.. index::
   single: Systems; Svn

===
Svn
===

Purpose
=======

This system hosts the `Subversion`_ repository that is used for some CAcert
documents and code that have not been moved to :doc:`git` yet, for example:

* Events
* Policy development
* Documentation

.. _Subversion: http://subversion.apache.org/

Application Links
-----------------

The Subversion repository (TLS client certificate authenticated HTTPS access)
   https://svn.cacert.org/CAcert/

Anonymous read-only HTTP access
   http://svn.cacert.org/CAcert/

Username/password authenticated HTTPS access
   https://nocert.svn.cacert.org/CAcert/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Subversion    | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* svn-admin@cacert.org

Additional People
-----------------

:ref:`Mario Lipinski <people_mario>` has :program:`sudo` access on that machine
too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.238`
:IP Intranet: :ip:v4:`172.16.2.15`
:IP Internal: :ip:v4:`10.0.0.20`
:IPv6: :ip:v6:`2001:7b8:616:162:2::15`
:MAC address: :mac:`00:16:3e:13:87:bb` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Svn

========================== ======== ============================================
Name                       Type     Content
========================== ======== ============================================
svn.cacert.org.            IN SSHFP 1 1 1128972FB54F927477A781718E2F9C114E9CA383
svn.cacert.org.            IN SSHFP 2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
svn.cacert.org.            IN A     213.154.225.238
cert.svn.cacert.org.       IN CNAME svn.cacert.org.
nocert.svn.cacert.org.     IN CNAME svn.cacert.org.
========================== ======== ============================================

.. todo:: add AAAA record for IPv6 address

.. todo:: the SSHFP records above cover only the RSA (algorithm 1) and DSA
   (algorithm 2) host keys, each with a SHA-1 (type 1) fingerprint. The ECDSA
   (algorithm 3) and Ed25519 (algorithm 4) host keys listed in the Security
   section have no record, so a client that negotiates one of them gains
   nothing from ``VerifyHostKeyDNS``. Publish SHA-256 (type 2) records for all
   four keys; ``ssh-keygen -r svn.cacert.org`` run on the host prints them.

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.8

* Debian GNU/Linux 8.8

Applicable Documentation
------------------------

Access to specific paths in the repository is granted on request if approved by
team leaders/officers.

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA              |
+----------+-----------+-----------+-----------------------------------------+
| 80/tcp   | http      | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 443/tcp  | https     | ANY       | application                             |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: Apache
   single: Exim
   single: Puppet agent
   single: cron
   single: nrpe
   single: openssh

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for      | init script                            |
|                    | Subversion         | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | configuration      | init script                            |
|                    | management agent   | :file:`/etc/init.d/puppet`             |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* Connection from :doc:`blog` because blog uses some resources served from svn
* Connection from https://www.cacert.org/ because blog posts are embedded there
* :doc:`monitor`

Outbound network connections
----------------------------

* crl.cacert.org (rsync) for fetching CRLs
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT

Security
========

.. sshkeys::
   :RSA: df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
   :DSA: 07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc
   :ECDSA: f9:10:2c:bb:1d:2f:d4:c4:b3:74:b6:f9:26:4c:64:54
   :ED25519: 56:88:68:0d:3a:32:13:6b:da:bd:ae:d7:cc:9b:b8:f5


Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

Risk assessments on critical packages
-------------------------------------

Apache httpd is configured with only the modules required for TLS and
Subversion enabled, and nothing else, to keep its attack surface small.

The only third party packages are the Puppet agent and its dependencies (see
above); they have a good security track record and receive regular updates.
Access to the system is tightly restricted to the services listed under
Listening services, which keeps the attack surface small. The Puppet agent opens
no listening port and only initiates outbound connections to :doc:`puppet`, so
it is not reachable from outside the system.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: svn.cacert.org
   :altnames: DNS:cert.svn.cacert.org, DNS:nocert.svn.cacert.org, DNS:svn.cacert.org
   :certfile: /etc/apache2/ssl/svn.cacert.org.crt.pem
   :keyfile: /etc/apache2/ssl/svn.cacert.org.key.pem
   :serial: 028B8D
   :expiration: Mar 24 10:57:53 18 GMT
   :sha1fp: E2:E2:26:B3:5D:8A:FA:96:C0:94:A2:E5:11:9D:89:C7:AC:C7:B3:2D
   :issuer: CAcert Class 3 Root

* :file:`/etc/apache2/ssl/cacert-certs.pem`: CAcert.org Class 1 and Class 3 CA
  certificates (the CAs accepted as issuers of client certificates)
* :file:`/etc/apache2/ssl/cacert-chain.pem`: CAcert.org Class 1 certificate
  (certificate chain sent along with the server certificate)

.. todo:: the server certificate is issued by the CAcert Class 3 Root, which is
   itself signed by the Class 1 Root. Check that the chain sent to clients
   contains the Class 3 certificate, otherwise clients that only trust the
   Class 1 Root cannot build a path to the server certificate.

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The main configuration files for Apache httpd are:

* :file:`/etc/apache2/sites-available/cert.svn.cacert.org`

  Defines the https VirtualHost for IPv4 and IPv6 on port 443 using TLS client
  certificate authentication. The SNI server names svn.cacert.org and
  cert.svn.cacert.org are handled by the VirtualHost configuration in this
  file.

* :file:`/etc/apache2/sites-available/nocert.svn.cacert.org`

  Defines the https VirtualHost for IPv4 and IPv6 on port 443 using
  username/password authentication. The SNI server name nocert.svn.cacert.org
  is handled by the VirtualHost configuration in this file.

* :file:`/etc/apache2/sites-available/000-default`

  Defines the http read-only VirtualHost for IPv4 and IPv6 on port 80.

These files include the following files to configure Subversion and
authentication/authorization:

* :file:`/etc/apache2/sites-available/ssl_config.include`

  contains the VirtualHost specific TLS configuration

* :file:`/etc/apache2/sites-available/svn_anonymous_config.include`

  configures anonymous SVN access. No password file is defined, so only the
  repository paths that the authorization file opens to everyone (``*``) are
  reachable; paths that require an authenticated user cannot be accessed
  through this VirtualHost.

* :file:`/etc/apache2/sites-available/svn_pwauth_config.include`

  configures username/password authenticated access to SVN using the password
  file :file:`/srv/dav_svn.passwd`.

* :file:`/etc/apache2/sites-available/svn_certauth_config.include`

  configures TLS client certificate authenticated access to SVN, using the first
  email address in the client certificate's Subject Distinguished Name as the
  user name for authorization.

Subversion configuration
------------------------

Subversion authorization (aliases, groups and ACLs) is configured in
:file:`/srv/dav_svn.authz` in the format specified in `path based authorization
<http://svnbook.red-bean.com/de/1.8/svn.serverconfig.pathbasedauthz.html>`_ in
the Subversion book.

The repository data is stored in :file:`/srv/svnrepo`.
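
Mistakes in the authorization file (a misspelled group name, a rule that
opens a path to ``*``) only show up when somebody tries the access. The Python
script below is an added example, not CAcert tooling and not part of
Subversion: it parses a file in this format and evaluates the effective access
of a user, walking from the requested path towards ``/`` as the Subversion
book describes. The rule resolution it models (repository-specific
``[repo:/path]`` sections before ``[/path]`` at each level; inside a section
every line that applies to the user contributes, and a permission withheld by
any of them is withheld) is this editor's reading of the pre-1.10 implementation
shipped with Debian 8 and is stated as an assumption; keeping the rules in a
section non-overlapping makes the file behave the same on every Subversion
version. The sample file, user names and paths are constructed and are not the
contents of :file:`/srv/dav_svn.authz`. The anonymous case (user ``None``) also
shows why the anonymous VirtualHost only reaches paths opened to ``*``.

```python
"""Evaluate Subversion path-based authz rules (the dav_svn.authz format).

Added example, not CAcert's or Subversion's code. Assumption: rule resolution
as in the Subversion 1.8 series (Debian 8):
  * walk from the requested path towards "/"; at each level consult the
    repository-specific section [repo:/path] and then [/path]; the first
    level with an applicable line settles the decision;
  * inside one section every applicable line contributes, and a permission
    withheld by any of them is withheld;
  * "*" matches everyone (anonymous included), "$authenticated" and
    "$anonymous" their obvious sets, "@group" and "&alias" expand, and a
    leading "~" negates the entry that follows.
"""
import configparser

# Constructed sample file: users, groups and paths are illustrative only.
SAMPLE_AUTHZ = """\
[aliases]
alice = alice@example.org

[groups]
policy = &alice, bob@example.org, carol@example.org
admins = carol@example.org

[/]
* = r

[CAcert:/policy]
@policy = rw

[CAcert:/policy/drafts]
~@admins =

[CAcert:/events]
$authenticated = rw
"""


class Authz:
    def __init__(self, text):
        cp = configparser.RawConfigParser(delimiters=("=",), allow_no_value=True)
        cp.optionxform = str  # rule keys and user names are case-sensitive
        cp.read_string(text)
        self.aliases = dict(cp.items("aliases")) if cp.has_section("aliases") else {}
        self.groups = {}
        if cp.has_section("groups"):
            for name, members in cp.items("groups"):
                self.groups[name] = [m.strip() for m in members.split(",") if m.strip()]
        self.sections = {s: dict(cp.items(s)) for s in cp.sections()
                         if s not in ("aliases", "groups")}

    def matches(self, entry, user, _seen=()):
        """Does a rule key or group member designate `user` (None = anonymous)?"""
        if entry.startswith("~"):
            return not self.matches(entry[1:], user, _seen)
        if entry == "*":
            return True
        if entry == "$authenticated":
            return user is not None
        if entry == "$anonymous":
            return user is None
        if entry.startswith("&"):
            return self.aliases.get(entry[1:]) == user
        if entry.startswith("@"):
            if entry in _seen:  # a group that (indirectly) contains itself
                return False
            return any(self.matches(m, user, _seen + (entry,))
                       for m in self.groups.get(entry[1:], []))
        return entry == user

    def _section_bits(self, section, user):
        """Permissions granted and withheld by every applicable line of a section."""
        allow, deny = set(), set()
        for key, value in self.sections.get(section, {}).items():
            if self.matches(key, user):
                granted = set(value or "") & {"r", "w"}  # "rw" -> {r, w}; "" -> {}
                allow |= granted
                deny |= {"r", "w"} - granted
        return allow, deny

    def check(self, repo, path, user, perm):
        """True if `user` (None = anonymous) may `perm` ('r' or 'w') repo:path."""
        assert perm in ("r", "w")
        path = "/" + path.strip("/")
        while True:
            allow, deny = set(), set()
            for section in (f"{repo}:{path}", path):
                a, d = self._section_bits(section, user)
                allow, deny = allow | a, deny | d
                if perm in deny:  # a withheld bit settles it at this level
                    return False
                if perm in allow:
                    return True
            if path == "/":
                return False  # no rule anywhere: default deny
            path = path.rsplit("/", 1)[0] or "/"


def access_report(authz, repo, path, users):
    """Effective permission string ('r', 'rw' or '-') per user for one path."""
    report = {}
    for user in users:
        bits = "".join(p for p in "rw" if authz.check(repo, path, user, p))
        report[user or "<anonymous>"] = bits or "-"
    return report


if __name__ == "__main__":
    az = Authz(SAMPLE_AUTHZ)
    who = [None, "alice@example.org", "carol@example.org"]
    for p in ("/events/2018", "/policy/CCA.txt", "/policy/drafts/new.txt"):
        print(p, access_report(az, "CAcert", p, who))
```

Run it against a candidate file (``Authz(open("dav_svn.authz").read())``) with
the users and paths a change is meant to affect before copying the file into
place; the ``~@admins =`` line shows how a more specific path withdraws access
inherited from ``[CAcert:/policy]`` from everyone except the admins group, and
the anonymous rows show that only paths opened to ``*`` are readable without
credentials.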

CRL update job
--------------

CRLs are updated by :file:`/etc/cron.daily/fetchcrls`, which fetches them via
rsync from crl.cacert.org (see Outbound network connections above).


Tasks
=====

Planned
-------

The configuration of this system will be migrated to a setup fully managed by
Puppet.

X.509 Auth for policy
---------------------

* The Documentation Officer has endorsed it
* Waiting for the organisation assurers' position on the organisation assurer
  policy questions

Mail notifications
------------------

* commit hooks on policy to policy list?

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`
   * :wiki:`Technology/KnowledgeBase/ClientCerts#SVN`
   * :wiki:`SystemAdministration/Systems/Svn/Setup`

References
----------

* http://svnbook.red-bean.com/en/1.5/svn.reposadmin.html