Add new section for critical systems
author: Jan Dittberner <jan@dittberner.info>
Thu, 5 May 2016 11:51:39 +0000 (13:51 +0200)
committer: Jan Dittberner <jan@dittberner.info>
Thu, 5 May 2016 11:51:39 +0000 (13:51 +0200)
This commit adds a new section for critical systems. The general
systems.rst title has been changed to "non-critical systems". The
critical/template.rst has been added for convenience for the critical
admins.

An empty skeleton page has been added for the Webdb system. Some
unneeded content has been removed from the index page. The systems page
headline level has been modified.

docs/conf.py
docs/critical.rst [new file with mode: 0644]
docs/critical/template.rst [new file with mode: 0644]
docs/critical/webdb.rst [new file with mode: 0644]
docs/index.rst
docs/systems.rst

index 569dd5f..b51957c 100644 (file)
@@ -77,7 +77,7 @@ language = None
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
-exclude_patterns = ['_build', 'systems/template.rst']
+exclude_patterns = ['_build', 'systems/template.rst', 'critical/template.rst']
 
 # The reST default role (used for this markup: `text`) to use for all
 # documents.
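Review bot: the new `+exclude_patterns` line grows the list by one literal path per category template, and since both excluded files are named `template.rst` under a per-category directory, a single glob such as `exclude_patterns = ['_build', '*/template.rst']` would cover both and any future category without another edit to conf.py. It is also worth confirming that the build no longer warns that `critical/template.rst` is not included in any toctree, since that warning is the usual symptom of a template file missing from this list.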
diff --git a/docs/critical.rst b/docs/critical.rst
new file mode 100644 (file)
index 0000000..8ac0472
--- /dev/null
@@ -0,0 +1,11 @@
+================
+Critical Systems
+================
+
+.. toctree::
+   :maxdepth: 1
+
+   critical/webdb
+
+.. add more systems here. https://wiki.cacert.org/SystemAdministration/Systems/
+   is a good starting point on what should be documented
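Review bot: the page gives no definition of what makes a system "critical" before the toctree, while the sibling `Non-Critical Systems` page in this same commit gets a one-sentence definition; a parallel sentence here (for instance that these systems are handled by the critical admins the commit message refers to) would tell a reader which page a new system belongs on. The trailing comment pointing at https://wiki.cacert.org/SystemAdministration/Systems/ works as a reST comment, but a `.. todo::` directive would also surface it in the todo list the docs already use.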
diff --git a/docs/critical/template.rst b/docs/critical/template.rst
new file mode 100644 (file)
index 0000000..7ab0e91
--- /dev/null
@@ -0,0 +1,341 @@
+.. index::
+   single: Systems; <host>
+
+==================
+Systems - TEMPLATE
+==================
+
+Purpose
+=======
+
+.. <SHORT DESCRIPTION>
+
+Application Links
+-----------------
+
+.. link1
+     https://<hostname>/<path>
+
+   link2
+     https://<hostname>/<path2>
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+.. people_<name> are defined in people.rst
+
+* Primary: :ref:`people_primary`
+* Secondary: :ref:`people_secondary`
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application   | Administrator(s)    |
++===============+=====================+
+| <application> | :ref:`people_admin` |
++---------------+---------------------+
+
+Contact
+-------
+
+* <system>-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_a` and :ref:`people_b` have :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+.. <PHYSICAL HOST, VM GUEST, APACHE VIRTUAL HOST, etc.>
+
+.. ## Use the following for containers on Infra02:
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Physical Configuration
+----------------------
+
+.. seealso::
+
+   See https://wiki.cacert.org/SystemAdministration/EquipmentList
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`<IP>`
+:IP Intranet: :ip:v4:`<IP>`
+:IP Internal: :ip:v4:`<IP>`
+:MAC address: :mac:`<MAC>` (interfacename)
+
+.. seealso::
+
+   See :doc:`../network`
+
+DNS
+---
+
+.. index::
+   single: DNS records; <machine>
+
+========================== ======== ==========================================
+Name                       Type     Content
+========================== ======== ==========================================
+<HOST>.cacert.org.         IN A     <IP>
+<HOST>.intra.cacert.org.   IN A     <IP>
+========================== ======== ==========================================
+
+.. seealso::
+
+   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+
+Operating System
+----------------
+
+.. index::
+   single: Debian GNU/Linux; Codename
+   single: Debian GNU/Linux; x.y
+
+* Debian GNU/Linux x.y
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
+.. use the values from this table or add new lines if applicable
+
++----------+-----------+-----------+-----------------------------------------+
+| Port     | Service   | Origin    | Purpose                                 |
++==========+===========+===========+=========================================+
+| 22/tcp   | ssh       | ANY       | admin console access                    |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp   | http      | ANY       | application                             |
++----------+-----------+-----------+-----------------------------------------+
+| 443/tcp  | https     | ANY       | application                             |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
++----------+-----------+-----------+-----------------------------------------+
+| 3306/tcp | mysql     | local     | MySQL database for ...                  |
++----------+-----------+-----------+-----------------------------------------+
+| 5432/tcp | pgsql     | local     | PostgreSQL database for ...             |
++----------+-----------+-----------+-----------------------------------------+
+| 465/udp  | syslog    | local     | syslog port                             |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+   single: Apache
+   single: Icinga2
+   single: MySQL
+   single: OpenERP
+   single: Postfix
+   single: PostgreSQL
+   single: cron
+   single: nginx
+   single: nrpe
+   single: openssh
+
++--------------------+--------------------+----------------------------------------+
+| Service            | Usage              | Start mechanism                        |
++====================+====================+========================================+
+| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
+|                    | remote             |                                        |
+|                    | administration     |                                        |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd       | Webserver for ...  | init script                            |
+|                    |                    | :file:`/etc/init.d/apache2`            |
++--------------------+--------------------+----------------------------------------+
+| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
++--------------------+--------------------+----------------------------------------+
+| rsyslog            | syslog daemon      | init script                            |
+|                    |                    | :file:`/etc/init.d/syslog`             |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL         | PostgreSQL         | init script                            |
+|                    | database server    | :file:`/etc/init.d/postgresql`         |
+|                    | for ...            |                                        |
++--------------------+--------------------+----------------------------------------+
+| MySQL              | MySQL database     | init script                            |
+|                    | server for ...     | :file:`/etc/init.d/mysql`              |
++--------------------+--------------------+----------------------------------------+
+| Postfix            | SMTP server for    | init script                            |
+|                    | local mail         | :file:`/etc/init.d/postfix`            |
+|                    | submission, ...    |                                        |
++--------------------+--------------------+----------------------------------------+
+| Exim               | SMTP server for    | init script                            |
+|                    | local mail         | :file:`/etc/init.d/exim4`              |
+|                    | submission, ...    |                                        |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring  | init script                            |
+|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+|                    | :doc:`monitor`     |                                        |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++-------------+--------------+---------------------------+
+| RDBMS       | Name         | Used for                  |
++=============+==============+===========================+
+| MySQL       | application1 | fictional application one |
++-------------+--------------+---------------------------+
+| PostgreSQL  | application2 | fictional application two |
++-------------+--------------+---------------------------+
+
+Running Guests
+--------------
+
++----------------+-------------+---------------+---------+---------------+
+| Machine        | IP Intranet | IP Internet   | Ports   | Purpose       |
++================+=============+===============+=========+===============+
+| :doc:`machine` | <LOCAL IP>  | <INTERNET IP> | <PORTS> | <DESCRIPTION> |
++----------------+-------------+---------------+---------+---------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* crl.cacert.org (rsync) for getting CRLs
+
+Security
+========
+
+SSH host keys
+-------------
+
++-----------+-----------------------------------------------------+
+| Algorithm | Fingerprint                                         |
++===========+=====================================================+
+| RSA       |                                                     |
++-----------+-----------------------------------------------------+
+| DSA       |                                                     |
++-----------+-----------------------------------------------------+
+| ECDSA     |                                                     |
++-----------+-----------------------------------------------------+
+| ED25519   |                                                     |
++-----------+-----------------------------------------------------+
+
+.. seealso::
+
+   See :doc:`../sshkeys`
+
+Dedicated user roles
+--------------------
+
+.. If the system has some dedicated user groups besides the sudo group used for
+   administration it should be documented here Regular operating system groups
+   should not be documented
+
++-------------+-----------------------------+
+| Group       | Purpose                     |
++=============+=============================+
+| <groupname> | <short purpose description> |
++-------------+-----------------------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+.. * None
+   or
+   * List of non-distribution packages and modifications (with some
+     explaination why no distribution package could be used)
+
+Risk assessments on critical packages
+-------------------------------------
+
+.. add a paragraph for each known risk. The risk has to be described.
+   Mitigation or risk acceptance has to be documented.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+* :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
+* :file:`/etc/apache2/ssl/<path to server key>` server key
+
+.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
+   * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
+
+.. seealso::
+
+   * :doc:`../certlist`
+   * https://wiki.cacert.org/SystemAdministration/CertificateList
+
+<service_x> configuration
+-------------------------
+
+.. add a section for the configuration of each service where configuration
+   deviates from OS package defaults
+
+Tasks
+=====
+
+Planned
+-------
+
+.. add a paragraph or todo directive for each larger planned task. You may want
+   to link to specific issues if you use some issue tracker.
+
+Changes
+=======
+
+System Future
+-------------
+
+.. use this section to describe any plans for the system future. These are
+   larger plans like moving to another host, abandoning the system or replacing
+   its funtionality with something else.
+
+.. * No plans
+
+Additional documentation
+========================
+
+.. add inline documentation
+
+.. remove unneeded links from the list below, add other links that apply
+
+.. seealso::
+
+   * https://wiki.cacert.org/Exim4Configuration
+   * https://wiki.cacert.org/PostfixConfiguration
+   * https://wiki.cacert.org/QmailConfiguration
+   * https://wiki.cacert.org/SendmailConfiguration
+   * https://wiki.cacert.org/StunnelConfiguration
+
+References
+----------
+
+.. can be used to provide links to reference documentation
+   * http://product.site.com/docs/
+   * [[http://product.site.com/whitepaper/document.pdf|Paper on how to setup...]]
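Review bot: the `465/udp | syslog` row in the Listening services table is wrong for a template that admins will copy verbatim: syslog listens on 514/udp, while 465/tcp is SMTPS, so a copied page would document a listener that does not exist and omit one that may. In the Running services table the rsyslog row points at `/etc/init.d/syslog`; the Debian init script is `/etc/init.d/rsyslog`. Smaller points: `explaination` under Non-distribution packages and `funtionality` under System Future are misspelled, the Dedicated user roles comment needs a period after `documented here`, and the SSH host keys table still carries a DSA row although OpenSSH 7.0 and later disable ssh-dss host keys by default, so an empty DSA cell will be the normal state on current systems and reads as a missing fingerprint rather than an absent key.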
diff --git a/docs/critical/webdb.rst b/docs/critical/webdb.rst
new file mode 100644 (file)
index 0000000..4cb1cb7
--- /dev/null
@@ -0,0 +1,6 @@
+=====
+Webdb
+=====
+
+.. copy content structure from critical/template.rst and adapt to the needs for
+   this system
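Review bot: the page body is only a reST comment, so the rendered `Webdb` page under Critical Systems is blank with no hint that it is unfinished; a `.. todo::` directive (already used in systems.rst) in place of, or in addition to, the comment would make the gap visible in the build output and the todo list.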
index 2d761e9..271aefc 100644 (file)
@@ -1,20 +1,16 @@
-.. CAcert infrastructure documentation master file, created by
-   sphinx-quickstart on Wed Apr 13 19:34:10 2016.
-   You can adapt this file completely to your liking, but it should at least
-   contain the root `toctree` directive.
+CAcert infrastructure documentation
+===================================
 
-Welcome to CAcert infrastructure's documentation!
-=================================================
+This documentation aims to describe the current status of CAcert's technical
+infrastructure.
 
-This documentation aims to describe the current status of CAcert's
-infrastructure systems. The goal is to provide a more practical way to publish
-the documentation.
-
-Contents:
+Table of Contents
+=================
 
 .. toctree::
    :maxdepth: 1
 
+   critical
    systems
    network
    iplist
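Review bot: `CAcert infrastructure documentation` and `Table of Contents` both use a plain `=` underline, so they are siblings at the same section level rather than a title with a subsection; the other pages touched in this commit (critical.rst, systems.rst) use the overlined `===` style for the document title, so using that here and keeping the plain `=` for `Table of Contents` would make the heading hierarchy consistent across the docs.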
index 7af2be0..d756c83 100644 (file)
@@ -1,5 +1,9 @@
-Systems
-=======
+====================
+Non-Critical Systems
+====================
+
+Non-critical systems are those that are managed by the infrastructure
+administrator team.
 
 .. toctree::
    :maxdepth: 1
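Review bot: the new intro sentence defines non-critical systems only by who administers them; a `:doc:` cross-reference to the new `critical` page would let a reader find the complementary category without going back to the index.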
@@ -12,8 +16,9 @@ Systems
    systems/monitor
    systems/webmail
 
+
 General
--------
+=======
 
 .. todo:: consider whether a central MySQL service should be setup
 
@@ -67,7 +72,7 @@ General
 .. todo:: think about replacing nrpe with Icinga2 satellites
 
 Checklist
----------
+=========
 
 .. index::
    single: etckeeper