[cacert-infradocs.git] / docs / systems / irc.rst
1 .. index::
2 single: Systems; Irc
3
4 ===
5 IRC
6 ===
7
8 Purpose
9 =======
10
11 This system provides the CAcert IRC service for private communications,
12 allowing usage of CAcert-secured SSL-Encrypted IRC traffic for our everyday
13 chat, meetings, and general support.
14
15 Application Links
16 -----------------
17
18 https://irc.cacert.org/
19 HTTPS secured Web based IRC access
20
21 http://irc.cacert.org/
22 HTTP fallback for Web based IRC access
23
24 Administration
25 ==============
26
27 System Administration
28 ---------------------
29
30 * Primary: None
31 * Secondary: :ref:`people_mario`, :ref:`people_jandd`
32
33 Application Administration
34 --------------------------
35
36 +--------------+------------------+
37 | Application | Administrator(s) |
38 +==============+==================+
39 | IRC server | None |
40 +--------------+------------------+
41 | IRC services | None |
42 +--------------+------------------+
43 | IRC webchat | None |
44 +--------------+------------------+
45
46 .. todo::
47 find an administrator willing to properly set up and maintain IRC applications
48 and push the migration to :doc:`ircserver`.
49
50 Contact
51 -------
52
53 * irc-admin@cacert.org
54
55 Basics
56 ======
57
58 Physical Location
59 -----------------
60
61 This system is located in an :term:`LXC` container on physical machine
62 :doc:`infra02`.
63
64 Logical Location
65 ----------------
66
67 :IP Internet: :ip:v4:`213.154.225.233`
68 :IP Intranet: :ip:v4:`172.16.2.14`
69 :IP Internal: :ip:v4:`10.0.0.14`
70 :MAC address: :mac:`00:ff:8d:45:01:a4` (eth0)
71
72 .. seealso::
73
74 See :doc:`../network`
75
76 DNS
77 ---
78
79 .. index::
80 single: DNS records; Irc
81
82 ======================= ======== ==========================================
83 Name Type Content
84 ======================= ======== ==========================================
85 irc.cacert.org. IN A 213.154.225.233
86 irc.cacert.org. IN SSHFP 1 1 C123F73001682277DE5346923518D17CC94E298E
87 irc.cacert.org. IN SSHFP 2 1 B85941C077732F78BE290B8F0B44B0A5E8A0E51D
88 irc.intra.cacert.org. IN A 172.16.2.14
89 ======================= ======== ==========================================
90
91 .. seealso::
92
93 See :wiki:`SystemAdministration/Procedures/DNSChanges`
94
95 Operating System
96 ----------------
97
98 .. index::
99 single: Debian GNU/Linux; Wheezy
100 single: Debian GNU/Linux; 7.11
101
102 * Debian GNU/Linux 7.11
103
104 Applicable Documentation
105 ------------------------
106
107 :wiki:`Technology/TechnicalSupport/EndUserSupport/IRC`
108
109 Services
110 ========
111
112 Listening services
113 ------------------
114
115 +----------+---------+---------+--------------------------------------+
116 | Port | Service | Origin | Purpose |
117 +==========+=========+=========+======================================+
118 | 22/tcp | ssh | ANY | admin console access |
119 +----------+---------+---------+--------------------------------------+
120 | 25/tcp | smtp | local | mail delivery to local MTA |
121 +----------+---------+---------+--------------------------------------+
122 | 80/tcp | http | ANY | IRC webchat |
123 +----------+---------+---------+--------------------------------------+
124 | 443/tcp | https | ANY | IRC webchat |
125 +----------+---------+---------+--------------------------------------+
126 | 5666/tcp | nrpe | monitor | remote monitoring service |
127 +----------+---------+---------+--------------------------------------+
128 | 5432/tcp | pgsql | local | PostgreSQL database for IRC services |
129 +----------+---------+---------+--------------------------------------+
130 | 6667/tcp | ircd | ANY | IRC |
131 +----------+---------+---------+--------------------------------------+
132 | 6668/tcp | ircd | ANY | IRC [#f1]_ |
133 +----------+---------+---------+--------------------------------------+
134 | 7000/tcp | ircd | ANY | IRC |
135 +----------+---------+---------+--------------------------------------+
136
137 ircd opens a random UDP port for some reason.
138
139 .. [#f1] Not forwarded from :doc:`infra02` to container
140
141 .. todo:: find out what the UDP port is used for
142
143 Running services
144 ----------------
145
146 .. index::
147 single: Postfix
148 single: PostgreSQL
149 single: cron
150 single: lighttpd
151 single: nrpe
152 single: openssh
153 single: oftc-hybrid-ircd
154
155 +--------------------+--------------------+----------------------------------------+
156 | Service | Usage | Start mechanism |
157 +====================+====================+========================================+
158 | openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
159 | | remote | |
160 | | administration | |
161 +--------------------+--------------------+----------------------------------------+
162 | lighttpd | Webserver for | init script |
163 | | IRC webchat | :file:`/etc/init.d/lighttpd` |
164 +--------------------+--------------------+----------------------------------------+
165 | cron | job scheduler | init script :file:`/etc/init.d/cron` |
166 +--------------------+--------------------+----------------------------------------+
167 | PostgreSQL | PostgreSQL | init script |
168 | | database server | :file:`/etc/init.d/postgresql` |
169 | | for IRC services | |
170 +--------------------+--------------------+----------------------------------------+
171 | Postfix | SMTP server for | init script |
172 | | local mail | :file:`/etc/init.d/postfix` |
173 | | submission | |
174 +--------------------+--------------------+----------------------------------------+
175 | OFTC Hybrid IRCD | IRC server | start script |
176 | | | :file:`/home/ircserver/ircd/bin/ircd` |
177 | | | started manually |
178 +--------------------+--------------------+----------------------------------------+
179 | Nagios NRPE server | remote monitoring | init script |
180 | | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
181 | | :doc:`monitor` | |
182 +--------------------+--------------------+----------------------------------------+
183
184 Databases
185 ---------
186
187 +------------+-------------+--------------+
188 | RDBMS | Name | Used for |
189 +============+=============+==============+
190 | PostgreSQL | ircservices | IRC services |
191 +------------+-------------+--------------+
192
193 Connected Systems
194 -----------------
195
196 * :doc:`monitor`
197
198 Outbound network connections
199 ----------------------------
200
201 * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
202 * :doc:`emailout` as SMTP relay
203 * ftp.nl.debian.org as Debian mirror
204 * security.debian.org for Debian security updates
205
206 Security
207 ========
208
209 .. sshkeys::
210 :RSA: 6e:7c:14:4b:a3:fe:8c:88:1b:d0:e8:3c:93:9c:33:2f
211 :DSA: e7:92:a5:80:49:a9:fe:d3:57:11:1d:ca:b8:0f:c0:44
212 :ECDSA: c5:6a:f5:cc:be:a5:94:03:b8:32:d0:97:ef:26:ac:35
213
214 Dedicated user roles
215 --------------------
216
217 +-----------+--------------+
218 | Group | Purpose |
219 +===========+==============+
220 | ircserver | IRC daemon |
221 +-----------+--------------+
222 | services | IRC services |
223 +-----------+--------------+
224
225 Non-distribution packages and modifications
226 -------------------------------------------
227
228 .. index::
229 pair: non-distribution; oftc-ircd
230
231 OFTC Hybrid IRC daemon
232 ......................
233
234 * The IRC server runs as a self compiled `OFTC Hybrid
235 <http://www.oftc.net/CodingProjects/#ircd>`_ from upstream's `GitHub
236 repository <https://github.com/oftc/oftc-hybrid>`_ at revision
237 1435aa49a8b20d6ed816f53518ae5f22d0579cc4 (tag: oftc-hybrid-1.6.15).
238 * The configured source code is available in
239 :file:`/home/ircserver/oftc-hybrid/`
240 * The installed ircd is in :file:`/home/ircserver/ircd/`
241 * The used configure options are contained in
242 :file:`/home/ircserver/configline`
243
244 The IRC server is linked against system shared libraries and may not work
245 anymore if these are updated to ABI incompatible versions.
246
247 This is the list of linked libraries as of 2014-10-24::
248
249 $ ldd ircd/bin/ircd
250 linux-gate.so.1 => (0xf7714000)
251 libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xf7709000)
252 libcrypt.so.1 => /lib/i386-linux-gnu/i686/cmov/libcrypt.so.1 (0xf76d7000)
253 libssl.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libssl.so.1.0.0 (0xf767d000)
254 libcrypto.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libcrypto.so.1.0.0 (0xf74bf000)
255 libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xf735a000)
256 /lib/ld-linux.so.2 (0xf7715000)
257 libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xf7341000)
258
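The ABI risk described above can be checked after each system upgrade by comparing a fresh ``ldd`` listing against the recorded one. The following is an added example, not part of the original documentation or of the OFTC code; ``parse_ldd``, ``compare`` and the ``AFTER_UPGRADE`` sample are assumptions made for illustration, and the baseline is the listing recorded above.

```python
import re

# Known-good baseline: the ldd listing recorded on this page (2014-10-24).
BASELINE = """\
linux-gate.so.1 => (0xf7714000)
libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xf7709000)
libcrypt.so.1 => /lib/i386-linux-gnu/i686/cmov/libcrypt.so.1 (0xf76d7000)
libssl.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libssl.so.1.0.0 (0xf767d000)
libcrypto.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libcrypto.so.1.0.0 (0xf74bf000)
libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xf735a000)
/lib/ld-linux.so.2 (0xf7715000)
libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xf7341000)
"""
# Constructed sample (not real ldd output): OpenSSL 1.0.0 sonames gone, libz moved.
AFTER_UPGRADE = """\
libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xf76f1000)
libcrypt.so.1 => /lib/i386-linux-gnu/i686/cmov/libcrypt.so.1 (0xf76bf000)
libssl.so.1.0.0 => not found
libcrypto.so.1.0.0 => not found
libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xf7342000)
libz.so.1 => /usr/lib/i386-linux-gnu/libz.so.1 (0xf7329000)
"""
LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(not found|/\S+)")

def parse_ldd(text):
    """Map soname -> path (None if 'not found'); vDSO and loader lines are skipped."""
    libs = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:
            libs[m.group(1)] = None if m.group(2) == "not found" else m.group(2)
    return libs

def compare(baseline, current):
    """Return (severity, soname, detail) findings relative to the baseline."""
    old, new = parse_ldd(baseline), parse_ldd(current)
    findings = []
    for soname, old_path in old.items():
        if soname not in new:
            findings.append(("WARN", soname, "no longer listed by ldd"))
        elif new[soname] is None:
            findings.append(("CRIT", soname, "not found, binary cannot start"))
        elif new[soname] != old_path:
            findings.append(("INFO", soname, "now resolves to " + new[soname]))
    return findings

if __name__ == "__main__":
    for finding in compare(BASELINE, AFTER_UPGRADE):
        print(*finding)
```

This only catches libraries whose soname disappeared or moved. A library that keeps its soname but drops symbols needs ``ldd -r`` on the binary, which also reports unresolved symbols.
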
259 OFTC IRC services
260 .................
261
262 * The IRC services were self compiled `OFTC Services
263 <http://www.oftc.net/CodingProjects/#services>`_ from upstream's `release
264 tarballs <http://www.oftc.net/releases/oftc-ircservices/>`_. Unfortunately,
265 recompilation on the current Debian system does not produce a working binary.
266 * The configured source code is available at
267 :file:`/home/services/oftc-services-1.5.8/`
268 * The dysfunctional IRC services are installed in
269 :file:`/home/services/services`
270 * The used configure options are contained in :file:`/home/services/configline`
271
272 .. warning::
273 There are no services running currently because loading the PostgreSQL
274 driver leads to a segmentation fault in the compiled binaries.
275
276 IRC Webchat
277 ...........
278
279 * The used Web based IRC software is a self compiled `CGI:IRC
280 <http://cgiirc.sourceforge.net/>`_ version 0.5.9
281 * The Web based IRC software is contained in :file:`/var/cgi/`
282
283 Risk assessments on critical packages
284 -------------------------------------
285
286 The self compiled binaries of OFTC Hybrid ircd, OFTC Services and IRC webchat
287 are not updated regularly. There is no administrator who knows these
288 applications well enough to maintain them properly.
289
290 Critical Configuration items
291 ============================
292
293 Keys and X.509 certificates
294 ---------------------------
295
296 .. sslcert:: irc.cacert.org
297 :altnames: DNS:cert.irc.cacert.org, DNS:irc.cacert.org, DNS:nocert.irc.cacert.org
298 :certfile: /home/ircserver/ssl/cert.pem
299 :keyfile: /home/ircserver/ssl/rsa.key
300 :serial: 11E863
301 :expiration: Mar 31 20:31:00 18 GMT
302 :sha1fp: 04:EF:FE:61:44:9F:74:AB:C0:D3:5E:F4:D9:48:59:B5:B0:23:27:B2
303 :issuer: CA Cert Signing Authority
304
305 .. sslcert:: irc.cacert.org
306 :certfile: /etc/lighttpd/ssl/server.pem
307 :keyfile: /etc/lighttpd/ssl/server.pem
308 :serial: 11E863
309 :secondary:
310
311 The :file:`/etc/lighttpd/ssl/server.pem` is a combined key and certificate file
312 for lighttpd.
313
314 .. index::
315 pair: lighttpd; configuration
316
317 lighttpd configuration
318 ----------------------
319
320 * :file:`/etc/lighttpd/conf-enabled/10-cgi.conf` CGI path configuration
321 * :file:`/etc/lighttpd/conf-enabled/10-ssl.conf` TLS configuration
322
323 .. todo:: add more details
324
325 .. index::
326 pair: oftc-hybrid-ircd; configuration
327 pair: ircd; configuration
328
329 oftc-hybrid-ircd configuration
330 ------------------------------
331
332 * :file:`/home/ircserver/ircd/etc/ircd.conf` main IRC server configuration,
333 defining settings, ports and TLS settings
334
335 .. todo:: add more details
336 .. todo::
337 there are a lot of ops users defined in :file:`ircd.conf`; check whether
338 these are still valid
339
340 .. index::
341 pair: IRC webchat; configuration
342
343 IRC webchat configuration
344 -------------------------
345
346 * :file:`/var/cgi/cgiirc.config`
347
348 .. todo:: add more details
349
350 Potentially obsolete configuration
351 ----------------------------------
352
353 There are some directories in :file:`/etc/` that contain seemingly unused
354 configuration files:
355
356 * :file:`/etc/irc/`
357 * :file:`/etc/oftc-hybrid/`
358
359 There is also a half-uninstalled package :program:`ircd-hybrid` whose config
360 files are partially still available (:file:`/etc/default/ircd-hybrid` and
361 :file:`/etc/logrotate.d/ircd-hybrid`)
362
363 Changes
364 =======
365
366 System Future
367 -------------
368
369 This system should be retired and replaced with the new :doc:`ircserver` that
370 should be running packaged and properly supported software.
371
372 .. note::
373
374 Current Debian releases contain packaged versions of some ircd/irc services
375 combinations:
376
377 * `ircd-hybrid <https://packages.debian.org/jessie/ircd-hybrid>`_ similar
378 to the current software
379 * `charybdis <https://packages.debian.org/jessie/charybdis>`_ with
380 `atheme-services <https://packages.debian.org/jessie/atheme-services>`_
381 (compatible with ircd-hybrid too)
382 * `ircd-ratbox <https://packages.debian.org/jessie/ircd-ratbox>`_ with
383 `ratbox-services
384 <https://packages.debian.org/jessie/ratbox-services-pgsql>`_ used by
385 EFNet
386
387 CGI:IRC has been removed from Debian because it had no active maintainer.