CAcert infrastructure documentation

This documentation aims to describe the current status of CAcert’s technical infrastructure.

Todo

consider whether a central MySQL service should be set up

Many containers contain their own instance of MySQL. It might be a better idea to centralize the MySQL setups in a single container.

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 41.)

Todo

consider whether a central PostgreSQL service should be set up

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 46.)

Todo

set up a central syslog service and install syslog clients in each container

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 48.)

Todo

think about replacing nrpe with Icinga2 satellites

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 90.)

Todo

document how to set up the system-admin alias on the email system

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems.rst, line 114.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 32.)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 262.)

Todo

set up IPv6

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 338.)

Todo

set up CRL checks (can be borrowed from Svn) for client certificates

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 340.)

Todo

system should be upgraded to Debian 9

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/blog.rst, line 349.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 28.)

Todo

set up ED25519 host key (needs update to Jessie)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 204.)

Todo

update to Odoo (OpenERP successor)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 214.)

Todo

check whether the form display issue has been fixed upstream

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 264.)

Todo

disable unneeded Apache modules

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 347.)

Todo

set up IPv6

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 349.)

Todo

consider using a centralized PostgreSQL instance

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 351.)

Todo

system should be updated to Debian 8/9

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/board.rst, line 359.)

Todo

move configuration of Bugs to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/bugs.rst, line 257.)

Todo

disable subversion access

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 193.)

Todo

set up ED25519 host key (needs update to Jessie)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 203.)

Todo

add a Vagrantfile to allow easy CATS testing setups

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 227.)

Todo

move certificates to /etc/ssl/public and keys to /etc/ssl/private

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 266.)

Todo

move CATS configuration to /etc/

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 287.)

Todo

refactor CATS to not store configuration in the PHP session

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 288.)

Todo

either fix fetching from the test system or remove this functionality

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 308.)

Todo

use /etc/cron.d instead of user specific crontab

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 309.)

Todo

put the scripts in /home/cats/tools/ into git

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 310.)

Todo

update to Debian Jessie

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 358.)

Todo

set up IPv6

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 359.)

Todo

set up CRL checks

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 360.)

Todo

system should be updated to Debian 8/9

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/cats.rst, line 368.)

Todo

set up DKIM properly, see #696 for an older discussion

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 74.)

Todo

set up SPF records when the system is ready, see #492 for an older discussion

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 76.)

Todo

check whether the empty postfixpolicyd database is required

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 213.)

Todo

consider moving the databases to a new central MySQL service

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 215.)

Todo

use pysieved, python-tlslite and dovecot-sieve from distribution packages after OS upgrade

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 259.)

Todo

check whether it makes sense to use a separate certificate for that purpose

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 302.)

Todo

consider sending all outgoing mail via Emailout

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 426.)

Todo

remove unused transports from master.cf

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 428.)

Todo

set up remote logging when a central logging container is available

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 453.)

Todo

move mail storage to a separate data volume to allow easier backup and OS upgrades

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 470.)

Todo

implement tooling to automate password salt generation and user creation

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 509.)

Todo

implement CRL checking

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 536.)

Todo

set up IPv6

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 538.)

Todo

throttle brute force attack attempts using fail2ban or similar mechanism

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 540.)

Todo

consider using LDAP to consolidate user, password and email information

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 543.)

Todo

The system has to be replaced with a new system using a current operating system version

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/email.rst, line 555.)

Todo

set up a proper certificate for incoming STARTTLS

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/emailout.rst, line 192.)

Todo

enable OpenDKIM in Postfix configuration when the DNS record is in place and Email is ready for DKIM too or is configured to send mail via emailout.

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/emailout.rst, line 259.)

Todo

set up IPv6

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/emailout.rst, line 312.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 31.)

Todo

disable insecure git-daemon port and http for git, replace these with https for read access and git+ssh for write access

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 137.)

Todo

think about regulating git access by a proper git repository manager like gitolite or gitea

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 226.)

Todo

enable IPv6

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/git.rst, line 332.)

Todo

find out why the system logs are messed up

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 239.)

Todo

upgrade to Debian Stretch

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 240.)

Todo

document whether it is safe to reboot this system

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 241.)

Todo

document how to set up a new container

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 242.)

Todo

document how to set up firewall rules/forwarding

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 243.)

Todo

document how the backup system works

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 244.)

Todo

add DNS setup for IPv6 address

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 245.)

Todo

switch to Puppet management

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/infra02.rst, line 246.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/ircserver.rst, line 30.)

Todo

set up init script for kiwiirc

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/ircserver.rst, line 284.)

Todo

implement some update monitoring for Kiwi IRC

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/ircserver.rst, line 296.)

Todo

move configuration of Ircserver to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/ircserver.rst, line 309.)

Todo

upgrade to Debian Jessie

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/issue.rst, line 105.)

Todo

set up ED25519 host key

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/issue.rst, line 215.)

Todo

move configuration of Jenkins to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/jenkins.rst, line 225.)

Todo

set up ED25519 host key (needs update to Jessie)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/lists.rst, line 225.)

Todo

upgrade the lists system OS to Debian 9 (Stretch)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/lists.rst, line 381.)

Todo

manage the lists system using Puppet

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/lists.rst, line 383.)

Todo

add IPv6 ranges when they are monitored

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/monitor.rst, line 225.)

Todo

move configuration of Monitor to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/monitor.rst, line 266.)

Todo

switch to Icinga2 and Icingaweb2

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/monitor.rst, line 317.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/proxyout.rst, line 30.)

Todo

set up DNS records (in infra.cacert.org zone)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/proxyout.rst, line 79.)

Todo

Change all infrastructure hosts to use this machine as APT proxy to avoid flaky firewall configurations on Infra02.

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/proxyout.rst, line 223.)

Todo

Add more APT repositories and ACLs if needed

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/proxyout.rst, line 226.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/puppet.rst, line 30.)

Todo

set up DNS records (in infra.cacert.org zone)

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/puppet.rst, line 81.)

Todo

improve Webhook to run r10k after git pull

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/puppet.rst, line 302.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/svn.rst, line 42.)

Todo

add AAAA record for IPv6 address

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/svn.rst, line 102.)

Todo

move configuration of Svn to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/svn.rst, line 232.)

Todo

add AAAA record for IPv6 address

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 89.)

Todo

add the SHA-256 fingerprints of the SSH host keys

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 229.)

Todo

add ED25519 key for test

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 236.)

Todo

clarify why the signer software on test is currently running as the root user

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 253.)

Todo

integrate or revert the changes to server.pl on test, use the current release branch version from CAcert Git repository cacert-devel

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 286.)

Todo

check whether the openssl configuration files on test are equal to those in http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 399.)

Todo

Upgrade test to Debian Stretch when the software is ready.

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test.rst, line 440.)

Todo

add AAAA record for IPv6 address

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 109.)

Todo

add intra.cacert.org. A record

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 110.)

Todo

clarify why the signer software on test3 is currently running as the root user

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 365.)

Todo

implement git workflows for updates maybe using Jenkins

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/test3.rst, line 455.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 31.)

Todo

consider building the virtualenv on Jenkins to avoid development tools on this system

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 259.)

Todo

move configuration of Translations to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 340.)

Todo

integrate the pootle projects with version control systems. The templates (.pot files) in /var/www/pootle/po can be updated and loaded into Pootle by invoking:

pootle update_stores --project=<project_id> --language=templates

see the Pootle documentation

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 400.)

Todo

update and improve the scripts in /usr/local/bin and integrate them with the sudo system to allow members of the pootle-update group to run them in the context of the pootle system user

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/translations.rst, line 410.)

Todo

move configuration of Web to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/web.rst, line 216.)

Todo

manage the web system using Puppet

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/web.rst, line 316.)

Todo

move board voting system to a separate container

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 18.)

Todo

move staff list to a separate container or integrate it into some new self service system

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 20.)

Todo

find admins for webmail

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 54.)

Todo

Research whether Roundcube has been patched or not

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 223.)

Todo

Put the staff list script in a git repository

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 299.)

Todo

Put the password reset script in a git repository

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 309.)

Todo

Put the current version of the board voting system in a git repository

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 325.)

Todo

implement CRL checking

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 335.)

Todo

The system has to be replaced with a new system using a current operating system version

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webmail.rst, line 343.)

Todo

find an additional admin

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webstatic.rst, line 36.)

Todo

move configuration of Webstatic to Puppet code

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webstatic.rst, line 241.)

Todo

move the TLS configuration for the served VirtualHosts to Webstatic

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webstatic.rst, line 248.)

Todo

manage the webstatic system using Puppet

(The original entry is located in /var/lib/jenkins/workspace/cacert-infradocs/docs/systems/webstatic.rst, line 280.)