Quick links
User Documentation
Torproject Sysadmin Team
Howtos
Meeting
Policies
Providers
Roadmaps
Sandbox
Service
Need help?
Tails
Doc
- git, shell, ldap, etc. accounts
- sys admin and service admin tasks
- Bits and pieces of Tor Project infrastructure information
- When using extra.tpo
- Hardware requirements
- How to get help
- Lektor website development environment on macOS
- Naming scheme
- How to report email problems
- Running non-root services
- learning how to do an ssh jump host on tpo
- How make website changes
- Getting an SVN account
Howto
- Web Key Directory
- Apu
- Benchmark
- Build and upload Debian packages
- Cache
- Conference
- Create a new user
- Cumin
- Dns
- Drbd
- Fabric
- Ganeti
- Git
- Gitlab
- RETIRED
- Grafana
- Incident response
- Ipsec
- Creating a tunnel with HE.net
- Irc
- Reference
- Dealing with messed up consoles
- Kvm
- Ldap
- Lektor
- Letsencrypt
- Logging
- LVM cheat sheet
- Nagios
- New machine cymru
- New machine hetzner cloud
- New machine hetzner robot
- New machine mandos
- Billing and ordering
- New machine
- How to get a new Tor System Administrator (with web developer duties) on board
- Nftables
- Openpgp
- Manual web-based OpenStack configuration
- Postgresql
- Puppet
- Raid
- Reboots
- Rename a host
- Rename a user
- Decommissioning a host
- Retire a user
- Rt
- Static component
- Submission
- How-to
- Tls
- Trac
- Upgrades
- YubiKey documentation
- Upgrades
  - Bookworm
  - Bullseye
  - Buster
  - Trixie
Meeting
- Agenda
- 2019 04 08
- 2019 05 06
- 2019 06 03
- 2019 07 01
- 2019 09 09
- 2019 10 07
- 2019 11 04
- 2019 11 25
- 2020 01 13
- 2020 02 03
- 2020 03 09
- Roll call: who's there and emergencies
- 2020 05 11
- Roll call: who's there and emergencies
- 2020 07 01
- Roll call: who's there and emergencies
- 2020 12 02
- 2021 01 19
- 2021 01 26
- Roll call: who's there and emergencies
- 2021 03 02
- 2021 04 07
- 2021 05 03
- 2021 06 02
- 2021 06 14
- 2021 09 07
- Roll call: who's there and emergencies
- 2021 11 01
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2022 01 24
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2023 12 11
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2025 Q1 Roadmap meeting
- 2025 02 10
- 2025 03 10
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2025 05 12
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Template
Policy
- Template
- Tpa rfc 1 policy
- Tpa rfc 10 jenkins retirement
- Tpa rfc 11 svn retirement
- Tpa rfc 12 triage and office hours
- Tpa rfc 13 okrs for roadmap
- Tpa rfc 14 gitlab artifacts
- Tpa rfc 15 email services
- Tpa rfc 16 replacing lektor i18n plugin
- Tpa rfc 17 disaster recovery
- Tpa rfc 18 security policy
- Tpa rfc 19 gitlab labels
- Tpa rfc 2 support
- Tpa rfc 20 bullseye upgrades
- Tpa rfc 21 uninstall svn
- Tpa rfc 22 rename irc
- Tpa rfc 23 retire ipv6only
- Tpa rfc 24 extend merge permissions web
- Tpa rfc 25 btcpay replacement
- Tpa rfc 26 limesurvey upgrade
- Tpa rfc 27 python2 eol
- Tpa rfc 28 alphabetical triage
- Tpa rfc 29 lektor scss plugin
- Tpa rfc 3 tools
- Tpa rfc 30 change lego plugins
- Tpa rfc 31 outsource email
- Tpa rfc 32 nextcloud root level folders migration
- Tpa rfc 33 monitoring
- Tpa rfc 34 office hours ends
- Tpa rfc 35 gitlab email address changes
- Tpa rfc 36 gitolite gitweb retirement
- Tpa rfc 37 lektor replacement
- Tpa rfc 38 new wiki service
- Tpa rfc 39 nextcloud account policy
- Tpa rfc 4 prometheus disk
- Tpa rfc 40 cymru migration
- Tpa rfc 41 schleuder retirement
- Tpa rfc 42 roadmap 2023
- Tpa rfc 43 cymru migration plan
- Tpa rfc 44 email emergency recovery
- Tpa rfc 45 mail architecture
- Tpa rfc 46 gitlab 2fa
- Tpa rfc 47 email account retirement
- Tpa rfc 48 enable new gitlab web ide
- Tpa rfc 5 gitlab
- Tpa rfc 50 private gitlab pages
- Tpa rfc 51 improve l10n review ci workflow
- Tpa rfc 52 cymru migration timeline
- Tpa rfc 53 security keys
- Tpa rfc 54 build boxes retirement
- Tpa rfc 55 swap file policy
- Tpa rfc 56 large file storage
- Tpa rfc 57 bookworm upgrades
- Tpa rfc 58 podman runner
- Tpa rfc 59 ssh jump host aliases
- Tpa rfc 6 naming convention
- Tpa rfc 60 gitlab 2fa enforcement
- Tpa rfc 61 roadmap 2024
- Tpa rfc 62 tpa password manager
- Tpa rfc 63 storage server budget
- Tpa rfc 64 puppet tls certificates
- Tpa rfc 65 postgresql backups
- Tpa rfc 66 gitlab ultimate program
- Tpa rfc 67 retire mini nag
- Tpa rfc 68 idle canary servers
- Tpa rfc 69 civicrm http basic auth
- Tpa rfc 7 root
- Tpa rfc 70 move tails sysadmin issues
- Tpa rfc 71 emergency email deployments round 2
- Tpa rfc 72 migrate donate 01 to gnt dal cluster
- Tpa rfc 73 tails infra merge roadmap
- Tpa rfc 74 gitlab ci retention policy
- Tpa rfc 75 new office hours
- Tpa rfc 76 puppet merge request workflow
- Tails and TPA Puppet codebase merge
- Tpa rfc 78 dangerzone retirement
- Tpa rfc 79 general merge request workflows
- Tpa rfc 8 gitlab ci libvirt
- Tpa rfc 80 debian trixie upgrade schedule
- Tpa rfc 81 gitlab access
- Tpa rfc 82 merge tor and tails support policies
- Tpa rfc 83 mail log retention
- Tpa rfc 84 minio backups and scaling
- Tpa rfc 85 invite only internal irc channels
- Tpa rfc 86 identity access management
- Tpa rfc 87 container image lifecycle
- Background
- Tpa rfc 89 gitaly migration
- Tpa rfc 89 gitlab encrypted confidential notifications
- Tpa rfc 9 proposed process
- Tpa rfc 90 signed commits
- Tpa rfc 91 incident response
- Tpa rfc 92 emergency bbb hosting provider change
Provider
- Autistici / Inventati
- PUSCII
- Quintex
Roadmap
- 2020
- 2021
- 2022
- 2023
- Priorities for 2025
- Tails merge
Service
- BTCpayserver
- Anon ticket
- Backup and restore procedures
- Blog
- Cdn
- Ci
- Crm
- Dangerzone
- Debian archive
- Documentation
- Donate
- Email
- Forum
- Jenkins
- Lists
- Nextcloud
- Object storage
- Onion
- Password manager
- Prometheus
- Schleuder
- Static shim
- Status
- Styleguide
- Support Portal
- Survey
- Template
- Tor weather
- Vault
Tails
- How tos
- Processes
- Tails Sysadmins role description
- Scripts
- Services managed by Tails Sysadmins
- Systems
- How tos
- Processes
  - Improve the infrastructure behind Tails
  - Onboarding new Tails sysadmins
- Scripts
  - Managing mirrors
- Services
- Systems
  - Boot times
  - Chameleon
    - OOB access
  - Dragon
    - Rebooting Dragon
    - Hardware
  - Ecours
    - Information
  - Gecko
    - Information
  - Iguana
    - Hardware
  - Lizard
    - Boot
    - Parts details
    - Setup
  - Skink
    - Skink
    - Usage policy for skink.tails.net
  - Stone
    - Hardware
    - Information
  - Teels
    - Information

VPN

:warning: This service will change during [[policy/tpa-rfc-73-tails-infra-merge-roadmap]] and this page should be updated when that happens.

We're using a VPN between our different machines to interconnect them and have them managed by lizard's puppetmaster.

:warning: this documentation does not take into account the changes done in puppet-tails commit da321073230f1feb3076d4296d6ab73f70cbca4f and friends.

Installation

Once you installed the system on a new machine, you'll need to setup the VPN by hand on it, right before you can go on with the puppet client setup and first run.

On the new system

apt-get install tinc
Create the basic configuration for the Tails VPN:

export VPN_NAME=tailsvpn export VPN_HOSTNAME=$(hostname) mkdir -p /etc/tinc/$VPN_NAME/hosts echo "Name=$VPN_HOSTNAME" > /etc/tinc/$VPN_NAME/tinc.conf echo "Device=/dev/net/tun" >> /etc/tinc/$VPN_NAME/tinc.conf echo "Mode=switch" >> /etc/tinc/$VPN_NAME/tinc.conf echo "ConnectTo=lizard" >> /etc/tinc/$VPN_NAME/tinc.conf
Generate the SSL key pair for this host:

tincd -n $VPN_NAME -K4096

… and save the pubkey to /etc/tinc/$VPN_NAME/rsa_key.pub

Import the other VPN peers hosts file into /etc/tinc/$VPN_NAME/hosts/. You'll find them on any other VPN peers.
Create this new host configuration file (/etc/tinc/$VPN_NAME/hosts/$VPN_HOSTNAME). Use another one as example. You just need to change the Address field, the Subnet one, and put the right RSA public key.
Mark the VPN as autostarting:

echo "$VPN_NAME" >> /etc/tinc/nets.boot systemctl enable tinc@tailsvpn.service
Copy this new host configuration file in the same place on lizard. Restart its tinc@tailsvpn service.
In the node definition in our puppet manifest (manifests/nodes.pp), add a tails::vpn::instance declaration. Copy the host public key in our puppet-tails module (files/vpn/$VPN_NAME/public_keys/$VPN_HOSTNAME.crt). Add, commit and push.
Start the VPN on the new host

systemctl tinc@tailsvpn start
Configure the puppet client.

Now you should be able to run the puppet client over the VPN.

Keys	Action
`?`	Open this help
`n`	Next page
`p`	Previous page
`s`	Search