projects / cacert-infradocs.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Change of critical team.
[cacert-infradocs.git] / docs / systems / ircserver.rst
1 .. index::
2 single: Systems; Ircserver
3
4 =========
5 Ircserver
6 =========
7
8 Purpose
9 =======
10
11 This system provides the CAcert IRC service for private communications,
12 allowing usage of CAcert-secured SSL-Encrypted IRC traffic for our everyday
13 chat, meetings, and general support.
14
15 Application Links
16 -----------------
17
18 https://irc.cacert.org/
19 HTTPS secured Web based IRC access
20
21 Administration
22 ==============
23
24 System Administration
25 ---------------------
26
27 * Primary: :ref:`people_jandd`
28 * Secondary: None
29
30 .. todo:: find an additional admin
31
32 Application Administration
33 --------------------------
34
35 +--------------+---------------------+
36 | Application | Administrator(s) |
37 +==============+=====================+
38 | IRC server | :ref:`people_jandd` |
39 +--------------+---------------------+
40 | IRC services | :ref:`people_jandd` |
41 +--------------+---------------------+
42 | Votebot | :ref:`people_jandd` |
43 +--------------+---------------------+
44
45 Contact
46 -------
47
48 * irc-admin@cacert.org
49
50 Basics
51 ======
52
53 Physical Location
54 -----------------
55
56 This system is located in an :term:`LXC` container on physical machine
57 :doc:`infra02`.
58
59 Logical Location
60 ----------------
61
62 :IP Internet: :ip:v4:`213.154.225.233`
63 :IP Intranet: :ip:v4:`172.16.2.14`
64 :IP Internal: :ip:v4:`10.0.0.130`
65 :IPv6: :ip:v6:`2001:7b8:616:162:2::14`
66 :MAC address: :mac:`00:ff:9a:79:ca:b1` (eth0)
67
68 .. seealso::
69
70 See :doc:`../network`
71
72 .. index::
73 single: Monitoring; Ircserver
74
75 Monitoring
76 ----------
77
78 :internal checks: :monitor:`ircserver.infra.cacert.org`
79
80 DNS
81 ---
82
83 .. index::
84 single: DNS records; Ircserver
85 single: DNS records; Irc
86
87 =========================== ======== ====================================================================
88 Name Type Content
89 =========================== ======== ====================================================================
90 irc.cacert.org. IN A 213.154.225.233
91 irc.cacert.org. IN AAAA 2001:7b8:616:162:2::14
92 irc.cacert.org. IN SSHFP 1 1 39b6c81b9fe76bd3c112f891ad3198f7a6102f4c
93 irc.cacert.org. IN SSHFP 1 2 30c1fce412955bb4947bbcb25a395d8e5820403eddb5746ecced578d97f46567
94 irc.cacert.org. IN SSHFP 2 1 90fcff63476f93d5e4f5d634ba1407445323d3fe
95 irc.cacert.org. IN SSHFP 2 2 734a6729a077d77c79af0e8f45187f88c25d7cd102c34aee1e753d9644c965bc
96 irc.cacert.org. IN SSHFP 3 1 5b9191613e743082fd4aa64e1f3a4601ed77f366
97 irc.cacert.org. IN SSHFP 3 2 b88f898cd5251b2b6e315a2e266873747b7cd237c0f92458916af938e4694f96
98 irc.cacert.org. IN SSHFP 4 1 866a42ee920b7f38a86ca9f3b07af808aae9768c
99 irc.cacert.org. IN SSHFP 4 2 68d44bc21d05550c8aab62163b9257c85b9bcf0a4cab1c96ad2ca674b803601c
100 ircserver.intra.cacert.org. IN A 172.16.2.14
101 =========================== ======== ====================================================================
102
103 .. seealso::
104
105 See :wiki:`SystemAdministration/Procedures/DNSChanges`
106
107 Operating System
108 ----------------
109
110 .. index::
111 single: Debian GNU/Linux; Stretch
112 single: Debian GNU/Linux; 9.4
113
114 * Debian GNU/Linux 9.4
115
116 Services
117 ========
118
119 Listening services
120 ------------------
121
122 +----------+--------------+---------+----------------------------+
123 | Port | Service | Origin | Purpose |
124 +==========+==============+=========+============================+
125 | 22/tcp | ssh | ANY | admin console access |
126 +----------+--------------+---------+----------------------------+
127 | 25/tcp | smtp | local | mail delivery to local MTA |
128 +----------+--------------+---------+----------------------------+
129 | 80/tcp | http | ANY | redirect to https |
130 +----------+--------------+---------+----------------------------+
131 | 443/tcp | https | ANY | reverse proxy for kiwiirc |
132 +----------+--------------+---------+----------------------------+
133 | 5666/tcp | nrpe | monitor | remote monitoring service |
134 +----------+--------------+---------+----------------------------+
135 | 6667/tcp | ircd | ANY | IRC |
136 +----------+--------------+---------+----------------------------+
137 | 7000/tcp | ircd | ANY | IRC (SSL) |
138 +----------+--------------+---------+----------------------------+
139 | 7001/tcp | ircd | local | IRC (services) |
140 +----------+--------------+---------+----------------------------+
141 | 7778/tcp | kiwiirc | local | kiwiirc process |
142 +----------+--------------+---------+----------------------------+
143 | 8080/tcp | irc-services | ANY | IRC services |
144 +----------+--------------+---------+----------------------------+
145
146 irc opens a random UDP port.
147
148 The following port forwarding is setup on :doc:`infra02`
149
150 +-------------+-------+-----------------+
151 | Intranet IP | Port | Target |
152 +=============+=======+=================+
153 | 172.16.2.14 | 13022 | 10.0.0.130:22 |
154 +-------------+-------+-----------------+
155 | 172.16.2.14 | 13080 | 10.0.0.130:80 |
156 +-------------+-------+-----------------+
157 | 172.16.2.14 | 13443 | 10.0.0.130:443 |
158 +-------------+-------+-----------------+
159 | 172.16.2.14 | 13667 | 10.0.0.130:6667 |
160 +-------------+-------+-----------------+
161 | 172.16.2.14 | 13700 | 10.0.0.130:7000 |
162 +-------------+-------+-----------------+
163
164 Running services
165 ----------------
166
167 .. index::
168 single: atheme-services
169 single: cron
170 single: exim
171 single: inspircd
172 single: kiwiirc
173 single: nginx
174 single: nrpe
175 single: openssh
176 single: puppet agent
177 single: rsyslog
178 single: votebot
179
180 +--------------------+--------------------+----------------------------------------+
181 | Service | Usage | Start mechanism |
182 +====================+====================+========================================+
183 | atheme-services | IRC services | init script |
184 | | | :file:`/etc/init.d/atheme-services` |
185 +--------------------+--------------------+----------------------------------------+
186 | cron | job scheduler | init script :file:`/etc/init.d/cron` |
187 +--------------------+--------------------+----------------------------------------+
188 | Exim | SMTP server for | init script |
189 | | local mail | :file:`/etc/init.d/exim4` |
190 | | submission | |
191 +--------------------+--------------------+----------------------------------------+
192 | inspircd | IRC daemon | init script |
193 | | | :file:`/etc/init.d/inspircd` |
194 +--------------------+--------------------+----------------------------------------+
195 | kiwiirc | IRC web client | start script |
196 | | | :file:`/home/kiwiirc/KiwiIRC/kiwi` |
197 | | | started by user kiwiirc |
198 +--------------------+--------------------+----------------------------------------+
199 | nginx | Reverse proxy for | init script |
200 | | kiwiirc | :file:`/etc/init.d/nginx` |
201 +--------------------+--------------------+----------------------------------------+
202 | Nagios NRPE server | remote monitoring | init script |
203 | | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
204 | | :doc:`monitor` | |
205 +--------------------+--------------------+----------------------------------------+
206 | openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
207 | | remote | |
208 | | administration | |
209 +--------------------+--------------------+----------------------------------------+
210 | Puppet agent | configuration | init script |
211 | | management agent | :file:`/etc/init.d/puppet` |
212 +--------------------+--------------------+----------------------------------------+
213 | rsyslog | syslog daemon | init script |
214 | | | :file:`/etc/init.d/syslog` |
215 +--------------------+--------------------+----------------------------------------+
216 | votebot | CAcert vote bot | init script (spring-boot) |
217 | | | :file:`/etc/init.d/cacert-votebot` |
218 +--------------------+--------------------+----------------------------------------+
219
220 Connected Systems
221 -----------------
222
223 * :doc:`monitor`
224
225 Outbound network connections
226 ----------------------------
227
228 * :doc:`infra02` as resolving nameserver
229 * :doc:`emailout` as SMTP relay
230 * :doc:`puppet` (tcp/8140) as Puppet master
231 * :doc:`proxyout` as HTTP proxy for APT
232
233 Security
234 ========
235
236 .. sshkeys::
237 :RSA: SHA256:MMH85BKVW7SUe7yyWjldjlggQD7dtXRuzO1XjZf0ZWc MD5:dc:8f:c3:d7:38:72:39:13:6f:97:db:3d:06:c6:83:db
238 :DSA: SHA256:c0pnKaB313x5rw6PRRh/iMJdfNECw0ruHnU9lkTJZbw MD5:52:73:d9:76:38:df:bd:18:37:4a:e3:9d:65:14:ac:39
239 :ECDSA: SHA256:uI+JjNUlGytuMVouJmhzdHt80jfA+SRYkWr5OORpT5Y MD5:61:9f:ca:c7:05:0e:46:a1:8f:6d:7f:3a:68:ce:5a:21
240 :ED25519: SHA256:aNRLwh0FVQyKq2IWO5JXyFubzwpMqxyWrSymdLgDYBw MD5:79:2a:a2:ca:99:23:50:2c:1c:48:cf:8c:fe:b9:51:e5
241
242 Dedicated user roles
243 --------------------
244
245 +---------+-------------------------------------+
246 | User | Purpose |
247 +=========+=====================================+
248 | votebot | used to run the votebot |
249 +---------+-------------------------------------+
250 | kiwiirc | used to run the Kiwi IRC web client |
251 +---------+-------------------------------------+
252
253 Non-distribution packages and modifications
254 -------------------------------------------
255
256 The Puppet agent package and a few dependencies are installed from the official
257 Puppet APT repository because the versions in Debian are too old to use modern
258 Puppet features.
259
260 Votebot
261 ~~~~~~~
262
263 The :ref:`Votebot <votebot>` is a custom developed IRC daemon that is packaged
264 as a self contained executable Spring-Boot jar archive. The bot is started via
265 init.
266
267 .. _votebot:
268
269 .. topic:: Votebot
270
271 The vote bot is a Java based IRC bot developed at
272 https://git.cacert.org/gitweb/?p=cacert-votebot.git and built at
273 https://jenkins.cacert.org/job/cacert-votebot/. The bot is started
274 automatically via its init script.
275
276 Kiwi IRC
277 ~~~~~~~~
278
279 Kiwi IRC is a nodejs based IRC web client. The software has been installed via
280 `Github <https://github.com/prawnsalad/KiwiIRC.git>`_ and npm as described in
281 https://kiwiirc.com/docs/installing and
282 https://kiwiirc.com/docs/installing/proxies. The software is running on the
283 local loopback interface and Internet access is provided by an nginx reverse
284 proxy that also provides https connectivity. NodeJS and npm have been installed
285 from Debian packages.
286
287 .. todo:: setup init script for kiwiirc
288
289 Risk assessments on critical packages
290 -------------------------------------
291
292 Votebot is a Java based application and therefore Java security patches should
293 be applied as soon as they become available.
294
295 Kiwi IRC is nodejs based and uses some third party npm packages. The
296 application is kept behind a reverse proxy but it is advisable to make sure
297 that available updates are applied.
298
299 .. todo:: implement some update monitoring for Kiwi IRC
300
301 The system uses third party packages with a good security track record and
302 regular updates. The attack surface is small due to the tightly restricted
303 access to the system. The puppet agent is not exposed for access from outside
304 the system.
305
306 Critical Configuration items
307 ============================
308
309 The system configuration is managed via Puppet profiles. There should be no
310 configuration items outside of the Puppet repository.
311
312 .. todo:: move configuration of :doc:`ircserver` to Puppet code
313
314 Keys and X.509 certificates
315 ---------------------------
316
317 .. sslcert:: irc.cacert.org
318 :altnames: DNS:irc.cacert.org, DNS:ircserver.cacert.org
319 :certfile: /etc/ssl/public/irc.cacert.org.crt
320 :keyfile: /etc/ssl/private/irc.cacert.org.key
321 :serial: 1381E8
322 :expiration: Mar 16 09:35:36 2020 GMT
323 :sha1fp: 42:F6:7C:4E:0C:AC:8A:42:7D:9A:94:55:7E:73:7E:E9:40:5C:87:91
324 :issuer: CA Cert Signing Authority
325
326 .. index::
327 pair: inspircd; configuration
328
329 inspircd configuration
330 ----------------------
331
332 Inspircd is installed from a Debian package. It is configured via files in
333 :file:`/etc/inspircd/`. The main configuration file is :file:`inspircd.conf`.
334
335 .. index::
336 pair: atheme-services; configuration
337
338 atheme-services configuration
339 -----------------------------
340
341 Atheme-services is installed from a Debian package. It is configured via
342 :file:`/etc/atheme/atheme.conf`.
343
344 .. index::
345 pair: Kiwi IRC; configuration
346
347 Kiwi IRC configuration
348 ----------------------
349
350 Kiwi IRC configuration is kept in :file:`/home/kiwiirc/KiwiIRC/config.js`. When
351 the configuration is changed it can be applied by running:
352
353 .. code-block:: bash
354
355 sudo -s -u kiwi
356 cd ~/KiwiIRC
357 ./kiwi reconfig
358
359 nginx configuration
360 -------------------
361
362 The nginx configuration for reverse proxying Kiwi IRC is stored in
363 :file:`/etc/nginx/sites-available/default`. The same certificate and private
364 key are used for inspirced and nginx.
365
366 votebot configuration
367 ---------------------
368
369 Votebot is configured via spring-boot mechanisms. The current configuration file
370 is :file:`/home/votebot/cacert-votebot-0.1.0-SNAPSHOT.conf` and configures
371 Votebot to connect to localhost as VoteBot. The bot uses the channels #agm and
372 #vote. Channels could be changed in an :file:`application.properties` file in
373 :file:`/home/votebot`. The available property names can be found in the `git
374 repository`_.
375
376 .. _git repository: https://git.cacert.org/gitweb/?p=cacert-votebot.git;a=blob;f=src/main/resources/application.properties
377
378 Tasks
379 =====
380
381 Planned
382 -------
383
384 - None
385
386 Changes
387 =======
388
389 - Nothing planned
390
391 Additional documentation
392 ========================
393
394 .. seealso::
395
396 * :wiki:`Exim4Configuration`
397 * :wiki:`Technology/TechnicalSupport/EndUserSupport/IRC`
398
399 References
400 ----------
401
402 Atheme services website
403 https://atheme.github.io/atheme.html
404
405 Inspircd wiki
406 https://wiki.inspircd.org/
407
408 Kiwi IRC documentation
409 https://kiwiirc.com/docs/
410
411 nginx documentation
412 http://nginx.org/en/docs/
Sphinx based infrastructure documentation