fill up remaining sections of the template

7646eddc · anarcat · 77c5c9e9 · 7646eddc
Verified Commit 7646eddc authored 4 years ago by anarcat
--- a/tsa/howto/tls.mdwn
+++ b/tsa/howto/tls.mdwn
@@ -130,16 +130,32 @@ Then run Puppet on all affected hosts, for example the static mirrors:

 ## Disaster recovery

+No disaster recovery plan yet (TODO).
+
 # Reference

 ## Installation
-<!-- how to setup the service from scratch -->
+
+There is no documentation on how to deploy this service from
+scratch. To deploy a new cert, see the above section and the
+`ssl::service` Puppet resource.

 ## SLA
-<!-- this describes an acceptable level of service for this service -->
+
+TLS is critical and should be highly available when relevant. It
+should fail closed, that is if it fails a security check, it should
+not allow a connexion.

 ## Design

+TLS is one of two major transport security protocols used at TPA (the
+other being [[ipsec]]). It is used by web servers (Apache, HA Proxy,
+Nginx), bacup servers (Bacula), mail servers (Postfix), and possibly
+more.
+
+Certificate generation is done by git hooks for Let's Encrypt or by a
+`makefile` and cron job for auto-ca, see below for details.
+
 ### Certificate authorities in use at Tor

 This documents mostly covers the Let's Encrypt certificates used by
@@ -251,36 +267,36 @@ server (currently `cupani`):

 ## Issues

-<!-- such projects are never over. add a pointer to well-known issues -->
-<!-- and show how to report problems. usually a link to the bugtracker -->
+There is no issue tracker specifically for this project, [File][] or
+[search][] for issues in the [generic internal services][search] component.
+
+ [File]: https://trac.torproject.org/projects/tor/newticket?component=Internal+Services%2FTor+Sysadmin+Team
+ [search]: https://trac.torproject.org/projects/tor/query?status=!closed&component=Internal+Services%2FTor+Sysadmin+Team

 ## Monitoring and testing

-<!-- describe how this service is monitored and how it can be tested -->
-<!-- after major changes like IP address changes or upgrades -->
+When a HTTPS certificate is configured on a host, it MUST be
+(manually) configured in Nagios. This can be done by adding the host
+to the `apache-https-host`, `haproxy-https-host`, `nginx-https-hosts`,
+depending on the webserver implementation. If the TLS server is
+another implementation, a new check SHOULD be written.
+
+All Let's Encrypt certificates are automatically checked for expiry by
+Nagios as well, on top of the above checks.

 # Discussion

 ## Overview

-<!-- describe the overall project. should include a link to a ticket -->
-<!-- that has a launch checklist -->
-
-## Goals
-<!-- include bugs to be fixed -->
-
-### Must have
-
-### Nice to have
-
-### Non-Goals
-
-## Approvals required
-<!-- for example, legal, "vegas", accounting, current maintainer -->
-
-## Proposed Solution
+There are no plans to do major changes to the TLS configuration,
+although [review of the cipher suites](https://trac.torproject.org/projects/tor/ticket/32351) is in progress (as of April
+2020). We should have mechanisms to do such audits on a more
+regular basis, and facilitate changes of those configurations over the
+entire infrastructure.

-## Cost
+<!-- the Goals, Approvals, Proposed solutions and Cost sections have -->
+<!-- been removed from the template because we don't have any big -->
+<!-- project on the TLS infra at the moment -->

 ## Alternatives considered