TODO
====

General
-------

- setup ikiwiki website
- setup a proper issue tracker

Hydra
-----

- module-update: get latest commit from production branch, set up branch if needed.
- module-commit:
  - check and set git-flow in all repositories
  - check, install and test puppet pre-commit via git-hooks on all repositories using module-commit
- bootless: properly support `$subdevice` in parted or always use first partition (like `/dev/sdb1`).
- newkeys: split SSH/OpenPGP check: just generate OpenPGP key if absent.
- ssh-config: hydra integration.
- deploy: automatically set ORIGIN through config parameter.

Hydractl
--------

- provision:
  - config parser using a custom function with `include` directive, avoiding `source`.
  - change default cryptsetup options.
  - support for cswap with passphrase.
- upgrade:
  - run docker upgrade on all available images.
- deploy: PREFIX support.
- puppet-setup-stored: configure storeconfigs database.
- site backup, copy and restoration: call backup-restore-user
  - hydractl backup-restore-site {debian,wiki}.
  - wrapper to import/export monkeysphere keys into keyringer.
  - enhance mysql-repair.
  - backup-restore-user and backup-restore-users.
  - backup-restore-SERVICE: stop/start service.
  - backup-copy action.
  - backup-restore-reprepro: `rsync -av /var/backups/remote/$ORIG/restore/$DATE/var/reprepro/ /var/reprepro/`.
  - backup-restore-site:
    - metastore integration for fine-grained permissions.
    - use metadata to detect drupal series.
  - backup-restore-sites: support for other backup locations

Puppet modules
--------------

### Security

- badusb mitigations.
- knock integration via https://github.com/juasiepo/knockd
- apache:
  - try libapache2-modsecurity.
  - deploy https://git.immerda.ch/csp-report/
- apt: check if squeeze-lts is being automatically processed.
- loginrecords: deploy module.
- ssh:
  - access restrictions:
    - denyhosts, but we don't want to log IPs.
    - using shorewall: http://www.debian-administration.org/articles/250#comment_16
    - allowed users / groups.
- backup:
  - support for `$dombr` and `$dobios` on backupninja::sys for servers and physical machines.
  - sync-backups support for rsyncing from kvms / snapshots.
- virtual: migrate away from vservers.
  - kvm-manager or libvirt.
- websites:
  - freewvs.
- puppet: masterless puppet:
  - keyringer/gpg integration.
    - http://it-dev.web.cern.ch/book/cern-puppet-development-user-guide/puppet-development-work-flow-git/hiera-hierarchical-databa-1
    - https://github.com/compete/hiera_yamlgpg
    - https://github.com/crayfishx/hiera-gpg
    - how to distribute keys outside the repo (i.e., avoiding every node having all keys?):
      - add a monkeysphere auth subkey to every openpgp key used for backups.
      - make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/
  - how to manage storeconfigs?
  - http://current.workingdirectory.net/posts/2011/puppet-without-masters/
  - http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/
  - http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html
  - https://github.com/jordansissel/puppet-examples/tree/master/masterless
- drupal/wordpress:
  - cronjob/cli: switch to site user

### Fixes

- drupal:
  - drupal_update: `Do you really want to continue with the update process? (y/n): Do you really want to continue with the update process? (y/n): Aborting. [cancel]`, possibly related to https://www.drupal.org/node/443392
- sshd/backup:
  - ecdsa priority, alternatives:
    - unsupport ecdsa in the server
    - export ecdsa pubkeys
    - manage client's `/root/.ssh/config`: `HostKeyAlgorithms ssh-rsa`
    - force option via rsync/rdiff handlers
    - enable ecdsa key
- general:
  - rollback of commits about charset.
  - switch to conf.d:
    - php ("refactor" branch), remove E_STRICT from production's error_reporting.
    - apache2.
    - profile / bashrc.
    - sudoers.
- etherpad: `You need to set a sessionKey value in settings.json`.
- annex: [Problems with large numbers of files](http://git-annex.branchable.com/forum/Problems_with_large_numbers_of_files/).
- websites:
  - php / wordpress / wp-cli: composer installation and dependencies:
    - http://getcomposer.org/doc/00-intro.md#installation-nix
    - https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods
    - suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`.
  - make rails optional on websites::hosting
- puppet:
  - puppetlast.
  - bug report: debian wheezy puppetmaster-passenger: not honoring certname / envvars LANG issue.
  - bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963
- hydra: ensure `/tmp/system-upgrade` and `/tmp/system-upgrade-env` are absent.
- backup:
  - `sync-media-iterate [volume]`.
  - merge feature/autoload
- munin: enable/disable cgi graphing.
- mysql:
  - prefetch: https://github.com/DavidS/puppet-mysql-old/issues/3
  - `symbolize is deprecated. Call the intern method on the object instead` (https://projects.puppetlabs.com/issues/17223).
  - `using unique option prefix myisam-recover instead of myisam-recover-options is deprecated (...) Please use the full name instead`.
- nodo:
  - cleanup hidden `/.gem`.
  - use prompt.sh from bash-prompt as a submodule.
  - remove `import` statements from `init.pp`, which will need some refactoring in other modules to fix autoloading.
- mail:
  - schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or another recipient, to avoid mails sent as `root@localhost`.
  - deploy https://git.autistici.org/ale/smtp-fp/tree/master and https://github.com/EFForg/starttls-everywhere
  - deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP (see https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616)

### Features

- nodo::utils::security::forensics, including
  - https://qa.debian.org/developer.php?login=forensics-devel%40lists.alioth.debian.org
  - https://packages.debian.org/wheezy-backports/lime-forensics-dkms
- snort: module managing service and `/etc/snort/snort.debian.conf`.
- git:
  - email notifications
    - https://packages.debian.org/jessie/git-notifier
    - https://github.com/mhagger/git-multimail
    - using OpenPGP?
  - rename `gitolite` user to `git`
- trac: ship http://trac.edgewall.org/wiki/TracGit#hooks
- support for http/https proxy inside web nodes
- encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html
- make all apache sites listen to 8080
- git: gitolite:
  - `/root/.config/git/config` permission denied ikiwiki issue:
    - http://www.redmine.org/issues/13631
    - https://answers.atlassian.com/questions/112982/permission-denied-errors-post-upgrade-to-stash-2
    - https://bugs.gentoo.org/show_bug.cgi?id=460370
    - http://rtime.felk.cvut.cz/~sojka/blog/using-ikiwiki-with-gitolite/
    - related to ikiwiki's post-update hooks, which are not getting the `$HOME` env correctly
  - [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html).
- mail: mlmmj:
  - lists with hyphens are not working when mails are sent directly, but work when sent to an alias.
  - `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`.
- bind: nsupdate / dynamic dns:
  - http://linux.yyz.us/nsupdate/
  - http://linux.yyz.us/dns/ddns-server.html
  - http://caunter.ca/nsupdate.txt
  - http://www.rtfm-sarl.ch/articles/using-nsupdate.html
  - https://github.com/skx/dhcp.io/
- postfix:
  - DKIM.
  - DMARC.
  - gpg_mailgate support and wheezy changes in the remaining master.cf templates.
- munin:
  - lvm monitoring.
  - filter rrdcache messages from syslog.
- nagios: snmp, nrpe, nsca
  - http://nagios.sourceforge.net/docs/3_0/addons.html
  - http://www.math.wisc.edu/~jheim/snmp/
- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed:
  - http://wiki.rtorrent.org/MagnetUri
  - http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/
  - https://github.com/danfolkes/Magnet2Torrent
  - http://code.google.com/p/pyroscope/wiki/CommandLineTools
  - https://trac.transmissionbt.com/ticket/4176
  - saving/restoring `.meta` and `~/rtorrent/.session` files.
- openid: provider:
  - http://wiki.openid.net/w/page/12995226/Run%20your%20own%20identity%20server
  - https://github.com/openid/php-openid
  - http://simpleid.koinic.net/
- onion:
  - support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot

Repo management
---------------

- integration with puppet environments.
- merge, review, pull requests for all modules.
- automatic mirrors: github, gitorious and bitbucket.
- publish modules on puppet forge.
- create shared projects: rinetd, runit, apcupsd, autossh, autofs, ejabberd, dhcp.