freifunk-berlin / puppet Goto Github PK

We should add support for https for monitor.berlin.freifunk.net.

IPv6 auto configuration should be disabled by default on the server.

Add a Vagrantfile for local "testing" of the deployment scripts

We should rate limit the request a user can make to the ca.berlin.freifunk.net. Just in case a bot tricks our catcha.

We should add build-essential to the packages we install with install.sh

We should manage users with puppet. Documentation:

• https://docs.puppetlabs.com/references/latest/type.html#user
• https://docs.puppetlabs.com/references/latest/type.html#sshauthorizedkey

We should integrate the conntrack (timeout, hash size) changes into the puppet templates.

We should set the timeout to something reasonable like two minutes or something like this.

Upgrade ubuntu release on monitor machine.

From time to time we don't have enough space to update the system because we keep multiple old kernel versions in the file system. We should check if there is an option to remove the old kernels with an auto-update or if we need to write a cron-job.

At the moment we create database "backups" with the script in /etc/cron.daily/postgres-backup. Functionality that removes old backups is missing which is a problem.

At the moment nipap-www runs in a tmux instance. We should create a wsgi configuration for nipap-www. Nipap-www is the admin interface for nipap. Nipap-www should listen on localhost.

https://github.com/SpriteLink/NIPAP/blob/master/nipap-www/nipap-www.wsgi

@booo will send @nosy79 a script for cert generation and we will deploy a proper cert for lists.berlin.freifunk.net

Add the deployment of the frontend to the puppet configuration.

@egmont1227 Is there a mechanism for all vm's that updates the packages on the systems or should I manage this?

In other setups I use unattended upgrades for security updates and update the other packages by hand:

https://help.ubuntu.com/10.04/serverguide/automatic-updates.html

Every time I have to configure nginx and php-fpm I get crazy :/ I'm not sure if the configuration is sane. We should check this all togehter if we plan to use a php frontend.

We should update all puppet modules.

We should rotate the nginx logs. There is a logrotate module for puppet.

Update release on buildbot. Should be coordinated with @stargieg.

They remove the unattended_upgrade class from the apt module. We should use the new puppet community module instead. We should check if the default configuration installs security updates only.

Add a licence for the code.

We already have a minimal package set for all hosts:

https://github.com/freifunk-berlin/puppet/blob/master/puppet/manifests/site.pp#L16

We should add some standard debugging tools such as:

• mtr
• tracepath
• tcpdump
• screen

@cholin you mentioned some other packages. Can you add them to the list?

From time to time apticron informs me about new packages e.g. on monitor.berlin... We do install security updates without human interaction. I don't see a reason why I should update normal packages and why apticron should annoy me from time to time.

I suggest we remove apticron or find a usefull configuration.

A small script that installs the required packages and creates the configuration would be awesome.

http://wiki.freifunk.net/MABB:Standards#Statistiken

On the vpn03a host we have another openvpn instance apart from the tcp and udp instances. We should move all users to the new instance and shutdown the instance. I contacted possible useres with new credentials and asked them to migrate. I will shutdown the old instance at 2015-01-15.

Most of the certificates are valid till November. We should update the certificates.

Add configuration for rrdcached.

• create /var/lib/rrdcached/{db, journal}
• start service
• -B option fix

We should forward as described in the header. @nosy79 can implement this.

We use a patched version of openvpn that did not receive updates for a long time. We should update the openvpn package.

I made some changes to the routing infrastructure which we have to port to puppet. I added a "ip rule" to /etc/rc.local, added another routing table and changed the openvpn up/down script to use the new routing table.

Each openvpn instance should log to /var/log/openvpn/ and we should add a logrotate file to /etc/logrotate.d/ for openvpn.

We should add https for ca.berlin.freifunk.net.

Create a buildbot slave puppet configuration that people can use to setup a buildbot slave vm.

Bin der readme gefolgt, ich vermute irgendein typisches Dependencyproblem, und die hat ja normalerweise schon mal irgendwer gesehen und vergessen aufzuschreiben :)

$ vagrant up
==> monitor: Mounting shared folders...
    monitor: /vagrant => /home/user/freifunk/puppet/puppet
    monitor: /tmp/vagrant-puppet/modules-6088f7e1c7d848ff4b2520c25b0f7ac1 => /home/user/freifunk/puppet/puppet/modules
    monitor: /tmp/vagrant-puppet/manifests-a11d1078b1b1f2e3bdea27312f6ba513 => /home/user/freifunk/puppet/puppet/manifests
==> monitor: Running provisioner: shell...
    monitor: Running: /tmp/vagrant-shell20160829-25979-y46354.sh
==> monitor: stdin: is not a tty
==> monitor: Generating a 4096 bit RSA private key
[...]
==> monitor: writing new private key to '/etc/ssl/private/monitor.berlin.freifunk.net.key'
==> monitor: -----
==> monitor: Signature ok
==> monitor: subject=
==> monitor: /C=DE/ST=Berlin/O=Freifunk Berlin/L=Berlin/CN=monitor.berlin.freifunk.net/OU=Freifunk Berlin/[email protected]
==> monitor: Getting Private key
==> monitor: Running provisioner: puppet...
==> monitor: Running Puppet with site.pp...
==> monitor: stdin: is not a tty
==> monitor: Warning: Config file /etc/puppet/hiera.yaml not found, using Hiera defaults
==> monitor: Error: Puppet::Parser::AST::Resource failed with error ArgumentError: Could not find declared class php-fpm at /tmp/vagrant-puppet/manifests-a11d1078b1b1f2e3bdea27312f6ba513/site.pp:127 on node monitor.berlin.freifunk.net
==> monitor: Wrapped exception:
==> monitor: Could not find declared class php-fpm
==> monitor: Error: Puppet::Parser::AST::Resource failed with error ArgumentError: Could not find declared class php-fpm at /tmp/vagrant-puppet/manifests-a11d1078b1b1f2e3bdea27312f6ba513/site.pp:127 on node monitor.berlin.freifunk.net

Add configuration for buildbot and deploy scripts to buildbot machine.

The cert chain of the current ssl deployments is incomplete. I think we should fix this:

https://www.ssllabs.com/ssltest/analyze.html?d=buildbot.berlin.freifunk.net

Add a bit of documentation for the other freifunk freaks ;)

Maybe we should add the network configuration to puppet? Important file is /etc/network/interfaces

The current iptables rules contain a two rules that redirect traffic from port 80 etc. to the openvpn ports. I don't think we need these rules. We should remove them.

The https setup for berlin.freifunk.net is not optimal:

https://www.ssllabs.com/ssltest/analyze.html?d=berlin.freifunk.net&latest

Where apropriate we should add a permanent https redirect from http. For e.g. the buildbot nginx configuration this is a problem because the router wget version does not support https.

Complete the puppet configuration for config.berlin.freifunk.net. We still need to:

• configure uwsgi
• configure postgres
• install nipapd, etc.
• install custom nipapd frontend

We should document the smart host setup we use.

Check if we need a 'pool-file'. If there is no reason to have a pool file we should disable it in the configuration. The configuration option:

--ifconfig-pool-persist file [seconds]
              Persist/unpersist ifconfig-pool data to file, at seconds intervals (default=600), as
              well as on program startup and shutdown.

              The goal of this option is  to  provide  a  long-term  association  between  clients
              (denoted  by their common name) and the virtual IP address assigned to them from the
              ifconfig-pool.  Maintaining a long-term association is good for clients  because  it
              allows them to effectively use the --persist-tun option.

              file is a comma-delimited ASCII file, formatted as <Common-Name>,<IP-address>.

              If seconds = 0, file will be treated as read-only.  This is useful if you would like
              to treat file as a configuration file.

              Note that the entries in this file are treated by OpenVPN as suggestions only, based
              on  past  associations  between a common name and IP address.  They do not guarantee
              that the given common name will always receive the given IP address.   If  you  want
              guaranteed assignment, use --ifconfig-push

The mimetype for md5sums is shitty in the buildbot nginx configuration. Example:

http://buildbot.berlin.freifunk.net/buildbot/unstable/ar71xx/706/default/md5sums

We should handle md5sums as txt files.

We have plenty of non-reporting entries for our monitor service. 63 of 268 nodes are outdated for http://monitor.berlin.freifunk.net. I wrote a snippet to detect these nodes (see https://gist.github.com/cholin/3378b204ab7513bc6024 - output: http://paste.debian.net/hidden/2dbd50bb/).

I would suggest we remove these outdated entries automatically via a cronjob. For example after 14 days of inactivity.

We should decide on a logging stragegie for our http servers and implement this strategie on all http servers via puppet. At the moment the access and error log are piped to /dev/null.

@cholin suggested that we keep a small error log, e.g. for a day. I guess this is usefull for debugging. I assumed in my initial configuration that we can enable the error log temporarily if we need it. Do you think this is not enough?

If we need to manage logs we can use the puppet logrotate module:

https://github.com/rodjek/puppet-logrotate/

A new long term support release is available for our ubuntu host. We should create a list of affected machines and start upgrading.

https for https://download.berlin.freifunk.net/ is broken. We should fix this.