Quick links
User Documentation
Torproject Sysadmin Team
Howtos
Meeting
Policies
Providers
Roadmaps
Sandbox
Service
Need help?
Tails
Doc
- git, shell, ldap, etc. accounts
- sys admin and service admin tasks
- Bits and pieces of Tor Project infrastructure information
- When using extra.tpo
- Hardware requirements
- How to get help
- Lektor website development environment on macOS
- Naming scheme
- How to report email problems
- Running non-root services
- learning how to do an ssh jump host on tpo
- How make website changes
- Getting an SVN account
Howto
- Web Key Directory
- Apu
- Benchmark
- Build and upload Debian packages
- Cache
- Conference
- Create a new user
- Cumin
- Dns
- Drbd
- Fabric
- Ganeti
- Git
- Gitlab
- RETIRED
- Grafana
- Incident response
- Ipsec
- Creating a tunnel with HE.net
- Irc
- Reference
- Dealing with messed up consoles
- Kvm
- Ldap
- Lektor
- Letsencrypt
- Logging
- LVM cheat sheet
- Nagios
- New machine cymru
- New machine hetzner cloud
- New machine hetzner robot
- New machine mandos
- Billing and ordering
- New machine
- How to get a new Tor System Administrator (with web developer duties) on board
- Nftables
- Openpgp
- Manual web-based OpenStack configuration
- Postgresql
- Puppet
- Raid
- Reboots
- Rename a host
- Rename a user
- Decommissioning a host
- Retire a user
- Rt
- Static component
- Submission
- How-to
- Tls
- Trac
- Upgrades
- YubiKey documentation
- Upgrades
  - Bookworm
  - Bullseye
  - Buster
  - Trixie
Meeting
- Agenda
- 2019 04 08
- 2019 05 06
- 2019 06 03
- 2019 07 01
- 2019 09 09
- 2019 10 07
- 2019 11 04
- 2019 11 25
- 2020 01 13
- 2020 02 03
- 2020 03 09
- Roll call: who's there and emergencies
- 2020 05 11
- Roll call: who's there and emergencies
- 2020 07 01
- Roll call: who's there and emergencies
- 2020 12 02
- 2021 01 19
- 2021 01 26
- Roll call: who's there and emergencies
- 2021 03 02
- 2021 04 07
- 2021 05 03
- 2021 06 02
- 2021 06 14
- 2021 09 07
- Roll call: who's there and emergencies
- 2021 11 01
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2022 01 24
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2023 12 11
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2025 Q1 Roadmap meeting
- 2025 02 10
- 2025 03 10
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2025 05 12
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Template
Policy
- Template
- Tpa rfc 1 policy
- Tpa rfc 10 jenkins retirement
- Tpa rfc 11 svn retirement
- Tpa rfc 12 triage and office hours
- Tpa rfc 13 okrs for roadmap
- Tpa rfc 14 gitlab artifacts
- Tpa rfc 15 email services
- Tpa rfc 16 replacing lektor i18n plugin
- Tpa rfc 17 disaster recovery
- Tpa rfc 18 security policy
- Tpa rfc 19 gitlab labels
- Tpa rfc 2 support
- Tpa rfc 20 bullseye upgrades
- Tpa rfc 21 uninstall svn
- Tpa rfc 22 rename irc
- Tpa rfc 23 retire ipv6only
- Tpa rfc 24 extend merge permissions web
- Tpa rfc 25 btcpay replacement
- Tpa rfc 26 limesurvey upgrade
- Tpa rfc 27 python2 eol
- Tpa rfc 28 alphabetical triage
- Tpa rfc 29 lektor scss plugin
- Tpa rfc 3 tools
- Tpa rfc 30 change lego plugins
- Tpa rfc 31 outsource email
- Tpa rfc 32 nextcloud root level folders migration
- Tpa rfc 33 monitoring
- Tpa rfc 34 office hours ends
- Tpa rfc 35 gitlab email address changes
- Tpa rfc 36 gitolite gitweb retirement
- Tpa rfc 37 lektor replacement
- Tpa rfc 38 new wiki service
- Tpa rfc 39 nextcloud account policy
- Tpa rfc 4 prometheus disk
- Tpa rfc 40 cymru migration
- Tpa rfc 41 schleuder retirement
- Tpa rfc 42 roadmap 2023
- Tpa rfc 43 cymru migration plan
- Tpa rfc 44 email emergency recovery
- Tpa rfc 45 mail architecture
- Tpa rfc 46 gitlab 2fa
- Tpa rfc 47 email account retirement
- Tpa rfc 48 enable new gitlab web ide
- Tpa rfc 5 gitlab
- Tpa rfc 50 private gitlab pages
- Tpa rfc 51 improve l10n review ci workflow
- Tpa rfc 52 cymru migration timeline
- Tpa rfc 53 security keys
- Tpa rfc 54 build boxes retirement
- Tpa rfc 55 swap file policy
- Tpa rfc 56 large file storage
- Tpa rfc 57 bookworm upgrades
- Tpa rfc 58 podman runner
- Tpa rfc 59 ssh jump host aliases
- Tpa rfc 6 naming convention
- Tpa rfc 60 gitlab 2fa enforcement
- Tpa rfc 61 roadmap 2024
- Tpa rfc 62 tpa password manager
- Tpa rfc 63 storage server budget
- Tpa rfc 64 puppet tls certificates
- Tpa rfc 65 postgresql backups
- Tpa rfc 66 gitlab ultimate program
- Tpa rfc 67 retire mini nag
- Tpa rfc 68 idle canary servers
- Tpa rfc 69 civicrm http basic auth
- Tpa rfc 7 root
- Tpa rfc 70 move tails sysadmin issues
- Tpa rfc 71 emergency email deployments round 2
- Tpa rfc 72 migrate donate 01 to gnt dal cluster
- Tpa rfc 73 tails infra merge roadmap
- Tpa rfc 74 gitlab ci retention policy
- Tpa rfc 75 new office hours
- Tpa rfc 76 puppet merge request workflow
- Tails and TPA Puppet codebase merge
- Tpa rfc 78 dangerzone retirement
- Tpa rfc 79 general merge request workflows
- Tpa rfc 8 gitlab ci libvirt
- Tpa rfc 80 debian trixie upgrade schedule
- Tpa rfc 81 gitlab access
- Tpa rfc 82 merge tor and tails support policies
- Tpa rfc 83 mail log retention
- Tpa rfc 84 minio backups and scaling
- Tpa rfc 85 invite only internal irc channels
- Tpa rfc 86 identity access management
- Tpa rfc 87 container image lifecycle
- Background
- Tpa rfc 89 gitaly migration
- Tpa rfc 89 gitlab encrypted confidential notifications
- Tpa rfc 9 proposed process
- Tpa rfc 90 signed commits
- Tpa rfc 91 incident response
- Tpa rfc 92 emergency bbb hosting provider change
Provider
- Autistici / Inventati
- PUSCII
- Quintex
Roadmap
- 2020
- 2021
- 2022
- 2023
- Priorities for 2025
- Tails merge
Service
- BTCpayserver
- Anon ticket
- Backup and restore procedures
- Blog
- Cdn
- Ci
- Crm
- Dangerzone
- Debian archive
- Documentation
- Donate
- Email
- Forum
- Jenkins
- Lists
- Nextcloud
- Object storage
- Onion
- Password manager
- Prometheus
- Schleuder
- Static shim
- Status
- Styleguide
- Support Portal
- Survey
- Template
- Tor weather
- Vault
Tails
- How tos
- Processes
- Tails Sysadmins role description
- Scripts
- Services managed by Tails Sysadmins
- Systems
- How tos
- Processes
  - Improve the infrastructure behind Tails
  - Onboarding new Tails sysadmins
- Scripts
  - Managing mirrors
- Services
- Systems
  - Boot times
  - Chameleon
    - OOB access
  - Dragon
    - Rebooting Dragon
    - Hardware
  - Ecours
    - Information
  - Gecko
    - Information
  - Iguana
    - Hardware
  - Lizard
    - Boot
    - Parts details
    - Setup
  - Skink
    - Skink
    - Usage policy for skink.tails.net
  - Stone
    - Hardware
    - Information
  - Teels
    - Information

Debian upgrades of Tails nodes

:warning: This page documents what i recall from the upgrade procedure which, as far as i know, was undocumented until the moment of writing. It may be incomplete and we may do something different for the bookworm → trixie upgrades (see tpo/tpa/team#42071).

Update the profile::tails::apt class to account for the new version.
For each node:
Start a tmux or screen session on the host where the upgrade will be happening.
Set profile::tails::apt::codename in hiera for the node with the codename of the new debian version, commit, push.
Run Puppet once so the distro codename is updated.
Run apt full-upgrade and apt autopurge manually.
Run Puppet in the node until it converges.
Reboot the machine.
Check that everything works fine.
Once all nodes have been upgraded, update the $codename parameter in the profile::tails::apt class and remove the per-node configuration in hiera.

Keys	Action
`?`	Open this help
`n`	Next page
`p`	Previous page
`s`	Search