Code

Purpose

The system provides a Forgejo instance for hosting CAcert code. It will replace Git and probably Svn.

Administration

System Administration

• Primary: Jan Dittberner

• Secondary: none

Application Administration

Application	Administrator(s)
PostgreSQL	Jan Dittberner

Contact

• code-admin@cacert.org

Additional People

No additional people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra03.

Logical Location

IP Internet:

213.154.225.249

IP Intranet:

172.16.2.9

IP Internal:

10.0.3.15

IPv6:

2001:7b8:616:162:3::15

MAC address:

00:ff:8f:61:e0:32 (eth0)

See also

See Network

Monitoring

internal checks:

Monitoring checks for code.infra.cacert.org

external checks:

Monitoring checks for code.cacert.org

DNS

Name	Type	Content
code.cacert.org.	IN A	213.154.225.249
code.cacert.org.	IN AAAA	2001:7b8:616:162:3::15
code.infra.cacert.org.	IN A	10.0.3.15
code.infra.cacert.org.	IN AAAA	2001:7b8:616:162:3::15

See also

See Wiki page SystemAdministration/Procedures/DNSChanges

Operating System

• Debian GNU/Linux 12 Bookworm

Services

Listening services

Port	Service	Origin	Purpose
22/tcp	ssh	ANY	admin console access
25/tcp	smtp	local	mail delivery to local MTA
80/tcp	nginx	ANY	HTTP redirect for Forgejo
443/tcp	forgejo	ANY	HTTPS for ForgeJo application
5665/tcp	icinga2	monitor	remote monitoring service

Running services

Service	Usage	Start mechanism
cron	job scheduler	systemd unit cron.service
Exim	SMTP server for local mail submission	systemd unit exim4.service
Forgejo	Forgejo Git application	systemd unit forgejo.service
icinga2	Icinga2 monitoring agent	systemd unit icinga2.service
nginx	web server to redirect HTTP traffic to https	systemd unit nginx.service
openssh server	ssh daemon for remote administration	systemd unit ssh.service
Puppet agent	configuration management agent	systemd unit puppet.service
rsyslog	syslog daemon	systemd unit rsyslog.service

Connected Systems

• Jenkins

• Monitor

Outbound network connections

• DNS (53) resolver at 10.0.0.1 (Infra02)

• Emailout as SMTP relay

• Puppet (tcp/8140) as Puppet master

• Proxyout as HTTP proxy for APT

• PostgreSQL as PostgreSQL database server

Security

SSH host keys

Algorithm	Fingerprints
RSA	SHA256:NMyZblaN2+kzVPKEpSvWBgI5Wg4fy4d3DhkPvJfdnOc, MD5:18:d1:56:0c:6c:f0:3c:53:2f:94:09:b9:cb:fe:15:80
DSA	-
ECDSA	SHA256:VOQv2awhDNa9PsHKdbgL9FhetHYGpAtGJ9GRbzVdy58, MD5:1d:bd:66:b3:07:60:32:20:db:67:1c:31:b2:46:59:09
ED25519	SHA256:zOA6Jk7EuUfUow3cK4b+gPxz1R91G6qDT/HshIGBuOs, MD5:e2:fa:ed:f4:e9:c7:e4:9a:ae:cb:af:01:86:8a:12:44

See also

SSH host key list

Non-distribution packages and modifications

Forgejo is installed as a single static binary. Forgejo is installed and managed via Puppet.

Risk assessments on critical packages

Forgejo is actively developed. The software needs to be updated regularly, but has good documentation including upgrade descriptions. All changes should be done via Puppet.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Changes

Nothing planned.

Additional documentation

See also

• Wiki page Exim4Configuration

• https://forgejo.org/