.. index::
   single: Systems; Ircserver

=========
Ircserver
=========

Purpose
=======

This system is the planned replacement for :doc:`irc`.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+--------------+---------------------+
| Application  | Administrator(s)    |
+==============+=====================+
| IRC server   | :ref:`people_jandd` |
+--------------+---------------------+
| IRC services | :ref:`people_jandd` |
+--------------+---------------------+
| Votebot      | :ref:`people_jandd` |
+--------------+---------------------+

Contact
-------

* irc-admin@cacert.org

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.233`
:IP Intranet: :ip:v4:`172.16.2.24`
:IP Internal: :ip:v4:`10.0.0.130`
:IPv6: :ip:v6:`2001:7b8:616:162:2::14`
:MAC address: :mac:`00:ff:9a:79:ca:b1` (eth0)

.. todo:: set up IPv6

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Ircserver
   single: DNS records; Irc

======================= ======== ==========================================
Name                    Type     Content
======================= ======== ==========================================
irc.cacert.org.         IN A     213.154.225.233
irc.cacert.org.         IN SSHFP 1 1 C123F73001682277DE5346923518D17CC94E298E
irc.cacert.org.         IN SSHFP 2 1 B85941C077732F78BE290B8F0B44B0A5E8A0E51D
irc.intra.cacert.org.   IN A     172.16.2.14
======================= ======== ==========================================

.. todo:: set up new SSHFP records

.. todo:: set up IPv6 AAAA records

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+--------------+---------+----------------------------+
| Port     | Service      | Origin  | Purpose                    |
+==========+==============+=========+============================+
| 22/tcp   | ssh          | ANY     | admin console access       |
+----------+--------------+---------+----------------------------+
| 25/tcp   | smtp         | local   | mail delivery to local MTA |
+----------+--------------+---------+----------------------------+
| 80/tcp   | http         | ANY     | redirect to https          |
+----------+--------------+---------+----------------------------+
| 443/tcp  | https        | ANY     | reverse proxy for kiwiirc  |
+----------+--------------+---------+----------------------------+
| 5666/tcp | nrpe         | monitor | remote monitoring service  |
+----------+--------------+---------+----------------------------+
| 6667/tcp | ircd         | ANY     | IRC                        |
+----------+--------------+---------+----------------------------+
| 7000/tcp | ircd         | ANY     | IRC (SSL)                  |
+----------+--------------+---------+----------------------------+
| 7001/tcp | ircd         | local   | IRC (services)             |
+----------+--------------+---------+----------------------------+
| 7778/tcp | kiwiirc      | local   | kiwiirc process            |
+----------+--------------+---------+----------------------------+
| 8080/tcp | irc-services | ANY     | IRC services               |
+----------+--------------+---------+----------------------------+

The IRC daemon (inspircd) also opens a random UDP port.

The following port forwarding is set up on :doc:`infra02`:

+-------------+-------+-----------------+
| Intranet IP | Port  | Target          |
+=============+=======+=================+
| 172.16.2.14 | 13022 | 10.0.0.130:22   |
+-------------+-------+-----------------+
| 172.16.2.14 | 13080 | 10.0.0.130:80   |
+-------------+-------+-----------------+
| 172.16.2.14 | 13443 | 10.0.0.130:443  |
+-------------+-------+-----------------+
| 172.16.2.14 | 13667 | 10.0.0.130:6667 |
+-------------+-------+-----------------+
| 172.16.2.14 | 13700 | 10.0.0.130:7000 |
+-------------+-------+-----------------+

.. todo:: implement final forwarding to required ports from :doc:`infra02`

.. todo:: allow forwarding of IPv6 ports

Running services
----------------

.. index::
   single: cron
   single: exim
   single: nrpe
   single: openssh
   single: inspircd
   single: atheme-services
   single: votebot

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| inspircd           | IRC daemon         | init script                            |
|                    |                    | :file:`/etc/init.d/inspircd`           |
+--------------------+--------------------+----------------------------------------+
| atheme-services    | IRC services       | init script                            |
|                    |                    | :file:`/etc/init.d/atheme-services`    |
+--------------------+--------------------+----------------------------------------+
| kiwiirc            | IRC web client     | start script                           |
|                    |                    | :file:`/home/kiwiirc/KiwiIRC/kiwi`     |
|                    |                    | started by user kiwiirc                |
+--------------------+--------------------+----------------------------------------+
| nginx              | Reverse proxy for  | init script                            |
|                    | kiwiirc            | :file:`/etc/init.d/nginx`              |
+--------------------+--------------------+----------------------------------------+
| votebot            | CAcert vote bot    | init script (spring-boot)              |
|                    |                    | :file:`/etc/init.d/cacert-votebot`     |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT

Security
========

.. sshkeys::
   :RSA: SHA256:MMH85BKVW7SUe7yyWjldjlggQD7dtXRuzO1XjZf0ZWc MD5:dc:8f:c3:d7:38:72:39:13:6f:97:db:3d:06:c6:83:db
   :DSA: SHA256:c0pnKaB313x5rw6PRRh/iMJdfNECw0ruHnU9lkTJZbw MD5:52:73:d9:76:38:df:bd:18:37:4a:e3:9d:65:14:ac:39
   :ECDSA: SHA256:uI+JjNUlGytuMVouJmhzdHt80jfA+SRYkWr5OORpT5Y MD5:61:9f:ca:c7:05:0e:46:a1:8f:6d:7f:3a:68:ce:5a:21
   :ED25519: SHA256:aNRLwh0FVQyKq2IWO5JXyFubzwpMqxyWrSymdLgDYBw MD5:79:2a:a2:ca:99:23:50:2c:1c:48:cf:8c:fe:b9:51:e5
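
The DNS section above publishes SSHFP records only for the RSA and DSA keys with SHA-1 fingerprints and has a todo to set up new ones, while the host-key list here uses the SHA256 form that ssh-keygen prints. As an added example (not code from the infradocs repository), the following derives both forms from an OpenSSH public-key line and checks a published record against a key; the key is constructed from fixed bytes, and the owner name irc.cacert.org. is taken from the DNS table.

```python
"""Derive SSHFP RDATA and ssh-keygen style fingerprints from an OpenSSH public key line.
Added example, not part of the CAcert infradocs; the key is constructed so it runs offline.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types (1 = SHA-1, 2 = SHA-256).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(pubkey_line: str) -> tuple:
    """Split 'type base64 [comment]' and return (type, decoded wire-format key blob)."""
    keytype, b64 = pubkey_line.split()[:2]
    return keytype, base64.b64decode(b64)


def sshfp_records(pubkey_line: str, owner: str = "irc.cacert.org.") -> list:
    """Zone-file SSHFP lines (SHA-1 and SHA-256 variants) for one host key."""
    keytype, blob = key_blob(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [f"{owner} IN SSHFP {alg} {fptype} {h(blob).hexdigest().upper()}"
            for fptype, h in SSHFP_FPTYPES.items()]


def openssh_sha256_fingerprint(pubkey_line: str) -> str:
    """Fingerprint as 'ssh-keygen -lf' prints it (unpadded base64), the form used above."""
    _, blob = key_blob(pubkey_line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def sshfp_matches_key(record: str, pubkey_line: str) -> bool:
    """Verify a published 'owner IN SSHFP alg fptype HEX' record against a key line."""
    alg, fptype, fp = record.split()[-3:]
    keytype, blob = key_blob(pubkey_line)
    digest = SSHFP_FPTYPES.get(int(fptype))
    if digest is None or SSHFP_ALGORITHMS.get(keytype) != int(alg):
        return False
    return digest(blob).hexdigest() == fp.lower()


def constructed_ed25519_pubkey() -> str:
    """A syntactically valid ssh-ed25519 line built from bytes 0..31 (constructed, not a real host key)."""
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```

On the real host the input would be the contents of the ``/etc/ssh/ssh_host_*_key.pub`` files (assumed paths), and the SHA256 output should match the sshkeys list above before the derived records are published.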

Dedicated user roles
--------------------

+---------+-------------------------------------+
| User    | Purpose                             |
+=========+=====================================+
| votebot | used to run the votebot             |
+---------+-------------------------------------+
| kiwiirc | used to run the Kiwi IRC web client |
+---------+-------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

Votebot
~~~~~~~

The :ref:`Votebot <votebot>` is a custom-developed IRC daemon that is packaged
as a self-contained executable Spring Boot jar archive. The bot is started via
init.

.. _votebot:

.. topic:: Votebot

   The vote bot is a Java-based IRC bot developed at
   https://git.cacert.org/gitweb/?p=cacert-votebot.git and built at
   https://jenkins.cacert.org/job/cacert-votebot/. The bot is started
   automatically via its init script.

Kiwi IRC
~~~~~~~~

Kiwi IRC is a Node.js-based IRC web client. The software has been installed via
`GitHub <https://github.com/prawnsalad/KiwiIRC.git>`_ and npm as described in
https://kiwiirc.com/docs/installing and
https://kiwiirc.com/docs/installing/proxies. The software listens only on the
local loopback interface; Internet access is provided by an nginx reverse
proxy that also terminates https. Node.js and npm have been installed
from Debian packages.

Risk assessments on critical packages
-------------------------------------

Votebot is a Java-based application, so Java security patches should
be applied as soon as they become available.

Kiwi IRC is Node.js-based and uses some third-party npm packages. The
application is kept behind a reverse proxy, but it is advisable to make sure
that available updates are applied.

.. todo:: implement some update monitoring for Kiwi IRC


Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`ircserver` to Puppet code

Keys and X.509 certificates
---------------------------

.. sslcert:: irc.cacert.org
   :altnames: DNS:irc.cacert.org, DNS:ircserver.cacert.org
   :certfile: /etc/ssl/public/irc.cacert.org.crt
   :keyfile: /etc/ssl/private/irc.cacert.org.key
   :serial: 1381E8
   :expiration: Mar 16 09:35:36 2020 GMT
   :sha1fp: 42:F6:7C:4E:0C:AC:8A:42:7D:9A:94:55:7E:73:7E:E9:40:5C:87:91
   :issuer: CA Cert Signing Authority

.. index::
   pair: inspircd; configuration

inspircd configuration
----------------------

Inspircd is installed from a Debian package. It is configured via files in
:file:`/etc/inspircd/`. The main configuration file is :file:`inspircd.conf`.

.. index::
   pair: atheme-services; configuration

atheme-services configuration
-----------------------------

Atheme-services is installed from a Debian package. It is configured via
:file:`/etc/atheme/atheme.conf`.

.. index::
   pair: Kiwi IRC; configuration

Kiwi IRC configuration
----------------------

Kiwi IRC configuration is kept in :file:`/home/kiwiirc/KiwiIRC/config.js`. When
the configuration is changed it can be applied by running:

.. code-block:: bash

   # open a shell as the dedicated kiwiirc user that runs the web client
   sudo -s -u kiwiirc
   cd ~/KiwiIRC
   # ask the running Kiwi IRC process to reload config.js
   ./kiwi reconfig

nginx configuration
-------------------

The nginx configuration for reverse proxying Kiwi IRC is stored in
:file:`/etc/nginx/sites-available/default`. The same certificate and private
key are used for inspircd and nginx.

votebot configuration
---------------------

Votebot is configured via Spring Boot mechanisms. The current configuration file
is :file:`/home/votebot/cacert-votebot-0.1.0-SNAPSHOT.conf` and configures
Votebot to connect to localhost as VoteBot. The bot uses the channels #agm and
#vote. Channels could be changed in an :file:`application.properties` file in
:file:`/home/votebot`. The available property names can be found in the `git
repository`_.

.. _git repository: https://git.cacert.org/gitweb/?p=cacert-votebot.git;a=blob;f=src/main/resources/application.properties

Tasks
=====

Planned
-------

- set up DNS records

Changes
=======

System Future
-------------

- replace :doc:`irc` by this system

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`
   * :wiki:`Technology/TechnicalSupport/EndUserSupport/IRC`

References
----------

Atheme services website
   https://atheme.github.io/atheme.html

Inspircd wiki
   https://wiki.inspircd.org/

Kiwi IRC documentation
   https://kiwiirc.com/docs/

nginx documentation
   http://nginx.org/en/docs/