Git

Purpose

Git server for the Software development and System Administration teams.

Administration

System Administration

Todo

find an additional admin

Application Administration

Application   Administrator(s)
Git           Jan Dittberner
Gitweb        Jan Dittberner

Contact

Additional People

Dirk Astrath has sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet:  213.154.225.250
IP Intranet:  172.16.2.250
IP Internal:  10.0.0.250
MAC address:  00:ff:2e:b0:4b:1b (eth0)

See also

See Network

Monitoring

internal checks:

Monitoring checks for git.infra.cacert.org

DNS

Name                   Type      Content
git.cacert.org.        IN A      213.154.225.250
git.cacert.org.        IN SSHFP  1 1 23C7622D6DB5822C809152C1C0FD9EA7838F76C6
git.cacert.org.        IN SSHFP  1 2 DABBE1766C7933071C4E6942A1DFC72C26D9D867D8DEE84BEDA210C8EF9EA2C5
git.cacert.org.        IN SSHFP  2 1 8509DB491902FE10AB84C8F24B02F10C1ADF0E7F
git.cacert.org.        IN SSHFP  2 2 00C20C26B6B9A026BBB11B5C45CBEC5D3AB44A039DC0F097CAD88374D3567D01
git.cacert.org.        IN SSHFP  3 1 60DE5788BD83ABC7F315B667F634BDA5DA8502ED
git.cacert.org.        IN SSHFP  3 2 132BD98483440124F6B8117148B02A66645477F53C18F974E4DECB32A7495644
git.cacert.org.        IN SSHFP  4 1 13D611007B43D073CF4D89784510398116623EB7
git.cacert.org.        IN SSHFP  4 2 40A61A25488FE01C056EAAFF703EF0FF9C6B01BEE00580A91B95741DFAA59751
git.intra.cacert.org.  IN A      172.16.2.250

Operating System

  • Debian GNU/Linux 13 Trixie

Services

Listening services

Port      Service  Origin   Purpose
22/tcp    ssh      ANY      admin console access
25/tcp    smtp     local    mail delivery to local MTA
80/tcp    http     ANY      application
443/tcp   https    ANY      application
5666/tcp  nrpe     monitor  remote monitoring service

Running services

Service         Usage                                  Start mechanism
icinga2         Icinga2 monitoring agent               systemd unit icinga2.service
cron            job scheduler                          systemd unit cron.service
openssh server  ssh daemon for remote administration   systemd unit ssh.service
Postfix         SMTP server for local mail submission  systemd unit postfix.service
nginx           Webserver for git                      systemd unit nginx.service

Connected Systems

Outbound network connections

  • crl.cacert.org (rsync) for getting CRLs

  • DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3

  • Emailout as SMTP relay

  • Proxyout as HTTP proxy for APT

  • Jenkins for triggering web hooks

Security

SSH host keys

Algorithm  Fingerprints
RSA        SHA256:2rvhdmx5MwccTmlCod/HLCbZ2GfY3uhL7aIQyO+eosU, MD5:b6:85:16:ad:57:a1:45:3c:33:e5:f1:64:04:0d:7a:ab
DSA        -
ECDSA      SHA256:EyvZhINEAST2uBFxSLAqZmRUd/U8GPl05N7LMqdJVkQ, MD5:b2:f4:80:77:98:95:46:17:7a:9e:7d:73:65:6e:f4:9c
ED25519    SHA256:QKYaJUiP4BwFbqr/cD7w/5xrAb7gBYCpG5V0Hfqll1E, MD5:38:6b:90:f7:8b:c7:b2:cf:cd:86:29:5c:e4:03:fa:35
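The SSHFP records in the DNS table and the SHA256 fingerprints in the host key table above carry the same information in two encodings: an OpenSSH "SHA256:..." fingerprint is the SHA-256 digest of the public key blob, base64-encoded without padding, and an SSHFP record with fingerprint type 2 holds that same digest in hex. The script below is an added example, not part of this page or of the CAcert infrastructure; it copies the published values from both tables and checks that they agree for each key type, which is the check to repeat after a host key rotation before the old records are removed from DNS.

```shell
#!/bin/sh
# Cross-check the SSHFP SHA-256 records published in DNS against the OpenSSH
# host key fingerprints.  Record and fingerprint values below are copied from
# the DNS and SSH host key tables on this page.

SSHFP_RECORDS='git.cacert.org. IN SSHFP 1 1 23C7622D6DB5822C809152C1C0FD9EA7838F76C6
git.cacert.org. IN SSHFP 1 2 DABBE1766C7933071C4E6942A1DFC72C26D9D867D8DEE84BEDA210C8EF9EA2C5
git.cacert.org. IN SSHFP 2 1 8509DB491902FE10AB84C8F24B02F10C1ADF0E7F
git.cacert.org. IN SSHFP 2 2 00C20C26B6B9A026BBB11B5C45CBEC5D3AB44A039DC0F097CAD88374D3567D01
git.cacert.org. IN SSHFP 3 1 60DE5788BD83ABC7F315B667F634BDA5DA8502ED
git.cacert.org. IN SSHFP 3 2 132BD98483440124F6B8117148B02A66645477F53C18F974E4DECB32A7495644
git.cacert.org. IN SSHFP 4 1 13D611007B43D073CF4D89784510398116623EB7
git.cacert.org. IN SSHFP 4 2 40A61A25488FE01C056EAAFF703EF0FF9C6B01BEE00580A91B95741DFAA59751'

RSA_FP='SHA256:2rvhdmx5MwccTmlCod/HLCbZ2GfY3uhL7aIQyO+eosU'
ECDSA_FP='SHA256:EyvZhINEAST2uBFxSLAqZmRUd/U8GPl05N7LMqdJVkQ'
ED25519_FP='SHA256:QKYaJUiP4BwFbqr/cD7w/5xrAb7gBYCpG5V0Hfqll1E'

# SSHFP algorithm numbers (RFC 4255, 6594, 7479): 1 RSA, 2 DSA, 3 ECDSA, 4 ED25519
sshfp_alg_number() {
    case "$1" in
        RSA) echo 1 ;;
        DSA) echo 2 ;;
        ECDSA) echo 3 ;;
        ED25519) echo 4 ;;
        *) echo "unknown key type: $1" >&2; return 1 ;;
    esac
}

# Convert "SHA256:<unpadded base64>" into the uppercase hex used in SSHFP records.
openssh_sha256_to_hex() {
    b64=${1#SHA256:}
    # OpenSSH drops the base64 padding; base64 -d needs it back
    case $(( ${#b64} % 4 )) in
        2) b64="${b64}==" ;;
        3) b64="${b64}=" ;;
    esac
    printf '%s' "$b64" | base64 -d | od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 (type 2) SSHFP digest published for one key type.
sshfp_sha256_record() {
    alg=$(sshfp_alg_number "$1") || return 1
    printf '%s\n' "$2" | awk -v alg="$alg" \
        '$2 == "IN" && $3 == "SSHFP" && $4 == alg && $5 == 2 { print toupper($6); exit }'
}

# Compare one key type: returns 0 on match, 1 if DNS and host key disagree.
check_host_key() {
    expected=$(openssh_sha256_to_hex "$2")
    published=$(sshfp_sha256_record "$1" "$3")
    if [ -n "$published" ] && [ "$published" = "$expected" ]; then
        echo "$1: DNS SSHFP matches host key fingerprint"
    else
        echo "$1: MISMATCH (DNS: ${published:-none}, host key: $expected)"
        return 1
    fi
}

# Check every key type that has a published fingerprint; fails if any disagrees.
check_all_host_keys() {
    status=0
    check_host_key RSA "$RSA_FP" "$SSHFP_RECORDS" || status=1
    check_host_key ECDSA "$ECDSA_FP" "$SSHFP_RECORDS" || status=1
    check_host_key ED25519 "$ED25519_FP" "$SSHFP_RECORDS" || status=1
    return $status
}

check_all_host_keys
```

On the host itself, `ssh-keygen -r git.cacert.org -f /etc/ssh/ssh_host_ed25519_key.pub` (and the same for the other key files) prints the records that belong in the zone. Note that a client only acts on SSHFP records when its resolver validates DNSSEC and `VerifyHostKeyDNS` is enabled; without DNSSEC the records are informational and the fingerprints in the table above remain the reference to compare against on first connection.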

Dedicated user roles

Group            Purpose
git-birdshack    access to BirdShack git repositories
softass          Software assessors
git-boardvoting  access to board voting git repository
git-rccrtauth    access to Roundcube certificate authentication git repository
git-infra        access to infrastructure git repositories

Todo

Move repositories to Code

Non-distribution packages and modifications

  • None

Risk assessments on critical packages

The system runs only packages that receive Debian security support, and exposes them only via protocols regarded as reasonably safe.

Critical Configuration items

Keys and X.509 certificates

  • Certificate for CN git.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/public/git.cacert.org.chain.pem

    • private key in file /etc/ssl/private/git.cacert.org.key.pem

The file /etc/ssl/public/git.c.o.chain.crt also contains the CAcert.org Class 1 certificate.

Git repositories

nginx configuration

nginx serves the cgit interface via http and https. The http VirtualHost redirects all traffic to https.

cgit configuration

cgit is configured in /etc/cgitrc.

Tasks

Changes

Planned

System Future

  • Remove the system and move content to Code

Additional documentation

Adding a git repository

The git repositories are stored in /srv/git/. To create a new repository use:

cd /srv/git/
git init --bare --shared=group <reponame.git>
chgrp -R <groupname> <reponame.git>

The gitweb index is built from all repositories that contain a file git-daemon-export-ok. You should also put a description in the repository’s description file and set the repository owner via:

cd <reponame.git>
git config gitweb.owner "Owner information"
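The steps above, combined into one script: it creates the shared bare repository, hands it to the access group, adds the git-daemon-export-ok marker, writes the description and sets the gitweb owner, and refuses to touch a directory that already exists. This is an added example, not a script from this page or from the CAcert infrastructure; the GIT_ROOT override and the function names are assumptions, and the repository, group and owner names in the usage comment are placeholders.

```shell
#!/bin/sh
# Create a group-shared bare repository under the git root and register it
# for gitweb/cgit in one step.  GIT_ROOT is an assumed override; it defaults
# to /srv/git, where this host keeps its repositories.
GIT_ROOT=${GIT_ROOT:-/srv/git}

# usage: add_git_repo <reponame.git> <groupname> "<owner information>" "<description>"
add_git_repo() {
    repo="$GIT_ROOT/$1"
    group="$2"
    owner="$3"
    description="$4"

    case "$1" in
        *.git) ;;
        *) echo "repository name must end in .git: $1" >&2; return 1 ;;
    esac
    if [ -e "$repo" ]; then
        echo "refusing to touch existing $repo" >&2
        return 1
    fi

    # --shared=group makes the tree group-writable and records
    # core.sharedRepository, so objects pushed later keep group permissions
    git init --quiet --bare --shared=group "$repo" || return 1
    chgrp -R "$group" "$repo" || return 1
    # gitweb/cgit list only repositories carrying this marker file
    : > "$repo/git-daemon-export-ok"
    printf '%s\n' "$description" > "$repo/description"
    git -C "$repo" config gitweb.owner "$owner"
}

# Return 0 when a repository has everything gitweb/cgit need to show it.
git_repo_ready() {
    repo="$GIT_ROOT/$1"
    [ "$(git -C "$repo" rev-parse --is-bare-repository 2>/dev/null)" = true ] || return 1
    [ -f "$repo/git-daemon-export-ok" ] || return 1
    [ -n "$(git -C "$repo" config gitweb.owner)" ] || return 1
    [ -n "$(git -C "$repo" config core.sharedrepository)" ] || return 1
}

# Print the settings gitweb/cgit will pick up, for a quick look after creation.
show_git_repo() {
    repo="$GIT_ROOT/$1"
    echo "repository:   $repo"
    echo "group:        $(ls -ld "$repo" | awk '{ print $4 }')"
    echo "shared mode:  $(git -C "$repo" config core.sharedrepository)"
    echo "owner:        $(git -C "$repo" config gitweb.owner)"
    echo "description:  $(cat "$repo/description")"
    if [ -f "$repo/git-daemon-export-ok" ]; then echo "exported:     yes"; else echo "exported:     no"; fi
}

# Example call with placeholder names:
#   add_git_repo example.git git-infra "Infrastructure team" "Example repository" && show_git_repo example.git
```

Creating the repository with --shared=group rather than fixing permissions afterwards matters because git records the choice in core.sharedRepository, so objects written by later pushes from other group members stay group-accessible; a repository without the git-daemon-export-ok marker is created normally but stays invisible in the web index.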

References