-rw-r--r--doc-requirements.txt58
-rw-r--r--docs/Pipfile4
-rw-r--r--docs/Pipfile.lock261
-rw-r--r--docs/conf.py6
-rw-r--r--docs/external/extmon.rst22
-rw-r--r--docs/network.rst49
-rw-r--r--docs/systems/blog.rst170
-rw-r--r--docs/systems/community.rst4
-rw-r--r--docs/systems/git.rst23
-rw-r--r--docs/systems/infra02.rst2
-rw-r--r--docs/systems/monitor.rst174
-rw-r--r--docs/systems/puppet.rst135
-rw-r--r--docs/systems/template.rst29
-rw-r--r--docs/systems/web.rst127
-rw-r--r--docs/systems/wiki.rst144
15 files changed, 703 insertions, 505 deletions
diff --git a/doc-requirements.txt b/doc-requirements.txt
index 1874ac8..acb03f4 100644
--- a/doc-requirements.txt
+++ b/doc-requirements.txt
@@ -1,34 +1,46 @@
alabaster==0.7.12
attrs==19.1.0
-Babel==2.7.0
-certifi==2019.6.16
+Babel==2.8.0
+blockdiag==2.0.1
+certifi==2020.4.5.1
chardet==3.0.4
-dateutils==0.6.6
-docutils==0.15.2
+dateutils==0.6.8
+docutils==0.16
+funcparserlib==0.3.6
+gitdb==4.0.5
gitdb2==2.0.5
-GitPython==2.1.13
-idna==2.8
-imagesize==1.1.0
+GitPython==3.1.2
+idna==2.9
+imagesize==1.2.0
ipcalc==1.99.0
jandd.sphinxext.ip==0.3.0
jandd.sphinxext.mac==0.1.0
-Jinja2==2.10.1
+Jinja2==2.11.2
MarkupSafe==1.1.1
-packaging==19.1
-Pygments==2.4.2
-pyparsing==2.4.2
-python-dateutil==2.8.0
-pytz==2019.1
-requests==2.22.0
-six==1.12.0
+nwdiag==2.0.0
+packaging==20.4
+Pillow==7.1.2
+pkg-resources==0.0.0
+Pygments==2.6.1
+pyparsing==2.4.7
+python-dateutil==2.8.1
+pytz==2020.1
+requests==2.23.0
+seqdiag==2.0.0
+six==1.15.0
+smmap==3.0.4
smmap2==2.0.5
-snowballstemmer==1.9.0
-Sphinx==2.1.2
-sphinxcontrib-applehelp==1.0.1
-sphinxcontrib-devhelp==1.0.1
-sphinxcontrib-htmlhelp==1.0.2
+snowballstemmer==2.0.0
+Sphinx==3.0.4
+sphinxcontrib-applehelp==1.0.2
+sphinxcontrib-blockdiag==2.0.0
+sphinxcontrib-devhelp==1.0.2
+sphinxcontrib-htmlhelp==1.0.3
sphinxcontrib-jsmath==1.0.1
-sphinxcontrib-qthelp==1.0.2
-sphinxcontrib-serializinghtml==1.1.3
-urllib3==1.25.3
+sphinxcontrib-nwdiag==2.0.0
+sphinxcontrib-qthelp==1.0.3
+sphinxcontrib-seqdiag==2.0.0
+sphinxcontrib-serializinghtml==1.1.4
+urllib3==1.25.9
validate-email==1.3
+webcolors==1.11.1
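Review bot: `pkg-resources==0.0.0` on the new side is the artefact that `pip freeze` emits on Debian/Ubuntu hosts where the distribution's pkg_resources package is installed; no such release exists on PyPI, so `pip install -r doc-requirements.txt` will fail to resolve it — drop that line. The file has also drifted from docs/Pipfile.lock in the same commit: the old `gitdb2==2.0.5` and `smmap2==2.0.5` survive next to the new `gitdb==4.0.5` and `smmap==3.0.4`, while `seqdiag==2.0.0` and `sphinxcontrib-seqdiag==2.0.0` are pinned here but appear in neither docs/Pipfile nor the lock and are not enabled in docs/conf.py. Regenerating this file from the lock (or keeping only one of the two manifests) would stop the two pin sets from diverging; note also that, unlike the lock, this file carries no `--hash` entries, so the pins here are version-only.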
diff --git a/docs/Pipfile b/docs/Pipfile
index 033398a..74bf317 100644
--- a/docs/Pipfile
+++ b/docs/Pipfile
@@ -5,11 +5,13 @@ name = "pypi"
[packages]
sphinx = "*"
-gitpython = "*"
+GitPython = "*"
"jandd.sphinxext.ip" = "*"
"jandd.sphinxext.mac" = "*"
dateutils = "*"
validate-email = "*"
+sphinxcontrib-blockdiag = "*"
+sphinxcontrib-nwdiag = "*"
[dev-packages]
diff --git a/docs/Pipfile.lock b/docs/Pipfile.lock
index 71839c7..5bd68e1 100644
--- a/docs/Pipfile.lock
+++ b/docs/Pipfile.lock
@@ -1,7 +1,7 @@
{
"_meta": {
"hash": {
- "sha256": "3f84f87945441353b07733193713bf3883f2fea908413e6e1617c5d5f54a0aa2"
+ "sha256": "684069be3643f81d1a97cb64cc9ddc4af9926b54eb3694c65022e366f87ece26"
},
"pipfile-spec": 6,
"requires": {
@@ -30,26 +30,28 @@
],
"version": "==1.4.0"
},
- "attrs": {
+ "babel": {
"hashes": [
- "sha256:69c0dbf2ed392de1cb5ec704444b08a5ef81680a61cb899dc08127123af36a79",
- "sha256:f0b870f674851ecbfbbbd364d6b5cbdff9dcedbc7f3f5e18a6891057f21fe399"
+ "sha256:1aac2ae2d0d8ea368fa90906567f5c08463d98ade155c0c4bfedd6a0f7160e38",
+ "sha256:d670ea0b10f8b723672d3a6abeb87b565b244da220d76b4dba1b66269ec152d4"
],
- "version": "==19.1.0"
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+ "version": "==2.8.0"
},
- "babel": {
+ "blockdiag": {
"hashes": [
- "sha256:af92e6106cb7c55286b25b38ad7695f8b4efb36a90ba483d7f7a6628c46158ab",
- "sha256:e86135ae101e31e2c8ec20a4e0c5220f4eed12487d5cf3f78be7e98d3a57fc28"
+ "sha256:16a69dd9f3b44c9e0869999ce82aa968586698febc86ece9ca0c902dba772397",
+ "sha256:fa0b47cf25bfc4d546b7fc284c70c3bac875a066e744b4a6b1d9ba457e4ed077"
],
- "version": "==2.7.0"
+ "markers": "python_version >= '3.5'",
+ "version": "==2.0.1"
},
"certifi": {
"hashes": [
- "sha256:046832c04d4e752f37383b628bc601a7ea7211496b4638f6514d0e5b9acc4939",
- "sha256:945e3ba63a0b9f577b1395204e13c3a231f9bc0223888be653286534e5873695"
+ "sha256:1d987a998c75633c40847cc966fcf5904906c920a7f17ef374f5aa4282abd304",
+ "sha256:51fcb31174be6e6664c5f69e3e1691a2d72a1a12e90f872cbdb1567eb47b6519"
],
- "version": "==2019.6.16"
+ "version": "==2020.4.5.1"
},
"chardet": {
"hashes": [
@@ -60,47 +62,56 @@
},
"dateutils": {
"hashes": [
- "sha256:c94a8e77d743abac79ed91f99f5ef594a972a527e05145cbb7aba59beced8a71"
+ "sha256:15e564d9cd34e4260cf96625a3249c938c3aada2e5eaddf8218dd3fbc8dbdba4"
],
"index": "pypi",
- "version": "==0.6.6"
+ "version": "==0.6.8"
},
"docutils": {
"hashes": [
- "sha256:6c4f696463b79f1fb8ba0c594b63840ebd41f059e92b31957c46b74a4599b6d0",
- "sha256:9e4d7ecfc600058e07ba661411a2b7de2fd0fafa17d1a7f7361cd47b1175c827",
- "sha256:a2aeea129088da402665e92e0b25b04b073c04b2dce4ab65caaa38b7ce2e1a99"
+ "sha256:0c5b78adfbf7762415433f5515cd5c9e762339e23369dbe8000d84a4bf4ab3af",
+ "sha256:c2de3a60e9e7d07be26b7f2b00ca0309c207e06c100f9cc2a94931fc75a478fc"
+ ],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
+ "version": "==0.16"
+ },
+ "funcparserlib": {
+ "hashes": [
+ "sha256:b7992eac1a3eb97b3d91faa342bfda0729e990bd8a43774c1592c091e563c91d"
],
- "version": "==0.15.2"
+ "version": "==0.3.6"
},
- "gitdb2": {
+ "gitdb": {
"hashes": [
- "sha256:83361131a1836661a155172932a13c08bda2db3674e4caa32368aa6eb02f38c2",
- "sha256:e3a0141c5f2a3f635c7209d56c496ebe1ad35da82fe4d3ec4aaa36278d70648a"
+ "sha256:91f36bfb1ab7949b3b40e23736db18231bf7593edada2ba5c3a174a7b23657ac",
+ "sha256:c9e1f2d0db7ddb9a704c2a0217be31214e91a4fe1dea1efad19ae42ba0c285c9"
],
- "version": "==2.0.5"
+ "markers": "python_version >= '3.4'",
+ "version": "==4.0.5"
},
"gitpython": {
"hashes": [
- "sha256:c15c55ff890cd3a6a8330059e80885410a328f645551b55a91d858bfb3eb2573",
- "sha256:df752b6b6f06f11213e91c4925aea7eaf9e37e88fb71c8a7a1aa0a5c10852120"
+ "sha256:864a47472548f3ba716ca202e034c1900f197c0fb3a08f641c20c3cafd15ed94",
+ "sha256:da3b2cf819974789da34f95ac218ef99f515a928685db141327c09b73dd69c09"
],
"index": "pypi",
- "version": "==2.1.13"
+ "version": "==3.1.2"
},
"idna": {
"hashes": [
- "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407",
- "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c"
+ "sha256:7588d1c14ae4c77d74036e8c22ff447b26d0fde8f007354fd48a7814db15b7cb",
+ "sha256:a068a21ceac8a4d63dbfd964670474107f541babbd2250d61922f029858365fa"
],
- "version": "==2.8"
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+ "version": "==2.9"
},
"imagesize": {
"hashes": [
- "sha256:3f349de3eb99145973fefb7dbe38554414e5c30abd0c8e4b970a7c9d09f3a1d8",
- "sha256:f3832918bc3c66617f92e35f5d70729187676313caa60c187eb0f28b8fe5e3b5"
+ "sha256:6965f19a6a2039c7d48bca7dba2473069ff854c36ae6f19d2cde309d998228a1",
+ "sha256:b1f6b5a4eab1f73479a50fb79fcf729514a900c341d8503d62a62dbc4127a2b1"
],
- "version": "==1.1.0"
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+ "version": "==1.2.0"
},
"ipcalc": {
"hashes": [
@@ -126,10 +137,11 @@
},
"jinja2": {
"hashes": [
- "sha256:065c4f02ebe7f7cf559e49ee5a95fb800a9e4528727aec6f24402a5374c65013",
- "sha256:14dd6caf1527abb21f08f86c784eac40853ba93edb79552aa1e4b8aef1b61c7b"
+ "sha256:89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c651b3bb0",
+ "sha256:f0a4641d3cf955324a89c04f3d94663aa4d638abe8f733ecd3582848e1c37035"
],
- "version": "==2.10.1"
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
+ "version": "==2.11.2"
},
"markupsafe": {
"hashes": [
@@ -137,13 +149,16 @@
"sha256:09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161",
"sha256:09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235",
"sha256:1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5",
+ "sha256:13d3144e1e340870b25e7b10b98d779608c02016d5184cfb9927a9f10c689f42",
"sha256:24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff",
"sha256:29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b",
"sha256:43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1",
"sha256:46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e",
"sha256:500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183",
"sha256:535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66",
+ "sha256:596510de112c685489095da617b5bcbbac7dd6384aeebeda4df6025d0256a81b",
"sha256:62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1",
+ "sha256:6788b695d50a51edb699cb55e35487e430fa21f1ed838122d722e0ff0ac5ba15",
"sha256:6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1",
"sha256:717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e",
"sha256:79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b",
@@ -160,128 +175,198 @@
"sha256:ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6",
"sha256:c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f",
"sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f",
- "sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7"
+ "sha256:cdb132fc825c38e1aeec2c8aa9338310d29d337bebbd7baa06889d09a60a1fa2",
+ "sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7",
+ "sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be"
],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.1.1"
},
- "packaging": {
+ "nwdiag": {
"hashes": [
- "sha256:a7ac867b97fdc07ee80a8058fe4435ccd274ecc3b0ed61d852d7d53055528cf9",
- "sha256:c491ca87294da7cc01902edbe30a5bc6c4c28172b5138ab4e4aa1b9d7bfaeafe"
+ "sha256:5cd7fafd6085cd762ca9171234d07d2a33c6e81f5c66a1b233992e76300d74e2",
+ "sha256:76b9a734d93e6c72efd357efd973094a84648b2b727a06e982e229ec9384336e"
],
- "version": "==19.1"
+ "version": "==2.0.0"
+ },
+ "packaging": {
+ "hashes": [
+ "sha256:4357f74f47b9c12db93624a82154e9b120fa8293699949152b22065d556079f8",
+ "sha256:998416ba6962ae7fbd6596850b80e17859a5753ba17c32284f67bfff33784181"
+ ],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+ "version": "==20.4"
+ },
+ "pillow": {
+ "hashes": [
+ "sha256:04766c4930c174b46fd72d450674612ab44cca977ebbcc2dde722c6933290107",
+ "sha256:4b02b9c27fad2054932e89f39703646d0c543f21d3cc5b8e05434215121c28cd",
+ "sha256:f455efb7a98557412dc6f8e463c1faf1f1911ec2432059fa3e582b6000fc90e2",
+ "sha256:9744350687459234867cbebfe9df8f35ef9e1538f3e729adbd8fde0761adb705",
+ "sha256:1f694e28c169655c50bb89a3fa07f3b854d71eb47f50783621de813979ba87f3",
+ "sha256:b532bcc2f008e96fd9241177ec580829dee817b090532f43e54074ecffdcd97f",
+ "sha256:d23e2aa9b969cf9c26edfb4b56307792b8b374202810bd949effd1c6e11ebd6d",
+ "sha256:ccc9ad2460eb5bee5642eaf75a0438d7f8887d484490d5117b98edd7f33118b7",
+ "sha256:12e4bad6bddd8546a2f9771485c7e3d2b546b458ae8ff79621214119ac244523",
+ "sha256:f46e0e024346e1474083c729d50de909974237c72daca05393ee32389dabe457",
+ "sha256:f784aad988f12c80aacfa5b381ec21fd3f38f851720f652b9f33facc5101cf4d",
+ "sha256:ae2b270f9a0b8822b98655cb3a59cdb1bd54a34807c6c56b76dd2e786c3b7db3",
+ "sha256:b943e71c2065ade6fef223358e56c167fc6ce31c50bc7a02dd5c17ee4338e8ac",
+ "sha256:3d25dd8d688f7318dca6d8cd4f962a360ee40346c15893ae3b95c061cdbc4079",
+ "sha256:b67a6c47ed963c709ed24566daa3f95a18f07d3831334da570c71da53d97d088",
+ "sha256:ee94fce8d003ac9fd206496f2707efe9eadcb278d94c271f129ab36aa7181344",
+ "sha256:eaa83729eab9c60884f362ada982d3a06beaa6cc8b084cf9f76cae7739481dfa",
+ "sha256:f54be399340aa602066adb63a86a6a5d4f395adfdd9da2b9a0162ea808c7b276",
+ "sha256:b37bb3bd35edf53125b0ff257822afa6962649995cbdfde2791ddb62b239f891",
+ "sha256:a0b49960110bc6ff5fead46013bcb8825d101026d466f3a4de3476defe0fb0dd",
+ "sha256:70e3e0d99a0dcda66283a185f80697a9b08806963c6149c8e6c5f452b2aa59c0",
+ "sha256:0f01e63c34f0e1e2580cc0b24e86a5ccbbfa8830909a52ee17624c4193224cd9",
+ "sha256:0e2a3bceb0fd4e0cb17192ae506d5f082b309ffe5fc370a5667959c9b2f85fa3"
+ ],
+ "markers": "python_version >= '3.5'",
+ "version": "==7.1.2"
},
"pygments": {
"hashes": [
- "sha256:71e430bc85c88a430f000ac1d9b331d2407f681d6f6aec95e8bcfbc3df5b0127",
- "sha256:881c4c157e45f30af185c1ffe8d549d48ac9127433f2c380c24b84572ad66297"
+ "sha256:647344a061c249a3b74e230c739f434d7ea4d8b1d5f3721bc0f3558049b38f44",
+ "sha256:ff7a40b4860b727ab48fad6360eb351cc1b33cbf9b15a0f689ca5353e9463324"
],
- "version": "==2.4.2"
+ "markers": "python_version >= '3.5'",
+ "version": "==2.6.1"
},
"pyparsing": {
"hashes": [
- "sha256:6f98a7b9397e206d78cc01df10131398f1c8b8510a2f4d97d9abd82e1aacdd80",
- "sha256:d9338df12903bbf5d65a0e4e87c2161968b10d2e489652bb47001d82a9b028b4"
+ "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
+ "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
],
- "version": "==2.4.2"
+ "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+ "version": "==2.4.7"
},
"python-dateutil": {
"hashes": [
- "sha256:7e6584c74aeed623791615e26efd690f29817a27c73085b78e4bad02493df2fb",
- "sha256:c89805f6f4d64db21ed966fda138f8a5ed7a4fdbc1a8ee329ce1b74e3c74da9e"
+ "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
+ "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
],
- "version": "==2.8.0"
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+ "version": "==2.8.1"
},
"pytz": {
"hashes": [
- "sha256:303879e36b721603cc54604edcac9d20401bdbe31e1e4fdee5b9f98d5d31dfda",
- "sha256:d747dd3d23d77ef44c6a3526e274af6efeb0a6f1afd5a69ba4d5be4098c8e141"
+ "sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed",
+ "sha256:c35965d010ce31b23eeb663ed3cc8c906275d6be1a34393a1d73a41febf4a048"
],
- "version": "==2019.1"
+ "version": "==2020.1"
},
"requests": {
"hashes": [
- "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4",
- "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31"
+ "sha256:43999036bfa82904b6af1d99e4882b560e5e2c68e5c4b0aa03b655f3d7d73fee",
+ "sha256:b3f43d496c6daba4493e7c431722aeb7dbc6288f52a6e04e7b6023b0247817e6"
],
- "version": "==2.22.0"
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
+ "version": "==2.23.0"
},
"six": {
"hashes": [
- "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c",
- "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"
+ "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
+ "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
],
- "version": "==1.12.0"
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+ "version": "==1.15.0"
},
- "smmap2": {
+ "smmap": {
"hashes": [
- "sha256:0555a7bf4df71d1ef4218e4807bbf9b201f910174e6e08af2e138d4e517b4dde",
- "sha256:29a9ffa0497e7f2be94ca0ed1ca1aa3cd4cf25a1f6b4f5f87f74b46ed91d609a"
+ "sha256:54c44c197c819d5ef1991799a7e30b662d1e520f2ac75c9efbeb54a742214cf4",
+ "sha256:9c98bbd1f9786d22f14b3d4126894d56befb835ec90cef151af566c7e19b5d24"
],
- "version": "==2.0.5"
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+ "version": "==3.0.4"
},
"snowballstemmer": {
"hashes": [
- "sha256:9f3b9ffe0809d174f7047e121431acf99c89a7040f0ca84f94ba53a498e6d0c9"
+ "sha256:209f257d7533fdb3cb73bdbd24f436239ca3b2fa67d56f6ff88e86be08cc5ef0",
+ "sha256:df3bac3df4c2c01363f3dd2cfa78cce2840a79b9f1c2d2de9ce8d31683992f52"
],
- "version": "==1.9.0"
+ "version": "==2.0.0"
},
"sphinx": {
"hashes": [
- "sha256:22538e1bbe62b407cf5a8aabe1bb15848aa66bb79559f42f5202bbce6b757a69",
- "sha256:f9a79e746b87921cabc3baa375199c6076d1270cee53915dbd24fdbeaaacc427"
+ "sha256:779a519adbd3a70fc7c468af08c5e74829868b0a5b34587b33340e010291856c",
+ "sha256:ea64df287958ee5aac46be7ac2b7277305b0381d213728c3a49d8bb9b8415807"
],
"index": "pypi",
- "version": "==2.1.2"
+ "version": "==3.0.4"
},
"sphinxcontrib-applehelp": {
"hashes": [
- "sha256:edaa0ab2b2bc74403149cb0209d6775c96de797dfd5b5e2a71981309efab3897",
- "sha256:fb8dee85af95e5c30c91f10e7eb3c8967308518e0f7488a2828ef7bc191d0d5d"
+ "sha256:806111e5e962be97c29ec4c1e7fe277bfd19e9652fb1a4392105b43e01af885a",
+ "sha256:a072735ec80e7675e3f432fcae8610ecf509c5f1869d17e2eecff44389cdbc58"
],
- "version": "==1.0.1"
+ "markers": "python_version >= '3.5'",
+ "version": "==1.0.2"
+ },
+ "sphinxcontrib-blockdiag": {
+ "hashes": [
+ "sha256:51ce7cff8d25dfd4c8a753d5aa5491e6dbf280004719c49e8001e583ecda7d91",
+ "sha256:91fd35b64f1f25db59d80b8a5196ed4ffadf57a81f63ee207e34d53ec36d8f97"
+ ],
+ "index": "pypi",
+ "version": "==2.0.0"
},
"sphinxcontrib-devhelp": {
"hashes": [
- "sha256:6c64b077937330a9128a4da74586e8c2130262f014689b4b89e2d08ee7294a34",
- "sha256:9512ecb00a2b0821a146736b39f7aeb90759834b07e81e8cc23a9c70bacb9981"
+ "sha256:8165223f9a335cc1af7ffe1ed31d2871f325254c0423bc0c4c7cd1c1e4734a2e",
+ "sha256:ff7f1afa7b9642e7060379360a67e9c41e8f3121f2ce9164266f61b9f4b338e4"
],
- "version": "==1.0.1"
+ "markers": "python_version >= '3.5'",
+ "version": "==1.0.2"
},
"sphinxcontrib-htmlhelp": {
"hashes": [
- "sha256:4670f99f8951bd78cd4ad2ab962f798f5618b17675c35c5ac3b2132a14ea8422",
- "sha256:d4fd39a65a625c9df86d7fa8a2d9f3cd8299a3a4b15db63b50aac9e161d8eff7"
+ "sha256:3c0bc24a2c41e340ac37c85ced6dafc879ab485c095b1d65d2461ac2f7cca86f",
+ "sha256:e8f5bb7e31b2dbb25b9cc435c8ab7a79787ebf7f906155729338f3156d93659b"
],
- "version": "==1.0.2"
+ "markers": "python_version >= '3.5'",
+ "version": "==1.0.3"
},
"sphinxcontrib-jsmath": {
"hashes": [
"sha256:2ec2eaebfb78f3f2078e73666b1415417a116cc848b72e5172e596c871103178",
"sha256:a9925e4a4587247ed2191a22df5f6970656cb8ca2bd6284309578f2153e0c4b8"
],
+ "markers": "python_version >= '3.5'",
"version": "==1.0.1"
},
+ "sphinxcontrib-nwdiag": {
+ "hashes": [
+ "sha256:5aae8c83b19e940409554b69249cf97e4f565331effd208cca9fddbc90b6ea36",
+ "sha256:6ee95ad43bad46fe8dc1f65185c8997cb1d16665eee36a7eaaf6de13137ff859"
+ ],
+ "index": "pypi",
+ "version": "==2.0.0"
+ },
"sphinxcontrib-qthelp": {
"hashes": [
- "sha256:513049b93031beb1f57d4daea74068a4feb77aa5630f856fcff2e50de14e9a20",
- "sha256:79465ce11ae5694ff165becda529a600c754f4bc459778778c7017374d4d406f"
+ "sha256:4c33767ee058b70dba89a6fc5c1892c0d57a54be67ddd3e7875a18d14cba5a72",
+ "sha256:bd9fc24bcb748a8d51fd4ecaade681350aa63009a347a8c14e637895444dfab6"
],
- "version": "==1.0.2"
+ "markers": "python_version >= '3.5'",
+ "version": "==1.0.3"
},
"sphinxcontrib-serializinghtml": {
"hashes": [
- "sha256:c0efb33f8052c04fd7a26c0a07f1678e8512e0faec19f4aa8f2473a8b81d5227",
- "sha256:db6615af393650bf1151a6cd39120c29abaf93cc60db8c48eb2dddbfdc3a9768"
+ "sha256:eaa0eccc86e982a9b939b2b82d12cc5d013385ba5eadcc7e4fed23f4405f77bc",
+ "sha256:f242a81d423f59617a8e5cf16f5d4d74e28ee9a66f9e5b637a18082991db5a9a"
],
- "version": "==1.1.3"
+ "markers": "python_version >= '3.5'",
+ "version": "==1.1.4"
},
"urllib3": {
"hashes": [
- "sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1",
- "sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232"
+ "sha256:3018294ebefce6572a474f0604c2021e33b3fd8006ecd11d62107a5d2a963527",
+ "sha256:88206b0eb87e6d677d424843ac5209e3fb9d0190d0ee169599165ec25e9d9115"
],
- "version": "==1.25.3"
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'",
+ "version": "==1.25.9"
},
"validate-email": {
"hashes": [
@@ -289,6 +374,14 @@
],
"index": "pypi",
"version": "==1.3"
+ },
+ "webcolors": {
+ "hashes": [
+ "sha256:76f360636957d1c976db7466bc71dcb713bb95ac8911944dffc55c01cb516de6",
+ "sha256:b8cd5d865a25c51ff1218f0c90d0c0781fc64312a49b746b320cf50de1648f6e"
+ ],
+ "markers": "python_version >= '3.5'",
+ "version": "==1.11.1"
}
},
"develop": {}
diff --git a/docs/conf.py b/docs/conf.py
index a9b4ace..93b35d3 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -38,6 +38,8 @@ extensions = [
"sphinx.ext.extlinks",
"jandd.sphinxext.ip",
"jandd.sphinxext.mac",
+ "sphinxcontrib.blockdiag",
+ "sphinxcontrib.nwdiag",
"sphinxext.cacert",
]
@@ -57,7 +59,7 @@ master_doc = "index"
# General information about the project.
project = u"CAcert infrastructure"
-copyright = u"2016, 2017, 2018 Jan Dittberner, CAcert"
+copyright = u"2016-2020 Jan Dittberner, CAcert"
author = u"CAcert infrastructure team"
# The version info for the project you're documenting, acts as replacement for
@@ -384,6 +386,8 @@ epub_exclude_files = ["search.html"]
# If false, no index is generated.
# epub_use_index = True
+nwdiag_html_image_format = "svg"
+
extlinks = {
"wiki": ("https://wiki.cacert.org/%s", "Wiki "),
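Review bot: `nwdiag_html_image_format = "svg"` is set for nwdiag only, while the extensions hunk earlier in this file also enables `sphinxcontrib.blockdiag`, which I believe defaults to PNG output; any blockdiag diagram added later will therefore render differently from the nwdiag ones. Setting `blockdiag_html_image_format = "svg"` beside it keeps the two consistent, or drop the blockdiag extension if only nwdiag is used (none of the .rst hunks in this commit contains a blockdiag directive). A short comment such as `# render network diagrams as SVG in the HTML build` would also record why the default was overridden. The extlinks dict that starts on the last line of the hunk continues outside it.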
diff --git a/docs/external/extmon.rst b/docs/external/extmon.rst
index 1b9cb4e..6a52ca9 100644
--- a/docs/external/extmon.rst
+++ b/docs/external/extmon.rst
@@ -29,11 +29,11 @@ System Administration
Application Administration
--------------------------
-+---------------+---------------------+
-| Application | Administrator(s) |
-+===============+=====================+
-| icinga2 agent | :ref:`people_jandd` |
-+---------------+---------------------+
++----------------+---------------------+
+| Application | Administrator(s) |
++================+=====================+
+| Icinga 2 agent | :ref:`people_jandd` |
++----------------+---------------------+
Contact
-------
@@ -90,9 +90,9 @@ Operating System
.. index::
single: Debian GNU/Linux; Buster
- single: Debian GNU/Linux; 10.0
+ single: Debian GNU/Linux; 10.3
-* Debian GNU/Linux 10.0
+* Debian GNU/Linux 10.3
Services
========
@@ -180,7 +180,9 @@ Dedicated user roles
Non-distribution packages and modifications
-------------------------------------------
-* None
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
Risk assessments on critical packages
-------------------------------------
@@ -188,10 +190,6 @@ Risk assessments on critical packages
The system provides no public services besides an Icinga2 agent that executes
commands sent from :doc:`../systems/monitor`.
-The Puppet agent package and a few dependencies are installed from the
-official Puppet APT repository because the versions in Debian are too old to
-use modern Puppet features.
-
Critical Configuration items
============================
diff --git a/docs/network.rst b/docs/network.rst
index 99e9c57..9003cdd 100644
--- a/docs/network.rst
+++ b/docs/network.rst
@@ -8,6 +8,54 @@ Network
:wiki:`SystemAdministration/IPList`
+.. nwdiag::
+ :caption: IPv4 network
+
+ nwdiag {
+ network internet {
+ extmon [address="116.203.192.12"]
+ router [address="213.154.225.224/27"]
+ }
+ network intranet {
+ address = "172.16.2.0/24"
+
+ router [address="172.17.2.3"]
+ infra02 [address="172.16.2.10"]
+ }
+ network br0 {
+ address = "10.0.0.0/24"
+
+ infra02 [address="10.0.0.1"]
+ container1;
+ container2;
+ containerX;
+ }
+ }
+
+.. nwdiag::
+ :caption: IPv6 network
+
+ nwdiag {
+ network internet {
+ extmon [address="2a01:4f8:c2c:a5b9::1"]
+ router;
+ }
+ network intranet {
+ address = "2001:7b8:616:162:1::/80"
+
+ router;
+ infra02 [address="...:1::10"]
+ }
+ network br0 {
+ address = "2001:7b8:616:162:2::/80"
+
+ infra02 [address="...:2::1"]
+ container1;
+ container2;
+ containerX;
+ }
+ }
+
Internet
--------
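Review bot: In the IPv4 diagram the intranet network is declared as `address = "172.16.2.0/24"` but the router inside it carries `router [address="172.17.2.3"]`, which lies outside that prefix; the blog.rst hunk in the same commit names the resolving nameservers as 172.16.2.2 and 172.16.2.3, so `router [address="172.16.2.3"]` is probably what was intended — please confirm against the IP list the section links to. The IPv6 diagram abbreviates host addresses as `...:1::10` and `...:2::1`; writing them in full (for example `infra02 [address="2001:7b8:616:162:1::10"]`) would let readers search the documentation for an address the same way they can for the IPv4 diagram.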
@@ -25,6 +73,7 @@ taken from the :ip:v6range:`2001:7b8:616:162:1::/80` and
External monitoring is provided from the ranges :ip:v4range:`116.203.192.12/32`
and :ip:v6range:`2a01:4f8:c2c:a5b9::1/128`.
+
Intranet
--------
diff --git a/docs/systems/blog.rst b/docs/systems/blog.rst
index 5caf97b..7e117fa 100644
--- a/docs/systems/blog.rst
+++ b/docs/systems/blog.rst
@@ -26,8 +26,8 @@ Administration
System Administration
---------------------
-* Primary: :ref:`people_dirk`
-* Secondary: None
+* Primary: :ref:`people_dirk`
+* Secondary: :ref:`people_jandd`
.. todo:: find an additional admin
@@ -61,8 +61,8 @@ Contact
Additional People
-----------------
-:ref:`Jan Dittberner <people_jandd>` and :ref:`Mario Lipinski <people_mario>`
-have :program:`sudo` access on that machine too.
+:ref:`Mario Lipinski <people_mario>` has :program:`sudo` access on that machine
+too.
Basics
======
@@ -79,6 +79,7 @@ Logical Location
:IP Internet: :ip:v4:`213.154.225.234`
:IP Intranet: :ip:v4:`172.16.2.13`
:IP Internal: :ip:v4:`10.0.0.13`
+:IPv6: :ip:v6:`2001:7b8:616:162:2::13`
:MAC address: :mac:`00:ff:fa:af:b2:9b` (eth0)
.. seealso::
@@ -99,20 +100,27 @@ DNS
.. index::
single: DNS records; Blog
-====================== ======== ====================================================================
-Name Type Content
-====================== ======== ====================================================================
-blog.cacert.org. IN A 213.154.225.234
-blog.cacert.org. IN SSHFP 1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8
-blog.cacert.org. IN SSHFP 1 2 3afb452ac3690cf7cd9a3332813bf7b13dbd288c7a4efbd9ab9dd4b4649ff2b6
-blog.cacert.org. IN SSHFP 2 1 AAFBA94EBE5C5C45CDF5EF10D0BC31BEA4D9ECEC
-blog.cacert.org. IN SSHFP 2 2 4d4384ebd1906125ae26d2fa976596af914b4b3587f2204a0e01368a3640f680
-blog.cacert.org. IN SSHFP 3 1 8fa85a31215f10ea78fd0126d1c705c9a3662c86
-blog.cacert.org. IN SSHFP 3 2 86d330b900db9bf0a8bc9ec34b126aa8261fec9e02b123ab61c2aee0b56ae047
-blog.cacert.org. IN SSHFP 4 1 90903e8f4b35457bf41235f070adf592d7f724dd
-blog.cacert.org. IN SSHFP 4 2 f24b770c16dcb91afc9461e62e6fe63a63d413efa4794751c039ed6d5213127b
-blog.intra.cacert.org. IN A 172.16.2.13
-====================== ======== ====================================================================
++------------------------+----------+----------------------------------------------------------------------+
+| Name | Type | Content |
++========================+==========+======================================================================+
+| blog.cacert.org. | IN A | 213.154.225.234 |
++------------------------+----------+----------------------------------------------------------------------+
+| blog.cacert.org. | IN AAAA | 2001:7b8:616:162:2::13 |
++------------------------+----------+----------------------------------------------------------------------+
+| blog.cacert.org. | IN SSHFP | 1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8 |
++------------------------+----------+----------------------------------------------------------------------+
+| blog.cacert.org. | IN SSHFP | 1 2 3afb452ac3690cf7cd9a3332813bf7b13dbd288c7a4efbd9ab9dd4b4649ff2b6 |
++------------------------+----------+----------------------------------------------------------------------+
+| blog.cacert.org. | IN SSHFP | 3 1 8fa85a31215f10ea78fd0126d1c705c9a3662c86 |
++------------------------+----------+----------------------------------------------------------------------+
+| blog.cacert.org. | IN SSHFP | 3 2 86d330b900db9bf0a8bc9ec34b126aa8261fec9e02b123ab61c2aee0b56ae047 |
++------------------------+----------+----------------------------------------------------------------------+
+| blog.cacert.org. | IN SSHFP | 4 1 90903e8f4b35457bf41235f070adf592d7f724dd |
++------------------------+----------+----------------------------------------------------------------------+
+| blog.cacert.org. | IN SSHFP | 4 2 f24b770c16dcb91afc9461e62e6fe63a63d413efa4794751c039ed6d5213127b |
++------------------------+----------+----------------------------------------------------------------------+
+| blog.intra.cacert.org. | IN A | 172.16.2.13 |
++------------------------+----------+----------------------------------------------------------------------+
.. seealso::
@@ -122,10 +130,10 @@ Operating System
----------------
.. index::
- single: Debian GNU/Linux; Jessie
- single: Debian GNU/Linux; 8.11
+ single: Debian GNU/Linux; Buster
+ single: Debian GNU/Linux; 10.3
-* Debian GNU/Linux 8.11
+* Debian GNU/Linux 10.3
Applicable Documentation
------------------------
@@ -138,23 +146,21 @@ Services
Listening services
------------------
-+----------+---------+---------+----------------------------+
-| Port | Service | Origin | Purpose |
-+==========+=========+=========+============================+
-| 22/tcp | ssh | ANY | admin console access |
-+----------+---------+---------+----------------------------+
-| 25/tcp | smtp | local | mail delivery to local MTA |
-+----------+---------+---------+----------------------------+
-| 80/tcp | http | ANY | application |
-+----------+---------+---------+----------------------------+
-| 443/tcp | https | ANY | application |
-+----------+---------+---------+----------------------------+
-| 5666/tcp | nrpe | monitor | remote monitoring service |
-+----------+---------+---------+----------------------------+
-| 3306/tcp | mysql | local | MySQL database for blog |
-+----------+---------+---------+----------------------------+
-| 9000/tcp | php-fpm | local | PHP FPM executor |
-+----------+---------+---------+----------------------------+
++----------+---------+----------+----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+==========+============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+----------+----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+----------+----------------------------+
+| 80/tcp | http | ANY | application |
++----------+---------+----------+----------------------------+
+| 443/tcp | https | ANY | application |
++----------+---------+----------+----------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service |
++----------+---------+----------+----------------------------+
+| 3306/tcp | mariadb | local | MariaDB database for blog |
++----------+---------+----------+----------------------------+
Running services
----------------
@@ -163,47 +169,48 @@ Running services
single: apache httpd
single: cron
single: dbus
- single: mysql
- single: nrpe
+ single: icinga2
+ single: mariadb
single: openssh
single: postfix
-
-+--------------------+--------------------+-------------------------------------------------+
-| Service | Usage | Start mechanism |
-+====================+====================+=================================================+
-| Apache httpd | Webserver for blog | systemd unit ``apache2.service`` |
-+--------------------+--------------------+-------------------------------------------------+
-| cron | job scheduler | systemd unit ``cron.service`` |
-+--------------------+--------------------+-------------------------------------------------+
-| dbus-daemon | System message bus | systemd unit ``dbus.service`` |
-| | daemon | |
-+--------------------+--------------------+-------------------------------------------------+
-| MySQL | MySQL database | systemd unit ``mysql.service`` |
-| | server for blog | |
-+--------------------+--------------------+-------------------------------------------------+
-| openssh server | ssh daemon for | systemd unit ``ssh.service`` |
-| | remote | |
-| | administration | |
-+--------------------+--------------------+-------------------------------------------------+
-| Postfix | SMTP server for | systemd unit ``postfix.service`` |
-| | local mail | |
-| | submission | |
-+--------------------+--------------------+-------------------------------------------------+
-| Nagios NRPE server | remote monitoring | systemd unit ``/etc/init.d/nagios-nrpe-server`` |
-| | service queried by | |
-| | :doc:`monitor` | |
-+--------------------+--------------------+-------------------------------------------------+
+ single: puppet agent
+ single: rsyslog
+
++----------------+--------------------------+----------------------------------+
+| Service | Usage | Start mechanism |
++================+==========================+==================================+
+| Apache httpd | Webserver for blog | systemd unit ``apache2.service`` |
++----------------+--------------------------+----------------------------------+
+| cron | job scheduler | systemd unit ``cron.service`` |
++----------------+--------------------------+----------------------------------+
+| dbus-daemon | System message bus | systemd unit ``dbus.service`` |
++----------------+--------------------------+----------------------------------+
+| icinga2 | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| MariaDB | MariaDB database | systemd unit ``mariadb.service`` |
+| | server for blog | |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for | systemd unit ``ssh.service`` |
+| | remote administration | |
++----------------+--------------------------+----------------------------------+
+| Postfix | SMTP server for | systemd unit ``postfix.service`` |
+| | local mail | |
+| | submission | |
++----------------+--------------------------+----------------------------------+
+| Puppet agent | configuration | systemd unit ``puppet.service`` |
+| | management agent | |
++----------------+--------------------------+----------------------------------+
+| rsyslog | syslog daemon | systemd unit ``rsyslog.service`` |
++----------------+--------------------------+----------------------------------+
Databases
---------
-+-------+------------+------------------------------+
-| RDBMS | Name | Used for |
-+=======+============+==============================+
-| MySQL | blog | Wordpress blog |
-+-------+------------+------------------------------+
-| MySQL | phpmyadmin | PHPMyAdmin settings database |
-+-------+------------+------------------------------+
++---------+------+----------------+
+| RDBMS | Name | Used for |
++=========+======+================+
+| MariaDB | blog | Wordpress blog |
++---------+------+----------------+
Connected Systems
-----------------
@@ -219,6 +226,7 @@ Outbound network connections
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
+* :doc:`puppet` (tcp/8140) as Puppet master
* crl.cacert.org (rsync) for getting CRLs
.. _Ping-o-matic: http://rpc.pingomatic.com/
@@ -232,7 +240,6 @@ Security
.. sshkeys::
:RSA: SHA256:OvtFKsNpDPfNmjMygTv3sT29KIx6TvvZq53UtGSf8rY MD5:ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d
- :DSA: SHA256:TUOE69GQYSWuJtL6l2WWr5FLSzWH8iBKDgE2ijZA9oA MD5:c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5
:ECDSA: SHA256:htMwuQDbm/CovJ7DSxJqqCYf7J4CsSOrYcKu4LVq4Ec MD5:00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81
:ED25519: SHA256:8kt3DBbcuRr8lGHmLm/mOmPUE++keUdRwDntbVITEns MD5:0c:fe:c7:a1:bd:e6:43:e6:70:5a:be:5a:15:4d:08:9d
@@ -272,6 +279,11 @@ Risk assessments on critical packages
Critical Configuration items
============================
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
+.. todo:: move configuration of :doc:`blog` to Puppet code
+
Keys and X.509 certificates
---------------------------
@@ -347,11 +359,7 @@ Changes
Planned
-------
-.. todo:: switch to Puppet management
-.. todo:: replace nrpe with icinga2 agent
-.. todo:: update wordpress to 5.x
-.. todo:: update to Debian 9/10
-.. todo:: setup IPv6
+.. todo:: manage the blog system using Puppet
.. todo::
setup CRL checks (can be borrowed from :doc:`svn`) for client certificates
@@ -371,5 +379,5 @@ Additional documentation
References
----------
-Wordpress website
- https://wordpress.org/
+* https://wordpress.org/
+* http://httpd.apache.org/docs/2.4/
diff --git a/docs/systems/community.rst b/docs/systems/community.rst
index b183068..ca49866 100644
--- a/docs/systems/community.rst
+++ b/docs/systems/community.rst
@@ -44,8 +44,8 @@ Contact
Additional People
-----------------
-:ref:`people_mario` and :ref:`people_jselzer` have :program:`sudo` access on
-that machine too.
+:ref:`people_mario`, :ref:`people_dirk` and :ref:`people_jselzer` have
+:program:`sudo` access on that machine too.
Basics
======
diff --git a/docs/systems/git.rst b/docs/systems/git.rst
index 7e8862f..62f8e5b 100644
--- a/docs/systems/git.rst
+++ b/docs/systems/git.rst
@@ -111,9 +111,9 @@ Operating System
.. index::
single: Debian GNU/Linux; Stretch
- single: Debian GNU/Linux; 9.4
+ single: Debian GNU/Linux; 10.4
-* Debian GNU/Linux 9.4
+* Debian GNU/Linux 10.4
Services
========
@@ -232,24 +232,7 @@ Dedicated user roles
Non-distribution packages and modifications
-------------------------------------------
-Gitweb has been modified to use https for `Gravatar`_ lookups:
-
-.. code-block:: diff
-
- --- gitweb.cgi 2014-02-06 14:01:48.696730208 +0000
- +++ /usr/share/gitweb/gitweb.cgi 2014-02-06 14:03:52.933721422 +0000
- @@ -2064,7 +2064,7 @@
- my $email = lc shift;
- my $size = shift;
- $avatar_cache{$email} ||=
- - "http://www.gravatar.com/avatar/" .
- + "https://secure.gravatar.com/avatar/" .
- Digest::MD5::md5_hex($email) . "?s=";
- return $avatar_cache{$email} . $size;
- }
-
-.. _Gravatar: http://www.gravatar.com/
-
+* None
Risk assessments on critical packages
-------------------------------------
diff --git a/docs/systems/infra02.rst b/docs/systems/infra02.rst
index 9e2eeb0..bae9a5b 100644
--- a/docs/systems/infra02.rst
+++ b/docs/systems/infra02.rst
@@ -15,7 +15,7 @@ CAcert infrastructure.
single: Ferm
Infra02 is the host system for all infrastructure :term:`containers
-<container>`. The containers are setup using the Linux kernel's :term:`LXC`
+<Container>`. The containers are setup using the Linux kernel's :term:`LXC`
system. The firewall for infrastructure is maintained on this machine using
Ferm_. The machine provides a DNS resolver based on dnsmasq_ and gives answers
for the internal zone infra.cacert.org.
diff --git a/docs/systems/monitor.rst b/docs/systems/monitor.rst
index 0340857..47adb94 100644
--- a/docs/systems/monitor.rst
+++ b/docs/systems/monitor.rst
@@ -8,8 +8,8 @@ Monitor
Purpose
=======
-This system hosts an `Icinga`_ instance to centrally monitor the services in
-the CAcert network (especially for security updates and certificate
+This system hosts an `Icinga 2`_ instance to centrally monitor the
+services in the CAcert network (especially for security updates and certificate
expiry).
.. note::
@@ -24,12 +24,12 @@ expiry).
acknowledgement, adding notes, rescheduling checks or setting downtimes for
your service.
-.. _Icinga: https://www.icinga.org/
+.. _Icinga 2: https://www.icinga.org/
Application Links
-----------------
-The Icinga classic frontend
+The Icingaweb 2 frontend
https://monitor.cacert.org/
Administration
@@ -44,11 +44,11 @@ System Administration
Application Administration
--------------------------
-+-------------+-----------------------+
-| Application | Administrator(s) |
-+=============+=======================+
-| Icinga | :ref:`people_jandd` |
-+-------------+-----------------------+
++-------------+---------------------+
+| Application | Administrator(s) |
++=============+=====================+
+| Icinga 2 | :ref:`people_jandd` |
++-------------+---------------------+
Contact
-------
@@ -111,10 +111,10 @@ Operating System
----------------
.. index::
- single: Debian GNU/Linux; Stretch
- single: Debian GNU/Linux; 9.4
+ single: Debian GNU/Linux; Buster
+ single: Debian GNU/Linux; 10.3
-* Debian GNU/Linux 9.4
+* Debian GNU/Linux 10.3
Applicable Documentation
------------------------
@@ -132,21 +132,23 @@ Services
Listening services
------------------
-+----------+---------+---------+-----------------------------+
-| Port | Service | Origin | Purpose |
-+==========+=========+=========+=============================+
-| 22/tcp | ssh | ANY | admin console access |
-+----------+---------+---------+-----------------------------+
-| 25/tcp | smtp | local | mail delivery to local MTA |
-+----------+---------+---------+-----------------------------+
-| 80/tcp | http | ANY | Icinga classic web frontend |
-+----------+---------+---------+-----------------------------+
-| 443/tcp | https | ANY | Icinga classic web frontend |
-+----------+---------+---------+-----------------------------+
-| 5666/tcp | nrpe | monitor | remote monitoring service |
-+----------+---------+---------+-----------------------------+
-| 5432/tcp | pgsql | local | PostgreSQL database for IDO |
-+----------+---------+---------+-----------------------------+
++----------+----------+----------+---------------------------------+
+| Port | Service | Origin | Purpose |
++==========+==========+==========+=================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+----------+----------+---------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+----------+----------+---------------------------------+
+| 80/tcp | http | ANY | Redirect to https |
++----------+----------+----------+---------------------------------+
+| 443/tcp | https | ANY | Icingaweb 2 frontend |
++----------+----------+----------+---------------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service |
++----------+----------+----------+---------------------------------+
+| 5432/tcp | pgsql | local | PostgreSQL database for IDO |
++----------+----------+----------+---------------------------------+
+| 8000/tcp | git-hook | internal | HTTP endpoint for git-pull-hook |
++----------+----------+----------+---------------------------------+
.. note::
@@ -159,78 +161,82 @@ Running services
.. index::
single: apache httpd
single: cron
- single: icinga
- single: ido2db
- single: nrpe
+ single: dbus
+ single: git-pull-hook
+ single: icinga2
single: openssh
single: postfix
single: postgresql
single: puppet agent
single: rsyslog
-+--------------------+--------------------+----------------------------------------+
-| Service | Usage | Start mechanism |
-+====================+====================+========================================+
-| Apache httpd | Webserver for | init script |
-| | Icinga classic | :file:`/etc/init.d/apache2` |
-+--------------------+--------------------+----------------------------------------+
-| cron | job scheduler | init script :file:`/etc/init.d/cron` |
-+--------------------+--------------------+----------------------------------------+
-| Icinga | Icinga monitoring | init script |
-| | daemon | :file:`/etc/init.d/icinga` |
-+--------------------+--------------------+----------------------------------------+
-| IDO2DB | IDO database | init script |
-| | writer daemon | :file:`/etc/init.d/ido2db` |
-+--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring | init script |
-| | service by | :file:`/etc/init.d/nagios-nrpe-server` |
-| | this system itself | |
-+--------------------+--------------------+----------------------------------------+
-| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
-| | remote | |
-| | administration | |
-+--------------------+--------------------+----------------------------------------+
-| Postfix | SMTP server for | init script |
-| | local mail | :file:`/etc/init.d/postfix` |
-| | submission | |
-+--------------------+--------------------+----------------------------------------+
-| PostgreSQL | PostgreSQL | init script |
-| | database server | :file:`/etc/init.d/postgresql` |
-| | for IDO | |
-+--------------------+--------------------+----------------------------------------+
-| Puppet agent | configuration | init script |
-| | management agent | :file:`/etc/init.d/puppet` |
-+--------------------+--------------------+----------------------------------------+
-| rsyslog | syslog daemon | init script |
-| | | :file:`/etc/init.d/syslog` |
-+--------------------+--------------------+----------------------------------------+
++----------------+-----------------------+------------------------------------------------+
+| Service | Usage | Start mechanism |
++================+=======================+================================================+
+| Apache httpd | Webserver for | systemd unit ``apache2.service`` |
+| | Icingaweb 2 | |
++----------------+-----------------------+------------------------------------------------+
+| cron | job scheduler | systemd unit ``cron.service`` |
++----------------+-----------------------+------------------------------------------------+
+| dbus-daemon | System message bus | systemd unit ``dbus.service`` |
+| | daemon | |
++----------------+-----------------------+------------------------------------------------+
+| git-pull-hook | Custom Python3 | systemd unit ``icinga2-git-pull-hook.service`` |
+| | hook to pull git | |
+| | changes from the | |
+| | cacert-icinga2-conf_d | |
+| | repository | |
++----------------+-----------------------+------------------------------------------------+
+| Icinga2 | Icinga2 monitoring | systemd unit ``icinga2.service`` |
+| | daemon | |
++----------------+-----------------------+------------------------------------------------+
+| openssh server | ssh daemon for | systemd unit ``ssh.service`` |
+| | remote | |
+| | administration | |
++----------------+-----------------------+------------------------------------------------+
+| Postfix | SMTP server for | systemd unit ``postfix.service`` |
+| | local mail | |
+| | submission | |
++----------------+-----------------------+------------------------------------------------+
+| PostgreSQL | PostgreSQL | systemd unit ``postgresql.service`` |
+| | database server | |
++----------------+-----------------------+------------------------------------------------+
+| Puppet agent | configuration | systemd unit ``puppet.service`` |
+| | management agent | |
++----------------+-----------------------+------------------------------------------------+
+| rsyslog | syslog daemon | systemd unit ``rsyslog.service`` |
++----------------+-----------------------+------------------------------------------------+
Databases
---------
-+------------+--------+-----------------+
-| RDBMS | Name | Used for |
-+============+========+=================+
-| PostgreSQL | icinga | Icinga IDO data |
-+------------+--------+-----------------+
++------------+------------+--------------------------------------------+
+| RDBMS | Name | Used for |
++============+============+============================================+
+| PostgreSQL | icinga2 | Icinga 2 performance and alerting data |
++------------+------------+--------------------------------------------+
+| PostgreSQL | icingaweb2 | Icingaweb 2 group and user preference data |
++------------+------------+--------------------------------------------+
Connected Systems
-----------------
-None
+* :doc:`../external/extmon`
+* :doc:`git` for triggering the git-pull-hook on newly pushed commits to the
+ cacert-icinga2-conf_d repository
Outbound network connections
----------------------------
* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
+* :doc:`git` to fetch new commits from the cacert-icinga2-conf_d repository
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs
-* all :ip:v4range:`10.0.0.0/24` and :ip:v4range:`172.16.2.0/24` systems for
- monitoring their services
+* all :ip:v4range:`10.0.0.0/24`, :ip:v4range:`172.16.2.0/24` and
+ :ip:v6range:`2001:7b8:616:162:2::/80` systems for monitoring their services
-.. todo:: add IPv6 ranges when they are monitored
Security
========
@@ -252,14 +258,11 @@ Puppet features.
Risk assessments on critical packages
-------------------------------------
-Icinga and the classic frontend are a bit aged but have a good security track
-record.
+Icinga 2 and Icingaweb 2 are well maintained community projects with a good
+security track record.
Apache httpd has a good reputation and is a low risk package.
-NRPE is flawed and should be replaced. The risk is somewhat mitigated by
-firewalling on :doc:`the infrastructure host <infra02>`.
-
The system uses third party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system. The puppet agent is not exposed for access from outside
@@ -271,7 +274,7 @@ Critical Configuration items
The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.
-.. todo:: move configuration of :doc:`monitor` to Puppet code
+.. todo:: move more configuration of :doc:`monitor` to Puppet code
Keys and X.509 certificates
---------------------------
@@ -311,10 +314,11 @@ the HTTPS VirtualHost.
Icinga configuration
--------------------
-The Icinga configuration is stored in the :file:`/etc/icinga/` directory.
-Database configuration for IDO is stored in :file:`ido2db.cfg`. The Icinga
-classic frontend configuration is stored in :file:`cgi.cfg`. Host and service
-configurations are defined in the :file:`objects/` subdirectory.
+The Icinga 2 configuration is stored in the :file:`/etc/icinga2/` directory.
+The :file:`/etc/icinga2/conf.d/` directory is managed in
+:cacertgit:`cacert-icinga2-conf_d` repository which has a post-receive hook to
+trigger updates of the Icinga 2 configuration and performs a graceful reload
+when configuration has changed.
Tasks
=====
diff --git a/docs/systems/puppet.rst b/docs/systems/puppet.rst
index 81f78cf..1b9da73 100644
--- a/docs/systems/puppet.rst
+++ b/docs/systems/puppet.rst
@@ -86,7 +86,11 @@ DNS
.. index::
single: DNS records; Puppet
-.. todo:: setup DNS records (in infra.cacert.org zone)
++--------------------------+------+------------+
+| Name | Type | Content |
++==========================+======+============+
+| puppet.infra.cacert.org. | IN A | 10.0.0.200 |
++--------------------------+------+------------+
.. seealso::
@@ -97,9 +101,9 @@ Operating System
.. index::
single: Debian GNU/Linux; Buster
- single: Debian GNU/Linux; 10.0
+ single: Debian GNU/Linux; 10.3
-* Debian GNU/Linux 10.0
+* Debian GNU/Linux 10.3
Services
========
@@ -107,89 +111,91 @@ Services
Listening services
------------------
-+----------+-----------+-----------+------------------------------------------+
-| Port | Service | Origin | Purpose |
-+==========+===========+===========+==========================================+
-| 22/tcp | ssh | ANY | admin console access |
-+----------+-----------+-----------+------------------------------------------+
-| 25/tcp | smtp | local | mail delivery to local MTA |
-+----------+-----------+-----------+------------------------------------------+
-| 5432/tcp | pgsql | local | PostgreSQL database for PuppetDB |
-+----------+-----------+-----------+------------------------------------------+
-| 8000/tcp | git-hook | internal | HTTP endpoint for git-pull-hook |
-+----------+-----------+-----------+------------------------------------------+
-| 8140/tcp | puppet | internal | Puppet master |
-+----------+-----------+-----------+------------------------------------------+
-| 8080/tcp | puppetdb | local | HTTP endpoint for local PuppetDB queries |
-+----------+-----------+-----------+------------------------------------------+
-| 8081/tcp | puppetdb | internal | HTTPS endpoint for PuppetDB |
-+----------+-----------+-----------+------------------------------------------+
++----------+----------+----------+------------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+==========+==========+==========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+----------+----------+------------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+----------+----------+------------------------------------------+
+| 5432/tcp | pgsql | local | PostgreSQL database for PuppetDB |
++----------+----------+----------+------------------------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service |
++----------+----------+----------+------------------------------------------+
+| 8000/tcp | git-hook | internal | HTTP endpoint for git-pull-hook |
++----------+----------+----------+------------------------------------------+
+| 8080/tcp | puppetdb | local | HTTP endpoint for local PuppetDB queries |
++----------+----------+----------+------------------------------------------+
+| 8081/tcp | puppetdb | internal | HTTPS endpoint for PuppetDB |
++----------+----------+----------+------------------------------------------+
+| 8140/tcp | puppet | internal | Puppet master |
++----------+----------+----------+------------------------------------------+
Running services
----------------
.. index::
single: cron
+ single: dbus
single: exim
single: git-pull-hook
+ single: icinga2
single: openssh
single: postgresql
single: puppet agent
- single: puppet server
single: puppetdb
+ single: puppetserver
single: rsyslog
-+--------------------+--------------------+----------------------------------------+
-| Service | Usage | Start mechanism |
-+====================+====================+========================================+
-| cron | job scheduler | init script :file:`/etc/init.d/cron` |
-+--------------------+--------------------+----------------------------------------+
-| Exim | SMTP server for | init script |
-| | local mail | :file:`/etc/init.d/exim4` |
-| | submission | |
-+--------------------+--------------------+----------------------------------------+
-| git-pull-hook | Custom Python3 | init script |
-| | hook to pull git | :file:`/etc/init.d/git-pull-hook` |
-| | changes from the | |
-| | cacert-puppet | |
-| | repository | |
-+--------------------+--------------------+----------------------------------------+
-| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
-| | remote | |
-| | administration | |
-+--------------------+--------------------+----------------------------------------+
-| PostgreSQL | PostgreSQL | init script |
-| | database server | :file:`/etc/init.d/postgresql` |
-| | for PuppetDB | |
-+--------------------+--------------------+----------------------------------------+
-| Puppet server | Puppet master for | init script |
-| | infrastructure | :file:`/etc/init.d/puppetserver` |
-| | systems | |
-+--------------------+--------------------+----------------------------------------+
-| Puppet agent | local Puppet agent | init script |
-| | | :file:`/etc/init.d/puppet` |
-+--------------------+--------------------+----------------------------------------+
-| PuppetDB | PuppetDB for | init script |
-| | querying Puppet | :file:`/etc/init.d/puppetdb` |
-| | facts and nodes | |
-| | and resources | |
-+--------------------+--------------------+----------------------------------------+
-| rsyslog | syslog daemon | init script |
-| | | :file:`/etc/init.d/syslog` |
-+--------------------+--------------------+----------------------------------------+
++----------------+--------------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++================+==========================+========================================+
+| cron | job scheduler | systemd unit ``cron.service`` |
++----------------+--------------------------+----------------------------------------+
+| dbus | system message bus | systemd unit ``dbus.service`` |
++----------------+--------------------------+----------------------------------------+
+| Exim | SMTP server for | systemd unit ``exim4.service`` |
+| | local mail submission | |
++----------------+--------------------------+----------------------------------------+
+| git-pull-hook | Custom Python3 hook | systemd unit ``git-pull-hook.service`` |
+| | to pull git changes | |
+| | from the cacert-puppet | |
+| | repository | |
++----------------+--------------------------+----------------------------------------+
+| icinga2 | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------------+
+| openssh server | ssh daemon for | systemd unit ``ssh.service`` |
+| | remote administration | |
++----------------+--------------------------+----------------------------------------+
+| PostgreSQL | PostgreSQL database | systemd unit ``postgresql.service`` |
+| | server for PuppetDB | |
++----------------+--------------------------+----------------------------------------+
+| Puppet agent | local Puppet agent | systemd unit ``puppet.service`` |
++----------------+--------------------------+----------------------------------------+
+| PuppetDB | PuppetDB for querying | systemd unit ``puppetdb.service`` |
+| | Puppet facts, nodes | |
+| | and resources | |
++----------------+--------------------------+----------------------------------------+
+| Puppet server | Puppet master for | systemd unit ``puppetserver.service`` |
+| | infrastructure systems | |
++----------------+--------------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++----------------+--------------------------+----------------------------------------+
Databases
---------
-+-------------+----------+-------------------+
-| RDBMS | Name | Used for |
-+=============+==========+===================+
-| PostgreSQL | puppetdb | PuppetDB database |
-+-------------+----------+-------------------+
++------------+----------+-------------------+
+| RDBMS | Name | Used for |
++============+==========+===================+
+| PostgreSQL | puppetdb | PuppetDB database |
++------------+----------+-------------------+
Connected Systems
-----------------
+* :doc:`blog`
* :doc:`bugs`
* :doc:`emailout`
* :doc:`ircserver`
@@ -203,6 +209,7 @@ Connected Systems
* :doc:`translations`
* :doc:`web`
* :doc:`webstatic`
+* :doc:`wiki`
* :doc:`git` for triggering the git-pull-hook on newly pushed commits to the
cacert-puppet repository
diff --git a/docs/systems/template.rst b/docs/systems/template.rst
index 8ddf96a..5e12ac7 100644
--- a/docs/systems/template.rst
+++ b/docs/systems/template.rst
@@ -182,23 +182,20 @@ Running services
+--------------------+--------------------------+----------------------------------------+
| Service | Usage | Start mechanism |
+====================+==========================+========================================+
-| Apache httpd | Webserver for ... | init script |
-| | | :file:`/etc/init.d/apache2` |
+| Apache httpd | Webserver for ... | systemd unit ``apache2.service`` |
+--------------------+--------------------------+----------------------------------------+
-| cron | job scheduler | init script :file:`/etc/init.d/cron` |
+| cron | job scheduler | systemd unit ``cron.service`` |
+--------------------+--------------------------+----------------------------------------+
| dbus-daemon | System message bus | systemd unit ``dbus.service`` |
-| | daemon | |
+--------------------+--------------------------+----------------------------------------+
-| Exim | SMTP server for | init script |
-| | local mail | :file:`/etc/init.d/exim4` |
+| Exim | SMTP server for | systemd unit ``exim4.service`` |
+| | local mail | |
| | submission, ... | |
+--------------------+--------------------------+----------------------------------------+
| icinga2 | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
+--------------------+--------------------------+----------------------------------------+
| MariaDB | MariaDB database | systemd unit ``mariadb.service`` |
-| | server for bug | |
-| | tracker | |
+| | server for ... | |
+--------------------+--------------------------+----------------------------------------+
| MySQL | MySQL database | init script |
| | server for ... | :file:`/etc/init.d/mysql` |
@@ -207,23 +204,21 @@ Running services
| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
| | :doc:`monitor` | |
+--------------------+--------------------------+----------------------------------------+
-| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
-| | remote | |
-| | administration | |
+| openssh server | ssh daemon for | systemd unit ``ssh.service`` |
+| | remote administration | |
+--------------------+--------------------------+----------------------------------------+
-| Postfix | SMTP server for | init script |
-| | local mail | :file:`/etc/init.d/postfix` |
+| Postfix | SMTP server for | systemd unit ``postfix.service`` |
+| | local mail | |
| | submission, ... | |
+--------------------+--------------------------+----------------------------------------+
-| PostgreSQL | PostgreSQL | init script |
-| | database server | :file:`/etc/init.d/postgresql` |
+| PostgreSQL | PostgreSQL | systemd unit ``postgresql.service`` |
+| | database server | |
| | for ... | |
+--------------------+--------------------------+----------------------------------------+
| Puppet agent | configuration | systemd unit ``puppet.service`` |
| | management agent | |
+--------------------+--------------------------+----------------------------------------+
-| rsyslog | syslog daemon | init script |
-| | | :file:`/etc/init.d/syslog` |
+| rsyslog | syslog daemon | systemd unit ``rsyslog.service`` |
+--------------------+--------------------------+----------------------------------------+
Databases
diff --git a/docs/systems/web.rst b/docs/systems/web.rst
index b0607e0..47d8e65 100644
--- a/docs/systems/web.rst
+++ b/docs/systems/web.rst
@@ -62,6 +62,7 @@ Logical Location
:IP Internet: :ip:v4:`213.154.225.242`
:IP Intranet: :ip:v4:`172.16.2.26`
:IP Internal: :ip:v4:`10.0.0.26`
+:IPv6: :ip:v6:`2001:7b8:616:162:2::26`
:MAC address: :mac:`00:ff:c7:e5:66:ae` (eth0)
.. seealso::
@@ -82,18 +83,27 @@ DNS
.. index::
single: DNS records; Web
-===================== ======== ====================================================================
-Name Type Content
-===================== ======== ====================================================================
-web.cacert.org. IN A 213.154.225.242
-web.cacert.org. IN SSHFP 1 1 85F5338D90930200CBBFCE1AAB56988B4C8F0F22
-web.cacert.org. IN SSHFP 1 2 D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E
-web.cacert.org. IN SSHFP 2 1 906F0C17BB0E233B0F52CE33CFE64038D45AC4F2
-web.cacert.org. IN SSHFP 2 2 DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F
-web.cacert.org. IN SSHFP 3 1 7B62D8D1E093C28CDA0F3D2444846128B41C10DE
-web.cacert.org. IN SSHFP 3 2 0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B
-web.intra.cacert.org. IN A 172.16.2.26
-===================== ======== ====================================================================
++-----------------------+----------+----------------------------------------------------------------------+
+| Name | Type | Content |
++=======================+==========+======================================================================+
+| web.cacert.org. | IN A | 213.154.225.242 |
++-----------------------+----------+----------------------------------------------------------------------+
+| web.cacert.org. | IN SSHFP | 1 1 85F5338D90930200CBBFCE1AAB56988B4C8F0F22 |
++-----------------------+----------+----------------------------------------------------------------------+
+| web.cacert.org. | IN SSHFP | 1 2 D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E |
++-----------------------+----------+----------------------------------------------------------------------+
+| web.cacert.org. | IN SSHFP | 2 1 906F0C17BB0E233B0F52CE33CFE64038D45AC4F2 |
++-----------------------+----------+----------------------------------------------------------------------+
+| web.cacert.org. | IN SSHFP | 2 2 DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F |
++-----------------------+----------+----------------------------------------------------------------------+
+| web.cacert.org. | IN SSHFP | 3 1 7B62D8D1E093C28CDA0F3D2444846128B41C10DE |
++-----------------------+----------+----------------------------------------------------------------------+
+| web.cacert.org. | IN SSHFP | 3 2 0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B |
++-----------------------+----------+----------------------------------------------------------------------+
+| web.intra.cacert.org. | IN A | 172.16.2.26 |
++-----------------------+----------+----------------------------------------------------------------------+
+
+.. todo:: add SSHFP for ED25519 key, remove SSHFP for DSA key, add AAAA record for IPv6
.. seealso::
@@ -104,9 +114,11 @@ Operating System
.. index::
single: Debian GNU/Linux; Stretch
- single: Debian GNU/Linux; 9.4
+ single: Debian GNU/Linux; 9.12
-* Debian GNU/Linux 9.4
+* Debian GNU/Linux 9.12
+
+.. todo:: upgrade to Debian 10 Buster
Services
========
@@ -114,19 +126,19 @@ Services
Listening services
------------------
-+----------+-----------+-----------+-----------------------------------------+
-| Port | Service | Origin | Purpose |
-+==========+===========+===========+=========================================+
-| 22/tcp | ssh | ANY | admin console access |
-+----------+-----------+-----------+-----------------------------------------+
-| 25/tcp | smtp | local | mail delivery to local MTA |
-+----------+-----------+-----------+-----------------------------------------+
-| 80/tcp | http | ANY | redirects to https |
-+----------+-----------+-----------+-----------------------------------------+
-| 443/tcp | https | ANY | https termination and reverse proxy |
-+----------+-----------+-----------+-----------------------------------------+
-| 5666/tcp | nrpe | monitor | remote monitoring service |
-+----------+-----------+-----------+-----------------------------------------+
++----------+---------+---------+-------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+=====================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+-------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+-------------------------------------+
+| 80/tcp | http | ANY | redirects to https |
++----------+---------+---------+-------------------------------------+
+| 443/tcp | https | ANY | https termination and reverse proxy |
++----------+---------+---------+-------------------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service |
++----------+---------+---------+-------------------------------------+
Running services
----------------
@@ -134,38 +146,38 @@ Running services
.. index::
single: apache httpd
single: cron
- single: nrpe
+ single: icinga2
single: openssh
single: postfix
single: puppet agent
single: rsyslog
-+--------------------+---------------------+----------------------------------------+
-| Service | Usage | Start mechanism |
-+====================+=====================+========================================+
-| Apache httpd | http redirector, | init script |
-| | https reverse proxy | :file:`/etc/init.d/apache2` |
-+--------------------+---------------------+----------------------------------------+
-| cron | job scheduler | init script :file:`/etc/init.d/cron` |
-+--------------------+---------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring | init script |
-| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-| | :doc:`monitor` | |
-+--------------------+---------------------+----------------------------------------+
-| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
-| | remote | |
-| | administration | |
-+--------------------+---------------------+----------------------------------------+
-| Postfix | SMTP server for | init script |
-| | local mail | :file:`/etc/init.d/postfix` |
-| | submission | |
-+--------------------+---------------------+----------------------------------------+
-| Puppet agent | configuration | init script |
-| | management agent | :file:`/etc/init.d/puppet` |
-+--------------------+---------------------+----------------------------------------+
-| rsyslog | syslog daemon | init script |
-| | | :file:`/etc/init.d/syslog` |
-+--------------------+---------------------+----------------------------------------+
++----------------+--------------------------+-----------------------------------------+
+| Service | Usage | Start mechanism |
++================+==========================+=========================================+
+| Apache httpd | http redirector, | init script |
+| | https reverse proxy | :file:`/etc/init.d/apache2` |
++----------------+--------------------------+-----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++----------------+--------------------------+-----------------------------------------+
+| icinga2 | Icinga2 monitoring agent | init script :file:`/etc/init.d/icinga2` |
++----------------+--------------------------+-----------------------------------------+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++----------------+--------------------------+-----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++----------------+--------------------------+-----------------------------------------+
+| Puppet agent | configuration | init script |
+| | management agent | :file:`/etc/init.d/puppet` |
++----------------+--------------------------+-----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++----------------+--------------------------+-----------------------------------------+
+
+.. todo:: switch to systemd
Connected Systems
-----------------
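Review bot: The new icinga2 row (`| icinga2 | Icinga2 monitoring agent | init script :file:`/etc/init.d/icinga2` |`) drops the cross-reference to :doc:`monitor` that the replaced NRPE row carried, so the reader no longer learns which system this agent reports to; the icinga2 row in the docs/systems/wiki.rst running-services table further down has the same gap. I'd put the link back in the Usage cell, e.g. change it to read "Icinga2 monitoring agent queried by :doc:`monitor`". The listening-services table above does still give `monitor` as the origin of 5665/tcp, which partly compensates, but the Usage cell is where every other row explains the service's role.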
@@ -188,7 +200,6 @@ Security
.. sshkeys::
:RSA: SHA256:05y9UViPMi97Q4QnTPAWbyWxD1SmzRU+1yUf8wtbUW4 MD5:6d:e5:7e:1d:72:d5:5e:f8:43:80:94:a8:b1:0d:9b:81
- :DSA: SHA256:2/YiGopAO0yfU3tnYwX9rgf/RaHBjYixFBAxQCrwJQ8 MD5:00:27:11:fe:58:9d:d8:e5:c5:35:34:27:bb:79:86:16
:ECDSA: SHA256:CRfaZ3yebK8YGMEVHsKoE2I6KylVoahQ8mDWTvBBQAs MD5:7f:91:92:80:f2:b5:2f:5d:8e:11:3f:9b:62:48:e7:18
:ED25519: SHA256:IHm9Gjf0u753ADO+WDYLFuHwPK3ReAe101xG/NeCwYk MD5:82:ab:13:33:ee:69:cf:09:18:20:d0:9c:b9:a0:0e:61
@@ -243,9 +254,9 @@ Keys and X.509 certificates
:altnames: DNS:infradocs.cacert.org
:certfile: /etc/ssl/certs/infradocs.cacert.org.crt
:keyfile: /etc/ssl/private/infradocs.cacert.org.key
- :serial: 02C448
- :expiration: May 18 08:21:31 2020 GMT
- :sha1fp: 87:E7:21:19:24:61:D9:82:60:DB:65:41:7C:6C:0A:4E:63:0E:27:F7
+ :serial: 02E102
+ :expiration: May 04 18:37:30 2022 GMT
+ :sha1fp: 29:9C:00:5E:14:27:C8:4F:5C:BE:07:F8:96:5B:0B:1F:B5:97:9F:64
:issuer: CAcert Class 3 Root
.. sslcert:: jenkins.cacert.org
diff --git a/docs/systems/wiki.rst b/docs/systems/wiki.rst
index 16cbc2f..c5d9f1d 100644
--- a/docs/systems/wiki.rst
+++ b/docs/systems/wiki.rst
@@ -23,9 +23,7 @@ System Administration
---------------------
* Primary: :ref:`people_dirk`
-* Secondary: None
-
-.. todo:: find an additional admin
+* Secondary: :ref:`people_jandd`
Application Administration
--------------------------
@@ -40,7 +38,7 @@ Contact
Additional People
-----------------
-:ref:`people_jandd` and :ref:`people_mario` have :program:`sudo` access on that machine too.
+:ref:`people_mario` has :program:`sudo` access on that machine too.
Basics
======
@@ -78,16 +76,31 @@ DNS
.. index::
single: DNS records; Wiki
-+------------------------+----------+----------------------------------------------+
-| Name | Type | Content |
-+========================+==========+==============================================+
-| wiki.cacert.org. | IN SSHFP | 2 1 04F7AB767579F004CC3AB2CC42A4CCAA24E51154 |
-| wiki.cacert.org. | IN SSHFP | 1 1 5C3E0D3265782405E0141C47BF0E16EC14B12E08 |
-| wiki.cacert.org. | IN A | 213.154.225.235 |
-| wiki.intra.cacert.org. | IN A | 172.16.2.12 |
-| wiki.infra.cacert.org. | IN AAAA | 2001:7b8:616:162:2::12 |
-| wiki.infra.cacert.org. | IN MX | 1 emailout.infra.cacert.org. |
-+------------------------+----------+----------------------------------------------+
++------------------------+----------+----------------------------------------------------------------------+
+| Name | Type | Content |
++========================+==========+======================================================================+
+| wiki.cacert.org. | IN A | 213.154.225.235 |
++------------------------+----------+----------------------------------------------------------------------+
+| wiki.cacert.org. | IN AAAA | 2001:7b8:616:162:2::12 |
++------------------------+----------+----------------------------------------------------------------------+
+| wiki.cacert.org. | IN SSHFP | 1 1 5C3E0D3265782405E0141C47BF0E16EC14B12E08 |
++------------------------+----------+----------------------------------------------------------------------+
+| wiki.cacert.org. | IN SSHFP | 1 2 69101872cb629e30a78ca4aac781720e1217c3733f6bb8d659034e9c23c890df |
++------------------------+----------+----------------------------------------------------------------------+
+| wiki.cacert.org. | IN SSHFP | 3 1 73113627b9e77be383e4da3a8c4b4a0ae07df5ba |
++------------------------+----------+----------------------------------------------------------------------+
+| wiki.cacert.org. | IN SSHFP | 3 2 88d73c828d56d3cccac530558bf0a1b2678c238f285c3ef6b61fa05ea782fd60 |
++------------------------+----------+----------------------------------------------------------------------+
+| wiki.cacert.org. | IN SSHFP | 4 1 c1d79ceb8986b02b6b477f8c9e50b2623a15cfe8 |
++------------------------+----------+----------------------------------------------------------------------+
+| wiki.cacert.org. | IN SSHFP | 4 2 6cfa531e0eebbb01b226444d33c238b83c96cc134d23662f95a36c095c4dfbdf |
++------------------------+----------+----------------------------------------------------------------------+
+| wiki.infra.cacert.org. | IN AAAA | 2001:7b8:616:162:2::12 |
++------------------------+----------+----------------------------------------------------------------------+
+| wiki.infra.cacert.org. | IN MX | 1 emailout.infra.cacert.org. |
++------------------------+----------+----------------------------------------------------------------------+
+| wiki.intra.cacert.org. | IN A | 172.16.2.12 |
++------------------------+----------+----------------------------------------------------------------------+
.. seealso::
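Review bot: The SHA-256 SSHFP rows for wiki.cacert.org (`1 2 6910…`, `3 2 88d7…`, `4 2 6cfa…`) appear consistent with the RSA, ECDSA and ED25519 SHA256 fingerprints in the Security section later in this file (their leading bytes decode to the same values), so the DNS table and the sshkeys block now agree. What the page does not say is that these records only authenticate the host for clients that resolve them through a validating DNSSEC resolver with `VerifyHostKeyDNS` enabled; without that, the table is documentation rather than a trust anchor. I'd add one sentence after the table, e.g. "SSHFP records are only verified by clients using a validating DNSSEC resolver with VerifyHostKeyDNS; otherwise compare the host key fingerprints with the Security section below." The SHA-1 rows (`1 1`, `3 1`, `4 1`) presumably remain for older clients; a short note saying so would make the eventual cleanup easier.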
@@ -97,10 +110,10 @@ Operating System
----------------
.. index::
- single: Debian GNU/Linux; Wheezy
- single: Debian GNU/Linux; 7.11
+ single: Debian GNU/Linux; Buster
+ single: Debian GNU/Linux; 10.3
-* Debian GNU/Linux 7.11
+* Debian GNU/Linux 10.3
Services
========
@@ -108,19 +121,19 @@ Services
Listening services
------------------
-+----------+---------+---------+----------------------------+
-| Port | Service | Origin | Purpose |
-+==========+=========+=========+============================+
-| 22/tcp | ssh | ANY | admin console access |
-+----------+---------+---------+----------------------------+
-| 25/tcp | smtp | local | mail delivery to local MTA |
-+----------+---------+---------+----------------------------+
-| 80/tcp | http | ANY | application |
-+----------+---------+---------+----------------------------+
-| 443/tcp | https | ANY | application |
-+----------+---------+---------+----------------------------+
-| 5666/tcp | nrpe | monitor | remote monitoring service |
-+----------+---------+---------+----------------------------+
++----------+---------+----------+----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+==========+============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+----------+----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+----------+----------------------------+
+| 80/tcp | http | ANY | application |
++----------+---------+----------+----------------------------+
+| 443/tcp | https | ANY | application |
++----------+---------+----------+----------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service |
++----------+---------+----------+----------------------------+
Running services
----------------
@@ -128,28 +141,36 @@ Running services
.. index::
single: apache httpd
single: cron
- single: exim4
- single: nginx
- single: nrpe
+ single: dbus
+ single: icinga2
single: openssh
single: postfix
- single: syslog-ng
-
-+--------------------+-----------------------------------------------------+----------------------------------------------------+
-| Service | Usage | Start mechanism |
-+====================+=====================================================+====================================================+
-| Apache httpd | Webserver for the Wiki | init script :file:`/etc/init.d/apache2` |
-+--------------------+-----------------------------------------------------+----------------------------------------------------+
-| cron | job scheduler | init script :file:`/etc/init.d/cron` |
-+--------------------+-----------------------------------------------------+----------------------------------------------------+
-| Nagios NRPE server | remote monitoring service queried by :doc:`monitor` | init script :file:`/etc/init.d/nagios-nrpe-server` |
-+--------------------+-----------------------------------------------------+----------------------------------------------------+
-| openssh server | ssh daemon for remote administration | init script :file:`/etc/init.d/ssh` |
-+--------------------+-----------------------------------------------------+----------------------------------------------------+
-| Postfix | SMTP server for local mail submission | init script :file:`/etc/init.d/postfix` |
-+--------------------+-----------------------------------------------------+----------------------------------------------------+
-| syslog-ng | syslog daemon | init script :file:`/etc/init.d/syslog-ng` |
-+--------------------+-----------------------------------------------------+----------------------------------------------------+
+ single: puppet agent
+ single: rsyslog
+
++----------------+--------------------------+----------------------------------+
+| Service | Usage | Start mechanism |
++================+==========================+==================================+
+| Apache httpd | Webserver for the Wiki | systemd unit ``apache2.service`` |
++----------------+--------------------------+----------------------------------+
+| cron | job scheduler | systemd unit ``cron.service`` |
++----------------+--------------------------+----------------------------------+
+| dbus-daemon | System message bus | systemd unit ``dbus.service`` |
++----------------+--------------------------+----------------------------------+
+| icinga2 | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for | systemd unit ``ssh.service`` |
+| | remote administration | |
++----------------+--------------------------+----------------------------------+
+| Postfix | SMTP server for | systemd unit ``postfix.service`` |
+| | local mail | |
+| | submission | |
++----------------+--------------------------+----------------------------------+
+| Puppet agent | configuration | systemd unit ``puppet.service`` |
+| | management agent | |
++----------------+--------------------------+----------------------------------+
+| rsyslog | syslog daemon | systemd unit ``rsyslog.service`` |
++----------------+--------------------------+----------------------------------+
Connected Systems
-----------------
@@ -162,14 +183,15 @@ Outbound network connections
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
+* :doc:`puppet` (tcp/8140) as Puppet master
Security
========
.. sshkeys::
:RSA: SHA256:aRAYcstinjCnjKSqx4FyDhIXw3M/a7jWWQNOnCPIkN8 MD5:f8:16:e5:40:91:42:10:a6:ba:aa:e3:f9:1a:71:d7:09
- :DSA: SHA256:cgJn47gOMu4RSqz9DUvWvnHh0v3pFNfD9hrBmOYQ9ZI MD5:d5:36:2d:0c:bb:73:da:43:0c:23:61:df:b6:b9:8c:c9
:ECDSA: SHA256:iNc8go1W08zKxTBVi/ChsmeMI48oXD72th+gXqeC/WA MD5:09:ea:70:41:1b:bb:a4:6a:fa:fd:37:c2:29:05:35:0e
+ :ED25519: SHA256:bPpTHg7ruwGyJkRNM8I4uDyWzBNNI2YvlaNsCVxN+98 MD5:1e:4f:70:ff:65:c2:d5:8a:e2:24:09:04:77:94:9b:a0
Non-distribution packages and modifications
-------------------------------------------
@@ -181,11 +203,19 @@ MoinMoin in :file:`/srv/www/wiki/`.
Risk assessments on critical packages
-------------------------------------
-The whole system is outdated an end of life and must be updated.
+The MoinMoin 1.x wiki software is based on Python 2 which is EOL. The software
+should be replaced when MoinMoin 2.x comes out with support for Python 3.
+
+.. todo:: upgrade to MoinMoin 2.x when it is available
Critical Configuration items
============================
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
+.. todo:: move configuration of :doc:`wiki` to Puppet code
+
Keys and X.509 certificates
---------------------------
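Review bot: The new paragraph under Critical Configuration items asserts that the system configuration is managed via Puppet profiles and that there should be no configuration items outside :cacertgit:`cacert-puppet`, but the todo directly beneath it says the wiki's configuration still has to be moved to Puppet code, and the Non-distribution packages section above describes MoinMoin installed in /srv/www/wiki/. As written, someone auditing the host would read the first sentence as a statement of the current state. I'd phrase it as the target instead, e.g. "The system configuration is being migrated to Puppet profiles; configuration items not yet in :cacertgit:`cacert-puppet` are listed below." and then list the remaining manually managed items, or state that none are known.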
@@ -215,13 +245,11 @@ Apache is configured using files in :file:`/etc/apache2` integrating the MoinMoi
Changes
=======
+.. todo:: manage the blog system using Puppet
+
System Future
-------------
-.. todo:: update the OS of :doc:`wiki`
-
-.. todo:: introduce Puppet management for :doc:`wiki`
-
Additional documentation
========================
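Review bot: The added `.. todo:: manage the blog system using Puppet` is in docs/systems/wiki.rst, so "blog system" looks like a copy from another system page and should say "wiki"; it also duplicates the `.. todo:: move configuration of :doc:`wiki` to Puppet code` added under Critical Configuration items earlier in this file, so I'd drop it rather than reword it. With the two old todos removed, the System Future subsection is left empty here, while the `* No plans` bullet in the following hunk is appended under Additional documentation after the PostfixConfiguration link; presumably it was meant for System Future, and moving it there would close both gaps.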
@@ -229,7 +257,11 @@ Additional documentation
* :wiki:`PostfixConfiguration`
+* No plans
+
References
----------
* http://moinmo.in/
+* https://modwsgi.readthedocs.io/en/master/index.html
+* http://httpd.apache.org/docs/2.4/