Migrate all the infra to the tails.net namespace
Assumptions
- We'll eventually migrate all Tails infra to use
tails.net - We'll eventually get rid of
tails.boum.org(modulo redirections, to avoid link rot) - We'll not migrate everything at once, so steps should be incremental
Migration steps
-
Migrate Puppet config to use voxpupuli/nginx -
Website -- #17985 (closed) -
Translation platform -
Move Weblate to translate.tails.net (puppet-web... (puppet-weblate!15 - merged) -
puppet-code!11+ -
Move Weblate to the tails.net domain (jenkins-tools!2 - merged) -
Migrate Weblate to the tails.net domain (tails!1699 - merged) -
Staging website -
Inform tails-l10n@
-
-
Machine FQDNs -
chameleon -
dragon -
ecours -
iguana -
lizard -
gecko -
stone -
skink -
teels
-
-
Gitolite -
LimeSurvey -
Rsync (needs coordination with mirror admins) -
Create rsync.tails.net -
Update the documentation on the website: -
Request the change to mirror operators and kindly ask them to report back -
Check the state on Oct 31st and notify them once again
-
-
Start serving several addresses under the tails.net domain: -
Tor Browser archive: https://torbrowser-archive.tails.boum.org -
ISO links: https://iso-history.tails.boum.org and https://nightly.tails.boum.org -
APT snapshots: https://time-based.snapshots.deb.tails.boum.org and https://tagged.snapshots.deb.tails.boum.org -
Redmine archives -
Redmine redirects(see thread)
-
Postponed
These items need to be coordinated in the context of the the merge with TPA. See more info on: sysadmin-private.git:meetings/2024-09-23.md
- GitLab (service provider needs to add support to the
tails.netdomain) - Jenkins:
- Documentation on tails/tails>
- Jenkins configuration
- tails/jenkins-jobs>
- gitlab-jenkins integration
- Mailman (lists at autistici)
- APT repository: https://deb.tails.boum.org
- Icinga2 / Icingaweb2
Node migration steps
- Add a DNS entry for the host in the
tails.netzone - Replace all entries in Puppet:
set HOSTNAME skink git grep -l $HOSTNAME.tails.boum.org | xargs -l sed -i -e "s/$HOSTNAME.tails.boum.org/$HOSTNAME.tails.net/" for i in yaml eyaml; find hieradata/node/ \ -regex "hieradata/node/$HOSTNAME.tails.boum.org.$i" \ -exec git mv '{}' "hieradata/node/$HOSTNAME.tails.net.$i" \; ; end - Commit and push the changes:
git commit -a -m "Move $HOSTNAME to the tails.net domain" -m "refs sysadmin#17987" git push - Change the machine hostname:
set HOSTNAME (hostname) sudo sed -i -e "s/$HOSTNAME.tails.boum.org/$HOSTNAME.tails.net/" /etc/hosts /etc/puppet/puppet.conf sudo find /var/lib/puppet/ssl -type f -delete - In the Puppet Master node:
set HOSTNAME skink sudo puppetserver ca clean --certname $HOSTNAME.tails.boum.org sudo puppet node deactivate $HOSTNAME.tails.boum.org - In the node:
sudo puppet agent -t --waitforcert 5 - In the Puppet Master:
sudo puppetserver ca list # Check the fingerprint! sudo puppetserver ca sign --certname $HOSTNAME.tails.net - Wait for the Puppet run to finish to make sure the node exports any exported .resources it declares
- In lizard, run Puppet for the VPN entrypoints and the monitoring node:
for i in iguana ecours lizard; ssh $i.tails.boum.org sudo systemctl restart puppet-run; end - Force the node's icinga2 to use the new hostname and delete the old certificate:
sudo systemctl restart icinga2 sudo rm /var/lib/icinga2/certs/(hostname).tails.boum.org.{crt,key} - Sign the node's Icinga2 certificate in ecours:
# List the pending certificates and get the fingerprint... sudo icinga2 ca list # ...then sign sudo icinga2 ca sign $FINGERPRINT - Move the entries in sysadmin-private.git:systems to the new hostname
- Reboot the node and make sure Puppet works:
sudo shutdown -r now # Do the Dropbear dance sudo puppet agent -t
Tracked separately
Edited by Zen Fu