1 files changed, 138 insertions, 4 deletions
diff --git a/puppet/TODO.md b/puppet/TODO.md
index c773654..429bd4d 100644
--- a/puppet/TODO.md
+++ b/puppet/TODO.md
@@ -1,7 +1,141 @@
 TODO
 ====
 
-* Minimal manifest for fast provisioning.
-* Update to new nodo style (hiera and nodo::role).
-* Support for recursive clones in `bin/mrconfig`.
-* Test!
+High priority
+-------------
+
+- puppet: masterless:
+  - keyringer/gpg integration.
+    - https://github.com/compete/hiera_yamlgpg
+    - https://github.com/crayfishx/hiera-gpg
+    - https://github.com/sihil/hiera-eyaml-gpg
+    - https://github.com/StackExchange/blackbox
+    - http://ww.telent.net/2014/2/10/keeping_secrets_in_public_with_puppet
+    - https://docs.puppetlabs.com/hiera/1/custom_backends.html
+    - https://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml
+    - https://packages.debian.org/jessie/hiera-eyaml
+  - how to distribute keys outside the repo (i.e, avoiding all nodes to have all keys?):
+    - add a monkeysphere auth subkey to every openpgp key used for backups.
+    - make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/
+  - http://current.workingdirectory.net/posts/2011/puppet-without-masters/
+  - http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/
+  - http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html
+  - https://github.com/jordansissel/puppet-examples/tree/master/masterless
+- sshd:
+  - https://stribika.github.io/2015/01/04/secure-secure-shell.html
+  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774711#60
+  - enable ecdsa key.
+  - ecdsa priority: alternatives:
+    - unsupport ecdsa in the server.
+    - export ecdsa pubkeys.
+    - manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`.
+    - force option via rsync/rdiff handlers.
+- virtual: migrate to kvm/libvirt.
+- loginrecords: deploy module.
+- deploy https://github.com/wido/puppet-module-tcpwrappers
+- nodo:
+  - run stages.
+  - allow more resources to be declared via hiera.
+  - fix hiera default boolean value when true.
+  - easy way to toggle management of subsystems.
+
+Medium priority
+---------------
+
+- apt: raspbian support, including unnatended-upgrades.
+- backup:
+  - support for $dombr and $dobios on backupninja::sys for servers and physical machines.
+  - sync-backups support for rsyncing from kvms / snapshots.
+- nodo:
+  - cleanup and refactor.
+  - uniform variable names.
+  - use prompt.sh from bash-prompt as a submodule.
+- common: autoload.
+- general:
+  - rollback of commits about charset.
+  - switch to conf.d:
+    - php ("refactor" branch), remove E_STRICT from production's error_reporting.
+    - apache2.
+    - sudoers.
+- backup: `sync-media-iterate [volume]`.
+- mail:
+  - use ssl::dhparams, move to 2048 bit and use the standard file names and paths:
+    - [Feature #4012: postfix: ship 2048bit dh parameters - Platform - LEAP Issue Tracker](https://leap.se/code/issues/4012)
+
+Low priority
+------------
+
+- merge, review, pull requests for all modules.
+- bind: nsupdate / dynamic dns:
+  - http://linux.yyz.us/nsupdate/
+  - http://linux.yyz.us/dns/ddns-server.html
+  - http://caunter.ca/nsupdate.txt
+  - http://www.rtfm-sarl.ch/articles/using-nsupdate.html
+  - https://github.com/skx/dhcp.io/
+- munin: lvm monitoring.
+- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed:
+  - http://wiki.rtorrent.org/MagnetUri
+  - http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/
+  - https://github.com/danfolkes/Magnet2Torrent
+  - http://code.google.com/p/pyroscope/wiki/CommandLineTools
+  - https://trac.transmissionbt.com/ticket/4176
+  - http://wiki.rtorrent.org/MagnetUri
+  - https://github.com/rakshasa/rtorrent/issues/212
+  - saving/restoring `.meta` and `~/rtorrent/.session` files.
+- support for http/https proxy inside web nodes:
+  - encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html
+  - make all apache sites listen to 8080.
+- git:
+  - gitolite: [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html).
+  - gitweb clean urls.
+  - email notifications.
+    - https://packages.debian.org/jessie/git-notifier
+    - https://github.com/mhagger/git-multimail
+    - using OpenPGP?
+- syslog-ng: use conf.d.
+- etherpad: `You need to set a sessionKey value in settings.json`.
+- knock integration via https://github.com/juasiepo/knockd
+- apache:
+  - try libapache2-modsecurity.
+  - deploy https://git.immerda.ch/csp-report/
+  - disable other_vhosts_access.log.
+- onion:
+  - support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot
+  - load balancing: http://archives.seul.org/tor/relays/Apr-2011/msg00022.html
+- nagios: snmp, nrpe, nsca
+  - http://nagios.sourceforge.net/docs/3_0/addons.html
+  - http://www.math.wisc.edu/~jheim/snmp/
+- ssh access restrictions:
+  - denyhosts, but we don't want to log IPs.
+  - using shorewall: http://www.debian-administration.org/articles/250#comment_16
+    - alowed users / groups.
+- websites: freewvs.
+- puppet: bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963
+- mail:
+  - review dovecot recipient delimiter handling: to which mailbox messages should be sent?
+  - mlmmj:
+    - lists with hyphens are not working when mails are sent directly, but work when sent to an alias.
+    - `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`.
+- drupal/wordpress:
+  - cronjob/cli: switch to site user.
+  - drupal_update: Do you really want to continue with the update process? (y/n):
+    Do you really want to continue with the update process? (y/n): Aborting. [cancel],
+    possibly related to https://www.drupal.org/node/443392
+- php / wordpress / wp-cli: composer installation and dependencies:
+  - http://getcomposer.org/doc/00-intro.md#installation-nix
+  - https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods
+  - suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`.
+- nodo: support for prosody:
+  - https://github.com/dgoulet/prosody-otr
+  - http://prosody.im/doc/creating_accounts#importing_from_ejabberd
+  - config with good score at https://xmpp.net/index.php
+- mail:
+  - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.).
+  - schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails.
+    sent as `root@localhost`.
+  - deploy https://git.autistici.org/ale/smtp-fp/tree/master
+           https://github.com/EFForg/starttls-everywhere
+  - deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP
+           https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d
+           https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616
+  - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.).