Move systems to separate folder
author Jan Dittberner <jan@dittberner.info>
Sun, 17 Apr 2016 18:31:19 +0000 (20:31 +0200)
committer Jan Dittberner <jan@dittberner.info>
Sun, 17 Apr 2016 18:44:46 +0000 (20:44 +0200)
Refine structure of the Infra02 documentation and the machine template

.gitignore
docs/conf.py
docs/index.rst
docs/infra02.rst [deleted file]
docs/systems.rst [new file with mode: 0644]
docs/systems/infra02.rst [new file with mode: 0644]
docs/systems/template.rst [new file with mode: 0644]
docs/template.rst [deleted file]

index 249cac4..47dc4ed 100644 (file)
@@ -1,6 +1,7 @@
 *.pyc
 *.pyo
 .*.swp
+.swp
 venv/
 _build/
 .ropeproject/
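Review bot: the added `.swp` pattern only matches a file literally named `.swp`, so it ignores nothing useful; Vim names its swap files `.<file>.swp`, which the existing `.*.swp` line already covers. If the intent is to catch every swap file regardless of how the editor names it, `*.swp` is the pattern to add (it also subsumes `.*.swp`).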
index 5ce9729..0a7d7b0 100644 (file)
@@ -77,7 +77,7 @@ language = None
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
-exclude_patterns = ['_build', 'template.rst']
+exclude_patterns = ['_build', 'systems/template.rst']
 
 # The reST default role (used for this markup: `text`) to use for all
 # documents.
index 14780af..ad3c562 100644 (file)
@@ -15,8 +15,8 @@ Contents:
 .. toctree::
    :maxdepth: 2
 
+   systems
    network
-   infra02
    iplist
 
 
@@ -26,3 +26,4 @@ Indices and tables
 * :ref:`genindex`
 * :ref:`search`
 
+.. todolist::
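Review bot: `.. todolist::` is only known to Sphinx when `sphinx.ext.todo` is listed in `extensions` in docs/conf.py, and the collected items are rendered only when `todo_include_todos = True`; the conf.py hunk in this commit changes only `exclude_patterns`, so confirm both are already set, otherwise the build reports an unknown directive and the `.. todo::` items added in docs/systems/infra02.rst never appear on the index page.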
diff --git a/docs/infra02.rst b/docs/infra02.rst
deleted file mode 100644 (file)
index 5757073..0000000
+++ /dev/null
@@ -1,193 +0,0 @@
-=======
-Infra02
-=======
-
-Purpose
-=======
-
-The infrastructure host system Infra02 is a dedicated machine for the CAcert
-infrastructure.
-
-Infra02 is the host system for all infrastructure containers. The containers
-are setup using the Linux kernel's LXC_ system. The firewall for infrastructure
-is maintained on this machine using Ferm_.
-
-.. _LXC: https://linuxcontainers.org/
-.. _Ferm: http://ferm.foo-projects.org/
-
-Basics
-======
-
-Physical Location
------------------
-
-The machine is located in a server rack at BIT B.V. in the Netherlands.
-
-Physical Configuration
-----------------------
-
-The machine has been sponsored by Thomas Krenn and has the following hardware
-parameters:
-
-:Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
-:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz
-:RAM: 16 GiB ECC
-:Disks: 2 x 1TB WDC WD1003FBYX-01Y7B1
-:NIC:
-
-  * eth0 Intel Corporation 82579LM Gigabit Network Connection
-  * eth1 Intel Corporation 82574L Gigabit Network Connection
-
-There is a 2 TB USB backup disk attached to the system
-
-.. seealso::
-
-   See https://wiki.cacert.org/SystemAdministration/EquipmentList
-
-Logical Location
-----------------
-
-:IP Internet: :ip:v4:`213.154.225.230`
-:IP Intranet: :ip:v4:`172.16.2.10`
-:IP internal: :ip:v4:`10.0.0.1`
-:IPv6: :ip:v6:`2001:7b8:616:162:1::10`
-:IPv6 on br0: :ip:v6:`2001:7b8:616:162:2::10`
-:MAC address:
-
-  * :mac:`00:25:90:a9:66:e9` (eth0)
-  * :mac:`fe:0e:ee:75:a3:a5` (br0)
-
-.. seealso::
-
-   :doc:`network`.
-
-DNS
----
-
-* infrastructure.cacert.org. IN A 213.154.225.230
-* infrastructure.cacert.org. IN SSHFP 1 1 5A82D3C150AF002C05784F73250A067053AEED63
-* infrastructure.cacert.org. IN SSHFP 1 2 63B0D74A3F1CE61865A5EB0497EF05243BC4067EC983C69AB8E62F3CB940CC82
-* infrastructure.cacert.org. IN SSHFP 2 1 AF8D8E3386EAA72997709632ADF2B457E6FEF0DC
-* infrastructure.cacert.org. IN SSHFP 2 2 3A0188FC47D1FDD14D70A2FB78F51792D06BA11EAE6AB16E73CB7BB8DD6A0DC8
-* infrastructure.cacert.org. IN SSHFP 3 1 3E1B9EBF85B726CF831C76ECB8C17786AEDF40E8
-* infrastructure.cacert.org. IN SSHFP 3 2 3AE7F0035C2172977E99BFE312C7A8299650DEA16A975EA13EECE8FDA426062A
-* infra02.intra.cacert.org. IN A 172.16.2.10
-
-.. seealso::
-
-   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
-
-Operating System
-----------------
-
-* Debian GNU/Linux 7.10
-
-Applicable Documentation
-------------------------
-
-This is it :-)
-
-Administration
-==============
-
-System Administration
----------------------
-
-* Primary: `Jan Dittberner`_
-* Secondary: `Mario Lipinski`_
-
-.. _Jan Dittberner: jandd@cacert.org
-.. _Mario Lipinski: mario@cacert.org
-
-Contact
--------
-
-* infrastructure-admin@cacert.org
-
-Services
-========
-
-Listening services
-------------------
-
-+----------+-----------+-----------+-----------------------------------------+
-| Port     | Service   | Origin    | Purpose                                 |
-+==========+===========+===========+=========================================+
-| 22/tcp   | ssh       | ANY       | admin console access                    |
-+----------+-----------+-----------+-----------------------------------------+
-| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
-+----------+-----------+-----------+-----------------------------------------+
-| 123/udp  | ntp       | ANY       | network time protocol for host,         |
-|          |           |           | listening on the Internet IPv6 and IPv4 |
-|          |           |           | addresses                               |
-+----------+-----------+-----------+-----------------------------------------+
-| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
-+----------+-----------+-----------+-----------------------------------------+
-
-Running services
-----------------
-
-+--------------------+--------------------+----------------------------------------+
-| Service            | Usage              | Start mechanism                        |
-+====================+====================+========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
-|                    | remote             |                                        |
-|                    | administration     |                                        |
-+--------------------+--------------------+----------------------------------------+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
-+--------------------+--------------------+----------------------------------------+
-| rsyslog            | syslog daemon      | init script                            |
-|                    |                    | :file:`/etc/init.d/syslog`             |
-+--------------------+--------------------+----------------------------------------+
-| ntpd               | time server        | init script :file:`/etc/init.d/ntp`    |
-+--------------------+--------------------+----------------------------------------+
-| Postfix            | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/postfix`            |
-|                    | submission, ...    |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                            |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`     |                                        |
-+--------------------+--------------------+----------------------------------------+
-
-.. Running Guests
-   --------------
-
-   .. some directive to list guests here
-
-Connected Systems
------------------
-
-* :doc:`monitor`
-* :doc:`emailout`
-
-Outbound network connections
-----------------------------
-
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
-* :doc:`emailout` as SMTP relay
-* ftp.nl.debian.org as Debian mirror
-* security.debian.org for Debian security updates
-
-Security
-========
-
-SSH host keys
--------------
-
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint                                         |
-+===========+=====================================================+
-| RSA       | ``86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c`` |
-+-----------+-----------------------------------------------------+
-| DSA       | ``b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5`` |
-+-----------+-----------------------------------------------------+
-| ECDSA     | ``79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0`` |
-+-----------+-----------------------------------------------------+
-| ED25519   | ``25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4`` |
-+-----------+-----------------------------------------------------+
-
-.. seealso::
-
-   See :doc:`sshkeys`
-
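Review bot: the move to docs/systems/ and the content edits (index directives, the Security subsections, Tasks and Changes) are folded into one commit, so this shows as a delete plus a new file and rename detection depends on the similarity threshold of whoever reads the history. Doing the `git mv` in one commit and the edits in the next keeps `git log --follow` on the new path unambiguous; if both must stay together, mentioning the rename explicitly in the commit message helps.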
diff --git a/docs/systems.rst b/docs/systems.rst
new file mode 100644 (file)
index 0000000..0444850
--- /dev/null
@@ -0,0 +1,7 @@
+Systems
+=======
+
+.. toctree::
+   :maxdepth: 2
+
+   systems/infra02
diff --git a/docs/systems/infra02.rst b/docs/systems/infra02.rst
new file mode 100644 (file)
index 0000000..9cb621d
--- /dev/null
@@ -0,0 +1,245 @@
+.. index::
+   single: Systems; Infra02
+
+=======
+Infra02
+=======
+
+Purpose
+=======
+
+The infrastructure host system Infra02 is a dedicated physical machine for the
+CAcert infrastructure.
+
+.. index::
+   single: LXC
+   single: Ferm
+
+Infra02 is the host system for all infrastructure containers. The containers
+are setup using the Linux kernel's LXC_ system. The firewall for infrastructure
+is maintained on this machine using Ferm_.
+
+.. _LXC: https://linuxcontainers.org/
+.. _Ferm: http://ferm.foo-projects.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: `Jan Dittberner`_
+* Secondary: `Mario Lipinski`_
+
+.. _Jan Dittberner: jandd@cacert.org
+.. _Mario Lipinski: mario@cacert.org
+
+Contact
+-------
+
+* infrastructure-admin@cacert.org
+
+Basics
+======
+
+Physical Location
+-----------------
+
+The machine is located in a server rack at BIT B.V. in the Netherlands.
+
+Physical Configuration
+----------------------
+
+The machine has been sponsored by Thomas Krenn and has the following hardware
+parameters:
+
+:Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
+:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz
+:RAM: 16 GiB ECC
+:Disks: 2 x 1TB WDC WD1003FBYX-01Y7B1
+:NIC:
+
+  * eth0 Intel Corporation 82579LM Gigabit Network Connection
+  * eth1 Intel Corporation 82574L Gigabit Network Connection
+
+There is a 2 TB USB backup disk attached to the system.
+
+.. seealso::
+
+   See https://wiki.cacert.org/SystemAdministration/EquipmentList
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.230`
+:IP Intranet: :ip:v4:`172.16.2.10`
+:IP internal: :ip:v4:`10.0.0.1`
+:IPv6: :ip:v6:`2001:7b8:616:162:1::10`
+:IPv6 on br0: :ip:v6:`2001:7b8:616:162:2::10`
+:MAC address:
+
+  * :mac:`00:25:90:a9:66:e9` (eth0)
+  * :mac:`fe:0e:ee:75:a3:a5` (br0)
+
+.. seealso::
+
+   :doc:`network`.
+
+DNS
+---
+
+* infrastructure.cacert.org. IN A 213.154.225.230
+* infrastructure.cacert.org. IN SSHFP 1 1 5A82D3C150AF002C05784F73250A067053AEED63
+* infrastructure.cacert.org. IN SSHFP 1 2 63B0D74A3F1CE61865A5EB0497EF05243BC4067EC983C69AB8E62F3CB940CC82
+* infrastructure.cacert.org. IN SSHFP 2 1 AF8D8E3386EAA72997709632ADF2B457E6FEF0DC
+* infrastructure.cacert.org. IN SSHFP 2 2 3A0188FC47D1FDD14D70A2FB78F51792D06BA11EAE6AB16E73CB7BB8DD6A0DC8
+* infrastructure.cacert.org. IN SSHFP 3 1 3E1B9EBF85B726CF831C76ECB8C17786AEDF40E8
+* infrastructure.cacert.org. IN SSHFP 3 2 3AE7F0035C2172977E99BFE312C7A8299650DEA16A975EA13EECE8FDA426062A
+* infra02.intra.cacert.org. IN A 172.16.2.10
+
+.. seealso::
+
+   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+
+Operating System
+----------------
+
+* Debian GNU/Linux 7.10
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port     | Service   | Origin    | Purpose                                 |
++==========+===========+===========+=========================================+
+| 22/tcp   | ssh       | ANY       | admin console access                    |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
++----------+-----------+-----------+-----------------------------------------+
+| 123/udp  | ntp       | ANY       | network time protocol for host,         |
+|          |           |           | listening on the Internet IPv6 and IPv4 |
+|          |           |           | addresses                               |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
++--------------------+--------------------+----------------------------------------+
+| Service            | Usage              | Start mechanism                        |
++====================+====================+========================================+
+| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
+|                    | remote             |                                        |
+|                    | administration     |                                        |
++--------------------+--------------------+----------------------------------------+
+| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
++--------------------+--------------------+----------------------------------------+
+| rsyslog            | syslog daemon      | init script                            |
+|                    |                    | :file:`/etc/init.d/syslog`             |
++--------------------+--------------------+----------------------------------------+
+| ntpd               | time server        | init script :file:`/etc/init.d/ntp`    |
++--------------------+--------------------+----------------------------------------+
+| Postfix            | SMTP server for    | init script                            |
+|                    | local mail         | :file:`/etc/init.d/postfix`            |
+|                    | submission, ...    |                                        |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring  | init script                            |
+|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+|                    | :doc:`monitor`     |                                        |
++--------------------+--------------------+----------------------------------------+
+
+.. Running Guests
+   --------------
+
+   .. some directive to list guests here
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`emailout`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+
+Security
+========
+
+SSH host keys
+-------------
+
++-----------+-----------------------------------------------------+
+| Algorithm | Fingerprint                                         |
++===========+=====================================================+
+| RSA       | ``86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c`` |
++-----------+-----------------------------------------------------+
+| DSA       | ``b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5`` |
++-----------+-----------------------------------------------------+
+| ECDSA     | ``79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0`` |
++-----------+-----------------------------------------------------+
+| ED25519   | ``25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4`` |
++-----------+-----------------------------------------------------+
+
+.. seealso::
+
+   See :doc:`sshkeys`
+
+Dedictated user roles
+---------------------
+
+* None
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments and critical packages
+--------------------------------------
+
+The system is the basis for all other infrastructure systems. Access to this
+system has to be tightly controlled.
+
+Tasks
+=====
+
+.. todo:: find out why the system logs are messed up
+.. todo:: upgrade to Debian Jessie
+.. todo:: document whether it is safe to reboot this system
+.. todo:: document how to setup a new container
+.. todo:: document how to setup firewall rules/forwarding
+.. todo:: document how the backup system works
+
+Planned
+-------
+
+* None
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+   * https://wiki.cacert.org/PostfixConfiguration
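Review bot: the `:doc:` targets in this file (`:doc:`network`.`, `:doc:`monitor``, `:doc:`emailout``, `See :doc:`sshkeys``) are relative to the document's own directory, so now that the file lives in docs/systems/ they resolve to docs/systems/network.rst and so on and will produce unknown-document warnings and dead links if those documents stay in docs/; the new template already uses `:doc:`../network`` and `:doc:`../sshkeys``, and this file should do the same (or use absolute targets such as `:doc:`/network``). Two smaller points: `Dedictated user roles` should read `Dedicated user roles` (the template spells it correctly), and the rsyslog row lists the start mechanism as :file:`/etc/init.d/syslog` while the Debian rsyslog package installs its init script as /etc/init.d/rsyslog, so that path is worth verifying on the host.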
diff --git a/docs/systems/template.rst b/docs/systems/template.rst
new file mode 100644 (file)
index 0000000..ee6de53
--- /dev/null
@@ -0,0 +1,276 @@
+==================
+Systems - TEMPLATE
+==================
+
+Purpose
+=======
+
+.. <SHORT DESCRIPTION>
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: <SYSADMIN's NAME>
+* Secondary: <secondary name>
+
+Application Administration
+--------------------------
+
+* <application>: <sysadmin's name>
+
+Contact
+-------
+
+ * <system>-admin@cacert.org
+
+Basics
+======
+
+Physical Location
+-----------------
+
+.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.>
+
+.. ## Use the following for containers on Infra02:
+
+This system is located in an LXC_ container on physical machine :doc:`infra02`.
+
+Physical Configuration
+----------------------
+
+.. seealso::
+
+   See https://wiki.cacert.org/SystemAdministration/EquipmentList
+
+Logical location
+----------------
+
+ * IP Internet: <IP>
+ * IP Intranet: <IP>
+ * IP Internal: <IP>
+ * MAC address: <MAC> (interfacename)
+
+.. seealso::
+
+   See :doc:`../network`
+
+DNS
+---
+
+ * <HOSTNAME>.cacert.org. IN A <IP>
+ * <HOSTNAME>.intra.cacert.org. IN A <IP>
+
+.. seealso::
+
+   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+
+Operating System
+----------------
+
+ * Debian GNU/Linux x.y
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port     | Service   | Origin    | Purpose                                 |
++==========+===========+===========+=========================================+
+| 22/tcp   | ssh       | ANY       | admin console access                    |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp   | http      | ANY       | application                             |
++----------+-----------+-----------+-----------------------------------------+
+| 443/tcp  | https     | ANY       | application                             |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
++----------+-----------+-----------+-----------------------------------------+
+
+.. below are some definitions of commonly open ports, choose those that are applicable and order the table by port number
+   || 3306/tcp || mysql || local || MySQL database for ... ||
+   || 5432/tcp || pgsql || local || PostgreSQL database for ... ||
+   || 465/udp || syslog || local || syslog port ||
+
+Running services
+----------------
+
++--------------------+--------------------+----------------------------------------+
+| Service            | Usage              | Start mechanism                        |
++====================+====================+========================================+
+| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
+|                    | remote             |                                        |
+|                    | administration     |                                        |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd       | Webserver for ...  | init script                            |
+|                    |                    | :file:`/etc/init.d/apache2`            |
++--------------------+--------------------+----------------------------------------+
+| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
++--------------------+--------------------+----------------------------------------+
+| rsyslog            | syslog daemon      | init script                            |
+|                    |                    | :file:`/etc/init.d/syslog`             |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL         | PostgreSQL         | init script                            |
+|                    | database server    | :file:`/etc/init.d/postgresql`         |
+|                    | for ...            |                                        |
++--------------------+--------------------+----------------------------------------+
+| MySQL              | MySQL database     | init script                            |
+|                    | server for ...     | :file:`/etc/init.d/mysql`              |
++--------------------+--------------------+----------------------------------------+
+| Postfix            | SMTP server for    | init script                            |
+|                    | local mail         | :file:`/etc/init.d/postfix`            |
+|                    | submission, ...    |                                        |
++--------------------+--------------------+----------------------------------------+
+| Exim               | SMTP server for    | init script                            |
+|                    | local mail         | :file:`/etc/init.d/exim4`              |
+|                    | submission, ...    |                                        |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring  | init script                            |
+|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+|                    | :doc:`monitor`     |                                        |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++-------------+--------------+---------------------------+
+| RDBMS       | Name         | Used for                  |
++=============+==============+===========================+
+| MySQL       | application1 | fictional application one |
++-------------+--------------+---------------------------+
+| PostgreSQL  | application2 | fictional application two |
++-------------+--------------+---------------------------+
+
+Running Guests
+--------------
+
++----------------+-------------+---------------+---------+---------------+
+| Machine        | IP Intranet | IP Internet   | Ports   | Purpose       |
++================+=============+===============+=========+===============+
+| :doc:`machine` | <LOCAL IP>  | <INTERNET IP> | <PORTS> | <DESCRIPTION> |
++----------------+-------------+---------------+---------+---------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* crl.cacert.org (rsync) for getting CRLs
+
+Security
+========
+
+SSH host keys
+-------------
+
++-----------+-----------------------------------------------------+
+| Algorithm | Fingerprint                                         |
++===========+=====================================================+
+| RSA       |                                                     |
++-----------+-----------------------------------------------------+
+| DSA       |                                                     |
++-----------+-----------------------------------------------------+
+| ECDSA     |                                                     |
++-----------+-----------------------------------------------------+
+| ED25519   |                                                     |
++-----------+-----------------------------------------------------+
+
+.. seealso::
+
+   See :doc:`../sshkeys`
+
+Dedicated user roles
+--------------------
+
+.. If the system has some dedicated user groups besides the sudo group used for administration it should be documented here
+   Regular operating system groups should not be documented
+
+.. || '''Group''' || '''Purpose''' ||
+   || goodguys || Shell access for the good guys ||
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+.. * None
+   or
+   * List of non-distribution packages and modifications
+
+Risk assessments on critical packages
+-------------------------------------
+
+Tasks
+=====
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
+* :file:`/etc/apache2/ssl/<path to server key>` server key
+
+.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
+   * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
+
+.. seealso::
+
+   * :doc:`../certlist`
+   * https://wiki.cacert.org/SystemAdministration/CertificateList
+
+Tasks
+=====
+
+Planned
+-------
+
+.. add a paragraph for each larger planned task that seems to be worth
+   mentioning. You may want to link to specific issues if you use some issue
+   tracker.
+
+Changes
+=======
+
+System Future
+-------------
+
+.. * No plans
+
+Additional documentation
+========================
+
+.. add inline documentation
+
+.. remove unneeded links from the list below, add other links that apply
+
+.. seealso:
+
+   * https://wiki.cacert.org/Exim4Configuration
+   * https://wiki.cacert.org/PostfixConfiguration
+   * https://wiki.cacert.org/QmailConfiguration
+   * https://wiki.cacert.org/SendmailConfiguration
+   * https://wiki.cacert.org/StunnelConfiguration
+
+References
+----------
+
+.. can be used to provide links to reference documentation
+   * http://product.site.com/docs/
+   * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]
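Review bot: `This system is located in an LXC_ container on physical machine :doc:`infra02`.` uses the named reference `LXC_`, but the template defines no `.. _LXC: https://linuxcontainers.org/` target (the one in systems/infra02.rst is local to that document), so every page created from this template fails with "Unknown target name: LXC" until the author adds the line by hand; ship the target in the template. Also `.. seealso:` under Additional documentation has a single colon, which reST parses as a comment, so the link list beneath it is silently dropped from the build, and the file has two top-level `Tasks` headings, the first of them empty; merge them. Minor: the bullet lists indented by one space (Contact, Logical location, DNS, Operating System) render as block quotes rather than plain lists.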
diff --git a/docs/template.rst b/docs/template.rst
deleted file mode 100644 (file)
index e2ebe5f..0000000
+++ /dev/null
@@ -1,277 +0,0 @@
-==================
-Systems - TEMPLATE
-==================
-
-Purpose
-=======
-
-.. <SHORT DESCRIPTION>
-
-Basics
-======
-
-Physical Location
------------------
-
-.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.>
-
-.. ## Use the following for containers on Infra02:
-
-This system is located in an LXC_ container on physical machine :doc:`infra02`.
-
-Physical Configuration
-----------------------
-
-.. seealso::
-
-   See https://wiki.cacert.org/SystemAdministration/EquipmentList
-
-Logical location
-----------------
-
- * IP Internet: <IP>
- * IP Intranet: <IP>
- * IP Internal: <IP>
- * MAC address: <MAC> (interfacename)
-
-.. seealso::
-
-   See :doc:`network`
-
-DNS
----
-
- * <HOSTNAME>.cacert.org. IN A <IP>
- * <HOSTNAME>.intra.cacert.org. IN A <IP>
-
-.. seealso::
-
-   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
-
-Operating System
-----------------
-
- * Debian GNU/Linux x.y
-
-Applicable Documentation
-------------------------
-
-This is it :-)
-
-Administration
-==============
-
-System Administration
----------------------
-
-* Primary: <SYSADMIN's NAME>
-* Secondary: <secondary name>
-
-Contact
--------
-
- * <system>-admin@cacert.org
-
-Services
-========
-
-Listening services
-------------------
-
-+----------+-----------+-----------+-----------------------------------------+
-| Port     | Service   | Origin    | Purpose                                 |
-+==========+===========+===========+=========================================+
-| 22/tcp   | ssh       | ANY       | admin console access                    |
-+----------+-----------+-----------+-----------------------------------------+
-| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
-+----------+-----------+-----------+-----------------------------------------+
-| 80/tcp   | http      | ANY       | application                             |
-+----------+-----------+-----------+-----------------------------------------+
-| 443/tcp  | https     | ANY       | application                             |
-+----------+-----------+-----------+-----------------------------------------+
-| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
-+----------+-----------+-----------+-----------------------------------------+
-
-.. below are some definitions of commonly open ports, choose those that are applicable and order the table by port number
-   || 3306/tcp || mysql || local || MySQL database for ... ||
-   || 5432/tcp || pgsql || local || PostgreSQL database for ... ||
-   || 465/udp || syslog || local || syslog port ||
-
-Running services
-----------------
-
-+--------------------+--------------------+----------------------------------------+
-| Service            | Usage              | Start mechanism                        |
-+====================+====================+========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
-|                    | remote             |                                        |
-|                    | administration     |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Apache httpd       | Webserver for ...  | init script                            |
-|                    |                    | :file:`/etc/init.d/apache2`            |
-+--------------------+--------------------+----------------------------------------+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
-+--------------------+--------------------+----------------------------------------+
-| rsyslog            | syslog daemon      | init script                            |
-|                    |                    | :file:`/etc/init.d/syslog`             |
-+--------------------+--------------------+----------------------------------------+
-| PostgreSQL         | PostgreSQL         | init script                            |
-|                    | database server    | :file:`/etc/init.d/postgresql`         |
-|                    | for ...            |                                        |
-+--------------------+--------------------+----------------------------------------+
-| MySQL              | MySQL database     | init script                            |
-|                    | server for ...     | :file:`/etc/init.d/mysql`              |
-+--------------------+--------------------+----------------------------------------+
-| Postfix            | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/postfix`            |
-|                    | submission, ...    |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Exim               | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/exim4`              |
-|                    | submission, ...    |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                            |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`     |                                        |
-+--------------------+--------------------+----------------------------------------+
-
-Databases
----------
-
-+-------------+--------------+---------------------------+
-| RDBMS       | Name         | Used for                  |
-+=============+==============+===========================+
-| MySQL       | application1 | fictional application one |
-+-------------+--------------+---------------------------+
-| PostgreSQL  | application2 | fictional application two |
-+-------------+--------------+---------------------------+
-
-Running Guests
---------------
-
-+----------------+-------------+---------------+---------+---------------+
-| Machine        | IP Intranet | IP Internet   | Ports   | Purpose       |
-+================+=============+===============+=========+===============+
-| :doc:`machine` | <LOCAL IP>  | <INTERNET IP> | <PORTS> | <DESCRIPTION> |
-+----------------+-------------+---------------+---------+---------------+
-
-Connected Systems
------------------
-
-* :doc:`monitor`
-
-Outbound network connections
-----------------------------
-
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
-* :doc:`emailout` as SMTP relay
-* ftp.nl.debian.org as Debian mirror
-* security.debian.org for Debian security updates
-* crl.cacert.org (rsync) for getting CRLs
-
-Security
-========
-
-SSH host keys
--------------
-
-+-----------+-----------------------------------------------------+
-| Algorithm | Fingerprint                                         |
-+===========+=====================================================+
-| RSA       |                                                     |
-+-----------+-----------------------------------------------------+
-| DSA       |                                                     |
-+-----------+-----------------------------------------------------+
-| ECDSA     |                                                     |
-+-----------+-----------------------------------------------------+
-| ED25519   |                                                     |
-+-----------+-----------------------------------------------------+
-
-.. seealso::
-
-   See :doc:`sshkeys`
-
-Dedicated user roles
---------------------
-
-.. If the system has some dedicated user groups besides the sudo group used for administration it should be documented here
-   Regular operating system groups should not be documented
-
-.. || '''Group''' || '''Purpose''' ||
-   || goodguys || Shell access for the good guys ||
-
-Non-distribution packages and modifications
--------------------------------------------
-
-.. * None
-   or
-   * List of non-distribution packages and modifications
-
-Risk assessments on critical packages
--------------------------------------
-
-Tasks
-=====
-
-Critical Configuration items
-============================
-
-Keys and X.509 certificates
----------------------------
-
-* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
-* :file:`/etc/apache2/ssl/<path to server key>` server key
-
-.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
-   * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
-
-.. seealso::
-
-   See :doc:`certlist`
-
-Changes
-=======
-
-Planned
--------
-
-System Future
-.............
-
-.. * No plans
-
-Document Stuff
-..............
-
-.. add a paragraph for each larger planned task that seems to be worth
-   mentioning. You may want to link to specific issues if you use some issue
-   tracker.
-
-Potential Similiar Configurations
-.................................
-
-* https://wiki.cacert.org/Exim4Configuration
-* https://wiki.cacert.org/PostfixConfiguration
-* https://wiki.cacert.org/QmailConfiguration
-* https://wiki.cacert.org/SendmailConfiguration
-* https://wiki.cacert.org/StunnelConfiguration
-
-Potential System Procedures
-...........................
-
-* https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
-* https://wiki.cacert.org/SystemAdministration/CertificateList
-
-References
-==========
-
-.. can be used to provide links to reference documentation
-   * http://product.site.com/docs/
-   * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]
-
-Links
-=====
-
-.. || [[https://<system>.cacert.org/]] || <System> URL ||
-   may contain more URLs if there are multiple useful entry points
-
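Review bot: the rsyslog row of the services table (the line `| rsyslog | syslog daemon | init script` followed by `:file:`/etc/init.d/syslog``) points at an init script name that does not match the service name used elsewhere in the same column (`/etc/init.d/apache2`, `/etc/init.d/postfix`, `/etc/init.d/exim4` all match the package name); since this hunk only removes the file so it can be re-added under docs/systems/, this and the other template defects are carried over unchanged, so please fix them in the new copy rather than here: the heading `Potential Similiar Configurations` is misspelled (`Similar`), and the commented-out placeholders under `Dedicated user roles` and `Links` use `|| ... ||` wiki-table syntax inside an rst comment, which will not render if someone uncomments them, so a small rst grid table like the one used for `SSH host keys` would be the better scaffold. The SSH host keys table also prompts operators to record a DSA fingerprint alongside RSA, ECDSA and ED25519; consider dropping or marking that row, since OpenSSH no longer offers ssh-dss host keys by default, so a filled-in DSA fingerprint would suggest a key that clients are not expected to verify. Finally, `Risk assessments on critical packages` and `Tasks` are the only sections without a guidance comment telling the template user what to put there, unlike `Non-distribution packages and modifications` and `Document Stuff`.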