.. index::
   single: Systems; Puppet

======
Puppet
======

Purpose
=======

This system acts as `Puppet`_ master for infrastructure systems.

.. _Puppet: https://docs.puppet.com/puppet/

Application Links
-----------------

This system has no publicly visible URLs.


Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Puppet server | :ref:`people_jandd` |
+---------------+---------------------+
| PuppetDB      | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* puppet-admin@cacert.org

Additional People
-----------------

* None

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: None
:IP Intranet: None
:IP Internal: :ip:v4:`10.0.0.200`
:IPv6: :ip:v6:`2001:7b8:616:162:2::200`
:MAC address: :mac:`00:ff:f9:32:9d:2a` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Puppet

.. todo:: setup DNS records (in infra.cacert.org zone)

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+-----------+-----------+------------------------------------------+
| Port     | Service   | Origin    | Purpose                                  |
+==========+===========+===========+==========================================+
| 22/tcp   | ssh       | ANY       | admin console access                     |
+----------+-----------+-----------+------------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA               |
+----------+-----------+-----------+------------------------------------------+
| 5432/tcp | pgsql     | local     | PostgreSQL database for PuppetDB         |
+----------+-----------+-----------+------------------------------------------+
| 8000/tcp | git-hook  | internal  | HTTP endpoint for git-pull-hook          |
+----------+-----------+-----------+------------------------------------------+
| 8140/tcp | puppet    | internal  | Puppet master                            |
+----------+-----------+-----------+------------------------------------------+
| 8080/tcp | puppetdb  | local     | HTTP endpoint for local PuppetDB queries |
+----------+-----------+-----------+------------------------------------------+
| 8081/tcp | puppetdb  | internal  | HTTPS endpoint for PuppetDB              |
+----------+-----------+-----------+------------------------------------------+

Running services
----------------

.. index::
   single: cron
   single: exim
   single: git-pull-hook
   single: openssh
   single: postgresql
   single: puppet agent
   single: puppet server
   single: puppetdb
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| git-pull-hook      | Custom Python3     | init script                            |
|                    | hook to pull git   | :file:`/etc/init.d/git-pull-hook`      |
|                    | changes from the   |                                        |
|                    | cacert-puppet      |                                        |
|                    | repository         |                                        |
+--------------------+--------------------+----------------------------------------+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for PuppetDB       |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet server      | Puppet master for  | init script                            |
|                    | infrastructure     | :file:`/etc/init.d/puppetserver`       |
|                    | systems            |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | local Puppet agent | init script                            |
|                    |                    | :file:`/etc/init.d/puppet`             |
+--------------------+--------------------+----------------------------------------+
| PuppetDB           | PuppetDB for       | init script                            |
|                    | querying Puppet    | :file:`/etc/init.d/puppetdb`           |
|                    | facts and nodes    |                                        |
|                    | and resources      |                                        |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+-------------+----------+-------------------+
| RDBMS       | Name     | Used for          |
+=============+==========+===================+
| PostgreSQL  | puppetdb | PuppetDB database |
+-------------+----------+-------------------+

Connected Systems
-----------------

* :doc:`bugs`
* :doc:`emailout`
* :doc:`ircserver`
* :doc:`issue`
* :doc:`jenkins`
* :doc:`monitor`
* :doc:`motion`
* :doc:`proxyin`
* :doc:`proxyout`
* :doc:`svn`
* :doc:`translations`
* :doc:`web`
* :doc:`webstatic`
* :doc:`git` for triggering the git-pull-hook on newly pushed commits to the
  cacert-puppet repository

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`git` to fetch new commits from the cacert-puppet repository
* :doc:`proxyout` as HTTP proxy for APT
* forgeapi.puppet.com for Puppet forge access
* rubygems.org for Puppet specific Ruby gems

Security
========

.. sshkeys::
   :RSA: SHA256:PPEZkD7ezGStENYmE9/RftHqJyy6cC9IN6zw63OvJTM MD5:54:57:b0:09:46:ba:56:95:5e:e3:35:df:28:27:ed:c5
   :ECDSA: SHA256:3U1CVC9YAKmF9W5SDLibwP1A9MVSb5ltVN7nYNOE15o MD5:29:06:f1:71:8d:65:3e:39:7c:49:69:16:8d:99:97:15
   :ED25519: SHA256:AkqMLLEtMbAEuxniRRDgd7TItD+pb9hsbpn5Ab81+IM MD5:53:dc:e7:4d:25:89:a8:d5:5a:24:0b:06:3f:41:cd:4d

Non-distribution packages and modifications
-------------------------------------------

The Puppet server, Puppet agent and PuppetDB packages and a few dependencies
are installed from the official Puppet APT repository because the versions
in Debian are too old to use modern Puppet features.

Some Ruby gems are installed via the Puppet-specific ``gem`` binary to support
advanced Puppet functionality like hiera-eyaml.

All Puppet related code is installed in the Puppet-specific
:file:`/opt/puppetlabs` tree.

Risk assessments on critical packages
-------------------------------------

The system uses third party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

Puppet comes with its own built-in special purpose CA that is used to sign the
Puppet server and PuppetDB certificates as well as the certificates of all
trusted Puppet agents.

The CA data is stored in :file:`/etc/puppetlabs/puppet/ssl` and managed by
Puppet itself.


Eyaml private key
-----------------

All sensitive data like passwords in Hiera data is encrypted using the public
key in :file:`keys/public_key.pkcs7.pem` in the `CAcert puppet Git repository
<ssh://git.cacert.org/var/cache/git/cacert-puppet.git>`_. The corresponding
private key is stored in
:file:`/etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem`.
Whoever can read this private key can decrypt every secret in the Hiera data,
so it lives only on this system and is never committed to the repository.


hiera configuration
-------------------

Puppet uses Hiera for hierarchical information retrieval. The global Hiera
configuration is stored in :file:`/etc/puppetlabs/puppet/hiera.yaml` and
defines the hierarchy lookup as well as the eyaml key locations.


puppet configuration
--------------------

All Puppet configuration is stored in :file:`/etc/puppetlabs/`. The CAcert
specific Puppet code is taken from the `CAcert puppet Git repository
<ssh://git.cacert.org/var/cache/git/cacert-puppet.git>`_ and cloned into the
:file:`/etc/puppetlabs/code/environments/production/` directory. Required
Puppet modules are installed by :program:`/opt/puppetlabs/puppet/bin/r10k`.

The Puppet code should follow best practices like the Roles and profiles
pattern (see references below) and code/data separation via Hiera.

Updates to the cacert-puppet repository trigger a web hook listening on TCP
port 8000 that automatically updates the production environment directory.

290
291
292 Tasks
293 =====
294
295 Planned
296 -------
297
298 * migrate as many systems as possible to use Puppet for a more
299 reproducible/auditable system setup
300 * automate updates of the Puppet code from Git
301
302 .. todo:: improve Webhook to run r10k after git pull
303
304 Changes
305 =======
306
307 System Future
308 -------------
309
310 * Improve setup, use more widely
311
312 Additional documentation
313 ========================
314
315 .. seealso::
316
317 * :wiki:`Exim4Configuration`
318
319 References
320 ----------
321
322 * https://docs.puppet.com/puppet/
323 * https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml
324 * https://docs.puppet.com/pe/2016.5/r_n_p_full_example.html