Motion
Purpose
This system provides the CAcert board motion system. The system replaced the board voting system that had been provided on the old webmail system at https://community.cacert.org/board/.
Application Links
- Board motion system
Administration
System Administration
Primary: Jan Dittberner
Secondary: None
Application Administration
Application | Administrator(s)
---|---
board motion system |
Contact
Additional People
No other people have sudo access on that machine.
Basics
Physical Location
This system is located in an LXC container on physical machine Infra02.
Logical Location
- IP Internet: None
- IP Intranet: None
- IP Internal:
- IPv6:
- MAC address: 00:ff:cc:ce:0d:24 (eth0)
See also: Network
Monitoring
- internal checks:
- external checks:
DNS
Name | Type | Content
---|---|---
motion.cacert.org. | IN A | 213.154.225.241
motion.cacert.org. | IN AAAA | 2001:7b8:616:162:2::241
motion.cacert.org. | IN SSHFP | 1 1 f018202c72749af5f48d45d5d536422f9c364fbb
motion.cacert.org. | IN SSHFP | 1 2 0d17bbfe2efa97edbb13ffe3e6bfd3b4b9be5117f3c831a2f1a55b6c50e92fd4
motion.cacert.org. | IN SSHFP | 2 1 ee6f2e346a5d5164100721f99765a4d3d08c6dce
motion.cacert.org. | IN SSHFP | 2 2 53dedfd2c566011db80311528eba15fd000b0a5092ab1fc8104ca5804490cd18
motion.cacert.org. | IN SSHFP | 3 1 6d4a9ec30f30aa0634b8879cded8ce884498e290
motion.cacert.org. | IN SSHFP | 3 2 325ee301da21844adb8f12c0011b8d73709be8b2b9f375829224ac79c8fdfa6e
motion.cacert.org. | IN SSHFP | 4 1 78e1edee04907de6b56d9c0d4900178f9426c02d
motion.cacert.org. | IN SSHFP | 4 2 ca108fc298cb08406fe02454d9245ee1cf26c7241691da9a5b6bc69c56afd5c1
motion.infra.cacert.org. | IN A | 10.0.0.117
Operating System
Debian GNU/Linux 11 Bullseye
Services
Listening services
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | local | mail delivery to local MTA
8443/tcp | https | ANY | board motion application
5665/tcp | icinga2 | monitor | remote monitoring service
The board motion system is reachable via Proxyin. SSH is forwarded from port 11722 on the public IP addresses.
Running services
Service | Usage | Start mechanism
---|---|---
cacert-boardvoting | application | systemd unit
cron | job scheduler | systemd unit
dbus-daemon | System message bus daemon | systemd unit
Exim | SMTP server for local mail submission | systemd unit
icinga2 | Icinga2 monitoring agent | systemd unit
openssh server | ssh daemon for remote administration | systemd unit
Puppet agent | configuration management agent | systemd unit
rsyslog | syslog daemon | systemd unit
Databases
RDBMS | Name | Used for
---|---|---
SQLite | | cacert-boardvoting
Connected Systems
Outbound network connections
Security
SSH host keys
Algorithm | Fingerprints
---|---
RSA |
DSA |
ECDSA |
ED25519 |
Dedicated user roles
None
Non-distribution packages and modifications
Board motion system
The system runs the board motion system developed in the CAcert Git repository cacert-boardvoting.
The software is installed from a Debian package that is hosted on Webstatic.
The software is built on Jenkins via the cacert-boardvoting job whenever there are changes in Git. The Debian package can be built using gbp.
The software is installed and configured via Puppet.
Todo: describe more in-depth how to build the Debian package.
Risk assessments on critical packages
The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.
The system is stripped down to the bare minimum. The CAcert board voting system software is developed in Go, which catches many common programming errors at compile time and has a quite good security track record.
The board motion tool runs as a separate system user cacert-boardvoting and is built as a small self-contained static binary. Access is restricted via https.
Critical Configuration items
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.
Keys and X.509 certificates
- Certificate for CN motion.cacert.org, see details in the certificate list
  - certificate in file /srv/cacert-boardvoting/data/server.crt
  - private key in file /srv/cacert-boardvoting/data/server.key
- /srv/cacert-boardvoting/data/cacert_class3.pem: CAcert class 3 CA certificate (allowed CA certificate for client certificates)
cacert-boardvoting configuration
cacert-boardvoting is configured via the Puppet profile profiles::cacert-boardvoting.
Tasks
Add/Remove voters
An Application Administrator can add and remove voters in the CAcert board voting system using the sqlite3 program:
```shell
cd /srv/cacert-boardvoting/data
# open database
sqlite3 database.sqlite
```

```sql
-- find existing voters
select * from voters where enabled=1;
-- disable voters that should not be able to vote using ids from the result
-- of the previous query
update voters set enabled=0 where id in (1, 2, 3);
-- find existing accounts of voters John Doe and Jane Smith
select * from voters where name like 'John%' or name like 'Jane%';
-- John has an account with id 4, Jane is not in the system
-- enable John
update voters set enabled=1 where id=4;
-- insert Jane
insert into voters (name, enabled, reminder) values ('Jane Doe', 1,
'jane.doe@cacert.org');
-- find voter id for Jane
select id from voters where name='Jane Doe';
-- Jane has id 42
-- insert email address mapping for Jane (used for authentication)
insert into emails (voter, address) values (42, 'jane.doe@cacert.org');
```
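The same voter changes carried out from a script rather than an interactive sqlite3 session, as an added example that is not part of this page or of the cacert-boardvoting project. The minimal schema, the uniqueness of login addresses and the use of Python's bundled sqlite3 module are assumptions inferred from the SQL above; each change runs in one transaction so a half-applied voter (record enabled but no login address, or an address silently moved to another voter) cannot be left behind.

```python
import sqlite3

# Constructed minimal schema mirroring only the columns the page's SQL uses
# (an assumption: the real database may hold more tables and columns).
SCHEMA = """
CREATE TABLE voters (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                     enabled INTEGER NOT NULL DEFAULT 0, reminder TEXT);
CREATE TABLE emails (voter INTEGER NOT NULL REFERENCES voters(id),
                     address TEXT NOT NULL UNIQUE);
"""


def open_db(path=":memory:"):
    """Open the voting database; the in-memory path gets the schema for tests."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")
    if path == ":memory:":
        conn.executescript(SCHEMA)
    return conn


def disable_voters(conn, voter_ids):
    """Revoke voting rights for the given ids; returns the number of rows changed."""
    with conn:  # one transaction: commit on success, roll back on error
        cur = conn.executemany("UPDATE voters SET enabled = 0 WHERE id = ?",
                               [(i,) for i in voter_ids])
    return cur.rowcount


def enable_voter(conn, name, address):
    """Enable voter `name` (creating it if absent) and map `address` to it for
    login; an address that already authenticates another voter is refused."""
    with conn:  # rolls the whole change back if the address check fails
        row = conn.execute("SELECT id FROM voters WHERE name = ?", (name,)).fetchone()
        if row is None:
            cur = conn.execute(
                "INSERT INTO voters (name, enabled, reminder) VALUES (?, 1, ?)",
                (name, address))
            voter_id = cur.lastrowid
        else:
            voter_id = row[0]
            conn.execute("UPDATE voters SET enabled = 1 WHERE id = ?", (voter_id,))
        owner = conn.execute("SELECT voter FROM emails WHERE address = ?", (address,)).fetchone()
        if owner is None:
            conn.execute("INSERT INTO emails (voter, address) VALUES (?, ?)",
                         (voter_id, address))
        elif owner[0] != voter_id:
            raise ValueError(f"{address} already authenticates voter {owner[0]}")
    return voter_id
```

Against the production file, call `open_db("/srv/cacert-boardvoting/data/database.sqlite")` as the application administrator and review `SELECT * FROM voters WHERE enabled = 1` afterwards, exactly as the interactive procedure does.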
Changes
Planned
None
System Future
No plans
Additional documentation
References
- README.md in the CAcert Git repository cacert-boardvoting