path: root/TODO.md
blob: d401134d9ae630c16520ed36edeb81179278efed (plain)
TODO
====

High priority
-------------

- puppet: masterless:
  - keyringer/gpg integration.
    - https://github.com/compete/hiera_yamlgpg
    - https://github.com/crayfishx/hiera-gpg
    - https://github.com/StackExchange/blackbox
    - http://ww.telent.net/2014/2/10/keeping_secrets_in_public_with_puppet
    - https://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml
    - https://packages.debian.org/jessie/hiera-eyaml
  - how to distribute keys outside the repo (i.e., avoiding having every node hold every key?):
    - add a monkeysphere auth subkey to every openpgp key used for backups.
    - make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/
  - http://current.workingdirectory.net/posts/2011/puppet-without-masters/
  - http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/
  - http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html
  - https://github.com/jordansissel/puppet-examples/tree/master/masterless
- sshd:
  - https://stribika.github.io/2015/01/04/secure-secure-shell.html
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774711#60
  - enable ecdsa key.
  - ecdsa priority: alternatives:
    - disable ecdsa support on the server.
    - export ecdsa pubkeys.
    - manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`.
    - force option via rsync/rdiff handlers.
- virtual: migrate to kvm/libvirt.
- loginrecords: deploy module.

Medium priority
---------------

- backup:
  - support for $dombr and $dobios on backupninja::sys for servers and physical machines.
  - sync-backups support for rsyncing from kvms / snapshots.
- nodo: use prompt.sh from bash-prompt as a submodule.
- common: autoload.
- general:
  - rollback of commits about charset.
  - switch to conf.d:
    - php ("refactor" branch), remove E_STRICT from production's error_reporting.
    - apache2.
    - sudoers.
- backup: `sync-media-iterate [volume]`.
- mail:
  - use ssl::dhparams, move to 2048 bit and use the standard file names and paths:
    - [Feature #4012: postfix: ship 2048bit dh parameters - Platform - LEAP Issue Tracker](https://leap.se/code/issues/4012)

Low priority
------------

- review and merge pull requests for all modules.
- bind: nsupdate / dynamic dns:
  - http://linux.yyz.us/nsupdate/
  - http://linux.yyz.us/dns/ddns-server.html
  - http://caunter.ca/nsupdate.txt
  - http://www.rtfm-sarl.ch/articles/using-nsupdate.html
  - https://github.com/skx/dhcp.io/
- munin: lvm monitoring.
- pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed:
  - http://wiki.rtorrent.org/MagnetUri
  - http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/
  - https://github.com/danfolkes/Magnet2Torrent
  - http://code.google.com/p/pyroscope/wiki/CommandLineTools
  - https://trac.transmissionbt.com/ticket/4176
  - https://github.com/rakshasa/rtorrent/issues/212
  - saving/restoring `.meta` and `~/rtorrent/.session` files.

- support for http/https proxy inside web nodes:
  - encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html
  - make all apache sites listen to 8080.
- git:
  - gitweb clean urls.
  - email notifications.
    - https://packages.debian.org/jessie/git-notifier
    - https://github.com/mhagger/git-multimail
    - using OpenPGP?
- nodo:
  - decrease http://www.cups.org/doc-1.1/sam.html#Timeout in cupsd.conf on laptops that use remote printers set in client.conf.
- syslog-ng: use conf.d
- etherpad: `You need to set a sessionKey value in settings.json`.
- knock integration via https://github.com/juasiepo/knockd
- apache:
  - try libapache2-modsecurity.
  - deploy https://git.immerda.ch/csp-report/
  - disable other_vhosts_access.log
- onion:
  - support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot
  - load balancing: http://archives.seul.org/tor/relays/Apr-2011/msg00022.html
- nagios: snmp, nrpe, nsca
  - http://nagios.sourceforge.net/docs/3_0/addons.html
  - http://www.math.wisc.edu/~jheim/snmp/
- ssh access restrictions:
  - denyhosts, but we don't want to log IPs.
  - using shorewall: http://www.debian-administration.org/articles/250#comment_16
    - allowed users / groups.
- websites: freewvs.
- puppet:
  - puppetlast.
  - bug report: debian wheezy puppetmaster-passenger: not honoring certname / envvars LANG issue.
  - bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963
- mail: mlmmj:
  - lists with hyphens are not working when mails are sent directly, but work when sent to an alias.
  - `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`.
- drupal/wordpress:
  - cronjob/cli: switch to site user.
  - drupal_update: answering the prompt `Do you really want to continue with the update process? (y/n):` re-prompts
    `Do you really want to continue with the update process? (y/n): Aborting. [cancel]`,
    possibly related to https://www.drupal.org/node/443392
- php / wordpress / wp-cli: composer installation and dependencies:
  - http://getcomposer.org/doc/00-intro.md#installation-nix
  - https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods
  - suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`.
- nodo: support for prosody:
  - https://github.com/dgoulet/prosody-otr
  - http://prosody.im/doc/creating_accounts#importing_from_ejabberd
  - config with good score at https://xmpp.net/index.php
- websites:
  - make rails, moin, trac, etc optional on websites::hosting.
- git: gitolite:
  - /root/.config/git/config permission denied ikiwiki issue:
    - http://www.redmine.org/issues/13631
    - https://answers.atlassian.com/questions/112982/permission-denied-errors-post-upgrade-to-stash-2
    - https://bugs.gentoo.org/show_bug.cgi?id=460370
    - http://rtime.felk.cvut.cz/~sojka/blog/using-ikiwiki-with-gitolite/
    - related to ikiwiki's post-update hook, which is not getting the $HOME env correctly.
  - [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html).
- mail:
  - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.).
  - schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or another recipient, to avoid mails
    sent as `root@localhost`.
  - deploy:
    - https://git.autistici.org/ale/smtp-fp/tree/master
    - https://github.com/EFForg/starttls-everywhere
  - deploy:
    - https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP
    - https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d
    - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616