Improve system documentation
[cacert-infradocs.git] / docs / systems / svn.rst
.. index::
   single: Systems; Svn

===
Svn
===

Purpose
=======

This system hosts the `Subversion`_ repository that is used for some CAcert
documents and code that has not been moved to :doc:`git` yet, for example:

* Events
* Policy development
* Documentation

.. _Subversion: http://subversion.apache.org/

Application Links
-----------------

The subversion repository
   https://svn.cacert.org/CAcert/

Anonymous read-only HTTP access
   http://svn.cacert.org/CAcert/

Username/password authenticated HTTPS access
   https://nocert.svn.cacert.org/CAcert/


Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+---------------+---------------------+
| Application   | Administrator(s)    |
+===============+=====================+
| Subversion    | :ref:`people_jandd` |
+---------------+---------------------+

Contact
-------

* svn-admin@cacert.org

Additional People
-----------------

:ref:`Mario Lipinski <people_mario>` has :program:`sudo` access on that machine
too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.238`
:IP Intranet: :ip:v4:`172.16.2.15`
:IP Internal: :ip:v4:`10.0.0.20`
:IPv6: :ip:v6:`2001:7b8:616:162:2::15`
:MAC address: :mac:`00:16:3e:13:87:bb` (eth0)

.. seealso::

   See :doc:`../network`

.. index::
   single: Monitoring; Svn

Monitoring
----------

:internal checks: :monitor:`svn.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; Svn

========================== ======== ============================================
Name                       Type     Content
========================== ======== ============================================
svn.cacert.org.            IN SSHFP 1 1 1128972FB54F927477A781718E2F9C114E9CA383
svn.cacert.org.            IN SSHFP 2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
svn.cacert.org.            IN A     213.154.225.238
cert.svn.cacert.org.       IN CNAME svn.cacert.org.
nocert.svn.cacert.org      IN CNAME svn.cacert.org
========================== ======== ============================================

.. todo:: add AAAA record for IPv6 address

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.6

* Debian GNU/Linux 9.6

Applicable Documentation
------------------------

Access to specific paths in the repository is granted on request if approved by
team leaders/officers.

Services
========

Listening services
------------------

+----------+-----------+-----------+----------------------------+
| Port     | Service   | Origin    | Purpose                    |
+==========+===========+===========+============================+
| 22/tcp   | ssh       | ANY       | admin console access       |
+----------+-----------+-----------+----------------------------+
| 25/tcp   | smtp      | local     | mail delivery to local MTA |
+----------+-----------+-----------+----------------------------+
| 80/tcp   | http      | ANY       | application                |
+----------+-----------+-----------+----------------------------+
| 443/tcp  | https     | ANY       | application                |
+----------+-----------+-----------+----------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service  |
+----------+-----------+-----------+----------------------------+

Running services
----------------

.. index::
   single: apache httpd
   single: cron
   single: exim
   single: nrpe
   single: openssh
   single: puppet agent
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| Apache httpd       | Webserver for      | init script                            |
|                    | Subversion         | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| Exim               | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/exim4`              |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | configuration      | init script                            |
|                    | management agent   | :file:`/etc/init.d/puppet`             |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* Connection from :doc:`blog` because blog uses some resources served from svn
* Connection from https://www.cacert.org/ because blog posts are embedded there
* :doc:`monitor`

Outbound network connections
----------------------------

* crl.cacert.org (rsync) for getting CRLs
* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT

Security
========

.. sshkeys::
   :RSA: SHA256:8iOQQGmuqi4OrF2Qkqt9665w8G7Dwl6U9J8bFfYz7V0 MD5:df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
   :DSA: SHA256:Sh/3OWrodFWc8ZbVTV1/aJDbpt5ztGrwSSWLECTNrOI MD5:07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc
   :ECDSA: SHA256:VvsTuiTYiz3P194MM9bwteZcKwyLi/RMWHd0a3TEmYY MD5:f9:10:2c:bb:1d:2f:d4:c4:b3:74:b6:f9:26:4c:64:54
   :ED25519: SHA256:Oga06gc4LasN/lTb6SZzlYfg6HFeMn5Rgnm+G9hHtzw MD5:56:88:68:0d:3a:32:13:6b:da:bd:ae:d7:cc:9b:b8:f5


Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

Risk assessments on critical packages
-------------------------------------

Apache httpd is configured with a minimum of enabled modules to allow TLS and
Subversion but nothing else to reduce potential security risks.

The system uses third party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system. The puppet agent is not exposed for access from outside
the system.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`svn` to Puppet code

Keys and X.509 certificates
---------------------------

.. sslcert:: svn.cacert.org
   :altnames: DNS:cert.svn.cacert.org, DNS:nocert.svn.cacert.org, DNS:svn.cacert.org
   :certfile: /etc/apache2/ssl/svn.cacert.org.crt.pem
   :keyfile: /etc/apache2/ssl/svn.cacert.org.key.pem
   :serial: 02C023
   :expiration: Mar 16 10:36:50 2020 GMT
   :sha1fp: 54:5D:E2:B8:81:1A:A8:79:43:55:79:E9:5B:B8:FC:0F:A0:F5:C7:D3
   :issuer: CAcert Class 3 Root

* :file:`/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
* :file:`/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The main configuration files for Apache httpd are:

* :file:`/etc/apache2/sites-available/cert.svn.cacert.org`

  Defines the https VirtualHost for IPv4 and IPv6 on port 443 using client
  certificate authentication. The SNI server names svn.cacert.org and
  cert.svn.cacert.org are handled by the VirtualHost configuration in this
  file.

* :file:`/etc/apache2/sites-available/nocert.svn.cacert.org`

  Defines the https VirtualHost for IPv4 and IPv6 on port 443 using
  username/password authentication. The SNI server name nocert.svn.cacert.org
  is handled by the VirtualHost configuration in this file.

* :file:`/etc/apache2/sites-available/000-default`

  Defines the http read-only VirtualHost for IPv4 and IPv6 on port 80.

These files include the following files to configure Subversion and
authentication/authorization:

* :file:`/etc/apache2/sites-available/ssl_config.include`

  contains VirtualHost specific TLS configuration

* :file:`/etc/apache2/sites-available/svn_anonymous_config.include`

  configures anonymous SVN access; no password file is defined, so SVN paths
  that require authentication are not reachable through this VirtualHost

* :file:`/etc/apache2/sites-available/svn_pwauth_config.include`

  configures username/password authenticated access to SVN using the password
  file :file:`/srv/dav_svn.passwd`.

* :file:`/etc/apache2/sites-available/svn_certauth_config.include`

  configures TLS client certificate authenticated access to SVN using the first
  email address in the client certificate's Subject Distinguished Name as user
  name

Subversion configuration
------------------------

Subversion authorization (aliases, groups and ACLs) is configured in
:file:`/srv/dav_svn.authz` in the format specified in `path based authorization
<http://svnbook.red-bean.com/de/1.8/svn.serverconfig.pathbasedauthz.html>`_ in
the Subversion book.

The repository data is stored in :file:`/srv/svnrepo`.
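
As an added illustration of the authz format (example code written for this
page, not CAcert's own :file:`/srv/dav_svn.authz` and not code from Subversion
itself), the following script parses a constructed authz file with aliases,
nested groups and path sections and resolves a user's effective rights on a
path. User names are e-mail addresses, as they are for client-certificate users
on this system; the order it assumes when several rules in one section match
the same user (named user over ``@group`` over ``*``) is a simplification to be
checked against the Subversion version in use.

```python
import configparser
# Constructed sample authz file, not the real /srv/dav_svn.authz.
SAMPLE_AUTHZ = """[aliases]
jandd = jan@example.org
[groups]
policy = &jandd, alice@example.org
editors = @policy, bob@example.org
[/]
* = r
[/policy]
@editors = rw
[/policy/drafts]
* =
@policy = rw
"""

def parse_authz(text):
    """Return (aliases, groups, {path section: [(who, rights), ...]})."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of user names, groups and paths
    cp.read_string(text)
    aliases = dict(cp["aliases"]) if cp.has_section("aliases") else {}
    groups = {g: [m.strip() for m in v.split(",")]
              for g, v in (cp["groups"].items() if cp.has_section("groups") else [])}
    rules = {s: list(cp[s].items()) for s in cp.sections() if s.startswith("/")}
    return aliases, groups, rules

def applies(who, user, aliases, groups):
    """Does rule entry `who` match `user`? @groups may nest groups and &aliases."""
    if who == "*":
        return True
    if who.startswith("&"):
        return aliases.get(who[1:]) == user
    if who.startswith("@"):
        return any(applies(m, user, aliases, groups) for m in groups.get(who[1:], []))
    return who == user

def access(user, path, authz):
    """Rights ('', 'r' or 'rw') of `user` (None = anonymous) on `path`: the
    nearest section from `path` up to '/' with a rule matching the user decides;
    there a rule naming the user beats @group, which beats '*' (assumed order)."""
    aliases, groups, rules = authz
    parts = [p for p in path.split("/") if p]
    for depth in range(len(parts), -1, -1):
        matches = [(2 if who[0] not in "*@" else 1 if who[0] == "@" else 0, rights)
                   for who, rights in rules.get("/" + "/".join(parts[:depth]), [])
                   if applies(who, user, aliases, groups)]
        if matches:
            return "".join(c for c in "rw" if c in max(matches)[1])
    return ""
```

With the sample file, anonymous users read everything except ``/policy/drafts``, members of ``editors`` (including ``policy`` members via the nested group and the ``jandd`` alias) may write under ``/policy``, and only ``policy`` members retain access to ``/policy/drafts``.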

CRL update job
--------------

CRLs are updated by :file:`/etc/cron.daily/fetchcrls`.


Tasks
=====

X.509 Auth for policy
---------------------

* Documentation officer has endorsed
* Waiting on Org-assurer word as to org-assurer policy stuff

Mail notifications
------------------

* commit hooks on policy to policy list?

Changes
=======

Planned
-------

The configuration of this system will be migrated to a setup fully managed by
Puppet.


System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`Exim4Configuration`
   * :wiki:`Technology/KnowledgeBase/ClientCerts#SVN`
   * :wiki:`SystemAdministration/Systems/Svn/Setup`

References
----------

* http://svnbook.red-bean.com/en/1.8/svn.reposadmin.html