-rw-r--r--.gitignore6
-rw-r--r--doc-requirements.txt25
-rw-r--r--docs/building.rst81
-rw-r--r--docs/certlist.rst10
-rw-r--r--docs/conf.py62
-rw-r--r--docs/configdiff/bugs/apache/bugs-apache-config.diff47
-rw-r--r--docs/configdiff/cats/apache/cats-apache-config.diff63
-rw-r--r--docs/configdiff/cats/logrotate/cats18
-rw-r--r--docs/configdiff/emailout/canonical_maps2
-rw-r--r--docs/configdiff/emailout/postfix-main.cf52
-rw-r--r--docs/configdiff/emailout/transport3
-rw-r--r--docs/configdiff/git/git-apache-config.diff121
-rw-r--r--docs/configdiff/git/git-daemon-run.diff8
-rw-r--r--docs/configdiff/git/gitweb.conf.diff40
-rw-r--r--docs/critical.rst11
-rw-r--r--docs/critical/template.rst346
-rw-r--r--docs/critical/webdb.rst6
-rw-r--r--docs/downloads/template_new_community_mailaddress.rfc82219
-rw-r--r--docs/glossary.rst62
-rw-r--r--docs/images/CAcert-logo-colour.svg46
-rw-r--r--docs/images/favicon.icobin0 -> 3638 bytes
-rw-r--r--docs/index.rst27
-rw-r--r--docs/iplist.rst25
-rw-r--r--docs/lxcsetup.rst117
-rw-r--r--docs/network.rst45
-rw-r--r--docs/patches/openerp/account.py.patch27
-rw-r--r--docs/patches/openerp/account_followup_paypal.patch38
-rw-r--r--docs/patches/openerp/account_followup_print.patch10
-rw-r--r--docs/patches/openerp/invoice.py.patch10
-rw-r--r--docs/patches/openerp/py.js.patch18
-rw-r--r--docs/patches/openerp/view_form.js.patch15
-rw-r--r--docs/patches/otrs/Layout.pm.patch54
-rw-r--r--docs/people.rst152
-rw-r--r--docs/sphinxext/__init__.py0
-rw-r--r--docs/sphinxext/cacert.py710
-rw-r--r--docs/sshkeys.rst5
-rw-r--r--docs/systems.rst111
-rw-r--r--docs/systems/blog.rst362
-rw-r--r--docs/systems/board.rst372
-rw-r--r--docs/systems/bugs.rst356
-rw-r--r--docs/systems/cats.rst381
-rw-r--r--docs/systems/email.rst575
-rw-r--r--docs/systems/emailout.rst332
-rw-r--r--docs/systems/git.rst374
-rw-r--r--docs/systems/infra02.rst291
-rw-r--r--docs/systems/irc.rst366
-rw-r--r--docs/systems/ircserver.rst376
-rw-r--r--docs/systems/issue.rst382
-rw-r--r--docs/systems/jenkins.rst246
-rw-r--r--docs/systems/lists.rst412
-rw-r--r--docs/systems/monitor.rst313
-rw-r--r--docs/systems/proxyout.rst229
-rw-r--r--docs/systems/puppet.rst304
-rw-r--r--docs/systems/svn.rst348
-rw-r--r--docs/systems/template.rst345
-rw-r--r--docs/systems/translations.rst423
-rw-r--r--docs/systems/web.rst308
-rw-r--r--docs/systems/webmail.rst358
-rw-r--r--docs/systems/webstatic.rst285
-rwxr-xr-xtools/ssh_host_keys.py37
-rwxr-xr-xtools/sslcert.py116
-rw-r--r--tools/tool-requirements.txt3
62 files changed, 10256 insertions, 30 deletions
diff --git a/.gitignore b/.gitignore
index 32af1b4..7285178 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,9 @@
*.pyc
*.pyo
.*.swp
-venv/
+.ropeproject/
+.swp
_build/
+py2venv/
+venv/
+.idea/
\ No newline at end of file
diff --git a/doc-requirements.txt b/doc-requirements.txt
index 0146ee7..7752ffe 100644
--- a/doc-requirements.txt
+++ b/doc-requirements.txt
@@ -1,11 +1,16 @@
-Babel==2.3.3
-Jinja2==2.8
-MarkupSafe==0.23
-Pygments==2.1.3
-Sphinx==1.4.1
-alabaster==0.7.7
-docutils==0.12
-imagesize==0.7.0
-pytz==2016.3
-six==1.10.0
+Babel==2.5.1
+Jinja2==2.10
+MarkupSafe==1.0
+Pygments==2.2.0
+Sphinx==1.6.6
+alabaster==0.7.10
+docutils==0.14
+imagesize==0.7.1
+pytz==2017.3
+six==1.11.0
snowballstemmer==1.2.1
+jandd.sphinxext.ip==0.2.4
+jandd.sphinxext.mac==0.1.0
+py-dateutil==2.2
+validate-email==1.3
+GitPython==2.1.8
diff --git a/docs/building.rst b/docs/building.rst
new file mode 100644
index 0000000..733c6da
--- /dev/null
+++ b/docs/building.rst
@@ -0,0 +1,81 @@
+==========================
+Building the documentation
+==========================
+
+This documentation is maintained as a set of ReStructuredText documents and
+uses `Sphinx <http://www.sphinx-doc.org/>`_ to build HTML formatted
+representations of the documents.
+
+To build this documentation you need a Python 3 installation. To isolate the
+documentation build from your system Python 3 packages using a virtual
+environment is recommended.
+
+Python 3 installation instructions can be found on the `Python website`_.
+
+.. _Python website: https://www.python.org/
+
+.. topic:: Building the documentation on a Debian system
+
+ The following example shows how to build the documentation on a Debian system:
+
+ .. code-block:: bash
+
+ # Install required operating system packages
+ sudo apt-get install python3 python3-venv make
+ # Setup a fresh virtual Python environment in the venv subdirectory
+ pyvenv venv
+ # Activate the virtual environment
+ . venv/bin/activate
+ # Install the documentation build dependencies (Sphinx, extensions and
+ # their dependencies)
+ pip install -r doc-requirements.txt
+ # Build the documentation in the docs subdirectory
+ cd docs
+ make html
+
+ .. note::
+
+ The above commands should be run from the root directory of a git clone
+ of the cacert-infradocs git repository. The result of the :program:`make`
+ exection will be available in the :file:`_build/html/` directory inside
+ the :file:`docs/` directory.
+
+Getting the documentation source
+--------------------------------
+
+The documentation is available from the git repository cacert-infradocs on
+git.cacert.org. You can browse the `repository
+<http://git.cacert.org/gitweb/?p=cacert-infradocs.git;a=summary>`_ via gitweb.
+
+You can clone the repository anonymously by executing::
+
+ git clone git://git.cacert.org/cacert-infradocs.git
+
+If you want to contribute to the documentation please ask git-admin@cacert.org
+to setup a user in the group git-infra on git.cacert.org for you. You will have
+to provide an SSH public key (either RSA with at least 2048 Bits modulus or an
+ECDSA or ED25519 key with similar strength) with your request.
+
+If you have a user in the git-infra group you can clone the repository by
+executing::
+
+ git clone ssh://<username>@git.cacert.org/var/cache/git/cacert-infradocs.git
+
+.. note:: replace ``<username>`` with your actual username
+
+Continuous integration
+----------------------
+
+If changes are pushed to the cacert-infradocs git repository on git.cacert.org
+a `Jenkins Job <https://jenkins.cacert.org/job/cacert-infradocs/>`_ is
+automatically triggered. If the documentation is built successfully it can be
+viewed in the `docs/_build/html directory of the Job's workspace
+<https://jenkins.cacert.org/job/cacert-infradocs/ws/docs/_build/html/>`_. You may
+open `index.html
+<https://jenkins.cacert.org/job/cacert-infradocs/ws/docs/_build/html/index.html>`_
+to browse the documentation (there are some JavaScript and SVG glitches due to
+Content-Security-Policy settings).
+
+If the documentation build is successful the result is pushed to a webserver
+document root on :doc:`systems/webstatic` and is publicly available at
+https://infradocs.cacert.org/.
diff --git a/docs/certlist.rst b/docs/certlist.rst
new file mode 100644
index 0000000..68f5bf0
--- /dev/null
+++ b/docs/certlist.rst
@@ -0,0 +1,10 @@
+==================
+X.509 Certificates
+==================
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+ * :wiki:`SystemAdministration/Procedures/CertificateIssuing`
+
+.. sslcertlist::
diff --git a/docs/conf.py b/docs/conf.py
index 581c02c..dcc539f 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -14,11 +14,16 @@
import sys
import os
+from datetime import datetime
+from urllib.parse import urljoin
+
+from git import repo
+from docutils import nodes, utils
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
-#sys.path.insert(0, os.path.abspath('.'))
+sys.path.insert(0, os.path.abspath('.'))
# -- General configuration ------------------------------------------------
@@ -30,6 +35,10 @@ import os
# ones.
extensions = [
'sphinx.ext.todo',
+ 'sphinx.ext.extlinks',
+ 'jandd.sphinxext.ip',
+ 'jandd.sphinxext.mac',
+ 'sphinxext.cacert',
]
# Add any paths that contain templates here, relative to this directory.
@@ -48,8 +57,8 @@ master_doc = 'index'
# General information about the project.
project = u'CAcert infrastructure'
-copyright = u'2016, Jan Dittberner'
-author = u'Jan Dittberner'
+copyright = u'2016, 2017, 2018 Jan Dittberner, CAcert'
+author = u'CAcert infrastructure team'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
@@ -58,7 +67,10 @@ author = u'Jan Dittberner'
# The short X.Y version.
version = u'0.1'
# The full version, including alpha/beta/rc tags.
-release = u'0.1'
+release = "{}-git:{} built:{}".format(
+ version,
+ repo.Repo('..').git.describe('--always', '--dirty'),
+ datetime.utcnow().replace(microsecond=0))
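Review bot: `release` is now computed by calling git at configuration time, so `repo.Repo('..')` raises as soon as the documentation is built from a tree that is not a git checkout (a release tarball, or a CI workspace that only exports `docs/`), and every build is then a hard failure instead of a missing revision string. The relative path also relies on Sphinx executing conf.py with the docs directory as working directory, which it does, but nothing says so here; a comment on that would help the next maintainer. Wrapping the describe call so a missing repository degrades to a placeholder keeps the build working, and the naive `datetime.utcnow()` timestamp should be documented as UTC since nothing in the string says which zone it is. The `from git import repo` import that this depends on is in an earlier hunk of this file; the exceptions below come from `git.exc`.
```python
# Build identifier "<version>-git:<describe> built:<UTC time>".  The describe
# call needs a git checkout; fall back to a placeholder so non-git source
# trees (tarballs, exported CI workspaces) can still build the docs.
try:
    git_rev = repo.Repo('..').git.describe('--always', '--dirty')
except (InvalidGitRepositoryError, NoSuchPathError):  # both from git.exc
    git_rev = 'unknown'
release = "{}-git:{} built:{}".format(
    version, git_rev, datetime.utcnow().replace(microsecond=0))
```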
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
@@ -75,7 +87,7 @@ language = None
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
-exclude_patterns = ['_build']
+exclude_patterns = ['_build', 'systems/template.rst', 'critical/template.rst']
# The reST default role (used for this markup: `text`) to use for all
# documents.
@@ -109,31 +121,35 @@ todo_include_todos = True
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
-html_theme = 'alabaster'
+html_theme = 'classic'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
-#html_theme_options = {}
+html_theme_options = {
+ 'sidebarbgcolor': '#f5f7f7',
+ 'sidebartextcolor': '#334d55',
+ 'sidebarlinkcolor': '#005fa9',
+}
# Add any paths that contain custom themes here, relative to this directory.
#html_theme_path = []
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
-#html_title = None
+html_title = project + " documentation v" + release
# A shorter title for the navigation bar. Default is the same as html_title.
#html_short_title = None
# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
-#html_logo = None
+html_logo = os.path.join('images', 'CAcert-logo-colour.svg')
# The name of an image file (relative to this directory) to use as a favicon of
# the docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
-#html_favicon = None
+html_favicon = os.path.join('images', 'favicon.ico')
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
@@ -353,3 +369,29 @@ epub_exclude_files = ['search.html']
# If false, no index is generated.
#epub_use_index = True
+
+
+extlinks = {
+ 'wiki': ('https://wiki.cacert.org/%s', 'Wiki '),
+}
+
+
+def cacert_bug(name, rawtext, text, lineno, inliner, options={}, content=[]):
+ try:
+ bugnum = int(text)
+ if bugnum <= 0:
+ raise ValueError
+ except ValueError:
+ msg = inliner.reporter.error(
+ 'Bug number must be a number greater than or equal to 1; '
+ '"%s" is invalid.' % text, line=lineno)
+ prb = inliner.problematic(rawtext, rawtext, msg)
+ return [prb], [msg]
+ ref = 'https://bugs.cacert.org/view.php?id=%d' % bugnum
+ node = nodes.reference(rawtext, '#' + utils.unescape(text), refuri=ref,
+ **options)
+ return [node], []
+
+
+def setup(app):
+ app.add_role('bug', cacert_bug)
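Review bot: `cacert_bug` builds the link label from the raw `text` rather than from the validated `bugnum`, so input that `int()` accepts but is not a clean number (surrounding whitespace, a leading `+`) passes validation and is rendered verbatim in the label while the `refuri` uses the parsed value; `node = nodes.reference(rawtext, '#%d' % bugnum, refuri=ref, **options)` keeps label and target consistent. The role has no docstring; a short one stating that it turns `:bug:`N`` into a link to the bug tracker and rejects non-positive or non-numeric N, returning a docutils problematic node with a reporter error in that case, would document the contract that `setup` registers. The mutable defaults `options={}` and `content=[]` follow the docutils role-function signature convention and are never mutated here, so they are a style point only; `name` and `content` are unused.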
diff --git a/docs/configdiff/bugs/apache/bugs-apache-config.diff b/docs/configdiff/bugs/apache/bugs-apache-config.diff
new file mode 100644
index 0000000..355b796
--- /dev/null
+++ b/docs/configdiff/bugs/apache/bugs-apache-config.diff
@@ -0,0 +1,47 @@
+diff -urw -X .bugs_etc_ignore orig/etc/apache2/conf-available/security.conf bugs/etc/apache2/conf-available/security.conf
+--- orig/etc/apache2/conf-available/security.conf 2015-11-28 13:59:22.000000000 +0100
++++ bugs/etc/apache2/conf-available/security.conf 2016-05-08 14:04:46.335145675 +0200
+@@ -5,11 +5,11 @@
+ # This currently breaks the configurations that come with some web application
+ # Debian packages.
+ #
+-#<Directory />
+-# AllowOverride None
+-# Order Deny,Allow
+-# Deny from all
+-#</Directory>
++<Directory />
++ AllowOverride None
++ Order Deny,Allow
++ Deny from all
++</Directory>
+
+
+ # Changing the following options will not really affect the security of the
+@@ -61,14 +61,24 @@
+ # else than declared by the content type in the HTTP headers.
+ # Requires mod_headers to be enabled.
+ #
+-#Header set X-Content-Type-Options: "nosniff"
++Header set X-Content-Type-Options: "nosniff"
++
++#
++# Some browsers have a built-in XSS filter that will detect some cross site
++# scripting attacks. By default, these browsers modify the suspicious part of
++# the page and display the result. This behavior can create various problems
++# including new security issues. This header will tell the XSS filter to
++# completely block access to the page instead.
++# Requires mod_headers to be enabled.
++#
++Header set X-XSS-Protection: "1; mode=block"
+
+ #
+ # Setting this header will prevent other sites from embedding pages from this
+ # site as frames. This defends against clickjacking attacks.
+ # Requires mod_headers to be enabled.
+ #
+-#Header set X-Frame-Options: "sameorigin"
++Header set X-Frame-Options: "sameorigin"
+
+
+ # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/docs/configdiff/cats/apache/cats-apache-config.diff b/docs/configdiff/cats/apache/cats-apache-config.diff
new file mode 100644
index 0000000..355722e
--- /dev/null
+++ b/docs/configdiff/cats/apache/cats-apache-config.diff
@@ -0,0 +1,63 @@
+diff -urwN -X diffignore-apache2 orig/etc/apache2/mods-available/ssl.conf cats/etc/apache2/mods-available/ssl.conf
+--- orig/etc/apache2/mods-available/ssl.conf 2015-08-18 09:35:40.000000000 +0200
++++ cats/etc/apache2/mods-available/ssl.conf 2014-10-21 15:38:01.894358956 +0200
+@@ -53,7 +53,7 @@
+ # ciphers(1) man page from the openssl package for list of all available
+ # options.
+ # Enable only secure ciphers:
+-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
++#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+ # Speed-optimized SSL Cipher configuration:
+ # If speed is your main concern (on busy HTTPS servers e.g.),
+@@ -66,10 +66,11 @@
+ # compromised, captures of past or future traffic must be
+ # considered compromised, too.
+ #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+-#SSLHonorCipherOrder on
++SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
++SSLHonorCipherOrder on
+
+ # enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
+-SSLProtocol all -SSLv2
++SSLProtocol all -SSLv2 -SSLv3
+
+ # Allow insecure renegotiation with clients which do not yet support the
+ # secure renegotiation protocol. Default: Off
+diff -urwN -X diffignore-apache2 orig/etc/apache2/ports.conf cats/etc/apache2/ports.conf
+--- orig/etc/apache2/ports.conf 2015-08-18 09:35:40.000000000 +0200
++++ cats/etc/apache2/ports.conf 2016-05-16 16:53:43.551587545 +0200
+@@ -14,6 +14,7 @@
+ # to <VirtualHost *:443>
+ # Server Name Indication for SSL named virtual hosts is currently not
+ # supported by MSIE on Windows XP.
++ NameVirtualHost *:443
+ Listen 443
+ </IfModule>
+
+diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/cats cats/etc/apache2/sites-available/cats
+--- orig/etc/apache2/sites-available/cats 1970-01-01 01:00:00.000000000 +0100
++++ cats/etc/apache2/sites-available/cats 2016-05-16 16:56:53.220765336 +0200
+@@ -0,0 +1,22 @@
++<VirtualHost *:80>
++ ServerAdmin support@cacert.org
++ DocumentRoot /home/cats/public_html
++ ServerName cats.cacert.org
++ ErrorLog /home/cats/logs/error.log
++ CustomLog /home/cats/logs/access.log combined
++</VirtualHost>
++<VirtualHost *:443>
++ SSLEngine On
++ SSLCertificateFile /home/cats/ssl/certs/cats_cert.pem
++ SSLCertificateKeyFile /home/cats/ssl/private/cats_privatekey.pem
++ SSLCACertificateFile /usr/share/ca-certificates/cacert.org/cacert.org.crt
++ SSLVerifyDepth 10
++ SSLOptions +StdEnvVars +ExportCertData +StrictRequire
++ SSLVerifyClient require
++
++ ServerAdmin support@cacert.org
++ DocumentRoot /home/cats/public_html
++ ServerName cats.cacert.org
++ ErrorLog /home/cats/logs/error.log
++ CustomLog /home/cats/logs/access.log "%h %l %{SSL_CLIENT_S_DN_Email}x %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
++</VirtualHost>
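Review bot: The port-80 virtual host at the top of the new `sites-available/cats` file serves the same `DocumentRoot /home/cats/public_html` as the port-443 host but without the `SSLVerifyClient require` control, so the client-certificate requirement (and the `SSL_CLIENT_S_DN_Email` the custom log format records) is only applied to HTTPS requests; whether the application itself refuses plain-HTTP access cannot be seen from this file. Redirecting the HTTP host to HTTPS, e.g. replacing its `DocumentRoot` line with `Redirect permanent / https://cats.cacert.org/`, would apply the check uniformly. The `SSLProtocol all -SSLv2 -SSLv3` line in the ssl.conf hunk still permits TLSv1 and TLSv1.1, which was the usual setting at the time of this snapshot but is worth a dated comment in the documentation so the configuration is revisited.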
diff --git a/docs/configdiff/cats/logrotate/cats b/docs/configdiff/cats/logrotate/cats
new file mode 100644
index 0000000..e43b163
--- /dev/null
+++ b/docs/configdiff/cats/logrotate/cats
@@ -0,0 +1,18 @@
+/home/cats/logs/*.log {
+ weekly
+ missingok
+ rotate 52
+ compress
+ delaycompress
+ notifempty
+ create 640 root cats
+ sharedscripts
+ postrotate
+ /etc/init.d/apache2 reload > /dev/null
+ endscript
+ prerotate
+ if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+ run-parts /etc/logrotate.d/httpd-prerotate; \
+ fi; \
+ endscript
+}
diff --git a/docs/configdiff/emailout/canonical_maps b/docs/configdiff/emailout/canonical_maps
new file mode 100644
index 0000000..4b8c021
--- /dev/null
+++ b/docs/configdiff/emailout/canonical_maps
@@ -0,0 +1,2 @@
+/@(.*).intra.cacert.org$/ $1-admin@cacert.org
+/@(.*).infra.cacert.org$/ $1-admin@cacert.org
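Review bot: The dots in both PCRE patterns are unescaped, so `.` matches any character and the rules also rewrite addresses whose domain merely resembles `intra.cacert.org` or `infra.cacert.org`; since the map rewrites recipients, the patterns should be as tight as the intent, i.e. `/@(.*)\.intra\.cacert\.org$/ $1-admin@cacert.org` and `/@(.*)\.infra\.cacert\.org$/ $1-admin@cacert.org`. The greedy `(.*)` also captures multi-label host names with their dots intact, which is presumably intended but worth a one-line comment in the file.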
diff --git a/docs/configdiff/emailout/postfix-main.cf b/docs/configdiff/emailout/postfix-main.cf
new file mode 100644
index 0000000..90c57a1
--- /dev/null
+++ b/docs/configdiff/emailout/postfix-main.cf
@@ -0,0 +1,52 @@
+# Global Postfix configuration file. This file lists only a subset
+# of all parameters. For the syntax, and for a complete parameter
+# list, see the postconf(5) manual page (command: "man 5 postconf").
+#
+
+compatibility_level = 2
+
+mydomain = emailout.intra.cacert.org
+myorigin = /etc/mailname
+
+mydestination = emailout.cacert.org, emailout, localhost.localdomain, localhost
+myhostname = emailout.intra.cacert.org
+
+mynetworks = 172.16.2.0/24 10.0.0.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+
+biff = no
+
+smtp_helo_name = infrastructure.cacert.org
+
+# TLS parameters
+#
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# map internal host names to their corresponding admin addresses
+canonical_maps = pcre:/etc/postfix/canonical_maps
+
+mailbox_size_limit = 0
+recipient_delimiter = +
+
+# DKIM milter
+# http://www.postfix.org/MILTER_README.html
+# TODO: enable DKIM once the DNS record is in place
+#smtpd_milters = unix:/opendkim/opendkim.sock
+#non_smtpd_milters = $smtpd_milters
+
+# what to do if the dkim filter fails
+#milter_default_action = accept
+#milter_command_timeout = 5s
+#milter_connect_timeout = $milter_command_timeout
+#milter_content_timeout = 45s
+
+transport_maps = hash:/etc/postfix/transport
+local_transport = error:local delivery is disabled
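Review bot: The TLS block configures only the server side (`smtpd_tls_*`); no `smtp_tls_security_level` is set, and Postfix's compiled-in default for it is empty, so unless a value is inherited from elsewhere this relay hands mail to `lists`, `issue` and `email` and to the outside world in plaintext, which is the one direction an outbound relay should protect. Debian's packaged main.cf template sets `smtp_tls_security_level = may` together with `smtp_tls_CApath = /etc/ssl/certs`; since this file replaces main.cf wholesale, those two lines should be added under the "TLS parameters" heading. `smtpd_tls_cert_file` still points at the Debian snakeoil self-signed certificate, which is tolerable for submissions from the internal networks in `mynetworks` but deserves a comment saying so, and the DKIM milter remains disabled as the existing TODO already records.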
diff --git a/docs/configdiff/emailout/transport b/docs/configdiff/emailout/transport
new file mode 100644
index 0000000..8c4f3d1
--- /dev/null
+++ b/docs/configdiff/emailout/transport
@@ -0,0 +1,3 @@
+lists.cacert.org smtp:[lists.intra.cacert.org]
+issue.cacert.org smtp:[issue.intra.cacert.org]
+cacert.org smtp:[email.intra.cacert.org]
diff --git a/docs/configdiff/git/git-apache-config.diff b/docs/configdiff/git/git-apache-config.diff
new file mode 100644
index 0000000..ad2c182
--- /dev/null
+++ b/docs/configdiff/git/git-apache-config.diff
@@ -0,0 +1,121 @@
+diff -urwN -X diffignore-apache2 orig/etc/apache2/conf-available/security.conf git/etc/apache2/conf-available/security.conf
+--- orig/etc/apache2/conf-available/security.conf 2015-11-28 13:59:22.000000000 +0100
++++ git/etc/apache2/conf-available/security.conf 2016-05-20 00:15:49.874994024 +0200
+@@ -10,6 +10,17 @@
+ # Order Deny,Allow
+ # Deny from all
+ #</Directory>
++<Directory />
++ Options FollowSymLinks
++ AllowOverride None
++</Directory>
++
++<Directory /var/www/>
++ Options Indexes FollowSymLinks MultiViews
++ AllowOverride None
++ Order allow,deny
++ allow from all
++</Directory>
+
+
+ # Changing the following options will not really affect the security of the
+diff -urwN -X diffignore-apache2 orig/etc/apache2/mods-available/ssl.conf git/etc/apache2/mods-available/ssl.conf
+--- orig/etc/apache2/mods-available/ssl.conf 2015-10-24 10:37:19.000000000 +0200
++++ git/etc/apache2/mods-available/ssl.conf 2016-01-02 16:13:42.695785273 +0100
+@@ -56,7 +56,8 @@
+ # ciphers(1) man page from the openssl package for list of all available
+ # options.
+ # Enable only secure ciphers:
+- SSLCipherSuite HIGH:!aNULL
++ #SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128
++ SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP
+
+ # SSL server cipher order preference:
+ # Use server priorities for cipher algorithm choice.
+@@ -65,7 +66,7 @@
+ # the CPU cost, and did not override SSLCipherSuite in a way that puts
+ # insecure ciphers first.
+ # Default: Off
+- #SSLHonorCipherOrder on
++ SSLHonorCipherOrder on
+
+ # The protocols to enable.
+ # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/000-default.conf git/etc/apache2/sites-available/000-default.conf
+--- orig/etc/apache2/sites-available/000-default.conf 2015-10-24 10:37:19.000000000 +0200
++++ git/etc/apache2/sites-available/000-default.conf 2016-05-20 00:21:02.697250540 +0200
+@@ -11,11 +11,19 @@
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
++ RewriteEngine on
++ RewriteCond %{HTTP_HOST} !^git\.cacert\.org [NC]
++ RewriteCond %{HTTP_HOST} !^$
++ RewriteRule ^/?(.*) http://git.cacert.org/$1 [L,R,NE]
++
++ Redirect / https://git.cacert.org/gitweb
++
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
++ LogLevel warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/default-ssl.conf git/etc/apache2/sites-available/default-ssl.conf
+--- orig/etc/apache2/sites-available/default-ssl.conf 2016-05-20 00:05:51.022493172 +0200
++++ git/etc/apache2/sites-available/default-ssl.conf 2016-05-20 00:14:50.350565644 +0200
+@@ -2,13 +2,27 @@
+ <VirtualHost _default_:443>
+ ServerAdmin webmaster@localhost
+
++ Redirect /index.html /gitweb/
++
+ DocumentRoot /var/www/html
+
++ <Directory />
++ Options FollowSymLinks
++ AllowOverride None
++ </Directory>
++ <Directory /var/www/>
++ Options Indexes FollowSymLinks MultiViews
++ AllowOverride None
++ Order allow,deny
++ allow from all
++ </Directory>
++
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
++ LogLevel warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+@@ -29,8 +43,8 @@
+ # /usr/share/doc/apache2/README.Debian.gz for more info.
+ # If both key and certificate are stored in the same file, only the
+ # SSLCertificateFile directive is needed.
+- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+- SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
++ SSLCertificateFile /etc/ssl/public/git.c.o.chain.crt
++ SSLCertificateKeyFile /etc/ssl/private/git.c.o.key
+
+ # Server Certificate Chain:
+ # Point SSLCertificateChainFile at a file containing the
+@@ -130,6 +144,12 @@
+ # MSIE 7 and newer should be able to use keepalive
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
++ # HSTS
++ Header always set Strict-Transport-Security "max-age=31536000"
++ Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'sha256-dacEZQWGxky95ybZadcNI26RDghVLeVdbdRC/Q3spJQ='; img-src 'self'; style-src 'self';"
++ Header always set X-Frame-Options "DENY"
++ Header always set X-XSS-Protection "1; mode=block"
++ Header always set X-Content-Type-Options "nosniff"
+ </VirtualHost>
+ </IfModule>
+
diff --git a/docs/configdiff/git/git-daemon-run.diff b/docs/configdiff/git/git-daemon-run.diff
new file mode 100644
index 0000000..abcca5a
--- /dev/null
+++ b/docs/configdiff/git/git-daemon-run.diff
@@ -0,0 +1,8 @@
+--- orig/etc/sv/git-daemon/run 2016-03-19 14:22:50.000000000 +0100
++++ git/etc/sv/git-daemon/run 2014-02-06 01:46:55.424870926 +0100
+@@ -3,4 +3,4 @@
+ echo 'git-daemon starting.'
+ exec chpst -ugitdaemon \
+ "$(git --exec-path)"/git-daemon --verbose --reuseaddr \
+- --base-path=/var/lib /var/lib/git
++ --base-path=/var/cache/git /var/cache/git
diff --git a/docs/configdiff/git/gitweb.conf.diff b/docs/configdiff/git/gitweb.conf.diff
new file mode 100644
index 0000000..0e8e957
--- /dev/null
+++ b/docs/configdiff/git/gitweb.conf.diff
@@ -0,0 +1,40 @@
+--- orig/etc/gitweb.conf 2016-03-19 14:22:50.000000000 +0100
++++ git/etc/gitweb.conf 2014-02-17 02:25:18.281157394 +0100
+@@ -1,5 +1,8 @@
+ # path to git projects (<project>.git)
+-$projectroot = "/var/lib/git";
++$projectroot = "/var/cache/git";
++
++# only show repos that are also served via git-daemon
++$export_ok = "git-daemon-export-ok";
+
+ # directory to use for temp files
+ $git_temp = "/tmp";
+@@ -13,6 +16,9 @@
+ # file with project list; by default, simply scan the projectroot dir.
+ #$projects_list = $projectroot;
+
++# Enable categories
++$projects_list_group_categories = 1;
++
+ # stylesheet to use
+ #@stylesheets = ("static/gitweb.css");
+
+@@ -28,3 +34,17 @@
+ # git-diff-tree(1) options to use for generated patches
+ #@diff_opts = ("-M");
+ @diff_opts = ();
++
++# auto generate fetch URLs
++@git_base_url_list = (
++ "git://git.cacert.org",
++ "ssh://git.cacert.org/var/cache/git");
++
++# Prevent XSS attacks
++$prevent_xss = 1;
++
++# enable gravatar support
++$feature{'avatar'}{'default'} = ['gravatar'];
++
++# enable syntax highlighting
++$feature{'highlight'}{'default'} = [1];
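Review bot: Enabling `$feature{'avatar'}{'default'} = ['gravatar'];` makes gitweb embed images from gravatar.com, which publishes an MD5 hash of every committer e-mail address to a third party on each page view, and those image loads are blocked anyway if the `Content-Security-Policy` with `img-src 'self'` from `git-apache-config.diff` in this commit applies to the gitweb virtual host. Either drop the avatar feature or document why it is wanted and extend the CSP accordingly; as documented now the two files contradict each other. `$prevent_xss = 1;` and `$export_ok` restricting the listing to daemon-exported repositories are good to see recorded.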
diff --git a/docs/critical.rst b/docs/critical.rst
new file mode 100644
index 0000000..8ac0472
--- /dev/null
+++ b/docs/critical.rst
@@ -0,0 +1,11 @@
+================
+Critical Systems
+================
+
+.. toctree::
+ :maxdepth: 1
+
+ critical/webdb
+
+.. add more systems here. https://wiki.cacert.org/SystemAdministration/Systems/
+ is a good starting point on what should be documented
diff --git a/docs/critical/template.rst b/docs/critical/template.rst
new file mode 100644
index 0000000..89319c8
--- /dev/null
+++ b/docs/critical/template.rst
@@ -0,0 +1,346 @@
+.. index::
+ single: Systems; <host>
+
+==================
+Systems - TEMPLATE
+==================
+
+Purpose
+=======
+
+.. <SHORT DESCRIPTION>
+
+Application Links
+-----------------
+
+.. link1
+ https://<hostname>/<path>
+
+ link2
+ https://<hostname>/<path2>
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+.. people_<name> are defined in people.rst
+
+* Primary: :ref:`people_primary`
+* Secondary: :ref:`people_secondary`
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application | Administrator(s) |
++===============+=====================+
+| <application> | :ref:`people_admin` |
++---------------+---------------------+
+
+Contact
+-------
+
+* <system>-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_a` and :ref:`people_b` have :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.>
+
+.. ## Use the following for containers on Infra02:
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Physical Configuration
+----------------------
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/EquipmentList`
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`<IP>`
+:IP Intranet: :ip:v4:`<IP>`
+:IP Internal: :ip:v4:`<IP>`
+:MAC address: :mac:`<MAC>` (interfacename)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; <machine>
+
+========================== ======== ==========================================
+Name Type Content
+========================== ======== ==========================================
+<HOST>.cacert.org. IN A <IP>
+<HOST>.intra.cacert.org. IN A <IP>
+========================== ======== ==========================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Codename
+ single: Debian GNU/Linux; x.y
+
+* Debian GNU/Linux x.y
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
+.. use the values from this table or add new lines if applicable
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp | http | ANY | application |
++----------+-----------+-----------+-----------------------------------------+
+| 443/tcp | https | ANY | application |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+| 3306/tcp | mysql | local | MySQL database for ... |
++----------+-----------+-----------+-----------------------------------------+
+| 5432/tcp | pgsql | local | PostgreSQL database for ... |
++----------+-----------+-----------+-----------------------------------------+
+| 465/udp | syslog | local | syslog port |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: Icinga2
+ single: MySQL
+ single: OpenERP
+ single: Postfix
+ single: PostgreSQL
+ single: cron
+ single: nginx
+ single: nrpe
+ single: openssh
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for ... | init script |
+| | | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL | PostgreSQL | init script |
+| | database server | :file:`/etc/init.d/postgresql` |
+| | for ... | |
++--------------------+--------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for ... | :file:`/etc/init.d/mysql` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission, ... | |
++--------------------+--------------------+----------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission, ... | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++-------------+--------------+---------------------------+
+| RDBMS | Name | Used for |
++=============+==============+===========================+
+| MySQL | application1 | fictional application one |
++-------------+--------------+---------------------------+
+| PostgreSQL | application2 | fictional application two |
++-------------+--------------+---------------------------+
+
+Running Guests
+--------------
+
++----------------+-------------+---------------+---------+---------------+
+| Machine | IP Intranet | IP Internet | Ports | Purpose |
++================+=============+===============+=========+===============+
+| :doc:`machine` | <LOCAL IP> | <INTERNET IP> | <PORTS> | <DESCRIPTION> |
++----------------+-------------+---------------+---------+---------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* crl.cacert.org (rsync) for getting CRLs
+
+Security
+========
+
+.. add the MD5 fingerprints of the SSH host keys
+
+.. sshkeys::
+ :RSA:
+ :DSA:
+ :ECDSA:
+ :ED25519:
+
+Dedicated user roles
+--------------------
+
+.. If the system has some dedicated user groups besides the sudo group used for
+ administration it should be documented here Regular operating system groups
+ should not be documented
+
++-------------+-----------------------------+
+| Group | Purpose |
++=============+=============================+
+| <groupname> | <short purpose description> |
++-------------+-----------------------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+.. * None
+ or
+ * List of non-distribution packages and modifications (with some
+ explaination why no distribution package could be used)
+
+Risk assessments on critical packages
+-------------------------------------
+
+.. add a paragraph for each known risk. The risk has to be described.
+ Mitigation or risk acceptance has to be documented.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. use the sslcert directive to have certificates added to the certificate list
+ automatically
+
+.. sslcert:: template.cacert.org
+ :altnames:
+ :certfile:
+ :keyfile:
+ :serial:
+ :expiration:
+ :sha1fp:
+ :issuer:
+
+.. for certificates that are orginally created on another host use
+
+.. sslcert:: other.cacert.org
+ :certfile:
+ :keyfile:
+ :serial:
+ :secondary:
+
+.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
+ * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+<service_x> configuration
+-------------------------
+
+.. add a section for the configuration of each service where configuration
+ deviates from OS package defaults
+
+Tasks
+=====
+
+Planned
+-------
+
+.. add a paragraph or todo directive for each larger planned task. You may want
+ to link to specific issues if you use some issue tracker.
+
+Changes
+=======
+
+System Future
+-------------
+
+.. use this section to describe any plans for the system future. These are
+ larger plans like moving to another host, abandoning the system or replacing
+ its functionality with something else.
+
+.. * No plans
+
+Additional documentation
+========================
+
+.. add inline documentation
+
+.. remove unneeded links from the list below, add other links that apply
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+ * :wiki:`PostfixConfiguration`
+ * :wiki:`QmailConfiguration`
+ * :wiki:`SendmailConfiguration`
+ * :wiki:`StunnelConfiguration`
+
+References
+----------
+
+.. can be used to provide links to reference documentation
+ * http://product.site.com/docs/
+ * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]
diff --git a/docs/critical/webdb.rst b/docs/critical/webdb.rst
new file mode 100644
index 0000000..4cb1cb7
--- /dev/null
+++ b/docs/critical/webdb.rst
@@ -0,0 +1,6 @@
+=====
+Webdb
+=====
+
+.. copy content structure from critical/template.rst and adapt to the needs for
+ this system
diff --git a/docs/downloads/template_new_community_mailaddress.rfc822 b/docs/downloads/template_new_community_mailaddress.rfc822
new file mode 100644
index 0000000..3dd8118
--- /dev/null
+++ b/docs/downloads/template_new_community_mailaddress.rfc822
@@ -0,0 +1,19 @@
+Subject: Your new cacert.org address
+Reply-To: email-admin@cacert.org
+
+Hello,
+
+your new address <firstname.lastname>@cacert.org has just been setup in the
+cacert email system.
+
+The initial password is <password>.
+
+Please get a client certificate for this address and reset your password via
+[1] as documented in the wiki [2].
+
+[1] https://community.cacert.org/password.php as documented in
+[2] https://wiki.cacert.org/Technology/TechnicalSupport/EndUserSupport/CommunityE-Mail
+
+
+Best regards
+<mail admin name>
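Review bot: The reference line `[1] https://community.cacert.org/password.php as documented in` carries a leftover "as documented in" that belongs to the sentence above, so the reference block reads as a broken sentence; it should be `[1] https://community.cacert.org/password.php` with `[2]` on its own line as now. Since the initial password travels in cleartext mail, the template would also benefit from one sentence telling the recipient that the password is only meant for the first login and should be replaced via [1] right away, which the current wording only implies.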
diff --git a/docs/glossary.rst b/docs/glossary.rst
new file mode 100644
index 0000000..95344ea
--- /dev/null
+++ b/docs/glossary.rst
@@ -0,0 +1,62 @@
+Glossary
+========
+
+.. glossary::
+ :sorted:
+
+ LXC
+ LXC is a userspace interface to the Linux kernel containment features.
+ See `The LXC introduction
+ <https://linuxcontainers.org/lxc/introduction/>`_ on the Linux containers
+ website for more information
+
+ Container
+ A container is an isolated system with a separate root file system and
+ operating system userland. The containers share a common operating system
+ kernel.
+
+ LVM
+ Logical volume manager. The LVM allows to allocate space on block
+ devices more dynamically than with traditional partitions. The block
+ devices are managed as physical volumes (PVs) that are grouped in volume
+ groups (VGs). Space can be allocated as logical volumes (LVs) that can be
+ formatted using regular file system tools. LVs can be resized without
+ reboot. LVM provides snapshot functionality that is useful for backup and
+ upgrade procedures.
+
+ Infrastructure Team Lead
+ This person is appointed to coordinate the non-critical infrastructure
+ team by a board motion. The Infrastructure Team Lead works with
+ :term:`Infrastructure Administrators <Infrastructure Administrator>` and
+ the :term:`Critical System Administrators <Critical System
+ Administrator>`.
+
+ Infrastructure Administrator
+ Infrastructure Administrators have :program:`sudo` access to one or
+ multiple infrastructure systems. Most of them are :term:`Application
+ Administrators <Application Administrator>` too.
+
+ Critical System Administrator
+ The Critical System Administrators take care of the critical systems
+ required for the CA and RA operation, they have access to the Internet
+ firewall and DNS setup.
+
+ Application Administrator
+ An Application Administrator takes care of the functionality of one or
+ more server applications. Application Administrators do not necessarily
+ need system level access if the managed application has other means of
+ administration, for example a web based administration frontend.
+
+ DKIM
+ Domain Key Identified Mail
+ A mechanism where legitimate mail for a domain is verifiable by a
+ signature in a mail header and a corresponding public key in a specific
+ :term:`DNS` record. Outgoing mail servers for the domain have to be
+ configured to add the necessary signature to mails for their domains.
+
+ DNS
+ Domain Name System
+ DNS maps names to other information, the most well known use case is
+ mapping human readable names to IP addresses, but their are more
+ applications for DNS like service discovery, storage of public keys and
+ other public information.
diff --git a/docs/images/CAcert-logo-colour.svg b/docs/images/CAcert-logo-colour.svg
new file mode 100644
index 0000000..0d8e071
--- /dev/null
+++ b/docs/images/CAcert-logo-colour.svg
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+ xmlns:dc="http://purl.org/dc/elements/1.1/"
+ xmlns:cc="http://creativecommons.org/ns#"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:svg="http://www.w3.org/2000/svg"
+ xmlns="http://www.w3.org/2000/svg"
+ version="1.1"
+ width="510"
+ height="116.25"
+ id="svg3020"
+ xml:space="preserve"><metadata
+ id="metadata3026"><rdf:RDF><cc:Work
+ rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
+ rdf:resource="http://purl.org/dc/dcmitype/StillImage" /><dc:title></dc:title></cc:Work></rdf:RDF></metadata><defs
+ id="defs3024" /><g
+ transform="matrix(1.25,0,0,-1.25,0,116.25)"
+ id="g3028"><g
+ transform="scale(0.1,0.1)"
+ id="g3030"><path
+ d="m 2031.75,34.9688 c -56.31,0 -107.84,6.4062 -154.59,19.2812 -46.35,12.8438 -86.77,32.6562 -121.25,59.469 -34.1,26.781 -60.53,60.531 -79.3,101.312 -18.77,40.75 -28.16,88.469 -28.16,143.125 0,57.656 9.96,107.375 29.88,149.219 20.29,41.844 48.47,76.531 84.48,104.063 34.86,26.062 75.08,45.156 120.67,57.25 45.6,12.124 92.91,18.187 141.94,18.187 44.06,0 84.67,-4.594 121.85,-13.781 37.15,-9.156 71.82,-21.094 104,-35.782 l 0,-169.031 -29.3,0 c -8.05,6.594 -17.83,14.281 -29.31,23.094 -11.11,8.844 -24.91,17.469 -41.38,25.937 -15.7,8.032 -32.95,14.688 -51.72,19.782 -18.78,5.531 -40.61,8.25 -65.51,8.25 -55.17,0 -97.69,-16.875 -127.58,-50.625 -29.49,-33.438 -44.25,-78.907 -44.25,-136.563 0,-59.468 15.12,-104.625 45.4,-135.406 30.66,-30.875 73.94,-46.281 129.88,-46.281 26.05,0 49.42,2.781 70.11,8.25 21.06,5.875 38.5,12.687 52.3,20.375 13.01,7.344 24.51,15.062 34.47,23.125 9.96,8.093 19.15,15.969 27.59,23.687 l 29.3,0 0,-169.031 C 2218.72,68.1875 2184.61,56.6562 2148.98,48.1875 2113.73,39.375 2074.66,34.9688 2031.75,34.9688"
+ id="path3032"
+ style="fill:#11568c;fill-opacity:1;fill-rule:nonzero;stroke:none" /><path
+ d="m 2980.95,330.895 -458.79,0 c 2.97,-50.008 21.54,-88.27 55.68,-114.79 34.52,-26.519 85.19,-39.777 152,-39.777 42.32,0 83.33,7.766 123.05,23.297 39.72,15.535 71.08,32.203 94.09,50.008 l 22.27,0 0,-164.2268 c -45.28,-18.5624 -87.96,-32.0117 -128.05,-40.3476 -40.09,-8.332 -84.45,-12.5 -133.07,-12.5 -125.46,0 -221.6,28.7891 -288.41,86.3754 -66.81,57.582 -100.22,139.601 -100.22,246.058 0,105.317 31.55,188.664 94.65,250.035 63.47,61.75 150.33,92.625 260.57,92.629 101.71,-0.004 178.17,-26.332 229.39,-78.992 51.22,-52.277 76.84,-127.668 76.84,-226.168 l 0,-71.601 m -199.33,119.906 c -1.11,42.808 -11.51,75.008 -31.18,96.601 -19.67,21.594 -50.3,32.391 -91.87,32.395 -38.6,-0.004 -70.34,-10.231 -95.2,-30.688 -24.87,-20.457 -38.79,-53.23 -41.76,-98.308 l 260.01,0"
+ id="path3034"
+ style="fill:#11568c;fill-opacity:1;fill-rule:nonzero;stroke:none" /><path
+ d="m 3514.54,477.766 -18.23,0 c -8.74,2.953 -22.79,5.172 -42.17,6.656 -19.38,1.484 -35.53,2.234 -48.44,2.234 -29.26,0 -55.09,-1.859 -77.5,-5.562 -22.42,-3.703 -46.55,-10 -72.39,-18.891 l 0,-417.5155 -205.16,0 0,623.5005 205.16,0 0,-91.594 c 45.21,37.75 84.54,62.734 117.98,74.937 33.42,12.594 64.2,18.875 92.31,18.875 7.22,0 15.39,-0.172 24.51,-0.547 9.12,-0.375 17.1,-0.921 23.93,-1.671 l 0,-190.422"
+ id="path3036"
+ style="fill:#11568c;fill-opacity:1;fill-rule:nonzero;stroke:none" /><path
+ d="m 3874.46,836.262 -207.5,-80.5 0,-94.75 -85.75,0 0,-133.5 85.75,0 0,-287 c 0,-75.071 19.63,-128.028 59,-159.0003 39.74,-30.9805 99.97,-46.5 181,-46.5 36.27,0 67.16,1.7188 92.25,5 25.08,2.9141 48.61,7.0313 71,12.5 l 0,135.0003 -17.25,0 c -6.95,-3.645 -19.25,-7.633 -37,-12 -17.37,-4.375 -31.45,-6.504 -42.25,-6.5 -26.24,-0.008 -46.36,3.461 -60.25,10.75 -13.51,7.652 -23.1,17.988 -28.5,30.75 -5.79,12.754 -8.87,27.211 -9.25,43.25 -0.39,16.035 -0.5,34.746 -0.5,56.25 l 0,217.5 195,0 0,133.5 -195,0 0,175.25 -0.75,0"
+ id="path3038"
+ style="fill:#11568c;fill-opacity:1;fill-rule:nonzero;stroke:none" /><path
+ d="m 439.125,20.2734 c -62.25,0 -119.813,9.1875 -172.687,27.5625 -52.5,18.375 -97.688,45.75 -135.563,82.1251 C 93,166.336 63.5625,211.711 42.5625,266.086 21.9375,320.461 11.625,383.273 11.625,454.523 c 0,66.375 9.9375,126.563 29.8125,180.563 19.875,53.996 48.75,100.309 86.6245,138.937 36.376,37.122 81.376,65.809 135,86.063 54,20.246 112.876,30.371 176.626,30.375 35.25,-0.004 66.933,-2.066 95.062,-6.188 28.496,-3.753 54.746,-8.816 78.75,-15.187 25.121,-7.129 47.809,-15.191 68.062,-24.188 20.622,-8.628 38.622,-16.691 54,-24.187 l 0,-203.063 -24.75,0 c -10.503,9 -23.816,19.684 -39.937,32.063 -15.754,12.371 -33.754,24.559 -54,36.562 -20.629,11.997 -42.941,22.122 -66.937,30.375 -24.004,8.247 -49.688,12.372 -77.063,12.375 -30.375,-0.003 -59.25,-4.878 -86.625,-14.625 -27.375,-9.378 -52.688,-25.128 -75.938,-47.25 -22.124,-21.378 -40.124,-49.687 -54,-84.937 -13.5,-35.25 -20.25,-78 -20.25,-128.25 0,-52.5 7.313,-96.375 21.938,-131.625 15,-35.25 33.75,-63 56.25,-83.25 22.875,-20.625 48.375,-35.438 76.5,-44.438 28.125,-8.625 55.875,-12.937 83.25,-12.937 26.25,0 52.121,3.937 77.625,11.812 25.871,7.875 49.684,18.563 71.437,32.063 18.372,10.875 35.434,22.5 51.188,34.875 15.746,12.375 28.684,23.062 38.812,32.062 l 22.5,0 0,-200.2496 c -21.003,-9.375 -41.066,-18.1875 -60.187,-26.4375 -19.129,-8.25 -39.191,-15.375 -60.187,-21.375 -27.379,-7.875 -53.067,-13.875 -77.063,-18 -24.004,-4.125 -57,-6.1875 -99,-6.1875"
+ id="path3040"
+ style="fill:#11568c;fill-opacity:1;fill-rule:nonzero;stroke:none" /><path
+ d="m 1672.23,45.082 -223.31,0 -57.94,169.313 -310.5,0 -57.94,-169.313 -217.685,0 309.375,837.563 248.63,0 309.37,-837.563 m -333.56,322.875 -102.94,300.375 -102.94,-300.375 205.88,0"
+ id="path3042"
+ style="fill:#11568c;fill-opacity:1;fill-rule:nonzero;stroke:none" /><path
+ d="m 529.656,684.461 c -36.738,-1.871 -77.344,-32.203 -81.344,-73.883 -4.417,-45.98 17.786,-71.976 51.626,-89.816 16.921,-8.922 36.476,-11.504 56.164,-8.313 19.683,3.192 38.996,12.778 52.886,32.239 5.774,8.136 3.856,19.41 -4.281,25.183 -8.137,5.774 -19.41,3.856 -25.184,-4.281 -8.914,-12.488 -18.597,-15.906 -29.214,-17.629 -10.618,-1.723 -22.473,-1.027 -33.497,4.785 -22.046,11.621 -34.374,29.988 -32.992,54.609 1.391,24.7 26.168,40.575 49.614,41.09 23.449,0.52 45.949,-10.675 53.894,-41.804 0.942,-6.871 5.746,-12.473 12.344,-14.606 6.594,-2.137 13.851,-0.488 18.637,4.531 4.781,5.02 6.226,12.403 3.777,18.887 -11.832,46.344 -52.047,69.836 -89.66,69.008 -0.879,-0.02 -1.887,0.043 -2.77,0 z M 25.9648,673.129 c -0.5546,-0.07 -1.0859,-0.332 -1.5117,-0.504 -0.125,-0.055 -0.3906,-0.191 -0.5039,-0.254 -0.0351,-0.023 -0.2187,-0.226 -0.25,-0.25 -0.0664,-0.051 -0.1953,-0.199 -0.2539,-0.254 -0.0547,-0.055 -0.1992,-0.191 -0.25,-0.25 -0.0234,-0.031 -0.2305,-0.219 -0.2539,-0.254 -0.0586,-0.101 -0.207,-0.39 -0.25,-0.504 -0.0156,-0.035 0.0117,-0.211 0,-0.25 -0.0352,-0.117 -0.2305,-0.375 -0.2539,-0.504 -0.0039,-0.043 0.0078,-0.207 0,-0.25 -0.4102,-4.816 14.4805,-20.425 20.4023,-26.445 6.1016,-6.211 56.5235,-46.558 84.8712,-65.73 28.527,-19.297 94.066,-54.223 110.812,-62.461 16.594,-8.16 68.145,-29.715 102.25,-40.043 58.672,-17.77 118.954,-28.031 177.297,-32.488 58.348,-4.454 114.86,-2.961 165.969,3.023 102.219,11.965 184,38.824 222.379,85.879 19.191,23.527 29.098,61.598 7.305,85.375 -23.711,25.871 -78.68,46.996 -82.102,47.097 -0.191,0 -0.582,0.012 -0.754,0 -0.113,-0.011 -0.402,0.016 -0.504,0 -0.051,-0.011 -0.203,0.012 -0.254,0 -0.047,-0.015 -0.207,-0.238 -0.25,-0.253 -0.043,-0.016 -0.211,0.019 -0.254,0 -0.117,-0.055 -0.398,-0.18 -0.503,-0.25 -0.032,-0.028 -0.219,-0.227 -0.25,-0.254 -0.028,-0.028 -0.227,-0.223 -0.254,-0.25 -0.067,-0.098 -0.196,-0.395 -0.25,-0.504 -0.043,-0.117 -0.223,-0.375 -0.254,-0.504 -0.016,-0.086 0.011,-0.41 0,-0.504 -0.004,-0.047 0.004,-0.203 0,-0.254 0,-0.047 
0,-0.199 0,-0.25 0.316,-8.516 16.094,-27.164 27.785,-40.113 9.016,-9.981 16.566,-16.922 19.832,-21.176 12.211,-15.898 3.715,-27.934 -4.047,-39.703 -18.082,-27.414 -96.656,-58.742 -192.914,-70.012 -48.129,-5.633 -101.41,-6.867 -156.398,-2.519 -54.985,4.347 -111.622,14.078 -166.719,30.726 -37.449,11.317 -88.692,31.836 -107.539,39.793 -19.356,8.168 -77.43,36.235 -97.215,46.086 -19.625,9.774 -93.2384,55.328 -99.2267,59.688 -5.9882,4.359 -21.3007,9.871 -25.6875,9.32 z M 442.52,410.703 c -1.821,-0.109 -3.649,-0.5 -5.04,-1.008 -0.453,-0.175 -1.101,-0.535 -1.511,-0.754 -0.199,-0.113 -0.567,-0.382 -0.754,-0.503 -0.184,-0.126 -0.582,-0.368 -0.754,-0.504 -0.227,-0.188 -0.555,-0.551 -0.758,-0.754 -0.199,-0.211 -0.578,-0.532 -0.754,-0.758 -0.129,-0.172 -0.387,-0.574 -0.504,-0.754 -0.3,-0.496 -0.539,-1.203 -0.757,-1.766 -0.254,-0.711 -0.629,-1.707 -0.754,-2.515 -1.094,-8.11 4.429,-21.043 16.371,-36.266 23.273,-29.68 22.093,-53.344 22.414,-80.844 0.316,-27.5 -17.395,-56.957 -41.051,-84.621 C 401.41,167.785 370.586,140.562 342.559,118.773 314.715,97.1289 260.012,63.6016 242.551,50.0586 225.332,36.707 212,28.3867 209.309,20.8477 c -0.153,-0.4532 -0.418,-1.086 -0.504,-1.5118 -0.063,-0.3554 0.019,-0.9257 0,-1.2617 -0.004,-0.1992 -0.012,-0.5625 0,-0.7539 0.015,-0.1914 -0.032,-0.5703 0,-0.7578 0.039,-0.1797 0.195,-0.5781 0.25,-0.7539 0.043,-0.1133 0.207,-0.3906 0.254,-0.5039 0.05,-0.1094 0.191,-0.3945 0.25,-0.5039 0.129,-0.211 0.347,-0.5586 0.503,-0.7539 0.043,-0.0508 0.211,-0.2071 0.254,-0.2539 0.043,-0.0469 0.204,-0.2032 0.25,-0.25 0.051,-0.0469 0.204,-0.2071 0.254,-0.2539 0.625,-0.5196 1.614,-1.1211 2.52,-1.5118 6.336,-2.56246 19.394,-1.97652 39.539,3.5274 15.758,4.3086 34.66,10.8086 47.348,15.6133 13.023,4.9375 74.964,38.4648 109,63.1523 33.785,24.5077 71.421,62.1407 87.437,83.1717 15.879,20.848 41.262,53.235 43.32,118.367 1.371,43.528 -8.191,72.75 -54.902,99.731 -19.402,11.207 -33.578,15.898 -42.562,15.363"
+ id="path3044"
+ style="fill:#00be00;fill-opacity:1;fill-rule:evenodd;stroke:none" /><path
+ d="m 1298.29,33.0547 c -64.72,19.7617 -128.5,42.1328 -168.77,74.4333 -42.17,33.824 -51.52,48.008 -75.3,80.746 -29.81,41.043 -59.63,125.993 -62.228,205.957 -1.933,59.375 6.25,107.641 25.268,151.563 16.31,37.664 50.72,85.133 66.86,83.586 16.79,-1.613 12.79,-22.199 1.8,-68.606 -12.97,-54.804 -14.7,-69.25 -14.78,-123.539 -0.1,-65.406 6,-96.316 28.15,-162.394 9.16,-27.34 20.57,-61.301 52.72,-97.508 25.63,-28.879 61.73,-56.82 127.17,-93.0274 52.63,-29.1172 66.92,-42.0234 67.68,-50.7422 0.35,-3.9531 -3.72,-6.789 -10.93,-6.9336 -9.68,-0.2031 -23.7,2.211 -37.64,6.4649 z m 219.34,469.2573 c -42.18,10.309 -58.18,20.684 -88.8,33.672 -96.79,41.055 -164.89,71.496 -185.55,78.805 -27.01,9.551 -112.64,39.285 -163.57,51.039 -57.65,13.309 -142.409,29.652 -175.3,31.434 -29.926,1.621 -72.531,-2.672 -90.598,-12.86 -21.546,-12.152 -18.187,-34.172 9.403,-79.953 4.918,-8.16 9.805,-13.461 7.773,-16.984 -1.883,-3.27 -12.652,-0.403 -21.808,3.894 -12.336,5.786 -29.75,23.145 -39.18,37.668 -22.016,33.914 -9.391,79.172 30.613,101.153 28.953,15.906 60.739,19.273 126.742,13.832 73.885,-6.094 143.355,-26.278 176.195,-36.188 180.42,-54.453 245.08,-80.371 317.15,-119.347 33.6,-18.176 63.75,-39.961 71.71,-44.762 6.56,-3.953 29.91,-18.887 40.27,-29.125 4.14,-4.094 5.63,-7.664 4.93,-9.129 -1.52,-3.176 -15.1,-4.34 -19.98,-3.149 z m -467.18,247.145 c -13.3,5.957 -22.54,18.926 -29.18,31.254 -4.52,8.375 -7.28,21.266 -6.57,35.387 0.71,14.113 1.87,25.601 10.46,43.691 11.5,24.199 28.57,41.508 51.45,52.16 14.78,6.883 17.58,7.863 36.23,7.906 18.8,0.04 24.33,-3.253 34.76,-9.316 13.03,-7.57 19.42,-18.258 23.87,-28.062 4.41,-9.68 6.72,-16.102 6.87,-33.622 0.14,-17.671 -4.96,-37.812 -21.27,-63.027 -8,-12.375 -21.5,-24.558 -41.88,-36.012 -14.21,-7.988 -43.3,-9.964 -64.74,-0.359 z m 60.84,33.828 c 18.94,16.098 25.2,29.086 26.87,54.242 1.75,26.485 -19.08,44.25 -28.66,45.25 -25.17,2.621 -47.61,-15.839 -52.81,-50.113 -1.11,-7.344 -0.44,-14.316 2.39,-25.043 3.08,-11.683 10.74,-23.902 23.13,-27.586 12.77,-3.793 
22.57,-0.824 29.08,3.25"
+ id="path3046"
+ style="fill:#c7ff00;fill-opacity:1;fill-rule:nonzero;stroke:none" /></g></g></svg> \ No newline at end of file
diff --git a/docs/images/favicon.ico b/docs/images/favicon.ico
new file mode 100644
index 0000000..3c9c9c2
--- /dev/null
+++ b/docs/images/favicon.ico
Binary files differ
diff --git a/docs/index.rst b/docs/index.rst
index 08c8492..d6200dc 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -1,22 +1,31 @@
-.. CAcert infrastructure documentation master file, created by
- sphinx-quickstart on Wed Apr 13 19:34:10 2016.
- You can adapt this file completely to your liking, but it should at least
- contain the root `toctree` directive.
+CAcert infrastructure documentation
+===================================
-Welcome to CAcert infrastructure's documentation!
-=================================================
+This documentation aims to describe the current status of CAcert's technical
+infrastructure.
-Contents:
+Table of Contents
+=================
.. toctree::
- :maxdepth: 2
+ :maxdepth: 1
+ critical
+ systems
+ lxcsetup
+ network
+ iplist
+ sshkeys
+ certlist
+ people
+ glossary
+ building
Indices and tables
==================
* :ref:`genindex`
-* :ref:`modindex`
* :ref:`search`
+.. todolist::
diff --git a/docs/iplist.rst b/docs/iplist.rst
new file mode 100644
index 0000000..f20050c
--- /dev/null
+++ b/docs/iplist.rst
@@ -0,0 +1,25 @@
+IP address list
+===============
+
+Internet IP addresses
+---------------------
+
+.. ip:v4range:: 213.154.225.224/27
+
+ This is the public CAcert IPv4 address range
+
+.. ip:v6range:: 2001:7b8:616:162:1::/80
+
+.. ip:v6range:: 2001:7b8:616:162:2::/80
+
+
+Intranet IP addresses
+---------------------
+
+.. ip:v4range:: 172.16.2.0/24
+
+
+Internal IP addresses
+---------------------
+
+.. ip:v4range:: 10.0.0.0/24
diff --git a/docs/lxcsetup.rst b/docs/lxcsetup.rst
new file mode 100644
index 0000000..3deaa5a
--- /dev/null
+++ b/docs/lxcsetup.rst
@@ -0,0 +1,117 @@
+=====================================================
+Setup of a new CAcert LXC container with Puppet agent
+=====================================================
+
+Preparation
+===========
+
+Network considerations
+----------------------
+
+- Decide on a hostname for the container. The hostname should be short and
+ correspond to the functionality provided by the container.
+- Define an IPv4 address from the :ip:v4range:`213.154.225.224/27` subnet if
+ the container should be reachable from the outside via IPv4. If the services
+ provide HTTP or HTTPS services you will not need a dedicated IP address
+ because virtual hosting and SNI can be used via :doc:`systems/proxyin`
+- Define an IPv6 address in the :ip:v6range:`2001:7b8:616:162:2::/80` subnet.
+ There is no reason not to use IPv6 for new services.
+- Define an IPv4 address in the :ip:v4range:`172.16.2.0/24` subnet if the
+ container should be reachable from other CAcert machines than
+ :doc:`systems/infra02` or other :doc:`systems`.
+- Define an IPv4 address in the :ip:v4range:`10.0.0.0/24` subnet. Containers
+ that are only used by other containers do not need any other IP addresses
+ than this one.
+
+.. note::
+
+ Please use the same last octet for all IP addresses of a container if
+ possible
+
+Storage considerations
+----------------------
+
+- Define the size of the LVM volume for the root filesystem. Be conservative,
+ volume size can be increased on demand.
+
+OS considerations
+-----------------
+
+- Define the OS userland version for the container. Use the latest Debian
+ stable release if there are no good reasons not to.
+
+Setup
+=====
+
+- Define machine parameters for in lxc-setup.ini
+- Run :command:`lxc-setup` (uses lxc-create/debootstrap and makes sure that
+ systemd-sysv is not setup in the containers)
+- Define firewall rules in a separate file in :file:`/etc/ferm/ferm.d/` on
+ :doc:`systems/infra02`.
+
+Setup puppet-agent
+------------------
+
+- define puppet configuration for the new container in Hiera / sitemodules in
+ the `cacert-puppet Repository`_ on :doc:`systems/git`
+- see `Puppet agent installation`_ for agent setup (install the agent from
+ official Puppet repositories)
+- define the puppet master IP address in :file:`/etc/hosts`:
+
+ .. code-block:: text
+
+ 10.0.0.200 puppet
+
+- set the certname in :file:`/etc/puppetlabs/puppet/puppet.conf` to match
+ the name of the file in :file:`hieradata/nodes/` for the system:
+
+ .. code-block:: ini
+
+ [main]
+ certname = <system>
+
+- run:
+
+ .. code-block:: sh
+
+ root@system: puppet agent --test --noop
+
+ to create a new certificate for the system and send a signing request to the
+ :doc:`puppet master <systems/puppet>`
+- sign the system certificate on the :doc:`puppet master <systems/puppet>`
+ using:
+
+ .. code-block:: sh
+
+ root@puppet: puppet cert sign <system>
+
+- run:
+
+ .. code-block:: sh
+
+ root@system: puppet agent --test --noop
+
+ on the system to see whether the catalog for the machine compiles and what it
+ would change
+- apply the catalog with:
+
+ .. code-block:: sh
+
+ root@system: puppet agent --test
+
+- start the puppet agent using:
+
+ .. code-block:: sh
+
+ root@system: /etc/init.d/puppet start
+
+.. _Puppet agent installation: https://puppet.com/docs/puppet/5.4/install_linux.html
+.. _cacert-puppet Repository: https://git.cacert.org/gitweb/?p=cacert-puppet.git
+
+Post-Setup task
+===============
+
+- Document the new container in a file of the :file:`docs/systems` directory of
+ the `Infrastructure documentation
+ <https://git.cacert.org/gitweb/?p=cacert-infradocs.git;a=tree;f=docs/systems>`_.
+- Setup machine-admin alias on :doc:`systems/email`.
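Review bot: The signing step `root@puppet: puppet cert sign <system>` signs whatever pending request carries that certname, with no check that it came from the container just built. A short step between the first `puppet agent --test --noop` run and the signing would close that gap: list the pending requests on the master with `puppet cert list` and compare the fingerprint it prints with the one the agent reported on the system before running `puppet cert sign`. The same section could state that the `[main]` certname must match the node file exactly, since a mismatch produces a request under the wrong name that the operator may then sign by habit.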
diff --git a/docs/network.rst b/docs/network.rst
new file mode 100644
index 0000000..078f3ad
--- /dev/null
+++ b/docs/network.rst
@@ -0,0 +1,45 @@
+Network
+=======
+
+.. this page contains information from the IP address list at
+ :wiki:`SystemAdministration/IPList`
+
+.. seealso::
+
+ :wiki:`SystemAdministration/IPList`
+
+
+Internet
+--------
+
+CAcert has a public Internet IPv4 address range and some of the Internet IP
+addresses are mapped to the infrastructure systems.
+
+The infrastructure systems use IPv4 addresses from the
+:ip:v4range:`213.154.225.224/27` subnet.
+
+IPv6 connectivity is also available. The infrastructure IPv6 addresses are
+taken from the :ip:v6range:`2001:7b8:616:162:1::/80` and
+:ip:v6range:`2001:7b8:616:162:2::/80` ranges.
+
+
+Intranet
+--------
+
+CAcert's infrastructure systems are using a private network range that is
+accessible from other CAcert systems. The Intranet IPv4 addresses are in the
+:ip:v4range:`172.16.2.0/24` subnet.
+
+
+Internal
+--------
+
+The infrastructure host :doc:`systems/infra02` has a local bridge interface
+*br0* that is used to connect the containers on that machine and allows
+explicit routing as well as services that are purely internal and are not
+reachable from the Internet or Intranet machines in the IP range mentioned
+above.
+
+The local bridge uses IPv4 addresses from the :ip:v4range:`10.0.0.0/24` range.
+IPv6 addresses are directly assigned to containers from the
+:ip:v6range:`2001:7b8:616:162:2::/80` range.
diff --git a/docs/patches/openerp/account.py.patch b/docs/patches/openerp/account.py.patch
new file mode 100644
index 0000000..c0157fe
--- /dev/null
+++ b/docs/patches/openerp/account.py.patch
@@ -0,0 +1,27 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account/account.py 2015-01-25 22:56:20.528382003 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account/account.py 2015-01-25 23:32:37.088302059 +0000
+@@ -234,7 +234,7 @@
+ pos = 0
+ while pos < len(domain):
+ if domain[pos][0] == 'code' and domain[pos][1] in ('like', 'ilike') and domain[pos][2]:
+- domain[pos] = ('code', '=like', tools.ustr(domain[pos][2].replace('%', '')) + '%')
++ domain[pos] = ('code', '=ilike', tools.ustr(domain[pos][2].replace('%', '')) + '%')
+ if domain[pos][0] == 'journal_id':
+ if not domain[pos][2]:
+ del domain[pos]
+@@ -583,13 +583,13 @@
+ pass
+ if name:
+ if operator not in expression.NEGATIVE_TERM_OPERATORS:
+- ids = self.search(cr, user, ['|', ('code', '=like', name+"%"), '|', ('shortcut', '=', name), ('name', operator, name)]+args, limit=limit)
++ ids = self.search(cr, user, ['|', ('code', '=ilike', name+"%"), '|', ('shortcut', '=', name), ('name', operator, name)]+args, limit=limit)
+ if not ids and len(name.split()) >= 2:
+ #Separating code and name of account for searching
+ operand1,operand2 = name.split(' ',1) #name can contain spaces e.g. OpenERP S.A.
+ ids = self.search(cr, user, [('code', operator, operand1), ('name', operator, operand2)]+ args, limit=limit)
+ else:
+- ids = self.search(cr, user, ['&','!', ('code', '=like', name+"%"), ('name', operator, name)]+args, limit=limit)
++ ids = self.search(cr, user, ['&','!', ('code', '=ilike', name+"%"), ('name', operator, name)]+args, limit=limit)
+ # as negation want to restric, do if already have results
+ if ids and len(name.split()) >= 2:
+ operand1,operand2 = name.split(' ',1) #name can contain spaces e.g. OpenERP S.A.
diff --git a/docs/patches/openerp/account_followup_paypal.patch b/docs/patches/openerp/account_followup_paypal.patch
new file mode 100644
index 0000000..9ac9958
--- /dev/null
+++ b/docs/patches/openerp/account_followup_paypal.patch
@@ -0,0 +1,38 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py 2015-01-25 18:39:56.719266967 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py 2015-01-25 18:41:39.620003461 +0000
+@@ -21,6 +21,7 @@
+
+ from openerp.osv import fields, osv
+ from lxml import etree
++from urllib import urlencode
+
+ from openerp.tools.translate import _
+
+@@ -274,10 +275,25 @@
+ strbegin = "<TD><B>"
+ strend = "</B></TD>"
+ followup_table +="<TR>" + strbegin + str(aml['date']) + strend + strbegin + aml['name'] + strend + strbegin + (aml['ref'] or '') + strend + strbegin + str(date) + strend + strbegin + str(aml['balance']) + strend + strbegin + block + strend + "</TR>"
+- total = rml_parse.formatLang(total, dp='Account', currency_obj=currency)
+ followup_table += '''<tr> </tr>
+ </table>
+- <center>''' + _("Amount due") + ''' : %s </center>''' % (total)
++ <center>''' + _("Amount due") + ''' : %s </center>''' % (rml_parse.formatLang(total, dp='Account', currency_obj=currency))
++ # Add PayPal link if available to allow direct payment
++ if company.paypal_account:
++ params = {
++ "cmd": "_xclick",
++ "business": company.paypal_account,
++ "item_name": "%s Amount Due in %s" % (company.name, currency.name or ''),
++ "invoice": currency_dict['line'][0]['name'],
++ "amount": total,
++ "currency_code": currency.name,
++ "button_subtype": "services",
++ "bn": "OpenERP_Invoice_PayNow_" + currency.name,
++ }
++ followup_table += '''
++ <center><a href="%s">
++ <img class="oe_edi_paypal_button" src="https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif" alt="Pay directly with PayPal"/>
++ </a></center>''' % ("https://www.paypal.com/cgi-bin/webscr?" + urlencode(params))
+ return followup_table
+
+ def write(self, cr, uid, ids, vals, context=None):
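Review bot: The new PayPal block handles `currency.name` inconsistently: `item_name` guards it with `currency.name or ''`, but `currency_code` and `bn` (`"OpenERP_Invoice_PayNow_" + currency.name`) use it bare, so a currency without a name raises a TypeError while building the follow-up instead of rendering it. Either apply the guard everywhere or skip the link when the name is missing, e.g. `if company.paypal_account and currency.name:`. The assembled URL is also interpolated into the `href` attribute as-is; `urlencode` percent-encodes the values but joins the pairs with `&`, which inside an HTML attribute should be `&amp;` (passing the URL through `cgi.escape` before the `%` substitution would do). `currency_dict['line'][0]['name']` assumes at least one line exists for the currency; the loop that fills `currency_dict` lies outside the hunk, so I cannot confirm that holds for every caller.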
diff --git a/docs/patches/openerp/account_followup_print.patch b/docs/patches/openerp/account_followup_print.patch
new file mode 100644
index 0000000..a0b83d0
--- /dev/null
+++ b/docs/patches/openerp/account_followup_print.patch
@@ -0,0 +1,10 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py 2015-04-20 01:07:31.357995387 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py 2015-04-20 01:09:21.314693739 +0000
+@@ -58,7 +58,6 @@
+ ('reconcile_id', '=', False),
+ ('state', '!=', 'draft'),
+ ('company_id', '=', company_id),
+- ('date_maturity', '<=', fields.date.context_today(self,self.cr,self.uid)),
+ ])
+
+ # lines_per_currency = {currency: [line data, ...], ...}
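Review bot: Dropping the `('date_maturity', '<=', ...)` clause changes which move lines the follow-up report selects — lines that are not yet due are now included with the overdue ones — and the patch file records no rationale for that. A reader applying this patch from the docs cannot tell whether that is intended (presumably so the follow-up shows the full open balance rather than only overdue amounts) or a workaround for something else. Since `patch` ignores text before the first `---` header, a one-paragraph preamble such as `Include not-yet-due lines in the follow-up so the reported amount is the full open balance` (adjusted to the actual reason) would document it in place. The surrounding `search` call starts and ends outside the hunk.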
diff --git a/docs/patches/openerp/invoice.py.patch b/docs/patches/openerp/invoice.py.patch
new file mode 100644
index 0000000..93f1217
--- /dev/null
+++ b/docs/patches/openerp/invoice.py.patch
@@ -0,0 +1,10 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py 2014-07-19 14:44:57.389199363 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py 2014-07-19 14:45:21.745410574 +0000
+@@ -271,7 +271,6 @@
+ "amount": inv.residual,
+ "currency_code": inv.currency_id.name,
+ "button_subtype": "services",
+- "no_note": "1",
+ "bn": "OpenERP_Invoice_PayNow_" + inv.currency_id.name,
+ }
+ res[inv.id] = "https://www.paypal.com/cgi-bin/webscr?" + url_encode(params)
diff --git a/docs/patches/openerp/py.js.patch b/docs/patches/openerp/py.js.patch
new file mode 100644
index 0000000..a172396
--- /dev/null
+++ b/docs/patches/openerp/py.js.patch
@@ -0,0 +1,18 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js 2013-06-16 23:26:30.660384152 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js 2013-06-16 23:30:02.035589446 +0000
+@@ -764,7 +764,14 @@
+
+ // Conversion
+ toJSON: function () {
+- throw new Error(this.constructor.name + ' can not be converted to JSON');
++ var out = {};
++ for(var k in this) {
++ if (this.hasOwnProperty(k) && !/^__/.test(k)) {
++ var val = this[k];
++ out[k] = val.toJSON ? val.toJSON() : val;
++ }
++ }
++ return out;
+ }
+ });
+ var NoneType = py.type('NoneType', null, {
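Review bot: The new `toJSON` dereferences `val.toJSON` on every own property, so a property holding `null` or `undefined` throws a TypeError instead of being emitted as-is; the conversion should be `out[k] = (val && val.toJSON) ? val.toJSON() : val;`. There is also no cycle protection, so a self-referencing attribute would recurse until the stack overflows — presumably rare for py.js objects, but worth a comment if callers rely on it never happening. A one-line comment stating the intent (serialize own, non-dunder attributes, converting nested py.js values recursively) would help, since the original deliberately refused JSON conversion and the reason for reversing that is not recorded.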
diff --git a/docs/patches/openerp/view_form.js.patch b/docs/patches/openerp/view_form.js.patch
new file mode 100644
index 0000000..8628865
--- /dev/null
+++ b/docs/patches/openerp/view_form.js.patch
@@ -0,0 +1,15 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js 2013-01-29 15:03:35.053098527 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js 2013-01-29 15:08:27.372588389 +0000
+@@ -3176,7 +3176,11 @@
+ if (! no_recurse) {
+ var dataset = new instance.web.DataSetStatic(this, this.field.relation, self.build_context());
+ dataset.name_get([self.get("value")]).done(function(data) {
+- self.display_value["" + self.get("value")] = data[0][1];
++ var value = "";
++ if (data.length > 0 && data[0].length > 1) {
++ value = data[0][1];
++ }
++ self.display_value["" + self.get("value")] = value;
+ self.render_value(true);
+ });
+ }
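Review bot: The guard silently substitutes an empty display value when `name_get` returns nothing, which hides the underlying cause (presumably the referenced record no longer exists or is not readable by the current user) from both the user and the browser log. A short comment above the `if`, e.g. `// name_get returns [] when the referenced record is missing or inaccessible; show an empty label instead of throwing`, would record why the fallback exists. A `console.warn` naming the field and the value that failed to resolve would make the condition diagnosable without changing what is displayed. The enclosing method starts and ends outside the hunk.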
diff --git a/docs/patches/otrs/Layout.pm.patch b/docs/patches/otrs/Layout.pm.patch
new file mode 100644
index 0000000..05ce2a2
--- /dev/null
+++ b/docs/patches/otrs/Layout.pm.patch
@@ -0,0 +1,54 @@
+--- otrs_orig/Layout.pm 2015-01-11 03:13:29.049626928 +0000
++++ /usr/share/otrs/Kernel/Output/HTML/Layout.pm 2015-01-11 03:18:55.736035997 +0000
+@@ -369,7 +369,21 @@
+ }
+
+ # locate template files
+- $Self->{TemplateDir} = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
++ $Self->{TemplateDir}
++ = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
++ $Self->{StandardTemplateDir}
++ = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . 'Standard';
++
++ # Check if 'Standard' fallback exists
++ if ( !-e $Self->{StandardTemplateDir} ) {
++ $Self->{LogObject}->Log(
++ Priority => 'error',
++ Message =>
++ "No existing template directory found ('$Self->{TemplateDir}')! Check your Home in Kernel/Config.pm",
++ );
++ $Self->FatalDie();
++ }
++
+ if ( !-e $Self->{TemplateDir} ) {
+ $Self->{LogObject}->Log(
+ Priority => 'error',
+@@ -378,17 +392,9 @@
+ Default theme used instead.",
+ );
+
+- # Set TemplateDir to 'Standard' as a fallback and check if it exists.
++ # Set TemplateDir to 'Standard' as a fallback.
+ $Theme = 'Standard';
+- $Self->{TemplateDir} = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
+- if ( !-e $Self->{TemplateDir} ) {
+- $Self->{LogObject}->Log(
+- Priority => 'error',
+- Message =>
+- "No existing template directory found ('$Self->{TemplateDir}')! Check your Home in Kernel/Config.pm",
+- );
+- $Self->FatalDie();
+- }
++ $Self->{TemplateDir} = $Self->{StandardTemplateDir};
+ }
+
+ # load sub layout files
+@@ -531,7 +537,7 @@
+ $File = "$Self->{TemplateDir}/$Param{TemplateFile}.dtl";
+ }
+ else {
+- $File = "$Self->{TemplateDir}/../Standard/$Param{TemplateFile}.dtl";
++ $File = "$Self->{StandardTemplateDir}/$Param{TemplateFile}.dtl";
+ }
+ if ( open my $TEMPLATEIN, '<', $File ) {
+ $TemplateString = do { local $/; <$TEMPLATEIN> };
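Review bot: The new fallback check tests `$Self->{StandardTemplateDir}` but the error message it logs interpolates `$Self->{TemplateDir}`, so when the Standard directory is missing the log names the wrong path (the theme directory, which may well exist); the message should read `"No existing template directory found ('$Self->{StandardTemplateDir}')! Check your Home in Kernel/Config.pm",`. Note also that `$Theme` is still concatenated into the template path unchecked at the top of the hunk — that is pre-existing rather than introduced here, but since this patch is being carried in the docs it would be a good place for a comment stating that `$Theme` is expected to have been validated against the configured themes before reaching this code (where it is set is not visible from this hunk). The enclosing subroutine starts and ends outside the hunk.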
diff --git a/docs/people.rst b/docs/people.rst
new file mode 100644
index 0000000..b6d8220
--- /dev/null
+++ b/docs/people.rst
@@ -0,0 +1,152 @@
+===========
+People list
+===========
+
+The following list shows information for people in charge of some systems or
+applications. The list of roles is known to not be complete.
+
+.. maybe this can be improved by some automation later
+
+.. _people_dirk:
+
+Dirk Astrath
+============
+
+:roles: :term:`Application Administrator` on :doc:`systems/bugs`,
+ :term:`Infrastructure Administrator`
+
+.. _people_abahlo:
+
+Alexander Bahlo
+===============
+
+:roles: :term:`Application Administrator` on :doc:`systems/blog`
+:contact: alexander.bahlo@cacert.org
+
+.. _people_benbe:
+
+Benny Baumann
+=============
+
+:roles: :term:`Infrastructure Administrator`, :term:`Application Administrator`
+ on :doc:`systems/bugs`
+
+.. _people_ian:
+
+Ian Grigg
+=========
+
+:contact: ian.grigg@cacert.org
+
+.. _people_jandd:
+
+Jan Dittberner
+==============
+
+:roles: :term:`Infrastructure Team Lead`, :term:`Infrastructure Administrator`
+:contact: jandd@cacert.org
+:wiki: :wiki:`JanDittberner`
+:irc: jandd
+
+.. _people_ted:
+
+Bernhard Fröhlich
+=================
+
+:roles: :term:`Application Administrator` on :doc:`systems/bugs`
+
+.. _people_martin:
+
+Martin Gummi
+============
+
+:roles: :term:`Infrastructure Administrator`
+:contact: martin.gummi@cacert.org
+
+.. _people_philipp:
+
+Philipp Gühring
+===============
+
+:roles: :term:`Application Administrator` on :doc:`systems/bugs`
+
+.. _people_mario:
+
+Mario Lipinski
+==============
+
+:roles: :term:`Infrastructure Administrator`, former Team Lead
+:contact: mario@cacert.org
+
+.. _people_marcus:
+
+Marcus Mängel
+=============
+
+:roles: :term:`Application Administrator` on :doc:`systems/blog`
+:contact: marcus.maengel@cacert.org
+
+.. _people_mendel:
+
+Mendel Mobach
+=============
+
+:roles: :term:`Critical System Administrator`
+:contact: mendel@cacert.org
+
+.. _people_msimons:
+
+Martin Simons
+=============
+
+:roles: :term:`Critical System Administrator`
+:contact: msimons@cacert.org
+
+.. _people_neo:
+
+Michael Tänzer
+==============
+
+:roles: :term:`Infrastructure Administrator`
+:contact: michael.taenzer@cacert.org
+:wiki: :wiki:`MichaelTänzer`
+
+
+.. _people_nick:
+
+Nicolas Bebout
+==============
+
+:contact: nick.bebout@cacert.org
+
+.. _people_gero:
+
+Gero Treuner
+============
+
+:roles: :term:`Infrastructure Administrator`
+:contact: gero.treuner@cacert.org
+
+.. _people_ulrich:
+
+Ulrich Schröter
+===============
+
+:roles: :term:`Infrastructure Administrator`
+:contact: ulrich@cacert.org
+
+.. _people_jselzer:
+
+Jochim Selzer
+=============
+
+:roles: :term:`Infrastructure Administrator`
+:contact: jselzer@cacert.org
+
+.. _people_wytze:
+
+Wytze van der Raay
+==================
+
+:roles: :term:`Critical System Administrator`
+:contact: wytze@cacert.org
diff --git a/docs/sphinxext/__init__.py b/docs/sphinxext/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/docs/sphinxext/__init__.py
diff --git a/docs/sphinxext/cacert.py b/docs/sphinxext/cacert.py
new file mode 100644
index 0000000..fe8e7ff
--- /dev/null
+++ b/docs/sphinxext/cacert.py
@@ -0,0 +1,710 @@
+# -*- python -*-
+# This module provides the following CAcert specific sphinx directives
+#
+# sslcert
+# sslcertlist
+# sshkeys
+# sshkeylist
+
+import binascii
+import re
+import os.path
+from ipaddress import ip_address
+
+from docutils import nodes
+from docutils.parsers.rst import Directive
+from docutils.parsers.rst import directives
+
+from sphinx import addnodes
+from sphinx.errors import SphinxError
+from sphinx.util.nodes import set_source_info, make_refnode, traverse_parent
+
+from dateutil.parser import parse as date_parse
+from base64 import b64decode
+from validate_email import validate_email
+
+__version__ = '0.1.0'
+
+SUPPORTED_SSH_KEYTYPES = ('RSA', 'DSA', 'ECDSA', 'ED25519')
+SSH_MD5_RE = r'^([0-9a-f]{2}:){15}[0-9a-f]{2}$'
+
+
+class sslcert_node(nodes.General, nodes.Element):
+ pass
+
+
+class sslcertlist_node(nodes.General, nodes.Element):
+ pass
+
+
+class sshkeys_node(nodes.General, nodes.Element):
+ pass
+
+
+class sshkeylist_node(nodes.General, nodes.Element):
+ pass
+
+
+# mapping and validation functions for directive options
+
+def hex_int(argument):
+ value = int(argument, base=16)
+ return value
+
+
+def ssh_fingerprint(argument):
+ value = argument.strip().split(" ")
+ result = {}
+ for k in value:
+ if k.startswith('SHA256:'):
+ sha256_encoded = k[len('SHA256:'):]
+ try:
+ sha256_decoded = b64decode(sha256_encoded + "=", validate=True)
+ if len(sha256_decoded) != 32:
+ raise ValueError(
+ '{} is no correctly formatted SHA256 fingerprint'.format(
+ k))
+ except binascii.Error:
+ raise ValueError(
+ '{} is no correctly formatted SHA256 fingerprint'.format(k))
+ result['sha256'] = sha256_encoded
+ elif k.startswith('MD5:'):
+ if not re.match(SSH_MD5_RE, k[len('MD5:'):].lower()):
+ raise ValueError(
+ '{} is no correctly formatted MD5 fingerprint'.format(k))
+ result['md5'] = k[len('MD5:'):]
+ else:
+ if not re.match(SSH_MD5_RE, k.lower()):
+ raise ValueError(
+ '{} is no correctly formatted MD5 fingerprint'.format(k))
+ result['md5'] = k.lower()
+ return result
+
+
+def sha1_fingerprint(argument):
+ value = argument.strip().lower()
+ if not re.match(r'^([0-9a-f]{2}:){19}[0-9a-f]{2}$', value):
+ raise ValueError('no correctly formatted SHA1 fingerprint')
+ return value
+
+
+def is_valid_hostname(hostname):
+ if len(hostname) > 255:
+ return False
+ if hostname[-1] == ".": # strip exactly one dot from the right, if present
+ hostname = hostname[:-1]
+ allowed = re.compile("(?!-)[A-Z\d-]{1,63}(?<!-)$", re.IGNORECASE)
+ return all(allowed.match(x) for x in hostname.split("."))
+
+
+def is_valid_ipaddress(content):
+ try:
+ ip_address(content)
+ except ValueError:
+ return False
+ return True
+
+
+def subject_alternative_names(argument):
+ value = [san.strip().split(':', 1) for san in argument.split(',')]
+ for typ, content in value:
+ if typ == 'DNS':
+ if not is_valid_hostname(content):
+ raise ValueError("%s is no valid DNS name" % content)
+ elif typ == 'EMAIL':
+ if not validate_email(content):
+ raise ValueError("%s is not a valid email address" % content)
+ elif typ == 'IP':
+ if not is_valid_ipaddress(content):
+ raise ValueError("%s is not a valid IP address" % content)
+ else:
+ raise ValueError(
+ "handling of %s subject alternative names (%s) has not been "
+ "implemented" % (typ, content))
+ return value
+
+
+def expiration_date(argument):
+ return date_parse(directives.unchanged_required(argument))
+
+
+class CAcertSSLCert(Directive):
+ """
+ The sslcert directive implementation.
+
+ There must only be one instance of a certificate with the same CN and
+ serial number that is not flagged as secondary
+ """
+ final_argument_whitespace = True
+ required_arguments = 1
+ option_spec = {
+ 'certfile': directives.path,
+ 'keyfile': directives.path,
+ 'serial': hex_int,
+ 'expiration': expiration_date,
+ 'sha1fp': sha1_fingerprint,
+ 'altnames': subject_alternative_names,
+ 'issuer': directives.unchanged_required,
+ 'secondary': directives.flag
+ }
+
+ def run(self):
+ if 'secondary' in self.options:
+ missing = [
+ required for required in ('certfile', 'keyfile', 'serial')
+ if required not in self.options
+ ]
+ else:
+ missing = [
+ required for required in (
+ 'certfile', 'keyfile', 'serial', 'expiration', 'sha1fp',
+ 'issuer')
+ if required not in self.options
+ ]
+ if missing:
+ raise self.error(
+ "required option(s) '%s' is/are not set for %s." % (
+ "', '".join(missing), self.name))
+ sslcert = sslcert_node()
+ sslcert.attributes['certdata'] = self.options.copy()
+ sslcert.attributes['certdata']['cn'] = self.arguments[0]
+ set_source_info(self, sslcert)
+
+ env = self.state.document.settings.env
+ targetid = 'sslcert-%s' % env.new_serialno('sslcert')
+ targetnode = nodes.target('', '', ids=[targetid])
+ para = nodes.paragraph()
+ para.append(targetnode)
+ para.append(sslcert)
+ return [para]
+
+
+class CAcertSSLCertList(Directive):
+ """
+ The sslcertlist directive implementation
+ """
+
+ def run(self):
+ return [sslcertlist_node()]
+
+
+class CAcertSSHKeys(Directive):
+ """
+ The sshkeys directive implementation that can be used to specify the ssh
+ host keys for a host.
+ """
+ option_spec = {
+ keytype.lower(): ssh_fingerprint for keytype in SUPPORTED_SSH_KEYTYPES
+ }
+
+ def run(self):
+ if len(self.options) == 0:
+ raise self.error(
+ "at least one ssh key fingerprint must be specified. The "
+ "following formats are supported: %s" % ", ".join(
+ SUPPORTED_SSH_KEYTYPES))
+ sshkeys = sshkeys_node()
+ sshkeys.attributes['keys'] = self.options.copy()
+ set_source_info(self, sshkeys)
+
+ env = self.state.document.settings.env
+ secid = 'sshkeys-%s' % env.new_serialno('sshkeys')
+
+ section = nodes.section(ids=[secid])
+ section += nodes.title(text='SSH host keys')
+ section += sshkeys
+ return [section]
+
+
+class CAcertSSHKeyList(Directive):
+ """
+ The sshkeylist directive implementation
+ """
+
+ def run(self):
+ return [sshkeylist_node()]
+
+
+def create_table_row(rowdata):
+ row = nodes.row()
+ for cell in rowdata:
+ entry = nodes.entry()
+ row += entry
+ entry += cell
+ return row
+
+
+def _sslcert_item_key(item):
+ return "%s-%d" % (item['cn'], item['serial'])
+
+
+def _sshkeys_item_key(item):
+ return "%s" % os.path.basename(item['docname'])
+
+
+def _build_cert_anchor_name(cn, serial):
+ return 'cert_%s_%d' % (cn.replace('.', '_'), serial)
+
+
+def _format_subject_alternative_names(altnames):
+ return nodes.paragraph(text=", ".join(
+ [content for _, content in altnames]
+ ))
+
+
+def _place_sort_key(place):
+ return "%s-%d" % (place['docname'], place['lineno'])
+
+
+def _file_ref_paragraph(cert_info, filekey, app, env, docname):
+ para = nodes.paragraph()
+
+ places = [place for place in cert_info['places'] if place['primary']]
+ places.extend(sorted([
+ place for place in cert_info['places'] if not place['primary']],
+ key=_place_sort_key))
+
+ for pos in range(len(places)):
+ place = places[pos]
+ title = env.titles[place['docname']].astext().lower()
+ if place['primary'] and len(places) > 1:
+ reftext = nodes.strong(text=title)
+ else:
+ reftext = nodes.Text(title)
+ para += make_refnode(
+ app.builder, docname, place['docname'], place['target']['ids'][0],
+ reftext)
+ para += nodes.Text(":")
+ para += addnodes.literal_emphasis(text=place[filekey])
+ if pos + 1 < len(places):
+ para += nodes.Text(", ")
+ return para
+
+
+def _format_serial_number(serial):
+ return nodes.paragraph(text="%d (0x%0x)" % (serial, serial))
+
+
+def _format_expiration_date(expiration):
+ return nodes.paragraph(text=expiration)
+
+
+def _format_fingerprint(fingerprint):
+ para = nodes.paragraph()
+ para += nodes.literal(text=fingerprint, classes=['fingerprint'])
+ return para
+
+
+def _get_cert_index_text(cert_info):
+ return "Certificate; %s" % cert_info['cn']
+
+
+def _get_formatted_keyentry(keys_info, algorithm, fptype):
+ entry = nodes.entry()
+ algkey = algorithm.lower()
+ if algkey in keys_info and fptype in keys_info[algkey]:
+ para = nodes.paragraph()
+ keyfp = nodes.literal(text=keys_info[algkey][fptype])
+ para += keyfp
+ else:
+ para = nodes.paragraph(text="-")
+ entry += para
+ return entry
+
+
+def process_sslcerts(app, doctree):
+ env = app.builder.env
+ if not hasattr(env, 'cacert_sslcerts'):
+ env.cacert_sslcerts = []
+
+ for node in doctree.traverse(sslcertlist_node):
+ if hasattr(env, 'cacert_certlistdoc'):
+ raise SphinxError(
+ "There must be one sslcertlist directive present in "
+ "the document tree only.")
+ env.cacert_certlistdoc = env.docname
+
+ for node in doctree.traverse(sslcert_node):
+ try:
+ targetnode = node.parent[node.parent.index(node) - 1]
+ if not isinstance(targetnode, nodes.target):
+ raise IndexError
+ except IndexError:
+ targetnode = None
+ certdata = node.attributes['certdata'].copy()
+ existing = [
+ cert_info for cert_info in env.cacert_sslcerts
+ if (cert_info['cn'], cert_info['serial']) ==
+ (certdata['cn'], certdata['serial'])
+ ]
+ place_info = {
+ 'docname': env.docname,
+ 'lineno': node.line,
+ 'certfile': certdata['certfile'],
+ 'keyfile': certdata['keyfile'],
+ 'primary': 'secondary' not in certdata,
+ 'target': targetnode,
+ }
+ if existing:
+ info = existing[0]
+ else:
+ info = {
+ 'cn': certdata['cn'],
+ 'serial': certdata['serial'],
+ 'places': [],
+ }
+ env.cacert_sslcerts.append(info)
+ info['places'].append(place_info)
+ if 'sha1fp' in certdata:
+ info['sha1fp'] = certdata['sha1fp']
+ if 'issuer' in certdata:
+ info['issuer'] = certdata['issuer']
+ if 'expiration' in certdata:
+ info['expiration'] = certdata['expiration']
+ if 'altnames' in certdata:
+ info['altnames'] = certdata['altnames'].copy()
+ indexnode = addnodes.index(entries=[
+ ('pair', _get_cert_index_text(info), targetnode['ids'][0],
+ '', None)
+ ])
+
+ bullets = nodes.bullet_list()
+ certitem = nodes.list_item()
+ bullets += certitem
+ certpara = nodes.paragraph()
+ certpara += nodes.Text('Certificate for CN %s, see ' % certdata['cn'])
+ refid = _build_cert_anchor_name(certdata['cn'], certdata['serial'])
+ detailref = addnodes.pending_xref(
+ reftype='certlistref', refdoc=env.docname, refid=refid,
+ reftarget='certlist'
+ )
+ detailref += nodes.Text("details in the certificate list")
+ certpara += detailref
+ certitem += certpara
+
+ subbullets = nodes.bullet_list()
+ bullets += subbullets
+ item = nodes.list_item()
+ subbullets += item
+ certfile = nodes.paragraph(text="certificate in file ")
+ certfile += addnodes.literal_emphasis(
+ text=certdata['certfile']) # , node.line)
+ item += certfile
+ item = nodes.list_item()
+ subbullets += item
+ keyfile = nodes.paragraph(text="private key in file ")
+ keyfile += addnodes.literal_emphasis(text=certdata['keyfile'])
+ # keyfile += _create_interpreted_file_node(
+ # certdata['keyfile'], node.line)
+ item += keyfile
+
+ node.parent.replace_self([targetnode, indexnode, bullets])
+ # env.note_indexentries_from(env.docname, doctree)
+
+
+def process_sshkeys(app, doctree):
+ env = app.builder.env
+ if not hasattr(env, 'cacert_sshkeys'):
+ env.cacert_sshkeys = []
+
+ for _ in doctree.traverse(sshkeylist_node):
+ if hasattr(env, 'cacert_sshkeylistdoc'):
+ raise SphinxError(
+ "There must be one sshkeylist directive present in "
+ "the document tree only.")
+ env.cacert_sshkeylistdoc = env.docname
+
+ for node in doctree.traverse(sshkeys_node):
+ # find section
+ section = [s for s in traverse_parent(node, nodes.section)][0]
+ doc_keys = {'docname': env.docname, 'secid': section['ids'][0]}
+ doc_keys.update(node['keys'])
+ env.cacert_sshkeys.append(doc_keys)
+
+ secparent = section.parent
+ pos = secparent.index(section)
+ # add index node for section
+ indextitle = 'SSH host key; %s' % (
+ env.docname in env.titles and env.titles[env.docname].astext()
+ or os.path.basename(env.docname)
+ )
+ secparent.insert(pos, addnodes.index(entries=[
+ ('pair', indextitle, section['ids'][0], '', None),
+ ]))
+
+ # add table
+ content = []
+ table = nodes.table()
+ content.append(table)
+ cols = (1, 4)
+ tgroup = nodes.tgroup(cols=len(cols))
+ table += tgroup
+ for col in cols:
+ tgroup += nodes.colspec(colwidth=col)
+ thead = nodes.thead()
+ tgroup += thead
+ thead += create_table_row([
+ nodes.paragraph(text='Algorithm'),
+ nodes.paragraph(text='Fingerprints'),
+ ])
+ tbody = nodes.tbody()
+ tgroup += tbody
+ for alg in SUPPORTED_SSH_KEYTYPES:
+ alg_key = alg.lower()
+ if alg_key in doc_keys:
+ result = []
+ fpparagraph = nodes.paragraph()
+ for ktype in ('sha256', 'md5'):
+ if ktype in doc_keys[alg_key]:
+ result.append("{}:{}".format(
+ ktype.upper(), doc_keys[alg_key][ktype]))
+ for idx in range(len(result)):
+ fpparagraph += nodes.literal(text=result[idx])
+ if idx < len(result) - 1:
+ fpparagraph += nodes.inline(text=", ")
+ else:
+ fpparagraph = nodes.paragraph(text='-')
+ tbody += create_table_row([
+ nodes.paragraph(text=alg),
+ fpparagraph,
+ ])
+ # add pending_xref for link to ssh key list
+ seealso = addnodes.seealso()
+ content.append(seealso)
+ detailref = addnodes.pending_xref(
+ reftype='sshkeyref', refdoc=env.docname, refid='sshkeylist',
+ reftarget='sshkeylist'
+ )
+ detailref += nodes.Text("SSH host key list")
+ seepara = nodes.paragraph()
+ seepara += detailref
+ seealso += seepara
+
+ node.replace_self(content)
+
+
+def process_sslcert_nodes(app, doctree, docname):
+ env = app.builder.env
+
+ if not hasattr(env, 'cacert_sslcerts'):
+ env.cacert_sslcerts = []
+
+ for node in doctree.traverse(sslcertlist_node):
+ content = []
+
+ for cert_info in sorted(env.cacert_sslcerts, key=_sslcert_item_key):
+ primarycount = len([
+ place for place in cert_info['places'] if place['primary']
+ ])
+ if primarycount != 1:
+ raise SphinxError(
+ "There must be exactly one primary place for a "
+ "certificate, but the certificate for CN %s with "
+ "serial number %d has %d" %
+ (cert_info['cn'], cert_info['serial'], primarycount)
+ )
+ cert_sec = nodes.section()
+ cert_sec['ids'].append(
+ _build_cert_anchor_name(cert_info['cn'],
+ cert_info['serial'])
+ )
+ cert_sec += nodes.title(text=cert_info['cn'])
+ indexnode = addnodes.index(entries=[
+ ('pair', _get_cert_index_text(cert_info),
+ cert_sec['ids'][0], '', None),
+ ])
+ content.append(indexnode)
+ table = nodes.table()
+ cert_sec += table
+ tgroup = nodes.tgroup(cols=2)
+ table += tgroup
+ tgroup += nodes.colspec(colwidth=1)
+ tgroup += nodes.colspec(colwidth=5)
+ tbody = nodes.tbody()
+ tgroup += tbody
+ tbody += create_table_row([
+ nodes.paragraph(text='Common Name'),
+ nodes.paragraph(text=cert_info['cn'])
+ ])
+ if 'altnames' in cert_info:
+ tbody += create_table_row([
+ nodes.paragraph(text='Subject Alternative Names'),
+ _format_subject_alternative_names(
+ cert_info['altnames'])
+ ])
+ tbody += create_table_row([
+ nodes.paragraph(text='Key kept at'),
+ _file_ref_paragraph(cert_info, 'keyfile', app, env, docname)
+ ])
+ tbody += create_table_row([
+ nodes.paragraph(text='Cert kept at'),
+ _file_ref_paragraph(cert_info, 'certfile', app, env, docname)
+ ])
+ tbody += create_table_row([
+ nodes.paragraph(text='Serial number'),
+ _format_serial_number(cert_info['serial'])
+ ])
+ tbody += create_table_row([
+ nodes.paragraph(text='Expiration date'),
+ _format_expiration_date(cert_info['expiration'])
+ ])
+ tbody += create_table_row([
+ nodes.paragraph(text='Issuer'),
+ nodes.paragraph(text=cert_info['issuer'])
+ ])
+ tbody += create_table_row([
+ nodes.paragraph(text='SHA1 fingerprint'),
+ _format_fingerprint(cert_info['sha1fp'])
+ ])
+ content.append(cert_sec)
+
+ node.replace_self(content)
+ # env.note_indexentries_from(docname, doctree)
+
+
+def process_sshkeys_nodes(app, doctree, docname):
+ env = app.builder.env
+
+ if not hasattr(env, 'cacert_sshkeys'):
+ env.cacert_sslcerts = []
+
+ for node in doctree.traverse(sshkeylist_node):
+ content = [nodes.target(ids=['sshkeylist'])]
+
+ if len(env.cacert_sshkeys) > 0:
+ table = nodes.table()
+ content.append(table)
+ tgroup = nodes.tgroup(cols=4)
+ tgroup += nodes.colspec(colwidth=1)
+ tgroup += nodes.colspec(colwidth=1)
+ tgroup += nodes.colspec(colwidth=2)
+ tgroup += nodes.colspec(colwidth=2)
+ table += tgroup
+
+ thead = nodes.thead()
+ row = nodes.row()
+ entry = nodes.entry()
+ entry += nodes.paragraph(text="Host")
+ row += entry
+ entry = nodes.entry(morecols=2)
+ entry += nodes.paragraph(text="SSH Host Keys")
+ row += entry
+ thead += row
+ tgroup += thead
+
+ tbody = nodes.tbody()
+ tgroup += tbody
+
+ for keys_info in sorted(env.cacert_sshkeys, key=_sshkeys_item_key):
+ trow = nodes.row()
+ entry = nodes.entry(morerows=len(SUPPORTED_SSH_KEYTYPES))
+ para = nodes.paragraph()
+ para += make_refnode(
+ app.builder, docname, keys_info['docname'],
+ keys_info['secid'],
+ nodes.Text(env.titles[keys_info['docname']].astext())
+ )
+ entry += para
+ trow += entry
+
+ entry = nodes.entry()
+ para = nodes.paragraph()
+ para += nodes.strong(text='Algorithm')
+ entry += para
+ trow += entry
+
+ entry = nodes.entry()
+ para = nodes.paragraph()
+ para += nodes.strong(text='MD5 fingerprint')
+ entry += para
+ trow += entry
+
+ entry = nodes.entry()
+ para = nodes.paragraph()
+ para += nodes.strong(text='SHA256 fingerprint')
+ entry += para
+ trow += entry
+
+ tbody += trow
+
+ for algorithm in SUPPORTED_SSH_KEYTYPES:
+ trow = nodes.row()
+
+ entry = nodes.entry()
+ entry += nodes.paragraph(text=algorithm)
+ trow += entry
+
+ trow += _get_formatted_keyentry(keys_info, algorithm, 'md5')
+ trow += _get_formatted_keyentry(keys_info, algorithm,
+ 'sha256')
+ tbody += trow
+ else:
+ content.append(nodes.paragraph(
+ text="No ssh keys have been documented.")
+ )
+
+ node.replace_self(content)
+
+
+def resolve_missing_reference(app, env, node, contnode):
+ if node['reftype'] == 'certlistref':
+ if hasattr(env, 'cacert_certlistdoc'):
+ return make_refnode(
+ app.builder, node['refdoc'], env.cacert_certlistdoc,
+ node['refid'], contnode)
+ raise SphinxError('No certlist directive found in the document tree')
+ if node['reftype'] == 'sshkeyref':
+ if hasattr(env, 'cacert_sshkeylistdoc'):
+ return make_refnode(
+ app.builder, node['refdoc'], env.cacert_sshkeylistdoc,
+ node['refid'], contnode)
+ raise SphinxError('No sshkeylist directive found in the document tree')
+
+
+def purge_sslcerts(app, env, docname):
+ if (
+ hasattr(env, 'cacert_certlistdoc') and
+ env.cacert_certlistdoc == docname
+ ):
+ delattr(env, 'cacert_certlistdoc')
+ if not hasattr(env, 'cacert_sslcerts'):
+ return
+ for cert_info in env.cacert_sslcerts:
+ cert_info['places'] = [
+ place for place in cert_info['places']
+ if place['docname'] != docname
+ ]
+
+
+def purge_sshkeys(app, env, docname):
+ if (
+ hasattr(env, 'cacert_sshkeylistdoc') and
+ env.cacert_sshkeylistdoc == docname
+ ):
+ delattr(env, 'cacert_sshkeylistdoc')
+ if not hasattr(env, 'cacert_sshkeys'):
+ return
+ env.cacert_sshkeys = [
+ keys for keys in env.cacert_sshkeys if keys['docname'] != docname
+ ]
+
+
+def setup(app):
+ app.add_node(sslcertlist_node)
+ app.add_node(sslcert_node)
+ app.add_node(sshkeylist_node)
+ app.add_node(sshkeys_node)
+
+ app.add_directive('sslcert', CAcertSSLCert)
+ app.add_directive('sslcertlist', CAcertSSLCertList)
+ app.add_directive('sshkeys', CAcertSSHKeys)
+ app.add_directive('sshkeylist', CAcertSSHKeyList)
+
+ app.connect('doctree-read', process_sslcerts)
+ app.connect('doctree-read', process_sshkeys)
+ app.connect('doctree-resolved', process_sslcert_nodes)
+ app.connect('doctree-resolved', process_sshkeys_nodes)
+ app.connect('missing-reference', resolve_missing_reference)
+ app.connect('env-purge-doc', purge_sslcerts)
+ app.connect('env-purge-doc', purge_sshkeys)
+ return {'version': __version__}
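Review bot: `process_sshkeys_nodes` guards on `hasattr(env, 'cacert_sshkeys')` but then initialises `env.cacert_sslcerts = []` (copied from the certificate handler), so the `len(env.cacert_sshkeys)` a few lines later would still raise AttributeError; it should be `env.cacert_sshkeys = []`. In practice the `doctree-read` handler sets the attribute first, so this is latent, but it defeats the guard. Separately, the `sslcert` directive records only a SHA-1 fingerprint (`sha1fp`); for an inventory meant to let people verify a certificate, SHA-1 is no longer a safe identifier and a `sha256fp` option (same validator shape, 32 colon-separated bytes) should be accepted and shown alongside it. Minor: `ssh_fingerprint` lower-cases a bare MD5 fingerprint but not one given with the `MD5:` prefix, and the hostname regex in `is_valid_hostname` should be a raw string so `\d` is not an invalid escape.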
diff --git a/docs/sshkeys.rst b/docs/sshkeys.rst
new file mode 100644
index 0000000..07efa21
--- /dev/null
+++ b/docs/sshkeys.rst
@@ -0,0 +1,5 @@
+=============
+SSH Host Keys
+=============
+
+.. sshkeylist::
diff --git a/docs/systems.rst b/docs/systems.rst
new file mode 100644
index 0000000..ad89d78
--- /dev/null
+++ b/docs/systems.rst
@@ -0,0 +1,111 @@
+====================
+Non-Critical Systems
+====================
+
+Non-critical systems are those that are managed by the infrastructure
+administrator team.
+
+.. toctree::
+ :maxdepth: 1
+
+ systems/infra02
+ systems/blog
+ systems/board
+ systems/bugs
+ systems/cats
+ systems/email
+ systems/emailout
+ systems/git
+ systems/irc
+ systems/ircserver
+ systems/issue
+ systems/lists
+ systems/jenkins
+ systems/monitor
+ systems/puppet
+ systems/proxyin
+ systems/proxyout
+ systems/svn
+ systems/translations
+ systems/web
+ systems/webmail
+ systems/webstatic
+
+
+General
+=======
+
+.. todo:: consider whether a central MySQL service should be setup
+
+ Many containers contain their own instance of MySQL. It might be a better
+ idea to centralize the MySQL setups in a single container.
+
+.. todo:: consider whether a central PostgreSQL service should be setup
+
+.. todo::
+
+ setup a central syslog service and install syslog clients in each container
+
+.. _setup_apt_checking:
+
+.. topic:: Setup package update monitoring for a new container
+
+ For Icinga to be able to check the update status of packages on you server
+ you need to install NRPE, a helper service. Install the necessary packages::
+
+ sudo aptitude install nagios-plugins-basic nagios-nrpe-server
+
+ Put :doc:`systems/monitor` on the list of allowed hosts to access the NRPE
+ service by adding the following line to :file:`/etc/nagios/nrpe_local.cfg`::
+
+ allowed_hosts=172.16.2.18
+
+ Tell the NRPE service that there is such a thing as the check_apt command by
+ creating the file :file:`/etc/nagios/nrpe.d/apt.cfg` with the following
+ contents::
+
+ # 'check_apt' command definition
+ command[check_apt]=/usr/lib/nagios/plugins/check_apt
+
+ # 'check_apt_distupgrade' command definition
+ command[check_apt_distupgrade]=/usr/lib/nagios/plugins/check_apt -d
+
+ Restart the NRPE service::
+
+ sudo service nagios-nrpe-server restart
+
+ Check that everything went well by going to https://monitor.cacert.org/,
+ going to the APT service on the host and clicking :guilabel:`"Re-schedule
+ the next check of this service"`. Make sure that :guilabel:`"Force Check"`
+ is checked and click :guilabel:`"Commit"`. Now you should see a page with a
+ green background. If not something went wrong, please contact the
+ :doc:`systems/monitor` administrators with the details.
+
+ That's it, now the package update status should be properly displayed in
+ Icinga.
+
+.. todo:: think about replacing nrpe with Icinga2 satellites
+
+Checklist
+=========
+
+.. index::
+ single: etckeeper
+ single: nrpe
+
+* All containers should be monitored by :doc:`systems/monitor` and should
+ therefore have :program:`nagios-nrpe-server` installed
+* All containers should use :program:`etckeeper` to put their local setup into
+ version control. All local setup should use :file:`/etc` to make sure it is
+ handled by :program:`etckeeper`
+* All infrastructure systems must send their mail via :doc:`systems/emailout`
+* All infrastructure systems should have an system-admin@cacert.org alias to
+ reach their admins
+* The installation of :index:`systemd-sysv` in containers can be blocked by
+ putting the following lines in :file:`/etc/apt/preferences.d/systemd-sysv`::
+
+ Package: systemd-sysv
+ Pin: release a=stable
+ Pin-Priority: -1
+
+.. todo:: document how to setup the system-admin alias on the email system
diff --git a/docs/systems/blog.rst b/docs/systems/blog.rst
new file mode 100644
index 0000000..b225e87
--- /dev/null
+++ b/docs/systems/blog.rst
@@ -0,0 +1,362 @@
+.. index::
+ single: Systems; Blog
+
+====
+Blog
+====
+
+Purpose
+=======
+
+This system hosts the blog, blog.cacert.org. The blog meets the needs of public
+relations and the CAcert community to publish CAcert's activities.
+
+Application Links
+-----------------
+
+Blog URL
+ https://blog.cacert.org/
+
+Adding a category
+ https://blog.cacert.org/wp-admin/categories.php
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_dirk`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++-----------------------+-------------------------------------------------+
+| Role | Users |
++=======================+=================================================+
+| Wordpress Admin | :ref:`people_dirk`, |
+| | :ref:`people_mario`, |
++-----------------------+-------------------------------------------------+
+| Wordpress Editor | PR Team, |
+| | `Support`_ |
++-----------------------+-------------------------------------------------+
+| Wordpress Author | Anyone with a certificate |
++-----------------------+-------------------------------------------------+
+| Wordpress Contributor | Anyone with contributor privileges |
++-----------------------+-------------------------------------------------+
+| Wordpress Subscriber | Any Spammer or person who has not posted or has |
+| | not logged in |
++-----------------------+-------------------------------------------------+
+
+.. _Support: support@cacert.org
+
+Contact
+-------
+
+* blog-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`Jan Dittberner <people_jandd>`, :ref:`Mario Lipinski <people_mario>` and
+:ref:`Dirk Astrath <people_dirk>` have :program:`sudo` access on that machine
+too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.234`
+:IP Intranet: :ip:v4:`172.16.2.13`
+:IP Internal: :ip:v4:`10.0.0.13`
+:MAC address: :mac:`00:ff:fa:af:b2:9b` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Blog
+
+====================== ======== ====================================================================
+Name Type Content
+====================== ======== ====================================================================
+blog.cacert.org. IN A 213.154.225.234
+blog.cacert.org. IN SSHFP 1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8
+blog.cacert.org. IN SSHFP 1 2 3afb452ac3690cf7cd9a3332813bf7b13dbd288c7a4efbd9ab9dd4b4649ff2b6
+blog.cacert.org. IN SSHFP 2 1 AAFBA94EBE5C5C45CDF5EF10D0BC31BEA4D9ECEC
+blog.cacert.org. IN SSHFP 2 2 4d4384ebd1906125ae26d2fa976596af914b4b3587f2204a0e01368a3640f680
+blog.cacert.org. IN SSHFP 3 1 8fa85a31215f10ea78fd0126d1c705c9a3662c86
+blog.cacert.org. IN SSHFP 3 2 86d330b900db9bf0a8bc9ec34b126aa8261fec9e02b123ab61c2aee0b56ae047
+blog.cacert.org. IN SSHFP 4 1 90903e8f4b35457bf41235f070adf592d7f724dd
+blog.cacert.org. IN SSHFP 4 2 f24b770c16dcb91afc9461e62e6fe63a63d413efa4794751c039ed6d5213127b
+blog.intra.cacert.org. IN A 172.16.2.13
+====================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Jessie
+ single: Debian GNU/Linux; 8.10
+
+* Debian GNU/Linux 8.10
+
+Applicable Documentation
+------------------------
+
+A small (work in progress) guide can be found in the :wiki:`BlogDoc`.
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+----------------------------+
+| 80/tcp | http | ANY | application |
++----------+---------+---------+----------------------------+
+| 443/tcp | https | ANY | application |
++----------+---------+---------+----------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+----------------------------+
+| 3306/tcp | mysql | local | MySQL database for blog |
++----------+---------+---------+----------------------------+
+| 9000/tcp | php-fpm | local | PHP FPM executor |
++----------+---------+---------+----------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: MySQL
+ single: PHP FPM
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for blog | init script |
+| | | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for blog | :file:`/etc/init.d/mysql` |
++--------------------+--------------------+----------------------------------------+
+| PHP FPM | PHP FPM executor | init script |
+| | for blog | :file:`/etc/init.d/php5-fpm` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++-------+------------+------------------------------+
+| RDBMS | Name | Used for |
++=======+============+==============================+
+| MySQL | blog | Wordpress blog |
++-------+------------+------------------------------+
+| MySQL | phpmyadmin | PHPMyAdmin settings database |
++-------+------------+------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* HTTP (80/tcp) and HTTPS (443/tcp) `Ping-o-matic`_ blog update service [#f1]_
+* HTTP (80/tcp) and HTTPS (443/tcp) to Akismet anti spam service [#f2]_
+* HTTP (80/tcp) and HTTPS (443/tcp) to wordpress.org
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* crl.cacert.org (rsync) for getting CRLs
+
+.. _Ping-o-matic: http://rpc.pingomatic.com/
+.. [#f1] http://blog.cacert.org/wp-admin/options-writing.php
+.. [#f2] http://blog.cacert.org/wp-admin/plugins.php?page=akismet-key-config
+
+.. - check network status
+
+Security
+========
+
+.. sshkeys::
+ :RSA: MD5:ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d
+ :DSA: MD5:c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5
+ :ECDSA: MD5:00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81
+ :ED25519: MD5:0c:fe:c7:a1:bd:e6:43:e6:70:5a:be:5a:15:4d:08:9d
+
+Dedicated user roles
+--------------------
+
++-------+--------------------------------------------------------------------+
+| Group | Purpose |
++=======+====================================================================+
+| blog | group owning the blog file content and temporary files. This group |
+| | is used to execute the Wordpress PHP code. |
++-------+--------------------------------------------------------------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* **Wordpress Plugins**
+
+ * `client-certificate-authentication
+ <http://wordpress.org/plugins/client-certificate-authentication/>`_
+ * akismet
+
+Risk assessments on critical packages
+-------------------------------------
+
++-------------+-------------+---------------------------------------------+
+| Software | Risk rating | Mitigation |
++=============+=============+=============================================+
+| *Wordpress* | high | Regular updates, avoid unnecessary plugins, |
+| | | Consider `Wordpress hardening`_ |
++-------------+-------------+---------------------------------------------+
+
+.. todo:: `Wordpress hardening`_
+
+.. _Wordpress hardening: http://codex.wordpress.org/Hardening_WordPress
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: blog.cacert.org
+ :altnames: DNS:blog.cacert.org
+ :certfile: /etc/ssl/public/blog.cacert.org.crt
+ :keyfile: /etc/ssl/private/blog.cacert.org.key
+ :serial: 1381E6
+ :expiration: Mar 16 09:17:48 2020 GMT
+ :sha1fp: E9:92:97:26:01:C1:00:3C:D7:BC:A2:2D:F4:F7:24:1C:47:C0:01:51
+ :issuer: CA Cert Signing Authority
+
+* :file:`/etc/ssl/certs/cacert.org/` directory containing CAcert.org Class 1
+ and Class 3 certificates (allowed CA certificates for client certificates)
+ and symlinks with hashed names as expected by OpenSSL
+* :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 certificate
+ (certificate chain for server certificate)
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+* :file:`/etc/apache2/cacert/blog.inc.conf`
+
+ Defines settings that are shared by the HTTP and the HTTPS VirtualHost
+ definitions. This file takes care of the PHP FCGI setup.
+
+* :file:`/etc/apache2/cacert/headers.inc.conf`
+
+ Defines HTTP headers that are shared by the HTTP and the HTTPS VirtualHost
+ definitions. The file is included by
+ :file:`/etc/apache2/cacert/blog.inc.conf`.
+
+* :file:`/etc/apache2/sites-available/blog-ssl.conf`
+
+ This file contains the HTTPS VirtualHost definition and defines client
+ certificate authentication for ``/wp-admin`` and ``/wp-login.php``.
+
+* :file:`/etc/apache2/sites-available/blog-nossl.conf`
+
+ This file defines the HTTP VirtualHost definition and takes care of
+ redirecting ``/wp-admin`` and ``/wp-login.php`` to the HTTPS VirtualHost.
+
+The following RewriteRule is used to redirect old blog URLs::
+
+ RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]
+
+.. index::
+ pair: Wordpress; configuration
+
+Wordpress configuration
+-----------------------
+
+* :file:`/srv/www/blog/wp-config.php` contains the Wordpress database
+ configuration. The rest of the Wordpress configuration is stored in the
+ database (assumption).
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: setup IPv6
+
+.. todo::
+ setup CRL checks (can be borrowed from :doc:`svn`) for client certificates
+
+Changes
+=======
+
+System Future
+-------------
+
+.. todo:: system should be upgraded to Debian 9
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Wordpress website
+ https://wordpress.org/
diff --git a/docs/systems/board.rst b/docs/systems/board.rst
new file mode 100644
index 0000000..18bde33
--- /dev/null
+++ b/docs/systems/board.rst
@@ -0,0 +1,372 @@
+.. index::
+ single: Systems; Board
+
+=====
+Board
+=====
+
+Purpose
+=======
+
+This system hosts an OpenERP instance available at board.cacert.org.
+
+Application Links
+-----------------
+
+OpenERP URL
+ https://board.cacert.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_gero`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++-------------+--------------------------------------------------+
+| Application | Administrator(s) |
++=============+==================================================+
+| OpenERP | :ref:`people_gero`, :ref:`people_neo`, Treasurer |
++-------------+--------------------------------------------------+
+
+.. note:: use personalized accounts only
+
+Contact
+-------
+
+* board-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_jandd` and :ref:`people_mario` have :program:`sudo` access on that
+machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.252`
+:IP Intranet: :ip:v4:`172.16.2.34`
+:IP Internal: :ip:v4:`10.0.0.34`
+:MAC address: :mac:`00:ff:80:a9:e8:4d` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Board
+
+====================== ======== ============================================
+Name Type Content
+====================== ======== ============================================
+board.cacert.org. IN A 213.154.225.252
+board.cacert.org. IN SSHFP 1 1 F5C02A860A1CC07AEEFBF802540680C7476BDE6E
+board.cacert.org. IN SSHFP 2 1 7B6EEB0CCDFB2E2CFE479E0AECE36FF995FDD1F4
+board.intra.cacert.org IN A 172.16.2.34
+====================== ======== ============================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.11
+
+* Debian GNU/Linux 7.11
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+---------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+=================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+---------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+---------------------------------+
+| 80/tcp | http | ANY | Webserver redirecting to HTTPS |
++----------+---------+---------+---------------------------------+
+| 443/tcp | https | ANY | Webserver for OpenERP |
++----------+---------+---------+---------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+---------------------------------+
+| 5432/tcp | pgsql | local | PostgreSQL database for OpenERP |
++----------+---------+---------+---------------------------------+
+| 8069/tcp | xmlrpc | local | OpenERP XML-RPC service |
++----------+---------+---------+---------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: openssh
+ single: Apache
+ single: cron
+ single: PostgreSQL
+ single: OpenERP
+ single: Postfix
+ single: nrpe
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for | init script |
+| | OpenERP | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL | PostgreSQL | init script |
+| | database server | :file:`/etc/init.d/postgresql` |
+| | for OpenERP | |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+| OpenERP server | OpenERP WSGI | init script |
+| | application | :file:`/etc/init.d/openerp` |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++------------+---------+----------+
+| RDBMS | Name | Used for |
++============+=========+==========+
+| PostgreSQL | openerp | OpenERP |
++------------+---------+----------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* HTTP (80/tcp) to nightly.openerp.com
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* crl.cacert.org (rsync) for getting CRLs
+
+Security
+========
+
+.. sshkeys::
+ :RSA: c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1
+ :DSA: f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3
+ :ECDSA: 0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac
+
+.. todo:: setup ED25519 host key (needs update to Jessie)
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+:program:`OpenERP` is installed from non-distribution packages from
+http://nightly.openerp.com/7.0/nightly/deb/. The package source is disabled in
+:file:`/etc/apt/sources.lists.d/openerp.list` to avoid accidential updates that
+cause damage to the customization.
+
+.. todo:: update to Odoo (OpenERP successor)
+
+Local modifications to OpenERP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+OpenERP has been modified. The init script :file:`/etc/init.d/openerp` has the
+following line added to the :func:`do_start()` function to make a request to
+the OpenERP daemon that causes that daemon to load its configuration and start
+regular cleanup tasks (like sending scheduled mails):
+
+.. code:: bash
+
+ sleep 1; curl --silent localhost:8069 > /dev/null
+
+Some files have been patched to either fix bugs in the upstream OpenERP code or
+to add customizations for CAcert's needs.
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js`
+
+.. literalinclude:: ../patches/openerp/py.js.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/account.py`
+
+.. literalinclude:: ../patches/openerp/account.py.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py`
+
+.. literalinclude:: ../patches/openerp/invoice.py.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py`
+
+This patch includes a Paypal link in payment reminders.
+
+.. literalinclude:: ../patches/openerp/account_followup_paypal.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py`
+
+This patch causes OpenERP to include non-overdue but open payments in reminders.
+
+.. literalinclude:: ../patches/openerp/account_followup_print.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js`
+
+Fix form display.
+
+.. todo:: check whether the form display issue has been fixed upstream
+
+.. literalinclude:: ../patches/openerp/view_form.js.patch
+ :language: diff
+
+Risk assessments on critical packages
+-------------------------------------
+
+Using a customized OpenERP version that is not updated causes a small risk to
+miss upstream security updates. The risk is mitigated by restricting the access
+to the system to a very small group of users that are authenticated using
+personalized client certificates.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: board.cacert.org
+ :altnames: DNS:board.cacert.org
+ :certfile: /etc/ssl/certs/board.crt
+ :keyfile: /etc/ssl/private/board.key
+ :serial: 1381F6
+ :expiration: Mar 16 10:53:47 2020 GMT
+ :sha1fp: 3B:BF:06:89:BC:79:3F:FD:B7:CB:02:FD:97:82:26:C4:0E:6A:F8:DB
+ :issuer: CA Cert Signing Authority
+
+* :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 and Class 3 CA
+ certificates (allowed CA certificates for client certificates)
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+* :file:`/etc/apache2/conf.d/openerp-httpd.conf`
+
+ Defines the WSGI setup for OpenERP
+
+* :file:`/etc/apache2/sites-available/default`
+
+ Defines the HTTP to HTTPS redirection
+
+* :file:`/etc/apache2/sites-available/default-ssl`
+
+ Defines the HTTPS and client authentication configuration
+
+* :file:`/var/local/ssl/http_fake_auth.passwd`
+
+ Defines the authorized users based on the DN in their client certificate
+
+.. index::
+ single: cron; CRL
+ single: CRL
+
+CRL update job
+--------------
+
+:file:`/etc/cron.hourly/update-crls`
+
+.. index::
+ pair: OpenERP; configuration
+
+OpenERP configuration
+---------------------
+
+:file:`/etc/openerp/openerp-server.conf`
+
+This file configures the database that is used by OpenERP and the interface
+that the XML-RPC service binds to.
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: disable unneeded Apache modules
+
+.. todo:: setup IPv6
+
+.. todo:: consider using a centralized PostgreSQL instance
+
+Changes
+=======
+
+System Future
+-------------
+
+.. todo:: system should be updated to Debian 8/9
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+OpenERP 7.0 documentation
+ https://doc.odoo.com/
diff --git a/docs/systems/bugs.rst b/docs/systems/bugs.rst
new file mode 100644
index 0000000..39e9193
--- /dev/null
+++ b/docs/systems/bugs.rst
@@ -0,0 +1,356 @@
+.. index::
+ single: Systems; Bugs
+
+====
+Bugs
+====
+
+Purpose
+=======
+
+This system provides the public bug tracker for the CAcert community.
+
+Application Links
+-----------------
+
+Bugtracker
+ https://bugs.cacert.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_neo`
+* Secondary: :ref:`people_jandd`
+* Secondary: :ref:`people_dirk`
+
+Application Administration
+--------------------------
+
++----------------------+--------------------------------------------+
+| Application | Administrator(s) |
++======================+============================================+
+| Mantis Administrator | :ref:`people_neo`, :ref:`people_mario`, |
+| | :ref:`people_dirk`, :ref:`people_jandd`, |
+| | :ref:`people_ted`, :ref:`people_philipp` |
++----------------------+--------------------------------------------+
+| Mantis Manager | |
++----------------------+--------------------------------------------+
+
+Contact
+-------
+
+* bugs-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` and :ref:`people_dirk` have :program:`sudo` access on that
+machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.232`
+:IP Intranet: :ip:v4:`172.16.2.16`
+:IP Internal: :ip:v4:`10.0.0.16`
+:MAC address: :mac:`00:ff:fe:13:14:7a` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Bugs
+
+======================== ======== ====================================================================
+Name Type Content
+======================== ======== ====================================================================
+bugs.cacert.org. IN A 213.154.225.232
+bugs.cacert.org. IN SSHFP 1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8
+bugs.cacert.org IN SSHFP 1 2 51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a
+bugs.cacert.org. IN SSHFP 2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2
+bugs.cacert.org IN SSHFP 2 2 7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892
+bugs.cacert.org IN SSHFP 3 1 72737bd1240b446c2b8e0aad0acff889e3b72ec7
+bugs.cacert.org IN SSHFP 3 2 152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44
+bugs.cacert.org IN SSHFP 4 1 bb6b5f8599c3a93383392b80cc029a0d65ffc7f1
+bugs.cacert.org IN SSHFP 4 2 caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15
+bugs.intra.cacert.org. IN A 172.16.2.16
+======================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.4
+
+* Debian GNU/Linux 9.4
+
+Applicable Documentation
+------------------------
+
+That's it
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+--------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+--------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+--------------------------------+
+| 80/tcp | http | ANY | web server for bug tracker |
++----------+---------+---------+--------------------------------+
+| 443/tcp | https | ANY | web server for bug tracker |
++----------+---------+---------+--------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+--------------------------------+
+| 3306/tcp | mysql | local | MySQL database for bug tracker |
++----------+---------+---------+--------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: MySQL
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for bug | init script |
+| | tracker | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for bug | :file:`/etc/init.d/mysql` |
+| | tracker | |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
+.. index::
+ pair: MySQL database; mantis
+
++-------+--------+--------------------+
+| RDBMS | Name | Used for |
++=======+========+====================+
+| MySQL | mantis | Mantis bug tracker |
++-------+--------+--------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* crl.cacert.org (rsync) for getting CRLs
+* HTTP (80/tcp) to :doc:`git`
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:UfECWISdEZTygt6w2pcAkBZCPV8LKKAFalUcTzjChwo MD5:59:41:a6:da:9f:64:87:85:76:6f:ad:d5:5f:a8:50:45
+ :DSA: SHA256:djKopA8VNKOvo8Yw0GIGLdI8ex/ST8UYM02Cz6SXeJI MD5:17:ef:36:49:60:6e:bb:36:fd:ef:d9:77:90:59:00:a9
+ :ECDSA: SHA256:FS/J+NfXKXmEZ1fbf6QzvT9jQM0NzrzOXWgeYNxGykQ MD5:a2:ee:46:14:c0:31:53:2a:b3:d1:34:82:02:df:ab:bc
+ :ED25519: SHA256:yqUuTF3ezF7hRKoraWUQGWH/fnUYBjtDkI0TPxzfbhU MD5:54:67:22:bf:2d:ae:35:1f:fd:13:98:ee:af:3a:f3:07
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+.. index::
+ pair: non-distribution package; Mantis
+
+* Mantis installed in /srv/mantis (linked to /srv/mantisbt-2.4.2)
+* custom built `certificate authentication`-plugin by :ref:`people_dirk`
+ https://github.com/dastrath/CertificateAuthentication_Mantis
+* For client certificate authentication a Class-3 client certificate issued by
+ CAcert is needed, 1st email-adress in certificate has to match email-adress in
+ account
+
+.. _mantis: https://www.mantisbt.org/
+
+Risk assessments on critical packages
+-------------------------------------
+
+Mantis as a PHP application is vulnerable to common PHP problems. The system
+has to be kept up-to-date with OS patches. The custom built mantis package has
+to be updated when new releases are provided upstream.
+
+Administrators for this system should subscribe to the
+mantisbt-announce@lists.sourceforge.net list to get notified when updates are
+released.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: bugs.cacert.org
+ :altnames: DNS:bugs.cacert.org
+ :certfile: /etc/ssl/public/bugs.c.o.crt
+ :keyfile: /etc/ssl/private/bugs.c.o.key
+ :serial: 02BEFD
+ :expiration: Mar 03 13:08:19 2020 GMT
+ :sha1fp: DB:16:71:13:60:38:AD:21:A7:36:CA:5A:D2:65:75:4D:C5:3C:C8:15
+ :issuer: CAcert Class 3 Root
+
+.. index::
+ pair: Mantis; configuration
+
+Mantis configuration
+--------------------
+
+The Mantis bug tracker configuration is stored in the directory
+:file:`/etc/mantis/`.
+
+* :file:`config_inc.php` contains the database settings for Mantis
+* :file:`config_local.php` the main configuration file, including custom bug states
+* :file:`custom_constants_inc.php` defines custom constants. Required for the
+ non-default bug states
+* :file:`custom_strings_inc.php` defines custom string definitions. Required
+ for the non-default bug states
+
+.. note::
+
+ Localisation for these could go here but currently I would avoid that so all
+ developers have the same vocabulary.
+
+ -- :ref:`people_neo` 2011-07-04 02:44:45
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
+changed to add some additional headers to improve client security:
+
+.. literalinclude:: ../configdiff/bugs/apache/bugs-apache-config.diff
+ :language: diff
+
+The :index:`Mantis VirtualHost <pair: bugs.cacert.org; VirtualHost>` is
+configured in :file:`/etc/apache2/sites-available/mantis` (shared
+configuration) that includes configuration from the mantis package provided
+:file:`/etc/apache2/conf.d/mantis` file,
+:file:`/etc/apache2/sites-available/mantis-nossl.conf` (HTTP VirtualHost) and
+:file:`/etc/apache2/sites-available/mantis-ssl.conf` (HTTPS VirtualHost).
+
+.. index::
+ pair: MySQL; configuration
+
+MySQL configuration
+-------------------
+
+MySQL configuration is stored in the :file:`/etc/mysql/` directory.
+
+.. index::
+ pair: rsyslog; configuration
+
+Rsyslog configuration
+---------------------
+
+Rsyslog has been configured to disable draining the kernel log:
+
+.. code-block:: diff
+
+ --- orig/etc/rsyslog.conf 2015-12-14 13:34:27.000000000 +0100
+ +++ bugs/etc/rsyslog.conf 2015-03-03 22:22:44.385835152 +0100
+ @@ -9,7 +9,7 @@
+ #################
+
+ $ModLoad imuxsock # provides support for local system logging
+ -$ModLoad imklog # provides kernel logging support
+ +#$ModLoad imklog # provides kernel logging support
+ #$ModLoad immark # provides --MARK-- message capability
+
+ # provides UDP syslog reception
+
+The :program:`postfix` package installed :file:`/etc/rsyslog.d/postfix.conf` to
+add an additional logging socket in the Postfix chroot.
+
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: setup IPv6
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Mantis Bugtracker documentation
+ https://www.mantisbt.org/documentation.php
+Apache httpd documentation
+ https://httpd.apache.org/docs/2.4/
diff --git a/docs/systems/cats.rst b/docs/systems/cats.rst
new file mode 100644
index 0000000..43f1b9e
--- /dev/null
+++ b/docs/systems/cats.rst
@@ -0,0 +1,381 @@
+.. index::
+ single: Systems; CATS
+
+====
+CATS
+====
+
+Purpose
+=======
+
+This system provides the CAcert Assurer Training System (CATS), which is used
+to perform the Assurer Challenge.
+
+Application Links
+-----------------
+
+CATS
+ https://cats.cacert.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_ted`
+* Secondary: :ref:`people_jandd`
+
+Application Administration
+--------------------------
+
++-------------+-------------------+
+| Application | Administrator(s) |
++=============+===================+
+| CATS | :ref:`people_ted` |
++-------------+-------------------+
+
+Contact
+-------
+
+* cats-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` and :ref:`people_wytze` have :program:`sudo` access on that
+machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.243`
+:IP Intranet: :ip:v4:`172.16.2.27`
+:IP Internal: :ip:v4:`10.0.0.27`
+:MAC address: :mac:`00:ff:53:2d:a0:65` (interfacename)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; CATS
+
+====================== ======== ====================================================================
+Name Type Content
+====================== ======== ====================================================================
+cats.cacert.org. IN A 213.154.225.243
+cats.cacert.org. IN SSHFP 1 1 D29D4CC4662D5CB5F42C02823CA8677F05439589
+cats.cacert.org. IN SSHFP 1 2 605AF57CE0F1ECF8EEAC5C71901F1434BF65C06FC0796B932D0F10F21DDF65FE
+cats.cacert.org. IN SSHFP 2 1 0342EB1E7325EB90A1C0483DE3D6597E36E569C8
+cats.cacert.org. IN SSHFP 2 2 0835241A5B1905097C332B176FAEC92E05C690169BA125184F3FE2C9612D9718
+cats.cacert.org. IN SSHFP 3 1 CC7F9EDC6F2B9CE4A3F3953FF97C951572BA0F8C
+cats.cacert.org. IN SSHFP 3 2 1F54953C96DE0E93CD19E66CA25085D6773CEEFD3C376BE2E77C1A337CCD008D
+cats.intra.cacert.org. IN A 172.16.2.27
+====================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.11
+
+* Debian GNU/Linux 7.11
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+-----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+=============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+-----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+-----------------------------+
+| 80/tcp | http | ANY | CATS |
++----------+---------+---------+-----------------------------+
+| 443/tcp | https | ANY | CATS |
++----------+---------+---------+-----------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+-----------------------------+
+| 3306/tcp | mysql | local | MySQL database for CATS |
++----------+---------+---------+-----------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: MySQL
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for CATS | init script |
+| | | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for CATS | :file:`/etc/init.d/mysql` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
+.. index::
+ pair: MySQL database; cats_cats
+
++------------+--------------+---------------------------+
+| RDBMS | Name | Used for |
++============+==============+===========================+
+| MySQL | cats_cats | CATS database |
++------------+--------------+---------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* crl.cacert.org (rsync) for getting CRLs
+* HTTPS (443/tcp) to :doc:`secure.cacert.org <../critical/webdb>` for pushing
+ test results
+* HTTPS (443/tcp) to :doc:`svn` for subversion access
+* HTTPS (443/tcp) to `github.com <https://github.com>`_
+
+.. todo:: disable subversion access
+
+Security
+========
+
+.. sshkeys::
+ :RSA: d4:1f:0a:c9:a6:18:7a:a4:72:6b:42:5d:8e:63:44:1f
+ :DSA: 0c:0a:94:fc:99:b2:49:a2:41:3a:59:3f:dd:3d:e4:33
+ :ECDSA: bc:28:fb:72:b9:e3:cb:0f:a0:ff:d2:38:8a:ac:6d:93
+
+.. todo:: setup ED25519 host key (needs update to Jessie)
+
+Dedicated user roles
+--------------------
+
++-------+----------------------------------------------------------+
+| Group | Purpose |
++=======+==========================================================+
+| cats | The cats group is meant to maintain the CATS application |
++-------+----------------------------------------------------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+The CATS software is a custom PHP based system. The application is contained in
+:file:`/home/cats/public_html`. The current repository is at
+https://github.com/CAcertOrg/cats, historic versions are available at
+https://svn.cacert.org/CAcert/Education/CATS. `Instructions for CATS setup
+<https://github.com/CAcertOrg/cats/blob/release/INSTALL.txt>`_ can be found in
+the git repository.
+
+CATS requires client certificate authentication setup in the Apache httpd
+server.
+
+.. todo:: add a Vagrantfile to allow easy CATS testing setups
+
+
+Risk assessments on critical packages
+-------------------------------------
+
+CATS as a PHP application is vulnerable to common PHP problems. The system
+has to be kept up-to-date with OS patches.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+The server certificate for the CATS web application.
+
+.. sslcert:: cats.cacert.org
+ :altnames: DNS:cats.cacert.org
+ :certfile: /home/cats/ssl/certs/cats_cert.pem
+ :keyfile: /home/cats/ssl/private/cats_privatekey.pem
+ :serial: 1381F7
+ :expiration: Mar 16 10:59:35 2020 GMT
+ :sha1fp: 8E:26:FE:E9:EE:86:35:D4:F4:E9:AE:7C:85:78:0A:A9:5B:AD:CE:53
+ :issuer: CA Cert Signing Authority
+
+.. _cats_client_cert:
+
+Client certificate for pushing results to secure.cacert.org.
+
+.. sslcert:: cats@cacert.org
+ :altnames: EMAIL:cats@cacert.org
+ :certfile: /home/cats/private/cert_201605.pem
+ :keyfile: /home/cats/private/key_201605.pem
+ :serial: 0266AE
+ :expiration: May 7 21:14:39 2016 GMT
+ :sha1fp: F9:8D:DC:67:68:30:5D:46:84:DE:77:F1:70:1A:E1:F7:9C:F4:DC:9A
+ :issuer: CAcert Class 3 Root
+
+.. todo:: move certificates to :file:`/etc/ssl/public` and keys to
+ :file:`/etc/ssl/private`
+
+* :file:`/usr/share/ca-certificates/cacert.org/cacert.org.crt` CAcert.org Class
+ 1 and Class 3 CA certificates (allowed CA certificates for client certificates
+ and certificate chain for server certificate)
+* :file:`/home/cats/public_html/education.txt` is a symbolic link pointing to
+ the most current client certificate issued to the education@cacert.org
+ address.
+
+.. index::
+ pair: CATS; configuration
+
+CATS configuration
+------------------
+
+CATS configuration is stored in files in
+:file:`/home/cats/public_html/index.php` (roughly based on
+:file:`index.php.template` from git) and
+:file:`/home/cats/public_html/includes/db_connect.inc`.
+
+.. todo:: move CATS configuration to :file:`/etc/`
+.. todo:: refactor CATS to not store configuration in the PHP session
+
+CATS uses two cronjobs in the cats user's crontab::
+
+ # m h dom mon dow command
+ MAILTO=bernhard@cacert.org
+ */5 * * * * /home/cats/tools/do_upload
+ # Reduced upload rate during problems...
+ #0 * * * * /home/cats/tools/do_upload
+ 35 4 * * * /home/cats/tools/do_backup
+
+The :file:`do_upload` job uses the client :ref:`certificate for cats@cacert.org
+<cats_client_cert>` to authenticate to secure.cacert.org.
+
+The :file:`do_backup` job creates a backup of the *cats_cats* MySQL database.
+The backups are rotated (9 copies are kept) and encrypted to PGP keys of
+:ref:`people_ted` and :ref:`people_philipp`. The job also attempts to fetch a
+database dump from http://cats1.it-sls.de/dump.gz and store it in
+:file:`/home/cats/dumps/dump.dev.gz`. This functionality is broken.
+
+.. todo:: either fix fetching from the test system or remove this functionality
+.. todo:: use :file:`/etc/cron.d` instead of user specific crontab
+.. todo:: put the scripts in :file:`/home/cats/tools/` into git
+
+.. seealso::
+
+ Instructions for `CATS translation
+ <https://wiki.cacert.org/Brain/Study/EducationTraining/CATSTranslation>`_
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
+modified to improve TLS settings and define an HTTP and an HTTPS VirtualHost
+for cats.cacert.org.
+
+.. literalinclude:: ../configdiff/cats/apache/cats-apache-config.diff
+ :language: diff
+
+.. index::
+ pair: logrotate; configuration
+
+logrotate configuration
+-----------------------
+
+CATS specific Apache httpd logfiles are rotated by logrotate. The rotation is
+controlled by a separate configuration in :file:`/etc/logrotate.d/cats`:
+
+.. literalinclude:: ../configdiff/cats/logrotate/cats
+
+.. index::
+ pair: MySQL; configuration
+
+MySQL configuration
+-------------------
+
+MySQL configuration is stored in the :file:`/etc/mysql/` directory.
+
+.. index::
+ pair: Postfix; configuration
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: update to Debian Jessie
+.. todo:: setup IPv6
+.. todo:: setup CRL checks
+
+Changes
+=======
+
+System Future
+-------------
+
+.. todo:: system should be updated to Debian 8/9
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+PHP documentation
+ https://secure.php.net/manual/en/
diff --git a/docs/systems/email.rst b/docs/systems/email.rst
new file mode 100644
index 0000000..5b319cc
--- /dev/null
+++ b/docs/systems/email.rst
@@ -0,0 +1,575 @@
+.. index::
+ single: Systems; Email
+
+=====
+Email
+=====
+
+Purpose
+=======
+
+This system handles email for @cacert.org addresses. It also provides users of
+@cacert.org with IMAPs and POP3s access to their accounts.
+
+The database on this container is used by :doc:`webmail` too.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jselzer`
+* Secondary: :ref:`people_jandd`
+
+Contact
+-------
+
+* email-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` has :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.228`
+:IP Intranet: :ip:v4:`172.16.2.19`
+:IP Internal: :ip:v4:`10.0.0.19`
+:MAC address: :mac:`00:ff:8f:e0:4a:90` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Email
+
+======================= ======== ============================================
+Name Type Content
+======================= ======== ============================================
+email.cacert.org. IN A 213.154.225.228
+email.cacert.org. IN SSHFP 1 1 BF391FD72656A275524D1D25A624C6045B44AE90
+email.cacert.org. IN SSHFP 2 1 73B0D8ACB492A7187016DD3C5FC1519B309A550F
+email.intra.cacert.org. IN A 172.16.2.19
+======================= ======== ============================================
+
+A DKIM record for cacert.org ist setup but no DKIM signing is active currently.
+
+.. todo:: setup DKIM properly, see :bug:`696` for an older discussion
+
+.. todo:: setup SPF records when the system is ready, see :bug:`492` for an
+ older discussion
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Lenny
+ single: Debian GNU/Linux; 5.0.10
+
+* Debian GNU/Linux 5.0.10
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+----------------+----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+================+========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+----------------+----------------------------------------+
+| 25/tcp | smtp | ANY | mail receiver for cacert.org |
++----------+---------+----------------+----------------------------------------+
+| 110/tcp | pop3 | ANY | POP3 access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 143/tcp | imap | ANY | IMAP access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 465/tcp | smtps | ANY | SMTPS for cacert.org mail addresses |
++----------+---------+----------------+----------------------------------------+
+| 587/tcp | smtp | ANY | mail submission for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 993/tcp | imaps | ANY | IMAPS access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 995/tcp | pop3s | ANY | POP3S access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 2000/tcp | sieve | ANY | Manage sieve access for cacert.org |
+| | | | mail addresses |
++----------+---------+----------------+----------------------------------------+
+| 2001/tcp | sieve | :doc:`webmail` | Manage sieve access for cacert.org |
+| | | | mail addresses without TLS, accessible |
+| | | | from ``172.16.2.20`` only |
++----------+---------+----------------+----------------------------------------+
+| 3306/tcp | mysql | local | MySQL database server |
++----------+---------+----------------+----------------------------------------+
+| 4433/tcp | http | local | Apache httpd with phpmyadmin |
++----------+---------+----------------+----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+----------------+----------------------------------------+
+
+.. topic:: PHPMyAdmin access
+
+ Administrators can use ssh to forward the Apache httpd HTTPS port to their
+ own machine:
+
+ .. code-block:: bash
+
+ ssh -L 4433:localhost:4433 -l username email.cacert.org
+
+ and access PHPMyAdmin at https://localhost:4433/
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: MySQL
+ single: Postfix
+ single: cron
+ single: dovecot
+ single: nrpe
+ single: openssh
+ single: pysieved
+ single: rsyslog
+ single: xinetd
+
++--------------------+---------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+=====================+========================================+
+| Apache httpd | Webserver for | init script |
+| | phpmyadmin | :file:`/etc/init.d/apache2` |
++--------------------+---------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+---------------------+----------------------------------------+
+| dovecot | IMAP(s) and POP3(s) | init script |
+| | daemon | :file:`/etc/init.d/dovecot` |
++--------------------+---------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for email | :file:`/etc/init.d/mysql` |
+| | services | |
++--------------------+---------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+---------------------+----------------------------------------+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+---------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | cacert.org | :file:`/etc/init.d/postfix` |
++--------------------+---------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+---------------------+----------------------------------------+
+| xinetd | socket listener | init script |
+| | for pysieved | :file:`/etc/init.d/xinetd` |
++--------------------+---------------------+----------------------------------------+
+
+Databases
+---------
+
++-------+----------------+----------------------------------+
+| RDBMS | Name | Used for |
++=======+================+==================================+
+| MySQL | cacertusers | database for dovecot and postfix |
++-------+----------------+----------------------------------+
+| MySQL | postfixpolicyd | empty database |
++-------+----------------+----------------------------------+
+| MySQL | roundcubemail | roundcube on :doc:`webmail` |
++-------+----------------+----------------------------------+
+
+.. todo:: check whether the empty postfixpolicyd database is required
+
+.. todo:: consider moving the databases to a new central MySQL service
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`webmail`
+* all @cacert.org address owners have access to POP3 (STARTTLS and POP3S), IMAP
+ (STARTTLS and IMAPS), SMTPS, SMTP submission (STARTTLS) and manage sieve
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`proxyout` as HTTP proxy for APT
+* :doc:`issue` for OTRS mail
+* :doc:`lists` for mailing lists
+* arbitrary Internet SMTP servers for outgoing mail
+
+Security
+========
+
+.. sshkeys::
+ :RSA: a1:d2:17:53:6b:0f:b6:a4:14:13:46:f7:04:ef:4a:23
+ :DSA: f4:eb:0a:36:40:1c:55:6b:75:a2:26:34:ea:18:7e:91
+
+.. warning::
+
+ The system is too old to support ECDSA or ED25519 keys.
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+Tlslite in :file:`/usr/local/lib/tlslite-0.3.8/` has been patched to handle
+GeneratorExit exceptions. The original tlslite 0.3.8 is stored in
+:file:`/usr/local/lib/tlslite-0.3.8-orig/`.
+
+Pysieved in :file:`/usr/local/lib/pysieved.neale/` seems to be a git clone from
+2009 originating from http://woozle.org/~neale/repos/pysieved at commit
+``d9b67036387a9a7aca954a17ff6fec44a8d309e0`` with no local modifications.
+
+:file:`/usr/local/lib/pysieved` is a symbolic link to
+:file:`/usr/local/lib/pysieved.neale/`.
+
+.. todo:: use pysieved, python-tlslite and dovecot-sieve from distribution
+ packages after OS upgrade
+
+
+Risk assessments on critical packages
+-------------------------------------
+
+The whole system is outdated, it needs to be replaced as soon as possible.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+Server certificate for SMTP communication from the Internet and PHPMyAdmin.
+
+.. sslcert:: email.cacert.org
+ :altnames: DNS:email.cacert.org
+ :certfile: /etc/ssl/certs/ssl-cert-email-cacert.pem
+ :keyfile: /etc/ssl/private/ssl-cert-email-cacert.key
+ :serial: 1381FA
+ :expiration: Mar 16 11:23:55 2020 GMT
+ :sha1fp: 3A:EC:11:D0:78:6C:99:34:F2:45:A5:DF:08:90:94:1F:67:2C:6F:47
+ :issuer: CA Cert Signing Authority
+
+Server certificate for community email services (SMTPS, SMTP submission in
+Postfix and IMAP with STARTTLS, IMAPS, POP3 with STARTTLS, POP3S and pysieved)
+
+.. sslcert:: community.cacert.org
+ :certfile: /etc/ssl/certs/ssl-cert-community-cacert.pem
+ :keyfile: /etc/ssl/private/ssl-cert-community-cacert.key
+ :serial: 1381F8
+ :secondary:
+
+* :file:`/etc/postfix/dh_1024.pem` and :file:`/etc/postfix/dh_512.pem`
+ Diffie-Hellman parameter files for Postfix
+
+.. note::
+
+ Postfix uses the email.cacert.org certificate for client authentication if
+ requested by a target server.
+
+ .. todo::
+ check whether it makes sense to use a separate certificate for that
+ purpose
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+:file:`/etc/apache2/sites-available/adminssl` configures a VirtualHost that
+allows dedicated users to access a PHPMyAdmin instance. The allowed users are
+authenticated by client certificates and are authorized by an entry in
+:file:`/etc/apache2/phpmyadmin.passwd`.
+
+.. note::
+
+ to authorize a user you need the subject distinguished name of the user's
+ client certificate which can be extracted with::
+
+ openssl x509 -noout -subject -in certificate.crt
+
+ A line with the subject distinguished name and the fake password
+ ``xxj31ZMTZzkVA`` separated by colon have to be added to
+ :file:`/etc/apache2/phpmyadmin.passwd`::
+
+ /CN=Example User/emailAddress=example@cacert.org:xxj31ZMTZzkVA
+
+.. seealso::
+
+ FakeBasicAuth option of the `SSLOptions
+ <https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions>`_
+ directive in the mod_ssl reference documentation.
+
+.. index::
+ pair: MySQL; configuration
+
+MySQL configuration
+-------------------
+
+MySQL configuration is stored in the :file:`/etc/mysql/` directory.
+
+.. index::
+ pair: MySQL; NSS
+ single: libnss-mysql
+
+.. _nss:
+
+NSS configuration
+-----------------
+
+The libc name service switch is configured to use MySQL lookups for passwd,
+group and shadow via :file:`/etc/nsswitch.conf`. The queries are configured in
+:file:`/etc/libnss-mysql.cfg` and the root user for reading shadow information
+is configured in :file:`/etc/libnss-mysql-root.cfg`.
+
+.. index::
+ pair: PHPMyAdmin; configuration
+
+PHPMyAdmin configuration
+------------------------
+
+PHPMyAdmin configuration is stored in the :file:`/etc/phpmyadmin/` directory.
+
+.. index::
+ pair: dovecot; configuration
+
+Dovecot configuration
+---------------------
+
+Dovecot configuration is stored in the :file:`/etc/dovecot/` directory. The
+database settings are stored in
+:file:`dovecot-sql-masterpassword-webmail.conf`.
+
+.. index::
+ pair: dovecot; authentication
+
+.. topic:: Dovecot authentication
+
+ :file:`/etc/dovecot/dovecot.conf` refers to PAM mail. PAM mail is defined
+ :file:`/etc/pam.d/mail`. System users are defined by NSS which is a
+ combination of :file:`/etc/passwd` (for root and non-imap/pop users) and
+ :file:`/etc/libnss-mysql*` (see `nss`_).
+
+ There is a special master password so that webmail can do the authentication
+ for dovecot using certificates. This is defined in
+ :file:`/etc/dovecot/dovecot-sql-masterpassword-webmail.conf`. This special
+ password is restricted to the IP address of Community.
+
+.. index::
+ pair: Postfix; configuration
+
+Postfix configuration
+---------------------
+
+Postfix configuration is stored in the :file:`/etc/postfix/` directory. The
+following files are special for this setup:
+
++----------------+-------------------------------------------------------------+
+| File | Used for |
++================+=============================================================+
+| arbitration | rewrite recipients matching specific regular expressions to |
+| | support+deletedaccounts@cacert.org and |
+| | support@issue.cacert.org |
++----------------+-------------------------------------------------------------+
+| cacert-inc-bcc | used as recipient_bcc_maps for specific functional mail |
+| | addresses |
++----------------+-------------------------------------------------------------+
+| main.cf | the main configuration file |
++----------------+-------------------------------------------------------------+
+| master.cf | adds configuration for the community SMTPS and SMTP |
+| | submission transports |
++----------------+-------------------------------------------------------------+
+| mysql-\*.cf | configuration of several MySQL queries for alias mapping, |
+| | Postfix operates on views for the user table |
++----------------+-------------------------------------------------------------+
+| transport | forward email for lists.cacert.org to :doc:`lists` and for |
+| | issue.cacert.org to :doc:`issue` |
++----------------+-------------------------------------------------------------+
+
+.. todo:: consider to send all outgoing mail via :doc:`emailout`
+
+.. todo:: remove unused transports from :file:`master.cf`
+
+.. index::
+ pair: pysieved; configuration
+
+PySieved configuration
+----------------------
+
+:file:`/usr/local/etc/pysieved.ini` for regular manage sieve access and
+:file:`/usr/local/etc/pysieved-notls.ini` for use with Roundcube webmail.
+Pysieved uses dovecot for authentication.
+
+.. index::
+ pair: rsyslog; configuration
+
+Rsyslog configuration
+---------------------
+
+Rsyslog is configured in :file:`/etc/rsyslog.conf` which includes files in
+:file:`/etc/rsyslog.d/`. Consumption of kernel log messages and network input
+is disabled. :file:`/etc/rsyslog.d/postfix.conf` configures a separate unix
+socket to receive log messages from postfix and
+:file:`/etc/rsyslog.d/remotelog.conf` contains commented settings for a
+non-existant remote syslog server.
+
+.. todo:: setup remote logging when a central logging container is available
+
+.. index::
+ pair: xinetd; configuration
+
+Xinetd configuration
+--------------------
+
+Xinetd listens on tcp ports 2000 and 2001 and spawn pysieved. Configuration for
+these listeners is stored in :file:`/etc/xinetd.d/pysieved` and
+:file:`/etc/xinetd.d/pysieved-notls`.
+
+Email storage
+-------------
+
+Mail for :samp:`{user}` is stored in :samp:`/home/{user}/Maildir`.
+
+.. todo::
+ move mail storage to a separate data volume to allow easier backup and OS
+ upgrades
+
+Tasks
+=====
+
+.. index::
+ single: add email users
+
+Adding email users
+------------------
+
+1. create user in the database table ``cacertusers.user``:
+
+ .. code-block:: bash
+
+ mysql -p cacertusers
+
+ .. code-block:: sql
+
+ INSERT INTO user (username, fullnamealias, realname, password)
+ VALUES ('user', 'user.name', 'User Name', '$1$salt$passwordhash')
+
+2. create the user's home directory and Maildir:
+
+ :samp:`install -o {user} -g {user} -m 0755 -d /home/{user}/Maildir`
+
+.. note::
+
+ * a valid password hash for the password ``secret`` is
+ ``$1$caea3837$gPafod/Do/8Jj5M9HehhM.``
+ * users can reset their password via
+ https://community.cacert.org/password.php on :doc:`webmail`
+ * use the :download:`mail template
+ <../downloads/template_new_community_mailaddress.rfc822>` to send out to a
+ user's non-cacert.org mail account and make sure to encrypt the mail to a
+ known public key of that user
+
+.. todo::
+ implement tooling to automate password salt generation and user creation
+
+Setting up mail aliases
+-----------------------
+
+There are two types of aliases.
+
+1. The first type are those that are never sent from. e.g.
+ postmaster@cacert.org. All these aliases are defined in
+ :file:`/etc/aliases`. Don't forget to run
+
+ .. code-block:: bash
+
+ postalias /etc/aliases
+
+ after any changes. Aliases for issue tracking are installed here as
+ :samp:`{issuetrackingaddress} : {issuetrackingaddress}@issue.cacert.org`.
+
+2. The second type are those aliases that are used to send email too, e.g
+ pr@cacert.org. These aliases are recorded in the aliases table on the
+ cacertusers database. The reason for this implementation is to only allow
+ the designated person to send email from this email address.
+
+Planned
+-------
+
+.. todo:: implement CRL checking
+
+.. todo:: setup IPv6
+
+.. todo::
+ throttle brute force attack attempts using fail2ban or similar mechanism
+
+.. todo::
+ consider to use LDAP to consolidate user, password and email information
+
+* there were plans for X.509 certificate authentication for mail services, but
+ there is no progress so far
+
+Changes
+=======
+
+System Future
+-------------
+
+.. todo::
+ The system has to be replaced with a new system using a current operating
+ system version
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+ * :wiki:`SystemAdministration/Systems/Email` for some discussion on legal
+ implications related to mail archiving
+
+References
+----------
+
+Postfix documentation
+ http://www.postfix.org/documentation.html
+Postfix Debian wiki page
+ https://wiki.debian.org/Postfix
+Dovecot 1.x wiki
+ http://wiki1.dovecot.org/FrontPage
diff --git a/docs/systems/emailout.rst b/docs/systems/emailout.rst
new file mode 100644
index 0000000..5993eee
--- /dev/null
+++ b/docs/systems/emailout.rst
@@ -0,0 +1,332 @@
+.. index::
+ single: Systems; Emailout
+
+========
+Emailout
+========
+
+Purpose
+=======
+
+This system is used as outgoing mail relay for other infrastructure services.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: :ref:`people_jselzer`
+
+Contact
+-------
+
+* emailout-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` has :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.239`
+:IP Intranet: :ip:v4:`172.16.2.10` (outbound SNAT) and :ip:v4:`172.16.2.32`
+:IP Internal: :ip:v4:`10.0.0.32`
+:MAC address: :mac:`00:ff:12:01:65:02` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Emailout
+
+========================== ======== ====================================================================
+Name Type Content
+========================== ======== ====================================================================
+emailout.cacert.org. IN A 213.154.225.239
+emailout.cacert.org. IN SSHFP 1 1 1ba1ab632911e8a68a69521130120695086d858c
+emailout.cacert.org. IN SSHFP 1 2 6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055
+emailout.cacert.org. IN SSHFP 2 1 0e8888352604dbd1cc4d201bc1e985d80b9cf752
+emailout.cacert.org. IN SSHFP 2 2 a7402f014b47b805663c904dabbc9590db7d8d0f350cea6d9f63e12bc27bac0c
+emailout.cacert.org. IN SSHFP 3 1 527004f2091d2cef2c28b5f8241fc0e76307b2ba
+emailout.cacert.org. IN SSHFP 3 2 9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d
+emailout.intra.cacert.org. IN A 172.16.2.32
+========================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.4
+
+* Debian GNU/Linux 9.4
+
+Applicable Documentation
+------------------------
+
+The following packages where installed after the container setup::
+
+ apt-get install vim-nox screen aptitude git etckeeper postfix \
+ postfix-pcre opendkim opendkim-tools man-db rsyslog logrotate \
+ heirloom-mailx netcat-openbsd swaks
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | intranet | mail delivery from intranet MTAs |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: OpenDKIM
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| OpenDKIM | DKIM signing | init script |
+| | daemon | :file:`/etc/init.d/opendkim` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission, and | |
+| | mail relay for | |
+| | infrastructure | |
+| | systems | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* SMTP (25/tcp) from other infrastructure systems
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* SMTP (25/tcp) to :doc:`email`, :doc:`issue` and :doc:`lists`
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:blDVsgNABraet7oZ0/P9LEgBW+ors9XioPjPJf8DAFU MD5:56:09:89:92:af:3c:15:e4:a3:06:11:63:0e:be:b6:a2
+ :DSA: SHA256:p0AvAUtHuAVmPJBNq7yVkNt9jQ81DOptn2PhK8J7rAw MD5:6c:8d:31:c4:92:de:f0:a8:95:eb:fe:20:83:91:ca:07
+ :ECDSA: SHA256:kJTc+IYFI6g1QuxMxG+8/tOW9VJbwgLP7PQtGnBEE20 MD5:cb:3c:69:c5:a1:90:c6:8e:55:40:83:6c:10:3f:09:b4
+ :ED25519: SHA256:TOtIitF+p8jbFh/fM1fic9LqH+W+GDeUqs18S/36qKU MD5:04:ca:72:d0:21:0a:4a:8b:a5:f7:a2:2f:10:e5:3f:92
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+Postfix has a very good security reputation. The system is patched regularly.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. todo:: setup a proper certificate for incoming STARTTLS
+
+.. index::
+ pair: DKIM; Private Key
+ see: DKIM; OpenDKIM
+
+* :file:`/etc/dkim/2015.private` contains the RSA private key to be used for
+ :term:`DKIM` signing by OpenDKIM.
+
+.. index::
+ pair: DKIM; DNS
+ see: DNS; OpenDKIM
+
+* :file:`/etc/dkim/2015.txt` contains a textual DNS record representation for
+ the public component of the DKIM signing key
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Postfix; configuration
+
+Postfix configuration
+---------------------
+
+Postfix has been configured as outgoing email relay with very little changes to
+the default configuration.
+
+The mailname has been set to ``cacert.org`` in :file:`/etc/mailname`.
+
+Postfix configuration file:`/etc/postfix/main.cf` and :file:`/etc/postfix/dynamic_maps.cf` have been modified to:
+
+* set infrastructure related host and network parameters
+* allow regular expressions in maps
+* activate opportunistic TLS
+* prepare for DKIM support
+* disable local delivery
+
+.. literalinclude:: ../configdiff/emailout/postfix-main.cf
+ :language: text
+
+Emails sent to specific intranet hostnames are rewritten to their respective
+admin addresses in :file:`/etc/postfix/canonical_maps`:
+
+.. literalinclude:: ../configdiff/emailout/canonical_maps
+ :language: text
+
+Emails sent to specific cacert.org hostnames are forwarded via
+:file:`/etc/postfix/transport`:
+
+.. literalinclude:: ../configdiff/emailout/transport
+ :language: text
+
+:file:`/etc/postfix/transport` has to be rehashed if it is changed because
+Postfix uses a binary representation in :file:`/etc/postfix/transport.db`. To
+perform the rehashing and restart Postfix use::
+
+ postmap hash:/etc/postfix/transport
+ service postfix restart
+
+.. index::
+ pair: OpenDKIM; configuration
+
+OpenDKIM configuration
+----------------------
+
+.. todo::
+ enable OpenDKIM in Postfix configuration when the DNS record is in place and
+ :doc:`email` is ready for DKIM too or is configured to send mail via
+ emailout.
+
+The OpenDKIM configuration is stored in :file:`/etc/opendkim.conf`. The
+following lines have been added:
+
+.. code:: diff
+
+ --- opendkim.conf.dpkg-dist 2017-09-04 00:17:50.000000000 +0000
+ +++ opendkim.conf 2018-02-16 13:38:55.545110292 +0000
+ @@ -13,6 +13,11 @@
+ #Domain example.com
+ #KeyFile /etc/dkimkeys/dkim.key
+ #Selector 2007
+ +Domain cacert.org
+ +KeyFile /etc/dkim/2015.private
+ +Selector 2015
+ +
+ +InternalHosts /etc/dkim/internalhosts
+
+ # Commonly-used options; the commented-out versions show the defaults.
+ #Canonicalization simple
+ @@ -31,7 +36,7 @@
+ # ## local:/path/to/socket to listen on a UNIX domain socket
+ #
+ #Socket inet:8892@localhost
+ -Socket local:/var/run/opendkim/opendkim.sock
+ +Socket local:/var/spool/postfix/opendkim/opendkim.sock
+
+ ## PidFile filename
+ ### default (none)
+
+The key has been generated with::
+
+ mkdir /etc/dkim
+ cd /etc/dkim
+ opendkim-genkey -d cacert.org -s 2015
+
+Internal networks have been defined in :file:`/etc/dkim/internalhosts` as::
+
+ 127.0.0.1
+ 10.0.0.0/24
+ 172.16.2.0/24
+
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: setup IPv6
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Postfix documentation
+ http://www.postfix.org/documentation.html
+Postfix Debian wiki page
+ https://wiki.debian.org/Postfix
+OpenDKIM documentation
+ http://www.opendkim.org/docs.html
diff --git a/docs/systems/git.rst b/docs/systems/git.rst
new file mode 100644
index 0000000..4b59901
--- /dev/null
+++ b/docs/systems/git.rst
@@ -0,0 +1,374 @@
+.. index::
+ single: Systems; Git
+
+===
+Git
+===
+
+Purpose
+=======
+
+`Git`_ server for the :wiki:`Software` development and :wiki:`System
+Administration <SystemAdministration/Team>` teams.
+
+.. _Git: https://www.git-scm.com/
+
+Application Links
+-----------------
+
+Gitweb
+ http://git.cacert.org/gitweb/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++-------------+---------------------+
+| Application | Administrator(s) |
++=============+=====================+
+| Git | :ref:`people_jandd` |
++-------------+---------------------+
+| Gitweb | :ref:`people_jandd` |
++-------------+---------------------+
+
+Contact
+-------
+
+* git-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` and :ref:`people_neo` have :program:`sudo` access on that
+machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.250`
+:IP Intranet: :ip:v4:`172.16.2.250`
+:IP Internal: :ip:v4:`10.0.0.250`
+:MAC address: :mac:`00:ff:2e:b0:4b:1b` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Git
+
+===================== ======== ============================================
+Name Type Content
+===================== ======== ============================================
+git.cacert.org. IN A 213.154.225.250
+git.cacert.org. IN SSHFP 1 1 23C7622D6DB5822C809152C1C0FD9EA7838F76C6
+git.cacert.org. IN SSHFP 1 2 DABBE1766C7933071C4E6942A1DFC72C26D9D867D8DEE84BEDA210C8EF9EA2C5
+git.cacert.org. IN SSHFP 2 1 8509DB491902FE10AB84C8F24B02F10C1ADF0E7F
+git.cacert.org. IN SSHFP 2 2 00C20C26B6B9A026BBB11B5C45CBEC5D3AB44A039DC0F097CAD88374D3567D01
+git.cacert.org. IN SSHFP 3 1 60DE5788BD83ABC7F315B667F634BDA5DA8502ED
+git.cacert.org. IN SSHFP 3 2 132BD98483440124F6B8117148B02A66645477F53C18F974E4DECB32A7495644
+git.cacert.org. IN SSHFP 4 1 13D611007B43D073CF4D89784510398116623EB7
+git.cacert.org. IN SSHFP 4 2 40A61A25488FE01C056EAAFF703EF0FF9C6B01BEE00580A91B95741DFAA59751
+git.intra.cacert.org. IN A 172.16.2.250
+===================== ======== ============================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.4
+
+* Debian GNU/Linux 9.4
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+-----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+=============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+-----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+-----------------------------+
+| 80/tcp | http | ANY | application |
++----------+---------+---------+-----------------------------+
+| 443/tcp | https | ANY | application |
++----------+---------+---------+-----------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+-----------------------------+
+| 9418/tcp | git | ANY | Git daemon port |
++----------+---------+---------+-----------------------------+
+
+.. todo:: disable insecure git-daemon port and http for git, replace these with
+ https for read access and git+ssh for write access
+
+Running services
+----------------
+
+.. index::
+ single: Apache httpd
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+ single: git-daemon
+
++--------------------+---------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+=====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+---------------------+----------------------------------------+
+| Apache httpd | Webserver for | init script |
+| | gitweb | :file:`/etc/init.d/apache2` |
+| | | |
++--------------------+---------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+---------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+---------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+---------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+---------------------+----------------------------------------+
+| runit | service supervision | :file:`/etc/inittab` entry |
+| | for git-daemon | |
++--------------------+---------------------+----------------------------------------+
+| git-daemon | Daemon for native | runit service description in |
+| | Git protocol | :file:`/etc/sv/git-daemon/run` |
+| | access | |
++--------------------+---------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`jenkins` for git repository access
+
+Outbound network connections
+----------------------------
+
+* crl.cacert.org (rsync) for getting CRLs
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* :doc:`jenkins` for triggering web hooks
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:2rvhdmx5MwccTmlCod/HLCbZ2GfY3uhL7aIQyO+eosU MD5:b6:85:16:ad:57:a1:45:3c:33:e5:f1:64:04:0d:7a:ab
+ :DSA: SHA256:AMIMJra5oCa7sRtcRcvsXTq0SgOdwPCXytiDdNNWfQE MD5:27:e5:f3:95:b8:4e:73:48:b5:f2:28:8f:32:5a:96:70
+ :ECDSA: SHA256:EyvZhINEAST2uBFxSLAqZmRUd/U8GPl05N7LMqdJVkQ MD5:b2:f4:80:77:98:95:46:17:7a:9e:7d:73:65:6e:f4:9c
+ :ED25519: SHA256:QKYaJUiP4BwFbqr/cD7w/5xrAb7gBYCpG5V0Hfqll1E MD5:38:6b:90:f7:8b:c7:b2:cf:cd:86:29:5c:e4:03:fa:35
+
+Dedicated user roles
+--------------------
+
++-----------------+----------------------------------------------------+
+| Group | Purpose |
++=================+====================================================+
+| git-birdshack | access to :wiki:`BirdShack` git repositories |
++-----------------+----------------------------------------------------+
+| softass | Software assessors |
++-----------------+----------------------------------------------------+
+| git-boardvoting | access to board voting git repository |
++-----------------+----------------------------------------------------+
+| git-rccrtauth | access to Roundcube certificate authentication git |
+| | repository |
++-----------------+----------------------------------------------------+
+| git-infra | access to infrastructure git repositories |
++-----------------+----------------------------------------------------+
+
+.. todo:: think about regulating git access by a proper git repository manager
+ like gitolite or gitea
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+Gitweb has been modified to use https for `Gravatar`_ lookups:
+
+.. code-block:: diff
+
+ --- gitweb.cgi 2014-02-06 14:01:48.696730208 +0000
+ +++ /usr/share/gitweb/gitweb.cgi 2014-02-06 14:03:52.933721422 +0000
+ @@ -2064,7 +2064,7 @@
+ my $email = lc shift;
+ my $size = shift;
+ $avatar_cache{$email} ||=
+ - "http://www.gravatar.com/avatar/" .
+ + "https://secure.gravatar.com/avatar/" .
+ Digest::MD5::md5_hex($email) . "?s=";
+ return $avatar_cache{$email} . $size;
+ }
+
+.. _Gravatar: http://www.gravatar.com/
+
+
+Risk assessments on critical packages
+-------------------------------------
+
+The package git-daemon-run exposes the git native protocol which is prone to
+man in the middle attacks that could hand out modified code to users. There are
+alternatives (ssh, https) and git-daemon support should be disabled.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: git.cacert.org
+ :altnames: DNS:git.cacert.org
+ :certfile: /etc/ssl/public/git.c.o.chain.crt
+ :keyfile: /etc/ssl/private/git.c.o.key
+ :serial: 1381E7
+ :expiration: Mar 16 09:28:01 2020 GMT
+ :sha1fp: 23:0D:DC:34:D5:4D:B0:96:9C:6B:A6:18:69:5C:5C:5F:80:62:DC:A6
+ :issuer: CA Cert Signing Authority
+
+The :file:`/etc/ssl/public/git.c.o.chain.crt` contains the CAcert.org Class 1
+certificate too.
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index:: Git repositories
+
+Git repositories
+----------------
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+Apache httpd serves the gitweb interface via http and https. The http
+VirtualHost redirects all traffic to https. The following changes have been
+applied to the Debian package's Apache httpd configuration:
+
+.. literalinclude:: ../configdiff/git/git-apache-config.diff
+ :language: diff
+
+.. index::
+ pair: Gitweb; configuration
+
+Gitweb configuration
+--------------------
+
+Gitweb is configured in :file:`/etc/gitweb.conf` which has the following
+changes to the version contained in the distribution package:
+
+.. literalinclude:: ../configdiff/git/gitweb.conf.diff
+ :language: diff
+
+.. index::
+ pair: runit; configuration
+ pair: git-daemon; configuration
+
+git-daemon configuration
+------------------------
+
+The git-daemon is started by runit. The configuration is stored in
+:file:`/etc/sv/git-daemon/run` and has the following changes to the version
+contained in the distribution package git-daemon-run:
+
+.. literalinclude:: ../configdiff/git/git-daemon-run.diff
+ :language: diff
+
+The runit service handling is triggered through :file:`/etc/inittab`.
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: enable IPv6
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+Adding a git repository
+-----------------------
+
+The git repositories are stored in :file:`/var/cache/git/`. To create a new
+repository use:
+
+.. code-block:: shell
+
+ cd /var/cache/git/
+ git init --bare --shared=group <reponame.git>
+ chgrp -R <groupname> <reponame.git>
+
+The gitweb index is built from all repositories that contain a file
+:file:`git-daemon-export-ok`. You should also put a description in the
+repository's :file:`description` file and set the repository owner via:
+
+.. code-block:: shell
+
+ cd <reponame.git>
+ git config gitweb.owner "Owner information"
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Apache httpd documentation
+ http://httpd.apache.org/docs/2.4/
diff --git a/docs/systems/infra02.rst b/docs/systems/infra02.rst
new file mode 100644
index 0000000..fe6f0c0
--- /dev/null
+++ b/docs/systems/infra02.rst
@@ -0,0 +1,291 @@
+.. index::
+ single: Systems; Infra02
+
+=======
+Infra02
+=======
+
+Purpose
+=======
+
+The infrastructure host system Infra02 is a dedicated physical machine for the
+CAcert infrastructure.
+
+.. index::
+ single: Ferm
+
+Infra02 is the host system for all infrastructure :term:`containers
+<container>`. The containers are setup using the Linux kernel's :term:`LXC`
+system. The firewall for infrastructure is maintained on this machine using
+Ferm_.
+
+.. _Ferm: http://ferm.foo-projects.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: :ref:`people_mario`
+
+Contact
+-------
+
+* infrastructure-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_wytze` and :ref:`people_mendel` have :program:`sudo` access on that
+machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+The machine is located in a server rack at BIT B.V. in the Netherlands.
+
+Physical Configuration
+----------------------
+
+The machine has been sponsored by `Thomas Krenn`_ and has the following hardware
+parameters:
+
+:Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
+:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz
+:RAM: 16 GiB ECC
+:Disks: 2 x 1TB WDC WD1003FBYX-01Y7B1
+:NIC:
+
+ * eth0 Intel Corporation 82579LM Gigabit Network Connection
+ * eth1 Intel Corporation 82574L Gigabit Network Connection
+
+There is a 2 TB USB backup disk attached to the system.
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/EquipmentList`
+
+.. _Thomas Krenn: https://www.thomas-krenn.com/
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.230`
+:IP Intranet: :ip:v4:`172.16.2.10`
+:IP internal: :ip:v4:`10.0.0.1`
+:IPv6: :ip:v6:`2001:7b8:616:162:1::10`
+:IPv6 on br0: :ip:v6:`2001:7b8:616:162:2::10`
+:MAC address:
+
+ * :mac:`00:25:90:a9:66:e9` (eth0)
+ * :mac:`fe:0e:ee:75:a3:a5` (br0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Infra02
+
+========================== ======== ====================================================================
+Name Type Content
+========================== ======== ====================================================================
+infrastructure.cacert.org. IN A 213.154.225.230
+infrastructure.cacert.org. IN SSHFP 1 1 5A82D3C150AF002C05784F73250A067053AEED63
+infrastructure.cacert.org. IN SSHFP 1 2 63B0D74A3F1CE61865A5EB0497EF05243BC4067EC983C69AB8E62F3CB940CC82
+infrastructure.cacert.org. IN SSHFP 2 1 AF8D8E3386EAA72997709632ADF2B457E6FEF0DC
+infrastructure.cacert.org. IN SSHFP 2 2 3A0188FC47D1FDD14D70A2FB78F51792D06BA11EAE6AB16E73CB7BB8DD6A0DC8
+infrastructure.cacert.org. IN SSHFP 3 1 3E1B9EBF85B726CF831C76ECB8C17786AEDF40E8
+infrastructure.cacert.org. IN SSHFP 3 2 3AE7F0035C2172977E99BFE312C7A8299650DEA16A975EA13EECE8FDA426062A
+infra02.intra.cacert.org. IN A 172.16.2.10
+========================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.11
+
+* Debian GNU/Linux 7.11
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+-----------------------------------------+
+| 123/udp | ntp | ANY | network time protocol for host, |
+| | | | listening on the Internet IPv6 and IPv4 |
+| | | | addresses |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: openssh
+ single: cron
+ single: rsyslog
+ single: ntpd
+ single: Postfix
+ single: nrpe
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| ntpd | time server | init script :file:`/etc/init.d/ntp` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission, ... | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+.. Running Guests
+ --------------
+
+ .. some directive to list guests here
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`emailout`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* all traffic of non-critical infrastructure systems
+
+Security
+========
+
+.. sshkeys::
+ :RSA: 86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c
+ :DSA: b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5
+ :ECDSA: 79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0
+ :ED25519: 25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4
+
+Dedictated user roles
+---------------------
+
+* None
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments and critical packages
+--------------------------------------
+
+The system is the basis for all other infrastructure systems. Access to this
+system has to be tightly controlled.
+
+Tasks
+=====
+
+.. todo:: find out why the system logs are messed up
+.. todo:: upgrade to Debian Jessie
+.. todo:: document whether it is safe to reboot this system
+.. todo:: document how to setup a new container
+.. todo:: document how to setup firewall rules/forwarding
+.. todo:: document how the backup system works
+.. todo:: add DNS setup for IPv6 address
+
+Planned
+-------
+
+* None
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Critical Configuration items
+============================
+
+.. index::
+ pair: Ferm; configuration
+
+Ferm firewall configuration
+---------------------------
+
+The `Ferm`_ based firewall setup is located in :file:`/etc/ferm` and its
+subdirectories.
+
+.. index::
+ pair: LXC; configuration
+
+Container configuration
+-----------------------
+
+The container configuration is contained in files named
+:file:`/var/lib/lxc/<container>/config`.
+
+The root filesystems of the containers are stored on :term:`LVM` volumes that
+are mounted in :file:`/var/lib/lxc/<container>/rootfs` for each container.
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Ferm documentation
+ http://ferm.foo-projects.org/download/2.3/ferm.html
+Ferm Debian Wiki page
+ https://wiki.debian.org/ferm
+LXC Debian Wiki page
+ https://wiki.debian.org/LXC
diff --git a/docs/systems/irc.rst b/docs/systems/irc.rst
new file mode 100644
index 0000000..b947bea
--- /dev/null
+++ b/docs/systems/irc.rst
@@ -0,0 +1,366 @@
+.. index::
+ single: Systems; Irc
+
+===
+IRC
+===
+
+Purpose
+=======
+
+This system provides the CAcert IRC service for private communications,
+allowing usage of CAcert-secured SSL-Encrypted IRC traffic for our everyday
+chat, meetings, and general support.
+
+Application Links
+-----------------
+
+https://irc.cacert.org/
+ HTTPS secured Web based IRC access
+
+http://irc.cacert.org/
+ HTTP fallback for Web based IRC access
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: None
+* Secondary: :ref:`people_mario`, :ref:`people_jandd`
+
+Application Administration
+--------------------------
+
++--------------+------------------+
+| Application | Administrator(s) |
++==============+==================+
+| IRC server | None |
++--------------+------------------+
+| IRC services | None |
++--------------+------------------+
+| IRC webchat | None |
++--------------+------------------+
+
+.. todo::
+ find an administrator willing to properly setup/maintain IRC applications
+ and push the migration to :doc:`ircserver`.
+
+Contact
+-------
+
+* irc-admin@cacert.org
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.233`
+:IP Intranet: :ip:v4:`172.16.2.14`
+:IP Internal: :ip:v4:`10.0.0.14`
+:MAC address: :mac:`00:ff:8d:45:01:a4` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Irc
+
+======================= ======== ==========================================
+Name Type Content
+======================= ======== ==========================================
+irc.cacert.org. IN A 213.154.225.233
+irc.cacert.org. IN SSHFP 1 1 C123F73001682277DE5346923518D17CC94E298E
+irc.cacert.org. IN SSHFP 2 1 B85941C077732F78BE290B8F0B44B0A5E8A0E51D
+irc.intra.cacert.org. IN A 172.16.2.14
+======================= ======== ==========================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.11
+
+* Debian GNU/Linux 7.11
+
+Applicable Documentation
+------------------------
+
+:wiki:`Technology/TechnicalSupport/EndUserSupport/IRC`
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+--------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+======================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+--------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+--------------------------------------+
+| 80/tcp | http | ANY | IRC webchat |
++----------+---------+---------+--------------------------------------+
+| 443/tcp | https | ANY | IRC webchat |
++----------+---------+---------+--------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+--------------------------------------+
+| 6667/tcp | ircd | ANY | IRC |
++----------+---------+---------+--------------------------------------+
+| 6668/tcp | ircd | ANY | IRC [#f1]_ |
++----------+---------+---------+--------------------------------------+
+| 7000/tcp | ircd | ANY | IRC |
++----------+---------+---------+--------------------------------------+
+
+ircd opens a random UDP port for some reason.
+
+.. [#f1] Not forwarded from :doc:`infra02` to container
+
+.. todo:: find out what the UDP port is used for
+
+Running services
+----------------
+
+.. index::
+ single: Postfix
+ single: cron
+ single: lighttpd
+ single: nrpe
+ single: openssh
+ single: oftc-hybrid-ircd
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| lighttpd | Webserver for | init script |
+| | IRC webchat | :file:`/etc/init.d/lighttpd` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| OFTC Hybrid IRCD | IRC server | start script |
+| | | :file:`/home/ircserver/ircd/bin/ircd` |
+| | | started manually |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+
+Security
+========
+
+.. sshkeys::
+ :RSA: 6e:7c:14:4b:a3:fe:8c:88:1b:d0:e8:3c:93:9c:33:2f
+ :DSA: e7:92:a5:80:49:a9:fe:d3:57:11:1d:ca:b8:0f:c0:44
+ :ECDSA: c5:6a:f5:cc:be:a5:94:03:b8:32:d0:97:ef:26:ac:35
+
+Dedicated user roles
+--------------------
+
++-----------+--------------+
+| Group | Purpose |
++===========+==============+
+| ircserver | IRC daemon |
++-----------+--------------+
+| services | IRC services |
++-----------+--------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+.. index::
+ pair: non-distribution; oftc-ircd
+
+OFTC Hybrid IRC daemon
+......................
+
+* The IRC server runs as a self compiled `OFTC Hybrid
+ <http://www.oftc.net/CodingProjects/#ircd>`_ from upstream's `GitHub
+ repository <https://github.com/oftc/oftc-hybrid>`_ at revision
+ 1435aa49a8b20d6ed816f53518ae5f22d0579cc4 (tag: oftc-hybrid-1.6.15).
+* The configured source code is available in
+ :file:`/home/ircserver/oftc-hybrid/`
+* The installed ircd is in :file:`/home/ircserver/ircd/`
+* The used configure options are contained in
+ :file:`/home/ircserver/configline`
+
+The IRC server is linked against system shared libraries and may not work
+anymore if these are updated to ABI incompatible versions.
+
+This is the listed of linked libraries as of 2014-10-24::
+
+ $ ldd ircd/bin/ircd
+ linux-gate.so.1 => (0xf7714000)
+ libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xf7709000)
+ libcrypt.so.1 => /lib/i386-linux-gnu/i686/cmov/libcrypt.so.1 (0xf76d7000)
+ libssl.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libssl.so.1.0.0 (0xf767d000)
+ libcrypto.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libcrypto.so.1.0.0 (0xf74bf000)
+ libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xf735a000)
+ /lib/ld-linux.so.2 (0xf7715000)
+ libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xf7341000)
+
+OFTC IRC services
+.................
+
+* The IRC services where self compiled `OFTC Services
+ <http://www.oftc.net/CodingProjects/#services>`_ from upstreams `release
+ tarballs <http://www.oftc.net/releases/oftc-ircservices/>`_ unfortunatelly
+ recompilation on the current Debian system does not produce a working binary.
+* The configured source code is available at
+ :file:`/home/services/oftc-services-1.5.8/`
+* The installed disfunctional IRC services are installed in
+ :file:`/home/services/services`
+* The used configure options are contained in :file:`/home/services/configline`
+
+.. warning::
+ There are no services running currently because loading the PostgreSQL
+ driver leads to a segmentation fault in the compiled binaries. PostgreSQL
+ has been uninstalled and the ircservices database has been backed up to
+ :file:`/home/ircserver/archive/pg_ircservices_dump-20180216-143937.sql.gz`.
+
+IRC Webchat
+...........
+
+* The used Web based IRC software is a self compiled `CGI:IRC
+ <http://cgiirc.sourceforge.net/>`_ version 0.5.9
+* The Web based IRC software is contained in :file:`/var/cgi/`
+
+Risk assessments on critical packages
+-------------------------------------
+
+The self compiled binaries of OFTC Hybrid ircd, OFTC Services and IRC webchat
+are not updated regularly. There is no administrator with good enough knowledge
+for these applications to properly maintain these.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: irc.cacert.org
+ :altnames: DNS:cert.irc.cacert.org, DNS:irc.cacert.org, DNS:nocert.irc.cacert.org
+ :certfile: /home/ircserver/ssl/cert2048.pem
+ :keyfile: /home/ircserver/ssl/rsa2048.key
+ :serial: 1375A2
+ :expiration: Feb 19 12:06:05 2020 GMT
+ :sha1fp: 92:CA:56:74:C5:3B:C9:1E:A9:61:08:59:BE:B4:04:3D:AC:A0:F1:6A
+ :issuer: CA Cert Signing Authority
+
+.. sslcert:: irc.cacert.org
+ :certfile: /etc/lighttpd/ssl/server.pem
+ :keyfile: /etc/lighttpd/ssl/server.pem
+ :serial: 1375A2
+ :secondary:
+
+The :file:`/etc/lighttpd/ssl/server.pem` is a combined key and certificate file
+for lighttpd.
+
+.. index::
+ pair: lighttpd; configuration
+
+lighttpd configuration
+----------------------
+
+* :file:`/etc/lighttpd/lighttpd.conf` main configuration file
+* :file:`/etc/lighttpd/conf-enabled/10-cgi.conf` CGI path configuration
+* :file:`/etc/lighttpd/conf-enabled/10-ssl.conf` TLS configuration
+* :file:`/etc/lighttpd/conf-enabled/10-redirect-http.conf` redirect from http to
+ https
+
+Configure CGI and TLS support for lighttpd. CGI requests go to /var/cgi
+containing the CGI IRC client. Request to configuration and source code is
+restricted.
+
+.. index::
+ pair: oftc-hybrid-ircd; configuration
+ pair: ircd; configuration
+
+oftc-hybrid-ircd configuration
+------------------------------
+
+* :file:`/home/ircserver/ircd/etc/ircd.conf` main IRC server configuration,
+ defining settings, ports and TLS settings
+
+.. todo:: add more details
+
+.. todo::
+ there are a lot of ops users defined in :file:`ircd.conf` check whether
+ these are still valid
+
+.. index::
+ pair: IRC webchat; configuration
+
+IRC webchat configuration
+-------------------------
+
+* :file:`/var/cgi/cgiirc.config`
+
+The configuration defines the connection to the ircd and some defaults for the
+client like default user names and channel.
+
+Changes
+=======
+
+System Future
+-------------
+
+This system should be retired and replaced with the new :doc:`ircserver` that
+should be running packaged and properly supported software.
+
+.. note::
+
+ Current Debian releases contain packaged versions of some ircd/irc services
+ combinations:
+
+ * `ircd-hybrid <https://packages.debian.org/jessie/ircd-hybrid>`_ similar
+ to the current software
+ * `charybdis <https://packages.debian.org/jessie/charybdis>`_ with
+ `atheme-services <https://packages.debian.org/jessie/atheme-services>`_
+ (compatible with ircd-hybrid too)
+ * `ircd-ratbox <https://packages.debian.org/jessie/ircd-ratbox>`_ with
+ `ratbox-services
+ <https://packages.debian.org/jessie/ratbox-services-pgsql>`_ used by
+ EFNet
+
+ CGI:IRC has been removed from Debian because it had no active maintainer.
diff --git a/docs/systems/ircserver.rst b/docs/systems/ircserver.rst
new file mode 100644
index 0000000..479912d
--- /dev/null
+++ b/docs/systems/ircserver.rst
@@ -0,0 +1,376 @@
+.. index::
+ single: Systems; Ircserver
+
+=========
+Ircserver
+=========
+
+Purpose
+=======
+
+This system is the planned replacement for :doc:`irc`.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++--------------+---------------------+
+| Application | Administrator(s) |
++==============+=====================+
+| IRC server | :ref:`people_jandd` |
++--------------+---------------------+
+| IRC services | :ref:`people_jandd` |
++--------------+---------------------+
+| Votebot | :ref:`people_jandd` |
++--------------+---------------------+
+
+Contact
+-------
+
+* irc-admin@cacert.org
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.233`
+:IP Intranet: :ip:v4:`172.16.2.24`
+:IP Internal: :ip:v4:`10.0.0.130`
+:MAC address: :mac:`00:ff:9a:79:ca:b1` (eth0)
+
+.. todo:: setup IPv6
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Ircserver
+ single: DNS records; Irc
+
+======================= ======== ==========================================
+Name Type Content
+======================= ======== ==========================================
+irc.cacert.org. IN A 213.154.225.233
+irc.cacert.org. IN SSHFP 1 1 C123F73001682277DE5346923518D17CC94E298E
+irc.cacert.org. IN SSHFP 2 1 B85941C077732F78BE290B8F0B44B0A5E8A0E51D
+irc.intra.cacert.org. IN A 172.16.2.14
+======================= ======== ==========================================
+
+.. todo:: setup new SSHFP records
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.4
+
+* Debian GNU/Linux 9.4
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+--------------+---------+----------------------------+
+| Port | Service | Origin | Purpose |
++==========+==============+=========+============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+--------------+---------+----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+--------------+---------+----------------------------+
+| 80/tcp | http | ANY | redirect to https |
++----------+--------------+---------+----------------------------+
+| 443/tcp | https | ANY | reverse proxy for kiwiirc |
++----------+--------------+---------+----------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+--------------+---------+----------------------------+
+| 6667/tcp | ircd | ANY | IRC |
++----------+--------------+---------+----------------------------+
+| 7000/tcp | ircd | ANY | IRC (SSL) |
++----------+--------------+---------+----------------------------+
+| 7001/tcp | ircd | local | IRC (services) |
++----------+--------------+---------+----------------------------+
+| 7778/tcp | kiwiirc | local | kiwiirc process |
++----------+--------------+---------+----------------------------+
+| 8080/tcp | irc-services | ANY | IRC services |
++----------+--------------+---------+----------------------------+
+
+irc opens a random UDP port.
+
+The following port forwarding is setup on :doc:`infra02`
+
++-------------+-------+-----------------+
+| Intranet IP | Port | Target |
++=============+=======+=================+
+| 172.16.2.14 | 13022 | 10.0.0.130:22 |
++-------------+-------+-----------------+
+| 172.16.2.14 | 13080 | 10.0.0.130:80 |
++-------------+-------+-----------------+
+| 172.16.2.14 | 13443 | 10.0.0.130:443 |
++-------------+-------+-----------------+
+| 172.16.2.14 | 13667 | 10.0.0.130:6667 |
++-------------+-------+-----------------+
+| 172.16.2.14 | 13700 | 10.0.0.130:7000 |
++-------------+-------+-----------------+
+
+.. todo:: implement final forwarding to required ports from :doc:`infra02`
+
+Running services
+----------------
+
+.. index::
+ single: cron
+ single: exim
+ single: nrpe
+ single: openssh
+ single: inspircd
+ single: atheme-services
+ single: votebot
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+| inspircd | IRC daemon | init script |
+| | | :file:`/etc/init.d/inspircd` |
++--------------------+--------------------+----------------------------------------+
+| atheme-services | IRC services | init script |
+| | | :file:`/etc/init.d/atheme-services` |
++--------------------+--------------------+----------------------------------------+
+| kiwiirc | IRC web client | start script |
+| | | :file:`/home/kiwiirc/KiwiIRC/kiwi` |
+| | | started by user kiwiirc |
++--------------------+--------------------+----------------------------------------+
+| nginx | Reverse proxy for | init script |
+| | kiwiirc | :file:`/etc/init.d/nginx` |
++--------------------+--------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:MMH85BKVW7SUe7yyWjldjlggQD7dtXRuzO1XjZf0ZWc MD5:dc:8f:c3:d7:38:72:39:13:6f:97:db:3d:06:c6:83:db
+ :DSA: SHA256:c0pnKaB313x5rw6PRRh/iMJdfNECw0ruHnU9lkTJZbw MD5:52:73:d9:76:38:df:bd:18:37:4a:e3:9d:65:14:ac:39
+ :ECDSA: SHA256:uI+JjNUlGytuMVouJmhzdHt80jfA+SRYkWr5OORpT5Y MD5:61:9f:ca:c7:05:0e:46:a1:8f:6d:7f:3a:68:ce:5a:21
+ :ED25519: SHA256:aNRLwh0FVQyKq2IWO5JXyFubzwpMqxyWrSymdLgDYBw MD5:79:2a:a2:ca:99:23:50:2c:1c:48:cf:8c:fe:b9:51:e5
+
+Dedicated user roles
+--------------------
+
++---------+-------------------------------------+
+| User | Purpose |
++=========+=====================================+
+| votebot | used to run the votebot |
++---------+-------------------------------------+
+| kiwiirc | used to run the Kiwi IRC web client |
++---------+-------------------------------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+Votebot
+~~~~~~~
+
+The :ref:`Votebot <votebot>` is a custom developed IRC daemon that is packaged
+as a self contained Java jar archive. The bot is started manually as described
+above. For improved maintainability it should be packaged and provide a start
+mechanism that is better integrated with the system.
+
+.. _votebot:
+
+.. topic:: Votebot
+
+ The vote bot is a Java based IRC bot developed at
+ https://github.com/CAcertOrg/cacert-votebot. The bot is started manually by
+ running
+
+ .. code-block:: bash
+
+ java -DvoteBot.meetingChn=SGM -cp VoteBot.jar \
+ de.dogcraft.irc.CAcertVoteBot -u -h 10.0.0.14 -p 6667 --nick VoteBot
+
+.. todo:: use a CAcert git repository for votebot
+
+.. todo:: package votebot for Debian
+
+.. todo:: provide a proper init script/and or systemd unit for votebot
+
+
+Kiwi IRC
+~~~~~~~~
+
+Kiwi IRC is a nodejs based IRC web client. The software has been installed via
+`Github <https://github.com/prawnsalad/KiwiIRC.git>`_ and npm as described in
+https://kiwiirc.com/docs/installing and
+https://kiwiirc.com/docs/installing/proxies. The software is running on the
+local loopback interface and Internet access is provided by an nginx reverse
+proxy that also provides https connectivity. NodeJS and npm have been installed
+from Debian packages.
+
+Risk assessments on critical packages
+-------------------------------------
+
+Votebot is a Java based application and therefore Java security patches should
+be applied as soon as they become available.
+
+Kiwi IRC is nodejs based and uses some third party npm packages. The
+application is kept behind a reverse proxy but it is advisable to make sure
+that available updates are applied.
+
+.. todo:: implement some update monitoring for Kiwi IRC
+
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: irc.cacert.org
+ :altnames: DNS:irc.cacert.org, DNS:ircserver.cacert.org
+ :certfile: /etc/ssl/public/irc.cacert.org.crt
+ :keyfile: /etc/ssl/private/irc.cacert.org.key
+ :serial: 1381E8
+ :expiration: Mar 16 09:35:36 2020 GMT
+ :sha1fp: 42:F6:7C:4E:0C:AC:8A:42:7D:9A:94:55:7E:73:7E:E9:40:5C:87:91
+ :issuer: CA Cert Signing Authority
+
+
+.. index::
+ pair: inspircd; configuration
+
+inspircd configuration
+----------------------
+
+Inspircd is installed from a Debian package. It is configured via files in
+:file:`/etc/inspircd/`. The main configuration file is :file:`inspircd.conf`.
+
+.. index::
+ pair: atheme-services; configuration
+
+atheme-services configuration
+-----------------------------
+
+Atheme-services is installed from a Debian package. It is configured via
+:file:`/etc/atheme/atheme.conf`.
+
+Kiwi IRC configuration
+----------------------
+
+Kiwi IRC configuration is kept in :file:`/home/kiwiirc/KiwiIRC/config.js`. When
+the configuration is changed it can be applied by running:
+
+.. code-block:: bash
+
+ sudo -s -u kiwi
+ cd ~/KiwiIRC
+ ./kiwi reconfig
+
+nginx configuration
+-------------------
+
+The nginx configuration for reverse proxying Kiwi IRC is stored in
+:file:`/etc/nginx/sites-available/default`. The same certificate and private
+key are used for inspirced and nginx.
+
+
+Tasks
+=====
+
+Planned
+-------
+
+- setup IPv6
+- setup DNS records
+
+Changes
+=======
+
+System Future
+-------------
+
+- replace :doc:`irc` by this system
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+ * :wiki:`Technology/TechnicalSupport/EndUserSupport/IRC`
+
+References
+----------
+
+Atheme services website
+ https://atheme.github.io/atheme.html
+
+Inspircd wiki
+ https://wiki.inspircd.org/
+
+Kiwi IRC documentation
+ https://kiwiirc.com/docs/
+
+nginx documentation
+ http://nginx.org/en/docs/
diff --git a/docs/systems/issue.rst b/docs/systems/issue.rst
new file mode 100644
index 0000000..c6983ee
--- /dev/null
+++ b/docs/systems/issue.rst
@@ -0,0 +1,382 @@
+.. index::
+ single: Systems; Issue
+
+=====
+Issue
+=====
+
+Purpose
+=======
+
+The purpose of the issue server is to serve the issue tracking system,
+implemented with _`OTRS <https://www.otrs.com/>` used by :wiki:`Triage` and
+:wiki:`Support` for handling requests going to the support@cacert.org mail
+address. Usage for other teams e.g. Arbitration (currently used occasionally),
+Organisation Assurance is planned in future.
+
+Application Links
+-----------------
+
+OTRS URL
+ https://issue.cacert.org/
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_mario`
+* Secondary: :ref:`people_neo`
+
+Application Administration
+--------------------------
+
++-------------+----------------------+
+| Application | Administrator(s) |
++=============+======================+
+| OTRS | :ref:`people_mario`, |
+| | :ref:`people_nick`, |
+| | :ref:`people_ian`, |
+| | :ref:`people_neo` |
++-------------+----------------------+
+
+Contact
+-------
+
+* issue-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_jandd` and :ref:`people_dirk` have :program:`sudo` access on that
+machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.244`
+:IP Intranet: :ip:v4:`172.16.2.28`
+:IP Internal: :ip:v4:`10.0.0.28`
+:MAC address: :mac:`00:ff:8c:94:e1:c8` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Issue
+
+======================= ======== ============================================
+Name Type Content
+======================= ======== ============================================
+issue.cacert.org. IN A 213.154.225.244
+issue.intra.cacert.org. IN A 172.16.2.28
+issue.cacert.org. IN SSHFP 2 1 FD9A5C79C4A9057B87AE8E639FD223B386AF4BDB
+issue.cacert.org. IN SSHFP 1 1 3F55E52B51D142EF9D15EEAA9CA25B3AA30C7C6E
+======================= ======== ============================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.11
+
+* Debian GNU/Linux 7.11
+
+.. todo:: upgrade to Debian Jessie
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+----------+--------------------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+==========+==================================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+----------+--------------------------------------------------+
+| 25/tcp | smtp | localnet | local mail pickup in order to send out |
+| | | | notifications via |
+| | | | :doc:`emailout`, incoming mail from :doc:`email` |
++----------+---------+----------+--------------------------------------------------+
+| 80/tcp | http | ANY | HTTP access to issue, redirects to HTTPS |
++----------+---------+----------+--------------------------------------------------+
+| 443/tcp | https | ANY | HTTPS access to issue |
++----------+---------+----------+--------------------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+----------+--------------------------------------------------+
+| 3306/tcp | mysql | local | MySQL database for OTRS |
++----------+---------+----------+--------------------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: MySQL
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+
++--------------------+-----------------------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+===================================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+-----------------------------------+----------------------------------------+
+| Apache httpd | Webserver for OTRS | init script |
+| | | :file:`/etc/init.d/apache2` |
++--------------------+-----------------------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+-----------------------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+-----------------------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for OTRS | :file:`/etc/init.d/mysql` |
++--------------------+-----------------------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission and for receiving mail | |
+| | directed to OTRS addresses | |
++--------------------+-----------------------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+-----------------------------------+----------------------------------------+
+
+Databases
+---------
+
++-------+------+-------------------+
+| RDBMS | Name | Used for |
++=======+======+===================+
+| MySQL | otrs | database for OTRS |
++-------+------+-------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`email`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`email` as SMTP submission relay (587, tcp) for specific addresses (see
+ :ref:`postfix_configuration` below)
+* :doc:`proxyout` as HTTP proxy for APT
+* crl.cacert.org (rsync) for getting CRLs
+
+Security
+========
+
+.. add the MD5 fingerprints of the SSH host keys
+
+.. sshkeys::
+ :RSA: 61:32:04:12:e3:4f:0b:b7:14:2d:d1:8f:82:b2:c7:47
+ :DSA: a8:57:20:2f:09:a2:f3:d6:24:7a:29:35:2f:28:5e:4e
+ :ECDSA: f1:a9:da:27:1a:ef:a8:67:51:d1:b4:e2:b7:83:c8:82
+
+.. todo:: setup ED25519 host key
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+:program:`OTRS` is installed from Debian packages but has been patched. The
+OTRS packages must not be updated from Debian packages without reapplying the
+patch.
+
+:file:`/usr/share/otrs/Kernel/Output/HTML/Layout.pm`
+
+.. literalinclude:: ../patches/otrs/Layout.pm.patch
+ :language: diff
+
+Risk assessments on critical packages
+-------------------------------------
+
+Patching OTRS implies the danger of delayed security updates. The package is
+set on hold via :command:`echo otrs hold | dpkg --set-selections` and must be
+updated explicitly. OTRS 3.1 is not supported by upstream anymore.
+
+The used Apache httpd has a good reputation. OTRS is integrated into Apache
+httpd via mod_perl2.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+The following certificate and its corresponding private key is used by Apache
+httpd and Postfix:
+
+.. sslcert:: issue.cacert.org
+ :altnames: DNS:issue.cacert.org
+ :certfile: /etc/ssl/certs/issue.cacert.org.pem
+ :keyfile: /etc/ssl/private/issue.cacert.org.key
+ :serial: 1381E9
+ :expiration: Mar 16 09:54:12 2020 GMT
+ :sha1fp: 90:67:C0:57:17:BD:98:66:B1:E2:62:A6:11:59:E4:C3:3E:E3:C0:E4
+ :issuer: CA Cert Signing Authority
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+Apache httpd configuration
+--------------------------
+
+* :file:`/etc/apache2/sites-available/default`
+
+ HTTP virtualhost configuration that redirects to HTTPS
+
+* :file:`/etc/apache2/sites-available/default-ssl`
+
+ HTTPS virtualhost configuration, /cgi-bin/ is aliased to /usr/lib/cgi-bin/
+ which contains a symbolic link to the OTRS CGIs
+
+OTRS configuration
+------------------
+
+* :file:`/etc/otrs/`
+
+ OTRS configuration
+
+* :file:`/etc/otrs/database.pm`
+
+ OTRS's database configuration
+
+
+.. _postfix_configuration:
+
+Postfix configuration
+---------------------
+
+* :file:`/etc/postfix`
+
+ Postfix configuration
+
+* :file:`/etc/postfix/sender_relay`
+
+ Defines a list of sender addresses that are relayed via :doc:`email`
+
+* :file:`/etc/postfix/sender_rewrite`
+
+ Configures rewriting of all but a short list of addresses to
+ returns@cacert.org
+
+Tasks
+=====
+
+Planned
+-------
+
+Ideas
+-----
+
+* The system should be upgraded to a newer Debian release.
+
+* Deployment
+
+ * implement access for other teams
+
+* OTRS
+
+ * change to CAcert corporate design (low priority)
+ * should be updated to a newer release that is supported by upstream
+
+* Monitoring
+
+ * create a list of services to monitor
+
+* Configuration management
+
+ * Implement :wiki:`SystemAdministration/Procedures/OperatingSystemPatches`,
+ see also
+ https://lists.cacert.org/wws/arc/cacert-sysadm/2009-08/msg00007.html
+
+* X.509 Authentication
+
+* Use centralised logging
+
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+Creating new OTRS user accounts
+-------------------------------
+
+* Go to Admin -> Users -> Add
+* Fill out user details
+
+ * Use a securely random generated password (min. 12 chars, mixed of capital-
+ non-capital letters, numbers and special chars), send it to the user via
+ encrypted mail (also include URL of the issue tracking system, username and
+ some initial instructions or a link to documentation if available)
+ * Use CAcert email addresses only
+
+* Set the preferences for the user. Good standards are:
+
+ * Show tickets: 25
+ * New ticket notification: Yes (or No for high volume queues having agents regulary looking at
+ * Follow up notification: Yes
+ * Ticket lock timeout notification: Yes
+ * Move notification: Yes (or No if the queues for the user get many new tickets)
+ * Spelling Dictionary: English
+
+* Submit
+* Do NOT set any groups for the user.
+* Go to Admin -> Users -> Roles <-> Users
+* Choose the newly created user
+* Set the roles the user has
+* Submit
+* Now you are done :)
+
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+* http://doc.otrs.com/doc/manual/admin/3.2/en/html/index.html
diff --git a/docs/systems/jenkins.rst b/docs/systems/jenkins.rst
new file mode 100644
index 0000000..d7c67fd
--- /dev/null
+++ b/docs/systems/jenkins.rst
@@ -0,0 +1,246 @@
+.. index::
+ single: Systems; Jenkins
+
+=======
+Jenkins
+=======
+
+Purpose
+=======
+
+`Jenkins`_ continuous integration server for building software artifacts for
+CAcert.org and this documentation.
+
+.. _Jenkins: https://jenkins.io
+
+Application Links
+-----------------
+
+Jenkins web interface
+ https://jenkins.cacert.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+Application Administration
+--------------------------
+
++-------------+---------------------+
+| Application | Administrator(s) |
++=============+=====================+
+| Jenkins | :ref:`people_jandd` |
++-------------+---------------------+
+
+Contact
+-------
+
+* jenkins-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` has :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: reverse proxied from :doc:`web`
+:IP Intranet: :ip:v4:`172.16.2.115`
+:IP Internal: :ip:v4:`10.0.0.115`
+:MAC address: :mac:`00:ff:a4:c9:aa:49` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Jenkins
+
+========================= ======== ====================================================================
+Name Type Content
+========================= ======== ====================================================================
+jenkins.cacert.org. IN A 213.154.225.242
+jenkins.cacert.org. IN SSHFP 1 1 2CAEBE197C0F1C25404890ADFEDABB371FB05650
+jenkins.cacert.org. IN SSHFP 1 2 6110A42530A5197AB1180417EE32B2EB581813CA773498177481B11D969BB529
+jenkins.cacert.org. IN SSHFP 2 1 4CE4EEF515BDEE033D68B92419F71679880B2FD5
+jenkins.cacert.org. IN SSHFP 2 2 7E76D01B8DC48178535F3F6164C07EF35D3436F352DB8C62FFACD5B8E3C106A7
+jenkins.cacert.org. IN SSHFP 3 1 1CE55A42B27BF42A78E281440F146DA17255A97D
+jenkins.cacert.org. IN SSHFP 3 2 20763231FECF9518C2CECAB05AC76E4483F563C0853F8B8A53E469316DA75381
+jenkins.intra.cacert.org. IN A 172.16.2.115
+========================= ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.4
+
+* Debian GNU/Linux 9.4
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
+.. use the values from this table or add new lines if applicable
+
++----------+---------+----------+----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+==========+============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+----------+----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+----------+----------------------------+
+| 2022/tcp | Jenkins | internal | Jenkins ssh port |
++----------+---------+----------+----------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+----------+----------------------------+
+| 8080/tcp | Jenkins | internal | Jenkins web interface |
++----------+---------+----------+----------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Exim
+ single: Jenkins
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+
++--------------------+--------------------+-----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+=========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+-----------------------------------------+
+| Jenkins | Jenkins CI server | init script :file:`/etc/init.d/jenkins` |
++--------------------+--------------------+-----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+-----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+-----------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission | |
++--------------------+--------------------+-----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+-----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`git` for triggering Jenkins web hooks
+* :doc:`monitor`
+* :doc:`web` as reverse proxy for hostnames funding.cacert.org and
+ infradocs.cacert.org
+
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`git` for fetching source code
+* :doc:`proxyout` as HTTP proxy for APT and Jenkins plugin updates
+* :doc:`puppet` for configuration management
+* :doc:`webstatic` for publishing infrastructure documentation to
+ infradocs.cacert.org
+* arbitrary Internet HTTP, HTTPS, FTP, FTPS, git servers for fetching source
+ code and build dependencies (via ``&CONTAINER_OUT_ELEVATED("jenkins");`` in
+ :file:`/etc/ferm/ferm.d/jenkins.conf` on :doc:`infra02`).
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:YRCkJTClGXqxGAQX7jKy61gYE8p3NJgXdIGxHZabtSk MD5:75:83:f5:8f:81:4b:08:bd:fd:6b:ff:12:bc:d7:17:48
+ :DSA: SHA256:fnbQG43EgXhTXz9hZMB+8100NvNS24xi/6zVuOPBBqc MD5:cf:8a:2d:83:53:8d:42:5a:c9:21:7c:c4:6a:3b:81:71
+ :ECDSA: SHA256:IHYyMf7PlRjCzsqwWsduRIP1Y8CFP4uKU+RpMW2nU4E MD5:77:18:34:2b:25:4a:e5:f3:cd:d7:2e:c9:9d:6b:03:01
+ :ED25519: SHA256:25iP8jSklIu8saYf8hwIDv7UVIJRQbCh0EGSH3hXNWI MD5:4a:e0:9f:06:d5:c3:c8:36:b9:1e:ef:2e:0b:54:82:58
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* The Puppet agent package and a few dependencies are installed from the
+ official Puppet APT repository because the versions in Debian are too old to
+ use modern Puppet features.
+* Jenkins from pkg.jenkins-ci.org
+
+ package source is defined in :file:`/etc/apt/sources.list.d/jenkins.list`
+* Few packages (i.e. go toolchain) from Debian testing
+
+ package source is defined in :file:`/etc/apt/sources.list.d/buster.list`
+
+Risk assessments on critical packages
+-------------------------------------
+
+Jenkins is a widely used CI server with regular updates. Security issues are
+handled quickly by the upstream developers.
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
+
+Jenkins configuration
+---------------------
+
+Jenkins stores its configuration and working directories in
+:file:`/var/lib/jenkins`. Jenkins administration is performed via an integrated
+management web interface with role based access control.
+
+Tasks
+=====
+
+Planned
+-------
+
+* build more of CAcert's software on the Jenkins instance
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+
+References
+----------
+
+* https://jenkins.io/
diff --git a/docs/systems/lists.rst b/docs/systems/lists.rst
new file mode 100644
index 0000000..02e4be1
--- /dev/null
+++ b/docs/systems/lists.rst
@@ -0,0 +1,412 @@
+.. index::
+ single: Systems; Lists
+
+=====
+Lists
+=====
+
+Purpose
+=======
+
+The system provides mailing list services under the lists.cacert.org hostname.
+
+Application Links
+-----------------
+
+* Mailing list management and archives
+
+ https://lists.cacert.org/
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_mario`
+* Secondary: :ref:`people_jandd`
+
+Application Administration
+--------------------------
+
++--------------+---------------------------------------------+
+| Application | Administrator(s) |
++==============+=============================================+
+| Sympa | :ref:`people_jandd`, :ref:`people_mario`, |
+| | :ref:`people_ulrich`, :ref:`people_philipp` |
++--------------+---------------------------------------------+
+
+Contact
+-------
+
+* email-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_jselzer` has :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.231`
+:IP Intranet: :ip:v4:`172.16.2.17`
+:IP Internal: :ip:v4:`10.0.0.17`
+:MAC address: :mac:`00:ff:d0:13:9a:22` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Lists
+
+=================================== ======== ============================================
+Name Type Content
+=================================== ======== ============================================
+lists.cacert.org. IN A 213.154.225.231
+lists.cacert.org. IN MX 10 email.cacert.org.
+lists.cacert.org. IN SSHFP 1 1 87F75B9124326B566ED22DCF65A9740EEDE8F0FF
+lists.cacert.org. IN SSHFP 2 1 8D79E68E731ED72667F3D286C477245DF653083B
+lists.cacert.org. IN TXT "v=spf1 ip4:213.154.225.231 -all"
+cert.lists.cacert.org. IN CNAME lists.cacert.org.
+nocert.lists.cacert.org. IN CNAME lists.cacert.org.
+lists.intra.cacert.org. IN A 172.16.2.17
+17.2.16.172.in-addr.arpa IN PTR lists.intra.cacert.org.
+231.225.154.213.in-addr.arpa IN CNAME 231.224-27.225.154.213.in-addr.arpa.
+231.224-27.225.154.213.in-addr.arpa IN PTR lists.cacert.org.
+=================================== ======== ============================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.11
+
+* Debian GNU/Linux 7.11
+
+Applicable Documentation
+------------------------
+
+This is the administration documentation.
+
+.. seealso::
+
+ :wiki:`EmailListOverview` for user documentation
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+-----------+-------------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=================+=====================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+-----------+-------------------------------------------+
+| 25/tcp | smtp | monitor, | mail delivery to local MTA/sympa |
+| | | email | |
++----------+---------+-----------+-------------------------------------------+
+| 80/tcp | http | ANY | redirect to https |
++----------+---------+-----------+-------------------------------------------+
+| 443/tcp | https | ANY | Sympa mailing list manager and archive |
++----------+---------+-----------+-------------------------------------------+
+| 4433/tcp | https | LOCAL | phpmyadmin access via ssh port forwarding |
++----------+---------+-----------+-------------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+-----------+-------------------------------------------+
+| 3306/tcp | mysql | local | MySQL database for Sympa |
++----------+---------+-----------+-------------------------------------------+
+
+.. topic:: PHPMyAdmin access
+
+ Administrators can use ssh to forward the Apache httpd port 4433 to their
+ own machine:
+
+ .. code-block:: bash
+
+ ssh -L 4433:localhost:4433 -l username lists.cacert.org
+
+ and access PHPMyAdmin at https://localhost:4433/phpmyadmin
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: MySQL
+ single: Postfix
+ single: Sympa
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+
++--------------------+---------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+=====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+---------------------+----------------------------------------+
+| Apache httpd | Webserver for Sympa | init script |
+| | | :file:`/etc/init.d/apache2` |
++--------------------+---------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+---------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+---------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for Sympa | :file:`/etc/init.d/mysql` |
++--------------------+---------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission and | |
+| | incoming list mail | |
++--------------------+---------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+---------------------+----------------------------------------+
+| Sympa mailing list | mail list handling | init script |
+| services | | :file:`/etc/init.d/sympa` |
++--------------------+---------------------+----------------------------------------+
+
+Databases
+---------
+
++-------------+-------+-------------------------------+
+| RDBMS | Name | Used for |
++=============+=======+===============================+
+| MySQL | sympa | Sympa mailing list management |
++-------------+-------+-------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`email`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`proxyout` as HTTP proxy for APT
+* arbitrary Internet SMTP servers for delivery of list mails
+
+Security
+========
+
+.. sshkeys::
+ :RSA: MD5:9a:64:3d:ab:38:91:90:88:2b:73:cb:05:8c:56:f9:c9
+ :DSA: MD5:dd:ab:a6:c2:29:91:e9:81:fa:29:3c:f7:88:76:1f:f6
+ :ECDSA: MD5:3c:8d:f2:a7:e8:75:1c:9a:11:13:11:2a:58:aa:9b:d1
+
+.. todo:: setup ED25519 host key (needs update to Jessie)
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+Apache httpd, Postfix and Sympa have a good security track record. Apache httpd
+is configured with the minimum of required modules. PHPMyAdmin is only reachable
+via ssh port forwarding.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+Server certificate for Apache httpd for Sympa and phpmyadmin and Postfix:
+
+.. sslcert:: lists.cacert.org
+ :altnames: DNS:cert.lists.cacert.org, DNS:lists.cacert.org, DNS:nocert.lists.cacert.org
+ :certfile: /etc/ssl/certs/ssl-cert-lists-cacert-multialtname.pem
+ :keyfile: /etc/ssl/private/ssl-cert-lists-cacert-multialtname.pem
+ :serial: 1381F2
+ :expiration: Mar 16 10:15:10 2020 GMT
+ :sha1fp: 53:D8:D7:96:AC:C6:87:B6:2F:D7:58:A7:F3:F4:33:32:A7:25:02:A9
+ :issuer: CA Cert Signing Authority
+
+* :file:`/usr/share/ca-certificates/cacert.org/cacert.org.crt`
+ CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for
+ client certificates)
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+Apache httpd configuration
+--------------------------
+
+* :file:`/etc/apache2/sites-available/000-default.conf`
+
+ default HTTP VirtualHost configuration that redirects to
+ https://lists.cacert.org/
+
+* :file:`/etc/apache2/sites-available/sympa-include.conf`
+
+ common configuration for the three Sympa VirtualHost definitions
+
+* :file:`/etc/apache2/sites-available/lists.cacert.org.conf`
+
+ HTTPS VirtualHost configuration for https://lists.cacert.org/ that supports
+ optional client certificate authentication
+
+* :file:`/etc/apache2/sites-available/cert.lists.cacert.org.conf`
+
+ HTTPS VirtualHost configuration for https://cert.lists.cacert.org/ that
+ requires client certificate authentication
+
+* :file:`/etc/apache2/sites-available/nocert.lists.cacert.org.conf`
+
+ HTTPS VirtualHost configuration for https://nocert.lists.cacert.org/ that
+ does not support client certificates
+
+* :file:`/etc/apache2/sites-available/localhost_4433_phpmyadmin.conf`
+
+ HTTPS VirtualHost configuration for https://localhost:4433/phpmyadmin
+
+Sympa configuration
+-------------------
+
+Sympa configuration is stored in :file:`/etc/sympa/`.
+
+* :file:`/etc/sympa/aliases`
+
+ generated by Sympa and included in Postfix's :file:`/etc/postfix/main.cf`.
+ The file contains alias definitions that pipe list emails into Sympa
+ processes.
+
+* :file:`/etc/sympa/data_sources/`
+
+ data sources shared accross lists (things we didn't want to define more than
+ once). The `board` data source is defined in
+ :file:`/etc/sympa/data_sources/board.incl`
+
+ .. seealso::
+
+ `Sympa manual`_
+
+* :file:`/etc/sympa/sympa.conf`
+
+ main Sympa configuration file. S/MIME configuration items must be set even if
+ they appear to be the default values. Supported_lang must be a subset of the
+ supported system locales (see :file:`/usr/lib/sympa/locale/`) otherwise user's
+ cannot change their locale in Sympa.
+
+* :file:`/etc/sympa/wwsympa.conf`
+
+ configuration for the Sympa web interface
+
+* :file:`/var/lib/sympa/expl/{listname}/{cert.pem,private_key}`
+
+ list private key and certificate for `listname`
+
+* :file:`/var/lib/sympa/x509-user-certs/{emailaddress}`
+
+ user X.509 certificates used by Sympa
+
+
+Postfix configuration
+---------------------
+
+Postfix configuration is stored in :file:`/etc/postfix/`
+
+.. note::
+
+ The file :file:`/etc/aliases.db` must be writable by the `sympa` group to
+ allow running :program:`newaliases` when defining new lists.
+
+Tasks
+=====
+
+Adding a list
+-------------
+
+1. Login to Sympa https://lists.cacert.org/wws using the
+ listmaster@lists.cacert.org (password stored in
+ :file:`/root/sympa-listmanagerpassword.txt`)
+
+2. Use the GUI to create the list. Set the list so that support@cacert.org can
+ send email to the list without confirmation using the cacert main web
+ interface, login and validate the list address issue a WoT certificate for
+ the list user export/backup the WoT certificate out of your browser copy the
+ p12 exported certificate to the list server.
+
+3. use::
+
+ openssl pkcs12 -in cacert-listname\@lists.cacert.org.p12 -nodes
+
+ to export the certificate without a password.
+
+4. copy the certificate and private key to the location described below and
+ setup permissions::
+
+ chown sympa:sympa /var/lib/sympa/expl/<list>/cert.pem
+ chown sympa:sympa /var/lib/sympa/expl/<list>/private_key
+ chmod 0600 /var/lib/sympa/expl/<list>/private_key
+ chmod 0644 /var/lib/sympa/expl/<list>/cert.pem
+
+5. add subscribers/ other owners
+
+Planned
+-------
+
+.. todo:: upgrade the lists system OS to Debian 9 (Stretch)
+
+.. todo:: manage the lists system using Puppet
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Apache httpd documentation
+ http://httpd.apache.org/docs/2.4/
+Sympa manual
+ http://www.sympa.org/manual/
+Postfix documentation
+ http://www.postfix.org/documentation.html
+Postfix Debian wiki page
+ https://wiki.debian.org/Postfix
+
+.. _Sympa manual: http://www.sympa.org/manual/list-definition#data_inclusion_file
diff --git a/docs/systems/monitor.rst b/docs/systems/monitor.rst
new file mode 100644
index 0000000..effeb80
--- /dev/null
+++ b/docs/systems/monitor.rst
@@ -0,0 +1,313 @@
+.. index::
+ single: Systems; Monitor
+
+=======
+Monitor
+=======
+
+Purpose
+=======
+
+This system hosts an `Icinga`_ instance to centrally monitor the services in
+the CAcert network (especially for security updates and certificate
+expiry).
+
+.. note::
+
+ To access the system you need a client certificate where the first email
+ address in the Subject Distinguished Name field is a cacert.org address.
+ Subject Alternative Names are not checked.
+
+ If you are the administrator of a service please ask the monitor admins to
+ add your system to the monitoring configuration and add you as system
+ contact to allow for notifications and tasks like service outage
+ acknowledgement, adding notes, rescheduling checks or setting downtimes for
+ your service.
+
+.. _Icinga: https://www.icinga.org/
+
+Application Links
+-----------------
+
+The Icinga classic frontend
+ https://monitor.cacert.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+Application Administration
+--------------------------
+
++-------------+-----------------------+
+| Application | Administrator(s) |
++=============+=======================+
+| Icinga | :ref:`people_jandd` |
++-------------+-----------------------+
+
+Contact
+-------
+
+* monitor-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_jandd` and :ref:`people_mario` have :program:`sudo` access on that
+machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.230`
+:IP Intranet: :ip:v4:`172.16.2.18`
+:IP Internal: :ip:v4:`10.0.0.18`
+:IPv6: :ip:v6:`2001:7b8:616:162:2::18`
+:MAC address: :mac:`00:ff:73:b3:17:43` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Monitor
+
+=================== ======== =========================
+Name Type Content
+=================== ======== =========================
+monitor.cacert.org. IN CNAME infrastructure.cacert.org
+=================== ======== =========================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.4
+
+* Debian GNU/Linux 9.4
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+.. seealso::
+
+ :ref:`Setup package update monitoring for a new container
+ <setup_apt_checking>`
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+-----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+=============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+-----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+-----------------------------+
+| 80/tcp | http | ANY | Icinga classic web frontend |
++----------+---------+---------+-----------------------------+
+| 443/tcp | https | ANY | Icinga classic web frontend |
++----------+---------+---------+-----------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+-----------------------------+
+| 5432/tcp | pgsql | local | PostgreSQL database for IDO |
++----------+---------+---------+-----------------------------+
+
+.. note::
+
+ The ssh port is reachable via NAT on infrastructure.cacert.org:11822
+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: Icinga
+ single: IDO2DB
+ single: Postfix
+ single: PostgreSQL
+ single: cron
+ single: nrpe
+ single: openssh
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for | init script |
+| | Icinga classic | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| Icinga | Icinga monitoring | init script |
+| | daemon | :file:`/etc/init.d/icinga` |
++--------------------+--------------------+----------------------------------------+
+| IDO2DB | IDO database | init script |
+| | writer daemon | :file:`/etc/init.d/ido2db` |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL | PostgreSQL | init script |
+| | database server | :file:`/etc/init.d/postgresql` |
+| | for IDO | |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | this system itself | |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++------------+--------+-----------------+
+| RDBMS | Name | Used for |
++============+========+=================+
+| PostgreSQL | icinga | Icinga IDO data |
++------------+--------+-----------------+
+
+Connected Systems
+-----------------
+
+None
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* crl.cacert.org (rsync) for getting CRLs
+* all :ip:v4range:`10.0.0.0/24` and :ip:v4range:`172.16.2.0/24` systems for
+ monitoring their services
+
+.. todo:: add IPv6 ranges when they are monitored
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:8iOQQGmuqi4OrF2Qkqt9665w8G7Dwl6U9J8bFfYz7V0 MD5:df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
+ :DSA: SHA256:Sh/3OWrodFWc8ZbVTV1/aJDbpt5ztGrwSSWLECTNrOI MD5:07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc
+ :ECDSA: SHA256:GWvYqhQUt9INh/7VRVu6Z2YORoy/YzgBxNBmX+ZvMsk MD5:48:46:b1:5a:4e:05:64:8a:c3:76:33:77:20:91:14:70
+ :ED25519: SHA256:L5roC867bvxDJ0ckbhIQOt2A9Nh1RQBVuIJFWwrPLG0 MD5:10:94:56:09:5b:a2:28:ab:11:e0:0f:6e:e4:0c:38:bb
+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+Icinga and the classic frontend are a bit aged but have a good security track
+record.
+
+Apache httpd has a good reputation and is a low risk package.
+
+NRPE is flawed and should be replaced. The risk is somewhat mitigated by
+firewalling on :doc:`the infrastructure host <infra02>`.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+* :file:`/etc/ssl/certs/monitor.c.o.pem` server certificate
+* :file:`/etc/ssl/private/monitor.c.o.priv` server key
+* :file:`/etc/ssl/certs/cacert.allcerts.pem` CAcert.org Class 1 and Class 3 CA
+ certificates (allowed CA certificates for client certificates and the
+ certificate chain for the server certificate)
+* :file:`/var/local/ssl/crls/`
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+CRL fetch job
+-------------
+
+The script :file:`/etc/cron.hourly/update-crls` is used to fetch CRLs once per
+hour.
+
+Apache httpd configuration
+--------------------------
+
+The HTTP and HTTPS VirtualHost configuration is defined in
+:file:`/etc/apache2/sites-available/icinga-nossl` and
+:file:`/etc/apache2/sites-available/icinga` the HTTP VirtualHost redirects to
+the HTTPS VirtualHost.
+
+Icinga configuration
+--------------------
+
+The Icinga configuration is stored in the :file:`/etc/icinga/` directory.
+Database configuration for IDO is stored in :file:`ido2db.cfg`. The Icinga
+classic frontend configuration is stored in :file:`cgi.cfg`. Host and service
+configurations are defined in the :file:`objects/` subdirectory.
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: switch to Icinga2 and Icingaweb2
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Wiki page for this system
+ :wiki:`SystemAdministration/Systems/Monitor`
diff --git a/docs/systems/proxyout.rst b/docs/systems/proxyout.rst
new file mode 100644
index 0000000..c538bbf
--- /dev/null
+++ b/docs/systems/proxyout.rst
@@ -0,0 +1,229 @@
+.. index::
+ single: Systems; Proxyout
+
+========
+Proxyout
+========
+
+Purpose
+=======
+
+This system provides an outgoing http/https proxy for controlled access to
+external resources like APT repositories and code repositories. The decision
+to setup this system has been made due to often changing IP addresses of
+external repositories that lead to update problems on several other machines.
+
+Application Links
+-----------------
+
+This machine has no externaly exposed URLs.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++-------------+---------------------+
+| Application | Administrator(s) |
++=============+=====================+
+| Squid | :ref:`people_jandd` |
++-------------+---------------------+
+
+Contact
+-------
+
+* proxyout-admin@cacert.org
+
+Additional People
+-----------------
+
+* None
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: None
+:IP Intranet: None
+:IP Internal: :ip:v4:`10.0.0.201`
+:IPv6: :ip:v6:`2001:7b8:616:162:2::201`
+:MAC address: :mac:`00:16:3e:15:b8:8c` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Proxyout
+
+.. todo:: setup DNS records (in infra.cacert.org zone)
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.4
+
+* Debian GNU/Linux 9.4
+
+Applicable Documentation
+------------------------
+
+The system is managed by :doc:`puppet`. The puppet repository is browsable at
+https://git.cacert.org/gitweb/?p=cacert-puppet.git;a=summary.
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+-----------------------------------------+
+| 3128/tcp | http | internal | squid http/https proxy |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: puppet agent
+ single: cron
+ single: exim4
+ single: squid
+ single: openssh
+
++----------------+--------------------+--------------------------------------+
+| Service | Usage | Start mechanism |
++================+====================+======================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++----------------+--------------------+--------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++----------------+--------------------+--------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission | |
++----------------+--------------------+--------------------------------------+
+| Puppet agent | local Puppet agent | init script |
+| | | :file:`/etc/init.d/puppet` |
++----------------+--------------------+--------------------------------------+
+| Squid | Caching and | init script |
+| | filtering http/ | :file:`/etc/init.d/squid` |
+| | https proxy for | |
+| | internal machines | |
++----------------+--------------------+--------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`blog`
+* :doc:`board`
+* :doc:`bugs`
+* :doc:`cats`
+* :doc:`email`
+* :doc:`emailout`
+* :doc:`git`
+* :doc:`irc`
+* :doc:`ircserver`
+* :doc:`jenkins`
+* :doc:`lists`
+* :doc:`monitor`
+* :doc:`motion`
+* :doc:`proxyin`
+* :doc:`puppet`
+* :doc:`svn`
+* :doc:`translations`
+* :doc:`web`
+* :doc:`webstatic`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
+* .debian.org Debian mirrors
+* apt.puppetlabs.com as Debian repository for puppet packages
+* HTTP and HTTPS servers specified in the squid configuration
+
+Security
+========
+
+.. sshkeys::
+ :ECDSA: 74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
+ :ED25519: 43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4
+ :RSA: 1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
+Risk assessments on critical packages
+-------------------------------------
+
+Squid is a proven http and https proxy installed from distribution packages
+with low risk.
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: Change all infrastructure hosts to use this machine as APT proxy to
+ avoid flaky firewall configurations on :doc:`infra02`.
+
+.. todo:: Add more APT repositories and ACLs if needed
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+
+References
+----------
+
+* http://www.squid-cache.org/
diff --git a/docs/systems/puppet.rst b/docs/systems/puppet.rst
new file mode 100644
index 0000000..c760d1e
--- /dev/null
+++ b/docs/systems/puppet.rst
@@ -0,0 +1,304 @@
+.. index::
+ single: Systems; Puppet
+
+======
+Puppet
+======
+
+Purpose
+=======
+
+This system acts as `Puppet`_ master for infrastructure systems.
+
+.. _Puppet: https://docs.puppet.com/puppet/
+
+Application Links
+-----------------
+
+This system has no publicly visible URLs.
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application | Administrator(s) |
++===============+=====================+
+| Puppet server | :ref:`people_jandd` |
++---------------+---------------------+
+| PuppetDB | :ref:`people_jandd` |
++---------------+---------------------+
+
+Contact
+-------
+
+* puppet-admin@cacert.org
+
+Additional People
+-----------------
+
+* None
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: None
+:IP Intranet: None
+:IP Internal: :ip:v4:`10.0.0.200`
+:IPv6: :ip:v6:`2001:7b8:616:162:2::200`
+:MAC address: :mac:`00:ff:f9:32:9d:2a` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Puppet
+
+.. todo:: setup DNS records (in infra.cacert.org zone)
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.4
+
+* Debian GNU/Linux 9.4
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+------------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+==========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+------------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+------------------------------------------+
+| 5432/tcp | pgsql | local | PostgreSQL database for PuppetDB |
++----------+-----------+-----------+------------------------------------------+
+| 8140/tcp | puppet | internal | Puppet master |
++----------+-----------+-----------+------------------------------------------+
+| 8080/tcp | puppetdb | local | HTTP endpoint for local PuppetDB queries |
++----------+-----------+-----------+------------------------------------------+
+| 8081/tcp | puppetdb | internal | HTTPS endpoint for PuppetDB |
++----------+-----------+-----------+------------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Exim
+ single: PostgreSQL
+ single: Puppet agent
+ single: Puppet server
+ single: Puppetdb
+ single: cron
+ single: openssh
+ single: rsyslog
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL | PostgreSQL | init script |
+| | database server | :file:`/etc/init.d/postgresql` |
+| | for PuppetDB | |
++--------------------+--------------------+----------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Puppet server | Puppet master for | init script |
+| | infrastructure | :file:`/etc/init.d/puppetserver` |
+| | systems | |
++--------------------+--------------------+----------------------------------------+
+| Puppet agent | local Puppet agent | init script |
+| | | :file:`/etc/init.d/puppet` |
++--------------------+--------------------+----------------------------------------+
+| Puppet DB | PuppetDB for | init script |
+| | querying Puppet | :file:`/etc/init.d/puppetdb` |
+| | facts and nodes | |
+| | and resources | |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++-------------+----------+-------------------+
+| RDBMS | Name | Used for |
++=============+==========+===================+
+| PostgreSQL | puppetdb | PuppetDB database |
++-------------+----------+-------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`jenkins`
+* :doc:`motion`
+* :doc:`proxyin`
+* :doc:`proxyout`
+* :doc:`svn`
+* :doc:`translations`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* forgeapi.puppet.com for Puppet forge access
+* rubygems.org for Puppet specific Ruby gems
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:PPEZkD7ezGStENYmE9/RftHqJyy6cC9IN6zw63OvJTM MD5:54:57:b0:09:46:ba:56:95:5e:e3:35:df:28:27:ed:c5
+ :ECDSA: SHA256:3U1CVC9YAKmF9W5SDLibwP1A9MVSb5ltVN7nYNOE15o MD5:29:06:f1:71:8d:65:3e:39:7c:49:69:16:8d:99:97:15
+ :ED25519: SHA256:AkqMLLEtMbAEuxniRRDgd7TItD+pb9hsbpn5Ab81+IM MD5:53:dc:e7:4d:25:89:a8:d5:5a:24:0b:06:3f:41:cd:4d
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+The Puppet server, Puppet agent and PuppetDB packages and a few dependencies
+are installed from the official Puppet APT repository because the versions
+in Debian are too old to use modern Puppet features.
+
+Some rubygems are installed via the puppet specific ruby gem binary to support
+advanced Puppet functionality like hiera-eyaml.
+
+All puppet related code is installed in the Puppet specific /opt/puppetlabs
+tree.
+
+
+Risk assessments on critical packages
+-------------------------------------
+
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system.
+
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+Puppet comes with its own inbuilt special purpose CA that is used to sign the
+Puppet server and Puppet DB certificates as well as the certificates of all
+trusted Puppet agents.
+
+The CA data is stored in :file:`/etc/puppetlabs/puppet/ssl` and managed by
+puppet itself.
+
+
+Eyaml private key
+-----------------
+
+All sensitive data like passwords in Hiera data is encrypted using the public
+key in :file:`keys/public_key.pkcs7.pem` in the `CAcert puppet Git repository
+<ssh://git.cacert.org/var/cache/git/cacert-puppet.git>`_. The corresponding
+private key is stored in
+:file:`/etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem`.
+
+
+hiera configuration
+-------------------
+
+Puppet uses Hiera for hierarchical information retrieval. The global hiera
+configuration is stored in :file:`/etc/puppetlabs/puppet/hiera.yaml` and
+defines the hierarchy lookup as well as the eyaml key locations.
+
+
+puppet configuration
+--------------------
+
+All puppet configuration is stored in :file:`/etc/puppetlabs/`. The CAcert
+specific puppet code is taken from the `CAcert puppet Git repository
+<ssh://git.cacert.org/var/cache/git/cacert-puppet.git>`_ and cloned to
+:file:`/etc/puppetlabs/code/environments/production/` directory. Required
+Puppet modules are installed by :program:`/opt/puppetlabs/puppet/bin/r10k`.
+
+The puppet code should follow best practices like the Roles and profiles
+pattern (see references below) and code/data separation via Hiera.
+
+
+Tasks
+=====
+
+Planned
+-------
+
+* migrate as many systems as possible to use Puppet for a more
+ reproducible/auditable system setup
+* automate updates of the Puppet code from Git
+
+.. todo:: implement Webhook on the puppet machine that triggers git pull and r10k run
+
+Changes
+=======
+
+System Future
+-------------
+
+* Improve setup, use more widely
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+
+References
+----------
+
+* https://docs.puppet.com/puppet/
+* https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml
+* https://docs.puppet.com/pe/2016.5/r_n_p_full_example.html
diff --git a/docs/systems/svn.rst b/docs/systems/svn.rst
new file mode 100644
index 0000000..398ef1a
--- /dev/null
+++ b/docs/systems/svn.rst
@@ -0,0 +1,348 @@
+.. index::
+ single: Systems; Svn
+
+===
+Svn
+===
+
+Purpose
+=======
+
+This system hosts the `Subversion`_ repository that is used for some CAcert
+documents and code that has not been moved to :doc:`git` yet, for example:
+
+* Events
+* Policy development
+* Documentation
+
+.. _Subversion: http://subversion.apache.org/
+
+Application Links
+-----------------
+
+The subversion repository
+ https://svn.cacert.org/CAcert/
+
+Anonymous read-only HTTP access
+ http://svn.cacert.org/CAcert/
+
+Username/password authenticated HTTPS access
+ https://nocert.svn.cacert.org/CAcert/
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application | Administrator(s) |
++===============+=====================+
+| Subversion | :ref:`people_jandd` |
++---------------+---------------------+
+
+Contact
+-------
+
+* svn-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`Mario Lipinski <people_mario>` has :program:`sudo` access on that machine
+too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.238`
+:IP Intranet: :ip:v4:`172.16.2.15`
+:IP Internal: :ip:v4:`10.0.0.20`
+:IPv6: :ip:v6:`2001:7b8:616:162:2::15`
+:MAC address: :mac:`00:16:3e:13:87:bb` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Svn
+
+========================== ======== ============================================
+Name Type Content
+========================== ======== ============================================
+svn.cacert.org. IN SSHFP 1 1 1128972FB54F927477A781718E2F9C114E9CA383
+svn.cacert.org. IN SSHFP 2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
+svn.cacert.org. IN A 213.154.225.238
+cert.svn.cacert.org. IN CNAME svn.cacert.org.
+nocert.svn.cacert.org IN CNAME svn.cacert.org
+========================== ======== ============================================
+
+.. todo:: add AAAA record for IPv6 address
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.4
+
+* Debian GNU/Linux 9.4
+
+Applicable Documentation
+------------------------
+
+Access to specific paths in the repository is granted on request if approved by
+team leaders/officers.
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp | http | ANY | application |
++----------+-----------+-----------+-----------------------------------------+
+| 443/tcp | https | ANY | application |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: Exim
+ single: Puppet agent
+ single: cron
+ single: nrpe
+ single: openssh
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for | init script |
+| | Subversion | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+| Puppet agent | configuration | init script |
+| | management agent | :file:`/etc/init.d/puppet` |
++--------------------+--------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* Connection from :doc:`blog` because blog uses some resources served from svn
+* Connection from https://www.cacert.org/ because blog posts are embedded there
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* crl.cacert.org (rsync) for getting CRLs
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
+* :doc:`proxyout` as HTTP proxy for APT
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:8iOQQGmuqi4OrF2Qkqt9665w8G7Dwl6U9J8bFfYz7V0 MD5:df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
+ :DSA: SHA256:Sh/3OWrodFWc8ZbVTV1/aJDbpt5ztGrwSSWLECTNrOI MD5:07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc
+ :ECDSA: SHA256:VvsTuiTYiz3P194MM9bwteZcKwyLi/RMWHd0a3TEmYY MD5:f9:10:2c:bb:1d:2f:d4:c4:b3:74:b6:f9:26:4c:64:54
+ :ED25519: SHA256:Oga06gc4LasN/lTb6SZzlYfg6HFeMn5Rgnm+G9hHtzw MD5:56:88:68:0d:3a:32:13:6b:da:bd:ae:d7:cc:9b:b8:f5
+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
+Risk assessments on critical packages
+-------------------------------------
+
+Apache httpd is configured with a minimum of enabled modules to allow TLS and
+Subversion but nothing else to reduce potential security risks.
+
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: svn.cacert.org
+ :altnames: DNS:cert.svn.cacert.org, DNS:nocert.svn.cacert.org, DNS:svn.cacert.org
+ :certfile: /etc/apache2/ssl/svn.cacert.org.crt.pem
+ :keyfile: /etc/apache2/ssl/svn.cacert.org.key.pem
+ :serial: 02C023
+ :expiration: Mar 16 10:36:50 2020 GMT
+ :sha1fp: 54:5D:E2:B8:81:1A:A8:79:43:55:79:E9:5B:B8:FC:0F:A0:F5:C7:D3
+ :issuer: CAcert Class 3 Root
+
+* `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
+* `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+The main configuration files for Apache httpd are:
+
+* :file:`/etc/apache2/sites-available/cert.svn.cacert.org`
+
+ Defines the https VirtualHost for IPv4 and IPv6 on port 443 using client
+ certificate authentication. The SNI server names svn.cacert.org and
+ cert.svn.cacert.org are handled by the VirtualHost configuration in this
+ file.
+
+* :file:`/etc/apache2/sites-available/nocert.svn.cacert.org`
+
+ Defines the https VirtualHost for IPv4 and IPv6 on port 443 using
+ username/password authentication. The SNI server name nocert.svn.cacert.org
+ is handled by the VirtualHost configuration in this file.
+
+* :file:`/etc/apache2/sites-available/000-default`
+
+ Defines the http read-only VirtualHost for IPv4 and IPv6 on port 80.
+
+These files include the following files to configure Subversion and
+authentication/authorization:
+
+* :file:`/etc/apache2/sites-available/ssl_config.include`
+
+ contains VirtualHost specific TLS configuration
+
+* :file:`/etc/apache2/sites-available/svn_anonymous_config.include`
+
+ configure anonymous SVN access without defining a password file and thus
+ restricting SVN paths that require authentication
+
+* :file:`/etc/apache2/sites-available/svn_pwauth_config.include`
+
+ configure username/password authenticated access to SVN using the password
+ file :file:`/srv/dav_svn.passwd`.
+
+* :file:`/etc/apache2/sites-available/svn_certauth_config.include`
+
+ configure TLS client certificate authenticated access to SVN using the first
+ email address in the client certificate's Subject Distinguished name as user
+ name
+
+Subversion configuration
+------------------------
+
+Subversion authorization (aliases, groups and ACLs) is configured in
+:file:`/srv/dav_svn.authz` in the format specified in `path based authorization
+<http://svnbook.red-bean.com/de/1.8/svn.serverconfig.pathbasedauthz.html>`_ in
+the Subversion book.
+
+The repository data is stored in :file:`/srv/svnrepo`.
+
+CRL update job
+--------------
+
+CRLs are updated by :file:`/etc/cron.daily/fetchcrls`.
+
+
+Tasks
+=====
+
+Planned
+-------
+
+The configuration of this system will be migrated to a setup fully managed by
+Puppet.
+
+X.509 Auth for policy
+---------------------
+
+* Documentation officer has endorsed
+* Waiting on Org-assurer word as to org-assurer policy stuff
+
+Mail notifications
+------------------
+
+* commit hooks on policy to policy list?
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+ * :wiki:`Technology/KnowledgeBase/ClientCerts#SVN`
+ * :wiki:`SystemAdministration/Systems/Svn/Setup`
+
+References
+----------
+
+* http://svnbook.red-bean.com/en/1.8/svn.reposadmin.html
diff --git a/docs/systems/template.rst b/docs/systems/template.rst
new file mode 100644
index 0000000..35ca202
--- /dev/null
+++ b/docs/systems/template.rst
@@ -0,0 +1,345 @@
+.. index::
+ single: Systems; <host>
+
+==================
+Systems - TEMPLATE
+==================
+
+Purpose
+=======
+
+.. <SHORT DESCRIPTION>
+
+Application Links
+-----------------
+
+.. link1
+ https://<hostname>/<path>
+
+ link2
+ https://<hostname>/<path2>
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+.. people_<name> are defined in people.rst
+
+* Primary: :ref:`people_primary`
+* Secondary: :ref:`people_secondary`
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application | Administrator(s) |
++===============+=====================+
+| <application> | :ref:`people_admin` |
++---------------+---------------------+
+
+Contact
+-------
+
+* <system>-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_a` and :ref:`people_b` have :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.>
+
+.. ## Use the following for containers on Infra02:
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Physical Configuration
+----------------------
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/EquipmentList`
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`<IP>`
+:IP Intranet: :ip:v4:`<IP>`
+:IP Internal: :ip:v4:`<IP>`
+:MAC address: :mac:`<MAC>` (interfacename)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; <machine>
+
+========================== ======== ==========================================
+Name Type Content
+========================== ======== ==========================================
+<HOST>.cacert.org. IN A <IP>
+<HOST>.intra.cacert.org. IN A <IP>
+========================== ======== ==========================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Codename
+ single: Debian GNU/Linux; x.y
+
+* Debian GNU/Linux x.y
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
+.. use the values from this table or add new lines if applicable
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp | http | ANY | application |
++----------+-----------+-----------+-----------------------------------------+
+| 443/tcp | https | ANY | application |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+| 3306/tcp | mysql | local | MySQL database for ... |
++----------+-----------+-----------+-----------------------------------------+
+| 5432/tcp | pgsql | local | PostgreSQL database for ... |
++----------+-----------+-----------+-----------------------------------------+
+| 465/udp | syslog | local | syslog port |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: Icinga2
+ single: MySQL
+ single: OpenERP
+ single: Postfix
+ single: PostgreSQL
+ single: cron
+ single: nginx
+ single: nrpe
+ single: openssh
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for ... | init script |
+| | | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL | PostgreSQL | init script |
+| | database server | :file:`/etc/init.d/postgresql` |
+| | for ... | |
++--------------------+--------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for ... | :file:`/etc/init.d/mysql` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission, ... | |
++--------------------+--------------------+----------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission, ... | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++-------------+--------------+---------------------------+
+| RDBMS | Name | Used for |
++=============+==============+===========================+
+| MySQL | application1 | fictional application one |
++-------------+--------------+---------------------------+
+| PostgreSQL | application2 | fictional application two |
++-------------+--------------+---------------------------+
+
+Running Guests
+--------------
+
++----------------+-------------+---------------+---------+---------------+
+| Machine | IP Intranet | IP Internet | Ports | Purpose |
++================+=============+===============+=========+===============+
+| :doc:`machine` | <LOCAL IP> | <INTERNET IP> | <PORTS> | <DESCRIPTION> |
++----------------+-------------+---------------+---------+---------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* crl.cacert.org (rsync) for getting CRLs
+
+Security
+========
+
+.. add the MD5 fingerprints of the SSH host keys
+
+.. sshkeys::
+ :RSA:
+ :DSA:
+ :ECDSA:
+ :ED25519:
+
+Dedicated user roles
+--------------------
+
+.. If the system has some dedicated user groups besides the sudo group used for
+ administration it should be documented here Regular operating system groups
+ should not be documented
+
++-------------+-----------------------------+
+| Group | Purpose |
++=============+=============================+
+| <groupname> | <short purpose description> |
++-------------+-----------------------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+.. * None
+ or
+ * List of non-distribution packages and modifications (with some
+ explaination why no distribution package could be used)
+
+Risk assessments on critical packages
+-------------------------------------
+
+.. add a paragraph for each known risk. The risk has to be described.
+ Mitigation or risk acceptance has to be documented.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. use the sslcert directive to have certificates added to the certificate list
+ automatically
+
+.. sslcert:: template.cacert.org
+ :altnames:
+ :certfile:
+ :keyfile:
+ :serial:
+ :expiration:
+ :sha1fp:
+ :issuer:
+
+.. for certificates that are orginally created on another host use
+
+.. sslcert:: other.cacert.org
+ :certfile:
+ :keyfile:
+ :serial:
+ :secondary:
+
+.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
+ * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+<service_x> configuration
+-------------------------
+
+.. add a section for the configuration of each service where configuration
+ deviates from OS package defaults
+
+Tasks
+=====
+
+Planned
+-------
+
+.. add a paragraph or todo directive for each larger planned task. You may want
+ to link to specific issues if you use some issue tracker.
+
+Changes
+=======
+
+System Future
+-------------
+
+.. use this section to describe any plans for the system future. These are
+ larger plans like moving to another host, abandoning the system or replacing
+ its functionality with something else.
+
+.. * No plans
+
+Additional documentation
+========================
+
+.. add inline documentation
+
+.. remove unneeded links from the list below, add other links that apply
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+ * :wiki:`PostfixConfiguration`
+ * :wiki:`QmailConfiguration`
+ * :wiki:`SendmailConfiguration`
+ * :wiki:`StunnelConfiguration`
+
+References
+----------
+
+.. can be used to provide links to reference documentation
+ * http://product.site.com/docs/
+ * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]
diff --git a/docs/systems/translations.rst b/docs/systems/translations.rst
new file mode 100644
index 0000000..bdca11b
--- /dev/null
+++ b/docs/systems/translations.rst
@@ -0,0 +1,423 @@
+.. index::
+ single: Systems; Translations
+
+============
+Translations
+============
+
+Purpose
+=======
+
+This system runs a `Pootle`_ translation server.
+
+.. _Pootle: http://pootle.translatehouse.org/
+
+
+Application Links
+-----------------
+
+Pootle web interface
+ https://translations.cacert.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++-------------+---------------------+
+| Application | Administrator(s) |
++=============+=====================+
+| Pootle | :ref:`people_jandd` |
++-------------+---------------------+
+
+Contact
+-------
+
+* translations-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` has :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.240`
+:IP Intranet: :ip:v4:`172.16.2.31`
+:IP Internal: :ip:v4:`10.0.0.31`
+:MAC address: :mac:`00:ff:6c:7d:5b:c5` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Translations
+
+============================== ======== ==========================================
+Name Type Content
+============================== ======== ==========================================
+translations.cacert.org. IN A 213.154.225.240
+translations.cacert.org. IN SSHFP 1 1 1128972FB54F927477A781718E2F9C114E9CA383
+translations.cacert.org. IN SSHFP 2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
+translations.intra.cacert.org. IN A 172.16.2.31
+============================== ======== ==========================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.4
+
+* Debian GNU/Linux 9.4
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+----------------------------+
+| 80/tcp | http | ANY | redirect to https |
++----------+---------+---------+----------------------------+
+| 443/tcp | https | ANY | application |
++----------+---------+---------+----------------------------+
+| 3306/tcp | mysql | local | MySQL database for Pootle |
++----------+---------+---------+----------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+----------------------------+
+| 6379/tcp | redis | local | Redis in memory cache |
++----------+---------+---------+----------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: MariaDB
+ single: Postfix
+ single: Redis
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+ single: supervisord
+
++--------------------+------------------------------+-----------------------------------------------------+
+| Service | Usage | Start mechanism |
++====================+==============================+=====================================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+------------------------------+-----------------------------------------------------+
+| Apache httpd | Webserver for | init script |
+| | Pootle | :file:`/etc/init.d/apache2` |
++--------------------+------------------------------+-----------------------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+------------------------------+-----------------------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+------------------------------+-----------------------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for Pootle | :file:`/etc/init.d/mysql` |
++--------------------+------------------------------+-----------------------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+------------------------------+-----------------------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+------------------------------+-----------------------------------------------------+
+| Redis | Job queue for Pootle | init script :file:`/etc/init.d/redis-server` |
++--------------------+------------------------------+-----------------------------------------------------+
+| Supervisord | Supervisor for background | init script :file:`/etc/init.d/supervisor` |
+| | tasks | |
++--------------------+------------------------------+-----------------------------------------------------+
+| Pootle rqworker | Worker for Pootle background | supervisor task in |
+| | tasks | :file:`/etc/supervisor/conf.d/pootle-rqworker.conf` |
++--------------------+------------------------------+-----------------------------------------------------+
+
+Databases
+---------
+
++-------+--------+----------+
+| RDBMS | Name | Used for |
++=======+========+==========+
+| MySQL | pootle | Pootle |
++-------+--------+----------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
+* :doc:`proxyout` as HTTP proxy for APT
+* arbitrary Internet HTTP, HTTPS, FTP, FTPS, git servers for fetching Pootle
+ dependencies (via ``&CONTAINER_OUT_ELEVATED("translations");`` in
+ :file:`/etc/ferm/ferm.d/translations.conf` on :doc:`infra02`).
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:8iOQQGmuqi4OrF2Qkqt9665w8G7Dwl6U9J8bFfYz7V0 MD5:df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
+ :DSA: SHA256:Sh/3OWrodFWc8ZbVTV1/aJDbpt5ztGrwSSWLECTNrOI MD5:07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc
+ :ECDSA: SHA256:RB1262UQIqjFgQxpRsvexHUE6XrWabBz7J1uJ3kafE0 MD5:0a:39:d9:22:39:3a:48:5d:fb:a3:27:15:d9:30:a8:64
+ :ED25519: SHA256:b+MzS1Hmj59lCwDRP1BDBgKbcadsWv9Uhz1ysk7RndU MD5:ca:a6:93:70:8c:38:23:26:16:68:5b:87:16:ee:70:17
+
+Dedicated user roles
+--------------------
+
++---------------+----------------------------------+
+| Group | Purpose |
++===============+==================================+
+| pootle-update | Planned translation update group |
++---------------+----------------------------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+Pootle is a Python/Django application that has been installed in a Python
+virtualenv. Pootle and all its dependencies have been installed using:
+
+ .. code-block:: bash
+
+ cd /var/www/pootle
+ virtualenv pootle-2.8.2
+ ln -s pootle-2.8.2 current
+ chown -R pootle.www-data pootle-2.8.2
+ sudo -s -u pootle
+ . pootle-2.8.2/bin/activate
+ pip install --process-dependency-links Pootle[mysql]
+ pootle migrate
+
+Pootle is installed in a versioned directory. The used version is a symlink in
+:file:`/var/www/pootle/current`. The rationale is to avoid changes to many
+different configuration files when updating to a newer Pootle version.
+
+The installation needs an installed :program:`gcc` and a few library development
+packages.
+
+.. todo::
+
+ consider building the virtualenv on :doc:`jenkins` to avoid development tools
+ on this system
+
+Risk assessments on critical packages
+-------------------------------------
+
+System access is limited to http/https via Apache httpd which is restricted to
+a minimal set of modules.
+
+Pootle is based on Django 1.10 and should be updated to a newer version when it
+becomes available. Pootle is run as a dedicated system user `pootle` that is
+restricted via filesystem permissions.
+
+The following change has been made to the translation toolkit filters that are
+used by Pootle in :file:`/var/www/pootle/pootle-2.8.2/lib/python2.7/site-packages/translate/filters/checks.py`
+to add CAcert specific translation checks:
+
+ .. code-block:: diff
+
+ commit 4d107e5019f4794b4581cadaf4e9a8339868f6a4
+ Author: Jan Dittberner <jandd@cacert.org>
+ Date: Fri Feb 23 20:39:03 2018 +0000
+
+ Add CAcert checkers
+
+ Signed-off-by: Jan Dittberner <jandd@cacert.org>
+
+ diff --git a/filters/checks.py b/filters/checks.py
+ index db10937..45b464c 100644
+ --- a/filters/checks.py
+ +++ b/filters/checks.py
+ @@ -2475,6 +2475,24 @@ class IOSChecker(StandardChecker):
+ StandardChecker.__init__(self, **kwargs)
+
+
+ +cacertconfig = CheckerConfig(
+ + notranslatewords = ["CAcert", "Assurer"],
+ + criticaltests = ["printf"],
+ +)
+ +
+ +
+ +class CAcertChecker(StandardChecker):
+ +
+ + def __init__(self, **kwargs):
+ + checkerconfig = kwargs.get("checkerconfig", None)
+ + if checkerconfig is None:
+ + checkerconfig = CheckerConfig()
+ + kwargs["checkerconfig"] = checkerconfig
+ +
+ + checkerconfig.update(cacertconfig)
+ + StandardChecker.__init__(self, **kwargs)
+ +
+ +
+ projectcheckers = {
+ "minimal": MinimalChecker,
+ "standard": StandardChecker,
+ @@ -2490,6 +2508,7 @@ projectcheckers = {
+ "terminology": TermChecker,
+ "l20n": L20nChecker,
+ "ios": IOSChecker,
+ + "cacert": CAcertChecker,
+ }
+
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
+
+.. todo:: move configuration of :doc:`translations` to Puppet code
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: translations.cacert.org
+ :altnames: DNS:l10n.cacert.org, DNS:translations.cacert.org
+ :certfile: /etc/ssl/public/translations.c.o.chain.crt
+ :keyfile: /etc/ssl/private/translations.c.o.key
+ :serial: 11E887
+ :expiration: Mar 31 21:26:56 18 GMT
+ :sha1fp: 44:44:42:E5:4F:A9:29:94:18:71:BC:C9:7C:06:3C:EA:01:7E:75:DB
+ :issuer: CA Cert Signing Authority
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+Apache configuration
+--------------------
+
+The main configuration files for Apache httpd are:
+
+* :file:`/etc/apache2/sites-available/pootle-nossl.conf`
+
+ defines the HTTP VirtualHost that redirects all requests to
+ https://translations.cacert.org/
+
+* :file:`/etc/apache2/sites-available/pootle-ssl.conf`
+
+ defines the HTTPS VirtualHost for Pootle including the TLS and WSGI setup
+
+Pootle configuration
+--------------------
+
+The main Pootle configuration file is
+:file:`/var/www/pootle/current/pootle.conf`. The file defines the database
+and CAcert specific settings.
+
+Pootle runs some background jobs that are queued via redis and run from a
+worker process. The worker process lifecycle is managed via
+:program:`supervisord`. The supervisor configuration for this worker is in
+:file:`/etc/supervisor/conf.d/pootle-rqworker.conf`.
+
+The WSGI_ runner for Pootle is contained in :file:`/var/www/pootle/wsgi.py`
+it references the symlinked Pootle instance directory
+:file:`/var/www/pootle/current` and should not need changes when a new
+Pootle version is installed.
+
+.. _WSGI: https://en.wikipedia.org/wiki/Web_Server_Gateway_Interface
+
+There are scripts in :file:`/usr/local/bin` that were implemented for an older
+Pootle version and have to be checked/updated.
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo::
+
+ integrate the pootle projects with version control systems. The templates
+ (.pot files) in :file:`/var/www/pootle/po` can be updated and loaded into
+ Pootle by invoking::
+
+ pootle update_stores --project=<project_id> --language=templates
+
+ see the `Pootle documentation <http://docs.translatehouse.org/projects/pootle/en/stable-2.8.x/server/project_setup.html#project-setup-updating-strings>`_
+
+.. todo::
+
+ update and improve the scripts in :file:`/usr/local/bin` and integrate
+ them with the :program:`sudo` system to allow members of the `pootle-update`
+ group to run them in the context of the `pootle` system user
+
+Changes
+=======
+
+System Future
+-------------
+
+* keep Pootle up to date
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Apache httpd documentation
+ http://httpd.apache.org/docs/2.4/
+MariaDB knowledge base
+ https://mariadb.com/kb/en/
+mod_wsgi documentation
+ https://modwsgi.readthedocs.io/en/develop/
+Pootle documentation
+ http://docs.translatehouse.org/projects/pootle/en/stable-2.8.x/
+Redis documentation
+ https://redis.io/documentation
+Supervisord documentation
+ http://supervisord.org/
diff --git a/docs/systems/web.rst b/docs/systems/web.rst
new file mode 100644
index 0000000..f1851a1
--- /dev/null
+++ b/docs/systems/web.rst
@@ -0,0 +1,308 @@
+.. index::
+ single: Systems; Web
+
+===
+Web
+===
+
+Purpose
+=======
+
+Reverse proxy for different websites that handles http to https redirection and
+TLS handshakes. The following services are currently proxied by this system:
+
+* Jenkins on :doc:`jenkins`
+* funding.cacert.org and infradocs.cacert.org on :doc:`webstatic`
+
+The proxy should be used for all web applications that do not need access to the
+TLS parameters (client certificates, other peer information). Applications that
+need to perform TLS handshakes themselves can be proxied through :doc:`proxyin`.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application | Administrator(s) |
++===============+=====================+
+| Apache httpd | :ref:`people_jandd` |
++---------------+---------------------+
+
+Contact
+-------
+
+* web-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` has :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.242`
+:IP Intranet: :ip:v4:`172.16.2.26`
+:IP Internal: :ip:v4:`10.0.0.26`
+:MAC address: :mac:`00:ff:c7:e5:66:ae` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Web
+
+===================== ======== ====================================================================
+Name Type Content
+===================== ======== ====================================================================
+web.cacert.org. IN A 213.154.225.242
+web.cacert.org. IN SSHFP 1 1 85F5338D90930200CBBFCE1AAB56988B4C8F0F22
+web.cacert.org. IN SSHFP 1 2 D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E
+web.cacert.org. IN SSHFP 2 1 906F0C17BB0E233B0F52CE33CFE64038D45AC4F2
+web.cacert.org. IN SSHFP 2 2 DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F
+web.cacert.org. IN SSHFP 3 1 7B62D8D1E093C28CDA0F3D2444846128B41C10DE
+web.cacert.org. IN SSHFP 3 2 0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B
+web.intra.cacert.org. IN A 172.16.2.26
+===================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.4
+
+* Debian GNU/Linux 9.4
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp | http | ANY | redirects to https |
++----------+-----------+-----------+-----------------------------------------+
+| 443/tcp | https | ANY | https termination and reverse proxy |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+
++--------------------+---------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+=====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+---------------------+----------------------------------------+
+| Apache httpd | http redirector, | init script |
+| | https reverse proxy | :file:`/etc/init.d/apache2` |
++--------------------+---------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+---------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+---------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+---------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+---------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* :doc:`jenkins` as backend for the jenkins.cacert.org VirtualHost
+* :doc:`webstatic` as backend for the funding.cacert.org and
+ infradocs.cacert.org VirtualHosts
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:05y9UViPMi97Q4QnTPAWbyWxD1SmzRU+1yUf8wtbUW4 MD5:6d:e5:7e:1d:72:d5:5e:f8:43:80:94:a8:b1:0d:9b:81
+ :DSA: SHA256:2/YiGopAO0yfU3tnYwX9rgf/RaHBjYixFBAxQCrwJQ8 MD5:00:27:11:fe:58:9d:d8:e5:c5:35:34:27:bb:79:86:16
+ :ECDSA: SHA256:CRfaZ3yebK8YGMEVHsKoE2I6KylVoahQ8mDWTvBBQAs MD5:7f:91:92:80:f2:b5:2f:5d:8e:11:3f:9b:62:48:e7:18
+ :ED25519: SHA256:IHm9Gjf0u753ADO+WDYLFuHwPK3ReAe101xG/NeCwYk MD5:82:ab:13:33:ee:69:cf:09:18:20:d0:9c:b9:a0:0e:61
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+Apache httpd is configured with a minimum of enabled modules to allow proxying
+and TLS handling only to reduce potential security risks.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: funding.cacert.org
+ :altnames: DNS:funding.cacert.org
+ :certfile: /etc/ssl/certs/funding.cacert.org.crt
+ :keyfile: /etc/ssl/private/funding.cacert.org.key
+ :serial: 02A770
+ :expiration: Feb 16 12:07:35 19 GMT
+ :sha1fp: 36:E0:A1:86:7A:FA:C6:F4:86:9F:CC:9C:61:4D:B9:A4:7C:0F:9F:C9
+ :issuer: CAcert Class 3 Root
+
+.. sslcert:: infradocs.cacert.org
+ :altnames: DNS:infradocs.cacert.org
+ :certfile: /etc/ssl/certs/infradocs.cacert.org.crt
+ :keyfile: /etc/ssl/private/infradocs.cacert.org.key
+ :serial: 029159
+ :expiration: May 06 07:46:25 18 GMT
+ :sha1fp: BA:79:60:5E:8C:21:F0:14:FF:64:6B:44:64:A0:23:F9:C3:A1:F0:C6
+ :issuer: CAcert Class 3 Root
+
+.. sslcert:: jenkins.cacert.org
+ :altnames: DNS:jenkins.cacert.org
+ :certfile: /etc/ssl/certs/jenkins.cacert.org.crt
+ :keyfile: /etc/ssl/private/jenkins.cacert.org.key
+ :serial: 02A76F
+ :expiration: Feb 16 12:07:29 19 GMT
+ :sha1fp: D1:E3:5B:73:63:28:C6:31:0F:35:4A:2F:0D:12:B5:6C:3F:72:08:3D
+ :issuer: CAcert Class 3 Root
+
+.. sslcert:: web.cacert.org
+ :altnames: DNS:web.cacert.org
+ :certfile: /etc/ssl/certs/web.cacert.org.crt
+ :keyfile: /etc/ssl/private/web.cacert.org.key
+ :serial: 02BE3D
+ :expiration: Feb 19 11:44:47 20 GMT
+ :sha1fp: D5:20:E8:4D:C1:FC:6E:DF:7E:D3:5D:03:03:3D:1B:CB:27:4B:3D:85
+ :issuer: CAcert Class 3 Root
+
+* :file:`/usr/share/ca-certificates/CAcert/class3.crt` CAcert.org Class 3
+ certificate for server certificate chains. The Apache httpd configuration
+ files reference the symlinked version at :file:`/etc/ssl/certs/class3.pem`.
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+Apache httpd configuration
+--------------------------
+
+* :file:`/etc/apache2/sites-available/000-default.conf`
+
+ Defines the default VirtualHost for requests reaching this host with no
+ specifically handled host name.
+
+* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`
+
+ Defines the VirtualHost http://funding.cacert.org/ that redirects to
+ https://funding.cacert.org/ and the VirtualHost https://funding.cacert.org/
+ that provides reverse proxy functionality for the same host name on
+ :doc:`webstatic`.
+
+* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`
+
+ Defines the VirtualHost http://infradocs.cacert.org/ that redirects to
+ https://infradocs.cacert.org/ and the VirtualHost
+ https://infradocs.cacert.org/ that provides reverse proxy functionality for
+ the same host name on :doc:`webstatic`.
+
+* :file:`/etc/apache2/sites-available/jenkins.cacert.org.conf`
+
+ Defines the VirtualHost http://jenkins.cacert.org/ that redirects to
+ https://jenkins.cacert.org/ and the VirtualHost https://jenkins.cacert.org/
+ that provides reverse proxy functionality for the Jenkins instance on
+ :doc:`jenkins`.
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: manage the web system using Puppet
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. note::
+ The system hosted the Drupal based community portal https://www.cacert.eu/
+ in the past. The DNS records for this portal have been changed to point to
+ the regular https://www.cacert.org/ site. All unreachable VirtualHosts have
+ been archived to the backup disk at :doc:`infra02`.
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+* http://httpd.apache.org/docs/2.4/
diff --git a/docs/systems/webmail.rst b/docs/systems/webmail.rst
new file mode 100644
index 0000000..7878236
--- /dev/null
+++ b/docs/systems/webmail.rst
@@ -0,0 +1,358 @@
+.. index::
+ single: Systems; Webmail
+
+===================
+Webmail (Community)
+===================
+
+Purpose
+=======
+
+This container hosts the webmail system available at
+https://community.cacert.org/ that provides web based mail access to users with
+a @cacert.org email address.
+
+The system also hosts the `board voting system`_, `staff list`_ and `email
+password reset`_.
+
+.. todo:: move `board voting system`_ to a separate container
+
+.. todo::
+ move `staff list`_ to a separate container or integrate it into some
+ new self service system
+
+.. _board voting system: https://community.cacert.org/board
+.. _staff list: https://community.cacert.org/staff.php
+.. _email password reset: https://community.cacert.org/password.php
+
+Application Links
+-----------------
+
+Webmail URL
+ https://community.cacert.org/ (redirects to
+ https://community.cacert.org/roundcubemail/)
+
+Board Voting System URL
+ https://community.cacert.org/board/
+
+Password reset
+ https://community.cacert.org/password.php
+
+Staff list
+ https://community.cacert.org/staff.php
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: None
+* Secondary: None
+
+.. todo:: find admins for webmail
+
+Application Administration
+--------------------------
+
++---------------------+-----------------------+
+| Application | Administrators |
++=====================+=======================+
+| Webmail | :ref:`people_ulrich`, |
+| | :ref:`people_jselzer` |
++---------------------+-----------------------+
+| Board voting system | :ref:`people_jandd` |
++---------------------+-----------------------+
+| Staff list | None |
++---------------------+-----------------------+
+| Password reset | None |
++---------------------+-----------------------+
+
+Contact
+-------
+
+* webmail-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_jandd`, :ref:`people_mario` and :ref:`people_jselzer` have
+:program:`sudo` access on that machine.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.228`
+:IP Intranet: :ip:v4:`172.16.2.20`
+:IP Internal: :ip:v4:`10.0.0.120`
+:MAC address: :mac:`00:ff:9a:a7:64:78` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Webmail
+ single: DNS records; Community
+
+===================== ======== ================
+Name Type Content
+===================== ======== ================
+community.cacert.org. IN CNAME email.cacert.org
+===================== ======== ================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Etch
+ single: Debian GNU/Linux; 4.0
+
+* Debian GNU/Linux 4.0
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+.. seealso::
+
+ * :wiki:`CommunityEmail`
+ * :wiki:`EmailAccountPolicy`
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+---------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+===========================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+---------------------------+
+| 443/tcp | https | ANY | Web server |
++----------+---------+---------+---------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+---------------------------+
+
+.. note::
+
+ The ssh port is reachable via NAT on email.cacert.org:12022
+
+Running services
+----------------
+
+.. index::
+ single: openssh
+ single: Apache
+ single: cron
+ single: Postfix
+ single: nrpe
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for | init script |
+| | Applications | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* archive.debian.org as Debian mirror
+* :doc:`email` for MySQL (3306/tcp) for webmail, password reset and staff list
+* :doc:`email` IMAP (110/tcp), IMAPS (993/tcp), Manage Sieve (2001/tcp), SMTPS
+ (465/tcp) and SMTP Submission (587/tcp) for the webmail system
+
+Security
+========
+
+.. sshkeys::
+ :RSA: 82:91:22:22:10:75:ab:0e:55:05:9a:f9:98:cb:94:48
+ :DSA: 6b:6e:59:37:41:83:a5:89:2a:18:04:23:51:53:5d:cd
+
+.. warning::
+
+ The system is too old to support ECDSA or ED25519 keys.
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+:file:`/var/www/roundcubemail` contains a `Roundcube`_ 0.2.1 installation,
+probably with patches.
+
+.. todo::
+
+ Research wether Roundcube has been patched or not
+
+:file:`/var/www/staff.php` is a custom built PHP script to show a list of
+people with cacert.org email addresses.
+
+:file:`/var/www/password.php` is a custom build PHP script to allow users to
+reset their email password.
+
+:file:`/var/www/board` contains the board voting system.
+
+.. _Roundcube: https://roundcube.net/
+
+Risk assessments on critical packages
+-------------------------------------
+
+The whole system is outdated, the PHP version is ancient, Roundcube is old.
+Needs to be replaced as soon as possible.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: community.cacert.org
+ :altnames: DNS:cert.community.cacert.org, DNS:cert.email.cacert.org,
+ DNS:community.cacert.org, DNS:email.cacert.org,
+ DNS:nocert.community.cacert.org, DNS:nocert.email.cacert.org
+ :certfile: /etc/ssl/certs/ssl-cert-community-cacert.crt
+ :keyfile: /etc/ssl/private/ssl-cert-community-cacert.key
+ :serial: 1381F8
+ :expiration: Mar 16 11:13:16 2020 GMT
+ :sha1fp: 74:67:9E:C7:48:E1:CC:4F:42:C5:4D:C9:13:B9:07:CA:9F:F9:77:C1
+ :issuer: CA Cert Signing Authority
+
+* :file:`/usr/share/ca-certificates/cacert.org/` directory containing the
+ CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for
+ client authentication and certificate chain for server certificate) with
+ symbolic links with the :command:`openssl` hashed certificate names
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+The Apache httpd configuration is stored in
+:file:`/etc/apache2/sites-available/webmail`.
+
+:file:`/etc/hosts`
+------------------
+
+Defines some aliases for :doc:`email` that are used by Roundcube, the password
+reset script and the staff list script.
+
+.. index::
+ pair: Roundcube; configuration
+
+Roundcube configuration
+-----------------------
+
+The Roundcube configuration is stored in files in the
+:file:`/var/www/roundcubemail/config/` directory.
+
+
+Staff list script
+-----------------
+
+The staff list contains its configuration in :file:`/var/www/staff.php` itself.
+
+.. todo::
+
+ Put the staff list script in a git repository
+
+Password reset script
+---------------------
+
+The password reset script contains it configuration in
+:file:`/var/www/password.php` itself.
+
+.. todo::
+
+ Put the password reset script in a git repository
+
+Board voting system configuration
+---------------------------------
+
+The board voting system uses a SQLite database in
+:file:`/var/www/board/database.sqlite`.
+
+.. warning::
+
+ The board voting system software seems to be checked out from a Subversion
+ repository at https://svn.cacert.cl/Software/Voting/vote that does not exist
+ anymore
+
+.. todo::
+
+ Put the current version of the board voting system in a git repository
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: implement CRL checking
+
+Changes
+=======
+
+System Future
+-------------
+
+.. todo::
+ The system has to be replaced with a new system using a current operating
+ system version
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Wiki page for this system
+ :wiki:`SystemAdministration/Systems/Community`
diff --git a/docs/systems/webstatic.rst b/docs/systems/webstatic.rst
new file mode 100644
index 0000000..7b96d44
--- /dev/null
+++ b/docs/systems/webstatic.rst
@@ -0,0 +1,285 @@
+.. index::
+ single: Systems; Webstatic
+
+=========
+Webstatic
+=========
+
+Purpose
+=======
+
+This system provides a web server for serving static content. HTTP requests
+for this system are proxied through :doc:`web` which also handles TLS
+termination and redirects from http scheme URLs to https.
+
+Application Links
+-----------------
+
+Funding
+ https://funding.cacert.org/
+
+Infrastructure Documentation
+ https://infradocs.cacert.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application | Administrator(s) |
++===============+=====================+
+| Apache httpd | :ref:`people_jandd` |
++---------------+---------------------+
+| Gitolite | :ref:`people_jandd` |
++---------------+---------------------+
+
+Contact
+-------
+
+* webstatic-admin@cacert.org
+
+Additional People
+-----------------
+
+No additional people have access to this machine.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: reverse proxied from :doc:`web`
+:IP Intranet: :ip:v4:`172.16.2.116`
+:IP Internal: :ip:v4:`10.0.0.116`
+:MAC address: :mac:`00:ff:67:39:23:f2` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Webstatic
+
+=========================== ======== ====================================================================
+Name Type Content
+=========================== ======== ====================================================================
+funding.cacert.org. IN CNAME webstatic.cacert.org.
+infradocs.cacert.org. IN CNAME webstatic.cacert.org.
+webstatic.cacert.org. IN A 213.154.225.242
+webstatic.cacert.org. IN SSHFP 1 1 30897A7A984D8350495946D54C6374E9331237EF
+webstatic.cacert.org. IN SSHFP 1 2 32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F
+webstatic.cacert.org. IN SSHFP 2 1 868361A51EC60607BFD964D0F8F3E4EE5E803FC6
+webstatic.cacert.org. IN SSHFP 2 2 A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547
+webstatic.cacert.org. IN SSHFP 3 1 7FC847CEC20B9D65296D4A0EDAFBA22A14EE9DC4
+webstatic.cacert.org. IN SSHFP 3 2 68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7
+webstatic.intra.cacert.org. IN A 172.16.2.116
+=========================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.4
+
+* Debian GNU/Linux 9.4
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console and gitolite access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp | http | ANY | application |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: Exim
+ single: cron
+ single: nginx
+ single: nrpe
+ single: openssh
+ single: rsyslog
+
++--------------------+----------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+======================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
+| | and git access | |
++--------------------+----------------------+----------------------------------------+
+| Apache httpd | Webserver for static | init script |
+| | content | :file:`/etc/init.d/apache2` |
++--------------------+----------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+----------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+----------------------+----------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission | |
++--------------------+----------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+----------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`jenkins` for publishing infrastructure documentation to
+ infradocs.cacert.org
+* :doc:`monitor`
+* :doc:`web` as reverse proxy for hostnames funding.cacert.org and
+ infradocs.cacert.org
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:MrsQxc9IUy0HcGbgEiMAWN3zzOcxxWHyKOMQ63pUbj8 MD5:da:e7:16:f9:98:b0:77:4f:38:a6:49:35:a5:5a:2a:c2
+ :DSA: SHA256:oXO7hewZ9j7LJzvKEw72NQH+G4n9VbYplxleaBbKtUc MD5:12:a5:87:27:6b:2f:e3:cd:d6:e5:fb:f2:43:2f:7c:be
+ :ECDSA: SHA256:aIeSZODtXQkUeXvyKSQ2+zLMokaD3PXZJ6U1icG/ttc MD5:5e:94:ad:e8:84:3b:e2:b0:0b:7f:44:ec:a9:99:95:b2
+ :ED25519: SHA256:NC34l1qSufrBdjxjJk75oOnmhrQW1VkLILsOhJle77A MD5:da:58:d0:89:23:6f:ca:f7:b2:5f:a3:51:2f:6b:95:0d
+
+Dedicated user roles
+--------------------
+
++-------------------+---------------------------------------------------+
+| Group | Purpose |
++===================+===================================================+
+| git | User for :program:`gitolite` |
++-------------------+---------------------------------------------------+
+| jenkins-infradocs | Used by :doc:`jenkins` to upload documentation to |
+| | :file:`/var/www/infradocs.cacert.org/html/` |
++-------------------+---------------------------------------------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+The used :program:`gitolite` version is from Debian Jessie and should either
+be replaced by :program:`gitolite3` from Debian Stretch or a combination of
+git repositories on :doc:`git` and web hooks for triggering updates.
+
+.. todo:: replace :program:`gitolite` with a maintained service
+
+Risk assessments on critical packages
+-------------------------------------
+
+Apache httpd is configured with a minimum of enabled modules to allow serving
+static content and nothing else to reduce potential security risks.
+
+Access to :program:`gitolite` and the jenkins-infradocs user is gated by a
+defined set of ssh keys.
+
+.. todo:: check access on gitolite repositories
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+The host does not provide TLS services and therefore has no certificates.
+
+.. todo::
+ move the TLS configuration for the served VirtualHosts to :doc:`webstatic`
+
+Apache httpd configuration
+--------------------------
+
+The main configuration files for Apache httpd are:
+
+* :file:`/etc/apache2/sites-available/000-default.conf`
+
+ Defines the default VirtualHost for requests reaching this host with no
+ specifically handled host name.
+
+* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`
+
+ Defines the VirtualHost for https://funding.cacert.org/
+
+* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`
+
+ Defines the VirtualHost for https://infradocs.cacert.org/
+
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: manage the webstatic system using Puppet
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+
+References
+----------
+
+* http://httpd.apache.org/docs/2.4/
+* http://gitolite.com/gitolite/migr/
diff --git a/tools/ssh_host_keys.py b/tools/ssh_host_keys.py
new file mode 100755
index 0000000..df0c45a
--- /dev/null
+++ b/tools/ssh_host_keys.py
@@ -0,0 +1,37 @@
+#!/usr/bin/env python
+
+from glob import glob
+import argparse
+import os.path
+import subprocess
+
+
+SUPPORTED_SSH_KEYTYPES = ('RSA', 'DSA', 'ECDSA', 'ED25519')
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=(
+ 'Convert a set of ssh host keys to the syntax expected by the '
+ 'sshkeys directive of the CAcert infrastructur documentation'))
+ parser.add_argument(
+ 'root', metavar='ROOT', type=str, help='root directory'
+ )
+ args = parser.parse_args()
+
+ keys = {}
+ for host_key in glob(os.path.join(
+ args.root, 'etc/ssh', 'ssh_host_*key.pub')
+ ):
+ fp = subprocess.check_output(
+ ['ssh-keygen', '-l', '-f', host_key]).strip().split()
+ keys[fp[3][1:-1]] = fp[1]
+
+ maxlen = max([len(key) for key in keys.keys() if key in SUPPORTED_SSH_KEYTYPES])
+
+ print ".. sshkeys::"
+ for typ, key in [
+ (typ, keys[typ]) for typ in SUPPORTED_SSH_KEYTYPES
+ if typ in keys
+ ]:
+ print " :%s:%s %s" % (typ, ' ' * (maxlen - len(typ)), key)
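Review bot: The key type is read from a fixed column at `keys[fp[3][1:-1]] = fp[1]`, but the type is the last field of `ssh-keygen -l` output and the comment column is not guaranteed to be a single token (a key without a comment prints `no comment`), so the lookup silently produces a garbage key name that the SUPPORTED_SSH_KEYTYPES filter then drops; use `keys[fp[-1][1:-1]] = fp[1]`. The `.. sshkeys::` entries added elsewhere in this commit carry both a SHA256 and an MD5 fingerprint per key type, whereas this script emits only the single hash the installed ssh-keygen prints by default, so a second `ssh-keygen -l -E md5` pass would be needed to produce the documented form. The `max([...])` over supported key types raises an unhelpful ValueError when no supported host key is found; an explicit message would be clearer. The print statements are Python 2 syntax while the sibling tools/sslcert.py uses `print_function`, and the description string misspells "infrastructure".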
diff --git a/tools/sslcert.py b/tools/sslcert.py
new file mode 100755
index 0000000..cb1dc78
--- /dev/null
+++ b/tools/sslcert.py
@@ -0,0 +1,116 @@
+#!/usr/bin/env python
+
+from __future__ import print_function
+
+from datetime import datetime
+from hashlib import sha1
+import argparse
+import os.path
+
+from pyasn1_modules import pem
+from pyx509.pkcs7.asn1_models.X509_certificate import Certificate
+from pyx509.pkcs7_models import X509Certificate
+from pyx509.pkcs7.asn1_models.decoder_workarounds import decode
+
+
+ALTNAME_MAP = (
+ ('dNSName', 'DNS'),
+ ('rfc822Name', 'EMAIL'),
+ ('iPAddress', 'IP')
+)
+
+
+def x509_parse(derData):
+ """Decodes certificate.
+ @param derData: DER-encoded certificate string
+ @returns: pkcs7_models.X509Certificate
+ """
+ cert = decode(derData, asn1Spec=Certificate())[0]
+ x509cert = X509Certificate(cert)
+ return x509cert
+
+
+def get_altnames(cert):
+ altnames = cert.tbsCertificate.subjAltNameExt.value.values
+ retval = []
+ for typ, data in [(field[1], altnames[field[0]]) for field in ALTNAME_MAP]:
+ for item in sorted(data):
+ retval.append("{typ}:{item}".format(typ=typ, item=item))
+ return ", ".join(retval)
+
+
+def get_serial(cert):
+ serial = "%X" % cert.tbsCertificate.serial_number
+ return "0" * (len(serial) % 2) + serial
+
+
+def get_expiration(cert):
+ return datetime.strptime(
+ cert.tbsCertificate.validity.valid_to, '%Y%m%d%H%M%SZ'
+ ).strftime('%b %d %H:%M:%S %Y GMT')
+
+
+def get_sha1fp(certdata):
+ hexhash = sha1(certdata).hexdigest().upper()
+ return ":".join([hexhash[i:i+2] for i in range(0, len(hexhash), 2)])
+
+
+def get_issuer(cert):
+ return cert.tbsCertificate.issuer.get_attributes()['CN'][0]
+
+
+def get_subject(cert):
+ return cert.tbsCertificate.subject.get_attributes()['CN'][0]
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=(
+ 'Create an sslcert directive from data taken from a PEM encoded '
+ 'X.509 certificate file and its corresponding PEM encoded RSA key '
+ 'file.'))
+ parser.add_argument(
+ 'cert', metavar='CERT', type=open,
+ help='PEM encoded X.509 certficate file')
+ parser.add_argument(
+ '--key', metavar='KEY', type=open,
+ help='PEM encoded RSA private key', default=None)
+ parser.add_argument(
+ '--root', metavar='ROOT', type=str,
+ help='Relative root directory for key and cert')
+
+ args = parser.parse_args()
+
+ certpem = pem.readPemFromFile(args.cert)
+ certpath = os.path.abspath(args.cert.name)
+ if args.root:
+ certpath = '/' + os.path.relpath(certpath, args.root)
+ if args.key:
+ haskey = True
+ keypem = pem.readPemFromFile(args.key)
+ keypath = os.path.abspath(args.key.name)
+ if args.root:
+ keypath = '/' + os.path.relpath(keypath, args.root)
+ else:
+ keypath = 'TODO: define key path'
+
+ cert = x509_parse(certpem)
+ data = {
+ 'altnames': get_altnames(cert),
+ 'certfile': certpath,
+ 'keyfile': keypath,
+ 'serial': get_serial(cert),
+ 'expiration': get_expiration(cert),
+ 'sha1fp': get_sha1fp(certpem),
+ 'issuer': get_issuer(cert),
+ 'subject': get_subject(cert),
+ }
+ print(""".. sslcert:: {subject}
+ :altnames: {altnames}
+ :certfile: {certfile}
+ :keyfile: {keyfile}
+ :serial: {serial}
+ :expiration: {expiration}
+ :sha1fp: {sha1fp}
+ :issuer: {issuer}
+""".format(**data))
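Review bot: The `--key` file is opened and fully read at `keypem = pem.readPemFromFile(args.key)`, but `keypem` and `haskey` are never used; only the key's path ends up in the directive, so the tool reads private key material it has no need for and requires read access to the key just to run. Declaring the argument as a path instead (`'--key', metavar='KEY', type=str,` and `keypath = os.path.abspath(args.key)`) and dropping the two unused assignments keeps the output identical without touching the secret. Both `type=open` handles are also never closed; with path arguments the certificate can be read under `with open(...)`. `get_altnames` assumes a subjectAltName extension is present and `get_issuer`/`get_subject` assume a CN attribute, so a certificate lacking either fails with an uncaught AttributeError/KeyError rather than a readable message.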
diff --git a/tools/tool-requirements.txt b/tools/tool-requirements.txt
new file mode 100644
index 0000000..e00844f
--- /dev/null
+++ b/tools/tool-requirements.txt
@@ -0,0 +1,3 @@
+pyasn1==0.1.9
+pyasn1-modules==0.0.8
+git+https://github.com/hiviah/pyx509@a35702c3d514c96d75a1c3498307a16991cdd0d3#egg=pyx509