Add web and webstatic to Puppet
[cacert-infradocs.git] / docs / systems / svn.rst
.. index::
   single: Systems; Svn

===
Svn
===

Purpose
=======

This system hosts the `Subversion`_ repository that is used for some CAcert
documents and code that have not been moved to :doc:`git` yet, for example:

* Events
* Policy development
* Documentation

.. _Subversion: http://subversion.apache.org/

Application Links
-----------------

The Subversion repository
   https://svn.cacert.org/CAcert/

Anonymous read-only HTTP access
   http://svn.cacert.org/CAcert/

Username/password authenticated HTTPS access
   https://nocert.svn.cacert.org/CAcert/


Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Subversion    | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* svn-admin@cacert.org

Additional People
-----------------

:ref:`Mario Lipinski <people_mario>` has :program:`sudo` access on that machine
too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on the physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.238`
:IP Intranet: :ip:v4:`172.16.2.15`
:IP Internal: :ip:v4:`10.0.0.20`
:IPv6: :ip:v6:`2001:7b8:616:162:2::15`
:MAC address: :mac:`00:16:3e:13:87:bb` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Svn

========================== ======== ============================================
Name                       Type     Content
========================== ======== ============================================
svn.cacert.org.            IN SSHFP 1 1 1128972FB54F927477A781718E2F9C114E9CA383
svn.cacert.org.            IN SSHFP 2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
svn.cacert.org.            IN A     213.154.225.238
cert.svn.cacert.org.       IN CNAME svn.cacert.org.
nocert.svn.cacert.org      IN CNAME svn.cacert.org
========================== ======== ============================================

.. todo:: add AAAA record for IPv6 address

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

Access to specific paths in the repository is granted on request if approved by
team leaders/officers.
122
Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 443/tcp  | https     | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: apache httpd
   single: cron
   single: exim
   single: nrpe
   single: openssh
   single: puppet agent
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| Apache httpd       | Webserver for      | init script                            |
|                    | Subversion         | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | configuration      | init script                            |
|                    | management agent   | :file:`/etc/init.d/puppet`             |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* Connection from :doc:`blog`, because the blog uses some resources served from
  svn
* Connection from https://www.cacert.org/, because blog posts are embedded there
* :doc:`monitor`

Outbound network connections
----------------------------

* crl.cacert.org (rsync) for fetching CRLs
* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
Security
========

.. sshkeys::
   :RSA: SHA256:8iOQQGmuqi4OrF2Qkqt9665w8G7Dwl6U9J8bFfYz7V0 MD5:df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
   :DSA: SHA256:Sh/3OWrodFWc8ZbVTV1/aJDbpt5ztGrwSSWLECTNrOI MD5:07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc
   :ECDSA: SHA256:VvsTuiTYiz3P194MM9bwteZcKwyLi/RMWHd0a3TEmYY MD5:f9:10:2c:bb:1d:2f:d4:c4:b3:74:b6:f9:26:4c:64:54
   :ED25519: SHA256:Oga06gc4LasN/lTb6SZzlYfg6HFeMn5Rgnm+G9hHtzw MD5:56:88:68:0d:3a:32:13:6b:da:bd:ae:d7:cc:9b:b8:f5


Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

Risk assessments on critical packages
-------------------------------------

Apache httpd is configured with the minimum set of modules needed for TLS and
Subversion, and nothing else, to reduce potential security risks.

The system uses third-party packages with a good security track record and
regular updates. The attack surface is small because access to the system is
tightly restricted. The Puppet agent is not exposed to access from outside the
system.
225
Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`svn` to Puppet code

Keys and X.509 certificates
---------------------------

.. sslcert:: svn.cacert.org
   :altnames: DNS:cert.svn.cacert.org, DNS:nocert.svn.cacert.org, DNS:svn.cacert.org
   :certfile: /etc/apache2/ssl/svn.cacert.org.crt.pem
   :keyfile: /etc/apache2/ssl/svn.cacert.org.key.pem
   :serial: 02C023
   :expiration: Mar 16 10:36:50 2020 GMT
   :sha1fp: 54:5D:E2:B8:81:1A:A8:79:43:55:79:E9:5B:B8:FC:0F:A0:F5:C7:D3
   :issuer: CAcert Class 3 Root

* :file:`/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA
  certificates (allowed CA certificates for client certificates)
* :file:`/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate
  (certificate chain for the server certificate)

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The main configuration files for Apache httpd are:

* :file:`/etc/apache2/sites-available/cert.svn.cacert.org`

  Defines the https VirtualHost for IPv4 and IPv6 on port 443 using client
  certificate authentication. The SNI server names svn.cacert.org and
  cert.svn.cacert.org are handled by the VirtualHost configuration in this
  file.

* :file:`/etc/apache2/sites-available/nocert.svn.cacert.org`

  Defines the https VirtualHost for IPv4 and IPv6 on port 443 using
  username/password authentication. The SNI server name nocert.svn.cacert.org
  is handled by the VirtualHost configuration in this file.

* :file:`/etc/apache2/sites-available/000-default`

  Defines the http read-only VirtualHost for IPv4 and IPv6 on port 80.

These files include the following files to configure Subversion and
authentication/authorization:

* :file:`/etc/apache2/sites-available/ssl_config.include`

  Contains the VirtualHost-specific TLS configuration.

* :file:`/etc/apache2/sites-available/svn_anonymous_config.include`

  Configures anonymous SVN access without defining a password file; as a
  result, SVN paths that require authentication are not accessible through
  this VirtualHost.

* :file:`/etc/apache2/sites-available/svn_pwauth_config.include`

  Configures username/password authenticated access to SVN using the password
  file :file:`/srv/dav_svn.passwd`.

* :file:`/etc/apache2/sites-available/svn_certauth_config.include`

  Configures TLS client certificate authenticated access to SVN, using the
  first email address in the client certificate's Subject Distinguished Name
  as the user name.
300
Subversion configuration
------------------------

Subversion authorization (aliases, groups and ACLs) is configured in
:file:`/srv/dav_svn.authz` in the format specified in the `path-based
authorization
<http://svnbook.red-bean.com/de/1.8/svn.serverconfig.pathbasedauthz.html>`_
chapter of the Subversion book.
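
Because access to repository paths is granted per request, it is useful to be able to answer "who can read or write this path" directly from the authz file. The following is an added example, not CAcert's own tooling: a minimal evaluator for the path-based authz format, run over a constructed sample file (the rules, the users and the alias ``jandd@example.org`` are made up). It uses a simplified rule model (the nearest path section decides; within a section the most specific matching rule wins) and does not reproduce every detail of mod_authz_svn.

```python
import configparser
SAMPLE_AUTHZ = """\
# constructed sample in the /srv/dav_svn.authz format, not the real file
[aliases]
jandd = jandd@example.org
[groups]
policy = &jandd, sally
[/]
* = r
[/policy]
@policy = rw
* =
"""

class SvnAuthz:
    # Simplified model: the nearest path section decides; inside it the most
    # specific matching rule wins (user/&alias > @group > *). No "~" negation.
    def __init__(self, text):
        cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
        cp.optionxform = str  # user names are case-sensitive
        cp.read_string(text)
        self.aliases = dict(cp["aliases"]) if "aliases" in cp else {}
        self.groups = {g: [m.strip() for m in v.split(",")]
                       for g, v in (cp["groups"].items() if "groups" in cp else [])}
        self.paths = {s: dict(cp[s]) for s in cp.sections() if s.startswith("/")}

    def _rank(self, rule, user):  # specificity if rule applies to user, else None
        if rule == "*":
            return 0  # applies to everyone, anonymous (user=None) included
        if user is None:
            return None
        if rule.startswith("@"):  # group member: directly, via alias or nested group
            members = self.groups.get(rule[1:], [])
            return 1 if any(self._rank(m, user) is not None for m in members) else None
        if rule.startswith("&"):
            rule = self.aliases.get(rule[1:])
        return 2 if rule == user else None

    def permissions(self, user, path):  # effective rights on path: '', 'r' or 'rw'
        path = "/" + "/".join(p for p in path.split("/") if p)
        while True:
            best_rank, best = -1, None
            for rule, perm in self.paths.get(path, {}).items():
                rank = self._rank(rule, user)
                if rank is not None and rank >= best_rank:
                    best_rank, best = rank, (perm or "").strip()
            if best is not None or path == "/":
                return best or ""
            path = path.rsplit("/", 1)[0] or "/"  # walk up to the nearest parent
```

With the sample, anonymous users can read everything below ``/`` but nothing below ``/policy``, while members of the ``policy`` group (by name or through the alias) get read-write access there.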

The repository data is stored in :file:`/srv/svnrepo`.

CRL update job
--------------

CRLs are updated by :file:`/etc/cron.daily/fetchcrls`.


Tasks
=====

Planned
-------

The configuration of this system will be migrated to a setup fully managed by
Puppet.

X.509 Auth for policy
---------------------

* Documentation officer has endorsed
* Waiting on the Org-assurers' word as to the org-assurer policy details

Mail notifications
------------------

* Commit hooks on the policy tree sending notifications to the policy list?

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`
   * :wiki:`Technology/KnowledgeBase/ClientCerts#SVN`
   * :wiki:`SystemAdministration/Systems/Svn/Setup`

References
----------

* http://svnbook.red-bean.com/en/1.8/svn.reposadmin.html