31b132acac62d3cd629162847942965fa851cb28
[cacert-infradocs.git] / docs / systems / ircserver.rst
.. index::
   single: Systems; Ircserver

=========
Ircserver
=========

Purpose
=======

This system is the planned replacement for :doc:`irc`.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+--------------+---------------------+
| Application  | Administrator(s)    |
+==============+=====================+
| IRC server   | :ref:`people_jandd` |
+--------------+---------------------+
| IRC services | :ref:`people_jandd` |
+--------------+---------------------+
| Votebot      | :ref:`people_jandd` |
+--------------+---------------------+

Contact
-------

* irc-admin@cacert.org

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.233`
:IP Intranet: :ip:v4:`172.16.2.24`
:IP Internal: :ip:v4:`10.0.0.130`
:IPv6: :ip:v6:`2001:7b8:616:162:2::14`
:MAC address: :mac:`00:ff:9a:79:ca:b1` (eth0)

.. todo:: setup IPv6

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Ircserver
   single: DNS records; Irc

======================= ======== ============================================
Name                    Type     Content
======================= ======== ============================================
irc.cacert.org.         IN A     213.154.225.233
irc.cacert.org.         IN SSHFP 1 1 C123F73001682277DE5346923518D17CC94E298E
irc.cacert.org.         IN SSHFP 2 1 B85941C077732F78BE290B8F0B44B0A5E8A0E51D
irc.intra.cacert.org.   IN A     172.16.2.14
======================= ======== ============================================

.. todo:: setup new SSHFP records

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)
101
Services
========

Listening services
------------------

+----------+--------------+---------+----------------------------+
| Port     | Service      | Origin  | Purpose                    |
+==========+==============+=========+============================+
| 22/tcp   | ssh          | ANY     | admin console access       |
+----------+--------------+---------+----------------------------+
| 25/tcp   | smtp         | local   | mail delivery to local MTA |
+----------+--------------+---------+----------------------------+
| 80/tcp   | http         | ANY     | redirect to https          |
+----------+--------------+---------+----------------------------+
| 443/tcp  | https        | ANY     | reverse proxy for kiwiirc  |
+----------+--------------+---------+----------------------------+
| 5666/tcp | nrpe         | monitor | remote monitoring service  |
+----------+--------------+---------+----------------------------+
| 6667/tcp | ircd         | ANY     | IRC                        |
+----------+--------------+---------+----------------------------+
| 7000/tcp | ircd         | ANY     | IRC (SSL)                  |
+----------+--------------+---------+----------------------------+
| 7001/tcp | ircd         | local   | IRC (services)             |
+----------+--------------+---------+----------------------------+
| 7778/tcp | kiwiirc      | local   | kiwiirc process            |
+----------+--------------+---------+----------------------------+
| 8080/tcp | irc-services | ANY     | IRC services               |
+----------+--------------+---------+----------------------------+

The IRC daemon additionally opens a random UDP port.

The following port forwarding is set up on :doc:`infra02`:
135
+-------------+-------+-----------------+
| Intranet IP | Port  | Target          |
+=============+=======+=================+
| 172.16.2.14 | 13022 | 10.0.0.130:22   |
+-------------+-------+-----------------+
| 172.16.2.14 | 13080 | 10.0.0.130:80   |
+-------------+-------+-----------------+
| 172.16.2.14 | 13443 | 10.0.0.130:443  |
+-------------+-------+-----------------+
| 172.16.2.14 | 13667 | 10.0.0.130:6667 |
+-------------+-------+-----------------+
| 172.16.2.14 | 13700 | 10.0.0.130:7000 |
+-------------+-------+-----------------+

.. todo:: implement final forwarding to required ports from :doc:`infra02`
151
Running services
----------------

.. index::
   single: cron
   single: exim
   single: nrpe
   single: openssh
   single: inspircd
   single: atheme-services
   single: votebot

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| inspircd           | IRC daemon         | init script                            |
|                    |                    | :file:`/etc/init.d/inspircd`           |
+--------------------+--------------------+----------------------------------------+
| atheme-services    | IRC services       | init script                            |
|                    |                    | :file:`/etc/init.d/atheme-services`    |
+--------------------+--------------------+----------------------------------------+
| kiwiirc            | IRC web client     | start script                           |
|                    |                    | :file:`/home/kiwiirc/KiwiIRC/kiwi`     |
|                    |                    | started by user kiwiirc                |
+--------------------+--------------------+----------------------------------------+
| nginx              | Reverse proxy for  | init script                            |
|                    | kiwiirc            | :file:`/etc/init.d/nginx`              |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
209
Security
========

.. sshkeys::
   :RSA: SHA256:MMH85BKVW7SUe7yyWjldjlggQD7dtXRuzO1XjZf0ZWc MD5:dc:8f:c3:d7:38:72:39:13:6f:97:db:3d:06:c6:83:db
   :DSA: SHA256:c0pnKaB313x5rw6PRRh/iMJdfNECw0ruHnU9lkTJZbw MD5:52:73:d9:76:38:df:bd:18:37:4a:e3:9d:65:14:ac:39
   :ECDSA: SHA256:uI+JjNUlGytuMVouJmhzdHt80jfA+SRYkWr5OORpT5Y MD5:61:9f:ca:c7:05:0e:46:a1:8f:6d:7f:3a:68:ce:5a:21
   :ED25519: SHA256:aNRLwh0FVQyKq2IWO5JXyFubzwpMqxyWrSymdLgDYBw MD5:79:2a:a2:ca:99:23:50:2c:1c:48:cf:8c:fe:b9:51:e5
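
The SSHFP rows in the DNS table and the ``SHA256:`` fingerprints listed above are hashes of the same host key blob, only encoded differently (hex in DNS, unpadded base64 in ``ssh-keygen -l`` output), so the pending SSHFP records can be derived from the host's public key files and cross-checked against this page. The following Python is an added example, not code from this page or from the CAcert tooling; the Ed25519 key inside it is a constructed sample, not the real host key. On the host itself ``ssh-keygen -r irc.cacert.org -f /etc/ssh/ssh_host_ed25519_key.pub`` prints the same records.

```python
import base64
import hashlib

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, 6594, 7479)
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}

def parse_pubkey_line(line):
    """Split an OpenSSH public key line into (key type, raw key blob)."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob repeats the key type as a length-prefixed string; refuse a
    # line whose text field and blob disagree rather than hashing it blindly.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match text field")
    return keytype, blob

def sshfp_record(owner, line, fptype="sha256"):
    """Build one SSHFP record in the form used by the DNS table above."""
    keytype, blob = parse_pubkey_line(line)
    digest = hashlib.new(fptype, blob).hexdigest().upper()
    return "%s IN SSHFP %d %d %s" % (owner, SSHFP_ALGORITHM[keytype],
                                    SSHFP_FPTYPE[fptype], digest)

def keygen_fingerprint(line):
    """SHA256:... as printed by ssh-keygen -l: same digest, base64 without padding."""
    _, blob = parse_pubkey_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_matches_record(fp, record):
    """True when a SHA256: fingerprint and a type-2 SSHFP record carry one digest."""
    raw = base64.b64decode(fp[len("SHA256:"):] + "=")
    return raw.hex().upper() == record.split()[-1].upper()

def record_matches_key(record, line):
    """Check a published record against a key line, as VerifyHostKeyDNS does."""
    alg, fptype, fp = record.split()[-3:]
    keytype, blob = parse_pubkey_line(line)
    hashname = {"1": "sha1", "2": "sha256"}.get(fptype)
    if hashname is None or str(SSHFP_ALGORITHM.get(keytype)) != alg:
        return False
    return hashlib.new(hashname, blob).hexdigest().lower() == fp.lower()

def constructed_ed25519_line():
    """Constructed sample (NOT the real host key): length-prefixed type and 32-byte point."""
    keytype, point = b"ssh-ed25519", bytes(range(32))
    blob = len(keytype).to_bytes(4, "big") + keytype + len(point).to_bytes(4, "big") + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@example"
```

The current table only carries SHA-1 (type 1) records for RSA and DSA; ``sshfp_record`` defaults to SHA-256 (type 2), which is what new records should use.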
218
Dedicated user roles
--------------------

+---------+-------------------------------------+
| User    | Purpose                             |
+=========+=====================================+
| votebot | used to run the votebot             |
+---------+-------------------------------------+
| kiwiirc | used to run the Kiwi IRC web client |
+---------+-------------------------------------+
229
Non-distribution packages and modifications
-------------------------------------------

Votebot
~~~~~~~

The :ref:`Votebot <votebot>` is a custom-developed IRC daemon that is packaged
as a self-contained Java jar archive. The bot is started manually as described
below. For improved maintainability it should be packaged and provided with a
start mechanism that is better integrated with the system.

.. _votebot:

.. topic:: Votebot

   The vote bot is a Java based IRC bot developed at
   https://github.com/CAcertOrg/cacert-votebot. The bot is started manually by
   running

   .. code-block:: bash

      java -DvoteBot.meetingChn=SGM -cp VoteBot.jar \
          de.dogcraft.irc.CAcertVoteBot -u -h 10.0.0.14 -p 6667 --nick VoteBot

.. todo:: use a CAcert git repository for votebot

.. todo:: package votebot for Debian

.. todo:: provide a proper init script and/or systemd unit for votebot
259
260
Kiwi IRC
~~~~~~~~

Kiwi IRC is a nodejs based IRC web client. The software has been installed via
`Github <https://github.com/prawnsalad/KiwiIRC.git>`_ and npm as described in
https://kiwiirc.com/docs/installing and
https://kiwiirc.com/docs/installing/proxies. The software is running on the
local loopback interface and Internet access is provided by an nginx reverse
proxy that also provides https connectivity. NodeJS and npm have been installed
from Debian packages.

Risk assessments on critical packages
-------------------------------------

Votebot is a Java based application and therefore Java security patches should
be applied as soon as they become available.

Kiwi IRC is nodejs based and uses some third party npm packages. The
application is kept behind a reverse proxy but it is advisable to make sure
that available updates are applied.

.. todo:: implement some update monitoring for Kiwi IRC
283
284
Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: irc.cacert.org
   :altnames: DNS:irc.cacert.org, DNS:ircserver.cacert.org
   :certfile: /etc/ssl/public/irc.cacert.org.crt
   :keyfile: /etc/ssl/private/irc.cacert.org.key
   :serial: 1381E8
   :expiration: Mar 16 09:35:36 2020 GMT
   :sha1fp: 42:F6:7C:4E:0C:AC:8A:42:7D:9A:94:55:7E:73:7E:E9:40:5C:87:91
   :issuer: CA Cert Signing Authority


.. index::
   pair: inspircd; configuration

inspircd configuration
----------------------

Inspircd is installed from a Debian package. It is configured via files in
:file:`/etc/inspircd/`. The main configuration file is :file:`inspircd.conf`.

.. index::
   pair: atheme-services; configuration

atheme-services configuration
-----------------------------

Atheme-services is installed from a Debian package. It is configured via
:file:`/etc/atheme/atheme.conf`.

Kiwi IRC configuration
----------------------

Kiwi IRC configuration is kept in :file:`/home/kiwiirc/KiwiIRC/config.js`. When
the configuration is changed it can be applied by running the following as the
``kiwiirc`` user:

.. code-block:: bash

   sudo -s -u kiwiirc
   cd /home/kiwiirc/KiwiIRC
   ./kiwi reconfig

nginx configuration
-------------------

The nginx configuration for reverse proxying Kiwi IRC is stored in
:file:`/etc/nginx/sites-available/default`. The same certificate and private
key are used for inspircd and nginx.
337
338
Tasks
=====

Planned
-------

- setup IPv6
- setup DNS records

Changes
=======

System Future
-------------

- replace :doc:`irc` by this system

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`
   * :wiki:`Technology/TechnicalSupport/EndUserSupport/IRC`

References
----------

Atheme services website
   https://atheme.github.io/atheme.html

Inspircd wiki
   https://wiki.inspircd.org/

Kiwi IRC documentation
   https://kiwiirc.com/docs/

nginx documentation
   http://nginx.org/en/docs/