gitweb.fluxo.info Git - puppet-bootstrap.git/commitdiff
Updates TODO
author Silvio Rhatto <rhatto@riseup.net>
Fri, 11 Sep 2015 18:32:08 +0000 (15:32 -0300)
committer Silvio Rhatto <rhatto@riseup.net>
Fri, 11 Sep 2015 18:32:08 +0000 (15:32 -0300)
TODO.md

diff --git a/TODO.md b/TODO.md
index 75ad09c7c0d5b3beea1518c97f64c3e05722e4bd..24799331857ffec3c5e4af61ef9e1def50258695 100644 (file)
--- a/TODO.md
+++ b/TODO.md
@@ -1,59 +1,43 @@
 TODO
 ====
 
-* UseDns disable on sshd_config for vagrant nodes.
-* Support for recursive clones in `bin/mrconfig`.
-* Test!
-* Puppet 3.x support:
-  * http://docs.puppetlabs.com/puppet/latest/reference/environments.html
-  * https://github.com/mitchellh/vagrant/issues/3740
-  * https://search.disconnect.me/searchTerms/serp?search=b5af0f89-a8ba-4601-8deb-6b45c8032414
-  * https://ask.puppetlabs.com/question/10975/for-node-definitionclassification-what-is-the-successor-to-import-nodespp-now-that-import-is-deprecated/
+High priority
+-------------
 
-Puppet modules
---------------
-
-### Security
-
-- knock integration via https://github.com/juasiepo/knockd
-- apache:
-  - try libapache2-modsecurity.
-  - deploy https://git.immerda.ch/csp-report/
-  - disable other_vhosts_access.log
-- loginrecords: deploy module.
-- ssh:
-  - https://stribika.github.io/2015/01/04/secure-secure-shell.html
-  - access restrictions:
-    - denyhosts, but we don't want to log IPs.
-    - using shorewall: http://www.debian-administration.org/articles/250#comment_16
-    - alowed users / groups.
-- backup:
-  - support for $dombr and $dobios on backupninja::sys for servers and physical machines.
-  - sync-backups support for rsyncing from kvms / snapshots.
-- virtual: migrate to kvm/libvirt.
-- websites: freewvs.
-- puppet: masterless puppet:
+- puppet: masterless:
   - keyringer/gpg integration.
     - http://it-dev.web.cern.ch/book/cern-puppet-development-user-guide/puppet-development-work-flow-git/hiera-hierarchical-databa-1
     - https://github.com/compete/hiera_yamlgpg
     - https://github.com/crayfishx/hiera-gpg
+    - https://github.com/StackExchange/blackbox
+    - http://ww.telent.net/2014/2/10/keeping_secrets_in_public_with_puppet
+    - https://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml
+    - https://packages.debian.org/jessie/hiera-eyaml
   - how to distribute keys outside the repo (i.e, avoiding all nodes to have all keys?):
     - add a monkeysphere auth subkey to every openpgp key used for backups.
     - make backupninja wrap around monkeysphere: http://web.monkeysphere.info/doc/user-ssh-advanced/
-  - how to manage storeconfigs?
   - http://current.workingdirectory.net/posts/2011/puppet-without-masters/
   - http://andrewbunday.co.uk/2012/12/04/masterless-puppet-wrapper/
   - http://semicomplete.com/presentations/puppet-at-loggly/puppet-at-loggly.pdf.html
   - https://github.com/jordansissel/puppet-examples/tree/master/masterless
-- drupal/wordpress:
-  - cronjob/cli: switch to site user
+- sshd:
+  - https://stribika.github.io/2015/01/04/secure-secure-shell.html
+  - enable ecdsa key
+  - ecdsa priority: alternatives:
+    - unsupport ecdsa in the server
+    - export ecdsa pubkeys
+    - manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`
+    - force option via rsync/rdiff handlers
+- virtual: migrate to kvm/libvirt.
+- loginrecords: deploy module.
 
-### Fixes
+Medium priority
+---------------
 
-- nodo: support for prosody:
-  - https://github.com/dgoulet/prosody-otr
-  - http://prosody.im/doc/creating_accounts#importing_from_ejabberd
-  - config with good score at https://xmpp.net/index.php
+- backup:
+  - support for $dombr and $dobios on backupninja::sys for servers and physical machines.
+  - sync-backups support for rsyncing from kvms / snapshots.
+- nodo:
   - rename `nodo::base::vserver` and `nodo::role::vserver` to a more generic `virtual` suffix.
   - use prompt.sh from bash-prompt as a submodule.
 - general:
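Review bot: Several entries removed at the top of this hunk are not re-added anywhere in the patch: `UseDns disable on sshd_config for vagrant nodes`, `Support for recursive clones in bin/mrconfig`, `Test!`, the whole `Puppet 3.x support` list, and `how to manage storeconfigs?` under masterless puppet. Every other removed entry reappears under one of the new priority headings, and the commit message only says "Updates TODO", so it is not clear whether these were completed or lost in the reshuffle. Either keep them under a priority heading or note in the commit message that they are done or abandoned.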
@@ -63,63 +47,15 @@ Puppet modules
     - php ("refactor" branch), remove E_STRICT from production's error_reporting.
     - apache2.
     - sudoers.
-- drupal:
-  - drupal_update: Do you really want to continue with the update process? (y/n):
-    Do you really want to continue with the update process? (y/n): Aborting. [cancel],
-    possibly related to https://www.drupal.org/node/443392
-- sshd/backup:
-  - ecdsa priority: alternatives:
-    - unsupport ecdsa in the server
-    - export ecdsa pubkeys
-    - manage client's /root/.ssh/config: `HostKeyAlgorithms ssh-rsa`
-    - force option via rsync/rdiff handlers
-  - enable ecdsa key
-- etherpad: `You need to set a sessionKey value in settings.json`.
-- websites:
-  - php / wordpress / wp-cli: composer installation and dependencies:
-    - http://getcomposer.org/doc/00-intro.md#installation-nix
-    - https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods
-    - suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`.
-  - make rails optional on websites::hosting
-- puppet:
-  - puppetlast.
-  - bug report: debian wheezy puppetmaster-passenger: not honoring certname / envvars LANG issue.
-  - bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963
 - backup: `sync-media-iterate [volume]`.
 - mail:
-  - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.).
-  - use ssl::dhparams, move to 2048 bit and use the standard file names and paths.
+  - use ssl::dhparams, move to 2048 bit and use the standard file names and paths:
     - [Feature #4012: postfix: ship 2048bit dh parameters - Platform - LEAP Issue Tracker](https://leap.se/code/issues/4012)
-  - schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails
-    sent as `root@localhost`.
-  - deploy https://git.autistici.org/ale/smtp-fp/tree/master
-           https://github.com/EFForg/starttls-everywhere
-  - deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP
-           https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d
-           https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616
 
-### Features
+Low priority
+------------
 
-- git:
-  - gitweb clean urls
-  - email notifications
-    - https://packages.debian.org/jessie/git-notifier
-    - https://github.com/mhagger/git-multimail
-    - using OpenPGP?
-- support for http/https proxy inside web nodes
-  - encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html
-  - make all apache sites listen to 8080
-- git: gitolite:
-  - /root/.config/git/config permission denied ikiwiki issue:
-    - http://www.redmine.org/issues/13631
-    - https://answers.atlassian.com/questions/112982/permission-denied-errors-post-upgrade-to-stash-2
-    - https://bugs.gentoo.org/show_bug.cgi?id=460370
-    - http://rtime.felk.cvut.cz/~sojka/blog/using-ikiwiki-with-gitolite/
-    - related to ikiwiki's post-update hooks which is not getting the $HOME env correctly
-  - [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html).
-- mail: mlmmj:
-  - lists with hyphens are not working when mails are sent directly, but work when sent to an alias.
-  - `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`.
+* merge, review, pull requests for all modules.
 - bind: nsupdate / dynamic dns:
   - http://linux.yyz.us/nsupdate/
   - http://linux.yyz.us/dns/ddns-server.html
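Review bot: The added first item under "Low priority", `* merge, review, pull requests for all modules.`, uses a `*` bullet while every other item in that section uses `-`. Markdown renderers treat a change of bullet marker as the start of a separate list, so this item will render apart from the ones that follow. Suggest `- merge, review, pull requests for all modules.` to match the rest of the file.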
@@ -127,9 +63,6 @@ Puppet modules
   - http://www.rtfm-sarl.ch/articles/using-nsupdate.html
   - https://github.com/skx/dhcp.io/
 - munin: lvm monitoring.
-- nagios: snmp, nrpe, nsca
-  - http://nagios.sourceforge.net/docs/3_0/addons.html
-  - http://www.math.wisc.edu/~jheim/snmp/
 - pyroscope: torrent workflow: torrent-maker, magnet2torrent and torrent-reseed:
   - http://wiki.rtorrent.org/MagnetUri
   - http://dan.folkes.me/2012/04/19/converting-a-magnet-link-into-a-torrent/
@@ -139,14 +72,80 @@ Puppet modules
   - http://wiki.rtorrent.org/MagnetUri
   - https://github.com/rakshasa/rtorrent/issues/212
   - saving/restoring `.meta` and `~/rtorrent/.session` files.
-- onion:
-  - support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot
-  - load balancing: http://archives.seul.org/tor/relays/Apr-2011/msg00022.html
+
+- support for http/https proxy inside web nodes
+  - encrypted ssl keys: http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11440.html
+  - make all apache sites listen to 8080
+- git:
+  - gitweb clean urls
+  - email notifications
+    - https://packages.debian.org/jessie/git-notifier
+    - https://github.com/mhagger/git-multimail
+    - using OpenPGP?
 - nodo:
   - decrease http://www.cups.org/doc-1.1/sam.html#Timeout on cupds.conf from laptops that use remote printers set on client.conf
 - syslog-ng: use conf.d
-
-Repo management
----------------
-
-- merge, review, pull requests for all modules.
+- etherpad: `You need to set a sessionKey value in settings.json`.
+- knock integration via https://github.com/juasiepo/knockd
+- apache:
+  - try libapache2-modsecurity.
+  - deploy https://git.immerda.ch/csp-report/
+  - disable other_vhosts_access.log
+- onion:
+  - support for existing hidden service key, generated with tools like https://github.com/katmagic/Shallot
+  - load balancing: http://archives.seul.org/tor/relays/Apr-2011/msg00022.html
+- nagios: snmp, nrpe, nsca
+  - http://nagios.sourceforge.net/docs/3_0/addons.html
+  - http://www.math.wisc.edu/~jheim/snmp/
+- ssh access restrictions:
+  - denyhosts, but we don't want to log IPs.
+  - using shorewall: http://www.debian-administration.org/articles/250#comment_16
+    - alowed users / groups.
+- websites: freewvs.
+- puppet:
+  - puppetlast.
+  - bug report: debian wheezy puppetmaster-passenger: not honoring certname / envvars LANG issue.
+  - bug report: debian wheezy puppet-common: needs the following patch: http://projects.puppetlabs.com/issues/10963
+- mail: mlmmj:
+  - lists with hyphens are not working when mails are sent directly, but work when sent to an alias.
+  - `mail::mlmmj::domain` needs updating or additional domains should be added into `relay_domains`.
+- drupal/wordpress:
+  - cronjob/cli: switch to site user
+  - drupal_update: Do you really want to continue with the update process? (y/n):
+    Do you really want to continue with the update process? (y/n): Aborting. [cancel],
+    possibly related to https://www.drupal.org/node/443392
+- php / wordpress / wp-cli: composer installation and dependencies:
+  - http://getcomposer.org/doc/00-intro.md#installation-nix
+  - https://github.com/wp-cli/wp-cli/wiki/Alternative-Install-Methods
+  - suhosin needs `suhosin.executor.include.whitelist = phar` on `/etc/php5/cli/conf.d/suhosin.ini`.
+- nodo: support for prosody:
+  - https://github.com/dgoulet/prosody-otr
+  - http://prosody.im/doc/creating_accounts#importing_from_ejabberd
+  - config with good score at https://xmpp.net/index.php
+- websites:
+  - make rails, moin, trac, etc optional on websites::hosting
+- git: gitolite:
+  - /root/.config/git/config permission denied ikiwiki issue:
+    - http://www.redmine.org/issues/13631
+    - https://answers.atlassian.com/questions/112982/permission-denied-errors-post-upgrade-to-stash-2
+    - https://bugs.gentoo.org/show_bug.cgi?id=460370
+    - http://rtime.felk.cvut.cz/~sojka/blog/using-ikiwiki-with-gitolite/
+    - related to ikiwiki's post-update hooks which is not getting the $HOME env correctly
+  - [monkeysphere integration](http://gitolite.com/gitolite/g2/monkeysphere.html).
+- mail:
+  - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.).
+  - schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails
+    sent as `root@localhost`.
+  - deploy https://git.autistici.org/ale/smtp-fp/tree/master
+           https://github.com/EFForg/starttls-everywhere
+  - deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP
+           https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d
+           https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616
+  - support for [preventing SPAM connections with bird](http://www.debian-administration.org/article/715/Preventing_SPAM_connections_with_bird.).
+  - schleuder: manage `/etc/schleuder/schleuder.conf`, using `superadminaddr: root` or other recipient, to avoid mails
+    sent as `root@localhost`.
+  - deploy https://git.autistici.org/ale/smtp-fp/tree/master
+           https://github.com/EFForg/starttls-everywhere
+  - deploy https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration#Configuration_server_at_ISP
+           https://git-ipuppet.immerda.ch/module-apache/commit/?id=058dbb366b96cae1f8fb0def65f73a698f1c375d
+           https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577616
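Review bot: The last eight added lines repeat the eight before them verbatim, so the bird, schleuder and two `deploy` items appear twice under the final `- mail:` entry; drop the second copy. Separately, in `ssh access restrictions` the item `alowed users / groups.` is now indented under `using shorewall`, whereas in the removed block from the first hunk it was a sibling of `denyhosts` and `using shorewall`; if the nesting is not intended, dedent it by two spaces, and fix the spelling to `allowed` while touching the line.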