1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
|
TODO
====
General
-------
- setup static website
- setup a proper issue tracker
Hydra
-----
- module-update: get latest commit from production branch, setup branch if needed.
- module-commit:
- check and set git-flow in all repositories
- check, install and test puppet pre-commit via git-hooks on all repositories using module-commit
- bootless: properly support `$subdevice` in parted or always use first partition (like `/dev/sdb1`).
- newkeys: split SSH/OpenPGP check: just generate OpenPGP key if absent.
- ssh-config: hydra integration.
- deploy: automatically set ORIGIN through config parameter.
Hydractl
--------
- provision: config parser using a custom function with `include` directive, avoiding `source`.
- upgrade: run docker upgrade on all available images.
- deploy: PREFIX support.
- puppet-setup-stored: configure storeconfigs database.
- site backup, copy and restoration: call backup-restore-user
- hydractl backup-restore-site {debian,wiki}.
- wrapper to import/export monkeysphere keys into keyringer.
- backup-restore-user and backup-restore-users.
- backup-restore-SERVICE: stop/start service.
- backup-copy action.
- backup-restore-reprepro: rsync -av /var/backups/remote/$ORIG/restore/$DATE/var/reprepro/ /var/reprepro/.
- backup-restore-site:
- metastore integration for fine-grained permissions.
- use metadata do detect drupal series.
- backup-restore-sites: support for other backup locations
Puppet modules
--------------
### Security
- badusb mitigations.
- knock integration via https://github.com/juasiepo/knockd
- apache:
- try libapache2-modsecurity.
- deploy https://git.immerda.ch/csp-report/
- apt: check if squeeze-lts is being automatically processed.
- loginrecords: deploy module.
- ssh:
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
- access restrictions:
- denyhosts, but we don't want to log IPs.
- using shorewall: http://www.debian-administration.org/articles/250#comment_16
- alowed users / groups.
- backup:
- support for $dombr and $dobios on backupninja::sys for servers and physical machines.
- sync-backups support for rsyncing from kvms / snapshots.
- virtual: migrate to kvm/libvirt.
- websites: freewvs.
- puppet: masterless puppet:
- keyringer/gpg integration.
- http://it-dev.web.cern.ch/book/cern-puppet-development-user-guide/puppet-development-work-flow-git/hiera-hierarchical-databa-1
- https://github.com/compete/hiera_yamlgpg
- https://github.com/crayfishx/hiera-gpg
- how to distribute keys outside the repo (i.e, avoiding all nodes to have all keys?):
- add a monkeysphere auth subkey to every openpgp key used for backups.
- make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/
- how to manage storeconfigs?
- http://current.workingdirectory.net/posts/2011/puppet-without-masters/
- http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/
- http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html
- https://github.com/jordansissel/puppet-examples/tree/master/masterless
- drupal/wordpress:
- cronjob/cli: switch to site user
### Fixes
- drupal:
- drupal_update: Do you really want to continue with the update process? (y/n):
Do you really want to continue with the update process? (y/n): Aborting. [cancel],
possibly related to https://www.drupal.org/node/443392
- sshd/backup:
- ecdsa priority: alternatives:
- unsupport ecdsa in the server
- export ecdsa pubkeys
- manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`
- force option via rsync/rdiff handlers
- enable ecdsa key
- general:
- features/autoload: nodo, virtual, dhcp and others
- rollback of commits about charset.
- switch to conf.d:
- php ("refactor" branch), remove E_STRICT from production's error_reporting.
- apache2.
- profile / bashrc.
- sudoers.
- etherpad: `You need to set a sessionKey value in settings.json`.
- websites:
- php / wordpress / wp-cli: composer installation and dependencies:
- http://getcomposer.org/doc/00-intro.md#installation-nix
- https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods
- suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`.
- make rails optional on websites::hosting
- puppet:
- puppetlast.
- bug report: debian wheezy puppetmaster-passenger: not honoring certname / envvars LANG issue.
- bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963
- backup: `sync-media-iterate [volume]`.
- backupninja: parametrized classes without dynamic lookups.
- munin: enable/disable cgi graphing.
- mysql:
- prefetech: https://github.com/DavidS/puppet-mysql-old/issues/3
- `symbolize is deprecated. Call the intern method on the object instead` (https://projects.puppetlabs.com/issues/17223).
- `using unique option prefix myisam-recover instead of myisam-recover-options is deprecated (...) Please use the full name instead`.
- nodo:
- rename `nodo::base::vserver` and `nodo::role::vserver` to a more generic `virtual` suffix.
- cleanup hidden `/.gem`.
- use prompt.sh from bash-prompt as a submodule.
- mail:
- schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails
sent as `root@localhost`.
- deploy https://git.autistici.org/ale/smtp-fp/tree/master
https://github.com/EFForg/starttls-everywhere
- deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP
https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616
### Features
- git:
- email notifications
- https://packages.debian.org/jessie/git-notifier
- https://github.com/mhagger/git-multimail
- using OpenPGP?
- rename `gitolite` user to `git`
- support for http/https proxy inside web nodes
- encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html
- make all apache sites listen to 8080
- git: gitolite:
- /root/.config/git/config permission denied ikiwiki issue:
- http://www.redmine.org/issues/13631
- https://answers.atlassian.com/questions/112982/permission-denied-errors-post-upgrade-to-stash-2
- https://bugs.gentoo.org/show_bug.cgi?id=460370
- http://rtime.felk.cvut.cz/~sojka/blog/using-ikiwiki-with-gitolite/
- related to ikiwiki's post-update hooks which is not getting the $HOME env correctly
- [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html).
- mail: mlmmj:
- lists with hyphens are not working when mails are sent directly, but work when sent to an alias.
- `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`.
- bind: nsupdate / dynamic dns:
- http://linux.yyz.us/nsupdate/
- http://linux.yyz.us/dns/ddns-server.html
- http://caunter.ca/nsupdate.txt
- http://www.rtfm-sarl.ch/articles/using-nsupdate.html
- https://github.com/skx/dhcp.io/
- munin:
- lvm monitoring.
- filter rrdcache messages from syslog.
- nagios: snmp, nrpe, nsca
- http://nagios.sourceforge.net/docs/3_0/addons.html
- http://www.math.wisc.edu/~jheim/snmp/
- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed:
- http://wiki.rtorrent.org/MagnetUri
- http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/
- https://github.com/danfolkes/Magnet2Torrent
- http://code.google.com/p/pyroscope/wiki/CommandLineTools
- https://trac.transmissionbt.com/ticket/4176
- http://wiki.rtorrent.org/MagnetUri
- https://github.com/rakshasa/rtorrent/issues/212
- saving/restoring `.meta` and `~/rtorrent/.session` files.
- openid: provider:
- http://wiki.openid.net/w/page/12995226/Run%20your%20own%20identity%20server
- https://github.com/openid/php-openid
- http://simpleid.koinic.net/
- onion:
- support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot
- load balancing: http://archives.seul.org/tor/relays/Apr-2011/msg00022.html
Repo management
---------------
- integration with puppet environments.
- merge, review, pull requests for all modules.
- update shared urls using https://gitlab.com/groups/shared-puppet-modules-group
|