CAcert infrastructure documentation¶
This documentation aims to describe the current status of CAcert’s technical infrastructure.
Table of Contents¶
Indices and tables¶
Todo
Update the LXC setup documentation. lxc-setup might not work with LXC 3.0 that is used on Infra02 since 2019-07-13.
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/lxcsetup.rst, line 5.)
Todo
consider whether a central MySQL service should be setup
Many containers contain their own instance of MySQL. It might be a better idea to centralize the MySQL setups in a single container.
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 49.)
Todo
consider whether a central PostgreSQL service should be setup
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 54.)
Todo
setup a central syslog service and install syslog clients in each container
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 56.)
Todo
document how to setup the system-admin alias on the email system
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 117.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 32.)
Todo
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 275.)
Todo
move configuration of blog to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 285.)
Todo
add a section documenting wordpress and plugin updates
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 353.)
Todo
add a section documenting wordpress user management
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 354.)
Todo
manage the blog system using Puppet
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 362.)
Todo
setup CRL checks (can be borrowed from svn for client certificates
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 364.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 28.)
Todo
setup ED25519 host key (needs update to Jessie)
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 207.)
Todo
update to Odoo (OpenERP successor)
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 217.)
Todo
check whether the form display issue has been fixed upstream
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 267.)
Todo
add a section documenting how to add/remove openerp users
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 347.)
Todo
switch to Puppet management
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 355.)
Todo
replace nrpe with icinga2 agent
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 356.)
Todo
disable unneeded Apache modules
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 357.)
Todo
setup IPv6
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 358.)
Todo
update to Debian 8/9/10
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 359.)
Todo
move all configuration of bugs to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/bugs.rst, line 263.)
Todo
add a section documenting how to manage mantis projects
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/bugs.rst, line 344.)
Todo
add a section documenting how to manage mantis users
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/bugs.rst, line 345.)
Todo
Switch ingest traffic for webmail to proxyin and drop http redirector configuration from Apache httpd
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/bugs.rst, line 353.)
Todo
disable subversion access
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 193.)
Todo
setup ED25519 host key (needs update to Jessie)
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 203.)
Todo
add a Vagrantfile to allow easy CATS testing setups
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 226.)
Todo
move certificates to /etc/ssl/public and keys to
/etc/ssl/private
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 265.)
Todo
move CATS configuration to /etc/
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 286.)
Todo
refactor CATS to not store configuration in the PHP session
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 287.)
Todo
either fix fetching from the test system or remove this functionality
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 307.)
Todo
use /etc/cron.d instead of user specific crontab
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 308.)
Todo
put the scripts in /home/cats/tools/ into git
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 309.)
Todo
document how to update the CATS software
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 354.)
Todo
switch to Puppet management
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 362.)
Todo
replace nrpe with icinga2 agent
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 363.)
Todo
update to Debian 8/9/10
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 364.)
Todo
setup IPv6
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 365.)
Todo
setup CRL checks
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 366.)
Todo
add DNS records for code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/code.rst, line 82.)
Todo
manage Gitea and configuration in Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/code.rst, line 182.)
Todo
Switch ingest traffic for webmail to proxyin and drop http redirector configuration from Apache httpd
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/community.rst, line 344.)
Todo
setup DKIM properly, see #696 for an older discussion
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 105.)
Todo
setup SPF records when the system is ready, see #492 for an older discussion
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 107.)
Todo
consider to send all outgoing mail via emailout
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 430.)
Todo
move mail storage to a separate data volume to allow easier backup and OS upgrades
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 437.)
Todo
implement CRL checking
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 495.)
Todo
throttle brute force attack attempts using fail2ban or similar mechanism
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 497.)
Todo
enable OpenDKIM in Postfix configuration when the DNS record is in place and email is ready for DKIM too or is configured to send mail via emailout.
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/emailout.rst, line 288.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 31.)
Todo
disable insecure git-daemon port and http for git, replace these with https for read access and git+ssh for write access
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 140.)
Todo
think about regulating git access by a proper git repository manager like gitolite or gitea
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 229.)
Todo
enable IPv6
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 321.)
Todo
switch monitoring to Icinga 2
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 279.)
Todo
document how to setup a new container
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 362.)
Todo
document how to setup firewall rules/forwarding
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 363.)
Todo
document how the backup system works
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 364.)
Todo
add DNS setup for IPv6 address
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 393.)
Todo
switch to Puppet management
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 394.)
Todo
replace nrpe with icinga2 agent
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 395.)
Todo
replace ferm with nftables setup
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 396.)
Todo
add Icinga 2 system monitoring
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra03.rst, line 180.)
Todo
use proxyout for outgoing http/https traffic
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra03.rst, line 196.)
Todo
describe how to add a new container, setup nftables rules, routing, proxying, outgoing mail and monitoring
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra03.rst, line 228.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/ircserver.rst, line 30.)
Todo
implement some update monitoring for Kiwi IRC
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/ircserver.rst, line 286.)
Todo
move configuration of ircserver to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/ircserver.rst, line 299.)
Todo
upgrade to Debian Buster
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/issue.rst, line 113.)
Todo
setup ED25519 host key
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/issue.rst, line 218.)
Todo
move configuration of jenkins to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/jenkins.rst, line 227.)
Todo
setup ED25519 host key (needs update to Jessie)
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/lists.rst, line 224.)
Todo
upgrade the lists system OS to Debian 9 (Stretch)
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/lists.rst, line 383.)
Todo
manage the lists system using Puppet
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/lists.rst, line 384.)
Todo
manage mariadb configuration in Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/mariadb.rst, line 187.)
Todo
move more configuration of monitor to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/monitor.rst, line 277.)
Todo
describe more in-depth how to build the Debian package
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/motion.rst, line 231.)
Todo
implement user administration inside the application
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/motion.rst, line 328.)
Todo
implement OpenID Connect authentication when the CAcert OIDC IDP has been setupIt is planned to add OpenID Connect
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/nextcloud.rst, line 245.)
Todo
add DNS records for pgsql
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/pgsql.rst, line 77.)
Todo
manage PostgreSQL server configuration in Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/pgsql.rst, line 184.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/proxyout.rst, line 30.)
Todo
setup DNS records (in infra.cacert.org zone)
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/proxyout.rst, line 87.)
Todo
Change all infrastructure hosts to use this machine as APT proxy to avoid flaky firewall configurations on infra02.
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/proxyout.rst, line 239.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/puppet.rst, line 30.)
Todo
add a section to describe how to add a system for puppet management
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/puppet.rst, line 301.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/svn.rst, line 42.)
Todo
move configuration of svn to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/svn.rst, line 239.)
Todo
add AAAA record for IPv6 address
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 97.)
Todo
generate ED25519 key for test
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 237.)
Todo
remove DSA host key
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 239.)
Todo
clarify why the signer software on test is currently running as the root user
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 252.)
Todo
integrate or revert the changes to server.pl on test, use the current release branch version from CAcert Git repository cacert-devel
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 285.)
Todo
check whether the openssl configuration files on test are equal to those in http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 398.)
Todo
Upgrade test to Debian Stretch/Buster/Bullseye when the software is ready.
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 442.)
Todo
setup monitoring for test2
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 77.)
Todo
add AAAA record for IPv6 address
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 99.)
Todo
add SSHFP records for ECDSA and ED25519 host keys
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 101.)
Todo
remove SSHFP records for DSA host key
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 103.)
Todo
generate ECDSA and ED25519 host keys
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 237.)
Todo
remove DSA host key
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 239.)
Todo
clarify why the signer software on test2 is currently running as the root user
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 252.)
Todo
clarify the process how changes get into the WebDB and Signer directories and clarify differences to Git and test
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 273.)
Todo
clarify whether old it-sls.de certificates can be decommissioned
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 342.)
Todo
check whether the openssl configuration files on test2 are equal to those in http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 370.)
Todo
reconfigure postfix on test2 to use the correct hostnames
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 391.)
Todo
check dovecot configuration on test2, compare with test and/or production webdb system
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 400.)
Todo
ensure that test2 is really similar to webdb, implement a proper deployment process to support real staging
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 414.)
Todo
add AAAA record for IPv6 address
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 117.)
Todo
add intra.cacert.org. A record
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 118.)
Todo
clarify why the signer software on test3 is currently running as the root user
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 373.)
Todo
implement git workflows for updates maybe using jenkins
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 466.)
Todo
setup monitoring for testmgr
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/testmgr.rst, line 223.)
Todo
make testmgr available on default ports via proxyin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/testmgr.rst, line 225.)
Todo
setup proper DNS entries for testmgr
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/testmgr.rst, line 227.)
Todo
upgrade testmgr to a supported OS version (depends on upgraded CATS and testmgr software)
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/testmgr.rst, line 229.)
Todo
use Puppet to manage testmgr
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/testmgr.rst, line 234.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 31.)
Todo
consider building the virtualenv on jenkins to avoid development tools on this system
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 262.)
Todo
move configuration of translations to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 343.)
Todo
integrate the pootle projects with version control systems. The templates
(.pot files) in /var/www/pootle/po can be updated and loaded into
Pootle by invoking:
pootle update_stores --project=<project_id> --language=templates
see the Pootle documentation
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 406.)
Todo
update and improve the scripts in /usr/local/bin and integrate
them with the sudo system to allow members of the pootle-update
group to run them in the context of the pootle system user
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 416.)
Todo
add SSHFP for ED25519 key, remove SSHFP for DSA key, add AAAA record for IPv6
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/web.rst, line 106.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webstatic.rst, line 39.)
Todo
manage jenkins-infradocs user via Puppet
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webstatic.rst, line 213.)
Todo
document wiki admins
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/wiki.rst, line 31.)
Todo
properly document the Wiki setup or replace it with a packaged version
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/wiki.rst, line 201.)
Todo
upgrade to MoinMoin 2.x when it is available
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/wiki.rst, line 209.)
Todo
move configuration of wiki to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/wiki.rst, line 217.)
Todo
more comprehensive Apache configuration documentation for wiki
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/wiki.rst, line 246.)
Todo
manage the blog system using Puppet
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/wiki.rst, line 251.)
