Update OCSP responder certificates after renewal on August 25, 2019. master
authorWytze van der Raay <wytze@cacert.org>
Mon, 26 Aug 2019 08:35:18 +0000 (10:35 +0200)
committerWytze van der Raay <wytze@cacert.org>
Mon, 26 Aug 2019 08:35:18 +0000 (10:35 +0200)
40 files changed:
doc-requirements.txt
docs/Pipfile
docs/Pipfile.lock
docs/conf.py
docs/critical/ocsp.rst
docs/external.rst [new file with mode: 0644]
docs/external/extmon.rst [new file with mode: 0644]
docs/index.rst
docs/iplist.rst
docs/lxcsetup.rst
docs/network.rst
docs/systems.rst
docs/systems/blog.rst
docs/systems/board.rst
docs/systems/bugs.rst
docs/systems/cats.rst
docs/systems/email.rst
docs/systems/emailout.rst
docs/systems/git.rst
docs/systems/infra02.rst
docs/systems/ircserver.rst
docs/systems/issue.rst
docs/systems/jenkins.rst
docs/systems/lists.rst
docs/systems/monitor.rst
docs/systems/motion.rst [new file with mode: 0644]
docs/systems/proxyin.rst [new file with mode: 0644]
docs/systems/proxyout.rst
docs/systems/puppet.rst
docs/systems/svn.rst
docs/systems/template.rst
docs/systems/test.rst
docs/systems/test3.rst
docs/systems/translations.rst
docs/systems/web.rst
docs/systems/webmail.rst
docs/systems/webstatic.rst
tools/Pipfile
tools/Pipfile.lock
tools/ssh_host_keys.py

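--- a/doc-requirements.txt
+++ b/doc-requirements.txt
@@ -1,28 +1,34 @@
-alabaster==0.7.10
-Babel==2.5.3
-certifi==2018.4.16
+alabaster==0.7.12
+attrs==19.1.0
+Babel==2.7.0
+certifi==2019.6.16
 chardet==3.0.4
-docutils==0.14
-gitdb2==2.0.3
-GitPython==2.1.9
-idna==2.6
-imagesize==1.0.0
+dateutils==0.6.6
+docutils==0.15.2
+gitdb2==2.0.5
+GitPython==2.1.13
+idna==2.8
+imagesize==1.1.0
 ipcalc==1.99.0
-jandd.sphinxext.ip==0.2.4
+jandd.sphinxext.ip==0.3.0
 jandd.sphinxext.mac==0.1.0
-Jinja2==2.10
-MarkupSafe==1.0
-packaging==17.1
-pkg-resources==0.0.0
-py-dateutil==2.2
-Pygments==2.2.0
-pyparsing==2.2.0
-pytz==2018.4
-requests==2.18.4
-six==1.11.0
-smmap2==2.0.3
-snowballstemmer==1.2.1
-Sphinx==1.7.2
-sphinxcontrib-websupport==1.0.1
-urllib3==1.22
+Jinja2==2.10.1
+MarkupSafe==1.1.1
+packaging==19.1
+Pygments==2.4.2
+pyparsing==2.4.2
+python-dateutil==2.8.0
+pytz==2019.1
+requests==2.22.0
+six==1.12.0
+smmap2==2.0.5
+snowballstemmer==1.9.0
+Sphinx==2.1.2
+sphinxcontrib-applehelp==1.0.1
+sphinxcontrib-devhelp==1.0.1
+sphinxcontrib-htmlhelp==1.0.2
+sphinxcontrib-jsmath==1.0.1
+sphinxcontrib-qthelp==1.0.2
+sphinxcontrib-serializinghtml==1.1.3
+urllib3==1.25.3
 validate-email==1.3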
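Review bot: The new pin `dateutils==0.6.6` in this hunk looks like a different PyPI project from `python-dateutil==2.8.0`, which is also added a few lines further down; the old file pinned only `py-dateutil==2.2`, so one of the two new names is probably a substitution error rather than a genuinely new second dependency. The docs/Pipfile.lock hunks in this same commit record `python-dateutil` but, as far as is visible here, no `dateutils`, which suggests `python-dateutil` is the intended replacement. I would drop the `dateutils==0.6.6` line unless something in the docs build actually imports it, so that the requirements file and the lock file resolve to the same set of packages and a reader cannot mistake the similarly named project for the one the build depends on.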
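--- a/docs/Pipfile
+++ b/docs/Pipfile
@@ -14,4 +14,4 @@ validate-email = "*"
 [dev-packages]
 
 [requires]
-python_version = "3.6"
+python_version = "3.7"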
index b9e1f08..71839c7 100644 (file)
@@ -1,11 +1,11 @@
 {
     "_meta": {
         "hash": {
 {
     "_meta": {
         "hash": {
-            "sha256": "dca01cf448380a87625e914b200ca5b617c2b424bb61d615a6189a2ff62d58a7"
+            "sha256": "3f84f87945441353b07733193713bf3883f2fea908413e6e1617c5d5f54a0aa2"
         },
         "pipfile-spec": 6,
         "requires": {
         },
         "pipfile-spec": 6,
         "requires": {
-            "python_version": "3.6"
+            "python_version": "3.7"
         },
         "sources": [
             {
         },
         "sources": [
             {
             ],
             "version": "==1.4.0"
         },
             ],
             "version": "==1.4.0"
         },
+        "attrs": {
+            "hashes": [
+                "sha256:69c0dbf2ed392de1cb5ec704444b08a5ef81680a61cb899dc08127123af36a79",
+                "sha256:f0b870f674851ecbfbbbd364d6b5cbdff9dcedbc7f3f5e18a6891057f21fe399"
+            ],
+            "version": "==19.1.0"
+        },
         "babel": {
             "hashes": [
         "babel": {
             "hashes": [
-                "sha256:6778d85147d5d85345c14a26aada5e478ab04e39b078b0745ee6870c2b5cf669",
-                "sha256:8cba50f48c529ca3fa18cf81fa9403be176d374ac4d60738b839122dfaaa3d23"
+                "sha256:af92e6106cb7c55286b25b38ad7695f8b4efb36a90ba483d7f7a6628c46158ab",
+                "sha256:e86135ae101e31e2c8ec20a4e0c5220f4eed12487d5cf3f78be7e98d3a57fc28"
             ],
             ],
-            "version": "==2.6.0"
+            "version": "==2.7.0"
         },
         "certifi": {
             "hashes": [
         },
         "certifi": {
             "hashes": [
-                "sha256:339dc09518b07e2fa7eda5450740925974815557727d6bd35d319c1524a04a4c",
-                "sha256:6d58c986d22b038c8c0df30d639f23a3e6d172a05c3583e766f4c0b785c0986a"
+                "sha256:046832c04d4e752f37383b628bc601a7ea7211496b4638f6514d0e5b9acc4939",
+                "sha256:945e3ba63a0b9f577b1395204e13c3a231f9bc0223888be653286534e5873695"
             ],
             ],
-            "version": "==2018.10.15"
+            "version": "==2019.6.16"
         },
         "chardet": {
             "hashes": [
         },
         "chardet": {
             "hashes": [
         },
         "docutils": {
             "hashes": [
         },
         "docutils": {
             "hashes": [
-                "sha256:02aec4bd92ab067f6ff27a38a38a41173bf01bed8f89157768c1573f53e474a6",
-                "sha256:51e64ef2ebfb29cae1faa133b3710143496eca21c530f3f71424d77687764274",
-                "sha256:7a4bd47eaf6596e1295ecb11361139febe29b084a87bf005bf899f9a42edc3c6"
+                "sha256:6c4f696463b79f1fb8ba0c594b63840ebd41f059e92b31957c46b74a4599b6d0",
+                "sha256:9e4d7ecfc600058e07ba661411a2b7de2fd0fafa17d1a7f7361cd47b1175c827",
+                "sha256:a2aeea129088da402665e92e0b25b04b073c04b2dce4ab65caaa38b7ce2e1a99"
             ],
             ],
-            "version": "==0.14"
+            "version": "==0.15.2"
         },
         "gitdb2": {
             "hashes": [
                 "sha256:83361131a1836661a155172932a13c08bda2db3674e4caa32368aa6eb02f38c2",
                 "sha256:e3a0141c5f2a3f635c7209d56c496ebe1ad35da82fe4d3ec4aaa36278d70648a"
             ],
         },
         "gitdb2": {
             "hashes": [
                 "sha256:83361131a1836661a155172932a13c08bda2db3674e4caa32368aa6eb02f38c2",
                 "sha256:e3a0141c5f2a3f635c7209d56c496ebe1ad35da82fe4d3ec4aaa36278d70648a"
             ],
-            "markers": "python_version != '3.1.*' and python_version >= '2.7' and python_version != '3.2.*' and python_version != '3.0.*' and python_version != '3.3.*'",
             "version": "==2.0.5"
         },
         "gitpython": {
             "hashes": [
             "version": "==2.0.5"
         },
         "gitpython": {
             "hashes": [
-                "sha256:563221e5a44369c6b79172f455584c9ebbb122a13368cc82cb4b5addff788f82",
-                "sha256:8237dc5bfd6f1366abeee5624111b9d6879393d84745a507de0fda86043b65a8"
+                "sha256:c15c55ff890cd3a6a8330059e80885410a328f645551b55a91d858bfb3eb2573",
+                "sha256:df752b6b6f06f11213e91c4925aea7eaf9e37e88fb71c8a7a1aa0a5c10852120"
             ],
             "index": "pypi",
             ],
             "index": "pypi",
-            "version": "==2.1.11"
+            "version": "==2.1.13"
         },
         "idna": {
             "hashes": [
         },
         "idna": {
             "hashes": [
-                "sha256:156a6814fb5ac1fc6850fb002e0852d56c0c8d2531923a51032d1b70760e186e",
-                "sha256:684a38a6f903c1d71d6d5fac066b58d7768af4de2b832e426ec79c30daa94a16"
+                "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407",
+                "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c"
             ],
             ],
-            "version": "==2.7"
+            "version": "==2.8"
         },
         "imagesize": {
             "hashes": [
                 "sha256:3f349de3eb99145973fefb7dbe38554414e5c30abd0c8e4b970a7c9d09f3a1d8",
                 "sha256:f3832918bc3c66617f92e35f5d70729187676313caa60c187eb0f28b8fe5e3b5"
             ],
         },
         "imagesize": {
             "hashes": [
                 "sha256:3f349de3eb99145973fefb7dbe38554414e5c30abd0c8e4b970a7c9d09f3a1d8",
                 "sha256:f3832918bc3c66617f92e35f5d70729187676313caa60c187eb0f28b8fe5e3b5"
             ],
-            "markers": "python_version != '3.2.*' and python_version >= '2.7' and python_version != '3.1.*' and python_version != '3.3.*' and python_version != '3.0.*'",
             "version": "==1.1.0"
         },
         "ipcalc": {
             "version": "==1.1.0"
         },
         "ipcalc": {
         },
         "jandd.sphinxext.ip": {
             "hashes": [
         },
         "jandd.sphinxext.ip": {
             "hashes": [
-                "sha256:9038c005331ef0473ffc37b6163dd5fba2ecca097da82feba46a39ac0206a910",
-                "sha256:dfac23f4d819505329c73efe12f5fab2890105b53797fcb3e6c27cf15ff3b994"
+                "sha256:11c4674034d3b874ddf1baa379ec92e2ca3cf7a274ca9d100f11c9eb429ab430",
+                "sha256:18ea4d526882e0be7368e16473da17ff1203041eb93e9d31998336a286088b02"
             ],
             "index": "pypi",
             ],
             "index": "pypi",
-            "version": "==0.2.4"
+            "version": "==0.3.0"
         },
         "jandd.sphinxext.mac": {
             "hashes": [
         },
         "jandd.sphinxext.mac": {
             "hashes": [
         },
         "jinja2": {
             "hashes": [
         },
         "jinja2": {
             "hashes": [
-                "sha256:74c935a1b8bb9a3947c50a54766a969d4846290e1e788ea44c1392163723c3bd",
-                "sha256:f84be1bb0040caca4cea721fcbbbbd61f9be9464ca236387158b0feea01914a4"
+                "sha256:065c4f02ebe7f7cf559e49ee5a95fb800a9e4528727aec6f24402a5374c65013",
+                "sha256:14dd6caf1527abb21f08f86c784eac40853ba93edb79552aa1e4b8aef1b61c7b"
             ],
             ],
-            "version": "==2.10"
+            "version": "==2.10.1"
         },
         "markupsafe": {
             "hashes": [
         },
         "markupsafe": {
             "hashes": [
-                "sha256:a6be69091dac236ea9c6bc7d012beab42010fa914c459791d627dad4910eb665"
+                "sha256:00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473",
+                "sha256:09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161",
+                "sha256:09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235",
+                "sha256:1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5",
+                "sha256:24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff",
+                "sha256:29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b",
+                "sha256:43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1",
+                "sha256:46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e",
+                "sha256:500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183",
+                "sha256:535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66",
+                "sha256:62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1",
+                "sha256:6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1",
+                "sha256:717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e",
+                "sha256:79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b",
+                "sha256:7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905",
+                "sha256:88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735",
+                "sha256:8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d",
+                "sha256:98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e",
+                "sha256:9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d",
+                "sha256:9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c",
+                "sha256:ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21",
+                "sha256:b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2",
+                "sha256:b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5",
+                "sha256:b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b",
+                "sha256:ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6",
+                "sha256:c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f",
+                "sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f",
+                "sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7"
             ],
             ],
-            "version": "==1.0"
+            "version": "==1.1.1"
         },
         "packaging": {
             "hashes": [
         },
         "packaging": {
             "hashes": [
-                "sha256:0886227f54515e592aaa2e5a553332c73962917f2831f1b0f9b9f4380a4b9807",
-                "sha256:f95a1e147590f204328170981833854229bb2912ac3d5f89e2a8ccd2834800c9"
+                "sha256:a7ac867b97fdc07ee80a8058fe4435ccd274ecc3b0ed61d852d7d53055528cf9",
+                "sha256:c491ca87294da7cc01902edbe30a5bc6c4c28172b5138ab4e4aa1b9d7bfaeafe"
             ],
             ],
-            "markers": "python_version != '3.2.*' and python_version != '3.1.*' and python_version >= '2.6' and python_version != '3.0.*'",
-            "version": "==18.0"
+            "version": "==19.1"
         },
         "pygments": {
             "hashes": [
         },
         "pygments": {
             "hashes": [
-                "sha256:78f3f434bcc5d6ee09020f92ba487f95ba50f1e3ef83ae96b9d5ffa1bab25c5d",
-                "sha256:dbae1046def0efb574852fab9e90209b23f556367b5a320c0bcb871c77c3e8cc"
+                "sha256:71e430bc85c88a430f000ac1d9b331d2407f681d6f6aec95e8bcfbc3df5b0127",
+                "sha256:881c4c157e45f30af185c1ffe8d549d48ac9127433f2c380c24b84572ad66297"
             ],
             ],
-            "version": "==2.2.0"
+            "version": "==2.4.2"
         },
         "pyparsing": {
             "hashes": [
         },
         "pyparsing": {
             "hashes": [
-                "sha256:bc6c7146b91af3f567cf6daeaec360bc07d45ffec4cf5353f4d7a208ce7ca30a",
-                "sha256:d29593d8ebe7b57d6967b62494f8c72b03ac0262b1eed63826c6f788b3606401"
+                "sha256:6f98a7b9397e206d78cc01df10131398f1c8b8510a2f4d97d9abd82e1aacdd80",
+                "sha256:d9338df12903bbf5d65a0e4e87c2161968b10d2e489652bb47001d82a9b028b4"
             ],
             ],
-            "markers": "python_version != '3.2.*' and python_version != '3.1.*' and python_version >= '2.6' and python_version != '3.0.*'",
-            "version": "==2.2.2"
+            "version": "==2.4.2"
         },
         "python-dateutil": {
             "hashes": [
         },
         "python-dateutil": {
             "hashes": [
-                "sha256:2f13d3ea236aeb237e7258d5729c46eafe1506fd7f8507f34730734ed8b37454",
-                "sha256:f7cde3aecf8a797553d6ec49b65f0fbcffe7ffb971ccac452d181c28fd279936"
+                "sha256:7e6584c74aeed623791615e26efd690f29817a27c73085b78e4bad02493df2fb",
+                "sha256:c89805f6f4d64db21ed966fda138f8a5ed7a4fdbc1a8ee329ce1b74e3c74da9e"
             ],
             ],
-            "version": "==2.7.4"
+            "version": "==2.8.0"
         },
         "pytz": {
             "hashes": [
         },
         "pytz": {
             "hashes": [
-                "sha256:642253af8eae734d1509fc6ac9c1aee5e5b69d76392660889979b9870610a46b",
-                "sha256:91e3ccf2c344ffaa6defba1ce7f38f97026943f675b7703f44789768e4cb0ece"
+                "sha256:303879e36b721603cc54604edcac9d20401bdbe31e1e4fdee5b9f98d5d31dfda",
+                "sha256:d747dd3d23d77ef44c6a3526e274af6efeb0a6f1afd5a69ba4d5be4098c8e141"
             ],
             ],
-            "version": "==2018.6"
+            "version": "==2019.1"
         },
         "requests": {
             "hashes": [
         },
         "requests": {
             "hashes": [
-                "sha256:99dcfdaaeb17caf6e526f32b6a7b780461512ab3f1d992187801694cba42770c",
-                "sha256:a84b8c9ab6239b578f22d1c21d51b696dcfe004032bb80ea832398d6909d7279"
+                "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4",
+                "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31"
             ],
             ],
-            "markers": "python_version != '3.1.*' and python_version < '4' and python_version != '3.3.*' and python_version != '3.0.*' and python_version != '3.2.*' and python_version >= '2.7'",
-            "version": "==2.20.0"
+            "version": "==2.22.0"
         },
         "six": {
             "hashes": [
         },
         "six": {
             "hashes": [
-                "sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9",
-                "sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb"
+                "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c",
+                "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"
             ],
             ],
-            "version": "==1.11.0"
+            "version": "==1.12.0"
         },
         "smmap2": {
             "hashes": [
                 "sha256:0555a7bf4df71d1ef4218e4807bbf9b201f910174e6e08af2e138d4e517b4dde",
                 "sha256:29a9ffa0497e7f2be94ca0ed1ca1aa3cd4cf25a1f6b4f5f87f74b46ed91d609a"
             ],
         },
         "smmap2": {
             "hashes": [
                 "sha256:0555a7bf4df71d1ef4218e4807bbf9b201f910174e6e08af2e138d4e517b4dde",
                 "sha256:29a9ffa0497e7f2be94ca0ed1ca1aa3cd4cf25a1f6b4f5f87f74b46ed91d609a"
             ],
-            "markers": "python_version != '3.1.*' and python_version >= '2.7' and python_version != '3.2.*' and python_version != '3.0.*' and python_version != '3.3.*'",
             "version": "==2.0.5"
         },
         "snowballstemmer": {
             "hashes": [
             "version": "==2.0.5"
         },
         "snowballstemmer": {
             "hashes": [
-                "sha256:919f26a68b2c17a7634da993d91339e288964f93c274f1343e3bbbe2096e1128",
-                "sha256:9f3bcd3c401c3e862ec0ebe6d2c069ebc012ce142cce209c098ccb5b09136e89"
+                "sha256:9f3b9ffe0809d174f7047e121431acf99c89a7040f0ca84f94ba53a498e6d0c9"
             ],
             ],
-            "version": "==1.2.1"
+            "version": "==1.9.0"
         },
         "sphinx": {
             "hashes": [
         },
         "sphinx": {
             "hashes": [
-                "sha256:652eb8c566f18823a022bb4b6dbc868d366df332a11a0226b5bc3a798a479f17",
-                "sha256:d222626d8356de702431e813a05c68a35967e3d66c6cd1c2c89539bb179a7464"
+                "sha256:22538e1bbe62b407cf5a8aabe1bb15848aa66bb79559f42f5202bbce6b757a69",
+                "sha256:f9a79e746b87921cabc3baa375199c6076d1270cee53915dbd24fdbeaaacc427"
             ],
             "index": "pypi",
             ],
             "index": "pypi",
-            "version": "==1.8.1"
+            "version": "==2.1.2"
         },
         },
-        "sphinxcontrib-websupport": {
+        "sphinxcontrib-applehelp": {
             "hashes": [
             "hashes": [
-                "sha256:68ca7ff70785cbe1e7bccc71a48b5b6d965d79ca50629606c7861a21b206d9dd",
-                "sha256:9de47f375baf1ea07cdb3436ff39d7a9c76042c10a769c52353ec46e4e8fc3b9"
+                "sha256:edaa0ab2b2bc74403149cb0209d6775c96de797dfd5b5e2a71981309efab3897",
+                "sha256:fb8dee85af95e5c30c91f10e7eb3c8967308518e0f7488a2828ef7bc191d0d5d"
             ],
             ],
-            "markers": "python_version != '3.2.*' and python_version >= '2.7' and python_version != '3.1.*' and python_version != '3.3.*' and python_version != '3.0.*'",
-            "version": "==1.1.0"
+            "version": "==1.0.1"
+        },
+        "sphinxcontrib-devhelp": {
+            "hashes": [
+                "sha256:6c64b077937330a9128a4da74586e8c2130262f014689b4b89e2d08ee7294a34",
+                "sha256:9512ecb00a2b0821a146736b39f7aeb90759834b07e81e8cc23a9c70bacb9981"
+            ],
+            "version": "==1.0.1"
+        },
+        "sphinxcontrib-htmlhelp": {
+            "hashes": [
+                "sha256:4670f99f8951bd78cd4ad2ab962f798f5618b17675c35c5ac3b2132a14ea8422",
+                "sha256:d4fd39a65a625c9df86d7fa8a2d9f3cd8299a3a4b15db63b50aac9e161d8eff7"
+            ],
+            "version": "==1.0.2"
+        },
+        "sphinxcontrib-jsmath": {
+            "hashes": [
+                "sha256:2ec2eaebfb78f3f2078e73666b1415417a116cc848b72e5172e596c871103178",
+                "sha256:a9925e4a4587247ed2191a22df5f6970656cb8ca2bd6284309578f2153e0c4b8"
+            ],
+            "version": "==1.0.1"
+        },
+        "sphinxcontrib-qthelp": {
+            "hashes": [
+                "sha256:513049b93031beb1f57d4daea74068a4feb77aa5630f856fcff2e50de14e9a20",
+                "sha256:79465ce11ae5694ff165becda529a600c754f4bc459778778c7017374d4d406f"
+            ],
+            "version": "==1.0.2"
+        },
+        "sphinxcontrib-serializinghtml": {
+            "hashes": [
+                "sha256:c0efb33f8052c04fd7a26c0a07f1678e8512e0faec19f4aa8f2473a8b81d5227",
+                "sha256:db6615af393650bf1151a6cd39120c29abaf93cc60db8c48eb2dddbfdc3a9768"
+            ],
+            "version": "==1.1.3"
         },
         "urllib3": {
             "hashes": [
         },
         "urllib3": {
             "hashes": [
-                "sha256:41c3db2fc01e5b907288010dec72f9d0a74e37d6994e6eb56849f59fea2265ae",
-                "sha256:8819bba37a02d143296a4d032373c4dd4aca11f6d4c9973335ca75f9c8475f59"
+                "sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1",
+                "sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232"
             ],
             ],
-            "markers": "python_version != '3.1.*' and python_version < '4' and python_version != '3.3.*' and python_version != '3.0.*' and python_version != '3.2.*' and python_version >= '2.7'",
-            "version": "==1.24"
+            "version": "==1.25.3"
         },
         "validate-email": {
             "hashes": [
         },
         "validate-email": {
             "hashes": [
index 52ae16d..a9b4ace 100644 (file)
@@ -23,54 +23,55 @@ from docutils import nodes, utils
 # If extensions (or modules to document with autodoc) are in another directory,
 # add these directories to sys.path here. If the directory is relative to the
 # documentation root, use os.path.abspath to make it absolute, like shown here.
 # If extensions (or modules to document with autodoc) are in another directory,
 # add these directories to sys.path here. If the directory is relative to the
 # documentation root, use os.path.abspath to make it absolute, like shown here.
-sys.path.insert(0, os.path.abspath('.'))
+sys.path.insert(0, os.path.abspath("."))
 
 # -- General configuration ------------------------------------------------
 
 # If your documentation needs a minimal Sphinx version, state it here.
 
 # -- General configuration ------------------------------------------------
 
 # If your documentation needs a minimal Sphinx version, state it here.
-#needs_sphinx = '1.0'
+# needs_sphinx = '1.0'
 
 # Add any Sphinx extension module names here, as strings. They can be
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
 extensions = [
 
 # Add any Sphinx extension module names here, as strings. They can be
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
 extensions = [
-    'sphinx.ext.todo',
-    'sphinx.ext.extlinks',
-    'jandd.sphinxext.ip',
-    'jandd.sphinxext.mac',
-    'sphinxext.cacert',
+    "sphinx.ext.todo",
+    "sphinx.ext.extlinks",
+    "jandd.sphinxext.ip",
+    "jandd.sphinxext.mac",
+    "sphinxext.cacert",
 ]
 
 # Add any paths that contain templates here, relative to this directory.
 ]
 
 # Add any paths that contain templates here, relative to this directory.
-templates_path = ['_templates']
+templates_path = ["_templates"]
 
 # The suffix(es) of source filenames.
 # You can specify multiple suffix as a list of string:
 # source_suffix = ['.rst', '.md']
 
 # The suffix(es) of source filenames.
 # You can specify multiple suffix as a list of string:
 # source_suffix = ['.rst', '.md']
-source_suffix = '.rst'
+source_suffix = ".rst"
 
 # The encoding of source files.
 
 # The encoding of source files.
-#source_encoding = 'utf-8-sig'
+# source_encoding = 'utf-8-sig'
 
 # The master toctree document.
 
 # The master toctree document.
-master_doc = 'index'
+master_doc = "index"
 
 # General information about the project.
 
 # General information about the project.
-project = u'CAcert infrastructure'
-copyright = u'2016, 2017, 2018 Jan Dittberner, CAcert'
-author = u'CAcert infrastructure team'
+project = u"CAcert infrastructure"
+copyright = u"2016, 2017, 2018 Jan Dittberner, CAcert"
+author = u"CAcert infrastructure team"
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
 # built documents.
 #
 # The short X.Y version.
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
 # built documents.
 #
 # The short X.Y version.
-version = u'0.1'
+version = u"0.1"
 # The full version, including alpha/beta/rc tags.
 release = "{}-git:{} built:{}".format(
 # The full version, including alpha/beta/rc tags.
 release = "{}-git:{} built:{}".format(
-        version,
-        repo.Repo('..').git.describe('--always', '--dirty'),
-        datetime.utcnow().replace(microsecond=0))
+    version,
+    repo.Repo("..").git.describe("--always", "--dirty"),
+    datetime.utcnow().replace(microsecond=0),
+)
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
@@ -81,37 +82,37 @@ language = None
 
 # There are two options for replacing |today|: either, you set today to some
 # non-false value, then it is used:
 
 # There are two options for replacing |today|: either, you set today to some
 # non-false value, then it is used:
-#today = ''
+# today = ''
 # Else, today_fmt is used as the format for a strftime call.
 # Else, today_fmt is used as the format for a strftime call.
-#today_fmt = '%B %d, %Y'
+# today_fmt = '%B %d, %Y'
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
-exclude_patterns = ['_build', 'systems/template.rst', 'critical/template.rst']
+exclude_patterns = ["_build", "systems/template.rst", "critical/template.rst"]
 
 # The reST default role (used for this markup: `text`) to use for all
 # documents.
 
 # The reST default role (used for this markup: `text`) to use for all
 # documents.
-#default_role = None
+# default_role = None
 
 # If true, '()' will be appended to :func: etc. cross-reference text.
 
 # If true, '()' will be appended to :func: etc. cross-reference text.
-#add_function_parentheses = True
+# add_function_parentheses = True
 
 # If true, the current module name will be prepended to all description
 # unit titles (such as .. function::).
 
 # If true, the current module name will be prepended to all description
 # unit titles (such as .. function::).
-#add_module_names = True
+# add_module_names = True
 
 # If true, sectionauthor and moduleauthor directives will be shown in the
 # output. They are ignored by default.
 
 # If true, sectionauthor and moduleauthor directives will be shown in the
 # output. They are ignored by default.
-#show_authors = False
+# show_authors = False
 
 # The name of the Pygments (syntax highlighting) style to use.
 
 # The name of the Pygments (syntax highlighting) style to use.
-pygments_style = 'sphinx'
+pygments_style = "sphinx"
 
 # A list of ignored prefixes for module index sorting.
 
 # A list of ignored prefixes for module index sorting.
-#modindex_common_prefix = []
+# modindex_common_prefix = []
 
 # If true, keep warnings as "system message" paragraphs in the built documents.
 
 # If true, keep warnings as "system message" paragraphs in the built documents.
-#keep_warnings = False
+# keep_warnings = False
 
 # If true, `todo` and `todoList` produce output, else they produce nothing.
 todo_include_todos = True
 
 # If true, `todo` and `todoList` produce output, else they produce nothing.
 todo_include_todos = True
@@ -121,147 +122,149 @@ todo_include_todos = True
 
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
 
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
-html_theme = 'classic'
+html_theme = "classic"
 
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
 # documentation.
 html_theme_options = {
 
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
 # documentation.
 html_theme_options = {
-    'sidebarbgcolor': '#f5f7f7',
-    'sidebartextcolor': '#334d55',
-    'sidebarlinkcolor': '#005fa9',
+    "sidebarbgcolor": "#f5f7f7",
+    "sidebartextcolor": "#334d55",
+    "sidebarlinkcolor": "#005fa9",
 }
 
 # Add any paths that contain custom themes here, relative to this directory.
 }
 
 # Add any paths that contain custom themes here, relative to this directory.
-#html_theme_path = []
+# html_theme_path = []
 
 # The name for this set of Sphinx documents.  If None, it defaults to
 # "<project> v<release> documentation".
 html_title = project + " documentation v" + release
 
 # A shorter title for the navigation bar.  Default is the same as html_title.
 
 # The name for this set of Sphinx documents.  If None, it defaults to
 # "<project> v<release> documentation".
 html_title = project + " documentation v" + release
 
 # A shorter title for the navigation bar.  Default is the same as html_title.
-#html_short_title = None
+# html_short_title = None
 
 # The name of an image file (relative to this directory) to place at the top
 # of the sidebar.
 
 # The name of an image file (relative to this directory) to place at the top
 # of the sidebar.
-html_logo = os.path.join('images', 'CAcert-logo-colour.svg')
+html_logo = os.path.join("images", "CAcert-logo-colour.svg")
 
 # The name of an image file (relative to this directory) to use as a favicon of
 # the docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
 # pixels large.
 
 # The name of an image file (relative to this directory) to use as a favicon of
 # the docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
 # pixels large.
-html_favicon = os.path.join('images', 'favicon.ico')
+html_favicon = os.path.join("images", "favicon.ico")
 
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
 
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
+html_static_path = ["_static"]
 
 # Add any extra paths that contain custom files (such as robots.txt or
 # .htaccess) here, relative to this directory. These files are copied
 # directly to the root of the documentation.
 
 # Add any extra paths that contain custom files (such as robots.txt or
 # .htaccess) here, relative to this directory. These files are copied
 # directly to the root of the documentation.
-#html_extra_path = []
+# html_extra_path = []
 
 # If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
 # using the given strftime format.
 
 # If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
 # using the given strftime format.
-#html_last_updated_fmt = '%b %d, %Y'
+# html_last_updated_fmt = '%b %d, %Y'
 
 # If true, SmartyPants will be used to convert quotes and dashes to
 # typographically correct entities.
 
 # If true, SmartyPants will be used to convert quotes and dashes to
 # typographically correct entities.
-#html_use_smartypants = True
+# html_use_smartypants = True
 
 # Custom sidebar templates, maps document names to template names.
 
 # Custom sidebar templates, maps document names to template names.
-#html_sidebars = {}
+# html_sidebars = {}
 
 # Additional templates that should be rendered to pages, maps page names to
 # template names.
 
 # Additional templates that should be rendered to pages, maps page names to
 # template names.
-#html_additional_pages = {}
+# html_additional_pages = {}
 
 # If false, no module index is generated.
 
 # If false, no module index is generated.
-#html_domain_indices = True
+# html_domain_indices = True
 
 # If false, no index is generated.
 
 # If false, no index is generated.
-#html_use_index = True
+# html_use_index = True
 
 # If true, the index is split into individual pages for each letter.
 
 # If true, the index is split into individual pages for each letter.
-#html_split_index = False
+# html_split_index = False
 
 # If true, links to the reST sources are added to the pages.
 
 # If true, links to the reST sources are added to the pages.
-#html_show_sourcelink = True
+# html_show_sourcelink = True
 
 # If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
 
 # If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
-#html_show_sphinx = True
+# html_show_sphinx = True
 
 # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
 
 # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
-#html_show_copyright = True
+# html_show_copyright = True
 
 # If true, an OpenSearch description file will be output, and all pages will
 # contain a <link> tag referring to it.  The value of this option must be the
 # base URL from which the finished HTML is served.
 
 # If true, an OpenSearch description file will be output, and all pages will
 # contain a <link> tag referring to it.  The value of this option must be the
 # base URL from which the finished HTML is served.
-#html_use_opensearch = ''
+# html_use_opensearch = ''
 
 # This is the file name suffix for HTML files (e.g. ".xhtml").
 
 # This is the file name suffix for HTML files (e.g. ".xhtml").
-#html_file_suffix = None
+# html_file_suffix = None
 
 # Language to be used for generating the HTML full-text search index.
 # Sphinx supports the following languages:
 #   'da', 'de', 'en', 'es', 'fi', 'fr', 'hu', 'it', 'ja'
 #   'nl', 'no', 'pt', 'ro', 'ru', 'sv', 'tr'
 
 # Language to be used for generating the HTML full-text search index.
 # Sphinx supports the following languages:
 #   'da', 'de', 'en', 'es', 'fi', 'fr', 'hu', 'it', 'ja'
 #   'nl', 'no', 'pt', 'ro', 'ru', 'sv', 'tr'
-#html_search_language = 'en'
+# html_search_language = 'en'
 
 # A dictionary with options for the search language support, empty by default.
 # Now only 'ja' uses this config value
 
 # A dictionary with options for the search language support, empty by default.
 # Now only 'ja' uses this config value
-#html_search_options = {'type': 'default'}
+# html_search_options = {'type': 'default'}
 
 # The name of a javascript file (relative to the configuration directory) that
 # implements a search results scorer. If empty, the default will be used.
 
 # The name of a javascript file (relative to the configuration directory) that
 # implements a search results scorer. If empty, the default will be used.
-#html_search_scorer = 'scorer.js'
+# html_search_scorer = 'scorer.js'
 
 # Output file base name for HTML help builder.
 
 # Output file base name for HTML help builder.
-htmlhelp_basename = 'CAcertinfrastructuredoc'
+htmlhelp_basename = "CAcertinfrastructuredoc"
 
 # -- Options for LaTeX output ---------------------------------------------
 
 latex_elements = {
 
 # -- Options for LaTeX output ---------------------------------------------
 
 latex_elements = {
-# The paper size ('letterpaper' or 'a4paper').
-#'papersize': 'letterpaper',
-
-# The font size ('10pt', '11pt' or '12pt').
-#'pointsize': '10pt',
-
-# Additional stuff for the LaTeX preamble.
-#'preamble': '',
-
-# Latex figure (float) alignment
-#'figure_align': 'htbp',
+    # The paper size ('letterpaper' or 'a4paper').
+    #'papersize': 'letterpaper',
+    # The font size ('10pt', '11pt' or '12pt').
+    #'pointsize': '10pt',
+    # Additional stuff for the LaTeX preamble.
+    #'preamble': '',
+    # Latex figure (float) alignment
+    #'figure_align': 'htbp',
 }
 
 # Grouping the document tree into LaTeX files. List of tuples
 # (source start file, target name, title,
 #  author, documentclass [howto, manual, or own class]).
 latex_documents = [
 }
 
 # Grouping the document tree into LaTeX files. List of tuples
 # (source start file, target name, title,
 #  author, documentclass [howto, manual, or own class]).
 latex_documents = [
-    (master_doc, 'CAcertinfrastructure.tex', u'CAcert infrastructure Documentation',
-     u'Jan Dittberner', 'manual'),
+    (
+        master_doc,
+        "CAcertinfrastructure.tex",
+        u"CAcert infrastructure Documentation",
+        u"Jan Dittberner",
+        "manual",
+    )
 ]
 
 # The name of an image file (relative to this directory) to place at the top of
 # the title page.
 ]
 
 # The name of an image file (relative to this directory) to place at the top of
 # the title page.
-#latex_logo = None
+# latex_logo = None
 
 # For "manual" documents, if this is true, then toplevel headings are parts,
 # not chapters.
 
 # For "manual" documents, if this is true, then toplevel headings are parts,
 # not chapters.
-#latex_use_parts = False
+# latex_use_parts = False
 
 # If true, show page references after internal links.
 
 # If true, show page references after internal links.
-#latex_show_pagerefs = False
+# latex_show_pagerefs = False
 
 # If true, show URL addresses after external links.
 
 # If true, show URL addresses after external links.
-#latex_show_urls = False
+# latex_show_urls = False
 
 # Documents to append as an appendix to all manuals.
 
 # Documents to append as an appendix to all manuals.
-#latex_appendices = []
+# latex_appendices = []
 
 # If false, no module index is generated.
 
 # If false, no module index is generated.
-#latex_domain_indices = True
+# latex_domain_indices = True
 
 
 # -- Options for manual page output ---------------------------------------
 
 
 # -- Options for manual page output ---------------------------------------
@@ -269,12 +272,17 @@ latex_documents = [
 # One entry per manual page. List of tuples
 # (source start file, name, description, authors, manual section).
 man_pages = [
 # One entry per manual page. List of tuples
 # (source start file, name, description, authors, manual section).
 man_pages = [
-    (master_doc, 'cacertinfrastructure', u'CAcert infrastructure Documentation',
-     [author], 1)
+    (
+        master_doc,
+        "cacertinfrastructure",
+        u"CAcert infrastructure Documentation",
+        [author],
+        1,
+    )
 ]
 
 # If true, show URL addresses after external links.
 ]
 
 # If true, show URL addresses after external links.
-#man_show_urls = False
+# man_show_urls = False
 
 
 # -- Options for Texinfo output -------------------------------------------
 
 
 # -- Options for Texinfo output -------------------------------------------
@@ -283,22 +291,28 @@ man_pages = [
 # (source start file, target name, title, author,
 #  dir menu entry, description, category)
 texinfo_documents = [
 # (source start file, target name, title, author,
 #  dir menu entry, description, category)
 texinfo_documents = [
-    (master_doc, 'CAcertinfrastructure', u'CAcert infrastructure Documentation',
-     author, 'CAcertinfrastructure', 'One line description of project.',
-     'Miscellaneous'),
+    (
+        master_doc,
+        "CAcertinfrastructure",
+        u"CAcert infrastructure Documentation",
+        author,
+        "CAcertinfrastructure",
+        "One line description of project.",
+        "Miscellaneous",
+    )
 ]
 
 # Documents to append as an appendix to all manuals.
 ]
 
 # Documents to append as an appendix to all manuals.
-#texinfo_appendices = []
+# texinfo_appendices = []
 
 # If false, no module index is generated.
 
 # If false, no module index is generated.
-#texinfo_domain_indices = True
+# texinfo_domain_indices = True
 
 # How to display URL addresses: 'footnote', 'no', or 'inline'.
 
 # How to display URL addresses: 'footnote', 'no', or 'inline'.
-#texinfo_show_urls = 'footnote'
+# texinfo_show_urls = 'footnote'
 
 # If true, do not generate a @detailmenu in the "Top" node's menu.
 
 # If true, do not generate a @detailmenu in the "Top" node's menu.
-#texinfo_no_detailmenu = False
+# texinfo_no_detailmenu = False
 
 
 # -- Options for Epub output ----------------------------------------------
 
 
 # -- Options for Epub output ----------------------------------------------
@@ -310,72 +324,75 @@ epub_publisher = author
 epub_copyright = copyright
 
 # The basename for the epub file. It defaults to the project name.
 epub_copyright = copyright
 
 # The basename for the epub file. It defaults to the project name.
-#epub_basename = project
+# epub_basename = project
 
 # The HTML theme for the epub output. Since the default themes are not
 # optimized for small screen space, using the same theme for HTML and epub
 # output is usually not wise. This defaults to 'epub', a theme designed to save
 # visual space.
 
 # The HTML theme for the epub output. Since the default themes are not
 # optimized for small screen space, using the same theme for HTML and epub
 # output is usually not wise. This defaults to 'epub', a theme designed to save
 # visual space.
-#epub_theme = 'epub'
+# epub_theme = 'epub'
 
 # The language of the text. It defaults to the language option
 # or 'en' if the language is not set.
 
 # The language of the text. It defaults to the language option
 # or 'en' if the language is not set.
-#epub_language = ''
+# epub_language = ''
 
 # The scheme of the identifier. Typical schemes are ISBN or URL.
 
 # The scheme of the identifier. Typical schemes are ISBN or URL.
-#epub_scheme = ''
+# epub_scheme = ''
 
 # The unique identifier of the text. This can be a ISBN number
 # or the project homepage.
 
 # The unique identifier of the text. This can be a ISBN number
 # or the project homepage.
-#epub_identifier = ''
+# epub_identifier = ''
 
 # A unique identification for the text.
 
 # A unique identification for the text.
-#epub_uid = ''
+# epub_uid = ''
 
 # A tuple containing the cover image and cover page html template filenames.
 
 # A tuple containing the cover image and cover page html template filenames.
-#epub_cover = ()
+# epub_cover = ()
 
 # A sequence of (type, uri, title) tuples for the guide element of content.opf.
 
 # A sequence of (type, uri, title) tuples for the guide element of content.opf.
-#epub_guide = ()
+# epub_guide = ()
 
 # HTML files that should be inserted before the pages created by sphinx.
 # The format is a list of tuples containing the path and title.
 
 # HTML files that should be inserted before the pages created by sphinx.
 # The format is a list of tuples containing the path and title.
-#epub_pre_files = []
+# epub_pre_files = []
 
 # HTML files that should be inserted after the pages created by sphinx.
 # The format is a list of tuples containing the path and title.
 
 # HTML files that should be inserted after the pages created by sphinx.
 # The format is a list of tuples containing the path and title.
-#epub_post_files = []
+# epub_post_files = []
 
 # A list of files that should not be packed into the epub file.
 
 # A list of files that should not be packed into the epub file.
-epub_exclude_files = ['search.html']
+epub_exclude_files = ["search.html"]
 
 # The depth of the table of contents in toc.ncx.
 
 # The depth of the table of contents in toc.ncx.
-#epub_tocdepth = 3
+# epub_tocdepth = 3
 
 # Allow duplicate toc entries.
 
 # Allow duplicate toc entries.
-#epub_tocdup = True
+# epub_tocdup = True
 
 # Choose between 'default' and 'includehidden'.
 
 # Choose between 'default' and 'includehidden'.
-#epub_tocscope = 'default'
+# epub_tocscope = 'default'
 
 # Fix unsupported image types using the Pillow.
 
 # Fix unsupported image types using the Pillow.
-#epub_fix_images = False
+# epub_fix_images = False
 
 # Scale large images.
 
 # Scale large images.
-#epub_max_image_width = 0
+# epub_max_image_width = 0
 
 # How to display URL addresses: 'footnote', 'no', or 'inline'.
 
 # How to display URL addresses: 'footnote', 'no', or 'inline'.
-#epub_show_urls = 'inline'
+# epub_show_urls = 'inline'
 
 # If false, no index is generated.
 
 # If false, no index is generated.
-#epub_use_index = True
+# epub_use_index = True
 
 
 extlinks = {
 
 
 extlinks = {
-    'wiki': ('https://wiki.cacert.org/%s', 'Wiki '),
-    'cacertgit': (
-        'https://git.cacert.org/gitweb/?p=%s.git', 'CAcert Git repository '),
-    'github': ('https://github.com/CAcertOrg/%s', 'Github repository '),
+    "wiki": ("https://wiki.cacert.org/%s", "Wiki "),
+    "cacertgit": ("https://git.cacert.org/gitweb/?p=%s.git", "CAcert Git repository "),
+    "github": ("https://github.com/CAcertOrg/%s", "Github repository "),
+    "monitor": (
+        "https://monitor.cacert.org/monitoring/host/show?host=%s",
+        "Monitoring checks for ",
+    ),
 }
 
 
 }
 
 
@@ -386,15 +403,16 @@ def cacert_bug(name, rawtext, text, lineno, inliner, options={}, content=[]):
             raise ValueError
     except ValueError:
         msg = inliner.reporter.error(
             raise ValueError
     except ValueError:
         msg = inliner.reporter.error(
-            'Bug number must be a number greater than or equal to 1; '
-            '"%s" is invalid.' % text, line=lineno)
+            "Bug number must be a number greater than or equal to 1; "
+            '"%s" is invalid.' % text,
+            line=lineno,
+        )
         prb = inliner.problematic(rawtext, rawtext, msg)
         return [prb], [msg]
         prb = inliner.problematic(rawtext, rawtext, msg)
         return [prb], [msg]
-    ref = 'https://bugs.cacert.org/view.php?id=%d' % bugnum
-    node = nodes.reference(rawtext, '#' + utils.unescape(text), refuri=ref,
-                           **options)
+    ref = "https://bugs.cacert.org/view.php?id=%d" % bugnum
+    node = nodes.reference(rawtext, "#" + utils.unescape(text), refuri=ref, **options)
     return [node], []
 
 
 def setup(app):
     return [node], []
 
 
 def setup(app):
-    app.add_role('bug', cacert_bug)
+    app.add_role("bug", cacert_bug)
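--- a/docs/critical/ocsp.rst
+++ b/docs/critical/ocsp.rst
@@ -24,18 +24,18 @@ Keys and X.509 certificates
    :altnames:
    :certfile:   /usr/local/etc/ocspd/certs/class1.crt
    :keyfile:    /usr/local/etc/ocspd/private/class1.key
-   :serial:     1320EE
-   :expiration: Aug 25 09:45:00 2019 GMT
-   :sha1fp:     68:08:77:DD:F2:3A:8C:2F:A0:DC:EC:6B:BD:C6:71:80:DD:44:3A:C7
+   :serial:     144847
+   :expiration: Aug 24 14:12:48 2021 GMT
+   :sha1fp:     6A:F9:88:26:25:F2:58:D2:4F:0D:A9:FB:F2:27:DE:A1:49:0B:84:B2
    :issuer:     CAcert Class 1 Root
 
 .. sslcert:: ocsp.cacert.org class3 (issued with X509v3 Extended Key Usage: OCSP Signing)
    :altnames:
    :certfile:   /usr/local/etc/ocspd/certs/class3.crt
    :keyfile:    /usr/local/etc/ocspd/private/class1.key
-   :serial:     02B395
-   :expiration: Aug 25 09:44:51 2019 GMT
-   :sha1fp:     AA:F0:AE:3D:0A:11:47:6C:9F:1E:EB:23:15:15:38:40:CA:29:0D:45
+   :serial:     2d99d
+   :expiration: Aug 24 14:14:29 2021 GMT
+   :sha1fp:     3A:53:54:CF:57:83:5D:F5:DC:0F:53:D2:7E:30:22:AF:68:83:24:B8
    :issuer:     CAcert Class 3 Root
 
 Note: generating a CSR with OCSP Signing flag set can be done with an openssl config file like this: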
diff --git a/docs/external.rst b/docs/external.rst
new file mode 100644 (file)
index 0000000..464c569
--- /dev/null
@@ -0,0 +1,11 @@
+================
+External Systems
+================
+
+External systems that are relevant to the CAcert infrastructure but are not
+part of the infrastructure.
+
+.. toctree::
+   :maxdepth: 1
+
+   external/extmon
diff --git a/docs/external/extmon.rst b/docs/external/extmon.rst
new file mode 100644 (file)
index 0000000..1b9cb4e
--- /dev/null
@@ -0,0 +1,242 @@
+.. index::
+   single: Systems; Extmon
+
+======
+Extmon
+======
+
+Purpose
+=======
+
+Extmon is used as an external Icinga2 agent that monitors the availability of
+CAcert service from the Internet. The system is sponsored by
+:ref:`people_jandd` and is running on a Hetzner cloud instance in Germany.
+
+Application Links
+-----------------
+
+`Service checks executed by extmon <https://monitor.cacert.org/monitoring/list/servicegroups#!/monitoring/list/services?servicegroup_name=external-checks>`_
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+Application Administration
+--------------------------
+
++---------------+---------------------+
+| Application   | Administrator(s)    |
++===============+=====================+
+| icinga2 agent | :ref:`people_jandd` |
++---------------+---------------------+
+
+Contact
+-------
+
+* extmon-admin@cacert.org
+
+Additional People
+-----------------
+
+No other people have :program:`sudo` access on that machine.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is a virtual KVM machine hosted on a Hetzner cloud server in
+N├╝rnberg, Germany.
+
+Physical Configuration
+----------------------
+
+* 1 VCPU
+* 2 GB RAM
+* 20 GB local disc
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`116.203.192.12`
+:IPv6:        :ip:v6:`2a01:4f8:c2c:a5b9::1`
+:MAC address: :mac:`96:00:00:2c:89:82` (eth0)
+
+.. seealso::
+
+   See :doc:`../network`
+
+.. index::
+   single: Monitoring; Extmon
+
+Monitoring
+----------
+
+:internal checks: :monitor:`extmon.infra.cacert.org`
+
+DNS
+---
+
+The system has no DNS entries.
+
+Operating System
+----------------
+
+.. index::
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
+
+* Debian GNU/Linux 10.0
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+-------------------------------+
+| Port     | Service | Origin  | Purpose                       |
++==========+=========+=========+===============================+
+| 22/tcp   | ssh     | ANY     | admin console access          |
++----------+---------+---------+-------------------------------+
+| 25/tcp   | smtp    | local   | mail delivery to local MTA    |
++----------+---------+---------+-------------------------------+
+| 68/udp   | dhcp    | hetzner | dynamic network configuration |
++----------+---------+---------+-------------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service     |
++----------+---------+---------+-------------------------------+
+
+Running services
+----------------
+
+.. index::
+   single: cron
+   single: dbus
+   single: exim4
+   single: icinga2
+   single: openssh
+   single: puppet
+   single: rsyslog
+
++----------------+--------------------------+----------------------------------+
+| Service        | Usage                    | Start mechanism                  |
++================+==========================+==================================+
+| cron           | job scheduler            | systemd unit ``cron.service``    |
++----------------+--------------------------+----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``    |
+|                | daemon                   |                                  |
++----------------+--------------------------+----------------------------------+
+| Exim           | SMTP server for          | systemd unit ``exim4.service``   |
+|                | local mail submission    |                                  |
++----------------+--------------------------+----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for           | systemd unit ``ssh.service``     |
+|                | remote administration    |                                  |
++----------------+--------------------------+----------------------------------+
+| Puppet agent   | configuration            | systemd unit ``puppet.service``  |
+|                | management agent         |                                  |
++----------------+--------------------------+----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service`` |
++----------------+--------------------------+----------------------------------+
+
+Databases
+---------
+
+* None
+
+Connected Systems
+-----------------
+
+* :doc:`../systems/monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) Hetzner cloud nameservers
+* :doc:`../systems/puppet` (tcp/8140) as Puppet master
+* checked CAcert systems on publicly opened ports
+
+Security
+========
+
+.. sshkeys::
+   :RSA:     SHA256:pRCCUOzQbNf2MSDyq3mt/zCYrf9Cowo0tUp+cLcP5ZU MD5:89:07:d2:68:02:37:73:86:a3:f0:53:46:e9:93:3c:b5
+   :DSA:     SHA256:qQmdmDcCrj9CgGK/LsT0zz8d90wCmn0HlSmt9WRqIF8 MD5:8c:f0:fa:e2:18:98:22:fb:ae:ed:c3:84:78:0e:70:5f
+   :ECDSA:   SHA256:+5X1KhHfqCSfVzNhT6xXpKYwsS/bZvI5rOM7hPogcWo MD5:f3:65:d0:12:a6:e9:cc:91:f4:55:32:c0:ca:75:59:17
+   :ED25519: SHA256:lxUPfNgUMZ/JrZHVG9Qc33x7vqyKGgmIJ54rgx+dZow MD5:39:b7:17:91:05:2d:1c:ad:4b:5a:5e:e0:e6:01:2c:a5
+
+Dedicated user roles
+--------------------
+
+* None
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+The system provides no public services besides an Icinga2 agent that executes
+commands sent from :doc:`../systems/monitor`.
+
+The Puppet agent package and a few dependencies are installed from the
+official Puppet APT repository because the versions in Debian are too old to
+use modern Puppet features.
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
+Keys and X.509 certificates
+---------------------------
+
+* None
+
+Tasks
+=====
+
+Add a service to be checked by extmon
+-------------------------------------
+
+Service monitoring is configured in the :cacertgit:`cacert-icinga2-conf_d`.
+
+All checks for services on hosts with the following block will be executed by
+extmon:
+
+.. code-block::
+
+   vars.external = true
+
+Changes
+=======
+
+Planned
+-------
+
+* None
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+* None
+
+References
+----------
+
+* https://icinga.com/docs/icinga2/latest/
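--- a/docs/index.rst
+++ b/docs/index.rst
@@ -12,6 +12,7 @@ Table of Contents
 
    critical
    systems
+   external
    lxcsetup
    network
    iplist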
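--- a/docs/iplist.rst
+++ b/docs/iplist.rst
@@ -12,6 +12,10 @@ Internet IP addresses
 
 .. ip:v6range:: 2001:7b8:616:162:2::/80
 
+.. ip:v4range:: 116.203.192.12/32
+
+.. ip:v6range:: 2a01:4f8:c2c:a5b9::1/128
+
 
 Intranet IP addresses
 ---------------------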
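--- a/docs/lxcsetup.rst
+++ b/docs/lxcsetup.rst
@@ -2,6 +2,11 @@
 Setup of a new CAcert LXC container with Puppet agent
 =====================================================
 
+.. todo::
+
+   Update the LXC setup documentation. lxc-setup might not work with LXC 3.0
+   that is used on :doc:`systems/infra02` since 2019-07-13.
+
 Preparation
 ===========
 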
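--- a/docs/network.rst
+++ b/docs/network.rst
@@ -22,6 +22,8 @@ IPv6 connectivity is also available. The infrastructure IPv6 addresses are
 taken from the :ip:v6range:`2001:7b8:616:162:1::/80` and
 :ip:v6range:`2001:7b8:616:162:2::/80` ranges.
 
+External monitoring is provided from the ranges :ip:v4range:`116.203.192.12/32`
+and :ip:v6range:`2a01:4f8:c2c:a5b9::1/128`.
 
 Intranet
 --------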
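--- a/docs/systems.rst
+++ b/docs/systems.rst
@@ -18,12 +18,14 @@ administrator team.
    systems/git
    systems/ircserver
    systems/issue
-   systems/lists
    systems/jenkins
+   systems/lists
    systems/monitor
-   systems/puppet
+   systems/motion
+   systems/pgpkeys
    systems/proxyin
    systems/proxyout
+   systems/puppet
    systems/svn
    systems/test
    systems/test2
@@ -33,6 +35,7 @@ administrator team.
    systems/web
    systems/webmail
    systems/webstatic
+   systems/wiki
 
 
 General
@@ -87,28 +90,23 @@ General
    That's it, now the package update status should be properly displayed in
    Icinga.
 
-.. todo:: think about replacing nrpe with Icinga2 satellites
-
 Checklist
 =========
 
 .. index::
    single: etckeeper
+   single: icinga2
    single: nrpe
+   single: puppet
 
 * All containers should be monitored by :doc:`systems/monitor` and should
-  therefore have :program:`nagios-nrpe-server` installed
+  therefore have :program:`icinga2` installed and managed via Puppet (older
+  systems without Puppet have :program:`nagios-nrpe-server` installed)
 * All containers should use :program:`etckeeper` to put their local setup into
   version control. All local setup should use :file:`/etc` to make sure it is
   handled by :program:`etckeeper`
 * All infrastructure systems must send their mail via :doc:`systems/emailout`
 * All infrastructure systems should have an system-admin@cacert.org alias to
   reach their admins
-* The installation of :index:`systemd-sysv` in containers can be blocked by
-  putting the following lines in :file:`/etc/apt/preferences.d/systemd-sysv`::
-
-    Package: systemd-sysv
-    Pin: release a=stable
-    Pin-Priority: -1
 
 .. todo:: document how to setup the system-admin alias on the email system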
index b225e87..482d24e 100644 (file)
@@ -61,9 +61,8 @@ Contact
 Additional People
 -----------------
 
 Additional People
 -----------------
 
-:ref:`Jan Dittberner <people_jandd>`, :ref:`Mario Lipinski <people_mario>` and
-:ref:`Dirk Astrath <people_dirk>` have :program:`sudo` access on that machine
-too.
+:ref:`Jan Dittberner <people_jandd>` and :ref:`Mario Lipinski <people_mario>`
+have :program:`sudo` access on that machine too.
 
 Basics
 ======
 
 Basics
 ======
@@ -86,6 +85,14 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Blog
+
+Monitoring
+----------
+
+:internal checks: :monitor:`blog.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -116,9 +123,9 @@ Operating System
 
 .. index::
    single: Debian GNU/Linux; Jessie
 
 .. index::
    single: Debian GNU/Linux; Jessie
-   single: Debian GNU/Linux; 8.10
+   single: Debian GNU/Linux; 8.11
 
 
-* Debian GNU/Linux 8.10
+* Debian GNU/Linux 8.11
 
 Applicable Documentation
 ------------------------
 
 Applicable Documentation
 ------------------------
@@ -153,40 +160,39 @@ Running services
 ----------------
 
 .. index::
 ----------------
 
 .. index::
-   single: Apache
-   single: MySQL
-   single: PHP FPM
-   single: Postfix
+   single: apache httpd
    single: cron
    single: cron
+   single: dbus
+   single: mysql
    single: nrpe
    single: openssh
    single: nrpe
    single: openssh
-
-+--------------------+--------------------+----------------------------------------+
-| Service            | Usage              | Start mechanism                        |
-+====================+====================+========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
-|                    | remote             |                                        |
-|                    | administration     |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Apache httpd       | Webserver for blog | init script                            |
-|                    |                    | :file:`/etc/init.d/apache2`            |
-+--------------------+--------------------+----------------------------------------+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
-+--------------------+--------------------+----------------------------------------+
-| MySQL              | MySQL database     | init script                            |
-|                    | server for blog    | :file:`/etc/init.d/mysql`              |
-+--------------------+--------------------+----------------------------------------+
-| PHP FPM            | PHP FPM executor   | init script                            |
-|                    | for blog           | :file:`/etc/init.d/php5-fpm`           |
-+--------------------+--------------------+----------------------------------------+
-| Postfix            | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/postfix`            |
-|                    | submission         |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                            |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`     |                                        |
-+--------------------+--------------------+----------------------------------------+
+   single: postfix
+
++--------------------+--------------------+-------------------------------------------------+
+| Service            | Usage              | Start mechanism                                 |
++====================+====================+=================================================+
+| Apache httpd       | Webserver for blog | systemd unit ``apache2.service``                |
++--------------------+--------------------+-------------------------------------------------+
+| cron               | job scheduler      | systemd unit ``cron.service``                   |
++--------------------+--------------------+-------------------------------------------------+
+| dbus-daemon        | System message bus | systemd unit ``dbus.service``                   |
+|                    | daemon             |                                                 |
++--------------------+--------------------+-------------------------------------------------+
+| MySQL              | MySQL database     | systemd unit ``mysql.service``                  |
+|                    | server for blog    |                                                 |
++--------------------+--------------------+-------------------------------------------------+
+| openssh server     | ssh daemon for     | systemd unit ``ssh.service``                    |
+|                    | remote             |                                                 |
+|                    | administration     |                                                 |
++--------------------+--------------------+-------------------------------------------------+
+| Postfix            | SMTP server for    | systemd unit ``postfix.service``                |
+|                    | local mail         |                                                 |
+|                    | submission         |                                                 |
++--------------------+--------------------+-------------------------------------------------+
+| Nagios NRPE server | remote monitoring  | systemd unit ``/etc/init.d/nagios-nrpe-server`` |
+|                    | service queried by |                                                 |
+|                    | :doc:`monitor`     |                                                 |
++--------------------+--------------------+-------------------------------------------------+
 
 Databases
 ---------
 
 Databases
 ---------
@@ -225,10 +231,10 @@ Security
 ========
 
 .. sshkeys::
 ========
 
 .. sshkeys::
-   :RSA:     MD5:ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d
-   :DSA:     MD5:c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5
-   :ECDSA:   MD5:00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81
-   :ED25519: MD5:0c:fe:c7:a1:bd:e6:43:e6:70:5a:be:5a:15:4d:08:9d
+   :RSA:     SHA256:OvtFKsNpDPfNmjMygTv3sT29KIx6TvvZq53UtGSf8rY MD5:ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d
+   :DSA:     SHA256:TUOE69GQYSWuJtL6l2WWr5FLSzWH8iBKDgE2ijZA9oA MD5:c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5
+   :ECDSA:   SHA256:htMwuQDbm/CovJ7DSxJqqCYf7J4CsSOrYcKu4LVq4Ec MD5:00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81
+   :ED25519: SHA256:8kt3DBbcuRr8lGHmLm/mOmPUE++keUdRwDntbVITEns MD5:0c:fe:c7:a1:bd:e6:43:e6:70:5a:be:5a:15:4d:08:9d
 
 Dedicated user roles
 --------------------
 
 Dedicated user roles
 --------------------
@@ -332,21 +338,28 @@ Wordpress configuration
 Tasks
 =====
 
 Tasks
 =====
 
+.. todo:: add a section documenting wordpress and plugin updates
+.. todo:: add a section documenting wordpress user management
+
+Changes
+=======
+
 Planned
 -------
 
 Planned
 -------
 
+.. todo:: switch to Puppet management
+.. todo:: replace nrpe with icinga2 agent
+.. todo:: update wordpress to 5.x
+.. todo:: update to Debian 9/10
 .. todo:: setup IPv6
 
 .. todo::
    setup CRL checks (can be borrowed from :doc:`svn`) for client certificates
 
 .. todo:: setup IPv6
 
 .. todo::
    setup CRL checks (can be borrowed from :doc:`svn`) for client certificates
 
-Changes
-=======
-
 System Future
 -------------
 
 System Future
 -------------
 
-.. todo:: system should be upgraded to Debian 9
+* No plans
 
 Additional documentation
 ========================
 
 Additional documentation
 ========================
index 18bde33..c9b622a 100644 (file)
@@ -70,6 +70,14 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Board
+
+Monitoring
+----------
+
+:internal checks: :monitor:`board.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -98,11 +106,6 @@ Operating System
 
 * Debian GNU/Linux 7.11
 
 
 * Debian GNU/Linux 7.11
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
 Services
 ========
 
@@ -197,9 +200,9 @@ Security
 ========
 
 .. sshkeys::
 ========
 
 .. sshkeys::
-   :RSA:   c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1
-   :DSA:   f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3
-   :ECDSA: 0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac
+   :RSA:   SHA256:j20Xl83ZK90nYXuIxOMJTcQH75rBcAWIfRnzoPs1qr4 MD5:c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1
+   :DSA:   SHA256:If2oWICT8sA7I+n0kyr+e6oTKa4oKaDFs/kSOQu3UwU MD5:f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3
+   :ECDSA: SHA256:bAsIi9uHC2lm5HSho3EtdltumBmNPUvHIcFJo0UXj7A MD5:0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac
 
 .. todo:: setup ED25519 host key (needs update to Jessie)
 
 
 .. todo:: setup ED25519 host key (needs update to Jessie)
 
@@ -341,22 +344,24 @@ that the XML-RPC service binds to.
 Tasks
 =====
 
 Tasks
 =====
 
+.. todo:: add a section documenting how to add/remove openerp users
+
+Changes
+=======
+
 Planned
 -------
 
 Planned
 -------
 
+.. todo:: switch to Puppet management
+.. todo:: replace nrpe with icinga2 agent
 .. todo:: disable unneeded Apache modules
 .. todo:: disable unneeded Apache modules
-
 .. todo:: setup IPv6
 .. todo:: setup IPv6
-
-.. todo:: consider using a centralized PostgreSQL instance
-
-Changes
-=======
+.. todo:: update to Debian 8/9/10
 
 System Future
 -------------
 
 
 System Future
 -------------
 
-.. todo:: system should be updated to Debian 8/9
+* No plans
 
 Additional documentation
 ========================
 
 Additional documentation
 ========================
index 69a9af9..15da3a0 100644 (file)
@@ -71,6 +71,14 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Bugs
+
+Monitoring
+----------
+
+:internal checks: :monitor:`bugs.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -102,14 +110,9 @@ Operating System
 
 .. index::
    single: Debian GNU/Linux; Stretch
 
 .. index::
    single: Debian GNU/Linux; Stretch
-   single: Debian GNU/Linux; 9.4
-
-* Debian GNU/Linux 9.4
-
-Applicable Documentation
-------------------------
+   single: Debian GNU/Linux; 9.9
 
 
-That's it
+* Debian GNU/Linux 9.9
 
 Services
 ========
 
 Services
 ========
@@ -128,7 +131,7 @@ Listening services
 +----------+---------+---------+--------------------------------+
 | 443/tcp  | https   | ANY     | web server for bug tracker     |
 +----------+---------+---------+--------------------------------+
 +----------+---------+---------+--------------------------------+
 | 443/tcp  | https   | ANY     | web server for bug tracker     |
 +----------+---------+---------+--------------------------------+
-| 5666/tcp | nrpe    | monitor | remote monitoring service      |
+| 5665/tcp | icinga2 | monitor | remote monitoring service      |
 +----------+---------+---------+--------------------------------+
 | 3306/tcp | mysql   | local   | MySQL database for bug tracker |
 +----------+---------+---------+--------------------------------+
 +----------+---------+---------+--------------------------------+
 | 3306/tcp | mysql   | local   | MySQL database for bug tracker |
 +----------+---------+---------+--------------------------------+
@@ -139,43 +142,45 @@ Running services
 .. index::
    single: apache httpd
    single: cron
 .. index::
    single: apache httpd
    single: cron
+   single: dbus
+   single: icinga2
    single: mariadb
    single: mariadb
-   single: nrpe
    single: openssh
    single: postfix
    single: puppet agent
    single: rsyslog
 
    single: openssh
    single: postfix
    single: puppet agent
    single: rsyslog
 
-+--------------------+--------------------+----------------------------------------+
-| Service            | Usage              | Start mechanism                        |
-+====================+====================+========================================+
-| Apache httpd       | Webserver for bug  | init script                            |
-|                    | tracker            | :file:`/etc/init.d/apache2`            |
-+--------------------+--------------------+----------------------------------------+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
-+--------------------+--------------------+----------------------------------------+
-| MariaDB            | MariaDB database   | init script                            |
-|                    | server for bug     | :file:`/etc/init.d/mysql`              |
-|                    | tracker            |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                            |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`     |                                        |
-+--------------------+--------------------+----------------------------------------+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
-|                    | remote             |                                        |
-|                    | administration     |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Postfix            | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/postfix`            |
-|                    | submission         |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Puppet agent       | configuration      | init script                            |
-|                    | management agent   | :file:`/etc/init.d/puppet`             |
-+--------------------+--------------------+----------------------------------------+
-| rsyslog            | syslog daemon      | init script                            |
-|                    |                    | :file:`/etc/init.d/syslog`             |
-+--------------------+--------------------+----------------------------------------+
++----------------+--------------------------+----------------------------------+
+| Service        | Usage                    | Start mechanism                  |
++================+==========================+==================================+
+| Apache httpd   | Webserver for bug        | systemd unit ``apache2.service`` |
+|                | tracker                  |                                  |
++----------------+--------------------------+----------------------------------+
+| cron           | job scheduler            | systemd unit ``cron.service``    |
++----------------+--------------------------+----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``    |
+|                | daemon                   |                                  |
++----------------+--------------------------+----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| MariaDB        | MariaDB database         | systemd unit ``mariadb.service`` |
+|                | server for bug           |                                  |
+|                | tracker                  |                                  |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for           | systemd unit ``ssh.service``     |
+|                | remote                   |                                  |
+|                | administration           |                                  |
++----------------+--------------------------+----------------------------------+
+| Postfix        | SMTP server for          | systemd unit ``postfix.service`` |
+|                | local mail               |                                  |
+|                | submission               |                                  |
++----------------+--------------------------+----------------------------------+
+| Puppet agent   | configuration            | systemd unit ``puppet.service``  |
+|                | management agent         |                                  |
++----------------+--------------------------+----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service`` |
+|                |                          |                                  |
++----------------+--------------------------+----------------------------------+
 
 Databases
 ---------
 
 Databases
 ---------
@@ -347,12 +352,18 @@ add an additional logging socket in the Postfix chroot.
 Tasks
 =====
 
 Tasks
 =====
 
-Planned
--------
+.. todo:: add a section documenting how to manage mantis projects
+.. todo:: add a section documenting how to manage mantis users
 
 Changes
 =======
 
 
 Changes
 =======
 
+Planned
+-------
+
+.. todo:: upgrade to Debian 10 (when Puppet is available)
+
+
 System Future
 -------------
 
 System Future
 -------------
 
index 43f1b9e..8989cdb 100644 (file)
@@ -67,6 +67,11 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+Monitoring
+----------
+
+:internal checks: :monitor:`cats.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -99,11 +104,6 @@ Operating System
 
 * Debian GNU/Linux 7.11
 
 
 * Debian GNU/Linux 7.11
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
 Services
 ========
 
@@ -130,12 +130,12 @@ Running services
 ----------------
 
 .. index::
 ----------------
 
 .. index::
-   single: Apache
-   single: MySQL
-   single: Postfix
+   single: apache httpd
    single: cron
    single: cron
+   single: mysql
    single: nrpe
    single: openssh
    single: nrpe
    single: openssh
+   single: postfix
 
 +--------------------+--------------------+----------------------------------------+
 | Service            | Usage              | Start mechanism                        |
 
 +--------------------+--------------------+----------------------------------------+
 | Service            | Usage              | Start mechanism                        |
@@ -196,9 +196,9 @@ Security
 ========
 
 .. sshkeys::
 ========
 
 .. sshkeys::
-   :RSA:   d4:1f:0a:c9:a6:18:7a:a4:72:6b:42:5d:8e:63:44:1f
-   :DSA:   0c:0a:94:fc:99:b2:49:a2:41:3a:59:3f:dd:3d:e4:33
-   :ECDSA: bc:28:fb:72:b9:e3:cb:0f:a0:ff:d2:38:8a:ac:6d:93
+   :RSA:   SHA256:YFr1fODx7PjurFxxkB8UNL9lwG/AeWuTLQ8Q8h3fZf4 MD5:d4:1f:0a:c9:a6:18:7a:a4:72:6b:42:5d:8e:63:44:1f
+   :DSA:   SHA256:CDUkGlsZBQl8MysXb67JLgXGkBaboSUYTz/iyWEtlxg MD5:0c:0a:94:fc:99:b2:49:a2:41:3a:59:3f:dd:3d:e4:33
+   :ECDSA: SHA256:H1SVPJbeDpPNGeZsolCF1nc87v08N2vi53waM3zNAI0 MD5:bc:28:fb:72:b9:e3:cb:0f:a0:ff:d2:38:8a:ac:6d:93
 
 .. todo:: setup ED25519 host key (needs update to Jessie)
 
 
 .. todo:: setup ED25519 host key (needs update to Jessie)
 
@@ -352,20 +352,24 @@ MySQL configuration is stored in the :file:`/etc/mysql/` directory.
 Tasks
 =====
 
 Tasks
 =====
 
+.. todo:: document how to update the CATS software
+
+Changes
+=======
+
 Planned
 -------
 
 Planned
 -------
 
-.. todo:: update to Debian Jessie
+.. todo:: switch to Puppet management
+.. todo:: replace nrpe with icinga2 agent
+.. todo:: update to Debian 8/9/10
 .. todo:: setup IPv6
 .. todo:: setup CRL checks
 
 .. todo:: setup IPv6
 .. todo:: setup CRL checks
 
-Changes
-=======
-
 System Future
 -------------
 
 System Future
 -------------
 
-.. todo:: system should be updated to Debian 8/9
+* No plans
 
 Additional documentation
 ========================
 
 Additional documentation
 ========================
index d89f78a..e2143d2 100644 (file)
@@ -47,27 +47,50 @@ Logical Location
 :IP Internet: :ip:v4:`213.154.225.228`
 :IP Intranet: :ip:v4:`172.16.2.19`
 :IP Internal: :ip:v4:`10.0.0.19`
 :IP Internet: :ip:v4:`213.154.225.228`
 :IP Intranet: :ip:v4:`172.16.2.19`
 :IP Internal: :ip:v4:`10.0.0.19`
-:IPv6:        :ip:v6:`2001:7b8:616:162:2::19`
+:IPv6:        :ip:v6:`2001:7b8:616:162:2::228`
 :MAC address: :mac:`00:ff:8f:e0:4a:90` (eth0)
 
 .. seealso::
 
    See :doc:`../network`
 
 :MAC address: :mac:`00:ff:8f:e0:4a:90` (eth0)
 
 .. seealso::
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Email
+
+Monitoring
+----------
+
+:internal checks: :monitor:`email.infra.cacert.org`
+
 DNS
 ---
 
 .. index::
    single: DNS records; Email
 
 DNS
 ---
 
 .. index::
    single: DNS records; Email
 
-======================= ======== ============================================
-Name                    Type     Content
-======================= ======== ============================================
-email.cacert.org.       IN A     213.154.225.228
-email.cacert.org.       IN SSHFP 1 1 BF391FD72656A275524D1D25A624C6045B44AE90
-email.cacert.org.       IN SSHFP 2 1 73B0D8ACB492A7187016DD3C5FC1519B309A550F
-email.intra.cacert.org. IN A     172.16.2.19
-======================= ======== ============================================
++-------------------------+-----------+----------------------------------------------------------------------+
+| Name                    | Type      | Content                                                              |
++=========================+===========+======================================================================+
+| email.cacert.org.       | IN A      | 213.154.225.228                                                      |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.cacert.org.       | IN  AAAA  | 2001:7b8:616:162:2::228                                              |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.cacert.org.       | IN  SSHFP | 1 1 bf391fd72656a275524d1d25a624c6045b44ae90                         |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.cacert.org.       | IN  SSHFP | 1 2 c8b68f3eb9a83902391b78686b4885a317fac0f74b0490a78b32ecbbee921df1 |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.cacert.org.       | IN  SSHFP | 3 1 5ffbc51c37cdff52db9c488c08b89af9ffee06a0                         |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.cacert.org.       | IN  SSHFP | 3 2 a114de78fc26bd0dc6fa2206d7c04519ec875023cf203e446d4bbbbc4e24da19 |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.cacert.org.       | IN  SSHFP | 4 1 18418515e94817f0624bf0a192331addf878ff66                         |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.cacert.org.       | IN  SSHFP | 4 2 d4fe3165206ba69baf4643253138561789918688375ed8ab89bcfc4411535221 |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.intra.cacert.org. | IN A      | 172.16.2.19                                                          |
++-------------------------+-----------+----------------------------------------------------------------------+
+| email.infra.cacert.org. | IN A      | 10.0.0.19                                                            |
++-------------------------+-----------+----------------------------------------------------------------------+
 
 A DKIM record for cacert.org ist setup but no DKIM signing is active currently.
 
 
 A DKIM record for cacert.org ist setup but no DKIM signing is active currently.
 
@@ -84,15 +107,10 @@ Operating System
 ----------------
 
 .. index::
 ----------------
 
 .. index::
-   single: Debian GNU/Linux; Lenny
-   single: Debian GNU/Linux; 5.0.10
+   single: Debian GNU/Linux; Stretch
+   single: Debian GNU/Linux; 9.9
 
 
-* Debian GNU/Linux 5.0.10
-
-Applicable Documentation
-------------------------
-
-This is it :-)
+* Debian GNU/Linux 9.9
 
 Services
 ========
 
 Services
 ========
@@ -100,102 +118,80 @@ Services
 Listening services
 ------------------
 
 Listening services
 ------------------
 
-+----------+---------+----------------+----------------------------------------+
-| Port     | Service | Origin         | Purpose                                |
-+==========+=========+================+========================================+
-| 22/tcp   | ssh     | ANY            | admin console access                   |
-+----------+---------+----------------+----------------------------------------+
-| 25/tcp   | smtp    | ANY            | mail receiver for cacert.org           |
-+----------+---------+----------------+----------------------------------------+
-| 110/tcp  | pop3    | ANY            | POP3 access for cacert.org mail        |
-|          |         |                | addresses                              |
-+----------+---------+----------------+----------------------------------------+
-| 143/tcp  | imap    | ANY            | IMAP access for cacert.org mail        |
-|          |         |                | addresses                              |
-+----------+---------+----------------+----------------------------------------+
-| 465/tcp  | smtps   | ANY            | SMTPS for cacert.org mail addresses    |
-+----------+---------+----------------+----------------------------------------+
-| 587/tcp  | smtp    | ANY            | mail submission for cacert.org mail    |
-|          |         |                | addresses                              |
-+----------+---------+----------------+----------------------------------------+
-| 993/tcp  | imaps   | ANY            | IMAPS access for cacert.org mail       |
-|          |         |                | addresses                              |
-+----------+---------+----------------+----------------------------------------+
-| 995/tcp  | pop3s   | ANY            | POP3S access for cacert.org mail       |
-|          |         |                | addresses                              |
-+----------+---------+----------------+----------------------------------------+
-| 2000/tcp | sieve   | ANY            | Manage sieve access for cacert.org     |
-|          |         |                | mail addresses                         |
-+----------+---------+----------------+----------------------------------------+
-| 2001/tcp | sieve   | :doc:`webmail` | Manage sieve access for cacert.org     |
-|          |         |                | mail addresses without TLS, accessible |
-|          |         |                | from ``172.16.2.20`` only              |
-+----------+---------+----------------+----------------------------------------+
-| 3306/tcp | mysql   | local          | MySQL database server                  |
-+----------+---------+----------------+----------------------------------------+
-| 4433/tcp | http    | local          | Apache httpd with phpmyadmin           |
-+----------+---------+----------------+----------------------------------------+
-| 5666/tcp | nrpe    | monitor        | remote monitoring service              |
-+----------+---------+----------------+----------------------------------------+
-
-.. topic:: PHPMyAdmin access
-
-   Administrators can use ssh to forward the Apache httpd HTTPS port to their
-   own machine:
-
-   .. code-block:: bash
-
-      ssh -L 4433:localhost:4433 -l username email.cacert.org
-
-   and access PHPMyAdmin at https://localhost:4433/
++----------+---------+---------+-------------------------------------+
+| Port     | Service | Origin  | Purpose                             |
++==========+=========+=========+=====================================+
+| 22/tcp   | ssh     | ANY     | admin console access                |
++----------+---------+---------+-------------------------------------+
+| 25/tcp   | smtp    | ANY     | mail receiver for cacert.org        |
++----------+---------+---------+-------------------------------------+
+| 110/tcp  | pop3    | ANY     | POP3 access for cacert.org mail     |
+|          |         |         | addresses                           |
++----------+---------+---------+-------------------------------------+
+| 143/tcp  | imap    | ANY     | IMAP access for cacert.org mail     |
+|          |         |         | addresses                           |
++----------+---------+---------+-------------------------------------+
+| 465/tcp  | smtps   | ANY     | SMTPS for cacert.org mail addresses |
++----------+---------+---------+-------------------------------------+
+| 587/tcp  | smtp    | ANY     | mail submission for cacert.org mail |
+|          |         |         | addresses                           |
++----------+---------+---------+-------------------------------------+
+| 993/tcp  | imaps   | ANY     | IMAPS access for cacert.org mail    |
+|          |         |         | addresses                           |
++----------+---------+---------+-------------------------------------+
+| 995/tcp  | pop3s   | ANY     | POP3S access for cacert.org mail    |
+|          |         |         | addresses                           |
++----------+---------+---------+-------------------------------------+
+| 4190/tcp | sieve   | ANY     | Manage sieve access for cacert.org  |
+|          |         |         | mail addresses                      |
++----------+---------+---------+-------------------------------------+
+| 3306/tcp | mysql   | local   | MariaDB database server             |
++----------+---------+---------+-------------------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service           |
++----------+---------+---------+-------------------------------------+
 
 Running services
 ----------------
 
 .. index::
 
 Running services
 ----------------
 
 .. index::
-   single: Apache
-   single: MySQL
-   single: Postfix
    single: cron
    single: cron
+   single: dbus
    single: dovecot
    single: dovecot
-   single: nrpe
+   single: icinga2
+   single: mariadb
    single: openssh
    single: openssh
-   single: pysieved
+   single: postfix
+   single: puppet
    single: rsyslog
    single: rsyslog
-   single: xinetd
-
-+--------------------+---------------------+----------------------------------------+
-| Service            | Usage               | Start mechanism                        |
-+====================+=====================+========================================+
-| Apache httpd       | Webserver for       | init script                            |
-|                    | phpmyadmin          | :file:`/etc/init.d/apache2`            |
-+--------------------+---------------------+----------------------------------------+
-| cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
-+--------------------+---------------------+----------------------------------------+
-| dovecot            | IMAP(s) and POP3(s) | init script                            |
-|                    | daemon              | :file:`/etc/init.d/dovecot`            |
-+--------------------+---------------------+----------------------------------------+
-| MySQL              | MySQL database      | init script                            |
-|                    | server for email    | :file:`/etc/init.d/mysql`              |
-|                    | services            |                                        |
-+--------------------+---------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring   | init script                            |
-|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`      |                                        |
-+--------------------+---------------------+----------------------------------------+
-| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
-|                    | remote              |                                        |
-|                    | administration      |                                        |
-+--------------------+---------------------+----------------------------------------+
-| Postfix            | SMTP server for     | init script                            |
-|                    | cacert.org          | :file:`/etc/init.d/postfix`            |
-+--------------------+---------------------+----------------------------------------+
-| rsyslog            | syslog daemon       | init script                            |
-|                    |                     | :file:`/etc/init.d/syslog`             |
-+--------------------+---------------------+----------------------------------------+
-| xinetd             | socket listener     | init script                            |
-|                    | for pysieved        | :file:`/etc/init.d/xinetd`             |
-+--------------------+---------------------+----------------------------------------+
+
++----------------+--------------------------+----------------------------------+
+| Service        | Usage                    | Start mechanism                  |
++================+==========================+==================================+
+| cron           | job scheduler            | systemd unit ``cron.service``    |
++----------------+--------------------------+----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``    |
+|                | daemon                   |                                  |
++----------------+--------------------------+----------------------------------+
+| dovecot        | IMAP(s), POP3(s) and     | systemd unit ``dovecot.service`` |
+|                | sieve filter daemon      |                                  |
++----------------+--------------------------+----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| MariaDB        | MariaDB database         | systemd unit ``mariadb.service`` |
+|                | server for email         |                                  |
+|                | services                 |                                  |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for remote    | systemd unit ``ssh.service``     |
+|                | administration           |                                  |
++----------------+--------------------------+----------------------------------+
+| Postfix        | SMTP server for          | systemd unit ``postfix.service`` |
+|                | cacert.org               |                                  |
++----------------+--------------------------+----------------------------------+
+| Puppet agent   | configuration            | systemd unit ``puppet.service``  |
+|                | management agent         |                                  |
++----------------+--------------------------+----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service`` |
++----------------+--------------------------+----------------------------------+
 
 Databases
 ---------
 
 Databases
 ---------
@@ -205,15 +201,9 @@ Databases
 +=======+================+==================================+
 | MySQL | cacertusers    | database for dovecot and postfix |
 +-------+----------------+----------------------------------+
 +=======+================+==================================+
 | MySQL | cacertusers    | database for dovecot and postfix |
 +-------+----------------+----------------------------------+
-| MySQL | postfixpolicyd | empty database                   |
-+-------+----------------+----------------------------------+
 | MySQL | roundcubemail  | roundcube on :doc:`webmail`      |
 +-------+----------------+----------------------------------+
 
 | MySQL | roundcubemail  | roundcube on :doc:`webmail`      |
 +-------+----------------+----------------------------------+
 
-.. todo:: check whether the empty postfixpolicyd database is required
-
-.. todo:: consider moving the databases to a new central MySQL service
-
 Connected Systems
 -----------------
 
 Connected Systems
 -----------------
 
@@ -225,53 +215,48 @@ Connected Systems
 Outbound network connections
 ----------------------------
 
 Outbound network connections
 ----------------------------
 
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
-* :doc:`proxyout` as HTTP proxy for APT
+* DNS (53) resolver at 10.0.0.1 (:doc:`infra02`)
 * :doc:`issue` for OTRS mail
 * :doc:`lists` for mailing lists
 * :doc:`issue` for OTRS mail
 * :doc:`lists` for mailing lists
+* :doc:`proxyout` as HTTP proxy for APT
+* :doc:`puppet` (tcp/8140) as Puppet master
 * arbitrary Internet SMTP servers for outgoing mail
 
 Security
 ========
 
 .. sshkeys::
 * arbitrary Internet SMTP servers for outgoing mail
 
 Security
 ========
 
 .. sshkeys::
-   :RSA: a1:d2:17:53:6b:0f:b6:a4:14:13:46:f7:04:ef:4a:23
-   :DSA: f4:eb:0a:36:40:1c:55:6b:75:a2:26:34:ea:18:7e:91
-
-.. warning::
-
-   The system is too old to support ECDSA or ED25519 keys.
+   :RSA:     SHA256:yLaPPrmoOQI5G3hoa0iFoxf6wPdLBJCnizLsu+6SHfE MD5:a1:d2:17:53:6b:0f:b6:a4:14:13:46:f7:04:ef:4a:23
+   :ECDSA:   SHA256:oRTeePwmvQ3G+iIG18BFGeyHUCPPID5EbUu7vE4k2hk MD5:16:95:af:c9:71:f4:d8:f7:91:7f:f7:2f:25:b3:f1:63
+   :ED25519: SHA256:1P4xZSBrppuvRkMlMThWF4mRhog3Xtiribz8RBFTUiE MD5:db:1e:68:3f:dd:b0:bb:68:c8:8b:cb:39:85:7d:f7:40
 
 Non-distribution packages and modifications
 -------------------------------------------
 
 
 Non-distribution packages and modifications
 -------------------------------------------
 
-Tlslite in :file:`/usr/local/lib/tlslite-0.3.8/` has been patched to handle
-GeneratorExit exceptions. The original tlslite 0.3.8 is stored in
-:file:`/usr/local/lib/tlslite-0.3.8-orig/`.
-
-Pysieved in :file:`/usr/local/lib/pysieved.neale/` seems to be a git clone from
-2009 originating from http://woozle.org/~neale/repos/pysieved at commit
-``d9b67036387a9a7aca954a17ff6fec44a8d309e0`` with no local modifications.
-
-:file:`/usr/local/lib/pysieved` is a symbolic link to
-:file:`/usr/local/lib/pysieved.neale/`.
-
-.. todo:: use pysieved, python-tlslite and dovecot-sieve from distribution
-   packages after OS upgrade
-
+* None
 
 Risk assessments on critical packages
 -------------------------------------
 
 
 Risk assessments on critical packages
 -------------------------------------
 
-The whole system is outdated, it needs to be replaced as soon as possible.
+Postfix and Dovecot have very good security reputation. The system is patched
+regularly.
+
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
 
 Critical Configuration items
 ============================
 
 
 Critical Configuration items
 ============================
 
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
+.. todo: move Postfix, Dovecot, ssh and MariaDB configuration to Puppet
+
 Keys and X.509 certificates
 ---------------------------
 
 Keys and X.509 certificates
 ---------------------------
 
-Server certificate for SMTP communication from the Internet and PHPMyAdmin.
+Server certificate for SMTP communication from the Internet.
 
 .. sslcert:: email.cacert.org
    :altnames:   DNS:email.cacert.org
 
 .. sslcert:: email.cacert.org
    :altnames:   DNS:email.cacert.org
@@ -291,57 +276,20 @@ Postfix and IMAP with STARTTLS, IMAPS, POP3 with STARTTLS, POP3S and pysieved)
    :serial:    1381F8
    :secondary:
 
    :serial:    1381F8
    :secondary:
 
-* :file:`/etc/postfix/dh_1024.pem` and :file:`/etc/postfix/dh_512.pem`
-  Diffie-Hellman parameter files for Postfix
-
 .. note::
 
    Postfix uses the email.cacert.org certificate for client authentication if
    requested by a target server.
 
 .. note::
 
    Postfix uses the email.cacert.org certificate for client authentication if
    requested by a target server.
 
-   .. todo::
-      check whether it makes sense to use a separate certificate for that
-      purpose
-
 .. seealso::
 
    * :wiki:`SystemAdministration/CertificateList`
 
 .. index::
 .. seealso::
 
    * :wiki:`SystemAdministration/CertificateList`
 
 .. index::
-   pair: Apache httpd; configuration
-
-Apache httpd configuration
---------------------------
-
-:file:`/etc/apache2/sites-available/adminssl` configures a VirtualHost that
-allows dedicated users to access a PHPMyAdmin instance. The allowed users are
-authenticated by client certificates and are authorized by an entry in
-:file:`/etc/apache2/phpmyadmin.passwd`.
-
-.. note::
-
-   to authorize a user you need the subject distinguished name of the user's
-   client certificate which can be extracted with::
-
-      openssl x509 -noout -subject -in certificate.crt
-
-   A line with the subject distinguished name and the fake password
-   ``xxj31ZMTZzkVA`` separated by colon have to be added to
-   :file:`/etc/apache2/phpmyadmin.passwd`::
-
-      /CN=Example User/emailAddress=example@cacert.org:xxj31ZMTZzkVA
-
-.. seealso::
-
-   FakeBasicAuth option of the `SSLOptions
-   <https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions>`_
-   directive in the mod_ssl reference documentation.
+   pair: MariaDB; configuration
 
 
-.. index::
-   pair: MySQL; configuration
-
-MySQL configuration
--------------------
+MariaDB configuration
+---------------------
 
 MySQL configuration is stored in the :file:`/etc/mysql/` directory.
 
 
 MySQL configuration is stored in the :file:`/etc/mysql/` directory.
 
@@ -351,22 +299,6 @@ MySQL configuration is stored in the :file:`/etc/mysql/` directory.
 
 .. _nss:
 
 
 .. _nss:
 
-NSS configuration
------------------
-
-The libc name service switch is configured to use MySQL lookups for passwd,
-group and shadow via :file:`/etc/nsswitch.conf`. The queries are configured in
-:file:`/etc/libnss-mysql.cfg` and the root user for reading shadow information
-is configured in :file:`/etc/libnss-mysql-root.cfg`.
-
-.. index::
-   pair: PHPMyAdmin; configuration
-
-PHPMyAdmin configuration
-------------------------
-
-PHPMyAdmin configuration is stored in the :file:`/etc/phpmyadmin/` directory.
-
 .. index::
    pair: dovecot; configuration
 
 .. index::
    pair: dovecot; configuration
 
@@ -375,22 +307,16 @@ Dovecot configuration
 
 Dovecot configuration is stored in the :file:`/etc/dovecot/` directory. The
 database settings are stored in
 
 Dovecot configuration is stored in the :file:`/etc/dovecot/` directory. The
 database settings are stored in
-:file:`dovecot-sql-masterpassword-webmail.conf`.
+:file:`dovecot-sql.conf.ext`.
 
 .. index::
    pair: dovecot; authentication
 
 .. topic:: Dovecot authentication
 
 
 .. index::
    pair: dovecot; authentication
 
 .. topic:: Dovecot authentication
 
-   :file:`/etc/dovecot/dovecot.conf` refers to PAM mail. PAM mail is defined
-   :file:`/etc/pam.d/mail`. System users are defined by NSS which is a
-   combination of :file:`/etc/passwd` (for root and non-imap/pop users) and
-   :file:`/etc/libnss-mysql*` (see `nss`_).
-
    There is a special master password so that webmail can do the authentication
    for dovecot using certificates. This is defined in
    There is a special master password so that webmail can do the authentication
    for dovecot using certificates. This is defined in
-   :file:`/etc/dovecot/dovecot-sql-masterpassword-webmail.conf`. This special
-   password is restricted to the IP address of Community.
+   :file:`/etc/dovecot/dovecot-sql.conf.ext`.
 
 .. index::
    pair: Postfix; configuration
 
 .. index::
    pair: Postfix; configuration
@@ -425,47 +351,10 @@ following files are special for this setup:
 
 .. todo:: consider to send all outgoing mail via :doc:`emailout`
 
 
 .. todo:: consider to send all outgoing mail via :doc:`emailout`
 
-.. todo:: remove unused transports from :file:`master.cf`
-
-.. index::
-   pair: pysieved; configuration
-
-PySieved configuration
-----------------------
-
-:file:`/usr/local/etc/pysieved.ini` for regular manage sieve access and
-:file:`/usr/local/etc/pysieved-notls.ini` for use with Roundcube webmail.
-Pysieved uses dovecot for authentication.
-
-.. index::
-   pair: rsyslog; configuration
-
-Rsyslog configuration
----------------------
-
-Rsyslog is configured in :file:`/etc/rsyslog.conf` which includes files in
-:file:`/etc/rsyslog.d/`. Consumption of kernel log messages and network input
-is disabled. :file:`/etc/rsyslog.d/postfix.conf` configures a separate unix
-socket to receive log messages from postfix and
-:file:`/etc/rsyslog.d/remotelog.conf` contains commented settings for a
-non-existant remote syslog server.
-
-.. todo:: setup remote logging when a central logging container is available
-
-.. index::
-   pair: xinetd; configuration
-
-Xinetd configuration
---------------------
-
-Xinetd listens on tcp ports 2000 and 2001 and spawn pysieved. Configuration for
-these listeners is stored in :file:`/etc/xinetd.d/pysieved` and
-:file:`/etc/xinetd.d/pysieved-notls`.
-
 Email storage
 -------------
 
 Email storage
 -------------
 
-Mail for :samp:`{user}` is stored in :samp:`/home/{user}/Maildir`.
+Mail for :samp:`{user}` is stored in :samp:`/home/mailboxes/{user}/Maildir`.
 
 .. todo::
    move mail storage to a separate data volume to allow easier backup and OS
 
 .. todo::
    move mail storage to a separate data volume to allow easier backup and OS
@@ -530,12 +419,21 @@ There are two types of aliases.
    cacertusers database. The reason for this implementation is to only allow
    the designated person to send email from this email address.
 
    cacertusers database. The reason for this implementation is to only allow
    the designated person to send email from this email address.
 
+Client certificate authentication
+---------------------------------
+
+There were plans for X.509 certificate authentication for mail services, but
+there is no progress so far.
+
+Changes
+=======
+
 Planned
 -------
 
 Planned
 -------
 
-.. todo:: implement CRL checking
+.. todo:: update to Debian 10 (when Puppet is available)
 
 
-.. todo:: setup IPv6
+.. todo:: implement CRL checking
 
 .. todo::
    throttle brute force attack attempts using fail2ban or similar mechanism
 
 .. todo::
    throttle brute force attack attempts using fail2ban or similar mechanism
@@ -543,18 +441,10 @@ Planned
 .. todo::
    consider to use LDAP to consolidate user, password and email information
 
 .. todo::
    consider to use LDAP to consolidate user, password and email information
 
-* there were plans for X.509 certificate authentication for mail services, but
-  there is no progress so far
-
-Changes
-=======
-
 System Future
 -------------
 
 System Future
 -------------
 
-.. todo::
-   The system has to be replaced with a new system using a current operating
-   system version
+* No plans
 
 Additional documentation
 ========================
 
 Additional documentation
 ========================
@@ -572,5 +462,5 @@ Postfix documentation
    http://www.postfix.org/documentation.html
 Postfix Debian wiki page
    https://wiki.debian.org/Postfix
    http://www.postfix.org/documentation.html
 Postfix Debian wiki page
    https://wiki.debian.org/Postfix
-Dovecot 1.x wiki
-   http://wiki1.dovecot.org/FrontPage
+Dovecot 2.x wiki
+   http://wiki2.dovecot.org/FrontPage
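index 8c611db..1472b47 100644
--- a/docs/systems/emailout.rst
+++ b/docs/systems/emailout.rst
@@ -44,30 +44,50 @@ Logical Location
 :IP Internet: :ip:v4:`213.154.225.239`
 :IP Intranet: :ip:v4:`172.16.2.10` (outbound SNAT) and :ip:v4:`172.16.2.32`
 :IP Internal: :ip:v4:`10.0.0.32`
+:IPv6:        :ip:v6:`2001:7b8:616:162:2::239`
 :MAC address: :mac:`00:ff:12:01:65:02` (eth0)
 
 .. seealso::
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Emailout
+
+Monitoring
+----------
+
+:internal checks: :monitor:`emailout.infra.cacert.org`
+
 DNS
 ---
 
 .. index::
    single: DNS records; Emailout
 
-========================== ======== ====================================================================
-Name                       Type     Content
-========================== ======== ====================================================================
-emailout.cacert.org.       IN A     213.154.225.239
-emailout.cacert.org.       IN SSHFP 1 1 1ba1ab632911e8a68a69521130120695086d858c
-emailout.cacert.org.       IN SSHFP 1 2 6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055
-emailout.cacert.org.       IN SSHFP 2 1 0e8888352604dbd1cc4d201bc1e985d80b9cf752
-emailout.cacert.org.       IN SSHFP 2 2 a7402f014b47b805663c904dabbc9590db7d8d0f350cea6d9f63e12bc27bac0c
-emailout.cacert.org.       IN SSHFP 3 1 527004f2091d2cef2c28b5f8241fc0e76307b2ba
-emailout.cacert.org.       IN SSHFP 3 2 9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d
-emailout.intra.cacert.org. IN A     172.16.2.32
-========================== ======== ====================================================================
++----------------------------+----------+----------------------------------------------------------------------+
+| Name                       | Type     | Content                                                              |
++============================+==========+======================================================================+
+| emailout.cacert.org.       | IN A     | 213.154.225.239                                                      |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.cacert.org.       | IN AAAA  | 2001:7b8:616:162:2::239                                              |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.cacert.org.       | IN SSHFP | 1 1 1ba1ab632911e8a68a69521130120695086d858c                         |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.cacert.org.       | IN SSHFP | 1 2 6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055 |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.cacert.org.       | IN SSHFP | 3 1 527004f2091d2cef2c28b5f8241fc0e76307b2ba                         |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.cacert.org.       | IN SSHFP | 3 2 9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.cacert.org.       | IN SSHFP | 4 1 63f40df8536052d33d2d515eceb111ccb7983619                         |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.cacert.org.       | IN SSHFP | 4 2 4ceb488ad17ea7c8db161fdf3357e273d2ea1fe5be183794aacd7c4bfdfaa8a5 |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.intra.cacert.org. | IN A     | 172.16.2.32                                                          |
++----------------------------+----------+----------------------------------------------------------------------+
+| emailout.infra.cacert.org. | IN A     | 10.0.0.32                                                            |
++----------------------------+----------+----------------------------------------------------------------------+
 
 .. seealso::
 
@@ -77,18 +97,18 @@ Operating System
 ----------------
 
 .. index::
-   single: Debian GNU/Linux; Stretch
-   single: Debian GNU/Linux; 9.4
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
 
-* Debian GNU/Linux 9.4
+* Debian GNU/Linux 10.0
 
 Applicable Documentation
 ------------------------
 
 The following packages where installed after the container setup::
 
-   apt-get install vim-nox screen aptitude git etckeeper postfix \
-     postfix-pcre opendkim opendkim-tools man-db rsyslog logrotate \
+   apt-get install vim-nox screen git etckeeper postfix postfix-pcre opendkim \
+     opendkim-tools man-db rsyslog logrotate \
      heirloom-mailx netcat-openbsd swaks
 
 Services
@@ -97,57 +117,54 @@ Services
 Listening services
 ------------------
 
-+----------+-----------+-----------+-----------------------------------------+
-| Port     | Service   | Origin    | Purpose                                 |
-+==========+===========+===========+=========================================+
-| 22/tcp   | ssh       | ANY       | admin console access                    |
-+----------+-----------+-----------+-----------------------------------------+
-| 25/tcp   | smtp      | intranet  | mail delivery from intranet MTAs        |
-+----------+-----------+-----------+-----------------------------------------+
-| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
-+----------+-----------+-----------+-----------------------------------------+
++----------+---------+----------+----------------------------------+
+| Port     | Service | Origin   | Purpose                          |
++==========+=========+==========+==================================+
+| 22/tcp   | ssh     | ANY      | admin console access             |
++----------+---------+----------+----------------------------------+
+| 25/tcp   | smtp    | intranet | mail delivery from intranet MTAs |
++----------+---------+----------+----------------------------------+
+| 5665/tcp | icinga2 | monitor  | remote monitoring service        |
++----------+---------+----------+----------------------------------+
 
 Running services
 ----------------
 
 .. index::
-   single: OpenDKIM
-   single: Postfix
    single: cron
-   single: nrpe
+   single: dbus
+   single: icinga2
+   single: opendkim
    single: openssh
+   single: postfix
    single: puppet agent
    single: rsyslog
 
-+--------------------+--------------------+----------------------------------------+
-| Service            | Usage              | Start mechanism                        |
-+====================+====================+========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
-|                    | remote             |                                        |
-|                    | administration     |                                        |
-+--------------------+--------------------+----------------------------------------+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
-+--------------------+--------------------+----------------------------------------+
-| rsyslog            | syslog daemon      | init script                            |
-|                    |                    | :file:`/etc/init.d/syslog`             |
-+--------------------+--------------------+----------------------------------------+
-| OpenDKIM           | DKIM signing       | init script                            |
-|                    | daemon             | :file:`/etc/init.d/opendkim`           |
-+--------------------+--------------------+----------------------------------------+
-| Postfix            | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/postfix`            |
-|                    | submission, and    |                                        |
-|                    | mail relay for     |                                        |
-|                    | infrastructure     |                                        |
-|                    | systems            |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                            |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`     |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Puppet agent       | configuration      | init script :file:`/etc/init.d/puppet` |
-|                    | management agent   |                                        |
-+--------------------+--------------------+----------------------------------------+
++----------------+--------------------------+-----------------------------------+
+| Service        | Usage                    | Start mechanism                   |
++================+==========================+===================================+
+| cron           | job scheduler            | systemd unit ``cron.service``     |
++----------------+--------------------------+-----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``     |
+|                | daemon                   |                                   |
++----------------+--------------------------+-----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service``  |
++----------------+--------------------------+-----------------------------------+
+| OpenDKIM       | DKIM signing daemon      | systemd unit ``opendkim.service`` |
++----------------+--------------------------+-----------------------------------+
+| openssh server | ssh daemon for remote    | systemd unit ``ssh.service``      |
+|                | administration           |                                   |
++----------------+--------------------------+-----------------------------------+
+| Postfix        | SMTP server for          | systemd unit ``postfix.service``  |
+|                | local mail submission,   |                                   |
+|                | and mail relay for       |                                   |
+|                | infrastructure systems   |                                   |
++----------------+--------------------------+-----------------------------------+
+| Puppet agent   | configuration            | systemd unit ``puppet.service``   |
+|                | management agent         |                                   |
++----------------+--------------------------+-----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service``  |
++----------------+--------------------------+-----------------------------------+
 
 Connected Systems
 -----------------
@@ -169,7 +186,6 @@ Security
 
 .. sshkeys::
    :RSA:     SHA256:blDVsgNABraet7oZ0/P9LEgBW+ors9XioPjPJf8DAFU MD5:56:09:89:92:af:3c:15:e4:a3:06:11:63:0e:be:b6:a2
-   :DSA:     SHA256:p0AvAUtHuAVmPJBNq7yVkNt9jQ81DOptn2PhK8J7rAw MD5:6c:8d:31:c4:92:de:f0:a8:95:eb:fe:20:83:91:ca:07
    :ECDSA:   SHA256:kJTc+IYFI6g1QuxMxG+8/tOW9VJbwgLP7PQtGnBEE20 MD5:cb:3c:69:c5:a1:90:c6:8e:55:40:83:6c:10:3f:09:b4
    :ED25519: SHA256:TOtIitF+p8jbFh/fM1fic9LqH+W+GDeUqs18S/36qKU MD5:04:ca:72:d0:21:0a:4a:8b:a5:f7:a2:2f:10:e5:3f:92
 
@@ -183,9 +199,16 @@ Risk assessments on critical packages
 
 Postfix has a very good security reputation. The system is patched regularly.
 
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
 Critical Configuration items
 ============================
 
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
 Keys and X.509 certificates
 ---------------------------
 
@@ -306,13 +329,13 @@ Internal networks have been defined in :file:`/etc/dkim/internalhosts` as::
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
-.. todo:: setup IPv6
-
-Changes
-=======
+.. todo:: upgrade to Debian 10 (when Puppet is available)
 
 System Future
 -------------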
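index 4b59901..2965b0d 100644
--- a/docs/systems/git.rst
+++ b/docs/systems/git.rst
@@ -73,6 +73,14 @@ Logical Location
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Git
+
+Monitoring
+----------
+
+:internal checks: :monitor:`git.infra.cacert.org`
+
 DNS
 ---
 
@@ -107,11 +115,6 @@ Operating System
 
 * Debian GNU/Linux 9.4
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
@@ -326,14 +329,14 @@ The runit service handling is triggered through :file:`/etc/inittab`.
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
 .. todo:: enable IPv6
 
-Changes
-=======
-
 System Future
 -------------
 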
index d2c1597..9e2eeb0 100644 (file)
@@ -58,7 +58,7 @@ The machine has been sponsored by `Thomas Krenn`_ and has the following hardware
 parameters:
 
 :Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
 parameters:
 
 :Mainboard: Supermicro X9SCL/X9SCM Version 1.11A
-:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz
+:CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz (4 Cores, 8 Threads)
 :RAM: 16 GiB ECC
 :Disks: 2 x 1TB WDC WD1003FBYX-01Y7B1
 :NIC:
 :RAM: 16 GiB ECC
 :Disks: 2 x 1TB WDC WD1003FBYX-01Y7B1
 :NIC:
@@ -66,7 +66,7 @@ parameters:
   * eth0 Intel Corporation 82579LM Gigabit Network Connection
   * eth1 Intel Corporation 82574L Gigabit Network Connection
 
   * eth0 Intel Corporation 82579LM Gigabit Network Connection
   * eth1 Intel Corporation 82574L Gigabit Network Connection
 
-There is a 2 TB USB backup disk attached to the system.
+There is a 2 TB USB WDC WD20EARS-00MVWB0 backup disk attached to the system.
 
 .. seealso::
 
 
 .. seealso::
 
@@ -91,6 +91,73 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Infra02
+
+Monitoring
+----------
+
+:internal checks: :monitor:`infra02.infra.cacert.org`
+:external checks: :monitor:`infra02.cacert.org`
+
+Remote Console
+--------------
+
+This system can be managed through a remote console, which may especially be
+important during system upgrades and/or reboots.
+
+The hardware of the system is equipped with a BMC Controller which supports the
+Intelligent Platform Management Interface (IMPI).
+
+Due the security design of the CAcert intranet, the network interface of this BMC
+is not connected to the publicly reachable part of the CAcert intranet,
+but rather to the management part, and is thus only reachable by members of the
+critical system administrator team.
+
+So the following instructions only apply to them.
+
+The BMC interface can be reached from your local admin machine through the
+CAcert hopper by setting up the following SSH port forwarding:
+
+.. code:: bash
+
+   IPMIHOST=infra02ilo.intra.cacert.org
+   LOCALPORT=8082
+   HTTPSPORT=443
+   IKVMPORT=5900
+   ssh -f -N -L ${LOCALPORT}:${IPMIHOST}:${HTTPSPORT} \
+                           -L ${IKVMPORT}:${IPMIHOST}:${IKVMPORT} hopper
+
+and then browsing to the web UI:
+
+.. code:: bash
+
+   firefox https://127.0.0.1:${LOCALPORT}/
+
+To use the remote console facility, first install Oracle Java JRE 8.0_211 on
+your admin machine. Then download the launch.jnlp script offered by the web UI
+and save it in $HOME. Then use this script "console" to execute it:
+
+.. code:: bash
+
+   #! /bin/bash
+   # console - run remote console for CAcert infra02 with Oracle Java environment
+
+   export JAVADIR=/opt/java/jre1.8.0_211/bin
+   export JAVA=${JAVADIR}/java
+   export JAVAWS=${JAVADIR}/javaws
+
+   LAUNCH=${HOME}/launch.jnlp
+
+   if [ -f ${LAUNCH} ]
+   then
+         echo "Do not forget to use setupcon if the console keyboard mapping is lame" 1>&2
+         sed -i -e 's/443/8082/' ${LAUNCH}
+         exec ${JAVAWS} ${LAUNCH}
+   else
+         echo $0: cannot read ${LAUNCH} 1>&2
+   fi
+
 DNS
 ---
 
 DNS
 ---
 
@@ -118,15 +185,10 @@ Operating System
 ----------------
 
 .. index::
 ----------------
 
 .. index::
-   single: Debian GNU/Linux; Wheezy
-   single: Debian GNU/Linux; 7.11
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
 
 
-* Debian GNU/Linux 7.11
-
-Applicable Documentation
-------------------------
-
-This is it :-)
+* Debian GNU/Linux 10.0
 
 Services
 ========
 
 Services
 ========
@@ -134,59 +196,89 @@ Services
 Listening services
 ------------------
 
 Listening services
 ------------------
 
-+----------+-----------+-----------+-----------------------------------------+
-| Port     | Service   | Origin    | Purpose                                 |
-+==========+===========+===========+=========================================+
-| 22/tcp   | ssh       | ANY       | admin console access                    |
-+----------+-----------+-----------+-----------------------------------------+
-| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
-+----------+-----------+-----------+-----------------------------------------+
-| 53/tcp   | dns       | internal  | DNS resolver for infra.cacert.org       |
-| 53/udp   |           |           |                                         |
-+----------+-----------+-----------+-----------------------------------------+
-| 123/udp  | ntp       | ANY       | network time protocol for host,         |
-|          |           |           | listening on the Internet IPv6 and IPv4 |
-|          |           |           | addresses                               |
-+----------+-----------+-----------+-----------------------------------------+
-| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
-+----------+-----------+-----------+-----------------------------------------+
++----------+---------+----------+-----------------------------------------+
+| Port     | Service | Origin   | Purpose                                 |
++==========+=========+==========+=========================================+
+| 22/tcp   | ssh     | ANY      | admin console access                    |
++----------+---------+----------+-----------------------------------------+
+| 25/tcp   | smtp    | local    | mail delivery to local MTA              |
++----------+---------+----------+-----------------------------------------+
+| 53/tcp   | dns     | internal | DNS resolver for infra.cacert.org       |
+| 53/udp   |         |          |                                         |
++----------+---------+----------+-----------------------------------------+
+| 123/udp  | ntp     | ANY      | network time protocol for host,         |
+|          |         |          | listening on the Internet IPv6 and IPv4 |
+|          |         |          | addresses                               |
++----------+---------+----------+-----------------------------------------+
+| 5666/tcp | nrpe    | monitor  | remote monitoring service               |
++----------+---------+----------+-----------------------------------------+
 
 Running services
 ----------------
 
 .. index::
 
 Running services
 ----------------
 
 .. index::
-   single: openssh
+   single: acpid
+   single: atop
+   single: atopacctd
    single: cron
    single: cron
+   single: dbus
    single: dnsmasq
    single: dnsmasq
-   single: rsyslog
-   single: ntpd
-   single: Postfix
+   single: lxc
+   single: mdadm
    single: nrpe
    single: nrpe
-
-+--------------------+--------------------+-----------------------------------------+
-| Service            | Usage              | Start mechanism                         |
-+====================+====================+=========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`     |
-|                    | remote             |                                         |
-|                    | administration     |                                         |
-+--------------------+--------------------+-----------------------------------------+
-| dnsmasq            | DNS resolver       | init script :file:`/etc/init.d/dnsmasq` |
-+--------------------+--------------------+-----------------------------------------+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`    |
-+--------------------+--------------------+-----------------------------------------+
-| rsyslog            | syslog daemon      | init script                             |
-|                    |                    | :file:`/etc/init.d/syslog`              |
-+--------------------+--------------------+-----------------------------------------+
-| ntpd               | time server        | init script :file:`/etc/init.d/ntp`     |
-+--------------------+--------------------+-----------------------------------------+
-| Postfix            | SMTP server for    | init script                             |
-|                    | local mail         | :file:`/etc/init.d/postfix`             |
-|                    | submission, ...    |                                         |
-+--------------------+--------------------+-----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                             |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server`  |
-|                    | :doc:`monitor`     |                                         |
-+--------------------+--------------------+-----------------------------------------+
+   single: ntpd
+   single: openssh
+   single: postfix
+   single: radvd
+   single: rsyslog
+   single: smartd
+
++--------------------+----------------------+---------------------------------------------+
+| Service            | Usage                | Start mechanism                             |
++====================+======================+=============================================+
+| acpid              | ACPI daemon          | systemd unit ``acpid.service``              |
++--------------------+----------------------+---------------------------------------------+
+| atop               | Advanced system      | systemd unit ``atop.service``               |
+|                    | and process monitor  |                                             |
++--------------------+----------------------+---------------------------------------------+
+| atopacctd          | Advanced system      | systemd unit ``atopacct.service``           |
+|                    | and process monitor  |                                             |
+|                    | accounting daemon    |                                             |
++--------------------+----------------------+---------------------------------------------+
+| cron               | job scheduler        | systemd unit ``cron.service``               |
++--------------------+----------------------+---------------------------------------------+
+| dbus-daemon        | System message bus   | systemd unit ``dbus.service``               |
+|                    | daemon               |                                             |
++--------------------+----------------------+---------------------------------------------+
+| dnsmasq            | DNS resolver         | systemd unit ``dnsmasq.service``            |
++--------------------+----------------------+---------------------------------------------+
+| LXC                | Service for LXC      | systemd unit ``lxc.service``                |
+|                    | container management |                                             |
++--------------------+----------------------+---------------------------------------------+
+| mdadm              | RAID monitoring      | systemd unit ``mdmonitor.service``          |
++--------------------+----------------------+---------------------------------------------+
+| Nagios NRPE server | remote monitoring    | systemd unit ``nagios-nrpe-server.service`` |
+|                    | service queried by   |                                             |
+|                    | :doc:`monitor`       |                                             |
++--------------------+----------------------+---------------------------------------------+
+| ntpd               | time server          | systemd unit ``ntp.service``                |
++--------------------+----------------------+---------------------------------------------+
+| openssh server     | ssh daemon for       | systemd unit ``ssh.service``                |
+|                    | remote               |                                             |
+|                    | administration       |                                             |
++--------------------+----------------------+---------------------------------------------+
+| postfix            | SMTP server for      | systemd unit ``postfix.service``            |
+|                    | local mail           |                                             |
+|                    | submission, ...      |                                             |
++--------------------+----------------------+---------------------------------------------+
+| radvd              | IPv6 route           | systemd unit ``radvd.service``              |
+|                    | advertisement        |                                             |
++--------------------+----------------------+---------------------------------------------+
+| rsyslog            | syslog daemon        | systemd unit ``rsyslog.service``            |
++--------------------+----------------------+---------------------------------------------+
+| smartd             | S.M.A.R.T. HDD       | systemd unit ``smartd.service``             |
+|                    | monitoring           |                                             |
++--------------------+----------------------+---------------------------------------------+
 
 .. Running Guests
    --------------
 
 .. Running Guests
    --------------
@@ -212,10 +304,10 @@ Security
 ========
 
 .. sshkeys::
 ========
 
 .. sshkeys::
-   :RSA:     86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c
-   :DSA:     b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5
-   :ECDSA:   79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0
-   :ED25519: 25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4
+   :RSA:     SHA256:Y7DXSj8c5hhlpesEl+8FJDvEBn7Jg8aauOYvPLlAzII MD5:86:d5:f8:71:2e:ab:5e:50:5d:f6:37:6b:16:8f:d1:1c
+   :DSA:     SHA256:OgGI/EfR/dFNcKL7ePUXktBroR6uarFuc8t7uN1qDcg MD5:b4:fb:c2:74:33:eb:cc:f0:3e:31:38:c9:a8:df:0a:f5
+   :ECDSA:   SHA256:OufwA1whcpd+mb/jEseoKZZQ3qFql16hPuzo/aQmBio MD5:79:c4:b8:ff:ef:c9:df:9a:45:07:8d:ab:71:7c:e9:c0
+   :ED25519: SHA256:eXWoP7L/A25p/YW3vmj+4NFy2lEEVcRaLnNhcelBar8 MD5:25:d1:c7:44:1c:38:9e:ad:89:32:c7:9c:43:8e:41:c4
 
 Dedictated user roles
 ---------------------
 
 Dedictated user roles
 ---------------------
@@ -230,39 +322,14 @@ Non-distribution packages and modifications
 Risk assessments and critical packages
 --------------------------------------
 
 Risk assessments and critical packages
 --------------------------------------
 
-The system is the basis for all other infrastructure systems. Access to this
-system has to be tightly controlled.
-
-Tasks
-=====
-
-.. todo:: find out why the system logs are messed up
-.. todo:: upgrade to Debian Stretch
-.. todo:: document whether it is safe to reboot this system
-.. todo:: document how to setup a new container
-.. todo:: document how to setup firewall rules/forwarding
-.. todo:: document how the backup system works
-.. todo:: add DNS setup for IPv6 address
-.. todo:: switch to Puppet management
-
-Planned
--------
-
-* None
-
-Changes
-=======
-
-System Future
--------------
-
-* No plans
+The system is the host system for all other infrastructure systems. Access to
+this system has to be tightly controlled.
 
 Critical Configuration items
 ============================
 
 .. index::
 
 Critical Configuration items
 ============================
 
 .. index::
-   pair: Ferm; configuration
+   pair: dnsmasq; configuration
 
 Dnsmasq configuration
 ---------------------
 
 Dnsmasq configuration
 ---------------------
@@ -271,6 +338,9 @@ Dnsmasq serves the local DNS zone infra.cacert.org to the `br0` interface. It
 is configured by :file:`/etc/dnsmasq.d/00infra` and uses :file:`/etc/hosts` as
 source for IP addresses.
 
 is configured by :file:`/etc/dnsmasq.d/00infra` and uses :file:`/etc/hosts` as
 source for IP addresses.
 
+.. index::
+   pair: Ferm; configuration
+
 Ferm firewall configuration
 ---------------------------
 
 Ferm firewall configuration
 ---------------------------
 
@@ -289,6 +359,50 @@ The container configuration is contained in files named
 The root filesystems of the containers are stored on :term:`LVM` volumes that
 are mounted in :file:`/var/lib/lxc/<container>/rootfs` for each container.
 
 The root filesystems of the containers are stored on :term:`LVM` volumes that
 are mounted in :file:`/var/lib/lxc/<container>/rootfs` for each container.
 
+Tasks
+=====
+
+.. todo:: document how to setup a new container
+.. todo:: document how to setup firewall rules/forwarding
+.. todo:: document how the backup system works
+
+Reboot
+------
+
+The system can be rebooted safely since the Debian Buster installation on
+2019-07-13:
+
+.. code-block:: bash
+
+   systemctl reboot
+
+Restarting the firewall
+-----------------------
+
+To restart the firewall setup perform a configuration syntax check and use
+systemctl to reload ferm's configuration.
+
+.. code-block:: bash
+
+   ferm -n /etc/ferm/ferm.conf
+   systemctl reload ferm.service
+
+Changes
+=======
+
+Planned
+-------
+
+.. todo:: add DNS setup for IPv6 address
+.. todo:: switch to Puppet management
+.. todo:: replace nrpe with icinga2 agent
+.. todo:: replace ferm with nftables setup
+
+System Future
+-------------
+
+* No plans
+
 Additional documentation
 ========================
 
 Additional documentation
 ========================
 
index 73bc66d..d9ff921 100644 (file)
@@ -69,6 +69,14 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Ircserver
+
+Monitoring
+----------
+
+:internal checks: :monitor:`ircserver.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -105,11 +113,6 @@ Operating System
 
 * Debian GNU/Linux 9.4
 
 
 * Debian GNU/Linux 9.4
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
 Services
 ========
 
index 111c685..7f7ca9d 100644 (file)
@@ -74,6 +74,14 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Issue
+
+Monitoring
+----------
+
+:internal checks: :monitor:`issue.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -104,11 +112,6 @@ Operating System
 
 .. todo:: upgrade to Debian Jessie
 
 
 .. todo:: upgrade to Debian Jessie
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
 Services
 ========
 
@@ -303,6 +306,38 @@ Postfix configuration
 Tasks
 =====
 
 Tasks
 =====
 
+Creating new OTRS user accounts
+-------------------------------
+
+* Go to Admin -> Users -> Add
+* Fill out user details
+
+  * Use a securely random generated password (min. 12 chars, mixed of capital-
+    non-capital letters, numbers and special chars), send it to the user via
+    encrypted mail (also include URL of the issue tracking system, username and
+    some initial instructions or a link to documentation if available)
+  * Use CAcert email addresses only
+
+* Set the preferences for the user. Good standards are:
+
+  * Show tickets: 25
+  * New ticket notification: Yes (or No for high volume queues having agents regulary looking at
+  * Follow up notification: Yes
+  * Ticket lock timeout notification: Yes
+  * Move notification: Yes (or No if the queues for the user get many new tickets)
+  * Spelling Dictionary: English 
+
+* Submit
+* Do NOT set any groups for the user.
+* Go to Admin -> Users -> Roles <-> Users
+* Choose the newly created user
+* Set the roles the user has
+* Submit
+* Now you are done :) 
+
+Changes
+=======
+
 Planned
 -------
 
 Planned
 -------
 
@@ -334,10 +369,6 @@ Ideas
 
 * Use centralised logging
 
 
 * Use centralised logging
 
-
-Changes
-=======
-
 System Future
 -------------
 
 System Future
 -------------
 
@@ -346,36 +377,6 @@ System Future
 Additional documentation
 ========================
 
 Additional documentation
 ========================
 
-Creating new OTRS user accounts
--------------------------------
-
-* Go to Admin -> Users -> Add
-* Fill out user details
-
-  * Use a securely random generated password (min. 12 chars, mixed of capital-
-    non-capital letters, numbers and special chars), send it to the user via
-    encrypted mail (also include URL of the issue tracking system, username and
-    some initial instructions or a link to documentation if available)
-  * Use CAcert email addresses only
-
-* Set the preferences for the user. Good standards are:
-
-  * Show tickets: 25
-  * New ticket notification: Yes (or No for high volume queues having agents regulary looking at
-  * Follow up notification: Yes
-  * Ticket lock timeout notification: Yes
-  * Move notification: Yes (or No if the queues for the user get many new tickets)
-  * Spelling Dictionary: English 
-
-* Submit
-* Do NOT set any groups for the user.
-* Go to Admin -> Users -> Roles <-> Users
-* Choose the newly created user
-* Set the roles the user has
-* Submit
-* Now you are done :) 
-
-
 .. seealso::
 
    * :wiki:`PostfixConfiguration`
 .. seealso::
 
    * :wiki:`PostfixConfiguration`
index ccbc23d..0c457f1 100644 (file)
@@ -68,6 +68,14 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Jenkins
+
+Monitoring
+----------
+
+:internal checks: :monitor:`jenkins.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -95,15 +103,10 @@ Operating System
 ----------------
 
 .. index::
 ----------------
 
 .. index::
-   single: Debian GNU/Linux; Stretch
-   single: Debian GNU/Linux; 9.4
-
-* Debian GNU/Linux 9.4
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
 
 
-Applicable Documentation
-------------------------
-
-This is it :-)
+* Debian GNU/Linux 10.0
 
 Services
 ========
 
 Services
 ========
@@ -122,7 +125,7 @@ Listening services
 +----------+---------+----------+----------------------------+
 | 2022/tcp | Jenkins | internal | Jenkins ssh port           |
 +----------+---------+----------+----------------------------+
 +----------+---------+----------+----------------------------+
 | 2022/tcp | Jenkins | internal | Jenkins ssh port           |
 +----------+---------+----------+----------------------------+
-| 5666/tcp | nrpe    | monitor  | remote monitoring service  |
+| 5665/tcp | icinga2 | monitor  | remote monitoring service  |
 +----------+---------+----------+----------------------------+
 | 8080/tcp | Jenkins | internal | Jenkins web interface      |
 +----------+---------+----------+----------------------------+
 +----------+---------+----------+----------------------------+
 | 8080/tcp | Jenkins | internal | Jenkins web interface      |
 +----------+---------+----------+----------------------------+
@@ -132,38 +135,37 @@ Running services
 
 .. index::
    single: cron
 
 .. index::
    single: cron
+   single: dbus
    single: exim
    single: exim
+   single: icinga2
    single: jenkins
    single: jenkins
-   single: nrpe
    single: openssh
    single: puppet agent
    single: rsyslog
 
    single: openssh
    single: puppet agent
    single: rsyslog
 
-+--------------------+--------------------+-----------------------------------------+
-| Service            | Usage              | Start mechanism                         |
-+====================+====================+=========================================+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`    |
-+--------------------+--------------------+-----------------------------------------+
-| Exim               | SMTP server for    | init script                             |
-|                    | local mail         | :file:`/etc/init.d/exim4`               |
-|                    | submission         |                                         |
-+--------------------+--------------------+-----------------------------------------+
-| Jenkins            | Jenkins CI server  | init script :file:`/etc/init.d/jenkins` |
-+--------------------+--------------------+-----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                             |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server`  |
-|                    | :doc:`monitor`     |                                         |
-+--------------------+--------------------+-----------------------------------------+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`     |
-|                    | remote             |                                         |
-|                    | administration     |                                         |
-+--------------------+--------------------+-----------------------------------------+
-| Puppet agent       | configuration      | init script                             |
-|                    | management agent   | :file:`/etc/init.d/puppet`              |
-+--------------------+--------------------+-----------------------------------------+
-| rsyslog            | syslog daemon      | init script                             |
-|                    |                    | :file:`/etc/init.d/syslog`              |
-+--------------------+--------------------+-----------------------------------------+
++----------------+--------------------------+----------------------------------+
+| Service        | Usage                    | Start mechanism                  |
++================+==========================+==================================+
+| cron           | job scheduler            | systemd unit ``cron.service``    |
++----------------+--------------------------+----------------------------------+
+| Exim           | SMTP server for local    | systemd unit ``exim4.service``   |
+|                | mail submission          |                                  |
++----------------+--------------------------+----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``    |
+|                | daemon                   |                                  |
++----------------+--------------------------+----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| Jenkins        | Jenkins CI server        | systemd unit ``jenkins.service`` |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for           | systemd unit ``ssh.service``     |
+|                | remote administration    |                                  |
++----------------+--------------------------+----------------------------------+
+| Puppet agent   | configuration            | systemd unit ``puppet.service``  |
+|                | management agent         |                                  |
++----------------+--------------------------+----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service`` |
++----------------+--------------------------+----------------------------------+
 
 Connected Systems
 -----------------
 
 Connected Systems
 -----------------
@@ -234,11 +236,19 @@ management web interface with role based access control.
 Tasks
 =====
 
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
 * build more of CAcert's software on the Jenkins instance
 
 Planned
 -------
 
 * build more of CAcert's software on the Jenkins instance
 
+System Future
+-------------
+
+* No plans
+
 Additional documentation
 ========================
 
 Additional documentation
 ========================
 
index 02e4be1..1adfe36 100644 (file)
@@ -375,16 +375,15 @@ Adding a list
 
 5. add subscribers/ other owners
 
 
 5. add subscribers/ other owners
 
+Changes
+=======
+
 Planned
 -------
 
 .. todo:: upgrade the lists system OS to Debian 9 (Stretch)
 Planned
 -------
 
 .. todo:: upgrade the lists system OS to Debian 9 (Stretch)
-
 .. todo:: manage the lists system using Puppet
 
 .. todo:: manage the lists system using Puppet
 
-Changes
-=======
-
 System Future
 -------------
 
 System Future
 -------------
 
index 20b89a2..72439bb 100644 (file)
@@ -83,6 +83,14 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Monitor
+
+Monitoring
+----------
+
+:internal checks: :monitor:`monitor.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -311,14 +319,12 @@ configurations are defined in the :file:`objects/` subdirectory.
 Tasks
 =====
 
 Tasks
 =====
 
-Planned
--------
-
-.. todo:: switch to Icinga2 and Icingaweb2
-
 Changes
 =======
 
 Changes
 =======
 
+Planned
+-------
+
 System Future
 -------------
 
 System Future
 -------------
 
diff --git a/docs/systems/motion.rst b/docs/systems/motion.rst
new file mode 100644 (file)
index 0000000..c6a0cc4
--- /dev/null
@@ -0,0 +1,345 @@
+.. index::
+   single: Systems; Motion
+
+======
+Motion
+======
+
+Purpose
+=======
+
+This system provides the CAcert board motion system. The system replaced the
+board voting system that had been provided on :doc:`webmail` at
+https://community.cacert.org/board/.
+
+Application Links
+-----------------
+
+   Board motion system
+     https://motion.cacert.org/
+
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+Application Administration
+--------------------------
+
++---------------------+---------------------+
+| Application         | Administrator(s)    |
++=====================+=====================+
+| board motion system | :ref:`people_jandd` |
++---------------------+---------------------+
+
+Contact
+-------
+
+* motion-admin@cacert.org
+
+Additional People
+-----------------
+
+No other people have :program:`sudo` access on that machine.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: None
+:IP Intranet: None
+:IP Internal: :ip:v4:`10.0.0.117`
+:IPv6:        :ip:v6:`2001:7b8:616:162:2::117`
+:MAC address: :mac:`00:ff:cc:ce:0d:24` (eth0)
+
+.. seealso::
+
+   See :doc:`../network`
+
+.. index::
+   single: Monitoring; Motion
+
+Monitoring
+----------
+
+:internal checks: :monitor:`motion.infra.cacert.org`
+:external checks: :monitor:`motion.cacert.org`
+
+DNS
+---
+
+.. index::
+   single: DNS records; Motion
+
+======================== ======== ====================================================================
+Name                     Type     Content
+======================== ======== ====================================================================
+motion.cacert.org.       IN A     213.154.225.241
+motion.cacert.org.       IN AAAA  2001:7b8:616:162:2::241
+motion.cacert.org.       IN SSHFP 1 1 f018202c72749af5f48d45d5d536422f9c364fbb
+motion.cacert.org.       IN SSHFP 1 2 0d17bbfe2efa97edbb13ffe3e6bfd3b4b9be5117f3c831a2f1a55b6c50e92fd4
+motion.cacert.org.       IN SSHFP 2 1 ee6f2e346a5d5164100721f99765a4d3d08c6dce
+motion.cacert.org.       IN SSHFP 2 2 53dedfd2c566011db80311528eba15fd000b0a5092ab1fc8104ca5804490cd18
+motion.cacert.org.       IN SSHFP 3 1 6d4a9ec30f30aa0634b8879cded8ce884498e290
+motion.cacert.org.       IN SSHFP 3 2 325ee301da21844adb8f12c0011b8d73709be8b2b9f375829224ac79c8fdfa6e
+motion.cacert.org.       IN SSHFP 4 1 78e1edee04907de6b56d9c0d4900178f9426c02d
+motion.cacert.org.       IN SSHFP 4 2 ca108fc298cb08406fe02454d9245ee1cf26c7241691da9a5b6bc69c56afd5c1
+motion.infra.cacert.org. IN A     10.0.0.117
+======================== ======== ====================================================================
+
+.. seealso::
+
+   See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
+
+* Debian GNU/Linux 10.0
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+----------------------------+
+| Port     | Service | Origin  | Purpose                    |
++==========+=========+=========+============================+
+| 22/tcp   | ssh     | ANY     | admin console access       |
++----------+---------+---------+----------------------------+
+| 25/tcp   | smtp    | local   | mail delivery to local MTA |
++----------+---------+---------+----------------------------+
+| 8443/tcp | https   | ANY     | board motion application   |
++----------+---------+---------+----------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service  |
++----------+---------+---------+----------------------------+
+
+The board motion system is reachable via :doc:`proxyin`. SSH is forwarded from
+port 11722 on the public IP addresses.
+
+Running services
+----------------
+
+.. index::
+   single: cacert-boardvoting
+   single: cron
+   single: dbus
+   single: exim4
+   single: icinga2
+   single: openssh
+   single: puppet
+   single: rsyslog
+
++--------------------+--------------------------+---------------------------------------------+
+| Service            | Usage                    | Start mechanism                             |
++====================+==========================+=============================================+
+| cacert-boardvoting | application              | systemd unit ``cacert-boardvoting.service`` |
++--------------------+--------------------------+---------------------------------------------+
+| cron               | job scheduler            | systemd unit ``cron.service``               |
++--------------------+--------------------------+---------------------------------------------+
+| dbus-daemon        | System message bus       | systemd unit ``dbus.service``               |
+|                    | daemon                   |                                             |
++--------------------+--------------------------+---------------------------------------------+
+| Exim               | SMTP server for          | systemd unit ``exim4.service``              |
+|                    | local mail               |                                             |
+|                    | submission               |                                             |
++--------------------+--------------------------+---------------------------------------------+
+| icinga2            | Icinga2 monitoring agent | systemd unit ``icinga2.service``            |
++--------------------+--------------------------+---------------------------------------------+
+| openssh server     | ssh daemon for           | systemd unit ``ssh.service``                |
+|                    | remote                   |                                             |
+|                    | administration           |                                             |
++--------------------+--------------------------+---------------------------------------------+
+| Puppet agent       | configuration            | systemd unit ``puppet.service``             |
+|                    | management agent         |                                             |
++--------------------+--------------------------+---------------------------------------------+
+| rsyslog            | syslog daemon            | systemd unit ``rsyslog.service``            |
++--------------------+--------------------------+---------------------------------------------+
+
+Databases
+---------
+
++--------+------------------------------------------------------+--------------------+
+| RDBMS  | Name                                                 | Used for           |
++========+======================================================+====================+
+| SQLite | :file:`/srv/cacert-boardvoting/data/database.sqlite` | cacert-boardvoting |
++--------+------------------------------------------------------+--------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`proxyin` for incoming application traffic
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolver at 10.0.0.1 (:doc:`infra02`)
+* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
+* :doc:`proxyout` as HTTP proxy for APT and Puppet
+
+Security
+========
+
+.. sshkeys::
+   :RSA:     SHA256:DRe7/i76l+27E//j5r/TtLm+URfzyDGi8aVbbFDpL9Q MD5:8a:a8:61:d2:07:79:27:6a:37:f8:30:2a:36:aa:d9:4f
+   :DSA:     SHA256:U97f0sVmAR24AxFSjroV/QALClCSqx/IEEylgESQzRg MD5:ec:76:0a:d5:5e:ff:29:1e:f4:b4:78:5f:5e:0f:2a:af
+   :ECDSA:   SHA256:Ml7jAdohhErbjxLAARuNc3Cb6LK583WCkiSsecj9+m4 MD5:3f:38:14:95:9e:fb:10:79:c5:72:d6:c6:79:a8:84:cf
+   :ED25519: SHA256:yhCPwpjLCEBv4CRU2SRe4c8mxyQWkdqaW2vGnFav1cE MD5:c5:40:79:42:09:9d:5e:47:45:d6:ab:e9:58:af:eb:26
+
+Dedicated user roles
+--------------------
+
+* None
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* Board motion system
+
+  The system runs the board motion system developed in the
+  :cacertgit:`cacert-boardvoting`.
+
+  The software is installed from a Debian package that is hosted on
+  :doc:`webstatic`.
+
+  The sofware is built on :doc:`jenkins` via the `cacert-boardvoting Job`_ when
+  there are changes in Git. The Debian package can be built using
+  :program:`gbp`.
+
+  The software is installed and configured via Puppet.
+
+  .. _cacert-boardvoting Job: https://jenkins.cacert.org/job/cacert-boardvoting/
+  .. todo:: describe more in-depth how to build the Debian package
+
+Risk assessments on critical packages
+-------------------------------------
+
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
+The system is stripped down to the bare minimum. The CAcert board voting system
+software is developed using `Go <https://golang.org/>`_ which handles a lot of
+common programming errors at compile time and has a quite good security track
+record.
+
+The board motion tool is run as a separate system user ``cacert-boardvoting``
+and is built as a small self-contained static binary. Access is restricted via
+https.
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: motion.cacert.org
+   :altnames:   DNS:motion.cacert.org
+   :certfile:   /srv/cacert-boardvoting/data/server.crt
+   :keyfile:    /srv/cacert-boardvoting/data/server.key
+   :serial:     02D8A3
+   :expiration: Aug 01 18:06:22 2021 GMT
+   :sha1fp:     90:B8:A7:CE:ED:56:94:D0:58:7B:65:94:FF:D5:5A:43:08:2C:2A:62
+   :issuer:     CAcert Class 3 Root
+
+* :file:`/srv/cacert-boardvoting/data/cacert_class3.pem` CAcert class 3 CA
+  certificate (allowed CA certificate for client certificates)
+
+.. seealso::
+
+   * :wiki:`SystemAdministration/CertificateList`
+
+cacert-boardvoting configuration
+--------------------------------
+
+:program:`cacert-boardvoting` is configured via Puppet profile
+``profiles::cacert-boardvoting``.
+
+Tasks
+=====
+
+Add/Remove voters
+-----------------
+
+An :term:`Application Administrator` can add and remove voters from the CAcert
+board voting system using the :program:`sqlite3` program:
+
+.. code-block:: bash
+
+   cd /srv/cacert-boardvoting/data
+   # open database
+   sqlite3 database.sqlite
+
+.. code-block:: sql
+
+   -- find existing voters
+   select * from voters where enabled=1;
+
+   -- disable voters that should not be able to vote using Ids from the result
+   -- of the previous query
+   update voters set enabled=0 where id in (1, 2, 3);
+
+   -- find existing accounts of voter John Doe and Jane Smith
+   select * from voters where name like 'John%' or name like 'Jane%';
+
+   -- John has an account with id 4, Jane is not in the system
+   -- enable John
+   update voters set enabled=1 where id=4;
+
+   -- insert Jane
+   insert into voters (name, enabled, reminder) values ('Jane Doe', 1,
+     'jane.doe@cacert.org');
+
+   -- find voter id for Jane
+   select id from voters where name='Jane Doe';
+
+   -- Jane has id 42
+   -- insert email address mapping for Jane (used for authentication)
+   insert into emails (voter, address) values (42, 'jane.doe@cacert.org');
+
+Changes
+=======
+
+Planned
+-------
+
+.. todo:: implement user administration inside the application
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+   * :wiki:`Exim4Configuration`
+
+References
+----------
+
+* https://git.cacert.org/gitweb/?p=cacert-boardvoting.git;a=blob_plain;f=README.md;hb=HEAD
diff --git a/docs/systems/proxyin.rst b/docs/systems/proxyin.rst
new file mode 100644 (file)
index 0000000..3ce8cad
--- /dev/null
@@ -0,0 +1,282 @@
+.. index::
+   single: Systems; Proxyin
+
+=======
+Proxyin
+=======
+
+Purpose
+=======
+
+This system provides an incoming TLS proxy using `sniproxy`_ to share one
+public IPv4 address between multiple services.
+
+.. _sniproxy: https://github.com/dlundquist/sniproxy
+
+Application Links
+-----------------
+
+No direct links, applications run on other systems.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+Application Administration
+--------------------------
+
++-------------+---------------------+
+| Application | Administrator(s)    |
++=============+=====================+
+| sniproxy    | :ref:`people_jandd` |
++-------------+---------------------+
+
+Contact
+-------
+
+* proxyin-admin@cacert.org
+
+Additional People
+-----------------
+
+No other people have :program:`sudo` access on that machine.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.241`
+:IP Intranet: :ip:v4:`172.16.2.241`
+:IP Internal: :ip:v4:`10.0.0.35`
+:IPv6:        :ip:v6:`2001:7b8:616:162:2::35`
+:MAC address: :mac:`00:16:3e:3c:c8:a6` (eth0)
+
+.. seealso::
+
+   See :doc:`../network`
+
+.. index::
+   single: Monitoring; Proxyin
+
+Monitoring
+----------
+
+:internal checks: :monitor:`proxyin.infra.cacert.org`
+:external checks: :monitor:`proxyin.cacert.org`
+
+DNS
+---
+
+.. index::
+   single: DNS records; Proxyin
+
+========================= ======== =====================================================================
+Name                      Type     Content
+========================= ======== =====================================================================
+proxyin.cacert.org.       IN A     213.154.225.241
+proxyin.cacert.org.       IN AAAA  2001:7b8:616:162:2::35
+proxyin.cacert.org.       IN SSHFP 1 1 c7c559bc06d236b4128e6d720a573d805a27727a
+proxyin.cacert.org.       IN SSHFP 1 2 affa8cc26dffa7f0803db2d027ab23f013aeabfb3b2d1b1a16659e38dba14528
+proxyin.cacert.org.       IN SSHFP 2 1 19bb944a917067131f02be4e9a709ade68c260f8
+proxyin.cacert.org.       IN SSHFP 2 2 b9b5860f3427ea9c3460c62a880527a41470c77000e5083ffffb7defa0d42e4e
+proxyin.cacert.org.       IN SSHFP 3 1 b9581a544ca96fe071341acb450a2cf74b1b7c9f
+proxyin.cacert.org.       IN SSHFP 3 2 be3dd21fde37042659a25143cb5171b39d22ea2c846745af9c098003a9004185
+proxyin.cacert.org.       IN SSHFP 4 1 9b4ba8c78b6585abaf2b46bce78a6f366f1e9bac
+proxyin.cacert.org.       IN SSHFP 4 2 59125e8706a208fa8eed2b5994ec60f7ba8e31b1c26d90ce909d78a0027359ef
+proxyin.intra.cacert.org. IN A     172.16.2.241
+proxyin.infra.cacert.org. IN A     10.0.0.35
+========================= ======== =====================================================================
+
+.. seealso::
+
+   See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
+
+* Debian GNU/Linux 10.0
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+----------------------------+
+| Port     | Service | Origin  | Purpose                    |
++==========+=========+=========+============================+
+| 22/tcp   | ssh     | ANY     | admin console access       |
++----------+---------+---------+----------------------------+
+| 25/tcp   | smtp    | local   | mail delivery to local MTA |
++----------+---------+---------+----------------------------+
+| 80/tcp   | http    | ANY     | sniproxy                   |
++----------+---------+---------+----------------------------+
+| 443/tcp  | https   | ANY     | sniproxy                   |
++----------+---------+---------+----------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service  |
++----------+---------+---------+----------------------------+
+| 8080/tcp | http    | local   | nginx                      |
++----------+---------+---------+----------------------------+
+
+Running services
+----------------
+
+.. index::
+   single: cron
+   single: dbus
+   single: exim4
+   single: icinga2
+   single: nginx
+   single: openssh
+   single: puppet
+   single: rsyslog
+   single: sniproxy
+
++----------------+--------------------------+-----------------------------------+
+| Service        | Usage                    | Start mechanism                   |
++================+==========================+===================================+
+| cron           | job scheduler            | systemd unit ``cron.service``     |
++----------------+--------------------------+-----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``     |
+|                | daemon                   |                                   |
++----------------+--------------------------+-----------------------------------+
+| Exim           | SMTP server for          | systemd unit ``exim4.service``    |
+|                | local mail submission    |                                   |
++----------------+--------------------------+-----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service``  |
++----------------+--------------------------+-----------------------------------+
+| openssh server | ssh daemon for           | systemd unit ``ssh.service``      |
+|                | remote administration    |                                   |
++----------------+--------------------------+-----------------------------------+
+| Puppet agent   | configuration            | systemd unit ``puppet.service``   |
+|                | management agent         |                                   |
++----------------+--------------------------+-----------------------------------+
+| sniproxy       | TLS SNI proxy            | systemd unit ``sniproxy.service`` |
++----------------+--------------------------+-----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service``  |
++----------------+--------------------------+-----------------------------------+
+
+Databases
+---------
+
+* None
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolver at 10.0.0.1 (:doc:`infra02`)
+* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
+* :doc:`proxyout` as HTTP proxy for APT
+* :doc:`motion` (tcp/8443) as backend for https://motion.cacert.org/
+
+Security
+========
+
+.. sshkeys::
+   :RSA:     SHA256:r/qMwm3/p/CAPbLQJ6sj8BOuq/s7LRsaFmWeONuhRSg MD5:9d:ab:4f:2d:48:81:a1:86:68:99:8a:49:d5:01:07:6f
+   :DSA:     SHA256:ubWGDzQn6pw0YMYqiAUnpBRwx3AA5Qg///t976DULk4 MD5:2c:33:c7:bd:f2:6b:1a:03:ea:cd:c3:da:d8:a7:fa:c2
+   :ECDSA:   SHA256:vj3SH943BCZZolFDy1Fxs50i6iyEZ0WvnAmAA6kAQYU MD5:7d:ac:f4:ce:fb:4f:17:72:4d:5a:c4:b4:08:5d:8b:7c
+   :ED25519: SHA256:WRJehwaiCPqO7StZlOxg97qOMbHCbZDOkJ14oAJzWe8 MD5:14:6d:9e:24:de:97:f7:96:bc:cd:45:28:1b:b5:52:7e
+
+Dedicated user roles
+--------------------
+
+* None
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+The Puppet agent package and a few dependencies are installed from the official
+Puppet APT repository because the versions in Debian are too old to use modern
+Puppet features.
+
+The system is stripped down to the bare minimum. Both :program:`sniproxy` and
+:program:`nginx` are security supported. The :program:`nginx-light` package is
+used for `nginx` because no special features are required.
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the :cacertgit:`cacert-puppet`.
+
+Keys and X.509 certificates
+---------------------------
+
+The host does not provide own TLS services and therefore has no certificates.
+
+nginx configuration
+-------------------
+
+:program:`nginx` is configured via Puppet profile ``profiles::sniproxy`` and
+just redirects all http traffic to https.
+
+sniproxy configuration
+----------------------
+
+:program:`sniproxy` is configured via Puppet profile ``profiles::sniproxy``,
+TCP traffic on port 80 is forwarded to the local nginx and https traffic is
+forwarded to the target hosts as configured in
+:file:`hieradata/nodes/proxyin.yaml`.
+
+Tasks
+=====
+
+Adding a new forward entry
+--------------------------
+
+Add a line to the ``profiles::sniproxy::https_forwards`` item in Hiera data and
+adjust the firewall configuration on :doc:`infra02`.
+
+Changes
+=======
+
+Planned
+-------
+
+* None
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+   * :wiki:`Exim4Configuration`
+
+References
+----------
+
+* https://github.com/dlundquist/sniproxy
index d28c710..f48d76e 100644 (file)
@@ -70,6 +70,14 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Proxyout
+
+Monitoring
+----------
+
+:internal checks: :monitor:`proxyout.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -86,10 +94,10 @@ Operating System
 ----------------
 
 .. index::
 ----------------
 
 .. index::
-   single: Debian GNU/Linux; Stretch
-   single: Debian GNU/Linux; 9.4
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
 
 
-* Debian GNU/Linux 9.4
+* Debian GNU/Linux 10.0
 
 Applicable Documentation
 ------------------------
 
 Applicable Documentation
 ------------------------
@@ -103,51 +111,56 @@ Services
 Listening services
 ------------------
 
 Listening services
 ------------------
 
-+----------+-----------+-----------+-----------------------------------------+
-| Port     | Service   | Origin    | Purpose                                 |
-+==========+===========+===========+=========================================+
-| 22/tcp   | ssh       | ANY       | admin console access                    |
-+----------+-----------+-----------+-----------------------------------------+
-| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
-+----------+-----------+-----------+-----------------------------------------+
-| 3128/tcp | http      | internal  | squid http/https proxy                  |
-+----------+-----------+-----------+-----------------------------------------+
++----------+---------+----------+----------------------------+
+| Port     | Service | Origin   | Purpose                    |
++==========+=========+==========+============================+
+| 22/tcp   | ssh     | ANY      | admin console access       |
++----------+---------+----------+----------------------------+
+| 25/tcp   | smtp    | local    | mail delivery to local MTA |
++----------+---------+----------+----------------------------+
+| 3128/tcp | http    | internal | squid http/https proxy     |
++----------+---------+----------+----------------------------+
+| 5665/tcp | icinga2 | monitor  | remote monitoring service  |
++----------+---------+----------+----------------------------+
 
 Running services
 ----------------
 
 .. index::
    single: cron
 
 Running services
 ----------------
 
 .. index::
    single: cron
+   single: dbus
    single: exim
    single: exim
+   single: icinga2
    single: openssh
    single: openssh
-   single: puppet agent
+   single: puppet
    single: rsyslog
    single: squid
 
    single: rsyslog
    single: squid
 
-+----------------+--------------------+--------------------------------------+
-| Service        | Usage              | Start mechanism                      |
-+================+====================+======================================+
-| cron           | job scheduler      | init script :file:`/etc/init.d/cron` |
-+----------------+--------------------+--------------------------------------+
-| Exim           | SMTP server for    | init script                          |
-|                | local mail         | :file:`/etc/init.d/exim4`            |
-|                | submission         |                                      |
-+----------------+--------------------+--------------------------------------+
-| openssh server | ssh daemon for     | init script :file:`/etc/init.d/ssh`  |
-|                | remote             |                                      |
-|                | administration     |                                      |
-+----------------+--------------------+--------------------------------------+
-| Puppet agent   | local Puppet agent | init script                          |
-|                |                    | :file:`/etc/init.d/puppet`           |
-+----------------+--------------------+--------------------------------------+
-| rsyslog        | syslog daemon      | init script                          |
-|                |                    | :file:`/etc/init.d/syslog`           |
-+----------------+--------------------+--------------------------------------+
-| Squid          | Caching and        | init script                          |
-|                | filtering http/    | :file:`/etc/init.d/squid`            |
-|                | https proxy for    |                                      |
-|                | internal machines  |                                      |
-+----------------+--------------------+--------------------------------------+
++----------------+--------------------------+----------------------------------+
+| Service        | Usage                    | Start mechanism                  |
++================+==========================+==================================+
+| cron           | job scheduler            | systemd unit ``cron.service``    |
++----------------+--------------------------+----------------------------------+
+| dbus-daemon    | System message bus       | systemd unit ``dbus.service``    |
+|                | daemon                   |                                  |
++----------------+--------------------------+----------------------------------+
+| Exim           | SMTP server for          | systemd unit ``exim4.service``   |
+|                | local mail submission    |                                  |
++----------------+--------------------------+----------------------------------+
+| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+--------------------------+----------------------------------+
+| openssh server | ssh daemon for           | systemd unit ``ssh.service``     |
+|                | remote administration    |                                  |
++----------------+--------------------------+----------------------------------+
+| Puppet agent   | configuration management | systemd unit ``puppet.service``  |
+|                | agent                    |                                  |
++----------------+--------------------------+----------------------------------+
+| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service`` |
++----------------+--------------------------+----------------------------------+
+| Squid          | Caching and filtering    | systemd unit ``squid.service``   |
+|                | http/https proxy for     |                                  |
+|                | internal machines        |                                  |
++----------------+--------------------------+----------------------------------+
 
 Connected Systems
 -----------------
 
 Connected Systems
 -----------------
@@ -217,13 +230,25 @@ configuration items outside of the Puppet repository.
 Tasks
 =====
 
 Tasks
 =====
 
+Adding ACLs to Squid
+--------------------
+
+Add required lines to the ``profiles::squid::acls`` item in Hiera data for node
+proxyout.
+
+Changes
+=======
+
 Planned
 -------
 
 .. todo:: Change all infrastructure hosts to use this machine as APT proxy to
           avoid flaky firewall configurations on :doc:`infra02`.
 
 Planned
 -------
 
 .. todo:: Change all infrastructure hosts to use this machine as APT proxy to
           avoid flaky firewall configurations on :doc:`infra02`.
 
-.. todo:: Add more APT repositories and ACLs if needed
+System Future
+-------------
+
+* No plans
 
 Additional documentation
 ========================
 
 Additional documentation
 ========================
index 9c06c49..81f78cf 100644 (file)
@@ -72,6 +72,14 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Puppet
+
+Monitoring
+----------
+
+:internal checks: :monitor:`puppet.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -88,15 +96,10 @@ Operating System
 ----------------
 
 .. index::
 ----------------
 
 .. index::
-   single: Debian GNU/Linux; Stretch
-   single: Debian GNU/Linux; 9.4
+   single: Debian GNU/Linux; Buster
+   single: Debian GNU/Linux; 10.0
 
 
-* Debian GNU/Linux 9.4
-
-Applicable Documentation
-------------------------
-
-This is it :-)
+* Debian GNU/Linux 10.0
 
 Services
 ========
 
 Services
 ========
@@ -254,7 +257,6 @@ trusted Puppet agents.
 The CA data is stored in :file:`/etc/puppetlabs/puppet/ssl` and managed by
 puppet itself.
 
 The CA data is stored in :file:`/etc/puppetlabs/puppet/ssl` and managed by
 puppet itself.
 
-
 Eyaml private key
 -----------------
 
 Eyaml private key
 -----------------
 
@@ -264,7 +266,6 @@ key in :file:`keys/public_key.pkcs7.pem` in the `CAcert puppet Git repository
 private key is stored in
 :file:`/etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem`.
 
 private key is stored in
 :file:`/etc/puppetlabs/code/environments/production/keys/private_key.pkcs7.pem`.
 
-
 hiera configuration
 -------------------
 
 hiera configuration
 -------------------
 
@@ -272,7 +273,6 @@ Puppet uses Hiera for hierarchical information retrieval. The global hiera
 configuration is stored in :file:`/etc/puppetlabs/puppet/hiera.yaml` and
 defines the hierarchy lookup as well as the eyaml key locations.
 
 configuration is stored in :file:`/etc/puppetlabs/puppet/hiera.yaml` and
 defines the hierarchy lookup as well as the eyaml key locations.
 
-
 puppet configuration
 --------------------
 
 puppet configuration
 --------------------
 
@@ -288,21 +288,19 @@ pattern (see references below) and code/data separation via Hiera.
 Updates to the cacert-puppet repository trigger a web hook listening on tcp
 port 8000 that automatically updates the production environment directory.
 
 Updates to the cacert-puppet repository trigger a web hook listening on tcp
 port 8000 that automatically updates the production environment directory.
 
-
 Tasks
 =====
 
 Tasks
 =====
 
+.. todo:: add a section to describe how to add a system for puppet management
+
+Changes
+=======
+
 Planned
 -------
 
 * migrate as many systems as possible to use Puppet for a more
   reproducible/auditable system setup
 Planned
 -------
 
 * migrate as many systems as possible to use Puppet for a more
   reproducible/auditable system setup
-* automate updates of the Puppet code from Git
-
-.. todo:: improve Webhook to run r10k after git pull
-
-Changes
-=======
 
 System Future
 -------------
 
 System Future
 -------------
index 45a4244..f041269 100644 (file)
@@ -83,6 +83,14 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Svn
+
+Monitoring
+----------
+
+:internal checks: :monitor:`svn.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -317,12 +325,6 @@ CRLs are updated by :file:`/etc/cron.daily/fetchcrls`.
 Tasks
 =====
 
 Tasks
 =====
 
-Planned
--------
-
-The configuration of this system will be migrated to a setup fully managed by
-Puppet.
-
 X.509 Auth for policy
 ---------------------
 
 X.509 Auth for policy
 ---------------------
 
@@ -337,6 +339,13 @@ Mail notifications
 Changes
 =======
 
 Changes
 =======
 
+Planned
+-------
+
+The configuration of this system will be migrated to a setup fully managed by
+Puppet.
+
+
 System Future
 -------------
 
 System Future
 -------------
 
index 35ca202..8ddf96a 100644 (file)
@@ -66,6 +66,8 @@ This system is located in an :term:`LXC` container on physical machine
 Physical Configuration
 ----------------------
 
 Physical Configuration
 ----------------------
 
+.. fill this section for physical machines, remove it for VMs/containers
+
 .. seealso::
 
    See :wiki:`SystemAdministration/EquipmentList`
 .. seealso::
 
    See :wiki:`SystemAdministration/EquipmentList`
@@ -73,15 +75,29 @@ Physical Configuration
 Logical Location
 ----------------
 
 Logical Location
 ----------------
 
-:IP Internet: :ip:v4:`<IP>`
-:IP Intranet: :ip:v4:`<IP>`
-:IP Internal: :ip:v4:`<IP>`
+.. add information about network settings of the system
+
+:IP Internet: :ip:v4:`213.154.225.<IP>`
+:IP Intranet: :ip:v4:`172.16.2.<IP>`
+:IP Internal: :ip:v4:`10.0.0.<IP>`
+:IPv6:        :ip:v6:`2001:7b8:616:162:x::<IP>`
 :MAC address: :mac:`<MAC>` (interfacename)
 
 .. seealso::
 
    See :doc:`../network`
 
 :MAC address: :mac:`<MAC>` (interfacename)
 
 .. seealso::
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; <machine>
+
+Monitoring
+----------
+
+.. add links to monitoring checks
+
+:internal checks: :monitor:`template.infra.cacert.org`
+:external checks: :monitor:`template.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -108,11 +124,6 @@ Operating System
 
 * Debian GNU/Linux x.y
 
 
 * Debian GNU/Linux x.y
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
 Services
 ========
 
@@ -121,86 +132,112 @@ Listening services
 
 .. use the values from this table or add new lines if applicable
 
 
 .. use the values from this table or add new lines if applicable
 
-+----------+-----------+-----------+-----------------------------------------+
-| Port     | Service   | Origin    | Purpose                                 |
-+==========+===========+===========+=========================================+
-| 22/tcp   | ssh       | ANY       | admin console access                    |
-+----------+-----------+-----------+-----------------------------------------+
-| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
-+----------+-----------+-----------+-----------------------------------------+
-| 80/tcp   | http      | ANY       | application                             |
-+----------+-----------+-----------+-----------------------------------------+
-| 443/tcp  | https     | ANY       | application                             |
-+----------+-----------+-----------+-----------------------------------------+
-| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
-+----------+-----------+-----------+-----------------------------------------+
-| 3306/tcp | mysql     | local     | MySQL database for ...                  |
-+----------+-----------+-----------+-----------------------------------------+
-| 5432/tcp | pgsql     | local     | PostgreSQL database for ...             |
-+----------+-----------+-----------+-----------------------------------------+
-| 465/udp  | syslog    | local     | syslog port                             |
-+----------+-----------+-----------+-----------------------------------------+
++----------+---------+---------+-----------------------------+
+| Port     | Service | Origin  | Purpose                     |
++==========+=========+=========+=============================+
+| 22/tcp   | ssh     | ANY     | admin console access        |
++----------+---------+---------+-----------------------------+
+| 25/tcp   | smtp    | local   | mail delivery to local MTA  |
++----------+---------+---------+-----------------------------+
+| 80/tcp   | http    | ANY     | application                 |
++----------+---------+---------+-----------------------------+
+| 443/tcp  | https   | ANY     | application                 |
++----------+---------+---------+-----------------------------+
+| 5665/tcp | icinga2 | monitor | remote monitoring service   |
++----------+---------+---------+-----------------------------+
+| 5666/tcp | nrpe    | monitor | remote monitoring service   |
++----------+---------+---------+-----------------------------+
+| 3306/tcp | mysql   | local   | MySQL database for ...      |
++----------+---------+---------+-----------------------------+
+| 5432/tcp | pgsql   | local   | PostgreSQL database for ... |
++----------+---------+---------+-----------------------------+
+| 465/udp  | syslog  | local   | syslog port                 |
++----------+---------+---------+-----------------------------+
 
 Running services
 ----------------
 
 
 Running services
 ----------------
 
+..
+   document running services, keep the table in alphabetic order to allow
+   easier diffing, the Start mechanism column should point to an absolute path
+   to an init script or the name of a systemd unit
+
 .. index::
 .. index::
-   single: Apache
-   single: Icinga2
-   single: MySQL
-   single: OpenERP
-   single: Postfix
-   single: PostgreSQL
+   single: apache httpd
    single: cron
    single: cron
+   single: dbus
+   single: exim4
+   single: icinga2
+   single: mariadb
+   single: mysql
    single: nginx
    single: nrpe
    single: nginx
    single: nrpe
+   single: openerp
    single: openssh
    single: openssh
-
-+--------------------+--------------------+----------------------------------------+
-| Service            | Usage              | Start mechanism                        |
-+====================+====================+========================================+
-| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
-|                    | remote             |                                        |
-|                    | administration     |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Apache httpd       | Webserver for ...  | init script                            |
-|                    |                    | :file:`/etc/init.d/apache2`            |
-+--------------------+--------------------+----------------------------------------+
-| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
-+--------------------+--------------------+----------------------------------------+
-| rsyslog            | syslog daemon      | init script                            |
-|                    |                    | :file:`/etc/init.d/syslog`             |
-+--------------------+--------------------+----------------------------------------+
-| PostgreSQL         | PostgreSQL         | init script                            |
-|                    | database server    | :file:`/etc/init.d/postgresql`         |
-|                    | for ...            |                                        |
-+--------------------+--------------------+----------------------------------------+
-| MySQL              | MySQL database     | init script                            |
-|                    | server for ...     | :file:`/etc/init.d/mysql`              |
-+--------------------+--------------------+----------------------------------------+
-| Postfix            | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/postfix`            |
-|                    | submission, ...    |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Exim               | SMTP server for    | init script                            |
-|                    | local mail         | :file:`/etc/init.d/exim4`              |
-|                    | submission, ...    |                                        |
-+--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring  | init script                            |
-|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-|                    | :doc:`monitor`     |                                        |
-+--------------------+--------------------+----------------------------------------+
+   single: postfix
+   single: postgresql
+   single: puppet
+   single: rsyslog
+
++--------------------+--------------------------+----------------------------------------+
+| Service            | Usage                    | Start mechanism                        |
++====================+==========================+========================================+
+| Apache httpd       | Webserver for ...        | init script                            |
+|                    |                          | :file:`/etc/init.d/apache2`            |
++--------------------+--------------------------+----------------------------------------+
+| cron               | job scheduler            | init script :file:`/etc/init.d/cron`   |
++--------------------+--------------------------+----------------------------------------+
+| dbus-daemon        | System message bus       | systemd unit ``dbus.service``          |
+|                    | daemon                   |                                        |
++--------------------+--------------------------+----------------------------------------+
+| Exim               | SMTP server for          | init script                            |
+|                    | local mail               | :file:`/etc/init.d/exim4`              |
+|                    | submission, ...          |                                        |
++--------------------+--------------------------+----------------------------------------+
+| icinga2            | Icinga2 monitoring agent | systemd unit ``icinga2.service``       |
++--------------------+--------------------------+----------------------------------------+
+| MariaDB            | MariaDB database         | systemd unit ``mariadb.service``       |
+|                    | server for bug           |                                        |
+|                    | tracker                  |                                        |
++--------------------+--------------------------+----------------------------------------+
+| MySQL              | MySQL database           | init script                            |
+|                    | server for ...           | :file:`/etc/init.d/mysql`              |
++--------------------+--------------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring        | init script                            |
+|                    | service queried by       | :file:`/etc/init.d/nagios-nrpe-server` |
+|                    | :doc:`monitor`           |                                        |
++--------------------+--------------------------+----------------------------------------+
+| openssh server     | ssh daemon for           | init script :file:`/etc/init.d/ssh`    |
+|                    | remote                   |                                        |
+|                    | administration           |                                        |
++--------------------+--------------------------+----------------------------------------+
+| Postfix            | SMTP server for          | init script                            |
+|                    | local mail               | :file:`/etc/init.d/postfix`            |
+|                    | submission, ...          |                                        |
++--------------------+--------------------------+----------------------------------------+
+| PostgreSQL         | PostgreSQL               | init script                            |
+|                    | database server          | :file:`/etc/init.d/postgresql`         |
+|                    | for ...                  |                                        |
++--------------------+--------------------------+----------------------------------------+
+| Puppet agent       | configuration            | systemd unit ``puppet.service``        |
+|                    | management agent         |                                        |
++--------------------+--------------------------+----------------------------------------+
+| rsyslog            | syslog daemon            | init script                            |
+|                    |                          | :file:`/etc/init.d/syslog`             |
++--------------------+--------------------------+----------------------------------------+
 
 Databases
 ---------
 
 
 Databases
 ---------
 
-+-------------+--------------+---------------------------+
-| RDBMS       | Name         | Used for                  |
-+=============+==============+===========================+
-| MySQL       | application1 | fictional application one |
-+-------------+--------------+---------------------------+
-| PostgreSQL  | application2 | fictional application two |
-+-------------+--------------+---------------------------+
++------------+--------------+-----------------------------+
+| RDBMS      | Name         | Used for                    |
++============+==============+=============================+
+| MySQL      | application1 | fictional application one   |
++------------+--------------+-----------------------------+
+| PostgreSQL | application2 | fictional application two   |
++------------+--------------+-----------------------------+
+| SQLite     | application  | fictional application three |
++------------+--------------+-----------------------------+
 
 Running Guests
 --------------
 
 Running Guests
 --------------
@@ -220,14 +257,21 @@ Outbound network connections
 ----------------------------
 
 * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
 ----------------------------
 
 * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+  .. or
+* DNS (53) resolver at 10.0.0.1 (:doc:`infra02`)
 * :doc:`emailout` as SMTP relay
 * :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
 * :doc:`proxyout` as HTTP proxy for APT
 * crl.cacert.org (rsync) for getting CRLs
 
 Security
 ========
 
 * :doc:`proxyout` as HTTP proxy for APT
 * crl.cacert.org (rsync) for getting CRLs
 
 Security
 ========
 
-.. add the MD5 fingerprints of the SSH host keys
+..
+   add the SHA256 and MD5 fingerprints of the SSH host keys. You can just paste
+   the output of the ssh_host_keys.py script in the tools folder of the
+   cacert-infradocs git repository with the root filesystem of the host as
+   argument.
 
 .. sshkeys::
    :RSA:
 
 .. sshkeys::
    :RSA:
@@ -262,14 +306,26 @@ Risk assessments on critical packages
 .. add a paragraph for each known risk. The risk has to be described.
    Mitigation or risk acceptance has to be documented.
 
 .. add a paragraph for each known risk. The risk has to be described.
    Mitigation or risk acceptance has to be documented.
 
+..
+   The Puppet agent package and a few dependencies are installed from the
+   official Puppet APT repository because the versions in Debian are too old to
+   use modern Puppet features.
+
 Critical Configuration items
 ============================
 
 Critical Configuration items
 ============================
 
+..
+   The system configuration is managed via Puppet profiles. There should be no
+   configuration items outside of the :cacertgit:`cacert-puppet`.
+
 Keys and X.509 certificates
 ---------------------------
 
 Keys and X.509 certificates
 ---------------------------
 
-.. use the sslcert directive to have certificates added to the certificate list
-   automatically
+..
+   use the sslcert directive to have certificates added to the certificate list
+   automatically. There is a script sslcert.py in the tools directory of the
+   cacert-infradocs git repository that can generate these directives
+   automatically.
 
 .. sslcert:: template.cacert.org
    :altnames:
 
 .. sslcert:: template.cacert.org
    :altnames:
@@ -298,21 +354,27 @@ Keys and X.509 certificates
 <service_x> configuration
 -------------------------
 
 <service_x> configuration
 -------------------------
 
-.. add a section for the configuration of each service where configuration
+..
+   add a section for the configuration of each service where configuration
    deviates from OS package defaults
 
 Tasks
 =====
 
    deviates from OS package defaults
 
 Tasks
 =====
 
+..
+   add a section for each system maintenance task that is special for this
+   system, i.e. adding/removing accounts, running some special maintenance
+   scripts or similar tasks
+
+Changes
+=======
+
 Planned
 -------
 
 .. add a paragraph or todo directive for each larger planned task. You may want
    to link to specific issues if you use some issue tracker.
 
 Planned
 -------
 
 .. add a paragraph or todo directive for each larger planned task. You may want
    to link to specific issues if you use some issue tracker.
 
-Changes
-=======
-
 System Future
 -------------
 
 System Future
 -------------
 
index 0f9ac65..9e9fdbd 100644 (file)
@@ -70,6 +70,14 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Test
+
+Monitoring
+----------
+
+:internal checks: :monitor:`test.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -101,11 +109,6 @@ Operating System
 
 * Debian GNU/Linux 8.11
 
 
 * Debian GNU/Linux 8.11
 
-Applicable Documentation
-------------------------
-
-There is no additional documentation for this system.
-
 Services
 ========
 
 Services
 ========
 
@@ -434,6 +437,9 @@ and to use mbox style mailboxes in /var/mail/%u in the following files:
 Tasks
 =====
 
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
 Planned
 -------
 
@@ -441,8 +447,6 @@ Planned
 
    Upgrade test to Debian Stretch when the software is ready.
 
 
    Upgrade test to Debian Stretch when the software is ready.
 
-Changes
-=======
 
 System Future
 -------------
 
 System Future
 -------------
index 444cf87..f735bec 100644 (file)
@@ -83,6 +83,14 @@ there are some special mappings in the infra02 firewall to get access to this sy
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Test3
+
+Monitoring
+----------
+
+.. :internal checks: :monitor:`test3.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -449,14 +457,14 @@ all mail is delivered to the mailbox of the *cacertmail* user in
 Tasks
 =====
 
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
 .. todo:: implement git workflows for updates maybe using :doc:`jenkins`
 
 Planned
 -------
 
 .. todo:: implement git workflows for updates maybe using :doc:`jenkins`
 
-Changes
-=======
-
 System Future
 -------------
 
 System Future
 -------------
 
index 572849b..8aa91be 100644 (file)
@@ -71,6 +71,14 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Translations
+
+Monitoring
+----------
+
+:internal checks: :monitor:`translations.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -107,11 +115,6 @@ Operating System
 
 * Debian GNU/Linux 9.4
 
 
 * Debian GNU/Linux 9.4
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
 Services
 ========
 
@@ -394,6 +397,9 @@ Pootle version and have to be checked/updated.
 Tasks
 =====
 
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
 Planned
 -------
 
@@ -413,8 +419,6 @@ Planned
    them with the :program:`sudo` system to allow members of the `pootle-update`
    group to run them in the context of the `pootle` system user
 
    them with the :program:`sudo` system to allow members of the `pootle-update`
    group to run them in the context of the `pootle` system user
 
-Changes
-=======
 
 System Future
 -------------
 
 System Future
 -------------
index 16e32b2..c3fba2d 100644 (file)
@@ -68,6 +68,14 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Web
+
+Monitoring
+----------
+
+:internal checks: :monitor:`web.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -100,11 +108,6 @@ Operating System
 
 * Debian GNU/Linux 9.4
 
 
 * Debian GNU/Linux 9.4
 
-Applicable Documentation
-------------------------
-
-This is it :-)
-
 Services
 ========
 
 Services
 ========
 
@@ -211,7 +214,7 @@ Critical Configuration items
 ============================
 
 The system configuration is managed via Puppet profiles. There should be no
 ============================
 
 The system configuration is managed via Puppet profiles. There should be no
-configuration items outside of the Puppet repository.
+configuration items outside of the :cacertgit:`cacert-puppet`.
 
 .. todo:: move configuration of :doc:`web` to Puppet code
 
 
 .. todo:: move configuration of :doc:`web` to Puppet code
 
@@ -231,9 +234,9 @@ Keys and X.509 certificates
    :altnames:   DNS:funding.cacert.org
    :certfile:   /etc/ssl/certs/funding.cacert.org.crt
    :keyfile:    /etc/ssl/private/funding.cacert.org.key
    :altnames:   DNS:funding.cacert.org
    :certfile:   /etc/ssl/certs/funding.cacert.org.crt
    :keyfile:    /etc/ssl/private/funding.cacert.org.key
-   :serial:     02A770
-   :expiration: Feb 16 12:07:35 2019 GMT
-   :sha1fp:     36:E0:A1:86:7A:FA:C6:F4:86:9F:CC:9C:61:4D:B9:A4:7C:0F:9F:C9
+   :serial:     02D059
+   :expiration: Jan 31 16:29:20 2021 GMT
+   :sha1fp:     FD:0D:2A:33:70:64:0E:2A:D6:F6:72:0F:D0:47:D9:C7:BD:E3:F4:DF
    :issuer:     CAcert Class 3 Root
 
 .. sslcert:: infradocs.cacert.org
    :issuer:     CAcert Class 3 Root
 
 .. sslcert:: infradocs.cacert.org
@@ -249,9 +252,9 @@ Keys and X.509 certificates
    :altnames:   DNS:jenkins.cacert.org
    :certfile:   /etc/ssl/certs/jenkins.cacert.org.crt
    :keyfile:    /etc/ssl/private/jenkins.cacert.org.key
    :altnames:   DNS:jenkins.cacert.org
    :certfile:   /etc/ssl/certs/jenkins.cacert.org.crt
    :keyfile:    /etc/ssl/private/jenkins.cacert.org.key
-   :serial:     02A76F
-   :expiration: Feb 16 12:07:29 2019 GMT
-   :sha1fp:     D1:E3:5B:73:63:28:C6:31:0F:35:4A:2F:0D:12:B5:6C:3F:72:08:3D
+   :serial:     02D058
+   :expiration: Jan 31 16:27:54 2021 GMT
+   :sha1fp:     00:5B:9C:4D:2E:D2:E4:69:2D:32:61:DC:25:98:F0:89:C9:E1:50:F1
    :issuer:     CAcert Class 3 Root
 
 .. sslcert:: web.cacert.org
    :issuer:     CAcert Class 3 Root
 
 .. sslcert:: web.cacert.org
@@ -310,14 +313,14 @@ Apache httpd configuration
 Tasks
 =====
 
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
 .. todo:: manage the web system using Puppet
 
 Planned
 -------
 
 .. todo:: manage the web system using Puppet
 
-Changes
-=======
-
 System Future
 -------------
 
 System Future
 -------------
 
index 7878236..0eb88d8 100644 (file)
@@ -329,14 +329,14 @@ The board voting system uses a SQLite database in
 Tasks
 =====
 
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
 .. todo:: implement CRL checking
 
 Planned
 -------
 
 .. todo:: implement CRL checking
 
-Changes
-=======
-
 System Future
 -------------
 
 System Future
 -------------
 
index 77c175b..34e90aa 100644 (file)
@@ -24,6 +24,9 @@ Funding
 Infrastructure Documentation
    https://infradocs.cacert.org/
 
 Infrastructure Documentation
    https://infradocs.cacert.org/
 
+CAcert internal Debian repository
+   https://webstatic.infra.cacert.org/
+
 Administration
 ==============
 
 Administration
 ==============
 
@@ -77,6 +80,14 @@ Logical Location
 
    See :doc:`../network`
 
 
    See :doc:`../network`
 
+.. index::
+   single: Monitoring; Webstatic
+
+Monitoring
+----------
+
+:internal checks: :monitor:`webstatic.infra.cacert.org`
+
 DNS
 ---
 
 DNS
 ---
 
@@ -108,14 +119,9 @@ Operating System
 
 .. index::
    single: Debian GNU/Linux; Stretch
 
 .. index::
    single: Debian GNU/Linux; Stretch
-   single: Debian GNU/Linux; 9.4
+   single: Debian GNU/Linux; 9.9
 
 
-* Debian GNU/Linux 9.4
-
-Applicable Documentation
-------------------------
-
-This is it :-)
+* Debian GNU/Linux 9.9
 
 Services
 ========
 
 Services
 ========
@@ -205,13 +211,15 @@ Dedicated user roles
 --------------------
 
 +-------------------+---------------------------------------------------+
 --------------------
 
 +-------------------+---------------------------------------------------+
-| Group             | Purpose                                           |
+| Role              | Purpose                                           |
 +===================+===================================================+
 | jenkins-infradocs | Used by :doc:`jenkins` to upload documentation to |
 |                   | :file:`/var/www/codedocs.cacert.org/html/` and    |
 |                   | :file:`/var/www/infradocs.cacert.org/html/`       |
 +-------------------+---------------------------------------------------+
 
 +===================+===================================================+
 | jenkins-infradocs | Used by :doc:`jenkins` to upload documentation to |
 |                   | :file:`/var/www/codedocs.cacert.org/html/` and    |
 |                   | :file:`/var/www/infradocs.cacert.org/html/`       |
 +-------------------+---------------------------------------------------+
 
+.. todo:: manage ``jenkins-infradocs`` user via Puppet
+
 Non-distribution packages and modifications
 -------------------------------------------
 
 Non-distribution packages and modifications
 -------------------------------------------
 
@@ -236,51 +244,42 @@ Critical Configuration items
 ============================
 
 The system configuration is managed via Puppet profiles. There should be no
 ============================
 
 The system configuration is managed via Puppet profiles. There should be no
-configuration items outside of the Puppet repository.
-
-.. todo:: move configuration of :doc:`webstatic` to Puppet code
+configuration items outside of the :cacertgit:`cacert-puppet`.
 
 Keys and X.509 certificates
 ---------------------------
 
 
 Keys and X.509 certificates
 ---------------------------
 
-The host does not provide TLS services and therefore has no certificates.
-
-.. todo::
-   move the TLS configuration for the served VirtualHosts to :doc:`webstatic`
+The host does not provide own TLS services and therefore has no certificates.
 
 Apache httpd configuration
 --------------------------
 
 
 Apache httpd configuration
 --------------------------
 
-The main configuration files for Apache httpd are:
-
-* :file:`/etc/apache2/sites-available/000-default.conf`
+Apache configuration is managed via the Puppet profile
+``profiles::static_websites``.
 
 
-  Defines the default VirtualHost for requests reaching this host with no
-  specifically handled host name.
+Debian repository configuration
+-------------------------------
 
 
-* :file:`/etc/apache2/sites-available/codedocs.cacert.org.conf`
-
-  Defines the VirtualHost for https://codedocs.cacert.org/
-
-* :file:`/etc/apache2/sites-available/funding.cacert.org.conf`
-
-  Defines the VirtualHost for https://funding.cacert.org/
-
-* :file:`/etc/apache2/sites-available/infradocs.cacert.org.conf`
-
-  Defines the VirtualHost for https://infradocs.cacert.org/
+The Debian repository is managed via the Puppet profile
+``profiles::debarchive``. Packages that are uploaded to
+:file:`/srv/upload/incoming` are automatically processed by
+:program:`inoticoming` and :program:`reprepro`. Only packages signed by a known
+PGP key (managed via Puppet) are accepted and provided at
+https://webstatic.infra.cacert.org/.
 
 
+The repository signing key is stored in
+:file:`/srv/debarchive/.gnupg/private-keys-v1.d/223894064EE26851A245DE9208C5C0ABF772F7A7.key`.
 
 Tasks
 =====
 
 
 Tasks
 =====
 
+Changes
+=======
+
 Planned
 -------
 
 Planned
 -------
 
-.. todo:: manage the webstatic system using Puppet
-
-Changes
-=======
+.. todo:: update to Debian 10 (when Puppet is available)
 
 System Future
 -------------
 
 System Future
 -------------
@@ -298,3 +297,5 @@ References
 ----------
 
 * http://httpd.apache.org/docs/2.4/
 ----------
 
 * http://httpd.apache.org/docs/2.4/
+* https://manpages.debian.org/buster/inoticoming/inoticoming.1.en.html
+* https://manpages.debian.org/buster/reprepro/reprepro.1.en.html
index 75dd450..f9c82c5 100644 (file)
@@ -9,4 +9,4 @@ cryptography = "*"
 [dev-packages]
 
 [requires]
 [dev-packages]
 
 [requires]
-python_version = "3.6"
+python_version = "3.7"
index da2f4ee..4736511 100644 (file)
@@ -1,11 +1,11 @@
 {
     "_meta": {
         "hash": {
 {
     "_meta": {
         "hash": {
-            "sha256": "688228320144bd6c0942d8b12483fd041545165a9dae2f68cb2b3af03b5220d5"
+            "sha256": "319904517ee99cc03df0ec42fe048a84aeb8344d0653c9bddb32ed1f24760223"
         },
         "pipfile-spec": 6,
         "requires": {
         },
         "pipfile-spec": 6,
         "requires": {
-            "python_version": "3.6"
+            "python_version": "3.7"
         },
         "sources": [
             {
         },
         "sources": [
             {
         },
         "cffi": {
             "hashes": [
         },
         "cffi": {
             "hashes": [
-                "sha256:151b7eefd035c56b2b2e1eb9963c90c6302dc15fbd8c1c0a83a163ff2c7d7743",
-                "sha256:1553d1e99f035ace1c0544050622b7bc963374a00c467edafac50ad7bd276aef",
-                "sha256:1b0493c091a1898f1136e3f4f991a784437fac3673780ff9de3bcf46c80b6b50",
-                "sha256:2ba8a45822b7aee805ab49abfe7eec16b90587f7f26df20c71dd89e45a97076f",
-                "sha256:3bb6bd7266598f318063e584378b8e27c67de998a43362e8fce664c54ee52d30",
-                "sha256:3c85641778460581c42924384f5e68076d724ceac0f267d66c757f7535069c93",
-                "sha256:3eb6434197633b7748cea30bf0ba9f66727cdce45117a712b29a443943733257",
-                "sha256:495c5c2d43bf6cebe0178eb3e88f9c4aa48d8934aa6e3cddb865c058da76756b",
-                "sha256:4c91af6e967c2015729d3e69c2e51d92f9898c330d6a851bf8f121236f3defd3",
-                "sha256:57b2533356cb2d8fac1555815929f7f5f14d68ac77b085d2326b571310f34f6e",
-                "sha256:770f3782b31f50b68627e22f91cb182c48c47c02eb405fd689472aa7b7aa16dc",
-                "sha256:79f9b6f7c46ae1f8ded75f68cf8ad50e5729ed4d590c74840471fc2823457d04",
-                "sha256:7a33145e04d44ce95bcd71e522b478d282ad0eafaf34fe1ec5bbd73e662f22b6",
-                "sha256:857959354ae3a6fa3da6651b966d13b0a8bed6bbc87a0de7b38a549db1d2a359",
-                "sha256:87f37fe5130574ff76c17cab61e7d2538a16f843bb7bca8ebbc4b12de3078596",
-                "sha256:95d5251e4b5ca00061f9d9f3d6fe537247e145a8524ae9fd30a2f8fbce993b5b",
-                "sha256:9d1d3e63a4afdc29bd76ce6aa9d58c771cd1599fbba8cf5057e7860b203710dd",
-                "sha256:a36c5c154f9d42ec176e6e620cb0dd275744aa1d804786a71ac37dc3661a5e95",
-                "sha256:a6a5cb8809091ec9ac03edde9304b3ad82ad4466333432b16d78ef40e0cce0d5",
-                "sha256:ae5e35a2c189d397b91034642cb0eab0e346f776ec2eb44a49a459e6615d6e2e",
-                "sha256:b0f7d4a3df8f06cf49f9f121bead236e328074de6449866515cea4907bbc63d6",
-                "sha256:b75110fb114fa366b29a027d0c9be3709579602ae111ff61674d28c93606acca",
-                "sha256:ba5e697569f84b13640c9e193170e89c13c6244c24400fc57e88724ef610cd31",
-                "sha256:be2a9b390f77fd7676d80bc3cdc4f8edb940d8c198ed2d8c0be1319018c778e1",
-                "sha256:ca1bd81f40adc59011f58159e4aa6445fc585a32bb8ac9badf7a2c1aa23822f2",
-                "sha256:d5d8555d9bfc3f02385c1c37e9f998e2011f0db4f90e250e5bc0c0a85a813085",
-                "sha256:e55e22ac0a30023426564b1059b035973ec82186ddddbac867078435801c7801",
-                "sha256:e90f17980e6ab0f3c2f3730e56d1fe9bcba1891eeea58966e89d352492cc74f4",
-                "sha256:ecbb7b01409e9b782df5ded849c178a0aa7c906cf8c5a67368047daab282b184",
-                "sha256:ed01918d545a38998bfa5902c7c00e0fee90e957ce036a4000a88e3fe2264917",
-                "sha256:edabd457cd23a02965166026fd9bfd196f4324fe6032e866d0f3bd0301cd486f",
-                "sha256:fdf1c1dc5bafc32bc5d08b054f94d659422b05aba244d6be4ddc1c72d9aa70fb"
+                "sha256:041c81822e9f84b1d9c401182e174996f0bae9991f33725d059b771744290774",
+                "sha256:046ef9a22f5d3eed06334d01b1e836977eeef500d9b78e9ef693f9380ad0b83d",
+                "sha256:066bc4c7895c91812eff46f4b1c285220947d4aa46fa0a2651ff85f2afae9c90",
+                "sha256:066c7ff148ae33040c01058662d6752fd73fbc8e64787229ea8498c7d7f4041b",
+                "sha256:2444d0c61f03dcd26dbf7600cf64354376ee579acad77aef459e34efcb438c63",
+                "sha256:300832850b8f7967e278870c5d51e3819b9aad8f0a2c8dbe39ab11f119237f45",
+                "sha256:34c77afe85b6b9e967bd8154e3855e847b70ca42043db6ad17f26899a3df1b25",
+                "sha256:46de5fa00f7ac09f020729148ff632819649b3e05a007d286242c4882f7b1dc3",
+                "sha256:4aa8ee7ba27c472d429b980c51e714a24f47ca296d53f4d7868075b175866f4b",
+                "sha256:4d0004eb4351e35ed950c14c11e734182591465a33e960a4ab5e8d4f04d72647",
+                "sha256:4e3d3f31a1e202b0f5a35ba3bc4eb41e2fc2b11c1eff38b362de710bcffb5016",
+                "sha256:50bec6d35e6b1aaeb17f7c4e2b9374ebf95a8975d57863546fa83e8d31bdb8c4",
+                "sha256:55cad9a6df1e2a1d62063f79d0881a414a906a6962bc160ac968cc03ed3efcfb",
+                "sha256:5662ad4e4e84f1eaa8efce5da695c5d2e229c563f9d5ce5b0113f71321bcf753",
+                "sha256:59b4dc008f98fc6ee2bb4fd7fc786a8d70000d058c2bbe2698275bc53a8d3fa7",
+                "sha256:73e1ffefe05e4ccd7bcea61af76f36077b914f92b76f95ccf00b0c1b9186f3f9",
+                "sha256:a1f0fd46eba2d71ce1589f7e50a9e2ffaeb739fb2c11e8192aa2b45d5f6cc41f",
+                "sha256:a2e85dc204556657661051ff4bab75a84e968669765c8a2cd425918699c3d0e8",
+                "sha256:a5457d47dfff24882a21492e5815f891c0ca35fefae8aa742c6c263dac16ef1f",
+                "sha256:a8dccd61d52a8dae4a825cdbb7735da530179fea472903eb871a5513b5abbfdc",
+                "sha256:ae61af521ed676cf16ae94f30fe202781a38d7178b6b4ab622e4eec8cefaff42",
+                "sha256:b012a5edb48288f77a63dba0840c92d0504aa215612da4541b7b42d849bc83a3",
+                "sha256:d2c5cfa536227f57f97c92ac30c8109688ace8fa4ac086d19d0af47d134e2909",
+                "sha256:d42b5796e20aacc9d15e66befb7a345454eef794fdb0737d1af593447c6c8f45",
+                "sha256:dee54f5d30d775f525894d67b1495625dd9322945e7fee00731952e0368ff42d",
+                "sha256:e070535507bd6aa07124258171be2ee8dfc19119c28ca94c9dfb7efd23564512",
+                "sha256:e1ff2748c84d97b065cc95429814cdba39bcbd77c9c85c89344b317dc0d9cbff",
+                "sha256:ed851c75d1e0e043cbf5ca9a8e1b13c4c90f3fbd863dacb01c0808e2b5204201"
             ],
             ],
-            "version": "==1.11.5"
+            "version": "==1.12.3"
         },
         "cryptography": {
             "hashes": [
         },
         "cryptography": {
             "hashes": [
-                "sha256:02602e1672b62e803e08617ec286041cc453e8d43f093a5f4162095506bc0beb",
-                "sha256:10b48e848e1edb93c1d3b797c83c72b4c387ab0eb4330aaa26da8049a6cbede0",
-                "sha256:17db09db9d7c5de130023657be42689d1a5f60502a14f6f745f6f65a6b8195c0",
-                "sha256:227da3a896df1106b1a69b1e319dce218fa04395e8cc78be7e31ca94c21254bc",
-                "sha256:2cbaa03ac677db6c821dac3f4cdfd1461a32d0615847eedbb0df54bb7802e1f7",
-                "sha256:31db8febfc768e4b4bd826750a70c79c99ea423f4697d1dab764eb9f9f849519",
-                "sha256:4a510d268e55e2e067715d728e4ca6cd26a8e9f1f3d174faf88e6f2cb6b6c395",
-                "sha256:6a88d9004310a198c474d8a822ee96a6dd6c01efe66facdf17cb692512ae5bc0",
-                "sha256:76936ec70a9b72eb8c58314c38c55a0336a2b36de0c7ee8fb874a4547cadbd39",
-                "sha256:7e3b4aecc4040928efa8a7cdaf074e868af32c58ffc9bb77e7bf2c1a16783286",
-                "sha256:8168bcb08403ef144ff1fb880d416f49e2728101d02aaadfe9645883222c0aa5",
-                "sha256:8229ceb79a1792823d87779959184a1bf95768e9248c93ae9f97c7a2f60376a1",
-                "sha256:8a19e9f2fe69f6a44a5c156968d9fc8df56d09798d0c6a34ccc373bb186cee86",
-                "sha256:8d10113ca826a4c29d5b85b2c4e045ffa8bad74fb525ee0eceb1d38d4c70dfd6",
-                "sha256:be495b8ec5a939a7605274b6e59fbc35e76f5ad814ae010eb679529671c9e119",
-                "sha256:dc2d3f3b1548f4d11786616cf0f4415e25b0fbecb8a1d2cd8c07568f13fdde38",
-                "sha256:e4aecdd9d5a3d06c337894c9a6e2961898d3f64fe54ca920a72234a3de0f9cb3",
-                "sha256:e79ab4485b99eacb2166f3212218dd858258f374855e1568f728462b0e6ee0d9",
-                "sha256:f995d3667301e1754c57b04e0bae6f0fa9d710697a9f8d6712e8cca02550910f"
+                "sha256:24b61e5fcb506424d3ec4e18bca995833839bf13c59fc43e530e488f28d46b8c",
+                "sha256:25dd1581a183e9e7a806fe0543f485103232f940fcfc301db65e630512cce643",
+                "sha256:3452bba7c21c69f2df772762be0066c7ed5dc65df494a1d53a58b683a83e1216",
+                "sha256:41a0be220dd1ed9e998f5891948306eb8c812b512dc398e5a01846d855050799",
+                "sha256:5751d8a11b956fbfa314f6553d186b94aa70fdb03d8a4d4f1c82dcacf0cbe28a",
+                "sha256:5f61c7d749048fa6e3322258b4263463bfccefecb0dd731b6561cb617a1d9bb9",
+                "sha256:72e24c521fa2106f19623a3851e9f89ddfdeb9ac63871c7643790f872a305dfc",
+                "sha256:7b97ae6ef5cba2e3bb14256625423413d5ce8d1abb91d4f29b6d1a081da765f8",
+                "sha256:961e886d8a3590fd2c723cf07be14e2a91cf53c25f02435c04d39e90780e3b53",
+                "sha256:96d8473848e984184b6728e2c9d391482008646276c3ff084a1bd89e15ff53a1",
+                "sha256:ae536da50c7ad1e002c3eee101871d93abdc90d9c5f651818450a0d3af718609",
+                "sha256:b0db0cecf396033abb4a93c95d1602f268b3a68bb0a9cc06a7cff587bb9a7292",
+                "sha256:cfee9164954c186b191b91d4193989ca994703b2fff406f71cf454a2d3c7327e",
+                "sha256:e6347742ac8f35ded4a46ff835c60e68c22a536a8ae5c4422966d06946b6d4c6",
+                "sha256:f27d93f0139a3c056172ebb5d4f9056e770fdf0206c2f422ff2ebbad142e09ed",
+                "sha256:f57b76e46a58b63d1c6375017f4564a28f19a5ca912691fd2e4261b3414b618d"
             ],
             "index": "pypi",
             ],
             "index": "pypi",
-            "version": "==2.3.1"
-        },
-        "idna": {
-            "hashes": [
-                "sha256:156a6814fb5ac1fc6850fb002e0852d56c0c8d2531923a51032d1b70760e186e",
-                "sha256:684a38a6f903c1d71d6d5fac066b58d7768af4de2b832e426ec79c30daa94a16"
-            ],
             "version": "==2.7"
         },
         "pycparser": {
             "version": "==2.7"
         },
         "pycparser": {
         },
         "six": {
             "hashes": [
         },
         "six": {
             "hashes": [
-                "sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9",
-                "sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb"
+                "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c",
+                "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"
             ],
             ],
-            "version": "==1.11.0"
+            "version": "==1.12.0"
         }
     },
     "develop": {}
         }
     },
     "develop": {}
index ecc125e..9fa9d7f 100755 (executable)
@@ -5,33 +5,47 @@ import os.path
 import subprocess
 from glob import glob
 
 import subprocess
 from glob import glob
 
-SUPPORTED_SSH_KEY_TYPES = ('RSA', 'DSA', 'ECDSA', 'ED25519')
+SUPPORTED_SSH_KEY_TYPES = ("RSA", "DSA", "ECDSA", "ED25519")
+HASH_ALGORITHMS = ("SHA256", "MD5")
 
 
 
 
-if __name__ == '__main__':
+if __name__ == "__main__":
     parser = argparse.ArgumentParser(
         description=(
     parser = argparse.ArgumentParser(
         description=(
-            'Convert a set of ssh host keys to the syntax expected by the '
-            'sshkeys directive of the CAcert infrastructure documentation'))
-    parser.add_argument(
-        'root', metavar='ROOT', type=str, help='root directory'
+            "Convert a set of ssh host keys to the syntax expected by the "
+            "sshkeys directive of the CAcert infrastructure documentation"
+        )
     )
     )
+    parser.add_argument("root", metavar="ROOT", type=str, help="root directory")
     args = parser.parse_args()
 
     keys = {}
     args = parser.parse_args()
 
     keys = {}
-    for host_key in glob(os.path.join(
-        args.root, 'etc/ssh', 'ssh_host_*key.pub')
-    ):
-        fp = subprocess.check_output(
-            ['ssh-keygen', '-l', '-f', host_key]).strip().split()
-        keys[fp[3][1:-1].decode('ascii')] = fp[1].decode('ascii')
+    for host_key in glob(os.path.join(args.root, "etc/ssh", "ssh_host_*key.pub")):
+        for algorithm in HASH_ALGORITHMS:
+            fp = (
+                subprocess.check_output(
+                    ["ssh-keygen", "-l", "-E", algorithm, "-f", host_key]
+                )
+                .decode("ascii")
+                .strip()
+                .split()
+            )
+            key_type = fp[3][1:-1]
+            keys.setdefault(key_type, {})
+            keys[key_type][algorithm] = fp[1]
 
 
-    max_length = max([len(key) for key in keys.keys()
-                      if key in SUPPORTED_SSH_KEY_TYPES])
+    max_length = max(
+        [len(key) for key in keys.keys() if key in SUPPORTED_SSH_KEY_TYPES]
+    )
 
     print(".. sshkeys::")
 
     print(".. sshkeys::")
-    for typ, key in [
-        (typ, keys[typ]) for typ in SUPPORTED_SSH_KEY_TYPES
-        if typ in keys
+    for typ, key_dict in [
+        (typ, keys[typ]) for typ in SUPPORTED_SSH_KEY_TYPES if typ in keys
     ]:
     ]:
-        print("   :{}:{} {}".format(typ, ' ' * (max_length - len(typ)), key))
+        print(
+            "   :{}:{} {}".format(
+                typ,
+                " " * (max_length - len(typ)),
+                " ".join([key_dict[algorithm] for algorithm in HASH_ALGORITHMS]),
+            )
+        )