Diffstat (limited to 'docs')
-rw-r--r-- | docs/conf.py | 8 | ||||
-rw-r--r-- | docs/index.rst | 2 | ||||
-rw-r--r-- | docs/infra02.rst | 50 | ||||
-rw-r--r-- | docs/iplist.rst | 35 | ||||
-rw-r--r-- | docs/network.rst | 25 | ||||
-rw-r--r-- | docs/template.rst | 270 |
6 files changed, 376 insertions, 14 deletions
diff --git a/docs/conf.py b/docs/conf.py
index 581c02c..5ce9729 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -18,7 +18,7 @@ import os
 # If extensions (or modules to document with autodoc) are in another directory,
 # add these directories to sys.path here. If the directory is relative to the
 # documentation root, use os.path.abspath to make it absolute, like shown here.
-#sys.path.insert(0, os.path.abspath('.'))
+sys.path.insert(0, os.path.abspath('.'))
 # -- General configuration ------------------------------------------------
@@ -30,6 +30,8 @@ import os
 # ones.
 extensions = [
 'sphinx.ext.todo',
+ 'jandd.sphinxext.ip',
+ 'jandd.sphinxext.mac',
 ]
 # Add any paths that contain templates here, relative to this directory.
@@ -75,7 +77,7 @@ language = None
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
-exclude_patterns = ['_build']
+exclude_patterns = ['_build', 'template.rst']
 # The reST default role (used for this markup: `text`) to use for all
 # documents.
@@ -109,7 +111,7 @@ todo_include_todos = True
 # The theme to use for HTML and HTML Help pages. See the documentation for
 # a list of builtin themes.
-html_theme = 'alabaster'
+html_theme = 'classic'
 # Theme options are theme-specific and customize the look and feel of a theme
 # further. For a list of options available for each theme, see the
diff --git a/docs/index.rst b/docs/index.rst
index a9f7b67..14780af 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -17,12 +17,12 @@ Contents:
 network
 infra02
+ iplist
 Indices and tables
 ==================
 * :ref:`genindex`
-* :ref:`modindex`
 * :ref:`search`
diff --git a/docs/infra02.rst b/docs/infra02.rst
index 35f59e9..d47345d 100644
--- a/docs/infra02.rst
+++ b/docs/infra02.rst
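Review bot: The two new `extensions` entries, `'jandd.sphinxext.ip'` and `'jandd.sphinxext.mac'`, make the docs build depend on a third-party package that nothing in this commit declares or pins — the diffstat lists only files under `docs/`, so unless a requirements file already exists elsewhere in the repository, a build on a fresh host will either fail on import or pull whatever version the package index serves that day. A pinned `docs/requirements.txt` (ideally with hashes) for these extensions would make the build reproducible and keep it off an unreviewed supply chain. The uncommented `sys.path.insert(0, os.path.abspath('.'))` in the first hunk also puts the docs directory ahead of everything else on the import path for the build; if it was only enabled to locate these extensions it is unnecessary once they are installed as a package, and it lets any module dropped into `docs/` shadow stdlib or site-packages names — a comment stating why it is needed, e.g. `# needed so Sphinx can import <module> from this directory`, or removing it, would help.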
@@ -1,9 +1,33 @@
+=======
 Infra02
 =======
+Basics
+======
+
+Purpose
+-------
+
 The infrastructure host system Infra02 is a dedicated machine for the CAcert
-infrastructure. The machine has been sponsored by Thomas Krenn and has the
-following hardware parameters:
+infrastructure.
+
+Infra02 is the host system for all infrastructure containers. The containers
+are setup using the Linux kernel's LXC_ system. The firewall for infrastructure
+is maintained on this machine using Ferm_.
+
+.. _LXC: https://linuxcontainers.org/
+.. _Ferm: http://ferm.foo-projects.org/
+
+Physical Location
+-----------------
+
+The machine is located in a server rack at BIT B.V. in the Netherlands.
+
+Physical Configuration
+----------------------
+
+The machine has been sponsored by Thomas Krenn and has the following hardware
+parameters:
 :Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
 :CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz
@@ -16,8 +40,24 @@ following hardware parameters:
 There is a 2 TB USB backup disk attached to the system
-Infra02 is the host system for all infrastructure containers. The containers
-are setup using the Linux kernel's LXC_ system.
+.. seealso::
-.. _LXC: https://linuxcontainers.org/
+ See https://wiki.cacert.org/SystemAdministration/EquipmentList
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.230`
+:IP Intranet: :ip:v4:`172.16.2.10`
+:IP internal: :ip:v4:`10.0.0.1`
+:IPv6: :ip:v6:`2001:7b8:616:162:1::10`
+:IPv6 on br0: :ip:v6:`2001:7b8:616:162:2::10`
+:MAC address:
+
+ * :mac:`00:25:90:a9:66:e9` (eth0)
+ * :mac:`fe:0e:ee:75:a3:a5` (br0)
+
+.. seealso::
+
+ :doc:`network`.
diff --git a/docs/iplist.rst b/docs/iplist.rst
new file mode 100644
index 0000000..a3abc16
--- /dev/null
+++ b/docs/iplist.rst
@@ -0,0 +1,35 @@
+IP address list
+===============
+
+Internet IP addresses
+---------------------
+
+.. ip:v4range:: 213.154.225.0/24
+
+ This is the public CAcert IPv4 address range
+
+.. ip:v4:: 213.154.225.230
+
+.. ip:v6range:: 2001:7b8:616:162:1::/80
+
+.. ip:v6:: 2001:7b8:616:162:1::10
+
+.. ip:v6range:: 2001:7b8:616:162:2::/80
+
+.. ip:v6:: 2001:7b8:616:162:2::10
+
+
+Intranet IP addresses
+---------------------
+
+.. ip:v4range:: 172.16.2.0/24
+
+.. ip:v4:: 172.16.2.10
+
+
+Internal IP addresses
+---------------------
+
+.. ip:v4range:: 10.0.0.0/24
+
+.. ip:v4:: 10.0.0.1
diff --git a/docs/network.rst b/docs/network.rst
index d9697ac..834e219 100644
--- a/docs/network.rst
+++ b/docs/network.rst
@@ -4,26 +4,41 @@ Network
 .. this page contains information from the IP address list at https://wiki.cacert.org/SystemAdministration/IPList
+.. seealso::
+
+ https://wiki.cacert.org/SystemAdministration/IPList
+
 Internet
 --------
-CAcert has a public Internet IP address range and some of the Internet IP
+CAcert has a public Internet IPv4 address range and some of the Internet IP
 addresses are mapped to the infrastructure systems.
+The infrastructure systems use IPv4 addresses from the
+:ip:v4range:`213.154.225.0/24` subnet.
+
+IPv6 connectivity is also available. The infrastructure IPv6 addresses are
+taken from the :ip:v6range:`2001:7b8:616:162:1::/80` and
+:ip:v6range:`2001:7b8:616:162:2::/80` ranges.
+
 Intranet
 --------
 CAcert's infrastructure systems are using a private network range that is
-accessible from other CAcert systems.
+accessible from other CAcert systems. The Intranet IPv4 addresses are in the
+:ip:v4range:`172.16.2.0/24` subnet.
 Internal
 --------
-The infrastructure host :doc:`infra02` has a local bridge interface that is
-used to connect the containers on that machine and allows explicit routing as
-well as services that are purely internal and are not reachable from the
+The infrastructure host :doc:`infra02` has a local bridge interface *br0* that
+is used to connect the containers on that machine and allows explicit routing
+as well as services that are purely internal and are not reachable from the
 Internet or Intranet machines in the IP range mentioned above.
+The local bridge uses IPv4 addresses from the :ip:v4range:`10.0.0.0/24` range.
+IPv6 addresses are directly assigned to containers from the
+:ip:v6range:`2001:7b8:616:162:2::/80` range.
diff --git a/docs/template.rst b/docs/template.rst
new file mode 100644
index 0000000..8d0e090
--- /dev/null
+++ b/docs/template.rst
@@ -0,0 +1,270 @@
+==================
+Systems - TEMPLATE
+==================
+
+Basics
+======
+
+Purpose
+-------
+
+.. <SHORT DESCRIPTION>
+
+Physical Location
+-----------------
+
+.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.>
+
+.. ## Use the following for containers on Infra02:
+
+This system is located in an LXC_ container on physical machine :doc:`infra02`.
+
+Physical Configuration
+----------------------
+
+.. seealso::
+
+ See https://wiki.cacert.org/SystemAdministration/EquipmentList
+
+Logical location
+----------------
+
+ * IP Internet: <IP>
+ * IP Intranet: <IP>
+ * IP Internal: <IP>
+ * MAC address: <MAC> (interfacename)
+
+.. seealso::
+
+ See :doc:`network`
+
+DNS
+---
+
+ * <HOSTNAME>.cacert.org. IN A <IP>
+ * <HOSTNAME>.intra.cacert.org. IN A <IP>
+
+.. seealso::
+
+ See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+
+Operating System
+----------------
+
+ * Debian GNU/Linux x.y
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Administration
+--------------
+
+System Admin:
+ * <SYSADMIN's NAME>
+
+Contact:
+ * <system>-admin@cacert.org
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Users | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | sysadmins | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | local mail pickup in order to send out |
+| | | | notifications |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp | http | all | application |
++----------+-----------+-----------+-----------------------------------------+
+| 443/tcp | https | all | application |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | sysadmins | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+
+.. below are some definitions of commonly open ports, choose those that are applicable and order the table by port number
+ || 3306/tcp || mysql || local || MySQL database for ... ||
+ || 5432/tcp || pgsql || local || PostgreSQL database for ... ||
+ || 465/udp || syslog || local || syslog port ||
+
+Running services
+----------------
+
++--------------------+--------------------+----------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+==================================+
+| openssh server | ssh daemon for | init script `/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------+
+| Apache httpd | Webserver for ... | init script |
+| | | `/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------+
+| cron | job scheduler | init script `/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------+
+| rsyslog | syslog daemon | init script `/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------+
+| PostgreSQL | PostgreSQL | init script |
+| | database server | `/etc/init.d/postgresql` |
+| | for ... | |
++--------------------+--------------------+----------------------------------+
+| MySQL | MySQL database | init script `/etc/init.d/mysql` |
+| | server for ... | |
++--------------------+--------------------+----------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | `/etc/init.d/postfix` |
+| | submission, ... | |
++--------------------+--------------------+----------------------------------+
+| Exim | SMTP server for | init script `/etc/init.d/exim4` |
+| | local mail | |
+| | submission, ... | |
++--------------------+--------------------+----------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | `/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------+
+
+Databases
+---------
+
++-------------+--------------+---------------------------+
+| RDBMS | Name | Used for |
++=============+==============+===========================+
+| MySQL | application1 | fictional application one |
++-------------+--------------+---------------------------+
+| PostgreSQL | application2 | fictional application two |
++-------------+--------------+---------------------------+
+
+Running Guests
+--------------
+
++----------------+-------------+---------------+---------+---------------+
+| Machine | IP Intranet | IP Internet | Ports | Purpose |
++================+=============+===============+=========+===============+
+| :doc:`machine` | <LOCAL IP> | <INTERNET IP> | <PORTS> | <DESCRIPTION> |
++----------------+-------------+---------------+---------+---------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+............................
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* crl.cacert.org (rsync) for getting CRLs
+
+Security
+========
+
+SSH host keys
+-------------
+
++-----------+-------------+
+| Algorithm | Fingerprint |
++===========+=============+
+| RSA | |
++-----------+-------------+
+| DSA | |
++-----------+-------------+
+| ECDSA | |
++-----------+-------------+
+
+.. seealso::
+
+ See :doc:`sshkeys`
+
+Dedicated user roles
+--------------------
+
+.. If the system has some dedicated user groups besides the sudo group used for administration it should be documented here
+ Regular operating system groups should not be documented
+
+.. || '''Group''' || '''Purpose''' ||
+ || goodguys || Shell access for the good guys ||
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+.. * None
+ or
+ * List of non-distribution packages and modifications
+
+Risk assessments on critical packages
+-------------------------------------
+
+Tasks
+=====
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
+* :file:`/etc/apache2/ssl/<path to server key>` server key
+
+.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
+ * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
+
+.. seealso::
+
+ See :doc:`certlist`
+
+Changes
+=======
+
+Planned
+-------
+
+System Future
+.............
+
+.. * No plans
+
+Document Stuff
+..............
+
+.. add a paragraph for each larger planned task that seems to be worth
+ mentioning. You may want to link to specific issues if you use some issue
+ tracker.
+
+Potential Similiar Configurations
+.................................
+
+* https://wiki.cacert.org/Exim4Configuration
+* https://wiki.cacert.org/PostfixConfiguration
+* https://wiki.cacert.org/QmailConfiguration
+* https://wiki.cacert.org/SendmailConfiguration
+* https://wiki.cacert.org/StunnelConfiguration
+
+Potential System Procedures
+...........................
+
+* https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+* https://wiki.cacert.org/SystemAdministration/CertificateList
+
+References
+==========
+
+.. can be used to provide links to reference documentation
+ * http://product.site.com/docs/
+ * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]
+
+Links
+=====
+
+.. || [[https://<system>.cacert.org/]] || <System> URL ||
+ may contain more URLs if there are multiple useful entry points
+ |