TODO
====

General
-------

  - setup static website
  - setup a proper issue tracker

Hydra
-----

  - module-update: get latest commit from production branch, setup branch if needed.
  - module-commit:
    - check and set git-flow in all repositories
    - check, install and test puppet pre-commit via git-hooks on all repositories using module-commit
  - bootless: properly support `$subdevice` in parted or always use first partition (like `/dev/sdb1`).
  - newkeys: split SSH/OpenPGP check: just generate OpenPGP key if absent.
  - ssh-config: hydra integration.
  - deploy: automatically set ORIGIN through config parameter.

Hydractl
--------

  - provision: config parser using a custom function with `include` directive, avoiding `source`.
  - upgrade: run docker upgrade on all available images.
  - deploy: PREFIX support.
  - puppet-setup-stored: configure storeconfigs database.
  - site backup, copy and restoration: call backup-restore-user
  - hydractl backup-restore-site {debian,wiki}.
  - wrapper to import/export monkeysphere keys into keyringer.
  - backup-restore-user and backup-restore-users.
  - backup-restore-SERVICE: stop/start service.
  - backup-copy action.
  - backup-restore-reprepro: rsync -av /var/backups/remote/$ORIG/restore/$DATE/var/reprepro/ /var/reprepro/.
  - backup-restore-site:
    - metastore integration for fine-grained permissions.
    - use metadata do detect drupal series.
  - backup-restore-sites: support for other backup locations

Puppet modules
--------------

### Security

- badusb mitigations.
- knock integration via https://github.com/juasiepo/knockd
- apache:
  - try libapache2-modsecurity.
  - deploy https://git.immerda.ch/csp-report/
- apt: check if squeeze-lts is being automatically processed.
- loginrecords: deploy module.
- ssh:
  - https://stribika.github.io/2015/01/04/secure-secure-shell.html
  - access restrictions:
    - denyhosts, but we don't want to log IPs.
    - using shorewall: http://www.debian-administration.org/articles/250#comment_16
    - alowed users / groups.
- backup:
  - support for $dombr and $dobios on backupninja::sys for servers and physical machines.
  - sync-backups support for rsyncing from kvms / snapshots.
- virtual: migrate to kvm/libvirt.
- websites: freewvs.
- puppet: masterless puppet:
  - keyringer/gpg integration.
    - http://it-dev.web.cern.ch/book/cern-puppet-development-user-guide/puppet-development-work-flow-git/hiera-hierarchical-databa-1
    - https://github.com/compete/hiera_yamlgpg
    - https://github.com/crayfishx/hiera-gpg
  - how to distribute keys outside the repo (i.e, avoiding all nodes to have all keys?):
    - add a monkeysphere auth subkey to every openpgp key used for backups.
    - make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/
  - how to manage storeconfigs?
  - http://current.workingdirectory.net/posts/2011/puppet-without-masters/
  - http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/
  - http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html
  - https://github.com/jordansissel/puppet-examples/tree/master/masterless
- drupal/wordpress:
  - cronjob/cli: switch to site user

### Fixes

- drupal:
  - drupal_update: Do you really want to continue with the update process? (y/n):
    Do you really want to continue with the update process? (y/n): Aborting. [cancel],
    possibly related to https://www.drupal.org/node/443392
- sshd/backup:
  - ecdsa priority: alternatives:
    - unsupport ecdsa in the server
    - export ecdsa pubkeys
    - manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`
    - force option via rsync/rdiff handlers
  - enable ecdsa key
- general:
  - features/autoload: nodo, virtual, dhcp and others
  - module-update: nodo backup git websites
  - rollback of commits about charset.
  - switch to conf.d:
    - php ("refactor" branch), remove E_STRICT from production's error_reporting.
    - apache2.
    - profile / bashrc.
    - sudoers.
- etherpad: `You need to set a sessionKey value in settings.json`.
- websites:
  - php / wordpress / wp-cli: composer installation and dependencies:
    - http://getcomposer.org/doc/00-intro.md#installation-nix
    - https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods
    - suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`.
  - make rails optional on websites::hosting
- puppet:
  - puppetlast.
  - bug report: debian wheezy puppetmaster-passenger: not honoring certname / envvars LANG issue.
  - bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963
- backup: `sync-media-iterate [volume]`.
- backupninja: parametrized classes without dynamic lookups.
- munin: enable/disable cgi graphing.
- mysql:
  - prefetech: https://github.com/DavidS/puppet-mysql-old/issues/3
  - `symbolize is deprecated. Call the intern method on the object instead` (https://projects.puppetlabs.com/issues/17223).
  - `using unique option prefix myisam-recover instead of myisam-recover-options is deprecated (...) Please use the full name instead`.
- nodo:
  - rename `nodo::base::vserver` and `nodo::role::vserver` to a more generic `virtual` suffix.
  - cleanup hidden `/.gem`.
  - use prompt.sh from bash-prompt as a submodule.
- mail:
  - schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails
    sent as `root@localhost`.
  - deploy https://git.autistici.org/ale/smtp-fp/tree/master
           https://github.com/EFForg/starttls-everywhere
  - deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP
           https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d
           https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616

### Features

- git:
  - email notifications
    - https://packages.debian.org/jessie/git-notifier
    - https://github.com/mhagger/git-multimail
    - using OpenPGP?
  - rename `gitolite` user to `git`
- support for http/https proxy inside web nodes
  - encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html
  - make all apache sites listen to 8080
- git: gitolite:
  - /root/.config/git/config permission denied ikiwiki issue:
    - http://www.redmine.org/issues/13631
    - https://answers.atlassian.com/questions/112982/permission-denied-errors-post-upgrade-to-stash-2
    - https://bugs.gentoo.org/show_bug.cgi?id=460370
    - http://rtime.felk.cvut.cz/~sojka/blog/using-ikiwiki-with-gitolite/
    - related to ikiwiki's post-update hooks which is not getting the $HOME env correctly
  - [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html).
- mail: mlmmj:
  - lists with hyphens are not working when mails are sent directly, but work when sent to an alias.
  - `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`.
- bind: nsupdate / dynamic dns:
  - http://linux.yyz.us/nsupdate/
  - http://linux.yyz.us/dns/ddns-server.html
  - http://caunter.ca/nsupdate.txt
  - http://www.rtfm-sarl.ch/articles/using-nsupdate.html
  - https://github.com/skx/dhcp.io/
- munin:
  - lvm monitoring.
  - filter rrdcache messages from syslog.
- nagios: snmp, nrpe, nsca
  - http://nagios.sourceforge.net/docs/3_0/addons.html
  - http://www.math.wisc.edu/~jheim/snmp/
- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed:
  - http://wiki.rtorrent.org/MagnetUri
  - http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/
  - https://github.com/danfolkes/Magnet2Torrent
  - http://code.google.com/p/pyroscope/wiki/CommandLineTools
  - https://trac.transmissionbt.com/ticket/4176
  - http://wiki.rtorrent.org/MagnetUri
  - https://github.com/rakshasa/rtorrent/issues/212
  - saving/restoring `.meta` and `~/rtorrent/.session` files.
- openid: provider:
  - http://wiki.openid.net/w/page/12995226/Run%20your%20own%20identity%20server
  - https://github.com/openid/php-openid
  - http://simpleid.koinic.net/
- onion:
  - support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot
  - load balancing: http://archives.seul.org/tor/relays/Apr-2011/msg00022.html

Repo management
---------------

- integration with puppet environments.
- merge, review, pull requests for all modules.
- update shared urls using https://gitlab.com/groups/shared-puppet-modules-group