aboutsummaryrefslogtreecommitdiff
path: root/puppet/TODO.md
blob: 429bd4d42b04fdb9ff9393c70c5ebafa48fec245 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
TODO
====

High priority
-------------

- puppet: masterless:
  - keyringer/gpg integration.
    - https://github.com/compete/hiera_yamlgpg
    - https://github.com/crayfishx/hiera-gpg
    - https://github.com/sihil/hiera-eyaml-gpg
    - https://github.com/StackExchange/blackbox
    - http://ww.telent.net/2014/2/10/keeping_secrets_in_public_with_puppet
    - https://docs.puppetlabs.com/hiera/1/custom_backends.html
    - https://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml
    - https://packages.debian.org/jessie/hiera-eyaml
  - how to distribute keys outside the repo (i.e, avoiding all nodes to have all keys?):
    - add a monkeysphere auth subkey to every openpgp key used for backups.
    - make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/
  - http://current.workingdirectory.net/posts/2011/puppet-without-masters/
  - http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/
  - http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html
  - https://github.com/jordansissel/puppet-examples/tree/master/masterless
- sshd:
  - https://stribika.github.io/2015/01/04/secure-secure-shell.html
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774711#60
  - enable ecdsa key.
  - ecdsa priority: alternatives:
    - unsupport ecdsa in the server.
    - export ecdsa pubkeys.
    - manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`.
    - force option via rsync/rdiff handlers.
- virtual: migrate to kvm/libvirt.
- loginrecords: deploy module.
- deploy https://github.com/wido/puppet-module-tcpwrappers
- nodo:
  - run stages.
  - allow more resources to be declared via hiera.
  - fix hiera default boolean value when true.
  - easy way to toggle management of subsystems.

Medium priority
---------------

- apt: raspbian support, including unnatended-upgrades.
- backup:
  - support for $dombr and $dobios on backupninja::sys for servers and physical machines.
  - sync-backups support for rsyncing from kvms / snapshots.
- nodo:
  - cleanup and refactor.
  - uniform variable names.
  - use prompt.sh from bash-prompt as a submodule.
- common: autoload.
- general:
  - rollback of commits about charset.
  - switch to conf.d:
    - php ("refactor" branch), remove E_STRICT from production's error_reporting.
    - apache2.
    - sudoers.
- backup: `sync-media-iterate [volume]`.
- mail:
  - use ssl::dhparams, move to 2048 bit and use the standard file names and paths:
    - [Feature #4012: postfix: ship 2048bit dh parameters - Platform - LEAP Issue Tracker](https://leap.se/code/issues/4012)

Low priority
------------

- merge, review, pull requests for all modules.
- bind: nsupdate / dynamic dns:
  - http://linux.yyz.us/nsupdate/
  - http://linux.yyz.us/dns/ddns-server.html
  - http://caunter.ca/nsupdate.txt
  - http://www.rtfm-sarl.ch/articles/using-nsupdate.html
  - https://github.com/skx/dhcp.io/
- munin: lvm monitoring.
- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed:
  - http://wiki.rtorrent.org/MagnetUri
  - http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/
  - https://github.com/danfolkes/Magnet2Torrent
  - http://code.google.com/p/pyroscope/wiki/CommandLineTools
  - https://trac.transmissionbt.com/ticket/4176
  - http://wiki.rtorrent.org/MagnetUri
  - https://github.com/rakshasa/rtorrent/issues/212
  - saving/restoring `.meta` and `~/rtorrent/.session` files.
- support for http/https proxy inside web nodes:
  - encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html
  - make all apache sites listen to 8080.
- git:
  - gitolite: [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html).
  - gitweb clean urls.
  - email notifications.
    - https://packages.debian.org/jessie/git-notifier
    - https://github.com/mhagger/git-multimail
    - using OpenPGP?
- syslog-ng: use conf.d.
- etherpad: `You need to set a sessionKey value in settings.json`.
- knock integration via https://github.com/juasiepo/knockd
- apache:
  - try libapache2-modsecurity.
  - deploy https://git.immerda.ch/csp-report/
  - disable other_vhosts_access.log.
- onion:
  - support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot
  - load balancing: http://archives.seul.org/tor/relays/Apr-2011/msg00022.html
- nagios: snmp, nrpe, nsca
  - http://nagios.sourceforge.net/docs/3_0/addons.html
  - http://www.math.wisc.edu/~jheim/snmp/
- ssh access restrictions:
  - denyhosts, but we don't want to log IPs.
  - using shorewall: http://www.debian-administration.org/articles/250#comment_16
    - alowed users / groups.
- websites: freewvs.
- puppet: bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963
- mail:
  - review dovecot recipient delimiter handling: to which mailbox messages should be sent?
  - mlmmj:
    - lists with hyphens are not working when mails are sent directly, but work when sent to an alias.
    - `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`.
- drupal/wordpress:
  - cronjob/cli: switch to site user.
  - drupal_update: Do you really want to continue with the update process? (y/n):
    Do you really want to continue with the update process? (y/n): Aborting. [cancel],
    possibly related to https://www.drupal.org/node/443392
- php / wordpress / wp-cli: composer installation and dependencies:
  - http://getcomposer.org/doc/00-intro.md#installation-nix
  - https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods
  - suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`.
- nodo: support for prosody:
  - https://github.com/dgoulet/prosody-otr
  - http://prosody.im/doc/creating_accounts#importing_from_ejabberd
  - config with good score at https://xmpp.net/index.php
- mail:
  - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.).
  - schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails.
    sent as `root@localhost`.
  - deploy https://git.autistici.org/ale/smtp-fp/tree/master
           https://github.com/EFForg/starttls-everywhere
  - deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP
           https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d
           https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616
  - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.).