssh keys have been documented.")
+ )
+
+ node.replace_self(content)
+
+
+def resolve_missing_reference(app, env, node, contnode):
+ if node['reftype'] == 'certlistref':
+ if hasattr(env, 'cacert_certlistdoc'):
+ return make_refnode(
+ app.builder, node['refdoc'], env.cacert_certlistdoc,
+ node['refid'], contnode)
+ raise SphinxError('No certlist directive found in the document tree')
+ if node['reftype'] == 'sshkeyref' :
+ if hasattr(env, 'cacert_sshkeylistdoc'):
+ return make_refnode(
+ app.builder, node['refdoc'], env.cacert_sshkeylistdoc,
+ node['refid'], contnode)
+ raise SphinxError('No sshkeylist directive found in the document tree')
+
+
+def purge_sslcerts(app, env, docname):
+ if (
+ hasattr(env, 'cacert_certlistdoc') and
+ env.cacert_certlistdoc == docname
+ ):
+ delattr(env, 'cacert_certlistdoc')
+ if not hasattr(env, 'cacert_sslcerts'):
+ return
+ for cert_info in env.cacert_sslcerts:
+ cert_info['places'] = [
+ place for place in cert_info['places']
+ if place['docname'] != docname
+ ]
+
+
+def purge_sshkeys(app, env, docname):
+ if (
+ hasattr(env, 'cacert_sshkeylistdoc') and
+ env.cacert_sshkeylistdoc == docname
+ ):
+ delattr(env, 'cacert_sshkeylistdoc')
+ if not hasattr(env, 'cacert_sshkeys'):
+ return
+ env.cacert_sshkeys = [
+ keys for keys in env.cacert_sshkeys if keys['docname'] != docname
+ ]
+
+
+def setup(app):
+ app.add_node(sslcertlist_node)
+ app.add_node(sslcert_node)
+ app.add_node(sshkeylist_node)
+ app.add_node(sshkeys_node)
+
+ app.add_directive('sslcert', CAcertSSLCert)
+ app.add_directive('sslcertlist', CAcertSSLCertList)
+ app.add_directive('sshkeys', CAcertSSHKeys)
+ app.add_directive('sshkeylist', CAcertSSHKeyList)
+
+ app.connect('doctree-read', process_sslcerts)
+ app.connect('doctree-read', process_sshkeys)
+ app.connect('doctree-resolved', process_sslcert_nodes)
+ app.connect('doctree-resolved', process_sshkeys_nodes)
+ app.connect('missing-reference', resolve_missing_reference)
+ app.connect('env-purge-doc', purge_sslcerts)
+ app.connect('env-purge-doc', purge_sshkeys)
+ return {'version': __version__}
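Review bot: in `process_sshkeys_nodes` the guard `if not hasattr(env, 'cacert_sshkeys'):` initialises the wrong attribute (`env.cacert_sslcerts = []` instead of `env.cacert_sshkeys = []`), so a build in which no document uses the `sshkeys` directive raises AttributeError at `len(env.cacert_sshkeys)` instead of rendering the "No ssh keys have been documented." paragraph, and it also overwrites any certificate list that `process_sslcerts` has already collected. Minor style point in `resolve_missing_reference`: `if node['reftype'] == 'sshkeyref' :` has a stray space before the colon.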
diff --git a/docs/sshkeys.rst b/docs/sshkeys.rst
index b9d8ec0..07efa21 100644
--- a/docs/sshkeys.rst
+++ b/docs/sshkeys.rst
@@ -1,3 +1,5 @@
=============
SSH Host Keys
=============
+
+.. sshkeylist::
diff --git a/docs/systems.rst b/docs/systems.rst
index fb2db35..69b72a6 100644
--- a/docs/systems.rst
+++ b/docs/systems.rst
@@ -1,17 +1,25 @@
-Systems
-=======
+====================
+Non-Critical Systems
+====================
+
+Non-critical systems are those that are managed by the infrastructure
+administrator team.
.. toctree::
- :maxdepth: 2
+ :maxdepth: 1
systems/infra02
systems/arbitration
systems/blog
+ systems/board
+ systems/email
systems/emailout
systems/monitor
+ systems/webmail
+
General
--------
+=======
.. todo:: consider whether a central MySQL service should be setup
@@ -24,8 +32,48 @@ General
setup a central syslog service and install syslog clients in each container
+.. _setup_apt_checking:
+
+.. topic:: Setup package update monitoring for a new container
+
+ For Icinga to be able to check the update status of packages on you server
+ you need to install NRPE, a helper service. Install the necessary packages::
+
+ sudo aptitude install nagios-plugins-basic nagios-nrpe-server
+
+ Put :doc:`systems/monitor` on the list of allowed hosts to access the NRPE
+ service by adding the following line to :file:`/etc/nagios/nrpe_local.cfg`::
+
+ allowed_hosts=172.16.2.18
+
+ Tell the NRPE service that there is such a thing as the check_apt command by
+ creating the file :file:`/etc/nagios/nrpe.d/apt.cfg` with the following
+ contents::
+
+ # 'check_apt' command definition
+ command[check_apt]=/usr/lib/nagios/plugins/check_apt
+
+ # 'check_apt_distupgrade' command definition
+ command[check_apt_distupgrade]=/usr/lib/nagios/plugins/check_apt -d
+
+ Restart the NRPE service::
+
+ sudo service nagios-nrpe-server restart
+
+ Check that everything went well by going to https://monitor.cacert.org/,
+ going to the APT service on the host and clicking :guilabel:`"Re-schedule
+ the next check of this service"`. Make sure that :guilabel:`"Force Check"`
+ is checked and click :guilabel:`"Commit"`. Now you should see a page with a
+ green background. If not something went wrong, please contact the
+ :doc:`systems/monitor` administrators with the details.
+
+ That's it, now the package update status should be properly displayed in
+ Icinga.
+
+.. todo:: think about replacing nrpe with Icinga2 satellites
+
Checklist
----------
+=========
.. index::
single: etckeeper
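Review bot: in the "Setup package update monitoring for a new container" topic, "on you server" should read "on your server", and "If not something went wrong, please contact" needs a comma after "If not". Since the topic tells the reader to put :doc:`systems/monitor` on the NRPE allow list, it would help to say explicitly that `allowed_hosts=172.16.2.18` is that system's intranet address, so the line is updated if the monitor host ever moves.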
@@ -46,5 +94,4 @@ Checklist
Pin: release a=stable
Pin-Priority: -1
-.. todo:: think about replacing nrpe with Icinga2 satellites
.. todo:: document how to setup the system-admin alias on the email system
diff --git a/docs/systems/arbitration.rst b/docs/systems/arbitration.rst
index 8b38813..d2166f6 100644
--- a/docs/systems/arbitration.rst
+++ b/docs/systems/arbitration.rst
@@ -10,19 +10,23 @@ Purpose
This system is planned to host a future collaboration platform for arbitrators.
+Application Links
+-----------------
+
+Arbitration nginx welcome page
+ http://arbitration.cacert.org/
+
Administration
==============
System Administration
---------------------
-* Primary: `Martin Gummi`_
+* Primary: :ref:`people_martin`
* Secondary: None
.. todo:: find an additional admin
-.. _Martin Gummi: martin.gummi@cacert.org
-
Application Administration
--------------------------
@@ -30,8 +34,6 @@ There is no application yet.
.. todo:: setup application(s) and document admins
-.. * <application>: <sysadmin's name>
-
Contact
-------
@@ -40,12 +42,9 @@ Contact
Additional People
-----------------
-`Jan Dittberner`_ and `Mario Lipinski`_ have :program:`sudo` access on that
+:ref:`people_jandd` and :ref:`people_mario` have :program:`sudo` access on that
machine too.
-.. _Jan Dittberner: jandd@cacert.org
-.. _Mario Lipinski: mario@cacert.org
-
Basics
======
@@ -84,7 +83,7 @@ arbitration.intra.cacert.org. IN A 172.16.2.241
.. seealso::
- See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
Operating System
----------------
@@ -196,27 +195,13 @@ Outbound network connections
Security
========
-SSH host keys
--------------
-
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint |
-+===========+=====================================================+
-| RSA | ``a3:6c:f1:f8:8c:81:7c:f7:3b:4e:e4:0e:a3:02:8e:18`` |
-+-----------+-----------------------------------------------------+
-| DSA | ``eb:66:0e:0d:d1:f3:d8:02:3a:ed:71:7a:b2:04:db:75`` |
-+-----------+-----------------------------------------------------+
-| ECDSA | ``54:a3:76:46:66:fc:3f:2d:9b:e4:bd:49:ba:fe:98:09`` |
-+-----------+-----------------------------------------------------+
-| ED25519 | \- |
-+-----------+-----------------------------------------------------+
+.. sshkeys::
+ :RSA: a3:6c:f1:f8:8c:81:7c:f7:3b:4e:e4:0e:a3:02:8e:18
+ :DSA: eb:66:0e:0d:d1:f3:d8:02:3a:ed:71:7a:b2:04:db:75
+ :ECDSA: 54:a3:76:46:66:fc:3f:2d:9b:e4:bd:49:ba:fe:98:09
.. todo:: setup ED25519 host key
-.. seealso::
-
- See :doc:`../sshkeys`
-
Dedicated user roles
--------------------
@@ -232,10 +217,6 @@ Non-distribution packages and modifications
* some experimental nmp/nodejs/etherpad things in :file:`/home/magu` not
running yet
-..
- or
- * List of non-distribution packages and modifications
-
Risk assessments on critical packages
-------------------------------------
@@ -250,15 +231,20 @@ Keys and X.509 certificates
* No keys or certificates setup yet
..
- * :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
- * :file:`/etc/apache2/ssl/<path to server key>` server key
- * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
- * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
+ * :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid
+ until <datetime>)
+ * :file:`/etc/apache2/ssl/<path to server key>` server key
+ * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA
+ certificates (allowed CA certificates for client certificates)
+ * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate
+ (certificate chain for server certificate)
.. seealso::
- * :doc:`../certlist`
- * https://wiki.cacert.org/SystemAdministration/CertificateList
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Nginx; configuration
Nginx configuration
-------------------
@@ -290,10 +276,10 @@ Additional documentation
.. seealso::
- * https://wiki.cacert.org/Exim4Configuration
+ * :wiki:`Exim4Configuration`
References
----------
-Arbitration nginx welcome page
- http://arbitration.cacert.org/
+nginx Documentation
+ http://nginx.org/en/docs/
diff --git a/docs/systems/blog.rst b/docs/systems/blog.rst
index 7814247..bb64d77 100644
--- a/docs/systems/blog.rst
+++ b/docs/systems/blog.rst
@@ -11,44 +11,48 @@ Purpose
This system hosts the blog, blog.cacert.org. The blog meets the needs of public
relations and the CAcert community to publish CAcert's activities.
+Application Links
+-----------------
+
+Blog URL
+ https://blog.cacert.org/
+
+Adding a category
+ https://blog.cacert.org/wp-admin/categories.php
+
Administration
==============
System Administration
---------------------
-* Primary: `Martin Gummi`_
+* Primary: :ref:`people_martin`
* Secondary: None
.. todo:: find an additional admin
-.. _Martin Gummi: martin.gummi@cacert.org
-
Application Administration
--------------------------
-+-----------------------+---------------------------------------------------+
-| Role | Users |
-+=======================+===================================================+
-| Wordpress Admin | * `Alexander Bahlo`_ |
-| | * `Marcus Mängel`_ |
-| | * `Mario Lipinski`_ |
-| | * `Martin Gummi`_ |
-+-----------------------+---------------------------------------------------+
-| Wordpress Editor | * PR Team |
-| | * `Support`_ |
-+-----------------------+---------------------------------------------------+
-| Wordpress Author | * Anyone with a certificate |
-+-----------------------+---------------------------------------------------+
-| Wordpress Contributor | * Anyone with contributor privileges |
-+-----------------------+---------------------------------------------------+
-| Wordpress Subscriber | * Any Spammer or person who has not posted or has |
-| | not logged in |
-+-----------------------+---------------------------------------------------+
-
-.. _Alexander Bahlo: alexander.bahlo@cacert.org
-.. _Marcus Mängel: markus.maengel@cacert.org
-.. _Mario Lipinski: mario@cacert.org
++-----------------------+-------------------------------------------------+
+| Role | Users |
++=======================+=================================================+
+| Wordpress Admin | :ref:`people_abahlo`, |
+| | :ref:`people_marcus`, |
+| | :ref:`people_mario`, |
+| | :ref:`people_martin` |
++-----------------------+-------------------------------------------------+
+| Wordpress Editor | PR Team, |
+| | `Support`_ |
++-----------------------+-------------------------------------------------+
+| Wordpress Author | Anyone with a certificate |
++-----------------------+-------------------------------------------------+
+| Wordpress Contributor | Anyone with contributor privileges |
++-----------------------+-------------------------------------------------+
+| Wordpress Subscriber | Any Spammer or person who has not posted or has |
+| | not logged in |
++-----------------------+-------------------------------------------------+
+
.. _Support: support@cacert.org
Contact
@@ -59,11 +63,8 @@ Contact
Additional People
-----------------
-`Jan Dittberner`_ and `Mario Lipinski`_ have :program:`sudo` access on that
-machine too.
-
-.. _Jan Dittberner: jandd@cacert.org
-.. _Mario Lipinski: mario@cacert.org
+:ref:`Jan Dittberner <people_jandd>` and :ref:`Mario Lipinski <people_mario>`
+have :program:`sudo` access on that machine too.
Basics
======
@@ -103,7 +104,7 @@ blog.intra.cacert.org. IN A 172.16.2.13
.. seealso::
- See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
Operating System
----------------
@@ -117,8 +118,7 @@ Operating System
Applicable Documentation
------------------------
-A small (work in progress) guide can be found in the `Wiki
-<https://wiki.cacert.org/BlogDoc>`_.
+A small (work in progress) guide can be found in the :wiki:`BlogDoc`.
Services
========
@@ -126,8 +126,6 @@ Services
Listening services
------------------
-.. use the values from this table or add new lines if applicable
-
+----------+---------+---------+----------------------------+
| Port | Service | Origin | Purpose |
+==========+=========+=========+============================+
@@ -150,13 +148,13 @@ Running services
----------------
.. index::
- single: openssh
single: Apache
- single: cron
single: MySQL
single: PHP FPM
single: Postfix
+ single: cron
single: nrpe
+ single: openssh
+--------------------+--------------------+----------------------------------------+
| Service | Usage | Start mechanism |
@@ -222,27 +220,13 @@ Outbound network connections
Security
========
-SSH host keys
--------------
-
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint |
-+===========+=====================================================+
-| RSA | ``ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d`` |
-+-----------+-----------------------------------------------------+
-| DSA | ``c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5`` |
-+-----------+-----------------------------------------------------+
-| ECDSA | ``00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81`` |
-+-----------+-----------------------------------------------------+
-| ED25519 | \- |
-+-----------+-----------------------------------------------------+
+.. sshkeys::
+ :RSA: ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d
+ :DSA: c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5
+ :ECDSA: 00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81
.. todo:: setup ED25519 host key
-.. seealso::
-
- See :doc:`../sshkeys`
-
Dedicated user roles
--------------------
@@ -282,11 +266,14 @@ Critical Configuration items
Keys and X.509 certificates
---------------------------
-.. index::
- single: Certificate; Blog
+.. sslcert:: blog.cacert.org
+ :certfile: /etc/ssl/public/blog.cacert.org.crt
+ :keyfile: /etc/ssl/private/blog.cacert.org.key
+ :serial: 11e837
+ :expiration: Mar 31 16:34:28 2018 GMT
+ :sha1fp: 69:A5:5F:3E:1B:D8:2E:CB:B3:AB:0B:E9:81:A6:CF:31:DF:C8:A4:5F
+ :issuer: CAcert.org Class 1 Root CA
-* :file:`/etc/ssl/public/blog.cacert.org.crt` server certificate
-* :file:`/etc/ssl/private/blog.cacert.org.key` server key
* :file:`/etc/ssl/certs/cacert.org/` directory containing CAcert.org Class 1
and Class 3 certificates (allowed CA certificates for client certificates)
and symlinks with hashed names as expected by OpenSSL
@@ -295,10 +282,12 @@ Keys and X.509 certificates
.. seealso::
- * :ref:`cert_blog_cacert_org` in :doc:`../certlist`
- * https://wiki.cacert.org/SystemAdministration/CertificateList
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Apache httpd; configuration
-Apache configuration files
+Apache httpd configuration
--------------------------
* :file:`/etc/apache2/cacert/blog.inc.conf`
@@ -326,6 +315,9 @@ The following RewriteRule is used to redirect old blog URLs::
RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]
+.. index::
+ pair: Wordpress; configuration
+
Wordpress configuration
-----------------------
@@ -357,15 +349,10 @@ Additional documentation
.. seealso::
- * https://wiki.cacert.org/PostfixConfiguration
-
-Adding a category
------------------
-
-* https://blog.cacert.org/wp-admin/categories.php
+ * :wiki:`PostfixConfiguration`
References
----------
-Blog URL
- https::/blog.cacert.org/
+Wordpress website
+ https://wordpress.org/
diff --git a/docs/systems/board.rst b/docs/systems/board.rst
new file mode 100644
index 0000000..3f0b810
--- /dev/null
+++ b/docs/systems/board.rst
@@ -0,0 +1,370 @@
+.. index::
+ single: Systems; Board
+
+=====
+Board
+=====
+
+Purpose
+=======
+
+This system hosts an OpenERP instance available at board.cacert.org.
+
+Application Links
+-----------------
+
+OpenERP URL
+ https://board.cacert.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_gero`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++-------------+--------------------------------------------------+
+| Application | Administrator(s) |
++=============+==================================================+
+| OpenERP | :ref:`people_gero`, :ref:`people_neo`, Treasurer |
++-------------+--------------------------------------------------+
+
+.. note:: use personalized accounts only
+
+Contact
+-------
+
+* board-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_jandd`, :ref:`people_mario` and :ref:`people_neo` have
+:program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.252`
+:IP Intranet: :ip:v4:`172.16.2.34`
+:IP Internal: :ip:v4:`10.0.0.34`
+:MAC address: :mac:`00:ff:80:a9:e8:4d` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Board
+
+====================== ======== ============================================
+Name Type Content
+====================== ======== ============================================
+board.cacert.org. IN A 213.154.225.252
+board.cacert.org. IN SSHFP 1 1 F5C02A860A1CC07AEEFBF802540680C7476BDE6E
+board.cacert.org. IN SSHFP 2 1 7B6EEB0CCDFB2E2CFE479E0AECE36FF995FDD1F4
+board.intra.cacert.org IN A 172.16.2.34
+====================== ======== ============================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.10
+
+* Debian GNU/Linux 7.10
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+---------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+=================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+---------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+---------------------------------+
+| 80/tcp | http | ANY | Webserver redirecting to HTTPS |
++----------+---------+---------+---------------------------------+
+| 443/tcp | https | ANY | Webserver for OpenERP |
++----------+---------+---------+---------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+---------------------------------+
+| 5432/tcp | pgsql | local | PostgreSQL database for OpenERP |
++----------+---------+---------+---------------------------------+
+| 8069/tcp | xmlrpc | local | OpenERP XML-RPC service |
++----------+---------+---------+---------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: openssh
+ single: Apache
+ single: cron
+ single: PostgreSQL
+ single: OpenERP
+ single: Postfix
+ single: nrpe
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for | init script |
+| | OpenERP | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL | PostgreSQL | init script |
+| | database server | :file:`/etc/init.d/postgresql` |
+| | for OpenERP | |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+| OpenERP server | OpenERP WSGI | init script |
+| | application | :file:`/etc/init.d/openerp` |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++------------+---------+----------+
+| RDBMS | Name | Used for |
++============+=========+==========+
+| PostgreSQL | openerp | OpenERP |
++------------+---------+----------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* HTTP (80/tcp) to nightly.openerp.com
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* crl.cacert.org (rsync) for getting CRLs
+
+Security
+========
+
+.. sshkeys::
+ :RSA: c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1
+ :DSA: f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3
+ :ECDSA: 0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac
+
+.. todo:: setup ED25519 host key
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+:program:`OpenERP` is installed from non-distribution packages from
+http://nightly.openerp.com/7.0/nightly/deb/. The package source is disabled in
+:file:`/etc/apt/sources.lists.d/openerp.list` to avoid accidential updates that
+cause damage to the customization.
+
+Local modifications to OpenERP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+OpenERP has been modified. The init script :file:`/etc/init.d/openerp` has the
+following line added to the :func:`do_start()` function to make a request to
+the OpenERP daemon that causes that daemon to load its configuration and start
+regular cleanup tasks (like sending scheduled mails):
+
+.. code:: bash
+
+ sleep 1; curl --silent localhost:8069 > /dev/null
+
+Some files have been patched to either fix bugs in the upstream OpenERP code or
+to add customizations for CAcert's needs.
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js`
+
+.. literalinclude:: ../patches/openerp/py.js.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/account.py`
+
+.. literalinclude:: ../patches/openerp/account.py.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py`
+
+.. literalinclude:: ../patches/openerp/invoice.py.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py`
+
+This patch includes a Paypal link in payment reminders.
+
+.. literalinclude:: ../patches/openerp/account_followup_paypal.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py`
+
+This patch causes OpenERP to include non-overdue but open payments in reminders.
+
+.. literalinclude:: ../patches/openerp/account_followup_print.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js`
+
+Fix form display.
+
+.. todo:: check whether the form display issue has been fixed upstream
+
+.. literalinclude:: ../patches/openerp/view_form.js.patch
+ :language: diff
+
+Risk assessments on critical packages
+-------------------------------------
+
+Using a customized OpenERP version that is not updated causes a small risk to
+miss upstream security updates. The risk is mitigated by restricting the access
+to the system to a very small group of users that are authenticated using
+personalized client certificates.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: board.cacert.org
+ :certfile: /etc/ssl/certs/board.crt
+ :keyfile: /etc/ssl/private/board.key
+ :serial: 11e839
+ :expiration: Mar 31 16:47:11 2018 GMT
+ :sha1fp: 2C:AC:8C:F8:D6:4A:9E:1D:B0:35:B8:E4:5E:24:B1:43:E3:69:98:46
+ :issuer: CAcert.org Class 1 Root CA
+
+* :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 and Class 3 CA
+ certificates (allowed CA certificates for client certificates)
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+* :file:`/etc/apache2/conf.d/openerp-httpd.conf`
+
+ Defines the WSGI setup for OpenERP
+
+* :file:`/etc/apache2/sites-available/default`
+
+ Defines the HTTP to HTTPS redirection
+
+* :file:`/etc/apache2/sites-available/default-ssl`
+
+ Defines the HTTPS and client authentication configuration
+
+* :file:`/var/local/ssl/http_fake_auth.passwd`
+
+ Defines the authorized users based on the DN in their client certificate
+
+.. index::
+ single: cron; CRL
+ single: CRL
+
+CRL update job
+--------------
+
+:file:`/etc/cron.hourly/update-crls`
+
+.. index::
+ pair: OpenERP; configuration
+
+OpenERP configuration
+---------------------
+
+:file:`/etc/openerp/openerp-server.conf`
+
+This file configures the database that is used by OpenERP and the interface
+that the XML-RPC service binds to.
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: disable unneeded Apache modules
+
+.. todo:: setup IPv6
+
+.. todo:: consider using a centralized PostgreSQL instance
+
+Changes
+=======
+
+System Future
+-------------
+
+.. todo:: system should be updated to Debian 8
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+OpenERP 7.0 documentation
+ https://doc.odoo.com/
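Review bot: the apt source path `:file:`/etc/apt/sources.lists.d/openerp.list`` in "Non-distribution packages and modifications" looks like a typo for `/etc/apt/sources.list.d/openerp.list` (Debian's drop-in directory is `sources.list.d`); please verify on the host, and fix "accidential" to "accidental" in the same sentence. The rsyslog row of the "Running services" table points at `/etc/init.d/syslog`, whereas Debian's rsyslog package installs `/etc/init.d/rsyslog`; worth checking as well. Finally, "Outbound network connections" still lists HTTP to nightly.openerp.com although the same page says the package source is disabled; a short remark on whether that connection is still needed would avoid confusion.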
diff --git a/docs/systems/email.rst b/docs/systems/email.rst
new file mode 100644
index 0000000..b62779e
--- /dev/null
+++ b/docs/systems/email.rst
@@ -0,0 +1,576 @@
+.. index::
+ single: Systems; Email
+
+=====
+Email
+=====
+
+Purpose
+=======
+
+This system handles email for @cacert.org addresses. It also provides users of
+@cacert.org with IMAPs and POP3s access to their accounts.
+
+The database on this container is used by :doc:`webmail` too.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jselzer`
+* Secondary: :ref:`people_jandd`
+
+Contact
+-------
+
+* email-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` has :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.228`
+:IP Intranet: :ip:v4:`172.16.2.19`
+:IP Internal: :ip:v4:`10.0.0.19`
+:MAC address: :mac:`00:ff:8f:e0:4a:90` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Email
+
+======================= ======== ============================================
+Name Type Content
+======================= ======== ============================================
+email.cacert.org. IN A 213.154.225.228
+email.cacert.org. IN SSHFP 1 1 BF391FD72656A275524D1D25A624C6045B44AE90
+email.cacert.org. IN SSHFP 2 1 73B0D8ACB492A7187016DD3C5FC1519B309A550F
+email.intra.cacert.org. IN A 172.16.2.19
+======================= ======== ============================================
+
+A DKIM record for cacert.org ist setup but no DKIM signing is active currently.
+
+.. todo:: setup DKIM properly, see :bug:`696` for an older discussion
+
+.. todo:: setup SPF records when the system is ready, see :bug:`492` for an
+ older discussion
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Lenny
+ single: Debian GNU/Linux; 5.0.10
+
+* Debian GNU/Linux 5.0.10
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+----------------+----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+================+========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+----------------+----------------------------------------+
+| 25/tcp | smtp | ANY | mail receiver for cacert.org |
++----------+---------+----------------+----------------------------------------+
+| 110/tcp | pop3 | ANY | POP3 access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 143/tcp | imap | ANY | IMAP access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 465/tcp | smtps | ANY | SMTPS for cacert.org mail addresses |
++----------+---------+----------------+----------------------------------------+
+| 587/tcp | smtp | ANY | mail submission for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 993/tcp | imaps | ANY | IMAPS access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 995/tcp | pop3s | ANY | POP3S access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 2000/tcp | sieve | ANY | Manage sieve access for cacert.org |
+| | | | mail addresses |
++----------+---------+----------------+----------------------------------------+
+| 2001/tcp | sieve | :doc:`webmail` | Manage sieve access for cacert.org |
+| | | | mail addresses without TLS, accessible |
+| | | | from ``172.16.2.20`` only |
++----------+---------+----------------+----------------------------------------+
+| 3306/tcp | mysql | local | MySQL database server |
++----------+---------+----------------+----------------------------------------+
+| 4433/tcp | http | internal | Apache httpd with phpmyadmin |
++----------+---------+----------------+----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+----------------+----------------------------------------+
+
+.. topic:: PHPMyAdmin access
+
+ Administrators can use ssh to forward the Apache httpd HTTPS port to their
+ own machine:
+
+ .. code-block:: bash
+
+ ssh -L 4433:localhost:4433 -l username email.cacert.org
+
+ and access PHPMyAdmin at https://localhost:4443/phpmyadmin
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: MySQL
+ single: Postfix
+ single: cron
+ single: dovecot
+ single: nrpe
+ single: openssh
+ single: pysieved
+ single: rsyslog
+ single: xinetd
+
++--------------------+---------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+=====================+========================================+
+| Apache httpd | Webserver for | init script |
+| | phpmyadmin | :file:`/etc/init.d/apache2` |
++--------------------+---------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+---------------------+----------------------------------------+
+| dovecot | IMAP(s) and POP3(s) | init script |
+| | daemon | :file:`/etc/init.d/dovecot` |
++--------------------+---------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for email | :file:`/etc/init.d/mysql` |
+| | services | |
++--------------------+---------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+---------------------+----------------------------------------+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+---------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | cacert.org | :file:`/etc/init.d/postfix` |
++--------------------+---------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+---------------------+----------------------------------------+
+| xinetd | socket listener | init script |
+| | for pysieved | :file:`/etc/init.d/xinetd` |
++--------------------+---------------------+----------------------------------------+
+
+Databases
+---------
+
++-------+----------------+----------------------------------+
+| RDBMS | Name | Used for |
++=======+================+==================================+
+| MySQL | cacertusers | database for dovecot and postfix |
++-------+----------------+----------------------------------+
+| MySQL | postfixpolicyd | empty database |
++-------+----------------+----------------------------------+
+| MySQL | roundcubemail | roundcube on :doc:`webmail` |
++-------+----------------+----------------------------------+
+
+.. todo:: check whether the empty postfixpolicyd database is required
+
+.. todo:: consider moving the databases to a new central MySQL service
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`webmail`
+* all @cacert.org address owners have access to POP3 (STARTTLS and POP3S), IMAP
+ (STARTTLS and IMAPS), SMTPS, SMTP submission (STARTTLS) and manage sieve
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* archive.debian.org as Debian mirror
+* :doc:`issue` for OTRS mail
+* :doc:`lists` for mailing lists
+* arbitrary internet smtp servers for outgoing mail
+
+Security
+========
+
+.. sshkeys::
+ :RSA: a1:d2:17:53:6b:0f:b6:a4:14:13:46:f7:04:ef:4a:23
+ :DSA: f4:eb:0a:36:40:1c:55:6b:75:a2:26:34:ea:18:7e:91
+
+.. warning::
+
+ The system is too old to support ECDSA or ED25519 keys.
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+Tlslite in :file:`/usr/local/lib/tlslite-0.3.8/` has been patched to handle
+GeneratorExit exceptions. The original tlslite 0.3.8 is stored in
+:file:`/usr/local/lib/tlslite-0.3.8-orig/`.
+
+Pysieved in :file:`/usr/local/lib/pysieved.neale/` seems to be a git clone from
+2009 originating from http://woozle.org/~neale/repos/pysieved at commit
+``d9b67036387a9a7aca954a17ff6fec44a8d309e0`` with no local modifications.
+
+:file:`/usr/local/lib/pysieved` is a symbolic link to
+:file:`/usr/local/lib/pysieved.neale/`.
+
+.. todo:: use pysieved, python-tlslite and dovecot-sieve from distribution
+ packages after OS upgrade
+
+
+Risk assessments on critical packages
+-------------------------------------
+
+The whole system is outdated, it needs to be replaced as soon as possible.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+Server certificate for SMTP communication from the Internet and PHPMyAdmin.
+
+.. sslcert:: email.cacert.org
+ :certfile: /etc/ssl/certs/ssl-cert-email-cacert.pem
+ :keyfile: /etc/ssl/private/ssl-cert-email-cacert.key
+ :serial: 11e84a
+ :expiration: Mar 31 19:50:03 2018 GMT
+ :sha1fp: 49:5E:55:35:F4:D5:69:B1:BD:92:14:94:38:CD:40:6D:97:A7:2A:0A
+ :issuer: CAcert.org Class 1 Root CA
+
+Server certificate for community email services (SMTPS, SMTP submission in
+Postfix and IMAP with STARTTLS, IMAPS, POP3 with STARTTLS, POP3S and pysieved)
+
+.. sslcert:: community.cacert.org
+ :certfile: /etc/ssl/certs/ssl-cert-community-cacert.pem
+ :keyfile: /etc/ssl/private/ssl-cert-community-cacert.key
+ :serial: 11e846
+ :secondary:
+
+* :file:`/etc/postfix/dh_1024.pem` and :file:`/etc/postfix/dh_512.pem`
+ Diffie-Hellman parameter files for Postfix
+
+.. note::
+
+ Postfix uses the email.cacert.org certificate for client authentication if
+ requested by a target server.
+
+ .. todo::
+ check whether it makes sense to use a separate certificate for that
+ purpose
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+:file:`/etc/apache2/sites-available/adminssl` configures a VirtualHost that
+allows dedicated users to access a PHPMyAdmin instance. The allowed users are
+authenticated by client certificates and are authorized by an entry in
+:file:`/etc/apache2/phpmyadmin.passwd`.
+
+.. note::
+
+ to authorize a user you need the subject distinguished name of the user's
+ client certificate which can be extracted with::
+
+ openssl x509 -noout -subject -in certificate.crt
+
+ A line with the subject distinguished name and the fake password
+ ``xxj31ZMTZzkVA`` separated by colon have to be added to
+ :file:`/etc/apache2/phpmyadmin.passwd`::
+
+ /CN=Example User/emailAddress=example@cacert.org:xxj31ZMTZzkVA
+
+.. seealso::
+
+ FakeBasicAuth option of the `SSLOptions
+ <https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions>`_
+ directive in the mod_ssl reference documentation.
+
+.. index::
+ pair: MySQL; configuration
+
+MySQL configuration
+-------------------
+
+MySQL configuration is stored in the :file:`/etc/mysql/` directory.
+
+.. index::
+ pair: MySQL; NSS
+ single: libnss-mysql
+
+.. _nss:
+
+NSS configuration
+-----------------
+
+The libc name service switch is configured to use MySQL lookups for passwd,
+group and shadow via :file:`/etc/nsswitch.conf`. The queries are configured in
+:file:`/etc/libnss-mysql.cfg` and the root user for reading shadow information
+is configured in :file:`/etc/libnss-mysql-root.cfg`.
+
+.. index::
+ pair: PHPMyAdmin; configuration
+
+PHPMyAdmin configuration
+------------------------
+
+PHPMyAdmin configuration is stored in the :file:`/etc/phpmyadmin/` directory.
+
+.. index::
+ pair: dovecot; configuration
+
+Dovecot configuration
+---------------------
+
+Dovecot configuration is stored in the :file:`/etc/dovecot/` directory. The
+database settings are stored in
+:file:`dovecot-sql-masterpassword-webmail.conf`.
+
+.. index::
+ pair: dovecot; authentication
+
+.. topic:: Dovecot authentication
+
+ :file:`/etc/dovecot/dovecot.conf` refers to PAM mail. PAM mail is defined
+ :file:`/etc/pam.d/mail`. System users are defined by NSS which is a
+ combination of :file:`/etc/passwd` (for root and non-imap/pop users) and
+ :file:`/etc/libnss-mysql*` (see `nss`_).
+
+ There is a special master password so that webmail can do the authentication
+ for dovecot using certificates. This is defined in
+ :file:`/etc/dovecot/dovecot-sql-masterpassword-webmail.conf`. This special
+ password is restricted to the IP address of Community.
+
+.. index::
+ pair: Postfix; configuration
+
+Postfix configuration
+---------------------
+
+Postfix configuration is stored in the :file:`/etc/postfix/` directory. The
+following files are special for this setup:
+
++----------------+-------------------------------------------------------------+
+| File | Used for |
++================+=============================================================+
+| arbitration | rewrite recipients matching specific regular expressions to |
+| | support+deletedaccounts@cacert.org and |
+| | support@issue.cacert.org |
++----------------+-------------------------------------------------------------+
+| cacert-inc-bcc | used as recipient_bcc_maps for specific functional mail |
+| | addresses |
++----------------+-------------------------------------------------------------+
+| main.cf | the main configuration file |
++----------------+-------------------------------------------------------------+
+| master.cf | adds configuration for the community SMTPS and SMTP |
+| | submission transports |
++----------------+-------------------------------------------------------------+
+| mysql-\*.cf | configuration of several MySQL queries for alias mapping, |
+| | Postfix operates on views for the user table |
++----------------+-------------------------------------------------------------+
+| transport | forward email for lists.cacert.org to :doc:`lists` and for |
+| | issue.cacert.org to :doc:`issue` |
++----------------+-------------------------------------------------------------+
+
+.. todo:: consider to send all outgoing mail via :doc:`emailout`
+
+.. todo:: remove unused transports from :file:`master.cf`
+
+.. index::
+ pair: pysieved; configuration
+
+PySieved configuration
+----------------------
+
+:file:`/usr/local/etc/pysieved.ini` for regular manage sieve access and
+:file:`/usr/local/etc/pysieved-notls.ini` for use with Roundcube webmail.
+Pysieved uses dovecot for authentication.
+
+.. index::
+ pair: rsyslog; configuration
+
+Rsyslog configuration
+---------------------
+
+Rsyslog is configured in :file:`/etc/rsyslog.conf` which includes files in
+:file:`/etc/rsyslog.d/`. Consumption of kernel log messages and network input
+is disabled. :file:`/etc/rsyslog.d/postfix.conf` configures a separate unix
+socket to receive log messages from postfix and
+:file:`/etc/rsyslog.d/remotelog.conf` contains commented settings for a
+non-existant remote syslog server.
+
+.. todo:: setup remote logging when a central logging container is available
+
+.. index::
+ pair: xinetd; configuration
+
+Xinetd configuration
+--------------------
+
+Xinetd listens on tcp ports 2000 and 2001 and spawn pysieved. Configuration for
+these listeners is stored in :file:`/etc/xinetd.d/pysieved` and
+:file:`/etc/xinetd.d/pysieved-notls`.
+
+Email storage
+-------------
+
+Mail for :samp:`{user}` is stored in :samp:`/home/{user}/Maildir`.
+
+.. todo::
+ move mail storage to a separate data volume to allow easier backup and OS
+ upgrades
+
+Tasks
+=====
+
+.. index::
+ single: add email users
+
+Adding email users
+------------------
+
+1. create user in the database table ``cacertusers.user``:
+
+ .. code-block:: bash
+
+ mysql -p cacertusers
+
+ .. code-block:: sql
+
+ INSERT INTO user (username, fullnamealias, realname, password)
+ VALUES ('user', 'user.name', 'User Name', '$1$salt$passwordhash')
+
+2. create the user's home directory and Maildir:
+
+ :samp:`install -o {user} -g {user} -m 0755 -d /home/{user}/Maildir`
+
+.. note::
+
+ * a valid password hash for the password ``secret`` is
+ ``$1$caea3837$gPafod/Do/8Jj5M9HehhM.``
+ * users can reset their password via
+ https://community.cacert.org/password.php on :doc:`webmail`
+ * use the :download:`mail template
+ <../downloads/template_new_community_mailaddress.rfc822>` to send out to a
+ user's non-cacert.org mail account and make sure to encrypt the mail to a
+ known public key of that user
+
+.. todo::
+ implement tooling to automate password salt generation and user creation
+
+Setting up mail aliases
+-----------------------
+
+There are two types of aliases.
+
+1. The first type are those that are never sent from. e.g.
+ postmaster@cacert.org. All these aliases are defined in
+ :file:`/etc/aliases`. Don't forget to run
+
+ .. code-block:: bash
+
+ postalias /etc/aliases
+
+ after any changes. Aliases for issue tracking are installed here as
+ :samp:`{issuetrackingaddress} : {issuetrackingaddress}@issue.cacert.org`.
+
+2. The second type are those aliases that are used to send email too, e.g
+ pr@cacert.org. These aliases are recorded in the aliases table on the
+ cacertusers database. The reason for this implementation is to only allow
+ the designated person to send email from this email address.
+
+Planned
+-------
+
+.. todo:: implement CRL checking
+
+.. todo:: setup IPv6
+
+.. todo::
+ throttle brute force attack attempts using fail2ban or similar mechanism
+
+.. todo::
+ consider to use LDAP to consolidate user, password and email information
+
+* there were plans for X.509 certificate authentication for mail services, but
+ there is no progress so far
+
+Changes
+=======
+
+System Future
+-------------
+
+.. todo::
+ The system has to be replaced with a new system using a current operating
+ system version
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+ * :wiki:`SystemAdministration/Systems/Email` for some discussion on legal
+ implications related to mail archiving
+
+References
+----------
+
+Postfix documentation
+ http://www.postfix.org/documentation.html
+Postfix Debian wiki page
+ https://wiki.debian.org/Postfix
+Dovecot 1.x wiki
+ http://wiki1.dovecot.org/FrontPage
+Postfix documentation
+ http://www.postfix.org/documentation.html
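Review bot: the PHPMyAdmin access topic forwards local port 4433 (`ssh -L 4433:localhost:4433 -l username email.cacert.org`) but then tells the reader to open https://localhost:4443/phpmyadmin; the URL port must match the -L argument, so one of the two is wrong. In the Adding email users task, step 2 creates the mailbox with `install -o {user} -g {user} -m 0755 -d /home/{user}/Maildir`, which leaves every user's Maildir listable by any other local account; 0700 is the usual mode for a Maildir. The References list carries "Postfix documentation" twice (first and last entry); drop the duplicate. The example password hash in the note is md5-crypt (`$1$`); when the automation tooling mentioned in the todo is written, it would be worth generating a stronger crypt scheme the platform supports. Wording: "ist setup" -> "is set up", "PAM mail is defined :file:`/etc/pam.d/mail`" is missing "in", "non-existant" -> "non-existent", "Xinetd ... spawn pysieved" -> "spawns", and "aliases that are used to send email too" -> "from".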
diff --git a/docs/systems/emailout.rst b/docs/systems/emailout.rst
index a6fb000..4053955 100644
--- a/docs/systems/emailout.rst
+++ b/docs/systems/emailout.rst
@@ -1,5 +1,344 @@
.. index::
single: Systems; Emailout
+========
Emailout
========
+
+Purpose
+=======
+
+This system is used as outgoing mail relay for other infrastructure services.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: :ref:`people_jselzer`
+
+Contact
+-------
+
+* emailout-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` has :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.239`
+:IP Intranet: :ip:v4:`172.16.2.10` (outbound SNAT) and :ip:v4:`172.16.2.32`
+:IP Internal: :ip:v4:`10.0.0.32`
+:MAC address: :mac:`00:ff:12:01:65:02` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Emailout
+
+========================== ======== ====================================================================
+Name Type Content
+========================== ======== ====================================================================
+emailout.cacert.org. IN A 213.154.225.239
+emailout.cacert.org. IN SSHFP 1 1 1ba1ab632911e8a68a69521130120695086d858c
+emailout.cacert.org. IN SSHFP 1 2 6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055
+emailout.cacert.org. IN SSHFP 2 1 0e8888352604dbd1cc4d201bc1e985d80b9cf752
+emailout.cacert.org. IN SSHFP 2 2 a7402f014b47b805663c904dabbc9590db7d8d0f350cea6d9f63e12bc27bac0c
+emailout.cacert.org. IN SSHFP 3 1 527004f2091d2cef2c28b5f8241fc0e76307b2ba
+emailout.cacert.org. IN SSHFP 3 2 9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d
+emailout.intra.cacert.org. IN A 172.16.2.32
+========================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.10
+
+* Debian GNU/Linux 7.10
+
+Applicable Documentation
+------------------------
+
+The following packages where installed after the container setup::
+
+ apt-get install vim-nox screen aptitude git etckeeper postfix \
+ postfix-pcre opendkim opendkim-tools man-db rsyslog logrotate \
+ heirloom-mailx netcat-openbsd swaks
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | intranet | mail delivery from intranet MTAs |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: OpenDKIM
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| OpenDKIM | DKIM signing | init script |
+| | daemon | :file:`/etc/init.d/opendkim` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission, and | |
+| | mail relay for | |
+| | infrastructure | |
+| | systems | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* SMTP (25/tcp) from other infrastructure systems
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* SMTP (25/tcp) to :doc:`email`, :doc:`issue` and :doc:`lists`
+
+Security
+========
+
+.. sshkeys::
+ :RSA: 56:09:89:92:af:3c:15:e4:a3:06:11:63:0e:be:b6:a2
+ :DSA: 6c:8d:31:c4:92:de:f0:a8:95:eb:fe:20:83:91:ca:07
+ :ECDSA: cb:3c:69:c5:a1:90:c6:8e:55:40:83:6c:10:3f:09:b4
+
+.. todo:: setup ED25519 ssh host key
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+Postfix has a very good security reputation. The system is patched regularly.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. todo:: setup a proper certificate for incoming STARTTLS
+
+.. use the sslcert directive to have certificates added to the certificate list
+ automatically
+
+.. .. sslcert:: template.cacert.org
+ :altnames:
+ :certfile:
+ :keyfile:
+ :serial:
+ :expiration:
+ :sha1fp:
+ :issuer:
+
+.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA
+ certificates (allowed CA certificates for client certificates)
+ * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate
+ (certificate chain for server certificate)
+
+.. index::
+ pair: DKIM; Private Key
+ see: DKIM; OpenDKIM
+
+* :file:`/etc/dkim/2015.private` contains the RSA private key to be used for
+ :term:`DKIM` signing by OpenDKIM.
+
+.. index::
+ pair: DKIM; DNS
+ see: DNS; OpenDKIM
+
+* :file:`/etc/dkim/2015.txt` contains a textual DNS record representation for
+ the public component of the DKIM signing key
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Postfix; configuration
+
+Postfix configuration
+---------------------
+
+Postfix has been configured as outgoing email relay with very little changes to
+the default configuration.
+
+The mailname has been set to ``cacert.org`` in :file:`/etc/mailname`.
+
+Postfix configuration file:`/etc/postfix/main.cf` and :file:`/etc/postfix/dynamic_maps.cf` have been modified to:
+
+* set infrastructure related host and network parameters
+* allow regular expressions in maps
+* activate oportunistic TLS
+* prepare for DKIM support
+* disable local delivery
+
+.. literalinclude:: ../configdiff/emailout/postfix.diff
+ :language: diff
+
+Emails sent to specific intranet hostnames are rewritten to their respective
+admin addresses in :file:`/etc/postfix/canonical_maps`:
+
+.. literalinclude:: ../configdiff/emailout/canonical_maps
+ :language: text
+
+Emails sent to specific cacert.org hostnames are forwarded via
+:file:`/etc/postfix/transport`:
+
+.. literalinclude:: ../configdiff/emailout/transport
+ :language: text
+
+:file:`/etc/postfix/transport` has to be rehashed if it is changed because
+Postfix uses a binary representation in :file:`/etc/postfix/transport.db`. To
+perform the rehashing and restart Postfix use::
+
+ postmap hash:/etc/postfix/transport
+ service postfix restart
+
+.. index::
+ pair: OpenDKIM; configuration
+
+OpenDKIM configuration
+----------------------
+
+.. todo::
+ enable OpenDKIM in Postfix configuration when the DNS record is in place and
+ :doc:`email` is ready for DKIM too or is configured to send mail via
+ emailout.
+
+The OpenDKIM configuration is stored in :file:`/etc/opendkim.conf`. The
+following lines have been added:
+
+.. code:: diff
+
+ --- wheezy-chroot/etc/opendkim.conf 2013-01-09 04:10:46.000000000 +0100
+ +++ vm-emailout/rootfs/etc/opendkim.conf 2015-02-02 15:47:58.161884259 +0100
+ @@ -13,6 +13,12 @@
+ #Domain example.com
+ #KeyFile /etc/mail/dkim.key
+ #Selector 2007
+ +Domain cacert.org
+ +KeyFile /etc/dkim/2015.private
+ +Selector 2015
+ +
+ +Socket /var/spool/postfix/opendkim/opendkim.sock
+ +InternalHosts /etc/dkim/internalhosts
+
+ # Commonly-used options; the commented-out versions show the defaults.
+ #Canonicalization simple
+
+The key has been generated with::
+
+ mkdir /etc/dkim
+ cd /etc/dkim
+ opendkim-genkey -d cacert.org -s 2015
+
+Internal networks have been defined in :file:`/etc/dkim/internalhosts` as::
+
+ 127.0.0.1
+ 10.0.0.0/24
+ 172.16.2.0/24
+
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: update the system to Debian Jessie
+.. todo:: setup IPv6
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Postfix documentation
+ http://www.postfix.org/documentation.html
+Postfix Debian wiki page
+ https://wiki.debian.org/Postfix
+OpenDKIM documentation
+ http://www.opendkim.org/docs.html
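Review bot: the Outbound network connections list names :doc:`emailout` as SMTP relay, but this page documents emailout itself, so that item is a template leftover and should be removed or replaced by the real next hop. In the Postfix configuration paragraph the role `file:`/etc/postfix/main.cf`` is missing its leading colon and will render as literal text; it should read :file:`/etc/postfix/main.cf`. The commented-out template blocks under Keys and X.509 certificates (`.. .. sslcert:: template.cacert.org` and the `/etc/apache2/ssl/*` items, which refer to Apache on a host that runs no Apache) can go now that the real DKIM key items are in place. Typos: "where installed" -> "were installed", "oportunistic" -> "opportunistic", "very little changes" -> "very few changes".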
diff --git a/docs/systems/infra02.rst b/docs/systems/infra02.rst
index eb521b7..cd93c2f 100644
--- a/docs/systems/infra02.rst
+++ b/docs/systems/infra02.rst
@@ -27,11 +27,8 @@ Administration
System Administration
---------------------
-* Primary: `Jan Dittberner`_
-* Secondary: `Mario Lipinski`_
-
-.. _Jan Dittberner: jandd@cacert.org
-.. _Mario Lipinski: mario@cacert.org
+* Primary: :ref:`people_jandd`
+* Secondary: :ref:`people_mario`
Contact
-------
@@ -41,12 +38,9 @@ Contact
Additional People
-----------------
-`Wytze van der Raay`_ and `Mendel Mobach`_ have :program:`sudo` access on that
+:ref:`people_wytze` and :ref:`people_mendel` have :program:`sudo` access on that
machine too.
-.. _Wytze van der Raay: wytze@cacert.org
-.. _Mendel Mobach: mendel@cacert.org
-
Basics
======
@@ -74,7 +68,7 @@ There is a 2 TB USB backup disk attached to the system.
.. seealso::
- See https://wiki.cacert.org/SystemAdministration/EquipmentList
+ See :wiki:`SystemAdministration/EquipmentList`
.. _Thomas Krenn: https://www.thomas-krenn.com/
@@ -116,7 +110,7 @@ infra02.intra.cacert.org. IN A 172.16.2.10
.. seealso::
- See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
Operating System
----------------
@@ -209,27 +203,11 @@ Outbound network connections
Security
========
-SSH host keys
--------------
-
-.. index::
- single: SSH host keys; Infra02
-
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint |
-+===========+=====================================================+
-| RSA | ``86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c`` |
-+-----------+-----------------------------------------------------+
-| DSA | ``b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5`` |
-+-----------+-----------------------------------------------------+
-| ECDSA | ``79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0`` |
-+-----------+-----------------------------------------------------+
-| ED25519 | ``25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4`` |
-+-----------+-----------------------------------------------------+
-
-.. seealso::
-
- See :doc:`../sshkeys`
+.. sshkeys::
+ :RSA: 86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c
+ :DSA: b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5
+ :ECDSA: 79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0
+ :ED25519: 25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4
Dedictated user roles
---------------------
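Review bot: replacing the fingerprint table with the sshkeys directive also drops the `.. seealso:: See :doc:`../sshkeys`` cross-reference; unless the directive emits that link itself, readers lose the pointer to the key-verification page, so consider keeping the seealso below the directive. Drive-by in the unchanged context: "Dedictated user roles" is a typo for "Dedicated".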
@@ -274,7 +252,8 @@ System Future
Critical Configuration items
============================
-.. index:: Ferm
+.. index::
+ pair: Ferm; configuration
Ferm firewall configuration
---------------------------
@@ -282,6 +261,9 @@ Ferm firewall configuration
The `Ferm`_ based firewall setup is located in :file:`/etc/ferm` and its
subdirectories.
+.. index::
+ pair: LXC; configuration
+
Container configuration
-----------------------
@@ -296,4 +278,14 @@ Additional documentation
.. seealso::
- * https://wiki.cacert.org/PostfixConfiguration
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Ferm documentation
+ http://ferm.foo-projects.org/download/2.3/ferm.html
+Ferm Debian Wiki page
+ https://wiki.debian.org/ferm
+LXC Debian Wiki page
+ https://wiki.debian.org/LXC
diff --git a/docs/systems/monitor.rst b/docs/systems/monitor.rst
index 6260153..fb5472a 100644
--- a/docs/systems/monitor.rst
+++ b/docs/systems/monitor.rst
@@ -1,5 +1,314 @@
.. index::
single: Systems; Monitor
+=======
Monitor
=======
+
+Purpose
+=======
+
+This system hosts an `Icinga`_ instance to centrally monitor the services in
+the CAcert network (especially for security updates and certificate
+expiry).
+
+.. note::
+
+ To access the system you need a client certificate where the first email
+ address in the Subject Distinguished Name field is a cacert.org address.
+ Subject Alternative Names are not checked.
+
+ If you are the administrator of a service please ask the monitor admins to
+ add your system to the monitoring configuration and add you as system
+ contact to allow for notifications and tasks like service outage
+ acknowledgement, adding notes, rescheduling checks or setting downtimes for
+ your service.
+
+.. _Icinga: https://www.icinga.org/
+
+Application Links
+-----------------
+
+The Icinga classic frontend
+ https://monitor.cacert.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_martin`
+* Secondary: :ref:`people_neo`
+
+Application Administration
+--------------------------
+
++-------------+-----------------------+
+| Application | Administrator(s) |
++=============+=======================+
+| Icinga | :ref:`people_martin`, |
+| | :ref:`people_neo`, |
+| | :ref:`people_jandd` |
++-------------+-----------------------+
+
+Contact
+-------
+
+* monitor-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_jandd` and :ref:`people_mario` have :program:`sudo` access on that
+machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.230`
+:IP Intranet: :ip:v4:`172.16.2.18`
+:IP Internal: :ip:v4:`10.0.0.18`
+:MAC address: :mac:`10.0.0.18` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Monitor
+
+=================== ======== =========================
+Name Type Content
+=================== ======== =========================
+monitor.cacert.org. IN CNAME infrastructure.cacert.org
+=================== ======== =========================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.10
+
+* Debian GNU/Linux 7.10
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+.. seealso::
+
+ :ref:`Setup package update monitoring for a new container
+ <setup_apt_checking>`
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+-----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+=============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+-----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+-----------------------------+
+| 80/tcp | http | ANY | Icinga classic web frontend |
++----------+---------+---------+-----------------------------+
+| 443/tcp | https | ANY | Icinga classic web frontend |
++----------+---------+---------+-----------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+-----------------------------+
+| 5432/tcp | pgsql | local | PostgreSQL database for IDO |
++----------+---------+---------+-----------------------------+
+
+.. note::
+
+ The ssh port is reachable via NAT on infrastructure.cacert.org:11822
+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: Icinga
+ single: IDO2DB
+ single: Postfix
+ single: PostgreSQL
+ single: cron
+ single: nrpe
+ single: openssh
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for | init script |
+| | Icinga classic | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| Icinga | Icinga monitoring | init script |
+| | daemon | :file:`/etc/init.d/icinga` |
++--------------------+--------------------+----------------------------------------+
+| IDO2DB | IDO database | init script |
+| | writer daemon | :file:`/etc/init.d/ido2db` |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL | PostgreSQL | init script |
+| | database server | :file:`/etc/init.d/postgresql` |
+| | for IDO | |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | this system itself | |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++------------+--------+-----------------+
+| RDBMS | Name | Used for |
++============+========+=================+
+| PostgreSQL | icinga | Icinga IDO data |
++------------+--------+-----------------+
+
+Connected Systems
+-----------------
+
+None
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* crl.cacert.org (rsync) for getting CRLs
+* all :ip:v4range:`10.0.0.0/24` and :ip:v4range:`172.16.2.0/24` systems for
+ monitoring their services
+
+.. todo:: add IPv6 ranges when they are monitored
+
+Security
+========
+
+.. sshkeys::
+ :RSA: df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
+ :DSA: 07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc
+ :ECDSA: 48:46:b1:5a:4e:05:64:8a:c3:76:33:77:20:91:14:70
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+Icinga and the classic frontend are a bit aged but have a good security track
+record.
+
+Apache httpd has a good reputation and is a low risk package.
+
+NRPE is flawed and should be replaced. The risk is somewhat mitigated by
+firewalling on :doc:`the infrastructure host <infra02>`.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+* :file:`/etc/ssl/certs/monitor.c.o.pem` server certificate
+* :file:`/etc/ssl/private/monitor.c.o.priv` server key
+* :file:`/etc/ssl/certs/cacert.allcerts.pem` CAcert.org Class 1 and Class 3 CA
+ certificates (allowed CA certificates for client certificates and the
+ certificate chain for the server certificate)
+* :file:`/var/local/ssl/crls/`
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+CRL fetch job
+-------------
+
+The script :file:`/etc/cron.hourly/update-crls` is used to fetch CRLs once per
+hour.
+
+Apache httpd configuration
+--------------------------
+
+The HTTP and HTTPS VirtualHost configuration is defined in
+:file:`/etc/apache2/sites-available/icinga-nossl` and
+:file:`/etc/apache2/sites-available/icinga` the HTTP VirtualHost redirects to
+the HTTPS VirtualHost.
+
+Icinga configuration
+--------------------
+
+The Icinga configuration is stored in the :file:`/etc/icinga/` directory.
+Database configuration for IDO is stored in :file:`ido2db.cfg`. The Icinga
+classic frontend configuration is stored in :file:`cgi.cfg`. Host and service
+configurations are defined in the :file:`objects/` subdirectory.
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: upgrade to Debian Jessie
+.. todo:: switch to Icinga2 and Icingaweb2
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Wiki page for this system
+ :wiki:`SystemAdministration/Systems/Monitor`
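Review bot: the Logical Location field list puts an IP address where a MAC address belongs: `:MAC address: :mac:`10.0.0.18` (eth0)` just repeats the internal IP from the line above it, so the eth0 hardware address of the container should be filled in there. Two smaller inconsistencies in the same hunk: the Running services table lists rsyslog with start mechanism `/etc/init.d/syslog`, which does not match the rsyslog package's init script name (`/etc/init.d/rsyslog` on Debian); and Connected Systems says "None" although Outbound network connections states that every host in 10.0.0.0/24 and 172.16.2.0/24 is polled for monitoring (and webmail.rst in this same change lists monitor as a connected system), so the section should reference the monitored systems or say why they are omitted. The NRPE row's usage text "remote monitoring service by this system itself" also reads oddly; "remote monitoring service queried by this system itself", as the other system pages phrase it, is clearer.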
diff --git a/docs/systems/template.rst b/docs/systems/template.rst
index 7b8555d..6419262 100644
--- a/docs/systems/template.rst
+++ b/docs/systems/template.rst
@@ -10,22 +10,35 @@ Purpose
.. <SHORT DESCRIPTION>
+Application Links
+-----------------
+
+.. link1
+ https://<hostname>/<path>
+
+ link2
+ https://<hostname>/<path2>
+
+
Administration
==============
System Administration
---------------------
-* Primary: `Primary Name`_
-* Secondary: `Secondary Name`_
+.. people_<name> are defined in people.rst
-.. _Primary Name: primary@cacert.org
-.. _Secondary Name: secondary@cacert.org
+* Primary: :ref:`people_primary`
+* Secondary: :ref:`people_secondary`
Application Administration
--------------------------
-* <application>: <sysadmin's name>
++---------------+---------------------+
+| Application | Administrator(s) |
++===============+=====================+
+| <application> | :ref:`people_admin` |
++---------------+---------------------+
Contact
-------
@@ -35,10 +48,7 @@ Contact
Additional People
-----------------
-`Person A`_ and `Person B`_ have :program:`sudo` access on that machine too.
-
-.. _Person A: persona@cacert.org
-.. _Person B: personb@cacert.org
+:ref:`people_a` and :ref:`people_b` have :program:`sudo` access on that machine too.
Basics
======
@@ -58,7 +68,7 @@ Physical Configuration
.. seealso::
- See https://wiki.cacert.org/SystemAdministration/EquipmentList
+ See :wiki:`SystemAdministration/EquipmentList`
Logical Location
----------------
@@ -78,16 +88,16 @@ DNS
.. index::
single: DNS records; <machine>
-========================== ======== ====================================================================
+========================== ======== ==========================================
Name Type Content
-========================== ======== ====================================================================
+========================== ======== ==========================================
<HOST>.cacert.org. IN A <IP>
<HOST>.intra.cacert.org. IN A <IP>
-========================== ======== ====================================================================
+========================== ======== ==========================================
.. seealso::
- See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
Operating System
----------------
@@ -134,6 +144,18 @@ Listening services
Running services
----------------
+.. index::
+ single: Apache
+ single: Icinga2
+ single: MySQL
+ single: OpenERP
+ single: Postfix
+ single: PostgreSQL
+ single: cron
+ single: nginx
+ single: nrpe
+ single: openssh
+
+--------------------+--------------------+----------------------------------------+
| Service | Usage | Start mechanism |
+====================+====================+========================================+
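Review bot: the index block added under Running services (`single: Icinga2`, `single: MySQL`, `single: OpenERP`, `single: nginx`, ...) is a union of services across all systems, so a page copied from the template would be indexed under services it does not run unless the author prunes the list. Add a `.. ` comment line above the block saying to keep only the services that appear in the table, in the same style as the instruction comments used in the other template sections.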
@@ -206,46 +228,40 @@ Outbound network connections
Security
========
-SSH host keys
--------------
+.. add the MD5 fingerprints of the SSH host keys
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint |
-+===========+=====================================================+
-| RSA | |
-+-----------+-----------------------------------------------------+
-| DSA | |
-+-----------+-----------------------------------------------------+
-| ECDSA | |
-+-----------+-----------------------------------------------------+
-| ED25519 | |
-+-----------+-----------------------------------------------------+
-
-.. seealso::
-
- See :doc:`../sshkeys`
+.. sshkeys::
+ :RSA:
+ :DSA:
+ :ECDSA:
+ :ED25519:
Dedicated user roles
--------------------
-.. If the system has some dedicated user groups besides the sudo group used for administration it should be documented here
- Regular operating system groups should not be documented
+.. If the system has some dedicated user groups besides the sudo group used for
+ administration it should be documented here Regular operating system groups
+ should not be documented
-.. || '''Group''' || '''Purpose''' ||
- || goodguys || Shell access for the good guys ||
++-------------+-----------------------------+
+| Group | Purpose |
++=============+=============================+
+| <groupname> | <short purpose description> |
++-------------+-----------------------------+
Non-distribution packages and modifications
-------------------------------------------
.. * None
or
- * List of non-distribution packages and modifications
+ * List of non-distribution packages and modifications (with some
+ explaination why no distribution package could be used)
Risk assessments on critical packages
-------------------------------------
-Tasks
-=====
+.. add a paragraph for each known risk. The risk has to be described.
+ Mitigation or risk acceptance has to be documented.
Critical Configuration items
============================
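Review bot: the comment `.. add the MD5 fingerprints of the SSH host keys` pins the documented fingerprints to MD5; since OpenSSH 6.8 `ssh-keygen -l` prints SHA256 fingerprints by default, an administrator verifying a host key from a current client has to pass `-E md5` to compare against these values, so either say that in the comment or let the `sshkeys` directive carry SHA256 fingerprints as well. Minor text issues in the same hunk: the reflowed Dedicated user roles comment lost its sentence break ("documented here Regular operating system groups" should read "documented here. Regular operating system groups"), and "explaination" in the Non-distribution packages comment should be "explanation". Removing the duplicate `Tasks` heading before Critical Configuration items is correct, since the real Tasks section follows later in the file.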
@@ -253,16 +269,38 @@ Critical Configuration items
Keys and X.509 certificates
---------------------------
-* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
-* :file:`/etc/apache2/ssl/<path to server key>` server key
+.. use the sslcert directive to have certificates added to the certificate list
+ automatically
+
+.. sslcert:: template.cacert.org
+ :altnames:
+ :certfile:
+ :keyfile:
+ :serial:
+ :expiration:
+ :sha1fp:
+ :issuer:
+
+.. for certificates that are orginally created on another host use
+
+.. sslcert:: other.cacert.org
+ :certfile:
+ :keyfile:
+ :serial:
+ :secondary:
.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
* `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
.. seealso::
- * :doc:`../certlist`
- * https://wiki.cacert.org/SystemAdministration/CertificateList
+ * :wiki:`SystemAdministration/CertificateList`
+
+<service_x> configuration
+-------------------------
+
+.. add a section for the configuration of each service where configuration
+ deviates from OS package defaults
Tasks
=====
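Review bot: "orginally" in the comment `.. for certificates that are orginally created on another host use` should be "originally". The `:secondary:` option on the second `sslcert` example is the only hint that such a certificate's key material lives on another host; a few words in the comment explaining what `:secondary:` means, and whether `:expiration:` and `:sha1fp:` are then taken from the primary entry, would help template users fill it in correctly. The remaining `.. * `/etc/apache2/ssl/cacert-certs.pem` ...` comment still uses plain backtick literals and the old `/etc/apache2/ssl/` paths rather than the `:file:` role used elsewhere in the rewritten section; convert it to match or drop it.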
@@ -270,9 +308,8 @@ Tasks
Planned
-------
-.. add a paragraph for each larger planned task that seems to be worth
- mentioning. You may want to link to specific issues if you use some issue
- tracker.
+.. add a paragraph or todo directive for each larger planned task. You may want
+ to link to specific issues if you use some issue tracker.
Changes
=======
@@ -280,6 +317,10 @@ Changes
System Future
-------------
+.. use this section to describe any plans for the system future. These are
+ larger plans like moving to another host, abandoning the system or replacing
+ its funtionality with something else.
+
.. * No plans
Additional documentation
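Review bot: "funtionality" in the new System Future comment ("replacing its funtionality with something else") should be "functionality".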
@@ -289,13 +330,13 @@ Additional documentation
.. remove unneeded links from the list below, add other links that apply
-.. seealso:
+.. seealso::
- * https://wiki.cacert.org/Exim4Configuration
- * https://wiki.cacert.org/PostfixConfiguration
- * https://wiki.cacert.org/QmailConfiguration
- * https://wiki.cacert.org/SendmailConfiguration
- * https://wiki.cacert.org/StunnelConfiguration
+ * :wiki:`Exim4Configuration`
+ * :wiki:`PostfixConfiguration`
+ * :wiki:`QmailConfiguration`
+ * :wiki:`SendmailConfiguration`
+ * :wiki:`StunnelConfiguration`
References
----------
diff --git a/docs/systems/webmail.rst b/docs/systems/webmail.rst
new file mode 100644
index 0000000..6a4851e
--- /dev/null
+++ b/docs/systems/webmail.rst
@@ -0,0 +1,358 @@
+.. index::
+ single: Systems; Webmail
+
+===================
+Webmail (Community)
+===================
+
+Purpose
+=======
+
+This container hosts the webmail system available at
+https://community.cacert.org/ that provides web based mail access to users with
+a @cacert.org email address.
+
+The system also hosts the `board voting system`_, `staff list`_ and `email
+password reset`_.
+
+.. todo:: move `board voting system`_ to a separate container
+
+.. todo::
+ move `staff list`_ to a separate container or integrate it into some
+ new self service system
+
+.. _board voting system: https://community.cacert.org/board
+.. _staff list: https://community.cacert.org/staff.php
+.. _email password reset: https://community.cacert.org/password.php
+
+Application Links
+-----------------
+
+Webmail URL
+ https://community.cacert.org/ (redirects to
+ https://community.cacert.org/roundcubemail/)
+
+Board Voting System URL
+ https://community.cacert.org/board/
+
+Password reset
+ https://community.cacert.org/password.php
+
+Staff list
+ https://community.cacert.org/staff.php
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: None
+* Secondary: None
+
+.. todo:: find admins for webmail
+
+Application Administration
+--------------------------
+
++---------------------+-----------------------+
+| Application | Administrators |
++=====================+=======================+
+| Webmail | :ref:`people_ulrich`, |
+| | :ref:`people_jselzer` |
++---------------------+-----------------------+
+| Board voting system | :ref:`people_jandd` |
++---------------------+-----------------------+
+| Staff list | None |
++---------------------+-----------------------+
+| Password reset | None |
++---------------------+-----------------------+
+
+Contact
+-------
+
+* webmail-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_jandd`, :ref:`people_mario` and :ref:`people_jselzer` have
+:program:`sudo` access on that machine.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.228`
+:IP Intranet: :ip:v4:`172.16.2.20`
+:IP Internal: :ip:v4:`10.0.0.120`
+:MAC address: :mac:`00:ff:9a:a7:64:78` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Webmail
+ single: DNS records; Community
+
+===================== ======== ================
+Name Type Content
+===================== ======== ================
+community.cacert.org. IN CNAME email.cacert.org
+===================== ======== ================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Etch
+ single: Debian GNU/Linux; 4.0
+
+* Debian GNU/Linux 4.0
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+.. seealso::
+
+ * :wiki:`CommunityEmail`
+ * :wiki:`EmailAccountPolicy`
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+---------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+===========================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+---------------------------+
+| 443/tcp | https | ANY | Web server |
++----------+---------+---------+---------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+---------------------------+
+
+.. note::
+
+ The ssh port is reachable via NAT on email.cacert.org:12022
+
+Running services
+----------------
+
+.. index::
+ single: openssh
+ single: Apache
+ single: cron
+ single: Postfix
+ single: nrpe
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for | init script |
+| | Applications | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* archive.debian.org as Debian mirror
+* :doc:`email` for MySQL (3306/tcp) for webmail, password reset and staff list
+* :doc:`email` IMAP (110/tcp), IMAPS (993/tcp), Manage Sieve (2001/tcp), SMTPS
+ (465/tcp) and SMTP Submission (587/tcp) for the webmail system
+
+Security
+========
+
+.. sshkeys::
+ :RSA: 82:91:22:22:10:75:ab:0e:55:05:9a:f9:98:cb:94:48
+ :DSA: 6b:6e:59:37:41:83:a5:89:2a:18:04:23:51:53:5d:cd
+
+.. warning::
+
+ The system is too old to support ECDSA or ED25519 keys.
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+:file:`/var/www/roundcubemail` contains a `Roundcube`_ 0.2.1 installation,
+probably with patches.
+
+.. todo::
+
+ Research wether Roundcube has been patched or not
+
+:file:`/var/www/staff.php` is a custom built PHP script to show a list of
+people with cacert.org email addresses.
+
+:file:`/var/www/password.php` is a custom build PHP script to allow users to
+reset their email password.
+
+:file:`/var/www/board` contains the board voting system.
+
+.. _Roundcube: https://roundcube.net/
+
+Risk assessments on critical packages
+-------------------------------------
+
+The whole system is outdated, the PHP version is ancient, Roundcube is old.
+Needs to be replaced as soon as possible.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: community.cacert.org
+ :certfile: /etc/ssl/certs/ssl-cert-community-cacert.crt
+ :keyfile: /etc/ssl/private/ssl-cert-community-cacert.key
+ :serial: 11e846
+ :expiration: Mar 31 18:50:26 2018 GMT
+ :sha1fp: F1:BC:77:BD:12:EA:69:CF:5E:5F:74:C2:6B:AD:3E:43:94:9A:7F:B4
+ :altnames: DNS:community.cacert.org, DNS:nocert.community.cacert.org,
+ DNS:cert.community.cacert.org, DNS:email.cacert.org,
+ DNS:nocert.email.cacert.org, DNS:cert.email.cacert.org
+ :issuer: CAcert.org Class 1 Root CA
+
+* :file:`/usr/share/ca-certificates/cacert.org/` directory containing the
+ CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for
+ client authentication and certificate chain for server certificate) with
+ symbolic links with the :command:`openssl` hashed certificate names
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+The Apache httpd configuration is stored in
+:file:`/etc/apache2/sites-available/webmail`.
+
+:file:`/etc/hosts`
+------------------
+
+Defines some aliases for :doc:`email` that are used by Roundcube, the password
+reset script and the staff list script.
+
+.. index::
+ pair: Roundcube; configuration
+
+Roundcube configuration
+-----------------------
+
+The Roundcube configuration is stored in files in the
+:file:`/var/www/roundcubemail/config/` directory.
+
+
+Staff list script
+-----------------
+
+The staff list contains its configuration in :file:`/var/www/staff.php` itself.
+
+.. todo::
+
+ Put the staff list script in a git repository
+
+Password reset script
+---------------------
+
+The password reset script contains it configuration in
+:file:`/var/www/password.php` itself.
+
+.. todo::
+
+ Put the password reset script in a git repository
+
+Board voting system configuration
+---------------------------------
+
+The board voting system uses a SQLite database in
+:file:`/var/www/board/database.sqlite`.
+
+.. warning::
+
+ The board voting system software seems to be checked out from a Subversion
+ repository at https://svn.cacert.cl/Software/Voting/vote that does not exist
+ anymore
+
+.. todo::
+
+ Put the current version of the board voting system in a git repository
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: implement CRL checking
+
+Changes
+=======
+
+System Future
+-------------
+
+.. todo::
+ The system has to be replaced with a new system using a current operating
+ system version
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Wiki page for this system
+ :wiki:`SystemAdministration/Systems/Community`
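Review bot: the Outbound network connections entry `IMAP (110/tcp)` is inconsistent: 110/tcp is POP3 and plain IMAP is 143/tcp, so either the port or the protocol name is wrong and should be corrected against what Roundcube is actually configured to use in `/var/www/roundcubemail/config/`, since firewall rules on infra02 may be derived from this list. Related: Connected Systems lists only `monitor`, while the same section documents MySQL, IMAP(S), Sieve and SMTP dependencies on `email`, so `email` (and `emailout`) belong in Connected Systems too. In Board voting system configuration, the SQLite database at `/var/www/board/database.sqlite` sits inside the document root served by Apache; the page should state how direct HTTP access to that file is denied in `/etc/apache2/sites-available/webmail`, or the file should be moved out of `/var/www`, because an exposed database file would leak vote data. Minor text fixes: "wether" should be "whether", "custom build PHP script" should be "custom built", "contains it configuration" should be "contains its configuration", and the Risk assessments paragraph is a run-on ("The whole system is outdated: the PHP version is ancient and Roundcube is old. It needs to be replaced as soon as possible.").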