Add web and webstatic to Puppet
author Jan Dittberner <jandd@cacert.org>
Mon, 2 Apr 2018 11:12:10 +0000 (13:12 +0200)
committer Jan Dittberner <jandd@cacert.org>
Mon, 2 Apr 2018 11:12:10 +0000 (13:12 +0200)
- update information on puppet managed systems
- sort service tables for changed systems alphabetically
- add puppet agent as third party package where this was not documented
  yet
- document DNS resolution via infra02 on Puppet managed systems

docs/lxcsetup.rst
docs/systems/ircserver.rst
docs/systems/jenkins.rst
docs/systems/proxyout.rst
docs/systems/puppet.rst
docs/systems/svn.rst
docs/systems/translations.rst
docs/systems/web.rst
docs/systems/webstatic.rst

index 3deaa5a..af79cea 100644 (file)
@@ -56,11 +56,13 @@ Setup puppet-agent
   the `cacert-puppet Repository`_ on :doc:`systems/git`
 - see `Puppet agent installation`_ for agent setup (install the agent from
   official Puppet repositories)
   the `cacert-puppet Repository`_ on :doc:`systems/git`
 - see `Puppet agent installation`_ for agent setup (install the agent from
   official Puppet repositories)
-- define the puppet master IP address in :file:`/etc/hosts`:
+- make sure that DNS resolution is performed by :doc:`systems/infra02`. The
+  :file:`/etc/resolv.conf` should contain the following lines:
 
   .. code-block:: text
 
 
   .. code-block:: text
 
-     10.0.0.200        puppet
+     search infra.cacert.org intra.cacert.org
+     nameserver 10.0.0.1
 
 - set the certname in :file:`/etc/puppetlabs/puppet/puppet.conf` to match
   the name of the file in :file:`hieradata/nodes/` for the system:
 
 - set the certname in :file:`/etc/puppetlabs/puppet/puppet.conf` to match
   the name of the file in :file:`hieradata/nodes/` for the system:
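Review bot: the rewritten step removes the explicit `10.0.0.200        puppet` host entry without saying which name the agent now uses to reach the master, so a reader cannot tell whether the bare name `puppet` is expected to resolve through the `search infra.cacert.org intra.cacert.org` domains or whether `server` has to be set in :file:`/etc/puppetlabs/puppet/puppet.conf` alongside the certname; one sentence such as `the Puppet master must be resolvable under its infra.cacert.org name before the first agent run` would close that gap. The snippet also lists a single `nameserver 10.0.0.1`, which makes :doc:`systems/infra02` a single point of failure for every agent run on every managed system; if that is intended, state it, otherwise document the fallback resolver.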
index 50852ad..7f33763 100644 (file)
@@ -155,40 +155,33 @@ Running services
 ----------------
 
 .. index::
 ----------------
 
 .. index::
+   single: atheme-services
    single: cron
    single: exim
    single: cron
    single: exim
+   single: inspircd
+   single: kiwiirc
+   single: nginx
    single: nrpe
    single: openssh
    single: nrpe
    single: openssh
-   single: inspircd
-   single: atheme-services
+   single: puppet agent
+   single: rsyslog
    single: votebot
 
 +--------------------+--------------------+----------------------------------------+
 | Service            | Usage              | Start mechanism                        |
 +====================+====================+========================================+
    single: votebot
 
 +--------------------+--------------------+----------------------------------------+
 | Service            | Usage              | Start mechanism                        |
 +====================+====================+========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
-|                    | remote             |                                        |
-|                    | administration     |                                        |
+| atheme-services    | IRC services       | init script                            |
+|                    |                    | :file:`/etc/init.d/atheme-services`    |
 +--------------------+--------------------+----------------------------------------+
 | cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
 +--------------------+--------------------+----------------------------------------+
 +--------------------+--------------------+----------------------------------------+
 | cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
 +--------------------+--------------------+----------------------------------------+
-| rsyslog            | syslog daemon      | init script                            |
-|                    |                    | :file:`/etc/init.d/syslog`             |
-+--------------------+--------------------+----------------------------------------+
 | Exim               | SMTP server for    | init script                            |
 |                    | local mail         | :file:`/etc/init.d/exim4`              |
 |                    | submission         |                                        |
 +--------------------+--------------------+----------------------------------------+
 | Exim               | SMTP server for    | init script                            |
 |                    | local mail         | :file:`/etc/init.d/exim4`              |
 |                    | submission         |                                        |
 +--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                            |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`     |                                        |
-+--------------------+--------------------+----------------------------------------+
 | inspircd           | IRC daemon         | init script                            |
 |                    |                    | :file:`/etc/init.d/inspircd`           |
 +--------------------+--------------------+----------------------------------------+
 | inspircd           | IRC daemon         | init script                            |
 |                    |                    | :file:`/etc/init.d/inspircd`           |
 +--------------------+--------------------+----------------------------------------+
-| atheme-services    | IRC services       | init script                            |
-|                    |                    | :file:`/etc/init.d/atheme-services`    |
-+--------------------+--------------------+----------------------------------------+
 | kiwiirc            | IRC web client     | start script                           |
 |                    |                    | :file:`/home/kiwiirc/KiwiIRC/kiwi`     |
 |                    |                    | started by user kiwiirc                |
 | kiwiirc            | IRC web client     | start script                           |
 |                    |                    | :file:`/home/kiwiirc/KiwiIRC/kiwi`     |
 |                    |                    | started by user kiwiirc                |
@@ -196,6 +189,20 @@ Running services
 | nginx              | Reverse proxy for  | init script                            |
 |                    | kiwiirc            | :file:`/etc/init.d/nginx`              |
 +--------------------+--------------------+----------------------------------------+
 | nginx              | Reverse proxy for  | init script                            |
 |                    | kiwiirc            | :file:`/etc/init.d/nginx`              |
 +--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring  | init script                            |
+|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+|                    | :doc:`monitor`     |                                        |
++--------------------+--------------------+----------------------------------------+
+| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
+|                    | remote             |                                        |
+|                    | administration     |                                        |
++--------------------+--------------------+----------------------------------------+
+| Puppet agent       | configuration      | init script                            |
+|                    | management agent   | :file:`/etc/init.d/puppet`             |
++--------------------+--------------------+----------------------------------------+
+| rsyslog            | syslog daemon      | init script                            |
+|                    |                    | :file:`/etc/init.d/syslog`             |
++--------------------+--------------------+----------------------------------------+
 | votebot            | CAcert vote bot    | init script (spring-boot)              |
 |                    |                    | :file:`/etc/init.d/cacert-votebot`     |
 +--------------------+--------------------+----------------------------------------+
 | votebot            | CAcert vote bot    | init script (spring-boot)              |
 |                    |                    | :file:`/etc/init.d/cacert-votebot`     |
 +--------------------+--------------------+----------------------------------------+
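Review bot: the alphabetical order announced in the commit message is not quite reached here: the new `Nagios NRPE server` rows are inserted below the `nginx` rows that form this hunk's leading context, although `nagios` sorts before `nginx`; move the NRPE block above nginx. While the `rsyslog` row is being moved, please also check its start mechanism: Debian's rsyslog package installs :file:`/etc/init.d/rsyslog`, not :file:`/etc/init.d/syslog`, so the path carried over from the old table is likely wrong (the same path is in the rsyslog rows added to the other system pages in this commit).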
@@ -208,7 +215,7 @@ Connected Systems
 Outbound network connections
 ----------------------------
 
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
 * :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
 * :doc:`emailout` as SMTP relay
 * :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
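Review bot: the removed line recorded protocol and port (`DNS (53)`) while the replacement `:doc:`infra02` as resolving nameserver` does not, even though the neighbouring `:doc:`puppet` (tcp/8140)` entry keeps that detail; this list is what firewall rules and egress reviews are checked against, so keep the port, e.g. `* :doc:`infra02` (udp/tcp 53) as resolving nameserver`. The same applies to the identical replacement made in the other system pages of this commit.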
@@ -236,6 +243,10 @@ Dedicated user roles
 Non-distribution packages and modifications
 -------------------------------------------
 
 Non-distribution packages and modifications
 -------------------------------------------
 
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
 Votebot
 ~~~~~~~
 
 Votebot
 ~~~~~~~
 
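Review bot: the added paragraph records where the Puppet agent package comes from but not how the official Puppet APT repository is trusted, which is exactly what a "Non-distribution packages and modifications" section exists to capture; add how the repository's signing key and APT source are installed, whether Puppet itself manages them, and which Puppet release the repository tracks, so that the next person can verify the package provenance rather than take it on faith.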
@@ -275,6 +286,10 @@ that available updates are applied.
 
 .. todo:: implement some update monitoring for Kiwi IRC
 
 
 .. todo:: implement some update monitoring for Kiwi IRC
 
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
 
 Critical Configuration items
 ============================
 
 Critical Configuration items
 ============================
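Review bot: the added assessment `The puppet agent is not exposed for access from outside the system` states a conclusion without the reason a reviewer could check; one clause on why (for example that the agent only pulls from the master and opens no listening socket, if that is the case here) would make the claim verifiable against the service table above. The same four lines are also added to the proxyout page in this commit and the first two sentences already appear on the puppet page; an `.. include::` of a shared snippet would keep the copies from drifting apart.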
index d7c67fd..0ccf7bf 100644 (file)
@@ -131,35 +131,39 @@ Running services
 ----------------
 
 .. index::
 ----------------
 
 .. index::
-   single: Exim
-   single: Jenkins
    single: cron
    single: cron
+   single: exim
+   single: jenkins
    single: nrpe
    single: openssh
    single: nrpe
    single: openssh
+   single: puppet agent
    single: rsyslog
 
 +--------------------+--------------------+-----------------------------------------+
 | Service            | Usage              | Start mechanism                         |
 +====================+====================+=========================================+
    single: rsyslog
 
 +--------------------+--------------------+-----------------------------------------+
 | Service            | Usage              | Start mechanism                         |
 +====================+====================+=========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`     |
-|                    | remote             |                                         |
-|                    | administration     |                                         |
-+--------------------+--------------------+-----------------------------------------+
-| Jenkins            | Jenkins CI server  | init script :file:`/etc/init.d/jenkins` |
-+--------------------+--------------------+-----------------------------------------+
 | cron               | job scheduler      | init script :file:`/etc/init.d/cron`    |
 +--------------------+--------------------+-----------------------------------------+
 | cron               | job scheduler      | init script :file:`/etc/init.d/cron`    |
 +--------------------+--------------------+-----------------------------------------+
-| rsyslog            | syslog daemon      | init script                             |
-|                    |                    | :file:`/etc/init.d/syslog`              |
-+--------------------+--------------------+-----------------------------------------+
 | Exim               | SMTP server for    | init script                             |
 |                    | local mail         | :file:`/etc/init.d/exim4`               |
 |                    | submission         |                                         |
 +--------------------+--------------------+-----------------------------------------+
 | Exim               | SMTP server for    | init script                             |
 |                    | local mail         | :file:`/etc/init.d/exim4`               |
 |                    | submission         |                                         |
 +--------------------+--------------------+-----------------------------------------+
+| Jenkins            | Jenkins CI server  | init script :file:`/etc/init.d/jenkins` |
++--------------------+--------------------+-----------------------------------------+
 | Nagios NRPE server | remote monitoring  | init script                             |
 |                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server`  |
 |                    | :doc:`monitor`     |                                         |
 +--------------------+--------------------+-----------------------------------------+
 | Nagios NRPE server | remote monitoring  | init script                             |
 |                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server`  |
 |                    | :doc:`monitor`     |                                         |
 +--------------------+--------------------+-----------------------------------------+
+| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`     |
+|                    | remote             |                                         |
+|                    | administration     |                                         |
++--------------------+--------------------+-----------------------------------------+
+| Puppet agent       | configuration      | init script                             |
+|                    | management agent   | :file:`/etc/init.d/puppet`              |
++--------------------+--------------------+-----------------------------------------+
+| rsyslog            | syslog daemon      | init script                             |
+|                    |                    | :file:`/etc/init.d/syslog`              |
++--------------------+--------------------+-----------------------------------------+
 
 Connected Systems
 -----------------
 
 Connected Systems
 -----------------
@@ -173,7 +177,7 @@ Connected Systems
 Outbound network connections
 ----------------------------
 
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
 * :doc:`git` for fetching source code
 * :doc:`proxyout` as HTTP proxy for APT and Jenkins plugin updates
 * :doc:`emailout` as SMTP relay
 * :doc:`git` for fetching source code
 * :doc:`proxyout` as HTTP proxy for APT and Jenkins plugin updates
@@ -218,6 +222,8 @@ Critical Configuration items
 The system configuration is managed via Puppet profiles. There should be no
 configuration items outside of the Puppet repository.
 
 The system configuration is managed via Puppet profiles. There should be no
 configuration items outside of the Puppet repository.
 
+.. todo:: move configuration of :doc:`jenkins` to Puppet code
+
 Jenkins configuration
 ---------------------
 
 Jenkins configuration
 ---------------------
 
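Review bot: the two context sentences directly above the new todo assert that there should be no configuration items outside the Puppet repository, while the todo itself admits that the Jenkins configuration is not in Puppet yet, so the page claims a state it does not have. Reword the statement to the current state, for example `The base system configuration is managed via Puppet profiles; the Jenkins configuration is still maintained manually (see todo below)`. The same combination of statement and todo is added to the svn page later in this commit and needs the same fix.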
index c538bbf..a72ced5 100644 (file)
@@ -117,28 +117,32 @@ Running services
 ----------------
 
 .. index::
 ----------------
 
 .. index::
-   single: puppet agent
    single: cron
    single: cron
-   single: exim4
-   single: squid
+   single: exim
    single: openssh
    single: openssh
+   single: puppet agent
+   single: rsyslog
+   single: squid
 
 +----------------+--------------------+--------------------------------------+
 | Service        | Usage              | Start mechanism                      |
 +================+====================+======================================+
 
 +----------------+--------------------+--------------------------------------+
 | Service        | Usage              | Start mechanism                      |
 +================+====================+======================================+
-| openssh server | ssh daemon for     | init script :file:`/etc/init.d/ssh`  |
-|                | remote             |                                      |
-|                | administration     |                                      |
-+----------------+--------------------+--------------------------------------+
 | cron           | job scheduler      | init script :file:`/etc/init.d/cron` |
 +----------------+--------------------+--------------------------------------+
 | Exim           | SMTP server for    | init script                          |
 |                | local mail         | :file:`/etc/init.d/exim4`            |
 |                | submission         |                                      |
 +----------------+--------------------+--------------------------------------+
 | cron           | job scheduler      | init script :file:`/etc/init.d/cron` |
 +----------------+--------------------+--------------------------------------+
 | Exim           | SMTP server for    | init script                          |
 |                | local mail         | :file:`/etc/init.d/exim4`            |
 |                | submission         |                                      |
 +----------------+--------------------+--------------------------------------+
+| openssh server | ssh daemon for     | init script :file:`/etc/init.d/ssh`  |
+|                | remote             |                                      |
+|                | administration     |                                      |
++----------------+--------------------+--------------------------------------+
 | Puppet agent   | local Puppet agent | init script                          |
 |                |                    | :file:`/etc/init.d/puppet`           |
 +----------------+--------------------+--------------------------------------+
 | Puppet agent   | local Puppet agent | init script                          |
 |                |                    | :file:`/etc/init.d/puppet`           |
 +----------------+--------------------+--------------------------------------+
+| rsyslog        | syslog daemon      | init script                          |
+|                |                    | :file:`/etc/init.d/syslog`           |
++----------------+--------------------+--------------------------------------+
 | Squid          | Caching and        | init script                          |
 |                | filtering http/    | :file:`/etc/init.d/squid`            |
 |                | https proxy for    |                                      |
 | Squid          | Caching and        | init script                          |
 |                | filtering http/    | :file:`/etc/init.d/squid`            |
 |                | https proxy for    |                                      |
@@ -171,7 +175,7 @@ Connected Systems
 Outbound network connections
 ----------------------------
 
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
 * :doc:`puppet` (tcp/8140) as Puppet master
 * .debian.org Debian mirrors
 * :doc:`emailout` as SMTP relay
 * :doc:`puppet` (tcp/8140) as Puppet master
 * .debian.org Debian mirrors
@@ -182,9 +186,9 @@ Security
 ========
 
 .. sshkeys::
 ========
 
 .. sshkeys::
-   :ECDSA:   74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
-   :ED25519: 43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4
-   :RSA:     1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f
+   :RSA:     SHA256:TfsDuQ2tuWnTlpLnFILxlZa+IOpC97QmxDAlGgCa0/I MD5:1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f
+   :ECDSA:   SHA256:d79XAVk0pspIVoI7i4ffohM7PjaBMJdh1J4yv+4Z5ms MD5:74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
+   :ED25519: SHA256:26yiJUT3NfqpFDLgAgXSsRL7ppMiIpNqKmfDiMxpAqc MD5:43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4
 
 Non-distribution packages and modifications
 -------------------------------------------
 
 Non-distribution packages and modifications
 -------------------------------------------
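Review bot: the new `sshkeys` lines carry both SHA256 and MD5 fingerprints but do not say which one an administrator should verify against; SHA256 is the form OpenSSH prints by default since 6.8 and should be named as the authoritative one, with MD5 kept only for older clients that cannot display it. The key order also changed to RSA, ECDSA, ED25519 while the rest of this commit sorts lists alphabetically; either order is fine, but it should be consistent across the system pages.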
@@ -199,6 +203,11 @@ Risk assessments on critical packages
 Squid is a proven http and https proxy installed from distribution packages
 with low risk.
 
 Squid is a proven http and https proxy installed from distribution packages
 with low risk.
 
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
+
 Critical Configuration items
 ============================
 
 Critical Configuration items
 ============================
 
index 0d4dc8c..986c117 100644 (file)
@@ -124,35 +124,32 @@ Running services
 ----------------
 
 .. index::
 ----------------
 
 .. index::
-   single: Exim
-   single: PostgreSQL
-   single: Puppet agent
-   single: Puppet server
-   single: Puppetdb
    single: cron
    single: cron
+   single: exim
    single: openssh
    single: openssh
+   single: postgresql
+   single: puppet agent
+   single: puppet server
+   single: puppetdb
    single: rsyslog
 
 +--------------------+--------------------+----------------------------------------+
 | Service            | Usage              | Start mechanism                        |
 +====================+====================+========================================+
    single: rsyslog
 
 +--------------------+--------------------+----------------------------------------+
 | Service            | Usage              | Start mechanism                        |
 +====================+====================+========================================+
+| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
++--------------------+--------------------+----------------------------------------+
+| Exim               | SMTP server for    | init script                            |
+|                    | local mail         | :file:`/etc/init.d/exim4`              |
+|                    | submission         |                                        |
++--------------------+--------------------+----------------------------------------+
 | openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
 |                    | remote             |                                        |
 |                    | administration     |                                        |
 +--------------------+--------------------+----------------------------------------+
 | openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
 |                    | remote             |                                        |
 |                    | administration     |                                        |
 +--------------------+--------------------+----------------------------------------+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
-+--------------------+--------------------+----------------------------------------+
-| rsyslog            | syslog daemon      | init script                            |
-|                    |                    | :file:`/etc/init.d/syslog`             |
-+--------------------+--------------------+----------------------------------------+
 | PostgreSQL         | PostgreSQL         | init script                            |
 |                    | database server    | :file:`/etc/init.d/postgresql`         |
 |                    | for PuppetDB       |                                        |
 +--------------------+--------------------+----------------------------------------+
 | PostgreSQL         | PostgreSQL         | init script                            |
 |                    | database server    | :file:`/etc/init.d/postgresql`         |
 |                    | for PuppetDB       |                                        |
 +--------------------+--------------------+----------------------------------------+
-| Exim               | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/exim4`              |
-|                    | submission         |                                        |
-+--------------------+--------------------+----------------------------------------+
 | Puppet server      | Puppet master for  | init script                            |
 |                    | infrastructure     | :file:`/etc/init.d/puppetserver`       |
 |                    | systems            |                                        |
 | Puppet server      | Puppet master for  | init script                            |
 |                    | infrastructure     | :file:`/etc/init.d/puppetserver`       |
 |                    | systems            |                                        |
@@ -160,11 +157,14 @@ Running services
 | Puppet agent       | local Puppet agent | init script                            |
 |                    |                    | :file:`/etc/init.d/puppet`             |
 +--------------------+--------------------+----------------------------------------+
 | Puppet agent       | local Puppet agent | init script                            |
 |                    |                    | :file:`/etc/init.d/puppet`             |
 +--------------------+--------------------+----------------------------------------+
-| Puppet DB          | PuppetDB for       | init script                            |
+| PuppetDB           | PuppetDB for       | init script                            |
 |                    | querying Puppet    | :file:`/etc/init.d/puppetdb`           |
 |                    | facts and nodes    |                                        |
 |                    | and resources      |                                        |
 +--------------------+--------------------+----------------------------------------+
 |                    | querying Puppet    | :file:`/etc/init.d/puppetdb`           |
 |                    | facts and nodes    |                                        |
 |                    | and resources      |                                        |
 +--------------------+--------------------+----------------------------------------+
+| rsyslog            | syslog daemon      | init script                            |
+|                    |                    | :file:`/etc/init.d/syslog`             |
++--------------------+--------------------+----------------------------------------+
 
 Databases
 ---------
 
 Databases
 ---------
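Review bot: the `Puppet agent` rows at the top of this hunk still follow the `Puppet server` rows that close the previous hunk, so the table is not alphabetical at this point; the order should be `Puppet agent`, `Puppet server`, `PuppetDB`, which is the order the index entries (`puppet agent`, `puppet server`, `puppetdb`) already use. The `Puppet DB` to `PuppetDB` rename in the first column is fine, as it now matches the index entry and the description text.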
@@ -185,11 +185,13 @@ Connected Systems
 * :doc:`proxyout`
 * :doc:`svn`
 * :doc:`translations`
 * :doc:`proxyout`
 * :doc:`svn`
 * :doc:`translations`
+* :doc:`web`
+* :doc:`webstatic`
 
 Outbound network connections
 ----------------------------
 
 
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
 * :doc:`proxyout` as HTTP proxy for APT
 * forgeapi.puppet.com for Puppet forge access
 * :doc:`emailout` as SMTP relay
 * :doc:`proxyout` as HTTP proxy for APT
 * forgeapi.puppet.com for Puppet forge access
@@ -216,7 +218,6 @@ advanced Puppet functionality like hiera-eyaml.
 All puppet related code is installed in the Puppet specific /opt/puppetlabs
 tree.
 
 All puppet related code is installed in the Puppet specific /opt/puppetlabs
 tree.
 
-
 Risk assessments on critical packages
 -------------------------------------
 
 Risk assessments on critical packages
 -------------------------------------
 
@@ -224,7 +225,6 @@ The system uses third party packages with a good security track record and
 regular updates. The attack surface is small due to the tightly restricted
 access to the system.
 
 regular updates. The attack surface is small due to the tightly restricted
 access to the system.
 
-
 Critical Configuration items
 ============================
 
 Critical Configuration items
 ============================
 
index 398ef1a..cdfcbdb 100644 (file)
@@ -144,20 +144,17 @@ Running services
 ----------------
 
 .. index::
 ----------------
 
 .. index::
-   single: Apache
-   single: Exim
-   single: Puppet agent
+   single: apache httpd
    single: cron
    single: cron
+   single: exim
    single: nrpe
    single: openssh
    single: nrpe
    single: openssh
+   single: puppet agent
+   single: rsyslog
 
 +--------------------+--------------------+----------------------------------------+
 | Service            | Usage              | Start mechanism                        |
 +====================+====================+========================================+
 
 +--------------------+--------------------+----------------------------------------+
 | Service            | Usage              | Start mechanism                        |
 +====================+====================+========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
-|                    | remote             |                                        |
-|                    | administration     |                                        |
-+--------------------+--------------------+----------------------------------------+
 | Apache httpd       | Webserver for      | init script                            |
 |                    | Subversion         | :file:`/etc/init.d/apache2`            |
 +--------------------+--------------------+----------------------------------------+
 | Apache httpd       | Webserver for      | init script                            |
 |                    | Subversion         | :file:`/etc/init.d/apache2`            |
 +--------------------+--------------------+----------------------------------------+
@@ -171,9 +168,16 @@ Running services
 |                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
 |                    | :doc:`monitor`     |                                        |
 +--------------------+--------------------+----------------------------------------+
 |                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
 |                    | :doc:`monitor`     |                                        |
 +--------------------+--------------------+----------------------------------------+
+| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
+|                    | remote             |                                        |
+|                    | administration     |                                        |
++--------------------+--------------------+----------------------------------------+
 | Puppet agent       | configuration      | init script                            |
 |                    | management agent   | :file:`/etc/init.d/puppet`             |
 +--------------------+--------------------+----------------------------------------+
 | Puppet agent       | configuration      | init script                            |
 |                    | management agent   | :file:`/etc/init.d/puppet`             |
 +--------------------+--------------------+----------------------------------------+
+| rsyslog            | syslog daemon      | init script                            |
+|                    |                    | :file:`/etc/init.d/syslog`             |
++--------------------+--------------------+----------------------------------------+
 
 Connected Systems
 -----------------
 
 Connected Systems
 -----------------
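Review bot: the rsyslog row added at the end of this hunk points at :file:`/etc/init.d/syslog`; please verify that path against the init script the rsyslog package actually installs (I would expect :file:`/etc/init.d/rsyslog`, named after the package like the :file:`/etc/init.d/ssh` and :file:`/etc/init.d/puppet` rows next to it), because this column is what an operator follows when restarting logging during an incident and a wrong path here is worse than no entry.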
@@ -186,7 +190,7 @@ Outbound network connections
 ----------------------------
 
 * crl.cacert.org (rsync) for getting CRLs
 ----------------------------
 
 * crl.cacert.org (rsync) for getting CRLs
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
 * :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
 * :doc:`emailout` as SMTP relay
 * :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
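Review bot: the replacement line drops the port that the old entry carried (`DNS (53)`), while the puppet entry two lines below keeps its `(tcp/8140)`; keep the port on the new line, e.g. `* :doc:`infra02` (53) as resolving nameserver`, so this egress list remains usable as the source for firewall rules.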
@@ -222,6 +226,11 @@ the system.
 Critical Configuration items
 ============================
 
 Critical Configuration items
 ============================
 
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
+
+.. todo:: move configuration of :doc:`svn` to Puppet code
+
 Keys and X.509 certificates
 ---------------------------
 
 Keys and X.509 certificates
 ---------------------------
 
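Review bot: the added sentence `There should be no configuration items outside of the Puppet repository.` reads as a description of the current state, but the todo directly below it says the svn configuration still has to be moved to Puppet code; word it as the target state (for example "is intended to be managed entirely via Puppet profiles") until the todo is resolved, otherwise an auditor reading this section will assume no locally maintained configuration exists on the system.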
index 6e5aa6c..d70680f 100644 (file)
@@ -131,31 +131,25 @@ Running services
 ----------------
 
 .. index::
 ----------------
 
 .. index::
-   single: Apache
-   single: MariaDB
-   single: Postfix
-   single: Redis
+   single: apache httpd
    single: cron
    single: cron
+   single: mariadb
    single: nrpe
    single: openssh
    single: nrpe
    single: openssh
+   single: postfix
+   single: puppet agent
+   single: redis
    single: rsyslog
    single: supervisord
 
 +--------------------+------------------------------+-----------------------------------------------------+
 | Service            | Usage                        | Start mechanism                                     |
 +====================+==============================+=====================================================+
    single: rsyslog
    single: supervisord
 
 +--------------------+------------------------------+-----------------------------------------------------+
 | Service            | Usage                        | Start mechanism                                     |
 +====================+==============================+=====================================================+
-| openssh server     | ssh daemon for               | init script :file:`/etc/init.d/ssh`                 |
-|                    | remote                       |                                                     |
-|                    | administration               |                                                     |
-+--------------------+------------------------------+-----------------------------------------------------+
 | Apache httpd       | Webserver for                | init script                                         |
 |                    | Pootle                       | :file:`/etc/init.d/apache2`                         |
 +--------------------+------------------------------+-----------------------------------------------------+
 | cron               | job scheduler                | init script :file:`/etc/init.d/cron`                |
 +--------------------+------------------------------+-----------------------------------------------------+
 | Apache httpd       | Webserver for                | init script                                         |
 |                    | Pootle                       | :file:`/etc/init.d/apache2`                         |
 +--------------------+------------------------------+-----------------------------------------------------+
 | cron               | job scheduler                | init script :file:`/etc/init.d/cron`                |
 +--------------------+------------------------------+-----------------------------------------------------+
-| rsyslog            | syslog daemon                | init script                                         |
-|                    |                              | :file:`/etc/init.d/syslog`                          |
-+--------------------+------------------------------+-----------------------------------------------------+
 | MySQL              | MySQL database               | init script                                         |
 |                    | server for Pootle            | :file:`/etc/init.d/mysql`                           |
 +--------------------+------------------------------+-----------------------------------------------------+
 | MySQL              | MySQL database               | init script                                         |
 |                    | server for Pootle            | :file:`/etc/init.d/mysql`                           |
 +--------------------+------------------------------+-----------------------------------------------------+
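Review bot: the index term is renamed to `single: mariadb`, but the table row it refers to still reads `MySQL | MySQL database server for Pootle` with :file:`/etc/init.d/mysql`; either keep the index entry as mysql or update the row to name the package that is actually installed, so the index points at a term that appears in the table.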
@@ -163,12 +157,22 @@ Running services
 |                    | local mail                   | :file:`/etc/init.d/postfix`                         |
 |                    | submission                   |                                                     |
 +--------------------+------------------------------+-----------------------------------------------------+
 |                    | local mail                   | :file:`/etc/init.d/postfix`                         |
 |                    | submission                   |                                                     |
 +--------------------+------------------------------+-----------------------------------------------------+
+| Puppet agent       | local Puppet agent           | init script                                         |
+|                    |                              | :file:`/etc/init.d/puppet`                          |
++--------------------+------------------------------+-----------------------------------------------------+
 | Nagios NRPE server | remote monitoring            | init script                                         |
 |                    | service queried by           | :file:`/etc/init.d/nagios-nrpe-server`              |
 |                    | :doc:`monitor`               |                                                     |
 +--------------------+------------------------------+-----------------------------------------------------+
 | Nagios NRPE server | remote monitoring            | init script                                         |
 |                    | service queried by           | :file:`/etc/init.d/nagios-nrpe-server`              |
 |                    | :doc:`monitor`               |                                                     |
 +--------------------+------------------------------+-----------------------------------------------------+
+| openssh server     | ssh daemon for               | init script :file:`/etc/init.d/ssh`                 |
+|                    | remote                       |                                                     |
+|                    | administration               |                                                     |
++--------------------+------------------------------+-----------------------------------------------------+
 | Redis              | Job queue for Pootle         | init script :file:`/etc/init.d/redis-server`        |
 +--------------------+------------------------------+-----------------------------------------------------+
 | Redis              | Job queue for Pootle         | init script :file:`/etc/init.d/redis-server`        |
 +--------------------+------------------------------+-----------------------------------------------------+
+| rsyslog            | syslog daemon                | init script                                         |
+|                    |                              | :file:`/etc/init.d/syslog`                          |
++--------------------+------------------------------+-----------------------------------------------------+
 | Supervisord        | Supervisor for background    | init script :file:`/etc/init.d/supervisor`          |
 |                    | tasks                        |                                                     |
 +--------------------+------------------------------+-----------------------------------------------------+
 | Supervisord        | Supervisor for background    | init script :file:`/etc/init.d/supervisor`          |
 |                    | tasks                        |                                                     |
 +--------------------+------------------------------+-----------------------------------------------------+
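Review bot: the new `Puppet agent` row is inserted between Postfix and Nagios NRPE server, which breaks the alphabetical order the rest of this hunk establishes (openssh server moved after Nagios, rsyslog moved before Supervisord); it belongs after `openssh server` and before Redis. The usage text `local Puppet agent` also differs from `configuration management agent` used for the same row in the other system documents in this commit, so pick one wording.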
@@ -193,7 +197,7 @@ Connected Systems
 Outbound network connections
 ----------------------------
 
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
 * :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
 * :doc:`emailout` as SMTP relay
 * :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
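Review bot: the old entry listed two resolvers (172.16.2.2 and 172.16.2.3); the replacement names only :doc:`infra02`, so this system now depends on a single nameserver for its Puppet master, SMTP relay and APT proxy lookups. If a second resolver is configured, list it here; if not, the single point of failure belongs in the risk assessment section below.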
@@ -248,12 +252,21 @@ packages.
    consider building the virtualenv on :doc:`jenkins` to avoid development tools
    on this system
 
    consider building the virtualenv on :doc:`jenkins` to avoid development tools
    on this system
 
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
 Risk assessments on critical packages
 -------------------------------------
 
 System access is limited to http/https via Apache httpd which is restricted to
 a minimal set of modules.
 
 Risk assessments on critical packages
 -------------------------------------
 
 System access is limited to http/https via Apache httpd which is restricted to
 a minimal set of modules.
 
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
+
 Pootle is based on Django 1.10 and should be updated to a newer version when it
 becomes available. Pootle is run as a dedicated system user `pootle` that is
 restricted via filesystem permissions.
 Pootle is based on Django 1.10 and should be updated to a newer version when it
 becomes available. Pootle is run as a dedicated system user `pootle` that is
 restricted via filesystem permissions.
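Review bot: `The system uses third party packages with a good security track record` does not say which packages are meant; the only third-party source this hunk names is the Puppet APT repository, so reference it explicitly and document how that repository's signing key is obtained and verified on the system, since the trust in that key is what this risk statement actually rests on.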
index f1851a1..d5c51ed 100644 (file)
@@ -128,35 +128,39 @@ Running services
 ----------------
 
 .. index::
 ----------------
 
 .. index::
-   single: Apache
-   single: Postfix
+   single: apache httpd
    single: cron
    single: nrpe
    single: openssh
    single: cron
    single: nrpe
    single: openssh
+   single: postfix
+   single: puppet agent
    single: rsyslog
 
 +--------------------+---------------------+----------------------------------------+
 | Service            | Usage               | Start mechanism                        |
 +====================+=====================+========================================+
    single: rsyslog
 
 +--------------------+---------------------+----------------------------------------+
 | Service            | Usage               | Start mechanism                        |
 +====================+=====================+========================================+
-| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
-|                    | remote              |                                        |
-|                    | administration      |                                        |
-+--------------------+---------------------+----------------------------------------+
 | Apache httpd       | http redirector,    | init script                            |
 |                    | https reverse proxy | :file:`/etc/init.d/apache2`            |
 +--------------------+---------------------+----------------------------------------+
 | cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
 +--------------------+---------------------+----------------------------------------+
 | Apache httpd       | http redirector,    | init script                            |
 |                    | https reverse proxy | :file:`/etc/init.d/apache2`            |
 +--------------------+---------------------+----------------------------------------+
 | cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
 +--------------------+---------------------+----------------------------------------+
-| rsyslog            | syslog daemon       | init script                            |
-|                    |                     | :file:`/etc/init.d/syslog`             |
+| Nagios NRPE server | remote monitoring   | init script                            |
+|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
+|                    | :doc:`monitor`      |                                        |
++--------------------+---------------------+----------------------------------------+
+| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
+|                    | remote              |                                        |
+|                    | administration      |                                        |
 +--------------------+---------------------+----------------------------------------+
 | Postfix            | SMTP server for     | init script                            |
 |                    | local mail          | :file:`/etc/init.d/postfix`            |
 |                    | submission          |                                        |
 +--------------------+---------------------+----------------------------------------+
 +--------------------+---------------------+----------------------------------------+
 | Postfix            | SMTP server for     | init script                            |
 |                    | local mail          | :file:`/etc/init.d/postfix`            |
 |                    | submission          |                                        |
 +--------------------+---------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring   | init script                            |
-|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`      |                                        |
+| Puppet agent       | configuration       | init script                            |
+|                    | management agent    | :file:`/etc/init.d/puppet`             |
++--------------------+---------------------+----------------------------------------+
+| rsyslog            | syslog daemon       | init script                            |
+|                    |                     | :file:`/etc/init.d/syslog`             |
 +--------------------+---------------------+----------------------------------------+
 
 Connected Systems
 +--------------------+---------------------+----------------------------------------+
 
 Connected Systems
@@ -167,8 +171,9 @@ Connected Systems
 Outbound network connections
 ----------------------------
 
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
 * :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
 * :doc:`jenkins` as backend for the jenkins.cacert.org VirtualHost
 * :doc:`webstatic` as backend for the funding.cacert.org and
 * :doc:`proxyout` as HTTP proxy for APT
 * :doc:`jenkins` as backend for the jenkins.cacert.org VirtualHost
 * :doc:`webstatic` as backend for the funding.cacert.org and
@@ -186,7 +191,9 @@ Security
 Non-distribution packages and modifications
 -------------------------------------------
 
 Non-distribution packages and modifications
 -------------------------------------------
 
-* None
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
 
 Risk assessments on critical packages
 -------------------------------------
 
 Risk assessments on critical packages
 -------------------------------------
@@ -194,9 +201,19 @@ Risk assessments on critical packages
 Apache httpd is configured with a minimum of enabled modules to allow proxying
 and TLS handling only to reduce potential security risks.
 
 Apache httpd is configured with a minimum of enabled modules to allow proxying
 and TLS handling only to reduce potential security risks.
 
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
+
 Critical Configuration items
 ============================
 
 Critical Configuration items
 ============================
 
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
+
+.. todo:: move configuration of :doc:`web` to Puppet code
+
 Keys and X.509 certificates
 ---------------------------
 
 Keys and X.509 certificates
 ---------------------------
 
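Review bot: `The attack surface is small due to the tightly restricted access to the system` is hard to defend for this system, whose Apache httpd row describes it as `http redirector, https reverse proxy`, i.e. the Internet-facing entry point for the jenkins.cacert.org and funding.cacert.org VirtualHosts; the same paragraph is pasted unchanged into the other system documents in this commit. For web.rst, qualify it (the reverse proxy is exposed, the Puppet agent and the remaining services are not) instead of reusing the template text.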
index 7b96d44..4d35c44 100644 (file)
@@ -135,30 +135,22 @@ Running services
 ----------------
 
 .. index::
 ----------------
 
 .. index::
-   single: Apache
-   single: Exim
+   single: apache httpd
    single: cron
    single: cron
-   single: nginx
+   single: exim
    single: nrpe
    single: openssh
    single: nrpe
    single: openssh
+   single: puppet agent
    single: rsyslog
 
 +--------------------+----------------------+----------------------------------------+
 | Service            | Usage                | Start mechanism                        |
 +====================+======================+========================================+
    single: rsyslog
 
 +--------------------+----------------------+----------------------------------------+
 | Service            | Usage                | Start mechanism                        |
 +====================+======================+========================================+
-| openssh server     | ssh daemon for       | init script :file:`/etc/init.d/ssh`    |
-|                    | remote               |                                        |
-|                    | administration       |                                        |
-|                    | and git access       |                                        |
-+--------------------+----------------------+----------------------------------------+
 | Apache httpd       | Webserver for static | init script                            |
 |                    | content              | :file:`/etc/init.d/apache2`            |
 +--------------------+----------------------+----------------------------------------+
 | cron               | job scheduler        | init script :file:`/etc/init.d/cron`   |
 +--------------------+----------------------+----------------------------------------+
 | Apache httpd       | Webserver for static | init script                            |
 |                    | content              | :file:`/etc/init.d/apache2`            |
 +--------------------+----------------------+----------------------------------------+
 | cron               | job scheduler        | init script :file:`/etc/init.d/cron`   |
 +--------------------+----------------------+----------------------------------------+
-| rsyslog            | syslog daemon        | init script                            |
-|                    |                      | :file:`/etc/init.d/syslog`             |
-+--------------------+----------------------+----------------------------------------+
 | Exim               | SMTP server for      | init script                            |
 |                    | local mail           | :file:`/etc/init.d/exim4`              |
 |                    | submission           |                                        |
 | Exim               | SMTP server for      | init script                            |
 |                    | local mail           | :file:`/etc/init.d/exim4`              |
 |                    | submission           |                                        |
@@ -167,6 +159,17 @@ Running services
 |                    | service queried by   | :file:`/etc/init.d/nagios-nrpe-server` |
 |                    | :doc:`monitor`       |                                        |
 +--------------------+----------------------+----------------------------------------+
 |                    | service queried by   | :file:`/etc/init.d/nagios-nrpe-server` |
 |                    | :doc:`monitor`       |                                        |
 +--------------------+----------------------+----------------------------------------+
+| openssh server     | ssh daemon for       | init script :file:`/etc/init.d/ssh`    |
+|                    | remote               |                                        |
+|                    | administration       |                                        |
+|                    | and git access       |                                        |
++--------------------+----------------------+----------------------------------------+
+| Puppet agent       | configuration        | init script                            |
+|                    | management agent     | :file:`/etc/init.d/puppet`             |
++--------------------+----------------------+----------------------------------------+
+| rsyslog            | syslog daemon        | init script                            |
+|                    |                      | :file:`/etc/init.d/syslog`             |
++--------------------+----------------------+----------------------------------------+
 
 Connected Systems
 -----------------
 
 Connected Systems
 -----------------
@@ -180,8 +183,9 @@ Connected Systems
 Outbound network connections
 ----------------------------
 
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`infra02` as resolving nameserver
 * :doc:`emailout` as SMTP relay
 * :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
 
 Security
 * :doc:`proxyout` as HTTP proxy for APT
 
 Security
@@ -208,6 +212,10 @@ Dedicated user roles
 Non-distribution packages and modifications
 -------------------------------------------
 
 Non-distribution packages and modifications
 -------------------------------------------
 
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
 The used :program:`gitolite` version is from Debian Jessie and should either
 be replaced by :program:`gitolite3` from Debian Stretch or a combination of
 git repositories on :doc:`git` and web hooks for triggering updates.
 The used :program:`gitolite` version is from Debian Jessie and should either
 be replaced by :program:`gitolite3` from Debian Stretch or a combination of
 git repositories on :doc:`git` and web hooks for triggering updates.
@@ -225,9 +233,19 @@ defined set of ssh keys.
 
 .. todo:: check access on gitolite repositories
 
 
 .. todo:: check access on gitolite repositories
 
+The system uses third party packages with a good security track record and
+regular updates. The attack surface is small due to the tightly restricted
+access to the system. The puppet agent is not exposed for access from outside
+the system.
+
 Critical Configuration items
 ============================
 
 Critical Configuration items
 ============================
 
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
+
+.. todo:: move configuration of :doc:`webstatic` to Puppet code
+
 Keys and X.509 certificates
 ---------------------------
 
 Keys and X.509 certificates
 ---------------------------
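Review bot: the added risk statement `The attack surface is small due to the tightly restricted access to the system` is placed right after `.. todo:: check access on gitolite repositories`, so the access restriction it relies on is explicitly not yet verified; either resolve that todo first or phrase the statement conditionally, and mention the ssh-based git access from the openssh row as part of the exposed surface.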