Diffstat (limited to 'docs/template.rst')
-rw-r--r-- | docs/template.rst | 270 |
1 files changed, 270 insertions, 0 deletions
diff --git a/docs/template.rst b/docs/template.rst new file mode 100644 index 0000000..8d0e090 --- /dev/null +++ b/docs/template.rst 
@@ -0,0 +1,270 @@ +================== +Systems - TEMPLATE +================== + +Basics +====== + +Purpose +------- + +.. <SHORT DESCRIPTION> + +Physical Location +----------------- + +.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.> + +.. ## Use the following for containers on Infra02: + +This system is located in an LXC_ container on physical machine :doc:`infra02`. + +Physical Configuration +---------------------- + +.. seealso:: + + See https://wiki.cacert.org/SystemAdministration/EquipmentList + +Logical location +---------------- + + * IP Internet: <IP> + * IP Intranet: <IP> + * IP Internal: <IP> + * MAC address: <MAC> (interfacename) + +.. seealso:: + + See :doc:`network` + +DNS +--- + + * <HOSTNAME>.cacert.org. IN A <IP> + * <HOSTNAME>.intra.cacert.org. IN A <IP> + +.. seealso:: + + See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges + +Operating System +---------------- + + * Debian GNU/Linux x.y + +Applicable Documentation +------------------------ + +This is it :-) + +Administration +-------------- + +System Admin: + * <SYSADMIN's NAME> + +Contact: + * <system>-admin@cacert.org + +Services +======== + +Listening services +------------------ + ++----------+-----------+-----------+-----------------------------------------+ +| Port | Service | Users | Purpose | ++==========+===========+===========+=========================================+ +| 22/tcp | ssh | sysadmins | admin console access | ++----------+-----------+-----------+-----------------------------------------+ +| 25/tcp | smtp | local | local mail pickup in order to send out | +| | | | notifications | ++----------+-----------+-----------+-----------------------------------------+ +| 80/tcp | http | all | application | ++----------+-----------+-----------+-----------------------------------------+ +| 443/tcp | https | all | application | ++----------+-----------+-----------+-----------------------------------------+ +| 5666/tcp | nrpe | sysadmins | remote monitoring 
service | ++----------+-----------+-----------+-----------------------------------------+ + +.. below are some definitions of commonly open ports, choose those that are applicable and order the table by port number + || 3306/tcp || mysql || local || MySQL database for ... || + || 5432/tcp || pgsql || local || PostgreSQL database for ... || + || 465/udp || syslog || local || syslog port || + +Running services +---------------- + ++--------------------+--------------------+----------------------------------+ +| Service | Usage | Start mechanism | ++====================+====================+==================================+ +| openssh server | ssh daemon for | init script `/etc/init.d/ssh` | +| | remote | | +| | administration | | ++--------------------+--------------------+----------------------------------+ +| Apache httpd | Webserver for ... | init script | +| | | `/etc/init.d/apache2` | ++--------------------+--------------------+----------------------------------+ +| cron | job scheduler | init script `/etc/init.d/cron` | ++--------------------+--------------------+----------------------------------+ +| rsyslog | syslog daemon | init script `/etc/init.d/syslog` | ++--------------------+--------------------+----------------------------------+ +| PostgreSQL | PostgreSQL | init script | +| | database server | `/etc/init.d/postgresql` | +| | for ... | | ++--------------------+--------------------+----------------------------------+ +| MySQL | MySQL database | init script `/etc/init.d/mysql` | +| | server for ... | | ++--------------------+--------------------+----------------------------------+ +| Postfix | SMTP server for | init script | +| | local mail | `/etc/init.d/postfix` | +| | submission, ... | | ++--------------------+--------------------+----------------------------------+ +| Exim | SMTP server for | init script `/etc/init.d/exim4` | +| | local mail | | +| | submission, ... 
| | ++--------------------+--------------------+----------------------------------+ +| Nagios NRPE server | remote monitoring | init script | +| | service queried by | `/etc/init.d/nagios-nrpe-server` | +| | :doc:`monitor` | | ++--------------------+--------------------+----------------------------------+ + +Databases +--------- + ++-------------+--------------+---------------------------+ +| RDBMS | Name | Used for | ++=============+==============+===========================+ +| MySQL | application1 | fictional application one | ++-------------+--------------+---------------------------+ +| PostgreSQL | application2 | fictional application two | ++-------------+--------------+---------------------------+ + +Running Guests +-------------- + ++----------------+-------------+---------------+---------+---------------+ +| Machine | IP Intranet | IP Internet | Ports | Purpose | ++================+=============+===============+=========+===============+ +| :doc:`machine` | <LOCAL IP> | <INTERNET IP> | <PORTS> | <DESCRIPTION> | ++----------------+-------------+---------------+---------+---------------+ + +Connected Systems +----------------- + +* :doc:`monitor` + +Outbound network connections +............................ + +* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3 +* :doc:`emailout` as SMTP relay +* ftp.nl.debian.org as Debian mirror +* security.debian.org for Debian security updates +* crl.cacert.org (rsync) for getting CRLs + +Security +======== + +SSH host keys +------------- + ++-----------+-------------+ +| Algorithm | Fingerprint | ++===========+=============+ +| RSA | | ++-----------+-------------+ +| DSA | | ++-----------+-------------+ +| ECDSA | | ++-----------+-------------+ + +.. seealso:: + + See :doc:`sshkeys` + +Dedicated user roles +-------------------- + +.. 
If the system has some dedicated user groups besides the sudo group used for administration it should be documented here + Regular operating system groups should not be documented + +.. || '''Group''' || '''Purpose''' || + || goodguys || Shell access for the good guys || + +Non-distribution packages and modifications +------------------------------------------- + +.. * None + or + * List of non-distribution packages and modifications + +Risk assessments on critical packages +------------------------------------- + +Tasks +===== + +Critical Configuration items +============================ + +Keys and X.509 certificates +--------------------------- + +* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>) +* :file:`/etc/apache2/ssl/<path to server key>` server key + +.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates) + * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate) + +.. seealso:: + + See :doc:`certlist` + +Changes +======= + +Planned +------- + +System Future +............. + +.. * No plans + +Document Stuff +.............. + +.. add a paragraph for each larger planned task that seems to be worth + mentioning. You may want to link to specific issues if you use some issue + tracker. + +Potential Similiar Configurations +................................. + +* https://wiki.cacert.org/Exim4Configuration +* https://wiki.cacert.org/PostfixConfiguration +* https://wiki.cacert.org/QmailConfiguration +* https://wiki.cacert.org/SendmailConfiguration +* https://wiki.cacert.org/StunnelConfiguration + +Potential System Procedures +........................... + +* https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges +* https://wiki.cacert.org/SystemAdministration/CertificateList + +References +========== + +.. 
can be used to provide links to reference documentation + * http://product.site.com/docs/ + * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]] + +Links +===== + +.. || [[https://<system>.cacert.org/]] || <System> URL || + may contain more URLs if there are multiple useful entry points + |
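Review bot: the commented port template row `|| 465/udp || syslog || local || syslog port ||` in the Listening services section is wrong and will be copied verbatim into real system pages: syslog uses 514/udp, while port 465 is SMTPS (tcp), so the row should read `|| 514/udp || syslog || local || syslog port ||`. In the Running services table the rsyslog row points to `/etc/init.d/syslog`, but Debian's rsyslog package installs `/etc/init.d/rsyslog`; fix the path so the template does not document a non-existent start mechanism. Minor points: "Potential Similiar Configurations" should be "Potential Similar Configurations", and the "Risk assessments on critical packages" and "Tasks" sections are the only ones without a `..` guidance comment telling the author what belongs there, which would be consistent with the rest of the template.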