-rw-r--r--  docs/external.rst           11
-rw-r--r--  docs/external/extmon.rst   243
-rw-r--r--  docs/index.rst               1
-rw-r--r--  docs/iplist.rst              4
-rw-r--r--  docs/network.rst             2
-rw-r--r--  docs/systems.rst            13
6 files changed, 265 insertions, 9 deletions
diff --git a/docs/external.rst b/docs/external.rst
new file mode 100644
index 0000000..464c569
--- /dev/null
+++ b/docs/external.rst
@@ -0,0 +1,11 @@
+================
+External Systems
+================
+
+External systems that are relevant to the CAcert infrastructure but are not
+part of the infrastructure.
+
+.. toctree::
+ :maxdepth: 1
+
+ external/extmon
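Review bot: the introductory sentence "External systems that are relevant to the CAcert infrastructure but are not part of the infrastructure" is circular; say what makes them external, e.g. "systems that support the CAcert infrastructure but are hosted outside the CAcert network and are not covered by the infrastructure security policy", so readers know why extmon gets its own section and a different trust level.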
diff --git a/docs/external/extmon.rst b/docs/external/extmon.rst
new file mode 100644
index 0000000..6efd51f
--- /dev/null
+++ b/docs/external/extmon.rst
@@ -0,0 +1,243 @@
+.. index::
+ single: Systems; Extmon
+
+======
+Extmon
+======
+
+Purpose
+=======
+
+Extmon is used as an external Icinga2 agent that monitors the availability of
+CAcert service from the Internet. The system is sponsored by
+:ref:`people_jandd` and is running on a Hetzner cloud instance in Germany.
+
+Application Links
+-----------------
+
+Service checks executed by extmon
+ https://monitor.cacert.org/monitoring/list/servicegroups#!/monitoring/list/services?servicegroup_name=external-checks
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application | Administrator(s) |
++===============+=====================+
+| icinga2 agent | :ref:`people_jandd` |
++---------------+---------------------+
+
+Contact
+-------
+
+* extmon-admin@cacert.org
+
+Additional People
+-----------------
+
+No other people have :program:`sudo` access on that machine.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is a virtual KVM machine hosted on a Hetzner cloud server in
+N├╝rnberg, Germany.
+
+Physical Configuration
+----------------------
+
+* 1 VCPU
+* 2 GB RAM
+* 20 GB local disc
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`116.203.192.12`
+:IPv6: :ip:v6:`2a01:4f8:c2c:a5b9::1`
+:MAC address: :mac:`96:00:00:2c:89:82` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+.. index::
+ single: Monitoring; Extmon
+
+Monitoring
+----------
+
+:internal checks: :monitor:`extmon.infra.cacert.org`
+
+DNS
+---
+
+The system has no DNS entries.
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.9
+
+* Debian GNU/Linux 9.9
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+-------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+===============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+-------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+-------------------------------+
+| 68/udp | dhcp | hetzner | dynamic network configuration |
++----------+---------+---------+-------------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service |
++----------+---------+---------+-------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: cron
+ single: dbus
+ single: exim4
+ single: icinga2
+ single: openssh
+ single: puppet
+ single: rsyslog
+
++----------------+--------------------------+----------------------------------+
+| Service | Usage | Start mechanism |
++================+==========================+==================================+
+| cron | job scheduler | systemd unit ``cron.service`` |
++----------------+--------------------------+----------------------------------+
+| dbus-daemon | System message bus | systemd unit ``dbus.service`` |
+| | daemon | |
++----------------+--------------------------+----------------------------------+
+| Exim | SMTP server for | systemd unit ``exim4.service`` |
+| | local mail submission | |
++----------------+--------------------------+----------------------------------+
+| icinga2 | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for | systemd unit ``ssh.service`` |
+| | remote administration | |
++----------------+--------------------------+----------------------------------+
+| Puppet agent | configuration | systemd unit ``puppet.service`` |
+| | management agent | |
++----------------+--------------------------+----------------------------------+
+| rsyslog | syslog daemon | systemd unit ``rsyslog.service`` |
++----------------+--------------------------+----------------------------------+
+
+Databases
+---------
+
+* None
+
+Connected Systems
+-----------------
+
+* :doc:`../systems/monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) Hetzner cloud nameservers
+* :doc:`../systems/puppet` (tcp/8140) as Puppet master
+* checked CAcert systems on publicly opened ports
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:pRCCUOzQbNf2MSDyq3mt/zCYrf9Cowo0tUp+cLcP5ZU MD5:89:07:d2:68:02:37:73:86:a3:f0:53:46:e9:93:3c:b5
+ :DSA: SHA256:qQmdmDcCrj9CgGK/LsT0zz8d90wCmn0HlSmt9WRqIF8 MD5:8c:f0:fa:e2:18:98:22:fb:ae:ed:c3:84:78:0e:70:5f
+ :ECDSA: SHA256:+5X1KhHfqCSfVzNhT6xXpKYwsS/bZvI5rOM7hPogcWo MD5:f3:65:d0:12:a6:e9:cc:91:f4:55:32:c0:ca:75:59:17
+ :ED25519: SHA256:lxUPfNgUMZ/JrZHVG9Qc33x7vqyKGgmIJ54rgx+dZow MD5:39:b7:17:91:05:2d:1c:ad:4b:5a:5e:e0:e6:01:2c:a5
+
+Dedicated user roles
+--------------------
+
+* None
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+The system provides no public services besides an Icinga2 agent that executes
+commands sent from :doc:`../systems/monitor`.
+
+The Puppet agent package and a few dependencies are installed from the
+official Puppet APT repository because the versions in Debian are too old to
+use modern Puppet features.
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
+Keys and X.509 certificates
+---------------------------
+
+* None
+
+Tasks
+=====
+
+Add a service to be checked by extmon
+-------------------------------------
+
+Service monitoring is configured in the :cacertgit:`cacert-icinga2-conf_d`.
+
+All checks for services on hosts with the following block will be executed by
+extmon:
+
+.. code-block::
+
+ vars.external = true
+
+Changes
+=======
+
+Planned
+-------
+
+.. todo:: update to Debian 10 (when Puppet is available)
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+* None
+
+References
+----------
+
+* https://icinga.com/docs/icinga2/latest/
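Review bot: the "Keys and X.509 certificates" section (`* None`) contradicts the Icinga2 agent documented under Services: an agent that listens on 5665/tcp authenticates the monitor over TLS using its own node certificate and the Icinga CA certificate, so this section should list those (where they live, which CA issued them, how they are renewed) rather than "None", since they are exactly the material that decides who may send check commands to this host. The `.. sshkeys::` block also lists a DSA host key; ssh-dss is disabled by default in the OpenSSH shipped with Debian 9, so that key can be dropped from the host and from this list. Minor: "monitors the availability of CAcert service" should read "services", and "N├╝rnberg" in Physical Location looks mis-encoded; confirm the file is saved as UTF-8 "Nürnberg".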
diff --git a/docs/index.rst b/docs/index.rst
index d6200dc..c132b7d 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -12,6 +12,7 @@ Table of Contents
critical
systems
+ external
lxcsetup
network
iplist
diff --git a/docs/iplist.rst b/docs/iplist.rst
index f20050c..16c38dc 100644
--- a/docs/iplist.rst
+++ b/docs/iplist.rst
@@ -12,6 +12,10 @@ Internet IP addresses
.. ip:v6range:: 2001:7b8:616:162:2::/80
+.. ip:v4range:: 116.203.192.12/32
+
+.. ip:v6range:: 2a01:4f8:c2c:a5b9::1/128
+
Intranet IP addresses
---------------------
diff --git a/docs/network.rst b/docs/network.rst
index 078f3ad..99e9c57 100644
--- a/docs/network.rst
+++ b/docs/network.rst
@@ -22,6 +22,8 @@ IPv6 connectivity is also available. The infrastructure IPv6 addresses are
taken from the :ip:v6range:`2001:7b8:616:162:1::/80` and
:ip:v6range:`2001:7b8:616:162:2::/80` ranges.
+External monitoring is provided from the ranges :ip:v4range:`116.203.192.12/32`
+and :ip:v6range:`2a01:4f8:c2c:a5b9::1/128`.
Intranet
--------
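Review bot: the new sentence about the external monitoring ranges should point at the system that owns them, e.g. ``:doc:`external/extmon```, so a reader of the network page can find out which checks originate from 116.203.192.12 and 2a01:4f8:c2c:a5b9::1; as written the addresses appear without any reference to the extmon documentation added in this commit.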
diff --git a/docs/systems.rst b/docs/systems.rst
index 24e939f..404f430 100644
--- a/docs/systems.rst
+++ b/docs/systems.rst
@@ -90,28 +90,23 @@ General
That's it, now the package update status should be properly displayed in
Icinga.
-.. todo:: think about replacing nrpe with Icinga2 satellites
-
Checklist
=========
.. index::
single: etckeeper
+ single: icinga2
single: nrpe
+ single: puppet
* All containers should be monitored by :doc:`systems/monitor` and should
- therefore have :program:`nagios-nrpe-server` installed
+ therefore have :program:`icinga2` installed and managed via Puppet (older
+ systems without Puppet have :program:`nagios-nrpe-server` installed)
* All containers should use :program:`etckeeper` to put their local setup into
version control. All local setup should use :file:`/etc` to make sure it is
handled by :program:`etckeeper`
* All infrastructure systems must send their mail via :doc:`systems/emailout`
* All infrastructure systems should have an system-admin@cacert.org alias to
reach their admins
-* The installation of :index:`systemd-sysv` in containers can be blocked by
- putting the following lines in :file:`/etc/apt/preferences.d/systemd-sysv`::
-
- Package: systemd-sysv
- Pin: release a=stable
- Pin-Priority: -1
.. todo:: document how to setup the system-admin alias on the email system
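Review bot: the removal of the systemd-sysv apt pinning instructions (`Package: systemd-sysv`, `Pin: release a=stable`, `Pin-Priority: -1`) is unrelated to the Icinga2/extmon changes in the rest of this commit and silently drops operational guidance; if the pin is no longer needed for new containers, keep a one-line checklist item saying so, otherwise move the removal into its own commit with its reason. Dropping the `.. todo:: think about replacing nrpe with Icinga2 satellites` is fine, since the updated checklist item now documents Icinga2 managed via Puppet as the target state.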