CAcert infrastructure documentation
This documentation aims to describe the current status of CAcert’s technical infrastructure.
Todo
Update the LXC setup documentation. lxc-setup might not work with LXC 3.0 that is used on Infra02 since 2019-07-13.
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/lxcsetup.rst, line 5.)
Todo
consider whether a central MySQL service should be used
Many containers contain their own instance of MySQL. It might be a better idea to centralize the MySQL setups in a single container.
A shareable MariaDB instance is available on MariaDB.
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 51.)
Todo
consider whether a central PostgreSQL service should be used
A shareable PostgreSQL instance is available on PostgreSQL.
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 58.)
Todo
set up a central syslog service and install syslog clients in each container
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 62.)
Todo
document how to set up the system-admin alias on the email system
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 123.)
Todo
set up public DNS for authserver
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/authserver.rst, line 86.)
Todo
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 272.)
Todo
move configuration of blog to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 282.)
Todo
add a section documenting wordpress and plugin updates
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 350.)
Todo
add a section documenting wordpress user management
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 351.)
Todo
manage the blog system using Puppet
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 359.)
Todo
set up CRL checks (can be borrowed from svn for client certificates)
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 361.)
Todo
move all configuration of bugs to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/bugs.rst, line 262.)
Todo
add a section documenting how to manage mantis projects
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/bugs.rst, line 343.)
Todo
add a section documenting how to manage mantis users
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/bugs.rst, line 344.)
Todo
Switch ingest traffic for webmail to proxyin and drop http redirector configuration from Apache httpd
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/bugs.rst, line 352.)
Todo
disable subversion access
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 192.)
Todo
set up ED25519 host key (needs update to Jessie)
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 202.)
Todo
add a Vagrantfile to allow easy CATS testing setups
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 225.)
Todo
move certificates to /etc/ssl/public and keys to /etc/ssl/private
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 264.)
Todo
move CATS configuration to /etc/
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 285.)
Todo
refactor CATS to not store configuration in the PHP session
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 286.)
Todo
either fix fetching from the test system or remove this functionality
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 306.)
Todo
use /etc/cron.d instead of a user-specific crontab
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 307.)
Todo
put the scripts in /home/cats/tools/ into git
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 308.)
Todo
document how to update the CATS software
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 353.)
Todo
switch to Puppet management
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 361.)
Todo
replace nrpe with icinga2 agent
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 362.)
Todo
update to Debian 8/9/10
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 363.)
Todo
set up IPv6
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 364.)
Todo
set up CRL checks
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 365.)
Todo
Switch ingest traffic for webmail to proxyin and drop http redirector configuration from Apache httpd
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/community.rst, line 343.)
Todo
set up DKIM properly, see #696 for an older discussion
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 105.)
Todo
consider sending all outgoing mail via emailout
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 430.)
Todo
move mail storage to a separate data volume to allow easier backup and OS upgrades
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 437.)
Todo
implement CRL checking
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 495.)
Todo
enable OpenDKIM in Postfix configuration when the DNS record is in place and email is ready for DKIM too or is configured to send mail via emailout.
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/emailout.rst, line 288.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 31.)
Todo
disable insecure git-daemon port and http for git, replace these with https for read access and git+ssh for write access
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 139.)
Todo
think about regulating git access with a proper git repository manager like gitolite or gitea
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 228.)
Todo
enable IPv6
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 320.)
Todo
implement client registration in IDP
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/idp.rst, line 19.)
Todo
install client registration application
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/idp.rst, line 260.)
Todo
switch monitoring to Icinga 2
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 286.)
Todo
document how to set up a new container
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 368.)
Todo
document how to set up firewall rules/forwarding
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 369.)
Todo
document how the backup system works
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 370.)
Todo
add DNS setup for IPv6 address
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 399.)
Todo
switch to Puppet management
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 400.)
Todo
replace nrpe with icinga2 agent
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 401.)
Todo
replace ferm with nftables setup
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 402.)
Todo
add Icinga 2 system monitoring
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra03.rst, line 185.)
Todo
use proxyout for outgoing http/https traffic
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra03.rst, line 201.)
Todo
describe how to add a new container, set up nftables rules, routing, proxying, outgoing mail and monitoring
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra03.rst, line 229.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/ircserver.rst, line 30.)
Todo
implement some update monitoring for Kiwi IRC
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/ircserver.rst, line 290.)
Todo
move configuration of ircserver to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/ircserver.rst, line 303.)
Todo
find an administrator for this system
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/issue.rst, line 33.)
Todo
upgrade to Debian Buster
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/issue.rst, line 115.)
Todo
set up ED25519 host key
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/issue.rst, line 220.)
Todo
move configuration of jenkins to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/jenkins.rst, line 227.)
Todo
find a primary administrator for this system
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/lists.rst, line 30.)
Todo
move configuration of lists to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/lists.rst, line 254.)
Todo
manage mariadb configuration in Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/mariadb.rst, line 179.)
Todo
describe more in-depth how to build the Debian package
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/motion.rst, line 231.)
Todo
implement OpenID Connect authentication when the CAcert OIDC IDP has been set up
It is planned to add OpenID Connect
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/nextcloud.rst, line 250.)
Todo
manage PostgreSQL server configuration in Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/pgsql.rst, line 189.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/proxyout.rst, line 30.)
Todo
set up DNS records (in infra.cacert.org zone)
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/proxyout.rst, line 87.)
Todo
Change all infrastructure hosts to use this machine as APT proxy to avoid flaky firewall configurations on infra02.
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/proxyout.rst, line 238.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/puppet.rst, line 30.)
Todo
add a section to describe how to add a system for puppet management
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/puppet.rst, line 301.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/svn.rst, line 42.)
Todo
move configuration of svn to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/svn.rst, line 238.)
Todo
add AAAA record for IPv6 address
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 97.)
Todo
generate ED25519 key for test
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 237.)
Todo
remove DSA host key
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 239.)
Todo
clarify why the signer software on test is currently running as the root user
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 252.)
Todo
integrate or revert the changes to server.pl on test, use the current release branch version from CAcert Git repository cacert-devel
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 285.)
Todo
check whether the openssl configuration files on test are equal to those in http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 398.)
Todo
Upgrade test to Debian Stretch/Buster/Bullseye when the software is ready.
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 442.)
Todo
set up monitoring for test2
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 77.)
Todo
add AAAA record for IPv6 address
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 99.)
Todo
add SSHFP records for ECDSA and ED25519 host keys
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 101.)
Todo
remove SSHFP records for DSA host key
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 103.)
Todo
generate ECDSA and ED25519 host keys
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 237.)
Todo
remove DSA host key
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 239.)
Todo
clarify why the signer software on test2 is currently running as the root user
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 252.)
Todo
clarify the process by which changes get into the WebDB and Signer directories and clarify differences to Git and test
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 273.)
Todo
clarify whether old it-sls.de certificates can be decommissioned
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 342.)
Todo
check whether the openssl configuration files on test2 are equal to those in http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 370.)
Todo
reconfigure postfix on test2 to use the correct hostnames
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 391.)
Todo
check dovecot configuration on test2, compare with test and/or production webdb system
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 400.)
Todo
ensure that test2 is really similar to webdb, implement a proper deployment process to support real staging
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test2.rst, line 414.)
Todo
add intra.cacert.org. A record
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 129.)
Todo
clarify why the signer software on test3 is currently running as the root user
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 384.)
Todo
implement monitoring and renewal processes for the server certificates
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 428.)
Todo
implement git workflows for updates maybe using Jenkins
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 480.)
Todo
set up monitoring for testmgr
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/testmgr.rst, line 222.)
Todo
make testmgr available on default ports via proxyin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/testmgr.rst, line 224.)
Todo
set up proper DNS entries for testmgr
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/testmgr.rst, line 226.)
Todo
upgrade testmgr to a supported OS version (depends on upgraded CATS and testmgr software)
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/testmgr.rst, line 228.)
Todo
use Puppet to manage testmgr
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/testmgr.rst, line 233.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 31.)
Todo
consider building the virtualenv on jenkins to avoid development tools on this system
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 263.)
Todo
move configuration of translations to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 344.)
Todo
integrate the pootle projects with version control systems. The templates (.pot files) in /var/www/pootle/po can be updated and loaded into Pootle by invoking:
pootle update_stores --project=<project_id> --language=templates
(see the Pootle documentation)
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 407.)
Todo
update and improve the scripts in /usr/local/bin and integrate them with the sudo system to allow members of the pootle-update group to run them in the context of the pootle system user
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 417.)
Todo
add SSHFP for ED25519 key, remove SSHFP for DSA key, add AAAA record for IPv6
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/web.rst, line 106.)
Todo
find an additional admin
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webstatic.rst, line 39.)
Todo
manage the jenkins-infradocs user via Puppet
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webstatic.rst, line 213.)
Todo
document wiki admins
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/wiki.rst, line 31.)
Todo
properly document the Wiki setup or replace it with a packaged version
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/wiki.rst, line 201.)
Todo
upgrade to MoinMoin 2.x when it is available
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/wiki.rst, line 209.)
Todo
move configuration of wiki to Puppet code
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/wiki.rst, line 217.)
Todo
more comprehensive Apache configuration documentation for wiki
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/wiki.rst, line 246.)
Todo
manage the blog system using Puppet
(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/wiki.rst, line 251.)