Start arbitration documentation
[cacert-infradocs.git] / docs / systems / template.rst
.. index::
   single: Systems; <host>

==================
Systems - TEMPLATE
==================

Purpose
=======

.. <SHORT DESCRIPTION>

Administration
==============

System Administration
---------------------

* Primary: `Primary Name`_
* Secondary: `Secondary Name`_

.. _Primary Name: primary@cacert.org
.. _Secondary Name: secondary@cacert.org

Application Administration
--------------------------

* <application>: <sysadmin's name>

Contact
-------

* <system>-admin@cacert.org

Additional People
-----------------

`Person A`_ and `Person B`_ have sudo access on that machine too.

.. _Person A: persona@cacert.org
.. _Person B: personb@cacert.org

Basics
======

Physical Location
-----------------

.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.>

.. ## Use the following for containers on Infra02:

This system is located in an LXC_ container on physical machine :doc:`infra02`.

.. _LXC: https://linuxcontainers.org/
Physical Configuration
----------------------

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/EquipmentList

Logical Location
----------------

:IP Internet: :ip:v4:`<IP>`
:IP Intranet: :ip:v4:`<IP>`
:IP Internal: :ip:v4:`<IP>`
:MAC address: :mac:`<MAC>` (interfacename)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; <machine>

========================== ======== ====================================================================
Name                       Type     Content
========================== ======== ====================================================================
<HOST>.cacert.org.         IN A     <IP>
<HOST>.intra.cacert.org.   IN A     <IP>
========================== ======== ====================================================================

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Codename
   single: Debian GNU/Linux; x.y

* Debian GNU/Linux x.y

Applicable Documentation
------------------------

This is it :-)
Services
========

Listening services
------------------

.. use the values from this table or add new lines if applicable

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 443/tcp  | https     | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+
| 3306/tcp | mysql     | local     | MySQL database for ...                  |
+----------+-----------+-----------+-----------------------------------------+
| 5432/tcp | pgsql     | local     | PostgreSQL database for ...             |
+----------+-----------+-----------+-----------------------------------------+
| 465/udp  | syslog    | local     | syslog port                             |
+----------+-----------+-----------+-----------------------------------------+
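
A documentation drift check for the Listening services table above, added here as an example (it is not part of the template or of the cacert-infradocs project): it reads the Port and Service columns out of the RST grid table and compares them with `ss -tulnH` output, reporting listeners the page does not document and documented ports that are not actually open. Both inputs below are constructed samples; on a real host the table comes from that system's page and the socket list from running ``ss``.

```python
import re

# Constructed excerpt of a filled-in "Listening services" grid table (sample, not a live host).
DOCUMENTED_TABLE = """\
+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+
"""

# Constructed sample of `ss -tulnH` output: Netid State Recv-Q Send-Q Local:Port Peer:Port.
SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
tcp   LISTEN 0 128 [::]:5666      [::]:*
udp   UNCONN 0 0   0.0.0.0:514    0.0.0.0:*
"""

def parse_documented(table: str) -> dict:
    """Map documented "port/proto" -> service name from the grid table's first two columns."""
    documented = {}
    for line in table.splitlines():
        if not line.startswith("|"):
            continue  # skip the +---+ border rows
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) >= 2 and re.fullmatch(r"\d+/(tcp|udp)", cells[0]):
            documented[cells[0]] = cells[1]  # header row ("Port") does not match
    return documented

def parse_ss(output: str) -> set:
    """Collect "port/proto" for every socket line; the port follows the last ':' of the local address."""
    listening = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        listening.add(f"{local.rsplit(':', 1)[1]}/{proto}")  # also handles [::]:port
    return listening

def drift(table: str, output: str) -> tuple:
    """Return (open ports missing from the page, documented ports that are not open)."""
    documented, live = parse_documented(table), parse_ss(output)
    return live - set(documented), set(documented) - live
```

On the samples, ``drift(DOCUMENTED_TABLE, SS_OUTPUT)`` returns ``{'3306/tcp', '514/udp'}`` as undocumented listeners and ``{'80/tcp'}`` as documented but not open.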
134
Running services
----------------

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for ...  | init script                            |
|                    |                    | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for ...            |                                        |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for ...     | :file:`/etc/init.d/mysql`              |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+-------------+--------------+---------------------------+
| RDBMS       | Name         | Used for                  |
+=============+==============+===========================+
| MySQL       | application1 | fictional application one |
+-------------+--------------+---------------------------+
| PostgreSQL  | application2 | fictional application two |
+-------------+--------------+---------------------------+

Running Guests
--------------

+----------------+-------------+---------------+---------+---------------+
| Machine        | IP Intranet | IP Internet   | Ports   | Purpose       |
+================+=============+===============+=========+===============+
| :doc:`machine` | <LOCAL IP>  | <INTERNET IP> | <PORTS> | <DESCRIPTION> |
+----------------+-------------+---------------+---------+---------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for getting CRLs

Security
========

SSH host keys
-------------

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       |                                                     |
+-----------+-----------------------------------------------------+
| DSA       |                                                     |
+-----------+-----------------------------------------------------+
| ECDSA     |                                                     |
+-----------+-----------------------------------------------------+
| ED25519   |                                                     |
+-----------+-----------------------------------------------------+

.. seealso::

   See :doc:`../sshkeys`

Dedicated user roles
--------------------

.. If the system has some dedicated user groups besides the sudo group used for administration it should be documented here
   Regular operating system groups should not be documented

.. || '''Group''' || '''Purpose''' ||
   || goodguys || Shell access for the good guys ||

Non-distribution packages and modifications
-------------------------------------------

.. * None
   or
   * List of non-distribution packages and modifications

Risk assessments on critical packages
-------------------------------------

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
* :file:`/etc/apache2/ssl/<path to server key>` server key

.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
   * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)

.. seealso::

   * :doc:`../certlist`
   * https://wiki.cacert.org/SystemAdministration/CertificateList

Tasks
=====

Planned
-------

.. add a paragraph for each larger planned task that seems to be worth
   mentioning. You may want to link to specific issues if you use some issue
   tracker.

Changes
=======

System Future
-------------

.. * No plans

Additional documentation
========================

.. add inline documentation

.. remove unneeded links from the list below, add other links that apply

.. seealso::

   * https://wiki.cacert.org/Exim4Configuration
   * https://wiki.cacert.org/PostfixConfiguration
   * https://wiki.cacert.org/QmailConfiguration
   * https://wiki.cacert.org/SendmailConfiguration
   * https://wiki.cacert.org/StunnelConfiguration

References
----------

.. can be used to provide links to reference documentation
   * http://product.site.com/docs/
   * `Paper on how to setup... <http://product.site.com/whitepaper/document.pdf>`_