[cacert-infradocs.git] / docs / systems / irc.rst
1 .. index::
2 single: Systems; Irc
3
4 ===
5 IRC
6 ===
7
8 Purpose
9 =======
10
11 This system provides the CAcert IRC service for private communications,
12 allowing usage of CAcert-secured SSL-Encrypted IRC traffic for our everyday
13 chat, meetings, and general support.
14
15 Application Links
16 -----------------
17
18 https://irc.cacert.org/
19 HTTPS secured Web based IRC access
20
21 http://irc.cacert.org/
22 HTTP fallback for Web based IRC access
23
24 Administration
25 ==============
26
27 System Administration
28 ---------------------
29
30 * Primary: None
31 * Secondary: :ref:`people_mario`, :ref:`people_jandd`
32
33 Application Administration
34 --------------------------
35
36 +--------------+------------------+
37 | Application | Administrator(s) |
38 +==============+==================+
39 | IRC server | None |
40 +--------------+------------------+
41 | IRC services | None |
42 +--------------+------------------+
43 | IRC webchat | None |
44 +--------------+------------------+
45
46 .. todo::
47 find an administrator willing to properly set up and maintain the IRC
48 applications and push the migration to :doc:`ircserver`.
49
50 Contact
51 -------
52
53 * irc-admin@cacert.org
54
55 Basics
56 ======
57
58 Physical Location
59 -----------------
60
61 This system is located in an :term:`LXC` container on physical machine
62 :doc:`infra02`.
63
64 Logical Location
65 ----------------
66
67 :IP Internet: :ip:v4:`213.154.225.233`
68 :IP Intranet: :ip:v4:`172.16.2.14`
69 :IP Internal: :ip:v4:`10.0.0.14`
70 :MAC address: :mac:`00:ff:8d:45:01:a4` (eth0)
71
72 .. seealso::
73
74 See :doc:`../network`
75
76 DNS
77 ---
78
79 .. index::
80 single: DNS records; Irc
81
82 ======================= ======== ==========================================
83 Name Type Content
84 ======================= ======== ==========================================
85 irc.cacert.org. IN A 213.154.225.233
86 irc.cacert.org. IN SSHFP 1 1 C123F73001682277DE5346923518D17CC94E298E
87 irc.cacert.org. IN SSHFP 2 1 B85941C077732F78BE290B8F0B44B0A5E8A0E51D
88 irc.intra.cacert.org. IN A 172.16.2.14
89 ======================= ======== ==========================================
90
91 .. seealso::
92
93 See :wiki:`SystemAdministration/Procedures/DNSChanges`
94
95 Operating System
96 ----------------
97
98 .. index::
99 single: Debian GNU/Linux; Wheezy
100 single: Debian GNU/Linux; 7.11
101
102 * Debian GNU/Linux 7.11
103
104 Applicable Documentation
105 ------------------------
106
107 :wiki:`Technology/TechnicalSupport/EndUserSupport/IRC`
108
109 Services
110 ========
111
112 Listening services
113 ------------------
114
115 +----------+---------+---------+--------------------------------------+
116 | Port | Service | Origin | Purpose |
117 +==========+=========+=========+======================================+
118 | 22/tcp | ssh | ANY | admin console access |
119 +----------+---------+---------+--------------------------------------+
120 | 25/tcp | smtp | local | mail delivery to local MTA |
121 +----------+---------+---------+--------------------------------------+
122 | 80/tcp | http | ANY | IRC webchat |
123 +----------+---------+---------+--------------------------------------+
124 | 443/tcp | https | ANY | IRC webchat |
125 +----------+---------+---------+--------------------------------------+
126 | 5666/tcp | nrpe | monitor | remote monitoring service |
127 +----------+---------+---------+--------------------------------------+
128 | 6667/tcp | ircd | ANY | IRC |
129 +----------+---------+---------+--------------------------------------+
130 | 6668/tcp | ircd | ANY | IRC [#f1]_ |
131 +----------+---------+---------+--------------------------------------+
132 | 7000/tcp | ircd | ANY | IRC |
133 +----------+---------+---------+--------------------------------------+
134
135 ircd also opens a random UDP port; its purpose has not been determined.
136
137 .. [#f1] Not forwarded from :doc:`infra02` to container
138
139 .. todo:: find out what the UDP port is used for
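
An added example, not part of the CAcert documentation: a Python check that compares a socket listing with the table above and reports listeners the table does not cover, such as the unexplained ircd UDP port. The sample listing, the UDP port number 41873 and the use of ``ss -lntu`` as the input format are assumptions.

```python
# Documented listeners, copied from the "Listening services" table above.
# "local" means loopback only; other origin limits are not visible in a
# socket listing and are not checked here.
DOCUMENTED = {
    ("tcp", 22): "ANY", ("tcp", 25): "local", ("tcp", 80): "ANY",
    ("tcp", 443): "ANY", ("tcp", 5666): "monitor", ("tcp", 6667): "ANY",
    ("tcp", 6668): "ANY", ("tcp", 7000): "ANY",
}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample in the column layout of `ss -lntu`; not captured from the
# host, and UDP port 41873 is an invented stand-in for the random ircd port.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:41873      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:5666       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:6667       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:6668       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:7000       0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (proto, address, port) for every tcp/udp socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            yield fields[0], addr, int(port)

def audit(ss_output):
    """Return (kind, proto, port) findings against the documented table."""
    findings, seen = [], set()
    for proto, addr, port in parse_listeners(ss_output):
        seen.add((proto, port))
        origin = DOCUMENTED.get((proto, port))
        if origin is None:
            findings.append(("undocumented", proto, port))
        elif origin == "local" and addr not in LOOPBACK:
            findings.append(("not-loopback", proto, port))
    missing = sorted(DOCUMENTED.keys() - seen)
    return findings + [("missing", proto, port) for proto, port in missing]
```

Adding ``-p`` to the ``ss`` call on the host shows the owning process, which is the first step toward resolving the UDP todo.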
140
141 Running services
142 ----------------
143
144 .. index::
145 single: Postfix
146 single: cron
147 single: lighttpd
148 single: nrpe
149 single: openssh
150 single: oftc-hybrid-ircd
151
152 +--------------------+--------------------+----------------------------------------+
153 | Service | Usage | Start mechanism |
154 +====================+====================+========================================+
155 | openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
156 | | remote | |
157 | | administration | |
158 +--------------------+--------------------+----------------------------------------+
159 | lighttpd | Webserver for | init script |
160 | | IRC webchat | :file:`/etc/init.d/lighttpd` |
161 +--------------------+--------------------+----------------------------------------+
162 | cron | job scheduler | init script :file:`/etc/init.d/cron` |
163 +--------------------+--------------------+----------------------------------------+
164 | Postfix | SMTP server for | init script |
165 | | local mail | :file:`/etc/init.d/postfix` |
166 | | submission | |
167 +--------------------+--------------------+----------------------------------------+
168 | OFTC Hybrid IRCD | IRC server | start script |
169 | | | :file:`/home/ircserver/ircd/bin/ircd` |
170 | | | started manually |
171 +--------------------+--------------------+----------------------------------------+
172 | Nagios NRPE server | remote monitoring | init script |
173 | | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
174 | | :doc:`monitor` | |
175 +--------------------+--------------------+----------------------------------------+
176
177 Connected Systems
178 -----------------
179
180 * :doc:`monitor`
181
182 Outbound network connections
183 ----------------------------
184
185 * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
186 * :doc:`emailout` as SMTP relay
187 * :doc:`proxyout` as HTTP proxy for APT
188
189 Security
190 ========
191
192 .. sshkeys::
193 :RSA: 6e:7c:14:4b:a3:fe:8c:88:1b:d0:e8:3c:93:9c:33:2f
194 :DSA: e7:92:a5:80:49:a9:fe:d3:57:11:1d:ca:b8:0f:c0:44
195 :ECDSA: c5:6a:f5:cc:be:a5:94:03:b8:32:d0:97:ef:26:ac:35
196
197 Dedicated user roles
198 --------------------
199
200 +-----------+--------------+
201 | Group | Purpose |
202 +===========+==============+
203 | ircserver | IRC daemon |
204 +-----------+--------------+
205 | services | IRC services |
206 +-----------+--------------+
207
208 Non-distribution packages and modifications
209 -------------------------------------------
210
211 .. index::
212 pair: non-distribution; oftc-ircd
213
214 OFTC Hybrid IRC daemon
215 ......................
216
217 * The IRC server runs as a self compiled `OFTC Hybrid
218 <http://www.oftc.net/CodingProjects/#ircd>`_ from upstream's `GitHub
219 repository <https://github.com/oftc/oftc-hybrid>`_ at revision
220 1435aa49a8b20d6ed816f53518ae5f22d0579cc4 (tag: oftc-hybrid-1.6.15).
221 * The configured source code is available in
222 :file:`/home/ircserver/oftc-hybrid/`
223 * The installed ircd is in :file:`/home/ircserver/ircd/`
224 * The used configure options are contained in
225 :file:`/home/ircserver/configline`
226
227 The IRC server is linked against system shared libraries and may not work
228 anymore if these are updated to ABI incompatible versions.
229
230 This is the list of linked libraries as of 2014-10-24::
231
232 $ ldd ircd/bin/ircd
233 linux-gate.so.1 => (0xf7714000)
234 libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xf7709000)
235 libcrypt.so.1 => /lib/i386-linux-gnu/i686/cmov/libcrypt.so.1 (0xf76d7000)
236 libssl.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libssl.so.1.0.0 (0xf767d000)
237 libcrypto.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libcrypto.so.1.0.0 (0xf74bf000)
238 libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xf735a000)
239 /lib/ld-linux.so.2 (0xf7715000)
240 libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xf7341000)
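
An added example, not part of the CAcert documentation, showing one way to detect the ABI risk described above: it parses two ``ldd`` listings, ignores the load addresses, and reports libraries that no longer resolve or now resolve to a different path. The baseline is the listing recorded on this page; the second listing is constructed.

```python
import re

# Baseline: the ldd listing recorded on this page (2014-10-24).
BASELINE = """\
linux-gate.so.1 => (0xf7714000)
libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xf7709000)
libcrypt.so.1 => /lib/i386-linux-gnu/i686/cmov/libcrypt.so.1 (0xf76d7000)
libssl.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libssl.so.1.0.0 (0xf767d000)
libcrypto.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libcrypto.so.1.0.0 (0xf74bf000)
libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xf735a000)
/lib/ld-linux.so.2 (0xf7715000)
libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xf7341000)
"""
# Constructed listing after a hypothetical removal of the OpenSSL 1.0.0 libraries.
CURRENT = """\
linux-gate.so.1 => (0xf77a2000)
libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xf7797000)
libcrypt.so.1 => /lib/i386-linux-gnu/i686/cmov/libcrypt.so.1 (0xf7765000)
libssl.so.1.0.0 => not found
libcrypto.so.1.0.0 => not found
libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xf75b8000)
/lib/ld-linux.so.2 (0xf77a3000)
libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xf759f000)
"""

def parse_ldd(text):
    """Map each dependency to its resolved path (None if unresolved)."""
    libs = {}
    for line in text.splitlines():
        line = re.sub(r"\s*\(0x[0-9a-f]+\)\s*$", "", line.strip())  # drop load address
        if line:
            name, *rest = re.split(r"\s*=>\s*", line, maxsplit=1)
            target = rest[0] if rest else name  # the loader is listed by path only
            libs[name] = None if target == "not found" else target
    return libs

def ldd_drift(baseline, current):
    base, cur = parse_ldd(baseline), parse_ldd(current)
    findings = []
    for name in sorted(base.keys() | cur.keys()):
        if name not in cur:
            findings.append(("dropped", name))
        elif cur[name] is None:
            findings.append(("unresolved", name))
        elif name not in base:
            findings.append(("new", name))
        elif cur[name] != base[name]:
            findings.append(("moved", name))
    return findings
```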
241
242 OFTC IRC services
243 .................
244
245 * The IRC services were self compiled `OFTC Services
246 <http://www.oftc.net/CodingProjects/#services>`_ from upstream's `release
247 tarballs <http://www.oftc.net/releases/oftc-ircservices/>`_. Unfortunately,
248 recompilation on the current Debian system does not produce a working binary.
249 * The configured source code is available at
250 :file:`/home/services/oftc-services-1.5.8/`
251 * The dysfunctional IRC services are installed in
252 :file:`/home/services/services`
253 * The used configure options are contained in :file:`/home/services/configline`
254
255 .. warning::
256 There are no services running currently because loading the PostgreSQL
257 driver leads to a segmentation fault in the compiled binaries. PostgreSQL
258 has been uninstalled and the ircservices database has been backed up to
259 :file:`/home/ircserver/archive/pg_ircservices_dump-20180216-143937.sql.gz`.
260
261 IRC Webchat
262 ...........
263
264 * The used Web based IRC software is a self compiled `CGI:IRC
265 <http://cgiirc.sourceforge.net/>`_ version 0.5.9
266 * The Web based IRC software is contained in :file:`/var/cgi/`
267
268 Risk assessments on critical packages
269 -------------------------------------
270
271 The self compiled binaries of OFTC Hybrid ircd, OFTC Services and IRC webchat
272 are not updated regularly. There is no administrator with sufficient knowledge
273 of these applications to maintain them properly.
274
275 Critical Configuration items
276 ============================
277
278 Keys and X.509 certificates
279 ---------------------------
280
281 .. sslcert:: irc.cacert.org
282 :altnames: DNS:cert.irc.cacert.org, DNS:irc.cacert.org, DNS:nocert.irc.cacert.org
283 :certfile: /home/ircserver/ssl/cert.pem
284 :keyfile: /home/ircserver/ssl/rsa.key
285 :serial: 11E863
286 :expiration: Mar 31 20:31:00 18 GMT
287 :sha1fp: 04:EF:FE:61:44:9F:74:AB:C0:D3:5E:F4:D9:48:59:B5:B0:23:27:B2
288 :issuer: CA Cert Signing Authority
289
290 .. sslcert:: irc.cacert.org
291 :certfile: /etc/lighttpd/ssl/server.pem
292 :keyfile: /etc/lighttpd/ssl/server.pem
293 :serial: 11E863
294 :secondary:
295
296 The :file:`/etc/lighttpd/ssl/server.pem` is a combined key and certificate file
297 for lighttpd.
298
299 .. index::
300 pair: lighttpd; configuration
301
302 lighttpd configuration
303 ----------------------
304
305 * :file:`/etc/lighttpd/lighttpd.conf` main configuration file
306 * :file:`/etc/lighttpd/conf-enabled/10-cgi.conf` CGI path configuration
307 * :file:`/etc/lighttpd/conf-enabled/10-ssl.conf` TLS configuration
308
309 These files configure CGI and TLS support for lighttpd. CGI requests go to
310 /var/cgi, which contains the CGI IRC client. Requests for configuration and
311 source code are restricted.
312
313 .. index::
314 pair: oftc-hybrid-ircd; configuration
315 pair: ircd; configuration
316
317 oftc-hybrid-ircd configuration
318 ------------------------------
319
320 * :file:`/home/ircserver/ircd/etc/ircd.conf` main IRC server configuration,
321 defining settings, ports and TLS settings
322
323 .. todo:: add more details
324
325 .. todo::
326 there are a lot of ops users defined in :file:`ircd.conf`; check whether
327 these are still valid
328
329 .. index::
330 pair: IRC webchat; configuration
331
332 IRC webchat configuration
333 -------------------------
334
335 * :file:`/var/cgi/cgiirc.config`
336
337 The configuration defines the connection to the ircd and some defaults for the
338 client like default user names and channel.
339
340 Changes
341 =======
342
343 System Future
344 -------------
345
346 This system should be retired and replaced with the new :doc:`ircserver` that
347 should be running packaged and properly supported software.
348
349 .. note::
350
351 Current Debian releases contain packaged versions of some ircd/irc services
352 combinations:
353
354 * `ircd-hybrid <https://packages.debian.org/jessie/ircd-hybrid>`_ similar
355 to the current software
356 * `charybdis <https://packages.debian.org/jessie/charybdis>`_ with
357 `atheme-services <https://packages.debian.org/jessie/atheme-services>`_
358 (compatible with ircd-hybrid too)
359 * `ircd-ratbox <https://packages.debian.org/jessie/ircd-ratbox>`_ with
360 `ratbox-services
361 <https://packages.debian.org/jessie/ratbox-services-pgsql>`_ used by
362 EFNet
363
364 CGI:IRC has been removed from Debian because it had no active maintainer.