Motion

Purpose

This system provides the CAcert board motion system.

Historic fact: The system replaced the board voting system that had been provided on the old webmail system at https://community.cacert.org/board/.

Application Links

Board motion system

https://motion.cacert.org/

Administration

System Administration

• Primary: Jan Dittberner

• Secondary: None

Application Administration

Application	Administrator(s)
board motion system	Jan Dittberner

Contact

• motion-admin@cacert.org

Additional People

No other people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet:

None

IP Intranet:

None

IP Internal:

10.0.0.117

IPv6:

2001:7b8:616:162:2::117

MAC address:

00:ff:cc:ce:0d:24 (eth0)

See also

See Network

Monitoring

internal checks:

Monitoring checks for motion.infra.cacert.org

external checks:

Monitoring checks for motion.cacert.org

DNS

Name	Type	Content
motion.cacert.org.	IN A	213.154.225.241
motion.cacert.org.	IN AAAA	2001:7b8:616:162:2::241
motion.cacert.org.	IN SSHFP	1 1 f018202c72749af5f48d45d5d536422f9c364fbb
motion.cacert.org.	IN SSHFP	1 2 0d17bbfe2efa97edbb13ffe3e6bfd3b4b9be5117f3c831a2f1a55b6c50e92fd4
motion.cacert.org.	IN SSHFP	2 1 ee6f2e346a5d5164100721f99765a4d3d08c6dce
motion.cacert.org.	IN SSHFP	2 2 53dedfd2c566011db80311528eba15fd000b0a5092ab1fc8104ca5804490cd18
motion.cacert.org.	IN SSHFP	3 1 6d4a9ec30f30aa0634b8879cded8ce884498e290
motion.cacert.org.	IN SSHFP	3 2 325ee301da21844adb8f12c0011b8d73709be8b2b9f375829224ac79c8fdfa6e
motion.cacert.org.	IN SSHFP	4 1 78e1edee04907de6b56d9c0d4900178f9426c02d
motion.cacert.org.	IN SSHFP	4 2 ca108fc298cb08406fe02454d9245ee1cf26c7241691da9a5b6bc69c56afd5c1
motion.infra.cacert.org.	IN A	10.0.0.117

See also

See Wiki page SystemAdministration/Procedures/DNSChanges

Operating System

• Debian GNU/Linux 13 Trixie

Services

Listening services

Port	Service	Origin	Purpose
22/tcp	ssh	ANY	admin console access
25/tcp	smtp	local	mail delivery to local MTA
8443/tcp	https	ANY	board motion application
5665/tcp	icinga2	monitor	remote monitoring service

The board motion system is reachable via Proxyin. SSH is forwarded from port 11722 on the public IP addresses.

Running services

Service	Usage	Start mechanism
cacert-boardvoting	application	systemd unit cacert-boardvoting.service
cron	job scheduler	systemd unit cron.service
dbus-daemon	System message bus daemon	systemd unit dbus.service
Exim	SMTP server for local mail submission	systemd unit exim4.service
icinga2	Icinga2 monitoring agent	systemd unit icinga2.service
openssh server	ssh daemon for remote administration	systemd unit ssh.service
Puppet agent	configuration management agent	systemd unit puppet.service

Databases

RDBMS	Name	Used for
SQLite	/srv/cacert-boardvoting/data/database.sqlite	cacert-boardvoting

Connected Systems

• Monitor

• Proxyin for incoming application traffic

Outbound network connections

• DNS (53) resolver at 10.0.0.1 (Infra02)

• Emailout as SMTP relay

• Puppet (tcp/8140) as Puppet master

• Proxyout as HTTP proxy for APT and Puppet

Security

SSH host keys

Algorithm	Fingerprints
RSA	SHA256:DRe7/i76l+27E//j5r/TtLm+URfzyDGi8aVbbFDpL9Q, MD5:8a:a8:61:d2:07:79:27:6a:37:f8:30:2a:36:aa:d9:4f
DSA	-
ECDSA	SHA256:Ml7jAdohhErbjxLAARuNc3Cb6LK583WCkiSsecj9+m4, MD5:3f:38:14:95:9e:fb:10:79:c5:72:d6:c6:79:a8:84:cf
ED25519	SHA256:yhCPwpjLCEBv4CRU2SRe4c8mxyQWkdqaW2vGnFav1cE, MD5:c5:40:79:42:09:9d:5e:47:45:d6:ab:e9:58:af:eb:26

See also

SSH host key list

Dedicated user roles

• None

Non-distribution packages and modifications

• Board motion system

  The system runs the board motion system developed in the CAcert Git repository cacert-boardvoting.

  The software is installed from a Debian package that is hosted on Webstatic.

  The sofware is built on Jenkins via the cacert-boardvoting Job when there are changes in Git. The Debian package can be built using gbp.

  The software is installed and configured via Puppet.

  Todo

  describe more in-depth how to build the Debian package

Risk assessments on critical packages

The system is stripped down to the bare minimum. The CAcert board voting system software is developed using Go which handles a lot of common programming errors at compile time and has a quite good security track record.

The board motion tool is run as a separate system user cacert-boardvoting and is built as a small self-contained static binary. Access is restricted via https.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Keys and X.509 certificates

The certificates are managed via Puppet and configured in the system’s Hiera data.

• Certificate for CN motion.cacert.org, see details in the certificate list

• certificate in file /etc/ssl/public/motion.cacert.org.chain.pem

• private key in file /etc/ssl/private/motion.cacert.org.key.pem

• /etc/ssl/public/motion.cacert.org_client_cas.pem CAcert class 3 CA certificate (allowed CA certificate for client certificates)

See also

• Wiki page SystemAdministration/CertificateList

cacert-boardvoting configuration

cacert-boardvoting is configured via Puppet profile profiles::cacert-boardvoting.

Tasks

Add/Remove voters

An Application Administrator and Secretary can add and remove voters from the CAcert board voting system via the Web UI.

Changes

Planned

• None

System Future

• No plans

Additional documentation

See also

• Wiki page Exim4Configuration

References

• README.md in CAcert Git repository cacert-boardvoting