========================
CAcert svn setup notes
========================

:Author: Jan Dittberner
:Version: 0.2
:Date: 2011-04-27

.. header:: |cacertlogo|

.. |cacertlogo| image:: CAcert-logo-colour.png
   :width: 5cm

.. contents::

Initial setup
=============

* install using lxc-setup

  .. code-block:: bash

     sudo ./lxc-setup -n svn -l 8G -i 10.0.0.20 -r `pwgen -s 32 -n 1` \
       -a svn-admin@cacert.org
     sudo lxc-start -n svn -f /etc/lxc/svn.conf -d

* ``adduser jandd``
* ``adduser jandd sudo``
* ssh-copy-id for jandd via forwarded connection from host
* ``apt-get install aptitude``
* install additional packages: libapache2-svn, subversion,
  apache2-mpm-worker, openssl, wget
* edit ``/etc/ssh/sshd_config`` to disable non-key and root logins
* ``invoke-rc.d ssh restart``
* ``echo "10.0.0.20 svn svn.intra.cacert.org" >> /etc/hosts``

Configuration of Apache virtual hosts
=====================================

svn.cacert.org:80
-----------------

* HTTP
* read only
* no authentication
* no access to restricted areas
* server name: svn.cacert.org
* aliases: nocert.svn.cacert.org, cert.svn.cacert.org
* modified default virtual host

  .. code-block:: apache
     :include: svn/sites-available/default

svn.cacert.org:443
------------------

* HTTPS
* writeable
* client certificate authentication
* server name: svn.cacert.org
* alias: cert.svn.cacert.org
* ``/etc/apache2/sites-available/cert.svn.cacert.org``

  .. code-block:: apache
     :include: svn/sites-available/cert.svn.cacert.org

nocert.svn.cacert.org:443
-------------------------

* HTTPS
* writeable
* username/password authentication
* server name: nocert.svn.cacert.org
* ``/etc/apache2/sites-available/nocert.svn.cacert.org``

  .. code-block:: apache
     :include: svn/sites-available/nocert.svn.cacert.org

other Apache changes
--------------------

* enable new virtual hosts:

  .. code-block:: bash

     a2ensite cert.svn.cacert.org
     a2ensite nocert.svn.cacert.org

* enable required Apache modules

  .. code-block:: bash

     a2enmod ssl
     a2enmod dav_svn

* create certificate directories and files

  .. code-block:: bash

     mkdir /etc/apache2/ssl
     wget -O - http://www.cacert.org/certs/root.crt \
       > /etc/apache2/ssl/cacert-chain.pem
     wget -O - http://www.cacert.org/certs/root.crt \
       http://www.cacert.org/certs/class3.crt \
       > /etc/apache2/ssl/cacert-certs.pem

Backup/Restore SVN repository
=============================

* create svn repository

  .. code-block:: bash

     svnadmin create /srv/svnrepo

* execute backup.sh on old svn host using a long random passphrase

  .. code-block:: bash
     :include: svn/backupsvn.sh

* copy encrypted backup data to new svn host
* restore backup using restore-backup.sh using the same long random
  passphrase

  .. code-block:: bash
     :include: svn/restore-backup.sh

Final touch
===========

* check Apache configuration

  .. code-block:: bash

     apache2ctl configtest

* restart Apache

  .. code-block:: bash

     apache2ctl restart

* add special ferm rules on host in ``/etc/ferm/ferm.d/svn.conf``

  .. code-block:: bash
     :include: ferm.d/svn.conf
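
The step "create certificate directories and files" fetches the CA certificates over plain HTTP, and Apache then uses them as trust anchors for client certificate authentication, so each certificate's fingerprint should be compared with a value obtained out of band before the files go live. The following check is an added example, not part of the original notes; the pin file (``pins.txt``, one SHA-256 fingerprint per line, colons optional) is an assumption.

```sh
#!/bin/sh
# Added example: verify every certificate in a PEM bundle against pinned
# SHA-256 fingerprints. A certificate fingerprint is the hash of its DER
# encoding, i.e. of the base64-decoded body between the BEGIN/END lines,
# so coreutils and awk are enough.

# pem_fingerprints BUNDLE -> one lowercase hex SHA-256 per certificate
pem_fingerprints() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { print body; inside = 0; next }
        inside                        { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1" | while IFS= read -r b64; do
        printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
    done
}

# verify_bundle BUNDLE PINFILE -> status 0 only if the bundle holds at
# least one certificate and every certificate is listed in PINFILE.
# Anything unreadable or undecodable yields no match, so it fails closed.
verify_bundle() {
    fps=$(pem_fingerprints "$1")
    if [ -z "$fps" ]; then
        echo "$1: no certificates found" >&2
        return 1
    fi
    # Normalise pins: drop colons/blanks, lowercase hex (openssl prints AA:BB:...)
    pins=$(tr -d ': \t' < "$2" | tr 'A-F' 'a-f')
    for fp in $fps; do
        if ! printf '%s\n' "$pins" | grep -qxF "$fp"; then
            echo "$1: unpinned certificate $fp" >&2
            return 1
        fi
    done
    return 0
}

# Usage (pins.txt is a hypothetical file holding the fingerprints obtained
# out of band):
#   sh verify-bundle.sh /etc/apache2/ssl/cacert-certs.pem pins.txt
if [ $# -eq 2 ]; then
    verify_bundle "$1" "$2"
fi
```

Run it against both ``cacert-chain.pem`` and ``cacert-certs.pem`` before ``apache2ctl configtest``; a non-zero exit status means at least one certificate in the bundle is not pinned.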