path: root/TODO.md
blob: 0dade33405960cf2bbc980c550445ce2a78628da (plain)
TODO
====

General
-------

  - set up the ikiwiki website
  - set up a proper issue tracker

Hydra
-----

  - module-update: get the latest commit from the production branch, setting up the branch if needed.
  - module-commit:
    - check and set git-flow in all repositories
    - check, install and test puppet pre-commit via git-hooks on all repositories using module-commit
  - bootless: properly support `$subdevice` in parted or always use first partition (like `/dev/sdb1`).
  - newkeys: split SSH/OpenPGP check: just generate OpenPGP key if absent.
  - ssh-config: hydra integration.
  - deploy: automatically set ORIGIN through config parameter.

Hydractl
--------

  - provision:
    - config parser using a custom function with `include` directive, avoiding `source`.
    - change default cryptsetup options.
    - support for cswap with passphrase.
  - deploy: PREFIX support.
  - puppet-setup-stored: configure storeconfigs database.
  - backup-restore-user and backup-restore-users.
  - site backup, copy and restoration: call backup-restore-user
  - hydractl backup-restore-site {debian,wiki}.
  - wrapper to import/export monkeysphere keys into keyringer.
  - enhance mysql-repair.
  - backup-restore-SERVICE: stop/start service.
  - backup-copy action.
  - backup-restore-reprepro: rsync -av /var/backups/remote/$ORIG/restore/$DATE/var/reprepro/ /var/reprepro/.
  - backup-restore-site:
    - metastore integration for fine-grained permissions.
    - use metadata to detect the drupal series.

Puppet modules
--------------

### Security

- apache:
  - try libapache2-modsecurity.
  - deploy https://git.immerda.ch/csp-report/
- apt: check if squeeze-lts is being automatically processed.
- loginrecords: deploy module.
- ssh:
  - access restrictions.
    - denyhosts, but we don't want to log IPs.
    - using shorewall: http://www.debian-administration.org/articles/250#comment_16
    - allowed users / groups.
  - deprecate server DSA keys and setup ECDSA support.
  - enhanced cipher modes.
- backup:
  - turn on $doluks, $dolvm, $dombr and $dobios on backupninja::sys for servers and physical machines.
  - sync-backups support for rsyncing from kvms / snapshots.
- virtual: migrate away from vservers.
  - kvm-manager or libvirt.
- websites:
  - freewvs.
- puppet: masterless puppet:
  - keyringer/gpg integration.
    - http://it-dev.web.cern.ch/book/cern-puppet-development-user-guide/puppet-development-work-flow-git/hiera-hierarchical-databa-1
    - https://github.com/compete/hiera_yamlgpg
    - https://github.com/crayfishx/hiera-gpg
  - how to distribute keys outside the repo (i.e. avoid having every key on every node?):
    - add a monkeysphere auth subkey to every openpgp key used for backups.
    - make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/
  - how to manage storeconfigs?
  - http://current.workingdirectory.net/posts/2011/puppet-without-masters/
  - http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/
  - http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html
  - https://github.com/jordansissel/puppet-examples/tree/master/masterless

### Fixes

- general:
  - rollback of commits about charset.
  - switch to conf.d:
    - php ("refactor" branch), remove E_STRICT from production's error_reporting.
    - apache2.
    - profile / bashrc.
    - sudoers.
- etherpad: `You need to set a sessionKey value in settings.json`.
- annex: [Problems with large numbers of files](http://git-annex.branchable.com/forum/Problems_with_large_numbers_of_files/).
- websites: php / wordpress / wp-cli: composer installation and dependencies:
  - http://getcomposer.org/doc/00-intro.md#installation-nix
  - https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods
  - suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`.
- puppet:
  - puppetlast.
  - bug report: debian wheezy puppetmaster-passenger: not honoring certname / envvars LANG issue.
  - bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963
- apache: inside vservers: `/usr/sbin/apache2ctl: 87: ulimit: error setting limit (Operation not permitted)`.
- hydra: ensure `/tmp/system-upgrade` and `/tmp/system-upgrade-env` are absent.
- backup: `sync-media-iterate [volume]`.
- munin: enable/disable cgi graphing.
- mysql:
  - prefetch: https://github.com/DavidS/puppet-mysql-old/issues/3
  - `symbolize is deprecated. Call the intern method on the object instead` (https://projects.puppetlabs.com/issues/17223).
  - `using unique option prefix myisam-recover instead of myisam-recover-options is deprecated (...) Please use the full name instead`.
- nodo:
  - cleanup hidden `/.gem`.
  - split prompt.sh in a separate bash-prompt repository and include it at `puppet-nodo` and `rhatto/apps.git`.
  - remove `import` statements from `init.pp`, which will need some refactoring in other modules like `ntp` to fix autoloading.
- mail:
  - deploy:
    - https://git.autistici.org/ale/smtp-fp/tree/master
    - https://github.com/EFForg/starttls-everywhere
  - deploy:
    - https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP
    - https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d
    - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616

### Features

- snort: module managing service and /etc/snort/snort.debian.conf.
- git: email notifications
  - https://packages.debian.org/jessie/git-notifier
  - https://github.com/mhagger/git-multimail
  - using OpenPGP?
- trac: ship http://trac.edgewall.org/wiki/TracGit#hooks
- support for http/https proxy inside web nodes
  - encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html
  - make all apache sites listen to 8080
- git: gitolite:
  - /root/.config/git/config permission denied ikiwiki issue:
    - http://www.redmine.org/issues/13631
    - https://answers.atlassian.com/questions/112982/permission-denied-errors-post-upgrade-to-stash-2
    - https://bugs.gentoo.org/show_bug.cgi?id=460370
    - http://rtime.felk.cvut.cz/~sojka/blog/using-ikiwiki-with-gitolite/
    - related to ikiwiki's post-update hooks, which are not getting the `$HOME` environment variable correctly.
  - [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html).
- mail: mlmmj:
  - lists with hyphens are not working when mails are sent directly, but work when sent to an alias.
  - `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`.
- bind: nsupdate / dynamic dns:
  - http://linux.yyz.us/nsupdate/
  - http://linux.yyz.us/dns/ddns-server.html
  - http://caunter.ca/nsupdate.txt
  - http://www.rtfm-sarl.ch/articles/using-nsupdate.html
  - https://github.com/skx/dhcp.io/
- postfix:
  - DKIM.
  - gpg_mailgate support and wheezy changes in the remaining master.cf templates.
- munin:
  - lvm monitoring.
  - filter rrdcache messages from syslog.
- nagios: snmp, nrpe, nsca
  - http://nagios.sourceforge.net/docs/3_0/addons.html
  - http://www.math.wisc.edu/~jheim/snmp/
- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed:
  - http://wiki.rtorrent.org/MagnetUri
  - http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/
  - https://github.com/danfolkes/Magnet2Torrent
  - http://code.google.com/p/pyroscope/wiki/CommandLineTools
- openid: provider:
  - http://wiki.openid.net/w/page/12995226/Run%20your%20own%20identity%20server
  - https://github.com/openid/php-openid
  - http://simpleid.koinic.net/

Repo management
---------------

- integration with puppet environments.
- merge, review, pull requests for all modules.
- automatic mirrors: github, gitorious and bitbucket.
- publish modules on puppet forge.
- create shared projects: rinetd, runit, apcupsd, autossh, autofs, ejabberd, dhcp.