Fix minor issues in system template
[cacert-infradocs.git] / docs / systems / board.rst
.. index::
   single: Systems; Board

=====
Board
=====

Purpose
=======

This system hosts an OpenERP instance available at board.cacert.org.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_gero`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

* OpenERP: :ref:`people_gero`, :ref:`people_neo`, Treasurer

.. note:: use personalized accounts only

Contact
-------

* board-admin@cacert.org

Additional People
-----------------

:ref:`people_jandd`, :ref:`people_mario` and :ref:`people_neo` have
:program:`sudo` access on this machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on the physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.252`
:IP Intranet: :ip:v4:`172.16.2.34`
:IP Internal: :ip:v4:`10.0.0.34`
:MAC address: :mac:`00:ff:80:a9:e8:4d` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Board

====================== ======== ============================================
Name                   Type     Content
====================== ======== ============================================
board.cacert.org.      IN A     213.154.225.252
board.cacert.org.      IN SSHFP 1 1 F5C02A860A1CC07AEEFBF802540680C7476BDE6E
board.cacert.org.      IN SSHFP 2 1 7B6EEB0CCDFB2E2CFE479E0AECE36FF995FDD1F4
board.intra.cacert.org IN A     172.16.2.34
====================== ======== ============================================

The SSHFP records cover the RSA (algorithm 1) and DSA (algorithm 2) host keys
and carry SHA-1 fingerprints (fingerprint type 1).

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.10

* Debian GNU/Linux 7.10

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+---------+---------------------------------+
| Port     | Service | Origin  | Purpose                         |
+==========+=========+=========+=================================+
| 22/tcp   | ssh     | ANY     | admin console access            |
+----------+---------+---------+---------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA      |
+----------+---------+---------+---------------------------------+
| 80/tcp   | http    | ANY     | Webserver redirecting to HTTPS  |
+----------+---------+---------+---------------------------------+
| 443/tcp  | https   | ANY     | Webserver for OpenERP           |
+----------+---------+---------+---------------------------------+
| 5432/tcp | pgsql   | local   | PostgreSQL database for OpenERP |
+----------+---------+---------+---------------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service       |
+----------+---------+---------+---------------------------------+
| 8069/tcp | xmlrpc  | local   | OpenERP XML-RPC service         |
+----------+---------+---------+---------------------------------+

Running services
----------------

.. index::
   single: openssh
   single: Apache
   single: cron
   single: PostgreSQL
   single: OpenERP
   single: Postfix
   single: nrpe

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for      | init script                            |
|                    | OpenERP            | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/rsyslog`            |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for OpenERP        |                                        |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| OpenERP server     | OpenERP WSGI       | init script                            |
|                    | application        | :file:`/etc/init.d/openerp`            |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+------------+---------+----------+
| RDBMS      | Name    | Used for |
+============+=========+==========+
| PostgreSQL | openerp | OpenERP  |
+------------+---------+----------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* HTTP (80/tcp) to nightly.openerp.com (OpenERP package source, see below)
* DNS (53/udp and 53/tcp) to the resolving nameservers 172.16.2.2 and
  172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for getting CRLs

Security
========

SSH host keys
-------------

The fingerprints are the MD5 fingerprints as printed by :program:`ssh-keygen -l`
on Debian 7.

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       | ``c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1`` |
+-----------+-----------------------------------------------------+
| DSA       | ``f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3`` |
+-----------+-----------------------------------------------------+
| ECDSA     | ``0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac`` |
+-----------+-----------------------------------------------------+
| ED25519   | \-                                                  |
+-----------+-----------------------------------------------------+

.. todo:: setup ED25519 host key

.. todo:: publish an SSHFP record for the ECDSA host key (algorithm 3); the
   existing records only cover RSA and DSA and use SHA-1 fingerprints (type
   1), SHA-256 (type 2) records should be added alongside them

.. seealso::

   See :doc:`../sshkeys`
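Both the SSHFP records in the DNS table and the MD5 fingerprints in the table
above are hashes over the host's public key blob, so an administrator can
recompute them from :file:`/etc/ssh/ssh_host_*_key.pub` without trusting the
host's own :program:`ssh-keygen`. The following is an added example written
for this page (it is not code from cacert-infradocs or OpenSSH): it parses an
OpenSSH public key line, derives the SSHFP RDATA and the colon-separated MD5
fingerprint, and checks a published record against the key. The sample key
line it builds is constructed and cryptographically meaningless; only its
encoding is valid.

```python
import base64
import hashlib
import struct

# Added example for this page, not code from cacert-infradocs. SSHFP algorithm
# numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types (RFC 6594).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_SHA1 = 1
SSHFP_SHA256 = 2
_DIGESTS = {SSHFP_SHA1: hashlib.sha1, SSHFP_SHA256: hashlib.sha256}


def _ssh_string(blob, offset=0):
    """Read one SSH wire-format string (big-endian uint32 length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_pubkey_line(line):
    """Return (key_type, blob) for a line such as 'ssh-rsa AAAA... comment'.

    The type string embedded in the blob must equal the first field: a
    mismatch means the line was edited or mis-pasted, so it is rejected
    rather than hashed into a misleading fingerprint.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    embedded, _ = _ssh_string(blob)
    if embedded != key_type.encode("ascii"):
        raise ValueError("type field %r does not match encoded blob" % key_type)
    if key_type not in SSHFP_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for %s" % key_type)
    return key_type, blob


def sshfp_rdata(line, fp_type=SSHFP_SHA1):
    """SSHFP RDATA ('<algorithm> <fp type> <hex>') as published in the DNS table."""
    key_type, blob = parse_pubkey_line(line)
    fingerprint = _DIGESTS[fp_type](blob).hexdigest().upper()
    return "%d %d %s" % (SSHFP_ALGORITHMS[key_type], fp_type, fingerprint)


def md5_fingerprint(line):
    """Colon-separated MD5 fingerprint, the format used in the host key table."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sshfp_matches(line, published_rdata):
    """True if the published SSHFP RDATA matches the key in `line`."""
    algorithm, fp_type, fingerprint = published_rdata.split()
    if int(fp_type) not in _DIGESTS:
        return False
    expected = sshfp_rdata(line, int(fp_type))
    return expected == "%s %s %s" % (algorithm, fp_type, fingerprint.upper())


def sample_key_line(key_type, filler=b"\x42"):
    """Constructed test input: a valid OpenSSH line with a meaningless key blob.

    The blob holds the wire-format type string plus one 32-byte dummy field.
    Real keys carry more fields, but the fingerprint is a hash over the
    whole blob regardless of its contents.
    """
    type_bytes = key_type.encode("ascii")
    blob = struct.pack(">I", len(type_bytes)) + type_bytes
    blob += struct.pack(">I", 32) + filler * 32
    return "%s %s constructed-example" % (
        key_type, base64.b64encode(blob).decode("ascii"))


if __name__ == "__main__":
    key = sample_key_line("ssh-rsa")
    print(sshfp_rdata(key))                # compare with the 'IN SSHFP 1 1' record
    print(sshfp_rdata(key, SSHFP_SHA256))  # the SHA-256 (type 2) variant
    print(md5_fingerprint(key))            # compare with the host key table
```

To check the real host, pass the contents of
:file:`/etc/ssh/ssh_host_rsa_key.pub` to ``sshfp_matches`` together with the
RDATA from the DNS table; a mismatch after a planned key rollover means the
record was not updated, a mismatch without one deserves an incident ticket.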
210
211 Non-distribution packages and modifications
212 -------------------------------------------
213
214 :program:`OpenERP` is installed from non-distribution packages from
215 http://nightly.openerp.com/7.0/nightly/deb/. The package source is disabled in
216 :file:`/etc/apt/sources.lists.d/openerp.list` to avoid accidential updates that
217 cause damage to the customization.
218
219 Local modifications to OpenERP
220 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
221
222 OpenERP has been modified. The init script :file:`/etc/init.d/openerp` has the
223 following line added to the :func:`do_start()` function to make a request to
224 the OpenERP daemon that causes that daemon to load its configuration and start
225 regular cleanup tasks (like sending scheduled mails):
226
227 .. code:: bash
228
229 sleep 1; curl --silent localhost:8069 > /dev/null
230
231 Some files have been patched to either fix bugs in the upstream OpenERP code or
232 to add customizations for CAcert's needs.
233
234 :file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js`
235
236 .. literalinclude:: ../patches/openerp/py.js.patch
237 :language: diff
238
239 :file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/account.py`
240
241 .. literalinclude:: ../patches/openerp/account.py.patch
242 :language: diff
243
244 :file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py`
245
246 .. literalinclude:: ../patches/openerp/invoice.py.patch
247 :language: diff
248
249 :file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py`
250
251 This patch includes a Paypal link in payment reminders.
252
253 .. literalinclude:: ../patches/openerp/account_followup_paypal.patch
254 :language: diff
255
256 :file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py`
257
258 This patch causes OpenERP to include non-overdue but open payments in reminders.
259
260 .. literalinclude:: ../patches/openerp/account_followup_print.patch
261 :language: diff
262
263 :file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js`
264
265 Fix form display.
266
267 .. todo:: check whether the form display issue has been fixed upstream
268
269 .. literalinclude:: ../patches/openerp/view_form.js.patch
270 :language: diff
271
272 Risk assessments on critical packages
273 -------------------------------------
274
275 Using a customized OpenERP version that is not updated causes a small risk to
276 miss upstream security updates. The risk is mitigated by restricting the access
277 to the system to a very small group of users that are authenticated using
278 personalized client certificates.
279
280 Critical Configuration items
281 ============================
282
283 Keys and X.509 certificates
284 ---------------------------
285
286 .. index::
287 single: Certificate; Board
288
289 * :file:`/etc/ssl/certs/board.crt` server certificate
290 * :file:`/etc/ssl/private/board.key` server key
291 * :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 and Class 3 CA
292 certificates (allowed CA certificates for client certificates)
293
294 .. seealso::
295
296 * :ref:`cert_board_cacert_org` in :doc:`../certlist`
297 * https://wiki.cacert.org/SystemAdministration/CertificateList
298
299 Apache configuration files
300 --------------------------
301
302 * :file:`/etc/apache2/conf.d/openerp-httpd.conf`
303
304 Defines the WSGI setup for OpenERP
305
306 * :file:`/etc/apache2/sites-available/default`
307
308 Defines the HTTP to HTTPS redirection
309
310 * :file:`/etc/apache2/sites-available/default-ssl`
311
312 Defines the HTTPS and client authentication configuration
313
314 * :file:`/var/local/ssl/http_fake_auth.passwd`
315
316 Defines the authorized users based on the DN in their client certificate
317
318 CRL update job
319 --------------
320
321 :file:`/etc/cron.hourly/update-crls`
322
323 OpenERP configuration
324 ---------------------
325
326 :file:`/etc/openerp/openerp-server.conf`
327
328 This file configures the database that is used by OpenERP and the interface
329 that the XML-RPC service binds to.
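The security of this setup depends on the XML-RPC service staying bound to the
loopback interface and on the database manager not being reachable with
default credentials. As an added example that is not part of cacert-infradocs
or OpenERP, the following check parses an :file:`openerp-server.conf` and
reports settings that would expose the service beyond this host or leave the
database manager unprotected. It assumes the OpenERP 7 option names and the
defaults noted in the comments (an empty ``xmlrpc_interface`` means all
interfaces, ``admin_passwd`` defaults to ``admin``, ``list_db`` defaults to
``True``); the two configurations embedded in the block are constructed
samples, not the board system's file.

```python
import configparser

# Added example for this page, not code from cacert-infradocs or OpenERP.
# Option names are those of OpenERP 7's openerp-server.conf; the default
# assumed for each option is noted where it is used.

# Values of xmlrpc_interface that expose the XML-RPC service on every
# interface; OpenERP 7 treats the empty default as "bind everywhere".
ALL_INTERFACES = {"", "0.0.0.0", "::"}
# db_host = False means a local Unix socket, the other two stay on this host.
LOCAL_DB_HOSTS = {"False", "localhost", "127.0.0.1"}


def _is_true(value):
    return value.strip().lower() in ("true", "1", "yes")


def check_openerp_conf(text):
    """Return a list of (option, finding) pairs; an empty list means no issue."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    opts = parser["options"]
    findings = []

    # default '' (all interfaces) in OpenERP 7
    if opts.get("xmlrpc_interface", "").strip() in ALL_INTERFACES:
        findings.append(("xmlrpc_interface",
                         "XML-RPC listens on all interfaces; bind it to "
                         "127.0.0.1 so Apache is the only exposed entry point"))

    # legacy NET-RPC listener; only flagged when switched on explicitly
    if _is_true(opts.get("netrpc", "False")):
        findings.append(("netrpc",
                         "legacy NET-RPC listener enabled; not needed behind "
                         "Apache and should stay off"))

    # default 'admin' in OpenERP 7; guards database create/drop/backup
    if opts.get("admin_passwd", "admin").strip() in ("", "admin"):
        findings.append(("admin_passwd",
                         "database manager password is the default; "
                         "set a long random passphrase"))

    # default True in OpenERP 7; lets anyone enumerate database names
    if _is_true(opts.get("list_db", "True")):
        findings.append(("list_db",
                         "database list is enumerable from the login page; "
                         "disable it and restrict with dbfilter"))

    # default False (local socket) in OpenERP 7
    if opts.get("db_host", "False").strip() not in LOCAL_DB_HOSTS:
        findings.append(("db_host",
                         "PostgreSQL is reached over the network; verify the "
                         "remote listener is restricted as intended"))

    return findings


# Constructed samples for this example, not the board system's configuration.
WEAK_CONF = """\
[options]
db_host = False
db_user = openerp
db_password = False
admin_passwd = admin
xmlrpc_interface =
xmlrpc_port = 8069
list_db = True
"""

HARDENED_CONF = """\
[options]
db_host = False
db_user = openerp
db_password = False
admin_passwd = example-long-random-passphrase
xmlrpc_interface = 127.0.0.1
xmlrpc_port = 8069
netrpc = False
list_db = False
dbfilter = ^openerp$
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_openerp_conf(conf) or "no findings")
```

Run it against a copy of the live file after every configuration change; the
``xmlrpc_interface`` finding in particular must never appear on this host, as
it would bypass the client certificate check that Apache enforces.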
330
331 Tasks
332 =====
333
334 Planned
335 -------
336
337 .. todo:: disable unneeded Apache modules
338
339 .. todo:: setup IPv6
340
341 .. todo:: consider using a centralized PostgreSQL instance
342
343 Changes
344 =======
345
346 System Future
347 -------------
348
349 .. todo:: system should be updated to Debian 8
350
351 Additional documentation
352 ========================
353
354 .. seealso::
355
356 * https://wiki.cacert.org/PostfixConfiguration
357
358 References
359 ----------
360
361 OpenERP URL
362 https://board.cacert.org/