Fix link to external monitoring checks master
authorJan Dittberner <jandd@cacert.org>
Sun, 18 Aug 2019 06:58:49 +0000 (08:58 +0200)
committerJan Dittberner <jandd@cacert.org>
Sun, 18 Aug 2019 06:58:49 +0000 (08:58 +0200)
39 files changed:
doc-requirements.txt
docs/Pipfile
docs/Pipfile.lock
docs/conf.py
docs/external.rst [new file with mode: 0644]
docs/external/extmon.rst [new file with mode: 0644]
docs/index.rst
docs/iplist.rst
docs/lxcsetup.rst
docs/network.rst
docs/systems.rst
docs/systems/blog.rst
docs/systems/board.rst
docs/systems/bugs.rst
docs/systems/cats.rst
docs/systems/email.rst
docs/systems/emailout.rst
docs/systems/git.rst
docs/systems/infra02.rst
docs/systems/ircserver.rst
docs/systems/issue.rst
docs/systems/jenkins.rst
docs/systems/lists.rst
docs/systems/monitor.rst
docs/systems/motion.rst [new file with mode: 0644]
docs/systems/proxyin.rst [new file with mode: 0644]
docs/systems/proxyout.rst
docs/systems/puppet.rst
docs/systems/svn.rst
docs/systems/template.rst
docs/systems/test.rst
docs/systems/test3.rst
docs/systems/translations.rst
docs/systems/web.rst
docs/systems/webmail.rst
docs/systems/webstatic.rst
tools/Pipfile
tools/Pipfile.lock
tools/ssh_host_keys.py

index a3c8d91..1874ac8 100644 (file)
@@ -1,28 +1,34 @@
-alabaster==0.7.10
-Babel==2.5.3
-certifi==2018.4.16
+alabaster==0.7.12
+attrs==19.1.0
+Babel==2.7.0
+certifi==2019.6.16
 chardet==3.0.4
-docutils==0.14
-gitdb2==2.0.3
-GitPython==2.1.9
-idna==2.6
-imagesize==1.0.0
+dateutils==0.6.6
+docutils==0.15.2
+gitdb2==2.0.5
+GitPython==2.1.13
+idna==2.8
+imagesize==1.1.0
 ipcalc==1.99.0
-jandd.sphinxext.ip==0.2.4
+jandd.sphinxext.ip==0.3.0
 jandd.sphinxext.mac==0.1.0
-Jinja2==2.10
-MarkupSafe==1.0
-packaging==17.1
-pkg-resources==0.0.0
-py-dateutil==2.2
-Pygments==2.2.0
-pyparsing==2.2.0
-pytz==2018.4
-requests==2.18.4
-six==1.11.0
-smmap2==2.0.3
-snowballstemmer==1.2.1
-Sphinx==1.7.2
-sphinxcontrib-websupport==1.0.1
-urllib3==1.22
+Jinja2==2.10.1
+MarkupSafe==1.1.1
+packaging==19.1
+Pygments==2.4.2
+pyparsing==2.4.2
+python-dateutil==2.8.0
+pytz==2019.1
+requests==2.22.0
+six==1.12.0
+smmap2==2.0.5
+snowballstemmer==1.9.0
+Sphinx==2.1.2
+sphinxcontrib-applehelp==1.0.1
+sphinxcontrib-devhelp==1.0.1
+sphinxcontrib-htmlhelp==1.0.2
+sphinxcontrib-jsmath==1.0.1
+sphinxcontrib-qthelp==1.0.2
+sphinxcontrib-serializinghtml==1.1.3
+urllib3==1.25.3
 validate-email==1.3
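Review bot: `dateutils==0.6.6` on the added line near the top of this file sits next to `python-dateutil==2.8.0`, and these are two distinct PyPI projects with near-identical names; the visible part of docs/Pipfile.lock in this commit shows only `python-dateutil`, so unless docs/conf.py imports `dateutils` directly this looks like an extra, unreviewed package pulled into the docs build. If both files are meant to describe the same environment, regenerating this one from the lock (`pipenv lock -r > doc-requirements.txt`) would keep the two in step and drop the stray entry. This file also pins versions without hashes while the lock carries them, so anything installed from here rather than from the lock gets no integrity check; worth stating in a header comment which of the two is authoritative.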
index 6261bee..033398a 100644 (file)
@@ -14,4 +14,4 @@ validate-email = "*"
 [dev-packages]
 
 [requires]
-python_version = "3.6"
+python_version = "3.7"
index b9e1f08..71839c7 100644 (file)
@@ -1,11 +1,11 @@
 {
     "_meta": {
         "hash": {
-            "sha256": "dca01cf448380a87625e914b200ca5b617c2b424bb61d615a6189a2ff62d58a7"
+            "sha256": "3f84f87945441353b07733193713bf3883f2fea908413e6e1617c5d5f54a0aa2"
         },
         "pipfile-spec": 6,
         "requires": {
-            "python_version": "3.6"
+            "python_version": "3.7"
         },
         "sources": [
             {
             ],
             "version": "==1.4.0"
         },
+        "attrs": {
+            "hashes": [
+                "sha256:69c0dbf2ed392de1cb5ec704444b08a5ef81680a61cb899dc08127123af36a79",
+                "sha256:f0b870f674851ecbfbbbd364d6b5cbdff9dcedbc7f3f5e18a6891057f21fe399"
+            ],
+            "version": "==19.1.0"
+        },
         "babel": {
             "hashes": [
-                "sha256:6778d85147d5d85345c14a26aada5e478ab04e39b078b0745ee6870c2b5cf669",
-                "sha256:8cba50f48c529ca3fa18cf81fa9403be176d374ac4d60738b839122dfaaa3d23"
+                "sha256:af92e6106cb7c55286b25b38ad7695f8b4efb36a90ba483d7f7a6628c46158ab",
+                "sha256:e86135ae101e31e2c8ec20a4e0c5220f4eed12487d5cf3f78be7e98d3a57fc28"
             ],
-            "version": "==2.6.0"
+            "version": "==2.7.0"
         },
         "certifi": {
             "hashes": [
-                "sha256:339dc09518b07e2fa7eda5450740925974815557727d6bd35d319c1524a04a4c",
-                "sha256:6d58c986d22b038c8c0df30d639f23a3e6d172a05c3583e766f4c0b785c0986a"
+                "sha256:046832c04d4e752f37383b628bc601a7ea7211496b4638f6514d0e5b9acc4939",
+                "sha256:945e3ba63a0b9f577b1395204e13c3a231f9bc0223888be653286534e5873695"
             ],
-            "version": "==2018.10.15"
+            "version": "==2019.6.16"
         },
         "chardet": {
             "hashes": [
         },
         "docutils": {
             "hashes": [
-                "sha256:02aec4bd92ab067f6ff27a38a38a41173bf01bed8f89157768c1573f53e474a6",
-                "sha256:51e64ef2ebfb29cae1faa133b3710143496eca21c530f3f71424d77687764274",
-                "sha256:7a4bd47eaf6596e1295ecb11361139febe29b084a87bf005bf899f9a42edc3c6"
+                "sha256:6c4f696463b79f1fb8ba0c594b63840ebd41f059e92b31957c46b74a4599b6d0",
+                "sha256:9e4d7ecfc600058e07ba661411a2b7de2fd0fafa17d1a7f7361cd47b1175c827",
+                "sha256:a2aeea129088da402665e92e0b25b04b073c04b2dce4ab65caaa38b7ce2e1a99"
             ],
-            "version": "==0.14"
+            "version": "==0.15.2"
         },
         "gitdb2": {
             "hashes": [
                 "sha256:83361131a1836661a155172932a13c08bda2db3674e4caa32368aa6eb02f38c2",
                 "sha256:e3a0141c5f2a3f635c7209d56c496ebe1ad35da82fe4d3ec4aaa36278d70648a"
             ],
-            "markers": "python_version != '3.1.*' and python_version >= '2.7' and python_version != '3.2.*' and python_version != '3.0.*' and python_version != '3.3.*'",
             "version": "==2.0.5"
         },
         "gitpython": {
             "hashes": [
-                "sha256:563221e5a44369c6b79172f455584c9ebbb122a13368cc82cb4b5addff788f82",
-                "sha256:8237dc5bfd6f1366abeee5624111b9d6879393d84745a507de0fda86043b65a8"
+                "sha256:c15c55ff890cd3a6a8330059e80885410a328f645551b55a91d858bfb3eb2573",
+                "sha256:df752b6b6f06f11213e91c4925aea7eaf9e37e88fb71c8a7a1aa0a5c10852120"
             ],
             "index": "pypi",
-            "version": "==2.1.11"
+            "version": "==2.1.13"
         },
         "idna": {
             "hashes": [
-                "sha256:156a6814fb5ac1fc6850fb002e0852d56c0c8d2531923a51032d1b70760e186e",
-                "sha256:684a38a6f903c1d71d6d5fac066b58d7768af4de2b832e426ec79c30daa94a16"
+                "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407",
+                "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c"
             ],
-            "version": "==2.7"
+            "version": "==2.8"
         },
         "imagesize": {
             "hashes": [
                 "sha256:3f349de3eb99145973fefb7dbe38554414e5c30abd0c8e4b970a7c9d09f3a1d8",
                 "sha256:f3832918bc3c66617f92e35f5d70729187676313caa60c187eb0f28b8fe5e3b5"
             ],
-            "markers": "python_version != '3.2.*' and python_version >= '2.7' and python_version != '3.1.*' and python_version != '3.3.*' and python_version != '3.0.*'",
             "version": "==1.1.0"
         },
         "ipcalc": {
         },
         "jandd.sphinxext.ip": {
             "hashes": [
-                "sha256:9038c005331ef0473ffc37b6163dd5fba2ecca097da82feba46a39ac0206a910",
-                "sha256:dfac23f4d819505329c73efe12f5fab2890105b53797fcb3e6c27cf15ff3b994"
+                "sha256:11c4674034d3b874ddf1baa379ec92e2ca3cf7a274ca9d100f11c9eb429ab430",
+                "sha256:18ea4d526882e0be7368e16473da17ff1203041eb93e9d31998336a286088b02"
             ],
             "index": "pypi",
-            "version": "==0.2.4"
+            "version": "==0.3.0"
         },
         "jandd.sphinxext.mac": {
             "hashes": [
         },
         "jinja2": {
             "hashes": [
-                "sha256:74c935a1b8bb9a3947c50a54766a969d4846290e1e788ea44c1392163723c3bd",
-                "sha256:f84be1bb0040caca4cea721fcbbbbd61f9be9464ca236387158b0feea01914a4"
+                "sha256:065c4f02ebe7f7cf559e49ee5a95fb800a9e4528727aec6f24402a5374c65013",
+                "sha256:14dd6caf1527abb21f08f86c784eac40853ba93edb79552aa1e4b8aef1b61c7b"
             ],
-            "version": "==2.10"
+            "version": "==2.10.1"
         },
         "markupsafe": {
             "hashes": [
-                "sha256:a6be69091dac236ea9c6bc7d012beab42010fa914c459791d627dad4910eb665"
+                "sha256:00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473",
+                "sha256:09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161",
+                "sha256:09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235",
+                "sha256:1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5",
+                "sha256:24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff",
+                "sha256:29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b",
+                "sha256:43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1",
+                "sha256:46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e",
+                "sha256:500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183",
+                "sha256:535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66",
+                "sha256:62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1",
+                "sha256:6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1",
+                "sha256:717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e",
+                "sha256:79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b",
+                "sha256:7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905",
+                "sha256:88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735",
+                "sha256:8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d",
+                "sha256:98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e",
+                "sha256:9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d",
+                "sha256:9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c",
+                "sha256:ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21",
+                "sha256:b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2",
+                "sha256:b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5",
+                "sha256:b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b",
+                "sha256:ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6",
+                "sha256:c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f",
+                "sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f",
+                "sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7"
             ],
-            "version": "==1.0"
+            "version": "==1.1.1"
         },
         "packaging": {
             "hashes": [
-                "sha256:0886227f54515e592aaa2e5a553332c73962917f2831f1b0f9b9f4380a4b9807",
-                "sha256:f95a1e147590f204328170981833854229bb2912ac3d5f89e2a8ccd2834800c9"
+                "sha256:a7ac867b97fdc07ee80a8058fe4435ccd274ecc3b0ed61d852d7d53055528cf9",
+                "sha256:c491ca87294da7cc01902edbe30a5bc6c4c28172b5138ab4e4aa1b9d7bfaeafe"
             ],
-            "markers": "python_version != '3.2.*' and python_version != '3.1.*' and python_version >= '2.6' and python_version != '3.0.*'",
-            "version": "==18.0"
+            "version": "==19.1"
         },
         "pygments": {
             "hashes": [
-                "sha256:78f3f434bcc5d6ee09020f92ba487f95ba50f1e3ef83ae96b9d5ffa1bab25c5d",
-                "sha256:dbae1046def0efb574852fab9e90209b23f556367b5a320c0bcb871c77c3e8cc"
+                "sha256:71e430bc85c88a430f000ac1d9b331d2407f681d6f6aec95e8bcfbc3df5b0127",
+                "sha256:881c4c157e45f30af185c1ffe8d549d48ac9127433f2c380c24b84572ad66297"
             ],
-            "version": "==2.2.0"
+            "version": "==2.4.2"
         },
         "pyparsing": {
             "hashes": [
-                "sha256:bc6c7146b91af3f567cf6daeaec360bc07d45ffec4cf5353f4d7a208ce7ca30a",
-                "sha256:d29593d8ebe7b57d6967b62494f8c72b03ac0262b1eed63826c6f788b3606401"
+                "sha256:6f98a7b9397e206d78cc01df10131398f1c8b8510a2f4d97d9abd82e1aacdd80",
+                "sha256:d9338df12903bbf5d65a0e4e87c2161968b10d2e489652bb47001d82a9b028b4"
             ],
-            "markers": "python_version != '3.2.*' and python_version != '3.1.*' and python_version >= '2.6' and python_version != '3.0.*'",
-            "version": "==2.2.2"
+            "version": "==2.4.2"
         },
         "python-dateutil": {
             "hashes": [
-                "sha256:2f13d3ea236aeb237e7258d5729c46eafe1506fd7f8507f34730734ed8b37454",
-                "sha256:f7cde3aecf8a797553d6ec49b65f0fbcffe7ffb971ccac452d181c28fd279936"
+                "sha256:7e6584c74aeed623791615e26efd690f29817a27c73085b78e4bad02493df2fb",
+                "sha256:c89805f6f4d64db21ed966fda138f8a5ed7a4fdbc1a8ee329ce1b74e3c74da9e"
             ],
-            "version": "==2.7.4"
+            "version": "==2.8.0"
         },
         "pytz": {
             "hashes": [
-                "sha256:642253af8eae734d1509fc6ac9c1aee5e5b69d76392660889979b9870610a46b",
-                "sha256:91e3ccf2c344ffaa6defba1ce7f38f97026943f675b7703f44789768e4cb0ece"
+                "sha256:303879e36b721603cc54604edcac9d20401bdbe31e1e4fdee5b9f98d5d31dfda",
+                "sha256:d747dd3d23d77ef44c6a3526e274af6efeb0a6f1afd5a69ba4d5be4098c8e141"
             ],
-            "version": "==2018.6"
+            "version": "==2019.1"
         },
         "requests": {
             "hashes": [
-                "sha256:99dcfdaaeb17caf6e526f32b6a7b780461512ab3f1d992187801694cba42770c",
-                "sha256:a84b8c9ab6239b578f22d1c21d51b696dcfe004032bb80ea832398d6909d7279"
+                "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4",
+                "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31"
             ],
-            "markers": "python_version != '3.1.*' and python_version < '4' and python_version != '3.3.*' and python_version != '3.0.*' and python_version != '3.2.*' and python_version >= '2.7'",
-            "version": "==2.20.0"
+            "version": "==2.22.0"
         },
         "six": {
             "hashes": [
-                "sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9",
-                "sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb"
+                "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c",
+                "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"
             ],
-            "version": "==1.11.0"
+            "version": "==1.12.0"
         },
         "smmap2": {
             "hashes": [
                 "sha256:0555a7bf4df71d1ef4218e4807bbf9b201f910174e6e08af2e138d4e517b4dde",
                 "sha256:29a9ffa0497e7f2be94ca0ed1ca1aa3cd4cf25a1f6b4f5f87f74b46ed91d609a"
             ],
-            "markers": "python_version != '3.1.*' and python_version >= '2.7' and python_version != '3.2.*' and python_version != '3.0.*' and python_version != '3.3.*'",
             "version": "==2.0.5"
         },
         "snowballstemmer": {
             "hashes": [
-                "sha256:919f26a68b2c17a7634da993d91339e288964f93c274f1343e3bbbe2096e1128",
-                "sha256:9f3bcd3c401c3e862ec0ebe6d2c069ebc012ce142cce209c098ccb5b09136e89"
+                "sha256:9f3b9ffe0809d174f7047e121431acf99c89a7040f0ca84f94ba53a498e6d0c9"
             ],
-            "version": "==1.2.1"
+            "version": "==1.9.0"
         },
         "sphinx": {
             "hashes": [
-                "sha256:652eb8c566f18823a022bb4b6dbc868d366df332a11a0226b5bc3a798a479f17",
-                "sha256:d222626d8356de702431e813a05c68a35967e3d66c6cd1c2c89539bb179a7464"
+                "sha256:22538e1bbe62b407cf5a8aabe1bb15848aa66bb79559f42f5202bbce6b757a69",
+                "sha256:f9a79e746b87921cabc3baa375199c6076d1270cee53915dbd24fdbeaaacc427"
             ],
             "index": "pypi",
-            "version": "==1.8.1"
+            "version": "==2.1.2"
         },
-        "sphinxcontrib-websupport": {
+        "sphinxcontrib-applehelp": {
             "hashes": [
-                "sha256:68ca7ff70785cbe1e7bccc71a48b5b6d965d79ca50629606c7861a21b206d9dd",
-                "sha256:9de47f375baf1ea07cdb3436ff39d7a9c76042c10a769c52353ec46e4e8fc3b9"
+                "sha256:edaa0ab2b2bc74403149cb0209d6775c96de797dfd5b5e2a71981309efab3897",
+                "sha256:fb8dee85af95e5c30c91f10e7eb3c8967308518e0f7488a2828ef7bc191d0d5d"
             ],
-            "markers": "python_version != '3.2.*' and python_version >= '2.7' and python_version != '3.1.*' and python_version != '3.3.*' and python_version != '3.0.*'",
-            "version": "==1.1.0"
+            "version": "==1.0.1"
+        },
+        "sphinxcontrib-devhelp": {
+            "hashes": [
+                "sha256:6c64b077937330a9128a4da74586e8c2130262f014689b4b89e2d08ee7294a34",
+                "sha256:9512ecb00a2b0821a146736b39f7aeb90759834b07e81e8cc23a9c70bacb9981"
+            ],
+            "version": "==1.0.1"
+        },
+        "sphinxcontrib-htmlhelp": {
+            "hashes": [
+                "sha256:4670f99f8951bd78cd4ad2ab962f798f5618b17675c35c5ac3b2132a14ea8422",
+                "sha256:d4fd39a65a625c9df86d7fa8a2d9f3cd8299a3a4b15db63b50aac9e161d8eff7"
+            ],
+            "version": "==1.0.2"
+        },
+        "sphinxcontrib-jsmath": {
+            "hashes": [
+                "sha256:2ec2eaebfb78f3f2078e73666b1415417a116cc848b72e5172e596c871103178",
+                "sha256:a9925e4a4587247ed2191a22df5f6970656cb8ca2bd6284309578f2153e0c4b8"
+            ],
+            "version": "==1.0.1"
+        },
+        "sphinxcontrib-qthelp": {
+            "hashes": [
+                "sha256:513049b93031beb1f57d4daea74068a4feb77aa5630f856fcff2e50de14e9a20",
+                "sha256:79465ce11ae5694ff165becda529a600c754f4bc459778778c7017374d4d406f"
+            ],
+            "version": "==1.0.2"
+        },
+        "sphinxcontrib-serializinghtml": {
+            "hashes": [
+                "sha256:c0efb33f8052c04fd7a26c0a07f1678e8512e0faec19f4aa8f2473a8b81d5227",
+                "sha256:db6615af393650bf1151a6cd39120c29abaf93cc60db8c48eb2dddbfdc3a9768"
+            ],
+            "version": "==1.1.3"
         },
         "urllib3": {
             "hashes": [
-                "sha256:41c3db2fc01e5b907288010dec72f9d0a74e37d6994e6eb56849f59fea2265ae",
-                "sha256:8819bba37a02d143296a4d032373c4dd4aca11f6d4c9973335ca75f9c8475f59"
+                "sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1",
+                "sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232"
             ],
-            "markers": "python_version != '3.1.*' and python_version < '4' and python_version != '3.3.*' and python_version != '3.0.*' and python_version != '3.2.*' and python_version >= '2.7'",
-            "version": "==1.24"
+            "version": "==1.25.3"
         },
         "validate-email": {
             "hashes": [
index 52ae16d..a9b4ace 100644 (file)
@@ -23,54 +23,55 @@ from docutils import nodes, utils
 # If extensions (or modules to document with autodoc) are in another directory,
 # add these directories to sys.path here. If the directory is relative to the
 # documentation root, use os.path.abspath to make it absolute, like shown here.
-sys.path.insert(0, os.path.abspath('.'))
+sys.path.insert(0, os.path.abspath("."))
 
 # -- General configuration ------------------------------------------------
 
 # If your documentation needs a minimal Sphinx version, state it here.
-#needs_sphinx = '1.0'
+# needs_sphinx = '1.0'
 
 # Add any Sphinx extension module names here, as strings. They can be
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
 extensions = [
-    'sphinx.ext.todo',
-    'sphinx.ext.extlinks',
-    'jandd.sphinxext.ip',
-    'jandd.sphinxext.mac',
-    'sphinxext.cacert',
+    "sphinx.ext.todo",
+    "sphinx.ext.extlinks",
+    "jandd.sphinxext.ip",
+    "jandd.sphinxext.mac",
+    "sphinxext.cacert",
 ]
 
 # Add any paths that contain templates here, relative to this directory.
-templates_path = ['_templates']
+templates_path = ["_templates"]
 
 # The suffix(es) of source filenames.
 # You can specify multiple suffix as a list of string:
 # source_suffix = ['.rst', '.md']
-source_suffix = '.rst'
+source_suffix = ".rst"
 
 # The encoding of source files.
-#source_encoding = 'utf-8-sig'
+# source_encoding = 'utf-8-sig'
 
 # The master toctree document.
-master_doc = 'index'
+master_doc = "index"
 
 # General information about the project.
-project = u'CAcert infrastructure'
-copyright = u'2016, 2017, 2018 Jan Dittberner, CAcert'
-author = u'CAcert infrastructure team'
+project = u"CAcert infrastructure"
+copyright = u"2016, 2017, 2018 Jan Dittberner, CAcert"
+author = u"CAcert infrastructure team"
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
 # built documents.
 #
 # The short X.Y version.
-version = u'0.1'
+version = u"0.1"
 # The full version, including alpha/beta/rc tags.
 release = "{}-git:{} built:{}".format(
-        version,
-        repo.Repo('..').git.describe('--always', '--dirty'),
-        datetime.utcnow().replace(microsecond=0))
+    version,
+    repo.Repo("..").git.describe("--always", "--dirty"),
+    datetime.utcnow().replace(microsecond=0),
+)
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
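Review bot: The `release` string assembled at the end of the hunk embeds `datetime.utcnow()`, a naive value, so the "built:" timestamp shown in every page footer carries no zone marker and a reader cannot tell it is UTC; `datetime.now(timezone.utc).replace(microsecond=0).isoformat()` would make that explicit, assuming `timezone` is imported next to `datetime` above the hunk (the import block is outside it). The `u"..."` prefixes kept on `project`, `copyright`, `author` and `version` are redundant now that docs/Pipfile in this same commit pins Python 3.7, and dropping them would match the rest of the reformatting. The `copyright` value still stops at 2018 while the commit is dated 2019, which looks like an oversight rather than intent.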
@@ -81,37 +82,37 @@ language = None
 
 # There are two options for replacing |today|: either, you set today to some
 # non-false value, then it is used:
-#today = ''
+# today = ''
 # Else, today_fmt is used as the format for a strftime call.
-#today_fmt = '%B %d, %Y'
+# today_fmt = '%B %d, %Y'
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
-exclude_patterns = ['_build', 'systems/template.rst', 'critical/template.rst']
+exclude_patterns = ["_build", "systems/template.rst", "critical/template.rst"]
 
 # The reST default role (used for this markup: `text`) to use for all
 # documents.
-#default_role = None
+# default_role = None
 
 # If true, '()' will be appended to :func: etc. cross-reference text.
-#add_function_parentheses = True
+# add_function_parentheses = True
 
 # If true, the current module name will be prepended to all description
 # unit titles (such as .. function::).
-#add_module_names = True
+# add_module_names = True
 
 # If true, sectionauthor and moduleauthor directives will be shown in the
 # output. They are ignored by default.
-#show_authors = False
+# show_authors = False
 
 # The name of the Pygments (syntax highlighting) style to use.
-pygments_style = 'sphinx'
+pygments_style = "sphinx"
 
 # A list of ignored prefixes for module index sorting.
-#modindex_common_prefix = []
+# modindex_common_prefix = []
 
 # If true, keep warnings as "system message" paragraphs in the built documents.
-#keep_warnings = False
+# keep_warnings = False
 
 # If true, `todo` and `todoList` produce output, else they produce nothing.
 todo_include_todos = True
@@ -121,147 +122,149 @@ todo_include_todos = True
 
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
-html_theme = 'classic'
+html_theme = "classic"
 
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
 # documentation.
 html_theme_options = {
-    'sidebarbgcolor': '#f5f7f7',
-    'sidebartextcolor': '#334d55',
-    'sidebarlinkcolor': '#005fa9',
+    "sidebarbgcolor": "#f5f7f7",
+    "sidebartextcolor": "#334d55",
+    "sidebarlinkcolor": "#005fa9",
 }
 
 # Add any paths that contain custom themes here, relative to this directory.
-#html_theme_path = []
+# html_theme_path = []
 
 # The name for this set of Sphinx documents.  If None, it defaults to
 # "<project> v<release> documentation".
 html_title = project + " documentation v" + release
 
 # A shorter title for the navigation bar.  Default is the same as html_title.
-#html_short_title = None
+# html_short_title = None
 
 # The name of an image file (relative to this directory) to place at the top
 # of the sidebar.
-html_logo = os.path.join('images', 'CAcert-logo-colour.svg')
+html_logo = os.path.join("images", "CAcert-logo-colour.svg")
 
 # The name of an image file (relative to this directory) to use as a favicon of
 # the docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
 # pixels large.
-html_favicon = os.path.join('images', 'favicon.ico')
+html_favicon = os.path.join("images", "favicon.ico")
 
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+html_static_path = ["_static"]
 
 # Add any extra paths that contain custom files (such as robots.txt or
 # .htaccess) here, relative to this directory. These files are copied
 # directly to the root of the documentation.
-#html_extra_path = []
+# html_extra_path = []
 
 # If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
 # using the given strftime format.
-#html_last_updated_fmt = '%b %d, %Y'
+# html_last_updated_fmt = '%b %d, %Y'
 
 # If true, SmartyPants will be used to convert quotes and dashes to
 # typographically correct entities.
-#html_use_smartypants = True
+# html_use_smartypants = True
 
 # Custom sidebar templates, maps document names to template names.
-#html_sidebars = {}
+# html_sidebars = {}
 
 # Additional templates that should be rendered to pages, maps page names to
 # template names.
-#html_additional_pages = {}
+# html_additional_pages = {}
 
 # If false, no module index is generated.
-#html_domain_indices = True
+# html_domain_indices = True
 
 # If false, no index is generated.
-#html_use_index = True
+# html_use_index = True
 
 # If true, the index is split into individual pages for each letter.
-#html_split_index = False
+# html_split_index = False
 
 # If true, links to the reST sources are added to the pages.
-#html_show_sourcelink = True
+# html_show_sourcelink = True
 
 # If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
-#html_show_sphinx = True
+# html_show_sphinx = True
 
 # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
-#html_show_copyright = True
+# html_show_copyright = True
 
 # If true, an OpenSearch description file will be output, and all pages will
 # contain a <link> tag referring to it.  The value of this option must be the
 # base URL from which the finished HTML is served.
-#html_use_opensearch = ''
+# html_use_opensearch = ''
 
 # This is the file name suffix for HTML files (e.g. ".xhtml").
-#html_file_suffix = None
+# html_file_suffix = None
 
 # Language to be used for generating the HTML full-text search index.
 # Sphinx supports the following languages:
 #   'da', 'de', 'en', 'es', 'fi', 'fr', 'hu', 'it', 'ja'
 #   'nl', 'no', 'pt', 'ro', 'ru', 'sv', 'tr'
-#html_search_language = 'en'
+# html_search_language = 'en'
 
 # A dictionary with options for the search language support, empty by default.
 # Now only 'ja' uses this config value
-#html_search_options = {'type': 'default'}
+# html_search_options = {'type': 'default'}
 
 # The name of a javascript file (relative to the configuration directory) that
 # implements a search results scorer. If empty, the default will be used.
-#html_search_scorer = 'scorer.js'
+# html_search_scorer = 'scorer.js'
 
 # Output file base name for HTML help builder.
-htmlhelp_basename = 'CAcertinfrastructuredoc'
+htmlhelp_basename = "CAcertinfrastructuredoc"
 
 # -- Options for LaTeX output ---------------------------------------------
 
 latex_elements = {
-# The paper size ('letterpaper' or 'a4paper').
-#'papersize': 'letterpaper',
-
-# The font size ('10pt', '11pt' or '12pt').
-#'pointsize': '10pt',
-
-# Additional stuff for the LaTeX preamble.
-#'preamble': '',
-
-# Latex figure (float) alignment
-#'figure_align': 'htbp',
+    # The paper size ('letterpaper' or 'a4paper').
+    #'papersize': 'letterpaper',
+    # The font size ('10pt', '11pt' or '12pt').
+    #'pointsize': '10pt',
+    # Additional stuff for the LaTeX preamble.
+    #'preamble': '',
+    # Latex figure (float) alignment
+    #'figure_align': 'htbp',
 }
 
 # Grouping the document tree into LaTeX files. List of tuples
 # (source start file, target name, title,
 #  author, documentclass [howto, manual, or own class]).
 latex_documents = [
-    (master_doc, 'CAcertinfrastructure.tex', u'CAcert infrastructure Documentation',
-     u'Jan Dittberner', 'manual'),
+    (
+        master_doc,
+        "CAcertinfrastructure.tex",
+        u"CAcert infrastructure Documentation",
+        u"Jan Dittberner",
+        "manual",
+    )
 ]
 
 # The name of an image file (relative to this directory) to place at the top of
 # the title page.
-#latex_logo = None
+# latex_logo = None
 
 # For "manual" documents, if this is true, then toplevel headings are parts,
 # not chapters.
-#latex_use_parts = False
+# latex_use_parts = False
 
 # If true, show page references after internal links.
-#latex_show_pagerefs = False
+# latex_show_pagerefs = False
 
 # If true, show URL addresses after external links.
-#latex_show_urls = False
+# latex_show_urls = False
 
 # Documents to append as an appendix to all manuals.
-#latex_appendices = []
+# latex_appendices = []
 
 # If false, no module index is generated.
-#latex_domain_indices = True
+# latex_domain_indices = True
 
 
 # -- Options for manual page output ---------------------------------------
@@ -269,12 +272,17 @@ latex_documents = [
 # One entry per manual page. List of tuples
 # (source start file, name, description, authors, manual section).
 man_pages = [
-    (master_doc, 'cacertinfrastructure', u'CAcert infrastructure Documentation',
-     [author], 1)
+    (
+        master_doc,
+        "cacertinfrastructure",
+        u"CAcert infrastructure Documentation",
+        [author],
+        1,
+    )
 ]
 
 # If true, show URL addresses after external links.
-#man_show_urls = False
+# man_show_urls = False
 
 
 # -- Options for Texinfo output -------------------------------------------
@@ -283,22 +291,28 @@ man_pages = [
 # (source start file, target name, title, author,
 #  dir menu entry, description, category)
 texinfo_documents = [
-    (master_doc, 'CAcertinfrastructure', u'CAcert infrastructure Documentation',
-     author, 'CAcertinfrastructure', 'One line description of project.',
-     'Miscellaneous'),
+    (
+        master_doc,
+        "CAcertinfrastructure",
+        u"CAcert infrastructure Documentation",
+        author,
+        "CAcertinfrastructure",
+        "One line description of project.",
+        "Miscellaneous",
+    )
 ]
 
 # Documents to append as an appendix to all manuals.
-#texinfo_appendices = []
+# texinfo_appendices = []
 
 # If false, no module index is generated.
-#texinfo_domain_indices = True
+# texinfo_domain_indices = True
 
 # How to display URL addresses: 'footnote', 'no', or 'inline'.
-#texinfo_show_urls = 'footnote'
+# texinfo_show_urls = 'footnote'
 
 # If true, do not generate a @detailmenu in the "Top" node's menu.
-#texinfo_no_detailmenu = False
+# texinfo_no_detailmenu = False
 
 
 # -- Options for Epub output ----------------------------------------------
@@ -310,72 +324,75 @@ epub_publisher = author
 epub_copyright = copyright
 
 # The basename for the epub file. It defaults to the project name.
-#epub_basename = project
+# epub_basename = project
 
 # The HTML theme for the epub output. Since the default themes are not
 # optimized for small screen space, using the same theme for HTML and epub
 # output is usually not wise. This defaults to 'epub', a theme designed to save
 # visual space.
-#epub_theme = 'epub'
+# epub_theme = 'epub'
 
 # The language of the text. It defaults to the language option
 # or 'en' if the language is not set.
-#epub_language = ''
+# epub_language = ''
 
 # The scheme of the identifier. Typical schemes are ISBN or URL.
-#epub_scheme = ''
+# epub_scheme = ''
 
 # The unique identifier of the text. This can be a ISBN number
 # or the project homepage.
-#epub_identifier = ''
+# epub_identifier = ''
 
 # A unique identification for the text.
-#epub_uid = ''
+# epub_uid = ''
 
 # A tuple containing the cover image and cover page html template filenames.
-#epub_cover = ()
+# epub_cover = ()
 
 # A sequence of (type, uri, title) tuples for the guide element of content.opf.
-#epub_guide = ()
+# epub_guide = ()
 
 # HTML files that should be inserted before the pages created by sphinx.
 # The format is a list of tuples containing the path and title.
-#epub_pre_files = []
+# epub_pre_files = []
 
 # HTML files that should be inserted after the pages created by sphinx.
 # The format is a list of tuples containing the path and title.
-#epub_post_files = []
+# epub_post_files = []
 
 # A list of files that should not be packed into the epub file.
-epub_exclude_files = ['search.html']
+epub_exclude_files = ["search.html"]
 
 # The depth of the table of contents in toc.ncx.
-#epub_tocdepth = 3
+# epub_tocdepth = 3
 
 # Allow duplicate toc entries.
-#epub_tocdup = True
+# epub_tocdup = True
 
 # Choose between 'default' and 'includehidden'.
-#epub_tocscope = 'default'
+# epub_tocscope = 'default'
 
 # Fix unsupported image types using the Pillow.
-#epub_fix_images = False
+# epub_fix_images = False
 
 # Scale large images.
-#epub_max_image_width = 0
+# epub_max_image_width = 0
 
 # How to display URL addresses: 'footnote', 'no', or 'inline'.
-#epub_show_urls = 'inline'
+# epub_show_urls = 'inline'
 
 # If false, no index is generated.
-#epub_use_index = True
+# epub_use_index = True
 
 
 extlinks = {
-    'wiki': ('https://wiki.cacert.org/%s', 'Wiki '),
-    'cacertgit': (
-        'https://git.cacert.org/gitweb/?p=%s.git', 'CAcert Git repository '),
-    'github': ('https://github.com/CAcertOrg/%s', 'Github repository '),
+    "wiki": ("https://wiki.cacert.org/%s", "Wiki "),
+    "cacertgit": ("https://git.cacert.org/gitweb/?p=%s.git", "CAcert Git repository "),
+    "github": ("https://github.com/CAcertOrg/%s", "Github repository "),
+    "monitor": (
+        "https://monitor.cacert.org/monitoring/host/show?host=%s",
+        "Monitoring checks for ",
+    ),
 }
 
 
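Review bot: The new `monitor` entry in `extlinks` says nothing about what its argument is, and since the `%s` lands in the `host` query parameter of the Icinga Web 2 host view, the role only works when the argument matches the host object name configured in Icinga; a comment above the dict such as `# :monitor:\`<host>\` links to the Icinga Web 2 host view on monitor.cacert.org; the argument must be the Icinga host object name (presumably the FQDN used in systems/*.rst).` would make that contract explicit for the next editor. The caption `"Monitoring checks for "` is a plain prefix, which is what the Sphinx release pinned in 2019 expects; Sphinx 4.0 and later warn when an extlinks caption contains no `%s`, and the deprecation notice announces that a later major release will require it, so the caption should become `"Monitoring checks for %s"` at the point the pin in docs/Pipfile.lock moves past 4.0 (on older Sphinx that `%s` would be rendered literally, so the change must track the pin rather than be made now).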
@@ -386,15 +403,16 @@ def cacert_bug(name, rawtext, text, lineno, inliner, options={}, content=[]):
             raise ValueError
     except ValueError:
         msg = inliner.reporter.error(
-            'Bug number must be a number greater than or equal to 1; '
-            '"%s" is invalid.' % text, line=lineno)
+            "Bug number must be a number greater than or equal to 1; "
+            '"%s" is invalid.' % text,
+            line=lineno,
+        )
         prb = inliner.problematic(rawtext, rawtext, msg)
         return [prb], [msg]
-    ref = 'https://bugs.cacert.org/view.php?id=%d' % bugnum
-    node = nodes.reference(rawtext, '#' + utils.unescape(text), refuri=ref,
-                           **options)
+    ref = "https://bugs.cacert.org/view.php?id=%d" % bugnum
+    node = nodes.reference(rawtext, "#" + utils.unescape(text), refuri=ref, **options)
     return [node], []
 
 
 def setup(app):
-    app.add_role('bug', cacert_bug)
+    app.add_role("bug", cacert_bug)
diff --git a/docs/external.rst b/docs/external.rst
new file mode 100644 (file)
index 0000000..464c569
--- /dev/null
@@ -0,0 +1,11 @@
+================
+External Systems
+================
+
+External systems that are relevant to the CAcert infrastructure but are not
+part of the infrastructure.
+
+.. toctree::
+   :maxdepth: 1
+
+   external/extmon
diff --git a/docs/external/extmon.rst b/docs/external/extmon.rst
new file mode 100644 (file)
index 0000000..1b9cb4e
--- /dev/null
@@ -0,0 +1,242 @@
+.. index::
+   single: Systems; Extmon
+
+======
+Extmon
+======
+
+Purpose
+=======
+
+Extmon is used as an external Icinga2 agent that monitors the availability of
+CAcert service from the Internet. The system is sponsored by
+:ref:`people_jandd` and is running on a Hetzner cloud instance in Germany.
+
+Application Links
+-----------------
+
+`Service checks executed by extmon <https://monitor.cacert.org/monitoring/list/servicegroups#!/monitoring/list/services?servicegroup_name=external-checks>`_
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application   | Administrator(s)    |
++===============+=====================+
+| icinga2 agent | :ref:`people_jandd` |
++---------------+---------------------+
+
+Contact
+-------
+
+* extmon-admin@cacert.org
+
+Additional People
+-----------------
+
+No other people have :program:`sudo` access on that machine.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is a virtual KVM machine hosted on a Hetzner cloud server in
+N├╝rnberg, Germany.
+
+Physical Configuration
+----------------------
+
+* 1 VCPU
+* 2 GB RAM
+* 20 GB local disc
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`116.203.192.12`
+:IPv6:        :ip:v6:`2a01:4f8:c2c:a5b9::1`
+:MAC address: :mac:`96:00:00:2c:89:82` (eth0)
+
+.. seealso::
+
+   See :doc:`../network`
+
+.. index::
+   single: Monitoring; Extmon
+
+Monitoring
+----------
+
+:internal checks: :monitor:`extmon.infra.cacert.org`
+
+DNS
+---
+
+The system has no DNS entries.
+
+Operating System
+----------------
+
+.. index::
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
+
+* Debian GNU/Linux 10.0
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+-------------------------------+
+| Port     | Service | Origin  | Purpose                       |
++==========+=========+=========+===============================+
+| 22/tcp   | ssh     | ANY     | admin console access          |
++----------+---------+---------+-------------------------------+
+| 25/tcp   | smtp    | local   | mail delivery to local MTA    |
++----------+---------+---------+-------------------------------+
+| 68/udp   | dhcp    | hetzner | dynamic network configuration |
++----------+---------+---------+-------------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service     |
++----------+---------+---------+-------------------------------+
+
+Running services
+----------------
+
+.. index::
+   single: cron
+   single: dbus
+   single: exim4
+   single: icinga2
+   single: openssh
+   single: puppet
+   single: rsyslog
+
++----------------+--------------------------+----------------------------------+
+| Service        | Usage                    | Start mechanism                  |
++================+==========================+==================================+
+| cron           | job scheduler            | systemd unit ``cron.service``    |
++----------------+--------------------------+----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``    |
+|                | daemon                   |                                  |
++----------------+--------------------------+----------------------------------+
+| Exim           | SMTP server for          | systemd unit ``exim4.service``   |
+|                | local mail submission    |                                  |
++----------------+--------------------------+----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for           | systemd unit ``ssh.service``     |
+|                | remote administration    |                                  |
++----------------+--------------------------+----------------------------------+
+| Puppet agent   | configuration            | systemd unit ``puppet.service``  |
+|                | management agent         |                                  |
++----------------+--------------------------+----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service`` |
++----------------+--------------------------+----------------------------------+
+
+Databases
+---------
+
+* None
+
+Connected Systems
+-----------------
+
+* :doc:`../systems/monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) Hetzner cloud nameservers
+* :doc:`../systems/puppet` (tcp/8140) as Puppet master
+* checked CAcert systems on publicly opened ports
+
+Security
+========
+
+.. sshkeys::
+   :RSA:     SHA256:pRCCUOzQbNf2MSDyq3mt/zCYrf9Cowo0tUp+cLcP5ZU MD5:89:07:d2:68:02:37:73:86:a3:f0:53:46:e9:93:3c:b5
+   :DSA:     SHA256:qQmdmDcCrj9CgGK/LsT0zz8d90wCmn0HlSmt9WRqIF8 MD5:8c:f0:fa:e2:18:98:22:fb:ae:ed:c3:84:78:0e:70:5f
+   :ECDSA:   SHA256:+5X1KhHfqCSfVzNhT6xXpKYwsS/bZvI5rOM7hPogcWo MD5:f3:65:d0:12:a6:e9:cc:91:f4:55:32:c0:ca:75:59:17
+   :ED25519: SHA256:lxUPfNgUMZ/JrZHVG9Qc33x7vqyKGgmIJ54rgx+dZow MD5:39:b7:17:91:05:2d:1c:ad:4b:5a:5e:e0:e6:01:2c:a5
+
+Dedicated user roles
+--------------------
+
+* None
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+The system provides no public services besides an Icinga2 agent that executes
+commands sent from :doc:`../systems/monitor`.
+
+The Puppet agent package and a few dependencies are installed from the
+official Puppet APT repository because the versions in Debian are too old to
+use modern Puppet features.
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
+Keys and X.509 certificates
+---------------------------
+
+* None
+
+Tasks
+=====
+
+Add a service to be checked by extmon
+-------------------------------------
+
+Service monitoring is configured in the :cacertgit:`cacert-icinga2-conf_d`.
+
+All checks for services on hosts with the following block will be executed by
+extmon:
+
+.. code-block::
+
+   vars.external = true
+
+Changes
+=======
+
+Planned
+-------
+
+* None
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+* None
+
+References
+----------
+
+* https://icinga.com/docs/icinga2/latest/
index d6200dc..c132b7d 100644 (file)
@@ -12,6 +12,7 @@ Table of Contents
 
    critical
    systems
+   external
    lxcsetup
    network
    iplist
index f20050c..16c38dc 100644 (file)
@@ -12,6 +12,10 @@ Internet IP addresses
 
 .. ip:v6range:: 2001:7b8:616:162:2::/80
 
+.. ip:v4range:: 116.203.192.12/32
+
+.. ip:v6range:: 2a01:4f8:c2c:a5b9::1/128
+
 
 Intranet IP addresses
 ---------------------
index af79cea..4f7380e 100644 (file)
@@ -2,6 +2,11 @@
 Setup of a new CAcert LXC container with Puppet agent
 =====================================================
 
+.. todo::
+
+   Update the LXC setup documentation. lxc-setup might not work with LXC 3.0
+   that is used on :doc:`systems/infra02` since 2019-07-13.
+
 Preparation
 ===========
 
index 078f3ad..99e9c57 100644 (file)
@@ -22,6 +22,8 @@ IPv6 connectivity is also available. The infrastructure IPv6 addresses are
 taken from the :ip:v6range:`2001:7b8:616:162:1::/80` and
 :ip:v6range:`2001:7b8:616:162:2::/80` ranges.
 
+External monitoring is provided from the ranges :ip:v4range:`116.203.192.12/32`
+and :ip:v6range:`2a01:4f8:c2c:a5b9::1/128`.
 
 Intranet
 --------
index 0e6201f..404f430 100644 (file)
@@ -18,12 +18,14 @@ administrator team.
    systems/git
    systems/ircserver
    systems/issue
-   systems/lists
    systems/jenkins
+   systems/lists
    systems/monitor
-   systems/puppet
+   systems/motion
+   systems/pgpkeys
    systems/proxyin
    systems/proxyout
+   systems/puppet
    systems/svn
    systems/test
    systems/test2
@@ -33,6 +35,7 @@ administrator team.
    systems/web
    systems/webmail
    systems/webstatic
+   systems/wiki
 
 
 General
@@ -87,28 +90,23 @@ General
    That's it, now the package update status should be properly displayed in
    Icinga.
 
-.. todo:: think about replacing nrpe with Icinga2 satellites
-
 Checklist
 =========
 
 .. index::
    single: etckeeper
+   single: icinga2
    single: nrpe
+   single: puppet
 
 * All containers should be monitored by :doc:`systems/monitor` and should
-  therefore have :program:`nagios-nrpe-server` installed
+  therefore have :program:`icinga2` installed and managed via Puppet (older
+  systems without Puppet have :program:`nagios-nrpe-server` installed)
 * All containers should use :program:`etckeeper` to put their local setup into
   version control. All local setup should use :file:`/etc` to make sure it is
   handled by :program:`etckeeper`
 * All infrastructure systems must send their mail via :doc:`systems/emailout`
 * All infrastructure systems should have an system-admin@cacert.org alias to
   reach their admins
-* The installation of :index:`systemd-sysv` in containers can be blocked by
-  putting the following lines in :file:`/etc/apt/preferences.d/systemd-sysv`::
-
-    Package: systemd-sysv
-    Pin: release a=stable
-    Pin-Priority: -1
 
 .. todo:: document how to setup the system-admin alias on the email system
index b225e87..482d24e 100644 (file)
@@ -61,9 +61,8 @@ Contact
 Additional People
 -----------------
 
-:ref:`Jan Dittberner <people_jandd>`, :ref:`Mario Lipinski <people_mario>` and
-:ref:`Dirk Astrath <people_dirk>` have :program:`sudo` access on that machine
-too.
+:ref:`Jan Dittberner <people_jandd>` and :ref:`Mario Lipinski <people_mario>`
+have :program:`sudo` access on that machine too.
 
 Basics
 ======
@@ -86,6 +85,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Blog
+
+Monitoring
+----------
+
+:internal checks: :monitor:`blog.infra.cacert.org`
+
 DNS
 ---
 
@@ -116,9 +123,9 @@ Operating System
 
 .. index::
    single: Debian GNU/Linux; Jessie
-   single: Debian GNU/Linux; 8.10
+   single: Debian GNU/Linux; 8.11
 
-* Debian GNU/Linux 8.10
+* Debian GNU/Linux 8.11
 
 Applicable Documentation
 ------------------------
@@ -153,40 +160,39 @@ Running services
 ----------------
 
 .. index::
-   single: Apache
-   single: MySQL
-   single: PHP FPM
-   single: Postfix
+   single: apache httpd
    single: cron
+   single: dbus
+   single: mysql
    single: nrpe
    single: openssh
-
-+--------------------+--------------------+----------------------------------------+
-| Service            | Usage              | Start mechanism                        |
-+====================+====================+========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
-|                    | remote             |                                        |
-|                    | administration     |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Apache httpd       | Webserver for blog | init script                            |
-|                    |                    | :file:`/etc/init.d/apache2`            |
-+--------------------+--------------------+----------------------------------------+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
-+--------------------+--------------------+----------------------------------------+
-| MySQL              | MySQL database     | init script                            |
-|                    | server for blog    | :file:`/etc/init.d/mysql`              |
-+--------------------+--------------------+----------------------------------------+
-| PHP FPM            | PHP FPM executor   | init script                            |
-|                    | for blog           | :file:`/etc/init.d/php5-fpm`           |
-+--------------------+--------------------+----------------------------------------+
-| Postfix            | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/postfix`            |
-|                    | submission         |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                            |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`     |                                        |
-+--------------------+--------------------+----------------------------------------+
+   single: postfix
+
++--------------------+--------------------+-------------------------------------------------+
+| Service            | Usage              | Start mechanism                                 |
++====================+====================+=================================================+
+| Apache httpd       | Webserver for blog | systemd unit ``apache2.service``                |
++--------------------+--------------------+-------------------------------------------------+
+| cron               | job scheduler      | systemd unit ``cron.service``                   |
++--------------------+--------------------+-------------------------------------------------+
+| dbus-daemon        | System message bus | systemd unit ``dbus.service``                   |
+|                    | daemon             |                                                 |
++--------------------+--------------------+-------------------------------------------------+
+| MySQL              | MySQL database     | systemd unit ``mysql.service``                  |
+|                    | server for blog    |                                                 |
++--------------------+--------------------+-------------------------------------------------+
+| openssh server     | ssh daemon for     | systemd unit ``ssh.service``                    |
+|                    | remote             |                                                 |
+|                    | administration     |                                                 |
++--------------------+--------------------+-------------------------------------------------+
+| Postfix            | SMTP server for    | systemd unit ``postfix.service``                |
+|                    | local mail         |                                                 |
+|                    | submission         |                                                 |
++--------------------+--------------------+-------------------------------------------------+
+| Nagios NRPE server | remote monitoring  | systemd unit ``/etc/init.d/nagios-nrpe-server`` |
+|                    | service queried by |                                                 |
+|                    | :doc:`monitor`     |                                                 |
++--------------------+--------------------+-------------------------------------------------+
 
 Databases
 ---------
@@ -225,10 +231,10 @@ Security
 ========
 
 .. sshkeys::
-   :RSA:     MD5:ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d
-   :DSA:     MD5:c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5
-   :ECDSA:   MD5:00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81
-   :ED25519: MD5:0c:fe:c7:a1:bd:e6:43:e6:70:5a:be:5a:15:4d:08:9d
+   :RSA:     SHA256:OvtFKsNpDPfNmjMygTv3sT29KIx6TvvZq53UtGSf8rY MD5:ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d
+   :DSA:     SHA256:TUOE69GQYSWuJtL6l2WWr5FLSzWH8iBKDgE2ijZA9oA MD5:c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5
+   :ECDSA:   SHA256:htMwuQDbm/CovJ7DSxJqqCYf7J4CsSOrYcKu4LVq4Ec MD5:00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81
+   :ED25519: SHA256:8kt3DBbcuRr8lGHmLm/mOmPUE++keUdRwDntbVITEns MD5:0c:fe:c7:a1:bd:e6:43:e6:70:5a:be:5a:15:4d:08:9d
 
 Dedicated user roles
 --------------------
@@ -332,21 +338,28 @@ Wordpress configuration
 Tasks
 =====
 
+.. todo:: add a section documenting wordpress and plugin updates
+.. todo:: add a section documenting wordpress user management
+
+Changes
+=======
+
 Planned
 -------
 
+.. todo:: switch to Puppet management
+.. todo:: replace nrpe with icinga2 agent
+.. todo:: update wordpress to 5.x
+.. todo:: update to Debian 9/10
 .. todo:: setup IPv6
 
 .. todo::
    setup CRL checks (can be borrowed from :doc:`svn`) for client certificates
 
-Changes
-=======
-
 System Future
 -------------
 
-.. todo:: system should be upgraded to Debian 9
+* No plans
 
 Additional documentation
 ========================
index 18bde33..c9b622a 100644 (file)
@@ -70,6 +70,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Board
+
+Monitoring
+----------
+
+:internal checks: :monitor:`board.infra.cacert.org`
+
 DNS
 ---
 
@@ -98,11 +106,6 @@ Operating System
 
 * Debian GNU/Linux 7.11
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
@@ -197,9 +200,9 @@ Security
 ========
 
 .. sshkeys::
-   :RSA:   c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1
-   :DSA:   f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3
-   :ECDSA: 0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac
+   :RSA:   SHA256:j20Xl83ZK90nYXuIxOMJTcQH75rBcAWIfRnzoPs1qr4 MD5:c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1
+   :DSA:   SHA256:If2oWICT8sA7I+n0kyr+e6oTKa4oKaDFs/kSOQu3UwU MD5:f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3
+   :ECDSA: SHA256:bAsIi9uHC2lm5HSho3EtdltumBmNPUvHIcFJo0UXj7A MD5:0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac
 
 .. todo:: setup ED25519 host key (needs update to Jessie)
 
@@ -341,22 +344,24 @@ that the XML-RPC service binds to.
 Tasks
 =====
 
+.. todo:: add a section documenting how to add/remove openerp users
+
+Changes
+=======
+
 Planned
 -------
 
+.. todo:: switch to Puppet management
+.. todo:: replace nrpe with icinga2 agent
 .. todo:: disable unneeded Apache modules
-
 .. todo:: setup IPv6
-
-.. todo:: consider using a centralized PostgreSQL instance
-
-Changes
-=======
+.. todo:: update to Debian 8/9/10
 
 System Future
 -------------
 
-.. todo:: system should be updated to Debian 8/9
+* No plans
 
 Additional documentation
 ========================
index 69a9af9..15da3a0 100644 (file)
@@ -71,6 +71,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Bugs
+
+Monitoring
+----------
+
+:internal checks: :monitor:`bugs.infra.cacert.org`
+
 DNS
 ---
 
@@ -102,14 +110,9 @@ Operating System
 
 .. index::
    single: Debian GNU/Linux; Stretch
-   single: Debian GNU/Linux; 9.4
-
-* Debian GNU/Linux 9.4
-
-Applicable Documentation
-------------------------
+   single: Debian GNU/Linux; 9.9
 
-That's it
+* Debian GNU/Linux 9.9
 
 Services
 ========
@@ -128,7 +131,7 @@ Listening services
 +----------+---------+---------+--------------------------------+
 | 443/tcp  | https   | ANY     | web server for bug tracker     |
 +----------+---------+---------+--------------------------------+
-| 5666/tcp | nrpe    | monitor | remote monitoring service      |
+| 5665/tcp | icinga2 | monitor | remote monitoring service      |
 +----------+---------+---------+--------------------------------+
 | 3306/tcp | mysql   | local   | MySQL database for bug tracker |
 +----------+---------+---------+--------------------------------+
@@ -139,43 +142,45 @@ Running services
 .. index::
    single: apache httpd
    single: cron
+   single: dbus
+   single: icinga2
    single: mariadb
-   single: nrpe
    single: openssh
    single: postfix
    single: puppet agent
    single: rsyslog
 
-+--------------------+--------------------+----------------------------------------+
-| Service            | Usage              | Start mechanism                        |
-+====================+====================+========================================+
-| Apache httpd       | Webserver for bug  | init script                            |
-|                    | tracker            | :file:`/etc/init.d/apache2`            |
-+--------------------+--------------------+----------------------------------------+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
-+--------------------+--------------------+----------------------------------------+
-| MariaDB            | MariaDB database   | init script                            |
-|                    | server for bug     | :file:`/etc/init.d/mysql`              |
-|                    | tracker            |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                            |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`     |                                        |
-+--------------------+--------------------+----------------------------------------+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
-|                    | remote             |                                        |
-|                    | administration     |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Postfix            | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/postfix`            |
-|                    | submission         |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Puppet agent       | configuration      | init script                            |
-|                    | management agent   | :file:`/etc/init.d/puppet`             |
-+--------------------+--------------------+----------------------------------------+
-| rsyslog            | syslog daemon      | init script                            |
-|                    |                    | :file:`/etc/init.d/syslog`             |
-+--------------------+--------------------+----------------------------------------+
++----------------+--------------------------+----------------------------------+
+| Service        | Usage                    | Start mechanism                  |
++================+==========================+==================================+
+| Apache httpd   | Webserver for bug        | systemd unit ``apache2.service`` |
+|                | tracker                  |                                  |
++----------------+--------------------------+----------------------------------+
+| cron           | job scheduler            | systemd unit ``cron.service``    |
++----------------+--------------------------+----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``    |
+|                | daemon                   |                                  |
++----------------+--------------------------+----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| MariaDB        | MariaDB database         | systemd unit ``mariadb.service`` |
+|                | server for bug           |                                  |
+|                | tracker                  |                                  |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for           | systemd unit ``ssh.service``     |
+|                | remote                   |                                  |
+|                | administration           |                                  |
++----------------+--------------------------+----------------------------------+
+| Postfix        | SMTP server for          | systemd unit ``postfix.service`` |
+|                | local mail               |                                  |
+|                | submission               |                                  |
++----------------+--------------------------+----------------------------------+
+| Puppet agent   | configuration            | systemd unit ``puppet.service``  |
+|                | management agent         |                                  |
++----------------+--------------------------+----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service`` |
+|                |                          |                                  |
++----------------+--------------------------+----------------------------------+
 
 Databases
 ---------
@@ -347,12 +352,18 @@ add an additional logging socket in the Postfix chroot.
 Tasks
 =====
 
-Planned
--------
+.. todo:: add a section documenting how to manage mantis projects
+.. todo:: add a section documenting how to manage mantis users
 
 Changes
 =======
 
+Planned
+-------
+
+.. todo:: upgrade to Debian 10 (when Puppet is available)
+
+
 System Future
 -------------
 
index 43f1b9e..8989cdb 100644 (file)
@@ -67,6 +67,11 @@ Logical Location
 
    See :doc:`../network`
 
+Monitoring
+----------
+
+:internal checks: :monitor:`cats.infra.cacert.org`
+
 DNS
 ---
 
@@ -99,11 +104,6 @@ Operating System
 
 * Debian GNU/Linux 7.11
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
@@ -130,12 +130,12 @@ Running services
 ----------------
 
 .. index::
-   single: Apache
-   single: MySQL
-   single: Postfix
+   single: apache httpd
    single: cron
+   single: mysql
    single: nrpe
    single: openssh
+   single: postfix
 
 +--------------------+--------------------+----------------------------------------+
 | Service            | Usage              | Start mechanism                        |
@@ -196,9 +196,9 @@ Security
 ========
 
 .. sshkeys::
-   :RSA:   d4:1f:0a:c9:a6:18:7a:a4:72:6b:42:5d:8e:63:44:1f
-   :DSA:   0c:0a:94:fc:99:b2:49:a2:41:3a:59:3f:dd:3d:e4:33
-   :ECDSA: bc:28:fb:72:b9:e3:cb:0f:a0:ff:d2:38:8a:ac:6d:93
+   :RSA:   SHA256:YFr1fODx7PjurFxxkB8UNL9lwG/AeWuTLQ8Q8h3fZf4 MD5:d4:1f:0a:c9:a6:18:7a:a4:72:6b:42:5d:8e:63:44:1f
+   :DSA:   SHA256:CDUkGlsZBQl8MysXb67JLgXGkBaboSUYTz/iyWEtlxg MD5:0c:0a:94:fc:99:b2:49:a2:41:3a:59:3f:dd:3d:e4:33
+   :ECDSA: SHA256:H1SVPJbeDpPNGeZsolCF1nc87v08N2vi53waM3zNAI0 MD5:bc:28:fb:72:b9:e3:cb:0f:a0:ff:d2:38:8a:ac:6d:93
 
 .. todo:: setup ED25519 host key (needs update to Jessie)
 
@@ -352,20 +352,24 @@ MySQL configuration is stored in the :file:`/etc/mysql/` directory.
 Tasks
 =====
 
+.. todo:: document how to update the CATS software
+
+Changes
+=======
+
 Planned
 -------
 
-.. todo:: update to Debian Jessie
+.. todo:: switch to Puppet management
+.. todo:: replace nrpe with icinga2 agent
+.. todo:: update to Debian 8/9/10
 .. todo:: setup IPv6
 .. todo:: setup CRL checks
 
-Changes
-=======
-
 System Future
 -------------
 
-.. todo:: system should be updated to Debian 8/9
+* No plans
 
 Additional documentation
 ========================
index d89f78a..e2143d2 100644 (file)
@@ -47,27 +47,50 @@ Logical Location
 :IP Internet: :ip:v4:`213.154.225.228`
 :IP Intranet: :ip:v4:`172.16.2.19`
 :IP Internal: :ip:v4:`10.0.0.19`
-:IPv6:        :ip:v6:`2001:7b8:616:162:2::19`
+:IPv6:        :ip:v6:`2001:7b8:616:162:2::228`
 :MAC address: :mac:`00:ff:8f:e0:4a:90` (eth0)
 
 .. seealso::
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Email
+
+Monitoring
+----------
+
+:internal checks: :monitor:`email.infra.cacert.org`
+
 DNS
 ---
 
 .. index::
    single: DNS records; Email
 
-======================= ======== ============================================
-Name                    Type     Content
-======================= ======== ============================================
-email.cacert.org.       IN A     213.154.225.228
-email.cacert.org.       IN SSHFP 1 1 BF391FD72656A275524D1D25A624C6045B44AE90
-email.cacert.org.       IN SSHFP 2 1 73B0D8ACB492A7187016DD3C5FC1519B309A550F
-email.intra.cacert.org. IN A     172.16.2.19
-======================= ======== ============================================
++-------------------------+-----------+----------------------------------------------------------------------+
+| Name                    | Type      | Content                                                              |
++=========================+===========+======================================================================+
+| email.cacert.org.       | IN A      | 213.154.225.228                                                      |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.cacert.org.       | IN  AAAA  | 2001:7b8:616:162:2::228                                              |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.cacert.org.       | IN  SSHFP | 1 1 bf391fd72656a275524d1d25a624c6045b44ae90                         |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.cacert.org.       | IN  SSHFP | 1 2 c8b68f3eb9a83902391b78686b4885a317fac0f74b0490a78b32ecbbee921df1 |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.cacert.org.       | IN  SSHFP | 3 1 5ffbc51c37cdff52db9c488c08b89af9ffee06a0                         |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.cacert.org.       | IN  SSHFP | 3 2 a114de78fc26bd0dc6fa2206d7c04519ec875023cf203e446d4bbbbc4e24da19 |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.cacert.org.       | IN  SSHFP | 4 1 18418515e94817f0624bf0a192331addf878ff66                         |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.cacert.org.       | IN  SSHFP | 4 2 d4fe3165206ba69baf4643253138561789918688375ed8ab89bcfc4411535221 |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.intra.cacert.org. | IN A      | 172.16.2.19                                                          |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.infra.cacert.org. | IN A      | 10.0.0.19                                                            |
++-------------------------+-----------+----------------------------------------------------------------------+
 
 A DKIM record for cacert.org ist setup but no DKIM signing is active currently.
 
@@ -84,15 +107,10 @@ Operating System
 ----------------
 
 .. index::
-   single: Debian GNU/Linux; Lenny
-   single: Debian GNU/Linux; 5.0.10
+   single: Debian GNU/Linux; Stretch
+   single: Debian GNU/Linux; 9.9
 
-* Debian GNU/Linux 5.0.10
-
-Applicable Documentation
-------------------------
-
-This is it :-)
+* Debian GNU/Linux 9.9
 
 Services
 ========
@@ -100,102 +118,80 @@ Services
 Listening services
 ------------------
 
-+----------+---------+----------------+----------------------------------------+
-| Port     | Service | Origin         | Purpose                                |
-+==========+=========+================+========================================+
-| 22/tcp   | ssh     | ANY            | admin console access                   |
-+----------+---------+----------------+----------------------------------------+
-| 25/tcp   | smtp    | ANY            | mail receiver for cacert.org           |
-+----------+---------+----------------+----------------------------------------+
-| 110/tcp  | pop3    | ANY            | POP3 access for cacert.org mail        |
-|          |         |                | addresses                              |
-+----------+---------+----------------+----------------------------------------+
-| 143/tcp  | imap    | ANY            | IMAP access for cacert.org mail        |
-|          |         |                | addresses                              |
-+----------+---------+----------------+----------------------------------------+
-| 465/tcp  | smtps   | ANY            | SMTPS for cacert.org mail addresses    |
-+----------+---------+----------------+----------------------------------------+
-| 587/tcp  | smtp    | ANY            | mail submission for cacert.org mail    |
-|          |         |                | addresses                              |
-+----------+---------+----------------+----------------------------------------+
-| 993/tcp  | imaps   | ANY            | IMAPS access for cacert.org mail       |
-|          |         |                | addresses                              |
-+----------+---------+----------------+----------------------------------------+
-| 995/tcp  | pop3s   | ANY            | POP3S access for cacert.org mail       |
-|          |         |                | addresses                              |
-+----------+---------+----------------+----------------------------------------+
-| 2000/tcp | sieve   | ANY            | Manage sieve access for cacert.org     |
-|          |         |                | mail addresses                         |
-+----------+---------+----------------+----------------------------------------+
-| 2001/tcp | sieve   | :doc:`webmail` | Manage sieve access for cacert.org     |
-|          |         |                | mail addresses without TLS, accessible |
-|          |         |                | from ``172.16.2.20`` only              |
-+----------+---------+----------------+----------------------------------------+
-| 3306/tcp | mysql   | local          | MySQL database server                  |
-+----------+---------+----------------+----------------------------------------+
-| 4433/tcp | http    | local          | Apache httpd with phpmyadmin           |
-+----------+---------+----------------+----------------------------------------+
-| 5666/tcp | nrpe    | monitor        | remote monitoring service              |
-+----------+---------+----------------+----------------------------------------+
-
-.. topic:: PHPMyAdmin access
-
-   Administrators can use ssh to forward the Apache httpd HTTPS port to their
-   own machine:
-
-   .. code-block:: bash
-
-      ssh -L 4433:localhost:4433 -l username email.cacert.org
-
-   and access PHPMyAdmin at https://localhost:4433/
++----------+---------+---------+-------------------------------------+
+| Port     | Service | Origin  | Purpose                             |
++==========+=========+=========+=====================================+
+| 22/tcp   | ssh     | ANY     | admin console access                |
++----------+---------+---------+-------------------------------------+
+| 25/tcp   | smtp    | ANY     | mail receiver for cacert.org        |
++----------+---------+---------+-------------------------------------+
+| 110/tcp  | pop3    | ANY     | POP3 access for cacert.org mail     |
+|          |         |         | addresses                           |
++----------+---------+---------+-------------------------------------+
+| 143/tcp  | imap    | ANY     | IMAP access for cacert.org mail     |
+|          |         |         | addresses                           |
++----------+---------+---------+-------------------------------------+
+| 465/tcp  | smtps   | ANY     | SMTPS for cacert.org mail addresses |
++----------+---------+---------+-------------------------------------+
+| 587/tcp  | smtp    | ANY     | mail submission for cacert.org mail |
+|          |         |         | addresses                           |
++----------+---------+---------+-------------------------------------+
+| 993/tcp  | imaps   | ANY     | IMAPS access for cacert.org mail    |
+|          |         |         | addresses                           |
++----------+---------+---------+-------------------------------------+
+| 995/tcp  | pop3s   | ANY     | POP3S access for cacert.org mail    |
+|          |         |         | addresses                           |
++----------+---------+---------+-------------------------------------+
+| 4190/tcp | sieve   | ANY     | Manage sieve access for cacert.org  |
+|          |         |         | mail addresses                      |
++----------+---------+---------+-------------------------------------+
+| 3306/tcp | mysql   | local   | MariaDB database server             |
++----------+---------+---------+-------------------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service           |
++----------+---------+---------+-------------------------------------+
 
 Running services
 ----------------
 
 .. index::
-   single: Apache
-   single: MySQL
-   single: Postfix
    single: cron
+   single: dbus
    single: dovecot
-   single: nrpe
+   single: icinga2
+   single: mariadb
    single: openssh
-   single: pysieved
+   single: postfix
+   single: puppet
    single: rsyslog
-   single: xinetd
-
-+--------------------+---------------------+----------------------------------------+
-| Service            | Usage               | Start mechanism                        |
-+====================+=====================+========================================+
-| Apache httpd       | Webserver for       | init script                            |
-|                    | phpmyadmin          | :file:`/etc/init.d/apache2`            |
-+--------------------+---------------------+----------------------------------------+
-| cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
-+--------------------+---------------------+----------------------------------------+
-| dovecot            | IMAP(s) and POP3(s) | init script                            |
-|                    | daemon              | :file:`/etc/init.d/dovecot`            |
-+--------------------+---------------------+----------------------------------------+
-| MySQL              | MySQL database      | init script                            |
-|                    | server for email    | :file:`/etc/init.d/mysql`              |
-|                    | services            |                                        |
-+--------------------+---------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring   | init script                            |
-|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`      |                                        |
-+--------------------+---------------------+----------------------------------------+
-| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
-|                    | remote              |                                        |
-|                    | administration      |                                        |
-+--------------------+---------------------+----------------------------------------+
-| Postfix            | SMTP server for     | init script                            |
-|                    | cacert.org          | :file:`/etc/init.d/postfix`            |
-+--------------------+---------------------+----------------------------------------+
-| rsyslog            | syslog daemon       | init script                            |
-|                    |                     | :file:`/etc/init.d/syslog`             |
-+--------------------+---------------------+----------------------------------------+
-| xinetd             | socket listener     | init script                            |
-|                    | for pysieved        | :file:`/etc/init.d/xinetd`             |
-+--------------------+---------------------+----------------------------------------+
+
++----------------+--------------------------+----------------------------------+
+| Service        | Usage                    | Start mechanism                  |
++================+==========================+==================================+
+| cron           | job scheduler            | systemd unit ``cron.service``    |
++----------------+--------------------------+----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``    |
+|                | daemon                   |                                  |
++----------------+--------------------------+----------------------------------+
+| dovecot        | IMAP(s), POP3(s) and     | systemd unit ``dovecot.service`` |
+|                | sieve filter daemon      |                                  |
++----------------+--------------------------+----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| MariaDB        | MariaDB database         | systemd unit ``mariadb.service`` |
+|                | server for email         |                                  |
+|                | services                 |                                  |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for remote    | systemd unit ``ssh.service``     |
+|                | administration           |                                  |
++----------------+--------------------------+----------------------------------+
+| Postfix        | SMTP server for          | systemd unit ``postfix.service`` |
+|                | cacert.org               |                                  |
++----------------+--------------------------+----------------------------------+
+| Puppet agent   | configuration            | systemd unit ``puppet.service``  |
+|                | management agent         |                                  |
++----------------+--------------------------+----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service`` |
++----------------+--------------------------+----------------------------------+
 
 Databases
 ---------
@@ -205,15 +201,9 @@ Databases
 +=======+================+==================================+
 | MySQL | cacertusers    | database for dovecot and postfix |
 +-------+----------------+----------------------------------+
-| MySQL | postfixpolicyd | empty database                   |
-+-------+----------------+----------------------------------+
 | MySQL | roundcubemail  | roundcube on :doc:`webmail`      |
 +-------+----------------+----------------------------------+
 
-.. todo:: check whether the empty postfixpolicyd database is required
-
-.. todo:: consider moving the databases to a new central MySQL service
-
 Connected Systems
 -----------------
 
@@ -225,53 +215,48 @@ Connected Systems
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
-* :doc:`proxyout` as HTTP proxy for APT
+* DNS (53) resolver at 10.0.0.1 (:doc:`infra02`)
 * :doc:`issue` for OTRS mail
 * :doc:`lists` for mailing lists
+* :doc:`proxyout` as HTTP proxy for APT
+* :doc:`puppet` (tcp/8140) as Puppet master
 * arbitrary Internet SMTP servers for outgoing mail
 
 Security
 ========
 
 .. sshkeys::
-   :RSA: a1:d2:17:53:6b:0f:b6:a4:14:13:46:f7:04:ef:4a:23
-   :DSA: f4:eb:0a:36:40:1c:55:6b:75:a2:26:34:ea:18:7e:91
-
-.. warning::
-
-   The system is too old to support ECDSA or ED25519 keys.
+   :RSA:     SHA256:yLaPPrmoOQI5G3hoa0iFoxf6wPdLBJCnizLsu+6SHfE MD5:a1:d2:17:53:6b:0f:b6:a4:14:13:46:f7:04:ef:4a:23
+   :ECDSA:   SHA256:oRTeePwmvQ3G+iIG18BFGeyHUCPPID5EbUu7vE4k2hk MD5:16:95:af:c9:71:f4:d8:f7:91:7f:f7:2f:25:b3:f1:63
+   :ED25519: SHA256:1P4xZSBrppuvRkMlMThWF4mRhog3Xtiribz8RBFTUiE MD5:db:1e:68:3f:dd:b0:bb:68:c8:8b:cb:39:85:7d:f7:40
 
 Non-distribution packages and modifications
 -------------------------------------------
 
-Tlslite in :file:`/usr/local/lib/tlslite-0.3.8/` has been patched to handle
-GeneratorExit exceptions. The original tlslite 0.3.8 is stored in
-:file:`/usr/local/lib/tlslite-0.3.8-orig/`.
-
-Pysieved in :file:`/usr/local/lib/pysieved.neale/` seems to be a git clone from
-2009 originating from http://woozle.org/~neale/repos/pysieved at commit
-``d9b67036387a9a7aca954a17ff6fec44a8d309e0`` with no local modifications.
-
-:file:`/usr/local/lib/pysieved` is a symbolic link to
-:file:`/usr/local/lib/pysieved.neale/`.
-
-.. todo:: use pysieved, python-tlslite and dovecot-sieve from distribution
-   packages after OS upgrade
-
+* None
 
 Risk assessments on critical packages
 -------------------------------------
 
-The whole system is outdated, it needs to be replaced as soon as possible.
+Postfix and Dovecot have very good security reputation. The system is patched
+regularly.
+
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
 
 Critical Configuration items
 ============================
 
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
+.. todo: move Postfix, Dovecot, ssh and MariaDB configuration to Puppet
+
 Keys and X.509 certificates
 ---------------------------
 
-Server certificate for SMTP communication from the Internet and PHPMyAdmin.
+Server certificate for SMTP communication from the Internet.
 
 .. sslcert:: email.cacert.org
    :altnames:   DNS:email.cacert.org
@@ -291,57 +276,20 @@ Postfix and IMAP with STARTTLS, IMAPS, POP3 with STARTTLS, POP3S and pysieved)
    :serial:    1381F8
    :secondary:
 
-* :file:`/etc/postfix/dh_1024.pem` and :file:`/etc/postfix/dh_512.pem`
-  Diffie-Hellman parameter files for Postfix
-
 .. note::
 
    Postfix uses the email.cacert.org certificate for client authentication if
    requested by a target server.
 
-   .. todo::
-      check whether it makes sense to use a separate certificate for that
-      purpose
-
 .. seealso::
 
    * :wiki:`SystemAdministration/CertificateList`
 
 .. index::
-   pair: Apache httpd; configuration
-
-Apache httpd configuration
---------------------------
-
-:file:`/etc/apache2/sites-available/adminssl` configures a VirtualHost that
-allows dedicated users to access a PHPMyAdmin instance. The allowed users are
-authenticated by client certificates and are authorized by an entry in
-:file:`/etc/apache2/phpmyadmin.passwd`.
-
-.. note::
-
-   to authorize a user you need the subject distinguished name of the user's
-   client certificate which can be extracted with::
-
-      openssl x509 -noout -subject -in certificate.crt
-
-   A line with the subject distinguished name and the fake password
-   ``xxj31ZMTZzkVA`` separated by colon have to be added to
-   :file:`/etc/apache2/phpmyadmin.passwd`::
-
-      /CN=Example User/emailAddress=example@cacert.org:xxj31ZMTZzkVA
-
-.. seealso::
-
-   FakeBasicAuth option of the `SSLOptions
-   <https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions>`_
-   directive in the mod_ssl reference documentation.
+   pair: MariaDB; configuration
 
-.. index::
-   pair: MySQL; configuration
-
-MySQL configuration
--------------------
+MariaDB configuration
+---------------------
 
 MySQL configuration is stored in the :file:`/etc/mysql/` directory.
 
@@ -351,22 +299,6 @@ MySQL configuration is stored in the :file:`/etc/mysql/` directory.
 
 .. _nss:
 
-NSS configuration
------------------
-
-The libc name service switch is configured to use MySQL lookups for passwd,
-group and shadow via :file:`/etc/nsswitch.conf`. The queries are configured in
-:file:`/etc/libnss-mysql.cfg` and the root user for reading shadow information
-is configured in :file:`/etc/libnss-mysql-root.cfg`.
-
-.. index::
-   pair: PHPMyAdmin; configuration
-
-PHPMyAdmin configuration
-------------------------
-
-PHPMyAdmin configuration is stored in the :file:`/etc/phpmyadmin/` directory.
-
 .. index::
    pair: dovecot; configuration
 
@@ -375,22 +307,16 @@ Dovecot configuration
 
 Dovecot configuration is stored in the :file:`/etc/dovecot/` directory. The
 database settings are stored in
-:file:`dovecot-sql-masterpassword-webmail.conf`.
+:file:`dovecot-sql.conf.ext`.
 
 .. index::
    pair: dovecot; authentication
 
 .. topic:: Dovecot authentication
 
-   :file:`/etc/dovecot/dovecot.conf` refers to PAM mail. PAM mail is defined
-   :file:`/etc/pam.d/mail`. System users are defined by NSS which is a
-   combination of :file:`/etc/passwd` (for root and non-imap/pop users) and
-   :file:`/etc/libnss-mysql*` (see `nss`_).
-
    There is a special master password so that webmail can do the authentication
    for dovecot using certificates. This is defined in
-   :file:`/etc/dovecot/dovecot-sql-masterpassword-webmail.conf`. This special
-   password is restricted to the IP address of Community.
+   :file:`/etc/dovecot/dovecot-sql.conf.ext`.
 
 .. index::
    pair: Postfix; configuration
@@ -425,47 +351,10 @@ following files are special for this setup:
 
 .. todo:: consider to send all outgoing mail via :doc:`emailout`
 
-.. todo:: remove unused transports from :file:`master.cf`
-
-.. index::
-   pair: pysieved; configuration
-
-PySieved configuration
-----------------------
-
-:file:`/usr/local/etc/pysieved.ini` for regular manage sieve access and
-:file:`/usr/local/etc/pysieved-notls.ini` for use with Roundcube webmail.
-Pysieved uses dovecot for authentication.
-
-.. index::
-   pair: rsyslog; configuration
-
-Rsyslog configuration
----------------------
-
-Rsyslog is configured in :file:`/etc/rsyslog.conf` which includes files in
-:file:`/etc/rsyslog.d/`. Consumption of kernel log messages and network input
-is disabled. :file:`/etc/rsyslog.d/postfix.conf` configures a separate unix
-socket to receive log messages from postfix and
-:file:`/etc/rsyslog.d/remotelog.conf` contains commented settings for a
-non-existant remote syslog server.
-
-.. todo:: setup remote logging when a central logging container is available
-
-.. index::
-   pair: xinetd; configuration
-
-Xinetd configuration
---------------------
-
-Xinetd listens on tcp ports 2000 and 2001 and spawn pysieved. Configuration for
-these listeners is stored in :file:`/etc/xinetd.d/pysieved` and
-:file:`/etc/xinetd.d/pysieved-notls`.
-
 Email storage
 -------------
 
-Mail for :samp:`{user}` is stored in :samp:`/home/{user}/Maildir`.
+Mail for :samp:`{user}` is stored in :samp:`/home/mailboxes/{user}/Maildir`.
 
 .. todo::
    move mail storage to a separate data volume to allow easier backup and OS
@@ -530,12 +419,21 @@ There are two types of aliases.
    cacertusers database. The reason for this implementation is to only allow
    the designated person to send email from this email address.
 
+Client certificate authentication
+---------------------------------
+
+There were plans for X.509 certificate authentication for mail services, but
+there is no progress so far.
+
+Changes
+=======
+
 Planned
 -------
 
-.. todo:: implement CRL checking
+.. todo:: update to Debian 10 (when Puppet is available)
 
-.. todo:: setup IPv6
+.. todo:: implement CRL checking
 
 .. todo::
    throttle brute force attack attempts using fail2ban or similar mechanism
@@ -543,18 +441,10 @@ Planned
 .. todo::
    consider to use LDAP to consolidate user, password and email information
 
-* there were plans for X.509 certificate authentication for mail services, but
-  there is no progress so far
-
-Changes
-=======
-
 System Future
 -------------
 
-.. todo::
-   The system has to be replaced with a new system using a current operating
-   system version
+* No plans
 
 Additional documentation
 ========================
@@ -572,5 +462,5 @@ Postfix documentation
    http://www.postfix.org/documentation.html
 Postfix Debian wiki page
    https://wiki.debian.org/Postfix
-Dovecot 1.x wiki
-   http://wiki1.dovecot.org/FrontPage
+Dovecot 2.x wiki
+   http://wiki2.dovecot.org/FrontPage
index 8c611db..1472b47 100644 (file)
@@ -44,30 +44,50 @@ Logical Location
 :IP Internet: :ip:v4:`213.154.225.239`
 :IP Intranet: :ip:v4:`172.16.2.10` (outbound SNAT) and :ip:v4:`172.16.2.32`
 :IP Internal: :ip:v4:`10.0.0.32`
+:IPv6:        :ip:v6:`2001:7b8:616:162:2::239`
 :MAC address: :mac:`00:ff:12:01:65:02` (eth0)
 
 .. seealso::
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Emailout
+
+Monitoring
+----------
+
+:internal checks: :monitor:`emailout.infra.cacert.org`
+
 DNS
 ---
 
 .. index::
    single: DNS records; Emailout
 
-========================== ======== ====================================================================
-Name                       Type     Content
-========================== ======== ====================================================================
-emailout.cacert.org.       IN A     213.154.225.239
-emailout.cacert.org.       IN SSHFP 1 1 1ba1ab632911e8a68a69521130120695086d858c
-emailout.cacert.org.       IN SSHFP 1 2 6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055
-emailout.cacert.org.       IN SSHFP 2 1 0e8888352604dbd1cc4d201bc1e985d80b9cf752
-emailout.cacert.org.       IN SSHFP 2 2 a7402f014b47b805663c904dabbc9590db7d8d0f350cea6d9f63e12bc27bac0c
-emailout.cacert.org.       IN SSHFP 3 1 527004f2091d2cef2c28b5f8241fc0e76307b2ba
-emailout.cacert.org.       IN SSHFP 3 2 9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d
-emailout.intra.cacert.org. IN A     172.16.2.32
-========================== ======== ====================================================================
++----------------------------+----------+----------------------------------------------------------------------+
+| Name                       | Type     | Content                                                              |
++============================+==========+======================================================================+
+| emailout.cacert.org.       | IN A     | 213.154.225.239                                                      |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.cacert.org.       | IN AAAA  | 2001:7b8:616:162:2::239                                              |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.cacert.org.       | IN SSHFP | 1 1 1ba1ab632911e8a68a69521130120695086d858c                         |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.cacert.org.       | IN SSHFP | 1 2 6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055 |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.cacert.org.       | IN SSHFP | 3 1 527004f2091d2cef2c28b5f8241fc0e76307b2ba                         |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.cacert.org.       | IN SSHFP | 3 2 9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.cacert.org.       | IN SSHFP | 4 1 63f40df8536052d33d2d515eceb111ccb7983619                         |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.cacert.org.       | IN SSHFP | 4 2 4ceb488ad17ea7c8db161fdf3357e273d2ea1fe5be183794aacd7c4bfdfaa8a5 |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.intra.cacert.org. | IN A     | 172.16.2.32                                                          |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.infra.cacert.org. | IN A     | 10.0.0.32                                                            |
++----------------------------+----------+----------------------------------------------------------------------+
 
 .. seealso::
 
@@ -77,18 +97,18 @@ Operating System
 ----------------
 
 .. index::
-   single: Debian GNU/Linux; Stretch
-   single: Debian GNU/Linux; 9.4
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
 
-* Debian GNU/Linux 9.4
+* Debian GNU/Linux 10.0
 
 Applicable Documentation
 ------------------------
 
 The following packages where installed after the container setup::
 
-   apt-get install vim-nox screen aptitude git etckeeper postfix \
-     postfix-pcre opendkim opendkim-tools man-db rsyslog logrotate \
+   apt-get install vim-nox screen git etckeeper postfix postfix-pcre opendkim \
+     opendkim-tools man-db rsyslog logrotate \
      heirloom-mailx netcat-openbsd swaks
 
 Services
@@ -97,57 +117,54 @@ Services
 Listening services
 ------------------
 
-+----------+-----------+-----------+-----------------------------------------+
-| Port     | Service   | Origin    | Purpose                                 |
-+==========+===========+===========+=========================================+
-| 22/tcp   | ssh       | ANY       | admin console access                    |
-+----------+-----------+-----------+-----------------------------------------+
-| 25/tcp   | smtp      | intranet  | mail delivery from intranet MTAs        |
-+----------+-----------+-----------+-----------------------------------------+
-| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
-+----------+-----------+-----------+-----------------------------------------+
++----------+---------+----------+----------------------------------+
+| Port     | Service | Origin   | Purpose                          |
++==========+=========+==========+==================================+
+| 22/tcp   | ssh     | ANY      | admin console access             |
++----------+---------+----------+----------------------------------+
+| 25/tcp   | smtp    | intranet | mail delivery from intranet MTAs |
++----------+---------+----------+----------------------------------+
+| 5665/tcp | icinga2 | monitor  | remote monitoring service        |
++----------+---------+----------+----------------------------------+
 
 Running services
 ----------------
 
 .. index::
-   single: OpenDKIM
-   single: Postfix
    single: cron
-   single: nrpe
+   single: dbus
+   single: icinga2
+   single: opendkim
    single: openssh
+   single: postfix
    single: puppet agent
    single: rsyslog
 
-+--------------------+--------------------+----------------------------------------+
-| Service            | Usage              | Start mechanism                        |
-+====================+====================+========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
-|                    | remote             |                                        |
-|                    | administration     |                                        |
-+--------------------+--------------------+----------------------------------------+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
-+--------------------+--------------------+----------------------------------------+
-| rsyslog            | syslog daemon      | init script                            |
-|                    |                    | :file:`/etc/init.d/syslog`             |
-+--------------------+--------------------+----------------------------------------+
-| OpenDKIM           | DKIM signing       | init script                            |
-|                    | daemon             | :file:`/etc/init.d/opendkim`           |
-+--------------------+--------------------+----------------------------------------+
-| Postfix            | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/postfix`            |
-|                    | submission, and    |                                        |
-|                    | mail relay for     |                                        |
-|                    | infrastructure     |                                        |
-|                    | systems            |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                            |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`     |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Puppet agent       | configuration      | init script :file:`/etc/init.d/puppet` |
-|                    | management agent   |                                        |
-+--------------------+--------------------+----------------------------------------+
++----------------+--------------------------+-----------------------------------+
+| Service        | Usage                    | Start mechanism                   |
++================+==========================+===================================+
+| cron           | job scheduler            | systemd unit ``cron.service``     |
++----------------+--------------------------+-----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``     |
+|                | daemon                   |                                   |
++----------------+--------------------------+-----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service``  |
++----------------+--------------------------+-----------------------------------+
+| OpenDKIM       | DKIM signing daemon      | systemd unit ``opendkim.service`` |
++----------------+--------------------------+-----------------------------------+
+| openssh server | ssh daemon for remote    | systemd unit ``ssh.service``      |
+|                | administration           |                                   |
++----------------+--------------------------+-----------------------------------+
+| Postfix        | SMTP server for          | systemd unit ``postfix.service``  |
+|                | local mail submission,   |                                   |
+|                | and mail relay for       |                                   |
+|                | infrastructure systems   |                                   |
++----------------+--------------------------+-----------------------------------+
+| Puppet agent   | configuration            | systemd unit ``puppet.service``   |
+|                | management agent         |                                   |
++----------------+--------------------------+-----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service``  |
++----------------+--------------------------+-----------------------------------+
 
 Connected Systems
 -----------------
@@ -169,7 +186,6 @@ Security
 
 .. sshkeys::
    :RSA:     SHA256:blDVsgNABraet7oZ0/P9LEgBW+ors9XioPjPJf8DAFU MD5:56:09:89:92:af:3c:15:e4:a3:06:11:63:0e:be:b6:a2
-   :DSA:     SHA256:p0AvAUtHuAVmPJBNq7yVkNt9jQ81DOptn2PhK8J7rAw MD5:6c:8d:31:c4:92:de:f0:a8:95:eb:fe:20:83:91:ca:07
    :ECDSA:   SHA256:kJTc+IYFI6g1QuxMxG+8/tOW9VJbwgLP7PQtGnBEE20 MD5:cb:3c:69:c5:a1:90:c6:8e:55:40:83:6c:10:3f:09:b4
    :ED25519: SHA256:TOtIitF+p8jbFh/fM1fic9LqH+W+GDeUqs18S/36qKU MD5:04:ca:72:d0:21:0a:4a:8b:a5:f7:a2:2f:10:e5:3f:92
 
@@ -183,9 +199,16 @@ Risk assessments on critical packages
 
 Postfix has a very good security reputation. The system is patched regularly.
 
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
 Critical Configuration items
 ============================
 
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
 Keys and X.509 certificates
 ---------------------------
 
@@ -306,13 +329,13 @@ Internal networks have been defined in :file:`/etc/dkim/internalhosts` as::
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
-.. todo:: setup IPv6
-
-Changes
-=======
+.. todo:: upgrade to Debian 10 (when Puppet is available)
 
 System Future
 -------------
index 4b59901..2965b0d 100644 (file)
@@ -73,6 +73,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Git
+
+Monitoring
+----------
+
+:internal checks: :monitor:`git.infra.cacert.org`
+
 DNS
 ---
 
@@ -107,11 +115,6 @@ Operating System
 
 * Debian GNU/Linux 9.4
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
@@ -326,14 +329,14 @@ The runit service handling is triggered through :file:`/etc/inittab`.
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
 .. todo:: enable IPv6
 
-Changes
-=======
-
 System Future
 -------------
 
index d2c1597..9e2eeb0 100644 (file)
@@ -58,7 +58,7 @@ The machine has been sponsored by `Thomas Krenn`_ and has the following hardware
 parameters:
 
 :Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
-:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz
+:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz (4 Cores, 8 Threads)
 :RAM: 16 GiB ECC
 :Disks: 2 x 1TB WDC WD1003FBYX-01Y7B1
 :NIC:
@@ -66,7 +66,7 @@ parameters:
   * eth0 Intel Corporation 82579LM Gigabit Network Connection
   * eth1 Intel Corporation 82574L Gigabit Network Connection
 
-There is a 2 TB USB backup disk attached to the system.
+There is a 2 TB USB WDC WD20EARS-00MVWB0 backup disk attached to the system.
 
 .. seealso::
 
@@ -91,6 +91,73 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Infra02
+
+Monitoring
+----------
+
+:internal checks: :monitor:`infra02.infra.cacert.org`
+:external checks: :monitor:`infra02.cacert.org`
+
+Remote Console
+--------------
+
+This system can be managed through a remote console, which may especially be
+important during system upgrades and/or reboots.
+
+The hardware of the system is equipped with a BMC Controller which supports the
+Intelligent Platform Management Interface (IMPI).
+
+Due the security design of the CAcert intranet, the network interface of this BMC
+is not connected to the publicly reachable part of the CAcert intranet,
+but rather to the management part, and is thus only reachable by members of the
+critical system administrator team.
+
+So the following instructions only apply to them.
+
+The BMC interface can be reached from your local admin machine through the
+CAcert hopper by setting up the following SSH port forwarding:
+
+.. code:: bash
+
+   IPMIHOST=infra02ilo.intra.cacert.org
+   LOCALPORT=8082
+   HTTPSPORT=443
+   IKVMPORT=5900
+   ssh -f -N -L ${LOCALPORT}:${IPMIHOST}:${HTTPSPORT} \
+                           -L ${IKVMPORT}:${IPMIHOST}:${IKVMPORT} hopper
+
+and then browsing to the web UI:
+
+.. code:: bash
+
+   firefox https://127.0.0.1:${LOCALPORT}/
+
+To use the remote console facility, first install Oracle Java JRE 8.0_211 on
+your admin machine. Then download the launch.jnlp script offered by the web UI
+and save it in $HOME. Then use this script "console" to execute it:
+
+.. code:: bash
+
+   #! /bin/bash
+   # console - run remote console for CAcert infra02 with Oracle Java environment
+
+   export JAVADIR=/opt/java/jre1.8.0_211/bin
+   export JAVA=${JAVADIR}/java
+   export JAVAWS=${JAVADIR}/javaws
+
+   LAUNCH=${HOME}/launch.jnlp
+
+   if [ -f ${LAUNCH} ]
+   then
+         echo "Do not forget to use setupcon if the console keyboard mapping is lame" 1>&2
+         sed -i -e 's/443/8082/' ${LAUNCH}
+         exec ${JAVAWS} ${LAUNCH}
+   else
+         echo $0: cannot read ${LAUNCH} 1>&2
+   fi
+
 DNS
 ---
 
@@ -118,15 +185,10 @@ Operating System
 ----------------
 
 .. index::
-   single: Debian GNU/Linux; Wheezy
-   single: Debian GNU/Linux; 7.11
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
 
-* Debian GNU/Linux 7.11
-
-Applicable Documentation
-------------------------
-
-This is it :-)
+* Debian GNU/Linux 10.0
 
 Services
 ========
@@ -134,59 +196,89 @@ Services
 Listening services
 ------------------
 
-+----------+-----------+-----------+-----------------------------------------+
-| Port     | Service   | Origin    | Purpose                                 |
-+==========+===========+===========+=========================================+
-| 22/tcp   | ssh       | ANY       | admin console access                    |
-+----------+-----------+-----------+-----------------------------------------+
-| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
-+----------+-----------+-----------+-----------------------------------------+
-| 53/tcp   | dns       | internal  | DNS resolver for infra.cacert.org       |
-| 53/udp   |           |           |                                         |
-+----------+-----------+-----------+-----------------------------------------+
-| 123/udp  | ntp       | ANY       | network time protocol for host,         |
-|          |           |           | listening on the Internet IPv6 and IPv4 |
-|          |           |           | addresses                               |
-+----------+-----------+-----------+-----------------------------------------+
-| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
-+----------+-----------+-----------+-----------------------------------------+
++----------+---------+----------+-----------------------------------------+
+| Port     | Service | Origin   | Purpose                                 |
++==========+=========+==========+=========================================+
+| 22/tcp   | ssh     | ANY      | admin console access                    |
++----------+---------+----------+-----------------------------------------+
+| 25/tcp   | smtp    | local    | mail delivery to local MTA              |
++----------+---------+----------+-----------------------------------------+
+| 53/tcp   | dns     | internal | DNS resolver for infra.cacert.org       |
+| 53/udp   |         |          |                                         |
++----------+---------+----------+-----------------------------------------+
+| 123/udp  | ntp     | ANY      | network time protocol for host,         |
+|          |         |          | listening on the Internet IPv6 and IPv4 |
+|          |         |          | addresses                               |
++----------+---------+----------+-----------------------------------------+
+| 5666/tcp | nrpe    | monitor  | remote monitoring service               |
++----------+---------+----------+-----------------------------------------+
 
 Running services
 ----------------
 
 .. index::
-   single: openssh
+   single: acpid
+   single: atop
+   single: atopacctd
    single: cron
+   single: dbus
    single: dnsmasq
-   single: rsyslog
-   single: ntpd
-   single: Postfix
+   single: lxc
+   single: mdadm
    single: nrpe
-
-+--------------------+--------------------+-----------------------------------------+
-| Service            | Usage              | Start mechanism                         |
-+====================+====================+=========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`     |
-|                    | remote             |                                         |
-|                    | administration     |                                         |
-+--------------------+--------------------+-----------------------------------------+
-| dnsmasq            | DNS resolver       | init script :file:`/etc/init.d/dnsmasq` |
-+--------------------+--------------------+-----------------------------------------+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`    |
-+--------------------+--------------------+-----------------------------------------+
-| rsyslog            | syslog daemon      | init script                             |
-|                    |                    | :file:`/etc/init.d/syslog`              |
-+--------------------+--------------------+-----------------------------------------+
-| ntpd               | time server        | init script :file:`/etc/init.d/ntp`     |
-+--------------------+--------------------+-----------------------------------------+
-| Postfix            | SMTP server for    | init script                             |
-|                    | local mail         | :file:`/etc/init.d/postfix`             |
-|                    | submission, ...    |                                         |
-+--------------------+--------------------+-----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                             |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server`  |
-|                    | :doc:`monitor`     |                                         |
-+--------------------+--------------------+-----------------------------------------+
+   single: ntpd
+   single: openssh
+   single: postfix
+   single: radvd
+   single: rsyslog
+   single: smartd
+
++--------------------+----------------------+---------------------------------------------+
+| Service            | Usage                | Start mechanism                             |
++====================+======================+=============================================+
+| acpid              | ACPI daemon          | systemd unit ``acpid.service``              |
++--------------------+----------------------+---------------------------------------------+
+| atop               | Advanced system      | systemd unit ``atop.service``               |
+|                    | and process monitor  |                                             |
++--------------------+----------------------+---------------------------------------------+
+| atopacctd          | Advanced system      | systemd unit ``atopacct.service``           |
+|                    | and process monitor  |                                             |
+|                    | accounting daemon    |                                             |
++--------------------+----------------------+---------------------------------------------+
+| cron               | job scheduler        | systemd unit ``cron.service``               |
++--------------------+----------------------+---------------------------------------------+
+| dbus-daemon        | System message bus   | systemd unit ``dbus.service``               |
+|                    | daemon               |                                             |
++--------------------+----------------------+---------------------------------------------+
+| dnsmasq            | DNS resolver         | systemd unit ``dnsmasq.service``            |
++--------------------+----------------------+---------------------------------------------+
+| LXC                | Service for LXC      | systemd unit ``lxc.service``                |
+|                    | container management |                                             |
++--------------------+----------------------+---------------------------------------------+
+| mdadm              | RAID monitoring      | systemd unit ``mdmonitor.service``          |
++--------------------+----------------------+---------------------------------------------+
+| Nagios NRPE server | remote monitoring    | systemd unit ``nagios-nrpe-server.service`` |
+|                    | service queried by   |                                             |
+|                    | :doc:`monitor`       |                                             |
++--------------------+----------------------+---------------------------------------------+
+| ntpd               | time server          | systemd unit ``ntp.service``                |
++--------------------+----------------------+---------------------------------------------+
+| openssh server     | ssh daemon for       | systemd unit ``ssh.service``                |
+|                    | remote               |                                             |
+|                    | administration       |                                             |
++--------------------+----------------------+---------------------------------------------+
+| postfix            | SMTP server for      | systemd unit ``postfix.service``            |
+|                    | local mail           |                                             |
+|                    | submission, ...      |                                             |
++--------------------+----------------------+---------------------------------------------+
+| radvd              | IPv6 route           | systemd unit ``radvd.service``              |
+|                    | advertisement        |                                             |
++--------------------+----------------------+---------------------------------------------+
+| rsyslog            | syslog daemon        | systemd unit ``rsyslog.service``            |
++--------------------+----------------------+---------------------------------------------+
+| smartd             | S.M.A.R.T. HDD       | systemd unit ``smartd.service``             |
+|                    | monitoring           |                                             |
++--------------------+----------------------+---------------------------------------------+
 
 .. Running Guests
    --------------
@@ -212,10 +304,10 @@ Security
 ========
 
 .. sshkeys::
-   :RSA:     86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c
-   :DSA:     b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5
-   :ECDSA:   79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0
-   :ED25519: 25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4
+   :RSA:     SHA256:Y7DXSj8c5hhlpesEl+8FJDvEBn7Jg8aauOYvPLlAzII MD5:86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c
+   :DSA:     SHA256:OgGI/EfR/dFNcKL7ePUXktBroR6uarFuc8t7uN1qDcg MD5:b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5
+   :ECDSA:   SHA256:OufwA1whcpd+mb/jEseoKZZQ3qFql16hPuzo/aQmBio MD5:79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0
+   :ED25519: SHA256:eXWoP7L/A25p/YW3vmj+4NFy2lEEVcRaLnNhcelBar8 MD5:25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4
 
 Dedictated user roles
 ---------------------
@@ -230,39 +322,14 @@ Non-distribution packages and modifications
 Risk assessments and critical packages
 --------------------------------------
 
-The system is the basis for all other infrastructure systems. Access to this
-system has to be tightly controlled.
-
-Tasks
-=====
-
-.. todo:: find out why the system logs are messed up
-.. todo:: upgrade to Debian Stretch
-.. todo:: document whether it is safe to reboot this system
-.. todo:: document how to setup a new container
-.. todo:: document how to setup firewall rules/forwarding
-.. todo:: document how the backup system works
-.. todo:: add DNS setup for IPv6 address
-.. todo:: switch to Puppet management
-
-Planned
--------
-
-* None
-
-Changes
-=======
-
-System Future
--------------
-
-* No plans
+The system is the host system for all other infrastructure systems. Access to
+this system has to be tightly controlled.
 
 Critical Configuration items
 ============================
 
 .. index::
-   pair: Ferm; configuration
+   pair: dnsmasq; configuration
 
 Dnsmasq configuration
 ---------------------
@@ -271,6 +338,9 @@ Dnsmasq serves the local DNS zone infra.cacert.org to the `br0` interface. It
 is configured by :file:`/etc/dnsmasq.d/00infra` and uses :file:`/etc/hosts` as
 source for IP addresses.
 
+.. index::
+   pair: Ferm; configuration
+
 Ferm firewall configuration
 ---------------------------
 
@@ -289,6 +359,50 @@ The container configuration is contained in files named
 The root filesystems of the containers are stored on :term:`LVM` volumes that
 are mounted in :file:`/var/lib/lxc/<container>/rootfs` for each container.
 
+Tasks
+=====
+
+.. todo:: document how to setup a new container
+.. todo:: document how to setup firewall rules/forwarding
+.. todo:: document how the backup system works
+
+Reboot
+------
+
+The system can be rebooted safely since the Debian Buster installation on
+2019-07-13:
+
+.. code-block:: bash
+
+   systemctl reboot
+
+Restarting the firewall
+-----------------------
+
+To restart the firewall setup perform a configuration syntax check and use
+systemctl to reload ferm's configuration.
+
+.. code-block:: bash
+
+   ferm -n /etc/ferm/ferm.conf
+   systemctl reload ferm.service
+
+Changes
+=======
+
+Planned
+-------
+
+.. todo:: add DNS setup for IPv6 address
+.. todo:: switch to Puppet management
+.. todo:: replace nrpe with icinga2 agent
+.. todo:: replace ferm with nftables setup
+
+System Future
+-------------
+
+* No plans
+
 Additional documentation
 ========================
 
index 73bc66d..d9ff921 100644 (file)
@@ -69,6 +69,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Ircserver
+
+Monitoring
+----------
+
+:internal checks: :monitor:`ircserver.infra.cacert.org`
+
 DNS
 ---
 
@@ -105,11 +113,6 @@ Operating System
 
 * Debian GNU/Linux 9.4
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
index 111c685..7f7ca9d 100644 (file)
@@ -74,6 +74,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Issue
+
+Monitoring
+----------
+
+:internal checks: :monitor:`issue.infra.cacert.org`
+
 DNS
 ---
 
@@ -104,11 +112,6 @@ Operating System
 
 .. todo:: upgrade to Debian Jessie
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
@@ -303,6 +306,38 @@ Postfix configuration
 Tasks
 =====
 
+Creating new OTRS user accounts
+-------------------------------
+
+* Go to Admin -> Users -> Add
+* Fill out user details
+
+  * Use a securely random generated password (min. 12 chars, mixed of capital-
+    non-capital letters, numbers and special chars), send it to the user via
+    encrypted mail (also include URL of the issue tracking system, username and
+    some initial instructions or a link to documentation if available)
+  * Use CAcert email addresses only
+
+* Set the preferences for the user. Good standards are:
+
+  * Show tickets: 25
+  * New ticket notification: Yes (or No for high volume queues having agents regulary looking at
+  * Follow up notification: Yes
+  * Ticket lock timeout notification: Yes
+  * Move notification: Yes (or No if the queues for the user get many new tickets)
+  * Spelling Dictionary: English 
+
+* Submit
+* Do NOT set any groups for the user.
+* Go to Admin -> Users -> Roles <-> Users
+* Choose the newly created user
+* Set the roles the user has
+* Submit
+* Now you are done :) 
+
+Changes
+=======
+
 Planned
 -------
 
@@ -334,10 +369,6 @@ Ideas
 
 * Use centralised logging
 
-
-Changes
-=======
-
 System Future
 -------------
 
@@ -346,36 +377,6 @@ System Future
 Additional documentation
 ========================
 
-Creating new OTRS user accounts
--------------------------------
-
-* Go to Admin -> Users -> Add
-* Fill out user details
-
-  * Use a securely random generated password (min. 12 chars, mixed of capital-
-    non-capital letters, numbers and special chars), send it to the user via
-    encrypted mail (also include URL of the issue tracking system, username and
-    some initial instructions or a link to documentation if available)
-  * Use CAcert email addresses only
-
-* Set the preferences for the user. Good standards are:
-
-  * Show tickets: 25
-  * New ticket notification: Yes (or No for high volume queues having agents regulary looking at
-  * Follow up notification: Yes
-  * Ticket lock timeout notification: Yes
-  * Move notification: Yes (or No if the queues for the user get many new tickets)
-  * Spelling Dictionary: English 
-
-* Submit
-* Do NOT set any groups for the user.
-* Go to Admin -> Users -> Roles <-> Users
-* Choose the newly created user
-* Set the roles the user has
-* Submit
-* Now you are done :) 
-
-
 .. seealso::
 
    * :wiki:`PostfixConfiguration`
index ccbc23d..0c457f1 100644 (file)
@@ -68,6 +68,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Jenkins
+
+Monitoring
+----------
+
+:internal checks: :monitor:`jenkins.infra.cacert.org`
+
 DNS
 ---
 
@@ -95,15 +103,10 @@ Operating System
 ----------------
 
 .. index::
-   single: Debian GNU/Linux; Stretch
-   single: Debian GNU/Linux; 9.4
-
-* Debian GNU/Linux 9.4
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
 
-Applicable Documentation
-------------------------
-
-This is it :-)
+* Debian GNU/Linux 10.0
 
 Services
 ========
@@ -122,7 +125,7 @@ Listening services
 +----------+---------+----------+----------------------------+
 | 2022/tcp | Jenkins | internal | Jenkins ssh port           |
 +----------+---------+----------+----------------------------+
-| 5666/tcp | nrpe    | monitor  | remote monitoring service  |
+| 5665/tcp | icinga2 | monitor  | remote monitoring service  |
 +----------+---------+----------+----------------------------+
 | 8080/tcp | Jenkins | internal | Jenkins web interface      |
 +----------+---------+----------+----------------------------+
@@ -132,38 +135,37 @@ Running services
 
 .. index::
    single: cron
+   single: dbus
    single: exim
+   single: icinga2
    single: jenkins
-   single: nrpe
    single: openssh
    single: puppet agent
    single: rsyslog
 
-+--------------------+--------------------+-----------------------------------------+
-| Service            | Usage              | Start mechanism                         |
-+====================+====================+=========================================+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`    |
-+--------------------+--------------------+-----------------------------------------+
-| Exim               | SMTP server for    | init script                             |
-|                    | local mail         | :file:`/etc/init.d/exim4`               |
-|                    | submission         |                                         |
-+--------------------+--------------------+-----------------------------------------+
-| Jenkins            | Jenkins CI server  | init script :file:`/etc/init.d/jenkins` |
-+--------------------+--------------------+-----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                             |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server`  |
-|                    | :doc:`monitor`     |                                         |
-+--------------------+--------------------+-----------------------------------------+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`     |
-|                    | remote             |                                         |
-|                    | administration     |                                         |
-+--------------------+--------------------+-----------------------------------------+
-| Puppet agent       | configuration      | init script                             |
-|                    | management agent   | :file:`/etc/init.d/puppet`              |
-+--------------------+--------------------+-----------------------------------------+
-| rsyslog            | syslog daemon      | init script                             |
-|                    |                    | :file:`/etc/init.d/syslog`              |
-+--------------------+--------------------+-----------------------------------------+
++----------------+--------------------------+----------------------------------+
+| Service        | Usage                    | Start mechanism                  |
++================+==========================+==================================+
+| cron           | job scheduler            | systemd unit ``cron.service``    |
++----------------+--------------------------+----------------------------------+
+| Exim           | SMTP server for local    | systemd unit ``exim4.service``   |
+|                | mail submission          |                                  |
++----------------+--------------------------+----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``    |
+|                | daemon                   |                                  |
++----------------+--------------------------+----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| Jenkins        | Jenkins CI server        | systemd unit ``jenkins.service`` |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for           | systemd unit ``ssh.service``     |
+|                | remote administration    |                                  |
++----------------+--------------------------+----------------------------------+
+| Puppet agent   | configuration            | systemd unit ``puppet.service``  |
+|                | management agent         |                                  |
++----------------+--------------------------+----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service`` |
++----------------+--------------------------+----------------------------------+
 
 Connected Systems
 -----------------
@@ -234,11 +236,19 @@ management web interface with role based access control.
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
 * build more of CAcert's software on the Jenkins instance
 
+System Future
+-------------
+
+* No plans
+
 Additional documentation
 ========================
 
index 02e4be1..1adfe36 100644 (file)
@@ -375,16 +375,15 @@ Adding a list
 
 5. add subscribers/ other owners
 
+Changes
+=======
+
 Planned
 -------
 
 .. todo:: upgrade the lists system OS to Debian 9 (Stretch)
-
 .. todo:: manage the lists system using Puppet
 
-Changes
-=======
-
 System Future
 -------------
 
index 20b89a2..72439bb 100644 (file)
@@ -83,6 +83,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Monitor
+
+Monitoring
+----------
+
+:internal checks: :monitor:`monitor.infra.cacert.org`
+
 DNS
 ---
 
@@ -311,14 +319,12 @@ configurations are defined in the :file:`objects/` subdirectory.
 Tasks
 =====
 
-Planned
--------
-
-.. todo:: switch to Icinga2 and Icingaweb2
-
 Changes
 =======
 
+Planned
+-------
+
 System Future
 -------------
 
diff --git a/docs/systems/motion.rst b/docs/systems/motion.rst
new file mode 100644 (file)
index 0000000..c6a0cc4
--- /dev/null
@@ -0,0 +1,345 @@
+.. index::
+   single: Systems; Motion
+
+======
+Motion
+======
+
+Purpose
+=======
+
+This system provides the CAcert board motion system. The system replaced the
+board voting system that had been provided on :doc:`webmail` at
+https://community.cacert.org/board/.
+
+Application Links
+-----------------
+
+   Board motion system
+     https://motion.cacert.org/
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+Application Administration
+--------------------------
+
++---------------------+---------------------+
+| Application         | Administrator(s)    |
++=====================+=====================+
+| board motion system | :ref:`people_jandd` |
++---------------------+---------------------+
+
+Contact
+-------
+
+* motion-admin@cacert.org
+
+Additional People
+-----------------
+
+No other people have :program:`sudo` access on that machine.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: None
+:IP Intranet: None
+:IP Internal: :ip:v4:`10.0.0.117`
+:IPv6:        :ip:v6:`2001:7b8:616:162:2::117`
+:MAC address: :mac:`00:ff:cc:ce:0d:24` (eth0)
+
+.. seealso::
+
+   See :doc:`../network`
+
+.. index::
+   single: Monitoring; Motion
+
+Monitoring
+----------
+
+:internal checks: :monitor:`motion.infra.cacert.org`
+:external checks: :monitor:`motion.cacert.org`
+
+DNS
+---
+
+.. index::
+   single: DNS records; Motion
+
+======================== ======== ====================================================================
+Name                     Type     Content
+======================== ======== ====================================================================
+motion.cacert.org.       IN A     213.154.225.241
+motion.cacert.org.       IN AAAA  2001:7b8:616:162:2::241
+motion.cacert.org.       IN SSHFP 1 1 f018202c72749af5f48d45d5d536422f9c364fbb
+motion.cacert.org.       IN SSHFP 1 2 0d17bbfe2efa97edbb13ffe3e6bfd3b4b9be5117f3c831a2f1a55b6c50e92fd4
+motion.cacert.org.       IN SSHFP 2 1 ee6f2e346a5d5164100721f99765a4d3d08c6dce
+motion.cacert.org.       IN SSHFP 2 2 53dedfd2c566011db80311528eba15fd000b0a5092ab1fc8104ca5804490cd18
+motion.cacert.org.       IN SSHFP 3 1 6d4a9ec30f30aa0634b8879cded8ce884498e290
+motion.cacert.org.       IN SSHFP 3 2 325ee301da21844adb8f12c0011b8d73709be8b2b9f375829224ac79c8fdfa6e
+motion.cacert.org.       IN SSHFP 4 1 78e1edee04907de6b56d9c0d4900178f9426c02d
+motion.cacert.org.       IN SSHFP 4 2 ca108fc298cb08406fe02454d9245ee1cf26c7241691da9a5b6bc69c56afd5c1
+motion.infra.cacert.org. IN A     10.0.0.117
+======================== ======== ====================================================================
+
+.. seealso::
+
+   See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
+
+* Debian GNU/Linux 10.0
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+----------------------------+
+| Port     | Service | Origin  | Purpose                    |
++==========+=========+=========+============================+
+| 22/tcp   | ssh     | ANY     | admin console access       |
++----------+---------+---------+----------------------------+
+| 25/tcp   | smtp    | local   | mail delivery to local MTA |
++----------+---------+---------+----------------------------+
+| 8443/tcp | https   | ANY     | board motion application   |
++----------+---------+---------+----------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service  |
++----------+---------+---------+----------------------------+
+
+The board motion system is reachable via :doc:`proxyin`. SSH is forwarded from
+port 11722 on the public IP addresses.
+
+Running services
+----------------
+
+.. index::
+   single: cacert-boardvoting
+   single: cron
+   single: dbus
+   single: exim4
+   single: icinga2
+   single: openssh
+   single: puppet
+   single: rsyslog
+
++--------------------+--------------------------+---------------------------------------------+
+| Service            | Usage                    | Start mechanism                             |
++====================+==========================+=============================================+
+| cacert-boardvoting | application              | systemd unit ``cacert-boardvoting.service`` |
++--------------------+--------------------------+---------------------------------------------+
+| cron               | job scheduler            | systemd unit ``cron.service``               |
++--------------------+--------------------------+---------------------------------------------+
+| dbus-daemon        | System message bus       | systemd unit ``dbus.service``               |
+|                    | daemon                   |                                             |
++--------------------+--------------------------+---------------------------------------------+
+| Exim               | SMTP server for          | systemd unit ``exim4.service``              |
+|                    | local mail               |                                             |
+|                    | submission               |                                             |
++--------------------+--------------------------+---------------------------------------------+
+| icinga2            | Icinga2 monitoring agent | systemd unit ``icinga2.service``            |
++--------------------+--------------------------+---------------------------------------------+
+| openssh server     | ssh daemon for           | systemd unit ``ssh.service``                |
+|                    | remote                   |                                             |
+|                    | administration           |                                             |
++--------------------+--------------------------+---------------------------------------------+
+| Puppet agent       | configuration            | systemd unit ``puppet.service``             |
+|                    | management agent         |                                             |
++--------------------+--------------------------+---------------------------------------------+
+| rsyslog            | syslog daemon            | systemd unit ``rsyslog.service``            |
++--------------------+--------------------------+---------------------------------------------+
+
+Databases
+---------
+
++--------+------------------------------------------------------+--------------------+
+| RDBMS  | Name                                                 | Used for           |
++========+======================================================+====================+
+| SQLite | :file:`/srv/cacert-boardvoting/data/database.sqlite` | cacert-boardvoting |
++--------+------------------------------------------------------+--------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`proxyin` for incoming application traffic
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolver at 10.0.0.1 (:doc:`infra02`)
+* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
+* :doc:`proxyout` as HTTP proxy for APT and Puppet
+
+Security
+========
+
+.. sshkeys::
+   :RSA:     SHA256:DRe7/i76l+27E//j5r/TtLm+URfzyDGi8aVbbFDpL9Q MD5:8a:a8:61:d2:07:79:27:6a:37:f8:30:2a:36:aa:d9:4f
+   :DSA:     SHA256:U97f0sVmAR24AxFSjroV/QALClCSqx/IEEylgESQzRg MD5:ec:76:0a:d5:5e:ff:29:1e:f4:b4:78:5f:5e:0f:2a:af
+   :ECDSA:   SHA256:Ml7jAdohhErbjxLAARuNc3Cb6LK583WCkiSsecj9+m4 MD5:3f:38:14:95:9e:fb:10:79:c5:72:d6:c6:79:a8:84:cf
+   :ED25519: SHA256:yhCPwpjLCEBv4CRU2SRe4c8mxyQWkdqaW2vGnFav1cE MD5:c5:40:79:42:09:9d:5e:47:45:d6:ab:e9:58:af:eb:26
+
+Dedicated user roles
+--------------------
+
+* None
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* Board motion system
+
+  The system runs the board motion system developed in the
+  :cacertgit:`cacert-boardvoting`.
+
+  The software is installed from a Debian package that is hosted on
+  :doc:`webstatic`.
+
+  The sofware is built on :doc:`jenkins` via the `cacert-boardvoting Job`_ when
+  there are changes in Git. The Debian package can be built using
+  :program:`gbp`.
+
+  The software is installed and configured via Puppet.
+
+  .. _cacert-boardvoting Job: https://jenkins.cacert.org/job/cacert-boardvoting/
+  .. todo:: describe more in-depth how to build the Debian package
+
+Risk assessments on critical packages
+-------------------------------------
+
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
+The system is stripped down to the bare minimum. The CAcert board voting system
+software is developed using `Go <https://golang.org/>`_ which handles a lot of
+common programming errors at compile time and has a quite good security track
+record.
+
+The board motion tool is run as a separate system user ``cacert-boardvoting``
+and is built as a small self-contained static binary. Access is restricted via
+https.
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: motion.cacert.org
+   :altnames:   DNS:motion.cacert.org
+   :certfile:   /srv/cacert-boardvoting/data/server.crt
+   :keyfile:    /srv/cacert-boardvoting/data/server.key
+   :serial:     02D8A3
+   :expiration: Aug 01 18:06:22 2021 GMT
+   :sha1fp:     90:B8:A7:CE:ED:56:94:D0:58:7B:65:94:FF:D5:5A:43:08:2C:2A:62
+   :issuer:     CAcert Class 3 Root
+
+* :file:`/srv/cacert-boardvoting/data/cacert_class3.pem` CAcert class 3 CA
+  certificate (allowed CA certificate for client certificates)
+
+.. seealso::
+
+   * :wiki:`SystemAdministration/CertificateList`
+
+cacert-boardvoting configuration
+--------------------------------
+
+:program:`cacert-boardvoting` is configured via Puppet profile
+``profiles::cacert-boardvoting``.
+
+Tasks
+=====
+
+Add/Remove voters
+-----------------
+
+An :term:`Application Administrator` can add and remove voters from the CAcert
+board voting system using the :program:`sqlite3` program:
+
+.. code-block:: bash
+
+   cd /srv/cacert-boardvoting/data
+   # open database
+   sqlite3 database.sqlite
+
+.. code-block:: sql
+
+   -- find existing voters
+   select * from voters where enabled=1;
+
+   -- disable voters that should not be able to vote using Ids from the result
+   -- of the previous query
+   update voters set enabled=0 where id in (1, 2, 3);
+
+   -- find existing accounts of voter John Doe and Jane Smith
+   select * from voters where name like 'John%' or name like 'Jane%';
+
+   -- John has an account with id 4, Jane is not in the system
+   -- enable John
+   update voters set enabled=1 where id=4;
+
+   -- insert Jane
+   insert into voters (name, enabled, reminder) values ('Jane Doe', 1,
+     'jane.doe@cacert.org');
+
+   -- find voter id for Jane
+   select id from voters where name='Jane Doe';
+
+   -- Jane has id 42
+   -- insert email address mapping for Jane (used for authentication)
+   insert into emails (voter, address) values (42, 'jane.doe@cacert.org');
+
+Changes
+=======
+
+Planned
+-------
+
+.. todo:: implement user administration inside the application
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+   * :wiki:`Exim4Configuration`
+
+References
+----------
+
+* https://git.cacert.org/gitweb/?p=cacert-boardvoting.git;a=blob_plain;f=README.md;hb=HEAD
diff --git a/docs/systems/proxyin.rst b/docs/systems/proxyin.rst
new file mode 100644 (file)
index 0000000..3ce8cad
--- /dev/null
@@ -0,0 +1,282 @@
+.. index::
+   single: Systems; Proxyin
+
+=======
+Proxyin
+=======
+
+Purpose
+=======
+
+This system provides an incoming TLS proxy using `sniproxy`_ to share one
+public IPv4 address between multiple services.
+
+.. _sniproxy: https://github.com/dlundquist/sniproxy
+
+Application Links
+-----------------
+
+No direct links, applications run on other systems.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+Application Administration
+--------------------------
+
++-------------+---------------------+
+| Application | Administrator(s)    |
++=============+=====================+
+| sniproxy    | :ref:`people_jandd` |
++-------------+---------------------+
+
+Contact
+-------
+
+* proxyin-admin@cacert.org
+
+Additional People
+-----------------
+
+No other people have :program:`sudo` access on that machine.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.241`
+:IP Intranet: :ip:v4:`172.16.2.241`
+:IP Internal: :ip:v4:`10.0.0.35`
+:IPv6:        :ip:v6:`2001:7b8:616:162:2::35`
+:MAC address: :mac:`00:16:3e:3c:c8:a6` (eth0)
+
+.. seealso::
+
+   See :doc:`../network`
+
+.. index::
+   single: Monitoring; Proxyin
+
+Monitoring
+----------
+
+:internal checks: :monitor:`proxyin.infra.cacert.org`
+:external checks: :monitor:`proxyin.cacert.org`
+
+DNS
+---
+
+.. index::
+   single: DNS records; Proxyin
+
+========================= ======== =====================================================================
+Name                      Type     Content
+========================= ======== =====================================================================
+proxyin.cacert.org.       IN A     213.154.225.241
+proxyin.cacert.org.       IN AAAA  2001:7b8:616:162:2::35
+proxyin.cacert.org.       IN SSHFP 1 1 c7c559bc06d236b4128e6d720a573d805a27727a
+proxyin.cacert.org.       IN SSHFP 1 2 affa8cc26dffa7f0803db2d027ab23f013aeabfb3b2d1b1a16659e38dba14528
+proxyin.cacert.org.       IN SSHFP 2 1 19bb944a917067131f02be4e9a709ade68c260f8
+proxyin.cacert.org.       IN SSHFP 2 2 b9b5860f3427ea9c3460c62a880527a41470c77000e5083ffffb7defa0d42e4e
+proxyin.cacert.org.       IN SSHFP 3 1 b9581a544ca96fe071341acb450a2cf74b1b7c9f
+proxyin.cacert.org.       IN SSHFP 3 2 be3dd21fde37042659a25143cb5171b39d22ea2c846745af9c098003a9004185
+proxyin.cacert.org.       IN SSHFP 4 1 9b4ba8c78b6585abaf2b46bce78a6f366f1e9bac
+proxyin.cacert.org.       IN SSHFP 4 2 59125e8706a208fa8eed2b5994ec60f7ba8e31b1c26d90ce909d78a0027359ef
+proxyin.intra.cacert.org. IN A     172.16.2.241
+proxyin.infra.cacert.org. IN A     10.0.0.35
+========================= ======== =====================================================================
+
+.. seealso::
+
+   See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
+
+* Debian GNU/Linux 10.0
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+----------------------------+
+| Port     | Service | Origin  | Purpose                    |
++==========+=========+=========+============================+
+| 22/tcp   | ssh     | ANY     | admin console access       |
++----------+---------+---------+----------------------------+
+| 25/tcp   | smtp    | local   | mail delivery to local MTA |
++----------+---------+---------+----------------------------+
+| 80/tcp   | http    | ANY     | sniproxy                   |
++----------+---------+---------+----------------------------+
+| 443/tcp  | https   | ANY     | sniproxy                   |
++----------+---------+---------+----------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service  |
++----------+---------+---------+----------------------------+
+| 8080/tcp | http    | local   | nginx                      |
++----------+---------+---------+----------------------------+
+
+Running services
+----------------
+
+.. index::
+   single: cron
+   single: dbus
+   single: exim4
+   single: icinga2
+   single: nginx
+   single: openssh
+   single: puppet
+   single: rsyslog
+   single: sniproxy
+
++----------------+--------------------------+-----------------------------------+
+| Service        | Usage                    | Start mechanism                   |
++================+==========================+===================================+
+| cron           | job scheduler            | systemd unit ``cron.service``     |
++----------------+--------------------------+-----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``     |
+|                | daemon                   |                                   |
++----------------+--------------------------+-----------------------------------+
+| Exim           | SMTP server for          | systemd unit ``exim4.service``    |
+|                | local mail submission    |                                   |
++----------------+--------------------------+-----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service``  |
++----------------+--------------------------+-----------------------------------+
+| openssh server | ssh daemon for           | systemd unit ``ssh.service``      |
+|                | remote administration    |                                   |
++----------------+--------------------------+-----------------------------------+
+| Puppet agent   | configuration            | systemd unit ``puppet.service``   |
+|                | management agent         |                                   |
++----------------+--------------------------+-----------------------------------+
+| sniproxy       | TLS SNI proxy            | systemd unit ``sniproxy.service`` |
++----------------+--------------------------+-----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service``  |
++----------------+--------------------------+-----------------------------------+
+
+Databases
+---------
+
+* None
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolver at 10.0.0.1 (:doc:`infra02`)
+* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
+* :doc:`proxyout` as HTTP proxy for APT
+* :doc:`motion` (tcp/8443) as backend for https://motion.cacert.org/
+
+Security
+========
+
+.. sshkeys::
+   :RSA:     SHA256:r/qMwm3/p/CAPbLQJ6sj8BOuq/s7LRsaFmWeONuhRSg MD5:9d:ab:4f:2d:48:81:a1:86:68:99:8a:49:d5:01:07:6f
+   :DSA:     SHA256:ubWGDzQn6pw0YMYqiAUnpBRwx3AA5Qg///t976DULk4 MD5:2c:33:c7:bd:f2:6b:1a:03:ea:cd:c3:da:d8:a7:fa:c2
+   :ECDSA:   SHA256:vj3SH943BCZZolFDy1Fxs50i6iyEZ0WvnAmAA6kAQYU MD5:7d:ac:f4:ce:fb:4f:17:72:4d:5a:c4:b4:08:5d:8b:7c
+   :ED25519: SHA256:WRJehwaiCPqO7StZlOxg97qOMbHCbZDOkJ14oAJzWe8 MD5:14:6d:9e:24:de:97:f7:96:bc:cd:45:28:1b:b5:52:7e
+
+Dedicated user roles
+--------------------
+
+* None
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
+The system is stripped down to the bare minimum. Both :program:`sniproxy` and
+:program:`nginx` are security supported. The :program:`nginx-light` package is
+used for `nginx` because no special features are required.
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
+Keys and X.509 certificates
+---------------------------
+
+The host does not provide own TLS services and therefore has no certificates.
+
+nginx configuration
+-------------------
+
+:program:`nginx` is configured via Puppet profile ``profiles::sniproxy`` and
+just redirects all http traffic to https.
+
+sniproxy configuration
+----------------------
+
+:program:`sniproxy` is configured via Puppet profile ``profiles::sniproxy``,
+TCP traffic on port 80 is forwarded to the local nginx and https traffic is
+forwarded to the target hosts as configured in
+:file:`hieradata/nodes/proxyin.yaml`.
+
+Tasks
+=====
+
+Adding a new forward entry
+--------------------------
+
+Add a line to the ``profiles::sniproxy::https_forwards`` item in Hiera data and
+adjust the firewall configuration on :doc:`infra02`.
+
+Changes
+=======
+
+Planned
+-------
+
+* None
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+   * :wiki:`Exim4Configuration`
+
+References
+----------
+
+* https://github.com/dlundquist/sniproxy
index d28c710..f48d76e 100644 (file)
@@ -70,6 +70,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Proxyout
+
+Monitoring
+----------
+
+:internal checks: :monitor:`proxyout.infra.cacert.org`
+
 DNS
 ---
 
@@ -86,10 +94,10 @@ Operating System
 ----------------
 
 .. index::
-   single: Debian GNU/Linux; Stretch
-   single: Debian GNU/Linux; 9.4
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
 
-* Debian GNU/Linux 9.4
+* Debian GNU/Linux 10.0
 
 Applicable Documentation
 ------------------------
@@ -103,51 +111,56 @@ Services
 Listening services
 ------------------
 
-+----------+-----------+-----------+-----------------------------------------+
-| Port     | Service   | Origin    | Purpose                                 |
-+==========+===========+===========+=========================================+
-| 22/tcp   | ssh       | ANY       | admin console access                    |
-+----------+-----------+-----------+-----------------------------------------+
-| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
-+----------+-----------+-----------+-----------------------------------------+
-| 3128/tcp | http      | internal  | squid http/https proxy                  |
-+----------+-----------+-----------+-----------------------------------------+
++----------+---------+----------+----------------------------+
+| Port     | Service | Origin   | Purpose                    |
++==========+=========+==========+============================+
+| 22/tcp   | ssh     | ANY      | admin console access       |
++----------+---------+----------+----------------------------+
+| 25/tcp   | smtp    | local    | mail delivery to local MTA |
++----------+---------+----------+----------------------------+
+| 3128/tcp | http    | internal | squid http/https proxy     |
++----------+---------+----------+----------------------------+
+| 5665/tcp | icinga2 | monitor  | remote monitoring service  |
++----------+---------+----------+----------------------------+
 
 Running services
 ----------------
 
 .. index::
    single: cron
+   single: dbus
    single: exim
+   single: icinga2
    single: openssh
-   single: puppet agent
+   single: puppet
    single: rsyslog
    single: squid
 
-+----------------+--------------------+--------------------------------------+
-| Service        | Usage              | Start mechanism                      |
-+================+====================+======================================+
-| cron           | job scheduler      | init script :file:`/etc/init.d/cron` |
-+----------------+--------------------+--------------------------------------+
-| Exim           | SMTP server for    | init script                          |
-|                | local mail         | :file:`/etc/init.d/exim4`            |
-|                | submission         |                                      |
-+----------------+--------------------+--------------------------------------+
-| openssh server | ssh daemon for     | init script :file:`/etc/init.d/ssh`  |
-|                | remote             |                                      |
-|                | administration     |                                      |
-+----------------+--------------------+--------------------------------------+
-| Puppet agent   | local Puppet agent | init script                          |
-|                |                    | :file:`/etc/init.d/puppet`           |
-+----------------+--------------------+--------------------------------------+
-| rsyslog        | syslog daemon      | init script                          |
-|                |                    | :file:`/etc/init.d/syslog`           |
-+----------------+--------------------+--------------------------------------+
-| Squid          | Caching and        | init script                          |
-|                | filtering http/    | :file:`/etc/init.d/squid`            |
-|                | https proxy for    |                                      |
-|                | internal machines  |                                      |
-+----------------+--------------------+--------------------------------------+
++----------------+--------------------------+----------------------------------+
+| Service        | Usage                    | Start mechanism                  |
++================+==========================+==================================+
+| cron           | job scheduler            | systemd unit ``cron.service``    |
++----------------+--------------------------+----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``    |
+|                | daemon                   |                                  |
++----------------+--------------------------+----------------------------------+
+| Exim           | SMTP server for          | systemd unit ``exim4.service``   |
+|                | local mail submission    |                                  |
++----------------+--------------------------+----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for           | systemd unit ``ssh.service``     |
+|                | remote administration    |                                  |
++----------------+--------------------------+----------------------------------+
+| Puppet agent   | configuration management | systemd unit ``puppet.service``  |
+|                | agent                    |                                  |
++----------------+--------------------------+----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service`` |
++----------------+--------------------------+----------------------------------+
+| Squid          | Caching and filtering    | systemd unit ``squid.service``   |
+|                | http/https proxy for     |                                  |
+|                | internal machines        |                                  |
++----------------+--------------------------+----------------------------------+
 
 Connected Systems
 -----------------
@@ -217,13 +230,25 @@ configuration items outside of the Puppet repository.
 Tasks
 =====
 
+Adding ACLs to Squid
+--------------------
+
+Add required lines to the ``profiles::squid::acls`` item in Hiera data for node
+proxyout.
+
+Changes
+=======
+
 Planned
 -------
 
 .. todo:: Change all infrastructure hosts to use this machine as APT proxy to
           avoid flaky firewall configurations on :doc:`infra02`.
 
-.. todo:: Add more APT repositories and ACLs if needed
+System Future
+-------------
+
+* No plans
 
 Additional documentation
 ========================
index 9c06c49..81f78cf 100644 (file)
@@ -72,6 +72,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Puppet
+
+Monitoring
+----------
+
+:internal checks: :monitor:`puppet.infra.cacert.org`
+
 DNS
 ---
 
@@ -88,15 +96,10 @@ Operating System
 ----------------
 
 .. index::
-   single: Debian GNU/Linux; Stretch
-   single: Debian GNU/Linux; 9.4
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
 
-* Debian GNU/Linux 9.4
-
-Applicable Documentation
-------------------------
-
-This is it :-)
+* Debian GNU/Linux 10.0
 
 Services
 ========
@@ -254,7 +257,6 @@ trusted Puppet agents.
 The CA data is stored in :file:`/etc/puppetlabs/puppet/ssl` and managed by
 puppet itself.
 
-
 Eyaml private key
 -----------------
 
@@ -264,7 +266,6 @@ key in :file:`keys/public_key.pkcs7.pem` in the `CAcert puppet Git repository
 private key is stored in
 :file:`/etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem`.
 
-
 hiera configuration
 -------------------
 
@@ -272,7 +273,6 @@ Puppet uses Hiera for hierarchical information retrieval. The global hiera
 configuration is stored in :file:`/etc/puppetlabs/puppet/hiera.yaml` and
 defines the hierarchy lookup as well as the eyaml key locations.
 
-
 puppet configuration
 --------------------
 
@@ -288,21 +288,19 @@ pattern (see references below) and code/data separation via Hiera.
 Updates to the cacert-puppet repository trigger a web hook listening on tcp
 port 8000 that automatically updates the production environment directory.
 
-
 Tasks
 =====
 
+.. todo:: add a section to describe how to add a system for puppet management
+
+Changes
+=======
+
 Planned
 -------
 
 * migrate as many systems as possible to use Puppet for a more
   reproducible/auditable system setup
-* automate updates of the Puppet code from Git
-
-.. todo:: improve Webhook to run r10k after git pull
-
-Changes
-=======
 
 System Future
 -------------
index 45a4244..f041269 100644 (file)
@@ -83,6 +83,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Svn
+
+Monitoring
+----------
+
+:internal checks: :monitor:`svn.infra.cacert.org`
+
 DNS
 ---
 
@@ -317,12 +325,6 @@ CRLs are updated by :file:`/etc/cron.daily/fetchcrls`.
 Tasks
 =====
 
-Planned
--------
-
-The configuration of this system will be migrated to a setup fully managed by
-Puppet.
-
 X.509 Auth for policy
 ---------------------
 
@@ -337,6 +339,13 @@ Mail notifications
 Changes
 =======
 
+Planned
+-------
+
+The configuration of this system will be migrated to a setup fully managed by
+Puppet.
+
+
 System Future
 -------------
 
index 35ca202..8ddf96a 100644 (file)
@@ -66,6 +66,8 @@ This system is located in an :term:`LXC` container on physical machine
 Physical Configuration
 ----------------------
 
+.. fill this section for physical machines, remove it for VMs/containers
+
 .. seealso::
 
    See :wiki:`SystemAdministration/EquipmentList`
@@ -73,15 +75,29 @@ Physical Configuration
 Logical Location
 ----------------
 
-:IP Internet: :ip:v4:`<IP>`
-:IP Intranet: :ip:v4:`<IP>`
-:IP Internal: :ip:v4:`<IP>`
+.. add information about network settings of the system
+
+:IP Internet: :ip:v4:`213.154.225.<IP>`
+:IP Intranet: :ip:v4:`172.16.2.<IP>`
+:IP Internal: :ip:v4:`10.0.0.<IP>`
+:IPv6:        :ip:v6:`2001:7b8:616:162:x::<IP>`
 :MAC address: :mac:`<MAC>` (interfacename)
 
 .. seealso::
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; <machine>
+
+Monitoring
+----------
+
+.. add links to monitoring checks
+
+:internal checks: :monitor:`template.infra.cacert.org`
+:external checks: :monitor:`template.cacert.org`
+
 DNS
 ---
 
@@ -108,11 +124,6 @@ Operating System
 
 * Debian GNU/Linux x.y
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
@@ -121,86 +132,112 @@ Listening services
 
 .. use the values from this table or add new lines if applicable
 
-+----------+-----------+-----------+-----------------------------------------+
-| Port     | Service   | Origin    | Purpose                                 |
-+==========+===========+===========+=========================================+
-| 22/tcp   | ssh       | ANY       | admin console access                    |
-+----------+-----------+-----------+-----------------------------------------+
-| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
-+----------+-----------+-----------+-----------------------------------------+
-| 80/tcp   | http      | ANY       | application                             |
-+----------+-----------+-----------+-----------------------------------------+
-| 443/tcp  | https     | ANY       | application                             |
-+----------+-----------+-----------+-----------------------------------------+
-| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
-+----------+-----------+-----------+-----------------------------------------+
-| 3306/tcp | mysql     | local     | MySQL database for ...                  |
-+----------+-----------+-----------+-----------------------------------------+
-| 5432/tcp | pgsql     | local     | PostgreSQL database for ...             |
-+----------+-----------+-----------+-----------------------------------------+
-| 465/udp  | syslog    | local     | syslog port                             |
-+----------+-----------+-----------+-----------------------------------------+
++----------+---------+---------+-----------------------------+
+| Port     | Service | Origin  | Purpose                     |
++==========+=========+=========+=============================+
+| 22/tcp   | ssh     | ANY     | admin console access        |
++----------+---------+---------+-----------------------------+
+| 25/tcp   | smtp    | local   | mail delivery to local MTA  |
++----------+---------+---------+-----------------------------+
+| 80/tcp   | http    | ANY     | application                 |
++----------+---------+---------+-----------------------------+
+| 443/tcp  | https   | ANY     | application                 |
++----------+---------+---------+-----------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service   |
++----------+---------+---------+-----------------------------+
+| 5666/tcp | nrpe    | monitor | remote monitoring service   |
++----------+---------+---------+-----------------------------+
+| 3306/tcp | mysql   | local   | MySQL database for ...      |
++----------+---------+---------+-----------------------------+
+| 5432/tcp | pgsql   | local   | PostgreSQL database for ... |
++----------+---------+---------+-----------------------------+
+| 465/udp  | syslog  | local   | syslog port                 |
++----------+---------+---------+-----------------------------+
 
 Running services
 ----------------
 
+..
+   document running services, keep the table in alphabetic order to allow
+   easier diffing, the Start mechanism column should point to an absolute path
+   to an init script or the name of a systemd unit
+
 .. index::
-   single: Apache
-   single: Icinga2
-   single: MySQL
-   single: OpenERP
-   single: Postfix
-   single: PostgreSQL
+   single: apache httpd
    single: cron
+   single: dbus
+   single: exim4
+   single: icinga2
+   single: mariadb
+   single: mysql
    single: nginx
    single: nrpe
+   single: openerp
    single: openssh
-
-+--------------------+--------------------+----------------------------------------+
-| Service            | Usage              | Start mechanism                        |
-+====================+====================+========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
-|                    | remote             |                                        |
-|                    | administration     |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Apache httpd       | Webserver for ...  | init script                            |
-|                    |                    | :file:`/etc/init.d/apache2`            |
-+--------------------+--------------------+----------------------------------------+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
-+--------------------+--------------------+----------------------------------------+
-| rsyslog            | syslog daemon      | init script                            |
-|                    |                    | :file:`/etc/init.d/syslog`             |
-+--------------------+--------------------+----------------------------------------+
-| PostgreSQL         | PostgreSQL         | init script                            |
-|                    | database server    | :file:`/etc/init.d/postgresql`         |
-|                    | for ...            |                                        |
-+--------------------+--------------------+----------------------------------------+
-| MySQL              | MySQL database     | init script                            |
-|                    | server for ...     | :file:`/etc/init.d/mysql`              |
-+--------------------+--------------------+----------------------------------------+
-| Postfix            | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/postfix`            |
-|                    | submission, ...    |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Exim               | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/exim4`              |
-|                    | submission, ...    |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                            |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`     |                                        |
-+--------------------+--------------------+----------------------------------------+
+   single: postfix
+   single: postgresql
+   single: puppet
+   single: rsyslog
+
++--------------------+--------------------------+----------------------------------------+
+| Service            | Usage                    | Start mechanism                        |
++====================+==========================+========================================+
+| Apache httpd       | Webserver for ...        | init script                            |
+|                    |                          | :file:`/etc/init.d/apache2`            |
++--------------------+--------------------------+----------------------------------------+
+| cron               | job scheduler            | init script :file:`/etc/init.d/cron`   |
++--------------------+--------------------------+----------------------------------------+
+| dbus-daemon        | System message bus       | systemd unit ``dbus.service``          |
+|                    | daemon                   |                                        |
++--------------------+--------------------------+----------------------------------------+
+| Exim               | SMTP server for          | init script                            |
+|                    | local mail               | :file:`/etc/init.d/exim4`              |
+|                    | submission, ...          |                                        |
++--------------------+--------------------------+----------------------------------------+
+| icinga2            | Icinga2 monitoring agent | systemd unit ``icinga2.service``       |
++--------------------+--------------------------+----------------------------------------+
+| MariaDB            | MariaDB database         | systemd unit ``mariadb.service``       |
+|                    | server for bug           |                                        |
+|                    | tracker                  |                                        |
++--------------------+--------------------------+----------------------------------------+
+| MySQL              | MySQL database           | init script                            |
+|                    | server for ...           | :file:`/etc/init.d/mysql`              |
++--------------------+--------------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring        | init script                            |
+|                    | service queried by       | :file:`/etc/init.d/nagios-nrpe-server` |
+|                    | :doc:`monitor`           |                                        |
++--------------------+--------------------------+----------------------------------------+
+| openssh server     | ssh daemon for           | init script :file:`/etc/init.d/ssh`    |
+|                    | remote                   |                                        |
+|                    | administration           |                                        |
++--------------------+--------------------------+----------------------------------------+
+| Postfix            | SMTP server for          | init script                            |
+|                    | local mail               | :file:`/etc/init.d/postfix`            |
+|                    | submission, ...          |                                        |
++--------------------+--------------------------+----------------------------------------+
+| PostgreSQL         | PostgreSQL               | init script                            |
+|                    | database server          | :file:`/etc/init.d/postgresql`         |
+|                    | for ...                  |                                        |
++--------------------+--------------------------+----------------------------------------+
+| Puppet agent       | configuration            | systemd unit ``puppet.service``        |
+|                    | management agent         |                                        |
++--------------------+--------------------------+----------------------------------------+
+| rsyslog            | syslog daemon            | init script                            |
+|                    |                          | :file:`/etc/init.d/syslog`             |
++--------------------+--------------------------+----------------------------------------+
 
 Databases
 ---------
 
-+-------------+--------------+---------------------------+
-| RDBMS       | Name         | Used for                  |
-+=============+==============+===========================+
-| MySQL       | application1 | fictional application one |
-+-------------+--------------+---------------------------+
-| PostgreSQL  | application2 | fictional application two |
-+-------------+--------------+---------------------------+
++------------+--------------+-----------------------------+
+| RDBMS      | Name         | Used for                    |
++============+==============+=============================+
+| MySQL      | application1 | fictional application one   |
++------------+--------------+-----------------------------+
+| PostgreSQL | application2 | fictional application two   |
++------------+--------------+-----------------------------+
+| SQLite     | application  | fictional application three |
++------------+--------------+-----------------------------+
 
 Running Guests
 --------------
@@ -220,14 +257,21 @@ Outbound network connections
 ----------------------------
 
 * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+  .. or
+* DNS (53) resolver at 10.0.0.1 (:doc:`infra02`)
 * :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
 * crl.cacert.org (rsync) for getting CRLs
 
 Security
 ========
 
-.. add the MD5 fingerprints of the SSH host keys
+..
+   add the SHA256 and MD5 fingerprints of the SSH host keys. You can just paste
+   the output of the ssh_host_keys.py script in the tools folder of the
+   cacert-infradocs git repository with the root filesystem of the host as
+   argument.
 
 .. sshkeys::
    :RSA:
@@ -262,14 +306,26 @@ Risk assessments on critical packages
 .. add a paragraph for each known risk. The risk has to be described.
    Mitigation or risk acceptance has to be documented.
 
+..
+   The Puppet agent package and a few dependencies are installed from the
+   official Puppet APT repository because the versions in Debian are too old to
+   use modern Puppet features.
+
 Critical Configuration items
 ============================
 
+..
+   The system configuration is managed via Puppet profiles. There should be no
+   configuration items outside of the :cacertgit:`cacert-puppet`.
+
 Keys and X.509 certificates
 ---------------------------
 
-.. use the sslcert directive to have certificates added to the certificate list
-   automatically
+..
+   use the sslcert directive to have certificates added to the certificate list
+   automatically. There is a script sslcert.py in the tools directory of the
+   cacert-infradocs git repository that can generate these directives
+   automatically.
 
 .. sslcert:: template.cacert.org
    :altnames:
@@ -298,21 +354,27 @@ Keys and X.509 certificates
 <service_x> configuration
 -------------------------
 
-.. add a section for the configuration of each service where configuration
+..
+   add a section for the configuration of each service where configuration
    deviates from OS package defaults
 
 Tasks
 =====
 
+..
+   add a section for each system maintenance task that is special for this
+   system, i.e. adding/removing accounts, running some special maintenance
+   scripts or similar tasks
+
+Changes
+=======
+
 Planned
 -------
 
 .. add a paragraph or todo directive for each larger planned task. You may want
    to link to specific issues if you use some issue tracker.
 
-Changes
-=======
-
 System Future
 -------------
 
index 0f9ac65..9e9fdbd 100644 (file)
@@ -70,6 +70,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Test
+
+Monitoring
+----------
+
+:internal checks: :monitor:`test.infra.cacert.org`
+
 DNS
 ---
 
@@ -101,11 +109,6 @@ Operating System
 
 * Debian GNU/Linux 8.11
 
-Applicable Documentation
-------------------------
-
-There is no additional documentation for this system.
-
 Services
 ========
 
@@ -434,6 +437,9 @@ and to use mbox style mailboxes in /var/mail/%u in the following files:
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
@@ -441,8 +447,6 @@ Planned
 
    Upgrade test to Debian Stretch when the software is ready.
 
-Changes
-=======
 
 System Future
 -------------
index 444cf87..f735bec 100644 (file)
@@ -83,6 +83,14 @@ there are some special mappings in the infra02 firewall to get access to this sy
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Test3
+
+Monitoring
+----------
+
+.. :internal checks: :monitor:`test3.infra.cacert.org`
+
 DNS
 ---
 
@@ -449,14 +457,14 @@ all mail is delivered to the mailbox of the *cacertmail* user in
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
 .. todo:: implement git workflows for updates maybe using :doc:`jenkins`
 
-Changes
-=======
-
 System Future
 -------------
 
index 572849b..8aa91be 100644 (file)
@@ -71,6 +71,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Translations
+
+Monitoring
+----------
+
+:internal checks: :monitor:`translations.infra.cacert.org`
+
 DNS
 ---
 
@@ -107,11 +115,6 @@ Operating System
 
 * Debian GNU/Linux 9.4
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
@@ -394,6 +397,9 @@ Pootle version and have to be checked/updated.
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
@@ -413,8 +419,6 @@ Planned
    them with the :program:`sudo` system to allow members of the `pootle-update`
    group to run them in the context of the `pootle` system user
 
-Changes
-=======
 
 System Future
 -------------
index 16e32b2..c3fba2d 100644 (file)
@@ -68,6 +68,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Web
+
+Monitoring
+----------
+
+:internal checks: :monitor:`web.infra.cacert.org`
+
 DNS
 ---
 
@@ -100,11 +108,6 @@ Operating System
 
 * Debian GNU/Linux 9.4
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
@@ -211,7 +214,7 @@ Critical Configuration items
 ============================
 
 The system configuration is managed via Puppet profiles. There should be no
-configuration items outside of the Puppet repository.
+configuration items outside of the :cacertgit:`cacert-puppet`.
 
 .. todo:: move configuration of :doc:`web` to Puppet code
 
@@ -231,9 +234,9 @@ Keys and X.509 certificates
    :altnames:   DNS:funding.cacert.org
    :certfile:   /etc/ssl/certs/funding.cacert.org.crt
    :keyfile:    /etc/ssl/private/funding.cacert.org.key
-   :serial:     02A770
-   :expiration: Feb 16 12:07:35 2019 GMT
-   :sha1fp:     36:E0:A1:86:7A:FA:C6:F4:86:9F:CC:9C:61:4D:B9:A4:7C:0F:9F:C9
+   :serial:     02D059
+   :expiration: Jan 31 16:29:20 2021 GMT
+   :sha1fp:     FD:0D:2A:33:70:64:0E:2A:D6:F6:72:0F:D0:47:D9:C7:BD:E3:F4:DF
    :issuer:     CAcert Class 3 Root
 
 .. sslcert:: infradocs.cacert.org
@@ -249,9 +252,9 @@ Keys and X.509 certificates
    :altnames:   DNS:jenkins.cacert.org
    :certfile:   /etc/ssl/certs/jenkins.cacert.org.crt
    :keyfile:    /etc/ssl/private/jenkins.cacert.org.key
-   :serial:     02A76F
-   :expiration: Feb 16 12:07:29 2019 GMT
-   :sha1fp:     D1:E3:5B:73:63:28:C6:31:0F:35:4A:2F:0D:12:B5:6C:3F:72:08:3D
+   :serial:     02D058
+   :expiration: Jan 31 16:27:54 2021 GMT
+   :sha1fp:     00:5B:9C:4D:2E:D2:E4:69:2D:32:61:DC:25:98:F0:89:C9:E1:50:F1
    :issuer:     CAcert Class 3 Root
 
 .. sslcert:: web.cacert.org
@@ -310,14 +313,14 @@ Apache httpd configuration
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
 .. todo:: manage the web system using Puppet
 
-Changes
-=======
-
 System Future
 -------------
 
index 7878236..0eb88d8 100644 (file)
@@ -329,14 +329,14 @@ The board voting system uses a SQLite database in
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
 .. todo:: implement CRL checking
 
-Changes
-=======
-
 System Future
 -------------
 
index 77c175b..34e90aa 100644 (file)
@@ -24,6 +24,9 @@ Funding
 Infrastructure Documentation
    https://infradocs.cacert.org/
 
+CAcert internal Debian repository
+   https://webstatic.infra.cacert.org/
+
 Administration
 ==============
 
@@ -77,6 +80,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Webstatic
+
+Monitoring
+----------
+
+:internal checks: :monitor:`webstatic.infra.cacert.org`
+
 DNS
 ---
 
@@ -108,14 +119,9 @@ Operating System
 
 .. index::
    single: Debian GNU/Linux; Stretch
-   single: Debian GNU/Linux; 9.4
+   single: Debian GNU/Linux; 9.9
 
-* Debian GNU/Linux 9.4
-
-Applicable Documentation
-------------------------
-
-This is it :-)
+* Debian GNU/Linux 9.9
 
 Services
 ========
@@ -205,13 +211,15 @@ Dedicated user roles
 --------------------
 
 +-------------------+---------------------------------------------------+
-| Group             | Purpose                                           |
+| Role              | Purpose                                           |
 +===================+===================================================+
 | jenkins-infradocs | Used by :doc:`jenkins` to upload documentation to |
 |                   | :file:`/var/www/codedocs.cacert.org/html/` and    |
 |                   | :file:`/var/www/infradocs.cacert.org/html/`       |
 +-------------------+---------------------------------------------------+
 
+.. todo:: manage ``jenkins-infradocs`` user via Puppet
+
 Non-distribution packages and modifications
 -------------------------------------------
 
@@ -236,51 +244,42 @@ Critical Configuration items
 ============================
 
 The system configuration is managed via Puppet profiles. There should be no
-configuration items outside of the Puppet repository.
-
-.. todo:: move configuration of :doc:`webstatic` to Puppet code
+configuration items outside of the :cacertgit:`cacert-puppet`.
 
 Keys and X.509 certificates
 ---------------------------
 
-The host does not provide TLS services and therefore has no certificates.
-
-.. todo::
-   move the TLS configuration for the served VirtualHosts to :doc:`webstatic`
+The host does not provide own TLS services and therefore has no certificates.
 
 Apache httpd configuration
 --------------------------
 
-The main configuration files for Apache httpd are:
-
-* :file:`/etc/apache2/sites-available/000-default.conf`
+Apache configuration is managed via the Puppet profile
+``profiles::static_websites``.
 
-  Defines the default VirtualHost for requests reaching this host with no
-  specifically handled host name.
+Debian repository configuration
+-------------------------------
 
-* :file:`/etc/apache2/sites-available/codedocs.cacert.org.conf`
-
-  Defines the VirtualHost for https://codedocs.cacert.org/
-
-* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`
-
-  Defines the VirtualHost for https://funding.cacert.org/
-
-* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`
-
-  Defines the VirtualHost for https://infradocs.cacert.org/
+The Debian repository is managed via the Puppet profile
+``profiles::debarchive``. Packages that are uploaded to
+:file:`/srv/upload/incoming` are automatically processed by
+:program:`inoticoming` and :program:`reprepro`. Only packages signed by a known
+PGP key (managed via Puppet) are accepted and provided at
+https://webstatic.infra.cacert.org/.
 
+The repository signing key is stored in
+:file:`/srv/debarchive/.gnupg/private-keys-v1.d/223894064EE26851A245DE9208C5C0ABF772F7A7.key`.
 
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
-.. todo:: manage the webstatic system using Puppet
-
-Changes
-=======
+.. todo:: update to Debian 10 (when Puppet is available)
 
 System Future
 -------------
@@ -298,3 +297,5 @@ References
 ----------
 
 * http://httpd.apache.org/docs/2.4/
+* https://manpages.debian.org/buster/inoticoming/inoticoming.1.en.html
+* https://manpages.debian.org/buster/reprepro/reprepro.1.en.html
index 75dd450..f9c82c5 100644 (file)
@@ -9,4 +9,4 @@ cryptography = "*"
 [dev-packages]
 
 [requires]
-python_version = "3.6"
+python_version = "3.7"
index da2f4ee..4736511 100644 (file)
@@ -1,11 +1,11 @@
 {
     "_meta": {
         "hash": {
-            "sha256": "688228320144bd6c0942d8b12483fd041545165a9dae2f68cb2b3af03b5220d5"
+            "sha256": "319904517ee99cc03df0ec42fe048a84aeb8344d0653c9bddb32ed1f24760223"
         },
         "pipfile-spec": 6,
         "requires": {
-            "python_version": "3.6"
+            "python_version": "3.7"
         },
         "sources": [
             {
         },
         "cffi": {
             "hashes": [
-                "sha256:151b7eefd035c56b2b2e1eb9963c90c6302dc15fbd8c1c0a83a163ff2c7d7743",
-                "sha256:1553d1e99f035ace1c0544050622b7bc963374a00c467edafac50ad7bd276aef",
-                "sha256:1b0493c091a1898f1136e3f4f991a784437fac3673780ff9de3bcf46c80b6b50",
-                "sha256:2ba8a45822b7aee805ab49abfe7eec16b90587f7f26df20c71dd89e45a97076f",
-                "sha256:3bb6bd7266598f318063e584378b8e27c67de998a43362e8fce664c54ee52d30",
-                "sha256:3c85641778460581c42924384f5e68076d724ceac0f267d66c757f7535069c93",
-                "sha256:3eb6434197633b7748cea30bf0ba9f66727cdce45117a712b29a443943733257",
-                "sha256:495c5c2d43bf6cebe0178eb3e88f9c4aa48d8934aa6e3cddb865c058da76756b",
-                "sha256:4c91af6e967c2015729d3e69c2e51d92f9898c330d6a851bf8f121236f3defd3",
-                "sha256:57b2533356cb2d8fac1555815929f7f5f14d68ac77b085d2326b571310f34f6e",
-                "sha256:770f3782b31f50b68627e22f91cb182c48c47c02eb405fd689472aa7b7aa16dc",
-                "sha256:79f9b6f7c46ae1f8ded75f68cf8ad50e5729ed4d590c74840471fc2823457d04",
-                "sha256:7a33145e04d44ce95bcd71e522b478d282ad0eafaf34fe1ec5bbd73e662f22b6",
-                "sha256:857959354ae3a6fa3da6651b966d13b0a8bed6bbc87a0de7b38a549db1d2a359",
-                "sha256:87f37fe5130574ff76c17cab61e7d2538a16f843bb7bca8ebbc4b12de3078596",
-                "sha256:95d5251e4b5ca00061f9d9f3d6fe537247e145a8524ae9fd30a2f8fbce993b5b",
-                "sha256:9d1d3e63a4afdc29bd76ce6aa9d58c771cd1599fbba8cf5057e7860b203710dd",
-                "sha256:a36c5c154f9d42ec176e6e620cb0dd275744aa1d804786a71ac37dc3661a5e95",
-                "sha256:a6a5cb8809091ec9ac03edde9304b3ad82ad4466333432b16d78ef40e0cce0d5",
-                "sha256:ae5e35a2c189d397b91034642cb0eab0e346f776ec2eb44a49a459e6615d6e2e",
-                "sha256:b0f7d4a3df8f06cf49f9f121bead236e328074de6449866515cea4907bbc63d6",
-                "sha256:b75110fb114fa366b29a027d0c9be3709579602ae111ff61674d28c93606acca",
-                "sha256:ba5e697569f84b13640c9e193170e89c13c6244c24400fc57e88724ef610cd31",
-                "sha256:be2a9b390f77fd7676d80bc3cdc4f8edb940d8c198ed2d8c0be1319018c778e1",
-                "sha256:ca1bd81f40adc59011f58159e4aa6445fc585a32bb8ac9badf7a2c1aa23822f2",
-                "sha256:d5d8555d9bfc3f02385c1c37e9f998e2011f0db4f90e250e5bc0c0a85a813085",
-                "sha256:e55e22ac0a30023426564b1059b035973ec82186ddddbac867078435801c7801",
-                "sha256:e90f17980e6ab0f3c2f3730e56d1fe9bcba1891eeea58966e89d352492cc74f4",
-                "sha256:ecbb7b01409e9b782df5ded849c178a0aa7c906cf8c5a67368047daab282b184",
-                "sha256:ed01918d545a38998bfa5902c7c00e0fee90e957ce036a4000a88e3fe2264917",
-                "sha256:edabd457cd23a02965166026fd9bfd196f4324fe6032e866d0f3bd0301cd486f",
-                "sha256:fdf1c1dc5bafc32bc5d08b054f94d659422b05aba244d6be4ddc1c72d9aa70fb"
+                "sha256:041c81822e9f84b1d9c401182e174996f0bae9991f33725d059b771744290774",
+                "sha256:046ef9a22f5d3eed06334d01b1e836977eeef500d9b78e9ef693f9380ad0b83d",
+                "sha256:066bc4c7895c91812eff46f4b1c285220947d4aa46fa0a2651ff85f2afae9c90",
+                "sha256:066c7ff148ae33040c01058662d6752fd73fbc8e64787229ea8498c7d7f4041b",
+                "sha256:2444d0c61f03dcd26dbf7600cf64354376ee579acad77aef459e34efcb438c63",
+                "sha256:300832850b8f7967e278870c5d51e3819b9aad8f0a2c8dbe39ab11f119237f45",
+                "sha256:34c77afe85b6b9e967bd8154e3855e847b70ca42043db6ad17f26899a3df1b25",
+                "sha256:46de5fa00f7ac09f020729148ff632819649b3e05a007d286242c4882f7b1dc3",
+                "sha256:4aa8ee7ba27c472d429b980c51e714a24f47ca296d53f4d7868075b175866f4b",
+                "sha256:4d0004eb4351e35ed950c14c11e734182591465a33e960a4ab5e8d4f04d72647",
+                "sha256:4e3d3f31a1e202b0f5a35ba3bc4eb41e2fc2b11c1eff38b362de710bcffb5016",
+                "sha256:50bec6d35e6b1aaeb17f7c4e2b9374ebf95a8975d57863546fa83e8d31bdb8c4",
+                "sha256:55cad9a6df1e2a1d62063f79d0881a414a906a6962bc160ac968cc03ed3efcfb",
+                "sha256:5662ad4e4e84f1eaa8efce5da695c5d2e229c563f9d5ce5b0113f71321bcf753",
+                "sha256:59b4dc008f98fc6ee2bb4fd7fc786a8d70000d058c2bbe2698275bc53a8d3fa7",
+                "sha256:73e1ffefe05e4ccd7bcea61af76f36077b914f92b76f95ccf00b0c1b9186f3f9",
+                "sha256:a1f0fd46eba2d71ce1589f7e50a9e2ffaeb739fb2c11e8192aa2b45d5f6cc41f",
+                "sha256:a2e85dc204556657661051ff4bab75a84e968669765c8a2cd425918699c3d0e8",
+                "sha256:a5457d47dfff24882a21492e5815f891c0ca35fefae8aa742c6c263dac16ef1f",
+                "sha256:a8dccd61d52a8dae4a825cdbb7735da530179fea472903eb871a5513b5abbfdc",
+                "sha256:ae61af521ed676cf16ae94f30fe202781a38d7178b6b4ab622e4eec8cefaff42",
+                "sha256:b012a5edb48288f77a63dba0840c92d0504aa215612da4541b7b42d849bc83a3",
+                "sha256:d2c5cfa536227f57f97c92ac30c8109688ace8fa4ac086d19d0af47d134e2909",
+                "sha256:d42b5796e20aacc9d15e66befb7a345454eef794fdb0737d1af593447c6c8f45",
+                "sha256:dee54f5d30d775f525894d67b1495625dd9322945e7fee00731952e0368ff42d",
+                "sha256:e070535507bd6aa07124258171be2ee8dfc19119c28ca94c9dfb7efd23564512",
+                "sha256:e1ff2748c84d97b065cc95429814cdba39bcbd77c9c85c89344b317dc0d9cbff",
+                "sha256:ed851c75d1e0e043cbf5ca9a8e1b13c4c90f3fbd863dacb01c0808e2b5204201"
             ],
-            "version": "==1.11.5"
+            "version": "==1.12.3"
         },
         "cryptography": {
             "hashes": [
-                "sha256:02602e1672b62e803e08617ec286041cc453e8d43f093a5f4162095506bc0beb",
-                "sha256:10b48e848e1edb93c1d3b797c83c72b4c387ab0eb4330aaa26da8049a6cbede0",
-                "sha256:17db09db9d7c5de130023657be42689d1a5f60502a14f6f745f6f65a6b8195c0",
-                "sha256:227da3a896df1106b1a69b1e319dce218fa04395e8cc78be7e31ca94c21254bc",
-                "sha256:2cbaa03ac677db6c821dac3f4cdfd1461a32d0615847eedbb0df54bb7802e1f7",
-                "sha256:31db8febfc768e4b4bd826750a70c79c99ea423f4697d1dab764eb9f9f849519",
-                "sha256:4a510d268e55e2e067715d728e4ca6cd26a8e9f1f3d174faf88e6f2cb6b6c395",
-                "sha256:6a88d9004310a198c474d8a822ee96a6dd6c01efe66facdf17cb692512ae5bc0",
-                "sha256:76936ec70a9b72eb8c58314c38c55a0336a2b36de0c7ee8fb874a4547cadbd39",
-                "sha256:7e3b4aecc4040928efa8a7cdaf074e868af32c58ffc9bb77e7bf2c1a16783286",
-                "sha256:8168bcb08403ef144ff1fb880d416f49e2728101d02aaadfe9645883222c0aa5",
-                "sha256:8229ceb79a1792823d87779959184a1bf95768e9248c93ae9f97c7a2f60376a1",
-                "sha256:8a19e9f2fe69f6a44a5c156968d9fc8df56d09798d0c6a34ccc373bb186cee86",
-                "sha256:8d10113ca826a4c29d5b85b2c4e045ffa8bad74fb525ee0eceb1d38d4c70dfd6",
-                "sha256:be495b8ec5a939a7605274b6e59fbc35e76f5ad814ae010eb679529671c9e119",
-                "sha256:dc2d3f3b1548f4d11786616cf0f4415e25b0fbecb8a1d2cd8c07568f13fdde38",
-                "sha256:e4aecdd9d5a3d06c337894c9a6e2961898d3f64fe54ca920a72234a3de0f9cb3",
-                "sha256:e79ab4485b99eacb2166f3212218dd858258f374855e1568f728462b0e6ee0d9",
-                "sha256:f995d3667301e1754c57b04e0bae6f0fa9d710697a9f8d6712e8cca02550910f"
+                "sha256:24b61e5fcb506424d3ec4e18bca995833839bf13c59fc43e530e488f28d46b8c",
+                "sha256:25dd1581a183e9e7a806fe0543f485103232f940fcfc301db65e630512cce643",
+                "sha256:3452bba7c21c69f2df772762be0066c7ed5dc65df494a1d53a58b683a83e1216",
+                "sha256:41a0be220dd1ed9e998f5891948306eb8c812b512dc398e5a01846d855050799",
+                "sha256:5751d8a11b956fbfa314f6553d186b94aa70fdb03d8a4d4f1c82dcacf0cbe28a",
+                "sha256:5f61c7d749048fa6e3322258b4263463bfccefecb0dd731b6561cb617a1d9bb9",
+                "sha256:72e24c521fa2106f19623a3851e9f89ddfdeb9ac63871c7643790f872a305dfc",
+                "sha256:7b97ae6ef5cba2e3bb14256625423413d5ce8d1abb91d4f29b6d1a081da765f8",
+                "sha256:961e886d8a3590fd2c723cf07be14e2a91cf53c25f02435c04d39e90780e3b53",
+                "sha256:96d8473848e984184b6728e2c9d391482008646276c3ff084a1bd89e15ff53a1",
+                "sha256:ae536da50c7ad1e002c3eee101871d93abdc90d9c5f651818450a0d3af718609",
+                "sha256:b0db0cecf396033abb4a93c95d1602f268b3a68bb0a9cc06a7cff587bb9a7292",
+                "sha256:cfee9164954c186b191b91d4193989ca994703b2fff406f71cf454a2d3c7327e",
+                "sha256:e6347742ac8f35ded4a46ff835c60e68c22a536a8ae5c4422966d06946b6d4c6",
+                "sha256:f27d93f0139a3c056172ebb5d4f9056e770fdf0206c2f422ff2ebbad142e09ed",
+                "sha256:f57b76e46a58b63d1c6375017f4564a28f19a5ca912691fd2e4261b3414b618d"
             ],
             "index": "pypi",
-            "version": "==2.3.1"
-        },
-        "idna": {
-            "hashes": [
-                "sha256:156a6814fb5ac1fc6850fb002e0852d56c0c8d2531923a51032d1b70760e186e",
-                "sha256:684a38a6f903c1d71d6d5fac066b58d7768af4de2b832e426ec79c30daa94a16"
-            ],
             "version": "==2.7"
         },
         "pycparser": {
         },
         "six": {
             "hashes": [
-                "sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9",
-                "sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb"
+                "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c",
+                "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"
             ],
-            "version": "==1.11.0"
+            "version": "==1.12.0"
         }
     },
     "develop": {}
index ecc125e..9fa9d7f 100755 (executable)
@@ -5,33 +5,47 @@ import os.path
 import subprocess
 from glob import glob
 
-SUPPORTED_SSH_KEY_TYPES = ('RSA', 'DSA', 'ECDSA', 'ED25519')
+SUPPORTED_SSH_KEY_TYPES = ("RSA", "DSA", "ECDSA", "ED25519")
+HASH_ALGORITHMS = ("SHA256", "MD5")
 
 
-if __name__ == '__main__':
+if __name__ == "__main__":
     parser = argparse.ArgumentParser(
         description=(
-            'Convert a set of ssh host keys to the syntax expected by the '
-            'sshkeys directive of the CAcert infrastructure documentation'))
-    parser.add_argument(
-        'root', metavar='ROOT', type=str, help='root directory'
+            "Convert a set of ssh host keys to the syntax expected by the "
+            "sshkeys directive of the CAcert infrastructure documentation"
+        )
     )
+    parser.add_argument("root", metavar="ROOT", type=str, help="root directory")
     args = parser.parse_args()
 
     keys = {}
-    for host_key in glob(os.path.join(
-        args.root, 'etc/ssh', 'ssh_host_*key.pub')
-    ):
-        fp = subprocess.check_output(
-            ['ssh-keygen', '-l', '-f', host_key]).strip().split()
-        keys[fp[3][1:-1].decode('ascii')] = fp[1].decode('ascii')
+    for host_key in glob(os.path.join(args.root, "etc/ssh", "ssh_host_*key.pub")):
+        for algorithm in HASH_ALGORITHMS:
+            fp = (
+                subprocess.check_output(
+                    ["ssh-keygen", "-l", "-E", algorithm, "-f", host_key]
+                )
+                .decode("ascii")
+                .strip()
+                .split()
+            )
+            key_type = fp[3][1:-1]
+            keys.setdefault(key_type, {})
+            keys[key_type][algorithm] = fp[1]
 
-    max_length = max([len(key) for key in keys.keys()
-                      if key in SUPPORTED_SSH_KEY_TYPES])
+    max_length = max(
+        [len(key) for key in keys.keys() if key in SUPPORTED_SSH_KEY_TYPES]
+    )
 
     print(".. sshkeys::")
-    for typ, key in [
-        (typ, keys[typ]) for typ in SUPPORTED_SSH_KEY_TYPES
-        if typ in keys
+    for typ, key_dict in [
+        (typ, keys[typ]) for typ in SUPPORTED_SSH_KEY_TYPES if typ in keys
     ]:
-        print("   :{}:{} {}".format(typ, ' ' * (max_length - len(typ)), key))
+        print(
+            "   :{}:{} {}".format(
+                typ,
+                " " * (max_length - len(typ)),
+                " ".join([key_dict[algorithm] for algorithm in HASH_ALGORITHMS]),
+            )
+        )
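Review bot: `key_type = fp[3][1:-1]` still relies on the key comment being a single whitespace-free token, because `ssh-keygen -l` prints `<bits> <fingerprint> <comment> (<TYPE>)` and a comment with spaces (ssh-keygen itself emits `no comment` for a key without one) shifts the type out of index 3 and silently mislabels or drops the key; indexing from the end, `key_type = fp[-1][1:-1]`, is robust regardless of the comment. Related, `max([...])` raises `ValueError` when no supported key type was found (for example an unreadable or empty `etc/ssh`), and `.decode("ascii")` will raise on a non-ASCII comment, so a `default=0` and an explicit `errors="replace"` would fail more gracefully. As a point of style, `keys.setdefault(key_type, {})` followed by a separate assignment can be folded into `keys.setdefault(key_type, {})[algorithm] = fp[1]`, and the list comprehensions inside `max(...)` and `" ".join(...)` can be generator expressions. The `if __name__ == "__main__":` block may continue past the end of this hunk.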