Document the git.cacert.org container
authorJan Dittberner <jan@dittberner.info>
Thu, 19 May 2016 22:28:30 +0000 (00:28 +0200)
committerJan Dittberner <jan@dittberner.info>
Thu, 19 May 2016 22:28:30 +0000 (00:28 +0200)
This commit adds documentation for the git container. The information
has been gathered from
https://wiki.cacert.org/SystemAdministration/Systems/Git?action=recall&rev=4
and the actual system.

docs/configdiff/git/git-apache-config.diff [new file with mode: 0644]
docs/configdiff/git/git-daemon-run.diff [new file with mode: 0644]
docs/configdiff/git/gitweb.conf.diff [new file with mode: 0644]
docs/systems.rst
docs/systems/git.rst [new file with mode: 0644]

diff --git a/docs/configdiff/git/git-apache-config.diff b/docs/configdiff/git/git-apache-config.diff
new file mode 100644 (file)
index 0000000..ad2c182
--- /dev/null
@@ -0,0 +1,121 @@
+diff -urwN -X diffignore-apache2 orig/etc/apache2/conf-available/security.conf git/etc/apache2/conf-available/security.conf
+--- orig/etc/apache2/conf-available/security.conf      2015-11-28 13:59:22.000000000 +0100
++++ git/etc/apache2/conf-available/security.conf       2016-05-20 00:15:49.874994024 +0200
+@@ -10,6 +10,17 @@
+ #   Order Deny,Allow
+ #   Deny from all
+ #</Directory>
++<Directory />
++      Options FollowSymLinks
++      AllowOverride None
++</Directory>
++
++<Directory /var/www/>
++      Options Indexes FollowSymLinks MultiViews
++      AllowOverride None
++      Order allow,deny
++      allow from all
++</Directory>
+ # Changing the following options will not really affect the security of the
+diff -urwN -X diffignore-apache2 orig/etc/apache2/mods-available/ssl.conf git/etc/apache2/mods-available/ssl.conf
+--- orig/etc/apache2/mods-available/ssl.conf   2015-10-24 10:37:19.000000000 +0200
++++ git/etc/apache2/mods-available/ssl.conf    2016-01-02 16:13:42.695785273 +0100
+@@ -56,7 +56,8 @@
+       #   ciphers(1) man page from the openssl package for list of all available
+       #   options.
+       #   Enable only secure ciphers:
+-      SSLCipherSuite HIGH:!aNULL
++      #SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128
++      SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP
+       # SSL server cipher order preference:
+       # Use server priorities for cipher algorithm choice.
+@@ -65,7 +66,7 @@
+       # the CPU cost, and did not override SSLCipherSuite in a way that puts
+       # insecure ciphers first.
+       # Default: Off
+-      #SSLHonorCipherOrder on
++      SSLHonorCipherOrder on
+       #   The protocols to enable.
+       #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/000-default.conf git/etc/apache2/sites-available/000-default.conf
+--- orig/etc/apache2/sites-available/000-default.conf  2015-10-24 10:37:19.000000000 +0200
++++ git/etc/apache2/sites-available/000-default.conf   2016-05-20 00:21:02.697250540 +0200
+@@ -11,11 +11,19 @@
+       ServerAdmin webmaster@localhost
+       DocumentRoot /var/www/html
++      RewriteEngine on
++      RewriteCond %{HTTP_HOST} !^git\.cacert\.org [NC]
++      RewriteCond %{HTTP_HOST} !^$
++      RewriteRule ^/?(.*) http://git.cacert.org/$1 [L,R,NE] 
++
++      Redirect / https://git.cacert.org/gitweb
++
+       # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+       # error, crit, alert, emerg.
+       # It is also possible to configure the loglevel for particular
+       # modules, e.g.
+       #LogLevel info ssl:warn
++      LogLevel warn
+       ErrorLog ${APACHE_LOG_DIR}/error.log
+       CustomLog ${APACHE_LOG_DIR}/access.log combined
+diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/default-ssl.conf git/etc/apache2/sites-available/default-ssl.conf
+--- orig/etc/apache2/sites-available/default-ssl.conf  2016-05-20 00:05:51.022493172 +0200
++++ git/etc/apache2/sites-available/default-ssl.conf   2016-05-20 00:14:50.350565644 +0200
+@@ -2,13 +2,27 @@
+       <VirtualHost _default_:443>
+               ServerAdmin webmaster@localhost
++              Redirect /index.html /gitweb/
++
+               DocumentRoot /var/www/html
++              <Directory />
++                      Options FollowSymLinks
++                      AllowOverride None
++              </Directory>
++              <Directory /var/www/>
++                      Options Indexes FollowSymLinks MultiViews
++                      AllowOverride None
++                      Order allow,deny
++                      allow from all
++              </Directory>
++      
+               # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+               # error, crit, alert, emerg.
+               # It is also possible to configure the loglevel for particular
+               # modules, e.g.
+               #LogLevel info ssl:warn
++              LogLevel warn
+               ErrorLog ${APACHE_LOG_DIR}/error.log
+               CustomLog ${APACHE_LOG_DIR}/access.log combined
+@@ -29,8 +43,8 @@
+               #   /usr/share/doc/apache2/README.Debian.gz for more info.
+               #   If both key and certificate are stored in the same file, only the
+               #   SSLCertificateFile directive is needed.
+-              SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
+-              SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
++              SSLCertificateFile    /etc/ssl/public/git.c.o.chain.crt
++              SSLCertificateKeyFile /etc/ssl/private/git.c.o.key
+               #   Server Certificate Chain:
+               #   Point SSLCertificateChainFile at a file containing the
+@@ -130,6 +144,12 @@
+               # MSIE 7 and newer should be able to use keepalive
+               BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
++              # HSTS
++              Header always set Strict-Transport-Security "max-age=31536000"
++              Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'sha256-dacEZQWGxky95ybZadcNI26RDghVLeVdbdRC/Q3spJQ='; img-src 'self'; style-src 'self';"
++              Header always set X-Frame-Options "DENY"
++              Header always set X-XSS-Protection "1; mode=block"
++              Header always set X-Content-Type-Options "nosniff"
+       </VirtualHost>
+ </IfModule>
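Review bot: The canonical-host rewrite in the port-80 vhost sends a request carrying any other Host header to `http://git.cacert.org/$1`, so a client arriving under an alias appears to make a second cleartext request before the following `Redirect / https://git.cacert.org/gitweb` finally moves it to TLS; pointing the rewrite at `https://git.cacert.org/$1` removes that extra plaintext hop. Both `<Directory /var/www/>` blocks (in security.conf and again in default-ssl.conf) set `Options Indexes FollowSymLinks MultiViews`, which turns on auto-generated directory listings for anything under the DocumentRoot that lacks an index file; nothing in the shown configuration needs `Indexes`, so `Options FollowSymLinks MultiViews` would be the safer setting. The HSTS header carries only `max-age=31536000`, which is fine for a single host name, but a one-line comment recording that `includeSubDomains` was deliberately omitted would save the next admin from guessing. Since this file is a snapshot of the deployed configuration, the changes belong on the host first, with the diff regenerated afterwards.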
diff --git a/docs/configdiff/git/git-daemon-run.diff b/docs/configdiff/git/git-daemon-run.diff
new file mode 100644 (file)
index 0000000..abcca5a
--- /dev/null
@@ -0,0 +1,8 @@
+--- orig/etc/sv/git-daemon/run 2016-03-19 14:22:50.000000000 +0100
++++ git/etc/sv/git-daemon/run  2014-02-06 01:46:55.424870926 +0100
+@@ -3,4 +3,4 @@
+ echo 'git-daemon starting.'
+ exec chpst -ugitdaemon \
+   "$(git --exec-path)"/git-daemon --verbose --reuseaddr \
+-    --base-path=/var/lib /var/lib/git
++    --base-path=/var/cache/git /var/cache/git
diff --git a/docs/configdiff/git/gitweb.conf.diff b/docs/configdiff/git/gitweb.conf.diff
new file mode 100644 (file)
index 0000000..0e8e957
--- /dev/null
@@ -0,0 +1,40 @@
+--- orig/etc/gitweb.conf       2016-03-19 14:22:50.000000000 +0100
++++ git/etc/gitweb.conf        2014-02-17 02:25:18.281157394 +0100
+@@ -1,5 +1,8 @@
+ # path to git projects (<project>.git)
+-$projectroot = "/var/lib/git";
++$projectroot = "/var/cache/git";
++
++# only show repos that are also served via git-daemon
++$export_ok = "git-daemon-export-ok";
+ # directory to use for temp files
+ $git_temp = "/tmp";
+@@ -13,6 +16,9 @@
+ # file with project list; by default, simply scan the projectroot dir.
+ #$projects_list = $projectroot;
++# Enable categories
++$projects_list_group_categories = 1;
++
+ # stylesheet to use
+ #@stylesheets = ("static/gitweb.css");
+@@ -28,3 +34,17 @@
+ # git-diff-tree(1) options to use for generated patches
+ #@diff_opts = ("-M");
+ @diff_opts = ();
++
++# auto generate fetch URLs
++@git_base_url_list = (
++      "git://git.cacert.org",
++      "ssh://git.cacert.org/var/cache/git");
++
++# Prevent XSS attacks
++$prevent_xss = 1;
++
++# enable gravatar support
++$feature{'avatar'}{'default'} = ['gravatar'];
++
++# enable syntax highlighting
++$feature{'highlight'}{'default'} = [1];
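Review bot: Enabling `$feature{'avatar'}{'default'} = ['gravatar']` makes every gitweb page embed image URLs built from the MD5 of each committer's e-mail address and fetched from a third-party host, which discloses committer e-mail hashes and viewer IP addresses to gravatar.com; the Apache snapshot in this same commit sets `Content-Security-Policy: ... img-src 'self'`, so those images look like they would be blocked by the browser anyway. Either drop the avatar feature or add `https://secure.gravatar.com` to `img-src` and record the privacy trade-off next to this setting, e.g. `# gravatar lookups leak committer e-mail hashes to a third party; kept deliberately`. The `ssh://git.cacert.org/var/cache/git` base URL also publishes the on-disk repository path to every visitor, which is harmless if the layout is meant to be public but should be a conscious choice. The enabled `$prevent_xss = 1` is the right default for repositories whose content is not fully trusted and deserves a comment saying so.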
index f5963ad..e9e9e16 100644 (file)
@@ -17,6 +17,7 @@ administrator team.
    systems/cats
    systems/email
    systems/emailout
+   systems/git
    systems/monitor
    systems/webmail
 
diff --git a/docs/systems/git.rst b/docs/systems/git.rst
new file mode 100644 (file)
index 0000000..79ba57b
--- /dev/null
@@ -0,0 +1,368 @@
+.. index::
+   single: Systems; Git
+
+===
+Git
+===
+
+Purpose
+=======
+
+`Git`_ server for the :wiki:`Software` development and :wiki:`System
+Administration <SystemAdministration/Team>` teams.
+
+.. _Git: https://www.git-scm.com/
+
+Application Links
+-----------------
+
+Gitweb
+   http://git.cacert.org/gitweb/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++-------------+---------------------+
+| Application | Administrator(s)    |
++=============+=====================+
+| Git         | :ref:`people_jandd` |
++-------------+---------------------+
+| Gitweb      | :ref:`people_jandd` |
++-------------+---------------------+
+
+Contact
+-------
+
+* git-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario`, :ref:`people_benbe` and :ref:`people_neo` have
+:program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.250`
+:IP Intranet: :ip:v4:`172.16.2.250`
+:IP Internal: :ip:v4:`10.0.0.250`
+:MAC address: :mac:`00:ff:2e:b0:4b:1b` (eth0)
+
+.. seealso::
+
+   See :doc:`../network`
+
+DNS
+---
+
+.. index::
+   single: DNS records; <machine>
+
+===================== ======== ============================================
+Name                  Type     Content
+===================== ======== ============================================
+git.cacert.org.       IN A     213.154.225.250
+git.cacert.org.       IN SSHFP 1 1 23C7622D6DB5822C809152C1C0FD9EA7838F76C6
+git.cacert.org.       IN SSHFP 2 1 8509DB491902FE10AB84C8F24B02F10C1ADF0E7F
+git.intra.cacert.org. IN A     172.16.2.250
+===================== ======== ============================================
+
+.. seealso::
+
+   See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+   single: Debian GNU/Linux; Jessie
+   single: Debian GNU/Linux; 8.4
+
+* Debian GNU/Linux 8.4
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+-----------------------------+
+| Port     | Service | Origin  | Purpose                     |
++==========+=========+=========+=============================+
+| 22/tcp   | ssh     | ANY     | admin console access        |
++----------+---------+---------+-----------------------------+
+| 25/tcp   | smtp    | local   | mail delivery to local MTA  |
++----------+---------+---------+-----------------------------+
+| 80/tcp   | http    | ANY     | application                 |
++----------+---------+---------+-----------------------------+
+| 443/tcp  | https   | ANY     | application                 |
++----------+---------+---------+-----------------------------+
+| 5666/tcp | nrpe    | monitor | remote monitoring service   |
++----------+---------+---------+-----------------------------+
+| 9418/tcp | git     | ANY     | Git daemon port             |
++----------+---------+---------+-----------------------------+
+
+.. todo:: disable insecure git-daemon port and http for git, replace these with
+   https for read access and git+ssh for write access
+
+Running services
+----------------
+
+.. index::
+   single: Apache httpd
+   single: Postfix
+   single: cron
+   single: nrpe
+   single: openssh
+   single: rsyslog
+   single: git-daemon
+
++--------------------+---------------------+----------------------------------------+
+| Service            | Usage               | Start mechanism                        |
++====================+=====================+========================================+
+| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
+|                    | remote              |                                        |
+|                    | administration      |                                        |
++--------------------+---------------------+----------------------------------------+
+| Apache httpd       | Webserver for       | init script                            |
+|                    | gitweb              | :file:`/etc/init.d/apache2`            |
+|                    |                     |                                        |
++--------------------+---------------------+----------------------------------------+
+| cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
++--------------------+---------------------+----------------------------------------+
+| rsyslog            | syslog daemon       | init script                            |
+|                    |                     | :file:`/etc/init.d/syslog`             |
++--------------------+---------------------+----------------------------------------+
+| Postfix            | SMTP server for     | init script                            |
+|                    | local mail          | :file:`/etc/init.d/postfix`            |
+|                    | submission          |                                        |
++--------------------+---------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring   | init script                            |
+|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
+|                    | :doc:`monitor`      |                                        |
++--------------------+---------------------+----------------------------------------+
+| runit              | service supervision | :file:`/etc/inittab` entry             |
+|                    | for git-daemon      |                                        |
++--------------------+---------------------+----------------------------------------+
+| git-daemon         | Daemon for native   | runit service description in           |
+|                    | Git protocol        | :file:`/etc/sv/git-daemon/run`         |
+|                    | access              |                                        |
++--------------------+---------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* :doc:`jenkins` for git repository access
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* crl.cacert.org (rsync) for getting CRLs
+* :doc:`jenkins` for triggering web hooks
+
+Security
+========
+
+.. sshkeys::
+   :RSA:   b6:85:16:ad:57:a1:45:3c:33:e5:f1:64:04:0d:7a:ab
+   :DSA:   27:e5:f3:95:b8:4e:73:48:b5:f2:28:8f:32:5a:96:70
+   :ECDSA: b2:f4:80:77:98:95:46:17:7a:9e:7d:73:65:6e:f4:9c
+
+.. todo:: setup ED25519 host key
+
+Dedicated user roles
+--------------------
+
++-----------------+----------------------------------------------------+
+| Group           | Purpose                                            |
++=================+====================================================+
+| git-birdshack   | access to :wiki:`BirdShack` git repositories       |
++-----------------+----------------------------------------------------+
+| softass         | Software assessors                                 |
++-----------------+----------------------------------------------------+
+| git-boardvoting | access to board voting git repository              |
++-----------------+----------------------------------------------------+
+| git-rccrtauth   | access to Roundcube certificate authentication git |
+|                 | repository                                         |
++-----------------+----------------------------------------------------+
+| git-infra       | access to infrastructure git repositories          |
++-----------------+----------------------------------------------------+
+
+.. todo:: think about regulating git access by a proper git repository manager
+   like gitolite
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+Gitweb has been modified to use https for `Gravatar`_ lookups:
+
+.. code-block:: diff
+
+   --- gitweb.cgi  2014-02-06 14:01:48.696730208 +0000
+   +++ /usr/share/gitweb/gitweb.cgi        2014-02-06 14:03:52.933721422 +0000
+   @@ -2064,7 +2064,7 @@
+           my $email = lc shift;
+           my $size = shift;
+           $avatar_cache{$email} ||=
+   -               "http://www.gravatar.com/avatar/" .
+   +               "https://secure.gravatar.com/avatar/" .
+                           Digest::MD5::md5_hex($email) . "?s=";
+           return $avatar_cache{$email} . $size;
+    }
+
+.. _Gravatar: http://www.gravatar.com/
+
+
+Risk assessments on critical packages
+-------------------------------------
+
+The package git-daemon-run exposes the git native protocol which is prone to
+man in the middle attacks that could hand out modified code to users. There are
+alternatives (ssh, https) and git-daemon support should be disabled.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: git.cacert.org
+   :altnames:   DNS:git.cacert.org
+   :certfile:   /etc/ssl/public/git.c.o.chain.crt
+   :keyfile:    /etc/ssl/private/git.c.o.key
+   :serial:     11E84D
+   :expiration: Mar 31 20:07:57 18 GMT
+   :sha1fp:     B8:F9:FF:4E:F3:F6:45:A9:44:7D:8A:1E:F5:D7:28:24:74:ED:48:46
+   :issuer:     CA Cert Signing Authority
+
+The :file:`/etc/ssl/public/git.c.o.chain.crt` contains the CAcert.org Class 1
+certificate too.
+
+.. seealso::
+
+   * :wiki:`SystemAdministration/CertificateList`
+
+.. index:: Git repositories
+
+Git repositories
+----------------
+
+.. index::
+   pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
+
+Apache httpd serves the gitweb interface via http and https. The http
+VirtualHost redirects all traffic to https. The following changes have been
+applied to the Debian package's Apache httpd configuration:
+
+.. literalinclude:: ../configdiff/git/git-apache-config.diff
+   :language: diff
+
+.. index::
+   pair: Gitweb; configuration
+
+Gitweb configuration
+--------------------
+
+Gitweb is configured in :file:`/etc/gitweb.conf` which has the following
+changes to the version contained in the distribution package:
+
+.. literalinclude:: ../configdiff/git/gitweb.conf.diff
+   :language: diff
+
+.. index::
+   pair: runit; configuration
+   pair: git-daemon; configuration
+
+git-daemon configuration
+------------------------
+
+The git-daemon is started by runit. The configuration is stored in
+:file:`/etc/sv/git-daemon/run` and has the following changes to the version
+contained in the distribution package git-daemon-run:
+
+.. literalinclude:: ../configdiff/git/git-daemon-run.diff
+   :language: diff
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: enable IPv6
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+Adding a git repository
+-----------------------
+
+The git repositories are stored in :file:`/var/cache/git/`. To create a new
+repository use:
+
+.. code-block:: shell
+
+   cd /var/cache/git/
+   git init --bare --shared=group <reponame.git>
+   chgrp -R <groupname> <reponame.git>
+
+The gitweb index is built from all repositories that contain a file
+:file:`git-daemon-export-ok`. You should also put a description in the
+repository's :file:`description` file and set the repository owner via:
+
+.. code-block:: shell
+
+   cd <reponame.git>
+   git config gitweb.owner "Owner information"
+
+.. seealso::
+
+   * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Apache httpd documentation
+   http://httpd.apache.org/docs/2.4/
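Review bot: The "Adding a git repository" procedure uses `git init --bare --shared=group` followed by `chgrp -R`, but per git-init(1) the `group` value only loosens permissions to group-writable and leaves the world-read bits to the creator's umask, so a repository intended for one of the restricted groups under "Dedicated user roles" (for example git-boardvoting) may still be readable by every local account and, once `git-daemon-export-ok` is touched, by anyone on port 9418 and via gitweb; the doc should say to use `--shared=0660` (or `chmod -R o-rwx <reponame.git>`) and to create `git-daemon-export-ok` only for repositories meant to be public. The Gitweb link under "Application Links" is given as `http://git.cacert.org/gitweb/` although the host sends HSTS and the port-80 vhost redirects to TLS; `https://git.cacert.org/gitweb/` is the URL to publish. The claim that the http VirtualHost "redirects all traffic to https" is not quite what the included Apache diff shows: requests with a non-canonical Host are first rewritten to `http://git.cacert.org/` and only then redirected to https. The DNS table lists SSHFP records only for the RSA and DSA keys with SHA-1 fingerprints (`1 1` and `2 1`), while the Security section shows an ECDSA host key as well and OpenSSH clients since 7.0 no longer offer ssh-dss by default, so adding `3 2` (ECDSA/SHA-256) and `1 2` records would keep SSHFP verification useful once the DSA key is retired. The "Git repositories" heading is empty and should either list the repositories and their owning groups or be removed.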