73bc66de07aaa68798d6eacef348b5d7ebff0be4
[cacert-infradocs.git] / docs / systems / ircserver.rst
.. index::
   single: Systems; Ircserver

=========
Ircserver
=========

Purpose
=======

This system provides the CAcert IRC service for private communications,
allowing usage of CAcert-secured, TLS (SSL) encrypted IRC traffic for our
everyday chat, meetings, and general support.

Application Links
-----------------

https://irc.cacert.org/
   HTTPS secured Web based IRC access

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+--------------+---------------------+
| Application  | Administrator(s)    |
+==============+=====================+
| IRC server   | :ref:`people_jandd` |
+--------------+---------------------+
| IRC services | :ref:`people_jandd` |
+--------------+---------------------+
| Votebot      | :ref:`people_jandd` |
+--------------+---------------------+

Contact
-------

* irc-admin@cacert.org

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.233`
:IP Intranet: :ip:v4:`172.16.2.14`
:IP Internal: :ip:v4:`10.0.0.130`
:IPv6: :ip:v6:`2001:7b8:616:162:2::14`
:MAC address: :mac:`00:ff:9a:79:ca:b1` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Ircserver
   single: DNS records; Irc

=========================== ======== ====================================================================
Name                        Type     Content
=========================== ======== ====================================================================
irc.cacert.org.             IN A     213.154.225.233
irc.cacert.org.             IN AAAA  2001:7b8:616:162:2::14
irc.cacert.org.             IN SSHFP 1 1 39b6c81b9fe76bd3c112f891ad3198f7a6102f4c
irc.cacert.org.             IN SSHFP 1 2 30c1fce412955bb4947bbcb25a395d8e5820403eddb5746ecced578d97f46567
irc.cacert.org.             IN SSHFP 2 1 90fcff63476f93d5e4f5d634ba1407445323d3fe
irc.cacert.org.             IN SSHFP 2 2 734a6729a077d77c79af0e8f45187f88c25d7cd102c34aee1e753d9644c965bc
irc.cacert.org.             IN SSHFP 3 1 5b9191613e743082fd4aa64e1f3a4601ed77f366
irc.cacert.org.             IN SSHFP 3 2 b88f898cd5251b2b6e315a2e266873747b7cd237c0f92458916af938e4694f96
irc.cacert.org.             IN SSHFP 4 1 866a42ee920b7f38a86ca9f3b07af808aae9768c
irc.cacert.org.             IN SSHFP 4 2 68d44bc21d05550c8aab62163b9257c85b9bcf0a4cab1c96ad2ca674b803601c
ircserver.intra.cacert.org. IN A     172.16.2.14
=========================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+--------------+---------+----------------------------+
| Port     | Service      | Origin  | Purpose                    |
+==========+==============+=========+============================+
| 22/tcp   | ssh          | ANY     | admin console access       |
+----------+--------------+---------+----------------------------+
| 25/tcp   | smtp         | local   | mail delivery to local MTA |
+----------+--------------+---------+----------------------------+
| 80/tcp   | http         | ANY     | redirect to https          |
+----------+--------------+---------+----------------------------+
| 443/tcp  | https        | ANY     | reverse proxy for kiwiirc  |
+----------+--------------+---------+----------------------------+
| 5666/tcp | nrpe         | monitor | remote monitoring service  |
+----------+--------------+---------+----------------------------+
| 6667/tcp | ircd         | ANY     | IRC                        |
+----------+--------------+---------+----------------------------+
| 7000/tcp | ircd         | ANY     | IRC (SSL)                  |
+----------+--------------+---------+----------------------------+
| 7001/tcp | ircd         | local   | IRC (services)             |
+----------+--------------+---------+----------------------------+
| 7778/tcp | kiwiirc      | local   | kiwiirc process            |
+----------+--------------+---------+----------------------------+
| 8080/tcp | irc-services | ANY     | IRC services               |
+----------+--------------+---------+----------------------------+

inspircd additionally opens a UDP socket on a random port, which its built-in
DNS resolver uses for outgoing queries; it is not a listening service.
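
The table above is only useful if the host still matches it. The following
script is an added example (not part of the CAcert Puppet code or of this
documentation's tooling) that audits the output of ``ss -ltn`` against the
documented ports: it reports sockets that are not in the table, services
documented as ``local`` that are bound to a non-loopback address, and
documented ports with no socket. The expected ports are taken from the table;
the ``ss`` output below is a constructed sample with three deliberate
deviations, and the function names are assumptions made for the example.

```python
"""Audit the listening TCP sockets of the IRC host against the documented table.

Added example, not part of the CAcert infrastructure code.  EXPECTED_LISTENERS
is copied from the "Listening services" table; SAMPLE_SS_OUTPUT is constructed
for the example and the real host will look different.
"""
import re

# Port -> origin as documented.  "local" means the socket must be bound to a
# loopback address; the other origins are enforced by firewalling on infra02,
# so for them the audit only checks that the port is present.
EXPECTED_LISTENERS = {
    22: "ANY", 25: "local", 80: "ANY", 443: "ANY", 5666: "monitor",
    6667: "ANY", 7000: "ANY", 7001: "local", 7778: "local", 8080: "ANY",
}

# Constructed sample of `ss -ltn` output with three deliberate deviations from
# the table: 7001 is missing, 7778 is bound to all interfaces, 3306 is not
# documented at all.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      128    [::]:22             [::]:*
LISTEN  0      20     127.0.0.1:25        0.0.0.0:*
LISTEN  0      128    0.0.0.0:80          0.0.0.0:*
LISTEN  0      128    0.0.0.0:443         0.0.0.0:*
LISTEN  0      5      0.0.0.0:5666        0.0.0.0:*
LISTEN  0      128    0.0.0.0:6667        0.0.0.0:*
LISTEN  0      128    [::]:6667           [::]:*
LISTEN  0      128    0.0.0.0:7000        0.0.0.0:*
LISTEN  0      128    0.0.0.0:7778        0.0.0.0:*
LISTEN  0      128    [::]:8080           [::]:*
LISTEN  0      80     0.0.0.0:3306        0.0.0.0:*
"""

# Addresses that count as loopback: 127.0.0.0/8 and ::1 (ss prints IPv6 in
# brackets).
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|\[::1\])$")


def parse_ss(output):
    """Yield (address, port) for every LISTEN line of `ss -ltn` output.

    Column 4 is "Local Address:Port"; rpartition on the last colon keeps
    bracketed IPv6 addresses such as "[::]" intact.
    """
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        yield addr, int(port)


def audit_listeners(output, expected=EXPECTED_LISTENERS):
    """Return sorted findings as (kind, port, address) tuples.

    kind is "UNEXPECTED" (port not documented), "EXPOSED" (a "local" service
    bound to a non-loopback address) or "MISSING" (documented port without a
    socket, address None).  An empty list means the host matches the table.
    """
    findings = []
    seen = set()
    for addr, port in parse_ss(output):
        seen.add(port)
        origin = expected.get(port)
        if origin is None:
            findings.append(("UNEXPECTED", port, addr))
        elif origin == "local" and not LOOPBACK.match(addr):
            findings.append(("EXPOSED", port, addr))
    for port in expected:
        if port not in seen:
            findings.append(("MISSING", port, None))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


if __name__ == "__main__":
    # On the host itself, feed the live output instead of the sample:
    #   audit_listeners(subprocess.check_output(["ss", "-ltn"], text=True))
    for kind, port, addr in audit_listeners(SAMPLE_SS_OUTPUT):
        print(kind, port, addr or "")
```

Run on the sample, the audit reports ``EXPOSED 7778 0.0.0.0``, ``MISSING
7001`` and ``UNEXPECTED 3306 0.0.0.0``. The ``EXPOSED`` case is the one that
matters most on this host: Kiwi IRC and the services link on 7001 are only
safe because they are bound to loopback, and nothing in the table (or in the
firewall rules on :doc:`infra02`) would catch a rebind to ``0.0.0.0``.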
144
145 The following port forwarding is setup on :doc:`infra02`
146
147 +-------------+-------+-----------------+
148 | Intranet IP | Port | Target |
149 +=============+=======+=================+
150 | 172.16.2.14 | 13022 | 10.0.0.130:22 |
151 +-------------+-------+-----------------+
152 | 172.16.2.14 | 13080 | 10.0.0.130:80 |
153 +-------------+-------+-----------------+
154 | 172.16.2.14 | 13443 | 10.0.0.130:443 |
155 +-------------+-------+-----------------+
156 | 172.16.2.14 | 13667 | 10.0.0.130:6667 |
157 +-------------+-------+-----------------+
158 | 172.16.2.14 | 13700 | 10.0.0.130:7000 |
159 +-------------+-------+-----------------+
160
Running services
----------------

.. index::
   single: atheme-services
   single: cron
   single: exim
   single: inspircd
   single: kiwiirc
   single: nginx
   single: nrpe
   single: openssh
   single: puppet agent
   single: rsyslog
   single: votebot

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| atheme-services    | IRC services       | init script                            |
|                    |                    | :file:`/etc/init.d/atheme-services`    |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| inspircd           | IRC daemon         | init script                            |
|                    |                    | :file:`/etc/init.d/inspircd`           |
+--------------------+--------------------+----------------------------------------+
| kiwiirc            | IRC web client     | start script                           |
|                    |                    | :file:`/home/kiwiirc/KiwiIRC/kiwi`     |
|                    |                    | started by user kiwiirc                |
+--------------------+--------------------+----------------------------------------+
| nginx              | Reverse proxy for  | init script                            |
|                    | kiwiirc            | :file:`/etc/init.d/nginx`              |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | configuration      | init script                            |
|                    | management agent   | :file:`/etc/init.d/puppet`             |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/rsyslog`            |
+--------------------+--------------------+----------------------------------------+
| votebot            | CAcert vote bot    | init script (spring-boot)              |
|                    |                    | :file:`/etc/init.d/cacert-votebot`     |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT

Security
========

.. sshkeys::
   :RSA: SHA256:MMH85BKVW7SUe7yyWjldjlggQD7dtXRuzO1XjZf0ZWc MD5:dc:8f:c3:d7:38:72:39:13:6f:97:db:3d:06:c6:83:db
   :DSA: SHA256:c0pnKaB313x5rw6PRRh/iMJdfNECw0ruHnU9lkTJZbw MD5:52:73:d9:76:38:df:bd:18:37:4a:e3:9d:65:14:ac:39
   :ECDSA: SHA256:uI+JjNUlGytuMVouJmhzdHt80jfA+SRYkWr5OORpT5Y MD5:61:9f:ca:c7:05:0e:46:a1:8f:6d:7f:3a:68:ce:5a:21
   :ED25519: SHA256:aNRLwh0FVQyKq2IWO5JXyFubzwpMqxyWrSymdLgDYBw MD5:79:2a:a2:ca:99:23:50:2c:1c:48:cf:8c:fe:b9:51:e5
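
The SSHFP records in the DNS table and the host key fingerprints above describe
the same keys in two encodings: OpenSSH prints the SHA-256 digest as unpadded
base64, an SSHFP type 2 record carries it as hex. The following script is an
added example (not part of the CAcert infrastructure code) that cross-checks
the two, so that a stale record after a host key rotation, or a record altered
in DNS, shows up as a mismatch. The record and fingerprint values are copied
from this page; the function names and the tampered record in the usage
example are assumptions made for the illustration.

```python
"""Cross-check the published SSHFP records against the documented host key
fingerprints of irc.cacert.org.

Added example, not part of the CAcert infrastructure code.  SSHFP_RECORDS and
HOST_KEY_FINGERPRINTS are copied from this page; everything else is
illustration.
"""
import base64
import re

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and the fingerprint
# type that carries a SHA-256 digest.  Type 1 (SHA-1) records are ignored:
# OpenSSH prefers the SHA-256 records and SHA-1 adds nothing to the check.
SSHFP_ALGO = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}
SHA256_TYPE = 2

# SSHFP records as published in DNS (copied from the DNS table).
SSHFP_RECORDS = """\
irc.cacert.org. IN SSHFP 1 1 39b6c81b9fe76bd3c112f891ad3198f7a6102f4c
irc.cacert.org. IN SSHFP 1 2 30c1fce412955bb4947bbcb25a395d8e5820403eddb5746ecced578d97f46567
irc.cacert.org. IN SSHFP 2 1 90fcff63476f93d5e4f5d634ba1407445323d3fe
irc.cacert.org. IN SSHFP 2 2 734a6729a077d77c79af0e8f45187f88c25d7cd102c34aee1e753d9644c965bc
irc.cacert.org. IN SSHFP 3 1 5b9191613e743082fd4aa64e1f3a4601ed77f366
irc.cacert.org. IN SSHFP 3 2 b88f898cd5251b2b6e315a2e266873747b7cd237c0f92458916af938e4694f96
irc.cacert.org. IN SSHFP 4 1 866a42ee920b7f38a86ca9f3b07af808aae9768c
irc.cacert.org. IN SSHFP 4 2 68d44bc21d05550c8aab62163b9257c85b9bcf0a4cab1c96ad2ca674b803601c
"""

# Host key fingerprints in `ssh-keygen -l -E sha256` notation (copied from the
# sshkeys block above).
HOST_KEY_FINGERPRINTS = {
    "RSA": "SHA256:MMH85BKVW7SUe7yyWjldjlggQD7dtXRuzO1XjZf0ZWc",
    "DSA": "SHA256:c0pnKaB313x5rw6PRRh/iMJdfNECw0ruHnU9lkTJZbw",
    "ECDSA": "SHA256:uI+JjNUlGytuMVouJmhzdHt80jfA+SRYkWr5OORpT5Y",
    "ED25519": "SHA256:aNRLwh0FVQyKq2IWO5JXyFubzwpMqxyWrSymdLgDYBw",
}

SSHFP_LINE = re.compile(r"^(\S+)\s+IN\s+SSHFP\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)$")


def fingerprint_to_sshfp(fingerprint):
    """Convert an OpenSSH 'SHA256:<unpadded base64>' fingerprint into the
    lowercase hex digest that an SSHFP type 2 record carries."""
    label, _, b64 = fingerprint.partition(":")
    if label != "SHA256":
        raise ValueError("only SHA256 fingerprints map to SSHFP type 2: %r" % fingerprint)
    # OpenSSH strips the base64 padding; restore it before decoding.
    digest = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(digest) != 32:
        raise ValueError("SHA-256 digest must be 32 bytes, got %d" % len(digest))
    return digest.hex()


def parse_sshfp(zone_text):
    """Return {(owner, algorithm, fptype): hexdigest} for every SSHFP line."""
    records = {}
    for line in zone_text.splitlines():
        if not line.strip():
            continue
        match = SSHFP_LINE.match(line.strip())
        if match is None:
            raise ValueError("not an SSHFP record: %r" % line)
        owner, algo, fptype, digest = match.groups()
        records[(owner, int(algo), int(fptype))] = digest.lower()
    return records


def check_sshfp(zone_text, fingerprints, owner="irc.cacert.org."):
    """Compare the SHA-256 SSHFP records of `owner` with the documented host
    key fingerprints.  Returns {key type: "ok" | "mismatch" | "missing"}."""
    records = parse_sshfp(zone_text)
    result = {}
    for algo, name in SSHFP_ALGO.items():
        if name not in fingerprints:
            continue
        published = records.get((owner, algo, SHA256_TYPE))
        if published is None:
            result[name] = "missing"
        elif published == fingerprint_to_sshfp(fingerprints[name]):
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result


if __name__ == "__main__":
    print(check_sshfp(SSHFP_RECORDS, HOST_KEY_FINGERPRINTS))
    # Constructed case: a record altered in DNS is reported as a mismatch.
    tampered = SSHFP_RECORDS.replace("68d44bc21d05550c", "00d44bc21d05550c")
    print(check_sshfp(tampered, HOST_KEY_FINGERPRINTS)["ED25519"])
```

All four documented keys match their type 2 records. Two caveats when relying
on these records: ``ssh-keygen -r irc.cacert.org`` run on the host regenerates
the records from the installed host keys and must be rerun whenever a key is
rotated, and an ssh client with ``VerifyHostKeyDNS yes`` only treats a
matching SSHFP record as authoritative when the DNS answer was DNSSEC
validated; without that it merely prints a hint and still prompts.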

Dedicated user roles
--------------------

+---------+-------------------------------------+
| User    | Purpose                             |
+=========+=====================================+
| votebot | used to run the votebot             |
+---------+-------------------------------------+
| kiwiirc | used to run the Kiwi IRC web client |
+---------+-------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

Votebot
~~~~~~~

The :ref:`Votebot <votebot>` is a custom developed IRC bot that is packaged as
a self contained executable Spring-Boot jar archive. The bot is started via
init.

.. _votebot:

.. topic:: Votebot

   The vote bot is a Java based IRC bot developed at
   https://git.cacert.org/gitweb/?p=cacert-votebot.git and built at
   https://jenkins.cacert.org/job/cacert-votebot/. The bot is started
   automatically via its init script.

Kiwi IRC
~~~~~~~~

Kiwi IRC is a nodejs based IRC web client. The software has been installed from
`GitHub <https://github.com/prawnsalad/KiwiIRC.git>`_ and npm as described in
https://kiwiirc.com/docs/installing and
https://kiwiirc.com/docs/installing/proxies. The software listens on the local
loopback interface only; Internet access is provided by an nginx reverse proxy
that also terminates https. NodeJS and npm have been installed from Debian
packages.

.. todo:: setup init script for kiwiirc

Risk assessments on critical packages
-------------------------------------

Votebot is a Java based application, so Java security patches should be applied
as soon as they become available. Because the Spring-Boot jar bundles its
library dependencies, a vulnerable library inside the jar is not fixed by an
APT update of the Java runtime; it requires a rebuild on Jenkins and a
redeployment of the jar.

Kiwi IRC is nodejs based and uses some third party npm packages. The nginx
reverse proxy terminates TLS but forwards every request to the Kiwi IRC
process, so it does not shield the client from attacks on those packages;
available updates for Kiwi IRC and its npm dependencies need to be applied.

.. todo:: implement some update monitoring for Kiwi IRC

The remaining software consists of Debian packages with a good security track
record and regular updates. The services reachable from the Internet are the
IRC daemon (6667/tcp and 7000/tcp), the IRC services port (8080/tcp), the web
client behind nginx (80/tcp and 443/tcp) and ssh; NRPE is only reachable from
:doc:`monitor`, and all other services are bound to the loopback interface.
The puppet agent only makes outbound connections to :doc:`puppet` and is not
exposed for access from outside the system.

Critical Configuration items
============================

The system configuration is intended to be managed via Puppet profiles, with no
configuration items outside of the Puppet repository. The items listed below
are not yet covered by Puppet code.

.. todo:: move configuration of :doc:`ircserver` to Puppet code

Keys and X.509 certificates
---------------------------

.. sslcert:: irc.cacert.org
   :altnames: DNS:irc.cacert.org, DNS:ircserver.cacert.org
   :certfile: /etc/ssl/public/irc.cacert.org.crt
   :keyfile: /etc/ssl/private/irc.cacert.org.key
   :serial: 1381E8
   :expiration: Mar 16 09:35:36 2020 GMT
   :sha1fp: 42:F6:7C:4E:0C:AC:8A:42:7D:9A:94:55:7E:73:7E:E9:40:5C:87:91
   :issuer: CA Cert Signing Authority

.. index::
   pair: inspircd; configuration

inspircd configuration
----------------------

Inspircd is installed from a Debian package. It is configured via files in
:file:`/etc/inspircd/`. The main configuration file is :file:`inspircd.conf`.

.. index::
   pair: atheme-services; configuration

atheme-services configuration
-----------------------------

Atheme-services is installed from a Debian package. It is configured via
:file:`/etc/atheme/atheme.conf`.

.. index::
   pair: Kiwi IRC; configuration

Kiwi IRC configuration
----------------------

Kiwi IRC configuration is kept in :file:`/home/kiwiirc/KiwiIRC/config.js`. When
the configuration is changed it can be applied as the ``kiwiirc`` user (the
dedicated user listed above) by running:

.. code-block:: bash

   # open a shell as the dedicated kiwiirc user
   sudo -s -u kiwiirc
   cd ~/KiwiIRC
   # reload config.js without restarting the running process
   ./kiwi reconfig

nginx configuration
-------------------

The nginx configuration for reverse proxying Kiwi IRC is stored in
:file:`/etc/nginx/sites-available/default`. The same certificate and private
key are used for inspircd and nginx, so both services must be reloaded after
the certificate is renewed.

votebot configuration
---------------------

Votebot is configured via spring-boot mechanisms. The current configuration file
is :file:`/home/votebot/cacert-votebot-0.1.0-SNAPSHOT.conf` and configures
Votebot to connect to localhost as VoteBot. The bot uses the channels #agm and
#vote. The channels can be changed in an :file:`application.properties` file in
:file:`/home/votebot`. The available property names can be found in the `git
repository`_.

.. _git repository: https://git.cacert.org/gitweb/?p=cacert-votebot.git;a=blob;f=src/main/resources/application.properties

Tasks
=====

Planned
-------

- None

Changes
=======

- Nothing planned

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`
   * :wiki:`Technology/TechnicalSupport/EndUserSupport/IRC`

References
----------

Atheme services website
   https://atheme.github.io/atheme.html

Inspircd wiki
   https://wiki.inspircd.org/

Kiwi IRC documentation
   https://kiwiirc.com/docs/

nginx documentation
   http://nginx.org/en/docs/