89319c89a94bbe38fb5f0a8bedd449f443716295
[cacert-infradocs.git] / docs / systems / template.rst
.. index::
   single: Systems; <host>

==================
Systems - TEMPLATE
==================

Purpose
=======

.. <SHORT DESCRIPTION>

Application Links
-----------------

.. link1
   https://<hostname>/<path>

   link2
   https://<hostname>/<path2>


Administration
==============

System Administration
---------------------

.. people_<name> are defined in people.rst

* Primary: :ref:`people_primary`
* Secondary: :ref:`people_secondary`

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| <application> | :ref:`people_admin` |
+---------------+---------------------+

Contact
-------

* <system>-admin@cacert.org

Additional People
-----------------

:ref:`people_a` and :ref:`people_b` have :program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.>

.. ## Use the following for containers on Infra02:

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Physical Configuration
----------------------

.. seealso::

   See :wiki:`SystemAdministration/EquipmentList`

Logical Location
----------------

:IP Internet: :ip:v4:`<IP>`
:IP Intranet: :ip:v4:`<IP>`
:IP Internal: :ip:v4:`<IP>`
:MAC address: :mac:`<MAC>` (interfacename)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; <machine>

========================== ======== ==========================================
Name                       Type     Content
========================== ======== ==========================================
<HOST>.cacert.org.         IN A     <IP>
<HOST>.intra.cacert.org.   IN A     <IP>
========================== ======== ==========================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Codename
   single: Debian GNU/Linux; x.y

* Debian GNU/Linux x.y

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

.. use the values from this table or add new lines if applicable

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 443/tcp  | https     | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+
| 3306/tcp | mysql     | local     | MySQL database for ...                  |
+----------+-----------+-----------+-----------------------------------------+
| 5432/tcp | pgsql     | local     | PostgreSQL database for ...             |
+----------+-----------+-----------+-----------------------------------------+
| 465/udp  | syslog    | local     | syslog port                             |
+----------+-----------+-----------+-----------------------------------------+
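
An added check for this table, not part of cacert-infradocs: the script below parses constructed ``ss -Hltnup`` output, collapses IPv4 and IPv6 binds on the same port, derives the Origin column from the bind address (loopback binds are ``local``, everything else ``ANY``), renders the grid table in the layout used above, and ``undocumented()`` lists ports the page does not mention. Origins enforced by the firewall, such as ``monitor`` for nrpe, are invisible to ``ss`` and have to be edited by hand.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of ``ss -Hltnup`` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128     0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0 128        [::]:22         [::]:* users:(("sshd",pid=612,fd=4))
tcp   LISTEN 0 100   127.0.0.1:25      0.0.0.0:* users:(("master",pid=903,fd=13))
tcp   LISTEN 0 511           *:443           *:* users:(("apache2",pid=1201,fd=6))
tcp   LISTEN 0  80   127.0.0.1:3306    0.0.0.0:* users:(("mysqld",pid=1350,fd=21))
tcp   LISTEN 0   5     0.0.0.0:5666    0.0.0.0:* users:(("nrpe",pid=1402,fd=4))
udp   UNCONN 0   0   127.0.0.1:514     0.0.0.0:* users:(("rsyslogd",pid=700,fd=5))
"""
Row = Tuple[str, str, str, str]  # port/proto, service (process name), origin, purpose

def origin_of(addr: str) -> str:
    """'local' for loopback binds; 'ANY' for wildcard or routable binds."""
    addr = addr.strip("[]")
    if addr in ("", "*"):
        return "ANY"
    return "local" if ipaddress.ip_address(addr).is_loopback else "ANY"

def parse_ss(text: str, purposes: Dict[str, str]) -> List[Row]:
    """One row per port/protocol, keyed like the template ('22/tcp')."""
    rows: Dict[str, Row] = {}
    for fields in (l.split() for l in text.splitlines() if l.strip()):
        proto, local, proc = fields[0], fields[4], fields[-1]   # Netid, Local Address:Port, Process
        addr, _, port = local.rpartition(":")                  # handles [::]:22 and *:443
        key = f"{port}/{proto}"
        service = proc.split('"')[1] if '"' in proc else "<unknown>"
        # A wildcard bind on either address family makes the port reachable from ANY.
        origin = "ANY" if rows.get(key, ("",) * 4)[2] == "ANY" else origin_of(addr)
        rows[key] = (key, service, origin, purposes.get(key, "<PURPOSE>"))
    order = lambda k: (k.split("/")[1], int(k.split("/")[0]))  # tcp before udp, then by port
    return [rows[k] for k in sorted(rows, key=order)]

def undocumented(rows: List[Row], documented: List[str]) -> List[str]:
    """Ports the host listens on that the documentation page does not list."""
    return [r[0] for r in rows if r[0] not in documented]

def grid_table(rows: List[Row]) -> str:
    """Render the rows as an RST grid table with the template's header."""
    header = ("Port", "Service", "Origin", "Purpose")
    widths = [max(len(r[i]) for r in [header, *rows]) for i in range(4)]
    rule = lambda ch: "+" + "+".join(ch * (w + 2) for w in widths) + "+"
    cells = lambda r: "|" + "|".join(f" {c.ljust(w)} " for c, w in zip(r, widths)) + "|"
    lines = [rule("-"), cells(header), rule("=")]
    for r in rows:
        lines += [cells(r), rule("-")]
    return "\n".join(lines)
```

Run ``print(grid_table(parse_ss(SAMPLE_SS_OUTPUT, {"22/tcp": "admin console access"})))`` to get a table you can paste into this section, then fill in the remaining ``<PURPOSE>`` cells.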

Running services
----------------

.. index::
   single: Apache
   single: Icinga2
   single: MySQL
   single: OpenERP
   single: Postfix
   single: PostgreSQL
   single: cron
   single: nginx
   single: nrpe
   single: openssh

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for ...  | init script                            |
|                    |                    | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for ...            |                                        |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for ...     | :file:`/etc/init.d/mysql`              |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+-------------+--------------+---------------------------+
| RDBMS       | Name         | Used for                  |
+=============+==============+===========================+
| MySQL       | application1 | fictional application one |
+-------------+--------------+---------------------------+
| PostgreSQL  | application2 | fictional application two |
+-------------+--------------+---------------------------+

Running Guests
--------------

+----------------+-------------+---------------+---------+---------------+
| Machine        | IP Intranet | IP Internet   | Ports   | Purpose       |
+================+=============+===============+=========+===============+
| :doc:`machine` | <LOCAL IP>  | <INTERNET IP> | <PORTS> | <DESCRIPTION> |
+----------------+-------------+---------------+---------+---------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for getting CRLs

Security
========

.. add the MD5 fingerprints of the SSH host keys

.. sshkeys::
   :RSA:
   :DSA:
   :ECDSA:
   :ED25519:

Dedicated user roles
--------------------

.. If the system has some dedicated user groups besides the sudo group used for
   administration, they should be documented here. Regular operating system
   groups should not be documented.

+-------------+-----------------------------+
| Group       | Purpose                     |
+=============+=============================+
| <groupname> | <short purpose description> |
+-------------+-----------------------------+

Non-distribution packages and modifications
-------------------------------------------

.. * None
   or
   * List of non-distribution packages and modifications (with some
     explanation why no distribution package could be used)

Risk assessments on critical packages
-------------------------------------

.. add a paragraph for each known risk. The risk has to be described.
   Mitigation or risk acceptance has to be documented.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. use the sslcert directive to have certificates added to the certificate list
   automatically

.. sslcert:: template.cacert.org
   :altnames:
   :certfile:
   :keyfile:
   :serial:
   :expiration:
   :sha1fp:
   :issuer:

.. for certificates that were originally created on another host use

.. sslcert:: other.cacert.org
   :certfile:
   :keyfile:
   :serial:
   :secondary:

.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
   * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

<service_x> configuration
-------------------------

.. add a section for the configuration of each service where configuration
   deviates from OS package defaults

Tasks
=====

Planned
-------

.. add a paragraph or todo directive for each larger planned task. You may want
   to link to specific issues if you use some issue tracker.

Changes
=======

System Future
-------------

.. use this section to describe any plans for the system future. These are
   larger plans like moving to another host, abandoning the system or replacing
   its functionality with something else.

.. * No plans

Additional documentation
========================

.. add inline documentation

.. remove unneeded links from the list below, add other links that apply

.. seealso::

   * :wiki:`Exim4Configuration`
   * :wiki:`PostfixConfiguration`
   * :wiki:`QmailConfiguration`
   * :wiki:`SendmailConfiguration`
   * :wiki:`StunnelConfiguration`

References
----------

.. can be used to provide links to reference documentation
   * http://product.site.com/docs/
   * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]