[cacert-infradocs.git] / docs / systems / template.rst
.. index::
   single: Systems; <host>

==================
Systems - TEMPLATE
==================

Purpose
=======

.. <SHORT DESCRIPTION>

Application Links
-----------------

.. link1
   https://<hostname>/<path>

   link2
   https://<hostname>/<path2>

Administration
==============

System Administration
---------------------

.. people_<name> are defined in people.rst

* Primary: :ref:`people_primary`
* Secondary: :ref:`people_secondary`

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| <application> | :ref:`people_admin` |
+---------------+---------------------+

Contact
-------

* <system>-admin@cacert.org

Additional People
-----------------

:ref:`people_a` and :ref:`people_b` have :program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.>

.. ## Use the following for containers on Infra02:

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Physical Configuration
----------------------

.. seealso::

   See :wiki:`SystemAdministration/EquipmentList`

Logical Location
----------------

:IP Internet: :ip:v4:`<IP>`
:IP Intranet: :ip:v4:`<IP>`
:IP Internal: :ip:v4:`<IP>`
:MAC address: :mac:`<MAC>` (interfacename)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; <machine>

========================== ======== ==========================================
Name                       Type     Content
========================== ======== ==========================================
<HOST>.cacert.org.         IN A     <IP>
<HOST>.intra.cacert.org.   IN A     <IP>
========================== ======== ==========================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Codename
   single: Debian GNU/Linux; x.y

* Debian GNU/Linux x.y

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

.. use the values from this table or add new lines if applicable

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 443/tcp  | https     | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+
| 3306/tcp | mysql     | local     | MySQL database for ...                  |
+----------+-----------+-----------+-----------------------------------------+
| 5432/tcp | pgsql     | local     | PostgreSQL database for ...             |
+----------+-----------+-----------+-----------------------------------------+
| 465/udp  | syslog    | local     | syslog port                             |
+----------+-----------+-----------+-----------------------------------------+
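
The table above is filled in by hand; the following added example (not part of the cacert-infradocs template) shows how the Port/Service/Origin/Purpose rows can be derived from ``ss -Hltnup`` output on the host, so the documented listeners can be re-checked against what is actually bound. The ``ss`` lines, the port-to-service names and the Origin classification of bound addresses are constructed assumptions for the demonstration.

```python
# Added example, not part of the template: render "Listening services" rows
# from `ss -Hltnup` output.  SAMPLE_SS is constructed; on a real host feed in
# the command's output instead.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=611,fd=3))
tcp   LISTEN 0      100        127.0.0.1:25        0.0.0.0:*    users:(("master",pid=800,fd=13))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("apache2",pid=901,fd=4))
tcp   LISTEN 0      5         172.16.2.10:5666    0.0.0.0:*    users:(("nrpe",pid=950,fd=5))
udp   UNCONN 0      0          127.0.0.1:514       0.0.0.0:*    users:(("rsyslogd",pid=700,fd=6))
"""

# Purpose strings follow the template's table; port-to-name map is an assumption.
PURPOSE = {"ssh": "admin console access", "smtp": "mail delivery to local MTA",
           "http": "application", "https": "application",
           "nrpe": "remote monitoring service", "syslog": "syslog port"}
NAMES = {22: "ssh", 25: "smtp", 80: "http", 443: "https", 5666: "nrpe", 514: "syslog"}

def origin_for(addr):
    """Map the bound address to the template's Origin column (assumed rule)."""
    if addr in ("127.0.0.1", "[::1]"):
        return "local"
    if addr in ("0.0.0.0", "*", "[::]"):
        return "ANY"
    return "intranet"  # anything bound to a specific address is treated as intranet

def listeners(ss_output):
    """Parse `ss -H` lines into (port/proto, service, origin, purpose) tuples."""
    rows = []
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        proto, local = f[0], f[4]            # Netid and "Local Address:Port"
        addr, port = local.rsplit(":", 1)    # rsplit keeps IPv6 "[::]" intact
        svc = NAMES.get(int(port), "?")
        rows.append((f"{port}/{proto}", svc, origin_for(addr), PURPOSE.get(svc, "<fill in>")))
    return rows

def grid_table(header, rows):
    """Render an RST grid table in the style used throughout the template."""
    cols = [max(len(r[i]) for r in [header] + rows) for i in range(len(header))]
    sep = lambda ch: "+" + "+".join(ch * (w + 2) for w in cols) + "+"
    fmt = lambda r: "| " + " | ".join(c.ljust(w) for c, w in zip(r, cols)) + " |"
    out = [sep("-"), fmt(header), sep("=")]
    for r in rows:
        out += [fmt(r), sep("-")]
    return "\n".join(out)

if __name__ == "__main__":
    print(grid_table(("Port", "Service", "Origin", "Purpose"), listeners(SAMPLE_SS)))
```

Diffing this output against the documented table is a quick way to spot listeners that were added without updating the documentation.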

Running services
----------------

.. index::
   single: Apache
   single: Icinga2
   single: MySQL
   single: OpenERP
   single: Postfix
   single: PostgreSQL
   single: cron
   single: nginx
   single: nrpe
   single: openssh

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for ...  | init script                            |
|                    |                    | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for ...            |                                        |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for ...     | :file:`/etc/init.d/mysql`              |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+-------------+--------------+---------------------------+
| RDBMS       | Name         | Used for                  |
+=============+==============+===========================+
| MySQL       | application1 | fictional application one |
+-------------+--------------+---------------------------+
| PostgreSQL  | application2 | fictional application two |
+-------------+--------------+---------------------------+

Running Guests
--------------

+----------------+-------------+---------------+---------+---------------+
| Machine        | IP Intranet | IP Internet   | Ports   | Purpose       |
+================+=============+===============+=========+===============+
| :doc:`machine` | <LOCAL IP>  | <INTERNET IP> | <PORTS> | <DESCRIPTION> |
+----------------+-------------+---------------+---------+---------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs

Security
========

.. add the MD5 fingerprints of the SSH host keys

.. sshkeys::
   :RSA:
   :DSA:
   :ECDSA:
   :ED25519:
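
Added example (not part of the template): the MD5 fingerprints the ``sshkeys`` directive asks for, computed from the host's public key files in the ``xx:xx:...`` form that ``ssh-keygen -l -E md5`` prints, plus a check that the documented fingerprints still match the keys the host presents. The test key and the helper names are constructed assumptions.

```python
# Added example, not part of the template.  An SSH fingerprint is a hash of
# the base64 key blob in /etc/ssh/ssh_host_*_key.pub, so the documented value
# can be recomputed from the file and compared with the running host.
import base64
import hashlib
import struct

def md5_fingerprint(pubkey_line):
    """MD5 fingerprint of one public key line, as ssh-keygen -l -E md5 shows it."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob's first length-prefixed field is the key type; it must match the line.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type in blob does not match key type on line")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sshkeys_directive(pubkeys):
    """Render the directive block with the option names used in the template."""
    names = {"ssh-rsa": "RSA", "ssh-dss": "DSA", "ssh-ed25519": "ED25519",
             "ecdsa-sha2-nistp256": "ECDSA"}
    lines = [".. sshkeys::"]
    for line in pubkeys:
        t = line.split()[0]
        lines.append(f"   :{names.get(t, t)}: {md5_fingerprint(line)}")
    return "\n".join(lines)

def drift(documented, pubkeys):
    """Key types whose current fingerprint differs from the documented one."""
    current = {line.split()[0]: md5_fingerprint(line) for line in pubkeys}
    return sorted(k for k, fp in documented.items() if current.get(k) != fp)

def make_key(keytype, point):
    """Constructed key line for the demo: type string + raw point, SSH wire format."""
    blob = (struct.pack(">I", len(keytype)) + keytype.encode()
            + struct.pack(">I", len(point)) + point)
    return f"{keytype} {base64.b64encode(blob).decode()} root@template"

HOST_KEYS = [make_key("ssh-ed25519", b"\x11" * 32)]  # constructed, not a real host key

if __name__ == "__main__":
    print(sshkeys_directive(HOST_KEYS))
```

On a real host pass the contents of each ``/etc/ssh/ssh_host_*_key.pub`` file instead of ``HOST_KEYS``; a non-empty ``drift`` result means a host key changed without the documentation being updated.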

Dedicated user roles
--------------------

.. If the system has some dedicated user groups besides the sudo group used for
   administration, they should be documented here. Regular operating system
   groups should not be documented.

+-------------+-----------------------------+
| Group       | Purpose                     |
+=============+=============================+
| <groupname> | <short purpose description> |
+-------------+-----------------------------+

Non-distribution packages and modifications
-------------------------------------------

.. * None
   or
   * List of non-distribution packages and modifications (with some
     explanation why no distribution package could be used)

Risk assessments on critical packages
-------------------------------------

.. add a paragraph for each known risk. The risk has to be described.
   Mitigation or risk acceptance has to be documented.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. use the sslcert directive to have certificates added to the certificate list
   automatically

.. sslcert:: template.cacert.org
   :altnames:
   :certfile:
   :keyfile:
   :serial:
   :expiration:
   :sha1fp:
   :issuer:

.. for certificates that are originally created on another host use

.. sslcert:: other.cacert.org
   :certfile:
   :keyfile:
   :serial:
   :secondary:

.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
   * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

<service_x> configuration
-------------------------

.. add a section for the configuration of each service where configuration
   deviates from OS package defaults

Tasks
=====

Planned
-------

.. add a paragraph or todo directive for each larger planned task. You may want
   to link to specific issues if you use some issue tracker.

Changes
=======

System Future
-------------

.. use this section to describe any plans for the system future. These are
   larger plans like moving to another host, abandoning the system or replacing
   its functionality with something else.

.. * No plans

Additional documentation
========================

.. add inline documentation

.. remove unneeded links from the list below, add other links that apply

.. seealso::

   * :wiki:`Exim4Configuration`
   * :wiki:`PostfixConfiguration`
   * :wiki:`QmailConfiguration`
   * :wiki:`SendmailConfiguration`
   * :wiki:`StunnelConfiguration`

References
----------

.. can be used to provide links to reference documentation
   * http://product.site.com/docs/
   * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]