Update Debian release information
[cacert-infradocs.git] / docs / systems / svn.rst
.. index::
   single: Systems; Svn

===
Svn
===

Purpose
=======

This system hosts the `Subversion`_ repository that is used for some CAcert
documents and code that has not been moved to :doc:`git` yet, for example:

* Events
* Policy development
* Documentation

.. _Subversion: http://subversion.apache.org/

Application Links
-----------------

The subversion repository
   https://svn.cacert.org/CAcert/ (TLS client certificate authenticated HTTPS
   access, also reachable as https://cert.svn.cacert.org/CAcert/)

Anonymous read-only HTTP access
   http://svn.cacert.org/CAcert/

Username/password authenticated HTTPS access
   https://nocert.svn.cacert.org/CAcert/


Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Subversion    | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* svn-admin@cacert.org

Additional People
-----------------

:ref:`Mario Lipinski <people_mario>` has :program:`sudo` access on that machine
too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.238`
:IP Intranet: :ip:v4:`172.16.2.15`
:IP Internal: :ip:v4:`10.0.0.20`
:IPv6: :ip:v6:`2001:7b8:616:162:2::15`
:MAC address: :mac:`00:16:3e:13:87:bb` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Svn

========================== ======== ============================================
Name                       Type     Content
========================== ======== ============================================
svn.cacert.org.            IN SSHFP 1 1 1128972FB54F927477A781718E2F9C114E9CA383
svn.cacert.org.            IN SSHFP 2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
svn.cacert.org.            IN A     213.154.225.238
cert.svn.cacert.org.       IN CNAME svn.cacert.org.
nocert.svn.cacert.org.     IN CNAME svn.cacert.org.
========================== ======== ============================================

.. todo:: add AAAA record for IPv6 address

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`
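
The SSHFP records above cover only the RSA (algorithm 1) and DSA (algorithm 2)
host keys, both with SHA-1 fingerprints (type 1); the ECDSA and ED25519 host
keys listed under Security have no records, although RFC 6594 and RFC 7479
define SHA-256 fingerprints (type 2) and the algorithm numbers 3 and 4 for them.
The following script, an added example that is not CAcert tooling, derives
SSHFP records from OpenSSH public key lines and compares them with a published
set; the host keys in it are constructed samples, not the real keys of
svn.cacert.org, and the owner name and comment fields are illustrative.

```python
"""Derive DNS SSHFP records from OpenSSH host keys and compare them with DNS.

Added example for this document, not CAcert tooling.  The host keys below are
constructed sample blobs, not the real keys of svn.cacert.org; on the host
itself, feed the lines of /etc/ssh/ssh_host_*_key.pub to sshfp_records() and
compare the result with the records served for svn.cacert.org.
"""
import base64
import hashlib
import struct

# Algorithm numbers: RFC 4255 (RSA, DSA), RFC 6594 (ECDSA), RFC 7479 (Ed25519).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(owner, pubkey_line, fptypes=(1, 2)):
    """SSHFP records for one line in ssh_host_*_key.pub format.

    The fingerprint is the hash of the raw public key blob, i.e. the
    base64-decoded second field, which is what ``ssh-keygen -r`` hashes too.
    Returns (owner, algorithm, fptype, uppercase hex digest) tuples.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError("unsupported key type %r" % keytype)
    # The blob starts with a length-prefixed copy of the key type; check it so
    # a mislabelled key is not fingerprinted under the wrong algorithm number.
    (namelen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + namelen] != keytype.encode("ascii"):
        raise ValueError("key blob does not match key type %r" % keytype)
    return [(owner, SSHFP_ALGORITHMS[keytype], fptype,
             SSHFP_FPTYPES[fptype](blob).hexdigest().upper())
            for fptype in fptypes]


def zone_lines(records):
    """Render records as zone-file lines like the DNS table in this document."""
    return ["%s IN SSHFP %d %d %s" % rec for rec in records]


def compare_with_dns(generated, published):
    """Return (missing, stale): records the host keys require but DNS lacks,
    and records DNS serves that match no current host key."""
    generated, published = set(generated), set(published)
    return generated - published, published - generated


def _sample_pubkey(keytype, payload):
    """Build a syntactically valid public key line around an arbitrary payload."""
    blob = struct.pack(">I", len(keytype)) + keytype.encode("ascii") + payload
    return "%s %s root@svn" % (keytype, base64.b64encode(blob).decode("ascii"))


# Constructed sample keys (not real key material): the Ed25519 blob carries a
# 32-byte zero "point", the ECDSA blob the curve name and a 65-byte dummy point.
SAMPLE_ED25519 = _sample_pubkey("ssh-ed25519", struct.pack(">I", 32) + b"\0" * 32)
SAMPLE_ECDSA = _sample_pubkey(
    "ecdsa-sha2-nistp256",
    struct.pack(">I", 8) + b"nistp256" + struct.pack(">I", 65) + b"\x04" + b"\x01" * 64)
# Records as published for svn.cacert.org in the DNS table of this document.
PUBLISHED = [
    ("svn.cacert.org.", 1, 1, "1128972FB54F927477A781718E2F9C114E9CA383"),
    ("svn.cacert.org.", 2, 1, "3A36E5DF06304C481F01FC723FD88A086E82D986"),
]


def main():
    generated = []
    for line in (SAMPLE_ED25519, SAMPLE_ECDSA):
        generated += sshfp_records("svn.cacert.org.", line)
    print("\n".join(zone_lines(generated)))
    missing, stale = compare_with_dns(generated, PUBLISHED)
    print("missing from DNS:", len(missing), "stale in DNS:", len(stale))


if __name__ == "__main__":
    main()
```

Records reported as missing need a DNS change (see the DNSChanges procedure
above); records reported as stale should be removed, because a stale record
keeps validating a host key the system no longer uses. Clients only consult
these records with ``VerifyHostKeyDNS`` enabled, and OpenSSH accepts them
automatically only when the answer is DNSSEC validated.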

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.8

* Debian GNU/Linux 8.8 (Jessie)

Applicable Documentation
------------------------

Access to specific paths in the repository is granted on request if approved by
team leaders/officers.

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application (anonymous read-only        |
|          |           |           | Subversion access)                      |
+----------+-----------+-----------+-----------------------------------------+
| 443/tcp  | https     | ANY       | application (client certificate or      |
|          |           |           | password authenticated Subversion       |
|          |           |           | access)                                 |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: Apache
   single: Exim
   single: Puppet agent
   single: cron
   single: nrpe
   single: openssh

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for      | init script                            |
|                    | Subversion         | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | configuration      | init script                            |
|                    | management agent   | :file:`/etc/init.d/puppet`             |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* Connection from :doc:`blog` because blog uses some resources served from svn
* Connection from https://www.cacert.org/ because blog posts are embedded there
* :doc:`monitor`

Outbound network connections
----------------------------

* crl.cacert.org (rsync) for getting CRLs
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* apt.puppetlabs.com as Debian repository for puppet packages

Security
========

.. sshkeys::
   :RSA: df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
   :DSA: 07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc
   :ECDSA: f9:10:2c:bb:1d:2f:d4:c4:b3:74:b6:f9:26:4c:64:54
   :ED25519: 56:88:68:0d:3a:32:13:6b:da:bd:ae:d7:cc:9b:b8:f5


Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

Risk assessments on critical packages
-------------------------------------

Apache httpd is configured with only the modules required for TLS and
Subversion access enabled and nothing else, to keep its attack surface small.

The third-party packages in use (the Puppet agent and its dependencies) have a
good security track record and receive regular updates. Beyond the HTTP and
HTTPS application ports, only SSH (for administrators) and NRPE (for the
monitoring host) are reachable, which keeps the attack surface small. The
Puppet agent is not exposed for access from outside the system; it only
connects out to the Puppet master.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: svn.cacert.org
   :altnames: DNS:cert.svn.cacert.org, DNS:nocert.svn.cacert.org, DNS:svn.cacert.org
   :certfile: /etc/apache2/ssl/svn.cacert.org.crt.pem
   :keyfile: /etc/apache2/ssl/svn.cacert.org.key.pem
   :serial: 028B8D
   :expiration: Mar 24 10:57:53 18 GMT
   :sha1fp: E2:E2:26:B3:5D:8A:FA:96:C0:94:A2:E5:11:9D:89:C7:AC:C7:B3:2D
   :issuer: CAcert Class 3 Root

* :file:`/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA
  certificates (the CA certificates accepted as issuers of client certificates)
* :file:`/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate
  (certificate chain for the server certificate)

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The main configuration files for Apache httpd are:

* :file:`/etc/apache2/sites-available/cert.svn.cacert.org`

  Defines the https VirtualHost for IPv4 and IPv6 on port 443 using client
  certificate authentication. The SNI server names svn.cacert.org and
  cert.svn.cacert.org are handled by the VirtualHost configuration in this
  file.

* :file:`/etc/apache2/sites-available/nocert.svn.cacert.org`

  Defines the https VirtualHost for IPv4 and IPv6 on port 443 using
  username/password authentication. The SNI server name nocert.svn.cacert.org
  is handled by the VirtualHost configuration in this file.

* :file:`/etc/apache2/sites-available/000-default`

  Defines the http read-only VirtualHost for IPv4 and IPv6 on port 80.

These files include the following files to configure Subversion and
authentication/authorization:

* :file:`/etc/apache2/sites-available/ssl_config.include`

  contains VirtualHost specific TLS configuration

* :file:`/etc/apache2/sites-available/svn_anonymous_config.include`

  configures anonymous SVN access; no password file is defined, so paths that
  require authentication according to the authorization file cannot be
  accessed through this VirtualHost

* :file:`/etc/apache2/sites-available/svn_pwauth_config.include`

  configures username/password authenticated access to SVN using the password
  file :file:`/srv/dav_svn.passwd`

* :file:`/etc/apache2/sites-available/svn_certauth_config.include`

  configures TLS client certificate authenticated access to SVN using the first
  email address in the client certificate's Subject Distinguished Name as the
  user name

Subversion configuration
------------------------

Subversion authorization (aliases, groups and ACLs) is configured in
:file:`/srv/dav_svn.authz` in the format specified in `path based authorization
<http://svnbook.red-bean.com/de/1.8/svn.serverconfig.pathbasedauthz.html>`_ in
the Subversion book.

The repository data is stored in :file:`/srv/svnrepo`.
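
The access decision mod_authz_svn derives from this file is easy to get wrong
when reviewing an access request: a rule in a more specific path section
overrides everything above it, but several rules matching one user within the
same section add up, so a user cannot be restricted below a group they belong
to by adding a user line next to the group line. The following evaluator is an
added example, not CAcert tooling; it implements those lookup rules and runs
them against a constructed sample in the format of :file:`/srv/dav_svn.authz`
(the repository name ``svnrepo``, the paths and the user names are assumptions,
not the contents of the real file).

```python
"""Evaluate Subversion path-based authorization (the authz file format).

Added example for this document, not CAcert tooling.  SAMPLE_AUTHZ is a
constructed file in the format of /srv/dav_svn.authz, not its real contents.
"""
import configparser
import posixpath


class SvnAuthz:
    """Decide access like mod_authz_svn (Subversion 1.8): walking from the
    requested path up to "/", the first level with a rule applying to the user
    decides ([repo:/path] is tried before [/path] at each level); within one
    section the rights of all applying rules are combined, so a user never
    gets less than a group they belong to; no applying rule means no access.
    """

    def __init__(self, text):
        cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
        cp.optionxform = str  # user and group names are case-sensitive
        cp.read_string(text)
        self.groups = {n: [m.strip() for m in v.split(",")]
                       for n, v in (cp.items("groups") if cp.has_section("groups") else [])}
        self.aliases = dict(cp.items("aliases")) if cp.has_section("aliases") else {}
        self.rules = {s: cp.items(s) for s in cp.sections() if s not in ("groups", "aliases")}

    def _in_group(self, user, group, seen):
        if group in seen:  # tolerate recursive group definitions
            return False
        seen.add(group)
        return any(self._in_group(user, m[1:], seen) if m.startswith("@")
                   else self._applies(m, user) for m in self.groups.get(group, []))

    def _applies(self, entry, user):
        """Does the left-hand side of a rule apply to user (None = anonymous)?"""
        if entry.startswith("~"):  # inverted match
            return not self._applies(entry[1:], user)
        if entry == "*":
            return True
        if entry == "$anonymous":
            return user is None
        if entry == "$authenticated":
            return user is not None
        if user is None:  # names, groups and aliases never match anonymous
            return False
        if entry.startswith("@"):
            return self._in_group(user, entry[1:], set())
        if entry.startswith("&"):
            return self.aliases.get(entry[1:]) == user
        return entry == user

    def _section_rights(self, section, user):
        """Union of the rights section grants user, or None if no rule applies."""
        rights = None
        for entry, value in self.rules.get(section, []):
            if self._applies(entry, user):
                rights = (rights or set()) | set(value.strip())
        return rights

    def check(self, repo, path, user, access):
        """True if user may perform access ("r" or "w") on path in repo."""
        path = posixpath.normpath("/" + path.strip("/"))
        while True:
            for section in (repo + ":" + path, path):
                rights = self._section_rights(section, user)
                if rights is not None:
                    return access in rights
            if path == "/":
                return False
            path = posixpath.dirname(path)


# Constructed sample.  User names are e-mail addresses, matching the client
# certificate VirtualHost, which uses the certificate's first e-mail address.
SAMPLE_AUTHZ = """\
[aliases]
harry = harry@example.org
[groups]
policy-editors = &harry, sally@example.org
events = @policy-editors, tom@example.org
[/]
* = r
[svnrepo:/Policy]
@policy-editors = rw
sally@example.org = r
[svnrepo:/Policy/drafts]
sally@example.org = r
[svnrepo:/Events/private]
* =
@events = rw
"""

if __name__ == "__main__":
    authz = SvnAuthz(SAMPLE_AUTHZ)
    # sally: rw on /Policy (the group line adds up), only r below drafts; harry
    # keeps rw below drafts; "* =" removes anonymous read under Events/private
    # in svnrepo only, other repositories still inherit the "/" rule.
    for repo, path, user, access in [
        ("svnrepo", "/Policy", "sally@example.org", "w"),
        ("svnrepo", "/Policy/drafts/x", "sally@example.org", "w"),
        ("svnrepo", "/Policy/drafts/x", "harry@example.org", "w"),
        ("svnrepo", "/Events/private/list", None, "r"),
        ("other", "/Events/private/list", None, "r"),
    ]:
        print(repo, path, user or "<anonymous>", access, authz.check(repo, path, user, access))
```

``check(repo, path, user, access)`` takes ``None`` as the user for anonymous
access. The repository name used in ``[repo:/path]`` sections is, for an
``SVNPath`` setup, the base name of the repository directory; ``svnrepo`` is
used here on that assumption.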

CRL update job
--------------

CRLs for the CAcert CA certificates are updated by
:file:`/etc/cron.daily/fetchcrls`, which fetches them from crl.cacert.org via
rsync (see the outbound network connections above).


Tasks
=====

Planned
-------

The configuration of this system will be migrated to a setup fully managed by
Puppet.

X.509 Auth for policy
---------------------

* The Documentation Officer has endorsed this
* Waiting on word from the Organisation Assurers regarding the organisation
  assurer policy

Mail notifications
------------------

* commit hooks on policy to policy list?

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`
   * :wiki:`Technology/KnowledgeBase/ClientCerts#SVN`
   * :wiki:`SystemAdministration/Systems/Svn/Setup`

References
----------

* http://svnbook.red-bean.com/en/1.5/svn.reposadmin.html