Add more info for infra02
[cacert-infradocs.git] / docs / template.rst
==================
Systems - TEMPLATE
==================

Purpose
=======

.. <SHORT DESCRIPTION>

Basics
======

Physical Location
-----------------

.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.>

.. ## Use the following for containers on Infra02:

This system is located in an LXC_ container on physical machine :doc:`infra02`.

Physical Configuration
----------------------

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/EquipmentList

Logical location
----------------

* IP Internet: <IP>
* IP Intranet: <IP>
* IP Internal: <IP>
* MAC address: <MAC> (interfacename)

.. seealso::

   See :doc:`network`

DNS
---

* <HOSTNAME>.cacert.org. IN A <IP>
* <HOSTNAME>.intra.cacert.org. IN A <IP>

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges

Operating System
----------------

* Debian GNU/Linux x.y

Applicable Documentation
------------------------

This is it :-)

Administration
==============

System Administration
---------------------

* Primary: <SYSADMIN's NAME>
* Secondary: <secondary name>

Contact
-------

* <system>-admin@cacert.org

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 443/tcp  | https     | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

.. below are some definitions of commonly open ports, choose those that are applicable and order the table by port number
   || 3306/tcp || mysql || local || MySQL database for ... ||
   || 5432/tcp || pgsql || local || PostgreSQL database for ... ||
   || 465/udp || syslog || local || syslog port ||

Running services
----------------

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for ...  | init script                            |
|                    |                    | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for ...            |                                        |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for ...     | :file:`/etc/init.d/mysql`              |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission, ...    |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+-------------+--------------+---------------------------+
| RDBMS       | Name         | Used for                  |
+=============+==============+===========================+
| MySQL       | application1 | fictional application one |
+-------------+--------------+---------------------------+
| PostgreSQL  | application2 | fictional application two |
+-------------+--------------+---------------------------+

Running Guests
--------------

+----------------+-------------+---------------+---------+---------------+
| Machine        | IP Intranet | IP Internet   | Ports   | Purpose       |
+================+=============+===============+=========+===============+
| :doc:`machine` | <LOCAL IP>  | <INTERNET IP> | <PORTS> | <DESCRIPTION> |
+----------------+-------------+---------------+---------+---------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for getting CRLs

Security
========

SSH host keys
-------------

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       |                                                     |
+-----------+-----------------------------------------------------+
| DSA       |                                                     |
+-----------+-----------------------------------------------------+
| ECDSA     |                                                     |
+-----------+-----------------------------------------------------+
| ED25519   |                                                     |
+-----------+-----------------------------------------------------+

.. seealso::

   See :doc:`sshkeys`
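
The table above is filled from the public halves of the host keys. The following script is an added example for this template, not code from cacert-infradocs: it parses OpenSSH public key files (the Debian path ``/etc/ssh/ssh_host_*_key.pub`` is an assumption), reports algorithm, key size and SHA256 fingerprint in the same form as ``ssh-keygen -lf``, and renders the rows as the grid table used here. The three sample key lines embedded in it are constructed, format-valid blobs with dummy key material, not real keys.

```python
"""Compute the entries for the "SSH host keys" table from OpenSSH public key files.

Added example for this template; it is not part of cacert-infradocs. It reads
the public half of each host key (normally /etc/ssh/ssh_host_*_key.pub, path
assumed) and reports the algorithm, key size and SHA256 fingerprint in the same
form as ``ssh-keygen -lf``, so the values can be pasted into the table and later
compared with what a client shows on first connection.
"""
import base64
import glob
import hashlib
import struct

# Wire-format key type -> algorithm name as used in the table above.
ALGORITHM_NAMES = {
    "ssh-rsa": "RSA",
    "ssh-dss": "DSA",
    "ecdsa-sha2-nistp256": "ECDSA",
    "ecdsa-sha2-nistp384": "ECDSA",
    "ecdsa-sha2-nistp521": "ECDSA",
    "ssh-ed25519": "ED25519",
}


def _read_string(blob, offset):
    """Read one length-prefixed SSH 'string' (RFC 4251) starting at offset."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_pubkey_line(line):
    """Parse one 'type base64 [comment]' line into algorithm, bit size and fingerprint."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1])
    wire_type, offset = _read_string(blob, 0)
    if wire_type.decode("ascii") != keytype or keytype not in ALGORITHM_NAMES:
        # The blob names its own type; a mismatch means an edited or corrupted file.
        raise ValueError("unsupported or inconsistent key type: " + keytype)
    if keytype == "ssh-rsa":
        _exponent, offset = _read_string(blob, offset)
        modulus, _ = _read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    elif keytype == "ssh-dss":
        prime, _ = _read_string(blob, offset)
        bits = int.from_bytes(prime, "big").bit_length()
    elif keytype == "ssh-ed25519":
        bits = 256
    else:  # ecdsa-sha2-nistpNNN: the curve name carries the size
        bits = int(keytype.rsplit("nistp", 1)[1])
    # OpenSSH's SHA256 fingerprint is the base64 digest of the blob, '=' padding stripped.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return {"algorithm": ALGORITHM_NAMES[keytype], "bits": bits, "fingerprint": fingerprint}


def rows_from_lines(lines):
    """(algorithm, bits, fingerprint) per key line, sorted by algorithm name."""
    parsed = [parse_pubkey_line(line) for line in lines if line.strip()]
    return sorted((p["algorithm"], p["bits"], p["fingerprint"]) for p in parsed)


def rst_table(rows, widths=(11, 53)):
    """Render rows as the grid table used in the "SSH host keys" section."""
    sep = "+" + "+".join("-" * w for w in widths) + "+"
    head = "+" + "+".join("=" * w for w in widths) + "+"

    def cells(values):
        return "|" + "|".join((" " + v).ljust(w) for v, w in zip(values, widths)) + "|"

    out = [sep, cells(("Algorithm", "Fingerprint")), head]
    for algorithm, _bits, fingerprint in rows:
        out += [cells((algorithm, fingerprint)), sep]
    return "\n".join(out)


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _sample_line(keytype, *fields):
    blob = _ssh_string(keytype.encode("ascii")) + b"".join(_ssh_string(f) for f in fields)
    return keytype + " " + base64.b64encode(blob).decode("ascii") + " root@template"


# Constructed sample keys: format-valid blobs with dummy key material, not real keys.
SAMPLE_LINES = [
    _sample_line("ssh-ed25519", bytes(range(32))),
    _sample_line("ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" + b"\x5a" * 255),  # 2048-bit modulus
    _sample_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64)),
]

if __name__ == "__main__":
    files = sorted(glob.glob("/etc/ssh/ssh_host_*_key.pub"))  # assumed Debian default path
    lines = [open(f).read() for f in files] if files else SAMPLE_LINES
    for algorithm, bits, fingerprint in rows_from_lines(lines):
        print(bits, fingerprint, "(%s)" % algorithm)  # same fields as ssh-keygen -lf
    print(rst_table(rows_from_lines(lines)))
```

Run it on the host itself rather than on a copy of the key files, and compare the printed fingerprints with ``ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`` before copying them into the table; the script refuses a line whose declared type does not match the type encoded in the blob, which is the usual sign of a hand-edited key file.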
193
Dedicated user roles
--------------------

.. If the system has some dedicated user groups besides the sudo group used for administration it should be documented here
   Regular operating system groups should not be documented

.. || '''Group''' || '''Purpose''' ||
   || goodguys || Shell access for the good guys ||

Non-distribution packages and modifications
-------------------------------------------

.. * None
   or
   * List of non-distribution packages and modifications

Risk assessments on critical packages
-------------------------------------

Tasks
=====

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
* :file:`/etc/apache2/ssl/<path to server key>` server key

.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
   * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)

.. seealso::

   See :doc:`certlist`

Changes
=======

Planned
-------

System Future
.............

.. * No plans

Document Stuff
..............

.. add a paragraph for each larger planned task that seems to be worth
   mentioning. You may want to link to specific issues if you use some issue
   tracker.

Potential Similar Configurations
................................

* https://wiki.cacert.org/Exim4Configuration
* https://wiki.cacert.org/PostfixConfiguration
* https://wiki.cacert.org/QmailConfiguration
* https://wiki.cacert.org/SendmailConfiguration
* https://wiki.cacert.org/StunnelConfiguration

Potential System Procedures
...........................

* https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
* https://wiki.cacert.org/SystemAdministration/CertificateList

References
==========

.. can be used to provide links to reference documentation
   * http://product.site.com/docs/
   * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]

Links
=====

.. || [[https://<system>.cacert.org/]] || <System> URL ||
   may contain more URLs if there are multiple useful entry points