`Git`_ server for the :wiki:`Software` development and :wiki:`System
Administration <SystemAdministration/Team>` teams.

.. _Git: https://www.git-scm.com/

http://git.cacert.org/gitweb/
* Primary: :ref:`people_jandd`

.. todo:: find an additional admin
Application Administration
--------------------------

+-------------+---------------------+
| Application | Administrator(s)    |
+=============+=====================+
| Git         | :ref:`people_jandd` |
+-------------+---------------------+
| Gitweb      | :ref:`people_jandd` |
+-------------+---------------------+

* git-admin@cacert.org
:ref:`people_mario`, :ref:`people_benbe` and :ref:`people_neo` have
:program:`sudo` access on that machine too.

This system is located in an :term:`LXC` container on physical machine

:IP Internet: :ip:v4:`213.154.225.250`
:IP Intranet: :ip:v4:`172.16.2.250`
:IP Internal: :ip:v4:`10.0.0.250`
:MAC address: :mac:`00:ff:2e:b0:4b:1b` (eth0)
.. index::
   single: DNS records; <machine>

===================== ======== ============================================
Name                  Type     Content
===================== ======== ============================================
git.cacert.org.       IN A     213.154.225.250
git.cacert.org.       IN SSHFP 1 1 23C7622D6DB5822C809152C1C0FD9EA7838F76C6
git.cacert.org.       IN SSHFP 1 2 DABBE1766C7933071C4E6942A1DFC72C26D9D867D8DEE84BEDA210C8EF9EA2C5
git.cacert.org.       IN SSHFP 2 1 8509DB491902FE10AB84C8F24B02F10C1ADF0E7F
git.cacert.org.       IN SSHFP 2 2 00C20C26B6B9A026BBB11B5C45CBEC5D3AB44A039DC0F097CAD88374D3567D01
git.cacert.org.       IN SSHFP 3 1 60DE5788BD83ABC7F315B667F634BDA5DA8502ED
git.cacert.org.       IN SSHFP 3 2 132BD98483440124F6B8117148B02A66645477F53C18F974E4DECB32A7495644
git.intra.cacert.org. IN A     172.16.2.250
===================== ======== ============================================

See :wiki:`SystemAdministration/Procedures/DNSChanges`
.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.4

* Debian GNU/Linux 8.4

Applicable Documentation
------------------------
+----------+---------+---------+-----------------------------+
| Port     | Service | Origin  | Purpose                     |
+==========+=========+=========+=============================+
| 22/tcp   | ssh     | ANY     | admin console access        |
+----------+---------+---------+-----------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA  |
+----------+---------+---------+-----------------------------+
| 80/tcp   | http    | ANY     | application                 |
+----------+---------+---------+-----------------------------+
| 443/tcp  | https   | ANY     | application                 |
+----------+---------+---------+-----------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service   |
+----------+---------+---------+-----------------------------+
| 9418/tcp | git     | ANY     | Git daemon port             |
+----------+---------+---------+-----------------------------+

.. todo:: disable insecure git-daemon port and http for git, replace these with
   https for read access and git+ssh for write access
+--------------------+---------------------+----------------------------------------+
| Service            | Usage               | Start mechanism                        |
+====================+=====================+========================================+
| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
|                    | administration      |                                        |
+--------------------+---------------------+----------------------------------------+
| Apache httpd       | Webserver for       | init script                            |
|                    | gitweb              | :file:`/etc/init.d/apache2`            |
+--------------------+---------------------+----------------------------------------+
| cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
+--------------------+---------------------+----------------------------------------+
| rsyslog            | syslog daemon       | init script                            |
|                    |                     | :file:`/etc/init.d/syslog`             |
+--------------------+---------------------+----------------------------------------+
| Postfix            | SMTP server for     | init script                            |
|                    | local mail          | :file:`/etc/init.d/postfix`            |
+--------------------+---------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring   | init script                            |
|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`      |                                        |
+--------------------+---------------------+----------------------------------------+
| runit              | service supervision | :file:`/etc/inittab` entry             |
|                    | for git-daemon      |                                        |
+--------------------+---------------------+----------------------------------------+
| git-daemon         | Daemon for native   | runit service description in           |
|                    | Git protocol        | :file:`/etc/sv/git-daemon/run`         |
+--------------------+---------------------+----------------------------------------+

* :doc:`jenkins` for git repository access
Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for getting CRLs
* :doc:`jenkins` for triggering web hooks
:RSA: b6:85:16:ad:57:a1:45:3c:33:e5:f1:64:04:0d:7a:ab
:DSA: 27:e5:f3:95:b8:4e:73:48:b5:f2:28:8f:32:5a:96:70
:ECDSA: b2:f4:80:77:98:95:46:17:7a:9e:7d:73:65:6e:f4:9c

.. todo:: setup ED25519 host key
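The SSHFP records in the DNS table and the host key fingerprints listed above are both derived from the host's public keys. The following Python is an added example, not part of the CAcert documentation or tooling: it computes SSHFP records from an OpenSSH public key line, parses records in the zone-style layout of the DNS table, and checks a key against the published records so a mismatch after a host key rotation is caught. The key it uses is constructed for the example and is not a real git.cacert.org key.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_sshfp_rr(line):
    """Parse a zone-style line 'owner IN SSHFP alg fptype hex' into a tuple."""
    owner, klass, rrtype, alg, fptype, fp = line.split()
    if klass.upper() != "IN" or rrtype.upper() != "SSHFP":
        raise ValueError("not an SSHFP record: %r" % line)
    return (owner, int(alg), int(fptype), fp.upper())


def sshfp_records(pubkey_line, owner):
    """SSHFP tuples (owner, alg, fptype, hex) for one OpenSSH public key line.

    The line is '<type> <base64 blob> [comment]' as printed by ssh-keyscan or
    stored in /etc/ssh/ssh_host_*_key.pub. The fingerprint is the hash of the
    decoded key blob, not of the base64 text.
    """
    key_type, blob_b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(blob_b64)
    return [(owner, ALGORITHMS[key_type], fptype, h(blob).hexdigest().upper())
            for fptype, h in FP_TYPES.items()]


def verify_sshfp(pubkey_line, published, owner):
    """True when every published record for this owner and algorithm matches.

    Records for other owners or algorithms are ignored; a key whose algorithm
    has no published record cannot be verified and yields False.
    """
    expected = set(sshfp_records(pubkey_line, owner))
    alg = ALGORITHMS[pubkey_line.split()[0]]
    relevant = [(o, a, t, fp.upper()) for o, a, t, fp in published
                if o == owner and a == alg]
    return bool(relevant) and all(r in expected for r in relevant)


# Constructed sample key, not a real CAcert host key: a structurally valid
# ed25519 public key blob whose 32 key bytes are simply 0x00..0x1f.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " sample"
SAMPLE_RECORDS = sshfp_records(SAMPLE_KEY, "git.cacert.org.")
```

In practice the key line comes from ``ssh-keyscan -t ed25519 git.cacert.org`` and the published records from ``dig +short SSHFP git.cacert.org``, prefixed with the owner name and ``IN SSHFP`` before parsing.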
+-----------------+----------------------------------------------------+
| Group           | Description                                        |
+=================+====================================================+
| git-birdshack   | access to :wiki:`BirdShack` git repositories       |
+-----------------+----------------------------------------------------+
| softass         | Software assessors                                 |
+-----------------+----------------------------------------------------+
| git-boardvoting | access to board voting git repository              |
+-----------------+----------------------------------------------------+
| git-rccrtauth   | access to Roundcube certificate authentication git |
|                 | repository                                         |
+-----------------+----------------------------------------------------+
| git-infra       | access to infrastructure git repositories          |
+-----------------+----------------------------------------------------+

.. todo:: think about regulating git access by a proper git repository manager
Non-distribution packages and modifications
-------------------------------------------

Gitweb has been modified to use https for `Gravatar`_ lookups:
.. code-block:: diff

   --- gitweb.cgi 2014-02-06 14:01:48.696730208 +0000
   +++ /usr/share/gitweb/gitweb.cgi 2014-02-06 14:03:52.933721422 +0000
   @@ -2064,7 +2064,7 @@
   my $email = lc shift;
   $avatar_cache{$email} ||=
   - "http://www.gravatar.com/avatar/" .
   + "https://secure.gravatar.com/avatar/" .
   Digest::MD5::md5_hex($email) . "?s=";
   return $avatar_cache{$email} . $size;
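Review bot: the `-`/`+` pair only fixes the transport; the unchanged context lines (`Digest::MD5::md5_hex($email) . "?s="`) show gitweb still sends the MD5 of every lowercased committer address to a third party on each page view, so either record that disclosure in the risk assessment section or turn off gitweb's avatar feature in :file:`/etc/gitweb.conf` instead of patching the URL. Also, the `---` header names a bare `gitweb.cgi` while `+++` gives the full `/usr/share/gitweb/gitweb.cgi`, so the diff cannot be reapplied with a known strip level after a package upgrade; naming the backup copy with its full path (for example `/usr/share/gitweb/gitweb.cgi.orig`) would make the change reproducible.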
.. _Gravatar: http://www.gravatar.com/
Risk assessments on critical packages
-------------------------------------

The package git-daemon-run exposes the native git protocol, which provides no
server authentication or transport integrity and is therefore prone to
man-in-the-middle attacks that could hand out modified code to users.
Authenticated alternatives (ssh, https) exist, so git-daemon support should be
disabled.
Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: git.cacert.org
   :altnames: DNS:git.cacert.org
   :certfile: /etc/ssl/public/git.c.o.chain.crt
   :keyfile: /etc/ssl/private/git.c.o.key
   :expiration: Mar 31 20:07:57 18 GMT
   :sha1fp: B8:F9:FF:4E:F3:F6:45:A9:44:7D:8A:1E:F5:D7:28:24:74:ED:48:46
   :issuer: CA Cert Signing Authority

The :file:`/etc/ssl/public/git.c.o.chain.crt` contains the CAcert.org Class 1

* :wiki:`SystemAdministration/CertificateList`
.. index:: Git repositories

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

Apache httpd serves the gitweb interface via http and https. The http
VirtualHost redirects all traffic to https. The following changes have been
applied to the Debian package's Apache httpd configuration:

.. literalinclude:: ../configdiff/git/git-apache-config.diff
.. index::
   pair: Gitweb; configuration

Gitweb is configured in :file:`/etc/gitweb.conf` which has the following
changes to the version contained in the distribution package:

.. literalinclude:: ../configdiff/git/gitweb.conf.diff
.. index::
   pair: runit; configuration
   pair: git-daemon; configuration

git-daemon configuration
------------------------

The git-daemon is started by runit. The configuration is stored in
:file:`/etc/sv/git-daemon/run` and has the following changes to the version
contained in the distribution package git-daemon-run:

.. literalinclude:: ../configdiff/git/git-daemon-run.diff

.. todo:: enable IPv6
Additional documentation
========================

Adding a git repository
-----------------------

The git repositories are stored in :file:`/var/cache/git/`. To create a new

.. code-block:: shell

   git init --bare --shared=group <reponame.git>
   chgrp -R <groupname> <reponame.git>

The gitweb index is built from all repositories that contain a file
:file:`git-daemon-export-ok`. You should also put a description in the
repository's :file:`description` file and set the repository owner via:

.. code-block:: shell

   git config gitweb.owner "Owner information"
* :wiki:`PostfixConfiguration`

Apache httpd documentation
   http://httpd.apache.org/docs/2.4/