Change lizard's public IP

The folks that host our server need us to change lizard's IP from 198.252.153.59 to 204.13.164.63.

Preparation steps:

  • Check with our colo friends about the expected timeline: Week of June 4-11th (between Tails releases 4.19 and 4.20)
  • Communicate with A/I to schedule the change of tails-ns-1.boum.org.
  • Inventory uses of the IP in our config and list impacts of this change (include Tails upgrades and /home)
  • Assert that the new IP works on the machine.
  • The week before, send out messages including the expected time/date:
    • Short blog post
    • Send to tails-dev
    • Send to amnesia-news
    • The authoritative server for our nameservers needs to change the IP for tails-ns-1.boum.org
    • Our GitLab provider needs to update a firewall rule that allows outgoing connections to our Gitolite
  • The day before:
    • Adjust A records in our DNS to a low TTL.
    • Add new IP-based SSH fingerprints entries in hieradata/common.yaml.

Execution plan:

  • Tweet that it's about to happen
  • Change Tinc node address for lizard (i.e. merge puppet-tails!61) and run Puppet Agent on all hosts.
  • Change DNS records in Tails infra:
    • Change A records in primary DNS
    • Change A records in secondary DNS (this is probably automatic)
  • Change lizard's network config (IP, Gateway and DNS)
  • Ensure all nodes can connect to Puppet Server via VPN (including sib and its VMs)
  • Fix Dropbear config as Grub extra options in hieradata/node/lizard.tails.boum.org.yaml and test that.
  • Wrap up:
    • Make sure A/I's A record for tails-ns-1.boum.org is changed.
    • Update masterless config of stone.
    • Update static host definitions in our monitoring node (modules/tails_private/manifests/hosts.pp).
    • Remove old IP-based SSH fingerprints entries in hieradata/common.yaml.
    • Adjust DNS records back to normal TTL.
    • Make sure GitLab can connect to our Gitolite (and mirror tails.git there)
    • Tweet that everything is working again.
    • Let our colo friends know that the change was successful
    • Change IP in Munin config (not managed by us)
Edited by groente-admin
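
The inventory step under "Preparation steps" and the wrap-up check that no old IP-based entries remain can share one scan, shown here as an added example that is not part of the original issue or of the Tails infrastructure code: it lists lines that name the old address exactly, or its reverse-DNS name. The sample tree, its file names and its contents are constructed for the demo; only the two IP addresses come from the issue.

```shell
#!/bin/sh
# Added example: inventory references to an IPv4 address in a config checkout.
# Assumes a grep that supports -r and --exclude-dir (GNU or BSD grep).

OLD_IP=198.252.153.59   # old address, from the issue
NEW_IP=204.13.164.63    # new address, from the issue

# Escape dots so "." only matches a literal dot inside the regex.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# 198.252.153.59 -> 59.153.252.198.in-addr.arpa (reverse-DNS owner name)
ptr_name() {
    printf '%s' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa", $4, $3, $2, $1 }'
}

# find_ip_refs IP DIR: print file:line:text for each line that names IP
# exactly (not as part of a longer address) or names its PTR record.
find_ip_refs() {
    fwd=$(re_escape "$1")
    rev=$(re_escape "$(ptr_name "$1")")
    grep -rnE --exclude-dir=.git \
        "(^|[^0-9.])($fwd)([^0-9.]|\\.[^0-9]|\\.?\$)|(^|[^0-9.])($rev)" "$2"
}

# count_ip_refs IP DIR: number of matching lines (0 = nothing left to change)
count_ip_refs() { { find_ip_refs "$1" "$2" || true; } | wc -l | tr -d ' '; }

# Constructed sample tree: file names, records and the key are placeholders.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/hieradata" "$d/zones"
    printf 'known_hosts:\n  "198.252.153.59": ssh-ed25519 AAAA-placeholder\n' > "$d/hieradata/common.yaml"
    printf 'lizard IN A 198.252.153.59\n59.153.252.198.in-addr.arpa. IN PTR lizard.example.\n' > "$d/zones/db.example"
    printf 'other: 198.252.153.590\nlookalike: 198x252x153x59\nnew: 204.13.164.63\n' > "$d/hieradata/decoy.yaml"
    printf '%s' "$d"
}

tree=$(make_sample_tree)
echo "References to $OLD_IP before the change:"
find_ip_refs "$OLD_IP" "$tree" || echo "(none)"
echo "Lines still naming the old IP: $(count_ip_refs "$OLD_IP" "$tree")"
rm -rf "$tree"
```

Run against the real checkout before the change to build the inventory, and again during wrap-up, when a count of 0 for the old address means no stale entry is left.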