Publish our puppet repository
Right now our Puppet repository is private, because there's sensitive information in there. The goal of this step is to make sure we can safely publish our repository without risking disclosing secrets.
Secret data is currently stored in Trocla, and we should keep using it for that purpose. That would avoid having to mess around splitting the repository in multiple components in the short term.
The proposed solution here is to remove the "secret" files, move them into Trocla (!) and then reset the repository from scratch, with zero history. A graft would have been the old way of doing this, but now there's this thing called git-replace (don't bother reading the manpage, you will fail) that can be used to implement what GitHub called time-based sharding.
The idea is basically that we'd have a commit with the removed files, and that is the historical, private repo. Then a new repo is created from scratch, with a synthetic root commit, and an "alternates" pointing at the other, private repository. That way we get the best of both worlds: a repo that is available to the public right now, with the confidential history still available to us.
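To make the mechanism concrete, here is an added toy walk-through of the split described above (it is not part of this ticket and not the project's own tooling; it only assumes a working `git`). The repository names, file paths, commit messages and the "secret" content are all constructed for the demo. It builds a private repo whose history contains a secret file, makes the cleanup commit, creates a fresh public repo whose synthetic root reuses the clean tree through `objects/info/alternates`, and then uses `git replace` so that someone with access to the private objects still sees the full history. The check functions show what a public clone gets (one commit, no secret object) versus what the replace ref gives us locally.

```shell
#!/bin/sh
# Added example, not from the ticket: private/public split with a synthetic root,
# objects/info/alternates and git replace. All names and contents are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PRIVATE="$WORK/private"
PUBLIC="$WORK/public"
CLONE="$WORK/clone"
export HOME="$WORK"
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# 1. The existing private repo: early history carries a secret file (constructed).
build_private() {
    git init -q "$PRIVATE"
    git -C "$PRIVATE" symbolic-ref HEAD refs/heads/main
    mkdir -p "$PRIVATE/modules/postfix/files"
    echo 'somebody@example.invalid otherone@example.invalid' > "$PRIVATE/modules/postfix/files/virtual"
    echo 'class site::base {}' > "$PRIVATE/manifests.pp"
    git -C "$PRIVATE" add -A
    git -C "$PRIVATE" commit -q -m 'Initial import (secrets in tree)'
    FIRST_COMMIT=$(git -C "$PRIVATE" rev-parse HEAD)
    echo 'class site::base { include profile::mail }' > "$PRIVATE/manifests.pp"
    git -C "$PRIVATE" commit -q -am 'Refactor'
    # The "commit with the removed files": secrets go to Trocla, the tree is clean.
    git -C "$PRIVATE" rm -q modules/postfix/files/virtual
    git -C "$PRIVATE" commit -q -m 'Move secrets into Trocla'
}

# 2. The new public repo: synthetic root with no parent, objects borrowed via alternates.
build_public() {
    git init -q "$PUBLIC"
    git -C "$PUBLIC" symbolic-ref HEAD refs/heads/main
    mkdir -p "$PUBLIC/.git/objects/info"
    echo "$PRIVATE/.git/objects" > "$PUBLIC/.git/objects/info/alternates"
    clean=$(git -C "$PRIVATE" rev-parse HEAD)
    tree=$(git -C "$PRIVATE" rev-parse "HEAD^{tree}")
    root=$(echo 'Synthetic root: earlier history is kept in the private repository' \
        | git -C "$PUBLIC" commit-tree "$tree")
    git -C "$PUBLIC" update-ref refs/heads/main "$root"
    # Local only: refs/replace/* is neither pushed nor cloned by default, so this
    # grafts the private history back under the root just for us.
    git -C "$PUBLIC" replace "$root" "$clean"
}

# What a plain clone over the transport receives (no alternates, no replace refs).
build_clone() { git clone -q --no-local "$PUBLIC" "$CLONE"; }

# Commits visible when replace refs are ignored, i.e. what the public sees.
public_history_len() { git -C "$PUBLIC" --no-replace-objects rev-list --count main; }
# Commits visible to us with the private objects and the replace ref in place.
full_history_len() { git -C "$PUBLIC" rev-list --count main; }
# Number of objects reachable from the public branch that carry the secret path.
secret_reachable() {
    git -C "$PUBLIC" --no-replace-objects rev-list --objects main \
        | grep -c 'modules/postfix/files/virtual' || true
}
clone_history_len() { git -C "$CLONE" rev-list --count main; }
# Does the clone hold the commit that contained the secret at all?
secret_commit_in_clone() {
    if git -C "$CLONE" cat-file -e "$FIRST_COMMIT" 2>/dev/null; then echo yes; else echo no; fi
}

build_private
build_public
build_clone
echo "public view:  $(public_history_len) commit(s), secret objects reachable: $(secret_reachable)"
echo "private view: $(full_history_len) commit(s)"
echo "fresh clone:  $(clone_history_len) commit(s), secret commit present: $(secret_commit_in_clone)"
```

The point of the last two checks is the publication safety question: a clone only receives objects reachable from the pushed refs, and the replace ref lives under `refs/replace/`, which a default push or clone does not carry. If the audit below finds more files that must go, they have to be gone from the clean tree before the synthetic root is cut, since that tree (and only that tree) is what the public root points at.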
This is the data that needs to be moved into Trocla or elsewhere at the time of writing:
- modules/postfix/files/virtual - email addresses
- modules/postfix/files/access-1-sender-reject and related - email addresses
- sudoers configurations?
- modules/profile/files/donate/blocklist.txt (previously in files/crm)
- secrets in /etc/puppet (hopefully not in git, but just in case)
A full audit should be redone before this is completed.
This ticket used to hold a long series of possible improvements to the Puppet setup, including automatically running g10k, getting rid of 3rdparty, environments, checksums, and so on. This has been moved out of this ticket completely, into the proposed solution section of the Puppet documentation.