1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
TODO
====
* UseDns disable on sshd_config for vagrant nodes.
* Support for recursive clones in `bin/mrconfig`.
* Test!
* Puppet 3.x support:
* http://docs.puppetlabs.com/puppet/latest/reference/environments.html
* https://github.com/mitchellh/vagrant/issues/3740
* https://search.disconnect.me/searchTerms/serp?search=b5af0f89-a8ba-4601-8deb-6b45c8032414
* https://ask.puppetlabs.com/question/10975/for-node-definitionclassification-what-is-the-successor-to-import-nodespp-now-that-import-is-deprecated/
Puppet modules
--------------
### Security
- knock integration via https://github.com/juasiepo/knockd
- apache:
- try libapache2-modsecurity.
- deploy https://git.immerda.ch/csp-report/
- disable other_vhosts_access.log
- loginrecords: deploy module.
- ssh:
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
- access restrictions:
- denyhosts, but we don't want to log IPs.
- using shorewall: http://www.debian-administration.org/articles/250#comment_16
- alowed users / groups.
- backup:
- support for $dombr and $dobios on backupninja::sys for servers and physical machines.
- sync-backups support for rsyncing from kvms / snapshots.
- virtual: migrate to kvm/libvirt.
- websites: freewvs.
- puppet: masterless puppet:
- keyringer/gpg integration.
- http://it-dev.web.cern.ch/book/cern-puppet-development-user-guide/puppet-development-work-flow-git/hiera-hierarchical-databa-1
- https://github.com/compete/hiera_yamlgpg
- https://github.com/crayfishx/hiera-gpg
- how to distribute keys outside the repo (i.e, avoiding all nodes to have all keys?):
- add a monkeysphere auth subkey to every openpgp key used for backups.
- make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/
- how to manage storeconfigs?
- http://current.workingdirectory.net/posts/2011/puppet-without-masters/
- http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/
- http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html
- https://github.com/jordansissel/puppet-examples/tree/master/masterless
- drupal/wordpress:
- cronjob/cli: switch to site user
### Fixes
- nodo: support for prosody:
- https://github.com/dgoulet/prosody-otr
- http://prosody.im/doc/creating_accounts#importing_from_ejabberd
- config with good score at https://xmpp.net/index.php
- rename `nodo::base::vserver` and `nodo::role::vserver` to a more generic `virtual` suffix.
- use prompt.sh from bash-prompt as a submodule.
- general:
- features/autoload: nodo, virtual, dhcp and others
- rollback of commits about charset.
- switch to conf.d:
- php ("refactor" branch), remove E_STRICT from production's error_reporting.
- apache2.
- sudoers.
- drupal:
- drupal_update: Do you really want to continue with the update process? (y/n):
Do you really want to continue with the update process? (y/n): Aborting. [cancel],
possibly related to https://www.drupal.org/node/443392
- sshd/backup:
- ecdsa priority: alternatives:
- unsupport ecdsa in the server
- export ecdsa pubkeys
- manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`
- force option via rsync/rdiff handlers
- enable ecdsa key
- etherpad: `You need to set a sessionKey value in settings.json`.
- websites:
- php / wordpress / wp-cli: composer installation and dependencies:
- http://getcomposer.org/doc/00-intro.md#installation-nix
- https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods
- suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`.
- make rails optional on websites::hosting
- puppet:
- puppetlast.
- bug report: debian wheezy puppetmaster-passenger: not honoring certname / envvars LANG issue.
- bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963
- backup: `sync-media-iterate [volume]`.
- mail:
- support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.).
- use ssl::dhparams, move to 2048 bit and use the standard file names and paths.
- [Feature #4012: postfix: ship 2048bit dh parameters - Platform - LEAP Issue Tracker](https://leap.se/code/issues/4012)
- schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails
sent as `root@localhost`.
- deploy https://git.autistici.org/ale/smtp-fp/tree/master
https://github.com/EFForg/starttls-everywhere
- deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP
https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616
### Features
- git:
- gitweb clean urls
- email notifications
- https://packages.debian.org/jessie/git-notifier
- https://github.com/mhagger/git-multimail
- using OpenPGP?
- support for http/https proxy inside web nodes
- encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html
- make all apache sites listen to 8080
- git: gitolite:
- /root/.config/git/config permission denied ikiwiki issue:
- http://www.redmine.org/issues/13631
- https://answers.atlassian.com/questions/112982/permission-denied-errors-post-upgrade-to-stash-2
- https://bugs.gentoo.org/show_bug.cgi?id=460370
- http://rtime.felk.cvut.cz/~sojka/blog/using-ikiwiki-with-gitolite/
- related to ikiwiki's post-update hooks which is not getting the $HOME env correctly
- [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html).
- mail: mlmmj:
- lists with hyphens are not working when mails are sent directly, but work when sent to an alias.
- `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`.
- bind: nsupdate / dynamic dns:
- http://linux.yyz.us/nsupdate/
- http://linux.yyz.us/dns/ddns-server.html
- http://caunter.ca/nsupdate.txt
- http://www.rtfm-sarl.ch/articles/using-nsupdate.html
- https://github.com/skx/dhcp.io/
- munin: lvm monitoring.
- nagios: snmp, nrpe, nsca
- http://nagios.sourceforge.net/docs/3_0/addons.html
- http://www.math.wisc.edu/~jheim/snmp/
- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed:
- http://wiki.rtorrent.org/MagnetUri
- http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/
- https://github.com/danfolkes/Magnet2Torrent
- http://code.google.com/p/pyroscope/wiki/CommandLineTools
- https://trac.transmissionbt.com/ticket/4176
- http://wiki.rtorrent.org/MagnetUri
- https://github.com/rakshasa/rtorrent/issues/212
- saving/restoring `.meta` and `~/rtorrent/.session` files.
- onion:
- support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot
- load balancing: http://archives.seul.org/tor/relays/Apr-2011/msg00022.html
- nodo:
- decrease http://www.cups.org/doc-1.1/sam.html#Timeout on cupds.conf from laptops that use remote printers set on client.conf
- syslog-ng: use conf.d
Repo management
---------------
- merge, review, pull requests for all modules.
|