Add web and webstatic to Puppet
[cacert-infradocs.git] / docs / systems / ircserver.rst
.. index::
   single: Systems; Ircserver

=========
Ircserver
=========

Purpose
=======

This system is the planned replacement for :doc:`irc`.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+--------------+---------------------+
| Application  | Administrator(s)    |
+==============+=====================+
| IRC server   | :ref:`people_jandd` |
+--------------+---------------------+
| IRC services | :ref:`people_jandd` |
+--------------+---------------------+
| Votebot      | :ref:`people_jandd` |
+--------------+---------------------+

Contact
-------

* irc-admin@cacert.org
41
Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.233`
:IP Intranet: :ip:v4:`172.16.2.24`
:IP Internal: :ip:v4:`10.0.0.130`
:IPv6: :ip:v6:`2001:7b8:616:162:2::14`
:MAC address: :mac:`00:ff:9a:79:ca:b1` (eth0)

.. todo:: set up IPv6

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Ircserver
   single: DNS records; Irc

======================= ======== ==========================================
Name                    Type     Content
======================= ======== ==========================================
irc.cacert.org.         IN A     213.154.225.233
irc.cacert.org.         IN SSHFP 1 1 C123F73001682277DE5346923518D17CC94E298E
irc.cacert.org.         IN SSHFP 2 1 B85941C077732F78BE290B8F0B44B0A5E8A0E51D
irc.intra.cacert.org.   IN A     172.16.2.14
======================= ======== ==========================================

.. todo:: set up new SSHFP records

.. todo:: set up IPv6 AAAA records

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)
102
Services
========

Listening services
------------------

+----------+--------------+---------+----------------------------+
| Port     | Service      | Origin  | Purpose                    |
+==========+==============+=========+============================+
| 22/tcp   | ssh          | ANY     | admin console access       |
+----------+--------------+---------+----------------------------+
| 25/tcp   | smtp         | local   | mail delivery to local MTA |
+----------+--------------+---------+----------------------------+
| 80/tcp   | http         | ANY     | redirect to https          |
+----------+--------------+---------+----------------------------+
| 443/tcp  | https        | ANY     | reverse proxy for kiwiirc  |
+----------+--------------+---------+----------------------------+
| 5666/tcp | nrpe         | monitor | remote monitoring service  |
+----------+--------------+---------+----------------------------+
| 6667/tcp | ircd         | ANY     | IRC                        |
+----------+--------------+---------+----------------------------+
| 7000/tcp | ircd         | ANY     | IRC (SSL)                  |
+----------+--------------+---------+----------------------------+
| 7001/tcp | ircd         | local   | IRC (services)             |
+----------+--------------+---------+----------------------------+
| 7778/tcp | kiwiirc      | local   | kiwiirc process            |
+----------+--------------+---------+----------------------------+
| 8080/tcp | irc-services | ANY     | IRC services               |
+----------+--------------+---------+----------------------------+

The IRC daemon opens a random UDP port.

The following port forwarding is set up on :doc:`infra02`:

+-------------+-------+-----------------+
| Intranet IP | Port  | Target          |
+=============+=======+=================+
| 172.16.2.14 | 13022 | 10.0.0.130:22   |
+-------------+-------+-----------------+
| 172.16.2.14 | 13080 | 10.0.0.130:80   |
+-------------+-------+-----------------+
| 172.16.2.14 | 13443 | 10.0.0.130:443  |
+-------------+-------+-----------------+
| 172.16.2.14 | 13667 | 10.0.0.130:6667 |
+-------------+-------+-----------------+
| 172.16.2.14 | 13700 | 10.0.0.130:7000 |
+-------------+-------+-----------------+

.. todo:: implement final forwarding to required ports from :doc:`infra02`

.. todo:: allow forwarding of IPv6 ports
153
Running services
----------------

.. index::
   single: atheme-services
   single: cron
   single: exim
   single: inspircd
   single: kiwiirc
   single: nginx
   single: nrpe
   single: openssh
   single: puppet agent
   single: rsyslog
   single: votebot

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| atheme-services    | IRC services       | init script                            |
|                    |                    | :file:`/etc/init.d/atheme-services`    |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| inspircd           | IRC daemon         | init script                            |
|                    |                    | :file:`/etc/init.d/inspircd`           |
+--------------------+--------------------+----------------------------------------+
| kiwiirc            | IRC web client     | start script                           |
|                    |                    | :file:`/home/kiwiirc/KiwiIRC/kiwi`     |
|                    |                    | started by user kiwiirc                |
+--------------------+--------------------+----------------------------------------+
| nginx              | Reverse proxy for  | init script                            |
|                    | kiwiirc            | :file:`/etc/init.d/nginx`              |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | configuration      | init script                            |
|                    | management agent   | :file:`/etc/init.d/puppet`             |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| votebot            | CAcert vote bot    | init script (spring-boot)              |
|                    |                    | :file:`/etc/init.d/cacert-votebot`     |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
222
Security
========

.. sshkeys::
   :RSA: SHA256:MMH85BKVW7SUe7yyWjldjlggQD7dtXRuzO1XjZf0ZWc MD5:dc:8f:c3:d7:38:72:39:13:6f:97:db:3d:06:c6:83:db
   :DSA: SHA256:c0pnKaB313x5rw6PRRh/iMJdfNECw0ruHnU9lkTJZbw MD5:52:73:d9:76:38:df:bd:18:37:4a:e3:9d:65:14:ac:39
   :ECDSA: SHA256:uI+JjNUlGytuMVouJmhzdHt80jfA+SRYkWr5OORpT5Y MD5:61:9f:ca:c7:05:0e:46:a1:8f:6d:7f:3a:68:ce:5a:21
   :ED25519: SHA256:aNRLwh0FVQyKq2IWO5JXyFubzwpMqxyWrSymdLgDYBw MD5:79:2a:a2:ca:99:23:50:2c:1c:48:cf:8c:fe:b9:51:e5

Dedicated user roles
--------------------

+---------+-------------------------------------+
| User    | Purpose                             |
+=========+=====================================+
| votebot | used to run the votebot             |
+---------+-------------------------------------+
| kiwiirc | used to run the Kiwi IRC web client |
+---------+-------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

Votebot
~~~~~~~

The :ref:`Votebot <votebot>` is a custom-developed IRC daemon that is packaged
as a self-contained executable Spring Boot jar archive. The bot is started via
init.

.. _votebot:

.. topic:: Votebot

   The vote bot is a Java-based IRC bot developed at
   https://git.cacert.org/gitweb/?p=cacert-votebot.git and built at
   https://jenkins.cacert.org/job/cacert-votebot/. The bot is started
   automatically via its init script.

Kiwi IRC
~~~~~~~~

Kiwi IRC is a Node.js-based IRC web client. The software has been installed from
`Github <https://github.com/prawnsalad/KiwiIRC.git>`_ and npm as described in
https://kiwiirc.com/docs/installing and
https://kiwiirc.com/docs/installing/proxies. The software listens on the local
loopback interface only; Internet access is provided by an nginx reverse proxy
that also provides https connectivity. Node.js and npm have been installed from
Debian packages.

Risk assessments on critical packages
-------------------------------------

Votebot is a Java-based application, so Java security patches should be applied
as soon as they become available.

Kiwi IRC is Node.js-based and uses some third-party npm packages. The
application is kept behind a reverse proxy, but it is advisable to make sure
that available updates are applied.

.. todo:: implement some update monitoring for Kiwi IRC

The system uses third-party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system. The Puppet agent is not exposed for access from outside
the system.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`ircserver` to Puppet code
301
Keys and X.509 certificates
---------------------------

.. sslcert:: irc.cacert.org
   :altnames: DNS:irc.cacert.org, DNS:ircserver.cacert.org
   :certfile: /etc/ssl/public/irc.cacert.org.crt
   :keyfile: /etc/ssl/private/irc.cacert.org.key
   :serial: 1381E8
   :expiration: Mar 16 09:35:36 2020 GMT
   :sha1fp: 42:F6:7C:4E:0C:AC:8A:42:7D:9A:94:55:7E:73:7E:E9:40:5C:87:91
   :issuer: CA Cert Signing Authority

.. index::
   pair: inspircd; configuration

inspircd configuration
----------------------

Inspircd is installed from a Debian package. It is configured via files in
:file:`/etc/inspircd/`. The main configuration file is :file:`inspircd.conf`.

.. index::
   pair: atheme-services; configuration

atheme-services configuration
-----------------------------

Atheme-services is installed from a Debian package. It is configured via
:file:`/etc/atheme/atheme.conf`.

.. index::
   pair: Kiwi IRC; configuration

Kiwi IRC configuration
----------------------

Kiwi IRC configuration is kept in :file:`/home/kiwiirc/KiwiIRC/config.js`. When
the configuration is changed, it can be applied by running:

.. code-block:: bash

   # switch to the dedicated kiwiirc service user (see "Dedicated user roles")
   sudo -s -u kiwiirc
   cd /home/kiwiirc/KiwiIRC
   ./kiwi reconfig

nginx configuration
-------------------

The nginx configuration for reverse proxying Kiwi IRC is stored in
:file:`/etc/nginx/sites-available/default`. The same certificate and private
key are used for inspircd and nginx.
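
As an added illustration (not the contents of this system's
:file:`/etc/nginx/sites-available/default`), a minimal nginx site that matches
the layout described on this page: plain HTTP on 80/tcp redirected to HTTPS,
TLS terminated on 443/tcp with the certificate and key listed above, and all
requests proxied to the loopback-only Kiwi IRC process on 7778/tcp. The
WebSocket upgrade headers and the assumption that Kiwi IRC trusts 127.0.0.1 as
a proxy for ``X-Forwarded-For`` are not taken from the page.

```nginx
# Added example, not the site file from this system. Assumes Kiwi IRC listens
# on 127.0.0.1:7778 (see "Listening services") and that its config.js trusts
# 127.0.0.1 as an HTTP proxy so that X-Forwarded-For is honoured.
server {
    listen 80;
    server_name irc.cacert.org ircserver.cacert.org;

    # 80/tcp only redirects to https, as documented in the listening services table
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name irc.cacert.org ircserver.cacert.org;

    # the same certificate and key that inspircd uses (see "Keys and X.509 certificates")
    ssl_certificate     /etc/ssl/public/irc.cacert.org.crt;
    ssl_certificate_key /etc/ssl/private/irc.cacert.org.key;
    ssl_protocols       TLSv1.2;
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # kiwiirc is bound to loopback only; nginx is the only way in from outside
        proxy_pass http://127.0.0.1:7778;
        proxy_http_version 1.1;

        # browser <-> Kiwi IRC traffic is upgraded to a WebSocket (assumed)
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        # pass the real client address through so Kiwi IRC does not see every
        # user as 127.0.0.1 (assumed to be consumed via its proxy settings)
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because 7778/tcp is bound to loopback, any change that makes nginx listen on a port other than 80 and 443 or proxy to a non-loopback address should show up as a new row in the listening services table above.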

votebot configuration
---------------------

Votebot is configured via Spring Boot mechanisms. The current configuration file
is :file:`/home/votebot/cacert-votebot-0.1.0-SNAPSHOT.conf` and configures
Votebot to connect to localhost as VoteBot. The bot uses the channels #agm and
#vote. The channels can be changed in an :file:`application.properties` file in
:file:`/home/votebot`. The available property names can be found in the `git
repository`_.

.. _git repository: https://git.cacert.org/gitweb/?p=cacert-votebot.git;a=blob;f=src/main/resources/application.properties
365
Tasks
=====

Planned
-------

- set up DNS records

Changes
=======

System Future
-------------

- replace :doc:`irc` with this system

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`
   * :wiki:`Technology/TechnicalSupport/EndUserSupport/IRC`

References
----------

Atheme services website
   https://atheme.github.io/atheme.html

Inspircd wiki
   https://wiki.inspircd.org/

Kiwi IRC documentation
   https://kiwiirc.com/docs/

nginx documentation
   http://nginx.org/en/docs/