Svn¶

Purpose¶

This system hosts the Subversion repository that is used for some CAcert documents and code that has not been moved to Git yet, for example:

Events
Policy development
Documentation

Application Links¶

The subversion repository: https://svn.cacert.org/CAcert/
Anonymous read-only HTTP access: http://svn.cacert.org/CAcert/
Username/password authenticated HTTPS access: https://nocert.svn.cacert.org/CAcert/

Administration¶

System Administration¶

Primary: Jan Dittberner
Secondary: None

Todo

find an additional admin

Application Administration¶

Application	Administrator(s)
Subversion	Jan Dittberner

Contact¶

svn-admin@cacert.org

Additional People¶

No additional people have sudo access on that machine.

Basics¶

Physical Location¶

This system is located in an LXC container on physical machine Infra02.

Logical Location¶

IP Internet:: 213.154.225.238
IP Intranet:: 172.16.2.15
IP Internal:: 10.0.0.20
IPv6:: 2001:7b8:616:162:2::15
MAC address:: 00:16:3e:13:87:bb (eth0)

See also

See Network

Monitoring¶

internal checks:: Monitoring checks for svn.infra.cacert.org

DNS¶

Name	Type	Content
svn.cacert.org.	IN SSHFP	1 1 1128972FB54F927477A781718E2F9C114E9CA383
svn.cacert.org.	IN SSHFP	2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
svn.cacert.org.	IN A	213.154.225.238
svn.cacert.org.	IN AAAA	2001:7b8:616:162:2::15
cert.svn.cacert.org.	IN CNAME	svn.cacert.org.
nocert.svn.cacert.org	IN CNAME	svn.cacert.org.

Operating System¶

Debian GNU/Linux 12 Bookworm

Applicable Documentation¶

Access to specific paths in the repository is granted on request if approved by team leaders/officers.

Services¶

Listening services¶

Port	Service	Origin	Purpose
22/tcp	ssh	ANY	admin console access
25/tcp	smtp	local	mail delivery to local MTA
80/tcp	http	ANY	application
443/tcp	https	ANY	application
5665/tcp	icinga2	monitor	remote monitoring service

Running services¶

Service	Usage	Start mechanism
Apache httpd	Webserver for Subversion	systemd unit `apache2.service`
cron	job scheduler	systemd unit `cron.service`
dbus-daemon	System message bus	systemd unit `dbus.service`
Exim	SMTP server for local mail submission	systemd unit `exim4.service`
icinga2	Icinga2 monitoring agent	systemd unit `icinga2.service`
openssh server	ssh daemon for remote administration	systemd unit `ssh.service`
Puppet agent	configuration management agent	systemd unit `puppet.service`

Connected Systems¶

Monitor
Connection from Blog because blog uses some resources served from svn
Connection from https://www.cacert.org/ because blog posts are embedded there
Monitor

Outbound network connections¶

crl.cacert.org (rsync) for getting CRLs
Infra02 as resolving nameserver
Emailout as SMTP relay
Puppet (tcp/8140) as Puppet master
Proxyout as HTTP proxy for APT

Security¶

SSH host keys¶

Algorithm	Fingerprints
RSA	`SHA256:8iOQQGmuqi4OrF2Qkqt9665w8G7Dwl6U9J8bFfYz7V0`, `MD5:df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6`
DSA	-
ECDSA	`SHA256:VvsTuiTYiz3P194MM9bwteZcKwyLi/RMWHd0a3TEmYY`, `MD5:f9:10:2c:bb:1d:2f:d4:c4:b3:74:b6:f9:26:4c:64:54`
ED25519	`SHA256:Oga06gc4LasN/lTb6SZzlYfg6HFeMn5Rgnm+G9hHtzw`, `MD5:56:88:68:0d:3a:32:13:6b:da:bd:ae:d7:cc:9b:b8:f5`

See also

SSH host key list

Non-distribution packages and modifications¶

None

Risk assessments on critical packages¶

Apache httpd is configured with a minimum of enabled modules to allow TLS and Subversion but nothing else to reduce potential security risks.

Critical Configuration items¶

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.

Todo

move configuration of svn to Puppet code

Keys and X.509 certificates¶

Certificate for CN svn.cacert.org, see details in the certificate list

certificate in file /etc/ssl/public/svn.cacert.org.chain.pem
private key in file /etc/ssl/private/svn.cacert.org.key.pem

/etc/ssl/public/svn.cacert.org_client_cas.pem CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)

See also

Wiki page SystemAdministration/CertificateList

Apache httpd configuration¶

Apache httpd configuration is fully managed by the Puppet profile sitemodules/profiles/manifests/subversion_server.pp in cacertgit:cacert-puppet.

Subversion configuration¶

Subversion authorization (aliases, groups and ACLs) is configured in /srv/dav_svn.authz in the format specified in path based authorization in the Subversion book.

The repository data is stored in /srv/svnrepo.

CRL update job¶

CRLs are updated by /etc/cron.daily/fetchcrls.

Tasks¶

X.509 Auth for policy¶

Documentation officer has endorsed
Waiting on Org-assurer word as to org-assurer policy stuff

Mail notifications¶

commit hooks on policy to policy list?

Changes¶

Planned¶

The configuration of this system will be migrated to a setup fully managed by Puppet.

System Future¶

No plans

Additional documentation¶

See also

References¶

http://svnbook.red-bean.com/en/1.8/svn.reposadmin.html