Add glossary and indexing
[cacert-infradocs.git] / docs / systems / arbitration.rst
.. index::
   single: Systems; Arbitration

===========
Arbitration
===========

Purpose
=======

This system is planned to host a future collaboration platform for arbitrators.

Administration
==============

System Administration
---------------------

* Primary: `Martin Gummi`_
* Secondary: None

.. todo:: find an additional admin

.. _Martin Gummi: martin.gummi@cacert.org

Application Administration
--------------------------

There is no application yet.

.. todo:: set up application(s) and document admins

.. * <application>: <sysadmin's name>

Contact
-------

* arbitration-admin@cacert.org

Additional People
-----------------

`Jan Dittberner`_ and `Mario Lipinski`_ have :program:`sudo` access on that
machine too.

.. _Jan Dittberner: jandd@cacert.org
.. _Mario Lipinski: mario@cacert.org

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.241`
:IP Intranet: :ip:v4:`172.16.2.241`
:IP Internal: :ip:v4:`10.0.0.241`
:MAC address: :mac:`00:ff:5b:e0:cd:8a` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Arbitration

============================= ======== ============================================
Name                          Type     Content
============================= ======== ============================================
arbitration.cacert.org.       IN A     213.154.225.241
arbitration.cacert.org.       IN SSHFP 1 1 40D9C8EBCF8D41A04B990FBC5308675D029BF4EF
arbitration.cacert.org.       IN SSHFP 2 1 7474BFB01AF775511805BF15C45BB9D7591D0CE6
arbitration.intra.cacert.org. IN A     172.16.2.241
============================= ======== ============================================

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.4

* Debian GNU/Linux 8.4

Applicable Documentation
------------------------

This is it :-) There is nothing usable on this system yet.

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+
| 3306/tcp | mysql     | local     | MySQL database for ...                  |
+----------+-----------+-----------+-----------------------------------------+
| 5432/tcp | pgsql     | local     | PostgreSQL database for ...             |
+----------+-----------+-----------+-----------------------------------------+

.. todo:: add TLS/SSL to nginx and add HTTPS port
.. todo:: clarify whether both MySQL and PostgreSQL are used

Running services
----------------

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| nginx              | Webserver for ...  | init script                            |
|                    |                    | :file:`/etc/init.d/nginx`              |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for ...            |                                        |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for ...     | :file:`/etc/init.d/mysql`              |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+-------------+----------+------------------------------+
| RDBMS       | Name     | Used for                     |
+=============+==========+==============================+
| MySQL       | etherpad | future etherpad installation |
+-------------+----------+------------------------------+

.. todo:: set up databases

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates

Security
========

SSH host keys
-------------

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       | ``a3:6c:f1:f8:8c:81:7c:f7:3b:4e:e4:0e:a3:02:8e:18`` |
+-----------+-----------------------------------------------------+
| DSA       | ``eb:66:0e:0d:d1:f3:d8:02:3a:ed:71:7a:b2:04:db:75`` |
+-----------+-----------------------------------------------------+
| ECDSA     | ``54:a3:76:46:66:fc:3f:2d:9b:e4:bd:49:ba:fe:98:09`` |
+-----------+-----------------------------------------------------+
| ED25519   | -                                                   |
+-----------+-----------------------------------------------------+

.. todo:: set up ED25519 host key

.. seealso::

   See :doc:`../sshkeys`

Dedicated user roles
--------------------

.. If the system has some dedicated user groups besides the sudo group used for administration it should be documented here
   Regular operating system groups should not be documented

.. '''Group''' || '''Purpose''' ||
   goodguys || Shell access for the good guys ||

Non-distribution packages and modifications
-------------------------------------------

.. * None
   or
   * List of non-distribution packages and modifications

Risk assessments on critical packages
-------------------------------------

Tasks
=====

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
* :file:`/etc/apache2/ssl/<path to server key>` server key

.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
   * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)

.. seealso::

   * :doc:`../certlist`
   * https://wiki.cacert.org/SystemAdministration/CertificateList

Tasks
=====

Planned
-------

.. todo:: install application
.. todo:: set up IPv6

Changes
=======

System Future
-------------

The system should be set up properly or should be removed if it is not required
anymore.

Additional documentation
========================

.. add inline documentation

.. remove unneeded links from the list below, add other links that apply

.. seealso:

   * https://wiki.cacert.org/Exim4Configuration
   * https://wiki.cacert.org/PostfixConfiguration
   * https://wiki.cacert.org/QmailConfiguration
   * https://wiki.cacert.org/SendmailConfiguration
   * https://wiki.cacert.org/StunnelConfiguration

References
----------

.. can be used to provide links to reference documentation
   * http://product.site.com/docs/
   * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]