Add description how to setup apt update monitoring
[cacert-infradocs.git] / docs / systems / template.rst
.. index::
   single: Systems; <host>

==================
Systems - TEMPLATE
==================

Purpose
=======

.. <SHORT DESCRIPTION>

Administration
==============

System Administration
---------------------

* Primary: `Primary Name`_
* Secondary: `Secondary Name`_

.. _Primary Name: primary@cacert.org
.. _Secondary Name: secondary@cacert.org

Application Administration
--------------------------

* <application>: <sysadmin's name>

Contact
-------

* <system>-admin@cacert.org

Additional People
-----------------

`Person A`_ and `Person B`_ have :program:`sudo` access on that machine too.

.. _Person A: persona@cacert.org
.. _Person B: personb@cacert.org

Basics
======

Physical Location
-----------------

.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.>

.. ## Use the following for containers on Infra02:

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Physical Configuration
----------------------

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/EquipmentList

Logical Location
----------------

:IP Internet: :ip:v4:`<IP>`
:IP Intranet: :ip:v4:`<IP>`
:IP Internal: :ip:v4:`<IP>`
:MAC address: :mac:`<MAC>` (interfacename)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; <machine>

========================== ======== ====================================================================
Name                       Type     Content
========================== ======== ====================================================================
<HOST>.cacert.org.         IN A     <IP>
<HOST>.intra.cacert.org.   IN A     <IP>
========================== ======== ====================================================================

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Codename
   single: Debian GNU/Linux; x.y

* Debian GNU/Linux x.y

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

.. use the values from this table or add new lines if applicable

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 443/tcp  | https     | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+
| 3306/tcp | mysql     | local     | MySQL database for ...                  |
+----------+-----------+-----------+-----------------------------------------+
| 5432/tcp | pgsql     | local     | PostgreSQL database for ...             |
+----------+-----------+-----------+-----------------------------------------+
| 465/udp  | syslog    | local     | syslog port                             |
+----------+-----------+-----------+-----------------------------------------+

133
134 Running services
135 ----------------
136
137 +--------------------+--------------------+----------------------------------------+
138 | Service | Usage | Start mechanism |
139 +====================+====================+========================================+
140 | openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
141 | | remote | |
142 | | administration | |
143 +--------------------+--------------------+----------------------------------------+
144 | Apache httpd | Webserver for ... | init script |
145 | | | :file:`/etc/init.d/apache2` |
146 +--------------------+--------------------+----------------------------------------+
147 | cron | job scheduler | init script :file:`/etc/init.d/cron` |
148 +--------------------+--------------------+----------------------------------------+
149 | rsyslog | syslog daemon | init script |
150 | | | :file:`/etc/init.d/syslog` |
151 +--------------------+--------------------+----------------------------------------+
152 | PostgreSQL | PostgreSQL | init script |
153 | | database server | :file:`/etc/init.d/postgresql` |
154 | | for ... | |
155 +--------------------+--------------------+----------------------------------------+
156 | MySQL | MySQL database | init script |
157 | | server for ... | :file:`/etc/init.d/mysql` |
158 +--------------------+--------------------+----------------------------------------+
159 | Postfix | SMTP server for | init script |
160 | | local mail | :file:`/etc/init.d/postfix` |
161 | | submission, ... | |
162 +--------------------+--------------------+----------------------------------------+
163 | Exim | SMTP server for | init script |
164 | | local mail | :file:`/etc/init.d/exim4` |
165 | | submission, ... | |
166 +--------------------+--------------------+----------------------------------------+
167 | Nagios NRPE server | remote monitoring | init script |
168 | | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
169 | | :doc:`monitor` | |
170 +--------------------+--------------------+----------------------------------------+
171
172 Databases
173 ---------
174
175 +-------------+--------------+---------------------------+
176 | RDBMS | Name | Used for |
177 +=============+==============+===========================+
178 | MySQL | application1 | fictional application one |
179 +-------------+--------------+---------------------------+
180 | PostgreSQL | application2 | fictional application two |
181 +-------------+--------------+---------------------------+
182
183 Running Guests
184 --------------
185
186 +----------------+-------------+---------------+---------+---------------+
187 | Machine | IP Intranet | IP Internet | Ports | Purpose |
188 +================+=============+===============+=========+===============+
189 | :doc:`machine` | <LOCAL IP> | <INTERNET IP> | <PORTS> | <DESCRIPTION> |
190 +----------------+-------------+---------------+---------+---------------+
191
192 Connected Systems
193 -----------------
194
195 * :doc:`monitor`
196
197 Outbound network connections
198 ----------------------------
199
200 * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
201 * :doc:`emailout` as SMTP relay
202 * ftp.nl.debian.org as Debian mirror
203 * security.debian.org for Debian security updates
204 * crl.cacert.org (rsync) for getting CRLs
205
206 Security
207 ========
208
209 SSH host keys
210 -------------
211
212 +-----------+-----------------------------------------------------+
213 | Algorithm | Fingerprint |
214 +===========+=====================================================+
215 | RSA | |
216 +-----------+-----------------------------------------------------+
217 | DSA | |
218 +-----------+-----------------------------------------------------+
219 | ECDSA | |
220 +-----------+-----------------------------------------------------+
221 | ED25519 | |
222 +-----------+-----------------------------------------------------+
223
224 .. seealso::
225
226 See :doc:`../sshkeys`
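
To fill in the fingerprint column without transcribing ``ssh-keygen -lf`` output by hand, here is an added Python example (not part of the template or of CAcert's tooling). It reads the host's ``/etc/ssh/ssh_host_*_key.pub`` files, computes the SHA256 fingerprint the way OpenSSH does (SHA-256 over the base64-decoded key blob, encoded as base64 without padding) and prints rows in the format of the table above. It takes the algorithm from the key blob itself rather than from the text in front of it. The key line it falls back to when no host keys are found is a constructed ed25519 blob with a placeholder key, not a real host key.

```python
"""Emit rows for the 'SSH host keys' table of a system page from OpenSSH
public key files, computing SHA256 fingerprints like ``ssh-keygen -lf``.

Added example for the template, not part of cacert-infradocs."""
import base64
import glob
import hashlib
import struct

# Key type as it appears inside the public key blob -> algorithm name in the table.
ALGORITHMS = {
    "ssh-rsa": "RSA",
    "ssh-dss": "DSA",
    "ecdsa-sha2-nistp256": "ECDSA",
    "ecdsa-sha2-nistp384": "ECDSA",
    "ecdsa-sha2-nistp521": "ECDSA",
    "ssh-ed25519": "ED25519",
}


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(pubkey_line):
    """Return (algorithm, 'SHA256:...') for one line of an OpenSSH .pub file."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    # The blob starts with the key type as a length-prefixed string; use that
    # rather than the leading text field, which can disagree with the blob.
    (length,) = struct.unpack(">I", blob[:4])
    keytype = blob[4:4 + length].decode("ascii")
    digest = hashlib.sha256(blob).digest()
    encoded = base64.b64encode(digest).decode("ascii").rstrip("=")
    return ALGORITHMS.get(keytype, keytype), "SHA256:" + encoded


def table_rows(pubkey_lines, width=53):
    """Format grid-table rows with the column widths used on this page (11 and 53)."""
    rows = []
    for line in pubkey_lines:
        algo, fp = fingerprint(line)
        rows.append("| " + algo.ljust(9) + " | " + fp.ljust(width - 2) + " |")
        rows.append("+" + "-" * 11 + "+" + "-" * width + "+")
    return rows


# Constructed sample: a structurally valid ssh-ed25519 blob around a
# placeholder 32-byte key. It is NOT a real host key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " root@template"


if __name__ == "__main__":
    paths = sorted(glob.glob("/etc/ssh/ssh_host_*_key.pub"))
    lines = [open(path).readline() for path in paths] or [SAMPLE_LINE]
    print("\n".join(table_rows(lines)))
```

The values it prints should be cross-checked against ``ssh-keygen -lf`` on the host once, and against what a client sees on first connection, before they are pasted into the table; the documented fingerprints are only useful if they were recorded from the machine itself, not from a client that may already have been talking to the wrong host.
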

Dedicated user roles
--------------------

.. If the system has some dedicated user groups besides the sudo group used for administration it should be documented here
   Regular operating system groups should not be documented

..
   || '''Group''' || '''Purpose''' ||
   || goodguys || Shell access for the good guys ||

Non-distribution packages and modifications
-------------------------------------------

.. * None
   or
   * List of non-distribution packages and modifications

Risk assessments on critical packages
-------------------------------------

.. add a paragraph for each known risk. The risk has to be described.
   Mitigation or risk acceptance has to be documented.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
* :file:`/etc/apache2/ssl/<path to server key>` server key

.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
   * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)

.. seealso::

   * :doc:`../certlist`
   * https://wiki.cacert.org/SystemAdministration/CertificateList

Tasks
=====

Planned
-------

.. add a paragraph for each larger planned task that seems to be worth
   mentioning. You may want to link to specific issues if you use some issue
   tracker.

Changes
=======

System Future
-------------

.. * No plans

Additional documentation
========================

.. add inline documentation

.. remove unneeded links from the list below, add other links that apply

.. seealso::

   * https://wiki.cacert.org/Exim4Configuration
   * https://wiki.cacert.org/PostfixConfiguration
   * https://wiki.cacert.org/QmailConfiguration
   * https://wiki.cacert.org/SendmailConfiguration
   * https://wiki.cacert.org/StunnelConfiguration

References
----------

.. can be used to provide links to reference documentation
   * http://product.site.com/docs/
   * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]