authorJan Dittberner <jan@dittberner.info>2016-06-05 15:08:00 +0200
committerJan Dittberner <jan@dittberner.info>2016-06-05 15:08:00 +0200
commit55bb34eac73ab52fd9221f06070bc6a43323814c (patch)
treef5750d6ed5b838cb65f9ef3eeb777278ac0422d2
parentccf284a871c68189216c86a4aa9c3b5633fbfd8c (diff)
parentbc5e2d317307cf82662f43da59dc9671da733063 (diff)
downloadcacert-infradocs-55bb34eac73ab52fd9221f06070bc6a43323814c.tar.gz
cacert-infradocs-55bb34eac73ab52fd9221f06070bc6a43323814c.tar.xz
cacert-infradocs-55bb34eac73ab52fd9221f06070bc6a43323814c.zip
Merge branch 'master' of git+ssh://git.cacert.org/var/lib/git/cacert-infradocs
* 'master' of git+ssh://git.cacert.org/var/lib/git/cacert-infradocs: Add documentation for IRC container Document the git.cacert.org container Add documentation for coaudit Improve sslcert.py tool Add pyx509/pyasn1 based tool to create sslcert directives
-rw-r--r--.gitignore5
-rw-r--r--docs/configdiff/git/git-apache-config.diff121
-rw-r--r--docs/configdiff/git/git-daemon-run.diff8
-rw-r--r--docs/configdiff/git/gitweb.conf.diff40
-rw-r--r--docs/systems.rst3
-rw-r--r--docs/systems/coaudit.rst177
-rw-r--r--docs/systems/git.rst368
-rw-r--r--docs/systems/irc.rst387
-rwxr-xr-xtools/sslcert.py116
-rw-r--r--tools/tool-requirements.txt3
10 files changed, 1226 insertions, 2 deletions
diff --git a/.gitignore b/.gitignore
index 47dc4ed..7638b3b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,8 @@
*.pyc
*.pyo
.*.swp
+.ropeproject/
.swp
-venv/
_build/
-.ropeproject/
+py2venv/
+venv/
diff --git a/docs/configdiff/git/git-apache-config.diff b/docs/configdiff/git/git-apache-config.diff
new file mode 100644
index 0000000..ad2c182
--- /dev/null
+++ b/docs/configdiff/git/git-apache-config.diff
@@ -0,0 +1,121 @@
+diff -urwN -X diffignore-apache2 orig/etc/apache2/conf-available/security.conf git/etc/apache2/conf-available/security.conf
+--- orig/etc/apache2/conf-available/security.conf 2015-11-28 13:59:22.000000000 +0100
++++ git/etc/apache2/conf-available/security.conf 2016-05-20 00:15:49.874994024 +0200
+@@ -10,6 +10,17 @@
+ # Order Deny,Allow
+ # Deny from all
+ #</Directory>
++<Directory />
++ Options FollowSymLinks
++ AllowOverride None
++</Directory>
++
++<Directory /var/www/>
++ Options Indexes FollowSymLinks MultiViews
++ AllowOverride None
++ Order allow,deny
++ allow from all
++</Directory>
+
+
+ # Changing the following options will not really affect the security of the
+diff -urwN -X diffignore-apache2 orig/etc/apache2/mods-available/ssl.conf git/etc/apache2/mods-available/ssl.conf
+--- orig/etc/apache2/mods-available/ssl.conf 2015-10-24 10:37:19.000000000 +0200
++++ git/etc/apache2/mods-available/ssl.conf 2016-01-02 16:13:42.695785273 +0100
+@@ -56,7 +56,8 @@
+ # ciphers(1) man page from the openssl package for list of all available
+ # options.
+ # Enable only secure ciphers:
+- SSLCipherSuite HIGH:!aNULL
++ #SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128
++ SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP
+
+ # SSL server cipher order preference:
+ # Use server priorities for cipher algorithm choice.
+@@ -65,7 +66,7 @@
+ # the CPU cost, and did not override SSLCipherSuite in a way that puts
+ # insecure ciphers first.
+ # Default: Off
+- #SSLHonorCipherOrder on
++ SSLHonorCipherOrder on
+
+ # The protocols to enable.
+ # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/000-default.conf git/etc/apache2/sites-available/000-default.conf
+--- orig/etc/apache2/sites-available/000-default.conf 2015-10-24 10:37:19.000000000 +0200
++++ git/etc/apache2/sites-available/000-default.conf 2016-05-20 00:21:02.697250540 +0200
+@@ -11,11 +11,19 @@
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
++ RewriteEngine on
++ RewriteCond %{HTTP_HOST} !^git\.cacert\.org [NC]
++ RewriteCond %{HTTP_HOST} !^$
++ RewriteRule ^/?(.*) http://git.cacert.org/$1 [L,R,NE]
++
++ Redirect / https://git.cacert.org/gitweb
++
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
++ LogLevel warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/default-ssl.conf git/etc/apache2/sites-available/default-ssl.conf
+--- orig/etc/apache2/sites-available/default-ssl.conf 2016-05-20 00:05:51.022493172 +0200
++++ git/etc/apache2/sites-available/default-ssl.conf 2016-05-20 00:14:50.350565644 +0200
+@@ -2,13 +2,27 @@
+ <VirtualHost _default_:443>
+ ServerAdmin webmaster@localhost
+
++ Redirect /index.html /gitweb/
++
+ DocumentRoot /var/www/html
+
++ <Directory />
++ Options FollowSymLinks
++ AllowOverride None
++ </Directory>
++ <Directory /var/www/>
++ Options Indexes FollowSymLinks MultiViews
++ AllowOverride None
++ Order allow,deny
++ allow from all
++ </Directory>
++
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
++ LogLevel warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+@@ -29,8 +43,8 @@
+ # /usr/share/doc/apache2/README.Debian.gz for more info.
+ # If both key and certificate are stored in the same file, only the
+ # SSLCertificateFile directive is needed.
+- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+- SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
++ SSLCertificateFile /etc/ssl/public/git.c.o.chain.crt
++ SSLCertificateKeyFile /etc/ssl/private/git.c.o.key
+
+ # Server Certificate Chain:
+ # Point SSLCertificateChainFile at a file containing the
+@@ -130,6 +144,12 @@
+ # MSIE 7 and newer should be able to use keepalive
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
++ # HSTS
++ Header always set Strict-Transport-Security "max-age=31536000"
++ Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'sha256-dacEZQWGxky95ybZadcNI26RDghVLeVdbdRC/Q3spJQ='; img-src 'self'; style-src 'self';"
++ Header always set X-Frame-Options "DENY"
++ Header always set X-XSS-Protection "1; mode=block"
++ Header always set X-Content-Type-Options "nosniff"
+ </VirtualHost>
+ </IfModule>
+
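Review bot: The rewrite added to the :80 VirtualHost, `RewriteRule ^/?(.*) http://git.cacert.org/$1 [L,R,NE]`, sends requests arriving under a non-canonical host name to http:// rather than https://, so such a client makes a second plaintext hop before the `Redirect / https://git.cacert.org/gitweb` below it takes effect; pointing the rule at `https://git.cacert.org/$1` removes that hop. The `Order allow,deny` / `allow from all` blocks added to security.conf and default-ssl.conf are Apache 2.2 access-control syntax; on the 2.4 httpd this commit's documentation refers to elsewhere they only work while mod_access_compat is loaded, and the 2.4 equivalent is `Require all granted`. `Options Indexes` on `/var/www/` enables directory listings, which is presumably not intended for a host that only serves gitweb; dropping `Indexes` is a one-word change. The HSTS and CSP headers are set only inside the 443 VirtualHost, which is correct, but the SSLProtocol line is not part of this diff, so whether SSLv3 is disabled cannot be confirmed from here.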
diff --git a/docs/configdiff/git/git-daemon-run.diff b/docs/configdiff/git/git-daemon-run.diff
new file mode 100644
index 0000000..abcca5a
--- /dev/null
+++ b/docs/configdiff/git/git-daemon-run.diff
@@ -0,0 +1,8 @@
+--- orig/etc/sv/git-daemon/run 2016-03-19 14:22:50.000000000 +0100
++++ git/etc/sv/git-daemon/run 2014-02-06 01:46:55.424870926 +0100
+@@ -3,4 +3,4 @@
+ echo 'git-daemon starting.'
+ exec chpst -ugitdaemon \
+ "$(git --exec-path)"/git-daemon --verbose --reuseaddr \
+- --base-path=/var/lib /var/lib/git
++ --base-path=/var/cache/git /var/cache/git
diff --git a/docs/configdiff/git/gitweb.conf.diff b/docs/configdiff/git/gitweb.conf.diff
new file mode 100644
index 0000000..0e8e957
--- /dev/null
+++ b/docs/configdiff/git/gitweb.conf.diff
@@ -0,0 +1,40 @@
+--- orig/etc/gitweb.conf 2016-03-19 14:22:50.000000000 +0100
++++ git/etc/gitweb.conf 2014-02-17 02:25:18.281157394 +0100
+@@ -1,5 +1,8 @@
+ # path to git projects (<project>.git)
+-$projectroot = "/var/lib/git";
++$projectroot = "/var/cache/git";
++
++# only show repos that are also served via git-daemon
++$export_ok = "git-daemon-export-ok";
+
+ # directory to use for temp files
+ $git_temp = "/tmp";
+@@ -13,6 +16,9 @@
+ # file with project list; by default, simply scan the projectroot dir.
+ #$projects_list = $projectroot;
+
++# Enable categories
++$projects_list_group_categories = 1;
++
+ # stylesheet to use
+ #@stylesheets = ("static/gitweb.css");
+
+@@ -28,3 +34,17 @@
+ # git-diff-tree(1) options to use for generated patches
+ #@diff_opts = ("-M");
+ @diff_opts = ();
++
++# auto generate fetch URLs
++@git_base_url_list = (
++ "git://git.cacert.org",
++ "ssh://git.cacert.org/var/cache/git");
++
++# Prevent XSS attacks
++$prevent_xss = 1;
++
++# enable gravatar support
++$feature{'avatar'}{'default'} = ['gravatar'];
++
++# enable syntax highlighting
++$feature{'highlight'}{'default'} = [1];
diff --git a/docs/systems.rst b/docs/systems.rst
index fe7d6e1..8370750 100644
--- a/docs/systems.rst
+++ b/docs/systems.rst
@@ -12,10 +12,13 @@ administrator team.
systems/arbitration
systems/blog
systems/board
+ systems/coaudit
systems/bugs
systems/cats
systems/email
systems/emailout
+ systems/git
+ systems/irc
systems/monitor
systems/webmail
diff --git a/docs/systems/coaudit.rst b/docs/systems/coaudit.rst
new file mode 100644
index 0000000..c99ca72
--- /dev/null
+++ b/docs/systems/coaudit.rst
@@ -0,0 +1,177 @@
+.. index::
+ single: Systems; Coaudit
+
+=======
+Coaudit
+=======
+
+Purpose
+=======
+
+Planned replacement for :wiki:`fiddle.it </SystemAdministration/Systems/fiddle>`.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_martin`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Contact
+-------
+
+* coaudit-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_jandd` and :ref:`people_mario` have :program:`sudo` access on that
+machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.230`
+:IP Intranet: :ip:v4:`172.16.2.118`
+:IP Internal: :ip:v4:`10.0.0.118`
+:MAC address: :mac:`00:ff:67:c2:08:53` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Coaudit
+
+=================== ======== ==========================
+Name Type Content
+=================== ======== ==========================
+coaudit.cacert.org. IN CNAME infrastructure.cacert.org.
+=================== ======== ==========================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Jessie
+ single: Debian GNU/Linux; 8.4
+
+* Debian GNU/Linux 8.4
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+-----------+-----------+-----------------------------------------+
+| 80/tcp | http | ANY | application |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: Apache
+ single: cron
+ single: exim
+ single: nrpe
+ single: openssh
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver | init script |
+| | | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| Exim | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/exim4` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+
+Security
+========
+
+.. sshkeys::
+ :RSA: 07:e1:eb:c0:4d:01:b7:a1:16:b1:01:8b:6b:5f:59:43
+ :DSA: 66:ac:19:2c:a1:73:5b:6c:6c:55:3b:5b:52:cb:7e:ec
+ :ECDSA: 51:c7:bf:c6:f1:50:45:b7:cd:31:d7:41:40:60:b4:3c
+
+Critical Configuration items
+============================
+
+Apache httpd configuration
+--------------------------
+
+The system contains an uncustomized Apache httpd configuration.
+
+Changes
+=======
+
+System Future
+-------------
+
+.. todo:: either setup some application or remove the container
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`Exim4Configuration`
diff --git a/docs/systems/git.rst b/docs/systems/git.rst
new file mode 100644
index 0000000..79ba57b
--- /dev/null
+++ b/docs/systems/git.rst
@@ -0,0 +1,368 @@
+.. index::
+ single: Systems; Git
+
+===
+Git
+===
+
+Purpose
+=======
+
+`Git`_ server for the :wiki:`Software` development and :wiki:`System
+Administration <SystemAdministration/Team>` teams.
+
+.. _Git: https://www.git-scm.com/
+
+Application Links
+-----------------
+
+Gitweb
+ http://git.cacert.org/gitweb/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++-------------+---------------------+
+| Application | Administrator(s) |
++=============+=====================+
+| Git | :ref:`people_jandd` |
++-------------+---------------------+
+| Gitweb | :ref:`people_jandd` |
++-------------+---------------------+
+
+Contact
+-------
+
+* git-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario`, :ref:`people_benbe` and :ref:`people_neo` have
+:program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.250`
+:IP Intranet: :ip:v4:`172.16.2.250`
+:IP Internal: :ip:v4:`10.0.0.250`
+:MAC address: :mac:`00:ff:2e:b0:4b:1b` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; <machine>
+
+===================== ======== ============================================
+Name Type Content
+===================== ======== ============================================
+git.cacert.org. IN A 213.154.225.250
+git.cacert.org. IN SSHFP 1 1 23C7622D6DB5822C809152C1C0FD9EA7838F76C6
+git.cacert.org. IN SSHFP 2 1 8509DB491902FE10AB84C8F24B02F10C1ADF0E7F
+git.intra.cacert.org. IN A 172.16.2.250
+===================== ======== ============================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Jessie
+ single: Debian GNU/Linux; 8.4
+
+* Debian GNU/Linux 8.4
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+-----------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+=============================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+-----------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+-----------------------------+
+| 80/tcp | http | ANY | application |
++----------+---------+---------+-----------------------------+
+| 443/tcp | https | ANY | application |
++----------+---------+---------+-----------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+-----------------------------+
+| 9418/tcp | git | ANY | Git daemon port |
++----------+---------+---------+-----------------------------+
+
+.. todo:: disable insecure git-daemon port and http for git, replace these with
+ https for read access and git+ssh for write access
+
+Running services
+----------------
+
+.. index::
+ single: Apache httpd
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+ single: rsyslog
+ single: git-daemon
+
++--------------------+---------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+=====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+---------------------+----------------------------------------+
+| Apache httpd | Webserver for | init script |
+| | gitweb | :file:`/etc/init.d/apache2` |
+| | | |
++--------------------+---------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+---------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+---------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+---------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+---------------------+----------------------------------------+
+| runit | service supervision | :file:`/etc/inittab` entry |
+| | for git-daemon | |
++--------------------+---------------------+----------------------------------------+
+| git-daemon | Daemon for native | runit service description in |
+| | Git protocol | :file:`/etc/sv/git-daemon/run` |
+| | access | |
++--------------------+---------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`jenkins` for git repository access
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* crl.cacert.org (rsync) for getting CRLs
+* :doc:`jenkins` for triggering web hooks
+
+Security
+========
+
+.. sshkeys::
+ :RSA: b6:85:16:ad:57:a1:45:3c:33:e5:f1:64:04:0d:7a:ab
+ :DSA: 27:e5:f3:95:b8:4e:73:48:b5:f2:28:8f:32:5a:96:70
+ :ECDSA: b2:f4:80:77:98:95:46:17:7a:9e:7d:73:65:6e:f4:9c
+
+.. todo:: setup ED25519 host key
+
+Dedicated user roles
+--------------------
+
++-----------------+----------------------------------------------------+
+| Group | Purpose |
++=================+====================================================+
+| git-birdshack | access to :wiki:`BirdShack` git repositories |
++-----------------+----------------------------------------------------+
+| softass | Software assessors |
++-----------------+----------------------------------------------------+
+| git-boardvoting | access to board voting git repository |
++-----------------+----------------------------------------------------+
+| git-rccrtauth | access to Roundcube certificate authentication git |
+| | repository |
++-----------------+----------------------------------------------------+
+| git-infra | access to infrastructure git repositories |
++-----------------+----------------------------------------------------+
+
+.. todo:: think about regulating git access by a proper git repository manager
+ like gitolite
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+Gitweb has been modified to use https for `Gravatar`_ lookups:
+
+.. code-block:: diff
+
+ --- gitweb.cgi 2014-02-06 14:01:48.696730208 +0000
+ +++ /usr/share/gitweb/gitweb.cgi 2014-02-06 14:03:52.933721422 +0000
+ @@ -2064,7 +2064,7 @@
+ my $email = lc shift;
+ my $size = shift;
+ $avatar_cache{$email} ||=
+ - "http://www.gravatar.com/avatar/" .
+ + "https://secure.gravatar.com/avatar/" .
+ Digest::MD5::md5_hex($email) . "?s=";
+ return $avatar_cache{$email} . $size;
+ }
+
+.. _Gravatar: http://www.gravatar.com/
+
+
+Risk assessments on critical packages
+-------------------------------------
+
+The package git-daemon-run exposes the git native protocol which is prone to
+man in the middle attacks that could hand out modified code to users. There are
+alternatives (ssh, https) and git-daemon support should be disabled.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: git.cacert.org
+ :altnames: DNS:git.cacert.org
+ :certfile: /etc/ssl/public/git.c.o.chain.crt
+ :keyfile: /etc/ssl/private/git.c.o.key
+ :serial: 11E84D
+ :expiration: Mar 31 20:07:57 18 GMT
+ :sha1fp: B8:F9:FF:4E:F3:F6:45:A9:44:7D:8A:1E:F5:D7:28:24:74:ED:48:46
+ :issuer: CA Cert Signing Authority
+
+The :file:`/etc/ssl/public/git.c.o.chain.crt` contains the CAcert.org Class 1
+certificate too.
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index:: Git repositories
+
+Git repositories
+----------------
+
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+Apache httpd serves the gitweb interface via http and https. The http
+VirtualHost redirects all traffic to https. The following changes have been
+applied to the Debian package's Apache httpd configuration:
+
+.. literalinclude:: ../configdiff/git/git-apache-config.diff
+ :language: diff
+
+.. index::
+ pair: Gitweb; configuration
+
+Gitweb configuration
+--------------------
+
+Gitweb is configured in :file:`/etc/gitweb.conf` which has the following
+changes to the version contained in the distribution package:
+
+.. literalinclude:: ../configdiff/git/gitweb.conf.diff
+ :language: diff
+
+.. index::
+ pair: runit; configuration
+ pair: git-daemon; configuration
+
+git-daemon configuration
+------------------------
+
+The git-daemon is started by runit. The configuration is stored in
+:file:`/etc/sv/git-daemon/run` and has the following changes to the version
+contained in the distribution package git-daemon-run:
+
+.. literalinclude:: ../configdiff/git/git-daemon-run.diff
+ :language: diff
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: enable IPv6
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+Adding a git repository
+-----------------------
+
+The git repositories are stored in :file:`/var/cache/git/`. To create a new
+repository use:
+
+.. code-block:: shell
+
+ cd /var/cache/git/
+ git init --bare --shared=group <reponame.git>
+ chgrp -R <groupname> <reponame.git>
+
+The gitweb index is built from all repositories that contain a file
+:file:`git-daemon-export-ok`. You should also put a description in the
+repository's :file:`description` file and set the repository owner via:
+
+.. code-block:: shell
+
+ cd <reponame.git>
+ git config gitweb.owner "Owner information"
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Apache httpd documentation
+ http://httpd.apache.org/docs/2.4/
diff --git a/docs/systems/irc.rst b/docs/systems/irc.rst
new file mode 100644
index 0000000..be86869
--- /dev/null
+++ b/docs/systems/irc.rst
@@ -0,0 +1,387 @@
+.. index::
+ single: Systems; Irc
+
+===
+IRC
+===
+
+Purpose
+=======
+
+This system provides the CAcert IRC service for private communications,
+allowing usage of CAcert-secured SSL-Encrypted IRC traffic for our everyday
+chat, meetings, and general support.
+
+Application Links
+-----------------
+
+https://irc.cacert.org/
+ HTTPS secured Web based IRC access
+
+http://irc.cacert.org/
+ HTTP fallback for Web based IRC access
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: None
+* Secondary: :ref:`people_mario`, :ref:`people_jandd`
+
+Application Administration
+--------------------------
+
++--------------+------------------+
+| Application | Administrator(s) |
++==============+==================+
+| IRC server | None |
++--------------+------------------+
+| IRC services | None |
++--------------+------------------+
+| IRC webchat | None |
++--------------+------------------+
+
+.. todo::
+ find an administrator willing to properly setup/maintain IRC applications
+ and push the migration to :doc:`ircserver`.
+
+Contact
+-------
+
+* irc-admin@cacert.org
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.233`
+:IP Intranet: :ip:v4:`172.16.2.14`
+:IP Internal: :ip:v4:`10.0.0.14`
+:MAC address: :mac:`00:ff:8d:45:01:a4` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Irc
+
+======================= ======== ==========================================
+Name Type Content
+======================= ======== ==========================================
+irc.cacert.org. IN A 213.154.225.233
+irc.cacert.org. IN SSHFP 1 1 C123F73001682277DE5346923518D17CC94E298E
+irc.cacert.org. IN SSHFP 2 1 B85941C077732F78BE290B8F0B44B0A5E8A0E51D
+irc.intra.cacert.org. IN A 172.16.2.14
+======================= ======== ==========================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.10
+
+* Debian GNU/Linux 7.10
+
+Applicable Documentation
+------------------------
+
+:wiki:`Technology/TechnicalSupport/EndUserSupport/IRC`
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+--------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+======================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+--------------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+--------------------------------------+
+| 80/tcp | http | ANY | IRC webchat |
++----------+---------+---------+--------------------------------------+
+| 443/tcp | https | ANY | IRC webchat |
++----------+---------+---------+--------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+--------------------------------------+
+| 5432/tcp | pgsql | local | PostgreSQL database for IRC services |
++----------+---------+---------+--------------------------------------+
+| 6667/tcp | ircd | ANY | IRC |
++----------+---------+---------+--------------------------------------+
+| 6668/tcp | ircd | ANY | IRC [#f1]_ |
++----------+---------+---------+--------------------------------------+
+| 7000/tcp | ircd | ANY | IRC |
++----------+---------+---------+--------------------------------------+
+
+ircd opens a random UDP port for some reason.
+
+.. [#f1] Not forwarded from :doc:`infra02` to container
+
+.. todo:: find out what the UDP port is used for
+
+Running services
+----------------
+
+.. index::
+ single: Postfix
+ single: PostgreSQL
+ single: cron
+ single: lighttpd
+ single: nrpe
+ single: openssh
+ single: oftc-hybrid-ircd
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| lighttpd | Webserver for | init script |
+| | IRC webchat | :file:`/etc/init.d/lighttpd` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL | PostgreSQL | init script |
+| | database server | :file:`/etc/init.d/postgresql` |
+| | for IRC services | |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| OFTC Hybrid IRCD | IRC server | start script |
+| | | :file:`/home/ircserver/ircd/bin/ircd` |
+| | | started manually |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++------------+-------------+--------------+
+| RDBMS | Name | Used for |
++============+=============+==============+
+| PostgreSQL | ircservices | IRC services |
++------------+-------------+--------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+
+Security
+========
+
+.. sshkeys::
+ :RSA: 6e:7c:14:4b:a3:fe:8c:88:1b:d0:e8:3c:93:9c:33:2f
+ :DSA: e7:92:a5:80:49:a9:fe:d3:57:11:1d:ca:b8:0f:c0:44
+ :ECDSA: c5:6a:f5:cc:be:a5:94:03:b8:32:d0:97:ef:26:ac:35
+
+Dedicated user roles
+--------------------
+
++-----------+--------------+
+| Group | Purpose |
++===========+==============+
+| ircserver | IRC daemon |
++-----------+--------------+
+| services | IRC services |
++-----------+--------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+.. index::
+ pair: non-distribution; oftc-ircd
+
+OFTC Hybrid IRC daemon
+......................
+
+* The IRC server runs as a self compiled `OFTC Hybrid
+ <http://www.oftc.net/CodingProjects/#ircd>`_ from upstream's `GitHub
+ repository <https://github.com/oftc/oftc-hybrid>`_ at revision
+ 1435aa49a8b20d6ed816f53518ae5f22d0579cc4 (tag: oftc-hybrid-1.6.15).
+* The configured source code is available in
+ :file:`/home/ircserver/oftc-hybrid/`
+* The installed ircd is in :file:`/home/ircserver/ircd/`
+* The used configure options are contained in
+ :file:`/home/ircserver/configline`
+
+The IRC server is linked against system shared libraries and may not work
+anymore if these are updated to ABI incompatible versions.
+
+This is the listed of linked libraries as of 2014-10-24::
+
+ $ ldd ircd/bin/ircd
+ linux-gate.so.1 => (0xf7714000)
+ libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xf7709000)
+ libcrypt.so.1 => /lib/i386-linux-gnu/i686/cmov/libcrypt.so.1 (0xf76d7000)
+ libssl.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libssl.so.1.0.0 (0xf767d000)
+ libcrypto.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libcrypto.so.1.0.0 (0xf74bf000)
+ libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xf735a000)
+ /lib/ld-linux.so.2 (0xf7715000)
+ libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xf7341000)
+
+OFTC IRC services
+.................
+
+* The IRC services where self compiled `OFTC Services
+ <http://www.oftc.net/CodingProjects/#services>`_ from upstreams `release
+ tarballs <http://www.oftc.net/releases/oftc-ircservices/>`_ unfortunatelly
+ recompilation on the current Debian system does not produce a working binary.
+* The configured source code is available at
+ :file:`/home/services/oftc-services-1.5.8/`
+* The installed disfunctional IRC services are installed in
+ :file:`/home/services/services`
+* The used configure options are contained in :file:`/home/services/configline`
+
+.. warning::
+ There are no services running currently because loading the PostgreSQL
+ driver leads to a segmentation fault in the compiled binaries.
+
+IRC Webchat
+...........
+
+* The used Web based IRC software is a self compiled `CGI:IRC
+ <http://cgiirc.sourceforge.net/>`_ version 0.5.9
+* The Web based IRC software is contained in :file:`/var/cgi/`
+
+Risk assessments on critical packages
+-------------------------------------
+
+The self compiled binaries of OFTC Hybrid ircd, OFTC Services and IRC webchat
+are not updated regularly. There is no administrator with good enough knowledge
+for these applications to properly maintain these.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: irc.cacert.org
+ :altnames: DNS:cert.irc.cacert.org, DNS:irc.cacert.org, DNS:nocert.irc.cacert.org
+ :certfile: /home/ircserver/ssl/cert.pem
+ :keyfile: /home/ircserver/ssl/rsa.key
+ :serial: 11E863
+ :expiration: Mar 31 20:31:00 18 GMT
+ :sha1fp: 04:EF:FE:61:44:9F:74:AB:C0:D3:5E:F4:D9:48:59:B5:B0:23:27:B2
+ :issuer: CA Cert Signing Authority
+
+.. sslcert:: irc.cacert.org
+ :certfile: /etc/lighttpd/ssl/server.pem
+ :keyfile: /etc/lighttpd/ssl/server.pem
+ :serial: 11E863
+ :secondary:
+
+The :file:`/etc/lighttpd/ssl/server.pem` is a combined key and certificate file
+for lighttpd.
+
+.. index::
+ pair: lighttpd; configuration
+
+lighttpd configuration
+----------------------
+
+* :file:`/etc/lighttpd/conf-enabled/10-cgi.conf` CGI path configuration
+* :file:`/etc/lighttpd/conf-enabled/10-ssl.conf` TLS configuration
+
+.. todo:: add more details
+
+.. index::
+ pair: oftc-hybrid-ircd; configuration
+ pair: ircd; configuration
+
+oftc-hybrid-ircd configuration
+------------------------------
+
+* :file:`/home/ircserver/ircd/etc/ircd.conf` main IRC server configuration,
+ defining settings, ports and TLS settings
+
+.. todo:: add more details
+.. todo::
+ there are a lot of ops users defined in :file:`ircd.conf` check whether
+ these are still valid
+
+.. index::
+ pair: IRC webchat; configuration
+
+IRC webchat configuration
+-------------------------
+
+* :file:`/var/cgi/cgiirc.config`
+
+.. todo:: add more details
+
+Potentially obsolete configuration
+----------------------------------
+
+There are some directories in :file:`/etc/` that contain seemingly unused
+configuration files:
+
+* :file:`/etc/irc/`
+* :file:`/etc/oftc-hybrid/`
+
+There is also a half-uninstalled package :program:`ircd-hybrid` whose config
+files are partially still available (:file:`/etc/default/ircd-hybrid` and
+:file:`/etc/logrotate.d/ircd-hybrid`)
+
+Changes
+=======
+
+System Future
+-------------
+
+This system should be retired and replaced with the new :doc:`ircserver` that
+should be running packaged and properly supported software.
+
+.. note::
+
+ Current Debian releases contain packaged versions of some ircd/irc services
+ combinations:
+
+ * `ircd-hybrid <https://packages.debian.org/jessie/ircd-hybrid>`_ similar
+ to the current software
+ * `charybdis <https://packages.debian.org/jessie/charybdis>`_ with
+ `atheme-services <https://packages.debian.org/jessie/atheme-services>`_
+ (compatible with ircd-hybrid too)
+ * `ircd-ratbox <https://packages.debian.org/jessie/ircd-ratbox>`_ with
+ `ratbox-services
+ <https://packages.debian.org/jessie/ratbox-services-pgsql>`_ used by
+ EFNet
+
+ CGI:IRC has been removed from Debian because it had no active maintainer.
diff --git a/tools/sslcert.py b/tools/sslcert.py
new file mode 100755
index 0000000..531a5b5
--- /dev/null
+++ b/tools/sslcert.py
@@ -0,0 +1,116 @@
+#!/usr/bin/env python
+
+from __future__ import print_function
+
+from datetime import datetime
+from hashlib import sha1
+import argparse
+import os.path
+
+from pyasn1_modules import pem
+from pyx509.pkcs7.asn1_models.X509_certificate import Certificate
+from pyx509.pkcs7_models import X509Certificate
+from pyx509.pkcs7.asn1_models.decoder_workarounds import decode
+
+
+ALTNAME_MAP = (
+ ('dNSName', 'DNS'),
+ ('rfc822Name', 'EMAIL'),
+ ('iPAddress', 'IP')
+)
+
+
+def x509_parse(derData):
+ """Decodes certificate.
+ @param derData: DER-encoded certificate string
+ @returns: pkcs7_models.X509Certificate
+ """
+ cert = decode(derData, asn1Spec=Certificate())[0]
+ x509cert = X509Certificate(cert)
+ return x509cert
+
+
+def get_altnames(cert):
+ altnames = cert.tbsCertificate.subjAltNameExt.value.values
+ retval = []
+ for typ, data in [(field[1], altnames[field[0]]) for field in ALTNAME_MAP]:
+ for item in sorted(data):
+ retval.append("{typ}:{item}".format(typ=typ, item=item))
+ return ", ".join(retval)
+
+
+def get_serial(cert):
+ serial = "%X" % cert.tbsCertificate.serial_number
+ return "0" * (len(serial) % 2) + serial
+
+
+def get_expiration(cert):
+ return datetime.strptime(
+ cert.tbsCertificate.validity.valid_to, '%Y%m%d%H%M%SZ'
+ ).strftime('%b %d %H:%M:%S %y GMT')
+
+
+def get_sha1fp(certdata):
+ hexhash = sha1(certdata).hexdigest().upper()
+ return ":".join([hexhash[i:i+2] for i in range(0, len(hexhash), 2)])
+
+
+def get_issuer(cert):
+ return cert.tbsCertificate.issuer.get_attributes()['CN'][0]
+
+
+def get_subject(cert):
+ return cert.tbsCertificate.subject.get_attributes()['CN'][0]
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=(
+ 'Create an sslcert directive from data taken from a PEM encoded '
+ 'X.509 certificate file and its corresponding PEM encoded RSA key '
+ 'file.'))
+ parser.add_argument(
+ 'cert', metavar='CERT', type=open,
+ help='PEM encoded X.509 certficate file')
+ parser.add_argument(
+ '--key', metavar='KEY', type=open,
+ help='PEM encoded RSA private key', default=None)
+ parser.add_argument(
+ '--root', metavar='ROOT', type=str,
+ help='Relative root directory for key and cert')
+
+ args = parser.parse_args()
+
+ certpem = pem.readPemFromFile(args.cert)
+ certpath = os.path.abspath(args.cert.name)
+ if args.root:
+ certpath = '/' + os.path.relpath(certpath, args.root)
+ if args.key:
+ haskey = True
+ keypem = pem.readPemFromFile(args.key)
+ keypath = os.path.abspath(args.key.name)
+ if args.root:
+ keypath = '/' + os.path.relpath(keypath, args.root)
+ else:
+ keypath = 'TODO: define key path'
+
+ cert = x509_parse(certpem)
+ data = {
+ 'altnames': get_altnames(cert),
+ 'certfile': certpath,
+ 'keyfile': keypath,
+ 'serial': get_serial(cert),
+ 'expiration': get_expiration(cert),
+ 'sha1fp': get_sha1fp(certpem),
+ 'issuer': get_issuer(cert),
+ 'subject': get_subject(cert),
+ }
+ print(""".. sslcert:: {subject}
+ :altnames: {altnames}
+ :certfile: {certfile}
+ :keyfile: {keyfile}
+ :serial: {serial}
+ :expiration: {expiration}
+ :sha1fp: {sha1fp}
+ :issuer: {issuer}
+""".format(**data))
diff --git a/tools/tool-requirements.txt b/tools/tool-requirements.txt
new file mode 100644
index 0000000..e00844f
--- /dev/null
+++ b/tools/tool-requirements.txt
@@ -0,0 +1,3 @@
+pyasn1==0.1.9
+pyasn1-modules==0.0.8
+git+https://github.com/hiviah/pyx509@a35702c3d514c96d75a1c3498307a16991cdd0d3#egg=pyx509