Quick links
User Documentation
Torproject Sysadmin Team
Howtos
Meeting
Policies
Providers
Roadmaps
Sandbox
Service
Need help?
Tails
Doc
- git, shell, ldap, etc. accounts
- sys admin and service admin tasks
- Bits and pieces of Tor Project infrastructure information
- When using extra.tpo
- Hardware requirements
- How to get help
- Lektor website development environment on macOS
- Naming scheme
- How to report email problems
- Running non-root services
- learning how to do an ssh jump host on tpo
- How make website changes
- Getting an SVN account
Howto
- Web Key Directory
- Apu
- Benchmark
- Build and upload Debian packages
- Cache
- Conference
- Create a new user
- Cumin
- Dns
- Drbd
- Fabric
- Ganeti
- Git
- Gitlab
- RETIRED
- Grafana
- Incident response
- Ipsec
- Creating a tunnel with HE.net
- Irc
- Reference
- Dealing with messed up consoles
- Kvm
- Ldap
- Lektor
- Letsencrypt
- Logging
- LVM cheat sheet
- Nagios
- New machine cymru
- New machine hetzner cloud
- New machine hetzner robot
- New machine mandos
- Billing and ordering
- New machine
- How to get a new Tor System Administrator (with web developer duties) on board
- Nftables
- Openpgp
- Manual web-based OpenStack configuration
- Postgresql
- Puppet
- Raid
- Reboots
- Rename a host
- Rename a user
- Decommissioning a host
- Retire a user
- Rt
- Static component
- Submission
- How-to
- Tls
- Trac
- Upgrades
- YubiKey documentation
- Upgrades
  - Bookworm
  - Bullseye
  - Buster
  - Trixie
Meeting
- Agenda
- 2019 04 08
- 2019 05 06
- 2019 06 03
- 2019 07 01
- 2019 09 09
- 2019 10 07
- 2019 11 04
- 2019 11 25
- 2020 01 13
- 2020 02 03
- 2020 03 09
- Roll call: who's there and emergencies
- 2020 05 11
- Roll call: who's there and emergencies
- 2020 07 01
- Roll call: who's there and emergencies
- 2020 12 02
- 2021 01 19
- 2021 01 26
- Roll call: who's there and emergencies
- 2021 03 02
- 2021 04 07
- 2021 05 03
- 2021 06 02
- 2021 06 14
- 2021 09 07
- Roll call: who's there and emergencies
- 2021 11 01
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2022 01 24
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2023 12 11
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2025 Q1 Roadmap meeting
- 2025 02 10
- 2025 03 10
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- 2025 05 12
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Roll call: who's there and emergencies
- Template
Policy
- Template
- Tpa rfc 1 policy
- Tpa rfc 10 jenkins retirement
- Tpa rfc 11 svn retirement
- Tpa rfc 12 triage and office hours
- Tpa rfc 13 okrs for roadmap
- Tpa rfc 14 gitlab artifacts
- Tpa rfc 15 email services
- Tpa rfc 16 replacing lektor i18n plugin
- Tpa rfc 17 disaster recovery
- Tpa rfc 18 security policy
- Tpa rfc 19 gitlab labels
- Tpa rfc 2 support
- Tpa rfc 20 bullseye upgrades
- Tpa rfc 21 uninstall svn
- Tpa rfc 22 rename irc
- Tpa rfc 23 retire ipv6only
- Tpa rfc 24 extend merge permissions web
- Tpa rfc 25 btcpay replacement
- Tpa rfc 26 limesurvey upgrade
- Tpa rfc 27 python2 eol
- Tpa rfc 28 alphabetical triage
- Tpa rfc 29 lektor scss plugin
- Tpa rfc 3 tools
- Tpa rfc 30 change lego plugins
- Tpa rfc 31 outsource email
- Tpa rfc 32 nextcloud root level folders migration
- Tpa rfc 33 monitoring
- Tpa rfc 34 office hours ends
- Tpa rfc 35 gitlab email address changes
- Tpa rfc 36 gitolite gitweb retirement
- Tpa rfc 37 lektor replacement
- Tpa rfc 38 new wiki service
- Tpa rfc 39 nextcloud account policy
- Tpa rfc 4 prometheus disk
- Tpa rfc 40 cymru migration
- Tpa rfc 41 schleuder retirement
- Tpa rfc 42 roadmap 2023
- Tpa rfc 43 cymru migration plan
- Tpa rfc 44 email emergency recovery
- Tpa rfc 45 mail architecture
- Tpa rfc 46 gitlab 2fa
- Tpa rfc 47 email account retirement
- Tpa rfc 48 enable new gitlab web ide
- Tpa rfc 5 gitlab
- Tpa rfc 50 private gitlab pages
- Tpa rfc 51 improve l10n review ci workflow
- Tpa rfc 52 cymru migration timeline
- Tpa rfc 53 security keys
- Tpa rfc 54 build boxes retirement
- Tpa rfc 55 swap file policy
- Tpa rfc 56 large file storage
- Tpa rfc 57 bookworm upgrades
- Tpa rfc 58 podman runner
- Tpa rfc 59 ssh jump host aliases
- Tpa rfc 6 naming convention
- Tpa rfc 60 gitlab 2fa enforcement
- Tpa rfc 61 roadmap 2024
- Tpa rfc 62 tpa password manager
- Tpa rfc 63 storage server budget
- Tpa rfc 64 puppet tls certificates
- Tpa rfc 65 postgresql backups
- Tpa rfc 66 gitlab ultimate program
- Tpa rfc 67 retire mini nag
- Tpa rfc 68 idle canary servers
- Tpa rfc 69 civicrm http basic auth
- Tpa rfc 7 root
- Tpa rfc 70 move tails sysadmin issues
- Tpa rfc 71 emergency email deployments round 2
- Tpa rfc 72 migrate donate 01 to gnt dal cluster
- Tpa rfc 73 tails infra merge roadmap
- Tpa rfc 74 gitlab ci retention policy
- Tpa rfc 75 new office hours
- Tpa rfc 76 puppet merge request workflow
- Tails and TPA Puppet codebase merge
- Tpa rfc 78 dangerzone retirement
- Tpa rfc 79 general merge request workflows
- Tpa rfc 8 gitlab ci libvirt
- Tpa rfc 80 debian trixie upgrade schedule
- Tpa rfc 81 gitlab access
- Tpa rfc 82 merge tor and tails support policies
- Tpa rfc 83 mail log retention
- Tpa rfc 84 minio backups and scaling
- Tpa rfc 85 invite only internal irc channels
- Tpa rfc 86 identity access management
- Tpa rfc 87 container image lifecycle
- Background
- Tpa rfc 89 gitaly migration
- Tpa rfc 89 gitlab encrypted confidential notifications
- Tpa rfc 9 proposed process
- Tpa rfc 90 signed commits
- Tpa rfc 91 incident response
- Tpa rfc 92 emergency bbb hosting provider change
Provider
- Autistici / Inventati
- PUSCII
- Quintex
Roadmap
- 2020
- 2021
- 2022
- 2023
- Priorities for 2025
- Tails merge
Service
- BTCpayserver
- Anon ticket
- Backup and restore procedures
- Blog
- Cdn
- Ci
- Crm
- Dangerzone
- Debian archive
- Documentation
- Donate
- Email
- Forum
- Jenkins
- Lists
- Nextcloud
- Object storage
- Onion
- Password manager
- Prometheus
- Schleuder
- Static shim
- Status
- Styleguide
- Support Portal
- Survey
- Template
- Tor weather
- Vault
Tails
- How tos
- Processes
- Tails Sysadmins role description
- Scripts
- Services managed by Tails Sysadmins
- Systems
- How tos
- Processes
  - Improve the infrastructure behind Tails
  - Onboarding new Tails sysadmins
- Scripts
  - Managing mirrors
- Services
- Systems
  - Boot times
  - Chameleon
    - OOB access
  - Dragon
    - Rebooting Dragon
    - Hardware
  - Ecours
    - Information
  - Gecko
    - Information
  - Iguana
    - Hardware
  - Lizard
    - Boot
    - Parts details
    - Setup
  - Skink
    - Skink
    - Usage policy for skink.tails.net
  - Stone
    - Hardware
    - Information
  - Teels
    - Information

Setup

Network

IPv4: 198.252.153.59/24, gateway on .1
SeaCCP nameservers:
204.13.164.2
204.13.164.3

Puppet

We use dynamic environments matching Git branches: https://puppetlabs.com/blog/git-workflow-and-puppet-environments/

Most nodes are in the production environment.

To put a node called $NODE in another environment than production:

Create a topic branch, forked off the production branch. The name of this topic branch must match /[a-z0-9]+/ Let's say this branch is called $TOPIC.
Push that topic branch.
On the production branch, update our basic external node classifier (ENC) so it echoes environment: $TOPIC when passed $NODE as an argument: modules/site_tails/files/puppet/enc.py.
Push your updated production branch.
Deploy the updated /usr/local/bin/puppet-enc script on our Puppet server:
```
 ssh puppet.lizard sudo puppet agent --test
```

Services

Gitolite

Gitolite runs on the puppet-git VM. It hosts our Puppet modules.

The Puppet manifests and modules are managed in the puppet-code Git repository with submodules. See contribute/git on our website for details.

We use puppet-sync to deploy the configuration after pushing to Git:

manifests/nodes.pp (look for puppet-sync)
modules/site_puppet/files/git/post-receive
modules/site_puppet/files/master/puppet-sync
modules/site_puppet/files/master/puppet-sync-deploy

dropbear

SSH server, run only at initramfs time, used to enter the FDE passphrase.

DSS Fingerprint: md5 a3:2e:f8:b6:dd:0a:d1:a6:a8:90:3a:10:18:b7:82:4c RSA Fingerprint: md5 b4:83:59:1c:6c:12:da:10:d1:2a:a6:0b:8f:e1:49:9a

Services

SSH

1024 SHA256:tBJk1VUVZZvURMAftdNrZYc4D5RxLuTpu8M+L1jWzB4 root@lizard (DSA) 256 SHA256:E+EH+PkvOCxnVbO8rzDnxJwmO4rqINC3BNnfKPKNwpw root@lizard (ED25519) 2048 SHA256:DeEE4LLIknraA8GZbqMYDZL0CiBjCHWFtOeOhpai89w root@lizard (RSA)

HTTP

A HTTP server is running on www.lizard, and receives all HTTP requests sent to lizard. It plays the role of a reverse-proxy, that is it forwards requests to the web server that is actually able to answer the request (e.g. the web server on apt.lizard).

Automatically built ISO images

http://nightly.tails.net/

Virtualization

lizard runs libvirt.

Information about the guest VMs (hidden service name, SSHd fingerprint) lives in the internal Git repo, as non-sysadmins need it too.

Keys	Action
`?`	Open this help
`n`	Next page
`p`	Previous page
`s`	Search