Fix minor issues in system template
[cacert-infradocs.git] / docs / systems / arbitration.rst
.. index::
   single: Systems; Arbitration

===========
Arbitration
===========

Purpose
=======

This system is planned to host a future collaboration platform for arbitrators.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_martin`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

There is no application yet.

.. todo:: setup application(s) and document admins

.. * <application>: <sysadmin's name>

Contact
-------

* arbitration-admin@cacert.org

Additional People
-----------------

:ref:`people_jandd` and :ref:`people_mario` have :program:`sudo` access on this
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.241`
:IP Intranet: :ip:v4:`172.16.2.241`
:IP Internal: :ip:v4:`10.0.0.241`
:MAC address: :mac:`00:ff:5b:e0:cd:8a` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Arbitration

============================= ======== ============================================
Name                          Type     Content
============================= ======== ============================================
arbitration.cacert.org.       IN A     213.154.225.241
arbitration.cacert.org.       IN SSHFP 1 1 40D9C8EBCF8D41A04B990FBC5308675D029BF4EF
arbitration.cacert.org.       IN SSHFP 2 1 7474BFB01AF775511805BF15C45BB9D7591D0CE6
arbitration.intra.cacert.org. IN A     172.16.2.241
============================= ======== ============================================

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.4

* Debian GNU/Linux 8.4

Applicable Documentation
------------------------

This is it :-) There is nothing usable on this system yet.

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+
| 3306/tcp | mysql     | local     | MySQL database for ...                  |
+----------+-----------+-----------+-----------------------------------------+
| 5432/tcp | pgsql     | local     | PostgreSQL database for ...             |
+----------+-----------+-----------+-----------------------------------------+

.. todo:: add TLS/SSL to nginx and add HTTPS port
.. todo:: clarify whether both MySQL and PostgreSQL are used
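
The "Origin" column above is a statement of intent: the database servers and
the local MTA are only supposed to be reachable on the loopback interface,
while NRPE is meant for the monitoring host only. The following Python script
is an added example for this page (it is not part of the CAcert
infrastructure tooling) that cross-checks the table against the sockets a
host actually has open, as reported by ``ss -ltn``. The ``ss`` output it
contains is constructed for the example and deliberately contains two
deviations (PostgreSQL bound to all interfaces, an undocumented 8000/tcp
listener); it is not a capture from the arbitration container.

```python
"""Cross-check the "Listening services" table against what a host really has
open.  Added example for this page; it is not part of the CAcert
infrastructure tooling.  The ``ss -ltn`` output below is constructed: two
lines (5432/tcp on all interfaces, an extra 8000/tcp) are deliberately wrong
to show what the check reports, and none of it is real data from the
arbitration container."""

# Expected origin per port, copied from the listening services table.
EXPECTED_ORIGIN = {22: "ANY", 25: "local", 80: "ANY", 5666: "monitor",
                   3306: "local", 5432: "local"}

# "All interfaces" as printed by ss(8): iproute2 on Debian 8 prints "*",
# newer releases print 0.0.0.0 and [::].
WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}
LOOPBACKS = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample in the layout of ``ss -ltn`` (not a real capture).
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:22                 *:*
LISTEN     0      128    127.0.0.1:25         *:*
LISTEN     0      128    *:80                 *:*
LISTEN     0      128    *:5666               *:*
LISTEN     0      50     127.0.0.1:3306       *:*
LISTEN     0      128    *:5432               *:*
LISTEN     0      128    *:8000               *:*
"""


def parse_ss_listen(output):
    """Return [(local address, port)] for every LISTEN line of ``ss -ltn`` output."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps [::]:22 intact
        sockets.append((addr, int(port)))
    return sockets


def classify(addr, port, expected=EXPECTED_ORIGIN):
    """Return (port, verdict, reason) for one listening socket."""
    origin = expected.get(port)
    if origin is None:
        return port, "undocumented", f"{addr}:{port} is not in the listening services table"
    if origin == "local" and addr not in LOOPBACKS:
        return port, "exposed", f"local-only service bound to {addr}, expected loopback"
    if origin not in ("ANY", "local") and addr in WILDCARDS:
        return port, "verify", (f"origin {origin!r} but bound to all interfaces; "
                                "needs a firewall or allowed_hosts restriction")
    return port, "ok", f"bound to {addr}, origin {origin}"


def check_listeners(output, expected=EXPECTED_ORIGIN):
    """Classify every open socket and report documented ports that are closed."""
    sockets = parse_ss_listen(output)
    findings = [classify(addr, port, expected) for addr, port in sockets]
    open_ports = {port for _, port in sockets}
    for port in sorted(set(expected) - open_ports):
        findings.append((port, "missing",
                         f"documented {expected[port]} service on {port}/tcp is not listening"))
    return findings


if __name__ == "__main__":
    for port, verdict, reason in check_listeners(SAMPLE_SS_OUTPUT):
        print(f"{port:>5}/tcp  {verdict:<12} {reason}")
```

On the container itself, pass the real output instead of the sample, for
example ``check_listeners(open("ss.txt").read())`` after ``ss -ltn > ss.txt``.
A ``verify`` verdict for 5666/tcp is expected, since NRPE has to accept
connections from the monitoring host; what needs checking there is that
``allowed_hosts`` in :file:`/etc/nagios/nrpe.cfg` (or a host firewall) limits
it to :doc:`monitor`. An ``exposed`` verdict for a database port means the
server's bind address, not this table, is wrong.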
122
Running services
----------------

.. index::
   single: openssh
   single: nginx
   single: cron
   single: PostgreSQL
   single: MySQL
   single: Exim
   single: nrpe

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| nginx              | Webserver for ...  | init script                            |
|                    |                    | :file:`/etc/init.d/nginx`              |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for ...            |                                        |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for ...     | :file:`/etc/init.d/mysql`              |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+-------------+----------+------------------------------+
| RDBMS       | Name     | Used for                     |
+=============+==========+==============================+
| MySQL       | etherpad | future etherpad installation |
+-------------+----------+------------------------------+

.. todo:: setup databases

.. note::
   There is a PostgreSQL server setup in this container but it contains
   no database yet.

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates

Security
========

SSH host keys
-------------

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       | ``a3:6c:f1:f8:8c:81:7c:f7:3b:4e:e4:0e:a3:02:8e:18`` |
+-----------+-----------------------------------------------------+
| DSA       | ``eb:66:0e:0d:d1:f3:d8:02:3a:ed:71:7a:b2:04:db:75`` |
+-----------+-----------------------------------------------------+
| ECDSA     | ``54:a3:76:46:66:fc:3f:2d:9b:e4:bd:49:ba:fe:98:09`` |
+-----------+-----------------------------------------------------+
| ED25519   | \-                                                  |
+-----------+-----------------------------------------------------+

.. todo:: setup ED25519 host key

.. note::
   The fingerprints above are MD5 fingerprints, the format printed by
   ``ssh-keygen -l`` on OpenSSH releases before 6.8; newer clients print
   SHA-256 fingerprints by default and need ``ssh-keygen -l -E md5`` to show
   this format. OpenSSH 7.0 and later no longer offer the DSA host key by
   default, so clients will normally see the RSA or ECDSA key.

.. seealso::

   See :doc:`../sshkeys`
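
The SSHFP records in the DNS table and the fingerprints in the table above
are both derived from the same public key blob, the base64 part of a
:file:`/etc/ssh/ssh_host_*_key.pub` line: an SSHFP record is the SHA-1
(fingerprint type 1) or SHA-256 (type 2) digest of that blob, tagged with an
algorithm number, while the MD5 fingerprint is the MD5 digest of the same
bytes. The following Python script is an added example for this page, not
CAcert tooling, and shows the derivation and a check of a zone-file SSHFP
record against a key. The Ed25519 key in it is constructed from 32 fixed
bytes for the demonstration and is not a real host key; the host name is
used only as a label in the generated records.

```python
"""Derive SSHFP records (RFC 4255; SHA-256 type from RFC 6594; Ed25519
algorithm number from RFC 7479) and OpenSSH fingerprints from an SSH host
public key, and verify a zone-file SSHFP record against the key.
Added example, not CAcert code.  The key below is constructed from 32 fixed
bytes and is not a real host key; the records are derived from it, not
taken from DNS."""
import base64
import hashlib

SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}  # fingerprint type -> hash


def ssh_string(data):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ed25519_blob(raw_pubkey):
    """Key blob as it appears base64-encoded in ssh_host_ed25519_key.pub."""
    if len(raw_pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def parse_pubkey_line(line):
    """Parse an OpenSSH public key line into (key type, key blob)."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():  # blob starts with its own type string
        raise ValueError("key type in blob does not match declared type")
    return keytype, blob


def sshfp_records(hostname, keytype, blob):
    """Zone-file lines for this key, one per supported fingerprint type."""
    alg = SSHFP_ALGORITHM[keytype]
    return [f"{hostname}. IN SSHFP {alg} {fptype} {h(blob).hexdigest().upper()}"
            for fptype, h in SSHFP_HASH.items()]


def md5_fingerprint(blob):
    """Legacy colon-separated MD5 fingerprint (ssh-keygen -l -E md5)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob):
    """Current ssh-keygen -l format: unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_sshfp(rdata, keytype, blob):
    """Check one SSHFP RDATA string ("alg fptype hexdigest") against a key."""
    try:
        alg, fptype, fingerprint = rdata.split()
        alg, fptype = int(alg), int(fptype)
    except ValueError:
        return False
    if SSHFP_ALGORITHM.get(keytype) != alg or fptype not in SSHFP_HASH:
        return False
    return SSHFP_HASH[fptype](blob).hexdigest().lower() == fingerprint.lower()


# Constructed demonstration key (32 fixed bytes), not a real host key.
CONSTRUCTED_BLOB = ed25519_blob(bytes(range(32)))
CONSTRUCTED_PUBKEY_LINE = ("ssh-ed25519 "
                           + base64.b64encode(CONSTRUCTED_BLOB).decode()
                           + " constructed-example")

if __name__ == "__main__":
    keytype, blob = parse_pubkey_line(CONSTRUCTED_PUBKEY_LINE)
    for record in sshfp_records("arbitration.cacert.org", keytype, blob):
        print(record)
    print("MD5   ", md5_fingerprint(blob))
    print("SHA256", sha256_fingerprint(blob))
```

On the host, ``ssh-keygen -r arbitration.cacert.org -f
/etc/ssh/ssh_host_rsa_key.pub`` prints the same SHA-1 and SHA-256 records for
the real key, and ``dig +dnssec arbitration.cacert.org SSHFP`` shows what is
published; the two should agree. The DNS table above publishes SHA-1 records
for the RSA (algorithm 1) and DSA (algorithm 2) keys only, so the ECDSA key
has no record and an Ed25519 key will need an algorithm 4 record once it is
set up. Note that an ssh client with ``VerifyHostKeyDNS yes`` only accepts a
matching SSHFP record without prompting when the resolver reports it as
DNSSEC-validated; without DNSSEC the record merely adds a hint to the usual
fingerprint prompt.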

Dedicated user roles
--------------------

.. If the system has some dedicated user groups besides the sudo group used for administration it should be documented here
   Regular operating system groups should not be documented

.. '''Group''' || '''Purpose''' ||
   goodguys || Shell access for the good guys ||

Non-distribution packages and modifications
-------------------------------------------

* some experimental npm/nodejs/etherpad things in :file:`/home/magu`, not
  running yet

..
   or
   * List of non-distribution packages and modifications

Risk assessments on critical packages
-------------------------------------

* No application services exposed yet; only :program:`ssh` (22/tcp) and the
  nginx default page (80/tcp) are reachable from the Internet.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

* No keys or certificates setup yet

..
   * :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
   * :file:`/etc/apache2/ssl/<path to server key>` server key
   * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
   * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)

.. seealso::

   * :doc:`../certlist`
   * https://wiki.cacert.org/SystemAdministration/CertificateList

Nginx configuration
-------------------

* :file:`/etc/nginx/sites-available/default` default nginx configuration

Tasks
=====

Planned
-------

.. todo:: Evaluate and setup a collaboration system for arbitrators.
.. todo:: setup IPv6

Changes
=======

System Future
-------------

The system should be set up properly or removed if it is not required
anymore.

Additional documentation
========================

.. add inline documentation

.. seealso::

   * https://wiki.cacert.org/Exim4Configuration

References
----------

Arbitration nginx welcome page
   http://arbitration.cacert.org/