TODO
====

High priority
-------------
- puppet: masterless:
- ensure puppet daemon is stopped.
- gpg integration:
- https://github.com/compete/hiera_yamlgpg
- https://github.com/sihil/hiera-eyaml-gpg
- https://docs.puppetlabs.com/hiera/1/custom_backends.html
- https://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml
- https://packages.debian.org/jessie/hiera-eyaml
- key deployment
- add a monkeysphere auth subkey to every openpgp key used for backups.
- make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/
- http://current.workingdirectory.net/posts/2011/puppet-without-masters/
- http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/
- http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html
- https://github.com/jordansissel/puppet-examples/tree/master/masterless
- sshd:
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774711#60
- enable ecdsa key.
- ecdsa priority: alternatives:
- unsupport ecdsa in the server.
- export ecdsa pubkeys.
- manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`.
- force option via rsync/rdiff handlers.
- virtual: migrate to kvm/libvirt.
- loginrecords: deploy module.
- deploy https://github.com/wido/puppet-module-tcpwrappers
- nodo:
- allow more resources to be declared via hiera.
- fix hiera default boolean value when true.

Medium priority
---------------
- apt: raspbian support, including unattended-upgrades.
- backup:
- support for $dombr and $dobios on backupninja::sys for servers and physical machines.
- sync-backups support for rsyncing from kvms / snapshots.
- nodo:
- cleanup and refactor.
- uniform variable names.
- use prompt.sh from bash-prompt as a submodule.
- easy way to toggle management of subsystems.
- common: autoload or replace.
- general:
- rollback of commits about charset.
- switch to conf.d:
- https://wiki.debian.org/PHP/
- http://www.phpdeveloper.org.uk/overriding-default-php-settings-in-debian-and-ubuntu/
- php ("refactor" branch), remove E_STRICT from production's error_reporting.
- apache2.
- sudoers.
- backup: `sync-media-iterate [volume]`.
- mail:
- use ssl::dhparams, move to 2048 bit and use the standard file names and paths:
- [Feature #4012: postfix: ship 2048bit dh parameters - Platform - LEAP Issue Tracker](https://leap.se/code/issues/4012)

Low priority
------------
- nodo: solve network-manager / wicd conflict.
- merge, review, pull requests for all modules.
- munin: lvm monitoring.
- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed:
- http://wiki.rtorrent.org/MagnetUri
- http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/
- https://github.com/danfolkes/Magnet2Torrent
- http://code.google.com/p/pyroscope/wiki/CommandLineTools
- https://trac.transmissionbt.com/ticket/4176
- https://github.com/rakshasa/rtorrent/issues/212
- saving/restoring `.meta` and `~/rtorrent/.session` files.
- support for http/https proxy inside web nodes:
- encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html
- make all apache sites listen to 8080.
- syslog-ng: use conf.d.
- knock integration via https://github.com/juasiepo/knockd
- apache / websites:
- try libapache2-mod-security2.
- deploy https://git.immerda.ch/csp-report/
- ssh access restrictions:
- using shorewall: http://www.debian-administration.org/articles/250#comment_16
- allowed users / groups.
- mail:
- review dovecot recipient delimiter handling: to which mailbox messages should be sent?
- drupal/wordpress:
- cronjob/cli: switch to site user.
- mail:
- schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails sent as `root@localhost`.
- mlmmj:
- lists with hyphens are not working when mails are sent directly, but work when sent to an alias.
- `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`.
- support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.).
- deploy https://git.autistici.org/ale/smtp-fp/tree/master (use cert from ca.autistici.org/ca.pem).
https://github.com/EFForg/starttls-everywhere
- deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP
https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616