Document proxyout
author Jan Dittberner <jandd@cacert.org>
Sat, 26 Aug 2017 22:36:52 +0000 (00:36 +0200)
committer Jan Dittberner <jandd@cacert.org>
Sat, 26 Aug 2017 22:36:52 +0000 (00:36 +0200)
docs/systems.rst
docs/systems/proxyout.rst [new file with mode: 0644]
docs/systems/puppet.rst
docs/systems/svn.rst

index 55922d7..72a8125 100644 (file)
@@ -23,6 +23,7 @@ administrator team.
    systems/issue
    systems/monitor
    systems/puppet
+   systems/proxyout
    systems/svn
    systems/webmail
 
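Review bot: the new toctree entry `systems/proxyout` is inserted after `systems/puppet`, but the surrounding entries (issue, monitor, puppet, svn, webmail) are kept alphabetical and "proxyout" sorts before "puppet"; move the added line one position up, between `systems/monitor` and `systems/puppet`, so the list stays sorted.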
diff --git a/docs/systems/proxyout.rst b/docs/systems/proxyout.rst
new file mode 100644 (file)
index 0000000..11422af
--- /dev/null
@@ -0,0 +1,203 @@
+.. index::
+   single: Systems; Proxyout
+
+========
+Proxyout
+========
+
+Purpose
+=======
+
+This system acts as outgoing HTTP and HTTPS proxy for access to APT
+repositories.
+
+Application Links
+-----------------
+
+This system has no publicly visible URLs.
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+.. people_<name> are defined in people.rst
+
+Application Administration
+--------------------------
+
++-------------+---------------------+
+| Application | Administrator(s)    |
++=============+=====================+
+| Squid       | :ref:`people_jandd` |
++-------------+---------------------+
+
+Contact
+-------
+
+* proxyout-admin@cacert.org
+
+Additional People
+-----------------
+
+* None
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: None
+:IP Intranet: None
+:IP Internal: :ip:v4:`10.0.0.200`
+:MAC address: :mac:`00:16:3e:15:b8:8c` (eth0)
+
+.. seealso::
+
+   See :doc:`../network`
+
+DNS
+---
+
+.. index::
+   single: DNS records; Proxyout
+
+.. todo:: setup DNS records (in infra.cacert.org zone)
+
+.. seealso::
+
+   See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+   single: Debian GNU/Linux; Stretch
+   single: Debian GNU/Linux; 9.1
+
+* Debian GNU/Linux 9.1
+
+Applicable Documentation
+------------------------
+
+The system is managed by :doc:`puppet`. The puppet repository is browsable at
+https://git.cacert.org/gitweb/?p=cacert-puppet.git;a=summary.
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port     | Service   | Origin    | Purpose                                 |
++==========+===========+===========+=========================================+
+| 22/tcp   | ssh       | ANY       | admin console access                    |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
++----------+-----------+-----------+-----------------------------------------+
+| 3128/tcp | http      | internal  | squid http/https proxy                  |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+   single: puppet agent
+   single: cron
+   single: exim4
+   single: squid
+   single: openssh
+
++----------------+--------------------+--------------------------------------+
+| Service        | Usage              | Start mechanism                      |
++================+====================+======================================+
+| openssh server | ssh daemon for     | init script :file:`/etc/init.d/ssh`  |
+|                | remote             |                                      |
+|                | administration     |                                      |
++----------------+--------------------+--------------------------------------+
+| cron           | job scheduler      | init script :file:`/etc/init.d/cron` |
++----------------+--------------------+--------------------------------------+
+| Exim           | SMTP server for    | init script                          |
+|                | local mail         | :file:`/etc/init.d/exim4`            |
+|                | submission         |                                      |
++----------------+--------------------+--------------------------------------+
+| Puppet agent   | local Puppet agent | init script                          |
+|                |                    | :file:`/etc/init.d/puppet`           |
++----------------+--------------------+--------------------------------------+
+| Squid          | Caching and        | init script                          |
+|                | filtering http/    | :file:`/etc/init.d/squid`            |
+|                | https proxy for    |                                      |
+|                | internal machines  |                                      |
++----------------+--------------------+--------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`motion`
+* :doc:`proxyin`
+* :doc:`puppet`
+* :doc:`svn`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
+* .debian.org Debian mirrors
+* apt.puppetlabs.com as Debian repository for puppet packages
+
+Security
+========
+
+.. sshkeys::
+   :ECDSA:   74:70:63:b9:3e:6b:9f:a2:34:0e:9a:92:77:dd:93:73
+   :ED25519: 43:0d:1e:ec:1b:5f:c3:84:38:c7:75:b7:be:3c:1b:d4
+   :RSA:     1e:8e:1d:06:a5:fa:d6:08:95:e9:68:fb:ae:16:24:8f
+
+Risk assessments on critical packages
+-------------------------------------
+
+Squid is a proven http and https proxy installed from distribution packages
+with low risk.
+
+Critical Configuration items
+============================
+
+All configuration is managed in Puppet. There are no certificates or private
+keys used on this machine.
+
+Tasks
+=====
+
+Planned
+-------
+
+Change all infrastructure hosts to use this machine as APT proxy to avoid flaky
+firewall configurations on :doc:`infra02`.
+
+Additional documentation
+========================
+
+.. seealso::
+
+   * :wiki:`Exim4Configuration`
+
+References
+----------
+
+* http://www.squid-cache.org/
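Review bot: the Security and Critical Configuration items sections never say how Squid is locked down, which is the one security-relevant fact about a forward proxy reachable from internal machines on 3128/tcp. The Risk assessments paragraph argues low risk only from the package coming from the distribution; an open proxy is a risk regardless of where the binary came from. Please document the Squid ACLs that Puppet deploys, at least: which source networks may use the proxy, which destinations are permitted (the Outbound network connections list suggests .debian.org mirrors and apt.puppetlabs.com only), and which ports CONNECT is allowed to, since the page calls this an http/https proxy. It is also worth stating that HTTPS is only tunnelled via CONNECT and is neither inspected nor cached here, so package integrity still rests on APT signature verification on the client hosts rather than on anything this machine does. Minor: the `.. people_<name> are defined in people.rst` comment follows the `.. todo::` directive without a blank line; docutils warns about explicit markup ending without a blank line there, so separate the two.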
index 06517a2..eb9a9e9 100644 (file)
@@ -185,9 +185,7 @@ Outbound network connections
 
 * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
 * :doc:`emailout` as SMTP relay
-* ftp.nl.debian.org as Debian mirror
-* security.debian.org for Debian security updates
-* apt.puppetlabs.com as Debian repository for puppet packages
+* :doc:`proxyout` as HTTP proxy for APT
 * forgeapi.puppet.com for Puppet forge access
 * rubygems.org for Puppet specific Ruby gems
 
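Review bot: the replacement entry `:doc:`proxyout` as HTTP proxy for APT` says less than the three lines it replaces and less than the proxyout page added in this commit, which describes the service as an http/https proxy on 3128/tcp. Record the port and that HTTPS repositories go through the same proxy via CONNECT, for example `* :doc:`proxyout` (tcp/3128) as HTTP/HTTPS proxy for APT`, in the `(tcp/8140)` style these pages use for other services. The remaining `forgeapi.puppet.com` and `rubygems.org` entries still need direct egress, so the firewall exceptions on infra02 that the proxyout page's Planned task wants to retire cannot all go for this host; a sentence saying which direct connections remain intentional would save the next person from "fixing" them.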
@@ -195,11 +193,9 @@ Security
 ========
 
 .. sshkeys::
-   :RSA:     5b:50:09:cf:e8:46:a4:a7:d8:00:85:3d:ec:85:b0:9d
-   :DSA:     fb:6f:e4:96:62:09:8c:08:a8:d6:9b:d5:08:d2:e9:ad
-   :ECDSA:   71:44:f9:39:ef:0c:f8:1c:ae:05:8d:a1:07:05:69:f7
-   :ED25519: c5:84:7a:dd:40:a9:2d:67:57:a0:0b:dc:60:3d:cc:22
-
+   :ECDSA:   29:06:f1:71:8d:65:3e:39:7c:49:69:16:8d:99:97:15
+   :ED25519: 53:dc:e7:4d:25:89:a8:d5:5a:24:0b:06:3f:41:cd:4d
+   :RSA:     54:57:b0:09:46:ba:56:95:5e:e3:35:df:28:27:ed:c5
 
 Non-distribution packages and modifications
 -------------------------------------------
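Review bot: the SSH host key fingerprints of the puppet host change in a commit titled "Document proxyout" with no mention in the commit message. The RSA fingerprint moves from 5b:50:... to 54:57:..., ECDSA and ED25519 change as well, and the DSA key disappears; that is what a reinstalled host or regenerated host keys look like, and anyone holding the old fingerprints in known_hosts will get a host-key-changed warning and come to this page to resolve it. Please state why and when the keys changed in the commit message, or move the change into its own commit so the history explains it. Dropping the DSA entry is correct (OpenSSH stopped offering ssh-dss by default in 7.0). Separately, these are MD5 fingerprints while OpenSSH clients have shown SHA256 by default since 6.8; consider recording the SHA256 form too (`ssh-keygen -l -E sha256 -f /etc/ssh/ssh_host_ed25519_key.pub`) so readers can compare against what their client prints.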
index 61cb470..ea93245 100644 (file)
@@ -189,9 +189,7 @@ Outbound network connections
 * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
 * :doc:`emailout` as SMTP relay
 * :doc:`puppet` (tcp/8140) as Puppet master
-* ftp.nl.debian.org as Debian mirror
-* security.debian.org for Debian security updates
-* apt.puppetlabs.com as Debian repository for puppet packages
+* :doc:`proxyout` as HTTP proxy for APT
 
 Security
 ========
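Review bot: only svn and puppet are switched to the proxy in this commit, yet the Connected Systems list in the new proxyout page also names motion and proxyin, whose Outbound network connections lists are not touched here. Either update motion.rst and proxyin.rst in the same way, or leave those two out of Connected Systems until the Planned task of moving all hosts to the proxy has actually been done, so that the proxyout page does not claim connections the per-host pages contradict.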