Note that this documentation needs work, as it overlaps with normal user management procedures, see issue 40129. Also note that the operations people have their own onboarding document to track this work as well.
It might also be better on the frontpage of the wiki, or a more general introduction page.
Glossary
- TSA: Tor System Administrators
- TPA: Tor Project Admins, synonymous with TSA, preferably used to disambiguate with the other TSAs
- TPI: Tor Project Inc. the company that employs Tor staff
- TPO: torproject.org, machines officially managed by TSA, often shortened as .tpo, for example www.tpo
- torproject.net, machines in DNS but not officially managed by TSA
- a sysadmin can also be a service admin, and both can be paid work
Orienteering
- sysadmin wiki
- service list
- machines list
- key machines:
- jump host: ssh-dal.torproject.org and ssh-fsn, for North America and Europe
- home pages and shell server: people.torproject.org AKA perdulce
- IRC bouncer: chives
- Puppet: pauli
- LDAP: db.torproject.org AKA alberti
- Main mail servers: mx-dal-01, srs-dal-01, mta-dal-01
- Master Ganeti nodes: fsn-node-01, dal-node-01
- key services:
- GitLab: https://gitlab.torproject.org/ - issue tracking, project management, and git repository hosting
- git repositories list, clone this first
- web sites and team
- Grafana: https://grafana.torproject.org - monitoring dashboard, password in password manager
- see also the full service list
- how the team works:
- meetings:
- TPA has weekly checkins, monthly roadmap, and yearly in-person meetings
- 1:1s: monthly
- TPI has online All hands every week on Wednesday and yearly in-person
- IRC / BBB / Signal / right to disconnect
- support: "star of the week" shift rotation
- issue dashboards: TPA, web
- roadmap, policies
- calendars:
- TPA team: tracking meetings and sometimes rotation
- AFK tracker: to update when you take a vacation, leave, or holiday
- TPI holidays: US public holidays
- see also employee handbook from HR
- mailing lists:
- tor-project@lists.torproject.org - Open list where anyone is welcome to watch but posting is moderated. Please favor using this when you can.
- tor-internal@lists.torproject.org - If something truly can't include the wider community then this is the spot.
- tor-team@lists.torproject.org - Exact same as tor-internal@ except that the list will accept email from non-members. If you need a cc when emailing a non-tor person then this is the place.
- tor-employees@lists.torproject.org - TPI staff mailing list
- tor-meeting@lists.torproject.org - for public meetings
- torproject-admin@torproject.org - TPA-specific "mailing list" (not a mailing list but an alias)
- tpa-team@lists.torproject.org - TPA team mailing list
- see the list of mailing lists for a more exhaustive list
- IRC channels:
- #tor-project - general Tor project channel
- #tor-admin - channel for TPA specific stuff
- #tor-www - Tor websites development channel
- #tor-internal - channel for private discussions, requires the secret password and being added to @tor-tpomember with GroupServ (part of the tor-internal@lists.tpo welcome email)
- #tor-bots - where a lot of bots live
- #tor-alerts - ... except the monitoring bots, which live here
- #tor-meeting - where some meetings are held
- #tor-meeting2 - fallback for the above
Important documentation
- Getting to know LDAP
- SSH jump host configuration
- How to edit this wiki, make sure you have a local copy of the documentation!
- Puppet primer: adding yourself to the allow list
- New machine creation
- Updating status.tpo
- Tor Websites
- Roadmap and Policies
More advanced documentation
- Account creation procedures
- Password management
- Adding and removing websites in the static mirror system
- Editing DNS
- TLS certificate operations
- Puppet code linting and the entire Puppet operations manual
- Backup restore procedures
- Documentation design
- Ganeti operations manual
The full documentation is available in the wiki and particularly from the service list.
Accounts to create
This section is specifically targeted at existing sysadmins, who should follow this checklist to create the necessary accounts on all core services. More services might be required if the new person is part of other service teams; see the service list for the exhaustive list.
The subsections here are checklists of things that we can copy in issues where we create the required accesses.
All new recruits should get what's listed in the issue template.
Then new TPA members should also get what's listed in "Basic TPA access", and if needed also what's in "Full TPA access".
Basic TPI access
Moved to the new account issue template.
Basic TPA access
- [ ] GitLab tpo/tpa group membership, "Maintainer" or "Owner" level (this also grants access to tpo/team and tpo/web, among other things)
- [ ] Nextcloud add to group TPA
- [ ] torproject-admin@ and torproject-admin-vcs@ aliases
Many of those are granted as part of the routine "core tor membership" admission process.
Full TPA access
Other accounts required for full TPA access. These require the person to be vetted by a member of the community, as they give access to everything:
- [ ] LDAP admin access
- [ ] Puppet git repository access
- [ ] TPA password manager access (tor-passwords.git on the Puppet server)
- [ ] Safespring cloud access (e.g. Message-ID: <87bk4fru9n.fsf@angela.anarc.at>)
Other services
Extra services we are not directly responsible for, but that TPA staff may administer at some point. Those are given as needed, depending on which service the new person will be "service admin" for:
- [ ] BBB access
- [ ] GitLab -admin account
- [ ] Nextcloud admin account
- [ ] RT
- [ ] torproject github account
Those are purely optional. See the service list for more ideas.
Welcome email
This email should be edited and sent to the hired candidates when they are confirmed.
Hi X!
First of all, congratulations and welcome to TPI (Tor Project, Inc.) and the TPA (Admin) team. Exciting times!
We'd like you to join us on your first orientation meeting on TODO Month day, TODO:00 UTC (TODO:00 your local time), in my home room. Also note that we have our weekly check-in on Monday at 18:00 UTC as well.
Make sure you can attend the meeting and pen it down in your calendar. If you cannot make it for some reason, please do let us know as soon as possible so we can reschedule.
Here is the agenda for the meeting:
TODO: copy paste from the OnBoardingAgendaTemplate, and append:
- Stakeholders for your work:
- TPA
- web team
- consultants
- the rest of Tor...
- How the TPA team works:
- TPA systems crash course through the new-person wiki page
Note that the "crash course" takes 20 to 30 minutes, so if you run out of time doing the rest of the page, reschedule, don't rush.
You will shortly receive the following credentials, in an OpenPGP encrypted email, if you haven't already:
- an LDAP account
- a Nextcloud account
- a GitLab account
If you believe you already have one of those accounts (GitLab, in particular), do let us know.
You should do the following with these accesses:
- hook your favorite calendar application with your Nextcloud account
- configure an SSH key in LDAP
- log in to people.torproject.org (aka perdulce) and download the known hosts, see the jump host documentation on how to partially automate this
- if you need an IRC bouncer, log in to chives.torproject.org and set up a screen/tmux session, or ask @pastly on IRC to get access to the ZNC bouncer
- provide a merge request on about/people to add your bio and picture, see the documentation on the people page
So you also have a lot of reading to do already! The new-person page is a good reference to get started.
But take it slowly! It can be overwhelming to join a new organisation and it will take you some time to get acquainted with everything. Don't hesitate to ask if you have any questions!
See you soon, and welcome aboard!