CAcert infrastructure documentation

This documentation aims to describe the current status of CAcert’s technical infrastructure.

Todo

Update the LXC setup documentation. lxc-setup might not work with LXC 3.0, which has been in use on Infra02 since 2019-07-13.

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/lxcsetup.rst, line 5.)

Todo

consider whether a central MySQL service should be set up

Many containers contain their own instance of MySQL. It might be a better idea to centralize the MySQL setups in a single container.

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 44.)

Todo

consider whether a central PostgreSQL service should be set up

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 49.)

Todo

set up a central syslog service and install syslog clients in each container

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 51.)

Todo

document how to set up the system-admin alias on the email system

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 112.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 32.)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 268.)

Todo

add a section documenting WordPress and plugin updates

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 341.)

Todo

add a section documenting WordPress user management

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 342.)

Todo

switch to Puppet management

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 350.)

Todo

replace nrpe with icinga2 agent

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 351.)

Todo

update WordPress to 5.x

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 352.)

Todo

update to Debian 9/10

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 353.)

Todo

set up IPv6

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 354.)

Todo

set up CRL checks (can be borrowed from Svn) for client certificates

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 356.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 28.)

Todo

set up ED25519 host key (needs update to Jessie)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 207.)

Todo

update to Odoo (OpenERP successor)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 217.)

Todo

check whether the form display issue has been fixed upstream

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 267.)

Todo

add a section documenting how to add/remove OpenERP users

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 347.)

Todo

switch to Puppet management

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 355.)

Todo

replace nrpe with icinga2 agent

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 356.)

Todo

disable unneeded Apache modules

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 357.)

Todo

set up IPv6

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 358.)

Todo

update to Debian 8/9/10

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 359.)

Todo

move configuration of Bugs to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/bugs.rst, line 262.)

Todo

add a section documenting how to manage Mantis projects

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/bugs.rst, line 355.)

Todo

add a section documenting how to manage Mantis users

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/bugs.rst, line 356.)

Todo

upgrade to Debian 10 (when Puppet is available)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/bugs.rst, line 364.)

Todo

disable subversion access

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 193.)

Todo

set up ED25519 host key (needs update to Jessie)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 203.)

Todo

add a Vagrantfile to allow easy CATS testing setups

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 227.)

Todo

move certificates to /etc/ssl/public and keys to /etc/ssl/private

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 266.)

Todo

move CATS configuration to /etc/

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 287.)

Todo

refactor CATS to not store configuration in the PHP session

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 288.)

Todo

either fix fetching from the test system or remove this functionality

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 308.)

Todo

use /etc/cron.d instead of user specific crontab

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 309.)

Todo

put the scripts in /home/cats/tools/ into git

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 310.)

Todo

document how to update the CATS software

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 355.)

Todo

switch to Puppet management

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 363.)

Todo

replace nrpe with icinga2 agent

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 364.)

Todo

update to Debian 8/9/10

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 365.)

Todo

set up IPv6

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 366.)

Todo

set up CRL checks

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 367.)

Todo

set up DKIM properly, see #696 for an older discussion

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 97.)

Todo

set up SPF records when the system is ready, see #492 for an older discussion

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 99.)

Todo

consider sending all outgoing mail via Emailout

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 352.)

Todo

move mail storage to a separate data volume to allow easier backup and OS upgrades

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 359.)

Todo

implement tooling to automate password salt generation and user creation

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 398.)

Todo

update to Debian 10 (when Puppet is available)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 434.)

Todo

implement CRL checking

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 436.)

Todo

throttle brute force attack attempts using fail2ban or similar mechanism

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 438.)

Todo

consider using LDAP to consolidate user, password and email information

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 441.)

Todo

set up a proper certificate for incoming STARTTLS

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/emailout.rst, line 215.)

Todo

enable OpenDKIM in Postfix configuration when the DNS record is in place and Email is ready for DKIM too or is configured to send mail via emailout.

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/emailout.rst, line 282.)

Todo

upgrade to Debian 10 (when Puppet is available)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/emailout.rst, line 338.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 31.)

Todo

disable insecure git-daemon port and http for git, replace these with https for read access and git+ssh for write access

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 140.)

Todo

think about regulating git access by a proper git repository manager like gitolite or gitea

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 229.)

Todo

enable IPv6

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 338.)

Todo

document how to set up a new container

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 365.)

Todo

document how to set up firewall rules/forwarding

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 366.)

Todo

document how the backup system works

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 367.)

Todo

add DNS setup for IPv6 address

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 396.)

Todo

switch to Puppet management

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 397.)

Todo

replace nrpe with icinga2 agent

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 398.)

Todo

replace ferm with nftables setup

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 399.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/ircserver.rst, line 30.)

Todo

set up init script for kiwiirc

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/ircserver.rst, line 287.)

Todo

implement some update monitoring for Kiwi IRC

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/ircserver.rst, line 299.)

Todo

move configuration of Ircserver to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/ircserver.rst, line 312.)

Todo

upgrade to Debian Jessie

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/issue.rst, line 113.)

Todo

set up ED25519 host key

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/issue.rst, line 218.)

Todo

move configuration of Jenkins to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/jenkins.rst, line 227.)

Todo

set up ED25519 host key (needs update to Jessie)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/lists.rst, line 225.)

Todo

upgrade the lists system OS to Debian 9 (Stretch)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/lists.rst, line 384.)

Todo

manage the lists system using Puppet

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/lists.rst, line 385.)

Todo

add IPv6 ranges when they are monitored

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/monitor.rst, line 233.)

Todo

move configuration of Monitor to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/monitor.rst, line 274.)

Todo

describe more in-depth how to build the Debian package

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/motion.rst, line 231.)

Todo

implement user administration inside the application

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/motion.rst, line 328.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/proxyout.rst, line 30.)

Todo

set up DNS records (in infra.cacert.org zone)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/proxyout.rst, line 87.)

Todo

Change all infrastructure hosts to use this machine as APT proxy to avoid flaky firewall configurations on Infra02.

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/proxyout.rst, line 245.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/puppet.rst, line 30.)

Todo

set up DNS records (in infra.cacert.org zone)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/puppet.rst, line 89.)

Todo

add a section to describe how to add a system for puppet management

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/puppet.rst, line 294.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/svn.rst, line 42.)

Todo

add AAAA record for IPv6 address

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/svn.rst, line 110.)

Todo

move configuration of Svn to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/svn.rst, line 240.)

Todo

add AAAA record for IPv6 address

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 97.)

Todo

add the SHA-256 fingerprints of the SSH host keys

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 232.)

Todo

add ED25519 key for test

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 239.)

Todo

clarify why the signer software on test is currently running as the root user

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 256.)

Todo

integrate or revert the changes to server.pl on test, use the current release branch version from CAcert Git repository cacert-devel

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 289.)

Todo

check whether the openssl configuration files on test are equal to those in http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 402.)

Todo

Upgrade test to Debian Stretch when the software is ready.

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 446.)

Todo

add AAAA record for IPv6 address

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 117.)

Todo

add intra.cacert.org. A record

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 118.)

Todo

clarify why the signer software on test3 is currently running as the root user

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 373.)

Todo

implement git workflows for updates maybe using Jenkins

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 466.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 31.)

Todo

consider building the virtualenv on Jenkins to avoid development tools on this system

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 262.)

Todo

move configuration of Translations to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 343.)

Todo

integrate the Pootle projects with version control systems. The templates (.pot files) in /var/www/pootle/po can be updated and loaded into Pootle by invoking:

pootle update_stores --project=<project_id> --language=templates

see the Pootle documentation

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 406.)

Todo

update and improve the scripts in /usr/local/bin and integrate them with the sudo system to allow members of the pootle-update group to run them in the context of the pootle system user

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 416.)

Todo

move configuration of Web to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/web.rst, line 219.)

Todo

manage the web system using Puppet

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/web.rst, line 322.)

Todo

move board voting system to a separate container

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 18.)

Todo

move staff list to a separate container or integrate it into some new self service system

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 20.)

Todo

find admins for webmail

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 54.)

Todo

Research whether Roundcube has been patched or not

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 223.)

Todo

Put the staff list script in a git repository

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 299.)

Todo

Put the password reset script in a git repository

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 309.)

Todo

Put the current version of the board voting system in a git repository

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 325.)

Todo

implement CRL checking

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 338.)

Todo

The system has to be replaced with a new system using a current operating system version

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 343.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webstatic.rst, line 39.)

Todo

manage jenkins-infradocs user via Puppet

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webstatic.rst, line 221.)

Todo

update to Debian 10 (when Puppet is available)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webstatic.rst, line 282.)