Tech:Private Git

Orain's private git repo is stored on prod7. It is readable only by the user 'git', and only the user 'root' can commit to it.


 * User 'git'

The git user is used to automatically update /root/private on all Orain servers. The account authenticates via ssh with a private key that is itself stored in the private git repo (together with its public key). Ansible uses one of the keypairs from the private repo to authenticate to prod7 in order to download the latest code.


 * Files stored

The keypairs for the user 'git' are stored in the repo, along with Orain's SSL cert and private key. The ansible variable file is also stored in the repo. Any files that should not be public but need to be available for either general or ansible operations can be stored there. Only ops can commit to the repo, via the root user.

Private
The repo stores private data that, if compromised, should be reset immediately in order to ensure the security of the servers and services we operate. Below is a complete list of the services and variables stored in the repo and how to reset each of them if necessary.


 * SSL

The cluster's SSL cert and SSL private key are both stored in a directory of the repo. If only the cert is exposed, there is no concern as long as the key is still secure. If the private key is exposed, email sysadmin@undefinedorain.org immediately to notify an ops member with SSL access (currently John, but Dusti also has access) so that the cert can be revoked and reissued as appropriate.


 * MariaDB

A few MariaDB passwords are managed in the repo: the root password, the mediawiki password and the debian installation password. If any of these are exposed, resetting them should be easy: modify the repo and force an ansible run. On discovery, however, it is preferred to change the passwords immediately by hand and to disable ansible until the repo is updated, so that an ansible run does not re-apply the old passwords.


 * MediaWiki

The wgSecretKey and wgUpgradeKey variables are stored in the repo. If either variable is exposed, simply change it to another random character string. An email to sysadmin@undefinedorain.org should also be sent, as wgSecretKey is used in various operations within MediaWiki such as password hashing, OAuth secrets and the MW reinstall screen (this should not be an issue, though).


 * Redis

The Redis 'AUTH' password is stored in the repo. If this is exposed, reset the variable to another randomly generated string and force an ansible run. As the installation is reachable only from Orain's servers, exposing this should not have any real user impact.


 * HHVM

The HHVM admin server's password is stored in the repo. If this is exposed, reset the variable to something else and email sysadmin@undefinedorain.org. This is because the password allows a user to stop an HHVM instance on a server as well as to access some details regarding the operation of HHVM on that server.
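A small rotation helper for the MediaWiki, Redis and HHVM secrets described above, added here as an example and not taken from Orain's repo or playbooks. It assumes the ansible variable file is plain top-level `key: value` YAML; wgSecretKey and wgUpgradeKey are the names used on this page, while redis_auth_password and hhvm_admin_password are placeholder variable names.

```python
import re
import secrets
from typing import Dict, Set, Tuple

# Secrets this helper may rotate, with the bytes of randomness each gets
# (values are hex, so twice as many characters). The Redis and HHVM variable
# names are placeholders; the sizes are choices made for this example.
ROTATABLE: Dict[str, int] = {
    "wgSecretKey": 32,          # 64 hex chars, the size MediaWiki's installer uses
    "wgUpgradeKey": 8,          # 16 hex chars
    "redis_auth_password": 32,
    "hhvm_admin_password": 32,
}

# Matches one top-level "key: value" line of a simple ansible vars file.
LINE_RE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*):\s*(?P<value>\S.*)?$")


def rotate_secrets(vars_text: str, keys: Set[str]) -> Tuple[str, Dict[str, str]]:
    """Replace the values of `keys` with fresh random hex strings.

    Returns the rewritten file text and a map of key -> new value. Raises if a
    requested key is not rotatable or is absent from the file, so a typo never
    silently leaves an exposed secret in place.
    """
    unknown = keys - set(ROTATABLE)
    if unknown:
        raise KeyError(f"not a rotatable secret: {sorted(unknown)}")
    new_values: Dict[str, str] = {}
    out = []
    for line in vars_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("key") in keys:
            key = m.group("key")
            new_values[key] = secrets.token_hex(ROTATABLE[key])  # CSPRNG-backed
            line = f"{key}: {new_values[key]}"
        out.append(line)
    missing = keys - set(new_values)
    if missing:
        raise KeyError(f"not found in vars file: {sorted(missing)}")
    return "\n".join(out) + "\n", new_values


# Constructed sample vars file for this example, not Orain's real one.
SAMPLE_VARS = """\
mariadb_root_password: example-only
wgSecretKey: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
wgUpgradeKey: 0123456789abcdef
redis_auth_password: example-only
hhvm_admin_password: example-only
"""

if __name__ == "__main__":
    text, changed = rotate_secrets(SAMPLE_VARS, {"wgSecretKey", "redis_auth_password"})
    print(text)
```

After committing the rewritten file as root, force the ansible run described above so the new values reach every server.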