[cacert-infradocs.git] / docs / systems / ircserver.rst
.. index::
   single: Systems; Ircserver

=========
Ircserver
=========

Purpose
=======

This system is the planned replacement for :doc:`irc`.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_martin`
* Secondary: :ref:`people_jandd`

Application Administration
--------------------------

+--------------+-------------------------------------------+
| Application  | Administrator(s)                          |
+==============+===========================================+
| IRC server   | :ref:`people_martin`, :ref:`people_jandd` |
+--------------+-------------------------------------------+
| IRC services | :ref:`people_martin`, :ref:`people_jandd` |
+--------------+-------------------------------------------+
| Votebot      | :ref:`people_martin`, :ref:`people_jandd` |
+--------------+-------------------------------------------+

Contact
-------

* irc-admin@cacert.org

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.233`
:IP Intranet: :ip:v4:`172.16.2.24`
:IP Internal: :ip:v4:`10.0.0.130`
:MAC address: :mac:`00:ff:9a:79:ca:b1` (eth0)

.. todo:: set up IPv6

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Ircserver
   single: DNS records; Irc

======================= ======== ============================================
Name                    Type     Content
======================= ======== ============================================
irc.cacert.org.         IN A     213.154.225.233
irc.cacert.org.         IN SSHFP 1 1 C123F73001682277DE5346923518D17CC94E298E
irc.cacert.org.         IN SSHFP 2 1 B85941C077732F78BE290B8F0B44B0A5E8A0E51D
irc.intra.cacert.org.   IN A     172.16.2.14
======================= ======== ============================================

.. todo:: set up new SSHFP records

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`
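
The open todo above is to publish new SSHFP records for this host. The
following is an added example (not code from the CAcert infrastructure
repository) showing how the record content is derived from an OpenSSH host
key and how a published record can be checked against the key actually
installed on the host. The sample key embedded in it is constructed for
illustration and is not an irc.cacert.org host key; the owner name and key
file paths are assumptions.

```python
"""Derive and verify SSHFP records for OpenSSH host keys.

Added example for this page, not code from the CAcert infrastructure
repository. It assumes public key files in the usual OpenSSH layout
(``<type> <base64 blob> [comment]``). The sample key below is constructed
for illustration; it is not an irc.cacert.org host key.
"""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255 for RSA/DSA, RFC 6594 for ECDSA and
# SHA-256 fingerprints, RFC 7479 for Ed25519).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint type numbers: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey(pubkey_line):
    """Return (SSHFP algorithm number, raw key blob) for one public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] not in SSHFP_ALGORITHM:
        raise ValueError("not a supported OpenSSH public key line")
    return SSHFP_ALGORITHM[fields[0]], base64.b64decode(fields[1])


def fingerprint(blob, fp_type):
    """Hex fingerprint of the raw (base64-decoded) key blob, upper case as in zone files."""
    return FP_TYPES[fp_type](blob).hexdigest().upper()


def sshfp_records(owner, pubkey_line, fp_types=(1, 2)):
    """Zone-file lines for ``owner`` (e.g. ``irc.cacert.org.``), one per fingerprint type."""
    alg, blob = parse_pubkey(pubkey_line)
    return ["%s IN SSHFP %d %d %s" % (owner, alg, t, fingerprint(blob, t))
            for t in fp_types]


def verify_sshfp(record, pubkey_line):
    """True if a published record matches the key installed on the host."""
    tokens = record.split()
    try:
        i = tokens.index("SSHFP")
        alg, fp_type = int(tokens[i + 1]), int(tokens[i + 2])
        published = tokens[i + 3].upper()
    except (ValueError, IndexError):
        return False
    if fp_type not in FP_TYPES:
        return False
    key_alg, blob = parse_pubkey(pubkey_line)
    return alg == key_alg and hmac.compare_digest(fingerprint(blob, fp_type), published)


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key: a syntactically valid ssh-ed25519 blob whose 32 key
# bytes are simply 0x00..0x1f. Not a real key.
SAMPLE_ED25519_KEY = "ssh-ed25519 %s constructed@example" % base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode("ascii")


if __name__ == "__main__":
    import glob
    # On the host itself: emit records for every installed host key
    # (owner name assumed; adjust for the zone being edited).
    for path in sorted(glob.glob("/etc/ssh/ssh_host_*_key.pub")):
        with open(path) as fh:
            try:
                print("\n".join(sshfp_records("irc.cacert.org.", fh.read())))
            except ValueError as exc:
                print("# skipped %s: %s" % (path, exc))
```

``ssh-keygen -r irc.cacert.org`` run on the host prints the same records.
Generate the fingerprints on the host itself rather than from a key fetched
over the network, and publish both the SHA-1 (type 1) and SHA-256 (type 2)
fingerprints: the records currently in the table are SHA-1 only.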

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.8

* Debian GNU/Linux 8.8

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+--------------+---------+----------------------------+
| Port     | Service      | Origin  | Purpose                    |
+==========+==============+=========+============================+
| 22/tcp   | ssh          | ANY     | admin console access       |
+----------+--------------+---------+----------------------------+
| 25/tcp   | smtp         | local   | mail delivery to local MTA |
+----------+--------------+---------+----------------------------+
| 80/tcp   | http         | ANY     | redirect to https          |
+----------+--------------+---------+----------------------------+
| 443/tcp  | https        | ANY     | reverse proxy for kiwiirc  |
+----------+--------------+---------+----------------------------+
| 5666/tcp | nrpe         | monitor | remote monitoring service  |
+----------+--------------+---------+----------------------------+
| 6667/tcp | ircd         | ANY     | IRC                        |
+----------+--------------+---------+----------------------------+
| 7000/tcp | ircd         | ANY     | IRC (SSL)                  |
+----------+--------------+---------+----------------------------+
| 7001/tcp | ircd         | local   | IRC (services)             |
+----------+--------------+---------+----------------------------+
| 7778/tcp | kiwiirc      | local   | kiwiirc process            |
+----------+--------------+---------+----------------------------+
| 8080/tcp | irc-services | ANY     | IRC services               |
+----------+--------------+---------+----------------------------+

irc opens a random UDP port.
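
The table above is only useful as a security baseline if it is checked
against the host from time to time. The following is an added example (not
code from the CAcert infrastructure docs) that parses output in the layout of
``ss -H -lntup``, compares it with the documented ports, and reports both
undocumented listeners and documented entries that are not actually
listening. The random UDP port mentioned above is handled by allowing any UDP
socket owned by the IRC daemon; the daemon's process name ``inspircd`` and
the sample output are assumptions, the latter constructed rather than
captured from the host.

```python
"""Audit the host's listeners against the documented "Listening services" table.

Added example for this page, not code from the CAcert infrastructure docs.
It parses lines in the shape printed by ``ss -H -lntup`` (the sample below
is constructed, not captured from the host) and reports sockets the table
does not account for, plus documented entries that are not listening.
"""
import re
import subprocess

# Allow-list transcribed from the table: (protocol, port).
DOCUMENTED = {
    ("tcp", 22), ("tcp", 25), ("tcp", 80), ("tcp", 443), ("tcp", 5666),
    ("tcp", 6667), ("tcp", 7000), ("tcp", 7001), ("tcp", 7778), ("tcp", 8080),
}

# Processes allowed to hold an arbitrary UDP port (assumed process name of
# the IRC daemon, which the page says opens a random UDP port).
UDP_WILDCARD_PROCESSES = {"inspircd"}

# Constructed sample in the layout of `ss -H -lntup` output. Port 8080 is
# deliberately absent and port 9000 deliberately undocumented.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128    0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=611,fd=3))
tcp   LISTEN 0 20   127.0.0.1:25     0.0.0.0:* users:(("exim4",pid=902,fd=4))
tcp   LISTEN 0 128    0.0.0.0:80     0.0.0.0:* users:(("nginx",pid=700,fd=6))
tcp   LISTEN 0 128    0.0.0.0:443    0.0.0.0:* users:(("nginx",pid=700,fd=7))
tcp   LISTEN 0 5      0.0.0.0:5666   0.0.0.0:* users:(("nrpe",pid=655,fd=4))
tcp   LISTEN 0 128    0.0.0.0:6667   0.0.0.0:* users:(("inspircd",pid=1201,fd=9))
tcp   LISTEN 0 128    0.0.0.0:7000   0.0.0.0:* users:(("inspircd",pid=1201,fd=10))
tcp   LISTEN 0 128  127.0.0.1:7001   0.0.0.0:* users:(("inspircd",pid=1201,fd=11))
tcp   LISTEN 0 128  127.0.0.1:7778   0.0.0.0:* users:(("node",pid=1300,fd=12))
udp   UNCONN 0 0      0.0.0.0:41123  0.0.0.0:* users:(("inspircd",pid=1201,fd=13))
tcp   LISTEN 0 128    0.0.0.0:9000   0.0.0.0:* users:(("python3",pid=1999,fd=3))
"""

# Netid State Recv-Q Send-Q Local:Port Peer:Port [users:(("name",pid=..,fd=..))]
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output):
    """Return [(proto, port, process)] for every socket line in ``output``."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Local address may be 0.0.0.0:22, 127.0.0.1:25, [::]:22 or *:22;
        # the port is always after the last colon.
        port = int(m.group("local").rsplit(":", 1)[1])
        listeners.append((m.group("proto"), port, m.group("proc") or "?"))
    return listeners


def audit(listeners, documented=DOCUMENTED, udp_wildcard=UDP_WILDCARD_PROCESSES):
    """Return (unexpected listeners, documented entries with no listener)."""
    unexpected, seen = [], set()
    for proto, port, proc in listeners:
        seen.add((proto, port))
        if (proto, port) in documented:
            continue
        if proto == "udp" and proc in udp_wildcard:
            continue  # the random UDP port the page mentions
        unexpected.append((proto, port, proc))
    return unexpected, sorted(documented - seen)


def main():
    """Run against the live host; exit non-zero when the table is out of date."""
    output = subprocess.check_output(["ss", "-H", "-lntup"], text=True)
    unexpected, missing = audit(parse_ss(output))
    for proto, port, proc in unexpected:
        print("UNDOCUMENTED %s/%d (%s)" % (proto, port, proc))
    for proto, port in missing:
        print("NOT LISTENING %s/%d" % (proto, port))
    return 2 if unexpected else (1 if missing else 0)


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as root so that ``ss -p`` can attribute sockets to processes; an
undocumented listener is the finding that matters, a documented port with no
listener usually means the table or the service configuration has drifted.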

The following port forwarding is set up on :doc:`infra02`:

+-------------+-------+-----------------+
| Intranet IP | Port  | Target          |
+=============+=======+=================+
| 172.16.2.14 | 13022 | 10.0.0.130:22   |
+-------------+-------+-----------------+
| 172.16.2.14 | 13080 | 10.0.0.130:80   |
+-------------+-------+-----------------+
| 172.16.2.14 | 13443 | 10.0.0.130:443  |
+-------------+-------+-----------------+
| 172.16.2.14 | 13667 | 10.0.0.130:6667 |
+-------------+-------+-----------------+
| 172.16.2.14 | 13700 | 10.0.0.130:7000 |
+-------------+-------+-----------------+

.. todo:: implement final forwarding to required ports from :doc:`infra02`

Running services
----------------

.. index::
   single: cron
   single: exim
   single: nrpe
   single: openssh
   single: inspircd
   single: atheme-services
   single: votebot

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| inspircd           | IRC daemon         | init script                            |
|                    |                    | :file:`/etc/init.d/inspircd`           |
+--------------------+--------------------+----------------------------------------+
| atheme-services    | IRC services       | init script                            |
|                    |                    | :file:`/etc/init.d/atheme-services`    |
+--------------------+--------------------+----------------------------------------+
| kiwiirc            | IRC web client     | start script                           |
|                    |                    | :file:`/home/kiwiirc/KiwiIRC/kiwi`     |
|                    |                    | started by user kiwiirc                |
+--------------------+--------------------+----------------------------------------+
| nginx              | Reverse proxy for  | init script                            |
|                    | kiwiirc            | :file:`/etc/init.d/nginx`              |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for getting CRLs

Security
========

.. sshkeys::
   :RSA: dc:8f:c3:d7:38:72:39:13:6f:97:db:3d:06:c6:83:db
   :DSA: 52:73:d9:76:38:df:bd:18:37:4a:e3:9d:65:14:ac:39
   :ECDSA: 61:9f:ca:c7:05:0e:46:a1:8f:6d:7f:3a:68:ce:5a:21

Dedicated user roles
--------------------

+---------+-------------------------------------+
| User    | Purpose                             |
+=========+=====================================+
| votebot | used to run the votebot             |
+---------+-------------------------------------+
| kiwiirc | used to run the Kiwi IRC web client |
+---------+-------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

Votebot
~~~~~~~

The :ref:`Votebot <votebot>` is a custom-developed IRC daemon that is packaged
as a self-contained Java jar archive. The bot is started manually as described
below. For improved maintainability it should be packaged and provided with a
start mechanism that is better integrated with the system.

.. _votebot:

.. topic:: Votebot

   The vote bot is a Java based IRC bot developed at
   https://github.com/CAcertOrg/cacert-votebot. The bot is started manually by
   running

   .. code-block:: bash

      java -DvoteBot.meetingChn=SGM -cp VoteBot.jar \
         de.dogcraft.irc.CAcertVoteBot -u -h 10.0.0.14 -p 6667 --nick VoteBot

.. todo:: use a CAcert git repository for votebot

.. todo:: package votebot for Debian

.. todo:: provide a proper init script and/or systemd unit for votebot


Kiwi IRC
~~~~~~~~

Kiwi IRC is a nodejs-based IRC web client. The software has been installed via
`Github <https://github.com/prawnsalad/KiwiIRC.git>`_ and npm as described in
https://kiwiirc.com/docs/installing and
https://kiwiirc.com/docs/installing/proxies. The software is running on the
local loopback interface and Internet access is provided by an nginx reverse
proxy that also provides https connectivity. NodeJS and npm have been installed
from Debian packages.

Risk assessments on critical packages
-------------------------------------

Votebot is a Java-based application and therefore Java security patches should
be applied as soon as they become available.

Kiwi IRC is nodejs-based and uses some third party npm packages. The
application is kept behind a reverse proxy but it is advisable to make sure
that available updates are applied.

.. todo:: implement some update monitoring for Kiwi IRC


Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: irc.cacert.org
   :altnames: DNS:irc.cacert.org, DNS:ircserver.cacert.org
   :certfile: /etc/ssl/public/irc.cacert.org.crt
   :keyfile: /etc/ssl/private/irc.cacert.org.key
   :serial: 0FBBE0
   :expiration: Oct 22 15:27:04 16 GMT
   :sha1fp: 82:F7:B8:08:FB:FD:C3:FA:21:6C:89:B7:07:69:3D:66:F8:BC:5F:AA
   :issuer: CA Cert Signing Authority
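
The certificate above serves both inspircd (port 7000) and the nginx reverse
proxy, so its expiry is worth a check from :doc:`monitor` alongside the
existing NRPE checks. The following is an added example (not code from the
CAcert repository or from Nagios) of such a check: it reads the ``notAfter``
date in the form ``openssl x509 -enddate`` prints, which is also the form of
the ``:expiration:`` field above, and maps the remaining lifetime to the exit
codes NRPE expects. The certificate path is taken from the block above; the
30/7 day thresholds are assumptions and the dates used for illustration are
constructed. Note that the ``:expiration:`` value as transcribed above carries
a two-digit year; fed to this check it yields UNKNOWN rather than a guessed
date.

```python
"""NRPE-style expiry check for the certificate recorded above.

Added example for this page, not code from the CAcert repository or the
Nagios project. Parses the ``notAfter`` form openssl prints
(``Mon DD HH:MM:SS YYYY GMT``) and maps the time left to Nagios exit codes.
The thresholds are assumptions; the illustrative dates are constructed.
"""
from datetime import datetime, timezone
import subprocess

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
CERT_FILE = "/etc/ssl/public/irc.cacert.org.crt"  # :certfile: from the block above


def parse_not_after(text):
    """Parse 'Oct 22 15:27:04 2016 GMT' (optionally prefixed 'notAfter=') to UTC."""
    value = text.strip().split("=", 1)[-1].strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    # %Y requires a four-digit year, so a truncated value raises ValueError
    # instead of silently producing a wrong date.
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def check_expiry(not_after, now, warn_days=30, crit_days=7):
    """Return (exit code, message) following the Nagios plugin convention."""
    remaining = not_after - now
    if remaining.total_seconds() <= 0:
        ago = int(-remaining.total_seconds() // 86400)
        return CRITICAL, "CRITICAL - certificate expired %d day(s) ago" % ago
    days = remaining.days
    if days < crit_days:
        return CRITICAL, "CRITICAL - certificate expires in %d day(s)" % days
    if days < warn_days:
        return WARNING, "WARNING - certificate expires in %d day(s)" % days
    return OK, "OK - certificate valid for %d more day(s)" % days


def run_check(not_after_text, now=None, warn_days=30, crit_days=7):
    """Parse and evaluate; unparseable input is reported as UNKNOWN, never OK."""
    try:
        not_after = parse_not_after(not_after_text)
    except ValueError as exc:
        return UNKNOWN, "UNKNOWN - cannot parse expiry date: %s" % exc
    return check_expiry(not_after, now or datetime.now(timezone.utc),
                        warn_days, crit_days)


def read_not_after(cert_file=CERT_FILE):
    """Ask openssl for the notAfter line of the installed certificate."""
    return subprocess.check_output(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_file], text=True)


if __name__ == "__main__":
    code, message = run_check(read_not_after())
    print(message)
    raise SystemExit(code)
```

Wire it up as an NRPE command on this host and let :doc:`monitor` query it;
the exit code alone drives the alert, the message is what the operator sees.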


.. index::
   pair: inspircd; configuration

inspircd configuration
----------------------

Inspircd is installed from a Debian package. It is configured via files in
:file:`/etc/inspircd/`. The main configuration file is :file:`inspircd.conf`.

.. index::
   pair: atheme-services; configuration

atheme-services configuration
-----------------------------

Atheme-services is installed from a Debian package. It is configured via
:file:`/etc/atheme/atheme.conf`.

Kiwi IRC configuration
----------------------

Kiwi IRC configuration is kept in :file:`/home/kiwiirc/KiwiIRC/config.js`. When
the configuration is changed it can be applied by running:

.. code-block:: bash

   # switch to the dedicated kiwiirc service user (see "Dedicated user roles")
   sudo -s -u kiwiirc
   cd ~/KiwiIRC
   ./kiwi reconfig

nginx configuration
-------------------

The nginx configuration for reverse proxying Kiwi IRC is stored in
:file:`/etc/nginx/sites-available/default`. The same certificate and private
key are used for inspircd and nginx.


Tasks
=====

Planned
-------

- set up IPv6
- set up DNS records

Changes
=======

System Future
-------------

- replace :doc:`irc` by this system

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`
   * :wiki:`Technology/TechnicalSupport/EndUserSupport/IRC`

References
----------

Atheme services website
   https://atheme.github.io/atheme.html

Inspircd wiki
   https://wiki.inspircd.org/

Kiwi IRC documentation
   https://kiwiirc.com/docs/

nginx documentation
   http://nginx.org/en/docs/