Maintenance on ircserver container
[cacert-infradocs.git] / docs / systems / ircserver.rst
.. index::
   single: Systems; Ircserver

=========
Ircserver
=========

Purpose
=======

This system is the planned replacement for :doc:`irc`.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+--------------+---------------------+
| Application  | Administrator(s)    |
+==============+=====================+
| IRC server   | :ref:`people_jandd` |
+--------------+---------------------+
| IRC services | :ref:`people_jandd` |
+--------------+---------------------+
| Votebot      | :ref:`people_jandd` |
+--------------+---------------------+

Contact
-------

* irc-admin@cacert.org

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.233`
:IP Intranet: :ip:v4:`172.16.2.24`
:IP Internal: :ip:v4:`10.0.0.130`
:MAC address: :mac:`00:ff:9a:79:ca:b1` (eth0)

.. todo:: set up IPv6

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Ircserver
   single: DNS records; Irc

======================= ======== ============================================
Name                    Type     Content
======================= ======== ============================================
irc.cacert.org.         IN A     213.154.225.233
irc.cacert.org.         IN SSHFP 1 1 C123F73001682277DE5346923518D17CC94E298E
irc.cacert.org.         IN SSHFP 2 1 B85941C077732F78BE290B8F0B44B0A5E8A0E51D
irc.intra.cacert.org.   IN A     172.16.2.14
======================= ======== ============================================

.. todo:: set up new SSHFP records

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`
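
The SSHFP records above and the ``SHA256:`` fingerprints listed under Security
carry the same hash, hex-encoded in DNS and base64-encoded in ``ssh-keygen``
output. The Python snippet below is an added example (not CAcert tooling) that
builds SSHFP rdata from a host public key line and converts a ``SHA256:``
fingerprint into the hex form a type-2 record needs. The Ed25519 key in it is
constructed and is not the real irc.cacert.org host key.

```python
"""Build SSHFP rdata for host keys (RFC 4255 / 6594 / 7479 numbering)."""
import base64
import hashlib

# SSHFP algorithm numbers keyed by the OpenSSH key type string
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1 (legacy, as in the table), 2 = SHA-256
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def key_blob(pubkey_line):
    """Decode the base64 key blob of an ssh_host_*_key.pub line."""
    keytype, b64 = pubkey_line.split()[:2]
    return keytype, base64.b64decode(b64)

def sshfp_rdata(pubkey_line, fptype=2):
    """Return (algorithm, fptype, HEX_FINGERPRINT) for the key."""
    keytype, blob = key_blob(pubkey_line)
    digest = SSHFP_HASH[fptype](blob).hexdigest().upper()
    return SSHFP_ALGORITHM[keytype], fptype, digest

def sshfp_record(owner, pubkey_line, fptype=2):
    """Render a zone-file line in the shape used by the DNS table."""
    alg, fpt, fp = sshfp_rdata(pubkey_line, fptype)
    return f"{owner} IN SSHFP {alg} {fpt} {fp}"

def openssh_sha256_fingerprint(pubkey_line):
    """Same value `ssh-keygen -lf` prints: SHA256:<base64 without padding>."""
    _, blob = key_blob(pubkey_line)
    b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + b64.rstrip("=")

def sshfp_hex_from_fingerprint(fingerprint):
    """Turn a 'SHA256:...' fingerprint (as listed under Security) into the
    hex an SSHFP type-2 record carries, so no key file is needed."""
    b64 = fingerprint.split(":", 1)[1]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.hex().upper()

def constructed_ed25519_pubkey_line():
    """Constructed sample key, NOT the real irc.cacert.org host key."""
    raw = bytes(range(32))
    blob = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + len(raw).to_bytes(4, "big") + raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample"
```

On the host, feed the contents of :file:`/etc/ssh/ssh_host_*_key.pub` to
``sshfp_record`` and compare the output with what DNS publishes before
resolving the SSHFP todo above.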

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.3

* Debian GNU/Linux 9.3

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+--------------+---------+----------------------------+
| Port     | Service      | Origin  | Purpose                    |
+==========+==============+=========+============================+
| 22/tcp   | ssh          | ANY     | admin console access       |
+----------+--------------+---------+----------------------------+
| 25/tcp   | smtp         | local   | mail delivery to local MTA |
+----------+--------------+---------+----------------------------+
| 80/tcp   | http         | ANY     | redirect to https          |
+----------+--------------+---------+----------------------------+
| 443/tcp  | https        | ANY     | reverse proxy for kiwiirc  |
+----------+--------------+---------+----------------------------+
| 5666/tcp | nrpe         | monitor | remote monitoring service  |
+----------+--------------+---------+----------------------------+
| 6667/tcp | ircd         | ANY     | IRC                        |
+----------+--------------+---------+----------------------------+
| 7000/tcp | ircd         | ANY     | IRC (SSL)                  |
+----------+--------------+---------+----------------------------+
| 7001/tcp | ircd         | local   | IRC (services)             |
+----------+--------------+---------+----------------------------+
| 7778/tcp | kiwiirc      | local   | kiwiirc process            |
+----------+--------------+---------+----------------------------+
| 8080/tcp | irc-services | ANY     | IRC services               |
+----------+--------------+---------+----------------------------+

irc opens a random UDP port.
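
To catch drift between this table and the container, the Python snippet below
(an added example, not CAcert tooling) parses ``ss -ltn`` output and reports
listeners that are undocumented, documented as local but bound beyond loopback,
or documented but absent. The ``ss`` output embedded in it is constructed, not
captured on the host.

```python
"""Compare `ss -ltn` output with the documented listening-services table."""

# Documented TCP listeners from the table above: port -> origin
DOCUMENTED = {22: "ANY", 25: "local", 80: "ANY", 443: "ANY", 5666: "monitor",
              6667: "ANY", 7000: "ANY", 7001: "local", 7778: "local",
              8080: "ANY"}
# Bind addresses that count as "local" (loopback only)
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample output, not captured on the real host: the documented
# daemons plus a surprise listener on 9090 and the services port 7001 bound
# to all interfaces instead of loopback.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      20     127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      5      0.0.0.0:5666       0.0.0.0:*
LISTEN 0      50     *:6667             *:*
LISTEN 0      50     *:7000             *:*
LISTEN 0      50     *:7001             *:*
LISTEN 0      128    127.0.0.1:7778     0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    [::]:9090          [::]:*
"""


def parse_ss(text):
    """Return {port: {bind addresses}} from `ss -ltn` output."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def audit(listeners, documented=DOCUMENTED):
    """Return (kind, port) findings where the host deviates from the table."""
    findings = []
    for port, addrs in sorted(listeners.items()):
        if port not in documented:
            findings.append(("undocumented", port))
        elif documented[port] == "local" and not addrs <= LOOPBACK:
            # a service documented as local but reachable from other hosts
            findings.append(("exposed", port))
    for port in sorted(set(documented) - set(listeners)):
        findings.append(("missing", port))
    return findings
```

On the host, pass the real output of ``ss -ltn`` to ``parse_ss`` instead of
``SAMPLE_SS``; origins such as ``monitor`` are enforced by the firewall and are
not checked here.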

The following port forwarding is set up on :doc:`infra02`:

+-------------+-------+-----------------+
| Intranet IP | Port  | Target          |
+=============+=======+=================+
| 172.16.2.14 | 13022 | 10.0.0.130:22   |
+-------------+-------+-----------------+
| 172.16.2.14 | 13080 | 10.0.0.130:80   |
+-------------+-------+-----------------+
| 172.16.2.14 | 13443 | 10.0.0.130:443  |
+-------------+-------+-----------------+
| 172.16.2.14 | 13667 | 10.0.0.130:6667 |
+-------------+-------+-----------------+
| 172.16.2.14 | 13700 | 10.0.0.130:7000 |
+-------------+-------+-----------------+

.. todo:: implement final forwarding to required ports from :doc:`infra02`

Running services
----------------

.. index::
   single: cron
   single: exim
   single: nrpe
   single: openssh
   single: inspircd
   single: atheme-services
   single: votebot

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| inspircd           | IRC daemon         | init script                            |
|                    |                    | :file:`/etc/init.d/inspircd`           |
+--------------------+--------------------+----------------------------------------+
| atheme-services    | IRC services       | init script                            |
|                    |                    | :file:`/etc/init.d/atheme-services`    |
+--------------------+--------------------+----------------------------------------+
| kiwiirc            | IRC web client     | start script                           |
|                    |                    | :file:`/home/kiwiirc/KiwiIRC/kiwi`     |
|                    |                    | started by user kiwiirc                |
+--------------------+--------------------+----------------------------------------+
| nginx              | Reverse proxy for  | init script                            |
|                    | kiwiirc            | :file:`/etc/init.d/nginx`              |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT

Security
========

.. sshkeys::
   :RSA: SHA256:MMH85BKVW7SUe7yyWjldjlggQD7dtXRuzO1XjZf0ZWc MD5:dc:8f:c3:d7:38:72:39:13:6f:97:db:3d:06:c6:83:db
   :DSA: SHA256:c0pnKaB313x5rw6PRRh/iMJdfNECw0ruHnU9lkTJZbw MD5:52:73:d9:76:38:df:bd:18:37:4a:e3:9d:65:14:ac:39
   :ECDSA: SHA256:uI+JjNUlGytuMVouJmhzdHt80jfA+SRYkWr5OORpT5Y MD5:61:9f:ca:c7:05:0e:46:a1:8f:6d:7f:3a:68:ce:5a:21
   :ED25519: SHA256:aNRLwh0FVQyKq2IWO5JXyFubzwpMqxyWrSymdLgDYBw MD5:79:2a:a2:ca:99:23:50:2c:1c:48:cf:8c:fe:b9:51:e5

Dedicated user roles
--------------------

+---------+-------------------------------------+
| User    | Purpose                             |
+=========+=====================================+
| votebot | used to run the votebot             |
+---------+-------------------------------------+
| kiwiirc | used to run the Kiwi IRC web client |
+---------+-------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

Votebot
~~~~~~~

The :ref:`Votebot <votebot>` is a custom-developed IRC daemon that is packaged
as a self-contained Java jar archive. The bot is started manually as described
below. For improved maintainability it should be packaged and provide a start
mechanism that is better integrated with the system.

.. _votebot:

.. topic:: Votebot

   The vote bot is a Java-based IRC bot developed at
   https://github.com/CAcertOrg/cacert-votebot. The bot is started manually by
   running:

   .. code-block:: bash

      java -DvoteBot.meetingChn=SGM -cp VoteBot.jar \
         de.dogcraft.irc.CAcertVoteBot -u -h 10.0.0.14 -p 6667 --nick VoteBot

.. todo:: use a CAcert git repository for votebot

.. todo:: package votebot for Debian

.. todo:: provide a proper init script and/or systemd unit for votebot


Kiwi IRC
~~~~~~~~

Kiwi IRC is a Node.js-based IRC web client. The software has been installed from
`GitHub <https://github.com/prawnsalad/KiwiIRC.git>`_ with npm as described in
https://kiwiirc.com/docs/installing and
https://kiwiirc.com/docs/installing/proxies. The software listens on the local
loopback interface only; Internet access is provided by an nginx reverse proxy,
which also terminates https. Node.js and npm have been installed from Debian
packages.

Risk assessments on critical packages
-------------------------------------

Votebot is a Java-based application, so Java security patches should be
applied as soon as they become available.

Kiwi IRC is Node.js-based and uses a number of third-party npm packages. The
application is kept behind a reverse proxy, but it is still advisable to make
sure that available updates are applied.

.. todo:: implement some update monitoring for Kiwi IRC


Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: irc.cacert.org
   :altnames: DNS:irc.cacert.org, DNS:ircserver.cacert.org
   :certfile: /etc/ssl/public/irc.cacert.org.crt
   :keyfile: /etc/ssl/private/irc.cacert.org.key
   :serial: 0FBBE0
   :expiration: Oct 22 15:27:04 16 GMT
   :sha1fp: 82:F7:B8:08:FB:FD:C3:FA:21:6C:89:B7:07:69:3D:66:F8:BC:5F:AA
   :issuer: CA Cert Signing Authority


.. index::
   pair: inspircd; configuration

inspircd configuration
----------------------

Inspircd is installed from a Debian package. It is configured via files in
:file:`/etc/inspircd/`. The main configuration file is :file:`inspircd.conf`.

.. index::
   pair: atheme-services; configuration

atheme-services configuration
-----------------------------

Atheme-services is installed from a Debian package. It is configured via
:file:`/etc/atheme/atheme.conf`.

Kiwi IRC configuration
----------------------

Kiwi IRC configuration is kept in :file:`/home/kiwiirc/KiwiIRC/config.js`. When
the configuration is changed, it can be applied by running:

.. code-block:: bash

   sudo -s -u kiwiirc   # the web client runs as the dedicated kiwiirc user
   cd ~/KiwiIRC
   ./kiwi reconfig

nginx configuration
-------------------

The nginx configuration for reverse proxying Kiwi IRC is stored in
:file:`/etc/nginx/sites-available/default`. The same certificate and private
key are used for inspircd and nginx.


Tasks
=====

Planned
-------

- set up IPv6
- set up DNS records

Changes
=======

System Future
-------------

- replace :doc:`irc` by this system

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`
   * :wiki:`Technology/TechnicalSupport/EndUserSupport/IRC`

References
----------

Atheme services website
   https://atheme.github.io/atheme.html

Inspircd wiki
   https://wiki.inspircd.org/

Kiwi IRC documentation
   https://kiwiirc.com/docs/

nginx documentation
   http://nginx.org/en/docs/