Svn

Purpose

This system hosts the Subversion repository used for CAcert documents and code that have not yet been moved to Git, for example:

  • Events

  • Policy development

  • Documentation

Administration

System Administration

Todo

find an additional admin

Application Administration

Application  Administrator(s)
Subversion   Jan Dittberner

Contact

Additional People

No additional people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet:  213.154.225.238
IP Intranet:  172.16.2.15
IP Internal:  10.0.0.20
IPv6:         2001:7b8:616:162:2::15
MAC address:  00:16:3e:13:87:bb (eth0)

See also

See Network

Monitoring

Internal checks: Monitoring checks for svn.infra.cacert.org

DNS

Name                   Type      Content
svn.cacert.org.        IN SSHFP  1 1 1128972FB54F927477A781718E2F9C114E9CA383
svn.cacert.org.        IN SSHFP  2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
svn.cacert.org.        IN A      213.154.225.238
svn.cacert.org.        IN AAAA   2001:7b8:616:162:2::15
cert.svn.cacert.org.   IN CNAME  svn.cacert.org.
nocert.svn.cacert.org  IN CNAME  svn.cacert.org.

Operating System

  • Debian GNU/Linux 12 Bookworm

Applicable Documentation

Access to specific paths in the repository is granted on request if approved by team leaders/officers.

Services

Listening services

Port      Service  Origin   Purpose
22/tcp    ssh      ANY      admin console access
25/tcp    smtp     local    mail delivery to local MTA
80/tcp    http     ANY      application
443/tcp   https    ANY      application
5665/tcp  icinga2  monitor  remote monitoring service

Running services

Service         Usage                                  Start mechanism
Apache httpd    Webserver for Subversion               systemd unit apache2.service
cron            job scheduler                          systemd unit cron.service
dbus-daemon     System message bus                     systemd unit dbus.service
Exim            SMTP server for local mail submission  systemd unit exim4.service
icinga2         Icinga2 monitoring agent               systemd unit icinga2.service
openssh server  ssh daemon for remote administration   systemd unit ssh.service
Puppet agent    configuration management agent         systemd unit puppet.service

Connected Systems

Outbound network connections

  • crl.cacert.org (rsync) for getting CRLs

  • Infra02 as resolving nameserver

  • Emailout as SMTP relay

  • Puppet (tcp/8140) as Puppet master

  • Proxyout as HTTP proxy for APT

Security

SSH host keys

Algorithm  Fingerprints
RSA        SHA256:8iOQQGmuqi4OrF2Qkqt9665w8G7Dwl6U9J8bFfYz7V0, MD5:df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
DSA        -
ECDSA      SHA256:VvsTuiTYiz3P194MM9bwteZcKwyLi/RMWHd0a3TEmYY, MD5:f9:10:2c:bb:1d:2f:d4:c4:b3:74:b6:f9:26:4c:64:54
ED25519    SHA256:Oga06gc4LasN/lTb6SZzlYfg6HFeMn5Rgnm+G9hHtzw, MD5:56:88:68:0d:3a:32:13:6b:da:bd:ae:d7:cc:9b:b8:f5
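The DNS section publishes SSHFP records for this host and the table above lists the same keys in OpenSSH's fingerprint notation. Both are derived from the raw public key blob: an SSHFP record is the algorithm number, the fingerprint type (1 = SHA-1, 2 = SHA-256) and the hex digest of the blob, while the "SHA256:..." form is the unpadded base64 of the SHA-256 digest and "MD5:..." the colon-separated MD5. The script below is an added example, not code from this page or the CAcert infrastructure; it derives all three forms from a public key line as found in /etc/ssh/ssh_host_*_key.pub and checks a key against published SSHFP RDATA, which is the check an administrator runs before trusting a host key for the first time. The sample key is constructed from placeholder bytes and is not a real key; algorithm numbers follow RFC 4255 (RSA 1, DSA 2), RFC 6594 (ECDSA 3, SHA-256 type 2) and RFC 7479 (Ed25519 4).

```python
"""Derive SSHFP records and OpenSSH fingerprints from a host public key and
check the key against published SSHFP RDATA.

Added example, not code from this page or the CAcert infrastructure. The
sample key is built from 32 placeholder bytes and is not a real host key.
"""
import base64
import hashlib
import struct
from typing import List, Tuple

# SSHFP algorithm numbers: RFC 4255 (RSA, DSA), RFC 6594 (ECDSA), RFC 7479 (Ed25519).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}

Record = Tuple[int, int, str]  # (algorithm, fingerprint type, hex digest)


def decode_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Split a '<type> <base64 blob> [comment]' line into type and raw blob and
    check that the type string embedded in the blob matches the declared type."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    keytype = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])  # first field of the blob is the type string
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type inside blob does not match declared type")
    return keytype, blob


def openssh_fingerprint(blob: bytes) -> str:
    """'SHA256:...' notation: SHA-256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def openssh_md5_fingerprint(blob: bytes) -> str:
    """Legacy 'MD5:aa:bb:...' notation: colon-separated hex of MD5(blob)."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sshfp_records(line: str) -> List[Record]:
    """SSHFP RDATA for both fingerprint types, as `ssh-keygen -r` would emit."""
    keytype, blob = decode_pubkey_line(line)
    algorithm = SSHFP_ALGORITHM[keytype]
    return [(algorithm, fptype, h(blob).hexdigest())
            for fptype, h in SSHFP_DIGEST.items()]


def parse_sshfp_rdata(text: str) -> Record:
    """Parse RDATA as shown in the DNS table, e.g. '1 1 1128972F...'."""
    algorithm, fptype, digest = text.split()
    return int(algorithm), int(fptype), digest.lower()


def matches_sshfp(line: str, published: List[Record]) -> bool:
    """True if any published record matches the key. Hex digits are compared
    case-insensitively because resolvers and zone files use either case."""
    mine = set(sshfp_records(line))
    return any((a, t, d.lower()) in mine for a, t, d in published)


def constructed_ed25519_line() -> str:
    """A syntactically valid ssh-ed25519 public key line over placeholder bytes."""
    key = bytes(range(32))  # placeholder, not a real key
    blob = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", len(key)) + key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed-sample"


if __name__ == "__main__":
    sample = constructed_ed25519_line()
    _, sample_blob = decode_pubkey_line(sample)
    print(openssh_fingerprint(sample_blob), openssh_md5_fingerprint(sample_blob))
    for algorithm, fptype, digest in sshfp_records(sample):
        print(f"host.example. IN SSHFP {algorithm} {fptype} {digest}")
```

OpenSSH only consults SSHFP records when `VerifyHostKeyDNS` is set to `yes` or `ask`, and it trusts a match without prompting only when the DNS answer was DNSSEC-validated; otherwise a match is shown as a hint and the usual known_hosts confirmation still applies.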

Non-distribution packages and modifications

  • None

Risk assessments on critical packages

Apache httpd is configured with only the modules needed for TLS and Subversion; everything else is disabled to reduce the attack surface.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.

Todo

move configuration of svn to Puppet code

Keys and X.509 certificates

  • Certificate for CN svn.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/public/svn.cacert.org.chain.pem

    • private key in file /etc/ssl/private/svn.cacert.org.key.pem

  • /etc/ssl/public/svn.cacert.org_client_cas.pem CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)

Apache httpd configuration

Apache httpd configuration is fully managed by the Puppet profile sitemodules/profiles/manifests/subversion_server.pp in cacertgit:cacert-puppet.

Subversion configuration

Subversion authorization (aliases, groups and ACLs) is configured in /srv/dav_svn.authz, using the path-based authorization format described in the Subversion book.

The repository data is stored in /srv/svnrepo.
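As an added example (not the contents of /srv/dav_svn.authz and not CAcert code), the following Python script parses a constructed authz file in that format and lints it for two mistakes that matter when the file is edited by hand: a rule that refers to a group or alias that is never defined, which Subversion rejects when it loads the file and which therefore denies access to the whole repository, and a path where `*` or `$anonymous` is granted write access. All user, alias and group names in the sample are placeholders. The `writers` listing is a per-section review aid only; it does not resolve the deepest-path-wins inheritance between parent and child paths.

```python
"""Lint a Subversion path-based authz file such as /srv/dav_svn.authz.

Added example, not code from the CAcert Puppet repository. SAMPLE_AUTHZ is a
constructed file using the syntax from the Subversion book's "Path-Based
Authorization" section; every name in it is a placeholder.
"""
import configparser
from typing import Dict, List, Set

# Constructed sample. It deliberately contains two defects that lint_authz()
# reports: '@policy-readers' is never defined, and [/events] lets everyone write.
SAMPLE_AUTHZ = """\
[aliases]
docsofficer = alice

[groups]
policy-editors = &docsofficer, bob
docs = carol, @policy-editors

[/]
* = r
@docs = rw

[/policy]
@policy-editors = rw
@policy-readers = r
* =

[/events]
* = rw
"""

VALID_PERMS = {"", "r", "rw"}  # the only access values the format defines


def parse_authz(text: str) -> configparser.ConfigParser:
    """Parse authz text. Names stay case-sensitive, as Subversion compares them
    exactly, and duplicate sections or rules raise an error."""
    cp = configparser.ConfigParser(strict=True, delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep '@Group', '&Alias' and user names as written
    cp.read_string(text)
    return cp


def _members(value: str) -> List[str]:
    """Split a group definition 'a, @b, &c' into its members."""
    return [m.strip() for m in value.split(",") if m.strip()]


def _check_ref(name: str, where: str, groups: Set[str], aliases: Set[str],
               problems: List[str]) -> None:
    """Report a '@group' or '&alias' reference (optionally negated with '~')
    whose definition is missing."""
    ref = name[1:] if name.startswith("~") else name
    if ref.startswith("@") and ref[1:] not in groups:
        problems.append(f"{where}: '{name}' refers to undefined group '{ref[1:]}'")
    elif ref.startswith("&") and ref[1:] not in aliases:
        problems.append(f"{where}: '{name}' refers to undefined alias '{ref[1:]}'")


def lint_authz(text: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means clean."""
    cp = parse_authz(text)
    aliases = set(cp.options("aliases")) if cp.has_section("aliases") else set()
    groups = set(cp.options("groups")) if cp.has_section("groups") else set()
    problems: List[str] = []
    for gname in (cp.options("groups") if cp.has_section("groups") else []):
        for member in _members(cp.get("groups", gname)):
            _check_ref(member, f"[groups] {gname}", groups, aliases, problems)
    for section in cp.sections():
        if section in ("aliases", "groups"):
            continue  # everything else is a '[/path]' or '[repo:/path]' section
        for principal, perms in cp.items(section):
            if perms not in VALID_PERMS:
                problems.append(f"[{section}]: '{principal}' has unrecognised access value '{perms}'")
            _check_ref(principal, f"[{section}]", groups, aliases, problems)
            if principal in ("*", "$anonymous") and "w" in perms:
                problems.append(f"[{section}]: '{principal}' grants write access to unauthenticated users")
    return problems


def writers(text: str) -> Dict[str, List[str]]:
    """Per path section, the principals whose rule in that section contains 'w'.
    Review aid only: parent/child inheritance is not resolved here."""
    cp = parse_authz(text)
    return {s: [p for p, v in cp.items(s) if "w" in v]
            for s in cp.sections() if s not in ("aliases", "groups")}


if __name__ == "__main__":
    for problem in lint_authz(SAMPLE_AUTHZ):
        print(problem)
    print(writers(SAMPLE_AUTHZ))
```

Run it against a real file with `lint_authz(open("/srv/dav_svn.authz").read())` before the file is committed to the Puppet repository; `svnauthz validate` from the Subversion distribution performs the server's own syntax check and is the authoritative test, this script adds the write-to-anyone review on top.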

CRL update job

CRLs are updated by /etc/cron.daily/fetchcrls.

Tasks

X.509 Auth for policy

  • Documentation officer has endorsed

  • Waiting on the Org-assurer's decision regarding the org-assurer policy aspects

Mail notifications

  • Should commit hooks on the policy tree send notifications to the policy mailing list?

Changes

Planned

The configuration of this system will be migrated to a setup fully managed by Puppet.

System Future

  • No plans

Additional documentation

References