Migrate all the infra to the tails.net namespace
# Assumptions

- We'll eventually migrate all Tails infra to use `tails.net`
- We'll eventually get rid of `tails.boum.org` (modulo redirections, to avoid link rot)
- We'll not migrate everything at once, so steps should be incremental

# Migration steps

- [x] Migrate Puppet config to use `voxpupuli/nginx`
- [x] Website -- #17985
- [x] Translation platform
  - [x] puppet-weblate!15+
  - [x] puppet-code!11+
  - [x] jenkins-tools!2+
  - [x] tails!1699+
  - [x] Staging website
  - [x] Inform `tails-l10n@`
- [x] Machine FQDNs
  - [x] chameleon
  - [x] dragon
  - [x] ecours
  - [x] iguana
  - [x] lizard
  - [x] gecko
  - [x] stone
  - [x] skink
  - [x] teels
- [x] Gitolite
- [x] LimeSurvey
- [ ] Rsync (needs coordination with mirror admins)
  - [x] Create `rsync.tails.net`
  - [x] Update the documentation on the website:
  - [x] Request the change to mirror operators and kindly ask them to report back
  - [ ] Check the state on Oct 31st and notify them once again
- [x] Start serving several addresses under the tails.net domain:
  - [x] Tor Browser archive: https://torbrowser-archive.tails.boum.org
  - [x] ISO links: https://iso-history.tails.boum.org and https://nightly.tails.boum.org
  - [x] APT snapshots: https://time-based.snapshots.deb.tails.boum.org and https://tagged.snapshots.deb.tails.boum.org
- [x] Redmine archives
- ~~Redmine redirects~~ (see [thread](https://gitlab.tails.boum.org/tails/sysadmin/-/issues/17987#note_246337))

# Postponed

These items need to be coordinated in the context of the merge with TPA. See more info on: `sysadmin-private.git:meetings/2024-09-23.md`

- GitLab (service provider needs to add support to the `tails.net` domain)
- Jenkins:
  - Documentation on tails/tails>
  - Jenkins configuration
  - tails/jenkins-jobs>
  - gitlab-jenkins integration
- Mailman (lists at autistici)
- APT repository: https://deb.tails.boum.org
- Icinga2 / Icingaweb2

<details>
<summary>Node migration steps</summary>

1. Add a DNS entry for the host in the `tails.net` zone
1. Replace all entries in Puppet:

   ```
   set HOSTNAME skink
   git grep -l $HOSTNAME.tails.boum.org | xargs -l sed -i -e "s/$HOSTNAME.tails.boum.org/$HOSTNAME.tails.net/"
   for i in yaml eyaml; find hieradata/node/ \
       -regex "hieradata/node/$HOSTNAME.tails.boum.org.$i" \
       -exec git mv '{}' "hieradata/node/$HOSTNAME.tails.net.$i" \; ; end
   ```

1. Commit and push the changes:

   ```
   git commit -a -m "Move $HOSTNAME to the tails.net domain" -m "refs sysadmin#17987"
   git push
   ```

1. Change the machine hostname:

   ```
   set HOSTNAME (hostname)
   sudo sed -i -e "s/$HOSTNAME.tails.boum.org/$HOSTNAME.tails.net/" /etc/hosts /etc/puppet/puppet.conf
   sudo find /var/lib/puppet/ssl -type f -delete
   ```

1. In the Puppet Master node:

   ```
   set HOSTNAME skink
   sudo puppetserver ca clean --certname $HOSTNAME.tails.boum.org
   sudo puppet node deactivate $HOSTNAME.tails.boum.org
   ```

1. In the node:

   ```
   sudo puppet agent -t --waitforcert 5
   ```

1. In the Puppet Master:

   ```
   sudo puppetserver ca list
   # Check the fingerprint!
   sudo puppetserver ca sign --certname $HOSTNAME.tails.net
   ```

1. Wait for the Puppet run to finish to make sure the node exports any exported resources it declares
1. In lizard, run Puppet for the VPN entrypoints and the monitoring node:

   ```
   for i in iguana ecours lizard; ssh $i.tails.boum.org sudo systemctl restart puppet-run; end
   ```

1. Force the node's icinga2 to use the new hostname and delete the old certificate:

   ```
   sudo systemctl restart icinga2
   sudo rm /var/lib/icinga2/certs/(hostname).tails.boum.org.{crt,key}
   ```

1. Sign the node's Icinga2 certificate in ecours:

   ```
   # List the pending certificates and get the fingerprint...
   sudo icinga2 ca list
   # ...then sign
   sudo icinga2 ca sign $FINGERPRINT
   ```

1. Move the entries in sysadmin-private.git:systems to the new hostname
1. Reboot the node and make sure Puppet works:

   ```
   sudo shutdown -r now
   # Do the Dropbear dance
   sudo puppet agent -t
   ```

</details>

# Tracked separately

- #18026+
- #18024+
- #18095+
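
The "Check the fingerprint!" step in the node migration steps, as an added example that is not part of the original issue or of the Tails sysadmin tooling: a POSIX sh helper that compares the request pending in `puppetserver ca list` with the fingerprint the node prints for `sudo puppet agent --fingerprint`, and succeeds only on an exact match for the exact certname. The function names, the sample text and its column layout are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the project's own code. Sample data below is constructed.

# Constructed SHA256 fingerprint (32 colon-separated bytes) and a differing one.
FP='3A:7F:12:9C:E4:05:B8:6D:41:F0:2A:93:5E:C7:18:8B:D2:64:0F:A9:37:EB:50:1C:96:4D:F3:28:7A:B5:0E:C1'
OTHER_FP="00${FP#3A}"

# Constructed text in the assumed layout of `puppetserver ca list`; the first
# entry is a lookalike name that a substring match would wrongly accept.
SAMPLE_CA_LIST="Requested Certificates:
    skink.tails.net.example   (SHA256)  $OTHER_FP
    skink.tails.net           (SHA256)  $FP"

# Constructed text in the assumed layout of `puppet agent --fingerprint`.
SAMPLE_NODE="(SHA256) $FP"

# extract_fp TEXT: print the first SHA256-length fingerprint in TEXT, uppercased.
extract_fp() {
    printf '%s\n' "$1" | tr 'a-f' 'A-F' |
        grep -Eo '([0-9A-F]{2}:){31}[0-9A-F]{2}' | head -n 1
}

# pending_fp CERTNAME CA_LIST: fingerprint of the request whose name is exactly
# CERTNAME (first column compared as a whole string, not as a pattern).
pending_fp() {
    line=$(printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print; exit }')
    extract_fp "$line"
}

# csr_matches CERTNAME CA_LIST NODE_OUTPUT: exit 0 only if both fingerprints
# were found and are identical; a missing request or fingerprint is a failure.
csr_matches() {
    ca=$(pending_fp "$1" "$2")
    node=$(extract_fp "$3")
    [ -n "$ca" ] && [ -n "$node" ] && [ "$ca" = "$node" ]
}

if csr_matches skink.tails.net "$SAMPLE_CA_LIST" "$SAMPLE_NODE"; then
    echo "fingerprints match: safe to run puppetserver ca sign"
else
    echo "fingerprint mismatch or request not found: do not sign" >&2
fi
```

On the Puppet Master, the second argument would be the captured output of `sudo puppetserver ca list` and the third the line copied from the node over a trusted channel.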