Svn¶
Purpose¶
This system hosts the Subversion repository that is used for some CAcert documents and code that has not been moved to Git yet, for example:
- Events
- Policy development
- Documentation
Application Links¶
- The subversion repository
- Anonymous read-only HTTP access
- Username/password authenticated HTTPS access
Administration¶
System Administration¶
Primary: Jan Dittberner
Secondary: None
Todo: find an additional admin
Application Administration¶
Application | Administrator(s)
---|---
Subversion |
Contact¶
Additional People¶
No additional people have sudo access on that machine.
Basics¶
Physical Location¶
This system is located in an LXC container on physical machine Infra02.
Logical Location¶
- IP Internet:
- IP Intranet:
- IP Internal:
- IPv6:
- MAC address: 00:16:3e:13:87:bb (eth0)
See also: Network
Monitoring¶
- internal checks:
DNS¶
Name | Type | Content
---|---|---
svn.cacert.org. | IN SSHFP | 1 1 1128972FB54F927477A781718E2F9C114E9CA383
svn.cacert.org. | IN SSHFP | 2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
svn.cacert.org. | IN A | 213.154.225.238
svn.cacert.org. | IN AAAA | 2001:7b8:616:162:2::15
cert.svn.cacert.org. | IN CNAME | svn.cacert.org.
nocert.svn.cacert.org | IN CNAME | svn.cacert.org.
Operating System¶
Debian GNU/Linux 12 Bookworm
Applicable Documentation¶
Access to specific paths in the repository is granted on request if approved by team leaders/officers.
Services¶
Listening services¶
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | local | mail delivery to local MTA
80/tcp | http | ANY | application
443/tcp | https | ANY | application
5665/tcp | icinga2 | monitor | remote monitoring service
Running services¶
Service | Usage | Start mechanism
---|---|---
Apache httpd | Webserver for Subversion | systemd unit
cron | job scheduler | systemd unit
dbus-daemon | System message bus | systemd unit
Exim | SMTP server for local mail submission | systemd unit
icinga2 | Icinga2 monitoring agent | systemd unit
openssh server | ssh daemon for remote administration | systemd unit
Puppet agent | configuration management agent | systemd unit
Connected Systems¶
Connection from Blog, because the blog uses some resources served from svn.
Connection from https://www.cacert.org/, because blog posts are embedded there.
Outbound network connections¶
Security¶
SSH host keys¶
Algorithm | Fingerprints
---|---
RSA |
DSA | -
ECDSA |
ED25519 |
Non-distribution packages and modifications¶
None
Risk assessments on critical packages¶
Apache httpd is configured with a minimum of enabled modules to allow TLS and Subversion but nothing else to reduce potential security risks.
Critical Configuration items¶
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.
Todo: move configuration of svn to Puppet code
Keys and X.509 certificates¶
- Certificate for CN svn.cacert.org, see details in the certificate list
- certificate in file /etc/ssl/public/svn.cacert.org.chain.pem
- private key in file /etc/ssl/private/svn.cacert.org.key.pem
- /etc/ssl/public/svn.cacert.org_client_cas.pem: CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
Apache httpd configuration¶
Apache httpd configuration is fully managed by the Puppet profile sitemodules/profiles/manifests/subversion_server.pp in cacertgit:cacert-puppet.
Subversion configuration¶
Subversion authorization (aliases, groups and ACLs) is configured in /srv/dav_svn.authz in the format specified in path based authorization in the Subversion book.
The repository data is stored in /srv/svnrepo.
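Because path access is granted on request, an administrator periodically wants to know who can write where. The following is an added example (not CAcert's own tooling) that reads an authz file in the path-based authorization format named above, expands nested groups and aliases, lists the principals each path section grants write access to, and flags sections that grant write access to everyone or to anonymous users. The embedded authz text is constructed, its user names and the alias DN are placeholders, and the script reports rules as written per section without modelling Subversion's path inheritance.

```python
import configparser
# Constructed sample in the Subversion book's authz format; names and DN are placeholders.
SAMPLE_AUTHZ = """\
[aliases]
admin1 = CN=placeholder-admin,O=EXAMPLE
[groups]
admins = &admin1
policy = alice, bob
docs = carol, @policy
[/]
* = r
@admins = rw
[/documentation]
@docs = rw
[/events]
* = rw
"""
def load_authz(text):
    # Keep key case, '=' as the only delimiter, no %-interpolation: rule names
    # like '*', '&alias', '@group' and '$anonymous' stay literal.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def members(principal, groups, aliases, seen=frozenset()):
    """Expand '@group' (recursively) and '&alias'; other names pass through."""
    if principal.startswith("&"):
        return {aliases[principal[1:]]}
    if not principal.startswith("@"):
        return {principal}  # user, '*', '$anonymous' or '$authenticated'
    name = principal[1:]
    if name in seen:
        raise ValueError(f"group cycle at @{name}")
    out = set()
    for m in (x.strip() for x in groups[name].split(",") if x.strip()):
        out |= members(m, groups, aliases, seen | {name})
    return out

def write_grants(text):
    """Map each path section to every principal a rule there grants 'w'."""
    cp = load_authz(text)  # an empty permission such as 'bob =' grants nothing
    aliases = dict(cp["aliases"]) if cp.has_section("aliases") else {}
    groups = dict(cp["groups"]) if cp.has_section("groups") else {}
    return {s: {p for rule, perms in cp.items(s) if "w" in perms
                for p in members(rule, groups, aliases)}
            for s in cp.sections() if s not in ("aliases", "groups")}

def overbroad_write(grants):
    """Path sections where '*' or '$anonymous' may write: review these first."""
    return sorted(s for s, who in grants.items() if who & {"*", "$anonymous"})
```

Run it against the real /srv/dav_svn.authz by passing the file contents to write_grants and reviewing anything overbroad_write returns.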
CRL update job¶
CRLs are updated by /etc/cron.daily/fetchcrls.
Tasks¶
X.509 Auth for policy¶
The Documentation Officer has endorsed this.
Waiting on the Org-assurer's word regarding the org-assurer policy matters.
Mail notifications¶
Commit hooks on policy sending notifications to the policy list?
Changes¶
Planned¶
The configuration of this system will be migrated to a setup fully managed by Puppet.
System Future¶
No plans
Additional documentation¶