-rw-r--r--.gitignore6
-rw-r--r--doc-requirements.txt21
-rw-r--r--docs/building.rst2
-rw-r--r--docs/certlist.rst5
-rw-r--r--docs/conf.py12
-rw-r--r--docs/configdiff/bugs/apache/bugs-apache-config.diff47
-rw-r--r--docs/configdiff/cats/apache/cats-apache-config.diff63
-rw-r--r--docs/configdiff/cats/logrotate/cats18
-rw-r--r--docs/configdiff/emailout/canonical_maps2
-rw-r--r--docs/configdiff/emailout/postfix-main.cf52
-rw-r--r--docs/configdiff/emailout/transport3
-rw-r--r--docs/configdiff/git/git-apache-config.diff121
-rw-r--r--docs/configdiff/git/git-daemon-run.diff8
-rw-r--r--docs/configdiff/git/gitweb.conf.diff40
-rw-r--r--docs/critical/template.rst47
-rw-r--r--docs/downloads/template_new_community_mailaddress.rfc82219
-rw-r--r--docs/glossary.rst19
-rw-r--r--docs/index.rst1
-rw-r--r--docs/iplist.rst2
-rw-r--r--docs/lxcsetup.rst117
-rw-r--r--docs/network.rst2
-rw-r--r--docs/patches/otrs/Layout.pm.patch54
-rw-r--r--docs/people.rst61
-rw-r--r--docs/sphinxext/cacert.py452
-rw-r--r--docs/sshkeys.rst2
-rw-r--r--docs/systems.rst15
-rw-r--r--docs/systems/arbitration.rst298
-rw-r--r--docs/systems/blog.rst77
-rw-r--r--docs/systems/board.rst55
-rw-r--r--docs/systems/bugs.rst359
-rw-r--r--docs/systems/cats.rst380
-rw-r--r--docs/systems/email.rst255
-rw-r--r--docs/systems/emailout.rst327
-rw-r--r--docs/systems/git.rst374
-rw-r--r--docs/systems/infra02.rst44
-rw-r--r--docs/systems/irc.rst366
-rw-r--r--docs/systems/ircserver.rst376
-rw-r--r--docs/systems/issue.rst382
-rw-r--r--docs/systems/lists.rst412
-rw-r--r--docs/systems/monitor.rst43
-rw-r--r--docs/systems/proxyout.rst214
-rw-r--r--docs/systems/puppet.rst299
-rw-r--r--docs/systems/svn.rst348
-rw-r--r--docs/systems/template.rst50
-rw-r--r--docs/systems/web.rst308
-rw-r--r--docs/systems/webmail.rst32
-rw-r--r--docs/systems/webstatic.rst285
-rwxr-xr-xtools/ssh_host_keys.py37
-rwxr-xr-xtools/sslcert.py116
-rw-r--r--tools/tool-requirements.txt3
50 files changed, 5971 insertions, 660 deletions
diff --git a/.gitignore b/.gitignore
index 47dc4ed..7285178 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,9 @@
*.pyc
*.pyo
.*.swp
+.ropeproject/
.swp
-venv/
_build/
-.ropeproject/
+py2venv/
+venv/
+.idea/ \ No newline at end of file
diff --git a/doc-requirements.txt b/doc-requirements.txt
index fdbe2c3..7752ffe 100644
--- a/doc-requirements.txt
+++ b/doc-requirements.txt
@@ -1,15 +1,16 @@
-Babel==2.3.3
-Jinja2==2.8
-MarkupSafe==0.23
-Pygments==2.1.3
-Sphinx==1.4.1
-alabaster==0.7.7
-docutils==0.12
-imagesize==0.7.0
-pytz==2016.3
-six==1.10.0
+Babel==2.5.1
+Jinja2==2.10
+MarkupSafe==1.0
+Pygments==2.2.0
+Sphinx==1.6.6
+alabaster==0.7.10
+docutils==0.14
+imagesize==0.7.1
+pytz==2017.3
+six==1.11.0
snowballstemmer==1.2.1
jandd.sphinxext.ip==0.2.4
jandd.sphinxext.mac==0.1.0
py-dateutil==2.2
validate-email==1.3
+GitPython==2.1.8
diff --git a/docs/building.rst b/docs/building.rst
index 573ac67..733c6da 100644
--- a/docs/building.rst
+++ b/docs/building.rst
@@ -77,5 +77,5 @@ to browse the documentation (there are some JavaScript and SVG glitches due to
Content-Security-Policy settings).
If the documentation build is successful the result is pushed to a webserver
-document root on :doc:`webstatic` and is publicly available at
+document root on :doc:`systems/webstatic` and is publicly available at
https://infradocs.cacert.org/.
diff --git a/docs/certlist.rst b/docs/certlist.rst
index 44651c3..68f5bf0 100644
--- a/docs/certlist.rst
+++ b/docs/certlist.rst
@@ -2,4 +2,9 @@
X.509 Certificates
==================
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+ * :wiki:`SystemAdministration/Procedures/CertificateIssuing`
+
.. sslcertlist::
diff --git a/docs/conf.py b/docs/conf.py
index d612007..dcc539f 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -14,7 +14,10 @@
import sys
import os
+from datetime import datetime
from urllib.parse import urljoin
+
+from git import repo
from docutils import nodes, utils
# If extensions (or modules to document with autodoc) are in another directory,
@@ -54,8 +57,8 @@ master_doc = 'index'
# General information about the project.
project = u'CAcert infrastructure'
-copyright = u'2016, Jan Dittberner'
-author = u'Jan Dittberner'
+copyright = u'2016, 2017, 2018 Jan Dittberner, CAcert'
+author = u'CAcert infrastructure team'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
@@ -64,7 +67,10 @@ author = u'Jan Dittberner'
# The short X.Y version.
version = u'0.1'
# The full version, including alpha/beta/rc tags.
-release = u'0.1'
+release = "{}-git:{} built:{}".format(
+ version,
+ repo.Repo('..').git.describe('--always', '--dirty'),
+ datetime.utcnow().replace(microsecond=0))
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
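Review bot: `repo.Repo('..')` is resolved against the process's working directory, not against `docs/conf.py`, so a `sphinx-build` started from anywhere other than `docs/` fails (or may open whatever repository happens to sit above the cwd); anchor it on the file instead: `repo.Repo(os.path.join(os.path.dirname(os.path.abspath(__file__)), '..'))` — `os` is already imported above. The release string also makes the build hard-dependent on a git checkout: an export without `.git` now raises while conf.py is imported, so if builds from a tarball matter, wrapping the `describe` call in a `try`/`except` that falls back to `version` keeps them working. `datetime.utcnow()` yields a naive timestamp and the rendered string does not say which zone it is in; `datetime.now(timezone.utc)` or an explicit `Z` suffix would be unambiguous.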
diff --git a/docs/configdiff/bugs/apache/bugs-apache-config.diff b/docs/configdiff/bugs/apache/bugs-apache-config.diff
new file mode 100644
index 0000000..355b796
--- /dev/null
+++ b/docs/configdiff/bugs/apache/bugs-apache-config.diff
@@ -0,0 +1,47 @@
+diff -urw -X .bugs_etc_ignore orig/etc/apache2/conf-available/security.conf bugs/etc/apache2/conf-available/security.conf
+--- orig/etc/apache2/conf-available/security.conf 2015-11-28 13:59:22.000000000 +0100
++++ bugs/etc/apache2/conf-available/security.conf 2016-05-08 14:04:46.335145675 +0200
+@@ -5,11 +5,11 @@
+ # This currently breaks the configurations that come with some web application
+ # Debian packages.
+ #
+-#<Directory />
+-# AllowOverride None
+-# Order Deny,Allow
+-# Deny from all
+-#</Directory>
++<Directory />
++ AllowOverride None
++ Order Deny,Allow
++ Deny from all
++</Directory>
+
+
+ # Changing the following options will not really affect the security of the
+@@ -61,14 +61,24 @@
+ # else than declared by the content type in the HTTP headers.
+ # Requires mod_headers to be enabled.
+ #
+-#Header set X-Content-Type-Options: "nosniff"
++Header set X-Content-Type-Options: "nosniff"
++
++#
++# Some browsers have a built-in XSS filter that will detect some cross site
++# scripting attacks. By default, these browsers modify the suspicious part of
++# the page and display the result. This behavior can create various problems
++# including new security issues. This header will tell the XSS filter to
++# completely block access to the page instead.
++# Requires mod_headers to be enabled.
++#
++Header set X-XSS-Protection: "1; mode=block"
+
+ #
+ # Setting this header will prevent other sites from embedding pages from this
+ # site as frames. This defends against clickjacking attacks.
+ # Requires mod_headers to be enabled.
+ #
+-#Header set X-Frame-Options: "sameorigin"
++Header set X-Frame-Options: "sameorigin"
+
+
+ # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
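Review bot: The three security headers are added with `Header set`, which mod_headers applies only to successful responses, so error pages (4xx/5xx) are sent without X-Frame-Options, X-Content-Type-Options and X-XSS-Protection; `Header always set X-Frame-Options "sameorigin"` (and likewise for the other two) covers both header tables. The git host's config in the same commit (git-apache-config.diff) already uses `Header always set` and additionally sends Strict-Transport-Security; if bugs is served over HTTPS only, an equivalent HSTS line here would keep the two hosts consistent. The `<Directory />` block relies on the 2.2-era `Order`/`Deny` directives, which on Apache 2.4 only work while mod_access_compat is loaded — `Require all denied` is the native form, presumably applicable given the 2015 Debian baseline the diff was taken against.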
diff --git a/docs/configdiff/cats/apache/cats-apache-config.diff b/docs/configdiff/cats/apache/cats-apache-config.diff
new file mode 100644
index 0000000..355722e
--- /dev/null
+++ b/docs/configdiff/cats/apache/cats-apache-config.diff
@@ -0,0 +1,63 @@
+diff -urwN -X diffignore-apache2 orig/etc/apache2/mods-available/ssl.conf cats/etc/apache2/mods-available/ssl.conf
+--- orig/etc/apache2/mods-available/ssl.conf 2015-08-18 09:35:40.000000000 +0200
++++ cats/etc/apache2/mods-available/ssl.conf 2014-10-21 15:38:01.894358956 +0200
+@@ -53,7 +53,7 @@
+ # ciphers(1) man page from the openssl package for list of all available
+ # options.
+ # Enable only secure ciphers:
+-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
++#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+ # Speed-optimized SSL Cipher configuration:
+ # If speed is your main concern (on busy HTTPS servers e.g.),
+@@ -66,10 +66,11 @@
+ # compromised, captures of past or future traffic must be
+ # considered compromised, too.
+ #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+-#SSLHonorCipherOrder on
++SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
++SSLHonorCipherOrder on
+
+ # enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
+-SSLProtocol all -SSLv2
++SSLProtocol all -SSLv2 -SSLv3
+
+ # Allow insecure renegotiation with clients which do not yet support the
+ # secure renegotiation protocol. Default: Off
+diff -urwN -X diffignore-apache2 orig/etc/apache2/ports.conf cats/etc/apache2/ports.conf
+--- orig/etc/apache2/ports.conf 2015-08-18 09:35:40.000000000 +0200
++++ cats/etc/apache2/ports.conf 2016-05-16 16:53:43.551587545 +0200
+@@ -14,6 +14,7 @@
+ # to <VirtualHost *:443>
+ # Server Name Indication for SSL named virtual hosts is currently not
+ # supported by MSIE on Windows XP.
++ NameVirtualHost *:443
+ Listen 443
+ </IfModule>
+
+diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/cats cats/etc/apache2/sites-available/cats
+--- orig/etc/apache2/sites-available/cats 1970-01-01 01:00:00.000000000 +0100
++++ cats/etc/apache2/sites-available/cats 2016-05-16 16:56:53.220765336 +0200
+@@ -0,0 +1,22 @@
++<VirtualHost *:80>
++ ServerAdmin support@cacert.org
++ DocumentRoot /home/cats/public_html
++ ServerName cats.cacert.org
++ ErrorLog /home/cats/logs/error.log
++ CustomLog /home/cats/logs/access.log combined
++</VirtualHost>
++<VirtualHost *:443>
++ SSLEngine On
++ SSLCertificateFile /home/cats/ssl/certs/cats_cert.pem
++ SSLCertificateKeyFile /home/cats/ssl/private/cats_privatekey.pem
++ SSLCACertificateFile /usr/share/ca-certificates/cacert.org/cacert.org.crt
++ SSLVerifyDepth 10
++ SSLOptions +StdEnvVars +ExportCertData +StrictRequire
++ SSLVerifyClient require
++
++ ServerAdmin support@cacert.org
++ DocumentRoot /home/cats/public_html
++ ServerName cats.cacert.org
++ ErrorLog /home/cats/logs/error.log
++ CustomLog /home/cats/logs/access.log "%h %l %{SSL_CLIENT_S_DN_Email}x %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
++</VirtualHost>
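Review bot: The new `SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:...` still admits everything in `ALL` that the exclusions do not remove — plain-RSA key exchange without forward secrecy and SHA-1 MAC suites among them — and the comment `enable only secure protocols: SSLv3 and TLSv1` no longer describes `SSLProtocol all -SSLv2 -SSLv3`, which also leaves TLSv1.0 and TLSv1.1 enabled. Consider replacing `ALL` with an explicit list (or at least adding `!kRSA`) and rewording the comment to match the directive it sits above. The `<VirtualHost *:80>` block serves the same `/home/cats/public_html` over plain HTTP with no redirect, so the `SSLVerifyClient require` on :443 only protects what the application itself gates on the `SSL_CLIENT_*` variables; unless the plain-HTTP entry is intentional, a `Redirect permanent / https://cats.cacert.org/` in the port-80 host closes that gap.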
diff --git a/docs/configdiff/cats/logrotate/cats b/docs/configdiff/cats/logrotate/cats
new file mode 100644
index 0000000..e43b163
--- /dev/null
+++ b/docs/configdiff/cats/logrotate/cats
@@ -0,0 +1,18 @@
+/home/cats/logs/*.log {
+ weekly
+ missingok
+ rotate 52
+ compress
+ delaycompress
+ notifempty
+ create 640 root cats
+ sharedscripts
+ postrotate
+ /etc/init.d/apache2 reload > /dev/null
+ endscript
+ prerotate
+ if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+ run-parts /etc/logrotate.d/httpd-prerotate; \
+ fi; \
+ endscript
+}
diff --git a/docs/configdiff/emailout/canonical_maps b/docs/configdiff/emailout/canonical_maps
new file mode 100644
index 0000000..4b8c021
--- /dev/null
+++ b/docs/configdiff/emailout/canonical_maps
@@ -0,0 +1,2 @@
+/@(.*).intra.cacert.org$/ $1-admin@cacert.org
+/@(.*).infra.cacert.org$/ $1-admin@cacert.org
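Review bot: The dots in both PCRE patterns are unescaped, so `.` matches any character and `/@(.*).intra.cacert.org$/` also rewrites addresses such as `user@hostXintraXcacertXorg` (constructed example); write `/@(.*)\.intra\.cacert\.org$/` and `/@(.*)\.infra\.cacert\.org$/`. The greedy `(.*)` captures multi-label host names whole (`a.b.intra.cacert.org` becomes `a.b-admin@cacert.org`), which may be intended but deserves a one-line comment in the map so the next editor does not "fix" it.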
diff --git a/docs/configdiff/emailout/postfix-main.cf b/docs/configdiff/emailout/postfix-main.cf
new file mode 100644
index 0000000..90c57a1
--- /dev/null
+++ b/docs/configdiff/emailout/postfix-main.cf
@@ -0,0 +1,52 @@
+# Global Postfix configuration file. This file lists only a subset
+# of all parameters. For the syntax, and for a complete parameter
+# list, see the postconf(5) manual page (command: "man 5 postconf").
+#
+
+compatibility_level = 2
+
+mydomain = emailout.intra.cacert.org
+myorigin = /etc/mailname
+
+mydestination = emailout.cacert.org, emailout, localhost.localdomain, localhost
+myhostname = emailout.intra.cacert.org
+
+mynetworks = 172.16.2.0/24 10.0.0.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+
+biff = no
+
+smtp_helo_name = infrastructure.cacert.org
+
+# TLS parameters
+#
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# map internal host names to their corresponding admin addresses
+canonical_maps = pcre:/etc/postfix/canonical_maps
+
+mailbox_size_limit = 0
+recipient_delimiter = +
+
+# DKIM milter
+# http://www.postfix.org/MILTER_README.html
+# TODO: enable DKIM once the DNS record is in place
+#smtpd_milters = unix:/opendkim/opendkim.sock
+#non_smtpd_milters = $smtpd_milters
+
+# what to do if the dkim filter fails
+#milter_default_action = accept
+#milter_command_timeout = 5s
+#milter_connect_timeout = $milter_command_timeout
+#milter_content_timeout = 45s
+
+transport_maps = hash:/etc/postfix/transport
+local_transport = error:local delivery is disabled
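Review bot: Outbound TLS is never enabled: `smtp_tls_security_level` is not set, so Postfix's default (no client-side TLS) applies to everything this relay forwards to lists/issue/email.intra and to the internet, and the `smtp_tls_session_cache_database` line has no effect. Adding `smtp_tls_security_level = may` (or `encrypt`, at least for the three internal transports) makes the client side match the opportunistic `smtpd_tls_security_level=may` already configured for the server side. The smtpd certificate is still the Debian snakeoil pair; since the same commit introduces an sslcert directive for tracking host certificates, a CAcert-issued certificate here would let internal submitters actually verify the relay rather than merely encrypt to it.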
diff --git a/docs/configdiff/emailout/transport b/docs/configdiff/emailout/transport
new file mode 100644
index 0000000..8c4f3d1
--- /dev/null
+++ b/docs/configdiff/emailout/transport
@@ -0,0 +1,3 @@
+lists.cacert.org smtp:[lists.intra.cacert.org]
+issue.cacert.org smtp:[issue.intra.cacert.org]
+cacert.org smtp:[email.intra.cacert.org]
diff --git a/docs/configdiff/git/git-apache-config.diff b/docs/configdiff/git/git-apache-config.diff
new file mode 100644
index 0000000..ad2c182
--- /dev/null
+++ b/docs/configdiff/git/git-apache-config.diff
@@ -0,0 +1,121 @@
+diff -urwN -X diffignore-apache2 orig/etc/apache2/conf-available/security.conf git/etc/apache2/conf-available/security.conf
+--- orig/etc/apache2/conf-available/security.conf 2015-11-28 13:59:22.000000000 +0100
++++ git/etc/apache2/conf-available/security.conf 2016-05-20 00:15:49.874994024 +0200
+@@ -10,6 +10,17 @@
+ # Order Deny,Allow
+ # Deny from all
+ #</Directory>
++<Directory />
++ Options FollowSymLinks
++ AllowOverride None
++</Directory>
++
++<Directory /var/www/>
++ Options Indexes FollowSymLinks MultiViews
++ AllowOverride None
++ Order allow,deny
++ allow from all
++</Directory>
+
+
+ # Changing the following options will not really affect the security of the
+diff -urwN -X diffignore-apache2 orig/etc/apache2/mods-available/ssl.conf git/etc/apache2/mods-available/ssl.conf
+--- orig/etc/apache2/mods-available/ssl.conf 2015-10-24 10:37:19.000000000 +0200
++++ git/etc/apache2/mods-available/ssl.conf 2016-01-02 16:13:42.695785273 +0100
+@@ -56,7 +56,8 @@
+ # ciphers(1) man page from the openssl package for list of all available
+ # options.
+ # Enable only secure ciphers:
+- SSLCipherSuite HIGH:!aNULL
++ #SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128
++ SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP
+
+ # SSL server cipher order preference:
+ # Use server priorities for cipher algorithm choice.
+@@ -65,7 +66,7 @@
+ # the CPU cost, and did not override SSLCipherSuite in a way that puts
+ # insecure ciphers first.
+ # Default: Off
+- #SSLHonorCipherOrder on
++ SSLHonorCipherOrder on
+
+ # The protocols to enable.
+ # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/000-default.conf git/etc/apache2/sites-available/000-default.conf
+--- orig/etc/apache2/sites-available/000-default.conf 2015-10-24 10:37:19.000000000 +0200
++++ git/etc/apache2/sites-available/000-default.conf 2016-05-20 00:21:02.697250540 +0200
+@@ -11,11 +11,19 @@
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
++ RewriteEngine on
++ RewriteCond %{HTTP_HOST} !^git\.cacert\.org [NC]
++ RewriteCond %{HTTP_HOST} !^$
++ RewriteRule ^/?(.*) http://git.cacert.org/$1 [L,R,NE]
++
++ Redirect / https://git.cacert.org/gitweb
++
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
++ LogLevel warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/default-ssl.conf git/etc/apache2/sites-available/default-ssl.conf
+--- orig/etc/apache2/sites-available/default-ssl.conf 2016-05-20 00:05:51.022493172 +0200
++++ git/etc/apache2/sites-available/default-ssl.conf 2016-05-20 00:14:50.350565644 +0200
+@@ -2,13 +2,27 @@
+ <VirtualHost _default_:443>
+ ServerAdmin webmaster@localhost
+
++ Redirect /index.html /gitweb/
++
+ DocumentRoot /var/www/html
+
++ <Directory />
++ Options FollowSymLinks
++ AllowOverride None
++ </Directory>
++ <Directory /var/www/>
++ Options Indexes FollowSymLinks MultiViews
++ AllowOverride None
++ Order allow,deny
++ allow from all
++ </Directory>
++
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
++ LogLevel warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+@@ -29,8 +43,8 @@
+ # /usr/share/doc/apache2/README.Debian.gz for more info.
+ # If both key and certificate are stored in the same file, only the
+ # SSLCertificateFile directive is needed.
+- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+- SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
++ SSLCertificateFile /etc/ssl/public/git.c.o.chain.crt
++ SSLCertificateKeyFile /etc/ssl/private/git.c.o.key
+
+ # Server Certificate Chain:
+ # Point SSLCertificateChainFile at a file containing the
+@@ -130,6 +144,12 @@
+ # MSIE 7 and newer should be able to use keepalive
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
++ # HSTS
++ Header always set Strict-Transport-Security "max-age=31536000"
++ Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'sha256-dacEZQWGxky95ybZadcNI26RDghVLeVdbdRC/Q3spJQ='; img-src 'self'; style-src 'self';"
++ Header always set X-Frame-Options "DENY"
++ Header always set X-XSS-Protection "1; mode=block"
++ Header always set X-Content-Type-Options "nosniff"
+ </VirtualHost>
+ </IfModule>
+
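Review bot: The cipher list in the ssl.conf hunk writes the null-encryption alias as `!eNull`; OpenSSL documents it as `eNULL`, and if the alias lookup is case-sensitive the exclusion is silently ignored rather than rejected at startup, so check the effective list with `openssl ciphers -v '<the configured string>'` and prefer the documented spelling `!eNULL`. In 000-default.conf the RewriteRule sends requests for other host names to `http://git.cacert.org/$1`, which then meets `Redirect / https://git.cacert.org/gitweb` — one extra plaintext hop that rewriting straight to `https://git.cacert.org/$1` avoids. `Options Indexes` on `/var/www/` in both vhosts enables directory listings for the document root; if nothing depends on them, `-Indexes` keeps them off. The HSTS header deliberately omits `includeSubDomains`, which is reasonable for a single host but worth stating in the `# HSTS` comment.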
diff --git a/docs/configdiff/git/git-daemon-run.diff b/docs/configdiff/git/git-daemon-run.diff
new file mode 100644
index 0000000..abcca5a
--- /dev/null
+++ b/docs/configdiff/git/git-daemon-run.diff
@@ -0,0 +1,8 @@
+--- orig/etc/sv/git-daemon/run 2016-03-19 14:22:50.000000000 +0100
++++ git/etc/sv/git-daemon/run 2014-02-06 01:46:55.424870926 +0100
+@@ -3,4 +3,4 @@
+ echo 'git-daemon starting.'
+ exec chpst -ugitdaemon \
+ "$(git --exec-path)"/git-daemon --verbose --reuseaddr \
+- --base-path=/var/lib /var/lib/git
++ --base-path=/var/cache/git /var/cache/git
diff --git a/docs/configdiff/git/gitweb.conf.diff b/docs/configdiff/git/gitweb.conf.diff
new file mode 100644
index 0000000..0e8e957
--- /dev/null
+++ b/docs/configdiff/git/gitweb.conf.diff
@@ -0,0 +1,40 @@
+--- orig/etc/gitweb.conf 2016-03-19 14:22:50.000000000 +0100
++++ git/etc/gitweb.conf 2014-02-17 02:25:18.281157394 +0100
+@@ -1,5 +1,8 @@
+ # path to git projects (<project>.git)
+-$projectroot = "/var/lib/git";
++$projectroot = "/var/cache/git";
++
++# only show repos that are also served via git-daemon
++$export_ok = "git-daemon-export-ok";
+
+ # directory to use for temp files
+ $git_temp = "/tmp";
+@@ -13,6 +16,9 @@
+ # file with project list; by default, simply scan the projectroot dir.
+ #$projects_list = $projectroot;
+
++# Enable categories
++$projects_list_group_categories = 1;
++
+ # stylesheet to use
+ #@stylesheets = ("static/gitweb.css");
+
+@@ -28,3 +34,17 @@
+ # git-diff-tree(1) options to use for generated patches
+ #@diff_opts = ("-M");
+ @diff_opts = ();
++
++# auto generate fetch URLs
++@git_base_url_list = (
++ "git://git.cacert.org",
++ "ssh://git.cacert.org/var/cache/git");
++
++# Prevent XSS attacks
++$prevent_xss = 1;
++
++# enable gravatar support
++$feature{'avatar'}{'default'} = ['gravatar'];
++
++# enable syntax highlighting
++$feature{'highlight'}{'default'} = [1];
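Review bot: `$feature{'avatar'}{'default'} = ['gravatar']` makes gitweb emit image tags pointing at gravatar.com, which the Content-Security-Policy added in git-apache-config.diff (`img-src 'self'`) blocks in browsers, and it publishes an MD5 hash of every committer's e-mail address to a third party. Either drop the avatar feature or, if it is wanted, add the gravatar origin to `img-src` deliberately and record the privacy trade-off in the comment above it. `$projectroot` here and `--base-path` in git-daemon-run.diff must stay in sync with each other and with the `ssh://` base URL; a comment such as `# keep in sync with /etc/sv/git-daemon/run --base-path` would help the next change.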
diff --git a/docs/critical/template.rst b/docs/critical/template.rst
index 006f7ed..89319c8 100644
--- a/docs/critical/template.rst
+++ b/docs/critical/template.rst
@@ -228,24 +228,13 @@ Outbound network connections
Security
========
-SSH host keys
--------------
-
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint |
-+===========+=====================================================+
-| RSA | |
-+-----------+-----------------------------------------------------+
-| DSA | |
-+-----------+-----------------------------------------------------+
-| ECDSA | |
-+-----------+-----------------------------------------------------+
-| ED25519 | |
-+-----------+-----------------------------------------------------+
-
-.. seealso::
+.. add the MD5 fingerprints of the SSH host keys
- See :doc:`../sshkeys`
+.. sshkeys::
+ :RSA:
+ :DSA:
+ :ECDSA:
+ :ED25519:
Dedicated user roles
--------------------
@@ -280,15 +269,31 @@ Critical Configuration items
Keys and X.509 certificates
---------------------------
-* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
-* :file:`/etc/apache2/ssl/<path to server key>` server key
+.. use the sslcert directive to have certificates added to the certificate list
+ automatically
+
+.. sslcert:: template.cacert.org
+ :altnames:
+ :certfile:
+ :keyfile:
+ :serial:
+ :expiration:
+ :sha1fp:
+ :issuer:
+
+.. for certificates that are orginally created on another host use
+
+.. sslcert:: other.cacert.org
+ :certfile:
+ :keyfile:
+ :serial:
+ :secondary:
.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
* `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
.. seealso::
- * :doc:`../certlist`
* :wiki:`SystemAdministration/CertificateList`
<service_x> configuration
@@ -314,7 +319,7 @@ System Future
.. use this section to describe any plans for the system future. These are
larger plans like moving to another host, abandoning the system or replacing
- its funtionality with something else.
+ its functionality with something else.
.. * No plans
diff --git a/docs/downloads/template_new_community_mailaddress.rfc822 b/docs/downloads/template_new_community_mailaddress.rfc822
new file mode 100644
index 0000000..3dd8118
--- /dev/null
+++ b/docs/downloads/template_new_community_mailaddress.rfc822
@@ -0,0 +1,19 @@
+Subject: Your new cacert.org address
+Reply-To: email-admin@cacert.org
+
+Hello,
+
+your new address <firstname.lastname>@cacert.org has just been setup in the
+cacert email system.
+
+The initial password is <password>.
+
+Please get a client certificate for this address and reset your password via
+[1] as documented in the wiki [2].
+
+[1] https://community.cacert.org/password.php as documented in
+[2] https://wiki.cacert.org/Technology/TechnicalSupport/EndUserSupport/CommunityE-Mail
+
+
+Best regards
+<mail admin name>
diff --git a/docs/glossary.rst b/docs/glossary.rst
index 047a245..95344ea 100644
--- a/docs/glossary.rst
+++ b/docs/glossary.rst
@@ -5,7 +5,10 @@ Glossary
:sorted:
LXC
- `Linux Containers <https://linuxcontainers.org/>`_
+ LXC is a userspace interface to the Linux kernel containment features.
+ See `The LXC introduction
+ <https://linuxcontainers.org/lxc/introduction/>`_ on the Linux containers
+ website for more information
Container
A container is an isolated system with a separate root file system and
@@ -43,3 +46,17 @@ Glossary
more server applications. Application Administrators do not necessarily
need system level access if the managed application has other means of
administration, for example a web based administration frontend.
+
+ DKIM
+ Domain Key Identified Mail
+ A mechanism where legitimate mail for a domain is verifiable by a
+ signature in a mail header and a corresponding public key in a specific
+ :term:`DNS` record. Outgoing mail servers for the domain have to be
+ configured to add the necessary signature to mails for their domains.
+
+ DNS
+ Domain Name System
+ DNS maps names to other information, the most well known use case is
+ mapping human readable names to IP addresses, but their are more
+ applications for DNS like service discovery, storage of public keys and
+ other public information.
diff --git a/docs/index.rst b/docs/index.rst
index 271aefc..d6200dc 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -12,6 +12,7 @@ Table of Contents
critical
systems
+ lxcsetup
network
iplist
sshkeys
diff --git a/docs/iplist.rst b/docs/iplist.rst
index 26722c2..f20050c 100644
--- a/docs/iplist.rst
+++ b/docs/iplist.rst
@@ -4,7 +4,7 @@ IP address list
Internet IP addresses
---------------------
-.. ip:v4range:: 213.154.225.0/24
+.. ip:v4range:: 213.154.225.224/27
This is the public CAcert IPv4 address range
diff --git a/docs/lxcsetup.rst b/docs/lxcsetup.rst
new file mode 100644
index 0000000..3deaa5a
--- /dev/null
+++ b/docs/lxcsetup.rst
@@ -0,0 +1,117 @@
+=====================================================
+Setup of a new CAcert LXC container with Puppet agent
+=====================================================
+
+Preparation
+===========
+
+Network considerations
+----------------------
+
+- Decide on a hostname for the container. The hostname should be short and
+ correspond to the functionality provided by the container.
+- Define an IPv4 address from the :ip:v4range:`213.154.225.224/27` subnet if
+ the container should be reachable from the outside via IPv4. If the services
+ provide HTTP or HTTPS services you will not need a dedicated IP address
+ because virtual hosting and SNI can be used via :doc:`systems/proxyin`
+- Define an IPv6 address in the :ip:v6range:`2001:7b8:616:162:2::/80` subnet.
+ There is no reason not to use IPv6 for new services.
+- Define an IPv4 address in the :ip:v4range:`172.16.2.0/24` subnet if the
+ container should be reachable from other CAcert machines than
+ :doc:`systems/infra02` or other :doc:`systems`.
+- Define an IPv4 address in the :ip:v4range:`10.0.0.0/24` subnet. Containers
+ that are only used by other containers do not need any other IP addresses
+ than this one.
+
+.. note::
+
+ Please use the same last octet for all IP addresses of a container if
+ possible
+
+Storage considerations
+----------------------
+
+- Define the size of the LVM volume for the root filesystem. Be conservative,
+ volume size can be increased on demand.
+
+OS considerations
+-----------------
+
+- Define the OS userland version for the container. Use the latest Debian
+ stable release if there are no good reasons not to.
+
+Setup
+=====
+
+- Define machine parameters for in lxc-setup.ini
+- Run :command:`lxc-setup` (uses lxc-create/debootstrap and makes sure that
+ systemd-sysv is not setup in the containers)
+- Define firewall rules in a separate file in :file:`/etc/ferm/ferm.d/` on
+ :doc:`systems/infra02`.
+
+Setup puppet-agent
+------------------
+
+- define puppet configuration for the new container in Hiera / sitemodules in
+ the `cacert-puppet Repository`_ on :doc:`systems/git`
+- see `Puppet agent installation`_ for agent setup (install the agent from
+ official Puppet repositories)
+- define the puppet master IP address in :file:`/etc/hosts`:
+
+ .. code-block:: text
+
+ 10.0.0.200 puppet
+
+- set the certname in :file:`/etc/puppetlabs/puppet/puppet.conf` to match
+ the name of the file in :file:`hieradata/nodes/` for the system:
+
+ .. code-block:: ini
+
+ [main]
+ certname = <system>
+
+- run:
+
+ .. code-block:: sh
+
+ root@system: puppet agent --test --noop
+
+ to create a new certificate for the system and send a signing request to the
+ :doc:`puppet master <systems/puppet>`
+- sign the system certificate on the :doc:`puppet master <systems/puppet>`
+ using:
+
+ .. code-block:: sh
+
+ root@puppet: puppet cert sign <system>
+
+- run:
+
+ .. code-block:: sh
+
+ root@system: puppet agent --test --noop
+
+ on the system to see whether the catalog for the machine compiles and what it
+ would change
+- apply the catalog with:
+
+ .. code-block:: sh
+
+ root@system: puppet agent --test
+
+- start the puppet agent using:
+
+ .. code-block:: sh
+
+ root@system: /etc/init.d/puppet start
+
+.. _Puppet agent installation: https://puppet.com/docs/puppet/5.4/install_linux.html
+.. _cacert-puppet Repository: https://git.cacert.org/gitweb/?p=cacert-puppet.git
+
+Post-Setup task
+===============
+
+- Document the new container in a file of the :file:`docs/systems` directory of
+ the `Infrastructure documentation
+ <https://git.cacert.org/gitweb/?p=cacert-infradocs.git;a=tree;f=docs/systems>`_.
+- Setup machine-admin alias on :doc:`systems/email`.
diff --git a/docs/network.rst b/docs/network.rst
index b8262f0..078f3ad 100644
--- a/docs/network.rst
+++ b/docs/network.rst
@@ -16,7 +16,7 @@ CAcert has a public Internet IPv4 address range and some of the Internet IP
addresses are mapped to the infrastructure systems.
The infrastructure systems use IPv4 addresses from the
-:ip:v4range:`213.154.225.0/24` subnet.
+:ip:v4range:`213.154.225.224/27` subnet.
IPv6 connectivity is also available. The infrastructure IPv6 addresses are
taken from the :ip:v6range:`2001:7b8:616:162:1::/80` and
diff --git a/docs/patches/otrs/Layout.pm.patch b/docs/patches/otrs/Layout.pm.patch
new file mode 100644
index 0000000..05ce2a2
--- /dev/null
+++ b/docs/patches/otrs/Layout.pm.patch
@@ -0,0 +1,54 @@
+--- otrs_orig/Layout.pm 2015-01-11 03:13:29.049626928 +0000
++++ /usr/share/otrs/Kernel/Output/HTML/Layout.pm 2015-01-11 03:18:55.736035997 +0000
+@@ -369,7 +369,21 @@
+ }
+
+ # locate template files
+- $Self->{TemplateDir} = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
++ $Self->{TemplateDir}
++ = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
++ $Self->{StandardTemplateDir}
++ = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . 'Standard';
++
++ # Check if 'Standard' fallback exists
++ if ( !-e $Self->{StandardTemplateDir} ) {
++ $Self->{LogObject}->Log(
++ Priority => 'error',
++ Message =>
++ "No existing template directory found ('$Self->{TemplateDir}')! Check your Home in Kernel/Config.pm",
++ );
++ $Self->FatalDie();
++ }
++
+ if ( !-e $Self->{TemplateDir} ) {
+ $Self->{LogObject}->Log(
+ Priority => 'error',
+@@ -378,17 +392,9 @@
+ Default theme used instead.",
+ );
+
+- # Set TemplateDir to 'Standard' as a fallback and check if it exists.
++ # Set TemplateDir to 'Standard' as a fallback.
+ $Theme = 'Standard';
+- $Self->{TemplateDir} = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
+- if ( !-e $Self->{TemplateDir} ) {
+- $Self->{LogObject}->Log(
+- Priority => 'error',
+- Message =>
+- "No existing template directory found ('$Self->{TemplateDir}')! Check your Home in Kernel/Config.pm",
+- );
+- $Self->FatalDie();
+- }
++ $Self->{TemplateDir} = $Self->{StandardTemplateDir};
+ }
+
+ # load sub layout files
+@@ -531,7 +537,7 @@
+ $File = "$Self->{TemplateDir}/$Param{TemplateFile}.dtl";
+ }
+ else {
+- $File = "$Self->{TemplateDir}/../Standard/$Param{TemplateFile}.dtl";
++ $File = "$Self->{StandardTemplateDir}/$Param{TemplateFile}.dtl";
+ }
+ if ( open my $TEMPLATEIN, '<', $File ) {
+ $TemplateString = do { local $/; <$TEMPLATEIN> };
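Review bot: The new 'Standard' fallback check tests `$Self->{StandardTemplateDir}` but logs `$Self->{TemplateDir}`, so the error names the theme directory rather than the one that is actually missing; change the message to `"No existing template directory found ('$Self->{StandardTemplateDir}')! Check your Home in Kernel/Config.pm"`. The enclosing sub begins and ends outside the hunk. The later hunk's `$File = "$Self->{StandardTemplateDir}/$Param{TemplateFile}.dtl"` replaces the `../Standard` relative path with the precomputed directory, which is a good cleanup worth a one-line comment explaining why the two template directories are now tracked separately.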
diff --git a/docs/people.rst b/docs/people.rst
index 91d2a92..b6d8220 100644
--- a/docs/people.rst
+++ b/docs/people.rst
@@ -2,6 +2,19 @@
People list
===========
+The following list shows information for people in charge of some systems or
+applications. The list of roles is known to not be complete.
+
+.. maybe this can be improved by some automation later
+
+.. _people_dirk:
+
+Dirk Astrath
+============
+
+:roles: :term:`Application Administrator` on :doc:`systems/bugs`,
+ :term:`Infrastructure Administrator`
+
.. _people_abahlo:
Alexander Bahlo
@@ -10,6 +23,21 @@ Alexander Bahlo
:roles: :term:`Application Administrator` on :doc:`systems/blog`
:contact: alexander.bahlo@cacert.org
+.. _people_benbe:
+
+Benny Baumann
+=============
+
+:roles: :term:`Infrastructure Administrator`, :term:`Application Administrator`
+ on :doc:`systems/bugs`
+
+.. _people_ian:
+
+Ian Grigg
+=========
+
+:contact: ian.grigg@cacert.org
+
.. _people_jandd:
Jan Dittberner
@@ -20,6 +48,13 @@ Jan Dittberner
:wiki: :wiki:`JanDittberner`
:irc: jandd
+.. _people_ted:
+
+Bernhard Fröhlich
+=================
+
+:roles: :term:`Application Administrator` on :doc:`systems/bugs`
+
.. _people_martin:
Martin Gummi
@@ -28,6 +63,13 @@ Martin Gummi
:roles: :term:`Infrastructure Administrator`
:contact: martin.gummi@cacert.org
+.. _people_philipp:
+
+Philipp Gühring
+===============
+
+:roles: :term:`Application Administrator` on :doc:`systems/bugs`
+
.. _people_mario:
Mario Lipinski
@@ -52,13 +94,30 @@ Mendel Mobach
:roles: :term:`Critical System Administrator`
:contact: mendel@cacert.org
+.. _people_msimons:
+
+Martin Simons
+=============
+
+:roles: :term:`Critical System Administrator`
+:contact: msimons@cacert.org
+
.. _people_neo:
Michael Tänzer
==============
-:roles: :term:`Infrastructure Administrator`
+:roles: :term:`Infrastructure Administrator`
:contact: michael.taenzer@cacert.org
+:wiki: :wiki:`MichaelTänzer`
+
+
+.. _people_nick:
+
+Nicolas Bebout
+==============
+
+:contact: nick.bebout@cacert.org
.. _people_gero:
diff --git a/docs/sphinxext/cacert.py b/docs/sphinxext/cacert.py
index bde161f..fe8e7ff 100644
--- a/docs/sphinxext/cacert.py
+++ b/docs/sphinxext/cacert.py
@@ -6,23 +6,28 @@
# sshkeys
# sshkeylist
-__version__ = '0.1.0'
-
+import binascii
import re
+import os.path
from ipaddress import ip_address
from docutils import nodes
from docutils.parsers.rst import Directive
from docutils.parsers.rst import directives
-from docutils.parsers.rst import roles
from sphinx import addnodes
from sphinx.errors import SphinxError
-from sphinx.util.nodes import set_source_info, make_refnode
+from sphinx.util.nodes import set_source_info, make_refnode, traverse_parent
from dateutil.parser import parse as date_parse
+from base64 import b64decode
from validate_email import validate_email
+__version__ = '0.1.0'
+
+SUPPORTED_SSH_KEYTYPES = ('RSA', 'DSA', 'ECDSA', 'ED25519')
+SSH_MD5_RE = r'^([0-9a-f]{2}:){15}[0-9a-f]{2}$'
+
class sslcert_node(nodes.General, nodes.Element):
pass
@@ -32,11 +37,50 @@ class sslcertlist_node(nodes.General, nodes.Element):
pass
+class sshkeys_node(nodes.General, nodes.Element):
+ pass
+
+
+class sshkeylist_node(nodes.General, nodes.Element):
+ pass
+
+
+# mapping and validation functions for directive options
+
def hex_int(argument):
value = int(argument, base=16)
return value
+def ssh_fingerprint(argument):
+ value = argument.strip().split(" ")
+ result = {}
+ for k in value:
+ if k.startswith('SHA256:'):
+ sha256_encoded = k[len('SHA256:'):]
+ try:
+ sha256_decoded = b64decode(sha256_encoded + "=", validate=True)
+ if len(sha256_decoded) != 32:
+ raise ValueError(
+ '{} is no correctly formatted SHA256 fingerprint'.format(
+ k))
+ except binascii.Error:
+ raise ValueError(
+ '{} is no correctly formatted SHA256 fingerprint'.format(k))
+ result['sha256'] = sha256_encoded
+ elif k.startswith('MD5:'):
+ if not re.match(SSH_MD5_RE, k[len('MD5:'):].lower()):
+ raise ValueError(
+ '{} is no correctly formatted MD5 fingerprint'.format(k))
+ result['md5'] = k[len('MD5:'):]
+ else:
+ if not re.match(SSH_MD5_RE, k.lower()):
+ raise ValueError(
+ '{} is no correctly formatted MD5 fingerprint'.format(k))
+ result['md5'] = k.lower()
+ return result
+
+
def sha1_fingerprint(argument):
value = argument.strip().lower()
if not re.match(r'^([0-9a-f]{2}:){19}[0-9a-f]{2}$', value):
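Review bot: `ssh_fingerprint` stores the `MD5:`-prefixed value as typed (`result['md5'] = k[len('MD5:'):]`) while the un-prefixed branch stores `k.lower()`, so the same fingerprint renders with different case depending on how it was written in the directive; `result['md5'] = k[len('MD5:'):].lower()` makes both branches agree with the lower-cased regex check. `argument.strip().split(" ")` also turns a double space into an empty token that fails with the misleading "is no correctly formatted MD5 fingerprint" message, where `argument.split()` would skip it. The `b64decode(sha256_encoded + "=", validate=True)` call accepts only the unpadded 43-character form that OpenSSH prints, which is presumably intended but deserves a comment. `sha1_fingerprint` continues outside the hunk.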
@@ -44,15 +88,6 @@ def sha1_fingerprint(argument):
return value
-def create_table_row(rowdata):
- row = nodes.row()
- for cell in rowdata:
- entry = nodes.entry()
- row += entry
- entry += cell
- return row
-
-
def is_valid_hostname(hostname):
if len(hostname) > 255:
return False
@@ -143,32 +178,138 @@ class CAcertSSLCert(Directive):
para.append(sslcert)
return [para]
+
class CAcertSSLCertList(Directive):
"""
The sslcertlist directive implementation
"""
+
def run(self):
return [sslcertlist_node()]
+
class CAcertSSHKeys(Directive):
"""
The sshkeys directive implementation that can be used to specify the ssh
host keys for a host.
"""
+ option_spec = {
+ keytype.lower(): ssh_fingerprint for keytype in SUPPORTED_SSH_KEYTYPES
+ }
+
def run(self):
- return []
+ if len(self.options) == 0:
+ raise self.error(
+ "at least one ssh key fingerprint must be specified. The "
+ "following formats are supported: %s" % ", ".join(
+ SUPPORTED_SSH_KEYTYPES))
+ sshkeys = sshkeys_node()
+ sshkeys.attributes['keys'] = self.options.copy()
+ set_source_info(self, sshkeys)
+
+ env = self.state.document.settings.env
+ secid = 'sshkeys-%s' % env.new_serialno('sshkeys')
+
+ section = nodes.section(ids=[secid])
+ section += nodes.title(text='SSH host keys')
+ section += sshkeys
+ return [section]
+
class CAcertSSHKeyList(Directive):
"""
The sshkeylist directive implementation
"""
+
def run(self):
- return []
+ return [sshkeylist_node()]
+
+
+def create_table_row(rowdata):
+ row = nodes.row()
+ for cell in rowdata:
+ entry = nodes.entry()
+ row += entry
+ entry += cell
+ return row
+
+
+def _sslcert_item_key(item):
+ return "%s-%d" % (item['cn'], item['serial'])
-def _create_interpreted_file_node(text, line=0):
- return roles._roles['file']('', ':file:`%s`' % text,
- text, line, None)[0][0]
+def _sshkeys_item_key(item):
+ return "%s" % os.path.basename(item['docname'])
+
+
+def _build_cert_anchor_name(cn, serial):
+ return 'cert_%s_%d' % (cn.replace('.', '_'), serial)
+
+
+def _format_subject_alternative_names(altnames):
+ return nodes.paragraph(text=", ".join(
+ [content for _, content in altnames]
+ ))
+
+
+def _place_sort_key(place):
+ return "%s-%d" % (place['docname'], place['lineno'])
+
+
+def _file_ref_paragraph(cert_info, filekey, app, env, docname):
+ para = nodes.paragraph()
+
+ places = [place for place in cert_info['places'] if place['primary']]
+ places.extend(sorted([
+ place for place in cert_info['places'] if not place['primary']],
+ key=_place_sort_key))
+
+ for pos in range(len(places)):
+ place = places[pos]
+ title = env.titles[place['docname']].astext().lower()
+ if place['primary'] and len(places) > 1:
+ reftext = nodes.strong(text=title)
+ else:
+ reftext = nodes.Text(title)
+ para += make_refnode(
+ app.builder, docname, place['docname'], place['target']['ids'][0],
+ reftext)
+ para += nodes.Text(":")
+ para += addnodes.literal_emphasis(text=place[filekey])
+ if pos + 1 < len(places):
+ para += nodes.Text(", ")
+ return para
+
+
+def _format_serial_number(serial):
+ return nodes.paragraph(text="%d (0x%0x)" % (serial, serial))
+
+
+def _format_expiration_date(expiration):
+ return nodes.paragraph(text=expiration)
+
+
+def _format_fingerprint(fingerprint):
+ para = nodes.paragraph()
+ para += nodes.literal(text=fingerprint, classes=['fingerprint'])
+ return para
+
+
+def _get_cert_index_text(cert_info):
+ return "Certificate; %s" % cert_info['cn']
+
+
+def _get_formatted_keyentry(keys_info, algorithm, fptype):
+ entry = nodes.entry()
+ algkey = algorithm.lower()
+ if algkey in keys_info and fptype in keys_info[algkey]:
+ para = nodes.paragraph()
+ keyfp = nodes.literal(text=keys_info[algkey][fptype])
+ para += keyfp
+ else:
+ para = nodes.paragraph(text="-")
+ entry += para
+ return entry
def process_sslcerts(app, doctree):
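Review bot: `_sshkeys_item_key` sorts the key list by `os.path.basename(item['docname'])`, so two documents with the same basename in different directories get equal keys and their relative order falls back to processing order; `return item['docname']` (or the document title, which is what the table displays) would be unambiguous, unless dropping the directory part is deliberate. In `_file_ref_paragraph` the `for pos in range(len(places))` loop with `place = places[pos]` reads more naturally as `for pos, place in enumerate(places):`, and `if len(self.options) == 0:` in `CAcertSSHKeys.run` as `if not self.options:`. `CAcertSSLCert.run` at the top of the hunk starts outside it.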
@@ -179,8 +320,8 @@ def process_sslcerts(app, doctree):
for node in doctree.traverse(sslcertlist_node):
if hasattr(env, 'cacert_certlistdoc'):
raise SphinxError(
- "There must only be one sslcertlist directive present in "
- "the document tree.")
+ "There must be one sslcertlist directive present in "
+ "the document tree only.")
env.cacert_certlistdoc = env.docname
for node in doctree.traverse(sslcert_node):
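Review bot: The reworded message `"There must be one sslcertlist directive present in the document tree only."` is harder to parse than the removed one; "only" at the end can be read as restricting where the directive may appear rather than how many there are. `"There must be exactly one sslcertlist directive in the document tree."` says it unambiguously, and the new `process_sshkeys` in the later hunk uses the same phrasing for sshkeylist and should change with it. `process_sslcerts` starts and continues outside the hunk.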
@@ -223,7 +364,7 @@ def process_sslcerts(app, doctree):
if 'altnames' in certdata:
info['altnames'] = certdata['altnames'].copy()
indexnode = addnodes.index(entries=[
- ('single', _get_cert_index_text(info), targetnode['ids'][0],
+ ('pair', _get_cert_index_text(info), targetnode['ids'][0],
'', None)
])
@@ -246,79 +387,100 @@ def process_sslcerts(app, doctree):
item = nodes.list_item()
subbullets += item
certfile = nodes.paragraph(text="certificate in file ")
- certfile += _create_interpreted_file_node(
- certdata['certfile'], node.line)
+ certfile += addnodes.literal_emphasis(
+ text=certdata['certfile']) # , node.line)
item += certfile
item = nodes.list_item()
subbullets += item
keyfile = nodes.paragraph(text="private key in file ")
- keyfile += _create_interpreted_file_node(
- certdata['keyfile'], node.line)
+ keyfile += addnodes.literal_emphasis(text=certdata['keyfile'])
+ # keyfile += _create_interpreted_file_node(
+ # certdata['keyfile'], node.line)
item += keyfile
node.parent.replace_self([targetnode, indexnode, bullets])
- env.note_indexentries_from(env.docname, doctree)
+ # env.note_indexentries_from(env.docname, doctree)
-def _sslcert_item_key(item):
- return "%s-%d" % (item['cn'], item['serial'])
-
-
-def _build_cert_anchor_name(cn, serial):
- return 'cert_%s_%d' % (cn.replace('.', '_'), serial)
-
-
-def _format_subject_alternative_names(altnames):
- return nodes.paragraph(text = ", ".join([
- content for _, content in altnames
- ]))
-
-
-def _place_sort_key(place):
- return "%s-%d" % (place['docname'], place['lineno'])
-
-
-def _file_ref_paragraph(cert_info, filekey, app, env, docname):
- para = nodes.paragraph()
-
- places = [place for place in cert_info['places'] if place['primary']]
- places.extend(sorted([
- place for place in cert_info['places'] if not place['primary']],
- key=_place_sort_key))
-
- for pos in range(len(places)):
- place = places[pos]
- title = env.titles[place['docname']].astext().lower()
- if place['primary'] and len(places) > 1:
- reftext = nodes.strong(text=title)
- else:
- reftext = nodes.Text(title)
- para += make_refnode(
- app.builder, docname, place['docname'], place['target']['ids'][0],
- reftext)
- para += nodes.Text(":")
- para += _create_interpreted_file_node(place[filekey])
- if pos + 1 < len(places):
- para += nodes.Text(", ")
- return para
-
-
-def _format_serial_number(serial):
- return nodes.paragraph(text="%d (0x%0x)" % (serial, serial))
-
-
-def _format_expiration_date(expiration):
- return nodes.paragraph(text=expiration)
-
+def process_sshkeys(app, doctree):
+ env = app.builder.env
+ if not hasattr(env, 'cacert_sshkeys'):
+ env.cacert_sshkeys = []
-def _format_fingerprint(fingerprint):
- para = nodes.paragraph()
- para += nodes.literal(text=fingerprint, classes=['fingerprint'])
- return para
+ for _ in doctree.traverse(sshkeylist_node):
+ if hasattr(env, 'cacert_sshkeylistdoc'):
+ raise SphinxError(
+ "There must be one sshkeylist directive present in "
+ "the document tree only.")
+ env.cacert_sshkeylistdoc = env.docname
+
+ for node in doctree.traverse(sshkeys_node):
+ # find section
+ section = [s for s in traverse_parent(node, nodes.section)][0]
+ doc_keys = {'docname': env.docname, 'secid': section['ids'][0]}
+ doc_keys.update(node['keys'])
+ env.cacert_sshkeys.append(doc_keys)
+
+ secparent = section.parent
+ pos = secparent.index(section)
+ # add index node for section
+ indextitle = 'SSH host key; %s' % (
+ env.docname in env.titles and env.titles[env.docname].astext()
+ or os.path.basename(env.docname)
+ )
+ secparent.insert(pos, addnodes.index(entries=[
+ ('pair', indextitle, section['ids'][0], '', None),
+ ]))
+ # add table
+ content = []
+ table = nodes.table()
+ content.append(table)
+ cols = (1, 4)
+ tgroup = nodes.tgroup(cols=len(cols))
+ table += tgroup
+ for col in cols:
+ tgroup += nodes.colspec(colwidth=col)
+ thead = nodes.thead()
+ tgroup += thead
+ thead += create_table_row([
+ nodes.paragraph(text='Algorithm'),
+ nodes.paragraph(text='Fingerprints'),
+ ])
+ tbody = nodes.tbody()
+ tgroup += tbody
+ for alg in SUPPORTED_SSH_KEYTYPES:
+ alg_key = alg.lower()
+ if alg_key in doc_keys:
+ result = []
+ fpparagraph = nodes.paragraph()
+ for ktype in ('sha256', 'md5'):
+ if ktype in doc_keys[alg_key]:
+ result.append("{}:{}".format(
+ ktype.upper(), doc_keys[alg_key][ktype]))
+ for idx in range(len(result)):
+ fpparagraph += nodes.literal(text=result[idx])
+ if idx < len(result) - 1:
+ fpparagraph += nodes.inline(text=", ")
+ else:
+ fpparagraph = nodes.paragraph(text='-')
+ tbody += create_table_row([
+ nodes.paragraph(text=alg),
+ fpparagraph,
+ ])
+ # add pending_xref for link to ssh key list
+ seealso = addnodes.seealso()
+ content.append(seealso)
+ detailref = addnodes.pending_xref(
+ reftype='sshkeyref', refdoc=env.docname, refid='sshkeylist',
+ reftarget='sshkeylist'
+ )
+ detailref += nodes.Text("SSH host key list")
+ seepara = nodes.paragraph()
+ seepara += detailref
+ seealso += seepara
-def _get_cert_index_text(cert_info):
- return "Certificate; %s" % cert_info['cn']
+ node.replace_self(content)
def process_sslcert_nodes(app, doctree, docname):
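Review bot: The hunk leaves commented-out code behind — `# , node.line)` on the `literal_emphasis` line, the two `# keyfile += _create_interpreted_file_node(` lines, and `# env.note_indexentries_from(env.docname, doctree)` (repeated in `process_sslcert_nodes` in the later hunk); if the calls were dropped because they are no longer needed or available, a one-line comment saying so is more useful than the dead lines, and otherwise they should be deleted. In `process_sshkeys`, `env.docname in env.titles and env.titles[env.docname].astext() or os.path.basename(env.docname)` is the `cond and a or b` idiom, which silently falls through to the basename when the title text is empty; `env.titles[env.docname].astext() if env.docname in env.titles else os.path.basename(env.docname)` states the intent directly. `[s for s in traverse_parent(node, nodes.section)][0]` builds a list only to take its first element and raises a bare `IndexError` if no section is found; `next(traverse_parent(node, nodes.section))` is the same lookup without the list. The `process_sslcerts` body at the top of the hunk starts outside it.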
@@ -348,7 +510,7 @@ def process_sslcert_nodes(app, doctree, docname):
)
cert_sec += nodes.title(text=cert_info['cn'])
indexnode = addnodes.index(entries=[
- ('single', _get_cert_index_text(cert_info),
+ ('pair', _get_cert_index_text(cert_info),
cert_sec['ids'][0], '', None),
])
content.append(indexnode)
@@ -397,22 +559,112 @@ def process_sslcert_nodes(app, doctree, docname):
content.append(cert_sec)
node.replace_self(content)
- env.note_indexentries_from(docname, doctree)
+ # env.note_indexentries_from(docname, doctree)
+
+
+def process_sshkeys_nodes(app, doctree, docname):
+ env = app.builder.env
+
+ if not hasattr(env, 'cacert_sshkeys'):
+ env.cacert_sslcerts = []
+
+ for node in doctree.traverse(sshkeylist_node):
+ content = [nodes.target(ids=['sshkeylist'])]
+
+ if len(env.cacert_sshkeys) > 0:
+ table = nodes.table()
+ content.append(table)
+ tgroup = nodes.tgroup(cols=4)
+ tgroup += nodes.colspec(colwidth=1)
+ tgroup += nodes.colspec(colwidth=1)
+ tgroup += nodes.colspec(colwidth=2)
+ tgroup += nodes.colspec(colwidth=2)
+ table += tgroup
+
+ thead = nodes.thead()
+ row = nodes.row()
+ entry = nodes.entry()
+ entry += nodes.paragraph(text="Host")
+ row += entry
+ entry = nodes.entry(morecols=2)
+ entry += nodes.paragraph(text="SSH Host Keys")
+ row += entry
+ thead += row
+ tgroup += thead
+
+ tbody = nodes.tbody()
+ tgroup += tbody
+
+ for keys_info in sorted(env.cacert_sshkeys, key=_sshkeys_item_key):
+ trow = nodes.row()
+ entry = nodes.entry(morerows=len(SUPPORTED_SSH_KEYTYPES))
+ para = nodes.paragraph()
+ para += make_refnode(
+ app.builder, docname, keys_info['docname'],
+ keys_info['secid'],
+ nodes.Text(env.titles[keys_info['docname']].astext())
+ )
+ entry += para
+ trow += entry
+
+ entry = nodes.entry()
+ para = nodes.paragraph()
+ para += nodes.strong(text='Algorithm')
+ entry += para
+ trow += entry
+
+ entry = nodes.entry()
+ para = nodes.paragraph()
+ para += nodes.strong(text='MD5 fingerprint')
+ entry += para
+ trow += entry
+
+ entry = nodes.entry()
+ para = nodes.paragraph()
+ para += nodes.strong(text='SHA256 fingerprint')
+ entry += para
+ trow += entry
+
+ tbody += trow
+
+ for algorithm in SUPPORTED_SSH_KEYTYPES:
+ trow = nodes.row()
+
+ entry = nodes.entry()
+ entry += nodes.paragraph(text=algorithm)
+ trow += entry
+
+ trow += _get_formatted_keyentry(keys_info, algorithm, 'md5')
+ trow += _get_formatted_keyentry(keys_info, algorithm,
+ 'sha256')
+ tbody += trow
+ else:
+ content.append(nodes.paragraph(
+ text="No ssh keys have been documented.")
+ )
+
+ node.replace_self(content)
def resolve_missing_reference(app, env, node, contnode):
- if not hasattr(env, 'cacert_certlistdoc'):
- return
if node['reftype'] == 'certlistref':
- return make_refnode(
- app.builder, node['refdoc'], env.cacert_certlistdoc,
- node['refid'], contnode)
+ if hasattr(env, 'cacert_certlistdoc'):
+ return make_refnode(
+ app.builder, node['refdoc'], env.cacert_certlistdoc,
+ node['refid'], contnode)
+ raise SphinxError('No certlist directive found in the document tree')
+ if node['reftype'] == 'sshkeyref':
+ if hasattr(env, 'cacert_sshkeylistdoc'):
+ return make_refnode(
+ app.builder, node['refdoc'], env.cacert_sshkeylistdoc,
+ node['refid'], contnode)
+ raise SphinxError('No sshkeylist directive found in the document tree')
def purge_sslcerts(app, env, docname):
if (
- hasattr(env, 'cacert_certlistdoc') and
- env.cacert_certlistdoc == docname
+ hasattr(env, 'cacert_certlistdoc') and
+ env.cacert_certlistdoc == docname
):
delattr(env, 'cacert_certlistdoc')
if not hasattr(env, 'cacert_sslcerts'):
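Review bot: In `process_sshkeys_nodes` the guard `if not hasattr(env, 'cacert_sshkeys'):` initialises the wrong attribute, `env.cacert_sslcerts = []`, so a build in which the attribute was never created still reaches `len(env.cacert_sshkeys)` and fails with `AttributeError`; it should read `env.cacert_sshkeys = []`. This is probably masked in practice because `process_sshkeys` creates the attribute on `doctree-read` first, which also means the "No ssh keys have been documented." branch may never have been exercised. In `resolve_missing_reference` the `certlistref` case now raises `SphinxError` where the removed code returned `None` and let Sphinx report an unresolved reference; if aborting the build is intended, a short comment on the `raise` would make that explicit. `purge_sslcerts` continues outside the hunk.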
@@ -424,9 +676,24 @@ def purge_sslcerts(app, env, docname):
]
+def purge_sshkeys(app, env, docname):
+ if (
+ hasattr(env, 'cacert_sshkeylistdoc') and
+ env.cacert_sshkeylistdoc == docname
+ ):
+ delattr(env, 'cacert_sshkeylistdoc')
+ if not hasattr(env, 'cacert_sshkeys'):
+ return
+ env.cacert_sshkeys = [
+ keys for keys in env.cacert_sshkeys if keys['docname'] != docname
+ ]
+
+
def setup(app):
app.add_node(sslcertlist_node)
app.add_node(sslcert_node)
+ app.add_node(sshkeylist_node)
+ app.add_node(sshkeys_node)
app.add_directive('sslcert', CAcertSSLCert)
app.add_directive('sslcertlist', CAcertSSLCertList)
@@ -434,7 +701,10 @@ def setup(app):
app.add_directive('sshkeylist', CAcertSSHKeyList)
app.connect('doctree-read', process_sslcerts)
+ app.connect('doctree-read', process_sshkeys)
app.connect('doctree-resolved', process_sslcert_nodes)
+ app.connect('doctree-resolved', process_sshkeys_nodes)
app.connect('missing-reference', resolve_missing_reference)
app.connect('env-purge-doc', purge_sslcerts)
+ app.connect('env-purge-doc', purge_sshkeys)
return {'version': __version__}
diff --git a/docs/sshkeys.rst b/docs/sshkeys.rst
index b9d8ec0..07efa21 100644
--- a/docs/sshkeys.rst
+++ b/docs/sshkeys.rst
@@ -1,3 +1,5 @@
=============
SSH Host Keys
=============
+
+.. sshkeylist::
diff --git a/docs/systems.rst b/docs/systems.rst
index 69b72a6..eaedc8c 100644
--- a/docs/systems.rst
+++ b/docs/systems.rst
@@ -9,13 +9,26 @@ administrator team.
:maxdepth: 1
systems/infra02
- systems/arbitration
systems/blog
systems/board
+ systems/bugs
+ systems/cats
systems/email
systems/emailout
+ systems/git
+ systems/irc
+ systems/ircserver
+ systems/issue
+ systems/lists
+ systems/jenkins
systems/monitor
+ systems/puppet
+ systems/proxyin
+ systems/proxyout
+ systems/svn
+ systems/web
systems/webmail
+ systems/webstatic
General
diff --git a/docs/systems/arbitration.rst b/docs/systems/arbitration.rst
deleted file mode 100644
index 7558690..0000000
--- a/docs/systems/arbitration.rst
+++ /dev/null
@@ -1,298 +0,0 @@
-.. index::
- single: Systems; Arbitration
-
-===========
-Arbitration
-===========
-
-Purpose
-=======
-
-This system is planned to host a future collaboration platform for arbitrators.
-
-Application Links
------------------
-
-Arbitration nginx welcome page
- http://arbitration.cacert.org/
-
-Administration
-==============
-
-System Administration
----------------------
-
-* Primary: :ref:`people_martin`
-* Secondary: None
-
-.. todo:: find an additional admin
-
-Application Administration
---------------------------
-
-There is no application yet.
-
-.. todo:: setup application(s) and document admins
-
-Contact
--------
-
-* arbitration-admin@cacert.org
-
-Additional People
------------------
-
-:ref:`people_jandd` and :ref:`people_mario` have :program:`sudo` access on that
-machine too.
-
-Basics
-======
-
-Physical Location
------------------
-
-This system is located in an :term:`LXC` container on physical machine
-:doc:`infra02`.
-
-Logical Location
-----------------
-
-:IP Internet: :ip:v4:`213.154.225.241`
-:IP Intranet: :ip:v4:`172.16.2.241`
-:IP Internal: :ip:v4:`10.0.0.241`
-:MAC address: :mac:`00:ff:5b:e0:cd:8a` (eth0)
-
-.. seealso::
-
- See :doc:`../network`
-
-DNS
----
-
-.. index::
- single: DNS records; Arbitration
-
-============================= ======== ============================================
-Name Type Content
-============================= ======== ============================================
-arbitration.cacert.org. IN A 213.154.225.241
-arbitration.cacert.org. IN SSHFP 1 1 40D9C8EBCF8D41A04B990FBC5308675D029BF4EF
-arbitration.cacert.org. IN SSHFP 2 1 7474BFB01AF775511805BF15C45BB9D7591D0CE6
-arbitration.intra.cacert.org. IN A 172.16.2.241
-============================= ======== ============================================
-
-.. seealso::
-
- See :wiki:`SystemAdministration/Procedures/DNSChanges`
-
-Operating System
-----------------
-
-.. index::
- single: Debian GNU/Linux; Jessie
- single: Debian GNU/Linux; 8.4
-
-* Debian GNU/Linux 8.4
-
-Applicable Documentation
-------------------------
-
-This is it :-) There is nothing usable on this system yet.
-
-Services
-========
-
-Listening services
-------------------
-
-+----------+-----------+-----------+-----------------------------------------+
-| Port | Service | Origin | Purpose |
-+==========+===========+===========+=========================================+
-| 22/tcp | ssh | ANY | admin console access |
-+----------+-----------+-----------+-----------------------------------------+
-| 25/tcp | smtp | local | mail delivery to local MTA |
-+----------+-----------+-----------+-----------------------------------------+
-| 80/tcp | http | ANY | application |
-+----------+-----------+-----------+-----------------------------------------+
-| 5666/tcp | nrpe | monitor | remote monitoring service |
-+----------+-----------+-----------+-----------------------------------------+
-| 3306/tcp | mysql | local | MySQL database for ... |
-+----------+-----------+-----------+-----------------------------------------+
-| 5432/tcp | pgsql | local | PostgreSQL database for ... |
-+----------+-----------+-----------+-----------------------------------------+
-
-.. todo:: add TLS/SSL to nginx and add HTTPS port
-.. todo:: clarify whether both MySQL and PostgreSQL are used
-
-Running services
-----------------
-
-.. index::
- single: openssh
- single: nginx
- single: cron
- single: PostgreSQL
- single: MySQL
- single: Exim
- single: nrpe
-
-+--------------------+--------------------+----------------------------------------+
-| Service | Usage | Start mechanism |
-+====================+====================+========================================+
-| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
-| | remote | |
-| | administration | |
-+--------------------+--------------------+----------------------------------------+
-| nginx | Webserver for ... | init script |
-| | | :file:`/etc/init.d/nginx` |
-+--------------------+--------------------+----------------------------------------+
-| cron | job scheduler | init script :file:`/etc/init.d/cron` |
-+--------------------+--------------------+----------------------------------------+
-| PostgreSQL | PostgreSQL | init script |
-| | database server | :file:`/etc/init.d/postgresql` |
-| | for ... | |
-+--------------------+--------------------+----------------------------------------+
-| MySQL | MySQL database | init script |
-| | server for ... | :file:`/etc/init.d/mysql` |
-+--------------------+--------------------+----------------------------------------+
-| Exim | SMTP server for | init script |
-| | local mail | :file:`/etc/init.d/exim4` |
-| | submission, ... | |
-+--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring | init script |
-| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-| | :doc:`monitor` | |
-+--------------------+--------------------+----------------------------------------+
-
-Databases
----------
-
-+-------------+----------+------------------------------+
-| RDBMS | Name | Used for |
-+=============+==========+==============================+
-| MySQL | etherpad | future etherpad installation |
-+-------------+----------+------------------------------+
-
-.. todo:: setup databases
-
-.. note::
- There is a PostgreSQL server setup in this container but it contains
- no database yet.
-
-Connected Systems
------------------
-
-* :doc:`monitor`
-
-Outbound network connections
-----------------------------
-
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
-* :doc:`emailout` as SMTP relay
-* ftp.nl.debian.org as Debian mirror
-* security.debian.org for Debian security updates
-
-Security
-========
-
-SSH host keys
--------------
-
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint |
-+===========+=====================================================+
-| RSA | ``a3:6c:f1:f8:8c:81:7c:f7:3b:4e:e4:0e:a3:02:8e:18`` |
-+-----------+-----------------------------------------------------+
-| DSA | ``eb:66:0e:0d:d1:f3:d8:02:3a:ed:71:7a:b2:04:db:75`` |
-+-----------+-----------------------------------------------------+
-| ECDSA | ``54:a3:76:46:66:fc:3f:2d:9b:e4:bd:49:ba:fe:98:09`` |
-+-----------+-----------------------------------------------------+
-| ED25519 | \- |
-+-----------+-----------------------------------------------------+
-
-.. todo:: setup ED25519 host key
-
-.. seealso::
-
- See :doc:`../sshkeys`
-
-Dedicated user roles
---------------------
-
-.. If the system has some dedicated user groups besides the sudo group used for administration it should be documented here
- Regular operating system groups should not be documented
-
-.. '''Group''' || '''Purpose''' ||
- goodguys || Shell access for the good guys ||
-
-Non-distribution packages and modifications
--------------------------------------------
-
-* some experimental nmp/nodejs/etherpad things in :file:`/home/magu` not
- running yet
-
-..
- or
- * List of non-distribution packages and modifications
-
-Risk assessments on critical packages
--------------------------------------
-
-* No exposed services yet.
-
-Critical Configuration items
-============================
-
-Keys and X.509 certificates
----------------------------
-
-* No keys or certificates setup yet
-
-..
- * :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
- * :file:`/etc/apache2/ssl/<path to server key>` server key
- * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
- * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
-
-.. seealso::
-
- * :doc:`../certlist`
- * :wiki:`SystemAdministration/CertificateList`
-
-Nginx configuration
--------------------
-
-* :file:`/etc/nginx/sites/available/default` default nginx configuration
-
-Tasks
-=====
-
-Planned
--------
-
-.. todo:: Evaluate and setup a collaboration system for arbitrators.
-.. todo:: setup IPv6
-
-Changes
-=======
-
-System Future
--------------
-
-The system should be setup properly or should be removed it is not required
-anymore.
-
-Additional documentation
-========================
-
-.. add inline documentation
-
-.. seealso::
-
- * :wiki:`Exim4Configuration`
-
-References
-----------
-
-Wiki page for this system
- :wiki:`SystemAdministration/Systems/Arbitration`
diff --git a/docs/systems/blog.rst b/docs/systems/blog.rst
index 46fc16c..931f2fc 100644
--- a/docs/systems/blog.rst
+++ b/docs/systems/blog.rst
@@ -26,7 +26,7 @@ Administration
System Administration
---------------------
-* Primary: :ref:`people_martin`
+* Primary: :ref:`people_dirk`
* Secondary: None
.. todo:: find an additional admin
@@ -37,10 +37,8 @@ Application Administration
+-----------------------+-------------------------------------------------+
| Role | Users |
+=======================+=================================================+
-| Wordpress Admin | :ref:`people_abahlo`, |
-| | :ref:`people_marcus`, |
+| Wordpress Admin | :ref:`people_dirk`, |
| | :ref:`people_mario`, |
-| | :ref:`people_martin` |
+-----------------------+-------------------------------------------------+
| Wordpress Editor | PR Team, |
| | `Support`_ |
@@ -63,8 +61,9 @@ Contact
Additional People
-----------------
-:ref:`Jan Dittberner <people_jandd>` and :ref:`Mario Lipinski <people_mario>`
-have :program:`sudo` access on that machine too.
+:ref:`Jan Dittberner <people_jandd>`, :ref:`Mario Lipinski <people_mario>` and
+:ref:`Dirk Astrath <people_dirk>` have :program:`sudo` access on that machine
+too.
Basics
======
@@ -93,14 +92,20 @@ DNS
.. index::
single: DNS records; Blog
-====================== ======== ============================================
+====================== ======== ====================================================================
Name Type Content
-====================== ======== ============================================
+====================== ======== ====================================================================
blog.cacert.org. IN A 213.154.225.234
blog.cacert.org. IN SSHFP 1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8
+blog.cacert.org. IN SSHFP 1 2 3afb452ac3690cf7cd9a3332813bf7b13dbd288c7a4efbd9ab9dd4b4649ff2b6
blog.cacert.org. IN SSHFP 2 1 AAFBA94EBE5C5C45CDF5EF10D0BC31BEA4D9ECEC
+blog.cacert.org. IN SSHFP 2 2 4d4384ebd1906125ae26d2fa976596af914b4b3587f2204a0e01368a3640f680
+blog.cacert.org. IN SSHFP 3 1 8fa85a31215f10ea78fd0126d1c705c9a3662c86
+blog.cacert.org. IN SSHFP 3 2 86d330b900db9bf0a8bc9ec34b126aa8261fec9e02b123ab61c2aee0b56ae047
+blog.cacert.org. IN SSHFP 4 1 90903e8f4b35457bf41235f070adf592d7f724dd
+blog.cacert.org. IN SSHFP 4 2 f24b770c16dcb91afc9461e62e6fe63a63d413efa4794751c039ed6d5213127b
blog.intra.cacert.org. IN A 172.16.2.13
-====================== ======== ============================================
+====================== ======== ====================================================================
.. seealso::
@@ -111,9 +116,9 @@ Operating System
.. index::
single: Debian GNU/Linux; Jessie
- single: Debian GNU/Linux; 8.4
+ single: Debian GNU/Linux; 8.10
-* Debian GNU/Linux 8.4
+* Debian GNU/Linux 8.10
Applicable Documentation
------------------------
@@ -207,39 +212,23 @@ Outbound network connections
* HTTP (80/tcp) and HTTPS (443/tcp) to wordpress.org
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
-* ftp.nl.debian.org as Debian mirror
-* security.debian.org for Debian security updates
+* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs
.. _Ping-o-matic: http://rpc.pingomatic.com/
.. [#f1] http://blog.cacert.org/wp-admin/options-writing.php
-.. [#f2]
- http://blog.cacert.org/wp-admin/plugins.php?page=akismet-key-config - check
- network status
+.. [#f2] http://blog.cacert.org/wp-admin/plugins.php?page=akismet-key-config
+
+.. - check network status
Security
========
-SSH host keys
--------------
-
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint |
-+===========+=====================================================+
-| RSA | ``ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d`` |
-+-----------+-----------------------------------------------------+
-| DSA | ``c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5`` |
-+-----------+-----------------------------------------------------+
-| ECDSA | ``00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81`` |
-+-----------+-----------------------------------------------------+
-| ED25519 | \- |
-+-----------+-----------------------------------------------------+
-
-.. todo:: setup ED25519 host key
-
-.. seealso::
-
- See :doc:`../sshkeys`
+.. sshkeys::
+ :RSA: MD5:ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d
+ :DSA: MD5:c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5
+ :ECDSA: MD5:00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81
+ :ED25519: MD5:0c:fe:c7:a1:bd:e6:43:e6:70:5a:be:5a:15:4d:08:9d
Dedicated user roles
--------------------
@@ -298,8 +287,11 @@ Keys and X.509 certificates
* :wiki:`SystemAdministration/CertificateList`
-Apache configuration
---------------------
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
* :file:`/etc/apache2/cacert/blog.inc.conf`
@@ -326,6 +318,9 @@ The following RewriteRule is used to redirect old blog URLs::
RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]
+.. index::
+ pair: Wordpress; configuration
+
Wordpress configuration
-----------------------
@@ -350,7 +345,7 @@ Changes
System Future
-------------
-.. * No plans
+.. todo:: system should be upgraded to Debian 9
Additional documentation
========================
@@ -362,5 +357,5 @@ Additional documentation
References
----------
-Wiki page for this system
- :wiki:`SystemAdministration/Systems/Blog`
+Wordpress website
+ https://wordpress.org/
diff --git a/docs/systems/board.rst b/docs/systems/board.rst
index b454b27..6779ccd 100644
--- a/docs/systems/board.rst
+++ b/docs/systems/board.rst
@@ -46,8 +46,8 @@ Contact
Additional People
-----------------
-:ref:`people_jandd`, :ref:`people_mario` and :ref:`people_neo` have
-:program:`sudo` access on that machine too.
+:ref:`people_jandd` and :ref:`people_mario` have :program:`sudo` access on that
+machine too.
Basics
======
@@ -94,9 +94,9 @@ Operating System
.. index::
single: Debian GNU/Linux; Wheezy
- single: Debian GNU/Linux; 7.10
+ single: Debian GNU/Linux; 7.11
-* Debian GNU/Linux 7.10
+* Debian GNU/Linux 7.11
Applicable Documentation
------------------------
@@ -190,33 +190,18 @@ Outbound network connections
* HTTP (80/tcp) to nightly.openerp.com
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
-* ftp.nl.debian.org as Debian mirror
-* security.debian.org for Debian security updates
+* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs
Security
========
-SSH host keys
--------------
-
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint |
-+===========+=====================================================+
-| RSA | ``c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1`` |
-+-----------+-----------------------------------------------------+
-| DSA | ``f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3`` |
-+-----------+-----------------------------------------------------+
-| ECDSA | ``0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac`` |
-+-----------+-----------------------------------------------------+
-| ED25519 | \- |
-+-----------+-----------------------------------------------------+
-
-.. todo:: setup ED25519 host key
+.. sshkeys::
+ :RSA: c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1
+ :DSA: f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3
+ :ECDSA: 0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac
-.. seealso::
-
- See :doc:`../sshkeys`
+.. todo:: setup ED25519 host key (needs update to Jessie)
Non-distribution packages and modifications
-------------------------------------------
@@ -226,6 +211,8 @@ http://nightly.openerp.com/7.0/nightly/deb/. The package source is disabled in
:file:`/etc/apt/sources.lists.d/openerp.list` to avoid accidential updates that
cause damage to the customization.
+.. todo:: update to Odoo (OpenERP successor)
+
Local modifications to OpenERP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -308,7 +295,10 @@ Keys and X.509 certificates
* :wiki:`SystemAdministration/CertificateList`
-Apache configuration files
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
--------------------------
* :file:`/etc/apache2/conf.d/openerp-httpd.conf`
@@ -327,11 +317,18 @@ Apache configuration files
Defines the authorized users based on the DN in their client certificate
+.. index::
+ single: cron; CRL
+ single: CRL
+
CRL update job
--------------
:file:`/etc/cron.hourly/update-crls`
+.. index::
+ pair: OpenERP; configuration
+
OpenERP configuration
---------------------
@@ -358,7 +355,7 @@ Changes
System Future
-------------
-.. todo:: system should be updated to Debian 8
+.. todo:: system should be updated to Debian 8/9
Additional documentation
========================
@@ -370,5 +367,5 @@ Additional documentation
References
----------
-Wiki page for this system
- :wiki:`SystemAdministration/Systems/Board`
+OpenERP 7.0 documentation
+ https://doc.odoo.com/
diff --git a/docs/systems/bugs.rst b/docs/systems/bugs.rst
new file mode 100644
index 0000000..558fc39
--- /dev/null
+++ b/docs/systems/bugs.rst
@@ -0,0 +1,359 @@
+.. index::
+ single: Systems; Bugs
+
+====
+Bugs
+====
+
+Purpose
+=======
+
+This system provides the public bug tracker for the CAcert community.
+
+Application Links
+-----------------
+
+Bugtracker
+ https://bugs.cacert.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_neo`
+* Secondary: :ref:`people_jandd`
+* Secondary: :ref:`people_dirk`
+
+Application Administration
+--------------------------
+
++----------------------+--------------------------------------------+
+| Application | Administrator(s) |
++======================+============================================+
+| Mantis Administrator | :ref:`people_neo`, :ref:`people_mario`, |
+| | :ref:`people_dirk`, :ref:`people_jandd`, |
+| | :ref:`people_ted`, :ref:`people_philipp` |
++----------------------+--------------------------------------------+
+| Mantis Manager | |
++----------------------+--------------------------------------------+
+
+Contact
+-------
+
+* bugs-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` and :ref:`people_dirk` have :program:`sudo` access on that
+machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.232`
+:IP Intranet: :ip:v4:`172.16.2.16`
+:IP Internal: :ip:v4:`10.0.0.16`
+:MAC address: :mac:`00:ff:fe:13:14:7a` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Bugs
+
+======================== ======== ====================================================================
+Name Type Content
+======================== ======== ====================================================================
+bugs.cacert.org. IN A 213.154.225.232
+bugs.cacert.org. IN SSHFP 1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8
+bugs.cacert.org IN SSHFP 1 2 51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a
+bugs.cacert.org. IN SSHFP 2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2
+bugs.cacert.org IN SSHFP 2 2 7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892
+bugs.cacert.org IN SSHFP 3 1 72737bd1240b446c2b8e0aad0acff889e3b72ec7
+bugs.cacert.org IN SSHFP 3 2 152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44
+bugs.cacert.org IN SSHFP 4 1 bb6b5f8599c3a93383392b80cc029a0d65ffc7f1
+bugs.cacert.org IN SSHFP 4 2 caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15
+bugs.intra.cacert.org. IN A 172.16.2.16
+======================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.3
+
+* Debian GNU/Linux 9.3
+
+Applicable Documentation
+------------------------
+
+That's it
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+--------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+--------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+--------------------------------+
+| 80/tcp | http | ANY | web server for bug tracker |
++----------+---------+---------+--------------------------------+
+| 443/tcp | https | ANY | web server for bug tracker |
++----------+---------+---------+--------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+--------------------------------+
+| 3306/tcp | mysql | local | MySQL database for bug tracker |
++----------+---------+---------+--------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: MySQL
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for bug | init script |
+| | tracker | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for bug | :file:`/etc/init.d/mysql` |
+| | tracker | |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
+.. index::
+ pair: MySQL database; mantis
+
++-------+--------+--------------------+
+| RDBMS | Name | Used for |
++=======+========+====================+
+| MySQL | mantis | Mantis bug tracker |
++-------+--------+--------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* crl.cacert.org (rsync) for getting CRLs
+* HTTP (80/tcp) to :doc:`git`
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:UfECWISdEZTygt6w2pcAkBZCPV8LKKAFalUcTzjChwo MD5:59:41:a6:da:9f:64:87:85:76:6f:ad:d5:5f:a8:50:45
+ :DSA: SHA256:djKopA8VNKOvo8Yw0GIGLdI8ex/ST8UYM02Cz6SXeJI MD5:17:ef:36:49:60:6e:bb:36:fd:ef:d9:77:90:59:00:a9
+ :ECDSA: SHA256:FS/J+NfXKXmEZ1fbf6QzvT9jQM0NzrzOXWgeYNxGykQ MD5:a2:ee:46:14:c0:31:53:2a:b3:d1:34:82:02:df:ab:bc
+ :ED25519: SHA256:yqUuTF3ezF7hRKoraWUQGWH/fnUYBjtDkI0TPxzfbhU MD5:54:67:22:bf:2d:ae:35:1f:fd:13:98:ee:af:3a:f3:07
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+.. index::
+ pair: non-distribution package; Mantis
+
+* Mantis installed in /srv/mantis (linked to /srv/mantisbt-2.4.2)
+* custom built `certificate authentication`-plugin by :ref:`people_dirk`
+ https://github.com/dastrath/CertificateAuthentication_Mantis
+* For client certificate authentication a Class-3 client certificate issued by
+ CAcert is needed, 1st email-adress in certificate has to match email-adress in
+ account
+
+.. _mantis: https://www.mantisbt.org/
+
+Risk assessments on critical packages
+-------------------------------------
+
+Mantis as a PHP application is vulnerable to common PHP problems. The system
+has to be kept up-to-date with OS patches. The custom built mantis package has
+to be updated when new releases are provided upstream.
+
+Administrators for this system should subscribe to the
+mantisbt-announce@lists.sourceforge.net list to get notified when updates are
+released.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: bugs.cacert.org
+ :certfile: /etc/ssl/public/bugs.c.o.20160314.crt
+ :keyfile: /etc/ssl/private/bugs.c.o.20160314.key
+ :serial: 028A72
+ :expiration: Mar 14 13:12:13 2018 GMT
+ :sha1fp: 4D:1F:14:B2:BB:C8:59:68:D0:CF:86:36:DA:2F:B2:58:A7:90:E5:85
+ :issuer: CAcert.org Class 3 Root
+
+* :file:`/etc/ssl/public/bugs.c.o.20160314.crt.chain` contains the server
+ certificate and the Class 3 CA certificate
+
+* :file:`/etc/mantis/config_inc.php` contains the database settings for Mantis
+
+.. index::
+ pair: Mantis; configuration
+
+Mantis configuration
+--------------------
+
+The Mantis bug tracker configuration is stored in the directory
+:file:`/etc/mantis/`.
+
+* :file:`config_local.php` the main configuration file, including custom bug states
+* :file:`custom_constants_inc.php` defines custom constants. Required for the
+ non-default bug states
+* :file:`custom_strings_inc.php` defines custom string definitions. Required
+ for the non-default bug states
+
+.. note::
+
+ Localisation for these could go here but currently I would avoid that so all
+ developers have the same vocabulary.
+
+ -- :ref:`people_neo` 2011-07-04 02:44:45
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
+changed to add some additional headers to improve client security:
+
+.. literalinclude:: ../configdiff/bugs/apache/bugs-apache-config.diff
+ :language: diff
+
+The :index:`Mantis VirtualHost <pair: bugs.cacert.org; VirtualHost>` is
+configured in :file:`/etc/apache2/sites-available/mantis` (shared
+configuration) that includes configuration from the mantis package provided
+:file:`/etc/apache2/conf.d/mantis` file,
+:file:`/etc/apache2/sites-available/mantis-nossl.conf` (HTTP VirtualHost) and
+:file:`/etc/apache2/sites-available/mantis-ssl.conf` (HTTPS VirtualHost).
+
+.. index::
+ pair: MySQL; configuration
+
+MySQL configuration
+-------------------
+
+MySQL configuration is stored in the :file:`/etc/mysql/` directory.
+
+.. index::
+ pair: rsyslog; configuration
+
+Rsyslog configuration
+---------------------
+
+Rsyslog has been configured to disable draining the kernel log:
+
+.. code-block:: diff
+
+ --- orig/etc/rsyslog.conf 2015-12-14 13:34:27.000000000 +0100
+ +++ bugs/etc/rsyslog.conf 2015-03-03 22:22:44.385835152 +0100
+ @@ -9,7 +9,7 @@
+ #################
+
+ $ModLoad imuxsock # provides support for local system logging
+ -$ModLoad imklog # provides kernel logging support
+ +#$ModLoad imklog # provides kernel logging support
+ #$ModLoad immark # provides --MARK-- message capability
+
+ # provides UDP syslog reception
+
+The :program:`postfix` package installed :file:`/etc/rsyslog.d/postfix.conf` to
+add an additional logging socket in the Postfix chroot.
+
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: setup IPv6
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Mantis Bugtracker documentation
+ https://www.mantisbt.org/documentation.php
+Apache httpd documentation
+ https://httpd.apache.org/docs/2.4/
diff --git a/docs/systems/cats.rst b/docs/systems/cats.rst
new file mode 100644
index 0000000..5b6e5dd
--- /dev/null
+++ b/docs/systems/cats.rst
@@ -0,0 +1,380 @@
+.. index::
+ single: Systems; CATS
+
+====
+CATS
+====
+
+Purpose
+=======
+
+This system provides the CAcert Assurer Training System (CATS), which is used
+to perform the Assurer Challenge.
+
+Application Links
+-----------------
+
+CATS
+ https://cats.cacert.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_ted`
+* Secondary: :ref:`people_jandd`
+
+Application Administration
+--------------------------
+
++-------------+-------------------+
+| Application | Administrator(s) |
++=============+===================+
+| CATS | :ref:`people_ted` |
++-------------+-------------------+
+
+Contact
+-------
+
+* cats-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` and :ref:`people_wytze` have :program:`sudo` access on that
+machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.243`
+:IP Intranet: :ip:v4:`172.16.2.27`
+:IP Internal: :ip:v4:`10.0.0.27`
+:MAC address: :mac:`00:ff:53:2d:a0:65` (interfacename)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; CATS
+
+====================== ======== ====================================================================
+Name Type Content
+====================== ======== ====================================================================
+cats.cacert.org. IN A 213.154.225.243
+cats.cacert.org. IN SSHFP 1 1 D29D4CC4662D5CB5F42C02823CA8677F05439589
+cats.cacert.org. IN SSHFP 1 2 605AF57CE0F1ECF8EEAC5C71901F1434BF65C06FC0796B932D0F10F21DDF65FE
+cats.cacert.org. IN SSHFP 2 1 0342EB1E7325EB90A1C0483DE3D6597E36E569C8
+cats.cacert.org. IN SSHFP 2 2 0835241A5B1905097C332B176FAEC92E05C690169BA125184F3FE2C9612D9718
+cats.cacert.org. IN SSHFP 3 1 CC7F9EDC6F2B9CE4A3F3953FF97C951572BA0F8C
+cats.cacert.org. IN SSHFP 3 2 1F54953C96DE0E93CD19E66CA25085D6773CEEFD3C376BE2E77C1A337CCD008D
+cats.intra.cacert.org. IN A 172.16.2.27
+====================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.11
+
+* Debian GNU/Linux 7.11
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+-----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+=============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+-----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+-----------------------------+
+| 80/tcp | http | ANY | CATS |
++----------+---------+---------+-----------------------------+
+| 443/tcp | https | ANY | CATS |
++----------+---------+---------+-----------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+-----------------------------+
+| 3306/tcp | mysql | local | MySQL database for CATS |
++----------+---------+---------+-----------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: MySQL
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for CATS | init script |
+| | | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for CATS | :file:`/etc/init.d/mysql` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
+.. index::
+ pair: MySQL database; cats_cats
+
++------------+--------------+---------------------------+
+| RDBMS | Name | Used for |
++============+==============+===========================+
+| MySQL | cats_cats | CATS database |
++------------+--------------+---------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* crl.cacert.org (rsync) for getting CRLs
+* HTTPS (443/tcp) to :doc:`secure.cacert.org <../critical/webdb>` for pushing
+ test results
+* HTTPS (443/tcp) to :doc:`svn` for subversion access
+* HTTPS (443/tcp) to `github.com <https://github.com>`_
+
+.. todo:: disable subversion access
+
+Security
+========
+
+.. sshkeys::
+ :RSA: d4:1f:0a:c9:a6:18:7a:a4:72:6b:42:5d:8e:63:44:1f
+ :DSA: 0c:0a:94:fc:99:b2:49:a2:41:3a:59:3f:dd:3d:e4:33
+ :ECDSA: bc:28:fb:72:b9:e3:cb:0f:a0:ff:d2:38:8a:ac:6d:93
+
+.. todo:: setup ED25519 host key (needs update to Jessie)
+
+Dedicated user roles
+--------------------
+
++-------+----------------------------------------------------------+
+| Group | Purpose |
++=======+==========================================================+
+| cats | The cats group is meant to maintain the CATS application |
++-------+----------------------------------------------------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+The CATS software is a custom PHP based system. The application is contained in
+:file:`/home/cats/public_html`. The current repository is at
+https://github.com/CAcertOrg/cats, historic versions are available at
+https://svn.cacert.org/CAcert/Education/CATS. `Instructions for CATS setup
+<https://github.com/CAcertOrg/cats/blob/release/INSTALL.txt>`_ can be found in
+the git repository.
+
+CATS requires client certificate authentication setup in the Apache httpd
+server.
+
+.. todo:: add a Vagrantfile to allow easy CATS testing setups
+
+
+Risk assessments on critical packages
+-------------------------------------
+
+CATS as a PHP application is vulnerable to common PHP problems. The system
+has to be kept up-to-date with OS patches.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+The server certificate for the CATS web application.
+
+.. sslcert:: cats.cacert.org
+ :certfile: /home/cats/ssl/certs/cats_cert.pem
+ :keyfile: /home/cats/ssl/private/cats_privatekey.pem
+ :serial: 11E840
+ :expiration: Mar 31 18:11:48 2018 GMT
+ :sha1fp: 9B:9B:C5:8B:26:51:3A:CF:C1:11:7A:27:24:DB:DD:CF:AF:C3:61:C4
+ :issuer: CAcert.org Class 1 Root
+
+.. _cats_client_cert:
+
+Client certificate for pushing results to secure.cacert.org.
+
+.. sslcert:: cats@cacert.org
+ :altnames: EMAIL:cats@cacert.org
+ :certfile: /home/cats/private/cert_201605.pem
+ :keyfile: /home/cats/private/key_201605.pem
+ :serial: 0266AE
+ :expiration: May 7 21:14:39 2016 GMT
+ :sha1fp: F9:8D:DC:67:68:30:5D:46:84:DE:77:F1:70:1A:E1:F7:9C:F4:DC:9A
+ :issuer: CAcert Class 3 Root
+
+.. todo:: move certificates to :file:`/etc/ssl/public` and keys to
+ :file:`/etc/ssl/private`
+
+* :file:`/usr/share/ca-certificates/cacert.org/cacert.org.crt` CAcert.org Class
+ 1 and Class 3 CA certificates (allowed CA certificates for client certificates
+ and certificate chain for server certificate)
+* :file:`/home/cats/public_html/education.txt` is a symbolic link pointing to
+ the most current client certificate issued to the education@cacert.org
+ address.
+
+.. index::
+ pair: CATS; configuration
+
+CATS configuration
+------------------
+
+CATS configuration is stored in files in
+:file:`/home/cats/public_html/index.php` (roughly based on
+:file:`index.php.template` from git) and
+:file:`/home/cats/public_html/includes/db_connect.inc`.
+
+.. todo:: move CATS configuration to :file:`/etc/`
+.. todo:: refactor CATS to not store configuration in the PHP session
+
+CATS uses two cronjobs in the cats user's crontab::
+
+ # m h dom mon dow command
+ MAILTO=bernhard@cacert.org
+ */5 * * * * /home/cats/tools/do_upload
+ # Reduced upload rate during problems...
+ #0 * * * * /home/cats/tools/do_upload
+ 35 4 * * * /home/cats/tools/do_backup
+
+The :file:`do_upload` job uses the client :ref:`certificate for cats@cacert.org
+<cats_client_cert>` to authenticate to secure.cacert.org.
+
+The :file:`do_backup` job creates a backup of the *cats_cats* MySQL database.
+The backups are rotated (9 copies are kept) and encrypted to PGP keys of
+:ref:`people_ted` and :ref:`people_philipp`. The job also attempts to fetch a
+database dump from http://cats1.it-sls.de/dump.gz and store it in
+:file:`/home/cats/dumps/dump.dev.gz`. This functionality is broken.
+
+.. todo:: either fix fetching from the test system or remove this functionality
+.. todo:: use :file:`/etc/cron.d` instead of user specific crontab
+.. todo:: put the scripts in :file:`/home/cats/tools/` into git
+
+.. seealso::
+
+ Instructions for `CATS translation
+ <https://wiki.cacert.org/Brain/Study/EducationTraining/CATSTranslation>`_
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
+modified to improve TLS settings and define an HTTP and an HTTPS VirtualHost
+for cats.cacert.org.
+
+.. literalinclude:: ../configdiff/cats/apache/cats-apache-config.diff
+ :language: diff
+
+.. index::
+ pair: logrotate; configuration
+
+logrotate configuration
+-----------------------
+
+CATS specific Apache httpd logfiles are rotated by logrotate. The rotation is
+controlled by a separate configuration in :file:`/etc/logrotate.d/cats`:
+
+.. literalinclude:: ../configdiff/cats/logrotate/cats
+
+.. index::
+ pair: MySQL; configuration
+
+MySQL configuration
+-------------------
+
+MySQL configuration is stored in the :file:`/etc/mysql/` directory.
+
+.. index::
+ pair: Postfix; configuration
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: update to Debian Jessie
+.. todo:: setup IPv6
+.. todo:: setup CRL checks
+
+Changes
+=======
+
+System Future
+-------------
+
+.. todo:: system should be updated to Debian 8/9
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+PHP documentation
+ https://secure.php.net/manual/en/
diff --git a/docs/systems/email.rst b/docs/systems/email.rst
index 1c801aa..197a9b9 100644
--- a/docs/systems/email.rst
+++ b/docs/systems/email.rst
@@ -99,37 +99,54 @@ Services
Listening services
------------------
-+----------+---------+----------------+-----------------------------------------------+
-| Port | Service | Origin | Purpose |
-+==========+=========+================+===============================================+
-| 22/tcp | ssh | ANY | admin console access |
-+----------+---------+----------------+-----------------------------------------------+
-| 25/tcp | smtp | ANY | mail receiver for cacert.org |
-+----------+---------+----------------+-----------------------------------------------+
-| 110/tcp | pop3 | ANY | POP3 access for cacert.org mail addresses |
-+----------+---------+----------------+-----------------------------------------------+
-| 143/tcp | imap | ANY | IMAP access for cacert.org mail addresses |
-+----------+---------+----------------+-----------------------------------------------+
-| 465/tcp | smtps | ANY | SMTPS for cacert.org mail addresses |
-+----------+---------+----------------+-----------------------------------------------+
-| 587/tcp | smtp | ANY | mail submission for cacert.org mail addresses |
-+----------+---------+----------------+-----------------------------------------------+
-| 993/tcp | imaps | ANY | IMAPS access for cacert.org mail addresses |
-+----------+---------+----------------+-----------------------------------------------+
-| 995/tcp | pop3s | ANY | POP3S access for cacert.org mail addresses |
-+----------+---------+----------------+-----------------------------------------------+
-| 2000/tcp | sieve | ANY | Sieve access for cacert.org mail addresses |
-+----------+---------+----------------+-----------------------------------------------+
-| 2001/tcp | sieve | :doc:`webmail` | Sieve access for cacert.org mail |
-| | | | addresses without TLS, accessible from |
-| | | | ``172.16.2.20`` only |
-+----------+---------+----------------+-----------------------------------------------+
-| 3306/tcp | mysql | local | MySQL database server |
-+----------+---------+----------------+-----------------------------------------------+
-| 4433/tcp | http | internal | Apache httpd with phpmyadmin |
-+----------+---------+----------------+-----------------------------------------------+
-| 5666/tcp | nrpe | monitor | remote monitoring service |
-+----------+---------+----------------+-----------------------------------------------+
++----------+---------+----------------+----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+================+========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+----------------+----------------------------------------+
+| 25/tcp | smtp | ANY | mail receiver for cacert.org |
++----------+---------+----------------+----------------------------------------+
+| 110/tcp | pop3 | ANY | POP3 access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 143/tcp | imap | ANY | IMAP access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 465/tcp | smtps | ANY | SMTPS for cacert.org mail addresses |
++----------+---------+----------------+----------------------------------------+
+| 587/tcp | smtp | ANY | mail submission for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 993/tcp | imaps | ANY | IMAPS access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 995/tcp | pop3s | ANY | POP3S access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 2000/tcp | sieve | ANY | Manage sieve access for cacert.org |
+| | | | mail addresses |
++----------+---------+----------------+----------------------------------------+
+| 2001/tcp | sieve | :doc:`webmail` | Manage sieve access for cacert.org |
+| | | | mail addresses without TLS, accessible |
+| | | | from ``172.16.2.20`` only |
++----------+---------+----------------+----------------------------------------+
+| 3306/tcp | mysql | local | MySQL database server |
++----------+---------+----------------+----------------------------------------+
+| 4433/tcp | http | local | Apache httpd with phpmyadmin |
++----------+---------+----------------+----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+----------------+----------------------------------------+
+
+.. topic:: PHPMyAdmin access
+
+ Administrators can use ssh to forward the Apache httpd HTTPS port to their
+ own machine:
+
+ .. code-block:: bash
+
+ ssh -L 4433:localhost:4433 -l username email.cacert.org
+
+ and access PHPMyAdmin at https://localhost:4433/
Running services
----------------
@@ -201,42 +218,29 @@ Connected Systems
* :doc:`monitor`
* :doc:`webmail`
+* all @cacert.org address owners have access to POP3 (STARTTLS and POP3S), IMAP
+ (STARTTLS and IMAPS), SMTPS, SMTP submission (STARTTLS) and manage sieve
Outbound network connections
----------------------------
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
-* archive.debian.org as Debian mirror
+* :doc:`proxyout` as HTTP proxy for APT
* :doc:`issue` for OTRS mail
* :doc:`lists` for mailing lists
-* arbitrary internet smtp servers for outgoing mail
+* arbitrary Internet SMTP servers for outgoing mail
Security
========
-SSH host keys
--------------
-
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint |
-+===========+=====================================================+
-| RSA | ``a1:d2:17:53:6b:0f:b6:a4:14:13:46:f7:04:ef:4a:23`` |
-+-----------+-----------------------------------------------------+
-| DSA | ``f4:eb:0a:36:40:1c:55:6b:75:a2:26:34:ea:18:7e:91`` |
-+-----------+-----------------------------------------------------+
-| ECDSA | \- |
-+-----------+-----------------------------------------------------+
-| ED25519 | \- |
-+-----------+-----------------------------------------------------+
+.. sshkeys::
+ :RSA: a1:d2:17:53:6b:0f:b6:a4:14:13:46:f7:04:ef:4a:23
+ :DSA: f4:eb:0a:36:40:1c:55:6b:75:a2:26:34:ea:18:7e:91
.. warning::
The system is too old to support ECDSA or ED25519 keys.
-.. seealso::
-
- See :doc:`../sshkeys`
-
Non-distribution packages and modifications
-------------------------------------------
@@ -288,13 +292,24 @@ Postfix and IMAP with STARTTLS, IMAPS, POP3 with STARTTLS, POP3S and pysieved)
* :file:`/etc/postfix/dh_1024.pem` and :file:`/etc/postfix/dh_512.pem`
Diffie-Hellman parameter files for Postfix
+.. note::
+
+ Postfix uses the email.cacert.org certificate for client authentication if
+ requested by a target server.
+
+ .. todo::
+ check whether it makes sense to use a separate certificate for that
+ purpose
+
.. seealso::
- * :doc:`../certlist`
* :wiki:`SystemAdministration/CertificateList`
-Apache configuration
---------------------
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
:file:`/etc/apache2/sites-available/adminssl` configures a VirtualHost that
allows dedicated users to access a PHPMyAdmin instance. The allowed users are
@@ -320,11 +335,20 @@ authenticated by client certificates and are authorized by an entry in
<https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions>`_
directive in the mod_ssl reference documentation.
+.. index::
+ pair: MySQL; configuration
+
MySQL configuration
-------------------
MySQL configuration is stored in the :file:`/etc/mysql/` directory.
+.. index::
+ pair: MySQL; NSS
+ single: libnss-mysql
+
+.. _nss:
+
NSS configuration
-----------------
@@ -333,11 +357,17 @@ group and shadow via :file:`/etc/nsswitch.conf`. The queries are configured in
:file:`/etc/libnss-mysql.cfg` and the root user for reading shadow information
is configured in :file:`/etc/libnss-mysql-root.cfg`.
+.. index::
+ pair: PHPMyAdmin; configuration
+
PHPMyAdmin configuration
------------------------
PHPMyAdmin configuration is stored in the :file:`/etc/phpmyadmin/` directory.
+.. index::
+ pair: dovecot; configuration
+
Dovecot configuration
---------------------
@@ -345,6 +375,24 @@ Dovecot configuration is stored in the :file:`/etc/dovecot/` directory. The
database settings are stored in
:file:`dovecot-sql-masterpassword-webmail.conf`.
+.. index::
+ pair: dovecot; authentication
+
+.. topic:: Dovecot authentication
+
+ :file:`/etc/dovecot/dovecot.conf` refers to PAM mail. PAM mail is defined
+ :file:`/etc/pam.d/mail`. System users are defined by NSS which is a
+ combination of :file:`/etc/passwd` (for root and non-imap/pop users) and
+ :file:`/etc/libnss-mysql*` (see `nss`_).
+
+ There is a special master password so that webmail can do the authentication
+ for dovecot using certificates. This is defined in
+ :file:`/etc/dovecot/dovecot-sql-masterpassword-webmail.conf`. This special
+ password is restricted to the IP address of Community.
+
+.. index::
+ pair: Postfix; configuration
+
Postfix configuration
---------------------
@@ -377,12 +425,18 @@ following files are special for this setup:
.. todo:: remove unused transports from :file:`master.cf`
+.. index::
+ pair: pysieved; configuration
+
PySieved configuration
----------------------
-:file:`/usr/local/etc/pysieved.ini` and
-:file:`/usr/local/etc/pysieved-notls.ini`. Pysieved uses dovecot for
-authentication.
+:file:`/usr/local/etc/pysieved.ini` for regular manage sieve access and
+:file:`/usr/local/etc/pysieved-notls.ini` for use with Roundcube webmail.
+Pysieved uses dovecot for authentication.
+
+.. index::
+ pair: rsyslog; configuration
Rsyslog configuration
---------------------
@@ -396,6 +450,9 @@ non-existant remote syslog server.
.. todo:: setup remote logging when a central logging container is available
+.. index::
+ pair: xinetd; configuration
+
Xinetd configuration
--------------------
@@ -403,9 +460,74 @@ Xinetd listens on tcp ports 2000 and 2001 and spawn pysieved. Configuration for
these listeners is stored in :file:`/etc/xinetd.d/pysieved` and
:file:`/etc/xinetd.d/pysieved-notls`.
+Email storage
+-------------
+
+Mail for :samp:`{user}` is stored in :samp:`/home/{user}/Maildir`.
+
+.. todo::
+ move mail storage to a separate data volume to allow easier backup and OS
+ upgrades
+
Tasks
=====
+.. index::
+ single: add email users
+
+Adding email users
+------------------
+
+1. create user in the database table ``cacertusers.user``:
+
+ .. code-block:: bash
+
+ mysql -p cacertusers
+
+ .. code-block:: sql
+
+ INSERT INTO user (username, fullnamealias, realname, password)
+ VALUES ('user', 'user.name', 'User Name', '$1$salt$passwordhash')
+
+2. create the user's home directory and Maildir:
+
+ :samp:`install -o {user} -g {user} -m 0755 -d /home/{user}/Maildir`
+
+.. note::
+
+ * a valid password hash for the password ``secret`` is
+ ``$1$caea3837$gPafod/Do/8Jj5M9HehhM.``
+ * users can reset their password via
+ https://community.cacert.org/password.php on :doc:`webmail`
+ * use the :download:`mail template
+ <../downloads/template_new_community_mailaddress.rfc822>` to send out to a
+ user's non-cacert.org mail account and make sure to encrypt the mail to a
+ known public key of that user
+
+.. todo::
+ implement tooling to automate password salt generation and user creation
+
+Setting up mail aliases
+-----------------------
+
+There are two types of aliases.
+
+1. The first type are those that are never sent from. e.g.
+ postmaster@cacert.org. All these aliases are defined in
+ :file:`/etc/aliases`. Don't forget to run
+
+ .. code-block:: bash
+
+ postalias /etc/aliases
+
+ after any changes. Aliases for issue tracking are installed here as
+ :samp:`{issuetrackingaddress} : {issuetrackingaddress}@issue.cacert.org`.
+
+2. The second type are those aliases that are used to send email too, e.g
+ pr@cacert.org. These aliases are recorded in the aliases table on the
+ cacertusers database. The reason for this implementation is to only allow
+ the designated person to send email from this email address.
+
Planned
-------
@@ -413,6 +535,15 @@ Planned
.. todo:: setup IPv6
+.. todo::
+ throttle brute force attack attempts using fail2ban or similar mechanism
+
+.. todo::
+ consider to use LDAP to consolidate user, password and email information
+
+* there were plans for X.509 certificate authentication for mail services, but
+ there is no progress so far
+
Changes
=======
@@ -429,9 +560,15 @@ Additional documentation
.. seealso::
* :wiki:`PostfixConfiguration`
+ * :wiki:`SystemAdministration/Systems/Email` for some discussion on legal
+ implications related to mail archiving
References
----------
-Wiki page for this system
- :wiki:`SystemAdministration/Systems/Email`
+Postfix documentation
+ http://www.postfix.org/documentation.html
+Postfix Debian wiki page
+ https://wiki.debian.org/Postfix
+Dovecot 1.x wiki
+ http://wiki1.dovecot.org/FrontPage
diff --git a/docs/systems/emailout.rst b/docs/systems/emailout.rst
index a6fb000..e17ab52 100644
--- a/docs/systems/emailout.rst
+++ b/docs/systems/emailout.rst
@@ -1,5 +1,332 @@
.. index::
single: Systems; Emailout
+========
Emailout
========
+
+Purpose
+=======
+
+This system is used as outgoing mail relay for other infrastructure services.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: :ref:`people_jselzer`
+
+Contact
+-------
+
+* emailout-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` has :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.239`
+:IP Intranet: :ip:v4:`172.16.2.10` (outbound SNAT) and :ip:v4:`172.16.2.32`
+:IP Internal: :ip:v4:`10.0.0.32`
+:MAC address: :mac:`00:ff:12:01:65:02` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Emailout
+
+========================== ======== ====================================================================
+Name Type Content
+========================== ======== ====================================================================
+emailout.cacert.org. IN A 213.154.225.239
+emailout.cacert.org. IN SSHFP 1 1 1ba1ab632911e8a68a69521130120695086d858c
+emailout.cacert.org. IN SSHFP 1 2 6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055
+emailout.cacert.org. IN SSHFP 2 1 0e8888352604dbd1cc4d201bc1e985d80b9cf752
+emailout.cacert.org. IN SSHFP 2 2 a7402f014b47b805663c904dabbc9590db7d8d0f350cea6d9f63e12bc27bac0c
+emailout.cacert.org. IN SSHFP 3 1 527004f2091d2cef2c28b5f8241fc0e76307b2ba
+emailout.cacert.org. IN SSHFP 3 2 9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d
+emailout.intra.cacert.org. IN A 172.16.2.32
+========================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.3
+
+* Debian GNU/Linux 9.3
+
+Applicable Documentation
+------------------------
+
+The following packages where installed after the container setup::
+
+ apt-get install vim-nox screen aptitude git etckeeper postfix \
+ postfix-pcre opendkim opendkim-tools man-db rsyslog logrotate \
+ heirloom-mailx netcat-openbsd swaks
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | intranet | mail delivery from intranet MTAs |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: OpenDKIM
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| OpenDKIM | DKIM signing | init script |
+| | daemon | :file:`/etc/init.d/opendkim` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission, and | |
+| | mail relay for | |
+| | infrastructure | |
+| | systems | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* SMTP (25/tcp) from other infrastructure systems
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* SMTP (25/tcp) to :doc:`email`, :doc:`issue` and :doc:`lists`
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:blDVsgNABraet7oZ0/P9LEgBW+ors9XioPjPJf8DAFU MD5:56:09:89:92:af:3c:15:e4:a3:06:11:63:0e:be:b6:a2
+ :DSA: SHA256:p0AvAUtHuAVmPJBNq7yVkNt9jQ81DOptn2PhK8J7rAw MD5:6c:8d:31:c4:92:de:f0:a8:95:eb:fe:20:83:91:ca:07
+ :ECDSA: SHA256:kJTc+IYFI6g1QuxMxG+8/tOW9VJbwgLP7PQtGnBEE20 MD5:cb:3c:69:c5:a1:90:c6:8e:55:40:83:6c:10:3f:09:b4
+ :ED25519: SHA256:TOtIitF+p8jbFh/fM1fic9LqH+W+GDeUqs18S/36qKU MD5:04:ca:72:d0:21:0a:4a:8b:a5:f7:a2:2f:10:e5:3f:92
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+Postfix has a very good security reputation. The system is patched regularly.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. todo:: setup a proper certificate for incoming STARTTLS
+
+.. index::
+ pair: DKIM; Private Key
+ see: DKIM; OpenDKIM
+
+* :file:`/etc/dkim/2015.private` contains the RSA private key to be used for
+ :term:`DKIM` signing by OpenDKIM.
+
+.. index::
+ pair: DKIM; DNS
+ see: DNS; OpenDKIM
+
+* :file:`/etc/dkim/2015.txt` contains a textual DNS record representation for
+ the public component of the DKIM signing key
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Postfix; configuration
+
+Postfix configuration
+---------------------
+
+Postfix has been configured as outgoing email relay with very little changes to
+the default configuration.
+
+The mailname has been set to ``cacert.org`` in :file:`/etc/mailname`.
+
+Postfix configuration file:`/etc/postfix/main.cf` and :file:`/etc/postfix/dynamic_maps.cf` have been modified to:
+
+* set infrastructure related host and network parameters
+* allow regular expressions in maps
+* activate opportunistic TLS
+* prepare for DKIM support
+* disable local delivery
+
+.. literalinclude:: ../configdiff/emailout/postfix-main.cf
+ :language: text
+
+Emails sent to specific intranet hostnames are rewritten to their respective
+admin addresses in :file:`/etc/postfix/canonical_maps`:
+
+.. literalinclude:: ../configdiff/emailout/canonical_maps
+ :language: text
+
+Emails sent to specific cacert.org hostnames are forwarded via
+:file:`/etc/postfix/transport`:
+
+.. literalinclude:: ../configdiff/emailout/transport
+ :language: text
+
+:file:`/etc/postfix/transport` has to be rehashed if it is changed because
+Postfix uses a binary representation in :file:`/etc/postfix/transport.db`. To
+perform the rehashing and restart Postfix use::
+
+ postmap hash:/etc/postfix/transport
+ service postfix restart
+
+.. index::
+ pair: OpenDKIM; configuration
+
+OpenDKIM configuration
+----------------------
+
+.. todo::
+ enable OpenDKIM in Postfix configuration when the DNS record is in place and
+ :doc:`email` is ready for DKIM too or is configured to send mail via
+ emailout.
+
+The OpenDKIM configuration is stored in :file:`/etc/opendkim.conf`. The
+following lines have been added:
+
+.. code:: diff
+
+ --- opendkim.conf.dpkg-dist 2017-09-04 00:17:50.000000000 +0000
+ +++ opendkim.conf 2018-02-16 13:38:55.545110292 +0000
+ @@ -13,6 +13,11 @@
+ #Domain example.com
+ #KeyFile /etc/dkimkeys/dkim.key
+ #Selector 2007
+ +Domain cacert.org
+ +KeyFile /etc/dkim/2015.private
+ +Selector 2015
+ +
+ +InternalHosts /etc/dkim/internalhosts
+
+ # Commonly-used options; the commented-out versions show the defaults.
+ #Canonicalization simple
+ @@ -31,7 +36,7 @@
+ # ## local:/path/to/socket to listen on a UNIX domain socket
+ #
+ #Socket inet:8892@localhost
+ -Socket local:/var/run/opendkim/opendkim.sock
+ +Socket local:/var/spool/postfix/opendkim/opendkim.sock
+
+ ## PidFile filename
+ ### default (none)
+
+The key has been generated with::
+
+ mkdir /etc/dkim
+ cd /etc/dkim
+ opendkim-genkey -d cacert.org -s 2015
+
+Internal networks have been defined in :file:`/etc/dkim/internalhosts` as::
+
+ 127.0.0.1
+ 10.0.0.0/24
+ 172.16.2.0/24
+
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: setup IPv6
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Postfix documentation
+ http://www.postfix.org/documentation.html
+Postfix Debian wiki page
+ https://wiki.debian.org/Postfix
+OpenDKIM documentation
+ http://www.opendkim.org/docs.html
diff --git a/docs/systems/git.rst b/docs/systems/git.rst
new file mode 100644
index 0000000..93e21ef
--- /dev/null
+++ b/docs/systems/git.rst
@@ -0,0 +1,374 @@
+.. index::
+ single: Systems; Git
+
+===
+Git
+===
+
+Purpose
+=======
+
+`Git`_ server for the :wiki:`Software` development and :wiki:`System
+Administration <SystemAdministration/Team>` teams.
+
+.. _Git: https://www.git-scm.com/
+
+Application Links
+-----------------
+
+Gitweb
+ http://git.cacert.org/gitweb/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++-------------+---------------------+
+| Application | Administrator(s) |
++=============+=====================+
+| Git | :ref:`people_jandd` |
++-------------+---------------------+
+| Gitweb | :ref:`people_jandd` |
++-------------+---------------------+
+
+Contact
+-------
+
+* git-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` and :ref:`people_neo` have :program:`sudo` access on that
+machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.250`
+:IP Intranet: :ip:v4:`172.16.2.250`
+:IP Internal: :ip:v4:`10.0.0.250`
+:MAC address: :mac:`00:ff:2e:b0:4b:1b` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Git
+
+===================== ======== ============================================
+Name Type Content
+===================== ======== ============================================
+git.cacert.org. IN A 213.154.225.250
+git.cacert.org. IN SSHFP 1 1 23C7622D6DB5822C809152C1C0FD9EA7838F76C6
+git.cacert.org. IN SSHFP 1 2 DABBE1766C7933071C4E6942A1DFC72C26D9D867D8DEE84BEDA210C8EF9EA2C5
+git.cacert.org. IN SSHFP 2 1 8509DB491902FE10AB84C8F24B02F10C1ADF0E7F
+git.cacert.org. IN SSHFP 2 2 00C20C26B6B9A026BBB11B5C45CBEC5D3AB44A039DC0F097CAD88374D3567D01
+git.cacert.org. IN SSHFP 3 1 60DE5788BD83ABC7F315B667F634BDA5DA8502ED
+git.cacert.org. IN SSHFP 3 2 132BD98483440124F6B8117148B02A66645477F53C18F974E4DECB32A7495644
+git.cacert.org. IN SSHFP 4 1 13D611007B43D073CF4D89784510398116623EB7
+git.cacert.org. IN SSHFP 4 2 40A61A25488FE01C056EAAFF703EF0FF9C6B01BEE00580A91B95741DFAA59751
+git.intra.cacert.org. IN A 172.16.2.250
+===================== ======== ============================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.3
+
+* Debian GNU/Linux 9.3
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+-----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+=============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+-----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+-----------------------------+
+| 80/tcp | http | ANY | application |
++----------+---------+---------+-----------------------------+
+| 443/tcp | https | ANY | application |
++----------+---------+---------+-----------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+-----------------------------+
+| 9418/tcp | git | ANY | Git daemon port |
++----------+---------+---------+-----------------------------+
+
+.. todo:: disable insecure git-daemon port and http for git, replace these with
+ https for read access and git+ssh for write access
+
+Running services
+----------------
+
+.. index::
+ single: Apache httpd
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+ single: git-daemon
+
++--------------------+---------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+=====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+---------------------+----------------------------------------+
+| Apache httpd | Webserver for | init script |
+| | gitweb | :file:`/etc/init.d/apache2` |
+| | | |
++--------------------+---------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+---------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+---------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+---------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+---------------------+----------------------------------------+
+| runit | service supervision | :file:`/etc/inittab` entry |
+| | for git-daemon | |
++--------------------+---------------------+----------------------------------------+
+| git-daemon | Daemon for native | runit service description in |
+| | Git protocol | :file:`/etc/sv/git-daemon/run` |
+| | access | |
++--------------------+---------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`jenkins` for git repository access
+
+Outbound network connections
+----------------------------
+
+* crl.cacert.org (rsync) for getting CRLs
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* :doc:`jenkins` for triggering web hooks
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:2rvhdmx5MwccTmlCod/HLCbZ2GfY3uhL7aIQyO+eosU MD5:b6:85:16:ad:57:a1:45:3c:33:e5:f1:64:04:0d:7a:ab
+ :DSA: SHA256:AMIMJra5oCa7sRtcRcvsXTq0SgOdwPCXytiDdNNWfQE MD5:27:e5:f3:95:b8:4e:73:48:b5:f2:28:8f:32:5a:96:70
+ :ECDSA: SHA256:EyvZhINEAST2uBFxSLAqZmRUd/U8GPl05N7LMqdJVkQ MD5:b2:f4:80:77:98:95:46:17:7a:9e:7d:73:65:6e:f4:9c
+ :ED25519: SHA256:QKYaJUiP4BwFbqr/cD7w/5xrAb7gBYCpG5V0Hfqll1E MD5:38:6b:90:f7:8b:c7:b2:cf:cd:86:29:5c:e4:03:fa:35
+
+Dedicated user roles
+--------------------
+
++-----------------+----------------------------------------------------+
+| Group | Purpose |
++=================+====================================================+
+| git-birdshack | access to :wiki:`BirdShack` git repositories |
++-----------------+----------------------------------------------------+
+| softass | Software assessors |
++-----------------+----------------------------------------------------+
+| git-boardvoting | access to board voting git repository |
++-----------------+----------------------------------------------------+
+| git-rccrtauth | access to Roundcube certificate authentication git |
+| | repository |
++-----------------+----------------------------------------------------+
+| git-infra | access to infrastructure git repositories |
++-----------------+----------------------------------------------------+
+
+.. todo:: think about regulating git access by a proper git repository manager
+ like gitolite or gitea
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+Gitweb has been modified to use https for `Gravatar`_ lookups:
+
+.. code-block:: diff
+
+ --- gitweb.cgi 2014-02-06 14:01:48.696730208 +0000
+ +++ /usr/share/gitweb/gitweb.cgi 2014-02-06 14:03:52.933721422 +0000
+ @@ -2064,7 +2064,7 @@
+ my $email = lc shift;
+ my $size = shift;
+ $avatar_cache{$email} ||=
+ - "http://www.gravatar.com/avatar/" .
+ + "https://secure.gravatar.com/avatar/" .
+ Digest::MD5::md5_hex($email) . "?s=";
+ return $avatar_cache{$email} . $size;
+ }
+
+.. _Gravatar: http://www.gravatar.com/
+
+
+Risk assessments on critical packages
+-------------------------------------
+
+The package git-daemon-run exposes the git native protocol which is prone to
+man in the middle attacks that could hand out modified code to users. There are
+alternatives (ssh, https) and git-daemon support should be disabled.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: git.cacert.org
+ :altnames: DNS:git.cacert.org
+ :certfile: /etc/ssl/public/git.c.o.chain.crt
+ :keyfile: /etc/ssl/private/git.c.o.key
+ :serial: 11E84D
+ :expiration: Mar 31 20:07:57 18 GMT
+ :sha1fp: B8:F9:FF:4E:F3:F6:45:A9:44:7D:8A:1E:F5:D7:28:24:74:ED:48:46
+ :issuer: CA Cert Signing Authority
+
+The :file:`/etc/ssl/public/git.c.o.chain.crt` contains the CAcert.org Class 1
+certificate too.
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index:: Git repositories
+
+Git repositories
+----------------
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+Apache httpd serves the gitweb interface via http and https. The http
+VirtualHost redirects all traffic to https. The following changes have been
+applied to the Debian package's Apache httpd configuration:
+
+.. literalinclude:: ../configdiff/git/git-apache-config.diff
+ :language: diff
+
+.. index::
+ pair: Gitweb; configuration
+
+Gitweb configuration
+--------------------
+
+Gitweb is configured in :file:`/etc/gitweb.conf` which has the following
+changes to the version contained in the distribution package:
+
+.. literalinclude:: ../configdiff/git/gitweb.conf.diff
+ :language: diff
+
+.. index::
+ pair: runit; configuration
+ pair: git-daemon; configuration
+
+git-daemon configuration
+------------------------
+
+The git-daemon is started by runit. The configuration is stored in
+:file:`/etc/sv/git-daemon/run` and has the following changes to the version
+contained in the distribution package git-daemon-run:
+
+.. literalinclude:: ../configdiff/git/git-daemon-run.diff
+ :language: diff
+
+The runit service handling is triggered through :file:`/etc/inittab`.
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: enable IPv6
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+Adding a git repository
+-----------------------
+
+The git repositories are stored in :file:`/var/cache/git/`. To create a new
+repository use:
+
+.. code-block:: shell
+
+ cd /var/cache/git/
+ git init --bare --shared=group <reponame.git>
+ chgrp -R <groupname> <reponame.git>
+
+The gitweb index is built from all repositories that contain a file
+:file:`git-daemon-export-ok`. You should also put a description in the
+repository's :file:`description` file and set the repository owner via:
+
+.. code-block:: shell
+
+ cd <reponame.git>
+ git config gitweb.owner "Owner information"
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Apache httpd documentation
+ http://httpd.apache.org/docs/2.4/
diff --git a/docs/systems/infra02.rst b/docs/systems/infra02.rst
index 76cc3b9..fe6f0c0 100644
--- a/docs/systems/infra02.rst
+++ b/docs/systems/infra02.rst
@@ -117,9 +117,9 @@ Operating System
.. index::
single: Debian GNU/Linux; Wheezy
- single: Debian GNU/Linux; 7.10
+ single: Debian GNU/Linux; 7.11
-* Debian GNU/Linux 7.10
+* Debian GNU/Linux 7.11
Applicable Documentation
------------------------
@@ -203,27 +203,11 @@ Outbound network connections
Security
========
-SSH host keys
--------------
-
-.. index::
- single: SSH host keys; Infra02
-
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint |
-+===========+=====================================================+
-| RSA | ``86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c`` |
-+-----------+-----------------------------------------------------+
-| DSA | ``b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5`` |
-+-----------+-----------------------------------------------------+
-| ECDSA | ``79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0`` |
-+-----------+-----------------------------------------------------+
-| ED25519 | ``25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4`` |
-+-----------+-----------------------------------------------------+
-
-.. seealso::
-
- See :doc:`../sshkeys`
+.. sshkeys::
+ :RSA: 86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c
+ :DSA: b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5
+ :ECDSA: 79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0
+ :ED25519: 25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4
Dedictated user roles
---------------------
@@ -268,7 +252,8 @@ System Future
Critical Configuration items
============================
-.. index:: Ferm
+.. index::
+ pair: Ferm; configuration
Ferm firewall configuration
---------------------------
@@ -276,6 +261,9 @@ Ferm firewall configuration
The `Ferm`_ based firewall setup is located in :file:`/etc/ferm` and its
subdirectories.
+.. index::
+ pair: LXC; configuration
+
Container configuration
-----------------------
@@ -295,5 +283,9 @@ Additional documentation
References
----------
-Wiki page for this system
- :wiki:`SystemAdministration/Systems/Infra02`
+Ferm documentation
+ http://ferm.foo-projects.org/download/2.3/ferm.html
+Ferm Debian Wiki page
+ https://wiki.debian.org/ferm
+LXC Debian Wiki page
+ https://wiki.debian.org/LXC
diff --git a/docs/systems/irc.rst b/docs/systems/irc.rst
new file mode 100644
index 0000000..14f78d1
--- /dev/null
+++ b/docs/systems/irc.rst
@@ -0,0 +1,366 @@
+.. index::
+ single: Systems; Irc
+
+===
+IRC
+===
+
+Purpose
+=======
+
+This system provides the CAcert IRC service for private communications,
+allowing usage of CAcert-secured SSL-Encrypted IRC traffic for our everyday
+chat, meetings, and general support.
+
+Application Links
+-----------------
+
+https://irc.cacert.org/
+ HTTPS secured Web based IRC access
+
+http://irc.cacert.org/
+ HTTP fallback for Web based IRC access
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: None
+* Secondary: :ref:`people_mario`, :ref:`people_jandd`
+
+Application Administration
+--------------------------
+
++--------------+------------------+
+| Application | Administrator(s) |
++==============+==================+
+| IRC server | None |
++--------------+------------------+
+| IRC services | None |
++--------------+------------------+
+| IRC webchat | None |
++--------------+------------------+
+
+.. todo::
+ find an administrator willing to properly setup/maintain IRC applications
+ and push the migration to :doc:`ircserver`.
+
+Contact
+-------
+
+* irc-admin@cacert.org
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.233`
+:IP Intranet: :ip:v4:`172.16.2.14`
+:IP Internal: :ip:v4:`10.0.0.14`
+:MAC address: :mac:`00:ff:8d:45:01:a4` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Irc
+
+======================= ======== ==========================================
+Name Type Content
+======================= ======== ==========================================
+irc.cacert.org. IN A 213.154.225.233
+irc.cacert.org. IN SSHFP 1 1 C123F73001682277DE5346923518D17CC94E298E
+irc.cacert.org. IN SSHFP 2 1 B85941C077732F78BE290B8F0B44B0A5E8A0E51D
+irc.intra.cacert.org. IN A 172.16.2.14
+======================= ======== ==========================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.11
+
+* Debian GNU/Linux 7.11
+
+Applicable Documentation
+------------------------
+
+:wiki:`Technology/TechnicalSupport/EndUserSupport/IRC`
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+--------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+======================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+--------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+--------------------------------------+
+| 80/tcp | http | ANY | IRC webchat |
++----------+---------+---------+--------------------------------------+
+| 443/tcp | https | ANY | IRC webchat |
++----------+---------+---------+--------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+--------------------------------------+
+| 6667/tcp | ircd | ANY | IRC |
++----------+---------+---------+--------------------------------------+
+| 6668/tcp | ircd | ANY | IRC [#f1]_ |
++----------+---------+---------+--------------------------------------+
+| 7000/tcp | ircd | ANY | IRC |
++----------+---------+---------+--------------------------------------+
+
+ircd opens a random UDP port for some reason.
+
+.. [#f1] Not forwarded from :doc:`infra02` to container
+
+.. todo:: find out what the UDP port is used for
+
+Running services
+----------------
+
+.. index::
+ single: Postfix
+ single: cron
+ single: lighttpd
+ single: nrpe
+ single: openssh
+ single: oftc-hybrid-ircd
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| lighttpd | Webserver for | init script |
+| | IRC webchat | :file:`/etc/init.d/lighttpd` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| OFTC Hybrid IRCD | IRC server | start script |
+| | | :file:`/home/ircserver/ircd/bin/ircd` |
+| | | started manually |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+
+Security
+========
+
+.. sshkeys::
+ :RSA: 6e:7c:14:4b:a3:fe:8c:88:1b:d0:e8:3c:93:9c:33:2f
+ :DSA: e7:92:a5:80:49:a9:fe:d3:57:11:1d:ca:b8:0f:c0:44
+ :ECDSA: c5:6a:f5:cc:be:a5:94:03:b8:32:d0:97:ef:26:ac:35
+
+Dedicated user roles
+--------------------
+
++-----------+--------------+
+| Group | Purpose |
++===========+==============+
+| ircserver | IRC daemon |
++-----------+--------------+
+| services | IRC services |
++-----------+--------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+.. index::
+ pair: non-distribution; oftc-ircd
+
+OFTC Hybrid IRC daemon
+......................
+
+* The IRC server runs as a self compiled `OFTC Hybrid
+ <http://www.oftc.net/CodingProjects/#ircd>`_ from upstream's `GitHub
+ repository <https://github.com/oftc/oftc-hybrid>`_ at revision
+ 1435aa49a8b20d6ed816f53518ae5f22d0579cc4 (tag: oftc-hybrid-1.6.15).
+* The configured source code is available in
+ :file:`/home/ircserver/oftc-hybrid/`
+* The installed ircd is in :file:`/home/ircserver/ircd/`
+* The used configure options are contained in
+ :file:`/home/ircserver/configline`
+
+The IRC server is linked against system shared libraries and may not work
+anymore if these are updated to ABI incompatible versions.
+
+This is the listed of linked libraries as of 2014-10-24::
+
+ $ ldd ircd/bin/ircd
+ linux-gate.so.1 => (0xf7714000)
+ libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xf7709000)
+ libcrypt.so.1 => /lib/i386-linux-gnu/i686/cmov/libcrypt.so.1 (0xf76d7000)
+ libssl.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libssl.so.1.0.0 (0xf767d000)
+ libcrypto.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libcrypto.so.1.0.0 (0xf74bf000)
+ libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xf735a000)
+ /lib/ld-linux.so.2 (0xf7715000)
+ libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xf7341000)
+
+OFTC IRC services
+.................
+
+* The IRC services where self compiled `OFTC Services
+ <http://www.oftc.net/CodingProjects/#services>`_ from upstreams `release
+ tarballs <http://www.oftc.net/releases/oftc-ircservices/>`_ unfortunatelly
+ recompilation on the current Debian system does not produce a working binary.
+* The configured source code is available at
+ :file:`/home/services/oftc-services-1.5.8/`
+* The installed disfunctional IRC services are installed in
+ :file:`/home/services/services`
+* The used configure options are contained in :file:`/home/services/configline`
+
+.. warning::
+ There are no services running currently because loading the PostgreSQL
+ driver leads to a segmentation fault in the compiled binaries. PostgreSQL
+ has been uninstalled and the ircservices database has been backed up to
+ :file:`/home/ircserver/archive/pg_ircservices_dump-20180216-143937.sql.gz`.
+
+IRC Webchat
+...........
+
+* The used Web based IRC software is a self compiled `CGI:IRC
+ <http://cgiirc.sourceforge.net/>`_ version 0.5.9
+* The Web based IRC software is contained in :file:`/var/cgi/`
+
+Risk assessments on critical packages
+-------------------------------------
+
+The self compiled binaries of OFTC Hybrid ircd, OFTC Services and IRC webchat
+are not updated regularly. There is no administrator with good enough knowledge
+for these applications to properly maintain these.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: irc.cacert.org
+ :altnames: DNS:cert.irc.cacert.org, DNS:irc.cacert.org, DNS:nocert.irc.cacert.org
+ :certfile: /home/ircserver/ssl/cert2048.pem
+ :keyfile: /home/ircserver/ssl/rsa2048.key
+ :serial: 1375A2
+ :expiration: Feb 19 12:06:05 20 GMT
+ :sha1fp: 92:CA:56:74:C5:3B:C9:1E:A9:61:08:59:BE:B4:04:3D:AC:A0:F1:6A
+ :issuer: CA Cert Signing Authority
+
+.. sslcert:: irc.cacert.org
+ :certfile: /etc/lighttpd/ssl/server.pem
+ :keyfile: /etc/lighttpd/ssl/server.pem
+ :serial: 1375A2
+ :secondary:
+
+The :file:`/etc/lighttpd/ssl/server.pem` is a combined key and certificate file
+for lighttpd.
+
+.. index::
+ pair: lighttpd; configuration
+
+lighttpd configuration
+----------------------
+
+* :file:`/etc/lighttpd/lighttpd.conf` main configuration file
+* :file:`/etc/lighttpd/conf-enabled/10-cgi.conf` CGI path configuration
+* :file:`/etc/lighttpd/conf-enabled/10-ssl.conf` TLS configuration
+* :file:`/etc/lighttpd/conf-enabled/10-redirect-http.conf` redirect from http to
+ https
+
+Configure CGI and TLS support for lighttpd. CGI requests go to /var/cgi
+containing the CGI IRC client. Request to configuration and source code is
+restricted.
+
+.. index::
+ pair: oftc-hybrid-ircd; configuration
+ pair: ircd; configuration
+
+oftc-hybrid-ircd configuration
+------------------------------
+
+* :file:`/home/ircserver/ircd/etc/ircd.conf` main IRC server configuration,
+ defining settings, ports and TLS settings
+
+.. todo:: add more details
+
+.. todo::
+ there are a lot of ops users defined in :file:`ircd.conf` check whether
+ these are still valid
+
+.. index::
+ pair: IRC webchat; configuration
+
+IRC webchat configuration
+-------------------------
+
+* :file:`/var/cgi/cgiirc.config`
+
+The configuration defines the connection to the ircd and some defaults for the
+client like default user names and channel.
+
+Changes
+=======
+
+System Future
+-------------
+
+This system should be retired and replaced with the new :doc:`ircserver` that
+should be running packaged and properly supported software.
+
+.. note::
+
+ Current Debian releases contain packaged versions of some ircd/irc services
+ combinations:
+
+ * `ircd-hybrid <https://packages.debian.org/jessie/ircd-hybrid>`_ similar
+ to the current software
+ * `charybdis <https://packages.debian.org/jessie/charybdis>`_ with
+ `atheme-services <https://packages.debian.org/jessie/atheme-services>`_
+ (compatible with ircd-hybrid too)
+ * `ircd-ratbox <https://packages.debian.org/jessie/ircd-ratbox>`_ with
+ `ratbox-services
+ <https://packages.debian.org/jessie/ratbox-services-pgsql>`_ used by
+ EFNet
+
+ CGI:IRC has been removed from Debian because it had no active maintainer.
diff --git a/docs/systems/ircserver.rst b/docs/systems/ircserver.rst
new file mode 100644
index 0000000..d94b684
--- /dev/null
+++ b/docs/systems/ircserver.rst
@@ -0,0 +1,376 @@
+.. index::
+ single: Systems; Ircserver
+
+=========
+Ircserver
+=========
+
+Purpose
+=======
+
+This system is the planned replacement for :doc:`irc`.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++--------------+---------------------+
+| Application | Administrator(s) |
++==============+=====================+
+| IRC server | :ref:`people_jandd` |
++--------------+---------------------+
+| IRC services | :ref:`people_jandd` |
++--------------+---------------------+
+| Votebot | :ref:`people_jandd` |
++--------------+---------------------+
+
+Contact
+-------
+
+* irc-admin@cacert.org
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.233`
+:IP Intranet: :ip:v4:`172.16.2.24`
+:IP Internal: :ip:v4:`10.0.0.130`
+:MAC address: :mac:`00:ff:9a:79:ca:b1` (eth0)
+
+.. todo:: setup IPv6
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Ircserver
+ single: DNS records; Irc
+
+======================= ======== ==========================================
+Name Type Content
+======================= ======== ==========================================
+irc.cacert.org. IN A 213.154.225.233
+irc.cacert.org. IN SSHFP 1 1 C123F73001682277DE5346923518D17CC94E298E
+irc.cacert.org. IN SSHFP 2 1 B85941C077732F78BE290B8F0B44B0A5E8A0E51D
+irc.intra.cacert.org. IN A 172.16.2.14
+======================= ======== ==========================================
+
+.. todo:: setup new SSHFP records
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.3
+
+* Debian GNU/Linux 9.3
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+--------------+---------+----------------------------+
+| Port | Service | Origin | Purpose |
++==========+==============+=========+============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+--------------+---------+----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+--------------+---------+----------------------------+
+| 80/tcp | http | ANY | redirect to https |
++----------+--------------+---------+----------------------------+
+| 443/tcp | https | ANY | reverse proxy for kiwiirc |
++----------+--------------+---------+----------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+--------------+---------+----------------------------+
+| 6667/tcp | ircd | ANY | IRC |
++----------+--------------+---------+----------------------------+
+| 7000/tcp | ircd | ANY | IRC (SSL) |
++----------+--------------+---------+----------------------------+
+| 7001/tcp | ircd | local | IRC (services) |
++----------+--------------+---------+----------------------------+
+| 7778/tcp | kiwiirc | local | kiwiirc process |
++----------+--------------+---------+----------------------------+
+| 8080/tcp | irc-services | ANY | IRC services |
++----------+--------------+---------+----------------------------+
+
+irc opens a random UDP port.
+
+The following port forwarding is setup on :doc:`infra02`
+
++-------------+-------+-----------------+
+| Intranet IP | Port | Target |
++=============+=======+=================+
+| 172.16.2.14 | 13022 | 10.0.0.130:22 |
++-------------+-------+-----------------+
+| 172.16.2.14 | 13080 | 10.0.0.130:80 |
++-------------+-------+-----------------+
+| 172.16.2.14 | 13443 | 10.0.0.130:443 |
++-------------+-------+-----------------+
+| 172.16.2.14 | 13667 | 10.0.0.130:6667 |
++-------------+-------+-----------------+
+| 172.16.2.14 | 13700 | 10.0.0.130:7000 |
++-------------+-------+-----------------+
+
+.. todo:: implement final forwarding to required ports from :doc:`infra02`
+
+Running services
+----------------
+
+.. index::
+ single: cron
+ single: exim
+ single: nrpe
+ single: openssh
+ single: inspircd
+ single: atheme-services
+ single: votebot
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+| inspircd | IRC daemon | init script |
+| | | :file:`/etc/init.d/inspircd` |
++--------------------+--------------------+----------------------------------------+
+| atheme-services | IRC services | init script |
+| | | :file:`/etc/init.d/atheme-services` |
++--------------------+--------------------+----------------------------------------+
+| kiwiirc | IRC web client | start script |
+| | | :file:`/home/kiwiirc/KiwiIRC/kiwi` |
+| | | started by user kiwiirc |
++--------------------+--------------------+----------------------------------------+
+| nginx | Reverse proxy for | init script |
+| | kiwiirc | :file:`/etc/init.d/nginx` |
++--------------------+--------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:MMH85BKVW7SUe7yyWjldjlggQD7dtXRuzO1XjZf0ZWc MD5:dc:8f:c3:d7:38:72:39:13:6f:97:db:3d:06:c6:83:db
+ :DSA: SHA256:c0pnKaB313x5rw6PRRh/iMJdfNECw0ruHnU9lkTJZbw MD5:52:73:d9:76:38:df:bd:18:37:4a:e3:9d:65:14:ac:39
+ :ECDSA: SHA256:uI+JjNUlGytuMVouJmhzdHt80jfA+SRYkWr5OORpT5Y MD5:61:9f:ca:c7:05:0e:46:a1:8f:6d:7f:3a:68:ce:5a:21
+ :ED25519: SHA256:aNRLwh0FVQyKq2IWO5JXyFubzwpMqxyWrSymdLgDYBw MD5:79:2a:a2:ca:99:23:50:2c:1c:48:cf:8c:fe:b9:51:e5
+
+Dedicated user roles
+--------------------
+
++---------+-------------------------------------+
+| User | Purpose |
++=========+=====================================+
+| votebot | used to run the votebot |
++---------+-------------------------------------+
+| kiwiirc | used to run the Kiwi IRC web client |
++---------+-------------------------------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+Votebot
+~~~~~~~
+
+The :ref:`Votebot <votebot>` is a custom developed IRC daemon that is packaged
+as a self contained Java jar archive. The bot is started manually as described
+above. For improved maintainability it should be packaged and provide a start
+mechanism that is better integrated with the system.
+
+.. _votebot:
+
+.. topic:: Votebot
+
+ The vote bot is a Java based IRC bot developed at
+ https://github.com/CAcertOrg/cacert-votebot. The bot is started manually by
+ running
+
+ .. code-block:: bash
+
+ java -DvoteBot.meetingChn=SGM -cp VoteBot.jar \
+ de.dogcraft.irc.CAcertVoteBot -u -h 10.0.0.14 -p 6667 --nick VoteBot
+
+.. todo:: use a CAcert git repository for votebot
+
+.. todo:: package votebot for Debian
+
+.. todo:: provide a proper init script/and or systemd unit for votebot
+
+
+Kiwi IRC
+~~~~~~~~
+
+Kiwi IRC is a nodejs based IRC web client. The software has been installed via
+`Github <https://github.com/prawnsalad/KiwiIRC.git>`_ and npm as described in
+https://kiwiirc.com/docs/installing and
+https://kiwiirc.com/docs/installing/proxies. The software is running on the
+local loopback interface and Internet access is provided by an nginx reverse
+proxy that also provides https connectivity. NodeJS and npm have been installed
+from Debian packages.
+
+Risk assessments on critical packages
+-------------------------------------
+
+Votebot is a Java based application and therefore Java security patches should
+be applied as soon as they become available.
+
+Kiwi IRC is nodejs based and uses some third party npm packages. The
+application is kept behind a reverse proxy but it is advisable to make sure
+that available updates are applied.
+
+.. todo:: implement some update monitoring for Kiwi IRC
+
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: irc.cacert.org
+ :altnames: DNS:irc.cacert.org, DNS:ircserver.cacert.org
+ :certfile: /etc/ssl/public/irc.cacert.org.crt
+ :keyfile: /etc/ssl/private/irc.cacert.org.key
+ :serial: 0FBBE0
+ :expiration: Oct 22 15:27:04 16 GMT
+ :sha1fp: 82:F7:B8:08:FB:FD:C3:FA:21:6C:89:B7:07:69:3D:66:F8:BC:5F:AA
+ :issuer: CA Cert Signing Authority
+
+
+.. index::
+ pair: inspircd; configuration
+
+inspircd configuration
+----------------------
+
+Inspircd is installed from a Debian package. It is configured via files in
+:file:`/etc/inspircd/`. The main configuration file is :file:`inspircd.conf`.
+
+.. index::
+ pair: atheme-services; configuration
+
+atheme-services configuration
+-----------------------------
+
+Atheme-services is installed from a Debian package. It is configured via
+:file:`/etc/atheme/atheme.conf`.
+
+Kiwi IRC configuration
+----------------------
+
+Kiwi IRC configuration is kept in :file:`/home/kiwiirc/KiwiIRC/config.js`. When
+the configuration is changed it can be applied by running:
+
+.. code-block:: bash
+
+ sudo -s -u kiwi
+ cd ~/KiwiIRC
+ ./kiwi reconfig
+
+nginx configuration
+-------------------
+
+The nginx configuration for reverse proxying Kiwi IRC is stored in
+:file:`/etc/nginx/sites-available/default`. The same certificate and private
+key are used for inspirced and nginx.
+
+
+Tasks
+=====
+
+Planned
+-------
+
+- setup IPv6
+- setup DNS records
+
+Changes
+=======
+
+System Future
+-------------
+
+- replace :doc:`irc` by this system
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+ * :wiki:`Technology/TechnicalSupport/EndUserSupport/IRC`
+
+References
+----------
+
+Atheme services website
+ https://atheme.github.io/atheme.html
+
+Inspircd wiki
+ https://wiki.inspircd.org/
+
+Kiwi IRC documentation
+ https://kiwiirc.com/docs/
+
+nginx documentation
+ http://nginx.org/en/docs/
diff --git a/docs/systems/issue.rst b/docs/systems/issue.rst
new file mode 100644
index 0000000..fbda9e2
--- /dev/null
+++ b/docs/systems/issue.rst
@@ -0,0 +1,382 @@
+.. index::
+ single: Systems; Issue
+
+=====
+Issue
+=====
+
+Purpose
+=======
+
+The purpose of the issue server is to serve the issue tracking system,
+implemented with _`OTRS <https://www.otrs.com/>` used by :wiki:`Triage` and
+:wiki:`Support` for handling requests going to the support@cacert.org mail
+address. Usage for other teams e.g. Arbitration (currently used occasionally),
+Organisation Assurance is planned in future.
+
+Application Links
+-----------------
+
+OTRS URL
+ https://issue.cacert.org/
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_mario`
+* Secondary: :ref:`people_neo`
+
+Application Administration
+--------------------------
+
++-------------+----------------------+
+| Application | Administrator(s) |
++=============+======================+
+| OTRS | :ref:`people_mario`, |
+| | :ref:`people_nick`, |
+| | :ref:`people_ian`, |
+| | :ref:`people_neo` |
++-------------+----------------------+
+
+Contact
+-------
+
+* issue-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_jandd` and :ref:`people_dirk` have :program:`sudo` access on that
+machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.244`
+:IP Intranet: :ip:v4:`172.16.2.28`
+:IP Internal: :ip:v4:`10.0.0.28`
+:MAC address: :mac:`00:ff:8c:94:e1:c8` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Issue
+
+======================= ======== ============================================
+Name Type Content
+======================= ======== ============================================
+issue.cacert.org. IN A 213.154.225.244
+issue.intra.cacert.org. IN A 172.16.2.28
+issue.cacert.org. IN SSHFP 2 1 FD9A5C79C4A9057B87AE8E639FD223B386AF4BDB
+issue.cacert.org. IN SSHFP 1 1 3F55E52B51D142EF9D15EEAA9CA25B3AA30C7C6E
+======================= ======== ============================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.11
+
+* Debian GNU/Linux 7.11
+
+.. todo:: upgrade to Debian Jessie
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+----------+--------------------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+==========+==================================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+----------+--------------------------------------------------+
+| 25/tcp | smtp | localnet | local mail pickup in order to send out |
+| | | | notifications via |
+| | | | :doc:`emailout`, incoming mail from :doc:`email` |
++----------+---------+----------+--------------------------------------------------+
+| 80/tcp | http | ANY | HTTP access to issue, redirects to HTTPS |
++----------+---------+----------+--------------------------------------------------+
+| 443/tcp | https | ANY | HTTPS access to issue |
++----------+---------+----------+--------------------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+----------+--------------------------------------------------+
+| 3306/tcp | mysql | local | MySQL database for OTRS |
++----------+---------+----------+--------------------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: MySQL
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+
++--------------------+-----------------------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+===================================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+-----------------------------------+----------------------------------------+
+| Apache httpd | Webserver for OTRS | init script |
+| | | :file:`/etc/init.d/apache2` |
++--------------------+-----------------------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+-----------------------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+-----------------------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for OTRS | :file:`/etc/init.d/mysql` |
++--------------------+-----------------------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission and for receiving mail | |
+| | directed to OTRS addresses | |
++--------------------+-----------------------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+-----------------------------------+----------------------------------------+
+
+Databases
+---------
+
++-------+------+-------------------+
+| RDBMS | Name | Used for |
++=======+======+===================+
+| MySQL | otrs | database for OTRS |
++-------+------+-------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`email`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`email` as SMTP submission relay (587, tcp) for specific addresses (see
+ :ref:`postfix_configuration` below)
+* :doc:`proxyout` as HTTP proxy for APT
+* crl.cacert.org (rsync) for getting CRLs
+
+Security
+========
+
+.. add the MD5 fingerprints of the SSH host keys
+
+.. sshkeys::
+ :RSA: 61:32:04:12:e3:4f:0b:b7:14:2d:d1:8f:82:b2:c7:47
+ :DSA: a8:57:20:2f:09:a2:f3:d6:24:7a:29:35:2f:28:5e:4e
+ :ECDSA: f1:a9:da:27:1a:ef:a8:67:51:d1:b4:e2:b7:83:c8:82
+
+.. todo:: setup ED25519 host key
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+:program:`OTRS` is installed from Debian packages but has been patched. The
+OTRS packages must not be updated from Debian packages without reapplying the
+patch.
+
+:file:`/usr/share/otrs/Kernel/Output/HTML/Layout.pm`
+
+.. literalinclude:: ../patches/otrs/Layout.pm.patch
+ :language: diff
+
+Risk assessments on critical packages
+-------------------------------------
+
+Patching OTRS implies the danger of delayed security updates. The package is
+set on hold via :command:`echo otrs hold | dpkg --set-selections` and must be
+updated explicitly. OTRS 3.1 is not supported by upstream anymore.
+
+The used Apache httpd has a good reputation. OTRS is integrated into Apache
+httpd via mod_perl2.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+The following certificate and its corresponding private key is used by Apache
+httpd and Postfix:
+
+.. sslcert:: issue.cacert.org
+ :altnames: DNS:issue.cacert.org
+ :certfile: /etc/ssl/certs/issue.cacert.org.pem
+ :keyfile: /etc/ssl/private/issue.cacert.org.key
+ :serial: 11E87C
+ :expiration: Mar 31 20:51:43 18 GMT
+ :sha1fp: 03:78:A8:C2:2C:53:00:29:41:A2:94:34:3D:3B:53:F2:43:2E:1E:03
+ :issuer: CA Cert Signing Authority
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+Apache httpd configuration
+--------------------------
+
+* :file:`/etc/apache2/sites-available/default`
+
+ HTTP virtualhost configuration that redirects to HTTPS
+
+* :file:`/etc/apache2/sites-available/default-ssl`
+
+ HTTPS virtualhost configuration, /cgi-bin/ is aliased to /usr/lib/cgi-bin/
+ which contains a symbolic link to the OTRS CGIs
+
+OTRS configuration
+------------------
+
+* :file:`/etc/otrs/`
+
+ OTRS configuration
+
+* :file:`/etc/otrs/database.pm`
+
+ OTRS's database configuration
+
+
+.. _postfix_configuration:
+
+Postfix configuration
+---------------------
+
+* :file:`/etc/postfix`
+
+ Postfix configuration
+
+* :file:`/etc/postfix/sender_relay`
+
+ Defines a list of sender addresses that are relayed via :doc:`email`
+
+* :file:`/etc/postfix/sender_rewrite`
+
+ Configures rewriting of all but a short list of addresses to
+ returns@cacert.org
+
+Tasks
+=====
+
+Planned
+-------
+
+Ideas
+-----
+
+* The system should be upgraded to a newer Debian release.
+
+* Deployment
+
+ * implement access for other teams
+
+* OTRS
+
+ * change to CAcert corporate design (low priority)
+ * should be updated to a newer release that is supported by upstream
+
+* Monitoring
+
+ * create a list of services to monitor
+
+* Configuration management
+
+ * Implement :wiki:`SystemAdministration/Procedures/OperatingSystemPatches`,
+ see also
+ https://lists.cacert.org/wws/arc/cacert-sysadm/2009-08/msg00007.html
+
+* X.509 Authentication
+
+* Use centralised logging
+
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+Creating new OTRS user accounts
+-------------------------------
+
+* Go to Admin -> Users -> Add
+* Fill out user details
+
+ * Use a securely random generated password (min. 12 chars, mixed of capital-
+ non-capital letters, numbers and special chars), send it to the user via
+ encrypted mail (also include URL of the issue tracking system, username and
+ some initial instructions or a link to documentation if available)
+ * Use CAcert email addresses only
+
+* Set the preferences for the user. Good standards are:
+
+ * Show tickets: 25
+ * New ticket notification: Yes (or No for high volume queues having agents regulary looking at
+ * Follow up notification: Yes
+ * Ticket lock timeout notification: Yes
+ * Move notification: Yes (or No if the queues for the user get many new tickets)
+ * Spelling Dictionary: English
+
+* Submit
+* Do NOT set any groups for the user.
+* Go to Admin -> Users -> Roles <-> Users
+* Choose the newly created user
+* Set the roles the user has
+* Submit
+* Now you are done :)
+
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+* http://doc.otrs.com/doc/manual/admin/3.2/en/html/index.html
diff --git a/docs/systems/lists.rst b/docs/systems/lists.rst
new file mode 100644
index 0000000..a33b3e2
--- /dev/null
+++ b/docs/systems/lists.rst
@@ -0,0 +1,412 @@
+.. index::
+ single: Systems; Lists
+
+=====
+Lists
+=====
+
+Purpose
+=======
+
+The system provides mailing list services under the lists.cacert.org hostname.
+
+Application Links
+-----------------
+
+* Mailing list management and archives
+
+ https://lists.cacert.org/
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_mario`
+* Secondary: :ref:`people_jandd`
+
+Application Administration
+--------------------------
+
++--------------+---------------------------------------------+
+| Application | Administrator(s) |
++==============+=============================================+
+| Sympa | :ref:`people_jandd`, :ref:`people_mario`, |
+| | :ref:`people_ulrich`, :ref:`people_philipp` |
++--------------+---------------------------------------------+
+
+Contact
+-------
+
+* email-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_jselzer` has :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.231`
+:IP Intranet: :ip:v4:`172.16.2.17`
+:IP Internal: :ip:v4:`10.0.0.17`
+:MAC address: :mac:`00:ff:d0:13:9a:22` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Lists
+
+=================================== ======== ============================================
+Name Type Content
+=================================== ======== ============================================
+lists.cacert.org. IN A 213.154.225.231
+lists.cacert.org. IN MX 10 email.cacert.org.
+lists.cacert.org. IN SSHFP 1 1 87F75B9124326B566ED22DCF65A9740EEDE8F0FF
+lists.cacert.org. IN SSHFP 2 1 8D79E68E731ED72667F3D286C477245DF653083B
+lists.cacert.org. IN TXT "v=spf1 ip4:213.154.225.231 -all"
+cert.lists.cacert.org. IN CNAME lists.cacert.org.
+nocert.lists.cacert.org. IN CNAME lists.cacert.org.
+lists.intra.cacert.org. IN A 172.16.2.17
+17.2.16.172.in-addr.arpa IN PTR lists.intra.cacert.org.
+231.225.154.213.in-addr.arpa IN CNAME 231.224-27.225.154.213.in-addr.arpa.
+231.224-27.225.154.213.in-addr.arpa IN PTR lists.cacert.org.
+=================================== ======== ============================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.11
+
+* Debian GNU/Linux 7.11
+
+Applicable Documentation
+------------------------
+
+This is the administration documentation.
+
+.. seealso::
+
+ :wiki:`EmailListOverview` for user documentation
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+-----------+-------------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=================+=====================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+-----------+-------------------------------------------+
+| 25/tcp | smtp | monitor, | mail delivery to local MTA/sympa |
+| | | email | |
++----------+---------+-----------+-------------------------------------------+
+| 80/tcp | http | ANY | redirect to https |
++----------+---------+-----------+-------------------------------------------+
+| 443/tcp | https | ANY | Sympa mailing list manager and archive |
++----------+---------+-----------+-------------------------------------------+
+| 4433/tcp | https | LOCAL | phpmyadmin access via ssh port forwarding |
++----------+---------+-----------+-------------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+-----------+-------------------------------------------+
+| 3306/tcp | mysql | local | MySQL database for Sympa |
++----------+---------+-----------+-------------------------------------------+
+
+.. topic:: PHPMyAdmin access
+
+ Administrators can use ssh to forward the Apache httpd port 4433 to their
+ own machine:
+
+ .. code-block:: bash
+
+ ssh -L 4433:localhost:4433 -l username lists.cacert.org
+
+ and access PHPMyAdmin at https://localhost:4433/phpmyadmin
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: MySQL
+ single: Postfix
+ single: Sympa
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+
++--------------------+---------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+=====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+---------------------+----------------------------------------+
+| Apache httpd | Webserver for Sympa | init script |
+| | | :file:`/etc/init.d/apache2` |
++--------------------+---------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+---------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+---------------------+----------------------------------------+
+| MySQL | MySQL database | init script |
+| | server for Sympa | :file:`/etc/init.d/mysql` |
++--------------------+---------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission and | |
+| | incoming list mail | |
++--------------------+---------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+---------------------+----------------------------------------+
+| Sympa mailing list | mail list handling | init script |
+| services | | :file:`/etc/init.d/sympa` |
++--------------------+---------------------+----------------------------------------+
+
+Databases
+---------
+
++-------------+-------+-------------------------------+
+| RDBMS | Name | Used for |
++=============+=======+===============================+
+| MySQL | sympa | Sympa mailing list management |
++-------------+-------+-------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`email`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`proxyout` as HTTP proxy for APT
+* arbitrary Internet SMTP servers for delivery of list mails
+
+Security
+========
+
+.. sshkeys::
+ :RSA: MD5:9a:64:3d:ab:38:91:90:88:2b:73:cb:05:8c:56:f9:c9
+ :DSA: MD5:dd:ab:a6:c2:29:91:e9:81:fa:29:3c:f7:88:76:1f:f6
+ :ECDSA: MD5:3c:8d:f2:a7:e8:75:1c:9a:11:13:11:2a:58:aa:9b:d1
+
+.. todo:: setup ED25519 host key (needs update to Jessie)
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+Apache httpd, Postfix and Sympa have a good security track record. Apache httpd
+is configured with the minimum of required modules. PHPMyAdmin is only reachable
+via ssh port forwarding.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+Server certificate for Apache httpd for Sympa and phpmyadmin and Postfix:
+
+.. sslcert:: lists.cacert.org
+ :altnames: DNS:cert.lists.cacert.org, DNS:lists.cacert.org, DNS:nocert.lists.cacert.org
+ :certfile: /etc/ssl/certs/ssl-cert-lists-cacert-multialtname.pem
+ :keyfile: /etc/ssl/private/ssl-cert-lists-cacert-multialtname.pem
+ :serial: 11E87F
+ :expiration: Mar 31 21:00:36 18 GMT
+ :sha1fp: 6B:EE:7B:51:4A:E9:E7:E3:EF:C8:63:6D:51:97:F7:DC:BF:F1:4A:C9
+ :issuer: CA Cert Signing Authority
+
+* :file:`/usr/share/ca-certificates/cacert.org/cacert.org.crt`
+ CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for
+ client certificates)
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+Apache httpd configuration
+--------------------------
+
+* :file:`/etc/apache2/sites-available/000-default.conf`
+
+ default HTTP VirtualHost configuration that redirects to
+ https://lists.cacert.org/
+
+* :file:`/etc/apache2/sites-available/sympa-include.conf`
+
+ common configuration for the three Sympa VirtualHost definitions
+
+* :file:`/etc/apache2/sites-available/lists.cacert.org.conf`
+
+ HTTPS VirtualHost configuration for https://lists.cacert.org/ that supports
+ optional client certificate authentication
+
+* :file:`/etc/apache2/sites-available/cert.lists.cacert.org.conf`
+
+ HTTPS VirtualHost configuration for https://cert.lists.cacert.org/ that
+ requires client certificate authentication
+
+* :file:`/etc/apache2/sites-available/nocert.lists.cacert.org.conf`
+
+ HTTPS VirtualHost configuration for https://nocert.lists.cacert.org/ that
+ does not support client certificates
+
+* :file:`/etc/apache2/sites-available/localhost_4433_phpmyadmin.conf`
+
+ HTTPS VirtualHost configuration for https://localhost:4433/phpmyadmin
+
+Sympa configuration
+-------------------
+
+Sympa configuration is stored in :file:`/etc/sympa/`.
+
+* :file:`/etc/sympa/aliases`
+
+ generated by Sympa and included in Postfix's :file:`/etc/postfix/main.cf`.
+ The file contains alias definitions that pipe list emails into Sympa
+ processes.
+
+* :file:`/etc/sympa/data_sources/`
+
+ data sources shared accross lists (things we didn't want to define more than
+ once). The `board` data source is defined in
+ :file:`/etc/sympa/data_sources/board.incl`
+
+ .. seealso::
+
+ `Sympa manual`_
+
+* :file:`/etc/sympa/sympa.conf`
+
+ main Sympa configuration file. S/MIME configuration items must be set even if
+ they appear to be the default values. Supported_lang must be a subset of the
+ supported system locales (see :file:`/usr/lib/sympa/locale/`) otherwise user's
+ cannot change their locale in Sympa.
+
+* :file:`/etc/sympa/wwsympa.conf`
+
+ configuration for the Sympa web interface
+
+* :file:`/var/lib/sympa/expl/{listname}/{cert.pem,private_key}`
+
+ list private key and certificate for `listname`
+
+* :file:`/var/lib/sympa/x509-user-certs/{emailaddress}`
+
+ user X.509 certificates used by Sympa
+
+
+Postfix configuration
+---------------------
+
+Postfix configuration is stored in :file:`/etc/postfix/`
+
+.. note::
+
+ The file :file:`/etc/aliases.db` must be writable by the `sympa` group to
+ allow running :program:`newaliases` when defining new lists.
+
+Tasks
+=====
+
+Adding a list
+-------------
+
+1. Login to Sympa https://lists.cacert.org/wws using the
+ listmaster@lists.cacert.org (password stored in
+ :file:`/root/sympa-listmanagerpassword.txt`)
+
+2. Use the GUI to create the list. Set the list so that support@cacert.org can
+ send email to the list without confirmation using the cacert main web
+ interface, login and validate the list address issue a WoT certificate for
+ the list user export/backup the WoT certificate out of your browser copy the
+ p12 exported certificate to the list server.
+
+3. use::
+
+ openssl pkcs12 -in cacert-listname\@lists.cacert.org.p12 -nodes
+
+ to export the certificate without a password.
+
+4. copy the certificate and private key to the location described below and
+ setup permissions::
+
+ chown sympa:sympa /var/lib/sympa/expl/<list>/cert.pem
+ chown sympa:sympa /var/lib/sympa/expl/<list>/private_key
+ chmod 0600 /var/lib/sympa/expl/<list>/private_key
+ chmod 0644 /var/lib/sympa/expl/<list>/cert.pem
+
+5. add subscribers/ other owners
+
+Planned
+-------
+
+.. todo:: upgrade the lists system OS to Debian 9 (Stretch)
+
+.. todo:: manage the lists system using Puppet
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Apache httpd documentation
+ http://httpd.apache.org/docs/2.4/
+Sympa manual
+ http://www.sympa.org/manual/
+Postfix documentation
+ http://www.postfix.org/documentation.html
+Postfix Debian wiki page
+ https://wiki.debian.org/Postfix
+
+.. _Sympa manual: http://www.sympa.org/manual/list-definition#data_inclusion_file
diff --git a/docs/systems/monitor.rst b/docs/systems/monitor.rst
index c206e43..2599c61 100644
--- a/docs/systems/monitor.rst
+++ b/docs/systems/monitor.rst
@@ -38,8 +38,8 @@ Administration
System Administration
---------------------
-* Primary: :ref:`people_martin`
-* Secondary: :ref:`people_neo`
+* Primary: :ref:`people_jandd`
+* Secondary: None
Application Administration
--------------------------
@@ -47,9 +47,7 @@ Application Administration
+-------------+-----------------------+
| Application | Administrator(s) |
+=============+=======================+
-| Icinga | :ref:`people_martin`, |
-| | :ref:`people_neo`, |
-| | :ref:`people_jandd` |
+| Icinga | :ref:`people_jandd` |
+-------------+-----------------------+
Contact
@@ -78,7 +76,7 @@ Logical Location
:IP Internet: :ip:v4:`213.154.225.230`
:IP Intranet: :ip:v4:`172.16.2.18`
:IP Internal: :ip:v4:`10.0.0.18`
-:MAC address: :mac:`10.0.0.18` (eth0)
+:MAC address: :mac:`00:ff:73:b3:17:43` (eth0)
.. seealso::
@@ -104,10 +102,10 @@ Operating System
----------------
.. index::
- single: Debian GNU/Linux; Wheezy
- single: Debian GNU/Linux; 7.10
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.3
-* Debian GNU/Linux 7.10
+* Debian GNU/Linux 9.3
Applicable Documentation
------------------------
@@ -212,8 +210,7 @@ Outbound network connections
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
-* ftp.nl.debian.org as Debian mirror
-* security.debian.org for Debian security updates
+* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs
* all :ip:v4range:`10.0.0.0/24` and :ip:v4range:`172.16.2.0/24` systems for
monitoring their services
@@ -223,24 +220,12 @@ Outbound network connections
Security
========
-SSH host keys
--------------
-
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint |
-+===========+=====================================================+
-| RSA | ``df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6`` |
-+-----------+-----------------------------------------------------+
-| DSA | ``07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc`` |
-+-----------+-----------------------------------------------------+
-| ECDSA | ``48:46:b1:5a:4e:05:64:8a:c3:76:33:77:20:91:14:70`` |
-+-----------+-----------------------------------------------------+
-| ED25519 | \- |
-+-----------+-----------------------------------------------------+
-
-.. seealso::
+.. sshkeys::
+ :RSA: SHA256:8iOQQGmuqi4OrF2Qkqt9665w8G7Dwl6U9J8bFfYz7V0 MD5:df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
+ :DSA: SHA256:Sh/3OWrodFWc8ZbVTV1/aJDbpt5ztGrwSSWLECTNrOI MD5:07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc
+ :ECDSA: SHA256:GWvYqhQUt9INh/7VRVu6Z2YORoy/YzgBxNBmX+ZvMsk MD5:48:46:b1:5a:4e:05:64:8a:c3:76:33:77:20:91:14:70
+ :ED25519: SHA256:L5roC867bvxDJ0ckbhIQOt2A9Nh1RQBVuIJFWwrPLG0 MD5:10:94:56:09:5b:a2:28:ab:11:e0:0f:6e:e4:0c:38:bb
- See :doc:`../sshkeys`
Non-distribution packages and modifications
-------------------------------------------
@@ -273,7 +258,6 @@ Keys and X.509 certificates
.. seealso::
- * :doc:`../certlist`
* :wiki:`SystemAdministration/CertificateList`
CRL fetch job
@@ -304,7 +288,6 @@ Tasks
Planned
-------
-.. todo:: upgrade to Debian Jessie
.. todo:: switch to Icinga2 and Icingaweb2
Changes
diff --git a/docs/systems/proxyout.rst b/docs/systems/proxyout.rst
new file mode 100644
index 0000000..8f38b43
--- /dev/null
+++ b/docs/systems/proxyout.rst
@@ -0,0 +1,214 @@
+.. index::
+ single: Systems; Proxyout
+
+========
+Proxyout
+========
+
+Purpose
+=======
+
+This system provides an outgoing http/https proxy for controlled access to
+external resources like APT repositories and code repositories. The decision
+to setup this system has been made due to often changing IP addresses of
+external repositories that lead to update problems on several other machines.
+
+Application Links
+-----------------
+
+This machine has no externaly exposed URLs.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++-------------+---------------------+
+| Application | Administrator(s) |
++=============+=====================+
+| Squid | :ref:`people_jandd` |
++-------------+---------------------+
+
+Contact
+-------
+
+* proxyout-admin@cacert.org
+
+Additional People
+-----------------
+
+* None
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: None
+:IP Intranet: None
+:IP Internal: :ip:v4:`10.0.0.201`
+:IPv6: :ip:v6:`2001:7b8:616:162:2::201`
+:MAC address: :mac:`00:16:3e:15:b8:8c` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Proxyout
+
+.. todo:: setup DNS records (in infra.cacert.org zone)
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.1
+
+* Debian GNU/Linux 9.1
+
+Applicable Documentation
+------------------------
+
+The system is managed by :doc:`puppet`. The puppet repository is browsable at
+https://git.cacert.org/gitweb/?p=cacert-puppet.git;a=summary.
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+-----------------------------------------+
+| 3128/tcp | http | internal | squid http/https proxy |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: puppet agent
+ single: cron
+ single: exim4
+ single: squid
+ single: openssh
+
++----------------+--------------------+--------------------------------------+
+| Service | Usage | Start mechanism |
++================+====================+======================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++----------------+--------------------+--------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++----------------+--------------------+--------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission | |
++----------------+--------------------+--------------------------------------+
+| Puppet agent | local Puppet agent | init script |
+| | | :file:`/etc/init.d/puppet` |
++----------------+--------------------+--------------------------------------+
+| Squid | Caching and | init script |
+| | filtering http/ | :file:`/etc/init.d/squid` |
+| | https proxy for | |
+| | internal machines | |
++----------------+--------------------+--------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`motion`
+* :doc:`proxyin`
+* :doc:`puppet`
+* :doc:`svn`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
+* .debian.org Debian mirrors
+* apt.puppetlabs.com as Debian repository for puppet packages
+* HTTP and HTTPS servers specified in the squid configuration
+
+Security
+========
+
+.. sshkeys::
+ :ECDSA: 74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
+ :ED25519: 43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4
+ :RSA: 1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
+Risk assessments on critical packages
+-------------------------------------
+
+Squid is a proven http and https proxy installed from distribution packages
+with low risk.
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: Change all infrastructure hosts to use this machine as APT proxy to
+ avoid flaky firewall configurations on :doc:`infra02`.
+
+.. todo:: Add more APT repositories and ACLs if needed
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+
+References
+----------
+
+* http://www.squid-cache.org/
diff --git a/docs/systems/puppet.rst b/docs/systems/puppet.rst
new file mode 100644
index 0000000..eb9a9e9
--- /dev/null
+++ b/docs/systems/puppet.rst
@@ -0,0 +1,299 @@
+.. index::
+ single: Systems; Puppet
+
+======
+Puppet
+======
+
+Purpose
+=======
+
+This system acts as `Puppet`_ master for infrastructure systems.
+
+.. _Puppet: https://docs.puppet.com/puppet/
+
+Application Links
+-----------------
+
+This system has no publicly visible URLs.
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application | Administrator(s) |
++===============+=====================+
+| Puppet server | :ref:`people_jandd` |
++---------------+---------------------+
+| PuppetDB | :ref:`people_jandd` |
++---------------+---------------------+
+
+Contact
+-------
+
+* puppet-admin@cacert.org
+
+Additional People
+-----------------
+
+* None
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: None
+:IP Intranet: None
+:IP Internal: :ip:v4:`10.0.0.200`
+:IPv6: :ip:v6:`2001:7b8:616:162:2::200`
+:MAC address: :mac:`00:ff:f9:32:9d:2a` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Puppet
+
+.. todo:: setup DNS records (in infra.cacert.org zone)
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Jessie
+ single: Debian GNU/Linux; 8.8
+
+* Debian GNU/Linux 8.8
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+------------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+==========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+------------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+------------------------------------------+
+| 5432/tcp | pgsql | local | PostgreSQL database for PuppetDB |
++----------+-----------+-----------+------------------------------------------+
+| 8140/tcp | puppet | internal | Puppet master |
++----------+-----------+-----------+------------------------------------------+
+| 8080/tcp | puppetdb | local | HTTP endpoint for local PuppetDB queries |
++----------+-----------+-----------+------------------------------------------+
+| 8081/tcp | puppetdb | internal | HTTPS endpoint for PuppetDB |
++----------+-----------+-----------+------------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Exim
+ single: PostgreSQL
+ single: Puppet agent
+ single: Puppet server
+ single: Puppetdb
+ single: cron
+ single: openssh
+ single: rsyslogd
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL | PostgreSQL | init script |
+| | database server | :file:`/etc/init.d/postgresql` |
+| | for PuppetDB | |
++--------------------+--------------------+----------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Puppet server | Puppet master for | init script |
+| | infrastructure | :file:`/etc/init.d/puppetserver` |
+| | systems | |
++--------------------+--------------------+----------------------------------------+
+| Puppet agent | local Puppet agent | init script |
+| | | :file:`/etc/init.d/puppet` |
++--------------------+--------------------+----------------------------------------+
+| Puppet DB | PuppetDB for | init script |
+| | querying Puppet | :file:`/etc/init.d/puppetdb` |
+| | facts and nodes | |
+| | and resources | |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++-------------+----------+-------------------+
+| RDBMS | Name | Used for |
++=============+==========+===================+
+| PostgreSQL | puppetdb | PuppetDB database |
++-------------+----------+-------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`svn`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* forgeapi.puppet.com for Puppet forge access
+* rubygems.org for Puppet specific Ruby gems
+
+Security
+========
+
+.. sshkeys::
+ :ECDSA: 29:06:f1:71:8d:65:3e:39:7c:49:69:16:8d:99:97:15
+ :ED25519: 53:dc:e7:4d:25:89:a8:d5:5a:24:0b:06:3f:41:cd:4d
+ :RSA: 54:57:b0:09:46:ba:56:95:5e:e3:35:df:28:27:ed:c5
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+The Puppet server, Puppet agent and PuppetDB packages and a few dependencies
+are installed from the official Puppet APT repository because the versions
+in Debian are too old to use modern Puppet features.
+
+Some rubygems are installed via the puppet specific ruby gem binary to support
+advanced Puppet functionality like hiera-eyaml.
+
+All puppet related code is installed in the Puppet specific /opt/puppetlabs
+tree.
+
+
+Risk assessments on critical packages
+-------------------------------------
+
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system.
+
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+Puppet comes with its own inbuilt special purpose CA that is used to sign the
+Puppet server and Puppet DB certificates as well as the certificates of all
+trusted Puppet agents.
+
+The CA data is stored in :file:`/etc/puppetlabs/puppet/ssl` and managed by
+puppet itself.
+
+
+Eyaml private key
+-----------------
+
+All sensitive data like passwords in Hiera data is encrypted using the public
+key in :file:`keys/public_key.pkcs7.pem` in the `CAcert puppet Git repository
+<ssh://git.cacert.org/var/cache/git/cacert-puppet.git>`_. The corresponding
+private key is stored in
+:file:`/etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem`.
+
+
+hiera configuration
+-------------------
+
+Puppet uses Hiera for hierarchical information retrieval. The global hiera
+configuration is stored in :file:`/etc/puppetlabs/puppet/hiera.yaml` and
+defines the hierarchy lookup as well as the eyaml key locations.
+
+
+puppet configuration
+--------------------
+
+All puppet configuration is stored in :file:`/etc/puppetlabs/`. The CAcert
+specific puppet code is taken from the `CAcert puppet Git repository
+<ssh://git.cacert.org/var/cache/git/cacert-puppet.git>`_ and cloned to
+:file:`/etc/puppetlabs/code/environments/production/` directory. Required
+Puppet modules are installed by :program:`/opt/puppetlabs/puppet/bin/r10k`.
+
+The puppet code should follow best practices like the Roles and profiles
+pattern (see references below) and code/data separation via Hiera.
+
+
+Tasks
+=====
+
+Planned
+-------
+
+* migrate as many systems as possible to use Puppet for a more
+ reproducible/auditable system setup
+* automate updates of the Puppet code from Git
+
+.. todo:: implement Webhook on the puppet machine that triggers git pull and r10k run
+
+Changes
+=======
+
+System Future
+-------------
+
+* Improve setup, use more widely
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+
+References
+----------
+
+* https://docs.puppet.com/puppet/
+* https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml
+* https://docs.puppet.com/pe/2016.5/r_n_p_full_example.html
diff --git a/docs/systems/svn.rst b/docs/systems/svn.rst
new file mode 100644
index 0000000..ea93245
--- /dev/null
+++ b/docs/systems/svn.rst
@@ -0,0 +1,348 @@
+.. index::
+ single: Systems; Svn
+
+===
+Svn
+===
+
+Purpose
+=======
+
+This system hosts the `Subversion`_ repository that is used for some CAcert
+documents and code that has not been moved to :doc:`git` yet, for example:
+
+* Events
+* Policy development
+* Documentation
+
+.. _Subversion: http://subversion.apache.org/
+
+Application Links
+-----------------
+
+The subversion repository
+ https://svn.cacert.org/CAcert/
+
+Anonymous read-only HTTP access
+ http://svn.cacert.org/CAcert/
+
+Username/password authenticated HTTPS access
+ https://nocert.svn.cacert.org/CAcert/
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application | Administrator(s) |
++===============+=====================+
+| Subversion | :ref:`people_jandd` |
++---------------+---------------------+
+
+Contact
+-------
+
+* svn-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`Mario Lipinski <people_mario>` has :program:`sudo` access on that machine
+too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.238`
+:IP Intranet: :ip:v4:`172.16.2.15`
+:IP Internal: :ip:v4:`10.0.0.20`
+:IPv6: :ip:v6:`2001:7b8:616:162:2::15`
+:MAC address: :mac:`00:16:3e:13:87:bb` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Svn
+
+========================== ======== ============================================
+Name Type Content
+========================== ======== ============================================
+svn.cacert.org. IN SSHFP 1 1 1128972FB54F927477A781718E2F9C114E9CA383
+svn.cacert.org. IN SSHFP 2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
+svn.cacert.org. IN A 213.154.225.238
+cert.svn.cacert.org. IN CNAME svn.cacert.org.
+nocert.svn.cacert.org IN CNAME svn.cacert.org
+========================== ======== ============================================
+
+.. todo:: add AAAA record for IPv6 address
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Jessie
+ single: Debian GNU/Linux; 8.8
+
+* Debian GNU/Linux 8.8
+
+Applicable Documentation
+------------------------
+
+Access to specific paths in the repository is granted on request if approved by
+team leaders/officers.
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp | http | ANY | application |
++----------+-----------+-----------+-----------------------------------------+
+| 443/tcp | https | ANY | application |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: Exim
+ single: Puppet agent
+ single: cron
+ single: nrpe
+ single: openssh
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for | init script |
+| | Subversion | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+| Puppet agent | configuration | init script |
+| | management agent | :file:`/etc/init.d/puppet` |
++--------------------+--------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* Connection from :doc:`blog` because blog uses some resources served from svn
+* Connection from https://www.cacert.org/ because blog posts are embedded there
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* crl.cacert.org (rsync) for getting CRLs
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
+* :doc:`proxyout` as HTTP proxy for APT
+
+Security
+========
+
+.. sshkeys::
+ :RSA: df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
+ :DSA: 07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc
+ :ECDSA: f9:10:2c:bb:1d:2f:d4:c4:b3:74:b6:f9:26:4c:64:54
+ :ED25519: 56:88:68:0d:3a:32:13:6b:da:bd:ae:d7:cc:9b:b8:f5
+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
+Risk assessments on critical packages
+-------------------------------------
+
+Apache httpd is configured with a minimum of enabled modules to allow TLS and
+Subversion but nothing else to reduce potential security risks.
+
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: svn.cacert.org
+ :altnames: DNS:cert.svn.cacert.org, DNS:nocert.svn.cacert.org, DNS:svn.cacert.org
+ :certfile: /etc/apache2/ssl/svn.cacert.org.crt.pem
+ :keyfile: /etc/apache2/ssl/svn.cacert.org.key.pem
+ :serial: 028B8D
+ :expiration: Mar 24 10:57:53 18 GMT
+ :sha1fp: E2:E2:26:B3:5D:8A:FA:96:C0:94:A2:E5:11:9D:89:C7:AC:C7:B3:2D
+ :issuer: CAcert Class 3 Root
+
+* `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
+* `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+The main configuration files for Apache httpd are:
+
+* :file:`/etc/apache2/sites-available/cert.svn.cacert.org`
+
+ Defines the https VirtualHost for IPv4 and IPv6 on port 443 using client
+ certificate authentication. The SNI server names svn.cacert.org and
+ cert.svn.cacert.org are handled by the VirtualHost configuration in this
+ file.
+
+* :file:`/etc/apache2/sites-available/nocert.svn.cacert.org`
+
+ Defines the https VirtualHost for IPv4 and IPv6 on port 443 using
+ username/password authentication. The SNI server name nocert.svn.cacert.org
+ is handled by the VirtualHost configuration in this file.
+
+* :file:`/etc/apache2/sites-available/000-default`
+
+ Defines the http read-only VirtualHost for IPv4 and IPv6 on port 80.
+
+These files include the following files to configure Subversion and
+authentication/authorization:
+
+* :file:`/etc/apache2/sites-available/ssl_config.include`
+
+ contains VirtualHost specific TLS configuration
+
+* :file:`/etc/apache2/sites-available/svn_anonymous_config.include`
+
+ configure anonymous SVN access without defining a password file and thus
+ restricting SVN paths that require authentication
+
+* :file:`/etc/apache2/sites-available/svn_pwauth_config.include`
+
+ configure username/password authenticated access to SVN using the password
+ file :file:`/srv/dav_svn.passwd`.
+
+* :file:`/etc/apache2/sites-available/svn_certauth_config.include`
+
+ configure TLS client certificate authenticated access to SVN using the first
+ email address in the client certificate's Subject Distinguished name as user
+ name
+
+Subversion configuration
+------------------------
+
+Subversion authorization (aliases, groups and ACLs) is configured in
+:file:`/srv/dav_svn.authz` in the format specified in `path based authorization
+<http://svnbook.red-bean.com/de/1.8/svn.serverconfig.pathbasedauthz.html>`_ in
+the Subversion book.
+
+The repository data is stored in :file:`/srv/svnrepo`.
+
+CRL update job
+--------------
+
+CRLs are updated by :file:`/etc/cron.daily/fetchcrls`.
+
+
+Tasks
+=====
+
+Planned
+-------
+
+The configuration of this system will be migrated to a setup fully managed by
+Puppet.
+
+X.509 Auth for policy
+---------------------
+
+* Documentation officer has endorsed
+* Waiting on Org-assurer word as to org-assurer policy stuff
+
+Mail notifications
+------------------
+
+* commit hooks on policy to policy list?
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+ * :wiki:`Technology/KnowledgeBase/ClientCerts#SVN`
+ * :wiki:`SystemAdministration/Systems/Svn/Setup`
+
+References
+----------
+
+* http://svnbook.red-bean.com/en/1.5/svn.reposadmin.html
diff --git a/docs/systems/template.rst b/docs/systems/template.rst
index 006f7ed..35ca202 100644
--- a/docs/systems/template.rst
+++ b/docs/systems/template.rst
@@ -221,31 +221,19 @@ Outbound network connections
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
-* ftp.nl.debian.org as Debian mirror
-* security.debian.org for Debian security updates
+* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs
Security
========
-SSH host keys
--------------
-
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint |
-+===========+=====================================================+
-| RSA | |
-+-----------+-----------------------------------------------------+
-| DSA | |
-+-----------+-----------------------------------------------------+
-| ECDSA | |
-+-----------+-----------------------------------------------------+
-| ED25519 | |
-+-----------+-----------------------------------------------------+
-
-.. seealso::
+.. add the MD5 fingerprints of the SSH host keys
- See :doc:`../sshkeys`
+.. sshkeys::
+ :RSA:
+ :DSA:
+ :ECDSA:
+ :ED25519:
Dedicated user roles
--------------------
@@ -280,15 +268,31 @@ Critical Configuration items
Keys and X.509 certificates
---------------------------
-* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
-* :file:`/etc/apache2/ssl/<path to server key>` server key
+.. use the sslcert directive to have certificates added to the certificate list
+ automatically
+
+.. sslcert:: template.cacert.org
+ :altnames:
+ :certfile:
+ :keyfile:
+ :serial:
+ :expiration:
+ :sha1fp:
+ :issuer:
+
+.. for certificates that are orginally created on another host use
+
+.. sslcert:: other.cacert.org
+ :certfile:
+ :keyfile:
+ :serial:
+ :secondary:
.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
* `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
.. seealso::
- * :doc:`../certlist`
* :wiki:`SystemAdministration/CertificateList`
<service_x> configuration
@@ -314,7 +318,7 @@ System Future
.. use this section to describe any plans for the system future. These are
larger plans like moving to another host, abandoning the system or replacing
- its funtionality with something else.
+ its functionality with something else.
.. * No plans
diff --git a/docs/systems/web.rst b/docs/systems/web.rst
new file mode 100644
index 0000000..ee00d85
--- /dev/null
+++ b/docs/systems/web.rst
@@ -0,0 +1,308 @@
+.. index::
+ single: Systems; Web
+
+===
+Web
+===
+
+Purpose
+=======
+
+Reverse proxy for different websites that handles http to https redirection and
+TLS handshakes. The following services are currently proxied by this system:
+
+* Jenkins on :doc:`jenkins`
+* funding.cacert.org and infradocs.cacert.org on :doc:`webstatic`
+
+The proxy should be used for all web applications that do not need access to the
+TLS parameters (client certificates, other peer information). Applications that
+need to perform TLS handshakes themselves can be proxied through :doc:`proxyin`.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application | Administrator(s) |
++===============+=====================+
+| Apache httpd | :ref:`people_jandd` |
++---------------+---------------------+
+
+Contact
+-------
+
+* web-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` has :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.242`
+:IP Intranet: :ip:v4:`172.16.2.26`
+:IP Internal: :ip:v4:`10.0.0.26`
+:MAC address: :mac:`00:ff:c7:e5:66:ae` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Web
+
+===================== ======== ====================================================================
+Name Type Content
+===================== ======== ====================================================================
+web.cacert.org. IN A 213.154.225.242
+web.cacert.org. IN SSHFP 1 1 85F5338D90930200CBBFCE1AAB56988B4C8F0F22
+web.cacert.org. IN SSHFP 1 2 D39CBD51588F322F7B4384274CF0166F25B10F54A6CD153ED7251FF30B5B516E
+web.cacert.org. IN SSHFP 2 1 906F0C17BB0E233B0F52CE33CFE64038D45AC4F2
+web.cacert.org. IN SSHFP 2 2 DBF6221A8A403B4C9F537B676305FDAE07FF45A1C18D88B1141031402AF0250F
+web.cacert.org. IN SSHFP 3 1 7B62D8D1E093C28CDA0F3D2444846128B41C10DE
+web.cacert.org. IN SSHFP 3 2 0917DA677C9E6CAF1818C1151EC2A813623A2B2955A1A850F260D64EF041400B
+web.intra.cacert.org. IN A 172.16.2.26
+===================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.3
+
+* Debian GNU/Linux 9.3
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp | http | ANY | redirects to https |
++----------+-----------+-----------+-----------------------------------------+
+| 443/tcp | https | ANY | https termination and reverse proxy |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+
++--------------------+---------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+=====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+---------------------+----------------------------------------+
+| Apache httpd | http redirector, | init script |
+| | https reverse proxy | :file:`/etc/init.d/apache2` |
++--------------------+---------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+---------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+---------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+---------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+---------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+* :doc:`jenkins` as backend for the jenkins.cacert.org VirtualHost
+* :doc:`webstatic` as backend for the funding.cacert.org and
+ infradocs.cacert.org VirtualHosts
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:05y9UViPMi97Q4QnTPAWbyWxD1SmzRU+1yUf8wtbUW4 MD5:6d:e5:7e:1d:72:d5:5e:f8:43:80:94:a8:b1:0d:9b:81
+ :DSA: SHA256:2/YiGopAO0yfU3tnYwX9rgf/RaHBjYixFBAxQCrwJQ8 MD5:00:27:11:fe:58:9d:d8:e5:c5:35:34:27:bb:79:86:16
+ :ECDSA: SHA256:CRfaZ3yebK8YGMEVHsKoE2I6KylVoahQ8mDWTvBBQAs MD5:7f:91:92:80:f2:b5:2f:5d:8e:11:3f:9b:62:48:e7:18
+ :ED25519: SHA256:IHm9Gjf0u753ADO+WDYLFuHwPK3ReAe101xG/NeCwYk MD5:82:ab:13:33:ee:69:cf:09:18:20:d0:9c:b9:a0:0e:61
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+Apache httpd is configured with a minimum of enabled modules to allow proxying
+and TLS handling only to reduce potential security risks.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: funding.cacert.org
+ :altnames: DNS:funding.cacert.org
+ :certfile: /etc/ssl/certs/funding.cacert.org.crt
+ :keyfile: /etc/ssl/private/funding.cacert.org.key
+ :serial: 02A770
+ :expiration: Feb 16 12:07:35 19 GMT
+ :sha1fp: 36:E0:A1:86:7A:FA:C6:F4:86:9F:CC:9C:61:4D:B9:A4:7C:0F:9F:C9
+ :issuer: CAcert Class 3 Root
+
+.. sslcert:: infradocs.cacert.org
+ :altnames: DNS:infradocs.cacert.org
+ :certfile: /etc/ssl/certs/infradocs.cacert.org.crt
+ :keyfile: /etc/ssl/private/infradocs.cacert.org.key
+ :serial: 029159
+ :expiration: May 06 07:46:25 18 GMT
+ :sha1fp: BA:79:60:5E:8C:21:F0:14:FF:64:6B:44:64:A0:23:F9:C3:A1:F0:C6
+ :issuer: CAcert Class 3 Root
+
+.. sslcert:: jenkins.cacert.org
+ :altnames: DNS:jenkins.cacert.org
+ :certfile: /etc/ssl/certs/jenkins.cacert.org.crt
+ :keyfile: /etc/ssl/private/jenkins.cacert.org.key
+ :serial: 02A76F
+ :expiration: Feb 16 12:07:29 19 GMT
+ :sha1fp: D1:E3:5B:73:63:28:C6:31:0F:35:4A:2F:0D:12:B5:6C:3F:72:08:3D
+ :issuer: CAcert Class 3 Root
+
+.. sslcert:: web.cacert.org
+ :altnames: DNS:web.cacert.org
+ :certfile: /etc/ssl/certs/web.cacert.org.crt
+ :keyfile: /etc/ssl/private/web.cacert.org.key
+ :serial: 02BE3D
+ :expiration: Feb 19 11:44:47 20 GMT
+ :sha1fp: D5:20:E8:4D:C1:FC:6E:DF:7E:D3:5D:03:03:3D:1B:CB:27:4B:3D:85
+ :issuer: CAcert Class 3 Root
+
+* :file:`/usr/share/ca-certificates/CAcert/class3.crt` CAcert.org Class 3
+ certificate for server certificate chains. The Apache httpd configuration
+ files reference the symlinked version at :file:`/etc/ssl/certs/class3.pem`.
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+Apache httpd configuration
+--------------------------
+
+* :file:`/etc/apache2/sites-available/000-default.conf`
+
+ Defines the default VirtualHost for requests reaching this host with no
+ specifically handled host name.
+
+* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`
+
+ Defines the VirtualHost http://funding.cacert.org/ that redirects to
+ https://funding.cacert.org/ and the VirtualHost https://funding.cacert.org/
+ that provides reverse proxy functionality for the same host name on
+ :doc:`webstatic`.
+
+* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`
+
+ Defines the VirtualHost http://infradocs.cacert.org/ that redirects to
+ https://infradocs.cacert.org/ and the VirtualHost
+ https://infradocs.cacert.org/ that provides reverse proxy functionality for
+ the same host name on :doc:`webstatic`.
+
+* :file:`/etc/apache2/sites-available/jenkins.cacert.org.conf`
+
+ Defines the VirtualHost http://jenkins.cacert.org/ that redirects to
+ https://jenkins.cacert.org/ and the VirtualHost https://jenkins.cacert.org/
+ that provides reverse proxy functionality for the Jenkins instance on
+ :doc:`jenkins`.
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: manage the web system using Puppet
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. note::
+ The system hosted the Drupal based community portal https://www.cacert.eu/
+ in the past. The DNS records for this portal have been changed to point to
+ the regular https://www.cacert.org/ site. All unreachable VirtualHosts have
+ been archived to the backup disk at :doc:`infra02`.
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+* http://httpd.apache.org/docs/2.4/
diff --git a/docs/systems/webmail.rst b/docs/systems/webmail.rst
index 14eded6..6a4851e 100644
--- a/docs/systems/webmail.rst
+++ b/docs/systems/webmail.rst
@@ -206,29 +206,14 @@ Outbound network connections
Security
========
-SSH host keys
--------------
-
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint |
-+===========+=====================================================+
-| RSA | ``82:91:22:22:10:75:ab:0e:55:05:9a:f9:98:cb:94:48`` |
-+-----------+-----------------------------------------------------+
-| DSA | ``6b:6e:59:37:41:83:a5:89:2a:18:04:23:51:53:5d:cd`` |
-+-----------+-----------------------------------------------------+
-| ECDSA | \- |
-+-----------+-----------------------------------------------------+
-| ED25519 | \- |
-+-----------+-----------------------------------------------------+
+.. sshkeys::
+ :RSA: 82:91:22:22:10:75:ab:0e:55:05:9a:f9:98:cb:94:48
+ :DSA: 6b:6e:59:37:41:83:a5:89:2a:18:04:23:51:53:5d:cd
.. warning::
The system is too old to support ECDSA or ED25519 keys.
-.. seealso::
-
- See :doc:`../sshkeys`
-
Non-distribution packages and modifications
-------------------------------------------
@@ -279,11 +264,13 @@ Keys and X.509 certificates
.. seealso::
- * :doc:`../certlist`
* :wiki:`SystemAdministration/CertificateList`
-Apache configuration
---------------------
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
The Apache httpd configuration is stored in
:file:`/etc/apache2/sites-available/webmail`.
@@ -294,6 +281,9 @@ The Apache httpd configuration is stored in
Defines some aliases for :doc:`email` that are used by Roundcube, the password
reset script and the staff list script.
+.. index::
+ pair: Roundcube; configuration
+
Roundcube configuration
-----------------------
diff --git a/docs/systems/webstatic.rst b/docs/systems/webstatic.rst
new file mode 100644
index 0000000..72aa710
--- /dev/null
+++ b/docs/systems/webstatic.rst
@@ -0,0 +1,285 @@
+.. index::
+ single: Systems; Webstatic
+
+=========
+Webstatic
+=========
+
+Purpose
+=======
+
+This system provides a web server for serving static content. HTTP requests
+for this system are proxied through :doc:`web` which also handles TLS
+termination and redirects from http scheme URLs to https.
+
+Application Links
+-----------------
+
+Funding
+ https://funding.cacert.org/
+
+Infrastructure Documentation
+ https://infradocs.cacert.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application | Administrator(s) |
++===============+=====================+
+| Apache httpd | :ref:`people_jandd` |
++---------------+---------------------+
+| Gitolite | :ref:`people_jandd` |
++---------------+---------------------+
+
+Contact
+-------
+
+* webstatic-admin@cacert.org
+
+Additional People
+-----------------
+
+No additional people have access to this machine.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: reverse proxied from :doc:`web`
+:IP Intranet: :ip:v4:`172.16.2.116`
+:IP Internal: :ip:v4:`10.0.0.116`
+:MAC address: :mac:`00:ff:67:39:23:f2` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Webstatic
+
+=========================== ======== ====================================================================
+Name Type Content
+=========================== ======== ====================================================================
+funding.cacert.org. IN CNAME webstatic.cacert.org.
+infradocs.cacert.org. IN CNAME webstatic.cacert.org.
+webstatic.cacert.org. IN A 213.154.225.242
+webstatic.cacert.org. IN SSHFP 1 1 30897A7A984D8350495946D54C6374E9331237EF
+webstatic.cacert.org. IN SSHFP 1 2 32BB10C5CF48532D077066E012230058DDF3CCE731C561F228E310EB7A546E3F
+webstatic.cacert.org. IN SSHFP 2 1 868361A51EC60607BFD964D0F8F3E4EE5E803FC6
+webstatic.cacert.org. IN SSHFP 2 2 A173BB85EC19F63ECB273BCA130EF63501FE1B89FD55B62997195E6816CAB547
+webstatic.cacert.org. IN SSHFP 3 1 7FC847CEC20B9D65296D4A0EDAFBA22A14EE9DC4
+webstatic.cacert.org. IN SSHFP 3 2 68879264E0ED5D0914797BF2292436FB32CCA24683DCF5D927A53589C1BFB6D7
+webstatic.intra.cacert.org. IN A 172.16.2.116
+=========================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Stretch
+ single: Debian GNU/Linux; 9.3
+
+* Debian GNU/Linux 9.3
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console and gitolite access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp | http | ANY | application |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: Exim
+ single: cron
+ single: nginx
+ single: nrpe
+ single: openssh
+ single: rsyslog
+
++--------------------+----------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+======================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
+| | and git access | |
++--------------------+----------------------+----------------------------------------+
+| Apache httpd | Webserver for static | init script |
+| | content | :file:`/etc/init.d/apache2` |
++--------------------+----------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+----------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+----------------------+----------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission | |
++--------------------+----------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+----------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`jenkins` for publishing infrastructure documentation to
+ infradocs.cacert.org
+* :doc:`monitor`
+* :doc:`web` as reverse proxy for hostnames funding.cacert.org and
+ infradocs.cacert.org
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`proxyout` as HTTP proxy for APT
+
+Security
+========
+
+.. sshkeys::
+ :RSA: SHA256:MrsQxc9IUy0HcGbgEiMAWN3zzOcxxWHyKOMQ63pUbj8 MD5:da:e7:16:f9:98:b0:77:4f:38:a6:49:35:a5:5a:2a:c2
+ :DSA: SHA256:oXO7hewZ9j7LJzvKEw72NQH+G4n9VbYplxleaBbKtUc MD5:12:a5:87:27:6b:2f:e3:cd:d6:e5:fb:f2:43:2f:7c:be
+ :ECDSA: SHA256:aIeSZODtXQkUeXvyKSQ2+zLMokaD3PXZJ6U1icG/ttc MD5:5e:94:ad:e8:84:3b:e2:b0:0b:7f:44:ec:a9:99:95:b2
+ :ED25519: SHA256:NC34l1qSufrBdjxjJk75oOnmhrQW1VkLILsOhJle77A MD5:da:58:d0:89:23:6f:ca:f7:b2:5f:a3:51:2f:6b:95:0d
+
+Dedicated user roles
+--------------------
+
++-------------------+---------------------------------------------------+
+| Group | Purpose |
++===================+===================================================+
+| git | User for :program:`gitolite` |
++-------------------+---------------------------------------------------+
+| jenkins-infradocs | Used by :doc:`jenkins` to upload documentation to |
+| | :file:`/var/www/infradocs.cacert.org/html/` |
++-------------------+---------------------------------------------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+The used :program:`gitolite` version is from Debian Jessie and should either
+be replaced by :program:`gitolite3` from Debian Stretch or a combination of
+git repositories on :doc:`git` and web hooks for triggering updates.
+
+.. todo:: replace :program:`gitolite` with a maintained service
+
+Risk assessments on critical packages
+-------------------------------------
+
+Apache httpd is configured with a minimum of enabled modules to allow serving
+static content and nothing else to reduce potential security risks.
+
+Access to :program:`gitolite` and the jenkins-infradocs user is gated by a
+defined set of ssh keys.
+
+.. todo:: check access on gitolite repositories
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+The host does not provide TLS services and therefore has no certificates.
+
+.. todo::
+ move the TLS configuration for the served VirtualHosts to :doc:`webstatic`
+
+Apache httpd configuration
+--------------------------
+
+The main configuration files for Apache httpd are:
+
+* :file:`/etc/apache2/sites-available/000-default.conf`
+
+ Defines the default VirtualHost for requests reaching this host with no
+ specifically handled host name.
+
+* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`
+
+ Defines the VirtualHost for https://funding.cacert.org/
+
+* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`
+
+ Defines the VirtualHost for https://infradocs.cacert.org/
+
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: manage the webstatic system using Puppet
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
+
+References
+----------
+
+* http://httpd.apache.org/docs/2.4/
+* http://gitolite.com/gitolite/migr/ \ No newline at end of file
diff --git a/tools/ssh_host_keys.py b/tools/ssh_host_keys.py
new file mode 100755
index 0000000..df0c45a
--- /dev/null
+++ b/tools/ssh_host_keys.py
@@ -0,0 +1,37 @@
+#!/usr/bin/env python
+
+from glob import glob
+import argparse
+import os.path
+import subprocess
+
+
+SUPPORTED_SSH_KEYTYPES = ('RSA', 'DSA', 'ECDSA', 'ED25519')
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=(
+ 'Convert a set of ssh host keys to the syntax expected by the '
+ 'sshkeys directive of the CAcert infrastructur documentation'))
+ parser.add_argument(
+ 'root', metavar='ROOT', type=str, help='root directory'
+ )
+ args = parser.parse_args()
+
+ keys = {}
+ for host_key in glob(os.path.join(
+ args.root, 'etc/ssh', 'ssh_host_*key.pub')
+ ):
+ fp = subprocess.check_output(
+ ['ssh-keygen', '-l', '-f', host_key]).strip().split()
+ keys[fp[3][1:-1]] = fp[1]
+
+ maxlen = max([len(key) for key in keys.keys() if key in SUPPORTED_SSH_KEYTYPES])
+
+ print ".. sshkeys::"
+ for typ, key in [
+ (typ, keys[typ]) for typ in SUPPORTED_SSH_KEYTYPES
+ if typ in keys
+ ]:
+ print " :%s:%s %s" % (typ, ' ' * (maxlen - len(typ)), key)
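Review bot: The key type is taken from `fp[3]` after splitting the `ssh-keygen -l` output, which assumes the key comment is exactly one whitespace-separated token; a host key with an empty or multi-word comment makes that index point at the wrong field or raise IndexError. Since the `(TYPE)` token is the last field of that output, `keys[fp[-1][1:-1]] = fp[1]` is the robust form. The fingerprint column is whatever the local ssh-keygen emits by default (MD5 on older releases, SHA256 on newer ones), so the generated documentation will mix formats across hosts unless the hash is pinned, e.g. `['ssh-keygen', '-l', '-E', 'sha256', '-f', host_key]`. The `print` statements here are Python 2 syntax while the sibling tool in this commit uses `from __future__ import print_function`; using the same form in both keeps the tools runnable under one interpreter. `max([...])` also raises ValueError when no supported key type was found, so an explicit empty check with a clear message would be friendlier.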
diff --git a/tools/sslcert.py b/tools/sslcert.py
new file mode 100755
index 0000000..531a5b5
--- /dev/null
+++ b/tools/sslcert.py
@@ -0,0 +1,116 @@
+#!/usr/bin/env python
+
+from __future__ import print_function
+
+from datetime import datetime
+from hashlib import sha1
+import argparse
+import os.path
+
+from pyasn1_modules import pem
+from pyx509.pkcs7.asn1_models.X509_certificate import Certificate
+from pyx509.pkcs7_models import X509Certificate
+from pyx509.pkcs7.asn1_models.decoder_workarounds import decode
+
+
+ALTNAME_MAP = (
+ ('dNSName', 'DNS'),
+ ('rfc822Name', 'EMAIL'),
+ ('iPAddress', 'IP')
+)
+
+
+def x509_parse(derData):
+ """Decodes certificate.
+ @param derData: DER-encoded certificate string
+ @returns: pkcs7_models.X509Certificate
+ """
+ cert = decode(derData, asn1Spec=Certificate())[0]
+ x509cert = X509Certificate(cert)
+ return x509cert
+
+
+def get_altnames(cert):
+ altnames = cert.tbsCertificate.subjAltNameExt.value.values
+ retval = []
+ for typ, data in [(field[1], altnames[field[0]]) for field in ALTNAME_MAP]:
+ for item in sorted(data):
+ retval.append("{typ}:{item}".format(typ=typ, item=item))
+ return ", ".join(retval)
+
+
+def get_serial(cert):
+ serial = "%X" % cert.tbsCertificate.serial_number
+ return "0" * (len(serial) % 2) + serial
+
+
+def get_expiration(cert):
+ return datetime.strptime(
+ cert.tbsCertificate.validity.valid_to, '%Y%m%d%H%M%SZ'
+ ).strftime('%b %d %H:%M:%S %y GMT')
+
+
+def get_sha1fp(certdata):
+ hexhash = sha1(certdata).hexdigest().upper()
+ return ":".join([hexhash[i:i+2] for i in range(0, len(hexhash), 2)])
+
+
+def get_issuer(cert):
+ return cert.tbsCertificate.issuer.get_attributes()['CN'][0]
+
+
+def get_subject(cert):
+ return cert.tbsCertificate.subject.get_attributes()['CN'][0]
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=(
+ 'Create an sslcert directive from data taken from a PEM encoded '
+ 'X.509 certificate file and its corresponding PEM encoded RSA key '
+ 'file.'))
+ parser.add_argument(
+ 'cert', metavar='CERT', type=open,
+ help='PEM encoded X.509 certficate file')
+ parser.add_argument(
+ '--key', metavar='KEY', type=open,
+ help='PEM encoded RSA private key', default=None)
+ parser.add_argument(
+ '--root', metavar='ROOT', type=str,
+ help='Relative root directory for key and cert')
+
+ args = parser.parse_args()
+
+ certpem = pem.readPemFromFile(args.cert)
+ certpath = os.path.abspath(args.cert.name)
+ if args.root:
+ certpath = '/' + os.path.relpath(certpath, args.root)
+ if args.key:
+ haskey = True
+ keypem = pem.readPemFromFile(args.key)
+ keypath = os.path.abspath(args.key.name)
+ if args.root:
+ keypath = '/' + os.path.relpath(keypath, args.root)
+ else:
+ keypath = 'TODO: define key path'
+
+ cert = x509_parse(certpem)
+ data = {
+ 'altnames': get_altnames(cert),
+ 'certfile': certpath,
+ 'keyfile': keypath,
+ 'serial': get_serial(cert),
+ 'expiration': get_expiration(cert),
+ 'sha1fp': get_sha1fp(certpem),
+ 'issuer': get_issuer(cert),
+ 'subject': get_subject(cert),
+ }
+ print(""".. sslcert:: {subject}
+ :altnames: {altnames}
+ :certfile: {certfile}
+ :keyfile: {keyfile}
+ :serial: {serial}
+ :expiration: {expiration}
+ :sha1fp: {sha1fp}
+ :issuer: {issuer}
+""".format(**data))
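Review bot: The `--key` option opens and PEM-decodes the private key file, but only its path is ever used: `keypem` and `haskey` are assigned and never read. Loading private key material into a documentation tool is unnecessary exposure; declaring the option as a plain path, `'--key', metavar='KEY', type=str,` and then `keypath = os.path.abspath(args.key)`, removes both the dead code and the read of the key. `get_altnames` indexes `altnames[field[0]]` for every entry of `ALTNAME_MAP` and `get_issuer`/`get_subject` index `['CN'][0]`, so a certificate lacking one of those SAN types, the SAN extension, or a CN would presumably raise KeyError/TypeError rather than producing a partial directive — worth confirming against the pyx509 API and handling with `.get()`. The certificate file handle from `type=open` is also never closed; minor for a one-shot script, but a `with` block would make it explicit.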
diff --git a/tools/tool-requirements.txt b/tools/tool-requirements.txt
new file mode 100644
index 0000000..e00844f
--- /dev/null
+++ b/tools/tool-requirements.txt
@@ -0,0 +1,3 @@
+pyasn1==0.1.9
+pyasn1-modules==0.0.8
+git+https://github.com/hiviah/pyx509@a35702c3d514c96d75a1c3498307a16991cdd0d3#egg=pyx509