Add web and webstatic to Puppet
author Jan Dittberner <jandd@cacert.org>
Mon, 2 Apr 2018 11:12:10 +0000 (13:12 +0200)
committer Jan Dittberner <jandd@cacert.org>
Mon, 2 Apr 2018 11:12:10 +0000 (13:12 +0200)
- update information on puppet managed systems
- sort service tables for changed systems alphabetically
- add puppet agent as third party package where this was not documented
  yet
- document DNS resolution via infra02 on Puppet managed systems

docs/lxcsetup.rst
docs/systems/ircserver.rst
docs/systems/jenkins.rst
docs/systems/proxyout.rst
docs/systems/puppet.rst
docs/systems/svn.rst
docs/systems/translations.rst
docs/systems/web.rst
docs/systems/webstatic.rst

index 3deaa5a..af79cea 100644 (file)
@@ -56,11 +56,13 @@ Setup puppet-agent
   the `cacert-puppet Repository`_ on :doc:`systems/git`
 - see `Puppet agent installation`_ for agent setup (install the agent from
   official Puppet repositories)
-- define the puppet master IP address in :file:`/etc/hosts`:
+- make sure that DNS resolution is performed by :doc:`systems/infra02`. The
+  :file:`/etc/resolv.conf` should contain the following lines:
 
   .. code-block:: text
 
-     10.0.0.200        puppet
+     search infra.cacert.org intra.cacert.org
+     nameserver 10.0.0.1
 
 - set the certname in :file:`/etc/puppetlabs/puppet/puppet.conf` to match
   the name of the file in :file:`hieradata/nodes/` for the system:
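Review bot: the removed `/etc/hosts` line pinned the name `puppet` to 10.0.0.200, but the replacement only configures `search infra.cacert.org intra.cacert.org` and `nameserver 10.0.0.1`, so the short name `puppet` now resolves only if a `puppet` record exists in one of those search zones. Name the zone (or give the FQDN that the agent's `server` setting in `puppet.conf` should use) and add a step to remove any stale `puppet` entry from `/etc/hosts`, since a leftover entry takes precedence over DNS and would keep pointing at the old address.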
index 50852ad..7f33763 100644 (file)
@@ -155,40 +155,33 @@ Running services
 ----------------
 
 .. index::
+   single: atheme-services
    single: cron
    single: exim
+   single: inspircd
+   single: kiwiirc
+   single: nginx
    single: nrpe
    single: openssh
-   single: inspircd
-   single: atheme-services
+   single: puppet agent
+   single: rsyslog
    single: votebot
 
 +--------------------+--------------------+----------------------------------------+
 | Service            | Usage              | Start mechanism                        |
 +====================+====================+========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
-|                    | remote             |                                        |
-|                    | administration     |                                        |
+| atheme-services    | IRC services       | init script                            |
+|                    |                    | :file:`/etc/init.d/atheme-services`    |
 +--------------------+--------------------+----------------------------------------+
 | cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
 +--------------------+--------------------+----------------------------------------+
-| rsyslog            | syslog daemon      | init script                            |
-|                    |                    | :file:`/etc/init.d/syslog`             |
-+--------------------+--------------------+----------------------------------------+
 | Exim               | SMTP server for    | init script                            |
 |                    | local mail         | :file:`/etc/init.d/exim4`              |
 |                    | submission         |                                        |
 +--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                            |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`     |                                        |
-+--------------------+--------------------+----------------------------------------+
 | inspircd           | IRC daemon         | init script                            |
 |                    |                    | :file:`/etc/init.d/inspircd`           |
 +--------------------+--------------------+----------------------------------------+
-| atheme-services    | IRC services       | init script                            |
-|                    |                    | :file:`/etc/init.d/atheme-services`    |
-+--------------------+--------------------+----------------------------------------+
 | kiwiirc            | IRC web client     | start script                           |
 |                    |                    | :file:`/home/kiwiirc/KiwiIRC/kiwi`     |
 |                    |                    | started by user kiwiirc                |
@@ -196,6 +189,20 @@ Running services
 | nginx              | Reverse proxy for  | init script                            |
 |                    | kiwiirc            | :file:`/etc/init.d/nginx`              |
 +--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring  | init script                            |
+|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+|                    | :doc:`monitor`     |                                        |
++--------------------+--------------------+----------------------------------------+
+| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
+|                    | remote             |                                        |
+|                    | administration     |                                        |
++--------------------+--------------------+----------------------------------------+
+| Puppet agent       | configuration      | init script                            |
+|                    | management agent   | :file:`/etc/init.d/puppet`             |
++--------------------+--------------------+----------------------------------------+
+| rsyslog            | syslog daemon      | init script                            |
+|                    |                    | :file:`/etc/init.d/syslog`             |
++--------------------+--------------------+----------------------------------------+
 | votebot            | CAcert vote bot    | init script (spring-boot)              |
 |                    |                    | :file:`/etc/init.d/cacert-votebot`     |
 +--------------------+--------------------+----------------------------------------+
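Review bot: the rsyslog row added here points at `/etc/init.d/syslog`, but Debian's rsyslog package installs its init script as `/etc/init.d/rsyslog`; please verify the path on the host before carrying the same row into the other system pages in this commit. The ordering also does not quite match the alphabetical sort announced in the commit message: `Nagios NRPE server` is placed after `nginx`, apparently sorted by its index term `nrpe` rather than by the service name shown in the first column.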
@@ -208,7 +215,7 @@ Connected Systems
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
 * :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
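Review bot: the old DNS entry named the port (53) while the new infra02 line does not, although the neighbouring puppet entry keeps its `(tcp/8140)`; for consistency add `(udp/tcp 53)` to the infra02 line. The same applies to the identical replacement in the other system pages touched by this commit.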
@@ -236,6 +243,10 @@ Dedicated user roles
 Non-distribution packages and modifications
 -------------------------------------------
 
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
 Votebot
 ~~~~~~~
 
@@ -275,6 +286,10 @@ that available updates are applied.
 
 .. todo:: implement some update monitoring for Kiwi IRC
 
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
 
 Critical Configuration items
 ============================
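Review bot: "The puppet agent is not exposed for access from outside the system" is the security claim of this paragraph, but it does not say why. The agent only initiates outbound connections to the master listed under Outbound network connections (tcp/8140) and opens no listening port of its own, so state that explicitly, e.g. "the Puppet agent opens no listening port and only connects outbound to the Puppet master (tcp/8140)". The same boilerplate paragraph is added to the other system pages in this commit and would benefit from the same precision.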
index d7c67fd..0ccf7bf 100644 (file)
@@ -131,35 +131,39 @@ Running services
 ----------------
 
 .. index::
-   single: Exim
-   single: Jenkins
    single: cron
+   single: exim
+   single: jenkins
    single: nrpe
    single: openssh
+   single: puppet agent
    single: rsyslog
 
 +--------------------+--------------------+-----------------------------------------+
 | Service            | Usage              | Start mechanism                         |
 +====================+====================+=========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`     |
-|                    | remote             |                                         |
-|                    | administration     |                                         |
-+--------------------+--------------------+-----------------------------------------+
-| Jenkins            | Jenkins CI server  | init script :file:`/etc/init.d/jenkins` |
-+--------------------+--------------------+-----------------------------------------+
 | cron               | job scheduler      | init script :file:`/etc/init.d/cron`    |
 +--------------------+--------------------+-----------------------------------------+
-| rsyslog            | syslog daemon      | init script                             |
-|                    |                    | :file:`/etc/init.d/syslog`              |
-+--------------------+--------------------+-----------------------------------------+
 | Exim               | SMTP server for    | init script                             |
 |                    | local mail         | :file:`/etc/init.d/exim4`               |
 |                    | submission         |                                         |
 +--------------------+--------------------+-----------------------------------------+
+| Jenkins            | Jenkins CI server  | init script :file:`/etc/init.d/jenkins` |
++--------------------+--------------------+-----------------------------------------+
 | Nagios NRPE server | remote monitoring  | init script                             |
 |                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server`  |
 |                    | :doc:`monitor`     |                                         |
 +--------------------+--------------------+-----------------------------------------+
+| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`     |
+|                    | remote             |                                         |
+|                    | administration     |                                         |
++--------------------+--------------------+-----------------------------------------+
+| Puppet agent       | configuration      | init script                             |
+|                    | management agent   | :file:`/etc/init.d/puppet`              |
++--------------------+--------------------+-----------------------------------------+
+| rsyslog            | syslog daemon      | init script                             |
+|                    |                    | :file:`/etc/init.d/syslog`              |
++--------------------+--------------------+-----------------------------------------+
 
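Review bot: the new Puppet agent row describes the service as `configuration management agent`, while the proxyout, puppet and translations pages in this commit describe the same service as `local Puppet agent`; pick one wording and use it on all pages.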
 Connected Systems
 -----------------
@@ -173,7 +177,7 @@ Connected Systems
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
 * :doc:`git` for fetching source code
 * :doc:`proxyout` as HTTP proxy for APT and Jenkins plugin updates
@@ -218,6 +222,8 @@ Critical Configuration items
 The system configuration is managed via Puppet profiles. There should be no
 configuration items outside of the Puppet repository.
 
+.. todo:: move configuration of :doc:`jenkins` to Puppet code
+
 Jenkins configuration
 ---------------------
 
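Review bot: the new todo sits directly under the sentence "There should be no configuration items outside of the Puppet repository", which it contradicts for as long as the Jenkins configuration is not in Puppet; either qualify that sentence (e.g. "apart from the Jenkins configuration noted below") or place the todo above it. Also, `:doc:`jenkins`` inside the Jenkins page itself is a self-reference; the todo means the Jenkins application's configuration, so plain "Jenkins" reads better. The svn and web pages in this commit get the same self-referencing todo.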
index c538bbf..a72ced5 100644 (file)
@@ -117,28 +117,32 @@ Running services
 ----------------
 
 .. index::
-   single: puppet agent
    single: cron
-   single: exim4
-   single: squid
+   single: exim
    single: openssh
+   single: puppet agent
+   single: rsyslog
+   single: squid
 
 +----------------+--------------------+--------------------------------------+
 | Service        | Usage              | Start mechanism                      |
 +================+====================+======================================+
-| openssh server | ssh daemon for     | init script :file:`/etc/init.d/ssh`  |
-|                | remote             |                                      |
-|                | administration     |                                      |
-+----------------+--------------------+--------------------------------------+
 | cron           | job scheduler      | init script :file:`/etc/init.d/cron` |
 +----------------+--------------------+--------------------------------------+
 | Exim           | SMTP server for    | init script                          |
 |                | local mail         | :file:`/etc/init.d/exim4`            |
 |                | submission         |                                      |
 +----------------+--------------------+--------------------------------------+
+| openssh server | ssh daemon for     | init script :file:`/etc/init.d/ssh`  |
+|                | remote             |                                      |
+|                | administration     |                                      |
++----------------+--------------------+--------------------------------------+
 | Puppet agent   | local Puppet agent | init script                          |
 |                |                    | :file:`/etc/init.d/puppet`           |
 +----------------+--------------------+--------------------------------------+
+| rsyslog        | syslog daemon      | init script                          |
+|                |                    | :file:`/etc/init.d/syslog`           |
++----------------+--------------------+--------------------------------------+
 | Squid          | Caching and        | init script                          |
 |                | filtering http/    | :file:`/etc/init.d/squid`            |
 |                | https proxy for    |                                      |
@@ -171,7 +175,7 @@ Connected Systems
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
 * :doc:`puppet` (tcp/8140) as Puppet master
 * .debian.org Debian mirrors
@@ -182,9 +186,9 @@ Security
 ========
 
 .. sshkeys::
-   :ECDSA:   74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
-   :ED25519: 43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4
-   :RSA:     1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f
+   :RSA:     SHA256:TfsDuQ2tuWnTlpLnFILxlZa+IOpC97QmxDAlGgCa0/I MD5:1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f
+   :ECDSA:   SHA256:d79XAVk0pspIVoI7i4ffohM7PjaBMJdh1J4yv+4Z5ms MD5:74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
+   :ED25519: SHA256:26yiJUT3NfqpFDLgAgXSsRL7ppMiIpNqKmfDiMxpAqc MD5:43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4
 
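Review bot: the key order changes from ECDSA, ED25519, RSA to RSA, ECDSA, ED25519, which is the opposite of the alphabetical sorting this commit applies elsewhere; keep the original order. More importantly, each option value now carries two fingerprints on one line (`SHA256:... MD5:...`); please confirm that the custom `sshkeys` directive actually parses this combined format, otherwise the rendered fingerprints will be wrong or the build will warn.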
 Non-distribution packages and modifications
 -------------------------------------------
@@ -199,6 +203,11 @@ Risk assessments on critical packages
 Squid is a proven http and https proxy installed from distribution packages
 with low risk.
 
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
+
 Critical Configuration items
 ============================
 
index 0d4dc8c..986c117 100644 (file)
@@ -124,35 +124,32 @@ Running services
 ----------------
 
 .. index::
-   single: Exim
-   single: PostgreSQL
-   single: Puppet agent
-   single: Puppet server
-   single: Puppetdb
    single: cron
+   single: exim
    single: openssh
+   single: postgresql
+   single: puppet agent
+   single: puppet server
+   single: puppetdb
    single: rsyslog
 
 +--------------------+--------------------+----------------------------------------+
 | Service            | Usage              | Start mechanism                        |
 +====================+====================+========================================+
+| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
++--------------------+--------------------+----------------------------------------+
+| Exim               | SMTP server for    | init script                            |
+|                    | local mail         | :file:`/etc/init.d/exim4`              |
+|                    | submission         |                                        |
++--------------------+--------------------+----------------------------------------+
 | openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
 |                    | remote             |                                        |
 |                    | administration     |                                        |
 +--------------------+--------------------+----------------------------------------+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
-+--------------------+--------------------+----------------------------------------+
-| rsyslog            | syslog daemon      | init script                            |
-|                    |                    | :file:`/etc/init.d/syslog`             |
-+--------------------+--------------------+----------------------------------------+
 | PostgreSQL         | PostgreSQL         | init script                            |
 |                    | database server    | :file:`/etc/init.d/postgresql`         |
 |                    | for PuppetDB       |                                        |
 +--------------------+--------------------+----------------------------------------+
-| Exim               | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/exim4`              |
-|                    | submission         |                                        |
-+--------------------+--------------------+----------------------------------------+
 | Puppet server      | Puppet master for  | init script                            |
 |                    | infrastructure     | :file:`/etc/init.d/puppetserver`       |
 |                    | systems            |                                        |
@@ -160,11 +157,14 @@ Running services
 | Puppet agent       | local Puppet agent | init script                            |
 |                    |                    | :file:`/etc/init.d/puppet`             |
 +--------------------+--------------------+----------------------------------------+
-| Puppet DB          | PuppetDB for       | init script                            |
+| PuppetDB           | PuppetDB for       | init script                            |
 |                    | querying Puppet    | :file:`/etc/init.d/puppetdb`           |
 |                    | facts and nodes    |                                        |
 |                    | and resources      |                                        |
 +--------------------+--------------------+----------------------------------------+
+| rsyslog            | syslog daemon      | init script                            |
+|                    |                    | :file:`/etc/init.d/syslog`             |
++--------------------+--------------------+----------------------------------------+
 
 Databases
 ---------
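Review bot: renaming `Puppet DB` to `PuppetDB` is correct, but the surrounding rows stay in the order Puppet server, Puppet agent, PuppetDB, which is not alphabetical ("agent" sorts before "server"); since the preceding hunk reorders the rest of this table alphabetically, move the Puppet agent row above Puppet server.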
@@ -185,11 +185,13 @@ Connected Systems
 * :doc:`proxyout`
 * :doc:`svn`
 * :doc:`translations`
+* :doc:`web`
+* :doc:`webstatic`
 
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
 * :doc:`proxyout` as HTTP proxy for APT
 * forgeapi.puppet.com for Puppet forge access
@@ -216,7 +218,6 @@ advanced Puppet functionality like hiera-eyaml.
 All puppet related code is installed in the Puppet specific /opt/puppetlabs
 tree.
 
-
 Risk assessments on critical packages
 -------------------------------------
 
@@ -224,7 +225,6 @@ The system uses third party packages with a good security track record and
 regular updates. The attack surface is small due to the tightly restricted
 access to the system.
 
-
 Critical Configuration items
 ============================
 
index 398ef1a..cdfcbdb 100644 (file)
@@ -144,20 +144,17 @@ Running services
 ----------------
 
 .. index::
-   single: Apache
-   single: Exim
-   single: Puppet agent
+   single: apache httpd
    single: cron
+   single: exim
    single: nrpe
    single: openssh
+   single: puppet agent
+   single: rsyslog
 
 +--------------------+--------------------+----------------------------------------+
 | Service            | Usage              | Start mechanism                        |
 +====================+====================+========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
-|                    | remote             |                                        |
-|                    | administration     |                                        |
-+--------------------+--------------------+----------------------------------------+
 | Apache httpd       | Webserver for      | init script                            |
 |                    | Subversion         | :file:`/etc/init.d/apache2`            |
 +--------------------+--------------------+----------------------------------------+
@@ -171,9 +168,16 @@ Running services
 |                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
 |                    | :doc:`monitor`     |                                        |
 +--------------------+--------------------+----------------------------------------+
+| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
+|                    | remote             |                                        |
+|                    | administration     |                                        |
++--------------------+--------------------+----------------------------------------+
 | Puppet agent       | configuration      | init script                            |
 |                    | management agent   | :file:`/etc/init.d/puppet`             |
 +--------------------+--------------------+----------------------------------------+
+| rsyslog            | syslog daemon      | init script                            |
+|                    |                    | :file:`/etc/init.d/syslog`             |
++--------------------+--------------------+----------------------------------------+
 
 Connected Systems
 -----------------
@@ -186,7 +190,7 @@ Outbound network connections
 ----------------------------
 
 * crl.cacert.org (rsync) for getting CRLs
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
 * :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
@@ -222,6 +226,11 @@ the system.
 Critical Configuration items
 ============================
 
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
+
+.. todo:: move configuration of :doc:`svn` to Puppet code
+
 Keys and X.509 certificates
 ---------------------------
 
index 6e5aa6c..d70680f 100644 (file)
@@ -131,31 +131,25 @@ Running services
 ----------------
 
 .. index::
-   single: Apache
-   single: MariaDB
-   single: Postfix
-   single: Redis
+   single: apache httpd
    single: cron
+   single: mariadb
    single: nrpe
    single: openssh
+   single: postfix
+   single: puppet agent
+   single: redis
    single: rsyslog
    single: supervisord
 
 +--------------------+------------------------------+-----------------------------------------------------+
 | Service            | Usage                        | Start mechanism                                     |
 +====================+==============================+=====================================================+
-| openssh server     | ssh daemon for               | init script :file:`/etc/init.d/ssh`                 |
-|                    | remote                       |                                                     |
-|                    | administration               |                                                     |
-+--------------------+------------------------------+-----------------------------------------------------+
 | Apache httpd       | Webserver for                | init script                                         |
 |                    | Pootle                       | :file:`/etc/init.d/apache2`                         |
 +--------------------+------------------------------+-----------------------------------------------------+
 | cron               | job scheduler                | init script :file:`/etc/init.d/cron`                |
 +--------------------+------------------------------+-----------------------------------------------------+
-| rsyslog            | syslog daemon                | init script                                         |
-|                    |                              | :file:`/etc/init.d/syslog`                          |
-+--------------------+------------------------------+-----------------------------------------------------+
 | MySQL              | MySQL database               | init script                                         |
 |                    | server for Pootle            | :file:`/etc/init.d/mysql`                           |
 +--------------------+------------------------------+-----------------------------------------------------+
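Review bot: the index term is changed to `mariadb` while the table row it refers to still says `MySQL`, `MySQL database server for Pootle` and `/etc/init.d/mysql`; index and table should name the same product, so either rename the row to MariaDB (if that is what is installed) or keep the index term as `mysql`.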
@@ -163,12 +157,22 @@ Running services
 |                    | local mail                   | :file:`/etc/init.d/postfix`                         |
 |                    | submission                   |                                                     |
 +--------------------+------------------------------+-----------------------------------------------------+
+| Puppet agent       | local Puppet agent           | init script                                         |
+|                    |                              | :file:`/etc/init.d/puppet`                          |
++--------------------+------------------------------+-----------------------------------------------------+
 | Nagios NRPE server | remote monitoring            | init script                                         |
 |                    | service queried by           | :file:`/etc/init.d/nagios-nrpe-server`              |
 |                    | :doc:`monitor`               |                                                     |
 +--------------------+------------------------------+-----------------------------------------------------+
+| openssh server     | ssh daemon for               | init script :file:`/etc/init.d/ssh`                 |
+|                    | remote                       |                                                     |
+|                    | administration               |                                                     |
++--------------------+------------------------------+-----------------------------------------------------+
 | Redis              | Job queue for Pootle         | init script :file:`/etc/init.d/redis-server`        |
 +--------------------+------------------------------+-----------------------------------------------------+
+| rsyslog            | syslog daemon                | init script                                         |
+|                    |                              | :file:`/etc/init.d/syslog`                          |
++--------------------+------------------------------+-----------------------------------------------------+
 | Supervisord        | Supervisor for background    | init script :file:`/etc/init.d/supervisor`          |
 |                    | tasks                        |                                                     |
 +--------------------+------------------------------+-----------------------------------------------------+
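Review bot: the Puppet agent row is inserted between Postfix and Nagios NRPE server, and openssh server lands between Nagios NRPE server and Redis, so the table ends up as Postfix, Puppet agent, Nagios NRPE server, openssh server, Redis, rsyslog, Supervisord; the commit message says the tables are sorted alphabetically, which would require Nagios NRPE server, openssh server, Postfix, Puppet agent, Redis, rsyslog, Supervisord. Please reorder.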
@@ -193,7 +197,7 @@ Connected Systems
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
 * :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
@@ -248,12 +252,21 @@ packages.
    consider building the virtualenv on :doc:`jenkins` to avoid development tools
    on this system
 
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
 Risk assessments on critical packages
 -------------------------------------
 
 System access is limited to http/https via Apache httpd which is restricted to
 a minimal set of modules.
 
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
+
 Pootle is based on Django 1.10 and should be updated to a newer version when it
 becomes available. Pootle is run as a dedicated system user `pootle` that is
 restricted via filesystem permissions.
index f1851a1..d5c51ed 100644 (file)
@@ -128,35 +128,39 @@ Running services
 ----------------
 
 .. index::
-   single: Apache
-   single: Postfix
+   single: apache httpd
    single: cron
    single: nrpe
    single: openssh
+   single: postfix
+   single: puppet agent
    single: rsyslog
 
 +--------------------+---------------------+----------------------------------------+
 | Service            | Usage               | Start mechanism                        |
 +====================+=====================+========================================+
-| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
-|                    | remote              |                                        |
-|                    | administration      |                                        |
-+--------------------+---------------------+----------------------------------------+
 | Apache httpd       | http redirector,    | init script                            |
 |                    | https reverse proxy | :file:`/etc/init.d/apache2`            |
 +--------------------+---------------------+----------------------------------------+
 | cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
 +--------------------+---------------------+----------------------------------------+
-| rsyslog            | syslog daemon       | init script                            |
-|                    |                     | :file:`/etc/init.d/syslog`             |
+| Nagios NRPE server | remote monitoring   | init script                            |
+|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
+|                    | :doc:`monitor`      |                                        |
++--------------------+---------------------+----------------------------------------+
+| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
+|                    | remote              |                                        |
+|                    | administration      |                                        |
 +--------------------+---------------------+----------------------------------------+
 | Postfix            | SMTP server for     | init script                            |
 |                    | local mail          | :file:`/etc/init.d/postfix`            |
 |                    | submission          |                                        |
 +--------------------+---------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring   | init script                            |
-|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`      |                                        |
+| Puppet agent       | configuration       | init script                            |
+|                    | management agent    | :file:`/etc/init.d/puppet`             |
++--------------------+---------------------+----------------------------------------+
+| rsyslog            | syslog daemon       | init script                            |
+|                    |                     | :file:`/etc/init.d/syslog`             |
 +--------------------+---------------------+----------------------------------------+
 
 Connected Systems
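Review bot: the rsyslog row that is moved to the end of the sorted table still gives :file:`/etc/init.d/syslog` as its start mechanism while every other row names the script after its package (apache2, cron, nagios-nrpe-server, ssh, postfix, puppet); confirm on the host that the rsyslog init script is really installed under that name and otherwise correct it to the package's own script name before the row is carried over. The same row appears in the webstatic table below.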
@@ -167,8 +171,9 @@ Connected Systems
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
 * :doc:`jenkins` as backend for the jenkins.cacert.org VirtualHost
 * :doc:`webstatic` as backend for the funding.cacert.org and
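Review bot: the replaced DNS line drops both the protocol/port and the second resolver. The new Puppet entry in the same list gives "(tcp/8140)", so keep the entries consistent and usable for firewall rules by writing ``* :doc:`infra02` (udp+tcp/53) as resolving nameserver``, and state whether a second resolver is still configured now that only one is documented. The same applies to the identical list change in the webstatic hunk below.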
@@ -186,7 +191,9 @@ Security
 Non-distribution packages and modifications
 -------------------------------------------
 
-* None
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
 
 Risk assessments on critical packages
 -------------------------------------
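Review bot: "a few dependencies" is too vague for a section whose purpose is to track non-distribution packages; list the package names taken from the Puppet APT repository (at least the puppet agent package itself and the dependencies that come with it) and say how the repository's signing key is verified, so that these packages can be audited on updates. The same paragraph is added for webstatic below.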
@@ -194,9 +201,19 @@ Risk assessments on critical packages
 Apache httpd is configured with a minimum of enabled modules to allow proxying
 and TLS handling only to reduce potential security risks.
 
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
+
 Critical Configuration items
 ============================
 
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
+
+.. todo:: move configuration of :doc:`web` to Puppet code
+
 Keys and X.509 certificates
 ---------------------------
 
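Review bot: the sentence "There should be no configuration items outside of the Puppet repository" under Critical Configuration items is contradicted by the todo that follows it, which says the configuration of :doc:`web` still has to be moved to Puppet code; state what Puppet manages today and what is still configured by hand until the todo is resolved, e.g. "The base system configuration is managed via Puppet profiles; the Apache configuration is not yet managed by Puppet (see todo)." In the risk assessment, "The puppet agent is not exposed for access from outside the system" should name the control that enforces it, for example that the agent only opens outbound connections to tcp/8140 on :doc:`puppet` as listed under Outbound network connections. Both points apply to the identical text in the webstatic hunk below as well.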
index 7b96d44..4d35c44 100644 (file)
@@ -135,30 +135,22 @@ Running services
 ----------------
 
 .. index::
-   single: Apache
-   single: Exim
+   single: apache httpd
    single: cron
-   single: nginx
+   single: exim
    single: nrpe
    single: openssh
+   single: puppet agent
    single: rsyslog
 
 +--------------------+----------------------+----------------------------------------+
 | Service            | Usage                | Start mechanism                        |
 +====================+======================+========================================+
-| openssh server     | ssh daemon for       | init script :file:`/etc/init.d/ssh`    |
-|                    | remote               |                                        |
-|                    | administration       |                                        |
-|                    | and git access       |                                        |
-+--------------------+----------------------+----------------------------------------+
 | Apache httpd       | Webserver for static | init script                            |
 |                    | content              | :file:`/etc/init.d/apache2`            |
 +--------------------+----------------------+----------------------------------------+
 | cron               | job scheduler        | init script :file:`/etc/init.d/cron`   |
 +--------------------+----------------------+----------------------------------------+
-| rsyslog            | syslog daemon        | init script                            |
-|                    |                      | :file:`/etc/init.d/syslog`             |
-+--------------------+----------------------+----------------------------------------+
 | Exim               | SMTP server for      | init script                            |
 |                    | local mail           | :file:`/etc/init.d/exim4`              |
 |                    | submission           |                                        |
@@ -167,6 +159,17 @@ Running services
 |                    | service queried by   | :file:`/etc/init.d/nagios-nrpe-server` |
 |                    | :doc:`monitor`       |                                        |
 +--------------------+----------------------+----------------------------------------+
+| openssh server     | ssh daemon for       | init script :file:`/etc/init.d/ssh`    |
+|                    | remote               |                                        |
+|                    | administration       |                                        |
+|                    | and git access       |                                        |
++--------------------+----------------------+----------------------------------------+
+| Puppet agent       | configuration        | init script                            |
+|                    | management agent     | :file:`/etc/init.d/puppet`             |
++--------------------+----------------------+----------------------------------------+
+| rsyslog            | syslog daemon        | init script                            |
+|                    |                      | :file:`/etc/init.d/syslog`             |
++--------------------+----------------------+----------------------------------------+
 
 Connected Systems
 -----------------
@@ -180,8 +183,9 @@ Connected Systems
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
 
 Security
@@ -208,6 +212,10 @@ Dedicated user roles
 Non-distribution packages and modifications
 -------------------------------------------
 
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
 The used :program:`gitolite` version is from Debian Jessie and should either
 be replaced by :program:`gitolite3` from Debian Stretch or a combination of
 git repositories on :doc:`git` and web hooks for triggering updates.
@@ -225,9 +233,19 @@ defined set of ssh keys.
 
 .. todo:: check access on gitolite repositories
 
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
+
 Critical Configuration items
 ============================
 
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
+
+.. todo:: move configuration of :doc:`webstatic` to Puppet code
+
 Keys and X.509 certificates
 ---------------------------