Wiki

Purpose

The purpose of the wiki server is to serve the wiki, implemented with MoinMoin.

Administration

System Administration

Application Administration

Todo

document wiki admins

Contact

Additional People

No additional people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

  • IP Internet: 213.154.225.235

  • IP Intranet: 172.16.2.12

  • IP Internal: 10.0.0.12

  • IPv6: 2001:7b8:616:162:2::12

  • MAC address: 00:ff:32:e3:13:66 (eth0)

See also

See Network

Monitoring

internal checks: Monitoring checks for wiki.infra.cacert.org

DNS

Name                    Type       Content
wiki.cacert.org.        IN A       213.154.225.235
wiki.cacert.org.        IN AAAA    2001:7b8:616:162:2::12
wiki.cacert.org.        IN SSHFP   1 1 5C3E0D3265782405E0141C47BF0E16EC14B12E08
wiki.cacert.org.        IN SSHFP   1 2 69101872cb629e30a78ca4aac781720e1217c3733f6bb8d659034e9c23c890df
wiki.cacert.org.        IN SSHFP   3 1 73113627b9e77be383e4da3a8c4b4a0ae07df5ba
wiki.cacert.org.        IN SSHFP   3 2 88d73c828d56d3cccac530558bf0a1b2678c238f285c3ef6b61fa05ea782fd60
wiki.cacert.org.        IN SSHFP   4 1 c1d79ceb8986b02b6b477f8c9e50b2623a15cfe8
wiki.cacert.org.        IN SSHFP   4 2 6cfa531e0eebbb01b226444d33c238b83c96cc134d23662f95a36c095c4dfbdf
wiki.infra.cacert.org.  IN AAAA    2001:7b8:616:162:2::12
wiki.infra.cacert.org.  IN MX      1 emailout.infra.cacert.org.
wiki.intra.cacert.org.  IN A       172.16.2.12

Operating System

  • Debian GNU/Linux 10 Buster

Services

Listening services

Port      Service  Origin   Purpose
22/tcp    ssh      ANY      admin console access
25/tcp    smtp     local    mail delivery to local MTA
80/tcp    http     ANY      application
443/tcp   https    ANY      application
5665/tcp  icinga2  monitor  remote monitoring service

Running services

Service         Usage                                  Start mechanism
Apache httpd    Webserver for the Wiki                 systemd unit apache2.service
cron            job scheduler                          systemd unit cron.service
dbus-daemon     System message bus                     systemd unit dbus.service
icinga2         Icinga2 monitoring agent               systemd unit icinga2.service
openssh server  ssh daemon for remote administration   systemd unit ssh.service
Postfix         SMTP server for local mail submission  systemd unit postfix.service
Puppet agent    configuration management agent         systemd unit puppet.service
rsyslog         syslog daemon                          systemd unit rsyslog.service

Connected Systems

Outbound network connections

  • DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3

  • Emailout as SMTP relay

  • Proxyout as HTTP proxy for APT

  • Puppet (tcp/8140) as Puppet master

Security

SSH host keys

Algorithm  Fingerprints
RSA        SHA256:aRAYcstinjCnjKSqx4FyDhIXw3M/a7jWWQNOnCPIkN8, MD5:f8:16:e5:40:91:42:10:a6:ba:aa:e3:f9:1a:71:d7:09
DSA        -
ECDSA      SHA256:iNc8go1W08zKxTBVi/ChsmeMI48oXD72th+gXqeC/WA, MD5:09:ea:70:41:1b:bb:a4:6a:fa:fd:37:c2:29:05:35:0e
ED25519    SHA256:bPpTHg7ruwGyJkRNM8I4uDyWzBNNI2YvlaNsCVxN+98, MD5:1e:4f:70:ff:65:c2:d5:8a:e2:24:09:04:77:94:9b:a0
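
The SSHFP records in the DNS section and the SHA256 fingerprints listed here encode the same host key digests, once as hex and once as unpadded base64. The following check is an added example, not part of the original page or of CAcert's tooling; it converts the type 2 (SHA-256) SSHFP records into OpenSSH fingerprint notation and compares them with the documented values. The function names are this example's own, and the SSHFP algorithm numbers are taken from the RFCs named in the comment.

```python
import base64

# SSHFP algorithm numbers per RFC 4255, RFC 6594 and RFC 7479.
ALGORITHMS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}
SHA256_TYPE = 2  # SSHFP fingerprint type 2 is SHA-256 (type 1 is SHA-1)

# SSHFP record data for wiki.cacert.org., copied from the DNS table on this page.
SSHFP_RECORDS = [
    "1 1 5C3E0D3265782405E0141C47BF0E16EC14B12E08",
    "1 2 69101872cb629e30a78ca4aac781720e1217c3733f6bb8d659034e9c23c890df",
    "3 1 73113627b9e77be383e4da3a8c4b4a0ae07df5ba",
    "3 2 88d73c828d56d3cccac530558bf0a1b2678c238f285c3ef6b61fa05ea782fd60",
    "4 1 c1d79ceb8986b02b6b477f8c9e50b2623a15cfe8",
    "4 2 6cfa531e0eebbb01b226444d33c238b83c96cc134d23662f95a36c095c4dfbdf",
]

# SHA256 fingerprints copied from the SSH host keys table on this page.
DOCUMENTED = {
    "RSA": "SHA256:aRAYcstinjCnjKSqx4FyDhIXw3M/a7jWWQNOnCPIkN8",
    "ECDSA": "SHA256:iNc8go1W08zKxTBVi/ChsmeMI48oXD72th+gXqeC/WA",
    "ED25519": "SHA256:bPpTHg7ruwGyJkRNM8I4uDyWzBNNI2YvlaNsCVxN+98",
}

def sshfp_to_openssh(rdata):
    """Turn 'alg type hex' into (algorithm, OpenSSH fingerprint); None if not SHA-256."""
    alg, fp_type, hexdigest = rdata.split()
    if int(fp_type) != SHA256_TYPE:
        return None  # SHA-1 records have no counterpart in the host key table
    digest = bytes.fromhex(hexdigest)
    if len(digest) != 32:
        raise ValueError("SHA-256 SSHFP digest must be 32 bytes: %r" % rdata)
    # OpenSSH prints the digest as base64 with the '=' padding removed.
    b64 = base64.b64encode(digest).decode("ascii").rstrip("=")
    return ALGORITHMS[int(alg)], "SHA256:" + b64

def cross_check(records, documented):
    """Map each algorithm with a SHA-256 SSHFP record to True (match) or False."""
    result = {}
    for rdata in records:
        converted = sshfp_to_openssh(rdata)
        if converted is not None:
            name, fingerprint = converted
            result[name] = documented.get(name) == fingerprint
    return result

if __name__ == "__main__":
    for name, ok in cross_check(SSHFP_RECORDS, DOCUMENTED).items():
        print(name, "match" if ok else "MISMATCH")
```

A mismatch means the DNS zone and this documentation have drifted apart, for example after a host key rotation that updated only one of them.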

Non-distribution packages and modifications

MoinMoin in /srv/www/wiki/.

Todo

properly document the Wiki setup or replace it with a packaged version

Risk assessments on critical packages

The MoinMoin 1.x wiki software is based on Python 2, which is end-of-life (EOL). The software should be replaced when MoinMoin 2.x comes out with support for Python 3.

Todo

upgrade to MoinMoin 2.x when it is available

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Todo

move configuration of wiki to Puppet code

Keys and X.509 certificates

All keys and certificates are managed in the file hieradata/nodes/wiki.yaml in the CAcert Git repository cacert-puppet.

  • Certificate for CN wiki.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/public/wiki.cacert.org.chain.pem

    • private key in file /etc/ssl/private/wiki.cacert.org.key.pem

  • /etc/ssl/public/wiki.cacert.org_client_cas.pem: CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)

Apache configuration

Apache is configured using files in /etc/apache2 integrating the MoinMoin wiki using mod_wsgi.

Todo

more comprehensive Apache configuration documentation for wiki

Changes

Todo

manage the blog system using Puppet

System Future

Additional documentation

  • No plans

References