Skip to content

GitLab

Explore

Sign in

This is an archived project. Repository and other project resources are read-only.

Change lizard's public IP

The folks that host our server need us to change lizard's IP from 198.252.153.59 to 204.13.164.63.

Preparation steps:

Check with our colo friends about the expected timeline: Week of June 4-11th (between Tails releases 4.19 and 4.20)
Communicate with A/I to schedule the change of tails-ns-1.boum.org.
Inventory uses of the IP in our config and list impacts of this change (include Tails upgrades and /home)
Assert that the new IP works in the machine.
The week before, send out messages including the expected time/date:
- Short blog post
- Send to tails-dev
- Send to amnesia-news
- The authoritative server for our nameservers need to change the IP for tails-ns-1.boum.org
- Our GitLab provider needs to update a firewall rule that allows outgoing connections to our Gitolite
The day before:
- adjust A records in our DNS to a low TTL.
- Add new IP-based SSH fingerprints entries in hieradata/common.yaml.

Execution plan:

Tweet that it's about to happen
Change Tinc node address for lizard (i.e. merge puppet-tails!61 (merged)) and run Puppet Agent on all hosts.
Change DNS records in Tails infra:
- Change A records in primary DNS
- Change A records in secondary DNS (this is probably automatic)
Change lizard's network config (IP, Gateway and DNS)
Ensure all nodes can connect to Puppet Server via VPN (including sib and its VMs)
Fix Dropbear config as Grub extra options in hieradata/node/lizard.tails.boum.org.yaml and test that.
Wrap up:
- Make sure A/I's A record for tails-ns-1.boum.org is changed.
- Update masterless config of stone.
- Update static host definitions in our monitoring node (modules/tails_private/manifests/hosts.pp).
- Remove old IP-based SSH fingerprints entries in hieradata/common.yaml.
- Adjust DNS records back to normal TTL.
- Make sure GitLab can connect to our Gitolite (and mirror tails.git there)
- Tweet that everything is working again.
- Let our colo friends know that the change was successful
- Change IP in Munin config (not managed by us)

Edited Nov 08, 2021 by Zen Fu

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Assignee Loading

Time tracking Loading